1321 files changed, 17518 insertions, 7407 deletions

diff --git a/.git-blame-ignore-revs b/.git-blame-ignore-revs
new file mode 100644
index 000000000..0c9701d1c
--- /dev/null
+++ b/.git-blame-ignore-revs
@@ -0,0 +1,4 @@
+# move whitelist/blacklist to allow/deny
+fe0f975f447d59977d90c3226cc8c623b31b20b3
+# Revert "move whitelist/blacklist to allow/deny"
+f43382f1e9707b4fd5e63c7bfe881912aa4ee994
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 000000000..6b329f917
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1 @@
+/etc/inc/*.inc linguist-language=text
diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
index 4b2df855c..eb485b8a2 100644
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -6,44 +6,85 @@ labels: ''
 assignees: ''
 
 ---
-Write clear, concise and in textual form.
 
-**Bug and expected behavior**
-- Describe the bug.
-- What did you expect to happen?
+<!--
+See the following links for help with formatting:
 
-**No profile and disabling firejail**
-- What changed calling `firejail --noprofile /path/to/program` in a terminal?
-- What changed calling the program by path (e.g. `/usr/bin/vlc`)?
+https://guides.github.com/features/mastering-markdown/
+https://docs.github.com/en/github/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax
+-->
 
-**Reproduce**
-Steps to reproduce the behavior:
-1. Run in bash `firejail PROGRAM`
-2. See error `ERROR`
-3. Click on '....'
-4. Scroll down to '....'
+### Description
 
-**Environment**
- - Linux distribution and version (ie output of `lsb_release -a`, `screenfetch` or `cat /etc/os-release`)
- - Firejail version (output of `firejail --version`) exclusive or used git commit (`git rev-parse HEAD`)
+_Describe the bug_
 
-**Additional context**
-Other context about the problem like related errors to understand the problem.
+### Steps to Reproduce
 
-**Checklist**
- - [ ] The profile (and redirect profile if exists) hasn't already been fixed [upstream](https://github.com/netblue30/firejail/tree/master/etc).
- - [ ] The program has a profile. (If not, request one in `https://github.com/netblue30/firejail/issues/1139`)
- - [ ] I have performed a short search for similar issues (to avoid opening a duplicate).
- - [ ] If it is a AppImage, `--profile=PROFILENAME` is used to set the right profile.
- - [ ] Used `LC_ALL=en_US.UTF-8 LANG=en_US.UTF-8 PROGRAM` to get english error-messages.
- - [ ] I'm aware of `browser-allow-drm yes`/`browser-disable-u2f no` in `firejail.config` to allow DRM/U2F in browsers.
- - [ ] This is not a question. Questions should be asked in https://github.com/netblue30/firejail/discussions.
+_Steps to reproduce the behavior_
 
+1. Run in bash `LC_ALL=C firejail PROGRAM` (`LC_ALL=C` to get a consistent output in English that can be understood by everybody)
+2. Click on '....'
+3. Scroll down to '....'
+4. See error `ERROR`
 
-<details><summary> debug output </summary>
+### Expected behavior
+
+_What you expected to happen_
+
+### Actual behavior
+
+_What actually happened_
+
+### Behavior without a profile
+
+_What changed calling `LC_ALL=C firejail --noprofile /path/to/program` in a terminal?_
+
+### Additional context
+
+_Any other detail that may help to understand/debug the problem_
+
+### Environment
+
+- Linux distribution and version (e.g. "Ubuntu 20.04" or "Arch Linux")
+- Firejail version (`firejail --version`).
+- If you use a development version of firejail, also the commit from which it was compiled (`git rev-parse HEAD`).
+
+### Checklist
+
+<!--
+Note: Items are checked with an "x", like so:
+
+- [x] This is a checked item.
+-->
+
+- [ ] The issues is caused by firejail (i.e. running the program by path (e.g. `/usr/bin/vlc`) "fixes" it).
+- [ ] I can reproduce the issue without custom modifications (e.g. globals.local).
+- [ ] The program has a profile. (If not, request one in `https://github.com/netblue30/firejail/issues/1139`)
+- [ ] The profile (and redirect profile if exists) hasn't already been fixed [upstream](https://github.com/netblue30/firejail/tree/master/etc).
+- [ ] I have performed a short search for similar issues (to avoid opening a duplicate).
+  - [ ] I'm aware of `browser-allow-drm yes`/`browser-disable-u2f no` in `firejail.config` to allow DRM/U2F in browsers.
+- [ ] I used `--profile=PROFILENAME` to set the right profile. (Only relevant for AppImages)
+
+### Log
+
+<details>
+<summary>Output of <code>LC_ALL=C firejail /path/to/program</code></summary>
+<p>
+
+```
+output goes here
+```
+
+</p>
+</details>
+
+<details>
+<summary>Output of <code>LC_ALL=C firejail --debug /path/to/program</code></summary>
+<p>
 
 ```
-OUTPUT OF `firejail --debug PROGRAM`
+output goes here
 ```
 
+</p>
 </details>
diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml
new file mode 100644
index 000000000..b8fe40acd
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/config.yml
@@ -0,0 +1,5 @@
+blank_issues_enabled: true
+contact_links:
+  - name: Question
+    url: https://github.com/netblue30/firejail/discussions
+    about: For questions you should use GitHub Discussions.
diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md
new file mode 100644
index 000000000..a723cdbde
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -0,0 +1,23 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: ''
+labels: ''
+assignees: ''
+---
+
+### Is your feature request related to a problem? Please describe.
+
+_A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]_
+
+### Describe the solution you'd like
+
+_A clear and concise description of what you want to happen._
+
+### Describe alternatives you've considered
+
+_A clear and concise description of any alternative solutions or features you've considered._
+
+### Additional context
+
+_Add any other context or screenshots about the feature request here._
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 000000000..30242923d
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,7 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 2
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
index 57ac2e9c4..7cb92a938 100644
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -1,4 +1,3 @@
-
 If your PR isn't about profiles or you have no idea how to do one of these, skip the following and go ahead with this PR.
 
 If you submit a PR for new profiles or changing profiles, please do the following:
diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml
index 29f14788d..0d53b270d 100644
--- a/.github/workflows/build-extra.yml
+++ b/.github/workflows/build-extra.yml
@@ -30,25 +30,25 @@ jobs:
   build-clang:
     runs-on: ubuntu-20.04
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846
     - name: configure
-      run: CC=clang-10 ./configure --enable-fatal-warnings
+      run: CC=clang-11 ./configure --enable-fatal-warnings
     - name: make
       run: make
   scan-build:
     runs-on: ubuntu-20.04
     steps:
-    - uses: actions/checkout@v2
-    - name: install clang-tools-10
-      run: sudo apt-get install clang-tools-10
+    - uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846
+    - name: install clang-tools-11
+      run: sudo apt-get install clang-tools-11
     - name: configure
-      run: CC=clang-10 ./configure --enable-fatal-warnings
+      run: CC=clang-11 ./configure --enable-fatal-warnings
     - name: scan-build
-      run: NO_EXTRA_CFLAGS="yes" scan-build-10 --status-bugs make
+      run: NO_EXTRA_CFLAGS="yes" scan-build-11 --status-bugs make
   cppcheck:
     runs-on: ubuntu-20.04
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846
     - name: install cppcheck
       run: sudo apt-get install cppcheck
     - name: cppcheck
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 07ab1431e..6219abc2f 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -22,11 +22,11 @@ jobs:
   build_and_test:
     runs-on: ubuntu-20.04
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846
     - name: install dependencies
-      run: sudo apt-get install gcc-10 libapparmor-dev libselinux1-dev expect xzdec
+      run: sudo apt-get install gcc-11 libapparmor-dev libselinux1-dev expect xzdec
     - name: configure
-      run: CC=gcc-10 ./configure --enable-fatal-warnings --enable-analyzer --enable-apparmor --enable-selinux --prefix=/usr
+      run: CC=gcc-11 ./configure --enable-fatal-warnings --enable-analyzer --enable-apparmor --enable-selinux --prefix=/usr
     - name: make
       run: make
     - name: make install
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 4476963b5..1352ce3e6 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -43,11 +43,11 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v1
+      uses: github/codeql-action/init@75f07e7ab2ee63cba88752d8c696324e4df67466
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -58,7 +58,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v1
+      uses: github/codeql-action/autobuild@75f07e7ab2ee63cba88752d8c696324e4df67466
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -72,4 +72,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v1
+      uses: github/codeql-action/analyze@75f07e7ab2ee63cba88752d8c696324e4df67466
diff --git a/.github/workflows/profile-checks.yml b/.github/workflows/profile-checks.yml
new file mode 100644
index 000000000..c2a3c5dc7
--- /dev/null
+++ b/.github/workflows/profile-checks.yml
@@ -0,0 +1,31 @@
+name: Profile Checks
+
+on:
+  push:
+    branches: [ master ]
+    paths:
+      - 'etc/**'
+      - 'ci/check/profiles/**'
+      - 'src/firecfg/firecfg.config'
+      - 'contrib/sort.py'
+  pull_request:
+    branches: [ master ]
+    paths:
+      - 'etc/**'
+      - 'ci/check/profiles/**'
+      - 'src/firecfg/firecfg.config'
+      - 'contrib/sort.py'
+
+jobs:
+  profile-checks:
+    runs-on: ubuntu-20.04
+    steps:
+    - uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846
+    - name: sort.py
+      run: ./ci/check/profiles/sort.py etc/inc/*.inc etc/{profile-a-l,profile-m-z}/*.profile
+    - name: private-etc-always-required.sh
+      run: ./ci/check/profiles/private-etc-always-required.sh etc/inc/*.inc etc/{profile-a-l,profile-m-z}/*.profile
+    - name: sort-disable-programs.sh
+      run: ./ci/check/profiles/sort-disable-programs.sh etc/inc/disable-programs.inc
+    - name: sort-firecfg.config.sh
+      run: ./ci/check/profiles/sort-firecfg.config.sh src/firecfg/firecfg.config
diff --git a/.github/workflows/sort.yml b/.github/workflows/sort.yml
deleted file mode 100644
index f3ded0f22..000000000
--- a/.github/workflows/sort.yml
+++ /dev/null
@@ -1,22 +0,0 @@
-name: sort.py
-
-on:
-  push:
-    branches: [ master ]
-    paths:
-      - 'etc/**'
-      - 'contrib/sort.py'
-  pull_request:
-    branches: [ master ]
-    paths:
-      - 'etc/**'
-      - 'contrib/sort.py'
-
-jobs:
-  profile-sort:
-    runs-on: ubuntu-20.04
-    steps:
-    - uses: actions/checkout@v2
-    - name: check profiles
-      run: ./contrib/sort.py etc/*/{*.inc,*.profile}
-
diff --git a/.gitignore b/.gitignore
index cbb1b2e83..29e0b63d6 100644
--- a/.gitignore
+++ b/.gitignore
@@ -22,12 +22,13 @@ firejail-users.5
 firejail.1
 firemon.1
 firecfg.1
-jailtest.5
+jailcheck.1
 mkdeb.sh
 src/firejail/firejail
 src/firemon/firemon
 src/firecfg/firecfg
 src/ftee/ftee
+src/fids/fids
 src/tags
 src/faudit/faudit
 src/fnet/fnet
@@ -41,7 +42,8 @@ src/fbuilder/fbuilder
 src/profstats/profstats
 src/bash_completion/firejail.bash_completion
 src/zsh_completion/_firejail
-src/jailtest/jailtest
+src/jailcheck/jailcheck
+src/fnettrace/fnettrace
 uids.h
 seccomp
 seccomp.debug
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 5affd5cff..e79028c4f 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -21,7 +21,7 @@ build_debian_package:
         - ./configure --prefix=/usr && make deb && dpkg -i firejail*.deb
 
 build_redhat_package:
-    image: centos:latest
+    image: almalinux:latest
     script:
         - dnf update -y
         - dnf install -y rpm-build gcc make
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 688101d13..0f868d6c4 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -34,6 +34,13 @@ If you want to write a new profile, the easiest way to do this is to use the
 [profile template](https://github.com/netblue30/firejail/blob/master/etc/templates/profile.template).
 If you have already written a profile, please make sure it follows the rules described in the template.
 
+If you add a new command, here's the checklist:
+
+ - [ ] Update manpages: firejail(1) and firejail-profile(5)
+ - [ ] Update shell completions
+ - [ ] Update vim syntax files
+ - [ ] Update --help
+
 # Editing the wiki
 
 You are highly encouraged to add your own tips and tricks to the [wiki](https://github.com/netblue30/firejail/wiki).
diff --git a/COPYING b/COPYING
index b6e1c33e0..d159169d1 100644
--- a/COPYING
+++ b/COPYING
@@ -1,12 +1,12 @@
-                    GNU GENERAL PUBLIC LICENSE
-                       Version 2, June 1991
+                    GNU GENERAL PUBLIC LICENSE
+                       Version 2, June 1991
 
- Copyright (C) 1989, 1991 Free Software Foundation, Inc.
-                       51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
  Everyone is permitted to copy and distribute verbatim copies
  of this license document, but changing it is not allowed.
 
-                            Preamble
+                            Preamble
 
   The licenses for most software are designed to take away your
 freedom to share and change it.  By contrast, the GNU General Public
@@ -15,7 +15,7 @@ software--to make sure the software is free for all its users.  This
 General Public License applies to most of the Free Software
 Foundation's software and to any other program whose authors commit to
 using it.  (Some other Free Software Foundation software is covered by
-the GNU Library General Public License instead.)  You can apply it to
+the GNU Lesser General Public License instead.)  You can apply it to
 your programs, too.
 
   When we speak of free software, we are referring to freedom, not
@@ -55,8 +55,8 @@ patent must be licensed for everyone's free use or not licensed at all.
 
   The precise terms and conditions for copying, distribution and
 modification follow.
-
-                    GNU GENERAL PUBLIC LICENSE
+
+                    GNU GENERAL PUBLIC LICENSE
    TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
 
   0. This License applies to any program or other work which contains
@@ -110,7 +110,7 @@ above, provided that you also meet all of these conditions:
     License.  (Exception: if the Program itself is interactive but
     does not normally print such an announcement, your work based on
     the Program is not required to print an announcement.)
-
+
 These requirements apply to the modified work as a whole.  If
 identifiable sections of that work are not derived from the Program,
 and can be reasonably considered independent and separate works in
@@ -168,7 +168,7 @@ access to copy from a designated place, then offering equivalent
 access to copy the source code from the same place counts as
 distribution of the source code, even though third parties are not
 compelled to copy the source along with the object code.
-
+
   4. You may not copy, modify, sublicense, or distribute the Program
 except as expressly provided under this License.  Any attempt
 otherwise to copy, modify, sublicense or distribute the Program is
@@ -225,7 +225,7 @@ impose that choice.
 
 This section is intended to make thoroughly clear what is believed to
 be a consequence of the rest of this License.
-
+
   8. If the distribution and/or use of the Program is restricted in
 certain countries either by patents or by copyrighted interfaces, the
 original copyright holder who places the Program under this License
@@ -255,7 +255,7 @@ make exceptions for this.  Our decision will be guided by the two goals
 of preserving the free status of all derivatives of our free software and
 of promoting the sharing and reuse of software generally.
 
-                            NO WARRANTY
+                            NO WARRANTY
 
   11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
 FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
@@ -277,4 +277,63 @@ YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
 PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
 POSSIBILITY OF SUCH DAMAGES.
 
-                     END OF TERMS AND CONDITIONS
+                     END OF TERMS AND CONDITIONS
+
+            How to Apply These Terms to Your New Programs
+
+  If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+  To do so, attach the following notices to the program.  It is safest
+to attach them to the start of each source file to most effectively
+convey the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+    <one line to give the program's name and a brief idea of what it does.>
+    Copyright (C) <year>  <name of author>
+
+    This program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation; either version 2 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License along
+    with this program; if not, write to the Free Software Foundation, Inc.,
+    51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+Also add information on how to contact you by electronic and paper mail.
+
+If the program is interactive, make it output a short notice like this
+when it starts in an interactive mode:
+
+    Gnomovision version 69, Copyright (C) year name of author
+    Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+    This is free software, and you are welcome to redistribute it
+    under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License.  Of course, the commands you use may
+be called something other than `show w' and `show c'; they could even be
+mouse-clicks or menu items--whatever suits your program.
+
+You should also get your employer (if you work as a programmer) or your
+school, if any, to sign a "copyright disclaimer" for the program, if
+necessary.  Here is a sample; alter the names:
+
+  Yoyodyne, Inc., hereby disclaims all copyright interest in the program
+  `Gnomovision' (which makes passes at compilers) written by James Hacker.
+
+  <signature of Ty Coon>, 1 April 1989
+  Ty Coon, President of Vice
+
+This General Public License does not permit incorporating your program into
+proprietary programs.  If your program is a subroutine library, you may
+consider it more useful to permit linking proprietary applications with the
+library.  If this is what you want to do, use the GNU Lesser General
+Public License instead of this License.
diff --git a/Makefile.in b/Makefile.in
index f9422fc8b..f38191880 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -25,14 +25,15 @@ COMPLETIONDIRS = src/zsh_completion src/bash_completion
 
 .PHONY: all
 all: all_items mydirs $(MAN_TARGET) filters
-APPS = src/firecfg/firecfg src/firejail/firejail src/firemon/firemon src/profstats/profstats src/jailtest/jailtest
-SBOX_APPS = src/fbuilder/fbuilder src/ftee/ftee
+APPS = src/firecfg/firecfg src/firejail/firejail src/firemon/firemon src/profstats/profstats src/jailcheck/jailcheck
+SBOX_APPS = src/fbuilder/fbuilder src/ftee/ftee src/fids/fids
 SBOX_APPS_NON_DUMPABLE = src/fcopy/fcopy src/fldd/fldd src/fnet/fnet src/fnetfilter/fnetfilter
+SBOX_APPS_NON_DUMPABLE += src/fsec-optimize/fsec-optimize src/fsec-print/fsec-print src/fseccomp/fseccomp
+SBOX_APPS_NON_DUMPABLE += src/fnettrace/fnettrace
 MYDIRS = src/lib $(MAN_SRC) $(COMPLETIONDIRS)
 MYLIBS = src/libpostexecseccomp/libpostexecseccomp.so src/libtrace/libtrace.so src/libtracelog/libtracelog.so
 COMPLETIONS = src/zsh_completion/_firejail src/bash_completion/firejail.bash_completion
-MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5 jailtest.5
-SBOX_APPS_NON_DUMPABLE += src/fsec-optimize/fsec-optimize src/fsec-print/fsec-print src/fseccomp/fseccomp
+MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5 jailcheck.1
 SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx seccomp.mdwx.32
 ALL_ITEMS = $(APPS) $(SBOX_APPS) $(SBOX_APPS_NON_DUMPABLE) $(MYLIBS)
 
@@ -83,6 +84,7 @@ clean:
         rm -f $(SECCOMP_FILTERS)
         rm -f test/utils/index.html*
         rm -f test/utils/wget-log
+        rm -f test/utils/firejail-test-file*
         rm -f test/utils/lstesting
         rm -f test/environment/index.html*
         rm -f test/environment/wget-log*
@@ -105,22 +107,24 @@ realinstall:
         # firejail executable
         install -m 0755 -d $(DESTDIR)$(bindir)
         install -m 0755 src/firejail/firejail $(DESTDIR)$(bindir)
-ifeq ($(HAVE_SUID),yes)
+ifeq ($(HAVE_SUID),-DHAVE_SUID)
         chmod u+s $(DESTDIR)$(bindir)/firejail
 endif
         # firemon executable
         install -m 0755 src/firemon/firemon $(DESTDIR)$(bindir)
         # firecfg executable
         install -m 0755 src/firecfg/firecfg $(DESTDIR)$(bindir)
-        # jailtest executable
-        install -m 0755 src/jailtest/jailtest $(DESTDIR)$(bindir)
+        # jailcheck executable
+        install -m 0755 src/jailcheck/jailcheck $(DESTDIR)$(bindir)
         # libraries and plugins
         install -m 0755 -d $(DESTDIR)$(libdir)/firejail
-        install -m 0644 -t $(DESTDIR)$(libdir)/firejail $(MYLIBS) $(SECCOMP_FILTERS) src/firecfg/firecfg.config
+        install -m 0644 -t $(DESTDIR)$(libdir)/firejail $(MYLIBS) $(SECCOMP_FILTERS)
         install -m 0755 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS)
+        install -m 0755 -t $(DESTDIR)$(libdir)/firejail src/profstats/profstats
         # plugins w/o read permission (non-dumpable)
         install -m 0711 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS_NON_DUMPABLE)
         install -m 0711 -t $(DESTDIR)$(libdir)/firejail src/fshaper/fshaper.sh
+        install -m 0644 -t $(DESTDIR)$(libdir)/firejail src/fnettrace/static-ip-map
 ifeq ($(HAVE_CONTRIB_INSTALL),yes)
         # contrib scripts
         install -m 0755 -t $(DESTDIR)$(libdir)/firejail contrib/*.py contrib/*.sh
@@ -135,7 +139,8 @@ endif
         install -m 0644 -t $(DESTDIR)$(DOCDIR) COPYING README RELNOTES etc/templates/*
         # profiles and settings
         install -m 0755 -d $(DESTDIR)$(sysconfdir)/firejail
-        install -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail etc/profile-a-l/*.profile etc/profile-m-z/*.profile etc/inc/*.inc etc/net/*.net etc/firejail.config
+        install -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail src/firecfg/firecfg.config
+        install -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail etc/profile-a-l/*.profile etc/profile-m-z/*.profile etc/inc/*.inc etc/net/*.net etc/firejail.config etc/ids.config
         sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"
 ifeq ($(BUSYBOX_WORKAROUND),yes)
         ./mketc.sh $(DESTDIR)$(sysconfdir)/firejail/disable-common.inc
@@ -144,9 +149,13 @@ ifeq ($(HAVE_APPARMOR),-DHAVE_APPARMOR)
         # install apparmor profile
         sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d; fi;"
         install -m 0644 etc/apparmor/firejail-default $(DESTDIR)$(sysconfdir)/apparmor.d
-        sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d/local ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d/local; fi;"
         # install apparmor profile customization file
+        sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d/local ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d/local; fi;"
         sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/apparmor.d/local/firejail-default ]; then install -c -m 0644 etc/apparmor/firejail-local $(DESTDIR)/$(sysconfdir)/apparmor.d/local/firejail-default; fi;"
+        # install apparmor base abstraction drop-in
+        sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d/abstractions ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d/abstractions; fi;"
+        sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d/abstractions/base.d ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d/abstractions/base.d; fi;"
+        install -m 0644 etc/apparmor/firejail-base $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/base.d
 endif
 ifneq ($(HAVE_MAN),no)
         # man pages
@@ -182,7 +191,7 @@ uninstall:
         rm -f $(DESTDIR)$(bindir)/firemon
         rm -f $(DESTDIR)$(bindir)/firecfg
         rm -fr $(DESTDIR)$(libdir)/firejail
-        rm -fr $(DESTDIR)$(libdir)/jailtest
+        rm -fr $(DESTDIR)$(libdir)/jailcheck
         rm -fr $(DESTDIR)$(datarootdir)/doc/firejail
         for man in $(MANPAGES); do \
                 rm -f $(DESTDIR)$(mandir)/man5/$$man*; \
diff --git a/README b/README
index 99beaf694..a9e6b98c3 100644
--- a/README
+++ b/README
@@ -1,18 +1,18 @@
-Firejail  is  a  SUID sandbox program that reduces the risk of security
-breaches by restricting the running environment of  untrusted  applications
+Firejail is a SUID sandbox program that reduces the risk of security
+breaches by restricting the running environment of untrusted applications
 using Linux namespaces and seccomp-bpf. It includes sandbox profiles for
 Iceweasel/Mozilla Firefox, Chromium, Midori, Opera, Evince, Transmission,
 VLC, Audacious, Clementine, Rhythmbox, Totem, Deluge, qBittorrent.
 DeaDBeeF, Dropbox, Empathy, FileZilla, IceCat, Thunderbird/Icedove,
 Pidgin, Quassel, and XChat.
 
-Firejail also expands the restricted shell facility found  in  bash  by adding
-Linux  namespace support. It supports sandboxing specific users upon login.
+Firejail also expands the restricted shell facility found in bash by adding
+Linux namespace support. It supports sandboxing specific users upon login.
 
 Download: https://sourceforge.net/projects/firejail/files/
 Build and install: ./configure && make && sudo make install
 Documentation and support: https://firejail.wordpress.com/
-Video Channel: https://www.youtube.com/channel/UCi5u-syndQYyOeV4NZ04hNA
+Video Channel: https://www.brighteon.com/channels/netblue30
 Backup Video Channel: https://www.bitchute.com/profile/JSBsA1aoQVfW/
 Development: https://github.com/netblue30/firejail
 License: GPL v2
@@ -45,6 +45,7 @@ Committers
 - Kelvin M. Klann (https://github.com/kmk3)
 - Kristóf Marussy (https://github.com/kris7t)
 - Neo00001 (https://github.com/Neo00001)
+- pirate486743186 (https://github.com/pirate486743186)
 - Reiner Herrmann (https://github.com/reinerh - Debian/Ubuntu maintainer)
 - rusty-snake (https://github.com/rusty-snake)
 - smitsohu (https://github.com/smitsohu)
@@ -67,11 +68,15 @@ Firejail Authors (alphabetical order)
         - fix flameshot raw screenshots
 1dnrr (https://github.com/1dnrr)
         - add pybitmessage profile
+a1346054 (https://github.com/a1346054)
+        - add missing final newlines in various files
 Ádler Jonas Gross (https://github.com/adgross)
         - AppArmor fix
 Adrian L. Shaw (https://github.com/adrianlshaw)
         - add profanity profile
         - add barrirer profile
+        - add profile for Beyond All Reason
+        - RPCS3 profile
 Aidan Gauland (https://github.com/aidalgol)
         - added electron, riot-web and npm profiles
         - whitelist Bohemia Interactive config dir for Steam
@@ -80,6 +85,8 @@ Akhil Hans Maulloo (https://github.com/kouul)
 Albin Kauffmann (https://github.com/albinou)
         - Firefox and Chromium profile fixes
         - info to allow screen sharing in profiles
+Alex Leahu (https://github.com/alxjsn)
+        - fix screen sharing configuration on Wayland
 Alexey Kuznetsov (kuznet@ms2.inr.ac.ru)
         - src/lib/libnetlink.c extracted from iproute2 software package
 Aleksey Manevich (https://github.com/manevich)
@@ -109,6 +116,9 @@ Amin Vakil (https://github.com/aminvakil)
         - whois profile fix
         - added profile for strawberry
         - w3m profile fix
+        - disable seccomp in wireshark profile
+Ammon Smith (https://github.com/ammongit)
+        - Add DBus filter rules specific to firefox-developer-edition
 Andreas Hunkeler (https://github.com/Karneades)
         - Add profile for offical Linux Teams application
 Andrey Alekseenko (https://github.com/al42and)
@@ -124,6 +134,9 @@ announ (https://github.com/announ)
         - evince profile fix
 Anton Shestakov (https://github.com/antonv6)
         - add whitelist items for uim
+        - allow /etc/vulkan in steam profile
+        - allow ~/.cache/wine in lutris and wine profile
+        - support MangoHud in steam profile
 Antonio Russo (https://github.com/aerusso)
         - enumerate root directories in apparmor profile
         - fix join-or-start
@@ -143,6 +156,9 @@ Austin S. Hemmelgarn (https://github.com/Ferroin)
         - unbound profile update
 Avi Lumelsky (https://github.com/avilum)
         - syscall.sh improvements
+avallach2000 (https://github.com/avallach2000(
+        - fix qbittorrent profile
+        - support for changing appearance of the Qt6 apps with qt6ct
 avoidr (https://github.com/avoidr)
         - whitelist fix
         - recently-used.xbel fix
@@ -167,6 +183,8 @@ Bandie (https://github.com/Bandie)
         - fixed riot-desktop
 Barış Ekin Yıldırım (https://github.com/circuitshaker)
         - removing net none from code.profile
+Bart Bakker (https://github.com/bjpbakker)
+        - multimc5: fix exec of LWJGL libraries
 bbhtt (https://github.com/bbhtt)
         - improvements to balsa,fractal,gajim,trojita profiles
         - improvements to nheko, spectral, feh, links, lynx, smplayer profiles
@@ -181,6 +199,7 @@ bitfreak25 (https://github.com/bitfreak25)
         - added PlayOnLinux profile
         - minetest profile fix
         - added sylpheed profile
+
 bn0785ac (https://github.com/bn0785ac)
         - fixed bnox, dnox profiles
         - support all tor-browser langpacks
@@ -203,6 +222,8 @@ Bundy01 (https://github.com/Bundy01)
         - fixup geary
         - add gradio profile
         - update virtualbox.profile
+        - Quodlibet profile
+        - update apparmor firejail-local for Brave + ipfs
 BytesTuner (https://github.com/BytesTuner)
         - provided keepassxc profile
 caoliver (https://github.com/caoliver)
@@ -211,8 +232,13 @@ Carlo Abelli (https://github.com/carloabelli)
         - fixed udiskie profile
         - Allow mbind syscall for GIMP
         - fixed simple-scan
+Case_Of (https://github.com/CaseOf)
+        - added Seafile profile
 Cat (https://github.com/ecat3)
         - prevent tmux connecting to an existing session
+cayday (https://github.com/caydey)
+        - added ~/Private blacklist in disable-common.inc
+        - added quiet to some CLI profiles
 Christian Pinedo (https://github.com/chrpinedo)
         - added nicotine profile
         - allow python3 in totem profile
@@ -238,6 +264,11 @@ crass (https://github.com/crass)
         - extract_command_name fixes
         - update appimage size calculation to newest code from libappimage
         - firejail should look for processes with names exactly named
+croket (https://github.com/crocket)
+        - fix librewolf profile
+        - added profiles for imv, retroarch, and torbrowser
+        - fix dino profile
+        - fix wireshark profile
 curiosity-seeker (https://github.com/curiosity-seeker - old)
 curiosityseeker (https://github.com/curiosityseeker - new)
         - tightening unbound and dnscrypt-proxy profiles
@@ -279,6 +310,7 @@ Davide Beatrici (https://github.com/davidebeatrici)
         - steam.profile: correctly blacklist unneeded directories in user's home
         - minetest fixes
         - map /dev/input with "--private-dev", add "--no-input" option to disable it
+        - whitelist /usr/share/TelegramDesktop in telegram.profile
 David Hyrule (https://github.com/Svaag)
         - remove nou2f in ssh profile
 Deelvesh Bunjun (https://github.com/DeelveshBunjun)
@@ -295,9 +327,13 @@ DiGitHubCap (https://github.com/DiGitHubCap)
         - fix qt5ct colour schemes and QSS
 Disconnect3d (https://github.com/disconnect3d)
         - code cleanup
+dm9pZCAq (https://github.com/dm9pZCAq)
+        - fix for compilation under musl
 dmfreemon (https://github.com/dmfreemon)
         - add sandbox name or name of private directory to the window title when xpra is used
         - handle malloc() failures; use gnu_basename() instead of basenaem()
+Dmitriy Chestnykh (https://github.com/chestnykh)
+        - add ability to disable user profiles at compile time
 dshmgh (https://github.com/dshmgh)
         - overlayfs fix for systems with /home mounted on a separate partition
 Duncan Overbruck (https://github.com/Duncaen)
@@ -307,6 +343,8 @@ Duncan Overbruck (https://github.com/Duncaen)
 Eduard Tolosa (https://github.com/Edu4rdSHL)
         - fixed and hardened qpdfview.profile
         - fixed gajim.profile
+Eklektisk (https://github.com/Eklektisk)
+        - update librewolf.profile: use new d-bus message bus
 emacsomancer (https://github.com/emacsomancer)
         - added profile for Conkeror browser
 Emil Gedda (https://github.com/EmilGedda)
@@ -322,10 +360,12 @@ Felipe Barriga Richards (https://github.com/fbarriga)
         - --private-etc fix
 fenuks (https://github.com/fenuks)
         - fix sound in games using FMOD
+        - allow /opt/tor-browser for Tor Browser profile
 Florian Begusch (https://github.com/florianbegusch)
         - (la)tex profiles
         - fixed transmission-common.profile
         - fixed standardnotes-desktop.profile
+        - fix jailprober.py
 floxo (https://github.com/floxo)
         - fixed qml disk cache issue
 Franco (nextime) Lanza (https://github.com/nextime)
@@ -435,6 +475,8 @@ hamzadis (https://github.com/hamzadis)
         - added --overlay-named=name and --overlay-path=path
 Hans-Christoph Steiner (https://github.com/eighthave)
         - added xournal profile
+Harald Kubota (https://github.com/haraldkubota)
+        - zsh completion
 hawkey116477 (https://github.com/hawkeye116477)
         - added Waterfox profile
         - updated Cyberfox profile
@@ -442,9 +484,12 @@ hawkey116477 (https://github.com/hawkeye116477)
 Helmut Grohne (https://github.com/helmutg)
         -  compiler support in the build system - Debian bug #869707
 hhzek0014 (https://github.com/hhzek0014)
-        - updated  bibletime.profile
+        - updated bibletime.profile
 hlein (https://github.com/hlein)
         - strip out \r's from jail prober
+        - make env/arg sanity check failure messages more useful
+        - relocate firecfg.config to /etc/firejail/
+        - fix display profile for Gentoo distribution
 Holger Heinz (https://github.com/hheinz)
         - manpage work
 Haowei Yu (https://github.com/sfc-gh-hyu)
@@ -467,6 +512,8 @@ irregulator (https://github.com/irregulator)
 Irvine (https://github.com/Irvinehimself)
         - added conky profile
         - added ping, bsdtar, makepkg (Arch), archaudit-report, cower (Arch) profiles
+Ivan (https://github.com/ordinary-dev)
+        - fix telegram profile
 Ivan Kozik (https://github.com/ivan)
         - speed up sandbox exit
 Jaykishan Mutkawoa (https://github.com/jmutkawoa)
@@ -476,6 +523,13 @@ James Elford (https://github.com/jelford)
         - removed shell none from ssh-agent configuration, fixing the infinite loop
         - added gcloud profile
         - blacklist sensitive cloud provider files in disable-common
+Jan-Niclas (https://github.com/0x6a61)
+        - moved rules from firefox-common.profile to firefox.profile
+        - blacklist /*firefox* except for firefox itself
+        - fix Firefox 'Profile not found' - whitelist /run/user/xxx/firefox
+Jan Sonntag (https://github.com/jmetrius)
+        - added OpenStego profile
+        - allow common access to EGL External platform configuration directory
 Jean Lucas (https://github.com/flacks)
         - fix Discord profile
         - add AnyDesk profile
@@ -496,6 +550,7 @@ Jean-Philippe Eisenbarth (https://github.com/jpeisenbarth)
         - fixed spotify.profile
 Jeff Squyres (https://github.com/jsquyres)
         - various manpage fixes
+        - cmdline.c: optionally quote the resulting command line
 Jericho (https://github.com/attritionorg)
         - spelling
 Jesse Smith (https://github.com/slicer69)
@@ -511,6 +566,7 @@ John Mullee (https://github.com/jmullee)
 Jonas Heinrich (https://github.com/onny)
         - added signal-desktop profile
         - fixed franz profile
+        - remove /etc/hosts is_link check for NixOS
 Jose Riha (https://github.com/jose1711)
         - added meteo-qt profile
         - created qgis, links, xlinks profiles
@@ -520,6 +576,12 @@ Jose Riha (https://github.com/jose1711)
         - Add davfs2 secrets file to blacklist
         - Add profile for udiskie
         - fix udiskie.profile
+        - improve hints for allowing browser access to Gnome extensions connector
+        - fix warshow, jumpnbump, tremulous, blobwars profile fixes
+        - drop noinput for games with gampad/joystick support
+        - goldendict profile fix
+        - whitelist /usr/share/nextcloud to allow access to translation files
+        - fix clipgrab profile
 jrabe (https://github.com/jrabe)
         - disallow access to kdbx files
         - Epiphany profile
@@ -552,9 +614,10 @@ Kishore96in (https://github.com/Kishore96in)
         - added falkon profile
         - kxmlgui fixes
         - okular profile fixes
-        -  jitsi-meet-desktop profile
+        - jitsi-meet-desktop profile
         - konversatin profile fix
         - added Neochat profile
+        - added whitelist-1793-workaround.inc
 KOLANICH (https://github.com/KOLANICH)
         - added symlink fixer fix_private-bin.py in contrib section
         - update fix_private-bin.py
@@ -564,6 +627,10 @@ kortewegdevries (https://github.com/kortewegdevries)
         - whitelisting evolution, kmail
 Kristóf Marussy (https://github.com/kris7t)
         - dns support
+kuesji koesnu (https://github.com/kuesji)
+        - unit suffixes for rlimit-fsize and rlimit-as
+        - util.c and firejail.h fixes
+        - better parser for size strings
 Kunal Mehta (https://github.com/legoktm)
         - converted all links to https in manpages
 laniakea64 (https://github.com/laniakea64)
@@ -574,6 +641,9 @@ Laurent Declercq (https://github.com/nuxwin)
         - fixed test for shell interpreter in chroots
 LaurentGH (https://github.com/LaurentGH)
         - allow private-bin parameters to be absolute paths
+lecso7 (https://github.com/lecso7)
+        - added goldendict profile
+        - allow evince to read .cbz file format
 Loïc Damien (https://github.com/dzamlo)
         - small fixes
 Liorst4 (https://github.com/Liorst4)
@@ -587,6 +657,8 @@ Lukáš Krejčí (https://github.com/lskrejci)
         - fixed parsing of --keep-var-tmp
 luzpaz (https://github.com/luzpaz)
         - code spelling fixes
+lxeiqr (https://github.com/lxeiqr)
+        - fix sndio support
 Mace Muilman (https://github.com/mace015)
         - google-chrome{,beta,unstable} flags
 maces (https://github.com/maces)
@@ -604,12 +676,16 @@ Martin Carpenter (https://github.com/mcarpenter)
 Martin Dosch (spam-debian@mdosch.de)
         - support for gnome-shell integration addon in Firefox
           (Bug-Debian: https://bugs.debian.org/872720)
+Martynas Janonis (https://github.com/mjanonis)
+        - update wrc for Arch Linux
 Matt Parnell (https://github.com/ilikenwf)
         - whitelisting for core firefox related functionality
 Mattias Wadman (https://github.com/wader)
         - seccomp errno filter support
 Matthew Gyurgyik (https://github.com/pyther)
         - rpm spec and several fixes
+Matthew Cline (https://github.com/matthew-cline)
+        - steam profile and dropbox profile fixes
 matu3ba (https://github.com/matu3ba)
         - evince hardening, dbus removed
         - fix dia profile
@@ -625,6 +701,8 @@ Michael Hoffmann (https://github.com/brisad)
         - added support for subdirs in private-etc
 Mike Frysinger (vapier@gentoo.org)
         - Gentoo compile patch
+minus7 (https://github.com/minus7)
+        - fix hanging arp_check
 mirabellette (https://github.com/mirabellette)
         - add comment to thunderbird.profile to allow Firefox to load profiles
 mjudtmann (https://github.com/mjudtmann)
@@ -643,18 +721,28 @@ Neo00001 (https://github.com/Neo00001)
         - update telegram profile
         - add spectacle profile
         - add kdiff3 profile
+NetSysFire (https://github.com/NetSysFire)
+        - update weechat profile
 Nick Fox (https://github.com/njfox)
         - add a profile alias for code-oss
         - add code-oss config directory
         - fix wire-desktop.profile on arch
 NickMolloy (https://github.com/NickMolloy)
         - ARP address length fix
+Nico (https://github.com/dr460nf1r3)
+        - added FireDragon profile
+Nicola Davide Mannarelli (https://github.com/nidamanx)
+        - fix "Could not create AF_NETLINK socket"
+        - added nextcloud profiles
+        - Firefox, KeepassXC, Telegram fixes
 Niklas Haas (https://github.com/haasn)
         - blacklisting for keybase.io's client
 Niklas Goerke (https://github.com/Niklas974)
         - update QOwnNotes profile
 Nikos Chantziaras (https://github.com/realnc)
         - fix audio support for Discord
+nolanl (https://github.com/nolanl)
+        - added localtime to signal-desktop's profile
 nyancat18 (https://github.com/nyancat18)
         - added ardour4, dooble, karbon, krita profiles
 Ondra Nekola (https://github.com/satai)
@@ -662,7 +750,7 @@ Ondra Nekola (https://github.com/satai)
 OndrejMalek (https://github.com/OndrejMalek)
         - various manpage fixes
 Ondřej Nový (https://github.com/onovy)
-        -  allow video for Signal profile
+        - allow video for Signal profile
         - added Mattermost desktop profile
         - hardened Zoom profile
         - hardened Signal desktop profile
@@ -679,7 +767,7 @@ Patrick Toomey (https://sourceforge.net/u/ptoomey/profile/)
 Paul Moore <pmoore@redhat.com>
         -src/fsec-print/print.c extracted from libseccomp software package
 Paupiah Yash (https://github.com/CaffeinatedStud)
-        - gzip  profile
+        - gzip profile
 Pawel (https://github.com/grimskies)
         - make --join return exit code of the invoked program
 Peter Millerchip (https://github.com/pmillerchip)
@@ -702,6 +790,8 @@ Petter Reinholdtsen (pere@hungry.com)
 PharmaceuticalCobweb (https://github.com/PharmaceuticalCobweb)
         - fix quiterss profile
         - added profile for gnome-ring
+pholodniak (https://github.com/pholodniak)
+        - profstats fixes
 pianoslum (https://github.com/pianoslum)
         - nodbus breaking evince two-page-view warning
 pirate486743186 (https://github.com/pirate486743186)
@@ -709,6 +799,18 @@ pirate486743186 (https://github.com/pirate486743186)
         - mpsyt profile
         - fix youtube-dl and mpv
         - fix gnome-mpv profile
+        - fix gunzip profile
+        - reorganizing youtube-viewers
+        - fix pluma profile
+        - whitelist /var/lib/aspell
+        - mcomix fixes
+        - fixing engrampa profile
+        - adding qcomicbook and pipe-viewer in disable-programs
+        - newsboat/newsbeuter profiles
+        - fix atril profile
+        - reorganizing links browsers
+        - added rtv, alpine, mcomix, qcomicbook, googler, ddgr profiles
+        - w3m, zahura, profile.template fixes
 Pixel Fairy (https://github.com/xahare)
         - added fjclip.py, fjdisplay.py and fjresize.py in contrib section
 PizzaDude (https://github.com/pizzadude)
@@ -744,10 +846,17 @@ Rahul Golam (https://github.com/technoLord)
         - strings profile
 RandomVoid (https://github.com/RandomVoid)
         - fix building C# projects in Godot
+        - fix Lutris profile
+        - fix running games with enabled Feral GameMode in Lutris
 Raphaël Droz (https://github.com/drzraf)
         - zoom profile fixes
 realaltffour (https://github.com/realaltffour)
         - add lynx support to newsboat profile
+Reed Riley (https://github.com/reedriley)
+        - cointop profile
+        - 1password profile
+        - blacklist rclone, 1Password, Ledger Live and cointop
+        - allow Signal to open links in Firefox
 Reiner Herrmann (https://github.com/reinerh)
         - a number of build patches
         - man page fixes
@@ -785,6 +894,8 @@ rusty-snake (https://github.com/rusty-snake)
         - some typo fixes
         - added profile templates
         - added sort.py to contrib
+sak96 (https://github.com/sak96)
+        - discord profile fixes
 Salvo 'LtWorf' Tomaselli (https://github.com/ltworf)
         - fixed ktorrent profile
 sarneaud (https://github.com/sarneaud)
@@ -796,6 +907,8 @@ Sebastian Hafner (https://github.com/DropNib)
 Senemu (https://github.com/Senemu)
         - protection for .pythonrc.py
         - fixed evince
+Seonwoo Lee (https://github.com/seonwoolee)
+        - fix teams ignoring input sources e.g. microphones
 Sergey Alirzaev (https://github.com/l29ah)
         - firejail.h enum fix
         - firefox-common-addons.inc: + tridactyl
@@ -813,6 +926,8 @@ sinkuu (https://github.com/sinkuu)
         - fix symlink invocation for programs placing symlinks in $PATH
 Simo Piiroinen (https://github.com/spiiroin)
         - Jolla/SailfishOS patches
+slowpeek (https://github.com/slowpeek)
+        - refine appimage example in docs
 smitsohu (https://github.com/smitsohu)
         - read-only kde4 services directory
         - enhanced mediathekview profile
@@ -864,6 +979,8 @@ SkewedZeppelin (https://github.com/SkewedZeppelin)
         - hardern /var
         - profile standard layout
         - Spotify and itch.io profile fixes
+Spacewalker2 (https://github.com/Spacewalker2)
+        - fix  MediathekView profile
 sshirokov (https://sourceforge.net/u/yshirokov/profile/)
         - Patch to output "Reading profile" to stderr instead of stdout
 SYN-cook (https://github.com/SYN-cook)
@@ -887,7 +1004,7 @@ SYN-cook (https://github.com/SYN-cook)
         - gnome-calculator changes
 startx2017 (https://github.com/startx2017)
         - syscall list update
-        - updated default seccomp filters - added  bpf, clock_settime, personality, process_vm_writev, query_module,
+        - updated default seccomp filters - added bpf, clock_settime, personality, process_vm_writev, query_module,
                       settimeofday, stime, umount, userfaultfd, ustat, vm86, and vm86old
         - enable/disable join support in /etc/firejail/firejail.config
         - firecfg fix: create ~/.local/share/applications directory if it doesn't exist
@@ -938,6 +1055,14 @@ Topi Miettinen (https://github.com/topimiettinen)
         - improve loading of seccomp filter and memory-deny-write-execute feature
         - private-lib feature
         - make --nodbus block also system D-Bus socket
+Ted Robertson (https://github.com/tredondo)
+        - webstorm profile fixes
+        - added bcompare profile
+        - various documentation fixes
+        - blacklist Exodus wallet
+        - blacklist monero-project directory
+Tus1688 (https://github.com/Tus1688)
+        - added neovim profile
 user1024 (user1024@tut.by)
         - electron profile whitelisting
         - fixed Rocket.Chat profile
@@ -989,11 +1114,14 @@ Vincent43 (https://github.com/Vincent43)
         - apparmor enhancements
 Vincent Blillault (https://github.com/Feandil)
         - fix mumble profile
+Vincent Lefèvre (https://github.com/vinc17fr)
+        - blacklist rxvt after the blacklist of Perl
+        - Noblacklist rxvt in allow-perl.inc
 vismir2 (https://github.com/vismir2)
         - feh, ranger, 7z, keepass, keepassx and zathura profiles
         - claws-mail, mutt, git, emacs, vim profiles
         - lots of profile fixes
-        -  support for truecrypt and zuluCrypt
+        - support for truecrypt and zuluCrypt
 viq (https://github.com/viq)
         - discord-canary profile
 Vladimir Gorelov (https://github.com/larkvirtual)
@@ -1001,9 +1129,21 @@ Vladimir Gorelov (https://github.com/larkvirtual)
 Vladimir Schowalter (https://github.com/VladimirSchowalter20)
         - apparmor profile enhancements
         - various KDE profile enhancements
-        read-only kde5 services directory
+        - read-only kde5 services directory
+Vladislav Nepogodin (https://github.com/vnepogodin)
+        - added Librewolf profiles
+        - added Sway profile
+        - fix CLion profile
+        - fixes for disable-programs.inc
+        - CachyBrowser profile
+Hugo Osvaldo Barrera (https://github.com/WhyNotHugo)
+        - Skype profile tweaks
+        - whitelist-ro command
 xee5ch (https://github.com/xee5ch)
         - skypeforlinux profile
+York Zhao (https://github.com/YorkZ)
+        - tor browser profile fix
+        - allow telegram to open hyperlinks
 Ypnose (https://github.com/Ypnose)
         - disable-shell.inc: add mksh shell
 yumkam (https://github.com/yumkam)
@@ -1031,4 +1171,4 @@ Zack Weinberg (https://github.com/zackw)
 zupatisc (https://github.com/zupatisc)
         - patch-util fix
 
-Copyright (C) 2014-2021 Firejail Authors
+Copyright (C) 2014-2022 Firejail Authors
diff --git a/README.md b/README.md
index 40e9eff41..01d24db1b 100644
--- a/README.md
+++ b/README.md
@@ -22,43 +22,23 @@ implemented directly in Linux kernel and available on any Linux computer.
 <table><tr>
 
 <td>
-<a href="http://www.youtube.com/watch?feature=player_embedded&v=7RMz7tePA98
-" target="_blank"><img src="http://img.youtube.com/vi/7RMz7tePA98/0.jpg"
-alt="Firejail Introduction" width="240" height="180" border="10" /><br/>Firejail Intro</a>
+<a href="https://www.brighteon.com/6ebef4a5-20fe-4071-9d03-e6172c806ff7" target="_blank">
+<img src="https://photos.brighteon.com/thumbnail/092dccab-9974-4775-93d2-35e31b2ebf61"
+alt="Advanced Browser Security" width="240" height="142" border="10" /><br/>Advanced Browser Security</a>
 </td>
 
 <td>
-<a href="http://www.youtube.com/watch?feature=player_embedded&v=J1ZsXrpAgBU
-" target="_blank"><img src="http://img.youtube.com/vi/J1ZsXrpAgBU/0.jpg"
-alt="Firejail Demo" width="240" height="180" border="10" /><br/>Firejail Demo</a>
+<a href="https://www.brighteon.com/f09f693a-9847-4d9e-aaaf-60f756cc3833" target="_blank">
+<img src="https://photos.brighteon.com/thumbnail/ab951131-81c7-4a6b-b483-924a342fea11"
+alt="How To Disable Network Access" width="240" height="142" border="10" /><br/>How To Disable Network Access</a>
 </td>
 
 <td>
-<a href="http://www.youtube.com/watch?feature=player_embedded&v=EyEz65RYfw4
-" target="_blank"><img src="http://img.youtube.com/vi/EyEz65RYfw4/0.jpg"
-alt="Debian Install" width="240" height="180" border="10" /><br/>Debian Install</a>
+<a href="https://www.brighteon.com/94ae1731-2352-4cda-bb48-7cc7a6ad32f8" target="_blank">
+<img src="https://photos.brighteon.com/thumbnail/5c90254c-61f3-4927-ac57-ae279dc543cf"
+alt="Deep Dive" width="240" height="142" border="10" /><br/>Deep Dive</a>
 </td>
 
-
-</tr><tr>
-<td>
-<a href="http://www.youtube.com/watch?feature=player_embedded&v=Uy2ZTHc4s0w
-" target="_blank"><img src="http://img.youtube.com/vi/Uy2ZTHc4s0w/0.jpg"
-alt="Arch Linux Install" width="240" height="180" border="10" /><br/>Arch Linux Install</a>
-
-</td>
-<td>
-<a href="http://www.youtube.com/watch?feature=player_embedded&v=xuMxRx0zSfQ
-" target="_blank"><img src="http://img.youtube.com/vi/xuMxRx0zSfQ/0.jpg"
-alt="Disable Network Access" width="240" height="180" border="10" /><br/>Disable Network Access</a>
-
-</td>
-<td>
-<a href="http://www.youtube.com/watch?feature=player_embedded&v=N-Mso2bSr3o
-" target="_blank"><img src="http://img.youtube.com/vi/N-Mso2bSr3o/0.jpg"
-alt="Firejail Security Deep Dive" width="240" height="180" border="10" /><br/>Firejail Security Deep Dive</a>
-
-</td>
 </tr></table>
 
 Project webpage: https://firejail.wordpress.com/
@@ -75,7 +55,7 @@ Wiki: https://github.com/netblue30/firejail/wiki
 
 GitLab-CI status: https://gitlab.com/Firejail/firejail_ci/pipelines/
 
-Video Channel: https://www.youtube.com/channel/UCi5u-syndQYyOeV4NZ04hNA
+Video Channel: https://www.brighteon.com/channels/netblue30
 
 Backup Video Channel: https://www.bitchute.com/profile/JSBsA1aoQVfW/
 
@@ -114,9 +94,47 @@ https://unparalleled.eu/blog/2021/20210208-rigged-race-against-firejail-for-loca
 
 ## Installing
 
-Try installing Firejail from your system packages first. Firejail is included in Alpine, ALT Linux, Arch, Chakra, Debian, Deepin, Devuan, Fedora, Gentoo, Manjaro, Mint, NixOS, Parabola, Parrot, PCLinuxOS, ROSA, Solus, Slackware/SlackBuilds, Trisquel, Ubuntu, Void and possibly others.
+### Debian
+
+Debian stable (bullseye): We recommend to use the [backports](https://packages.debian.org/bullseye-backports/firejail) package.
+
+### Ubuntu
+
+For Ubuntu 18.04+ and derivatives (such as Linux Mint), users are **strongly advised** to use the [PPA](https://launchpad.net/~deki/+archive/ubuntu/firejail).
+
+How to add and install from the PPA:
 
-The firejail 0.9.52-LTS version is deprecated. On Ubuntu 18.04 LTS users are advised to use the [PPA](https://launchpad.net/~deki/+archive/ubuntu/firejail). On Debian buster we recommend to use the [backports](https://packages.debian.org/buster-backports/firejail) package.
+```sh
+sudo add-apt-repository ppa:deki/firejail
+sudo apt-get update
+sudo apt-get install firejail firejail-profiles
+```
+
+Reason: The firejail package for Ubuntu 20.04 has been left vulnerable to CVE-2021-26910 for months after a patch for it was posted on Launchpad:
+
+* [firejail version in Ubuntu 20.04 LTS is vulnerable to CVE-2021-26910](https://bugs.launchpad.net/ubuntu/+source/firejail/+bug/1916767)
+
+See also <https://wiki.ubuntu.com/SecurityTeam/FAQ>:
+
+> What software is supported by the Ubuntu Security team?
+>
+> Ubuntu is currently divided into four components: main, restricted, universe
+> and multiverse. All binary packages in main and restricted are supported by
+> the Ubuntu Security team for the life of an Ubuntu release, while binary
+> packages in universe and multiverse are supported by the Ubuntu community.
+
+Additionally, the PPA version is likely to be more recent and to contain more profile fixes.
+
+See the following discussions for details:
+
+* [Should I keep using the version of firejail available in my distro repos?](https://github.com/netblue30/firejail/discussions/4666)
+* [How to install the latest version on Ubuntu and derivatives](https://github.com/netblue30/firejail/discussions/4663)
+
+### Other
+
+Firejail is included in a large number of Linux distributions.
+
+Note: The firejail 0.9.52-LTS version is deprecated.
 
 You can also install one of the [released packages](http://sourceforge.net/projects/firejail/files/firejail), or clone Firejail’s source code from our Git repository and compile manually:
 
@@ -126,18 +144,18 @@ $ cd firejail
 $ ./configure && make && sudo make install-strip
 `````
 On Debian/Ubuntu you will need to install git and gcc compiler. AppArmor
-development libraries and pkg-config are required when using --apparmor
+development libraries and pkg-config are required when using `--apparmor`
 ./configure option:
 `````
 $ sudo apt-get install git build-essential libapparmor-dev pkg-config gawk
 `````
-For --selinux option, add libselinux1-dev (libselinux-devel for Fedora).
+For `--selinux` option, add libselinux1-dev (libselinux-devel for Fedora).
 
 Detailed information on using firejail from git is available on the [wiki](https://github.com/netblue30/firejail/wiki/Using-firejail-from-git).
 
 ## Running the sandbox
 
-To start the sandbox, prefix your command with “firejail”:
+To start the sandbox, prefix your command with `firejail`:
 
 `````
 $ firejail firefox            # starting Mozilla Firefox
@@ -145,7 +163,7 @@ $ firejail transmission-gtk   # starting Transmission BitTorrent
 $ firejail vlc                # starting VideoLAN Client
 $ sudo firejail /etc/init.d/nginx start
 `````
-Run "firejail --list" in a terminal to list all active sandboxes. Example:
+Run `firejail --list` in a terminal to list all active sandboxes. Example:
 `````
 $ firejail --list
 1617:netblue:/usr/bin/firejail /usr/bin/firefox-esr
@@ -170,7 +188,7 @@ PulseAudio changes.
 Start your programs the way you are used to: desktop manager menus, file manager, desktop launchers.
 The integration applies to any program supported by default by Firejail. There are about 250 default applications
 in current Firejail version, and the number goes up with every new release.
-We keep the application list in [/usr/lib/firejail/firecfg.config](https://github.com/netblue30/firejail/blob/master/src/firecfg/firecfg.config) file.
+We keep the application list in [/etc/firejail/firecfg.config](https://github.com/netblue30/firejail/blob/master/src/firecfg/firecfg.config) file.
 
 ## Security profiles
 
@@ -188,152 +206,57 @@ Use this issue to request new profiles: [#1139](https://github.com/netblue30/fir
 You can also use this tool to get a list of syscalls needed by a program: [contrib/syscalls.sh](contrib/syscalls.sh).
 
 We also keep a list of profile fixes for previous released versions in [etc-fixes](https://github.com/netblue30/firejail/tree/master/etc-fixes) directory.
-`````
 
-`````
-## Latest released version: 0.9.64
+## Latest released version: 0.9.68
 
-## Current development version: 0.9.65
+## Current development version: 0.9.69
 
 Milestone page: https://github.com/netblue30/firejail/milestone/1
-Release discussion: https://github.com/netblue30/firejail/issues/3696
 
-### jailtest
-`````
-JAILTEST(1)                    JAILTEST man page                   JAILTEST(1)
-
-NAME
-       jailtest - Simple utility program to test running sandboxes
-
-SYNOPSIS
-       sudo jailtest [OPTIONS] [directory]
-
-DESCRIPTION
-       WORK IN PROGRESS!  jailtest attaches itself to all sandboxes started by
-       the user and performs some basic tests on the sandbox filesystem:
-
-       1. Virtual directories
-              jailtest extracts a list with the main virtual  directories  in‐
-              stalled by the sandbox.  These directories are build by firejail
-              at startup using --private* and --whitelist commands.
-
-       2. Noexec test
-              jailtest inserts executable programs  in  /home/username,  /tmp,
-              and  /var/tmp  directories and tries to run them form inside the
-              sandbox, thus testing if the directory is executable or not.
-
-       3. Read access test
-              jailtest creates test files in the directories specified by  the
-              user and tries to read them from inside the sandbox.
-
-       4. AppArmor test
-
-       5. Seccomp test
-
-       The program is started as root using sudo.
-
-OPTIONS
-       --debug
-              Print debug messages
-
-       -?, --help
-              Print options end exit.
-
-       --version
-              Print program version and exit.
-
-       [directory]
-              One  or  more  directories in user home to test for read access.
-              ~/.ssh and ~/.gnupg are tested by default.
-
-OUTPUT
-       For each sandbox detected we print the following line:
-
-            PID:USER:Sandbox Name:Command
-
-       It is followed by relevant sandbox information, such as the virtual di‐
-       rectories and various warnings.
-
-EXAMPLE
-       $ sudo jailtest
-       2014:netblue::firejail /usr/bin/gimp
-          Virtual dirs: /tmp, /var/tmp, /dev, /usr/share,
-          Warning: I can run programs in /home/netblue
-
-       2055:netblue::firejail /usr/bin/ssh -X netblue@x.y.z.net
-          Virtual dirs: /var/tmp, /dev, /usr/share, /run/user/1000,
-          Warning: I can read ~/.ssh
-
-       2186:netblue:libreoffice:firejail --appimage /opt/LibreOffice-fresh.ap‐
-       pimage
-          Virtual dirs: /tmp, /var/tmp, /dev,
-
-       26090:netblue::/usr/bin/firejail /opt/firefox/firefox
-          Virtual dirs: /home/netblue, /tmp, /var/tmp, /dev, /etc, /usr/share,
-                        /run/user/1000,
-
-       26160:netblue:tor:firejail --private=~/tor-browser_en-US ./start-tor
-          Warning: AppArmor not enabled
-          Virtual dirs: /home/netblue, /tmp, /var/tmp, /dev, /etc, /bin,
-                        /usr/share, /run/user/1000,
-          Warning: I can run programs in /home/netblue
-
-LICENSE
-       This program is free software; you can redistribute it and/or modify it
-       under  the  terms of the GNU General Public License as published by the
-       Free Software Foundation; either version 2 of the License, or (at  your
-       option) any later version.
-
-       Homepage: https://firejail.wordpress.com
-
-SEE ALSO
-       firejail(1),  firemon(1), firecfg(1), firejail-profile(5), firejail-lo‐
-       gin(5), firejail-users(5),
+### Shell tab completion
+```
+       --tab  Enable shell tab completion in sandboxes using private or whitelisted
+              home directories.
 
-0.9.65                             Feb 2021                        JAILTEST(1)
-`````
+              $ firejail --private --tab
+```
 
 ### Profile Statistics
 
-A small tool to print profile statistics. Compile as usual and run in /etc/profiles:
+A small tool to print profile statistics. Compile and install as usual. The tool is installed in /usr/lib/firejail directory.
+Run it over the profiles in /etc/profiles:
 ```
-$ sudo cp src/profstats/profstats /etc/firejail/.
-$ cd /etc/firejail
-$ ./profstats *.profile
-Warning: multiple caps in transmission-daemon.profile
+$ /usr/lib/firejail/profstats /etc/firejail/*.profile
+No include .local found in /etc/firejail/noprofile.profile
+Warning: multiple caps in /etc/firejail/transmission-daemon.profile
 
 Stats:
-    profiles                    1077
-    include local profile       1077   (include profile-name.local)
-    include globals             1077   (include globals.local)
-    blacklist ~/.ssh            971   (include disable-common.inc)
-    seccomp                     988
-    capabilities                1076
-    noexec                      960   (include disable-exec.inc)
-    memory-deny-write-execute   231
-    apparmor                    621
-    private-bin                 571
-    private-dev                 949
-    private-etc                 470
-    private-tmp                 835
-    whitelist home directory    508
-    whitelist var               758   (include whitelist-var-common.inc)
-    whitelist run/user          539   (include whitelist-runuser-common.inc
+    profiles                    1184
+    include local profile       1183   (include profile-name.local)
+    include globals             1152   (include globals.local)
+    blacklist ~/.ssh            1057   (include disable-common.inc)
+    seccomp                     1076
+    capabilities                1178
+    noexec                      1064   (include disable-exec.inc)
+    noroot                      985
+    memory-deny-write-execute   259
+    apparmor                    707
+    private-bin                 686
+    private-dev                 1040
+    private-etc                 537
+    private-tmp                 911
+    whitelist home directory    567
+    whitelist var               849   (include whitelist-var-common.inc)
+    whitelist run/user          1153   (include whitelist-runuser-common.inc
                                         or blacklist ${RUNUSER})
-    whitelist usr/share         526   (include whitelist-usr-share-common.inc
-    net none                    354
-    dbus-user none              573
-    dbus-user filter            86
-    dbus-system none            706
-    dbus-system filter          7
+    whitelist usr/share         621   (include whitelist-usr-share-common.inc
+    net none                    403
+    dbus-user none              670
+    dbus-user filter            114
+    dbus-system none            824
+    dbus-system filter          10
 ```
 
 ### New profiles:
 
-vmware-view, display-im6.q16, ipcalc, ipcalc-ng, ebook-convert, ebook-edit, ebook-meta, ebook-polish, lzop,
-avidemux, calligragemini, vmware-player, vmware-workstation, gget, com.github.phase1geo.minder, nextcloud-desktop,
-pcsxr, PPSSPPSDL, openmw, openmw-launcher, jami-gnome, PCSX2, bcompare, b2sum, cksum, md5sum, sha1sum, sha224sum,
-sha256sum, sha384sum, sha512sum, sum, librewold-nightly, Quodlibet, tmux, sway, alienarena, alienarena-wrapper,
-ballbuster, ballbuster-wrapper, colorful, colorful-wrapper, gl-117, gl-117-wrapper, glaxium, glaxium-wrapper,
-pinball, pinball-wrapper, etr-wrapper, neverball-wrapper, neverputt-wrapper, supertuxkart-wrapper, firedragon
-neochat
+onionshare, onionshare-cli, opera-developer
diff --git a/RELNOTES b/RELNOTES
index f62bf70bb..4849168f0 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,22 +1,112 @@
-firejail (0.9.65) baseline; urgency=low
+firejail (0.9.69) baseline; urgency=low
+  * work in progress
+  * feature: enable shell tab completion (#4936)
+  * feature: disable user profiles at compile time (#4990)
+  * rework: whitelist restructuring (#4985)
+  * bugfix: --private-cwd not expanding macros, broken hyperrogue (#4910)
+  * bugfix: nogroups + wrc prints confusing messages (#4930 #4933)
+  * bugfix: openSUSE Leap - whitelist-run-common.inc (#4954)
+  * bugfix: fix printing in evince (#5011)
+  * ci: replace centos (EOL) with almalinux (#4912)
+  * docs: Refer to firejail.config in configuration files (#4916)
+  * docs: firejail.config: add warning about allow-tray (#4946)
+  * new profiles: onionshare, onionshare-cli
+ -- netblue30 <netblue30@yahoo.com>  Mon, 7 Feb 2022 09:00:00 -0500
+
+firejail (0.9.68) baseline; urgency=low
+  * security: on Ubuntu, the PPA is now recommended over the distro package
+    (see README.md) (#4748)
+  * security: bugfix: private-cwd leaks access to the entire filesystem
+    (#4780); reported by Hugo Osvaldo Barrera
+  * feature: remove (some) environment variables with auth-tokens (#4157)
+  * feature: ALLOW_TRAY condition (#4510 #4599)
+  * feature: add basic Firejail support to AppArmor base abstraction (#3226
+    #4628)
+  * feature: intrusion detection system (--ids-init, --ids-check)
+  * feature: deterministic shutdown command (--deterministic-exit-code,
+     --deterministic-shutdown) (#928 #3042 #4635)
+  * feature: noprinters command (#4607 #4827)
+  * feature: network monitor (--nettrace)
+  * feature: network locker (--netlock) (#4848)
+  * feature: whitelist-ro profile command (#4740)
+  * feature: disable pipewire with --nosound (#4855)
+  * feature: Unset TMP if it doesn't exist inside of sandbox (#4151)
+  * feature: Allow apostrophe in whitelist and blacklist (#4614)
+  * feature: AppImage support in --build command (#4878)
+  * modifs: exit code: distinguish fatal signals by adding 128 (#4533)
+  * modifs: firecfg.config is now installed to /etc/firejail/ (#408 #4669)
+  * modifs: close file descriptors greater than 2 (--keep-fd) (#4845)
+  * modifs: nogroups now stopped causing certain system groups to be dropped,
+    which are now controlled by the relevant "no" options instead (such as
+    nosound -> drop audio group), which fixes device access issues on systems
+    not using (e)logind (such as with seatd) (#4632 #4725 #4732 #4851)
+  * removal: --disable-whitelist at compile time
+  * removal: whitelist=yes/no in /etc/firejail/firejail.config
+  * bugfix: Fix sndio support (#4362 #4365)
+  * bugfix: Error mounting tmpfs (MS_REMOUNT flag not being cleared) (#4387)
+  * bugfix: --build clears the environment (#4460 #4467)
+  * bugfix: firejail hangs with net parameter (#3958 #4476)
+  * bugfix: Firejail does not work with a custom hosts file (#2758 #4560)
+  * bugfix: --tracelog and --trace override /etc/ld.so.preload (#4558 #4586)
+  * bugfix: PATH_MAX is undeclared on musl libc (#4578 #4579 #4583 #4606)
+  * bugfix: firejail symlinks are not skipped with private-bin + globs (#4626)
+  * bugfix: Firejail rejects empty arguments (#4395)
+  * bugfix: firecfg does not work with symlinks (discord.desktop) (#4235)
+  * bugfix: Seccomp list output goes to stdout instead of stderr (#4328)
+  * bugfix: private-etc does not work with symlinks (#4887)
+  * bugfix: Hardware key not detected on keepassxc (#4883)
+  * build: allow building with address sanitizer (#4594)
+  * build: Stop linking pthread (#4695)
+  * build: Configure cleanup and improvements (#4712)
+  * ci: add profile checks for sorting disable-programs.inc and
+    firecfg.config and for the required arguments in private-etc (#2739 #4643)
+  * ci: pin GitHub actions to SHAs and use Dependabot to update them (#4774)
+  * docs: Add new command checklist to CONTRIBUTING.md (#4413)
+  * docs: Rework bug report issue template and add both a question and a
+    feature request template (#4479 #4515 #4561)
+  * docs: fix contradictory descriptions of machine-id ("preserves" vs
+    "spoofs") (#4689)
+  * docs: Document that private-bin and private-etc always accumulate (#4078)
+  * new includes: whitelist-run-common.inc (#4288), disable-X11.inc (#4462)
+  * new includes: disable-proc.inc (#4521)
+  * removed includes: disable-passwordmgr.inc (#4454 #4461)
+  * new profiles: microsoft-edge-beta, clion-eap, lifeograph, zim
+  * new profiles: io.github.lainsce.Notejot, rednotebook, gallery-dl
+  * new profiles: yt-dlp, goldendict, goldendict, bundle, cmake
+  * new profiles: make, meson, pip, codium, telnet, ftp, OpenStego
+  * new profiles: imv, retroarch, torbrowser, CachyBrowser,
+  * new profiles: notable, RPCS3, wget2, raincat, conitop, 1passwd,
+  * new profiles: Seafile, neovim, com.github.tchx84.Flatseal
+ -- netblue30 <netblue30@yahoo.com>  Sun, 6 Feb 2022 09:00:00 -0500
+
+firejail (0.9.66) baseline; urgency=low
+  * deprecated --audit options, relpaced by jailcheck utility
+  * deprecated follow-symlink-as-user from firejail.config
+  * new firejail.config settings: private-bin, private-etc
+  * new firejail.config settings: private-opt, private-srv
+  * new firejail.config settings: whitelist-disable-topdir
+  * new firejail.config settings: seccomp-filter-add
+  * removed kcmp syscall from seccomp default filter
+  * rename --noautopulse to keep-config-pulse
   * filtering environment variables
   * zsh completion
   * command line: --mkdir, --mkfile
   * --protocol now accumulates
   * Jolla/SailfishOS patches
   * private-lib rework
+  * whitelist rework
   * jailtest utility for testing running sandboxes
-  * removed --audit options, relpaced by jailtest
   * capabilities list update
   * faccessat2 syscall support
   * --private-dev keeps /dev/input
   * added --noinput to disable /dev/input
-  * Add support for subdirs in --private-etc
+  * add support for subdirs in --private-etc
   * compile time: --enable-force-nonewprivs
   * compile time: --disable-output
   * compile time: --enable-lts
   * subdirs support in private-etc
   * input devices support in private-dev, --no-input
+  * support trailing comments on profile lines
   * new profiles: vmware-view, display-im6.q16, ipcalc, ipcalc-ng
   * ebook-convert, ebook-edit, ebook-meta, ebook-polish, lzop,
   * avidemux, calligragemini, vmware-player, vmware-workstation
@@ -27,8 +117,10 @@ firejail (0.9.65) baseline; urgency=low
   * alienarena, alienarena-wrapper, ballbuster, ballbuster-wrapper,
   * colorful, colorful-wrapper, gl-117, gl-117-wrapper, glaxium,
   * glaxium-wrapper, pinball, pinball-wrapper, etr-wrapper, firedragon
-  * neverball-wrapper, neverputt-wrapper, supertuxkart-wrapper, neochat
- -- netblue30 <netblue30@yahoo.com>  Tue, 9 Feb 2021 09:00:00 -0500
+  * neverball-wrapper, neverputt-wrapper, supertuxkart-wrapper, neochat,
+  * cargo, LibreCAD, blobby, funnyboat, pipe-viewer, gtk-pipe-viewer
+  * links2, xlinks2, googler, ddgr, tin
+ -- netblue30 <netblue30@yahoo.com>  Mon, 28 Jun 2021 09:00:00 -0500
 
 firejail (0.9.64.4) baseline; urgency=low
   * disabled overlayfs, pending multiple fixes (CVE-2021-26910)
@@ -36,7 +128,7 @@ firejail (0.9.64.4) baseline; urgency=low
 
 firejail (0.9.64.2) baseline; urgency=low
   * allow --tmpfs inside $HOME for unprivileged users
-  * --disable-usertmpfs  compile time option
+  * --disable-usertmpfs compile time option
   * allow AF_BLUETOOTH via --protocol=bluetooth
   * Setup guide for new users: contrib/firejail-welcome.sh
   * implement netns in profiles
@@ -543,7 +635,7 @@ firejail (0.9.44) baseline; urgency=low
   * feature: disable 3D hardware acceleration (--no3d)
   * feature: x11 xpra, x11 xephyr, x11 block, allusers, no3d profile commands
   * feature: move files in sandbox (--put)
-  * feature: accept wildcard patterns in user  name field of restricted
+  * feature: accept wildcard patterns in user name field of restricted
     shell login feature
   * new profiles: qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape
   * new profiles: feh, ranger, zathura, 7z, keepass, keepassx,
@@ -585,7 +677,7 @@ firejail (0.9.42) baseline; urgency=low
   * compile time: disable whitelisting (--disable-whitelist)
   * compile time: disable global config (--disable-globalcfg)
   * run time: enable/disable overlayfs (overlayfs yes/no)
-  * run time: enable/disable  quiet as default (quiet-by-default yes/no)
+  * run time: enable/disable quiet as default (quiet-by-default yes/no)
   * run time: user-defined network filter (netfilter-default)
   * run time: enable/disable whitelisting (whitelist yes/no)
   * run time: enable/disable remounting of /proc and /sys
@@ -683,7 +775,7 @@ firejail (0.9.38) baseline; urgency=low
  -- netblue30 <netblue30@yahoo.com>  Tue, 2 Feb 2016 10:00:00 -0500
 
 firejail (0.9.36) baseline; urgency=low
-  * added  unbound, dnscrypt-proxy, BitlBee, HexChat, WeeChat,
+  * added unbound, dnscrypt-proxy, BitlBee, HexChat, WeeChat,
      parole and rtorrent profiles
   * Google Chrome profile rework
   * added google-chrome-stable profile
diff --git a/SECURITY.md b/SECURITY.md
index 92204da0a..5159a5f3d 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -2,23 +2,25 @@
 
 ## Supported Versions
 
-| Version | Supported by us    | EOL  | Supported by distribution |
-| ------- | ------------------ | ---- | ---------------------------
-| 0.9.64  | :heavy_check_mark: |      | :white_check_mark: Debian 10 **backports**, Debian 11 **backports**, Debian 12 (testing/unstable)
-| 0.9.62  | :x:                |      | :white_check_mark: Ubuntu 20.04 LTS, Ubuntu 20.10
-| 0.9.60  | :x:                | 29 Dec 2019 |
-| 0.9.58  | :x:                |      | :white_check_mark: Debian 9 **backports**, Debian 10
-| 0.9.56  | :x:                | 27 Jan 2019 |
-| 0.9.54  | :x:                | 18 Sep 2018 |
-| 0.9.52  | :x:                |      | :white_check_mark: Ubuntu 18.04 LTS
-| 0.9.50  | :x:                | 12 Dec 2017 |
-| 0.9.48  | :x:                | 09 Sep 2017 |
-| 0.9.46  | :x:                | 12 Jun 2017 |
-| 0.9.44  | :x:                |      | :white_check_mark: Debian 9
-| 0.9.42  | :x:                | 22 Oct 2016     |
-| 0.9.40  | :x:                | 09 Sep 2016     |
-| 0.9.38  | :x:                |      | :white_check_mark: Ubuntu 16.04 LTS
-| <0.9.38 | :x:                | Before 05 Feb 2016 |
+| Version | Supported by us    | EOL                | Supported by distribution                                                         |
+| ------- | ------------------ | ------------------ | --------------------------------------------------------------------------------- |
+| 0.9.68  | :heavy_check_mark: |                    |                                                                                   |
+| 0.9.66  | :x:                |                    | :white_check_mark: Debian 11 **backports**, Debian 12 (testing/unstable)          |
+| 0.9.64  | :x:                |                    | :white_check_mark: Debian 10 **backports**, Debian 11, Ubuntu 21.10               |
+| 0.9.62  | :x:                |                    | :white_check_mark: Ubuntu 20.04 LTS, Ubuntu 20.10                                 |
+| 0.9.60  | :x:                | 29 Dec 2019        |                                                                                   |
+| 0.9.58  | :x:                |                    | :white_check_mark: Debian 9 **backports**, Debian 10                              |
+| 0.9.56  | :x:                | 27 Jan 2019        |                                                                                   |
+| 0.9.54  | :x:                | 18 Sep 2018        |                                                                                   |
+| 0.9.52  | :x:                |                    | :white_check_mark: Ubuntu 18.04 LTS                                               |
+| 0.9.50  | :x:                | 12 Dec 2017        |                                                                                   |
+| 0.9.48  | :x:                | 09 Sep 2017        |                                                                                   |
+| 0.9.46  | :x:                | 12 Jun 2017        |                                                                                   |
+| 0.9.44  | :x:                |                    | :white_check_mark: Debian 9                                                       |
+| 0.9.42  | :x:                | 22 Oct 2016        |                                                                                   |
+| 0.9.40  | :x:                | 09 Sep 2016        |                                                                                   |
+| 0.9.38  | :x:                | 31 May 2016        |                                                                                   |
+| <0.9.38 | :x:                | Before 05 Feb 2016 |                                                                                   |
 
 ## Security vulnerabilities
 
diff --git a/ci/check/profiles/private-etc-always-required.sh b/ci/check/profiles/private-etc-always-required.sh
new file mode 100755
index 000000000..892b15aa4
--- /dev/null
+++ b/ci/check/profiles/private-etc-always-required.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+ALWAYS_REQUIRED=(alternatives ld.so.cache ld.so.preload)
+
+error=0
+while IFS=: read -r profile private_etc; do
+        for required in "${ALWAYS_REQUIRED[@]}"; do
+                if grep -q -v -E "( |,)$required(,|$)" <<<"$private_etc"; then
+                        printf '%s misses %s\n' "$profile" "$required" >&2
+                        error=1
+                fi
+        done
+done < <(grep "^private-etc " "$@")
+
+exit "$error"
diff --git a/ci/check/profiles/sort-disable-programs.sh b/ci/check/profiles/sort-disable-programs.sh
new file mode 100755
index 000000000..d81ee75d7
--- /dev/null
+++ b/ci/check/profiles/sort-disable-programs.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+tail -n +5 "$1" | LC_ALL=C sort -c -u
diff --git a/ci/check/profiles/sort-firecfg.config.sh b/ci/check/profiles/sort-firecfg.config.sh
new file mode 100755
index 000000000..17a595350
--- /dev/null
+++ b/ci/check/profiles/sort-firecfg.config.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+tail -n +4 "$1" | sed 's/^# /#/' | LC_ALL=C sort -c -d
diff --git a/ci/check/profiles/sort.py b/ci/check/profiles/sort.py
new file mode 120000
index 000000000..e1f3f5f16
--- /dev/null
+++ b/ci/check/profiles/sort.py
@@ -0,0 +1 @@
+../../../contrib/sort.py
\ No newline at end of file
diff --git a/configure b/configure
index e5e0dcc0d..6611a8817 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for firejail 0.9.65.
+# Generated by GNU Autoconf 2.69 for firejail 0.9.69.
 #
 # Report bugs to <netblue30@protonmail.com>.
 #
@@ -580,8 +580,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='firejail'
 PACKAGE_TARNAME='firejail'
-PACKAGE_VERSION='0.9.65'
-PACKAGE_STRING='firejail 0.9.65'
+PACKAGE_VERSION='0.9.69'
+PACKAGE_STRING='firejail 0.9.69'
 PACKAGE_BUGREPORT='netblue30@protonmail.com'
 PACKAGE_URL='https://firejail.wordpress.com'
 
@@ -628,13 +628,13 @@ EGREP
 GREP
 CPP
 HAVE_LTS
+HAVE_ONLY_SYSCFG_PROFILES
 HAVE_FORCE_NONEWPRIVS
 HAVE_CONTRIB_INSTALL
 HAVE_GCOV
 BUSYBOX_WORKAROUND
 HAVE_FATAL_WARNINGS
 HAVE_SUID
-HAVE_WHITELIST
 HAVE_FILE_TRANSFER
 HAVE_X11
 HAVE_USERNS
@@ -652,12 +652,12 @@ HAVE_DBUSPROXY
 EXTRA_LDFLAGS
 EXTRA_CFLAGS
 HAVE_SELINUX
-HAVE_APPARMOR
 AA_LIBS
 AA_CFLAGS
 PKG_CONFIG_LIBDIR
 PKG_CONFIG_PATH
 PKG_CONFIG
+HAVE_APPARMOR
 RANLIB
 INSTALL_DATA
 INSTALL_SCRIPT
@@ -712,6 +712,7 @@ ac_subst_files=''
 ac_user_opts='
 enable_option_checking
 enable_analyzer
+enable_sanitizer
 enable_apparmor
 enable_selinux
 enable_dbusproxy
@@ -726,13 +727,13 @@ enable_network
 enable_userns
 enable_x11
 enable_file_transfer
-enable_whitelist
 enable_suid
 enable_fatal_warnings
 enable_busybox_workaround
 enable_gcov
 enable_contrib_install
 enable_force_nonewprivs
+enable_only_syscfg_profiles
 enable_lts
 '
       ac_precious_vars='build_alias
@@ -1299,7 +1300,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures firejail 0.9.65 to adapt to many kinds of systems.
+\`configure' configures firejail 0.9.69 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1361,7 +1362,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of firejail 0.9.65:";;
+     short | recursive ) echo "Configuration of firejail 0.9.69:";;
    esac
   cat <<\_ACEOF
 
@@ -1369,7 +1370,9 @@ Optional Features:
   --disable-option-checking  ignore unrecognized --enable/--with options
   --disable-FEATURE       do not include FEATURE (same as --enable-FEATURE=no)
   --enable-FEATURE[=ARG]  include FEATURE [ARG=yes]
-  --enable-analyzer       enable GCC 10 static analyzer
+  --enable-analyzer       enable GCC static analyzer
+  --enable-sanitizer=[address | memory | undefined]
+                          enable a compiler-based sanitizer (debug)
   --enable-apparmor       enable apparmor
   --enable-selinux        SELinux labeling support
   --disable-dbusproxy     disable dbus proxy
@@ -1379,13 +1382,12 @@ Optional Features:
   --disable-firetunnel    disable firetunnel
   --disable-private-home  disable private home feature
   --disable-chroot        disable chroot
-  --disable-globalcfg     if the global config file firejail.cfg is not
+  --disable-globalcfg     if the global config file firejail.config is not
                           present, continue the program using defaults
   --disable-network       disable network
   --disable-userns        disable user namespace
   --disable-x11           disable X11 sandboxing support
   --disable-file-transfer disable file transfer
-  --disable-whitelist     disable whitelist
   --disable-suid          install as a non-SUID executable
   --enable-fatal-warnings -W -Wall -Werror
   --enable-busybox-workaround
@@ -1395,6 +1397,8 @@ Optional Features:
                           install contrib scripts
   --enable-force-nonewprivs
                           enable force nonewprivs
+  --enable-only-syscfg-profiles
+                          disable profiles in $HOME/.config/firejail
   --enable-lts            enable long-term support software version (LTS)
 
 Some influential environment variables:
@@ -1481,7 +1485,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-firejail configure 0.9.65
+firejail configure 0.9.69
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -1533,52 +1537,6 @@ fi
 
 } # ac_fn_c_try_compile
 
-# ac_fn_c_try_link LINENO
-# -----------------------
-# Try to link conftest.$ac_ext, and return whether this succeeded.
-ac_fn_c_try_link ()
-{
-  as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
-  rm -f conftest.$ac_objext conftest$ac_exeext
-  if { { ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
-$as_echo "$ac_try_echo"; } >&5
-  (eval "$ac_link") 2>conftest.err
-  ac_status=$?
-  if test -s conftest.err; then
-    grep -v '^ *+' conftest.err >conftest.er1
-    cat conftest.er1 >&5
-    mv -f conftest.er1 conftest.err
-  fi
-  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-  test $ac_status = 0; } && {
-         test -z "$ac_c_werror_flag" ||
-         test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-         test "$cross_compiling" = yes ||
-         test -x conftest$ac_exeext
-       }; then :
-  ac_retval=0
-else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-        ac_retval=1
-fi
-  # Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information
-  # created by the PGI compiler (conftest_ipa8_conftest.oo), as it would
-  # interfere with the next link command; also delete a directory that is
-  # left behind by Apple's compiler.  We do this before executing the actions.
-  rm -rf conftest.dSYM conftest_ipa8_conftest.oo
-  eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
-  as_fn_set_status $ac_retval
-
-} # ac_fn_c_try_link
-
 # ac_fn_c_try_cpp LINENO
 # ----------------------
 # Try to preprocess conftest.$ac_ext, and return whether this succeeded.
@@ -1783,7 +1741,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by firejail $as_me 0.9.65, which was
+It was created by firejail $as_me 0.9.69, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -3171,7 +3129,7 @@ fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___mindirect_branch_thunk" >&5
 $as_echo "$ax_cv_check_cflags___mindirect_branch_thunk" >&6; }
 if test "x$ax_cv_check_cflags___mindirect_branch_thunk" = xyes; then :
-  HAVE_SPECTRE="yes" && EXTRA_CFLAGS+=" -mindirect-branch=thunk"
+  HAVE_SPECTRE="yes" && EXTRA_CFLAGS="$EXTRA_CFLAGS -mindirect-branch=thunk"
 
 else
   :
@@ -3207,7 +3165,7 @@ fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___mretpoline" >&5
 $as_echo "$ax_cv_check_cflags___mretpoline" >&6; }
 if test "x$ax_cv_check_cflags___mretpoline" = xyes; then :
-  HAVE_SPECTRE="yes" && EXTRA_CFLAGS+=" -mretpoline"
+  HAVE_SPECTRE="yes" && EXTRA_CFLAGS="$EXTRA_CFLAGS -mretpoline"
 
 else
   :
@@ -3243,7 +3201,7 @@ fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___fstack_clash_protection" >&5
 $as_echo "$ax_cv_check_cflags___fstack_clash_protection" >&6; }
 if test "x$ax_cv_check_cflags___fstack_clash_protection" = xyes; then :
-  HAVE_SPECTRE="yes" && EXTRA_CFLAGS+=" -fstack-clash-protection"
+  HAVE_SPECTRE="yes" && EXTRA_CFLAGS="$EXTRA_CFLAGS -fstack-clash-protection"
 
 else
   :
@@ -3279,7 +3237,7 @@ fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___fstack_protector_strong" >&5
 $as_echo "$ax_cv_check_cflags___fstack_protector_strong" >&6; }
 if test "x$ax_cv_check_cflags___fstack_protector_strong" = xyes; then :
-  HAVE_SPECTRE="yes" && EXTRA_CFLAGS+=" -fstack-protector-strong"
+  HAVE_SPECTRE="yes" && EXTRA_CFLAGS="$EXTRA_CFLAGS -fstack-protector-strong"
 
 else
   :
@@ -3293,11 +3251,63 @@ fi
 
 if test "x$enable_analyzer" = "xyes"; then :
 
-        EXTRA_CFLAGS+=" -fanalyzer"
+        EXTRA_CFLAGS="$EXTRA_CFLAGS -fanalyzer -Wno-analyzer-malloc-leak"
+
+fi
+
+# Check whether --enable-sanitizer was given.
+if test "${enable_sanitizer+set}" = set; then :
+  enableval=$enable_sanitizer;
+else
+  enable_sanitizer=no
+fi
+
+if test "x$enable_sanitizer" != "xno" ; then :
+  as_CACHEVAR=`$as_echo "ax_cv_check_cflags__-fsanitize=$enable_sanitizer" | $as_tr_sh`
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fsanitize=$enable_sanitizer" >&5
+$as_echo_n "checking whether C compiler accepts -fsanitize=$enable_sanitizer... " >&6; }
+if eval \${$as_CACHEVAR+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+
+  ax_check_save_flags=$CFLAGS
+  CFLAGS="$CFLAGS  -fsanitize=$enable_sanitizer"
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  eval "$as_CACHEVAR=yes"
+else
+  eval "$as_CACHEVAR=no"
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+  CFLAGS=$ax_check_save_flags
+fi
+eval ac_res=\$$as_CACHEVAR
+               { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
+$as_echo "$ac_res" >&6; }
+if eval test \"x\$"$as_CACHEVAR"\" = x"yes"; then :
+
+                EXTRA_CFLAGS="$EXTRA_CFLAGS -fsanitize=$enable_sanitizer -fno-omit-frame-pointer"
+                EXTRA_LDFLAGS="$EXTRA_LDFLAGS -fsanitize=$enable_sanitizer"
+
+else
+  as_fn_error $? "sanitizer not supported: $enable_sanitizer" "$LINENO" 5
+
+fi
 
 fi
 
 HAVE_APPARMOR=""
+
 # Check whether --enable-apparmor was given.
 if test "${enable_apparmor+set}" = set; then :
   enableval=$enable_apparmor;
@@ -3428,8 +3438,8 @@ if test "x$enable_apparmor" = "xyes"; then :
         HAVE_APPARMOR="-DHAVE_APPARMOR"
 
 pkg_failed=no
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for AA" >&5
-$as_echo_n "checking for AA... " >&6; }
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for libapparmor" >&5
+$as_echo_n "checking for libapparmor... " >&6; }
 
 if test -n "$AA_CFLAGS"; then
     pkg_cv_AA_CFLAGS="$AA_CFLAGS"
@@ -3469,7 +3479,7 @@ fi
 
 
 if test $pkg_failed = yes; then
-        { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
 
 if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
@@ -3496,7 +3506,7 @@ Alternatively, you may set the environment variables AA_CFLAGS
 and AA_LIBS to avoid the need to call pkg-config.
 See the pkg-config man page for more details." "$LINENO" 5
 elif test $pkg_failed = untried; then
-        { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
         { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
@@ -3515,13 +3525,13 @@ else
         AA_LIBS=$pkg_cv_AA_LIBS
         { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
 $as_echo "yes" >&6; }
-        EXTRA_CFLAGS+=" $AA_CFLAGS" && EXTRA_LDFLAGS+=" $AA_LIBS"
+        EXTRA_CFLAGS="$EXTRA_CFLAGS $AA_CFLAGS" && EXTRA_LDFLAGS="$EXTRA_LDFLAGS $AA_LIBS"
 fi
 
-
 fi
 
 HAVE_SELINUX=""
+
 # Check whether --enable-selinux was given.
 if test "${enable_selinux+set}" = set; then :
   enableval=$enable_selinux;
@@ -3530,8 +3540,7 @@ fi
 if test "x$enable_selinux" = "xyes"; then :
 
         HAVE_SELINUX="-DHAVE_SELINUX"
-        EXTRA_LDFLAGS+=" -lselinux "
-
+        EXTRA_LDFLAGS="$EXTRA_LDFLAGS -lselinux"
 
 fi
 
@@ -3540,6 +3549,7 @@ fi
 
 
 HAVE_DBUSPROXY=""
+
 # Check whether --enable-dbusproxy was given.
 if test "${enable_dbusproxy+set}" = set; then :
   enableval=$enable_dbusproxy;
@@ -3549,21 +3559,19 @@ if test "x$enable_dbusproxy" != "xno"; then :
 
         HAVE_DBUSPROXY="-DHAVE_DBUSPROXY"
 
-
 fi
 
-# overlayfs features temporarely disabled pending fixes
+# overlayfs features temporarily disabled pending fixes
 HAVE_OVERLAYFS=""
 
-#
 #AC_ARG_ENABLE([overlayfs],
-#    AS_HELP_STRING([--disable-overlayfs], [disable overlayfs]))
+#    [AS_HELP_STRING([--disable-overlayfs], [disable overlayfs])])
 #AS_IF([test "x$enable_overlayfs" != "xno"], [
 #       HAVE_OVERLAYFS="-DHAVE_OVERLAYFS"
-#       AC_SUBST(HAVE_OVERLAYFS)
 #])
 
 HAVE_OUTPUT=""
+
 # Check whether --enable-output was given.
 if test "${enable_output+set}" = set; then :
   enableval=$enable_output;
@@ -3573,10 +3581,10 @@ if test "x$enable_output" != "xno"; then :
 
         HAVE_OUTPUT="-DHAVE_OUTPUT"
 
-
 fi
 
 HAVE_USERTMPFS=""
+
 # Check whether --enable-usertmpfs was given.
 if test "${enable_usertmpfs+set}" = set; then :
   enableval=$enable_usertmpfs;
@@ -3586,10 +3594,10 @@ if test "x$enable_usertmpfs" != "xno"; then :
 
         HAVE_USERTMPFS="-DHAVE_USERTMPFS"
 
-
 fi
 
 HAVE_MAN="no"
+
 # Check whether --enable-man was given.
 if test "${enable_man+set}" = set; then :
   enableval=$enable_man;
@@ -3598,7 +3606,6 @@ fi
 if test "x$enable_man" != "xno"; then :
 
         HAVE_MAN="-DHAVE_MAN"
-
         # Extract the first word of "gawk", so it can be a program name with args.
 set dummy gawk; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
@@ -3638,12 +3645,13 @@ fi
 
 
         if test "x$HAVE_GAWK" != "xyes"; then :
-  as_fn_error $? "\"*** gawk not found ***\"" "$LINENO" 5
+  as_fn_error $? "*** gawk not found ***" "$LINENO" 5
 fi
 
 fi
 
 HAVE_FIRETUNNEL=""
+
 # Check whether --enable-firetunnel was given.
 if test "${enable_firetunnel+set}" = set; then :
   enableval=$enable_firetunnel;
@@ -3653,10 +3661,10 @@ if test "x$enable_firetunnel" != "xno"; then :
 
         HAVE_FIRETUNNEL="-DHAVE_FIRETUNNEL"
 
-
 fi
 
-HAVE_PRIVATEHOME=""
+HAVE_PRIVATE_HOME=""
+
 # Check whether --enable-private-home was given.
 if test "${enable_private_home+set}" = set; then :
   enableval=$enable_private_home;
@@ -3666,10 +3674,10 @@ if test "x$enable_private_home" != "xno"; then :
 
         HAVE_PRIVATE_HOME="-DHAVE_PRIVATE_HOME"
 
-
 fi
 
 HAVE_CHROOT=""
+
 # Check whether --enable-chroot was given.
 if test "${enable_chroot+set}" = set; then :
   enableval=$enable_chroot;
@@ -3679,10 +3687,10 @@ if test "x$enable_chroot" != "xno"; then :
 
         HAVE_CHROOT="-DHAVE_CHROOT"
 
-
 fi
 
 HAVE_GLOBALCFG=""
+
 # Check whether --enable-globalcfg was given.
 if test "${enable_globalcfg+set}" = set; then :
   enableval=$enable_globalcfg;
@@ -3692,10 +3700,10 @@ if test "x$enable_globalcfg" != "xno"; then :
 
         HAVE_GLOBALCFG="-DHAVE_GLOBALCFG"
 
-
 fi
 
 HAVE_NETWORK=""
+
 # Check whether --enable-network was given.
 if test "${enable_network+set}" = set; then :
   enableval=$enable_network;
@@ -3705,10 +3713,10 @@ if test "x$enable_network" != "xno"; then :
 
         HAVE_NETWORK="-DHAVE_NETWORK"
 
-
 fi
 
 HAVE_USERNS=""
+
 # Check whether --enable-userns was given.
 if test "${enable_userns+set}" = set; then :
   enableval=$enable_userns;
@@ -3718,10 +3726,10 @@ if test "x$enable_userns" != "xno"; then :
 
         HAVE_USERNS="-DHAVE_USERNS"
 
-
 fi
 
 HAVE_X11=""
+
 # Check whether --enable-x11 was given.
 if test "${enable_x11+set}" = set; then :
   enableval=$enable_x11;
@@ -3731,10 +3739,10 @@ if test "x$enable_x11" != "xno"; then :
 
         HAVE_X11="-DHAVE_X11"
 
-
 fi
 
 HAVE_FILE_TRANSFER=""
+
 # Check whether --enable-file-transfer was given.
 if test "${enable_file_transfer+set}" = set; then :
   enableval=$enable_file_transfer;
@@ -3744,37 +3752,23 @@ if test "x$enable_file_transfer" != "xno"; then :
 
         HAVE_FILE_TRANSFER="-DHAVE_FILE_TRANSFER"
 
-
-fi
-
-HAVE_WHITELIST=""
-# Check whether --enable-whitelist was given.
-if test "${enable_whitelist+set}" = set; then :
-  enableval=$enable_whitelist;
-fi
-
-if test "x$enable_whitelist" != "xno"; then :
-
-        HAVE_WHITELIST="-DHAVE_WHITELIST"
-
-
 fi
 
 HAVE_SUID=""
+
 # Check whether --enable-suid was given.
 if test "${enable_suid+set}" = set; then :
   enableval=$enable_suid;
 fi
 
-if test "x$enable_suid" = "xno"; then :
-  HAVE_SUID="no"
-else
-  HAVE_SUID="yes"
+if test "x$enable_suid" != "xno"; then :
 
-fi
+        HAVE_SUID="-DHAVE_SUID"
 
+fi
 
 HAVE_FATAL_WARNINGS=""
+
 # Check whether --enable-fatal_warnings was given.
 if test "${enable_fatal_warnings+set}" = set; then :
   enableval=$enable_fatal_warnings;
@@ -3784,10 +3778,10 @@ if test "x$enable_fatal_warnings" = "xyes"; then :
 
         HAVE_FATAL_WARNINGS="-W -Wall -Werror"
 
-
 fi
 
 BUSYBOX_WORKAROUND="no"
+
 # Check whether --enable-busybox-workaround was given.
 if test "${enable_busybox_workaround+set}" = set; then :
   enableval=$enable_busybox_workaround;
@@ -3797,11 +3791,11 @@ if test "x$enable_busybox_workaround" = "xyes"; then :
 
         BUSYBOX_WORKAROUND="yes"
 
-
 fi
 
 
 HAVE_GCOV=""
+
 # Check whether --enable-gcov was given.
 if test "${enable_gcov+set}" = set; then :
   enableval=$enable_gcov;
@@ -3809,27 +3803,26 @@ fi
 
 if test "x$enable_gcov" = "xyes"; then :
 
-        HAVE_GCOV="--coverage -DHAVE_GCOV "
-        EXTRA_LDFLAGS+=" -lgcov --coverage "
-
+        HAVE_GCOV="--coverage -DHAVE_GCOV"
+        EXTRA_LDFLAGS="$EXTRA_LDFLAGS -lgcov --coverage"
 
 fi
 
 HAVE_CONTRIB_INSTALL="yes"
+
 # Check whether --enable-contrib-install was given.
 if test "${enable_contrib_install+set}" = set; then :
   enableval=$enable_contrib_install;
 fi
 
 if test "x$enable_contrib_install" = "xno"; then :
-  HAVE_CONTRIB_INSTALL="no"
-else
-  HAVE_CONTRIB_INSTALL="yes"
 
-fi
+       HAVE_CONTRIB_INSTALL="no"
 
+fi
 
 HAVE_FORCE_NONEWPRIVS=""
+
 # Check whether --enable-force-nonewprivs was given.
 if test "${enable_force_nonewprivs+set}" = set; then :
   enableval=$enable_force_nonewprivs;
@@ -3839,10 +3832,23 @@ if test "x$enable_force_nonewprivs" = "xyes"; then :
 
         HAVE_FORCE_NONEWPRIVS="-DHAVE_FORCE_NONEWPRIVS"
 
+fi
+
+HAVE_ONLY_SYSCFG_PROFILES=""
+
+# Check whether --enable-only-syscfg-profiles was given.
+if test "${enable_only_syscfg_profiles+set}" = set; then :
+  enableval=$enable_only_syscfg_profiles;
+fi
+
+if test "x$enable_only_syscfg_profiles" = "xyes"; then :
+
+    HAVE_ONLY_SYSCFG_PROFILES="-DHAVE_ONLY_SYSCFG_PROFILES"
 
 fi
 
 HAVE_LTS=""
+
 # Check whether --enable-lts was given.
 if test "${enable_lts+set}" = set; then :
   enableval=$enable_lts;
@@ -3851,98 +3857,22 @@ fi
 if test "x$enable_lts" = "xyes"; then :
 
         HAVE_LTS="-DHAVE_LTS"
-
-
         HAVE_DBUSPROXY=""
-
-
         HAVE_OVERLAYFS=""
-
-
         HAVE_OUTPUT=""
-
-
         HAVE_USERTMPFS=""
-
-
         HAVE_MAN="-DHAVE_MAN"
-
-
         HAVE_FIRETUNNEL=""
-
-
-        HAVE_PRIVATEHOME=""
-
-
+        HAVE_PRIVATE_HOME=""
         HAVE_CHROOT=""
-
-
         HAVE_GLOBALCFG=""
-
-
         HAVE_USERNS=""
-
-
         HAVE_X11=""
-
-
         HAVE_FILE_TRANSFER=""
-
-
-        HAVE_SUID="yes"
-
-
+        HAVE_SUID="-DHAVE_SUID"
         BUSYBOX_WORKAROUND="no"
-
-
         HAVE_CONTRIB_INSTALL="no",
 
-
-fi
-
-
-
-
-# checking pthread library
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lpthread" >&5
-$as_echo_n "checking for main in -lpthread... " >&6; }
-if ${ac_cv_lib_pthread_main+:} false; then :
-  $as_echo_n "(cached) " >&6
-else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-lpthread  $LIBS"
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h.  */
-
-
-int
-main ()
-{
-return main ();
-  ;
-  return 0;
-}
-_ACEOF
-if ac_fn_c_try_link "$LINENO"; then :
-  ac_cv_lib_pthread_main=yes
-else
-  ac_cv_lib_pthread_main=no
-fi
-rm -f core conftest.err conftest.$ac_objext \
-    conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pthread_main" >&5
-$as_echo "$ac_cv_lib_pthread_main" >&6; }
-if test "x$ac_cv_lib_pthread_main" = xyes; then :
-  cat >>confdefs.h <<_ACEOF
-#define HAVE_LIBPTHREAD 1
-_ACEOF
-
-  LIBS="-lpthread $LIBS"
-
-else
-  as_fn_error $? "*** POSIX thread support not installed ***" "$LINENO" 5
 fi
 
 ac_ext=c
@@ -4342,14 +4272,6 @@ fi
 done
 
 
-ac_fn_c_check_header_mongrel "$LINENO" "pthread.h" "ac_cv_header_pthread_h" "$ac_includes_default"
-if test "x$ac_cv_header_pthread_h" = xyes; then :
-
-else
-  as_fn_error $? "*** POSIX thread support not installed ***" "$LINENO" 5
-fi
-
-
 ac_fn_c_check_header_mongrel "$LINENO" "linux/seccomp.h" "ac_cv_header_linux_seccomp_h" "$ac_includes_default"
 if test "x$ac_cv_header_linux_seccomp_h" = xyes; then :
 
@@ -4366,7 +4288,7 @@ fi
 
 ac_config_files="$ac_config_files mkdeb.sh"
 
-ac_config_files="$ac_config_files Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile src/ftee/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile src/profstats/Makefile src/man/Makefile src/zsh_completion/Makefile src/bash_completion/Makefile test/Makefile src/jailtest/Makefile"
+ac_config_files="$ac_config_files Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile src/ftee/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile src/profstats/Makefile src/man/Makefile src/zsh_completion/Makefile src/bash_completion/Makefile test/Makefile src/jailcheck/Makefile src/fids/Makefile src/fnettrace/Makefile"
 
 cat >confcache <<\_ACEOF
 # This file is a shell script that caches the results of configure
@@ -4910,7 +4832,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by firejail $as_me 0.9.65, which was
+This file was extended by firejail $as_me 0.9.69, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -4964,7 +4886,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-firejail config.status 0.9.65
+firejail config.status 0.9.69
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
@@ -5099,7 +5021,9 @@ do
     "src/zsh_completion/Makefile") CONFIG_FILES="$CONFIG_FILES src/zsh_completion/Makefile" ;;
     "src/bash_completion/Makefile") CONFIG_FILES="$CONFIG_FILES src/bash_completion/Makefile" ;;
     "test/Makefile") CONFIG_FILES="$CONFIG_FILES test/Makefile" ;;
-    "src/jailtest/Makefile") CONFIG_FILES="$CONFIG_FILES src/jailtest/Makefile" ;;
+    "src/jailcheck/Makefile") CONFIG_FILES="$CONFIG_FILES src/jailcheck/Makefile" ;;
+    "src/fids/Makefile") CONFIG_FILES="$CONFIG_FILES src/fids/Makefile" ;;
+    "src/fnettrace/Makefile") CONFIG_FILES="$CONFIG_FILES src/fnettrace/Makefile" ;;
 
   *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;;
   esac
@@ -5560,47 +5484,49 @@ $as_echo "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2;}
 fi
 
 
-echo
-echo "Configuration options:"
-echo "   prefix: $prefix"
-echo "   sysconfdir: $sysconfdir"
-echo "   apparmor: $HAVE_APPARMOR"
-echo "   SELinux labeling support: $HAVE_SELINUX"
-echo "   global config: $HAVE_GLOBALCFG"
-echo "   chroot: $HAVE_CHROOT"
-echo "   network: $HAVE_NETWORK"
-echo "   user namespace: $HAVE_USERNS"
-echo "   X11 sandboxing support: $HAVE_X11"
-echo "   whitelisting: $HAVE_WHITELIST"
-echo "   private home support: $HAVE_PRIVATE_HOME"
-echo "   file transfer support: $HAVE_FILE_TRANSFER"
-echo "   overlayfs support: $HAVE_OVERLAYFS"
-echo "   DBUS proxy support: $HAVE_DBUSPROXY"
-echo "   allow tmpfs as regular user: $HAVE_USERTMPFS"
-echo "   enable --ouput logging: $HAVE_OUTPUT"
-echo "   Manpage support: $HAVE_MAN"
-echo "   firetunnel support: $HAVE_FIRETUNNEL"
-echo "   busybox workaround: $BUSYBOX_WORKAROUND"
-echo "   Spectre compiler patch: $HAVE_SPECTRE"
-echo "   EXTRA_LDFLAGS: $EXTRA_LDFLAGS"
-echo "   EXTRA_CFLAGS: $EXTRA_CFLAGS"
-echo "   fatal warnings: $HAVE_FATAL_WARNINGS"
-echo "   Gcov instrumentation: $HAVE_GCOV"
-echo "   Install contrib scripts: $HAVE_CONTRIB_INSTALL"
-echo "   Install as a SUID executable: $HAVE_SUID"
-echo "   LTS: $HAVE_LTS"
-echo "   Always enforce filters: $HAVE_FORCE_NONEWPRIVS"
-echo
-
+cat <<EOF
+
+Configuration options:
+   prefix: $prefix
+   sysconfdir: $sysconfdir
+   apparmor: $HAVE_APPARMOR
+   SELinux labeling support: $HAVE_SELINUX
+   global config: $HAVE_GLOBALCFG
+   chroot: $HAVE_CHROOT
+   network: $HAVE_NETWORK
+   user namespace: $HAVE_USERNS
+   X11 sandboxing support: $HAVE_X11
+   private home support: $HAVE_PRIVATE_HOME
+   file transfer support: $HAVE_FILE_TRANSFER
+   overlayfs support: $HAVE_OVERLAYFS
+   DBUS proxy support: $HAVE_DBUSPROXY
+   allow tmpfs as regular user: $HAVE_USERTMPFS
+   enable --ouput logging: $HAVE_OUTPUT
+   Manpage support: $HAVE_MAN
+   firetunnel support: $HAVE_FIRETUNNEL
+   busybox workaround: $BUSYBOX_WORKAROUND
+   Spectre compiler patch: $HAVE_SPECTRE
+   EXTRA_LDFLAGS: $EXTRA_LDFLAGS
+   EXTRA_CFLAGS: $EXTRA_CFLAGS
+   fatal warnings: $HAVE_FATAL_WARNINGS
+   Gcov instrumentation: $HAVE_GCOV
+   Install contrib scripts: $HAVE_CONTRIB_INSTALL
+   Install as a SUID executable: $HAVE_SUID
+   LTS: $HAVE_LTS
+   Always enforce filters: $HAVE_FORCE_NONEWPRIVS
+   Disable user profiles: $HAVE_ONLY_SYSCFG_PROFILES
+
+EOF
 
 if test "$HAVE_LTS" = -DHAVE_LTS; then
-        echo
-        echo
-        echo "*********************************************************"
-        echo "*    Warning: Long-term support (LTS) was enabled!      *"
-        echo "*    Most compile-time options have bean rewritten!     *"
-        echo "*********************************************************"
-        echo
-        echo
-fi
+        cat <<\EOF
+
 
+*********************************************************
+*    Warning: Long-term support (LTS) was enabled!      *
+*    Most compile-time options have bean rewritten!     *
+*********************************************************
+
+
+EOF
+fi
diff --git a/configure.ac b/configure.ac
index e8bd6fb80..4ca30e6d7 100644
--- a/configure.ac
+++ b/configure.ac
@@ -12,9 +12,10 @@
 #
 
 AC_PREREQ([2.68])
-AC_INIT(firejail, 0.9.65, netblue30@protonmail.com, , https://firejail.wordpress.com)
-AC_CONFIG_SRCDIR([src/firejail/main.c])
+AC_INIT([firejail], [0.9.69], [netblue30@protonmail.com], [],
+    [https://firejail.wordpress.com])
 
+AC_CONFIG_SRCDIR([src/firejail/main.c])
 AC_CONFIG_MACRO_DIR([m4])
 
 AC_PROG_CC
@@ -24,43 +25,54 @@ AC_PROG_RANLIB
 HAVE_SPECTRE="no"
 AX_CHECK_COMPILE_FLAG(
     [-mindirect-branch=thunk],
-    [HAVE_SPECTRE="yes" && EXTRA_CFLAGS+=" -mindirect-branch=thunk"]
+    [HAVE_SPECTRE="yes" && EXTRA_CFLAGS="$EXTRA_CFLAGS -mindirect-branch=thunk"]
 )
 AX_CHECK_COMPILE_FLAG(
     [-mretpoline],
-    [HAVE_SPECTRE="yes" && EXTRA_CFLAGS+=" -mretpoline"]
+    [HAVE_SPECTRE="yes" && EXTRA_CFLAGS="$EXTRA_CFLAGS -mretpoline"]
 )
 AX_CHECK_COMPILE_FLAG(
     [-fstack-clash-protection],
-    [HAVE_SPECTRE="yes" && EXTRA_CFLAGS+=" -fstack-clash-protection"]
+    [HAVE_SPECTRE="yes" && EXTRA_CFLAGS="$EXTRA_CFLAGS -fstack-clash-protection"]
 )
 AX_CHECK_COMPILE_FLAG(
     [-fstack-protector-strong],
-    [HAVE_SPECTRE="yes" && EXTRA_CFLAGS+=" -fstack-protector-strong"]
+    [HAVE_SPECTRE="yes" && EXTRA_CFLAGS="$EXTRA_CFLAGS -fstack-protector-strong"]
 )
 
 AC_ARG_ENABLE([analyzer],
-    AS_HELP_STRING([--enable-analyzer], [enable GCC 10 static analyzer]))
+    [AS_HELP_STRING([--enable-analyzer], [enable GCC static analyzer])])
 AS_IF([test "x$enable_analyzer" = "xyes"], [
-        EXTRA_CFLAGS+=" -fanalyzer"
+        EXTRA_CFLAGS="$EXTRA_CFLAGS -fanalyzer -Wno-analyzer-malloc-leak"
 ])
 
+AC_ARG_ENABLE([sanitizer],
+    [AS_HELP_STRING([--enable-sanitizer=@<:@address | memory | undefined@:>@], [enable a compiler-based sanitizer (debug)])],
+    [], [enable_sanitizer=no])
+AS_IF([test "x$enable_sanitizer" != "xno" ],
+        [AX_CHECK_COMPILE_FLAG([-fsanitize=$enable_sanitizer], [
+                EXTRA_CFLAGS="$EXTRA_CFLAGS -fsanitize=$enable_sanitizer -fno-omit-frame-pointer"
+                EXTRA_LDFLAGS="$EXTRA_LDFLAGS -fsanitize=$enable_sanitizer"
+        ], [AC_MSG_ERROR([sanitizer not supported: $enable_sanitizer])]
+)])
+
 HAVE_APPARMOR=""
+AC_SUBST([HAVE_APPARMOR])
 AC_ARG_ENABLE([apparmor],
-    AS_HELP_STRING([--enable-apparmor], [enable apparmor]))
+    [AS_HELP_STRING([--enable-apparmor], [enable apparmor])])
 AS_IF([test "x$enable_apparmor" = "xyes"], [
         HAVE_APPARMOR="-DHAVE_APPARMOR"
-        PKG_CHECK_MODULES([AA], libapparmor, [EXTRA_CFLAGS+=" $AA_CFLAGS" && EXTRA_LDFLAGS+=" $AA_LIBS"])
-        AC_SUBST(HAVE_APPARMOR)
+        PKG_CHECK_MODULES([AA], [libapparmor],
+            [EXTRA_CFLAGS="$EXTRA_CFLAGS $AA_CFLAGS" && EXTRA_LDFLAGS="$EXTRA_LDFLAGS $AA_LIBS"])
 ])
 
 HAVE_SELINUX=""
+AC_SUBST([HAVE_SELINUX])
 AC_ARG_ENABLE([selinux],
-    AS_HELP_STRING([--enable-selinux], [SELinux labeling support]))
+    [AS_HELP_STRING([--enable-selinux], [SELinux labeling support])])
 AS_IF([test "x$enable_selinux" = "xyes"], [
         HAVE_SELINUX="-DHAVE_SELINUX"
-        EXTRA_LDFLAGS+=" -lselinux "
-        AC_SUBST(HAVE_SELINUX)
+        EXTRA_LDFLAGS="$EXTRA_LDFLAGS -lselinux"
 ])
 
 AC_SUBST([EXTRA_CFLAGS])
@@ -68,234 +80,195 @@ AC_SUBST([EXTRA_LDFLAGS])
 
 
 HAVE_DBUSPROXY=""
+AC_SUBST([HAVE_DBUSPROXY])
 AC_ARG_ENABLE([dbusproxy],
-    AS_HELP_STRING([--disable-dbusproxy], [disable dbus proxy]))
+    [AS_HELP_STRING([--disable-dbusproxy], [disable dbus proxy])])
 AS_IF([test "x$enable_dbusproxy" != "xno"], [
         HAVE_DBUSPROXY="-DHAVE_DBUSPROXY"
-        AC_SUBST(HAVE_DBUSPROXY)
 ])
 
-# overlayfs features temporarely disabled pending fixes
+# overlayfs features temporarily disabled pending fixes
 HAVE_OVERLAYFS=""
-AC_SUBST(HAVE_OVERLAYFS)
-#
+AC_SUBST([HAVE_OVERLAYFS])
 #AC_ARG_ENABLE([overlayfs],
-#    AS_HELP_STRING([--disable-overlayfs], [disable overlayfs]))
+#    [AS_HELP_STRING([--disable-overlayfs], [disable overlayfs])])
 #AS_IF([test "x$enable_overlayfs" != "xno"], [
 #       HAVE_OVERLAYFS="-DHAVE_OVERLAYFS"
-#       AC_SUBST(HAVE_OVERLAYFS)
 #])
 
 HAVE_OUTPUT=""
+AC_SUBST([HAVE_OUTPUT])
 AC_ARG_ENABLE([output],
-    AS_HELP_STRING([--disable-output], [disable --output logging]))
+    [AS_HELP_STRING([--disable-output], [disable --output logging])])
 AS_IF([test "x$enable_output" != "xno"], [
         HAVE_OUTPUT="-DHAVE_OUTPUT"
-        AC_SUBST(HAVE_OUTPUT)
 ])
 
 HAVE_USERTMPFS=""
+AC_SUBST([HAVE_USERTMPFS])
 AC_ARG_ENABLE([usertmpfs],
-    AS_HELP_STRING([--disable-usertmpfs], [disable tmpfs as regular user]))
+    [AS_HELP_STRING([--disable-usertmpfs], [disable tmpfs as regular user])])
 AS_IF([test "x$enable_usertmpfs" != "xno"], [
         HAVE_USERTMPFS="-DHAVE_USERTMPFS"
-        AC_SUBST(HAVE_USERTMPFS)
 ])
 
 HAVE_MAN="no"
+AC_SUBST([HAVE_MAN])
 AC_ARG_ENABLE([man],
-    AS_HELP_STRING([--disable-man], [disable man pages]))
+    [AS_HELP_STRING([--disable-man], [disable man pages])])
 AS_IF([test "x$enable_man" != "xno"], [
         HAVE_MAN="-DHAVE_MAN"
-        AC_SUBST(HAVE_MAN)
         AC_CHECK_PROG([HAVE_GAWK], [gawk], [yes], [no])
-        AS_IF([test "x$HAVE_GAWK" != "xyes"], [AC_MSG_ERROR("*** gawk not found ***")])
+        AS_IF([test "x$HAVE_GAWK" != "xyes"], [AC_MSG_ERROR([*** gawk not found ***])])
 ])
 
 HAVE_FIRETUNNEL=""
+AC_SUBST([HAVE_FIRETUNNEL])
 AC_ARG_ENABLE([firetunnel],
-    AS_HELP_STRING([--disable-firetunnel], [disable firetunnel]))
+    [AS_HELP_STRING([--disable-firetunnel], [disable firetunnel])])
 AS_IF([test "x$enable_firetunnel" != "xno"], [
         HAVE_FIRETUNNEL="-DHAVE_FIRETUNNEL"
-        AC_SUBST(HAVE_FIRETUNNEL)
 ])
 
-HAVE_PRIVATEHOME=""
+HAVE_PRIVATE_HOME=""
+AC_SUBST([HAVE_PRIVATE_HOME])
 AC_ARG_ENABLE([private-home],
-    AS_HELP_STRING([--disable-private-home], [disable private home feature]))
+    [AS_HELP_STRING([--disable-private-home], [disable private home feature])])
 AS_IF([test "x$enable_private_home" != "xno"], [
         HAVE_PRIVATE_HOME="-DHAVE_PRIVATE_HOME"
-        AC_SUBST(HAVE_PRIVATE_HOME)
 ])
 
 HAVE_CHROOT=""
+AC_SUBST([HAVE_CHROOT])
 AC_ARG_ENABLE([chroot],
-    AS_HELP_STRING([--disable-chroot], [disable chroot]))
+    [AS_HELP_STRING([--disable-chroot], [disable chroot])])
 AS_IF([test "x$enable_chroot" != "xno"], [
         HAVE_CHROOT="-DHAVE_CHROOT"
-        AC_SUBST(HAVE_CHROOT)
 ])
 
 HAVE_GLOBALCFG=""
+AC_SUBST([HAVE_GLOBALCFG])
 AC_ARG_ENABLE([globalcfg],
-    AS_HELP_STRING([--disable-globalcfg], [if the global config file firejail.cfg is not present, continue the program using defaults]))
+    [AS_HELP_STRING([--disable-globalcfg],
+        [if the global config file firejail.config is not present, continue the program using defaults])])
 AS_IF([test "x$enable_globalcfg" != "xno"], [
         HAVE_GLOBALCFG="-DHAVE_GLOBALCFG"
-        AC_SUBST(HAVE_GLOBALCFG)
 ])
 
 HAVE_NETWORK=""
+AC_SUBST([HAVE_NETWORK])
 AC_ARG_ENABLE([network],
-    AS_HELP_STRING([--disable-network], [disable network]))
+    [AS_HELP_STRING([--disable-network], [disable network])])
 AS_IF([test "x$enable_network" != "xno"], [
         HAVE_NETWORK="-DHAVE_NETWORK"
-        AC_SUBST(HAVE_NETWORK)
 ])
 
 HAVE_USERNS=""
+AC_SUBST([HAVE_USERNS])
 AC_ARG_ENABLE([userns],
-    AS_HELP_STRING([--disable-userns], [disable user namespace]))
+    [AS_HELP_STRING([--disable-userns], [disable user namespace])])
 AS_IF([test "x$enable_userns" != "xno"], [
         HAVE_USERNS="-DHAVE_USERNS"
-        AC_SUBST(HAVE_USERNS)
 ])
 
 HAVE_X11=""
+AC_SUBST([HAVE_X11])
 AC_ARG_ENABLE([x11],
-    AS_HELP_STRING([--disable-x11], [disable X11 sandboxing support]))
+    [AS_HELP_STRING([--disable-x11], [disable X11 sandboxing support])])
 AS_IF([test "x$enable_x11" != "xno"], [
         HAVE_X11="-DHAVE_X11"
-        AC_SUBST(HAVE_X11)
 ])
 
 HAVE_FILE_TRANSFER=""
+AC_SUBST([HAVE_FILE_TRANSFER])
 AC_ARG_ENABLE([file-transfer],
-    AS_HELP_STRING([--disable-file-transfer], [disable file transfer]))
+    [AS_HELP_STRING([--disable-file-transfer], [disable file transfer])])
 AS_IF([test "x$enable_file_transfer" != "xno"], [
         HAVE_FILE_TRANSFER="-DHAVE_FILE_TRANSFER"
-        AC_SUBST(HAVE_FILE_TRANSFER)
-])
-
-HAVE_WHITELIST=""
-AC_ARG_ENABLE([whitelist],
-    AS_HELP_STRING([--disable-whitelist], [disable whitelist]))
-AS_IF([test "x$enable_whitelist" != "xno"], [
-        HAVE_WHITELIST="-DHAVE_WHITELIST"
-        AC_SUBST(HAVE_WHITELIST)
 ])
 
 HAVE_SUID=""
+AC_SUBST([HAVE_SUID])
 AC_ARG_ENABLE([suid],
-    AS_HELP_STRING([--disable-suid], [install as a non-SUID executable]))
-AS_IF([test "x$enable_suid" = "xno"],
-        [HAVE_SUID="no"],
-        [HAVE_SUID="yes"]
-)
-AC_SUBST(HAVE_SUID)
+    [AS_HELP_STRING([--disable-suid], [install as a non-SUID executable])])
+AS_IF([test "x$enable_suid" != "xno"], [
+        HAVE_SUID="-DHAVE_SUID"
+])
 
 HAVE_FATAL_WARNINGS=""
+AC_SUBST([HAVE_FATAL_WARNINGS])
 AC_ARG_ENABLE([fatal_warnings],
-    AS_HELP_STRING([--enable-fatal-warnings], [-W -Wall -Werror]))
+    [AS_HELP_STRING([--enable-fatal-warnings], [-W -Wall -Werror])])
 AS_IF([test "x$enable_fatal_warnings" = "xyes"], [
         HAVE_FATAL_WARNINGS="-W -Wall -Werror"
-        AC_SUBST(HAVE_FATAL_WARNINGS)
 ])
 
 BUSYBOX_WORKAROUND="no"
+AC_SUBST([BUSYBOX_WORKAROUND])
 AC_ARG_ENABLE([busybox-workaround],
-    AS_HELP_STRING([--enable-busybox-workaround], [enable busybox workaround]))
+    [AS_HELP_STRING([--enable-busybox-workaround], [enable busybox workaround])])
 AS_IF([test "x$enable_busybox_workaround" = "xyes"], [
         BUSYBOX_WORKAROUND="yes"
-        AC_SUBST(BUSYBOX_WORKAROUND)
 ])
 
 
 HAVE_GCOV=""
+AC_SUBST([HAVE_GCOV])
 AC_ARG_ENABLE([gcov],
-    AS_HELP_STRING([--enable-gcov], [Gcov instrumentation]))
+    [AS_HELP_STRING([--enable-gcov], [Gcov instrumentation])])
 AS_IF([test "x$enable_gcov" = "xyes"], [
-        HAVE_GCOV="--coverage -DHAVE_GCOV "
-        EXTRA_LDFLAGS+=" -lgcov --coverage "
-        AC_SUBST(HAVE_GCOV)
+        HAVE_GCOV="--coverage -DHAVE_GCOV"
+        EXTRA_LDFLAGS="$EXTRA_LDFLAGS -lgcov --coverage"
 ])
 
 HAVE_CONTRIB_INSTALL="yes"
+AC_SUBST([HAVE_CONTRIB_INSTALL])
 AC_ARG_ENABLE([contrib-install],
-    AS_HELP_STRING([--enable-contrib-install], [install contrib scripts]))
-AS_IF([test "x$enable_contrib_install" = "xno"],
-        [HAVE_CONTRIB_INSTALL="no"],
-        [HAVE_CONTRIB_INSTALL="yes"]
-)
-AC_SUBST(HAVE_CONTRIB_INSTALL)
+    [AS_HELP_STRING([--enable-contrib-install], [install contrib scripts])])
+AS_IF([test "x$enable_contrib_install" = "xno"], [
+       HAVE_CONTRIB_INSTALL="no"
+])
 
 HAVE_FORCE_NONEWPRIVS=""
+AC_SUBST([HAVE_FORCE_NONEWPRIVS])
 AC_ARG_ENABLE([force-nonewprivs],
-    AS_HELP_STRING([--enable-force-nonewprivs], [enable force nonewprivs]))
+    [AS_HELP_STRING([--enable-force-nonewprivs], [enable force nonewprivs])])
 AS_IF([test "x$enable_force_nonewprivs" = "xyes"], [
         HAVE_FORCE_NONEWPRIVS="-DHAVE_FORCE_NONEWPRIVS"
-        AC_SUBST(HAVE_FORCE_NONEWPRIVS)
+])
+
+HAVE_ONLY_SYSCFG_PROFILES=""
+AC_SUBST([HAVE_ONLY_SYSCFG_PROFILES])
+AC_ARG_ENABLE([only-syscfg-profiles],
+    [AS_HELP_STRING([--enable-only-syscfg-profiles], [disable profiles in $HOME/.config/firejail])])
+AS_IF([test "x$enable_only_syscfg_profiles" = "xyes"], [
+    HAVE_ONLY_SYSCFG_PROFILES="-DHAVE_ONLY_SYSCFG_PROFILES"
 ])
 
 HAVE_LTS=""
+AC_SUBST([HAVE_LTS])
 AC_ARG_ENABLE([lts],
-    AS_HELP_STRING([--enable-lts], [enable long-term support software version (LTS)]))
+    [AS_HELP_STRING([--enable-lts], [enable long-term support software version (LTS)])])
 AS_IF([test "x$enable_lts" = "xyes"], [
         HAVE_LTS="-DHAVE_LTS"
-        AC_SUBST(HAVE_LTS)
-
         HAVE_DBUSPROXY=""
-        AC_SUBST(HAVE_DBUSPROXY)
-
         HAVE_OVERLAYFS=""
-        AC_SUBST(HAVE_OVERLAYFS)
-
         HAVE_OUTPUT=""
-        AC_SUBST(HAVE_OUTPUT)
-
         HAVE_USERTMPFS=""
-        AC_SUBST(HAVE_USERTMPFS)
-
         HAVE_MAN="-DHAVE_MAN"
-        AC_SUBST(HAVE_MAN)
-
         HAVE_FIRETUNNEL=""
-        AC_SUBST(HAVE_FIRETUNNEL)
-
-        HAVE_PRIVATEHOME=""
-        AC_SUBST(HAVE_PRIVATE_HOME)
-
+        HAVE_PRIVATE_HOME=""
         HAVE_CHROOT=""
-        AC_SUBST(HAVE_CHROOT)
-
         HAVE_GLOBALCFG=""
-        AC_SUBST(HAVE_GLOBALCFG)
-
         HAVE_USERNS=""
-        AC_SUBST(HAVE_USERNS)
-
         HAVE_X11=""
-        AC_SUBST(HAVE_X11)
-
         HAVE_FILE_TRANSFER=""
-        AC_SUBST(HAVE_FILE_TRANSFER)
-
-        HAVE_SUID="yes"
-        AC_SUBST(HAVE_SUID)
-
+        HAVE_SUID="-DHAVE_SUID"
         BUSYBOX_WORKAROUND="no"
-        AC_SUBST(BUSYBOX_WORKAROUND)
-
         HAVE_CONTRIB_INSTALL="no",
-        AC_SUBST(HAVE_CONTRIB_INSTALL)
 ])
 
-
-
-
-# checking pthread library
-AC_CHECK_LIB([pthread], [main], [], AC_MSG_ERROR([*** POSIX thread support not installed ***]))
-AC_CHECK_HEADER(pthread.h,,AC_MSG_ERROR([*** POSIX thread support not installed ***]))
-AC_CHECK_HEADER([linux/seccomp.h],,AC_MSG_ERROR([*** SECCOMP support is not installed (/usr/include/linux/seccomp.h missing) ***]))
+AC_CHECK_HEADER([linux/seccomp.h], [], AC_MSG_ERROR([*** SECCOMP support is not installed (/usr/include/linux/seccomp.h missing) ***]))
 
 # set sysconfdir
 if test "$prefix" = /usr; then
@@ -303,53 +276,56 @@ if test "$prefix" = /usr; then
 fi
 
 AC_CONFIG_FILES([mkdeb.sh], [chmod +x mkdeb.sh])
-AC_OUTPUT(Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile \
+AC_CONFIG_FILES([Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile \
 src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile \
 src/ftee/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile \
 src/profstats/Makefile src/man/Makefile src/zsh_completion/Makefile src/bash_completion/Makefile test/Makefile \
-src/jailtest/Makefile)
-
-echo
-echo "Configuration options:"
-echo "   prefix: $prefix"
-echo "   sysconfdir: $sysconfdir"
-echo "   apparmor: $HAVE_APPARMOR"
-echo "   SELinux labeling support: $HAVE_SELINUX"
-echo "   global config: $HAVE_GLOBALCFG"
-echo "   chroot: $HAVE_CHROOT"
-echo "   network: $HAVE_NETWORK"
-echo "   user namespace: $HAVE_USERNS"
-echo "   X11 sandboxing support: $HAVE_X11"
-echo "   whitelisting: $HAVE_WHITELIST"
-echo "   private home support: $HAVE_PRIVATE_HOME"
-echo "   file transfer support: $HAVE_FILE_TRANSFER"
-echo "   overlayfs support: $HAVE_OVERLAYFS"
-echo "   DBUS proxy support: $HAVE_DBUSPROXY"
-echo "   allow tmpfs as regular user: $HAVE_USERTMPFS"
-echo "   enable --ouput logging: $HAVE_OUTPUT"
-echo "   Manpage support: $HAVE_MAN"
-echo "   firetunnel support: $HAVE_FIRETUNNEL"
-echo "   busybox workaround: $BUSYBOX_WORKAROUND"
-echo "   Spectre compiler patch: $HAVE_SPECTRE"
-echo "   EXTRA_LDFLAGS: $EXTRA_LDFLAGS"
-echo "   EXTRA_CFLAGS: $EXTRA_CFLAGS"
-echo "   fatal warnings: $HAVE_FATAL_WARNINGS"
-echo "   Gcov instrumentation: $HAVE_GCOV"
-echo "   Install contrib scripts: $HAVE_CONTRIB_INSTALL"
-echo "   Install as a SUID executable: $HAVE_SUID"
-echo "   LTS: $HAVE_LTS"
-echo "   Always enforce filters: $HAVE_FORCE_NONEWPRIVS"
-echo
-
+src/jailcheck/Makefile src/fids/Makefile src/fnettrace/Makefile])
+AC_OUTPUT
+
+cat <<EOF
+
+Configuration options:
+   prefix: $prefix
+   sysconfdir: $sysconfdir
+   apparmor: $HAVE_APPARMOR
+   SELinux labeling support: $HAVE_SELINUX
+   global config: $HAVE_GLOBALCFG
+   chroot: $HAVE_CHROOT
+   network: $HAVE_NETWORK
+   user namespace: $HAVE_USERNS
+   X11 sandboxing support: $HAVE_X11
+   private home support: $HAVE_PRIVATE_HOME
+   file transfer support: $HAVE_FILE_TRANSFER
+   overlayfs support: $HAVE_OVERLAYFS
+   DBUS proxy support: $HAVE_DBUSPROXY
+   allow tmpfs as regular user: $HAVE_USERTMPFS
+   enable --ouput logging: $HAVE_OUTPUT
+   Manpage support: $HAVE_MAN
+   firetunnel support: $HAVE_FIRETUNNEL
+   busybox workaround: $BUSYBOX_WORKAROUND
+   Spectre compiler patch: $HAVE_SPECTRE
+   EXTRA_LDFLAGS: $EXTRA_LDFLAGS
+   EXTRA_CFLAGS: $EXTRA_CFLAGS
+   fatal warnings: $HAVE_FATAL_WARNINGS
+   Gcov instrumentation: $HAVE_GCOV
+   Install contrib scripts: $HAVE_CONTRIB_INSTALL
+   Install as a SUID executable: $HAVE_SUID
+   LTS: $HAVE_LTS
+   Always enforce filters: $HAVE_FORCE_NONEWPRIVS
+   Disable user profiles: $HAVE_ONLY_SYSCFG_PROFILES
+
+EOF
 
 if test "$HAVE_LTS" = -DHAVE_LTS; then
-        echo
-        echo
-        echo "*********************************************************"
-        echo "*    Warning: Long-term support (LTS) was enabled!      *"
-        echo "*    Most compile-time options have bean rewritten!     *"
-        echo "*********************************************************"
-        echo
-        echo
-fi
+        cat <<\EOF
 
+
+*********************************************************
+*    Warning: Long-term support (LTS) was enabled!      *
+*    Most compile-time options have bean rewritten!     *
+*********************************************************
+
+
+EOF
+fi
diff --git a/contrib/firejail-welcome.sh b/contrib/firejail-welcome.sh
index 6eebc67c5..c9b6c450b 100755
--- a/contrib/firejail-welcome.sh
+++ b/contrib/firejail-welcome.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 
 # This file is part of Firejail project
-# Copyright (C) 2020-2021 Firejail Authors
+# Copyright (C) 2020-2022 Firejail Authors
 # License GPL v2
 
 if ! command -v zenity >/dev/null; then
diff --git a/contrib/fix_private-bin.py b/contrib/fix_private-bin.py
index 12b596749..961646aa4 100755
--- a/contrib/fix_private-bin.py
+++ b/contrib/fix_private-bin.py
@@ -164,7 +164,7 @@ def printHelp():
 
 
 def main() -> None:
-    """The main function. Parses the commandline args, shows messages and calles the function actually doing the work."""
+    """The main function. Parses the commandline args, shows messages and calls the function actually doing the work."""
     if len(sys.argv) > 2 or (len(sys.argv) == 2 and
                              (sys.argv[1] == "-h" or sys.argv[1] == "--help")):
         printHelp()
diff --git a/contrib/fj-mkdeb.py b/contrib/fj-mkdeb.py
index b4a947535..60e25fd14 100755
--- a/contrib/fj-mkdeb.py
+++ b/contrib/fj-mkdeb.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 # This script automates the workaround for https://github.com/netblue30/firejail/issues/772
diff --git a/contrib/fjclip.py b/contrib/fjclip.py
index 3e99d71e9..893fff243 100755
--- a/contrib/fjclip.py
+++ b/contrib/fjclip.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 import sys
diff --git a/contrib/fjdisplay.py b/contrib/fjdisplay.py
index 294bde997..a49aa3e36 100755
--- a/contrib/fjdisplay.py
+++ b/contrib/fjdisplay.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 import re
diff --git a/contrib/fjresize.py b/contrib/fjresize.py
index d656f5c91..6575d6a0b 100755
--- a/contrib/fjresize.py
+++ b/contrib/fjresize.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 import sys
diff --git a/contrib/gdb-firejail.sh b/contrib/gdb-firejail.sh
index 941fc45ef..397438e1e 100755
--- a/contrib/gdb-firejail.sh
+++ b/contrib/gdb-firejail.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 set -x
 
@@ -21,4 +21,4 @@ else
 fi
 
 bash -c "kill -STOP \$\$; exec \"\$0\" \"\$@\"" "$@" &
-sudo gdb -e  "$FIREJAIL" -p "$!"
+sudo gdb -e "$FIREJAIL" -p "$!"
diff --git a/contrib/jail_prober.py b/contrib/jail_prober.py
index 9205d9b3e..9776e9380 100755
--- a/contrib/jail_prober.py
+++ b/contrib/jail_prober.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 """
 Figure out which profile options may be causing a particular program to break
@@ -70,6 +70,19 @@ def get_args(profile_path):
     return profile
 
 
+def absolute_include(word):
+    home = os.environ['HOME']
+    path = home + '/.config/firejail/'
+
+    option, filename = word.split('=')
+    absolute_filename = path + filename
+
+    if not os.path.isfile(absolute_filename):
+        absolute_filename = '${CFG}/' + filename
+
+    return option + '=' + absolute_filename
+
+
 def arg_converter(arg_list, style):
     """
     Convert between firejail command-line arguments (--example=something) and
@@ -94,9 +107,12 @@ def arg_converter(arg_list, style):
     if style == 'to_profile':
         new_args = [word[2:] for word in new_args]
 
-    # Remove invalid '--include' args if converting to command-line form
     elif style == 'to_commandline':
-        new_args = [word for word in new_args if 'include' not in word]
+        new_args = [
+            absolute_include(word) if word.startswith('--include')
+            else word
+            for word in new_args
+        ]
 
     return new_args
 
@@ -148,8 +164,12 @@ def run_firejail(program, all_args):
 
 
 def main():
-    profile_path = sys.argv[1]
-    program = sys.argv[2]
+    try:
+        profile_path = sys.argv[1]
+        program = sys.argv[2]
+    except IndexError:
+        print('USAGE: jail_prober.py <PROFILE-PATH> <PROGRAM>')
+        sys.exit()
     # Quick error check and extract arguments
     check_params(profile_path)
     profile = get_args(profile_path)
diff --git a/contrib/sort.py b/contrib/sort.py
index c7325facb..6f21370ec 100755
--- a/contrib/sort.py
+++ b/contrib/sort.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 """
 Sort the items of multi-item options in profiles, the following options are supported:
@@ -24,7 +24,7 @@ Exit-Codes:
 
 # Requirements:
 #  python >= 3.6
-from sys import argv
+from sys import argv, exit as sys_exit
 
 
 def sort_alphabetical(raw_items):
@@ -34,7 +34,7 @@ def sort_alphabetical(raw_items):
 
 
 def sort_protocol(protocols):
-    """sort the given protocole into this scheme: unix,inet,inet6,netlink,packet,bluetooth"""
+    """sort the given protocols into this scheme: unix,inet,inet6,netlink,packet,bluetooth"""
 
     # shortcut for common protocol lines
     if protocols in ("unix", "unix,inet,inet6"):
@@ -105,4 +105,4 @@ def main(args):
 
 
 if __name__ == "__main__":
-    exit(main(argv[1:]))
+    sys_exit(main(argv[1:]))
diff --git a/contrib/syscalls.sh b/contrib/syscalls.sh
index 728ff5a78..d13f24280 100755
--- a/contrib/syscalls.sh
+++ b/contrib/syscalls.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 STRACE_OUTPUT_FILE="$(pwd)/strace_output.txt"
diff --git a/contrib/update_deb.sh b/contrib/update_deb.sh
index 4c715aaf7..68460e41f 100755
--- a/contrib/update_deb.sh
+++ b/contrib/update_deb.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 # Purpose: Fetch, compile, and install firejail from GitHub source. For
diff --git a/contrib/vim/ftdetect/firejail.vim b/contrib/vim/ftdetect/firejail.vim
index a8ba5cd75..2edc741da 100644
--- a/contrib/vim/ftdetect/firejail.vim
+++ b/contrib/vim/ftdetect/firejail.vim
@@ -1,6 +1,6 @@
-autocmd BufNewFile,BufRead /etc/firejail/*.profile      set filetype=firejail
-autocmd BufNewFile,BufRead /etc/firejail/*.local        set filetype=firejail
-autocmd BufNewFile,BufRead /etc/firejail/*.inc          set filetype=firejail
-autocmd BufNewFile,BufRead ~/.config/firejail/*.profile set filetype=firejail
-autocmd BufNewFile,BufRead ~/.config/firejail/*.local   set filetype=firejail
-autocmd BufNewFile,BufRead ~/.config/firejail/*.inc     set filetype=firejail
+autocmd BufNewFile,BufRead /etc/firejail/*.profile      setfiletype firejail
+autocmd BufNewFile,BufRead /etc/firejail/*.local        setfiletype firejail
+autocmd BufNewFile,BufRead /etc/firejail/*.inc          setfiletype firejail
+autocmd BufNewFile,BufRead ~/.config/firejail/*.profile setfiletype firejail
+autocmd BufNewFile,BufRead ~/.config/firejail/*.local   setfiletype firejail
+autocmd BufNewFile,BufRead ~/.config/firejail/*.inc     setfiletype firejail
diff --git a/contrib/vim/syntax/firejail.vim b/contrib/vim/syntax/firejail.vim
index 65eb690ac..714ed8e6e 100644
--- a/contrib/vim/syntax/firejail.vim
+++ b/contrib/vim/syntax/firejail.vim
@@ -20,19 +20,20 @@ syn match fjCapabilityList /,/ nextgroup=fjCapability contained
 syn keyword fjProtocol unix inet inet6 netlink packet nextgroup=fjProtocolList contained
 syn match fjProtocolList /,/ nextgroup=fjProtocol contained
 
-" Syscalls grabbed from: src/include/syscall.h
-" Generate list with: rg -o '"([^"]+)' -r '$1' src/include/syscall.h | sort -u | tr $'\n' ' '
-syn keyword fjSyscall _llseek _newselect _sysctl accept accept4 access acct add_key adjtimex afs_syscall alarm arch_prctl bdflush bind bpf break brk capget capset chdir chmod chown chown32 chroot clock_adjtime clock_getres clock_gettime clock_nanosleep clock_settime clone close connect copy_file_range creat create_module delete_module dup dup2 dup3 epoll_create epoll_create1 epoll_ctl epoll_ctl_old epoll_pwait epoll_wait epoll_wait_old eventfd eventfd2 execve execveat exit exit_group faccessat faccessat2 fadvise64 fadvise64_64 fallocate fanotify_init fanotify_mark fchdir fchmod fchmodat fchown fchown32 fchownat fcntl fcntl64 fdatasync fgetxattr finit_module flistxattr flock fork fremovexattr fsetxattr fstat fstat64 fstatat64 fstatfs fstatfs64 fsync ftime ftruncate ftruncate64 futex futimesat get_kernel_syms get_mempolicy get_robust_list get_thread_area getcpu getcwd getdents getdents64 getegid getegid32 geteuid geteuid32 getgid getgid32 getgroups getgroups32 getitimer getpeername getpgid getpgrp getpid getpmsg getppid getpriority getrandom getresgid getresgid32 getresuid getresuid32 getrlimit getrusage getsid getsockname getsockopt gettid gettimeofday getuid getuid32 getxattr gtty idle init_module inotify_add_watch inotify_init inotify_init1 inotify_rm_watch io_cancel io_destroy io_getevents io_setup io_submit ioctl ioperm iopl ioprio_get ioprio_set ipc kcmp kexec_file_load kexec_load keyctl kill lchown lchown32 lgetxattr link linkat listen listxattr llistxattr lock lookup_dcookie lremovexattr lseek lsetxattr lstat lstat64 madvise mbind membarrier memfd_create migrate_pages mincore mkdir mkdirat mknod mknodat mlock mlock2 mlockall mmap mmap2 modify_ldt mount move_pages mprotect mpx mq_getsetattr mq_notify mq_open mq_timedreceive mq_timedsend mq_unlink mremap msgctl msgget msgrcv msgsnd msync munlock munlockall munmap name_to_handle_at nanosleep newfstatat nfsservctl nice oldfstat oldlstat oldolduname oldstat olduname open open_by_handle_at openat pause perf_event_open personality pipe pipe2 pivot_root pkey_alloc pkey_free pkey_mprotect poll ppoll prctl pread64 preadv preadv2 prlimit64 process_vm_readv process_vm_writev prof profil pselect6 ptrace putpmsg pwrite64 pwritev pwritev2 query_module quotactl read readahead readdir readlink readlinkat readv reboot recvfrom recvmmsg recvmsg remap_file_pages removexattr rename renameat renameat2 request_key restart_syscall rmdir rt_sigaction rt_sigpending rt_sigprocmask rt_sigqueueinfo rt_sigreturn rt_sigsuspend rt_sigtimedwait rt_tgsigqueueinfo sched_get_priority_max sched_get_priority_min sched_getaffinity sched_getattr sched_getparam sched_getscheduler sched_rr_get_interval sched_setaffinity sched_setattr sched_setparam sched_setscheduler sched_yield seccomp security select semctl semget semop semtimedop sendfile sendfile64 sendmmsg sendmsg sendto set_mempolicy set_robust_list set_thread_area set_tid_address setdomainname setfsgid setfsgid32 setfsuid setfsuid32 setgid setgid32 setgroups setgroups32 sethostname setitimer setns setpgid setpriority setregid setregid32 setresgid setresgid32 setresuid setresuid32 setreuid setreuid32 setrlimit setsid setsockopt settimeofday setuid setuid32 setxattr sgetmask shmat shmctl shmdt shmget shutdown sigaction sigaltstack signal signalfd signalfd4 sigpending sigprocmask sigreturn sigsuspend socket socketcall socketpair splice ssetmask stat stat64 statfs statfs64 statx stime stty swapoff swapon symlink symlinkat sync sync_file_range syncfs sysfs sysinfo syslog tee tgkill time timer_create timer_delete timer_getoverrun timer_gettime timer_settime timerfd_create timerfd_gettime timerfd_settime times tkill truncate truncate64 tuxcall ugetrlimit ulimit umask umount umount2 uname unlink unlinkat unshare uselib userfaultfd ustat utime utimensat utimes vfork vhangup vm86 vm86old vmsplice vserver wait4 waitid waitpid write writev nextgroup=fjSyscallErrno contained
+" Syscalls grabbed from: src/include/syscall*.h
+" Generate list with: sed -ne 's/{\s\+"\([^"]\+\)",.*},/\1/p' src/include/syscall*.h | sort -u | tr $'\n' ' '
+syn keyword fjSyscall _llseek _newselect _sysctl accept accept4 access acct add_key adjtimex afs_syscall alarm arch_prctl arm_fadvise64_64 arm_sync_file_range bdflush bind bpf break brk capget capset chdir chmod chown chown32 chroot clock_adjtime clock_adjtime64 clock_getres clock_getres_time64 clock_gettime clock_gettime64 clock_nanosleep clock_nanosleep_time64 clock_settime clock_settime64 clone clone3 close connect copy_file_range creat create_module delete_module dup dup2 dup3 epoll_create epoll_create1 epoll_ctl epoll_ctl_old epoll_pwait epoll_wait epoll_wait_old eventfd eventfd2 execve execveat exit exit_group faccessat faccessat2 fadvise64 fadvise64_64 fallocate fanotify_init fanotify_mark fchdir fchmod fchmodat fchown fchown32 fchownat fcntl fcntl64 fdatasync fgetxattr finit_module flistxattr flock fork fremovexattr fsconfig fsetxattr fsmount fsopen fspick fstat fstat64 fstatat64 fstatfs fstatfs64 fsync ftime ftruncate ftruncate64 futex futex_time64 futimesat getcpu getcwd getdents getdents64 getegid getegid32 geteuid geteuid32 getgid getgid32 getgroups getgroups32 getitimer get_kernel_syms get_mempolicy getpeername getpgid getpgrp getpid getpmsg getppid getpriority getrandom getresgid getresgid32 getresuid getresuid32 getrlimit get_robust_list getrusage getsid getsockname getsockopt get_thread_area gettid gettimeofday getuid getuid32 getxattr gtty idle init_module inotify_add_watch inotify_init inotify_init1 inotify_rm_watch io_cancel ioctl io_destroy io_getevents ioperm io_pgetevents io_pgetevents_time64 iopl ioprio_get ioprio_set io_setup io_submit io_uring_enter io_uring_register io_uring_setup ipc kcmp kexec_file_load kexec_load keyctl kill lchown lchown32 lgetxattr link linkat listen listxattr llistxattr lock lookup_dcookie lremovexattr lseek lsetxattr lstat lstat64 madvise mbind membarrier memfd_create migrate_pages mincore mkdir mkdirat mknod mknodat mlock mlock2 mlockall mmap mmap2 modify_ldt mount move_mount move_pages mprotect mpx mq_getsetattr mq_notify mq_open mq_timedreceive mq_timedreceive_time64 mq_timedsend mq_timedsend_time64 mq_unlink mremap msgctl msgget msgrcv msgsnd msync munlock munlockall munmap name_to_handle_at nanosleep newfstatat nfsservctl nice oldfstat oldlstat oldolduname oldstat olduname open openat open_by_handle_at open_tree pause pciconfig_iobase pciconfig_read pciconfig_write perf_event_open personality pidfd_open pidfd_send_signal pipe pipe2 pivot_root pkey_alloc pkey_free pkey_mprotect poll ppoll ppoll_time64 prctl pread64 preadv preadv2 prlimit64 process_vm_readv process_vm_writev prof profil pselect6 pselect6_time64 ptrace putpmsg pwrite64 pwritev pwritev2 query_module quotactl read readahead readdir readlink readlinkat readv reboot recv recvfrom recvmmsg recvmmsg_time64 recvmsg remap_file_pages removexattr rename renameat renameat2 request_key restart_syscall rmdir rseq rt_sigaction rt_sigpending rt_sigprocmask rt_sigqueueinfo rt_sigreturn rt_sigsuspend rt_sigtimedwait rt_sigtimedwait_time64 rt_tgsigqueueinfo sched_getaffinity sched_getattr sched_getparam sched_get_priority_max sched_get_priority_min sched_getscheduler sched_rr_get_interval sched_rr_get_interval_time64 sched_setaffinity sched_setattr sched_setparam sched_setscheduler sched_yield seccomp security select semctl semget semop semtimedop semtimedop_time64 send sendfile sendfile64 sendmmsg sendmsg sendto setdomainname setfsgid setfsgid32 setfsuid setfsuid32 setgid setgid32 setgroups setgroups32 sethostname setitimer set_mempolicy setns setpgid setpriority setregid setregid32 setresgid setresgid32 setresuid setresuid32 setreuid setreuid32 setrlimit set_robust_list setsid setsockopt set_thread_area set_tid_address settimeofday setuid setuid32 setxattr sgetmask shmat shmctl shmdt shmget shutdown sigaction sigaltstack signal signalfd signalfd4 sigpending sigprocmask sigreturn sigsuspend socket socketcall socketpair splice ssetmask stat stat64 statfs statfs64 statx stime stty swapoff swapon symlink symlinkat sync sync_file_range sync_file_range2 syncfs syscall sysfs sysinfo syslog tee tgkill time timer_create timer_delete timerfd_create timerfd_gettime timerfd_gettime64 timerfd_settime timerfd_settime64 timer_getoverrun timer_gettime timer_gettime64 timer_settime timer_settime64 times tkill truncate truncate64 tuxcall ugetrlimit ulimit umask umount umount2 uname unlink unlinkat unshare uselib userfaultfd ustat utime utimensat utimensat_time64 utimes vfork vhangup vm86 vm86old vmsplice vserver wait4 waitid waitpid write writev nextgroup=fjSyscallErrno contained
 " Syscall groups grabbed from: src/fseccomp/syscall.c
-" Generate list with: rg -o '"@([^",]+)' -r '$1' src/fseccomp/syscall.c | sort -u | tr $'\n' '|'
-syn match fjSyscall /\v\@(clock|cpu-emulation|debug|default|default-keep|default-nodebuggers|module|obsolete|privileged|raw-io|reboot|resources|swap)>/ nextgroup=fjSyscallErrno contained
+" Generate list with: rg -o '"@([^",]+)' -r '$1' src/lib/syscall.c | sort -u | tr $'\n' '|'
+syn match fjSyscall /\v\@(aio|basic-io|chown|clock|cpu-emulation|debug|default|default-keep|default-nodebuggers|file-system|io-event|ipc|keyring|memlock|module|mount|network-io|obsolete|privileged|process|raw-io|reboot|resources|setuid|signal|swap|sync|system-service|timer)>/ nextgroup=fjSyscallErrno contained
 syn match fjSyscall /\$[0-9]\+/ nextgroup=fjSyscallErrno contained
 " Errnos grabbed from: src/fseccomp/errno.c
-" Generate list with: rg -o '"(E[^"]+)' -r '$1' src/fseccomp/errno.c | sort -u | tr $'\n' '|'
+" Generate list with: rg -o '"(E[^"]+)' -r '$1' src/lib/errno.c | sort -u | tr $'\n' '|'
 syn match fjSyscallErrno /\v(:(E2BIG|EACCES|EADDRINUSE|EADDRNOTAVAIL|EADV|EAFNOSUPPORT|EAGAIN|EALREADY|EBADE|EBADF|EBADFD|EBADMSG|EBADR|EBADRQC|EBADSLT|EBFONT|EBUSY|ECANCELED|ECHILD|ECHRNG|ECOMM|ECONNABORTED|ECONNREFUSED|ECONNRESET|EDEADLK|EDEADLOCK|EDESTADDRREQ|EDOM|EDOTDOT|EDQUOT|EEXIST|EFAULT|EFBIG|EHOSTDOWN|EHOSTUNREACH|EHWPOISON|EIDRM|EILSEQ|EINPROGRESS|EINTR|EINVAL|EIO|EISCONN|EISDIR|EISNAM|EKEYEXPIRED|EKEYREJECTED|EKEYREVOKED|EL2HLT|EL2NSYNC|EL3HLT|EL3RST|ELIBACC|ELIBBAD|ELIBEXEC|ELIBMAX|ELIBSCN|ELNRNG|ELOOP|EMEDIUMTYPE|EMFILE|EMLINK|EMSGSIZE|EMULTIHOP|ENAMETOOLONG|ENAVAIL|ENETDOWN|ENETRESET|ENETUNREACH|ENFILE|ENOANO|ENOATTR|ENOBUFS|ENOCSI|ENODATA|ENODEV|ENOENT|ENOEXEC|ENOKEY|ENOLCK|ENOLINK|ENOMEDIUM|ENOMEM|ENOMSG|ENONET|ENOPKG|ENOPROTOOPT|ENOSPC|ENOSR|ENOSTR|ENOSYS|ENOTBLK|ENOTCONN|ENOTDIR|ENOTEMPTY|ENOTNAM|ENOTRECOVERABLE|ENOTSOCK|ENOTSUP|ENOTTY|ENOTUNIQ|ENXIO|EOPNOTSUPP|EOVERFLOW|EOWNERDEAD|EPERM|EPFNOSUPPORT|EPIPE|EPROTO|EPROTONOSUPPORT|EPROTOTYPE|ERANGE|EREMCHG|EREMOTE|EREMOTEIO|ERESTART|ERFKILL|EROFS|ESHUTDOWN|ESOCKTNOSUPPORT|ESPIPE|ESRCH|ESRMNT|ESTALE|ESTRPIPE|ETIME|ETIMEDOUT|ETOOMANYREFS|ETXTBSY|EUCLEAN|EUNATCH|EUSERS|EWOULDBLOCK|EXDEV|EXFULL)>)?/ nextgroup=fjSyscallList contained
 syn match fjSyscallList /,/ nextgroup=fjSyscall contained
 
 syn keyword fjX11Sandbox none xephyr xorg xpra xvfb contained
+syn keyword fjSeccompAction kill log ERRNO contained
 
 syn match fjEnvVar "[A-Za-z0-9_]\+=" contained
 syn match fjRmenvVar "[A-Za-z0-9_]\+" contained
@@ -40,6 +41,7 @@ syn match fjRmenvVar "[A-Za-z0-9_]\+" contained
 syn keyword fjAll all contained
 syn keyword fjNone none contained
 syn keyword fjLo lo contained
+syn keyword fjFilter filter contained
 
 " Variable names grabbed from: src/firejail/macros.c
 " Generate list with: rg -o '\$\{([^}]+)\}' -r '$1' src/firejail/macros.c | sort -u | tr $'\n' '|'
@@ -47,27 +49,30 @@ syn match fjVar /\v\$\{(CFG|DESKTOP|DOCUMENTS|DOWNLOADS|HOME|MUSIC|PATH|PICTURES
 
 " Commands grabbed from: src/firejail/profile.c
 " Generate list with: { rg -o 'strn?cmp\(ptr, "([^"]+) "' -r '$1' src/firejail/profile.c; echo private-lib; } | grep -vEx '(include|ignore|caps\.drop|caps\.keep|protocol|seccomp|seccomp\.drop|seccomp\.keep|env|rmenv|net|ip)' | sort -u | tr $'\n' '|' # private-lib is special-cased in the code and doesn't match the regex; grep-ed patterns are handled later with 'syn match nextgroup=' directives (except for include which is special-cased as a fjCommandNoCond keyword)
-syn match fjCommand /\v(bind|blacklist|blacklist-nolog|cgroup|cpu|defaultgw|dns|hostname|hosts-file|ip6|iprange|join-or-start|mac|mkdir|mkfile|mtu|name|netfilter|netfilter6|netmask|nice|noblacklist|noexec|nowhitelist|overlay-named|private|private-bin|private-etc|private-home|private-lib|private-opt|private-srv|read-only|read-write|rlimit-as|rlimit-cpu|rlimit-fsize|rlimit-nofile|rlimit-nproc|rlimit-sigpending|timeout|tmpfs|veth-name|whitelist|xephyr-screen) / skipwhite contained
+syn match fjCommand /\v(bind|blacklist|blacklist-nolog|cgroup|cpu|defaultgw|dns|hostname|hosts-file|ip6|iprange|join-or-start|mac|mkdir|mkfile|mtu|name|netfilter|netfilter6|netmask|nice|noblacklist|noexec|nowhitelist|overlay-named|private|private-bin|private-cwd|private-etc|private-home|private-lib|private-opt|private-srv|read-only|read-write|rlimit-as|rlimit-cpu|rlimit-fsize|rlimit-nofile|rlimit-nproc|rlimit-sigpending|timeout|tmpfs|veth-name|whitelist|xephyr-screen) / skipwhite contained
 " Generate list with: rg -o 'strn?cmp\(ptr, "([^ "]*[^ ])"' -r '$1' src/firejail/profile.c | grep -vEx '(include|rlimit|quiet)' | sed -e 's/\./\\./' | sort -u | tr $'\n' '|' # include/rlimit are false positives, quiet is special-cased below
-syn match fjCommand /\v(allusers|apparmor|caps|disable-mnt|ipc-namespace|keep-dev-shm|keep-var-tmp|machine-id|memory-deny-write-execute|netfilter|no3d|noautopulse|nodbus|nodvd|nogroups|nonewprivs|noroot|nosound|notv|nou2f|novideo|overlay|overlay-tmpfs|private|private-cache|private-dev|private-lib|private-tmp|seccomp|seccomp\.block-secondary|tracelog|writable-etc|writable-run-user|writable-var|writable-var-log|x11)$/ contained
+syn match fjCommand /\v(allow-debuggers|allusers|apparmor|caps|deterministic-exit-code|deterministic-shutdown|disable-mnt|ipc-namespace|keep-config-pulse|keep-dev-shm|keep-fd|keep-var-tmp|machine-id|memory-deny-write-execute|netfilter|no3d|noautopulse|nodbus|nodvd|nogroups|noinput|nonewprivs|noprinters|noroot|nosound|notv|nou2f|novideo|overlay|overlay-tmpfs|private|private-cache|private-cwd|private-dev|private-lib|private-tmp|seccomp|seccomp\.32|seccomp\.block-secondary|tracelog|writable-etc|writable-run-user|writable-var|writable-var-log|x11)$/ contained
 syn match fjCommand /ignore / nextgroup=fjCommand,fjCommandNoCond skipwhite contained
 syn match fjCommand /caps\.drop / nextgroup=fjCapability,fjAll skipwhite contained
 syn match fjCommand /caps\.keep / nextgroup=fjCapability skipwhite contained
 syn match fjCommand /protocol / nextgroup=fjProtocol skipwhite contained
-syn match fjCommand /\vseccomp(\.drop|\.keep)? / nextgroup=fjSyscall skipwhite contained
+syn match fjCommand /\vseccomp(\.32)?(\.drop|\.keep)? / nextgroup=fjSyscall skipwhite contained
 syn match fjCommand /x11 / nextgroup=fjX11Sandbox skipwhite contained
 syn match fjCommand /env / nextgroup=fjEnvVar skipwhite contained
 syn match fjCommand /rmenv / nextgroup=fjRmenvVar skipwhite contained
 syn match fjCommand /shell / nextgroup=fjNone skipwhite contained
 syn match fjCommand /net / nextgroup=fjNone,fjLo skipwhite contained
 syn match fjCommand /ip / nextgroup=fjNone skipwhite contained
+syn match fjCommand /seccomp-error-action / nextgroup=fjSeccompAction skipwhite contained
+syn match fjCommand /\vdbus-(user|system) / nextgroup=fjFilter,fjNone skipwhite contained
+syn match fjCommand /\vdbus-(user|system)\.(broadcast|call|own|see|talk) / skipwhite contained
 " Commands that can't be inside a ?CONDITIONAL: statement
 syn match fjCommandNoCond /include / skipwhite contained
 syn match fjCommandNoCond /quiet$/ contained
 
 " Conditionals grabbed from: src/firejail/profile.c
 " Generate list with: awk -- 'BEGIN {process=0;} /^Cond conditionals\[\] = \{$/ {process=1;} /\t*\{"[^"]+".*/ { if (process) {print gensub(/^\t*\{"([^"]+)".*$/, "\\1", 1);} } /^\t\{ NULL, NULL \}$/ {process=0;}' src/firejail/profile.c | sort -u | tr $'\n' '|'
-syn match fjConditional /\v\?(BROWSER_ALLOW_DRM|BROWSER_DISABLE_U2F|HAS_APPIMAGE|HAS_NODBUS) ?:/ nextgroup=fjCommand skipwhite contained
+syn match fjConditional /\v\?(ALLOW_TRAY|BROWSER_ALLOW_DRM|BROWSER_DISABLE_U2F|HAS_APPIMAGE|HAS_NET|HAS_NODBUS|HAS_NOSOUND|HAS_X11) ?:/ nextgroup=fjCommand skipwhite contained
 
 " A line is either a command, a conditional or a comment
 syn match fjStatement /^/ nextgroup=fjCommand,fjCommandNoCond,fjConditional,fjComment
@@ -88,6 +93,8 @@ hi def link fjRmenvVar Type
 hi def link fjAll Type
 hi def link fjNone Type
 hi def link fjLo Type
+hi def link fjFilter Type
+hi def link fjSeccompAction Type
 
 
 let b:current_syntax = "firejail"
diff --git a/etc-fixes/0.9.58/atom.profile b/etc-fixes/0.9.58/atom.profile
index 9bc35da5a..1cc9b0116 100644
--- a/etc-fixes/0.9.58/atom.profile
+++ b/etc-fixes/0.9.58/atom.profile
@@ -1,4 +1,3 @@
-
 # Firejail profile for atom
 # Description: A hackable text editor for the 21st Century
 # This file is overwritten after every install/update
diff --git a/etc-fixes/seccomp-join-bug/README b/etc-fixes/seccomp-join-bug/README
index 9f85a0e00..15596eca7 100644
--- a/etc-fixes/seccomp-join-bug/README
+++ b/etc-fixes/seccomp-join-bug/README
@@ -8,4 +8,3 @@ on May 21, 2019:
 
 The original discussion thread: https://github.com/netblue30/firejail/issues/2718
 The fix on mainline: https://github.com/netblue30/firejail/commit/eecf35c2f8249489a1d3e512bb07f0d427183134
-
diff --git a/etc/apparmor/firejail-base b/etc/apparmor/firejail-base
new file mode 100644
index 000000000..6e286d4af
--- /dev/null
+++ b/etc/apparmor/firejail-base
@@ -0,0 +1,27 @@
+#########################################
+# Firejail base abstraction drop-in
+#
+# Adds basic Firejail support to AppArmor profiles.
+# Please note: Firejail's nonewprivs and seccomp options
+# are not compatible with AppArmor profile transitions.
+# Also there is no support for Firejail chroot options.
+#########################################
+
+# Discovery of process names
+owner /proc/@{pid}/comm r,
+
+##########
+# Following paths only exist inside a Firejail sandbox
+##########
+
+# Library preloading
+/{,var/}run/firejail/lib/*.so mr,
+
+# Supporting seccomp
+owner /{,var/}run/firejail/mnt/seccomp/seccomp.postexec r,
+
+# Supporting trace
+owner /{,var/}run/firejail/mnt/trace w,
+
+# Supporting tracelog
+/{,var/}run/firejail/mnt/fslogger r,
diff --git a/etc/apparmor/firejail-default b/etc/apparmor/firejail-default
index ca32f5b0d..a7044152e 100644
--- a/etc/apparmor/firejail-default
+++ b/etc/apparmor/firejail-default
@@ -129,7 +129,7 @@ signal (receive),
 ##########
 # The list of recognized capabilities varies from one apparmor version to another.
 # For example on Debian 10 (apparmor 2.13.2) checkpoint_restore, perfmon, bpf are not available
-# We allow all caps by default and remove the  ones we don't like:
+# We allow all caps by default and remove the ones we don't like:
 capability,
 deny capability audit_write,
 deny capability audit_control,
diff --git a/etc/apparmor/firejail-local b/etc/apparmor/firejail-local
index 3dfd3d0ea..59c8f7f8a 100644
--- a/etc/apparmor/firejail-local
+++ b/etc/apparmor/firejail-local
@@ -8,6 +8,9 @@
 #owner @HOME/bin/** ix
 #owner @HOME/.local/bin/** ix
 
+# Uncomment to opt-in to apparmor for brave + ipfs
+#owner @{HOME}/.config/BraveSoftware/Brave-Browser/oecghfpdmkjlhnfpmmjegjacfimiafjp/*/** ix,
+
 # Uncomment to opt-in to apparmor for brave + tor
 #owner @{HOME}/.config/BraveSoftware/Brave-Browser/biahpgbdmdkfgndcmfiipgcebobojjkp/*/** ix,
 
diff --git a/etc/firejail.config b/etc/firejail.config
index 731e744dd..856018101 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -2,6 +2,10 @@
 # keyword-argument pairs, one per line. Most features are enabled by default.
 # Use 'yes' or 'no' as configuration values.
 
+# Allow programs to display a tray icon (warning: allows escaping the sandbox;
+# see https://github.com/netblue30/firejail/discussions/4053)
+# allow-tray no
+
 # Enable AppArmor functionality, default enabled.
 # apparmor yes
 
@@ -35,23 +39,12 @@
 # cannot be overridden by --noblacklist or --ignore.
 # disable-mnt no
 
-# Set the limit for file copy in several --private-* options. The size is set
-# in megabytes. By default we allow up to 500MB.
-# Note: the files are copied in RAM.
-# file-copy-limit 500
-
 # Enable or disable file transfer support, default enabled.
 # file-transfer yes
 
 # Enable Firejail green prompt in terminal, default disabled
 # firejail-prompt no
 
-# Follow symlink as user. While using --whitelist feature,
-# symlinks pointing outside home directory are followed only
-# if both the link and the real file are owned by the user.
-# Enabled by default
-# follow-symlink-as-user yes
-
 # Force use of nonewprivs.  This mitigates the possibility of
 # a user abusing firejail's features to trick a privileged (suid
 # or file capabilities) process into loading code or configuration
@@ -74,7 +67,7 @@
 # a file argument, the default filter is hardcoded (see man 1 firejail). This
 # configuration entry allows the user to change the default by specifying
 # a file containing the filter configuration. The filter file format is the
-# format of  iptables-save  and iptable-restore commands. Example:
+# format of iptables-save and iptables-restore commands. Example:
 # netfilter-default /etc/iptables.iptables.rules
 
 # Enable or disable networking features, default enabled.
@@ -83,18 +76,35 @@
 # Enable or disable overlayfs features, default enabled.
 # overlayfs yes
 
+# Set the limit for file copy in several --private-* options. The size is set
+# in megabytes. By default we allow up to 500MB.
+# Note: the files are copied in RAM.
+# file-copy-limit 500
+
+# Enable or disable private-bin feature, default enabled.
+# private-bin yes
+
 # Remove /usr/local directories from private-bin list, default disabled.
 # private-bin-no-local no
 
 # Enable or disable private-cache feature, default enabled
 # private-cache yes
 
+# Enable or disable private-etc feature, default enabled.
+# private-etc yes
+
 # Enable or disable private-home feature, default enabled
 # private-home yes
 
 # Enable or disable private-lib feature, default enabled
 # private-lib yes
 
+# Enable or disable private-opt feature, default enabled.
+# private-opt yes
+
+# Enable or disable private-srv feature, default enabled.
+# private-srv yes
+
 # Enable --quiet as default every time the sandbox is started. Default disabled.
 # quiet-by-default no
 
@@ -107,14 +117,19 @@
 # Enable or disable seccomp support, default enabled.
 # seccomp yes
 
+# Add rules to the default seccomp filter. Same syntax as for --seccomp=
+# None by default; this is an example.
+# seccomp-filter-add !chroot,kcmp,mincore
+
 # Seccomp error action, kill, log or errno (EPERM, ENOSYS etc)
 # seccomp-error-action EPERM
 
 # Enable or disable user namespace support, default enabled.
 # userns yes
 
-# Enable or disable whitelisting support, default enabled.
-# whitelist yes
+# Disable whitelist top level directories, in addition to those
+# that are disabled out of the box. None by default; this is an example.
+# whitelist-disable-topdir /etc,/usr/etc
 
 # Enable or disable X11 sandboxing support, default enabled.
 # x11 yes
diff --git a/etc/ids.config b/etc/ids.config
new file mode 100644
index 000000000..ff55416ca
--- /dev/null
+++ b/etc/ids.config
@@ -0,0 +1,158 @@
+# /etc/firejail/ids.config - configuration file for Firejail's Intrusion Detection System
+# This config file is overwritten when a new version of Firejail is installed.
+# For global customization use /etc/firejail/ids.config.local.
+include ids.config.local
+#
+# Each line is a file or directory name such as
+#       /usr/bin
+# or
+#       ${HOME}/Desktop/*.desktop
+#
+# ${HOME} is expanded to the user's home directory, and * is the regular
+# globbing match for zero or more characters.
+#
+# File or directory names starting with ! are not scanned. For example
+#        !${HOME}/.ssh/known_hosts
+#        ${HOME}/.ssh
+# will scan all files in ~/.ssh directory with the exception of known_hosts
+
+### system executables ###
+/bin
+/sbin
+/usr/bin
+/usr/games
+/usr/libexec
+/usr/sbin
+
+### user executables ###
+#/opt
+#/usr/local
+
+### system libraries ###
+#/lib
+#/usr/lib
+#/usr/lib32
+#/usr/lib64
+#/usr/libx32
+
+### shells local ###
+# bash
+${HOME}/.bash_aliases
+${HOME}/.bash_login
+${HOME}/.bash_logout
+${HOME}/.bash_profile
+${HOME}/.bashrc
+# fish
+${HOME}/.config/fish/config.fish
+# others
+${HOME}/.cshrc
+${HOME}/.kshrc
+${HOME}/.login
+${HOME}/.logout
+${HOME}/.profile
+${HOME}/.tcshrc
+# zsh
+${HOME}/.zlogin
+${HOME}/.zlogout
+${HOME}/.zshenv
+${HOME}/.zshprofile
+${HOME}/.zshrc
+
+### shells global ###
+# all
+/etc/dircolors
+/etc/environment
+/etc/profile
+/etc/profile.d
+/etc/shells
+/etc/skel
+# bash
+/etc/bash_completion*
+/etc/bash.bashrc
+/etc/bashrc
+# fish
+/etc/fish
+# ksh
+/etc/ksh.kshrc
+# tcsh
+/etc/complete.tcsh
+/etc/csh.cshrc
+/etc/csh.login
+/etc/csh.logout
+# zsh
+/etc/zlogin
+/etc/zlogout
+/etc/zprofile
+/etc/zshenv
+/etc/zshrc
+
+### X11 ###
+/etc/X11
+${HOME}/.xinitrc
+${HOME}/.xmodmaprc
+${HOME}/.xprofile
+${HOME}/.Xresources
+${HOME}/.xserverrc
+${HOME}/.Xsession
+${HOME}/.xsession
+${HOME}/.xsessionrc
+
+### window/desktop manager ###
+${HOME}/Desktop/*.desktop
+${HOME}/.config/autostart
+${HOME}/.config/autostart-scripts
+${HOME}/.config/lxsession/LXDE/autostart
+${HOME}/.config/openbox/autostart
+${HOME}/.config/openbox/environment
+${HOME}/.config/plasma-workspace/env
+${HOME}/.config/plasma-workspace/shutdown
+${HOME}/.gnomerc
+${HOME}/.gtkrc
+${HOME}/.kde/Autostart
+${HOME}/.kde/env
+${HOME}/.kde/share/autostart
+${HOME}/.kde/shutdown
+${HOME}/.kde4/Autostart
+${HOME}/.kde4/env
+${HOME}/.kde4/share/autostart
+${HOME}/.kde4/shutdown
+${HOME}/.kderc
+${HOME}/.local/share/autostart
+
+### security ###
+/etc/aide
+/etc/apparmor*
+/etc/chkrootkit.conf
+/etc/cracklib
+/etc/libaudit.conf
+/etc/group*
+/etc/gshadow*
+/etc/pam.*
+/etc/passwd*
+/etc/rkhunter*
+/etc/securetty
+/etc/security
+/etc/selinux
+/etc/shadow*
+/etc/sudoers*
+/etc/tripwire
+${HOME}/.config/firejail
+${HOME}/.gnupg
+${HOME}/.pam_environment
+
+### network security ###
+/etc/ca-certificates*
+/etc/hosts.*
+/etc/services
+/etc/snort
+/etc/ssh
+/etc/ssl
+/etc/wireshark
+!${HOME}/.ssh/known_hosts # excluding
+${HOME}/.ssh
+/usr/share/ca-certificates
+
+### system config ###
+/etc/cron.*
+/etc/crontab
+/etc/default
diff --git a/etc/inc/allow-common-devel.inc b/etc/inc/allow-common-devel.inc
index 41643657d..4e460fc10 100644
--- a/etc/inc/allow-common-devel.inc
+++ b/etc/inc/allow-common-devel.inc
@@ -15,6 +15,7 @@ noblacklist ${HOME}/.java
 noblacklist ${HOME}/.node-gyp
 noblacklist ${HOME}/.npm
 noblacklist ${HOME}/.npmrc
+noblacklist ${HOME}/.nvm
 noblacklist ${HOME}/.yarn
 noblacklist ${HOME}/.yarn-config
 noblacklist ${HOME}/.yarncache
@@ -26,11 +27,8 @@ noblacklist ${HOME}/.python-history
 noblacklist ${HOME}/.python_history
 noblacklist ${HOME}/.pythonhist
 
+# Ruby
+noblacklist ${HOME}/.bundle
+
 # Rust
-noblacklist ${HOME}/.cargo/advisory-db
-noblacklist ${HOME}/.cargo/config
-noblacklist ${HOME}/.cargo/git
-noblacklist ${HOME}/.cargo/registry
-noblacklist ${HOME}/.cargo/.crates.toml
-noblacklist ${HOME}/.cargo/.crates2.json
-noblacklist ${HOME}/.cargo/.package-cache
+noblacklist ${HOME}/.cargo
diff --git a/etc/inc/allow-nodejs.inc b/etc/inc/allow-nodejs.inc
index 78a4bed80..351c94ab8 100644
--- a/etc/inc/allow-nodejs.inc
+++ b/etc/inc/allow-nodejs.inc
@@ -4,3 +4,7 @@ include allow-nodejs.local
 
 noblacklist ${PATH}/node
 noblacklist /usr/include/node
+
+# Allow python for node-gyp (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
diff --git a/etc/inc/allow-opengl-game.inc b/etc/inc/allow-opengl-game.inc
index b5ff1bd50..5d2d6c5c1 100644
--- a/etc/inc/allow-opengl-game.inc
+++ b/etc/inc/allow-opengl-game.inc
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include allow-opengl-game.local
+
 noblacklist ${PATH}/bash
 whitelist /usr/share/opengl-games-utils/opengl-game-functions.sh
 private-bin basename,bash,cut,glxinfo,grep,head,sed,zenity
diff --git a/etc/inc/allow-perl.inc b/etc/inc/allow-perl.inc
index 5a1952c94..a473900da 100644
--- a/etc/inc/allow-perl.inc
+++ b/etc/inc/allow-perl.inc
@@ -10,3 +10,6 @@ noblacklist ${PATH}/vendor_perl
 noblacklist /usr/lib/perl*
 noblacklist /usr/lib64/perl*
 noblacklist /usr/share/perl*
+
+# rxvt is also blacklisted in disable-interpreters.inc
+noblacklist ${PATH}/rxvt
diff --git a/etc/inc/allow-ruby.inc b/etc/inc/allow-ruby.inc
index a8c701219..00276cac7 100644
--- a/etc/inc/allow-ruby.inc
+++ b/etc/inc/allow-ruby.inc
@@ -4,3 +4,4 @@ include allow-ruby.local
 
 noblacklist ${PATH}/ruby
 noblacklist /usr/lib/ruby
+noblacklist /usr/lib64/ruby
diff --git a/etc/inc/allow-ssh.inc b/etc/inc/allow-ssh.inc
index 67c78a483..5d41e6607 100644
--- a/etc/inc/allow-ssh.inc
+++ b/etc/inc/allow-ssh.inc
@@ -5,4 +5,11 @@ include allow-ssh.local
 noblacklist ${HOME}/.ssh
 noblacklist /etc/ssh
 noblacklist /etc/ssh/ssh_config
+noblacklist ${PATH}/ssh
 noblacklist /tmp/ssh-*
+# Arch Linux and derivatives
+noblacklist /usr/lib/ssh
+# Debian/Ubuntu and derivatives
+noblacklist /usr/lib/openssh
+# Fedora and derivatives
+noblacklist /usr/libexec/openssh
diff --git a/etc/inc/disable-X11.inc b/etc/inc/disable-X11.inc
new file mode 100644
index 000000000..d227c7a0b
--- /dev/null
+++ b/etc/inc/disable-X11.inc
@@ -0,0 +1,15 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include disable-X11.local
+
+blacklist /tmp/.X11-unix
+blacklist ${HOME}/.Xauthority
+blacklist ${RUNUSER}/gdm/Xauthority
+blacklist ${RUNUSER}/.mutter-Xwaylandauth*
+blacklist ${RUNUSER}/xauth_*
+#blacklist ${RUNUSER}/[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]
+blacklist /tmp/xauth*
+blacklist /tmp/.ICE-unix
+blacklist ${RUNUSER}/ICEauthority
+rmenv DISPLAY
+rmenv XAUTHORITY
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index 35f89e11b..43332b4d0 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -16,7 +16,9 @@ blacklist-nolog ${HOME}/.history
 blacklist-nolog ${HOME}/.kde/share/apps/klipper
 blacklist-nolog ${HOME}/.kde4/share/apps/klipper
 blacklist-nolog ${HOME}/.local/share/fish/fish_history
+blacklist-nolog ${HOME}/.local/share/ibus-typing-booster
 blacklist-nolog ${HOME}/.local/share/klipper
+blacklist-nolog ${HOME}/.local/share/nvim
 blacklist-nolog ${HOME}/.macromedia
 blacklist-nolog ${HOME}/.mupdf.history
 blacklist-nolog ${HOME}/.python-history
@@ -159,20 +161,23 @@ blacklist ${RUNUSER}/gsconnect
 # systemd
 blacklist ${HOME}/.config/systemd
 blacklist ${HOME}/.local/share/systemd
-blacklist /var/lib/systemd
+blacklist ${PATH}/systemctl
 blacklist ${PATH}/systemd-run
 blacklist ${RUNUSER}/systemd
+blacklist /etc/systemd/network
+blacklist /etc/systemd/system
+blacklist /var/lib/systemd
 # creates problems on Arch where /etc/resolv.conf is a symlink to /var/run/systemd/resolve/resolv.conf
 #blacklist /var/run/systemd
 
 # openrc
-blacklist /etc/runlevels/
-blacklist /etc/init.d/
+blacklist /etc/init.d
 blacklist /etc/rc.conf
+blacklist /etc/runlevels
 
 # VirtualBox
-blacklist ${HOME}/.VirtualBox
 blacklist ${HOME}/.config/VirtualBox
+blacklist ${HOME}/.VirtualBox
 blacklist ${HOME}/VirtualBox VMs
 
 # GNOME Boxes
@@ -242,20 +247,34 @@ blacklist /var/spool/cron
 blacklist /var/spool/mail
 
 # etc
+blacklist /etc/adduser.conf
 blacklist /etc/anacrontab
+blacklist /etc/apparmor*
 blacklist /etc/cron*
+blacklist /etc/default
+blacklist /etc/dkms
+blacklist /etc/grub*
+blacklist /etc/kernel*
+blacklist /etc/logrotate*
+blacklist /etc/modules*
 blacklist /etc/profile.d
 blacklist /etc/rc.local
 # rc1.d, rc2.d, ...
 blacklist /etc/rc?.d
-blacklist /etc/kernel*
-blacklist /etc/grub*
-blacklist /etc/dkms
-blacklist /etc/apparmor*
-blacklist /etc/selinux
-blacklist /etc/modules*
-blacklist /etc/logrotate*
-blacklist /etc/adduser.conf
+blacklist /etc/sysconfig
+
+# hide config for various intrusion detection systems
+blacklist /etc/aide
+blacklist /etc/aide.conf
+blacklist /etc/chkrootkit.conf
+blacklist /etc/fail2ban.conf
+blacklist /etc/logcheck
+blacklist /etc/lynis
+blacklist /etc/rkhunter.*
+blacklist /etc/snort
+blacklist /etc/suricata
+blacklist /etc/tripwire
+blacklist /var/lib/rkhunter
 
 # Startup files
 read-only ${HOME}/.antigen
@@ -305,6 +324,7 @@ read-only ${HOME}/.ssh/config.d
 # Initialization files that allow arbitrary command execution
 read-only ${HOME}/.caffrc
 read-only ${HOME}/.cargo/env
+read-only ${HOME}/.config/nvim
 read-only ${HOME}/.dotfiles
 read-only ${HOME}/.emacs
 read-only ${HOME}/.emacs.d
@@ -314,6 +334,7 @@ read-only ${HOME}/.homesick
 read-only ${HOME}/.iscreenrc
 read-only ${HOME}/.local/lib
 read-only ${HOME}/.local/share/cool-retro-term
+read-only ${HOME}/.local/share/nvim
 read-only ${HOME}/.mailcap
 read-only ${HOME}/.msmtprc
 read-only ${HOME}/.mutt/muttrc
@@ -335,13 +356,15 @@ read-only ${HOME}/_vimrc
 read-only ${HOME}/dotfiles
 
 # Make directories commonly found in $PATH read-only
+read-only ${HOME}/.bin
+read-only ${HOME}/.cargo/bin
 read-only ${HOME}/.gem
+read-only ${HOME}/.local/bin
 read-only ${HOME}/.luarocks
 read-only ${HOME}/.npm-packages
+read-only ${HOME}/.nvm
+read-only ${HOME}/.rustup
 read-only ${HOME}/bin
-read-only ${HOME}/.bin
-read-only ${HOME}/.local/bin
-read-only ${HOME}/.cargo/bin
 
 # Write-protection for desktop entries
 read-only ${HOME}/.config/menus
@@ -360,13 +383,32 @@ read-only ${HOME}/.local/share/thumbnailers
 blacklist /tmp/ssh-*
 
 # top secret
+blacklist /.fscrypt
+blacklist /etc/davfs2/secrets
+blacklist /etc/group+
+blacklist /etc/group-
+blacklist /etc/gshadow
+blacklist /etc/gshadow+
+blacklist /etc/gshadow-
+blacklist /etc/passwd+
+blacklist /etc/passwd-
+blacklist /etc/shadow
+blacklist /etc/shadow+
+blacklist /etc/shadow-
+blacklist /etc/ssh
+blacklist /etc/ssh/*
+blacklist /home/.ecryptfs
+blacklist /home/.fscrypt
 blacklist ${HOME}/*.kdb
 blacklist ${HOME}/*.kdbx
 blacklist ${HOME}/*.key
+blacklist ${HOME}/Private
 blacklist ${HOME}/.Private
 blacklist ${HOME}/.caff
 blacklist ${HOME}/.cargo/credentials
+blacklist ${HOME}/.cargo/credentials.toml
 blacklist ${HOME}/.cert
+blacklist ${HOME}/.config/hub
 blacklist ${HOME}/.config/keybase
 blacklist ${HOME}/.davfs2/secrets
 blacklist ${HOME}/.ecryptfs
@@ -376,40 +418,37 @@ blacklist ${HOME}/.git-credential-cache
 blacklist ${HOME}/.git-credentials
 blacklist ${HOME}/.gnome2/keyrings
 blacklist ${HOME}/.gnupg
-blacklist ${HOME}/.config/hub
 blacklist ${HOME}/.kde/share/apps/kwallet
 blacklist ${HOME}/.kde4/share/apps/kwallet
 blacklist ${HOME}/.local/share/keyrings
 blacklist ${HOME}/.local/share/kwalletd
+blacklist ${HOME}/.local/share/pki
 blacklist ${HOME}/.local/share/plasma-vault
+blacklist ${HOME}/.minisign
 blacklist ${HOME}/.msmtprc
 blacklist ${HOME}/.mutt
 blacklist ${HOME}/.muttrc
 blacklist ${HOME}/.netrc
 blacklist ${HOME}/.nyx
 blacklist ${HOME}/.pki
-blacklist ${HOME}/.local/share/pki
 blacklist ${HOME}/.smbcredentials
 blacklist ${HOME}/.ssh
 blacklist ${HOME}/.vaults
-blacklist /.fscrypt
-blacklist /etc/davfs2/secrets
-blacklist /etc/group+
-blacklist /etc/group-
-blacklist /etc/gshadow
-blacklist /etc/gshadow+
-blacklist /etc/gshadow-
-blacklist /etc/passwd+
-blacklist /etc/passwd-
-blacklist /etc/shadow
-blacklist /etc/shadow+
-blacklist /etc/shadow-
-blacklist /etc/ssh
-blacklist /etc/ssh/*
-blacklist /home/.ecryptfs
-blacklist /home/.fscrypt
+blacklist /run/timeshift
 blacklist /var/backup
 
+# Remove environment variables with auth tokens.
+# Note however that the sandbox might still have access to the
+# files where these variables are set.
+rmenv GH_TOKEN
+rmenv GITHUB_TOKEN
+rmenv GH_ENTERPRISE_TOKEN
+rmenv GITHUB_ENTERPRISE_TOKEN
+rmenv CARGO_REGISTRY_TOKEN
+rmenv RESTIC_KEY_HINT
+rmenv RESTIC_PASSWORD_COMMAND
+rmenv RESTIC_PASSWORD_FILE
+
 # cloud provider configuration
 blacklist ${HOME}/.aws
 blacklist ${HOME}/.boto
@@ -424,7 +463,7 @@ blacklist /sbin
 blacklist /usr/local/sbin
 blacklist /usr/sbin
 
-# system management
+# system management and various SUID executables
 blacklist ${PATH}/at
 blacklist ${PATH}/busybox
 blacklist ${PATH}/chage
@@ -459,6 +498,42 @@ blacklist ${PATH}/umount
 blacklist ${PATH}/unix_chkpwd
 blacklist ${PATH}/xev
 blacklist ${PATH}/xinput
+# from 0.9.67
+blacklist /usr/lib/openssh
+blacklist /usr/lib/ssh
+blacklist /usr/libexec/openssh
+blacklist ${PATH}/passwd
+blacklist /usr/lib/xorg/Xorg.wrap
+blacklist /usr/lib/policykit-1/polkit-agent-helper-1
+blacklist /usr/lib/dbus-1.0/dbus-daemon-launch-helper
+blacklist /usr/lib/eject/dmcrypt-get-device
+blacklist /usr/lib/chromium/chrome-sandbox
+blacklist /usr/lib/vmware
+blacklist ${PATH}/suexec
+blacklist /usr/lib/squid/basic_pam_auth
+blacklist ${PATH}/slock
+blacklist ${PATH}/physlock
+blacklist ${PATH}/schroot
+blacklist ${PATH}/wshowkeys
+blacklist ${PATH}/pmount
+blacklist ${PATH}/pumount
+blacklist ${PATH}/bmon
+blacklist ${PATH}/fping
+blacklist ${PATH}/fping6
+blacklist ${PATH}/hostname
+# blacklist ${PATH}/ip - breaks --ip=dhcp
+blacklist ${PATH}/mtr
+blacklist ${PATH}/mtr-packet
+blacklist ${PATH}/netstat
+blacklist ${PATH}/nm-online
+blacklist ${PATH}/nmcli
+blacklist ${PATH}/nmtui
+blacklist ${PATH}/nmtui-connect
+blacklist ${PATH}/nmtui-edit
+blacklist ${PATH}/nmtui-hostname
+blacklist ${PATH}/networkctl
+blacklist ${PATH}/ss
+blacklist ${PATH}/traceroute
 
 # other SUID binaries
 blacklist /usr/lib/virtualbox
@@ -470,10 +545,12 @@ blacklist /tmp/.lxterminal-socket*
 blacklist /tmp/tmux-*
 
 # disable terminals running as server resulting in sandbox escape
-blacklist ${PATH}/lxterminal
 blacklist ${PATH}/gnome-terminal
 blacklist ${PATH}/gnome-terminal.wrapper
+# blacklist ${PATH}/konsole
+# konsole doesn't seem to have this problem - last tested on Ubuntu 16.04
 blacklist ${PATH}/lilyterm
+blacklist ${PATH}/lxterminal
 blacklist ${PATH}/mate-terminal
 blacklist ${PATH}/mate-terminal.wrapper
 blacklist ${PATH}/pantheon-terminal
@@ -485,8 +562,6 @@ blacklist ${PATH}/urxvtc
 blacklist ${PATH}/urxvtcd
 blacklist ${PATH}/xfce4-terminal
 blacklist ${PATH}/xfce4-terminal.wrapper
-# blacklist ${PATH}/konsole
-# konsole doesn't seem to have this problem - last tested on Ubuntu 16.04
 
 # kernel files
 blacklist /initrd*
@@ -502,17 +577,17 @@ noblacklist ${HOME}/.local/share/flatpak/exports
 read-only ${HOME}/.local/share/flatpak/exports
 blacklist ${HOME}/.local/share/flatpak/*
 blacklist ${HOME}/.var
-blacklist ${RUNUSER}/app
-blacklist ${RUNUSER}/doc
+# most of the time bwrap is SUID binary
+blacklist ${PATH}/bwrap
 blacklist ${RUNUSER}/.dbus-proxy
 blacklist ${RUNUSER}/.flatpak
 blacklist ${RUNUSER}/.flatpak-cache
 blacklist ${RUNUSER}/.flatpak-helper
+blacklist ${RUNUSER}/app
+blacklist ${RUNUSER}/doc
 blacklist /usr/share/flatpak
 noblacklist /var/lib/flatpak/exports
 blacklist /var/lib/flatpak/*
-# most of the time bwrap is SUID binary
-blacklist ${PATH}/bwrap
 
 # snap
 blacklist ${RUNUSER}/snapd-session-agent.socket
@@ -529,8 +604,7 @@ blacklist ${HOME}/sent
 # kernel configuration
 blacklist /proc/config.gz
 
-# prevent DNS malware attempting to communicate with the server
-# using regular DNS tools
+# prevent DNS malware attempting to communicate with the server using regular DNS tools
 blacklist ${PATH}/dig
 blacklist ${PATH}/dlint
 blacklist ${PATH}/dns2tcp
@@ -548,8 +622,19 @@ blacklist ${PATH}/nslookup
 blacklist ${PATH}/resolvectl
 blacklist ${PATH}/unbound-host
 
+# prevent an intruder to guess passwords using regular network tools
+blacklist ${PATH}/ftp
+blacklist ${PATH}/ssh
+blacklist ${PATH}/telnet
+
 # rest of ${RUNUSER}
 blacklist ${RUNUSER}/*.lock
 blacklist ${RUNUSER}/inaccessible
 blacklist ${RUNUSER}/pk-debconf-socket
 blacklist ${RUNUSER}/update-notifier.pid
+
+# tor-browser
+blacklist ${HOME}/.local/opt/tor-browser
+
+# pass utility (pass package in Debian etc.)
+blacklist ${HOME}/.password-store
diff --git a/etc/inc/disable-devel.inc b/etc/inc/disable-devel.inc
index e74b1b40b..98bf5ecc8 100644
--- a/etc/inc/disable-devel.inc
+++ b/etc/inc/disable-devel.inc
@@ -60,9 +60,7 @@ blacklist /usr/lib/tcc
 blacklist ${PATH}/valgrind*
 blacklist /usr/lib/valgrind
 
-
 # Source-Code
-
 blacklist /usr/src
 blacklist /usr/local/src
 blacklist /usr/include
diff --git a/etc/inc/disable-exec.inc b/etc/inc/disable-exec.inc
index 9b5c40a2b..d7dcef7e7 100644
--- a/etc/inc/disable-exec.inc
+++ b/etc/inc/disable-exec.inc
@@ -6,6 +6,7 @@ noexec ${HOME}
 noexec ${RUNUSER}
 noexec /dev/mqueue
 noexec /dev/shm
+noexec /run/shm
 noexec /tmp
 # /var is noexec by default for unprivileged users
 # except there is a writable-var option, so just in case:
diff --git a/etc/inc/disable-interpreters.inc b/etc/inc/disable-interpreters.inc
index 5d8a236fb..ca43e5ed9 100644
--- a/etc/inc/disable-interpreters.inc
+++ b/etc/inc/disable-interpreters.inc
@@ -40,6 +40,15 @@ blacklist /usr/lib/perl*
 blacklist /usr/lib64/perl*
 blacklist /usr/share/perl*
 
+# rxvt needs Perl modules, thus does not work. In particular, blacklisting
+# it is needed so that Firefox can run applications with Terminal=true in
+# their .desktop file (depending on what is installed). The reason is that
+# this is done via glib, which currently uses a hardcoded list of terminal
+# emulators:
+#   https://gitlab.gnome.org/GNOME/glib/-/issues/338
+# And in this list, rxvt comes before xterm.
+blacklist ${PATH}/rxvt
+
 # PHP
 blacklist ${PATH}/php*
 blacklist /usr/lib/php*
@@ -48,6 +57,7 @@ blacklist /usr/share/php*
 # Ruby
 blacklist ${PATH}/ruby
 blacklist /usr/lib/ruby
+blacklist /usr/lib64/ruby
 
 # Programs using python: deluge, firefox addons, filezilla, cherrytree, xchat, hexchat, libreoffice, scribus
 # Python 2
diff --git a/etc/inc/disable-passwdmgr.inc b/etc/inc/disable-passwdmgr.inc
deleted file mode 100644
index 3ed9a1b14..000000000
--- a/etc/inc/disable-passwdmgr.inc
+++ /dev/null
@@ -1,19 +0,0 @@
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
-include disable-passwdmgr.local
-
-blacklist ${HOME}/.config/Bitwarden
-blacklist ${HOME}/.config/KeePass
-blacklist ${HOME}/.config/keepass
-blacklist ${HOME}/.config/keepassx
-blacklist ${HOME}/.config/keepassxc
-blacklist ${HOME}/.config/KeePassXCrc
-blacklist ${HOME}/.config/Sinew Software Systems
-blacklist ${HOME}/.fpm
-blacklist ${HOME}/.keepass
-blacklist ${HOME}/.keepassx
-blacklist ${HOME}/.keepassxc
-blacklist ${HOME}/.lastpass
-blacklist ${HOME}/.local/share/KeePass
-blacklist ${HOME}/.local/share/keepass
-blacklist ${HOME}/.password-store
diff --git a/etc/inc/disable-proc.inc b/etc/inc/disable-proc.inc
new file mode 100644
index 000000000..81a8883f3
--- /dev/null
+++ b/etc/inc/disable-proc.inc
@@ -0,0 +1,82 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include disable-proc.local
+
+blacklist /proc/acpi
+blacklist /proc/asound
+blacklist /proc/bootconfig
+blacklist /proc/buddyinfo
+blacklist /proc/cgroups
+blacklist /proc/cmdline
+blacklist /proc/config.gz
+blacklist /proc/consoles
+#blacklist /proc/cpuinfo
+blacklist /proc/crypto
+blacklist /proc/devices
+blacklist /proc/diskstats
+blacklist /proc/dma
+#blacklist /proc/driver
+blacklist /proc/dynamic_debug
+blacklist /proc/execdomains
+blacklist /proc/fb
+#blacklist /proc/filesystems
+blacklist /proc/fs
+blacklist /proc/i8k
+blacklist /proc/interrupts
+blacklist /proc/iomem
+blacklist /proc/ioports
+blacklist /proc/irq
+blacklist /proc/kallsyms
+blacklist /proc/kcore
+blacklist /proc/keys
+blacklist /proc/key-users
+blacklist /proc/kmsg
+blacklist /proc/kpagecgroup
+blacklist /proc/kpagecount
+blacklist /proc/kpageflags
+blacklist /proc/latency_stats
+#blacklist /proc/loadavg
+blacklist /proc/locks
+blacklist /proc/mdstat
+#blacklist /proc/meminfo
+blacklist /proc/misc
+#blacklist /proc/modules
+#blacklist /proc/mounts
+blacklist /proc/mtrr
+#blacklist /proc/net
+blacklist /proc/partitions
+blacklist /proc/pressure
+blacklist /proc/sched_debug
+blacklist /proc/schedstat
+blacklist /proc/scsi
+#blacklist /proc/self
+blacklist /proc/slabinfo
+blacklist /proc/softirqs
+blacklist /proc/spl
+#blacklist /proc/stat
+blacklist /proc/swaps
+#blacklist /proc/sys
+blacklist /proc/sysrq-trigger
+blacklist /proc/sysvipc
+#blacklist /proc/thread-self
+blacklist /proc/timer_list
+blacklist /proc/tty
+#blacklist /proc/uptime
+#blacklist /proc/version
+blacklist /proc/version_signature
+blacklist /proc/vmallocinfo
+#blacklist /proc/vmstat
+#blacklist /proc/zoneinfo
+
+blacklist /proc/sys/abi
+blacklist /proc/sys/crypto
+blacklist /proc/sys/debug
+blacklist /proc/sys/dev
+blacklist /proc/sys/fs
+blacklist /proc/sys/net
+blacklist /proc/sys/user
+blacklist /proc/sys/vm
+
+noblacklist /proc/sys/kernel/osrelease
+noblacklist /proc/sys/kernel/yama
+blacklist /proc/sys/*/*
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index cbc8ef6d2..5078ec82f 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -2,18 +2,6 @@
 # Persistent customizations should go in a .local file.
 include disable-programs.local
 
-blacklist ${HOME}/Arduino
-blacklist ${HOME}/i2p
-blacklist ${HOME}/Monero/wallets
-blacklist ${HOME}/Nextcloud
-blacklist ${HOME}/Nextcloud/Notes
-blacklist ${HOME}/SoftMaker
-blacklist ${HOME}/Standard Notes Backups
-blacklist ${HOME}/TeamSpeak3-Client-linux_x86
-blacklist ${HOME}/TeamSpeak3-Client-linux_amd64
-blacklist ${HOME}/hyperrogue.ini
-blacklist ${HOME}/mps
-blacklist ${HOME}/wallet.dat
 blacklist ${HOME}/.*coin
 blacklist ${HOME}/.8pecxstudios
 blacklist ${HOME}/.AndroidStudio*
@@ -38,8 +26,10 @@ blacklist ${HOME}/.VirtualBox
 blacklist ${HOME}/.WebStorm*
 blacklist ${HOME}/.Wolfram Research
 blacklist ${HOME}/.ZAP
-blacklist ${HOME}/.abook
 blacklist ${HOME}/.aMule
+blacklist ${HOME}/.abook
+blacklist ${HOME}/.addressbook
+blacklist ${HOME}/.alpine-smime
 blacklist ${HOME}/.android
 blacklist ${HOME}/.anydesk
 blacklist ${HOME}/.arduino15
@@ -57,19 +47,196 @@ blacklist ${HOME}/.balsa
 blacklist ${HOME}/.bcast5
 blacklist ${HOME}/.bibletime
 blacklist ${HOME}/.bitcoin
+blacklist ${HOME}/.blobby
 blacklist ${HOME}/.bogofilter
+blacklist ${HOME}/.bundle
 blacklist ${HOME}/.bzf
-blacklist ${HOME}/.cargo/advisory-db
-blacklist ${HOME}/.cargo/config
-blacklist ${HOME}/.cargo/git
-blacklist ${HOME}/.cargo/registry
-blacklist ${HOME}/.cargo/.crates.toml
-blacklist ${HOME}/.cargo/.crates2.json
-blacklist ${HOME}/.cargo/.package-cache
+blacklist ${HOME}/.cache/0ad
+blacklist ${HOME}/.cache/8pecxstudios
+blacklist ${HOME}/.cache/Authenticator
+blacklist ${HOME}/.cache/BraveSoftware
+blacklist ${HOME}/.cache/Clementine
+blacklist ${HOME}/.cache/ENCOM/Spectral
+blacklist ${HOME}/.cache/Enox
+blacklist ${HOME}/.cache/Enpass
+blacklist ${HOME}/.cache/Ferdi
+blacklist ${HOME}/.cache/Flavio Tordini
+blacklist ${HOME}/.cache/Franz
+blacklist ${HOME}/.cache/GoldenDict
+blacklist ${HOME}/.cache/INRIA
+blacklist ${HOME}/.cache/INRIA/Natron
+blacklist ${HOME}/.cache/JetBrains/CLion*
+blacklist ${HOME}/.cache/KDE/neochat
+blacklist ${HOME}/.cache/Mendeley Ltd.
+blacklist ${HOME}/.cache/MusicBrainz
+blacklist ${HOME}/.cache/NewsFlashGTK
+blacklist ${HOME}/.cache/Otter
+blacklist ${HOME}/.cache/PawelStolowski
+blacklist ${HOME}/.cache/Psi
+blacklist ${HOME}/.cache/QuiteRss
+blacklist ${HOME}/.cache/Quotient/quaternion
+blacklist ${HOME}/.cache/Shortwave
+blacklist ${HOME}/.cache/Tox
+blacklist ${HOME}/.cache/Zeal
+blacklist ${HOME}/.cache/agenda
+blacklist ${HOME}/.cache/akonadi*
+blacklist ${HOME}/.cache/atril
+blacklist ${HOME}/.cache/attic
+blacklist ${HOME}/.cache/babl
+blacklist ${HOME}/.cache/bnox
+blacklist ${HOME}/.cache/borg
+blacklist ${HOME}/.cache/cachy
+blacklist ${HOME}/.cache/calibre
+blacklist ${HOME}/.cache/cantata
+blacklist ${HOME}/.cache/champlain
+blacklist ${HOME}/.cache/chromium
+blacklist ${HOME}/.cache/chromium-dev
+blacklist ${HOME}/.cache/cliqz
+blacklist ${HOME}/.cache/com.github.johnfactotum.Foliate
+blacklist ${HOME}/.cache/darktable
+blacklist ${HOME}/.cache/deja-dup
+blacklist ${HOME}/.cache/discover
+blacklist ${HOME}/.cache/dnox
+blacklist ${HOME}/.cache/dolphin
+blacklist ${HOME}/.cache/dolphin-emu
+blacklist ${HOME}/.cache/ephemeral
+blacklist ${HOME}/.cache/epiphany
+blacklist ${HOME}/.cache/evolution
+blacklist ${HOME}/.cache/falkon
+blacklist ${HOME}/.cache/feedreader
+blacklist ${HOME}/.cache/firedragon
+blacklist ${HOME}/.cache/flaska.net/trojita
+blacklist ${HOME}/.cache/folks
+blacklist ${HOME}/.cache/font-manager
+blacklist ${HOME}/.cache/fossamail
+blacklist ${HOME}/.cache/fractal
+blacklist ${HOME}/.cache/freecol
+blacklist ${HOME}/.cache/gajim
+blacklist ${HOME}/.cache/geary
+blacklist ${HOME}/.cache/geeqie
+blacklist ${HOME}/.cache/gegl-0.4
+blacklist ${HOME}/.cache/gfeeds
+blacklist ${HOME}/.cache/gimp
+blacklist ${HOME}/.cache/gnome-boxes
+blacklist ${HOME}/.cache/gnome-builder
+blacklist ${HOME}/.cache/gnome-control-center
+blacklist ${HOME}/.cache/gnome-recipes
+blacklist ${HOME}/.cache/gnome-screenshot
+blacklist ${HOME}/.cache/gnome-software
+blacklist ${HOME}/.cache/gnome-twitch
+blacklist ${HOME}/.cache/godot
+blacklist ${HOME}/.cache/google-chrome
+blacklist ${HOME}/.cache/google-chrome-beta
+blacklist ${HOME}/.cache/google-chrome-unstable
+blacklist ${HOME}/.cache/gradio
+blacklist ${HOME}/.cache/gummi
+blacklist ${HOME}/.cache/icedove
+blacklist ${HOME}/.cache/inkscape
+blacklist ${HOME}/.cache/inox
+blacklist ${HOME}/.cache/io.github.lainsce.Notejot
+blacklist ${HOME}/.cache/iridium
+blacklist ${HOME}/.cache/kcmshell5
+blacklist ${HOME}/.cache/kdenlive
+blacklist ${HOME}/.cache/keepassxc
+blacklist ${HOME}/.cache/kfind
+blacklist ${HOME}/.cache/kinfocenter
+blacklist ${HOME}/.cache/kmail2
+blacklist ${HOME}/.cache/krunner
+blacklist ${HOME}/.cache/krunnerbookmarkrunnerfirefoxdbfile.sqlite*
+blacklist ${HOME}/.cache/kscreenlocker_greet
+blacklist ${HOME}/.cache/ksmserver-logout-greeter
+blacklist ${HOME}/.cache/ksplashqml
+blacklist ${HOME}/.cache/kube
+blacklist ${HOME}/.cache/kwin
+blacklist ${HOME}/.cache/libgweather
+blacklist ${HOME}/.cache/librewolf
+blacklist ${HOME}/.cache/liferea
+blacklist ${HOME}/.cache/lutris
+blacklist ${HOME}/.cache/marker
+blacklist ${HOME}/.cache/matrix-mirage
+blacklist ${HOME}/.cache/microsoft-edge-beta
+blacklist ${HOME}/.cache/microsoft-edge-dev
+blacklist ${HOME}/.cache/midori
+blacklist ${HOME}/.cache/minetest
+blacklist ${HOME}/.cache/mirage
+blacklist ${HOME}/.cache/moonchild productions/basilisk
+blacklist ${HOME}/.cache/moonchild productions/pale moon
+blacklist ${HOME}/.cache/mozilla
+blacklist ${HOME}/.cache/ms-excel-online
+blacklist ${HOME}/.cache/ms-office-online
+blacklist ${HOME}/.cache/ms-onenote-online
+blacklist ${HOME}/.cache/ms-outlook-online
+blacklist ${HOME}/.cache/ms-powerpoint-online
+blacklist ${HOME}/.cache/ms-skype-online
+blacklist ${HOME}/.cache/ms-word-online
+blacklist ${HOME}/.cache/mutt
+blacklist ${HOME}/.cache/mypaint
+blacklist ${HOME}/.cache/netsurf
+blacklist ${HOME}/.cache/nheko
+blacklist ${HOME}/.cache/nvim
+blacklist ${HOME}/.cache/okular
+blacklist ${HOME}/.cache/opera
+blacklist ${HOME}/.cache/opera-beta
+blacklist ${HOME}/.cache/opera-developer
+blacklist ${HOME}/.cache/org.gabmus.gfeeds
+blacklist ${HOME}/.cache/org.gnome.Books
+blacklist ${HOME}/.cache/org.gnome.Maps
+blacklist ${HOME}/.cache/pdfmod
+blacklist ${HOME}/.cache/peek
+blacklist ${HOME}/.cache/pip
+blacklist ${HOME}/.cache/pipe-viewer
+blacklist ${HOME}/.cache/plasmashell
+blacklist ${HOME}/.cache/plasmashellbookmarkrunnerfirefoxdbfile.sqlite*
+blacklist ${HOME}/.cache/psi
+blacklist ${HOME}/.cache/qBittorrent
+blacklist ${HOME}/.cache/quodlibet
+blacklist ${HOME}/.cache/qupzilla
+blacklist ${HOME}/.cache/qutebrowser
+blacklist ${HOME}/.cache/rclone
+blacklist ${HOME}/.cache/rednotebook
+blacklist ${HOME}/.cache/rhythmbox
+blacklist ${HOME}/.cache/rpcs3
+blacklist ${HOME}/.cache/shotwell
+blacklist ${HOME}/.cache/simple-scan
+blacklist ${HOME}/.cache/slimjet
+blacklist ${HOME}/.cache/smuxi
+blacklist ${HOME}/.cache/snox
+blacklist ${HOME}/.cache/spotify
+blacklist ${HOME}/.cache/straw-viewer
+blacklist ${HOME}/.cache/strawberry
+blacklist ${HOME}/.cache/supertuxkart
+blacklist ${HOME}/.cache/systemsettings
+blacklist ${HOME}/.cache/telepathy
+blacklist ${HOME}/.cache/thunderbird
+blacklist ${HOME}/.cache/torbrowser
+blacklist ${HOME}/.cache/transmission
+blacklist ${HOME}/.cache/ungoogled-chromium
+blacklist ${HOME}/.cache/vivaldi
+blacklist ${HOME}/.cache/vivaldi-snapshot
+blacklist ${HOME}/.cache/vlc
+blacklist ${HOME}/.cache/vmware
+blacklist ${HOME}/.cache/warsow-2.1
+blacklist ${HOME}/.cache/waterfox
+blacklist ${HOME}/.cache/wesnoth
+blacklist ${HOME}/.cache/wine
+blacklist ${HOME}/.cache/winetricks
+blacklist ${HOME}/.cache/xmms2
+blacklist ${HOME}/.cache/xournalpp
+blacklist ${HOME}/.cache/xreader
+blacklist ${HOME}/.cache/yandex-browser
+blacklist ${HOME}/.cache/yandex-browser-beta
+blacklist ${HOME}/.cache/youtube-dl
+blacklist ${HOME}/.cache/youtube-viewer
+blacklist ${HOME}/.cache/yt-dlp
+blacklist ${HOME}/.cache/zim
+blacklist ${HOME}/.cachy
+blacklist ${HOME}/.cargo
 blacklist ${HOME}/.claws-mail
+blacklist ${HOME}/.clion*
 blacklist ${HOME}/.cliqz
 blacklist ${HOME}/.clonk
 blacklist ${HOME}/.config/0ad
+blacklist ${HOME}/.config/1Password
 blacklist ${HOME}/.config/2048-qt
 blacklist ${HOME}/.config/Atom
 blacklist ${HOME}/.config/Audaciousrc
@@ -80,17 +247,20 @@ blacklist ${HOME}/.config/Bitwarden
 blacklist ${HOME}/.config/Brackets
 blacklist ${HOME}/.config/BraveSoftware
 blacklist ${HOME}/.config/Clementine
+blacklist ${HOME}/.config/ClipGrab
 blacklist ${HOME}/.config/Code
 blacklist ${HOME}/.config/Code - OSS
 blacklist ${HOME}/.config/Code Industry
 blacklist ${HOME}/.config/Cryptocat
 blacklist ${HOME}/.config/Debauchee/Barrier.conf
 blacklist ${HOME}/.config/Dharkael
+blacklist ${HOME}/.config/ENCOM
+blacklist ${HOME}/.config/Electron
 blacklist ${HOME}/.config/Element
 blacklist ${HOME}/.config/Element (Riot)
-blacklist ${HOME}/.config/ENCOM
 blacklist ${HOME}/.config/Enox
 blacklist ${HOME}/.config/Epic
+blacklist ${HOME}/.config/Exodus
 blacklist ${HOME}/.config/Ferdi
 blacklist ${HOME}/.config/Flavio Tordini
 blacklist ${HOME}/.config/Franz
@@ -105,16 +275,23 @@ blacklist ${HOME}/.config/Google Play Music Desktop Player
 blacklist ${HOME}/.config/Gpredict
 blacklist ${HOME}/.config/INRIA
 blacklist ${HOME}/.config/InSilmaril
+blacklist ${HOME}/.config/JetBrains/CLion*
 blacklist ${HOME}/.config/Jitsi Meet
 blacklist ${HOME}/.config/KDE/neochat
+blacklist ${HOME}/.config/KeePass
+blacklist ${HOME}/.config/KeePassXCrc
 blacklist ${HOME}/.config/Kid3
 blacklist ${HOME}/.config/Kingsoft
+blacklist ${HOME}/.config/Ledger Live
+blacklist ${HOME}/.config/LibreCAD
 blacklist ${HOME}/.config/Loop_Hero
 blacklist ${HOME}/.config/Luminance
 blacklist ${HOME}/.config/LyX
+blacklist ${HOME}/.config/MangoHud
 blacklist ${HOME}/.config/Mattermost
 blacklist ${HOME}/.config/Meltytech
 blacklist ${HOME}/.config/Mendeley Ltd.
+blacklist ${HOME}/.config/Microsoft
 blacklist ${HOME}/.config/Min
 blacklist ${HOME}/.config/ModTheSpire
 blacklist ${HOME}/.config/Mousepad
@@ -124,11 +301,14 @@ blacklist ${HOME}/.config/MuseScore
 blacklist ${HOME}/.config/MusicBrainz
 blacklist ${HOME}/.config/Nathan Osman
 blacklist ${HOME}/.config/Nextcloud
+blacklist ${HOME}/.config/NitroShare
+blacklist ${HOME}/.config/Notable
 blacklist ${HOME}/.config/Nylas Mail
+blacklist ${HOME}/.config/PBE
 blacklist ${HOME}/.config/PacmanLogViewer
 blacklist ${HOME}/.config/PawelStolowski
-blacklist ${HOME}/.config/PBE
 blacklist ${HOME}/.config/Philipp Schmieder
+blacklist ${HOME}/.config/Pinta
 blacklist ${HOME}/.config/QGIS
 blacklist ${HOME}/.config/QMediathekView
 blacklist ${HOME}/.config/Qlipper
@@ -140,6 +320,7 @@ blacklist ${HOME}/.config/Riot
 blacklist ${HOME}/.config/Rocket.Chat
 blacklist ${HOME}/.config/RogueLegacy
 blacklist ${HOME}/.config/RogueLegacyStorageContainer
+blacklist ${HOME}/.config/Seafile
 blacklist ${HOME}/.config/Signal
 blacklist ${HOME}/.config/Sinew Software Systems
 blacklist ${HOME}/.config/Slack
@@ -148,11 +329,14 @@ blacklist ${HOME}/.config/SubDownloader
 blacklist ${HOME}/.config/Thunar
 blacklist ${HOME}/.config/Twitch
 blacklist ${HOME}/.config/Unknown Organization
+blacklist ${HOME}/.config/VSCodium
 blacklist ${HOME}/.config/VirtualBox
+blacklist ${HOME}/.config/Whalebird
 blacklist ${HOME}/.config/Wire
 blacklist ${HOME}/.config/Youtube
-blacklist ${HOME}/.config/Zeal
 blacklist ${HOME}/.config/ZeGrapher Project
+blacklist ${HOME}/.config/Zeal
+blacklist ${HOME}/.config/Zulip
 blacklist ${HOME}/.config/aacs
 blacklist ${HOME}/.config/abiword
 blacklist ${HOME}/.config/agenda
@@ -201,10 +385,12 @@ blacklist ${HOME}/.config/chromium-flags.conf
 blacklist ${HOME}/.config/clipit
 blacklist ${HOME}/.config/cliqz
 blacklist ${HOME}/.config/cmus
+blacklist ${HOME}/.config/cointop
 blacklist ${HOME}/.config/com.github.bleakgrey.tootle
 blacklist ${HOME}/.config/corebird
 blacklist ${HOME}/.config/cower
 blacklist ${HOME}/.config/coyim
+blacklist ${HOME}/.config/d-feet
 blacklist ${HOME}/.config/darktable
 blacklist ${HOME}/.config/deadbeef
 blacklist ${HOME}/.config/deluge
@@ -219,7 +405,7 @@ blacklist ${HOME}/.config/dolphin-emu
 blacklist ${HOME}/.config/dolphinrc
 blacklist ${HOME}/.config/dragonplayerrc
 blacklist ${HOME}/.config/draw.io
-blacklist ${HOME}/.config/d-feet
+blacklist ${HOME}/.config/electron-flag*.conf
 blacklist ${HOME}/.config/electron-mail
 blacklist ${HOME}/.config/emaildefaults
 blacklist ${HOME}/.config/emailidentities
@@ -239,6 +425,7 @@ blacklist ${HOME}/.config/font-manager
 blacklist ${HOME}/.config/freecol
 blacklist ${HOME}/.config/gajim
 blacklist ${HOME}/.config/galculator
+blacklist ${HOME}/.config/gallery-dl
 blacklist ${HOME}/.config/gconf
 blacklist ${HOME}/.config/geany
 blacklist ${HOME}/.config/geary
@@ -293,6 +480,9 @@ blacklist ${HOME}/.config/kdeconnect
 blacklist ${HOME}/.config/kdenliverc
 blacklist ${HOME}/.config/kdiff3fileitemactionrc
 blacklist ${HOME}/.config/kdiff3rc
+blacklist ${HOME}/.config/keepass
+blacklist ${HOME}/.config/keepassx
+blacklist ${HOME}/.config/keepassxc
 blacklist ${HOME}/.config/kfindrc
 blacklist ${HOME}/.config/kgetrc
 blacklist ${HOME}/.config/kid3rc
@@ -302,8 +492,8 @@ blacklist ${HOME}/.config/kmail2rc
 blacklist ${HOME}/.config/kmailsearchindexingrc
 blacklist ${HOME}/.config/kmplayerrc
 blacklist ${HOME}/.config/knotesrc
-blacklist ${HOME}/.config/konversationrc
 blacklist ${HOME}/.config/konversation.notifyrc
+blacklist ${HOME}/.config/konversationrc
 blacklist ${HOME}/.config/kritarc
 blacklist ${HOME}/.config/ktorrentrc
 blacklist ${HOME}/.config/ktouch2rc
@@ -324,13 +514,14 @@ blacklist ${HOME}/.config/mate/mate-dictionary
 blacklist ${HOME}/.config/matrix-mirage
 blacklist ${HOME}/.config/mcomix
 blacklist ${HOME}/.config/meld
-blacklist ${HOME}/.config/meteo-qt
 blacklist ${HOME}/.config/menulibre.cfg
+blacklist ${HOME}/.config/meteo-qt
 blacklist ${HOME}/.config/mfusion
-blacklist ${HOME}/.config/Microsoft
+blacklist ${HOME}/.config/microsoft-edge-beta
 blacklist ${HOME}/.config/microsoft-edge-dev
 blacklist ${HOME}/.config/midori
 blacklist ${HOME}/.config/mirage
+blacklist ${HOME}/.config/monero-project
 blacklist ${HOME}/.config/mono
 blacklist ${HOME}/.config/mpDris2
 blacklist ${HOME}/.config/mpd
@@ -343,17 +534,17 @@ blacklist ${HOME}/.config/mypaint
 blacklist ${HOME}/.config/nano
 blacklist ${HOME}/.config/nautilus
 blacklist ${HOME}/.config/nemo
-blacklist ${HOME}/.config/neochatrc
 blacklist ${HOME}/.config/neochat.notifyrc
+blacklist ${HOME}/.config/neochatrc
 blacklist ${HOME}/.config/neomutt
 blacklist ${HOME}/.config/netsurf
 blacklist ${HOME}/.config/newsbeuter
 blacklist ${HOME}/.config/newsboat
 blacklist ${HOME}/.config/newsflash
 blacklist ${HOME}/.config/nheko
-blacklist ${HOME}/.config/NitroShare
 blacklist ${HOME}/.config/nomacs
 blacklist ${HOME}/.config/nuclear
+blacklist ${HOME}/.config/nvim
 blacklist ${HOME}/.config/obs-studio
 blacklist ${HOME}/.config/okularpartrc
 blacklist ${HOME}/.config/okularrc
@@ -363,6 +554,7 @@ blacklist ${HOME}/.config/onlyoffice
 blacklist ${HOME}/.config/openmw
 blacklist ${HOME}/.config/opera
 blacklist ${HOME}/.config/opera-beta
+blacklist ${HOME}/.config/opera-developer
 blacklist ${HOME}/.config/orage
 blacklist ${HOME}/.config/org.gabmus.gfeeds.json
 blacklist ${HOME}/.config/org.gabmus.gfeeds.saved_articles
@@ -372,7 +564,6 @@ blacklist ${HOME}/.config/pavucontrol-qt
 blacklist ${HOME}/.config/pavucontrol.ini
 blacklist ${HOME}/.config/pcmanfm
 blacklist ${HOME}/.config/pdfmod
-blacklist ${HOME}/.config/Pinta
 blacklist ${HOME}/.config/pipe-viewer
 blacklist ${HOME}/.config/pitivi
 blacklist ${HOME}/.config/pix
@@ -390,10 +581,12 @@ blacklist ${HOME}/.config/quodlibet
 blacklist ${HOME}/.config/qupzilla
 blacklist ${HOME}/.config/qutebrowser
 blacklist ${HOME}/.config/ranger
+blacklist ${HOME}/.config/rclone
 blacklist ${HOME}/.config/redshift
 blacklist ${HOME}/.config/redshift.conf
 blacklist ${HOME}/.config/remmina
 blacklist ${HOME}/.config/ristretto
+blacklist ${HOME}/.config/rpcs3
 blacklist ${HOME}/.config/rtv
 blacklist ${HOME}/.config/scribus
 blacklist ${HOME}/.config/scribusrc
@@ -411,8 +604,8 @@ blacklist ${HOME}/.config/spectaclerc
 blacklist ${HOME}/.config/spotify
 blacklist ${HOME}/.config/sqlitebrowser
 blacklist ${HOME}/.config/stellarium
-blacklist ${HOME}/.config/strawberry
 blacklist ${HOME}/.config/straw-viewer
+blacklist ${HOME}/.config/strawberry
 blacklist ${HOME}/.config/supertuxkart
 blacklist ${HOME}/.config/synfig
 blacklist ${HOME}/.config/teams
@@ -435,19 +628,20 @@ blacklist ${HOME}/.config/vivaldi
 blacklist ${HOME}/.config/vivaldi-snapshot
 blacklist ${HOME}/.config/vlc
 blacklist ${HOME}/.config/wesnoth
-blacklist ${HOME}/.config/wormux
-blacklist ${HOME}/.config/Whalebird
+blacklist ${HOME}/.config/wget
 blacklist ${HOME}/.config/wireshark
+blacklist ${HOME}/.config/wormux
 blacklist ${HOME}/.config/xchat
 blacklist ${HOME}/.config/xed
 blacklist ${HOME}/.config/xfburn
+blacklist ${HOME}/.config/xfce4-dict
 blacklist ${HOME}/.config/xfce4/xfce4-notes.gtkrc
 blacklist ${HOME}/.config/xfce4/xfce4-notes.rc
 blacklist ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml
 blacklist ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml
-blacklist ${HOME}/.config/xfce4-dict
 blacklist ${HOME}/.config/xiaoyong
 blacklist ${HOME}/.config/xmms2
+blacklist ${HOME}/.config/xournalpp
 blacklist ${HOME}/.config/xplayer
 blacklist ${HOME}/.config/xreader
 blacklist ${HOME}/.config/xviewer
@@ -456,12 +650,14 @@ blacklist ${HOME}/.config/yandex-browser-beta
 blacklist ${HOME}/.config/yelp
 blacklist ${HOME}/.config/youtube-dl
 blacklist ${HOME}/.config/youtube-dlg
-blacklist ${HOME}/.config/youtubemusic-nativefier-040164
 blacklist ${HOME}/.config/youtube-music-desktop-app
 blacklist ${HOME}/.config/youtube-viewer
+blacklist ${HOME}/.config/youtubemusic-nativefier-040164
+blacklist ${HOME}/.config/yt-dlp
+blacklist ${HOME}/.config/yt-dlp.conf
 blacklist ${HOME}/.config/zathura
+blacklist ${HOME}/.config/zim
 blacklist ${HOME}/.config/zoomus.conf
-blacklist ${HOME}/.config/Zulip
 blacklist ${HOME}/.conkeror.mozdev.org
 blacklist ${HOME}/.crawl
 blacklist ${HOME}/.cups
@@ -489,24 +685,29 @@ blacklist ${HOME}/.firedragon
 blacklist ${HOME}/.flowblade
 blacklist ${HOME}/.fltk
 blacklist ${HOME}/.fossamail
+blacklist ${HOME}/.fpm
 blacklist ${HOME}/.freeciv
 blacklist ${HOME}/.freecol
 blacklist ${HOME}/.freemind
 blacklist ${HOME}/.frogatto
 blacklist ${HOME}/.frozen-bubble
+blacklist ${HOME}/.funnyboat
+blacklist ${HOME}/.gallery-dl.conf
+blacklist ${HOME}/.geekbench5
 blacklist ${HOME}/.gimp*
 blacklist ${HOME}/.gist
 blacklist ${HOME}/.gitconfig
 blacklist ${HOME}/.gl-117
 blacklist ${HOME}/.glaxiumrc
 blacklist ${HOME}/.gnome/gnome-schedule
+blacklist ${HOME}/.goldendict
 blacklist ${HOME}/.googleearth
 blacklist ${HOME}/.gradle
 blacklist ${HOME}/.gramps
 blacklist ${HOME}/.guayadeque
 blacklist ${HOME}/.hashcat
-blacklist ${HOME}/.hex-a-hop
 blacklist ${HOME}/.hedgewars
+blacklist ${HOME}/.hex-a-hop
 blacklist ${HOME}/.hugin
 blacklist ${HOME}/.i2p
 blacklist ${HOME}/.icedove
@@ -582,6 +783,9 @@ blacklist ${HOME}/.kde4/share/config/kopeterc
 blacklist ${HOME}/.kde4/share/config/ktorrentrc
 blacklist ${HOME}/.kde4/share/config/okularpartrc
 blacklist ${HOME}/.kde4/share/config/okularrc
+blacklist ${HOME}/.keepass
+blacklist ${HOME}/.keepassx
+blacklist ${HOME}/.keepassxc
 blacklist ${HOME}/.killingfloor
 blacklist ${HOME}/.kingsoft
 blacklist ${HOME}/.kino-history
@@ -589,9 +793,11 @@ blacklist ${HOME}/.kinorc
 blacklist ${HOME}/.klatexformula
 blacklist ${HOME}/.klei
 blacklist ${HOME}/.kodi
+blacklist ${HOME}/.lastpass
 blacklist ${HOME}/.librewolf
 blacklist ${HOME}/.lincity-ng
 blacklist ${HOME}/.links
+blacklist ${HOME}/.links2
 blacklist ${HOME}/.linphone-history.db
 blacklist ${HOME}/.linphonerc
 blacklist ${HOME}/.lmmsrc.xml
@@ -602,14 +808,19 @@ blacklist ${HOME}/.local/share/Anki2
 blacklist ${HOME}/.local/share/Dredmor
 blacklist ${HOME}/.local/share/Empathy
 blacklist ${HOME}/.local/share/Enpass
+blacklist ${HOME}/.local/share/FasterThanLight
 blacklist ${HOME}/.local/share/Flavio Tordini
+blacklist ${HOME}/.local/share/IntoTheBreach
 blacklist ${HOME}/.local/share/JetBrains
 blacklist ${HOME}/.local/share/KDE/neochat
+blacklist ${HOME}/.local/share/KeePass
 blacklist ${HOME}/.local/share/Kingsoft
+blacklist ${HOME}/.local/share/LibreCAD
 blacklist ${HOME}/.local/share/Mendeley Ltd.
 blacklist ${HOME}/.local/share/Mumble
 blacklist ${HOME}/.local/share/Nextcloud
 blacklist ${HOME}/.local/share/PBE
+blacklist ${HOME}/.local/share/Paradox Interactive
 blacklist ${HOME}/.local/share/PawelStolowski
 blacklist ${HOME}/.local/share/PillarsOfEternity
 blacklist ${HOME}/.local/share/Psi
@@ -621,20 +832,20 @@ blacklist ${HOME}/.local/share/RogueLegacy
 blacklist ${HOME}/.local/share/RogueLegacyStorageContainer
 blacklist ${HOME}/.local/share/Shortwave
 blacklist ${HOME}/.local/share/Steam
-blacklist ${HOME}/.local/share/SteamWorldDig
 blacklist ${HOME}/.local/share/SteamWorld Dig 2
+blacklist ${HOME}/.local/share/SteamWorldDig
 blacklist ${HOME}/.local/share/SuperHexagon
 blacklist ${HOME}/.local/share/TelegramDesktop
 blacklist ${HOME}/.local/share/Terraria
 blacklist ${HOME}/.local/share/TpLogger
 blacklist ${HOME}/.local/share/Zeal
+blacklist ${HOME}/.local/share/agenda
 blacklist ${HOME}/.local/share/akonadi*
 blacklist ${HOME}/.local/share/akregator
-blacklist ${HOME}/.local/share/agenda
 blacklist ${HOME}/.local/share/apps/korganizer
 blacklist ${HOME}/.local/share/aspyr-media
-blacklist ${HOME}/.local/share/autokey
 blacklist ${HOME}/.local/share/authenticator-rs
+blacklist ${HOME}/.local/share/autokey
 blacklist ${HOME}/.local/share/backintime
 blacklist ${HOME}/.local/share/baloo
 blacklist ${HOME}/.local/share/barrier
@@ -661,7 +872,6 @@ blacklist ${HOME}/.local/share/dolphin-emu
 blacklist ${HOME}/.local/share/emailidentities
 blacklist ${HOME}/.local/share/epiphany
 blacklist ${HOME}/.local/share/evolution
-blacklist ${HOME}/.local/share/FasterThanLight
 blacklist ${HOME}/.local/share/feedreader
 blacklist ${HOME}/.local/share/feral-interactive
 blacklist ${HOME}/.local/share/five-or-more
@@ -691,12 +901,13 @@ blacklist ${HOME}/.local/share/godot
 blacklist ${HOME}/.local/share/gradio
 blacklist ${HOME}/.local/share/gwenview
 blacklist ${HOME}/.local/share/i2p
-blacklist ${HOME}/.local/share/IntoTheBreach
+blacklist ${HOME}/.local/share/io.github.lainsce.Notejot
 blacklist ${HOME}/.local/share/jami
 blacklist ${HOME}/.local/share/kaffeine
 blacklist ${HOME}/.local/share/kalgebra
 blacklist ${HOME}/.local/share/kate
 blacklist ${HOME}/.local/share/kdenlive
+blacklist ${HOME}/.local/share/keepass
 blacklist ${HOME}/.local/share/kget
 blacklist ${HOME}/.local/share/kiwix
 blacklist ${HOME}/.local/share/kiwix-desktop
@@ -741,20 +952,21 @@ blacklist ${HOME}/.local/share/newsboat
 blacklist ${HOME}/.local/share/nheko
 blacklist ${HOME}/.local/share/nomacs
 blacklist ${HOME}/.local/share/notes
+blacklist ${HOME}/.local/share/nvim
 blacklist ${HOME}/.local/share/ocenaudio
 blacklist ${HOME}/.local/share/okular
 blacklist ${HOME}/.local/share/onlyoffice
 blacklist ${HOME}/.local/share/openmw
 blacklist ${HOME}/.local/share/orage
 blacklist ${HOME}/.local/share/org.kde.gwenview
-blacklist ${HOME}/.local/share/Paradox Interactive
 blacklist ${HOME}/.local/share/pix
 blacklist ${HOME}/.local/share/plasma_notes
 blacklist ${HOME}/.local/share/profanity
 blacklist ${HOME}/.local/share/psi
 blacklist ${HOME}/.local/share/psi+
-blacklist ${HOME}/.local/share/quadrapassel
+blacklist ${HOME}/.local/share/qBittorrent
 blacklist ${HOME}/.local/share/qpdfview
+blacklist ${HOME}/.local/share/quadrapassel
 blacklist ${HOME}/.local/share/qutebrowser
 blacklist ${HOME}/.local/share/remmina
 blacklist ${HOME}/.local/share/rhythmbox
@@ -779,11 +991,13 @@ blacklist ${HOME}/.local/share/vlc
 blacklist ${HOME}/.local/share/vpltd
 blacklist ${HOME}/.local/share/vulkan
 blacklist ${HOME}/.local/share/warsow-2.1
+blacklist ${HOME}/.local/share/warzone2100-3.*
 blacklist ${HOME}/.local/share/wesnoth
 blacklist ${HOME}/.local/share/wormux
 blacklist ${HOME}/.local/share/xplayer
 blacklist ${HOME}/.local/share/xreader
 blacklist ${HOME}/.local/share/zathura
+blacklist ${HOME}/.local/state/pipewire
 blacklist ${HOME}/.lv2
 blacklist ${HOME}/.lyx
 blacklist ${HOME}/.magicor
@@ -811,11 +1025,14 @@ blacklist ${HOME}/.netactview
 blacklist ${HOME}/.neverball
 blacklist ${HOME}/.newsbeuter
 blacklist ${HOME}/.newsboat
+blacklist ${HOME}/.newsrc
 blacklist ${HOME}/.nicotine
 blacklist ${HOME}/.node-gyp
+blacklist ${HOME}/.notable
 blacklist ${HOME}/.npm
 blacklist ${HOME}/.npmrc
 blacklist ${HOME}/.nv
+blacklist ${HOME}/.nvm
 blacklist ${HOME}/.nylas-mail
 blacklist ${HOME}/.openarena
 blacklist ${HOME}/.opencity
@@ -825,11 +1042,20 @@ blacklist ${HOME}/.openshot_qt
 blacklist ${HOME}/.openttd
 blacklist ${HOME}/.opera
 blacklist ${HOME}/.opera-beta
+blacklist ${HOME}/.opera-developer
 blacklist ${HOME}/.ostrichriders
 blacklist ${HOME}/.paradoxinteractive
 blacklist ${HOME}/.parallelrealities/blobwars
 blacklist ${HOME}/.pcsxr
 blacklist ${HOME}/.penguin-command
+blacklist ${HOME}/.pine-crash
+blacklist ${HOME}/.pine-debug1
+blacklist ${HOME}/.pine-debug2
+blacklist ${HOME}/.pine-debug3
+blacklist ${HOME}/.pine-debug4
+blacklist ${HOME}/.pine-interrupted-mail
+blacklist ${HOME}/.pinerc
+blacklist ${HOME}/.pinercex
 blacklist ${HOME}/.pingus
 blacklist ${HOME}/.pioneer
 blacklist ${HOME}/.purple
@@ -839,6 +1065,7 @@ blacklist ${HOME}/.qgis2
 blacklist ${HOME}/.qmmp
 blacklist ${HOME}/.quodlibet
 blacklist ${HOME}/.redeclipse
+blacklist ${HOME}/.rednotebook
 blacklist ${HOME}/.remmina
 blacklist ${HOME}/.repo_.gitconfig.json
 blacklist ${HOME}/.repoconfig
@@ -867,6 +1094,7 @@ blacklist ${HOME}/.teeworlds
 blacklist ${HOME}/.texlive20*
 blacklist ${HOME}/.thunderbird
 blacklist ${HOME}/.tilp
+blacklist ${HOME}/.tin
 blacklist ${HOME}/.tooling
 blacklist ${HOME}/.tor-browser*
 blacklist ${HOME}/.torcs
@@ -908,176 +1136,28 @@ blacklist ${HOME}/.yarn-config
 blacklist ${HOME}/.yarncache
 blacklist ${HOME}/.yarnrc
 blacklist ${HOME}/.zoom
-blacklist /tmp/akonadi-*
+blacklist ${HOME}/Arduino
+blacklist ${HOME}/Monero/wallets
+blacklist ${HOME}/Nextcloud
+blacklist ${HOME}/Nextcloud/Notes
+blacklist ${HOME}/Seafile/.seafile-data
+blacklist ${HOME}/SoftMaker
+blacklist ${HOME}/Standard Notes Backups
+blacklist ${HOME}/TeamSpeak3-Client-linux_amd64
+blacklist ${HOME}/TeamSpeak3-Client-linux_x86
+blacklist ${HOME}/hyperrogue.ini
+blacklist ${HOME}/i2p
+blacklist ${HOME}/mps
+blacklist ${HOME}/openstego.ini
+blacklist ${HOME}/wallet.dat
+blacklist ${HOME}/yt-dlp.conf
+blacklist ${HOME}/yt-dlp.conf.txt
+blacklist ${RUNUSER}/*firefox*
+blacklist ${RUNUSER}/akonadi
 blacklist /tmp/.wine-*
+blacklist /tmp/akonadi-*
 blacklist /var/games/nethack
 blacklist /var/games/slashem
 blacklist /var/games/vulturesclaw
 blacklist /var/games/vultureseye
 blacklist /var/lib/games/Maelstrom-Scores
-
-# ${HOME}/.cache directory
-blacklist ${HOME}/.cache/0ad
-blacklist ${HOME}/.cache/8pecxstudios
-blacklist ${HOME}/.cache/Authenticator
-blacklist ${HOME}/.cache/BraveSoftware
-blacklist ${HOME}/.cache/Clementine
-blacklist ${HOME}/.cache/ENCOM/Spectral
-blacklist ${HOME}/.cache/Enox
-blacklist ${HOME}/.cache/Enpass
-blacklist ${HOME}/.cache/Ferdi
-blacklist ${HOME}/.cache/Flavio Tordini
-blacklist ${HOME}/.cache/Franz
-blacklist ${HOME}/.cache/INRIA
-blacklist ${HOME}/.cache/MusicBrainz
-blacklist ${HOME}/.cache/NewsFlashGTK
-blacklist ${HOME}/.cache/Otter
-blacklist ${HOME}/.cache/PawelStolowski
-blacklist ${HOME}/.cache/Psi
-blacklist ${HOME}/.cache/QuiteRss
-blacklist ${HOME}/.cache/quodlibet
-blacklist ${HOME}/.cache/Quotient/quaternion
-blacklist ${HOME}/.cache/Shortwave
-blacklist ${HOME}/.cache/Tox
-blacklist ${HOME}/.cache/Zeal
-blacklist ${HOME}/.cache/agenda
-blacklist ${HOME}/.cache/akonadi*
-blacklist ${HOME}/.cache/atril
-blacklist ${HOME}/.cache/attic
-blacklist ${HOME}/.cache/babl
-blacklist ${HOME}/.cache/bnox
-blacklist ${HOME}/.cache/borg
-blacklist ${HOME}/.cache/calibre
-blacklist ${HOME}/.cache/cantata
-blacklist ${HOME}/.cache/champlain
-blacklist ${HOME}/.cache/chromium
-blacklist ${HOME}/.cache/chromium-dev
-blacklist ${HOME}/.cache/cliqz
-blacklist ${HOME}/.cache/com.github.johnfactotum.Foliate
-blacklist ${HOME}/.cache/darktable
-blacklist ${HOME}/.cache/deja-dup
-blacklist ${HOME}/.cache/discover
-blacklist ${HOME}/.cache/dnox
-blacklist ${HOME}/.cache/dolphin
-blacklist ${HOME}/.cache/dolphin-emu
-blacklist ${HOME}/.cache/ephemeral
-blacklist ${HOME}/.cache/epiphany
-blacklist ${HOME}/.cache/evolution
-blacklist ${HOME}/.cache/falkon
-blacklist ${HOME}/.cache/feedreader
-blacklist ${HOME}/.cache/firedragon
-blacklist ${HOME}/.cache/flaska.net/trojita
-blacklist ${HOME}/.cache/folks
-blacklist ${HOME}/.cache/font-manager
-blacklist ${HOME}/.cache/fossamail
-blacklist ${HOME}/.cache/fractal
-blacklist ${HOME}/.cache/freecol
-blacklist ${HOME}/.cache/gajim
-blacklist ${HOME}/.cache/geary
-blacklist ${HOME}/.cache/gegl-0.4
-blacklist ${HOME}/.cache/geeqie
-blacklist ${HOME}/.cache/gfeeds
-blacklist ${HOME}/.cache/gimp
-blacklist ${HOME}/.cache/gnome-boxes
-blacklist ${HOME}/.cache/gnome-builder
-blacklist ${HOME}/.cache/gnome-control-center
-blacklist ${HOME}/.cache/gnome-recipes
-blacklist ${HOME}/.cache/gnome-screenshot
-blacklist ${HOME}/.cache/gnome-software
-blacklist ${HOME}/.cache/gnome-twitch
-blacklist ${HOME}/.cache/godot
-blacklist ${HOME}/.cache/google-chrome
-blacklist ${HOME}/.cache/google-chrome-beta
-blacklist ${HOME}/.cache/google-chrome-unstable
-blacklist ${HOME}/.cache/gradio
-blacklist ${HOME}/.cache/gummi
-blacklist ${HOME}/.cache/icedove
-blacklist ${HOME}/.cache/INRIA/Natron
-blacklist ${HOME}/.cache/inkscape
-blacklist ${HOME}/.cache/inox
-blacklist ${HOME}/.cache/iridium
-blacklist ${HOME}/.cache/kcmshell5
-blacklist ${HOME}/.cache/KDE/neochat
-blacklist ${HOME}/.cache/kdenlive
-blacklist ${HOME}/.cache/keepassxc
-blacklist ${HOME}/.cache/kfind
-blacklist ${HOME}/.cache/kinfocenter
-blacklist ${HOME}/.cache/kmail2
-blacklist ${HOME}/.cache/krunner
-blacklist ${HOME}/.cache/krunnerbookmarkrunnerfirefoxdbfile.sqlite*
-blacklist ${HOME}/.cache/kscreenlocker_greet
-blacklist ${HOME}/.cache/ksmserver-logout-greeter
-blacklist ${HOME}/.cache/ksplashqml
-blacklist ${HOME}/.cache/kube
-blacklist ${HOME}/.cache/kwin
-blacklist ${HOME}/.cache/libgweather
-blacklist ${HOME}/.cache/librewolf
-blacklist ${HOME}/.cache/liferea
-blacklist ${HOME}/.cache/lutris
-blacklist ${HOME}/.cache/Mendeley Ltd.
-blacklist ${HOME}/.cache/marker
-blacklist ${HOME}/.cache/matrix-mirage
-blacklist ${HOME}/.cache/microsoft-edge-dev
-blacklist ${HOME}/.cache/midori
-blacklist ${HOME}/.cache/minetest
-blacklist ${HOME}/.cache/mirage
-blacklist ${HOME}/.cache/moonchild productions/basilisk
-blacklist ${HOME}/.cache/moonchild productions/pale moon
-blacklist ${HOME}/.cache/mozilla
-blacklist ${HOME}/.cache/ms-excel-online
-blacklist ${HOME}/.cache/ms-office-online
-blacklist ${HOME}/.cache/ms-onenote-online
-blacklist ${HOME}/.cache/ms-outlook-online
-blacklist ${HOME}/.cache/ms-powerpoint-online
-blacklist ${HOME}/.cache/ms-skype-online
-blacklist ${HOME}/.cache/ms-word-online
-blacklist ${HOME}/.cache/mutt
-blacklist ${HOME}/.cache/mypaint
-blacklist ${HOME}/.cache/nheko
-blacklist ${HOME}/.cache/netsurf
-blacklist ${HOME}/.cache/okular
-blacklist ${HOME}/.cache/opera
-blacklist ${HOME}/.cache/opera-beta
-blacklist ${HOME}/.cache/org.gabmus.gfeeds
-blacklist ${HOME}/.cache/org.gnome.Books
-blacklist ${HOME}/.cache/org.gnome.Maps
-blacklist ${HOME}/.cache/pdfmod
-blacklist ${HOME}/.cache/peek
-blacklist ${HOME}/.cache/pip
-blacklist ${HOME}/.cache/pipe-viewer
-blacklist ${HOME}/.cache/plasmashell
-blacklist ${HOME}/.cache/plasmashellbookmarkrunnerfirefoxdbfile.sqlite*
-blacklist ${HOME}/.cache/psi
-blacklist ${HOME}/.cache/qBittorrent
-blacklist ${HOME}/.cache/qupzilla
-blacklist ${HOME}/.cache/qutebrowser
-blacklist ${HOME}/.cache/rhythmbox
-blacklist ${HOME}/.cache/shotwell
-blacklist ${HOME}/.cache/simple-scan
-blacklist ${HOME}/.cache/slimjet
-blacklist ${HOME}/.cache/smuxi
-blacklist ${HOME}/.cache/snox
-blacklist ${HOME}/.cache/spotify
-blacklist ${HOME}/.cache/strawberry
-blacklist ${HOME}/.cache/straw-viewer
-blacklist ${HOME}/.cache/supertuxkart
-blacklist ${HOME}/.cache/systemsettings
-blacklist ${HOME}/.cache/telepathy
-blacklist ${HOME}/.cache/thunderbird
-blacklist ${HOME}/.cache/torbrowser
-blacklist ${HOME}/.cache/transmission
-blacklist ${HOME}/.cache/ungoogled-chromium
-blacklist ${HOME}/.cache/vivaldi
-blacklist ${HOME}/.cache/vivaldi-snapshot
-blacklist ${HOME}/.cache/vlc
-blacklist ${HOME}/.cache/vmware
-blacklist ${HOME}/.cache/warsow-2.1
-blacklist ${HOME}/.cache/waterfox
-blacklist ${HOME}/.cache/wesnoth
-blacklist ${HOME}/.cache/winetricks
-blacklist ${HOME}/.cache/xmms2
-blacklist ${HOME}/.cache/xreader
-blacklist ${HOME}/.cache/yandex-browser
-blacklist ${HOME}/.cache/yandex-browser-beta
-blacklist ${HOME}/.cache/youtube-dl
-blacklist ${HOME}/.cache/youtube-viewer
diff --git a/etc/inc/whitelist-1793-workaround.inc b/etc/inc/whitelist-1793-workaround.inc
index 862837f12..54fa849b1 100644
--- a/etc/inc/whitelist-1793-workaround.inc
+++ b/etc/inc/whitelist-1793-workaround.inc
@@ -23,6 +23,7 @@ noblacklist ${HOME}/.config/kio_httprc
 noblacklist ${HOME}/.config/kioslaverc
 noblacklist ${HOME}/.config/ksslcablacklist
 noblacklist ${HOME}/.config/qt5ct
+noblacklist ${HOME}/.config/qt6ct
 noblacklist ${HOME}/.config/qtcurve
 
 blacklist ${HOME}/.config/*
diff --git a/etc/inc/whitelist-common.inc b/etc/inc/whitelist-common.inc
index 1d3728521..353a622d3 100644
--- a/etc/inc/whitelist-common.inc
+++ b/etc/inc/whitelist-common.inc
@@ -23,6 +23,7 @@ read-only ${HOME}/.local/share/applications
 whitelist ${HOME}/.local/share/icons
 whitelist ${HOME}/.local/share/mime
 whitelist ${HOME}/.mime.types
+whitelist ${HOME}/.sndio/cookie
 whitelist ${HOME}/.uim.d
 
 # dconf
@@ -68,6 +69,7 @@ whitelist ${HOME}/.config/kio_httprc
 whitelist ${HOME}/.config/kioslaverc
 whitelist ${HOME}/.config/ksslcablacklist
 whitelist ${HOME}/.config/qt5ct
+whitelist ${HOME}/.config/qt6ct
 whitelist ${HOME}/.config/qtcurve
 whitelist ${HOME}/.kde/share/config/kdeglobals
 whitelist ${HOME}/.kde/share/config/kio_httprc
@@ -82,3 +84,4 @@ whitelist ${HOME}/.kde4/share/config/ksslcablacklist
 whitelist ${HOME}/.kde4/share/config/oxygenrc
 whitelist ${HOME}/.kde4/share/icons
 whitelist ${HOME}/.local/share/qt5ct
+whitelist ${HOME}/.local/share/qt6ct
diff --git a/etc/inc/whitelist-run-common.inc b/etc/inc/whitelist-run-common.inc
new file mode 100644
index 000000000..26160a10b
--- /dev/null
+++ b/etc/inc/whitelist-run-common.inc
@@ -0,0 +1,16 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include whitelist-run-common.local
+
+whitelist /run/NetworkManager/resolv.conf
+whitelist /run/cups/cups.sock
+whitelist /run/dbus/system_bus_socket
+whitelist /run/media
+whitelist /run/resolvconf/resolv.conf
+whitelist /run/netconfig/resolv.conf    # openSUSE Leap
+whitelist /run/shm
+whitelist /run/systemd/journal/dev-log
+whitelist /run/systemd/journal/socket
+whitelist /run/systemd/resolve/resolv.conf
+whitelist /run/systemd/resolve/stub-resolv.conf
+whitelist /run/udev/data
diff --git a/etc/inc/whitelist-runuser-common.inc b/etc/inc/whitelist-runuser-common.inc
index 0a1030b34..a8cab8d07 100644
--- a/etc/inc/whitelist-runuser-common.inc
+++ b/etc/inc/whitelist-runuser-common.inc
@@ -10,6 +10,7 @@ whitelist ${RUNUSER}/gdm/Xauthority
 whitelist ${RUNUSER}/ICEauthority
 whitelist ${RUNUSER}/.mutter-Xwaylandauth.*
 whitelist ${RUNUSER}/pulse/native
-whitelist ${RUNUSER}/wayland-0
-whitelist ${RUNUSER}/wayland-1
+whitelist ${RUNUSER}/pipewire-?
+whitelist ${RUNUSER}/wayland-?
 whitelist ${RUNUSER}/xauth_*
+whitelist ${RUNUSER}/[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]
diff --git a/etc/inc/whitelist-usr-share-common.inc b/etc/inc/whitelist-usr-share-common.inc
index fe0097934..1dbaf8bdb 100644
--- a/etc/inc/whitelist-usr-share-common.inc
+++ b/etc/inc/whitelist-usr-share-common.inc
@@ -12,6 +12,7 @@ whitelist /usr/share/cursors
 whitelist /usr/share/dconf
 whitelist /usr/share/distro-info
 whitelist /usr/share/drirc.d
+whitelist /usr/share/egl
 whitelist /usr/share/enchant
 whitelist /usr/share/enchant-2
 whitelist /usr/share/file
@@ -45,6 +46,7 @@ whitelist /usr/share/myspell
 whitelist /usr/share/p11-kit
 whitelist /usr/share/perl
 whitelist /usr/share/perl5
+whitelist /usr/share/pipewire
 whitelist /usr/share/pixmaps
 whitelist /usr/share/pki
 whitelist /usr/share/plasma
@@ -53,6 +55,7 @@ whitelist /usr/share/qt
 whitelist /usr/share/qt4
 whitelist /usr/share/qt5
 whitelist /usr/share/qt5ct
+whitelist /usr/share/qt6ct
 whitelist /usr/share/sounds
 whitelist /usr/share/tcl8.6
 whitelist /usr/share/tcltk
diff --git a/etc/profile-a-l/0ad.profile b/etc/profile-a-l/0ad.profile
index 454a15ab2..ddc7ecad5 100644
--- a/etc/profile-a-l/0ad.profile
+++ b/etc/profile-a-l/0ad.profile
@@ -10,11 +10,12 @@ noblacklist ${HOME}/.cache/0ad
 noblacklist ${HOME}/.config/0ad
 noblacklist ${HOME}/.local/share/0ad
 
+blacklist /usr/libexec
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-a-l/1password.profile b/etc/profile-a-l/1password.profile
new file mode 100644
index 000000000..bc8bfae0d
--- /dev/null
+++ b/etc/profile-a-l/1password.profile
@@ -0,0 +1,20 @@
+# Firejail profile for 1password
+# Description: 1Password is a password manager developed by AgileBits Inc.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include 1password.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/1Password
+
+mkdir ${HOME}/.config/1Password
+whitelist ${HOME}/.config/1Password
+
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,nsswitch.conf,pki,resolv.conf,ssl
+
+# Needed for keychain things, talking to Firefox, possibly other things?  Not sure how to narrow down
+ignore dbus-user none
+
+# Redirect
+include electron.profile
diff --git a/etc/profile-a-l/2048-qt.profile b/etc/profile-a-l/2048-qt.profile
index 1d787cba7..80b032aee 100644
--- a/etc/profile-a-l/2048-qt.profile
+++ b/etc/profile-a-l/2048-qt.profile
@@ -13,7 +13,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 mkdir ${HOME}/.config/2048-qt
diff --git a/etc/profile-a-l/Books.profile b/etc/profile-a-l/Books.profile
index 76fd21d32..a256e942f 100644
--- a/etc/profile-a-l/Books.profile
+++ b/etc/profile-a-l/Books.profile
@@ -1,5 +1,10 @@
 # Firejail profile for gnome-books
 # This file is overwritten after every install/update
+# Persistent local customizations
+include Books.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
 
 
 # Temporary fix for https://github.com/netblue30/firejail/issues/2624
diff --git a/etc/profile-a-l/Cryptocat.profile b/etc/profile-a-l/Cryptocat.profile
index 1d86b0fbf..39b39667c 100644
--- a/etc/profile-a-l/Cryptocat.profile
+++ b/etc/profile-a-l/Cryptocat.profile
@@ -10,7 +10,6 @@ noblacklist ${HOME}/.config/Cryptocat
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 caps.drop all
diff --git a/etc/profile-a-l/Fritzing.profile b/etc/profile-a-l/Fritzing.profile
index 7dc6b5ff0..3fe2ddcd5 100644
--- a/etc/profile-a-l/Fritzing.profile
+++ b/etc/profile-a-l/Fritzing.profile
@@ -13,7 +13,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-a-l/JDownloader.profile b/etc/profile-a-l/JDownloader.profile
index d10b70796..92f8e5c85 100644
--- a/etc/profile-a-l/JDownloader.profile
+++ b/etc/profile-a-l/JDownloader.profile
@@ -14,7 +14,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-a-l/abiword.profile b/etc/profile-a-l/abiword.profile
index 75da9a956..0e7126458 100644
--- a/etc/profile-a-l/abiword.profile
+++ b/etc/profile-a-l/abiword.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 
@@ -43,7 +42,7 @@ tracelog
 private-bin abiword
 private-cache
 private-dev
-private-etc fonts,gtk-3.0,passwd
+private-etc alternatives,fonts,gtk-3.0,ld.so.cache,ld.so.preload,passwd
 private-tmp
 
 # dbus-user none
diff --git a/etc/profile-a-l/agetpkg.profile b/etc/profile-a-l/agetpkg.profile
index 7e3946454..dd3b2e59b 100644
--- a/etc/profile-a-l/agetpkg.profile
+++ b/etc/profile-a-l/agetpkg.profile
@@ -18,7 +18,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -32,7 +31,6 @@ caps.drop all
 hostname agetpkg
 ipc-namespace
 machine-id
-noautopulse
 netfilter
 no3d
 nodvd
@@ -52,7 +50,7 @@ tracelog
 private-bin agetpkg,python3
 private-cache
 private-dev
-private-etc ca-certificates,crypto-policies,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/akonadi_control.profile b/etc/profile-a-l/akonadi_control.profile
index 37fdb38b5..2f58d9146 100644
--- a/etc/profile-a-l/akonadi_control.profile
+++ b/etc/profile-a-l/akonadi_control.profile
@@ -17,6 +17,7 @@ noblacklist ${HOME}/.local/share/apps/korganizer
 noblacklist ${HOME}/.local/share/contacts
 noblacklist ${HOME}/.local/share/local-mail
 noblacklist ${HOME}/.local/share/notes
+noblacklist ${RUNUSER}/akonadi
 noblacklist /sbin
 noblacklist /tmp/akonadi-*
 noblacklist /usr/sbin
@@ -25,9 +26,9 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-run-common.inc
 include whitelist-var-common.inc
 
 # disabled options below are not compatible with the apparmor profile for mysqld-akonadi.
diff --git a/etc/profile-a-l/akregator.profile b/etc/profile-a-l/akregator.profile
index 38fcd2dc1..47468a658 100644
--- a/etc/profile-a-l/akregator.profile
+++ b/etc/profile-a-l/akregator.profile
@@ -14,7 +14,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 
@@ -26,6 +25,7 @@ whitelist ${HOME}/.local/share/akregator
 whitelist ${HOME}/.local/share/kssl
 whitelist ${HOME}/.local/share/kxmlgui5/akregator
 include whitelist-common.inc
+include whitelist-run-common.inc
 include whitelist-var-common.inc
 
 caps.drop all
@@ -49,3 +49,4 @@ private-bin akregator,akregatorstorageexporter,dbus-launch,kdeinit4,kdeinit4_shu
 private-dev
 private-tmp
 
+deterministic-shutdown
diff --git a/etc/profile-a-l/alacarte.profile b/etc/profile-a-l/alacarte.profile
index 4c6d68020..5a528595b 100644
--- a/etc/profile-a-l/alacarte.profile
+++ b/etc/profile-a-l/alacarte.profile
@@ -15,7 +15,6 @@ include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
-include disable-passwdmgr.inc
 include disable-xdg.inc
 
 # Whitelist your system icon directory,varies by distro
@@ -54,7 +53,7 @@ disable-mnt
 # private-bin alacarte,bash,python*,sh
 private-cache
 private-dev
-private-etc alternatives,dconf,fonts,gtk-3.0,locale.alias,locale.conf,login.defs,mime.types,nsswitch.conf,passwd,pki,X11,xdg
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,locale.alias,locale.conf,login.defs,mime.types,nsswitch.conf,passwd,pki,X11,xdg
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/alienarena.profile b/etc/profile-a-l/alienarena.profile
index 81ee6bd46..68512e37b 100644
--- a/etc/profile-a-l/alienarena.profile
+++ b/etc/profile-a-l/alienarena.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -30,7 +29,6 @@ caps.drop all
 netfilter
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/profile-a-l/alpine.profile b/etc/profile-a-l/alpine.profile
new file mode 100644
index 000000000..61c3ad21d
--- /dev/null
+++ b/etc/profile-a-l/alpine.profile
@@ -0,0 +1,103 @@
+# Firejail profile for alpine
+# Description: Text-based email and newsgroups reader
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include alpine.local
+# Persistent global definitions
+include globals.local
+
+# Workaround for bug https://github.com/netblue30/firejail/issues/2747
+# firejail --private-bin=sh --include='${CFG}/allow-bin-sh.inc' --profile=alpine sh -c '(alpine)'
+
+noblacklist /var/mail
+noblacklist /var/spool/mail
+noblacklist ${DOCUMENTS}
+noblacklist ${HOME}/.addressbook
+noblacklist ${HOME}/.alpine-smime
+noblacklist ${HOME}/.mailcap
+noblacklist ${HOME}/.mh_profile
+noblacklist ${HOME}/.mime.types
+noblacklist ${HOME}/.newsrc
+noblacklist ${HOME}/.pine-crash
+noblacklist ${HOME}/.pine-debug1
+noblacklist ${HOME}/.pine-debug2
+noblacklist ${HOME}/.pine-debug3
+noblacklist ${HOME}/.pine-debug4
+noblacklist ${HOME}/.pine-interrupted-mail
+noblacklist ${HOME}/.pinerc
+noblacklist ${HOME}/.pinercex
+noblacklist ${HOME}/.signature
+noblacklist ${HOME}/mail
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+#whitelist ${DOCUMENTS}
+#whitelist ${DOWNLOADS}
+#whitelist ${HOME}/.addressbook
+#whitelist ${HOME}/.alpine-smime
+#whitelist ${HOME}/.mailcap
+#whitelist ${HOME}/.mh_profile
+#whitelist ${HOME}/.mime.types
+#whitelist ${HOME}/.newsrc
+#whitelist ${HOME}/.pine-crash
+#whitelist ${HOME}/.pine-interrupted-mail
+#whitelist ${HOME}/.pinerc
+#whitelist ${HOME}/.pinercex
+#whitelist ${HOME}/.pine-debug1
+#whitelist ${HOME}/.pine-debug2
+#whitelist ${HOME}/.pine-debug3
+#whitelist ${HOME}/.pine-debug4
+#whitelist ${HOME}/.signature
+#whitelist ${HOME}/mail
+whitelist /var/mail
+whitelist /var/spool/mail
+#include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin alpine
+private-cache
+private-dev
+private-etc alternatives,c-client.cf,ca-certificates,crypto-policies,host.conf,hostname,hosts,krb5.keytab,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mailcap,mime.types,nsswitch.conf,passwd,pine.conf,pinerc.fixed,pki,protocols,resolv.conf,rpc,services,ssl,terminfo,xdg
+private-tmp
+writable-run-user
+writable-var
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+read-only ${HOME}/.signature
diff --git a/etc/profile-a-l/alpinef.profile b/etc/profile-a-l/alpinef.profile
new file mode 100644
index 000000000..97b97fe5f
--- /dev/null
+++ b/etc/profile-a-l/alpinef.profile
@@ -0,0 +1,14 @@
+# Firejail profile for alpinef
+# Description: Text-based email and newsgroups reader using function keys
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include alpinef.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+private-bin alpinef
+
+# Redirect
+include alpine.profile
diff --git a/etc/profile-a-l/amarok.profile b/etc/profile-a-l/amarok.profile
index a15d3628d..7d8ec481d 100644
--- a/etc/profile-a-l/amarok.profile
+++ b/etc/profile-a-l/amarok.profile
@@ -11,7 +11,6 @@ noblacklist ${MUSIC}
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
@@ -35,14 +34,14 @@ private-dev
 # private-etc alternatives,asound.conf,ca-certificates,crypto-policies,machine-id,pki,pulse,ssl
 private-tmp
 
-# If you ain't on kde-plasma you need to uncomment the following
 dbus-user filter
 dbus-user.own org.kde.amarok
-#dbus-user.own org.kde.kded
-#dbus-user.own org.kde.klauncher
 dbus-user.own org.mpris.amarok
 dbus-user.own org.mpris.MediaPlayer2.amarok
 dbus-user.talk org.freedesktop.Notifications
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
+# If you're not on kde-plasma add the next lines to your amarok.local.
+#dbus-user.own org.kde.kded
+#dbus-user.own org.kde.klauncher
 #dbus-user.talk org.kde.knotify
-dbus-user.talk org.kde.StatusNotifierWatcher
 dbus-system none
diff --git a/etc/profile-a-l/amule.profile b/etc/profile-a-l/amule.profile
index e3c4164ee..e82c145d1 100644
--- a/etc/profile-a-l/amule.profile
+++ b/etc/profile-a-l/amule.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 mkdir ${HOME}/.aMule
@@ -33,6 +32,7 @@ nosound
 notv
 nou2f
 novideo
+# Add netlink protocol to use UPnP
 protocol unix,inet,inet6
 seccomp
 shell none
diff --git a/etc/profile-a-l/android-studio.profile b/etc/profile-a-l/android-studio.profile
index 5a21744cf..ad44d5f1d 100644
--- a/etc/profile-a-l/android-studio.profile
+++ b/etc/profile-a-l/android-studio.profile
@@ -20,7 +20,6 @@ include allow-common-devel.inc
 include allow-ssh.inc
 
 include disable-common.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/anki.profile b/etc/profile-a-l/anki.profile
index ef60e91c2..f6d711b2e 100644
--- a/etc/profile-a-l/anki.profile
+++ b/etc/profile-a-l/anki.profile
@@ -17,7 +17,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -46,13 +45,12 @@ protocol unix,inet,inet6
 # QtWebengine needs chroot to set up its own sandbox
 seccomp !chroot
 shell none
-tracelog
 
 disable-mnt
 private-bin anki,python*
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,fonts,gtk-2.0,hostname,hosts,machine-id,pki,resolv.conf,ssl,Trolltech.conf
+private-etc alternatives,ca-certificates,fonts,gtk-2.0,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,pki,resolv.conf,ssl,Trolltech.conf
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/anydesk.profile b/etc/profile-a-l/anydesk.profile
index fdaf10259..5001b20cb 100644
--- a/etc/profile-a-l/anydesk.profile
+++ b/etc/profile-a-l/anydesk.profile
@@ -10,7 +10,6 @@ noblacklist ${HOME}/.anydesk
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 
diff --git a/etc/profile-a-l/aosp.profile b/etc/profile-a-l/aosp.profile
index e7b09283e..9668ba00a 100644
--- a/etc/profile-a-l/aosp.profile
+++ b/etc/profile-a-l/aosp.profile
@@ -20,7 +20,6 @@ include allow-common-devel.inc
 include allow-ssh.inc
 
 include disable-common.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-a-l/apktool.profile b/etc/profile-a-l/apktool.profile
index 4ea43c434..1951748d4 100644
--- a/etc/profile-a-l/apktool.profile
+++ b/etc/profile-a-l/apktool.profile
@@ -9,7 +9,6 @@ include globals.local
 
 include disable-common.inc
 include disable-exec.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-a-l/apostrophe.profile b/etc/profile-a-l/apostrophe.profile
index 54abdb234..5d45a0804 100644
--- a/etc/profile-a-l/apostrophe.profile
+++ b/etc/profile-a-l/apostrophe.profile
@@ -26,11 +26,11 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
+whitelist /usr/libexec/webkit2gtk-4.0
 whitelist /usr/share/apostrophe
 whitelist /usr/share/texlive
 whitelist /usr/share/texmf
diff --git a/etc/profile-a-l/arch-audit.profile b/etc/profile-a-l/arch-audit.profile
index accabb6f5..c164073c5 100644
--- a/etc/profile-a-l/arch-audit.profile
+++ b/etc/profile-a-l/arch-audit.profile
@@ -13,7 +13,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
diff --git a/etc/profile-a-l/archaudit-report.profile b/etc/profile-a-l/archaudit-report.profile
index 19c37f90e..3aebd685d 100644
--- a/etc/profile-a-l/archaudit-report.profile
+++ b/etc/profile-a-l/archaudit-report.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-a-l/archiver-common.profile b/etc/profile-a-l/archiver-common.profile
index 1fab4606b..81733220f 100644
--- a/etc/profile-a-l/archiver-common.profile
+++ b/etc/profile-a-l/archiver-common.profile
@@ -17,7 +17,6 @@ blacklist ${RUNUSER}
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 # Add the next line to your archiver-common.local if you don't need to compress files in disable-programs.inc.
 #include disable-programs.inc
 include disable-shell.inc
diff --git a/etc/profile-a-l/ardour5.profile b/etc/profile-a-l/ardour5.profile
index 84b1d6c18..78dea1cd0 100644
--- a/etc/profile-a-l/ardour5.profile
+++ b/etc/profile-a-l/ardour5.profile
@@ -16,7 +16,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-a-l/arduino.profile b/etc/profile-a-l/arduino.profile
index fd1ca9a09..01da63e8e 100644
--- a/etc/profile-a-l/arduino.profile
+++ b/etc/profile-a-l/arduino.profile
@@ -17,7 +17,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-a-l/aria2c.profile b/etc/profile-a-l/aria2c.profile
index 22b8ecd65..8aef75cd1 100644
--- a/etc/profile-a-l/aria2c.profile
+++ b/etc/profile-a-l/aria2c.profile
@@ -17,7 +17,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 include whitelist-usr-share-common.inc
@@ -46,7 +45,7 @@ private-bin aria2c,gzip
 # Add 'private-cache' to your aria2c.local if you don't use Lutris/winetricks (see issue #2772).
 #private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,groups,login.defs,machine-id,nsswitch.conf,passwd,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,groups,ld.so.cache,ld.so.preload,login.defs,machine-id,nsswitch.conf,passwd,pki,resolv.conf,ssl
 private-lib libreadline.so.*
 private-tmp
 
diff --git a/etc/profile-a-l/ark.profile b/etc/profile-a-l/ark.profile
index a63dd8f5f..a26592f3a 100644
--- a/etc/profile-a-l/ark.profile
+++ b/etc/profile-a-l/ark.profile
@@ -13,10 +13,10 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 whitelist /usr/share/ark
+include whitelist-run-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/arm.profile b/etc/profile-a-l/arm.profile
index 2c8b630ce..6676d42e9 100644
--- a/etc/profile-a-l/arm.profile
+++ b/etc/profile-a-l/arm.profile
@@ -16,7 +16,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 mkdir ${HOME}/.arm
@@ -44,6 +43,6 @@ tracelog
 disable-mnt
 private-bin arm,bash,ldconfig,lsof,ps,python*,sh,tor
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,passwd,pki,ssl,tor
+private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,passwd,pki,ssl,tor
 private-tmp
 
diff --git a/etc/profile-a-l/artha.profile b/etc/profile-a-l/artha.profile
index fab72b7d3..254f3f571 100644
--- a/etc/profile-a-l/artha.profile
+++ b/etc/profile-a-l/artha.profile
@@ -17,7 +17,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -57,7 +56,7 @@ disable-mnt
 private-bin artha,enchant,notify-send
 private-cache
 private-dev
-private-etc alternatives,fonts,machine-id
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id
 private-lib libnotify.so.*
 private-tmp
 
diff --git a/etc/profile-a-l/assogiate.profile b/etc/profile-a-l/assogiate.profile
index 977fe30a4..788a94302 100644
--- a/etc/profile-a-l/assogiate.profile
+++ b/etc/profile-a-l/assogiate.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
diff --git a/etc/profile-a-l/asunder.profile b/etc/profile-a-l/asunder.profile
index c97fd691a..fbc65ffc7 100644
--- a/etc/profile-a-l/asunder.profile
+++ b/etc/profile-a-l/asunder.profile
@@ -16,7 +16,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-a-l/atom.profile b/etc/profile-a-l/atom.profile
index 5f237ac59..c1ca20ec9 100644
--- a/etc/profile-a-l/atom.profile
+++ b/etc/profile-a-l/atom.profile
@@ -11,6 +11,8 @@ ignore include disable-devel.inc
 ignore include disable-interpreters.inc
 ignore include disable-xdg.inc
 ignore whitelist ${DOWNLOADS}
+ignore whitelist ${HOME}/.config/Electron
+ignore whitelist ${HOME}/.config/electron-flag*.conf
 ignore include whitelist-common.inc
 ignore include whitelist-runuser-common.inc
 ignore include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/atool.profile b/etc/profile-a-l/atool.profile
index e377de2c8..6399bc1a3 100644
--- a/etc/profile-a-l/atool.profile
+++ b/etc/profile-a-l/atool.profile
@@ -13,7 +13,7 @@ include allow-perl.inc
 noroot
 
 # without login.defs atool complains and uses UID/GID 1000 by default
-private-etc alternatives,group,login.defs,passwd
+private-etc alternatives,group,ld.so.cache,ld.so.preload,login.defs,passwd
 private-tmp
 
 # Redirect
diff --git a/etc/profile-a-l/atril.profile b/etc/profile-a-l/atril.profile
index 1c3ed66ff..264bc0215 100644
--- a/etc/profile-a-l/atril.profile
+++ b/etc/profile-a-l/atril.profile
@@ -17,7 +17,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
@@ -43,7 +42,7 @@ tracelog
 
 private-bin 7z,7za,7zr,atril,atril-previewer,atril-thumbnailer,sh,tar,unrar,unzip,zipnote
 private-dev
-private-etc alternatives,fonts,ld.so.cache
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 # atril uses webkit gtk to display epub files
 # waiting for globbing support in private-lib; for now hardcoding it to webkit2gtk-4.0
 #private-lib webkit2gtk-4.0 - problems on Arch with the new version of WebKit
diff --git a/etc/profile-a-l/audacious.profile b/etc/profile-a-l/audacious.profile
index f9f209786..e9ecdd72e 100644
--- a/etc/profile-a-l/audacious.profile
+++ b/etc/profile-a-l/audacious.profile
@@ -14,10 +14,10 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+include whitelist-run-common.inc
 include whitelist-var-common.inc
 
 apparmor
diff --git a/etc/profile-a-l/audacity.profile b/etc/profile-a-l/audacity.profile
index a2de8436a..88bddfb22 100644
--- a/etc/profile-a-l/audacity.profile
+++ b/etc/profile-a-l/audacity.profile
@@ -14,7 +14,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -33,7 +32,7 @@ noroot
 notv
 nou2f
 novideo
-protocol unix
+protocol unix,inet
 seccomp
 shell none
 tracelog
diff --git a/etc/profile-a-l/audio-recorder.profile b/etc/profile-a-l/audio-recorder.profile
index 2c7fdc812..58b2efde6 100644
--- a/etc/profile-a-l/audio-recorder.profile
+++ b/etc/profile-a-l/audio-recorder.profile
@@ -13,7 +13,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-a-l/authenticator-rs.profile b/etc/profile-a-l/authenticator-rs.profile
index 2ebe35dd5..a8af1928b 100644
--- a/etc/profile-a-l/authenticator-rs.profile
+++ b/etc/profile-a-l/authenticator-rs.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -48,7 +47,7 @@ disable-mnt
 private-bin authenticator-rs
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,pki,resolv.conf,ssl,xdg
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl,xdg
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-a-l/authenticator.profile b/etc/profile-a-l/authenticator.profile
index 42d9cd56a..f9a03ca68 100644
--- a/etc/profile-a-l/authenticator.profile
+++ b/etc/profile-a-l/authenticator.profile
@@ -17,7 +17,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 # apparmor
@@ -40,7 +39,7 @@ shell none
 disable-mnt
 # private-bin authenticator,python*
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl
 private-tmp
 
 # makes settings immutable
diff --git a/etc/profile-a-l/autokey-common.profile b/etc/profile-a-l/autokey-common.profile
index 891928e5a..abd535afe 100644
--- a/etc/profile-a-l/autokey-common.profile
+++ b/etc/profile-a-l/autokey-common.profile
@@ -19,7 +19,6 @@ include disable-devel.inc
 # disable-exec.inc might break scripting functionality
 #include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/avidemux.profile b/etc/profile-a-l/avidemux.profile
index 1ecc03da1..468a3fe9f 100644
--- a/etc/profile-a-l/avidemux.profile
+++ b/etc/profile-a-l/avidemux.profile
@@ -13,7 +13,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -23,6 +22,7 @@ mkdir ${HOME}/.config/avidemux3_qt5rc
 whitelist ${HOME}/.avidemux6
 whitelist ${HOME}/.config/avidemux3_qt5rc
 whitelist ${VIDEOS}
+
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/aweather.profile b/etc/profile-a-l/aweather.profile
index a57ad4014..e01ea5b5d 100644
--- a/etc/profile-a-l/aweather.profile
+++ b/etc/profile-a-l/aweather.profile
@@ -11,7 +11,6 @@ noblacklist ${HOME}/.config/aweather
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 
diff --git a/etc/profile-a-l/ballbuster.profile b/etc/profile-a-l/ballbuster.profile
index 3952921a3..daa13a7ed 100644
--- a/etc/profile-a-l/ballbuster.profile
+++ b/etc/profile-a-l/ballbuster.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
diff --git a/etc/profile-a-l/baloo_file.profile b/etc/profile-a-l/baloo_file.profile
index fe86d9b80..55d2453d8 100644
--- a/etc/profile-a-l/baloo_file.profile
+++ b/etc/profile-a-l/baloo_file.profile
@@ -23,9 +23,9 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-run-common.inc
 include whitelist-var-common.inc
 
 apparmor
diff --git a/etc/profile-a-l/balsa.profile b/etc/profile-a-l/balsa.profile
index 8c69652c5..be3543b08 100644
--- a/etc/profile-a-l/balsa.profile
+++ b/etc/profile-a-l/balsa.profile
@@ -18,7 +18,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -67,7 +66,7 @@ tracelog
 private-bin balsa,balsa-ab,gpg,gpg-agent,gpg2,gpgsm
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,groups,gtk-2.0,gtk-3.0,hostname,hosts,mailname,passwd,pki,resolv.conf,selinux,ssl,xdg
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,groups,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,mailname,passwd,pki,resolv.conf,selinux,ssl,xdg
 private-tmp
 writable-run-user
 writable-var
@@ -80,4 +79,4 @@ dbus-user.talk org.freedesktop.secrets
 dbus-user.talk org.gnome.keyring.SystemPrompter
 dbus-system none
 
-read-only ${HOME}/.mozilla/firefox/profiles.ini
\ No newline at end of file
+read-only ${HOME}/.mozilla/firefox/profiles.ini
diff --git a/etc/profile-a-l/baobab.profile b/etc/profile-a-l/baobab.profile
index ac03c663a..c8dbcad4e 100644
--- a/etc/profile-a-l/baobab.profile
+++ b/etc/profile-a-l/baobab.profile
@@ -10,7 +10,6 @@ include globals.local
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 # include disable-programs.inc
 include disable-shell.inc
 # include disable-xdg.inc
diff --git a/etc/profile-a-l/barrier.profile b/etc/profile-a-l/barrier.profile
index 7b50e9199..f6775ee01 100644
--- a/etc/profile-a-l/barrier.profile
+++ b/etc/profile-a-l/barrier.profile
@@ -14,7 +14,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-a-l/bcompare.profile b/etc/profile-a-l/bcompare.profile
index 3ecaea7fe..87bcf9a19 100644
--- a/etc/profile-a-l/bcompare.profile
+++ b/etc/profile-a-l/bcompare.profile
@@ -17,7 +17,6 @@ noblacklist ${HOME}/.config/gwenviewrc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 # Add the next line to your bcompare.local if you don't need to compare files in disable-programs.inc.
 #include disable-programs.inc
 #include disable-shell.inc - breaks launch
diff --git a/etc/profile-a-l/bibletime.profile b/etc/profile-a-l/bibletime.profile
index c7a82afbd..602576e56 100644
--- a/etc/profile-a-l/bibletime.profile
+++ b/etc/profile-a-l/bibletime.profile
@@ -16,7 +16,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 mkdir ${HOME}/.bibletime
@@ -50,10 +49,10 @@ seccomp !chroot
 shell none
 
 disable-mnt
-# private-bin bibletime,qt5ct
+# private-bin bibletime
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,login.defs,machine-id,passwd,pki,resolv.conf,ssl,sword,sword.conf
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,login.defs,machine-id,passwd,pki,resolv.conf,ssl,sword,sword.conf
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/bijiben.profile b/etc/profile-a-l/bijiben.profile
index ce1ddbb03..b86232860 100644
--- a/etc/profile-a-l/bijiben.profile
+++ b/etc/profile-a-l/bijiben.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -20,8 +19,10 @@ include disable-xdg.inc
 mkdir ${HOME}/.local/share/bijiben
 whitelist ${HOME}/.local/share/bijiben
 whitelist ${HOME}/.cache/tracker
+whitelist /usr/libexec/webkit2gtk-4.0
 whitelist /usr/share/bijiben
 whitelist /usr/share/tracker
+whitelist /usr/share/tracker3
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
@@ -50,7 +51,7 @@ disable-mnt
 private-bin bijiben
 # private-cache -- access to .cache/tracker is required
 private-dev
-private-etc dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-a-l/bitcoin-qt.profile b/etc/profile-a-l/bitcoin-qt.profile
index 932db9b73..ef6ef7a75 100644
--- a/etc/profile-a-l/bitcoin-qt.profile
+++ b/etc/profile-a-l/bitcoin-qt.profile
@@ -13,7 +13,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 
diff --git a/etc/profile-a-l/bitlbee.profile b/etc/profile-a-l/bitlbee.profile
index dd7651979..773fa7500 100644
--- a/etc/profile-a-l/bitlbee.profile
+++ b/etc/profile-a-l/bitlbee.profile
@@ -16,7 +16,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-a-l/bitwarden.profile b/etc/profile-a-l/bitwarden.profile
index bef25276d..f8114c71b 100644
--- a/etc/profile-a-l/bitwarden.profile
+++ b/etc/profile-a-l/bitwarden.profile
@@ -6,54 +6,25 @@ include bitwarden.local
 # Persistent global definitions
 include globals.local
 
+# Disabled until someone reported positive feedback
+ignore include whitelist-usr-share-common.inc
+
 ignore noexec /tmp
 
 noblacklist ${HOME}/.config/Bitwarden
 
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
 include disable-shell.inc
-include disable-xdg.inc
 
 mkdir ${HOME}/.config/Bitwarden
 whitelist ${HOME}/.config/Bitwarden
-whitelist ${DOWNLOADS}
-include whitelist-common.inc
-include whitelist-var-common.inc
 
-apparmor
-caps.drop all
 machine-id
-netfilter
 no3d
-nodvd
-nogroups
-noinput
-nonewprivs
-noroot
 nosound
-notv
-nou2f
-novideo
-protocol unix,inet,inet6,netlink
-seccomp !chroot
-shell none
-#tracelog - breaks on Arch
-
-private-bin bitwarden
-private-cache
+
 ?HAS_APPIMAGE: ignore private-dev
-private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,hosts,nsswitch.conf,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,hosts,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl
 private-opt Bitwarden
-private-tmp
-
-# breaks appindicator (tray) functionality
-# dbus-user none
-# dbus-system none
 
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+# Redirect
+include electron.profile
diff --git a/etc/profile-a-l/bleachbit.profile b/etc/profile-a-l/bleachbit.profile
index 09fa24577..267e8b539 100644
--- a/etc/profile-a-l/bleachbit.profile
+++ b/etc/profile-a-l/bleachbit.profile
@@ -1,6 +1,7 @@
 # Firejail profile for bleachbit
 # Description: Delete unnecessary files from the system
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include bleachbit.local
 # Persistent global definitions
@@ -14,7 +15,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 # include disable-programs.inc
 
 caps.drop all
diff --git a/etc/profile-a-l/blender.profile b/etc/profile-a-l/blender.profile
index 701ae431e..225fd7cdc 100644
--- a/etc/profile-a-l/blender.profile
+++ b/etc/profile-a-l/blender.profile
@@ -16,7 +16,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 # Allow usage of AMD GPU by OpenCL
diff --git a/etc/profile-a-l/bless.profile b/etc/profile-a-l/bless.profile
index 80dc750f7..3e20ed133 100644
--- a/etc/profile-a-l/bless.profile
+++ b/etc/profile-a-l/bless.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 include whitelist-var-common.inc
@@ -36,7 +35,7 @@ shell none
 # private-bin bash,bless,mono,sh
 private-cache
 private-dev
-private-etc alternatives,fonts,mono
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,mono
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/blobby.profile b/etc/profile-a-l/blobby.profile
new file mode 100644
index 000000000..d7df3bc49
--- /dev/null
+++ b/etc/profile-a-l/blobby.profile
@@ -0,0 +1,51 @@
+# Firejail profile for blobby
+# Persistent local customizations
+include blobby.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.blobby
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.blobby
+whitelist ${HOME}/.blobby
+include whitelist-common.inc
+whitelist /usr/share/blobby
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin blobby
+private-dev
+private-etc alsa,alternatives,asound.conf,drirc,group,hosts,ld.so.cache,ld.so.preload,login.defs,machine-id,passwd,pulse
+private-lib
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-a-l/blobwars.profile b/etc/profile-a-l/blobwars.profile
index 904710cb5..cc2fda3f2 100644
--- a/etc/profile-a-l/blobwars.profile
+++ b/etc/profile-a-l/blobwars.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -20,6 +19,7 @@ include disable-xdg.inc
 mkdir ${HOME}/.parallelrealities/blobwars
 whitelist ${HOME}/.parallelrealities/blobwars
 whitelist /usr/share/blobwars
+whitelist /usr/share/games/blobwars
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -29,7 +29,6 @@ caps.drop all
 net none
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
@@ -44,7 +43,7 @@ disable-mnt
 private-bin blobwars
 private-cache
 private-dev
-private-etc machine-id
+private-etc alternatives,ld.so.cache,ld.so.preload,machine-id
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/bluefish.profile b/etc/profile-a-l/bluefish.profile
index f28435987..bc5219e29 100644
--- a/etc/profile-a-l/bluefish.profile
+++ b/etc/profile-a-l/bluefish.profile
@@ -10,7 +10,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/bnox.profile b/etc/profile-a-l/bnox.profile
index 6e8f0d7d1..8729d8d40 100644
--- a/etc/profile-a-l/bnox.profile
+++ b/etc/profile-a-l/bnox.profile
@@ -6,7 +6,6 @@ include bnox.local
 include globals.local
 
 # Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
-ignore whitelist /usr/share/chromium
 ignore include whitelist-runuser-common.inc
 ignore include whitelist-usr-share-common.inc
 
diff --git a/etc/profile-a-l/brackets.profile b/etc/profile-a-l/brackets.profile
index 0cbac049a..94afc9e0b 100644
--- a/etc/profile-a-l/brackets.profile
+++ b/etc/profile-a-l/brackets.profile
@@ -13,7 +13,6 @@ noblacklist ${HOME}/.config/Brackets
 include allow-common-devel.inc
 
 include disable-common.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 caps.drop all
diff --git a/etc/profile-a-l/brasero.profile b/etc/profile-a-l/brasero.profile
index 417a6b3e0..656701909 100644
--- a/etc/profile-a-l/brasero.profile
+++ b/etc/profile-a-l/brasero.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/bsdtar.profile b/etc/profile-a-l/bsdtar.profile
index d731a6a6e..fbc7c9056 100644
--- a/etc/profile-a-l/bsdtar.profile
+++ b/etc/profile-a-l/bsdtar.profile
@@ -6,7 +6,7 @@ include bsdtar.local
 # Persistent global definitions
 include globals.local
 
-private-etc alternatives,group,localtime,passwd
+private-etc alternatives,group,ld.so.cache,ld.so.preload,localtime,passwd
 
 # Redirect
 include archiver-common.profile
diff --git a/etc/profile-a-l/build-systems-common.profile b/etc/profile-a-l/build-systems-common.profile
new file mode 100644
index 000000000..1b199d612
--- /dev/null
+++ b/etc/profile-a-l/build-systems-common.profile
@@ -0,0 +1,66 @@
+# Firejail profile for build-systems-common
+# This file is overwritten after every install/update
+# Persistent local customizations
+include build-systems-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+ignore noexec ${HOME}
+ignore noexec /tmp
+
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
+
+# Allow ssh (blacklisted by disable-common.inc)
+#include allow-ssh.inc
+
+blacklist ${RUNUSER}
+
+include disable-common.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-X11.inc
+include disable-xdg.inc
+
+#whitelist ${HOME}/Projects
+#include whitelist-common.inc
+
+whitelist /usr/share/pkgconfig
+include whitelist-run-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+machine-id
+# net none
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/bundle.profile b/etc/profile-a-l/bundle.profile
new file mode 100644
index 000000000..bb82022b1
--- /dev/null
+++ b/etc/profile-a-l/bundle.profile
@@ -0,0 +1,23 @@
+# Firejail profile for bundle
+# Description: Ruby Dependency Management
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include bundle.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.bundle
+
+# Allow ruby (blacklisted by disable-interpreters.inc)
+include allow-ruby.inc
+
+#whitelist ${HOME}/.bundle
+#whitelist ${HOME}/.gem
+#whitelist ${HOME}/.local/share/gem
+whitelist /usr/share/gems
+whitelist /usr/share/ruby
+whitelist /usr/share/rubygems
+
+# Redirect
+include build-systems-common.profile
diff --git a/etc/profile-a-l/bzflag.profile b/etc/profile-a-l/bzflag.profile
index bda96bbb3..53cfde352 100644
--- a/etc/profile-a-l/bzflag.profile
+++ b/etc/profile-a-l/bzflag.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
diff --git a/etc/profile-a-l/cachy-browser.profile b/etc/profile-a-l/cachy-browser.profile
new file mode 100644
index 000000000..7a14d9464
--- /dev/null
+++ b/etc/profile-a-l/cachy-browser.profile
@@ -0,0 +1,56 @@
+# Firejail profile for Cachy-Browser
+# Description: Librewolf fork based on enhanced privacy with gentoo patchset
+# This file is overwritten after every install/update
+# Persistent local customizations
+include cachy-browser.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/cachy
+noblacklist ${HOME}/.cachy
+
+mkdir ${HOME}/.cache/cachy
+mkdir ${HOME}/.cachy
+whitelist ${HOME}/.cache/cachy
+whitelist ${HOME}/.cachy
+
+# Add the next lines to your cachy-browser.local if you want to use the migration wizard.
+#noblacklist ${HOME}/.mozilla
+#whitelist ${HOME}/.mozilla
+
+# To enable KeePassXC Plugin add one of the following lines to your cachy-browser.local.
+# NOTE: start KeePassXC before CachyBrowser and keep it open to allow communication between them.
+#whitelist ${RUNUSER}/kpxc_server
+#whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer
+
+whitelist /usr/share/doc
+whitelist /usr/share/gtk-doc/html
+whitelist /usr/share/mozilla
+whitelist /usr/share/webext
+include whitelist-usr-share-common.inc
+
+# Add the next line to your cachy-browser.local to enable private-bin (Arch Linux).
+#private-bin dbus-launch,dbus-send,cachy-browser,sh
+# Add the next line to your cachy-browser.local to enable private-etc.
+# NOTE: private-etc must first be enabled in firefox-common.local.
+#private-etc cachy-browser
+
+dbus-user filter
+dbus-user.own org.mozilla.cachybrowser.*
+# Add the next line to your cachy-browser.local to enable native notifications.
+#dbus-user.talk org.freedesktop.Notifications
+# Add the next line to your cachy-browser.local to allow inhibiting screensavers.
+#dbus-user.talk org.freedesktop.ScreenSaver
+# Add the next lines to your cachy-browser.local for plasma browser integration.
+#dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration
+#dbus-user.talk org.kde.JobViewServer
+#dbus-user.talk org.kde.kuiserver
+# Add the next line to your cachy-browser.local to allow screensharing under Wayland.
+#dbus-user.talk org.freedesktop.portal.Desktop
+# Also add the next line to your cachy-browser.local if screensharing does not work with
+# the above lines (depends on the portal implementation).
+#ignore noroot
+ignore dbus-user none
+
+# Redirect
+include firefox-common.profile
diff --git a/etc/profile-a-l/calibre.profile b/etc/profile-a-l/calibre.profile
index 83571397b..cdc168384 100644
--- a/etc/profile-a-l/calibre.profile
+++ b/etc/profile-a-l/calibre.profile
@@ -13,7 +13,6 @@ noblacklist ${DOCUMENTS}
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-a-l/calligra.profile b/etc/profile-a-l/calligra.profile
index fcff47662..280a61401 100644
--- a/etc/profile-a-l/calligra.profile
+++ b/etc/profile-a-l/calligra.profile
@@ -11,7 +11,6 @@ noblacklist ${HOME}/.local/share/kxmlgui5/calligra
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 caps.drop all
diff --git a/etc/profile-a-l/cameramonitor.profile b/etc/profile-a-l/cameramonitor.profile
index 74c7cc34b..92c455144 100644
--- a/etc/profile-a-l/cameramonitor.profile
+++ b/etc/profile-a-l/cameramonitor.profile
@@ -15,7 +15,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -47,7 +46,7 @@ tracelog
 disable-mnt
 private-bin cameramonitor,python*
 private-cache
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 private-tmp
 
 # dbus-user none
diff --git a/etc/profile-a-l/cantata.profile b/etc/profile-a-l/cantata.profile
index 96f88a7c4..69cf912ef 100644
--- a/etc/profile-a-l/cantata.profile
+++ b/etc/profile-a-l/cantata.profile
@@ -18,7 +18,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
diff --git a/etc/profile-a-l/cargo.profile b/etc/profile-a-l/cargo.profile
new file mode 100644
index 000000000..4c8afd895
--- /dev/null
+++ b/etc/profile-a-l/cargo.profile
@@ -0,0 +1,24 @@
+# Firejail profile for cargo
+# Description: The Rust package manager
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include cargo.local
+# Persistent global definitions
+include globals.local
+
+ignore read-only ${HOME}/.cargo/bin
+
+noblacklist ${HOME}/.cargo/credentials
+noblacklist ${HOME}/.cargo/credentials.toml
+
+#whitelist ${HOME}/.cargo
+#whitelist ${HOME}/.rustup
+
+#private-bin cargo,rustc
+private-etc alternatives,ca-certificates,crypto-policies,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,magic,magic.mgc,nsswitch.conf,passwd,pki,protocols,resolv.conf,rpc,services,ssl
+
+memory-deny-write-execute
+
+# Redirect
+include build-systems-common.profile
diff --git a/etc/profile-a-l/catfish.profile b/etc/profile-a-l/catfish.profile
index 009d3a049..38a670fdc 100644
--- a/etc/profile-a-l/catfish.profile
+++ b/etc/profile-a-l/catfish.profile
@@ -18,7 +18,6 @@ include allow-python3.inc
 # include disable-common.inc
 # include disable-devel.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 # include disable-programs.inc
 
 whitelist /var/lib/mlocate
diff --git a/etc/profile-a-l/cawbird.profile b/etc/profile-a-l/cawbird.profile
index 6e137010c..c7a98250e 100644
--- a/etc/profile-a-l/cawbird.profile
+++ b/etc/profile-a-l/cawbird.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -40,7 +39,7 @@ disable-mnt
 private-bin cawbird
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,pki,resolv.conf,ssl,X11,xdg
+private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,nsswitch.conf,pki,resolv.conf,ssl,X11,xdg
 private-tmp
 
 # dbus-user none
diff --git a/etc/profile-a-l/celluloid.profile b/etc/profile-a-l/celluloid.profile
index f02161b9b..1a9340632 100644
--- a/etc/profile-a-l/celluloid.profile
+++ b/etc/profile-a-l/celluloid.profile
@@ -17,14 +17,14 @@ include allow-lua.inc
 include allow-python2.inc
 include allow-python3.inc
 
+blacklist /usr/libexec
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
-read-only ${DESKTOP}
 mkdir ${HOME}/.config/celluloid
 mkdir ${HOME}/.config/gnome-mpv
 mkdir ${HOME}/.config/youtube-dl
@@ -53,12 +53,13 @@ tracelog
 
 private-bin celluloid,env,gnome-mpv,python*,youtube-dl
 private-cache
-private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hosts,ld.so.cache,libva.conf,localtime,machine-id,pkcs11,pki,resolv.conf,selinux,ssl,xdg
+private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hosts,ld.so.cache,ld.so.preload,libva.conf,localtime,machine-id,pkcs11,pki,resolv.conf,selinux,ssl,xdg
 private-dev
 private-tmp
 
 dbus-user filter
 dbus-user.own io.github.celluloid_player.Celluloid
+dbus-user.talk ca.desrt.dconf
 dbus-user.talk org.gnome.SettingsDaemon.MediaKeys
 dbus-system none
 
diff --git a/etc/profile-a-l/checkbashisms.profile b/etc/profile-a-l/checkbashisms.profile
index 24939fc70..e89f488ea 100644
--- a/etc/profile-a-l/checkbashisms.profile
+++ b/etc/profile-a-l/checkbashisms.profile
@@ -18,7 +18,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-a-l/cheese.profile b/etc/profile-a-l/cheese.profile
index aca1f5876..713d8a5e4 100644
--- a/etc/profile-a-l/cheese.profile
+++ b/etc/profile-a-l/cheese.profile
@@ -9,18 +9,23 @@ include globals.local
 noblacklist ${VIDEOS}
 noblacklist ${PICTURES}
 
+include allow-python3.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 whitelist ${VIDEOS}
 whitelist ${PICTURES}
+whitelist /usr/libexec/gstreamer-1.0/gst-plugin-scanner
 whitelist /usr/share/gnome-video-effects
+whitelist /usr/share/gstreamer-1.0
 include whitelist-common.inc
+include whitelist-run-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -31,21 +36,26 @@ machine-id
 net none
 nodvd
 nogroups
+noinput
 nonewprivs
 noroot
+nosound
 notv
 nou2f
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
 disable-mnt
 private-bin cheese
 private-cache
-private-etc alternatives,clutter-1.0,dconf,drirc,fonts,gtk-3.0
+private-dev
+private-etc alternatives,clutter-1.0,dconf,drirc,fonts,gtk-3.0,ld.so.cache,ld.so.preload
 private-tmp
 
 dbus-user filter
+dbus-user.own org.gnome.Cheese
 dbus-user.talk ca.desrt.dconf
 dbus-system none
diff --git a/etc/profile-a-l/cherrytree.profile b/etc/profile-a-l/cherrytree.profile
index 7621b3c8c..e68182b27 100644
--- a/etc/profile-a-l/cherrytree.profile
+++ b/etc/profile-a-l/cherrytree.profile
@@ -17,7 +17,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-a-l/chromium-browser-privacy.profile b/etc/profile-a-l/chromium-browser-privacy.profile
index 0283a6934..8803a4d9d 100644
--- a/etc/profile-a-l/chromium-browser-privacy.profile
+++ b/etc/profile-a-l/chromium-browser-privacy.profile
@@ -6,6 +6,8 @@ include chromium-browser-privacy.local
 noblacklist ${HOME}/.cache/ungoogled-chromium
 noblacklist ${HOME}/.config/ungoogled-chromium
 
+blacklist /usr/libexec
+
 mkdir ${HOME}/.cache/ungoogled-chromium
 mkdir ${HOME}/.config/ungoogled-chromium
 whitelist ${HOME}/.cache/ungoogled-chromium
diff --git a/etc/profile-a-l/chromium-common-hardened.inc.profile b/etc/profile-a-l/chromium-common-hardened.inc.profile
index 87a0a0994..19addd285 100644
--- a/etc/profile-a-l/chromium-common-hardened.inc.profile
+++ b/etc/profile-a-l/chromium-common-hardened.inc.profile
@@ -6,5 +6,4 @@ caps.drop all
 nonewprivs
 noroot
 protocol unix,inet,inet6,netlink
-# kcmp is required for ozone-platform=wayland, see #3783.
-seccomp !chroot,!kcmp
+seccomp !chroot
diff --git a/etc/profile-a-l/chromium-common.profile b/etc/profile-a-l/chromium-common.profile
index 134f4665c..998ffd9da 100644
--- a/etc/profile-a-l/chromium-common.profile
+++ b/etc/profile-a-l/chromium-common.profile
@@ -9,8 +9,9 @@ include chromium-common.local
 # noexec ${HOME} breaks DRM binaries.
 ?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
 
-noblacklist ${HOME}/.pki
 noblacklist ${HOME}/.local/share/pki
+noblacklist ${HOME}/.pki
+noblacklist /usr/lib/chromium/chrome-sandbox
 
 # Add the next line to your chromium-common.local if you want Google Chrome/Chromium browser
 # to have access to Gnome extensions (extensions.gnome.org) via browser connector
@@ -20,16 +21,18 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-# include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-mkdir ${HOME}/.pki
 mkdir ${HOME}/.local/share/pki
+mkdir ${HOME}/.pki
 whitelist ${DOWNLOADS}
-whitelist ${HOME}/.pki
 whitelist ${HOME}/.local/share/pki
+whitelist ${HOME}/.pki
+whitelist /usr/share/mozilla/extensions
+whitelist /usr/share/webext
 include whitelist-common.inc
+include whitelist-run-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -37,14 +40,12 @@ include whitelist-var-common.inc
 # Add the next line to your chromium-common.local if your kernel allows unprivileged userns clone.
 #include chromium-common-hardened.inc.profile
 
-# Add the next line to your chromium-common.local to allow screen sharing under wayland.
-#whitelist ${RUNUSER}/pipewire-0
-
 apparmor
 caps.keep sys_admin,sys_chroot
 netfilter
 nodvd
 nogroups
+noinput
 notv
 ?BROWSER_DISABLE_U2F: nou2f
 shell none
@@ -54,6 +55,10 @@ private-cache
 ?BROWSER_DISABLE_U2F: private-dev
 #private-tmp - issues when using multiple browser sessions
 
+blacklist ${PATH}/curl
+blacklist ${PATH}/wget
+blacklist ${PATH}/wget2
+
 #dbus-user none - prevents access to passwords saved in GNOME Keyring and KWallet, also breaks Gnome connector.
 dbus-system none
 
diff --git a/etc/profile-a-l/chromium.profile b/etc/profile-a-l/chromium.profile
index 9ac33aa1c..14f1bbe64 100644
--- a/etc/profile-a-l/chromium.profile
+++ b/etc/profile-a-l/chromium.profile
@@ -16,7 +16,6 @@ whitelist ${HOME}/.cache/chromium
 whitelist ${HOME}/.config/chromium
 whitelist ${HOME}/.config/chromium-flags.conf
 whitelist /usr/share/chromium
-whitelist /usr/share/mozilla/extensions
 
 # private-bin chromium,chromium-browser,chromedriver
 
diff --git a/etc/profile-a-l/cin.profile b/etc/profile-a-l/cin.profile
index 542d6600d..7d3e0c100 100644
--- a/etc/profile-a-l/cin.profile
+++ b/etc/profile-a-l/cin.profile
@@ -11,7 +11,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 caps.drop all
@@ -26,7 +25,7 @@ nou2f
 noroot
 protocol unix
 
-# if an 1-1.2% gap per thread hurts you, comment seccomp
+# If a 1-1.2% gap per thread hurts you, add 'ignore seccomp' to your cin.local.
 seccomp
 shell none
 
diff --git a/etc/profile-a-l/clawsker.profile b/etc/profile-a-l/clawsker.profile
index 9b62a1f73..677d2b7eb 100644
--- a/etc/profile-a-l/clawsker.profile
+++ b/etc/profile-a-l/clawsker.profile
@@ -15,7 +15,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 mkdir ${HOME}/.claws-mail
@@ -45,7 +44,7 @@ disable-mnt
 private-bin bash,clawsker,perl,sh,which
 private-cache
 private-dev
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 private-lib girepository-1.*,libdbus-glib-1.so.*,libetpan.so.*,libgirepository-1.*,libgtk-3.so.*,libgtk-x11-2.0.so.*,libstartup-notification-1.so.*,perl*
 private-tmp
 
diff --git a/etc/profile-a-l/clementine.profile b/etc/profile-a-l/clementine.profile
index fa33795c1..b1509f391 100644
--- a/etc/profile-a-l/clementine.profile
+++ b/etc/profile-a-l/clementine.profile
@@ -14,7 +14,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-a-l/clion-eap.profile b/etc/profile-a-l/clion-eap.profile
new file mode 100644
index 000000000..3602c3e7b
--- /dev/null
+++ b/etc/profile-a-l/clion-eap.profile
@@ -0,0 +1,10 @@
+# Firejail profile for CLion EAP
+# This file is overwritten after every install/update
+# Persistent local customizations
+include clion-eap.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include clion.profile
diff --git a/etc/profile-a-l/clion.profile b/etc/profile-a-l/clion.profile
index 22cecff09..15071d731 100644
--- a/etc/profile-a-l/clion.profile
+++ b/etc/profile-a-l/clion.profile
@@ -5,6 +5,9 @@ include clion.local
 # Persistent global definitions
 include globals.local
 
+noblacklist ${HOME}/.config/JetBrains/CLion*
+noblacklist ${HOME}/.cache/JetBrains/CLion*
+noblacklist ${HOME}/.clion*
 noblacklist ${HOME}/.CLion*
 noblacklist ${HOME}/.config/git
 noblacklist ${HOME}/.gitconfig
@@ -17,7 +20,6 @@ noblacklist ${HOME}/.tooling
 include allow-ssh.inc
 
 include disable-common.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 caps.drop all
diff --git a/etc/profile-a-l/clipgrab.profile b/etc/profile-a-l/clipgrab.profile
index c8258da07..084f0ccad 100644
--- a/etc/profile-a-l/clipgrab.profile
+++ b/etc/profile-a-l/clipgrab.profile
@@ -6,15 +6,18 @@ include clipgrab.local
 # Persistent global definitions
 include globals.local
 
+noblacklist ${HOME}/.config/ClipGrab
 noblacklist ${HOME}/.config/Philipp Schmieder
 noblacklist ${HOME}/.pki
 noblacklist ${VIDEOS}
 
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-a-l/clipit.profile b/etc/profile-a-l/clipit.profile
index d421903a3..4c7cb86bf 100644
--- a/etc/profile-a-l/clipit.profile
+++ b/etc/profile-a-l/clipit.profile
@@ -13,7 +13,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-a-l/cmake.profile b/etc/profile-a-l/cmake.profile
new file mode 100644
index 000000000..26cc2a00a
--- /dev/null
+++ b/etc/profile-a-l/cmake.profile
@@ -0,0 +1,13 @@
+# Firejail profile for cargo
+# Description: The Rust package manager
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include cargo.local
+# Persistent global definitions
+include globals.local
+
+memory-deny-write-execute
+
+# Redirect
+include build-systems-common.profile
diff --git a/etc/profile-a-l/cmus.profile b/etc/profile-a-l/cmus.profile
index bcd557787..7421debe0 100644
--- a/etc/profile-a-l/cmus.profile
+++ b/etc/profile-a-l/cmus.profile
@@ -12,7 +12,6 @@ noblacklist ${MUSIC}
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -28,4 +27,4 @@ seccomp
 shell none
 
 private-bin cmus
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,machine-id,pki,pulse,resolv.conf,ssl
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl
diff --git a/etc/profile-a-l/code.profile b/etc/profile-a-l/code.profile
index e19b78908..4cade5749 100644
--- a/etc/profile-a-l/code.profile
+++ b/etc/profile-a-l/code.profile
@@ -5,6 +5,23 @@ include code.local
 # Persistent global definitions
 include globals.local
 
+# Disabled until someone reported positive feedback
+ignore include disable-devel.inc
+ignore include disable-exec.inc
+ignore include disable-interpreters.inc
+ignore include disable-xdg.inc
+ignore whitelist ${DOWNLOADS}
+ignore whitelist ${HOME}/.config/Electron
+ignore whitelist ${HOME}/.config/electron-flag*.conf
+ignore include whitelist-common.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+ignore include whitelist-var-common.inc
+ignore apparmor
+ignore disable-mnt
+ignore dbus-user none
+ignore dbus-system none
+
 noblacklist ${HOME}/.config/Code
 noblacklist ${HOME}/.config/Code - OSS
 noblacklist ${HOME}/.vscode
@@ -13,31 +30,13 @@ noblacklist ${HOME}/.vscode-oss
 # Allows files commonly used by IDEs
 include allow-common-devel.inc
 
-include disable-common.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-noinput
-nonewprivs
-noroot
 nosound
-notv
-nou2f
-novideo
-protocol unix,inet,inet6,netlink
-seccomp
-shell none
-
-private-cache
-private-dev
-private-tmp
 
 # Disabling noexec ${HOME} for now since it will
 # probably interfere with running some programmes
 # in VS Code
 # noexec ${HOME}
 noexec /tmp
+
+# Redirect
+include electron.profile
diff --git a/etc/profile-a-l/codium.profile b/etc/profile-a-l/codium.profile
new file mode 100644
index 000000000..9ff87ed8a
--- /dev/null
+++ b/etc/profile-a-l/codium.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for VSCodium
+# This file is overwritten after every install/update
+# Persistent local customizations
+include codium.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include vscodium.profile
diff --git a/etc/profile-a-l/cointop.profile b/etc/profile-a-l/cointop.profile
new file mode 100644
index 000000000..4349f58fc
--- /dev/null
+++ b/etc/profile-a-l/cointop.profile
@@ -0,0 +1,63 @@
+# Firejail profile for cointop
+# Description: TUI for tracking cryptocurrency stats
+# This file is overwritten after every install/update
+# Persistent local customizations
+include cointop.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/cointop
+
+blacklist ${RUNUSER}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-X11.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/cointop
+whitelist ${HOME}/.config/cointop
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noprinters
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol inet,inet6
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin cointop
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
+private-lib
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-a-l/cola.profile b/etc/profile-a-l/cola.profile
index e5debfd82..97bf6d394 100644
--- a/etc/profile-a-l/cola.profile
+++ b/etc/profile-a-l/cola.profile
@@ -7,4 +7,4 @@ include cola.local
 include globals.local
 
 # Redirect
-include git-cola.profile
\ No newline at end of file
+include git-cola.profile
diff --git a/etc/profile-a-l/colorful.profile b/etc/profile-a-l/colorful.profile
index bd6d8f5b0..33ee0d0ee 100644
--- a/etc/profile-a-l/colorful.profile
+++ b/etc/profile-a-l/colorful.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
diff --git a/etc/profile-a-l/com.github.bleakgrey.tootle.profile b/etc/profile-a-l/com.github.bleakgrey.tootle.profile
index c8bdfec23..27780b669 100644
--- a/etc/profile-a-l/com.github.bleakgrey.tootle.profile
+++ b/etc/profile-a-l/com.github.bleakgrey.tootle.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -46,7 +45,7 @@ disable-mnt
 private-bin com.github.bleakgrey.tootle
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,machine-id mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,machine-id mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg
 private-tmp
 
 # Settings are immutable
diff --git a/etc/profile-a-l/com.github.dahenson.agenda.profile b/etc/profile-a-l/com.github.dahenson.agenda.profile
index b467a0f7a..0e29d90de 100644
--- a/etc/profile-a-l/com.github.dahenson.agenda.profile
+++ b/etc/profile-a-l/com.github.dahenson.agenda.profile
@@ -14,7 +14,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -53,7 +52,7 @@ disable-mnt
 private-bin com.github.dahenson.agenda
 private-cache
 private-dev
-private-etc dconf,fonts,gtk-3.0
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-a-l/com.github.johnfactotum.Foliate.profile b/etc/profile-a-l/com.github.johnfactotum.Foliate.profile
index c13f9618b..24222164b 100644
--- a/etc/profile-a-l/com.github.johnfactotum.Foliate.profile
+++ b/etc/profile-a-l/com.github.johnfactotum.Foliate.profile
@@ -17,7 +17,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -56,7 +55,7 @@ disable-mnt
 private-bin com.github.johnfactotum.Foliate,gjs
 private-cache
 private-dev
-private-etc dconf,fonts,gconf,gtk-3.0
+private-etc alternatives,dconf,fonts,gconf,gtk-3.0,ld.so.cache,ld.so.preload
 private-tmp
 
 read-only ${HOME}
diff --git a/etc/profile-a-l/com.github.phase1geo.minder.profile b/etc/profile-a-l/com.github.phase1geo.minder.profile
index d0402d188..b10d1b5b0 100644
--- a/etc/profile-a-l/com.github.phase1geo.minder.profile
+++ b/etc/profile-a-l/com.github.phase1geo.minder.profile
@@ -14,7 +14,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
diff --git a/etc/profile-a-l/com.github.tchx84.Flatseal.profile b/etc/profile-a-l/com.github.tchx84.Flatseal.profile
new file mode 100644
index 000000000..a095104f0
--- /dev/null
+++ b/etc/profile-a-l/com.github.tchx84.Flatseal.profile
@@ -0,0 +1,65 @@
+# Firejail profile for flatseal
+# This file is overwritten after every install/update
+# Persistent local customizations
+include com.github.tchx84.Flatseal.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/flatpak/overrides
+noblacklist /var/lib/flatpak/app
+
+# Allow gjs (blacklisted by disable-interpreters.inc)
+include allow-gjs.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.local/share/flatpak/overrides
+whitelist ${HOME}/.local/share/flatpak/overrides
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noprinters
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin com.github.tchx84.Flatseal,gjs
+private-cache
+private-dev
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload
+private-tmp
+
+dbus-user filter
+dbus-user.own com.github.tchx84.Flatseal
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.freedesktop.impl.portal.PermissionStore
+dbus-user.talk org.gnome.Software
+dbus-system none
+
+read-write ${HOME}/.local/share/flatpak/overrides
diff --git a/etc/profile-a-l/conky.profile b/etc/profile-a-l/conky.profile
index eaa18739d..7ccc101bf 100644
--- a/etc/profile-a-l/conky.profile
+++ b/etc/profile-a-l/conky.profile
@@ -15,7 +15,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-a-l/corebird.profile b/etc/profile-a-l/corebird.profile
index 2fb446e2a..537381f64 100644
--- a/etc/profile-a-l/corebird.profile
+++ b/etc/profile-a-l/corebird.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
diff --git a/etc/profile-a-l/cower.profile b/etc/profile-a-l/cower.profile
index 1635995dc..351ca0dab 100644
--- a/etc/profile-a-l/cower.profile
+++ b/etc/profile-a-l/cower.profile
@@ -14,7 +14,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
diff --git a/etc/profile-a-l/coyim.profile b/etc/profile-a-l/coyim.profile
index 7ece35c2b..099253b21 100644
--- a/etc/profile-a-l/coyim.profile
+++ b/etc/profile-a-l/coyim.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -41,7 +40,7 @@ tracelog
 disable-mnt
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,machine-id,pki,ssl
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/crawl.profile b/etc/profile-a-l/crawl.profile
index b10216895..7cbbcd8d3 100644
--- a/etc/profile-a-l/crawl.profile
+++ b/etc/profile-a-l/crawl.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-a-l/crow.profile b/etc/profile-a-l/crow.profile
index 02b15ecc2..ed1213687 100644
--- a/etc/profile-a-l/crow.profile
+++ b/etc/profile-a-l/crow.profile
@@ -15,7 +15,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -40,7 +39,7 @@ shell none
 disable-mnt
 private-bin crow
 private-dev
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,ld.so.cache,ld.so.preload,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl
 private-opt none
 private-tmp
 private-srv none
diff --git a/etc/profile-a-l/curl.profile b/etc/profile-a-l/curl.profile
index c9867c5d7..448d8b655 100644
--- a/etc/profile-a-l/curl.profile
+++ b/etc/profile-a-l/curl.profile
@@ -20,7 +20,6 @@ blacklist ${RUNUSER}
 
 include disable-common.inc
 include disable-exec.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 # Depending on workflow you can add 'include disable-xdg.inc' to your curl.local.
 #include disable-xdg.inc
diff --git a/etc/profile-a-l/d-feet.profile b/etc/profile-a-l/d-feet.profile
index ba1e7adad..c75bc756f 100644
--- a/etc/profile-a-l/d-feet.profile
+++ b/etc/profile-a-l/d-feet.profile
@@ -16,7 +16,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -51,7 +50,7 @@ disable-mnt
 private-bin d-feet,python*
 private-cache
 private-dev
-private-etc alternatives,dbus-1,fonts,machine-id
+private-etc alternatives,dbus-1,fonts,ld.so.cache,ld.so.preload,machine-id
 private-tmp
 
 #memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/profile-a-l/darktable.profile b/etc/profile-a-l/darktable.profile
index 61fa52928..a3590281c 100644
--- a/etc/profile-a-l/darktable.profile
+++ b/etc/profile-a-l/darktable.profile
@@ -10,11 +10,12 @@ noblacklist ${HOME}/.cache/darktable
 noblacklist ${HOME}/.config/darktable
 noblacklist ${PICTURES}
 
+include allow-lua.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-a-l/dbus-send.profile b/etc/profile-a-l/dbus-send.profile
index 67a61bb60..e1b96f186 100644
--- a/etc/profile-a-l/dbus-send.profile
+++ b/etc/profile-a-l/dbus-send.profile
@@ -14,7 +14,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-write-mnt.inc
@@ -52,7 +51,7 @@ private
 private-bin dbus-send
 private-cache
 private-dev
-private-etc alternatives,dbus-1
+private-etc alternatives,dbus-1,ld.so.cache,ld.so.preload
 private-lib libpcre*
 private-tmp
 
diff --git a/etc/profile-a-l/dconf-editor.profile b/etc/profile-a-l/dconf-editor.profile
index 0c221850a..8c3c22dcf 100644
--- a/etc/profile-a-l/dconf-editor.profile
+++ b/etc/profile-a-l/dconf-editor.profile
@@ -10,7 +10,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -44,7 +43,7 @@ disable-mnt
 private-bin dconf-editor
 private-cache
 private-dev
-private-etc alternatives,dconf,fonts,gtk-3.0,machine-id
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,machine-id
 private-lib
 private-tmp
 
diff --git a/etc/profile-a-l/dconf.profile b/etc/profile-a-l/dconf.profile
index be7514cbf..b170842c3 100644
--- a/etc/profile-a-l/dconf.profile
+++ b/etc/profile-a-l/dconf.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
@@ -47,7 +46,7 @@ disable-mnt
 private-bin dconf,gsettings
 private-cache
 private-dev
-private-etc alternatives,dconf
+private-etc alternatives,dconf,ld.so.cache,ld.so.preload
 private-lib
 private-tmp
 
diff --git a/etc/profile-a-l/ddgr.profile b/etc/profile-a-l/ddgr.profile
new file mode 100644
index 000000000..b1d41ddf7
--- /dev/null
+++ b/etc/profile-a-l/ddgr.profile
@@ -0,0 +1,13 @@
+# Firejail profile for ddgr
+# Description: Search DuckDuckGo from your terminal
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include ddgr.local
+# Persistent global definitions
+include globals.local
+
+private-bin ddgr
+
+# Redirect
+include googler-common.profile
diff --git a/etc/profile-a-l/ddgtk.profile b/etc/profile-a-l/ddgtk.profile
index 5b95b74be..e9b8f5c47 100644
--- a/etc/profile-a-l/ddgtk.profile
+++ b/etc/profile-a-l/ddgtk.profile
@@ -14,7 +14,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
@@ -46,7 +45,7 @@ tracelog
 disable-mnt
 private-bin bash,dd,ddgtk,grep,lsblk,python*,sed,sh,tr
 private-cache
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/deadbeef.profile b/etc/profile-a-l/deadbeef.profile
index a221ebbd7..d9ff941da 100644
--- a/etc/profile-a-l/deadbeef.profile
+++ b/etc/profile-a-l/deadbeef.profile
@@ -13,7 +13,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-a-l/default.profile b/etc/profile-a-l/default.profile
index 2ecf1a45d..dac842bb6 100644
--- a/etc/profile-a-l/default.profile
+++ b/etc/profile-a-l/default.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 # include disable-devel.inc
 # include disable-exec.inc
 # include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 # include disable-shell.inc
 # include disable-write-mnt.inc
@@ -32,12 +31,13 @@ netfilter
 # no3d
 # nodvd
 # nogroups
+noinput
 nonewprivs
 noroot
 # nosound
-# notv
+notv
 # nou2f
-# novideo
+novideo
 protocol unix,inet,inet6
 seccomp
 # shell none
@@ -57,5 +57,6 @@ seccomp
 # dbus-user none
 # dbus-system none
 
+# deterministic-shutdown
 # memory-deny-write-execute
 # read-only ${HOME}
diff --git a/etc/profile-a-l/deluge.profile b/etc/profile-a-l/deluge.profile
index ad7aa6ed5..3697243e0 100644
--- a/etc/profile-a-l/deluge.profile
+++ b/etc/profile-a-l/deluge.profile
@@ -16,7 +16,6 @@ include disable-common.inc
 # include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 mkdir ${HOME}/.config/deluge
diff --git a/etc/profile-a-l/desktopeditors.profile b/etc/profile-a-l/desktopeditors.profile
index 212cdab60..5175146db 100644
--- a/etc/profile-a-l/desktopeditors.profile
+++ b/etc/profile-a-l/desktopeditors.profile
@@ -14,7 +14,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/devhelp.profile b/etc/profile-a-l/devhelp.profile
index 5007f8e74..562f6b105 100644
--- a/etc/profile-a-l/devhelp.profile
+++ b/etc/profile-a-l/devhelp.profile
@@ -11,7 +11,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -43,7 +42,7 @@ disable-mnt
 private-bin devhelp
 private-cache
 private-dev
-private-etc alternatives,dconf,fonts,ld.so.cache,machine-id,ssl
+private-etc alternatives,dconf,fonts,ld.so.cache,ld.so.preload,machine-id,ssl
 private-tmp
 
 # makes settings immutable
diff --git a/etc/profile-a-l/devilspie.profile b/etc/profile-a-l/devilspie.profile
index 6267b5709..a0f24c388 100644
--- a/etc/profile-a-l/devilspie.profile
+++ b/etc/profile-a-l/devilspie.profile
@@ -14,7 +14,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
@@ -49,7 +48,7 @@ disable-mnt
 private-bin devilspie
 private-cache
 private-dev
-private-etc alternatives
+private-etc alternatives,ld.so.cache,ld.so.preload
 private-lib gconv
 private-tmp
 
diff --git a/etc/profile-a-l/dex2jar.profile b/etc/profile-a-l/dex2jar.profile
index 8f3703369..9c1cf72f0 100644
--- a/etc/profile-a-l/dex2jar.profile
+++ b/etc/profile-a-l/dex2jar.profile
@@ -13,7 +13,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-a-l/dia.profile b/etc/profile-a-l/dia.profile
index 531734b7d..902148756 100644
--- a/etc/profile-a-l/dia.profile
+++ b/etc/profile-a-l/dia.profile
@@ -17,7 +17,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-a-l/dig.profile b/etc/profile-a-l/dig.profile
index 247159a8a..a925781af 100644
--- a/etc/profile-a-l/dig.profile
+++ b/etc/profile-a-l/dig.profile
@@ -17,7 +17,6 @@ include disable-common.inc
 # include disable-devel.inc
 include disable-exec.inc
 # include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-a-l/digikam.profile b/etc/profile-a-l/digikam.profile
index 2ca7bd400..41625e12e 100644
--- a/etc/profile-a-l/digikam.profile
+++ b/etc/profile-a-l/digikam.profile
@@ -17,7 +17,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-a-l/dillo.profile b/etc/profile-a-l/dillo.profile
index 9871a6095..19b99b5fd 100644
--- a/etc/profile-a-l/dillo.profile
+++ b/etc/profile-a-l/dillo.profile
@@ -11,7 +11,6 @@ noblacklist ${HOME}/.dillo
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 mkdir ${HOME}/.dillo
@@ -36,3 +35,5 @@ tracelog
 
 private-dev
 private-tmp
+
+deterministic-shutdown
diff --git a/etc/profile-a-l/dino.profile b/etc/profile-a-l/dino.profile
index 968c0b114..77fc98223 100644
--- a/etc/profile-a-l/dino.profile
+++ b/etc/profile-a-l/dino.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 
@@ -20,22 +19,24 @@ mkdir ${HOME}/.local/share/dino
 whitelist ${HOME}/.local/share/dino
 whitelist ${DOWNLOADS}
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 netfilter
-no3d
 nodvd
 nogroups
 noinput
 nonewprivs
 noroot
-nosound
 notv
 nou2f
-novideo
-protocol unix,inet,inet6
+protocol unix,inet,inet6,netlink
 seccomp
+seccomp.block-secondary
 shell none
+tracelog
 
 disable-mnt
 private-bin dino
@@ -43,3 +44,13 @@ private-dev
 # private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl -- breaks server connection
 private-tmp
 
+dbus-user filter
+# Integration with notification and other desktop environment functionalities
+dbus-user.own im.dino.Dino
+# dconf integration
+dbus-user.talk ca.desrt.dconf
+# Notification support
+dbus-user.talk org.freedesktop.Notifications
+dbus-system filter
+# Integration with systemd-logind or elogind
+dbus-system.talk org.freedesktop.login1
diff --git a/etc/profile-a-l/discord-common.profile b/etc/profile-a-l/discord-common.profile
index b83e626d9..c04e38899 100644
--- a/etc/profile-a-l/discord-common.profile
+++ b/etc/profile-a-l/discord-common.profile
@@ -23,8 +23,10 @@ ignore novideo
 whitelist ${HOME}/.config/BetterDiscord
 whitelist ${HOME}/.local/share/betterdiscordctl
 
-private-bin bash,cut,echo,egrep,fish,grep,head,sed,sh,tclsh,tr,xdg-mime,xdg-open,zsh
-private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,login.defs,machine-id,password,pki,pulse,resolv.conf,ssl
+private-bin bash,cut,echo,egrep,electron,electron[0-9],electron[0-9][0-9],fish,grep,head,sed,sh,tclsh,tr,xdg-mime,xdg-open,zsh
+private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.preload,localtime,login.defs,machine-id,password,pki,pulse,resolv.conf,ssl
+
+join-or-start discord
 
 # Redirect
 include electron.profile
diff --git a/etc/profile-a-l/display.profile b/etc/profile-a-l/display.profile
index 11f3fd36e..1def961b2 100644
--- a/etc/profile-a-l/display.profile
+++ b/etc/profile-a-l/display.profile
@@ -15,7 +15,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -41,7 +40,8 @@ shell none
 private-bin display,python*
 private-dev
 # On Debian-based systems, display is a symlink in /etc/alternatives
-private-etc alternatives
+private-etc alternatives,ImageMagick-6,ImageMagick-7,ld.so.cache,ld.so.preload
+private-lib gcc/*/*/libgcc_s.so.*,gcc/*/*/libgomp.so.*,ImageMagick*,libfreetype.so.*,libltdl.so.*,libMagickWand-*.so.*,libXext.so.*
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/dnox.profile b/etc/profile-a-l/dnox.profile
index 51ba6f8b7..2169c8552 100644
--- a/etc/profile-a-l/dnox.profile
+++ b/etc/profile-a-l/dnox.profile
@@ -6,7 +6,6 @@ include dnox.local
 include globals.local
 
 # Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
-ignore whitelist /usr/share/chromium
 ignore include whitelist-runuser-common.inc
 ignore include whitelist-usr-share-common.inc
 
diff --git a/etc/profile-a-l/dnscrypt-proxy.profile b/etc/profile-a-l/dnscrypt-proxy.profile
index f8fb1a331..906089663 100644
--- a/etc/profile-a-l/dnscrypt-proxy.profile
+++ b/etc/profile-a-l/dnscrypt-proxy.profile
@@ -17,7 +17,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-a-l/dnsmasq.profile b/etc/profile-a-l/dnsmasq.profile
index 01398c2b2..2db1548a4 100644
--- a/etc/profile-a-l/dnsmasq.profile
+++ b/etc/profile-a-l/dnsmasq.profile
@@ -16,7 +16,6 @@ blacklist ${RUNUSER}/wayland-*
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-a-l/dolphin-emu.profile b/etc/profile-a-l/dolphin-emu.profile
index 49feec32e..ac86ef75a 100644
--- a/etc/profile-a-l/dolphin-emu.profile
+++ b/etc/profile-a-l/dolphin-emu.profile
@@ -16,7 +16,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-write-mnt.inc
 include disable-xdg.inc
diff --git a/etc/profile-a-l/dooble.profile b/etc/profile-a-l/dooble.profile
index 37a4113cb..f1b630ac8 100644
--- a/etc/profile-a-l/dooble.profile
+++ b/etc/profile-a-l/dooble.profile
@@ -13,7 +13,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 mkdir ${HOME}/.dooble
diff --git a/etc/profile-a-l/dosbox.profile b/etc/profile-a-l/dosbox.profile
index 988f66f28..ad7049d3d 100644
--- a/etc/profile-a-l/dosbox.profile
+++ b/etc/profile-a-l/dosbox.profile
@@ -13,7 +13,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
diff --git a/etc/profile-a-l/dragon.profile b/etc/profile-a-l/dragon.profile
index 8fa01d504..d5591adfb 100644
--- a/etc/profile-a-l/dragon.profile
+++ b/etc/profile-a-l/dragon.profile
@@ -14,12 +14,12 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
 whitelist /usr/share/dragonplayer
+include whitelist-run-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/drawio.profile b/etc/profile-a-l/drawio.profile
index 82d96e405..df7be55de 100644
--- a/etc/profile-a-l/drawio.profile
+++ b/etc/profile-a-l/drawio.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -46,7 +45,7 @@ shell none
 private-bin drawio
 private-cache
 private-dev
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/drill.profile b/etc/profile-a-l/drill.profile
index 068bd88d8..2a09270f7 100644
--- a/etc/profile-a-l/drill.profile
+++ b/etc/profile-a-l/drill.profile
@@ -16,7 +16,6 @@ include disable-common.inc
 # include disable-devel.inc
 include disable-exec.inc
 # include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-a-l/dropbox.profile b/etc/profile-a-l/dropbox.profile
index b3b2aaf40..73d9cfbbc 100644
--- a/etc/profile-a-l/dropbox.profile
+++ b/etc/profile-a-l/dropbox.profile
@@ -15,7 +15,6 @@ include allow-python3.inc
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 mkdir ${HOME}/.dropbox
diff --git a/etc/profile-a-l/easystroke.profile b/etc/profile-a-l/easystroke.profile
index 38e4b16f7..20cffae73 100644
--- a/etc/profile-a-l/easystroke.profile
+++ b/etc/profile-a-l/easystroke.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
@@ -46,7 +45,7 @@ disable-mnt
 #private-bin bash,easystroke,sh
 private-cache
 private-dev
-private-etc alternatives,fonts,group,passwd
+private-etc alternatives,fonts,group,ld.so.cache,ld.so.preload,passwd
 # breaks custom shell command functionality
 #private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*
 private-tmp
diff --git a/etc/profile-a-l/electron-mail.profile b/etc/profile-a-l/electron-mail.profile
index 278dd6cbd..09d14045a 100644
--- a/etc/profile-a-l/electron-mail.profile
+++ b/etc/profile-a-l/electron-mail.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -46,7 +45,7 @@ shell none
 private-bin electron-mail
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,nsswitch.conf,pki,resolv.conf,selinux,ssl,xdg
+private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,selinux,ssl,xdg
 private-opt ElectronMail
 private-tmp
 
diff --git a/etc/profile-a-l/electron.profile b/etc/profile-a-l/electron.profile
index 493af79d4..cedef34ff 100644
--- a/etc/profile-a-l/electron.profile
+++ b/etc/profile-a-l/electron.profile
@@ -4,15 +4,19 @@
 # Persistent local customizations
 include electron.local
 
+noblacklist ${HOME}/.config/Electron
+noblacklist ${HOME}/.config/electron-flag*.conf
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
 whitelist ${DOWNLOADS}
+whitelist ${HOME}/.config/Electron
+whitelist ${HOME}/.config/electron-flag*.conf
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/electrum.profile b/etc/profile-a-l/electrum.profile
index ad636d71a..dfbe5cee4 100644
--- a/etc/profile-a-l/electrum.profile
+++ b/etc/profile-a-l/electrum.profile
@@ -16,7 +16,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -48,7 +47,7 @@ private-bin electrum,python*
 private-cache
 ?HAS_APPIMAGE: ignore private-dev
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,machine-id,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,ld.so.cache,ld.so.preload,machine-id,pki,resolv.conf,ssl
 private-tmp
 
 # dbus-user none
diff --git a/etc/profile-a-l/elinks.profile b/etc/profile-a-l/elinks.profile
index 8120725d2..a3596bb5e 100644
--- a/etc/profile-a-l/elinks.profile
+++ b/etc/profile-a-l/elinks.profile
@@ -1,6 +1,7 @@
 # Firejail profile for elinks
 # Description: Advanced text-mode WWW browser
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include elinks.local
 # Persistent global definitions
@@ -8,37 +9,13 @@ include globals.local
 
 noblacklist ${HOME}/.elinks
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
 
-include disable-common.inc
-include disable-devel.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-include disable-xdg.inc
+mkdir ${HOME}/.elinks
+whitelist ${HOME}/.elinks
 
-include whitelist-runuser-common.inc
+private-bin elinks
 
-caps.drop all
-netfilter
-no3d
-nodvd
-nogroups
-noinput
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-tracelog
-
-# private-bin elinks
-private-cache
-private-dev
-# private-etc alternatives,ca-certificates,crypto-policies,pki,ssl
-private-tmp
+# Redirect
+include links-common.profile
diff --git a/etc/profile-a-l/emacs.profile b/etc/profile-a-l/emacs.profile
index 55bf743ef..7e9be653d 100644
--- a/etc/profile-a-l/emacs.profile
+++ b/etc/profile-a-l/emacs.profile
@@ -15,7 +15,6 @@ noblacklist ${HOME}/.emacs.d
 include allow-common-devel.inc
 
 include disable-common.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 caps.drop all
diff --git a/etc/profile-a-l/email-common.profile b/etc/profile-a-l/email-common.profile
index 6c9a8a6ea..b45f6e25e 100644
--- a/etc/profile-a-l/email-common.profile
+++ b/etc/profile-a-l/email-common.profile
@@ -7,11 +7,12 @@ include email-common.local
 # added by caller profile
 #include globals.local
 
+noblacklist ${HOME}/.bogofilter
 noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.mozilla
 noblacklist ${HOME}/.signature
 # when storing mail outside the default ${HOME}/Mail path, 'noblacklist' the custom path in your email-common.local
-# and 'blacklist' it in your disable-common.local too so it is  kept hidden from other applications
+# and 'blacklist' it in your disable-common.local too so it is kept hidden from other applications
 noblacklist ${HOME}/Mail
 
 noblacklist ${DOCUMENTS}
@@ -20,7 +21,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
@@ -66,7 +66,7 @@ tracelog
 # disable-mnt
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gnupg,groups,gtk-2.0,gtk-3.0,hostname,hosts,hosts.conf,mailname,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssl,xdg
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gnupg,groups,gtk-2.0,gtk-3.0,hostname,hosts,hosts.conf,ld.so.cache,ld.so.preload,machine-id,mailname,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssl,xdg
 private-tmp
 # encrypting and signing email
 writable-run-user
diff --git a/etc/profile-a-l/enchant.profile b/etc/profile-a-l/enchant.profile
index ac17b1726..eff0f64ea 100644
--- a/etc/profile-a-l/enchant.profile
+++ b/etc/profile-a-l/enchant.profile
@@ -14,7 +14,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
@@ -49,7 +48,7 @@ x11 none
 private-bin enchant,enchant-*
 private-cache
 private-dev
-private-etc alternatives
+private-etc alternatives,ld.so.cache,ld.so.preload
 private-lib
 private-tmp
 
diff --git a/etc/profile-a-l/engrampa.profile b/etc/profile-a-l/engrampa.profile
index f926610e2..1aca416d8 100644
--- a/etc/profile-a-l/engrampa.profile
+++ b/etc/profile-a-l/engrampa.profile
@@ -10,7 +10,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/enox.profile b/etc/profile-a-l/enox.profile
index d982433e2..ef766c654 100644
--- a/etc/profile-a-l/enox.profile
+++ b/etc/profile-a-l/enox.profile
@@ -6,7 +6,6 @@ include enox.local
 include globals.local
 
 # Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
-ignore whitelist /usr/share/chromium
 ignore include whitelist-runuser-common.inc
 ignore include whitelist-usr-share-common.inc
 
diff --git a/etc/profile-a-l/enpass.profile b/etc/profile-a-l/enpass.profile
index feae5abb3..0d0d6f083 100644
--- a/etc/profile-a-l/enpass.profile
+++ b/etc/profile-a-l/enpass.profile
@@ -16,7 +16,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
@@ -32,10 +31,10 @@ whitelist ${DOCUMENTS}
 include whitelist-common.inc
 include whitelist-var-common.inc
 
-# machine-id and nosound break audio notification functionality
-# comment both if you need that functionality or put 'ignore machine-id'
-# and 'ignore nosound' in your enpass.local
-
+# machine-id and nosound break audio notification functionality.
+# Add the next lines to your enpass.local if you need that functionality.
+#ignore machine-id
+#ignore nosound
 caps.drop all
 machine-id
 netfilter
diff --git a/etc/profile-a-l/eo-common.profile b/etc/profile-a-l/eo-common.profile
index 8e8047b00..31f39e210 100644
--- a/etc/profile-a-l/eo-common.profile
+++ b/etc/profile-a-l/eo-common.profile
@@ -11,11 +11,12 @@ noblacklist ${HOME}/.local/share/Trash
 noblacklist ${HOME}/.Steam
 noblacklist ${HOME}/.steam
 
+blacklist /usr/libexec
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-write-mnt.inc
 
@@ -46,6 +47,6 @@ tracelog
 
 private-cache
 private-dev
-private-etc alternatives,dconf,fonts,gtk-3.0
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload
 private-lib eog,eom,gdk-pixbuf-2.*,gio,girepository-1.*,gvfs,libgconf-2.so.*
 private-tmp
diff --git a/etc/profile-a-l/eog.profile b/etc/profile-a-l/eog.profile
index aabef65fc..65e5c6e69 100644
--- a/etc/profile-a-l/eog.profile
+++ b/etc/profile-a-l/eog.profile
@@ -10,13 +10,15 @@ noblacklist ${HOME}/.config/eog
 
 whitelist /usr/share/eog
 
-# private-bin, private-etc and private-lib break 'Open With' / 'Open in file manager'
-# comment those if you need that functionality
-# or put 'ignore private-bin', 'ignore private-etc' and 'ignore private-lib' in your eog.local
-private-bin eog
+# private-bin, private-etc and private-lib break 'Open With' / 'Open in file manager'.
+# Add the next lines to your eog.local if you need that functionality.
+#ignore private-bin
+#ignore private-etc
+#ignore private-lib
 
+private-bin eog
 
-# broken on Debian 10 (buster) running LXDE got the folowing error:
+# broken on Debian 10 (buster) running LXDE got the following error:
 # Failed to register: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: org.freedesktop.DBus.Error.ServiceUnknown
 #dbus-user filter
 #dbus-user.own org.gnome.eog
diff --git a/etc/profile-a-l/eom.profile b/etc/profile-a-l/eom.profile
index 5bfeb8c8f..7143a8e03 100644
--- a/etc/profile-a-l/eom.profile
+++ b/etc/profile-a-l/eom.profile
@@ -10,9 +10,12 @@ noblacklist ${HOME}/.config/mate/eom
 
 whitelist /usr/share/eom
 
-# private-bin, private-etc and private-lib break 'Open With' / 'Open in file manager'
-# comment those if you need that functionality
-# or put 'ignore private-bin', 'ignore private-etc' and 'ignore private-lib' in your eom.local
+# private-bin, private-etc and private-lib break 'Open With' / 'Open in file manager'.
+# Add the next lines to your eom.local if you need that functionality.
+#ignore private-bin
+#ignore private-etc
+#ignore private-lib
+
 private-bin eom
 
 # Redirect
diff --git a/etc/profile-a-l/ephemeral.profile b/etc/profile-a-l/ephemeral.profile
index 029f613c6..f88c64b23 100644
--- a/etc/profile-a-l/ephemeral.profile
+++ b/etc/profile-a-l/ephemeral.profile
@@ -9,8 +9,8 @@ include globals.local
 # enforce private-cache
 #noblacklist ${HOME}/.cache/ephemeral
 
-noblacklist ${HOME}/.pki
 noblacklist ${HOME}/.local/share/pki
+noblacklist ${HOME}/.pki
 
 # noexec ${HOME} breaks DRM binaries.
 ?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
@@ -23,12 +23,12 @@ include disable-programs.inc
 
 # enforce private-cache
 #mkdir ${HOME}/.cache/ephemeral
-mkdir ${HOME}/.pki
 mkdir ${HOME}/.local/share/pki
+mkdir ${HOME}/.pki
 # enforce private-cache
 #whitelist ${HOME}/.cache/ephemeral
-whitelist ${HOME}/.pki
 whitelist ${HOME}/.local/share/pki
+whitelist ${HOME}/.pki
 whitelist ${DOWNLOADS}
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
@@ -41,6 +41,7 @@ caps.drop all
 netfilter
 nodvd
 nogroups
+noinput
 nonewprivs
 # noroot breaks GTK_USE_PORTAL=1 usage, see https://github.com/netblue30/firejail/issues/2506.
 noroot
diff --git a/etc/profile-a-l/equalx.profile b/etc/profile-a-l/equalx.profile
index 964d3b7ca..0c3b790d5 100644
--- a/etc/profile-a-l/equalx.profile
+++ b/etc/profile-a-l/equalx.profile
@@ -13,7 +13,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -55,7 +54,7 @@ disable-mnt
 private-bin equalx,gs,pdflatex,pdftocairo
 private-cache
 private-dev
-private-etc equalx,equalx.conf,fonts,gtk-2.0,latexmk.conf,machine-id,papersize,passwd,texlive,Trolltech.conf
+private-etc alternatives,equalx,equalx.conf,fonts,gtk-2.0,latexmk.conf,ld.so.cache,ld.so.preload,machine-id,papersize,passwd,texlive,Trolltech.conf
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/etr.profile b/etc/profile-a-l/etr.profile
index b970b0dfd..edeed69bf 100644
--- a/etc/profile-a-l/etr.profile
+++ b/etc/profile-a-l/etr.profile
@@ -8,11 +8,12 @@ include globals.local
 
 noblacklist ${HOME}/.etr
 
+blacklist /usr/libexec
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -20,6 +21,8 @@ include disable-xdg.inc
 mkdir ${HOME}/.etr
 whitelist ${HOME}/.etr
 whitelist /usr/share/etr
+# Debian version
+whitelist /usr/share/games/etr
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/evince.profile b/etc/profile-a-l/evince.profile
index adcb29063..5c6710748 100644
--- a/etc/profile-a-l/evince.profile
+++ b/etc/profile-a-l/evince.profile
@@ -13,11 +13,13 @@ include globals.local
 noblacklist ${HOME}/.config/evince
 noblacklist ${DOCUMENTS}
 
+blacklist /usr/libexec
+
+include allow-bin-sh.inc
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -50,12 +52,12 @@ seccomp.block-secondary
 shell none
 tracelog
 
-private-bin evince,evince-previewer,evince-thumbnailer
+private-bin evince,evince-previewer,evince-thumbnailer,sh
 private-cache
 private-dev
-private-etc alternatives,fonts,group,ld.so.cache,machine-id,passwd
+private-etc alternatives,fonts,group,ld.so.cache,ld.so.preload,machine-id,passwd
 # private-lib might break two-page-view on some systems
-private-lib evince,gcc/*/*/libgcc_s.so.*,gcc/*/*/libstdc++.so.*,gconv,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libdjvulibre.so.*,libgconf-2.so.*,libgraphite2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,libspectre.so.*
+private-lib evince,gcc/*/*/libgcc_s.so.*,gcc/*/*/libstdc++.so.*,gconv,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libarchive.so.*,libdjvulibre.so.*,libgconf-2.so.*,libgraphite2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,libspectre.so.*
 private-tmp
 
 # dbus-user filtering might break two-page-view on some systems
diff --git a/etc/profile-a-l/evolution.profile b/etc/profile-a-l/evolution.profile
index 7222493ac..a80327234 100644
--- a/etc/profile-a-l/evolution.profile
+++ b/etc/profile-a-l/evolution.profile
@@ -20,7 +20,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 include whitelist-runuser-common.inc
diff --git a/etc/profile-a-l/exiftool.profile b/etc/profile-a-l/exiftool.profile
index 7b09a2c64..ae550e842 100644
--- a/etc/profile-a-l/exiftool.profile
+++ b/etc/profile-a-l/exiftool.profile
@@ -15,7 +15,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 whitelist /usr/share/perl-image-exiftool
@@ -49,7 +48,7 @@ x11 none
 #private-bin exiftool,perl
 private-cache
 private-dev
-private-etc alternatives
+private-etc alternatives,ld.so.cache,ld.so.preload
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/falkon.profile b/etc/profile-a-l/falkon.profile
index b2061db79..321cb0145 100644
--- a/etc/profile-a-l/falkon.profile
+++ b/etc/profile-a-l/falkon.profile
@@ -13,7 +13,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
@@ -24,6 +23,7 @@ whitelist ${HOME}/.cache/falkon
 whitelist ${HOME}/.config/falkon
 whitelist /usr/share/falkon
 include whitelist-common.inc
+include whitelist-run-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -47,7 +47,7 @@ disable-mnt
 # private-bin falkon
 private-cache
 private-dev
-private-etc adobe,alternatives,asound.conf,ati,ca-certificates,crypto-policies,dconf,drirc,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg
+private-etc adobe,alternatives,asound.conf,ati,ca-certificates,crypto-policies,dconf,drirc,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg
 private-tmp
 
 # dbus-user filter
diff --git a/etc/profile-a-l/fbreader.profile b/etc/profile-a-l/fbreader.profile
index 8e81000fd..121c5ba26 100644
--- a/etc/profile-a-l/fbreader.profile
+++ b/etc/profile-a-l/fbreader.profile
@@ -13,7 +13,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
diff --git a/etc/profile-a-l/fdns.profile b/etc/profile-a-l/fdns.profile
index 31cb1776c..ee775566e 100644
--- a/etc/profile-a-l/fdns.profile
+++ b/etc/profile-a-l/fdns.profile
@@ -15,7 +15,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
@@ -43,7 +42,7 @@ private
 private-bin bash,fdns,sh
 private-cache
 #private-dev
-private-etc ca-certificates,crypto-policies,fdns,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pki,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fdns,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pki,ssl
 # private-lib
 private-tmp
 
diff --git a/etc/profile-a-l/feedreader.profile b/etc/profile-a-l/feedreader.profile
index 664ec2da6..e45df21fc 100644
--- a/etc/profile-a-l/feedreader.profile
+++ b/etc/profile-a-l/feedreader.profile
@@ -13,7 +13,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
diff --git a/etc/profile-a-l/feh-network.inc.profile b/etc/profile-a-l/feh-network.inc.profile
index 690b39171..7293e89a8 100644
--- a/etc/profile-a-l/feh-network.inc.profile
+++ b/etc/profile-a-l/feh-network.inc.profile
@@ -5,4 +5,4 @@ include feh-network.inc.local
 ignore net none
 netfilter
 protocol unix,inet,inet6
-private-etc ca-certificates,crypto-policies,hosts,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,hosts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl
diff --git a/etc/profile-a-l/feh.profile b/etc/profile-a-l/feh.profile
index 2f2d8a4c7..4b8d41170 100644
--- a/etc/profile-a-l/feh.profile
+++ b/etc/profile-a-l/feh.profile
@@ -11,7 +11,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 
@@ -37,7 +36,7 @@ shell none
 private-bin feh,jpegexiforient,jpegtran
 private-cache
 private-dev
-private-etc alternatives,feh
+private-etc alternatives,feh,ld.so.cache,ld.so.preload
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/ferdi.profile b/etc/profile-a-l/ferdi.profile
index a2372ec8a..b6f69ccb9 100644
--- a/etc/profile-a-l/ferdi.profile
+++ b/etc/profile-a-l/ferdi.profile
@@ -9,8 +9,8 @@ ignore noexec /tmp
 
 noblacklist ${HOME}/.cache/Ferdi
 noblacklist ${HOME}/.config/Ferdi
-noblacklist ${HOME}/.pki
 noblacklist ${HOME}/.local/share/pki
+noblacklist ${HOME}/.pki
 
 include disable-common.inc
 include disable-devel.inc
@@ -20,13 +20,13 @@ include disable-programs.inc
 
 mkdir ${HOME}/.cache/Ferdi
 mkdir ${HOME}/.config/Ferdi
-mkdir ${HOME}/.pki
 mkdir ${HOME}/.local/share/pki
+mkdir ${HOME}/.pki
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/Ferdi
 whitelist ${HOME}/.config/Ferdi
-whitelist ${HOME}/.pki
 whitelist ${HOME}/.local/share/pki
+whitelist ${HOME}/.pki
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/profile-a-l/fetchmail.profile b/etc/profile-a-l/fetchmail.profile
index 7358ed5c7..babfeab61 100644
--- a/etc/profile-a-l/fetchmail.profile
+++ b/etc/profile-a-l/fetchmail.profile
@@ -12,7 +12,6 @@ noblacklist ${HOME}/.netrc
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 caps.drop all
diff --git a/etc/profile-a-l/ffmpeg.profile b/etc/profile-a-l/ffmpeg.profile
index 13ef1beb9..637e6fbf5 100644
--- a/etc/profile-a-l/ffmpeg.profile
+++ b/etc/profile-a-l/ffmpeg.profile
@@ -14,7 +14,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
diff --git a/etc/profile-a-l/ffplay.profile b/etc/profile-a-l/ffplay.profile
index 04134cbf4..52abb99d4 100644
--- a/etc/profile-a-l/ffplay.profile
+++ b/etc/profile-a-l/ffplay.profile
@@ -14,7 +14,7 @@ ignore nogroups
 ignore nosound
 
 private-bin ffplay
-private-etc alsa,asound.conf,group
+private-etc alsa,alternatives,asound.conf,group,ld.so.cache,ld.so.preload
 
 # Redirect
 include ffmpeg.profile
diff --git a/etc/profile-a-l/file-manager-common.profile b/etc/profile-a-l/file-manager-common.profile
index 23ec4a432..dbae06f19 100644
--- a/etc/profile-a-l/file-manager-common.profile
+++ b/etc/profile-a-l/file-manager-common.profile
@@ -26,7 +26,6 @@ include allow-python3.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 #include disable-programs.inc
 
 allusers
diff --git a/etc/profile-a-l/file-roller.profile b/etc/profile-a-l/file-roller.profile
index 0b8a8cd6c..06a8f6170 100644
--- a/etc/profile-a-l/file-roller.profile
+++ b/etc/profile-a-l/file-roller.profile
@@ -10,9 +10,10 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
+whitelist /usr/libexec/file-roller
+whitelist /usr/libexec/p7zip
 whitelist /usr/share/file-roller
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
@@ -42,7 +43,7 @@ tracelog
 private-bin 7z,7za,7zr,ar,arj,atool,bash,brotli,bsdtar,bzip2,compress,cp,cpio,dpkg-deb,file-roller,gtar,gzip,isoinfo,lha,lrzip,lsar,lz4,lzip,lzma,lzop,mv,p7zip,rar,rm,rzip,sh,tar,unace,unalz,unar,uncompress,unrar,unsquashfs,unstuff,unzip,unzstd,xz,xzdec,zip,zoo,zstd
 private-cache
 private-dev
-private-etc dconf,fonts,gtk-3.0,xdg
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,xdg
 # private-tmp
 
 dbus-system none
diff --git a/etc/profile-a-l/file.profile b/etc/profile-a-l/file.profile
index 5c7583605..397120a0b 100644
--- a/etc/profile-a-l/file.profile
+++ b/etc/profile-a-l/file.profile
@@ -11,7 +11,6 @@ blacklist ${RUNUSER}
 
 include disable-common.inc
 include disable-exec.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 apparmor
diff --git a/etc/profile-a-l/firefox-common-addons.profile b/etc/profile-a-l/firefox-common-addons.profile
index d282f9a60..b2b7c362a 100644
--- a/etc/profile-a-l/firefox-common-addons.profile
+++ b/etc/profile-a-l/firefox-common-addons.profile
@@ -2,6 +2,7 @@
 # Persistent customizations should go in a .local file.
 include firefox-common-addons.local
 
+ignore whitelist ${RUNUSER}/*firefox*
 ignore include whitelist-runuser-common.inc
 ignore private-cache
 
diff --git a/etc/profile-a-l/firefox-common.profile b/etc/profile-a-l/firefox-common.profile
index b0ead7590..373f41ffe 100644
--- a/etc/profile-a-l/firefox-common.profile
+++ b/etc/profile-a-l/firefox-common.profile
@@ -12,21 +12,23 @@ include firefox-common.local
 # Add the next line to your firefox-common.local to allow access to common programs/addons/plugins.
 #include firefox-common-addons.profile
 
-noblacklist ${HOME}/.pki
 noblacklist ${HOME}/.local/share/pki
+noblacklist ${HOME}/.pki
 
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
+include disable-proc.inc
 include disable-programs.inc
 
-mkdir ${HOME}/.pki
 mkdir ${HOME}/.local/share/pki
+mkdir ${HOME}/.pki
 whitelist ${DOWNLOADS}
-whitelist ${HOME}/.pki
 whitelist ${HOME}/.local/share/pki
+whitelist ${HOME}/.pki
 include whitelist-common.inc
+include whitelist-run-common.inc
 include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
@@ -37,6 +39,7 @@ caps.drop all
 netfilter
 nodvd
 nogroups
+noinput
 nonewprivs
 # noroot breaks GTK_USE_PORTAL=1 usage, see https://github.com/netblue30/firejail/issues/2506.
 noroot
@@ -56,6 +59,10 @@ disable-mnt
 #private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 private-tmp
 
+blacklist ${PATH}/curl
+blacklist ${PATH}/wget
+blacklist ${PATH}/wget2
+
 # 'dbus-user none' breaks various desktop integration features like global menus, native notifications,
 # Gnome connector, KDE connect and power management on KDE Plasma.
 dbus-user none
diff --git a/etc/profile-a-l/firefox-developer-edition.profile b/etc/profile-a-l/firefox-developer-edition.profile
index 8c7ca3887..3a9b8cf92 100644
--- a/etc/profile-a-l/firefox-developer-edition.profile
+++ b/etc/profile-a-l/firefox-developer-edition.profile
@@ -7,5 +7,9 @@ include firefox-developer-edition.local
 # added by included profile
 #include globals.local
 
+# Edition-specific DBus filters
+dbus-user.own org.mozilla.FirefoxDeveloperEdition.*
+dbus-user.own org.mozilla.firefoxdeveloperedition.*
+
 # Redirect
 include firefox.profile
diff --git a/etc/profile-a-l/firefox.profile b/etc/profile-a-l/firefox.profile
index b22a78458..9138fed90 100644
--- a/etc/profile-a-l/firefox.profile
+++ b/etc/profile-a-l/firefox.profile
@@ -16,6 +16,9 @@ include globals.local
 
 noblacklist ${HOME}/.cache/mozilla
 noblacklist ${HOME}/.mozilla
+noblacklist ${RUNUSER}/*firefox*
+
+blacklist /usr/libexec
 
 mkdir ${HOME}/.cache/mozilla/firefox
 mkdir ${HOME}/.mozilla
@@ -33,6 +36,7 @@ whitelist /usr/share/gnome-shell/search-providers/firefox-search-provider.ini
 whitelist /usr/share/gtk-doc/html
 whitelist /usr/share/mozilla
 whitelist /usr/share/webext
+whitelist ${RUNUSER}/*firefox*
 include whitelist-usr-share-common.inc
 
 # firefox requires a shell to launch on Arch - add the next line to your firefox.local to enable private-bin.
@@ -54,9 +58,8 @@ dbus-user.own org.mpris.MediaPlayer2.firefox.*
 #dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration
 #dbus-user.talk org.kde.JobViewServer
 #dbus-user.talk org.kde.kuiserver
-# Add the next two lines to your firefox.local to allow screen sharing under wayland.
-#whitelist ${RUNUSER}/pipewire-0
-#dbus-user.talk org.freedesktop.portal.*
+# Add the next line to your firefox.local to allow screen sharing under wayland.
+#dbus-user.talk org.freedesktop.portal.Desktop
 # Add the next line to your firefox.local if screen sharing sharing still does not work
 # with the above lines (might depend on the portal implementation).
 #ignore noroot
diff --git a/etc/profile-a-l/flameshot.profile b/etc/profile-a-l/flameshot.profile
index 55af96c84..f80297022 100644
--- a/etc/profile-a-l/flameshot.profile
+++ b/etc/profile-a-l/flameshot.profile
@@ -15,7 +15,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -53,7 +52,7 @@ tracelog
 disable-mnt
 private-bin flameshot
 private-cache
-private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.conf,machine-id,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.preload,machine-id,pki,resolv.conf,ssl
 private-dev
 #private-tmp
 
@@ -64,6 +63,6 @@ dbus-user.talk org.freedesktop.Notifications
 dbus-user.talk org.freedesktop.portal.Desktop
 dbus-user.talk org.gnome.Shell
 dbus-user.talk org.kde.KWin
-dbus-user.talk org.kde.StatusNotifierWatcher
-dbus-user.own org.kde.*
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
+?ALLOW_TRAY: dbus-user.own org.kde.*
 dbus-system none
diff --git a/etc/profile-a-l/flashpeak-slimjet.profile b/etc/profile-a-l/flashpeak-slimjet.profile
index 310fb378f..317a20bb7 100644
--- a/etc/profile-a-l/flashpeak-slimjet.profile
+++ b/etc/profile-a-l/flashpeak-slimjet.profile
@@ -6,7 +6,6 @@ include flashpeak-slimjet.local
 include globals.local
 
 # Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
-ignore whitelist /usr/share/chromium
 ignore include whitelist-runuser-common.inc
 ignore include whitelist-usr-share-common.inc
 
diff --git a/etc/profile-a-l/flowblade.profile b/etc/profile-a-l/flowblade.profile
index a4421e3ce..bc173d0f1 100644
--- a/etc/profile-a-l/flowblade.profile
+++ b/etc/profile-a-l/flowblade.profile
@@ -17,7 +17,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 caps.drop all
diff --git a/etc/profile-a-l/font-manager.profile b/etc/profile-a-l/font-manager.profile
index cd0129436..02db368b7 100644
--- a/etc/profile-a-l/font-manager.profile
+++ b/etc/profile-a-l/font-manager.profile
@@ -17,7 +17,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
diff --git a/etc/profile-a-l/fontforge.profile b/etc/profile-a-l/fontforge.profile
index bd1495877..6020464b3 100644
--- a/etc/profile-a-l/fontforge.profile
+++ b/etc/profile-a-l/fontforge.profile
@@ -17,7 +17,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-a-l/fractal.profile b/etc/profile-a-l/fractal.profile
index 1b1d031b4..265eec1ca 100644
--- a/etc/profile-a-l/fractal.profile
+++ b/etc/profile-a-l/fractal.profile
@@ -16,7 +16,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
diff --git a/etc/profile-a-l/franz.profile b/etc/profile-a-l/franz.profile
index 9b780a572..b16c90caf 100644
--- a/etc/profile-a-l/franz.profile
+++ b/etc/profile-a-l/franz.profile
@@ -9,8 +9,8 @@ ignore noexec /tmp
 
 noblacklist ${HOME}/.cache/Franz
 noblacklist ${HOME}/.config/Franz
-noblacklist ${HOME}/.pki
 noblacklist ${HOME}/.local/share/pki
+noblacklist ${HOME}/.pki
 
 include disable-common.inc
 include disable-devel.inc
@@ -20,13 +20,13 @@ include disable-programs.inc
 
 mkdir ${HOME}/.cache/Franz
 mkdir ${HOME}/.config/Franz
-mkdir ${HOME}/.pki
 mkdir ${HOME}/.local/share/pki
+mkdir ${HOME}/.pki
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/Franz
 whitelist ${HOME}/.config/Franz
-whitelist ${HOME}/.pki
 whitelist ${HOME}/.local/share/pki
+whitelist ${HOME}/.pki
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/profile-a-l/freecad.profile b/etc/profile-a-l/freecad.profile
index 8043d0530..827dc8be9 100644
--- a/etc/profile-a-l/freecad.profile
+++ b/etc/profile-a-l/freecad.profile
@@ -17,7 +17,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-a-l/freeciv.profile b/etc/profile-a-l/freeciv.profile
index 23c19682c..5126e2d37 100644
--- a/etc/profile-a-l/freeciv.profile
+++ b/etc/profile-a-l/freeciv.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-a-l/freecol.profile b/etc/profile-a-l/freecol.profile
index 93fa7da03..4467b5869 100644
--- a/etc/profile-a-l/freecol.profile
+++ b/etc/profile-a-l/freecol.profile
@@ -18,7 +18,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-a-l/freemind.profile b/etc/profile-a-l/freemind.profile
index 699177039..fbe3d45e3 100644
--- a/etc/profile-a-l/freemind.profile
+++ b/etc/profile-a-l/freemind.profile
@@ -16,7 +16,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-a-l/freetube.profile b/etc/profile-a-l/freetube.profile
index e6aff533d..cb00ce11b 100644
--- a/etc/profile-a-l/freetube.profile
+++ b/etc/profile-a-l/freetube.profile
@@ -8,13 +8,15 @@ include globals.local
 
 noblacklist ${HOME}/.config/FreeTube
 
+include allow-bin-sh.inc
+
 include disable-shell.inc
 
 mkdir ${HOME}/.config/FreeTube
 whitelist ${HOME}/.config/FreeTube
 
-private-bin freetube
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg
+private-bin electron,electron[0-9],electron[0-9][0-9],freetube,sh
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg
 
 # Redirect
 include electron.profile
diff --git a/etc/profile-a-l/frogatto.profile b/etc/profile-a-l/frogatto.profile
index fa56d2b2d..8419998de 100644
--- a/etc/profile-a-l/frogatto.profile
+++ b/etc/profile-a-l/frogatto.profile
@@ -12,12 +12,12 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.frogatto
 whitelist ${HOME}/.frogatto
+whitelist /usr/libexec/frogatto
 whitelist /usr/share/frogatto
 include whitelist-common.inc
 include whitelist-runuser-common.inc
@@ -45,7 +45,7 @@ disable-mnt
 private-bin frogatto,sh
 private-cache
 private-dev
-private-etc machine-id
+private-etc alternatives,ld.so.cache,ld.so.preload,machine-id
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/frozen-bubble.profile b/etc/profile-a-l/frozen-bubble.profile
index 76352e41e..88943760a 100644
--- a/etc/profile-a-l/frozen-bubble.profile
+++ b/etc/profile-a-l/frozen-bubble.profile
@@ -15,7 +15,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
@@ -31,7 +30,6 @@ caps.drop all
 net none
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/profile-a-l/ftp.profile b/etc/profile-a-l/ftp.profile
new file mode 100644
index 000000000..29470360c
--- /dev/null
+++ b/etc/profile-a-l/ftp.profile
@@ -0,0 +1,54 @@
+# Firejail profile for ftp
+# Description: standard File Access Protocol utility
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include ftp.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${PATH}/ftp
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+#include disable-shell.inc
+include disable-write-mnt.inc
+include disable-X11.inc
+include disable-xdg.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol inet,inet6
+seccomp
+shell none
+tracelog
+
+#disable-mnt
+#private-bin PROGRAMS
+private-cache
+private-dev
+#private-etc FILES
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+noexec ${HOME}
diff --git a/etc/profile-a-l/funnyboat.profile b/etc/profile-a-l/funnyboat.profile
new file mode 100644
index 000000000..4a08fca9b
--- /dev/null
+++ b/etc/profile-a-l/funnyboat.profile
@@ -0,0 +1,55 @@
+# Firejail profile for funnyboat
+# This file is overwritten after every install/update
+# Persistent local customizations
+include funnyboat.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.funnyboat
+
+ignore noexec /dev/shm
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+# include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.funnyboat
+whitelist ${HOME}/.funnyboat
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+whitelist /usr/share/funnyboat
+# Debian:
+whitelist /usr/share/games/funnyboat
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+# tracelog
+
+disable-mnt
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-a-l/gajim.profile b/etc/profile-a-l/gajim.profile
index ed3f0357d..6d764a0f9 100644
--- a/etc/profile-a-l/gajim.profile
+++ b/etc/profile-a-l/gajim.profile
@@ -19,7 +19,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 # Add 'ignore include disable-xdg.inc' to your gajim.local if you need to whitelist folders other than ~/Downloads.
 include disable-xdg.inc
@@ -60,7 +59,7 @@ disable-mnt
 private-bin bash,gajim,gajim-history-manager,gpg,gpg2,paplay,python*,sh,zsh
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,hostname,hosts,ld.so.cache,ld.so.conf,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl,xdg
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.preload,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl,xdg
 private-tmp
 writable-run-user
 
diff --git a/etc/profile-a-l/galculator.profile b/etc/profile-a-l/galculator.profile
index 550b3808b..4efe41f8d 100644
--- a/etc/profile-a-l/galculator.profile
+++ b/etc/profile-a-l/galculator.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -44,7 +43,7 @@ tracelog
 private-bin galculator
 private-cache
 private-dev
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 private-lib
 private-tmp
 
diff --git a/etc/profile-a-l/gallery-dl.profile b/etc/profile-a-l/gallery-dl.profile
new file mode 100644
index 000000000..2947873ef
--- /dev/null
+++ b/etc/profile-a-l/gallery-dl.profile
@@ -0,0 +1,18 @@
+# Firejail profile for gallery-dl
+# Description: Downloader of images from various sites
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include gallery-dl.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.config/gallery-dl
+noblacklist ${HOME}/.gallery-dl.conf
+
+private-bin gallery-dl
+private-etc alternatives,gallery-dl.conf,ld.so.cache,ld.so.preload
+
+# Redirect
+include youtube-dl.profile
diff --git a/etc/profile-a-l/gapplication.profile b/etc/profile-a-l/gapplication.profile
index f2da60c87..ec5b733c8 100644
--- a/etc/profile-a-l/gapplication.profile
+++ b/etc/profile-a-l/gapplication.profile
@@ -7,12 +7,12 @@ include gapplication.local
 include globals.local
 
 blacklist ${RUNUSER}/wayland-*
+blacklist /usr/libexec
 
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -49,7 +49,7 @@ private
 private-bin gapplication
 private-cache
 private-dev
-private-etc none
+private-etc alternatives,ld.so.cache,ld.so.preload
 private-tmp
 
 # Add the next line to your gapplication.local to filter D-Bus names.
diff --git a/etc/profile-a-l/gcloud.profile b/etc/profile-a-l/gcloud.profile
index 388f4c0df..297e5d345 100644
--- a/etc/profile-a-l/gcloud.profile
+++ b/etc/profile-a-l/gcloud.profile
@@ -36,7 +36,7 @@ tracelog
 
 disable-mnt
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,hosts,ld.so.cache,localtime,nsswitch.conf,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,hosts,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,pki,resolv.conf,ssl
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/gconf-editor.profile b/etc/profile-a-l/gconf-editor.profile
index cb39174e5..67eddd2e5 100644
--- a/etc/profile-a-l/gconf-editor.profile
+++ b/etc/profile-a-l/gconf-editor.profile
@@ -13,5 +13,7 @@ whitelist /usr/share/gconf-editor
 
 ignore x11 none
 
+ignore memory-deny-write-execute
+
 # Redirect
 include gconf.profile
diff --git a/etc/profile-a-l/gconf.profile b/etc/profile-a-l/gconf.profile
index fec1a555a..a45374d4e 100644
--- a/etc/profile-a-l/gconf.profile
+++ b/etc/profile-a-l/gconf.profile
@@ -18,7 +18,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
@@ -55,7 +54,7 @@ disable-mnt
 private-bin gconf-editor,gconf-merge-*,gconfpkg,gconftool-2,gsettings-*-convert,python2*
 private-cache
 private-dev
-private-etc alternatives,fonts,gconf
+private-etc alternatives,fonts,gconf,ld.so.cache,ld.so.preload
 private-lib GConf,libpython*,python2*
 private-tmp
 
diff --git a/etc/profile-a-l/geany.profile b/etc/profile-a-l/geany.profile
index 6fdb9b37a..f244cb526 100644
--- a/etc/profile-a-l/geany.profile
+++ b/etc/profile-a-l/geany.profile
@@ -12,7 +12,6 @@ noblacklist ${HOME}/.config/geany
 include allow-common-devel.inc
 
 include disable-common.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 caps.drop all
diff --git a/etc/profile-a-l/geary.profile b/etc/profile-a-l/geary.profile
index 74e135a7c..221fbff01 100644
--- a/etc/profile-a-l/geary.profile
+++ b/etc/profile-a-l/geary.profile
@@ -13,13 +13,16 @@ noblacklist ${HOME}/.config/evolution
 noblacklist ${HOME}/.config/geary
 noblacklist ${HOME}/.local/share/evolution
 noblacklist ${HOME}/.local/share/geary
+noblacklist ${HOME}/.local/share/pki
 noblacklist ${HOME}/.mozilla
+noblacklist ${HOME}/.pki
+
+include allow-bin-sh.inc
 
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -39,7 +42,9 @@ whitelist ${HOME}/.config/evolution
 whitelist ${HOME}/.config/geary
 whitelist ${HOME}/.local/share/evolution
 whitelist ${HOME}/.local/share/geary
+whitelist ${HOME}/.local/share/pki
 whitelist ${HOME}/.mozilla/firefox/profiles.ini
+whitelist ${HOME}/.pki
 whitelist /usr/share/geary
 include whitelist-common.inc
 include whitelist-runuser-common.inc
@@ -48,7 +53,8 @@ include whitelist-var-common.inc
 
 apparmor
 caps.drop all
-machine-id
+#ipc-namespace - may cause issues with X11
+#machine-id
 netfilter
 no3d
 nodvd
@@ -56,7 +62,7 @@ nogroups
 noinput
 nonewprivs
 noroot
-nosound
+#nosound
 notv
 nou2f
 novideo
@@ -67,21 +73,22 @@ shell none
 tracelog
 
 # disable-mnt
-# Add 'ignore private-bin' to geary.local for hyperlink support
-private-bin geary
+#private-bin geary,sh
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,pki,resolv.conf,ssl,xdg
+private-etc alternatives,ca-certificates,crypto-policies,fonts,group,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,mailcap,mime.types,nsswitch.conf,passwd,pki,resolv.conf,ssl,xdg
 private-tmp
 
 dbus-user filter
 dbus-user.own org.gnome.Geary
 dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.freedesktop.Notifications
 dbus-user.talk org.freedesktop.secrets
 dbus-user.talk org.gnome.Contacts
 dbus-user.talk org.gnome.OnlineAccounts
 dbus-user.talk org.gnome.evolution.dataserver.AddressBook10
 dbus-user.talk org.gnome.evolution.dataserver.Sources5
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
 dbus-system none
 
 read-only ${HOME}/.mozilla/firefox/profiles.ini
diff --git a/etc/profile-a-l/gedit.profile b/etc/profile-a-l/gedit.profile
index 108b7041d..0726d17bd 100644
--- a/etc/profile-a-l/gedit.profile
+++ b/etc/profile-a-l/gedit.profile
@@ -16,7 +16,6 @@ include disable-common.inc
 # include disable-devel.inc
 include disable-exec.inc
 # include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 include whitelist-runuser-common.inc
diff --git a/etc/profile-a-l/geekbench.profile b/etc/profile-a-l/geekbench.profile
index e0aadff24..243b893b9 100644
--- a/etc/profile-a-l/geekbench.profile
+++ b/etc/profile-a-l/geekbench.profile
@@ -6,14 +6,19 @@ include geekbench.local
 # Persistent global definitions
 include globals.local
 
+noblacklist ${HOME}/.geekbench5
+noblacklist /sbin
+noblacklist /usr/sbin
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+mkdir ${HOME}/.geekbench5
+whitelist ${HOME}/.geekbench5
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -40,16 +45,14 @@ shell none
 tracelog
 
 disable-mnt
-private-bin bash,geekbenc*,sh
+#private-bin bash,geekbench*,sh -- #4576
 private-cache
 private-dev
-private-etc alternatives,group,lsb-release,passwd
-private-lib gcc/*/*/libstdc++.so.*
-private-opt none
+private-etc alternatives,group,ld.so.cache,ld.so.preload,lsb-release,passwd
 private-tmp
 
 dbus-user none
 dbus-system none
 
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
 read-only ${HOME}
+read-write ${HOME}/.geekbench5
diff --git a/etc/profile-a-l/geeqie.profile b/etc/profile-a-l/geeqie.profile
index dd33b3fb5..b79a82c83 100644
--- a/etc/profile-a-l/geeqie.profile
+++ b/etc/profile-a-l/geeqie.profile
@@ -13,7 +13,6 @@ noblacklist ${HOME}/.local/share/geeqie
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 caps.drop all
@@ -26,7 +25,8 @@ nosound
 notv
 nou2f
 novideo
-protocol unix
+# remove inet,inet6 to disable network access
+protocol unix,inet,inet6
 seccomp
 shell none
 
diff --git a/etc/profile-a-l/gfeeds.profile b/etc/profile-a-l/gfeeds.profile
index 7ec8ba810..388f6496d 100644
--- a/etc/profile-a-l/gfeeds.profile
+++ b/etc/profile-a-l/gfeeds.profile
@@ -18,7 +18,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -31,6 +30,7 @@ whitelist ${HOME}/.cache/gfeeds
 whitelist ${HOME}/.cache/org.gabmus.gfeeds
 whitelist ${HOME}/.config/org.gabmus.gfeeds.json
 whitelist ${HOME}/.config/org.gabmus.gfeeds.saved_articles
+whitelist /usr/libexec/webkit2gtk-4.0
 whitelist /usr/share/gfeeds
 include whitelist-common.inc
 include whitelist-runuser-common.inc
diff --git a/etc/profile-a-l/gget.profile b/etc/profile-a-l/gget.profile
index d9c5a0d9a..bc1199914 100644
--- a/etc/profile-a-l/gget.profile
+++ b/etc/profile-a-l/gget.profile
@@ -14,7 +14,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -50,7 +49,7 @@ disable-mnt
 private-bin gget
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl
 private-lib
 private-tmp
 
diff --git a/etc/profile-a-l/ghostwriter.profile b/etc/profile-a-l/ghostwriter.profile
index 276ab76df..3dfdc0184 100644
--- a/etc/profile-a-l/ghostwriter.profile
+++ b/etc/profile-a-l/ghostwriter.profile
@@ -17,7 +17,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
diff --git a/etc/profile-a-l/gimp.profile b/etc/profile-a-l/gimp.profile
index dfc1304d1..28070cb9c 100644
--- a/etc/profile-a-l/gimp.profile
+++ b/etc/profile-a-l/gimp.profile
@@ -13,7 +13,6 @@ include globals.local
 #ignore net
 #protocol unix,inet,inet6
 
-
 # gimp plugins are installed by the user in ${HOME}/.gimp-2.8/plug-ins/ directory
 # If you are not using external plugins, you can add 'noexec ${HOME}' to your gimp.local.
 ignore noexec ${HOME}
@@ -26,10 +25,13 @@ noblacklist ${HOME}/.gimp*
 noblacklist ${DOCUMENTS}
 noblacklist ${PICTURES}
 
+# See issue #4367, gimp 2.10.22-3: gegl:introspect broken
+noblacklist /sbin
+noblacklist /usr/sbin
+
 include disable-common.inc
 include disable-exec.inc
 include disable-devel.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
@@ -37,6 +39,7 @@ whitelist /usr/share/gegl-0.4
 whitelist /usr/share/gimp
 whitelist /usr/share/mypaint-data
 whitelist /usr/share/lensfun
+include whitelist-run-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/gist.profile b/etc/profile-a-l/gist.profile
index 661c3a375..506ab7127 100644
--- a/etc/profile-a-l/gist.profile
+++ b/etc/profile-a-l/gist.profile
@@ -19,7 +19,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
@@ -53,7 +52,7 @@ tracelog
 disable-mnt
 private-cache
 private-dev
-private-etc alternatives
+private-etc alternatives,ld.so.cache,ld.so.preload
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/git-cola.profile b/etc/profile-a-l/git-cola.profile
index 5e4249376..6439c8821 100644
--- a/etc/profile-a-l/git-cola.profile
+++ b/etc/profile-a-l/git-cola.profile
@@ -28,7 +28,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
@@ -71,7 +70,7 @@ tracelog
 private-bin basename,bash,cola,envsubst,gettext,git,git-cola,git-dag,git-gui,gitk,gpg,gpg-agent,nano,ps,python*,sh,ssh,ssh-agent,tclsh,tr,wc,which,xed
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gitconfig,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,localtime,login.defs,machine-id,mime.types,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssh,ssl,X11,xdg
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gitconfig,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,login.defs,machine-id,mime.types,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssh,ssl,X11,xdg
 private-tmp
 writable-run-user
 
diff --git a/etc/profile-a-l/git.profile b/etc/profile-a-l/git.profile
index bfa0081c6..b0318e4a3 100644
--- a/etc/profile-a-l/git.profile
+++ b/etc/profile-a-l/git.profile
@@ -26,7 +26,6 @@ blacklist ${RUNUSER}/wayland-*
 
 include disable-common.inc
 include disable-exec.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 whitelist /usr/share/git
diff --git a/etc/profile-a-l/gitg.profile b/etc/profile-a-l/gitg.profile
index 05d7dffa9..314b797c0 100644
--- a/etc/profile-a-l/gitg.profile
+++ b/etc/profile-a-l/gitg.profile
@@ -18,7 +18,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 #whitelist ${HOME}/YOUR_GIT_PROJECTS_DIRECTORY
diff --git a/etc/profile-a-l/github-desktop.profile b/etc/profile-a-l/github-desktop.profile
index 325c54ced..943a3c8c3 100644
--- a/etc/profile-a-l/github-desktop.profile
+++ b/etc/profile-a-l/github-desktop.profile
@@ -14,6 +14,8 @@ include globals.local
 # Disabled until someone reported positive feedback
 ignore include disable-xdg.inc
 ignore whitelist ${DOWNLOADS}
+ignore whitelist ${HOME}/.config/Electron
+ignore whitelist ${HOME}/.config/electron-flag*.conf
 ignore include whitelist-common.inc
 ignore include whitelist-runuser-common.inc
 ignore include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/gitter.profile b/etc/profile-a-l/gitter.profile
index 460e2b990..16358d064 100644
--- a/etc/profile-a-l/gitter.profile
+++ b/etc/profile-a-l/gitter.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 mkdir ${HOME}/.config/Gitter
@@ -38,7 +37,7 @@ shell none
 
 disable-mnt
 private-bin bash,env,gitter
-private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,pulse,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,pki,pulse,resolv.conf,ssl
 private-opt Gitter
 private-dev
 private-tmp
diff --git a/etc/profile-a-l/gjs.profile b/etc/profile-a-l/gjs.profile
index ed68b3c2d..a52272852 100644
--- a/etc/profile-a-l/gjs.profile
+++ b/etc/profile-a-l/gjs.profile
@@ -19,7 +19,6 @@ include allow-gjs.inc
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 include whitelist-runuser-common.inc
diff --git a/etc/profile-a-l/gl-117.profile b/etc/profile-a-l/gl-117.profile
index c8cefc67e..edb85048b 100644
--- a/etc/profile-a-l/gl-117.profile
+++ b/etc/profile-a-l/gl-117.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -30,7 +29,6 @@ caps.drop all
 net none
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/profile-a-l/glaxium.profile b/etc/profile-a-l/glaxium.profile
index ee7af0546..b5f98b411 100644
--- a/etc/profile-a-l/glaxium.profile
+++ b/etc/profile-a-l/glaxium.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -30,7 +29,6 @@ caps.drop all
 net none
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/profile-a-l/globaltime.profile b/etc/profile-a-l/globaltime.profile
index 14b3ef811..d07f0ace4 100644
--- a/etc/profile-a-l/globaltime.profile
+++ b/etc/profile-a-l/globaltime.profile
@@ -11,7 +11,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-a-l/gmpc.profile b/etc/profile-a-l/gmpc.profile
index b3aad8b2c..e53297c06 100644
--- a/etc/profile-a-l/gmpc.profile
+++ b/etc/profile-a-l/gmpc.profile
@@ -13,7 +13,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
@@ -45,7 +44,7 @@ tracelog
 disable-mnt
 #private-bin gmpc
 private-cache
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 private-tmp
 writable-run-user
 
diff --git a/etc/profile-a-l/gnome-books.profile b/etc/profile-a-l/gnome-books.profile
index 34a7f557c..5b7eaa78d 100644
--- a/etc/profile-a-l/gnome-books.profile
+++ b/etc/profile-a-l/gnome-books.profile
@@ -17,7 +17,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-a-l/gnome-builder.profile b/etc/profile-a-l/gnome-builder.profile
index 37ca5aeff..9fe9ed6ba 100644
--- a/etc/profile-a-l/gnome-builder.profile
+++ b/etc/profile-a-l/gnome-builder.profile
@@ -16,7 +16,6 @@ noblacklist ${HOME}/.local/share/gnome-builder
 include allow-common-devel.inc
 
 include disable-common.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 include whitelist-runuser-common.inc
diff --git a/etc/profile-a-l/gnome-calculator.profile b/etc/profile-a-l/gnome-calculator.profile
index 4c465cc49..ac130da21 100644
--- a/etc/profile-a-l/gnome-calculator.profile
+++ b/etc/profile-a-l/gnome-calculator.profile
@@ -10,7 +10,6 @@ include globals.local
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
-include disable-passwdmgr.inc
 include disable-interpreters.inc
 include disable-programs.inc
 include disable-shell.inc
diff --git a/etc/profile-a-l/gnome-calendar.profile b/etc/profile-a-l/gnome-calendar.profile
index eaf25b177..f9df83e2a 100644
--- a/etc/profile-a-l/gnome-calendar.profile
+++ b/etc/profile-a-l/gnome-calendar.profile
@@ -10,7 +10,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -46,7 +45,7 @@ private
 private-bin gnome-calendar
 private-cache
 private-dev
-private-etc ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,nsswitch.conf,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,pki,resolv.conf,ssl
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-a-l/gnome-characters.profile b/etc/profile-a-l/gnome-characters.profile
index 741fe9bf7..aaa1e3f5a 100644
--- a/etc/profile-a-l/gnome-characters.profile
+++ b/etc/profile-a-l/gnome-characters.profile
@@ -13,7 +13,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
diff --git a/etc/profile-a-l/gnome-chess.profile b/etc/profile-a-l/gnome-chess.profile
index bd39f625c..dc9092a93 100644
--- a/etc/profile-a-l/gnome-chess.profile
+++ b/etc/profile-a-l/gnome-chess.profile
@@ -13,7 +13,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -51,5 +50,5 @@ disable-mnt
 private-bin fairymax,gnome-chess,gnuchess,hoichess
 private-cache
 private-dev
-private-etc alternatives,dconf,fonts,gnome-chess,gtk-3.0
+private-etc alternatives,dconf,fonts,gnome-chess,gtk-3.0,ld.so.cache,ld.so.preload
 private-tmp
diff --git a/etc/profile-a-l/gnome-clocks.profile b/etc/profile-a-l/gnome-clocks.profile
index 1e7c70b84..90665add6 100644
--- a/etc/profile-a-l/gnome-clocks.profile
+++ b/etc/profile-a-l/gnome-clocks.profile
@@ -10,7 +10,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -43,6 +42,6 @@ disable-mnt
 private-bin gnome-clocks,gsound-play
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,hosts,localtime,machine-id,pkcs11,pki,ssl
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,pkcs11,pki,ssl
 private-tmp
 
diff --git a/etc/profile-a-l/gnome-contacts.profile b/etc/profile-a-l/gnome-contacts.profile
index dcc6163b6..f96f750dd 100644
--- a/etc/profile-a-l/gnome-contacts.profile
+++ b/etc/profile-a-l/gnome-contacts.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-a-l/gnome-documents.profile b/etc/profile-a-l/gnome-documents.profile
index 29ad67af8..0ed3c7541 100644
--- a/etc/profile-a-l/gnome-documents.profile
+++ b/etc/profile-a-l/gnome-documents.profile
@@ -18,7 +18,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-a-l/gnome-font-viewer.profile b/etc/profile-a-l/gnome-font-viewer.profile
index aa0844b8b..294729152 100644
--- a/etc/profile-a-l/gnome-font-viewer.profile
+++ b/etc/profile-a-l/gnome-font-viewer.profile
@@ -11,7 +11,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-a-l/gnome-hexgl.profile b/etc/profile-a-l/gnome-hexgl.profile
index 2db956faf..ab6279608 100644
--- a/etc/profile-a-l/gnome-hexgl.profile
+++ b/etc/profile-a-l/gnome-hexgl.profile
@@ -10,7 +10,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -43,7 +42,7 @@ private
 private-bin gnome-hexgl
 private-cache
 private-dev
-private-etc alsa,asound.conf,machine-id,pulse
+private-etc alsa,alternatives,asound.conf,ld.so.cache,ld.so.preload,machine-id,pulse
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/gnome-keyring.profile b/etc/profile-a-l/gnome-keyring.profile
index 25b4c47de..b74325102 100644
--- a/etc/profile-a-l/gnome-keyring.profile
+++ b/etc/profile-a-l/gnome-keyring.profile
@@ -12,7 +12,6 @@ noblacklist ${HOME}/.gnupg
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
-include disable-passwdmgr.inc
 include disable-interpreters.inc
 include disable-programs.inc
 include disable-xdg.inc
diff --git a/etc/profile-a-l/gnome-latex.profile b/etc/profile-a-l/gnome-latex.profile
index 1a7eafeca..39a6718a6 100644
--- a/etc/profile-a-l/gnome-latex.profile
+++ b/etc/profile-a-l/gnome-latex.profile
@@ -16,7 +16,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 whitelist /usr/share/gnome-latex
@@ -49,6 +48,6 @@ tracelog
 private-cache
 private-dev
 # passwd,login.defs,firejail are a temporary workaround for #2877 and can be removed once it is fixed
-private-etc alternatives,dconf,fonts,gtk-3.0,latexmk.conf,login.defs,passwd,texlive
+private-etc alternatives,dconf,fonts,gtk-3.0,latexmk.conf,ld.so.cache,ld.so.preload,login.defs,passwd,texlive
 
 dbus-system none
diff --git a/etc/profile-a-l/gnome-logs.profile b/etc/profile-a-l/gnome-logs.profile
index 9d2ea7b7b..7ee4d8b75 100644
--- a/etc/profile-a-l/gnome-logs.profile
+++ b/etc/profile-a-l/gnome-logs.profile
@@ -10,7 +10,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -41,7 +40,7 @@ disable-mnt
 private-bin gnome-logs
 private-cache
 private-dev
-private-etc alternatives,fonts,localtime,machine-id
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,localtime,machine-id
 private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*
 private-tmp
 writable-var-log
diff --git a/etc/profile-a-l/gnome-maps.profile b/etc/profile-a-l/gnome-maps.profile
index cf2ac2f75..7732117ac 100644
--- a/etc/profile-a-l/gnome-maps.profile
+++ b/etc/profile-a-l/gnome-maps.profile
@@ -18,11 +18,12 @@ noblacklist ${HOME}/.local/share/maps-places.json
 # Allow gjs (blacklisted by disable-interpreters.inc)
 include allow-gjs.inc
 
+blacklist /usr/libexec
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
diff --git a/etc/profile-a-l/gnome-mplayer.profile b/etc/profile-a-l/gnome-mplayer.profile
index 43fe71f5e..f8f40ea54 100644
--- a/etc/profile-a-l/gnome-mplayer.profile
+++ b/etc/profile-a-l/gnome-mplayer.profile
@@ -14,7 +14,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-a-l/gnome-music.profile b/etc/profile-a-l/gnome-music.profile
index 2fcbe9910..7b79fa15d 100644
--- a/etc/profile-a-l/gnome-music.profile
+++ b/etc/profile-a-l/gnome-music.profile
@@ -17,7 +17,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
@@ -43,6 +42,6 @@ tracelog
 # private-bin calls a file manager - whatever is installed!
 #private-bin env,gio-launch-desktop,gnome-music,python*,yelp
 private-dev
-private-etc alternatives,asound.conf,dconf,fonts,fonts,gtk-3.0,machine-id,pulse,selinux,xdg
+private-etc alternatives,asound.conf,dconf,fonts,fonts,gtk-3.0,ld.so.cache,ld.so.preload,machine-id,pulse,selinux,xdg
 private-tmp
 
diff --git a/etc/profile-a-l/gnome-nettool.profile b/etc/profile-a-l/gnome-nettool.profile
index 814751db3..abf3dd759 100644
--- a/etc/profile-a-l/gnome-nettool.profile
+++ b/etc/profile-a-l/gnome-nettool.profile
@@ -10,7 +10,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-a-l/gnome-passwordsafe.profile b/etc/profile-a-l/gnome-passwordsafe.profile
index 763d67b92..a96ec6f05 100644
--- a/etc/profile-a-l/gnome-passwordsafe.profile
+++ b/etc/profile-a-l/gnome-passwordsafe.profile
@@ -13,11 +13,12 @@ noblacklist ${HOME}/*.kdbx
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python3.inc
 
+blacklist /usr/libexec
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -52,7 +53,7 @@ disable-mnt
 private-bin gnome-passwordsafe,python3*
 private-cache
 private-dev
-private-etc dconf,fonts,gtk-3.0,passwd
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,passwd
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-a-l/gnome-photos.profile b/etc/profile-a-l/gnome-photos.profile
index 58bf3f349..4fd78eaab 100644
--- a/etc/profile-a-l/gnome-photos.profile
+++ b/etc/profile-a-l/gnome-photos.profile
@@ -14,7 +14,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 include whitelist-runuser-common.inc
diff --git a/etc/profile-a-l/gnome-pie.profile b/etc/profile-a-l/gnome-pie.profile
index 41903b136..6d30213cb 100644
--- a/etc/profile-a-l/gnome-pie.profile
+++ b/etc/profile-a-l/gnome-pie.profile
@@ -12,7 +12,6 @@ noblacklist ${HOME}/.config/gnome-pie
 include disable-devel.inc
 include disable-exec.inc
 #include disable-interpreters.inc
-include disable-passwdmgr.inc
 #include disable-programs.inc
 
 caps.drop all
@@ -35,7 +34,7 @@ shell none
 disable-mnt
 private-cache
 private-dev
-private-etc alternatives,fonts,machine-id
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id
 private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*
 private-tmp
 
diff --git a/etc/profile-a-l/gnome-pomodoro.profile b/etc/profile-a-l/gnome-pomodoro.profile
index c2ba7556d..99d569a04 100644
--- a/etc/profile-a-l/gnome-pomodoro.profile
+++ b/etc/profile-a-l/gnome-pomodoro.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
@@ -45,7 +44,7 @@ disable-mnt
 private-bin gnome-pomodoro
 private-cache
 private-dev
-private-etc dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-a-l/gnome-recipes.profile b/etc/profile-a-l/gnome-recipes.profile
index 48c98ebe0..b2ce4a92a 100644
--- a/etc/profile-a-l/gnome-recipes.profile
+++ b/etc/profile-a-l/gnome-recipes.profile
@@ -14,7 +14,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 
@@ -48,7 +47,7 @@ shell none
 disable-mnt
 private-bin gnome-recipes,tar
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,pki,ssl
 private-lib gdk-pixbuf-2.0,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,libgnutls.so.*,libjpeg.so.*,libp11-kit.so.*,libproxy.so.*,librsvg-2.so.*
 private-tmp
 
diff --git a/etc/profile-a-l/gnome-ring.profile b/etc/profile-a-l/gnome-ring.profile
index 78ceb9c4f..7ee01dec1 100644
--- a/etc/profile-a-l/gnome-ring.profile
+++ b/etc/profile-a-l/gnome-ring.profile
@@ -11,7 +11,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/gnome-schedule.profile b/etc/profile-a-l/gnome-schedule.profile
index 69c90b33d..8c3db651f 100644
--- a/etc/profile-a-l/gnome-schedule.profile
+++ b/etc/profile-a-l/gnome-schedule.profile
@@ -29,7 +29,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-a-l/gnome-screenshot.profile b/etc/profile-a-l/gnome-screenshot.profile
index b683b6f6c..36c6693a9 100644
--- a/etc/profile-a-l/gnome-screenshot.profile
+++ b/etc/profile-a-l/gnome-screenshot.profile
@@ -13,7 +13,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -43,7 +42,7 @@ tracelog
 disable-mnt
 private-bin gnome-screenshot
 private-dev
-private-etc dconf,fonts,gtk-3.0,localtime,machine-id
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,localtime,machine-id
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-a-l/gnome-sound-recorder.profile b/etc/profile-a-l/gnome-sound-recorder.profile
index 34f5fdeff..28a0205b9 100644
--- a/etc/profile-a-l/gnome-sound-recorder.profile
+++ b/etc/profile-a-l/gnome-sound-recorder.profile
@@ -16,7 +16,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
@@ -41,5 +40,5 @@ tracelog
 disable-mnt
 private-cache
 private-dev
-private-etc alsa,asound.conf,dconf,fonts,gtk-2.0,gtk-3.0,machine-id,openal,pango,pulse,xdg
+private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,machine-id,openal,pango,pulse,xdg
 private-tmp
diff --git a/etc/profile-a-l/gnome-system-log.profile b/etc/profile-a-l/gnome-system-log.profile
index 8a818695d..02b023855 100644
--- a/etc/profile-a-l/gnome-system-log.profile
+++ b/etc/profile-a-l/gnome-system-log.profile
@@ -10,7 +10,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -44,7 +43,7 @@ disable-mnt
 private-bin gnome-system-log
 private-cache
 private-dev
-private-etc alternatives,fonts,localtime,machine-id
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,localtime,machine-id
 private-lib
 private-tmp
 writable-var-log
diff --git a/etc/profile-a-l/gnome-todo.profile b/etc/profile-a-l/gnome-todo.profile
index 3b147cd48..c6cd12250 100644
--- a/etc/profile-a-l/gnome-todo.profile
+++ b/etc/profile-a-l/gnome-todo.profile
@@ -13,7 +13,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -47,7 +46,7 @@ disable-mnt
 private-bin gnome-todo
 private-cache
 private-dev
-private-etc dconf,fonts,gtk-3.0,localtime,passwd,xdg
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,localtime,passwd,xdg
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-a-l/gnome-twitch.profile b/etc/profile-a-l/gnome-twitch.profile
index b8ec195d3..aef6b0fdd 100644
--- a/etc/profile-a-l/gnome-twitch.profile
+++ b/etc/profile-a-l/gnome-twitch.profile
@@ -13,7 +13,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 mkdir ${HOME}/.cache/gnome-twitch
diff --git a/etc/profile-a-l/gnome-weather.profile b/etc/profile-a-l/gnome-weather.profile
index 2e08fa41d..5592879ec 100644
--- a/etc/profile-a-l/gnome-weather.profile
+++ b/etc/profile-a-l/gnome-weather.profile
@@ -17,7 +17,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-a-l/gnome_games-common.profile b/etc/profile-a-l/gnome_games-common.profile
index 5627842f5..9b4f68808 100644
--- a/etc/profile-a-l/gnome_games-common.profile
+++ b/etc/profile-a-l/gnome_games-common.profile
@@ -10,7 +10,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -42,7 +41,7 @@ tracelog
 disable-mnt
 private-cache
 private-dev
-private-etc dconf,fonts,gconf,gtk-2.0,gtk-3.0,machine-id,pango,passwd,X11
+private-etc alternatives,dconf,fonts,gconf,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,machine-id,pango,passwd,X11
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-a-l/gnote.profile b/etc/profile-a-l/gnote.profile
index c3014a288..928f2c548 100644
--- a/etc/profile-a-l/gnote.profile
+++ b/etc/profile-a-l/gnote.profile
@@ -13,7 +13,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -22,6 +21,7 @@ mkdir ${HOME}/.config/gnote
 mkdir ${HOME}/.local/share/gnote
 whitelist ${HOME}/.config/gnote
 whitelist ${HOME}/.local/share/gnote
+whitelist /usr/libexec/webkit2gtk-4.0
 whitelist /usr/share/gnote
 include whitelist-common.inc
 include whitelist-runuser-common.inc
@@ -51,7 +51,7 @@ disable-mnt
 private-bin gnote
 private-cache
 private-dev
-private-etc dconf,fonts,gtk-3.0,pango,X11
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,pango,X11
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-a-l/gnubik.profile b/etc/profile-a-l/gnubik.profile
index 22851ce9f..c895b4ce9 100644
--- a/etc/profile-a-l/gnubik.profile
+++ b/etc/profile-a-l/gnubik.profile
@@ -10,7 +10,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -44,7 +43,7 @@ private
 private-bin gnubik
 private-cache
 private-dev
-private-etc drirc,fonts,gtk-2.0
+private-etc alternatives,drirc,fonts,gtk-2.0,ld.so.cache,ld.so.preload
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/godot.profile b/etc/profile-a-l/godot.profile
index 09ca17caa..46b362db9 100644
--- a/etc/profile-a-l/godot.profile
+++ b/etc/profile-a-l/godot.profile
@@ -14,7 +14,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
@@ -39,7 +38,7 @@ tracelog
 # private-bin godot
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,machine-id,mono,nsswitch.conf,openal,pki,pulse,resolv.conf,ssl
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,ld.so.cache,ld.so.preload,machine-id,mono,nsswitch.conf,openal,pki,pulse,resolv.conf,ssl
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/goldendict.profile b/etc/profile-a-l/goldendict.profile
new file mode 100644
index 000000000..cffb03d57
--- /dev/null
+++ b/etc/profile-a-l/goldendict.profile
@@ -0,0 +1,58 @@
+# Firejail profile for goldendict
+# This file is overwritten after every install/update
+# Persistent local customizations
+include goldendict.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.goldendict
+noblacklist ${HOME}/.cache/GoldenDict
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.goldendict
+mkdir ${HOME}/.cache/GoldenDict
+whitelist ${HOME}/.goldendict
+whitelist ${HOME}/.cache/GoldenDict
+whitelist /usr/share/goldendict
+# The default path of dictionaries
+whitelist /usr/share/stardict/dic
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+# no3d leads to the libGL MESA-LOADER errors
+#no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin goldendict
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/goobox.profile b/etc/profile-a-l/goobox.profile
index 8399d77c4..2ff3bc8d9 100644
--- a/etc/profile-a-l/goobox.profile
+++ b/etc/profile-a-l/goobox.profile
@@ -11,7 +11,6 @@ noblacklist ${MUSIC}
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-a-l/google-chrome-beta.profile b/etc/profile-a-l/google-chrome-beta.profile
index ebe5e870b..fed227b06 100644
--- a/etc/profile-a-l/google-chrome-beta.profile
+++ b/etc/profile-a-l/google-chrome-beta.profile
@@ -6,7 +6,6 @@ include google-chrome-beta.local
 include globals.local
 
 # Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
-ignore whitelist /usr/share/chromium
 ignore include whitelist-runuser-common.inc
 ignore include whitelist-usr-share-common.inc
 
diff --git a/etc/profile-a-l/google-chrome-unstable.profile b/etc/profile-a-l/google-chrome-unstable.profile
index 4d303f71b..91962c62a 100644
--- a/etc/profile-a-l/google-chrome-unstable.profile
+++ b/etc/profile-a-l/google-chrome-unstable.profile
@@ -6,7 +6,6 @@ include google-chrome-unstable.local
 include globals.local
 
 # Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
-ignore whitelist /usr/share/chromium
 ignore include whitelist-runuser-common.inc
 ignore include whitelist-usr-share-common.inc
 
diff --git a/etc/profile-a-l/google-chrome.profile b/etc/profile-a-l/google-chrome.profile
index ed2595f72..7a4cb5fc9 100644
--- a/etc/profile-a-l/google-chrome.profile
+++ b/etc/profile-a-l/google-chrome.profile
@@ -6,7 +6,6 @@ include google-chrome.local
 include globals.local
 
 # Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
-ignore whitelist /usr/share/chromium
 ignore include whitelist-runuser-common.inc
 ignore include whitelist-usr-share-common.inc
 
diff --git a/etc/profile-a-l/google-earth.profile b/etc/profile-a-l/google-earth.profile
index 65ac04771..0153a58d1 100644
--- a/etc/profile-a-l/google-earth.profile
+++ b/etc/profile-a-l/google-earth.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 mkdir ${HOME}/.config/Google
diff --git a/etc/profile-a-l/google-play-music-desktop-player.profile b/etc/profile-a-l/google-play-music-desktop-player.profile
index a7aabe105..fe61d727e 100644
--- a/etc/profile-a-l/google-play-music-desktop-player.profile
+++ b/etc/profile-a-l/google-play-music-desktop-player.profile
@@ -14,7 +14,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 mkdir ${HOME}/.config/Google Play Music Desktop Player
diff --git a/etc/profile-a-l/googler-common.profile b/etc/profile-a-l/googler-common.profile
new file mode 100644
index 000000000..a35813a09
--- /dev/null
+++ b/etc/profile-a-l/googler-common.profile
@@ -0,0 +1,61 @@
+# Firejail profile for googler clones
+# Description: common profile for googler clones
+# This file is overwritten after every install/update
+# Persistent local customizations
+include googler-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}
+
+noblacklist ${HOME}/.w3m
+
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist ${HOME}/.w3m
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin env,python3*,sh,w3m
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/googler.profile b/etc/profile-a-l/googler.profile
new file mode 100644
index 000000000..9d67006f6
--- /dev/null
+++ b/etc/profile-a-l/googler.profile
@@ -0,0 +1,13 @@
+# Firejail profile for googler
+# Description: Search Google from your terminal
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include googler.local
+# Persistent global definitions
+include globals.local
+
+private-bin googler
+
+# Redirect
+include googler-common.profile
diff --git a/etc/profile-a-l/gpa.profile b/etc/profile-a-l/gpa.profile
index 37b4f0b1c..091851fa8 100644
--- a/etc/profile-a-l/gpa.profile
+++ b/etc/profile-a-l/gpa.profile
@@ -11,7 +11,6 @@ noblacklist ${HOME}/.gnupg
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 caps.drop all
diff --git a/etc/profile-a-l/gpg-agent.profile b/etc/profile-a-l/gpg-agent.profile
index 7f0b614b1..c6ecef5ec 100644
--- a/etc/profile-a-l/gpg-agent.profile
+++ b/etc/profile-a-l/gpg-agent.profile
@@ -15,7 +15,6 @@ blacklist ${RUNUSER}/wayland-*
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-a-l/gpg.profile b/etc/profile-a-l/gpg.profile
index 4a4d6527c..cf58ebdb0 100644
--- a/etc/profile-a-l/gpg.profile
+++ b/etc/profile-a-l/gpg.profile
@@ -15,7 +15,6 @@ blacklist ${RUNUSER}/wayland-*
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 whitelist ${RUNUSER}/gnupg
diff --git a/etc/profile-a-l/gpicview.profile b/etc/profile-a-l/gpicview.profile
index fa53c26c8..26afe6e49 100644
--- a/etc/profile-a-l/gpicview.profile
+++ b/etc/profile-a-l/gpicview.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 
@@ -42,7 +41,7 @@ tracelog
 private-bin gpicview
 private-cache
 private-dev
-private-etc alternatives,fonts,group,passwd
+private-etc alternatives,fonts,group,ld.so.cache,ld.so.preload,passwd
 private-lib
 private-tmp
 
diff --git a/etc/profile-a-l/gpredict.profile b/etc/profile-a-l/gpredict.profile
index 253d644f1..511be6fcc 100644
--- a/etc/profile-a-l/gpredict.profile
+++ b/etc/profile-a-l/gpredict.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 
@@ -37,6 +36,6 @@ tracelog
 
 private-bin gpredict
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl
 private-tmp
 
diff --git a/etc/profile-a-l/gradio.profile b/etc/profile-a-l/gradio.profile
index 2b4c536d2..9cc25e45c 100644
--- a/etc/profile-a-l/gradio.profile
+++ b/etc/profile-a-l/gradio.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
@@ -46,7 +45,7 @@ disable-mnt
 private-bin gradio
 private-cache
 private-dev
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,machine-id,pki,pulse,resolv.conf,ssl,xdg
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl,xdg
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-a-l/gramps.profile b/etc/profile-a-l/gramps.profile
index c7e0c2977..4baca353b 100644
--- a/etc/profile-a-l/gramps.profile
+++ b/etc/profile-a-l/gramps.profile
@@ -16,7 +16,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile b/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile
index 890ba2560..d76ca105f 100644
--- a/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile
+++ b/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile
@@ -10,7 +10,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -41,7 +40,7 @@ private
 private-bin gravity-beams-and-evaporating-stars
 private-cache
 private-dev
-private-etc fonts,machine-id
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/gthumb.profile b/etc/profile-a-l/gthumb.profile
index 5927e8c4d..4218f8545 100644
--- a/etc/profile-a-l/gthumb.profile
+++ b/etc/profile-a-l/gthumb.profile
@@ -13,7 +13,6 @@ noblacklist ${HOME}/.steam
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 
diff --git a/etc/profile-a-l/gtk-pipe-viewer.profile b/etc/profile-a-l/gtk-pipe-viewer.profile
new file mode 100644
index 000000000..9c212ff6e
--- /dev/null
+++ b/etc/profile-a-l/gtk-pipe-viewer.profile
@@ -0,0 +1,12 @@
+# Firejail profile for gtk-pipe-viewer
+# Description: Gtk front-end to pipe-viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gtk-pipe-viewer.local
+# added by included profile
+#include globals.local
+
+ignore quiet
+
+# Redirect
+include pipe-viewer.profile
diff --git a/etc/profile-a-l/gtk-straw-viewer.profile b/etc/profile-a-l/gtk-straw-viewer.profile
index e2721360b..978b3d896 100644
--- a/etc/profile-a-l/gtk-straw-viewer.profile
+++ b/etc/profile-a-l/gtk-straw-viewer.profile
@@ -8,7 +8,5 @@ include gtk-straw-viewer.local
 
 ignore quiet
 
-include whitelist-runuser-common.inc
-
 # Redirect
 include straw-viewer.profile
diff --git a/etc/profile-a-l/gtk-update-icon-cache.profile b/etc/profile-a-l/gtk-update-icon-cache.profile
index c8addae75..ec8a614fd 100644
--- a/etc/profile-a-l/gtk-update-icon-cache.profile
+++ b/etc/profile-a-l/gtk-update-icon-cache.profile
@@ -13,7 +13,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -47,7 +46,7 @@ disable-mnt
 private-bin gtk-update-icon-cache
 private-cache
 private-dev
-private-etc none
+private-etc alternatives,ld.so.cache,ld.so.preload
 private-lib
 private-tmp
 
diff --git a/etc/profile-a-l/gtk-youtube-viewer.profile b/etc/profile-a-l/gtk-youtube-viewer.profile
index 848979b52..c814f0fef 100644
--- a/etc/profile-a-l/gtk-youtube-viewer.profile
+++ b/etc/profile-a-l/gtk-youtube-viewer.profile
@@ -8,7 +8,5 @@ include gtk-youtube-viewer.local
 
 ignore quiet
 
-include whitelist-runuser-common.inc
-
 # Redirect
 include youtube-viewer.profile
diff --git a/etc/profile-a-l/guayadeque.profile b/etc/profile-a-l/guayadeque.profile
index 3d2b71e9d..39fb177dd 100644
--- a/etc/profile-a-l/guayadeque.profile
+++ b/etc/profile-a-l/guayadeque.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
diff --git a/etc/profile-a-l/gucharmap.profile b/etc/profile-a-l/gucharmap.profile
index 6adb79852..d47000e89 100644
--- a/etc/profile-a-l/gucharmap.profile
+++ b/etc/profile-a-l/gucharmap.profile
@@ -10,7 +10,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
diff --git a/etc/profile-a-l/gunzip.profile b/etc/profile-a-l/gunzip.profile
index 6e97c6b78..584d88f85 100644
--- a/etc/profile-a-l/gunzip.profile
+++ b/etc/profile-a-l/gunzip.profile
@@ -7,5 +7,7 @@ include gunzip.local
 # added by included profile
 #include globals.local
 
+include allow-bin-sh.inc
+
 # Redirect
 include gzip.profile
diff --git a/etc/profile-a-l/guvcview.profile b/etc/profile-a-l/guvcview.profile
index 9221ca31c..8ddde3c47 100644
--- a/etc/profile-a-l/guvcview.profile
+++ b/etc/profile-a-l/guvcview.profile
@@ -15,7 +15,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
diff --git a/etc/profile-a-l/gwenview.profile b/etc/profile-a-l/gwenview.profile
index d33e2a673..d98d341ae 100644
--- a/etc/profile-a-l/gwenview.profile
+++ b/etc/profile-a-l/gwenview.profile
@@ -22,10 +22,10 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 
+include whitelist-run-common.inc
 include whitelist-var-common.inc
 
 apparmor
@@ -47,7 +47,7 @@ shell none
 
 private-bin gimp*,gwenview,kbuildsycoca4,kdeinit4
 private-dev
-private-etc alternatives,fonts,gimp,gtk-2.0,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,pulse,xdg
+private-etc alternatives,fonts,gimp,gtk-2.0,kde4rc,kde5rc,ld.so.cache,ld.so.preload,machine-id,passwd,pulse,xdg
 
 # dbus-user none
 # dbus-system none
diff --git a/etc/profile-a-l/handbrake.profile b/etc/profile-a-l/handbrake.profile
index 847e1ec1e..9ad9aef33 100644
--- a/etc/profile-a-l/handbrake.profile
+++ b/etc/profile-a-l/handbrake.profile
@@ -14,7 +14,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-a-l/hashcat.profile b/etc/profile-a-l/hashcat.profile
index aab4b0c21..3be349176 100644
--- a/etc/profile-a-l/hashcat.profile
+++ b/etc/profile-a-l/hashcat.profile
@@ -17,7 +17,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-a-l/hasher-common.profile b/etc/profile-a-l/hasher-common.profile
index 44584f26b..8c1ada1d1 100644
--- a/etc/profile-a-l/hasher-common.profile
+++ b/etc/profile-a-l/hasher-common.profile
@@ -17,7 +17,6 @@ blacklist ${RUNUSER}
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 # Add the next line to your hasher-common.local if you don't need to hash files in disable-programs.inc.
 #include disable-programs.inc
 include disable-shell.inc
diff --git a/etc/profile-a-l/hedgewars.profile b/etc/profile-a-l/hedgewars.profile
index c0675d8ec..9c6f162c6 100644
--- a/etc/profile-a-l/hedgewars.profile
+++ b/etc/profile-a-l/hedgewars.profile
@@ -13,7 +13,6 @@ include allow-lua.inc
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 mkdir ${HOME}/.hedgewars
diff --git a/etc/profile-a-l/hexchat.profile b/etc/profile-a-l/hexchat.profile
index f72af0b4a..88448ad45 100644
--- a/etc/profile-a-l/hexchat.profile
+++ b/etc/profile-a-l/hexchat.profile
@@ -8,6 +8,9 @@ include globals.local
 
 noblacklist ${HOME}/.config/hexchat
 
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
 # Allow perl (blacklisted by disable-interpreters.inc)
 include allow-perl.inc
 
@@ -19,7 +22,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -48,7 +50,7 @@ tracelog
 
 disable-mnt
 # debug note: private-bin requires perl, python, etc on some systems
-private-bin hexchat,python*
+private-bin hexchat,python*,sh
 private-dev
 #private-lib - python problems
 private-tmp
diff --git a/etc/profile-a-l/highlight.profile b/etc/profile-a-l/highlight.profile
index 643736ac7..97f190723 100644
--- a/etc/profile-a-l/highlight.profile
+++ b/etc/profile-a-l/highlight.profile
@@ -8,10 +8,12 @@ include globals.local
 
 blacklist ${RUNUSER}
 
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 
diff --git a/etc/profile-a-l/homebank.profile b/etc/profile-a-l/homebank.profile
index 199b1a5e5..f2dac5881 100644
--- a/etc/profile-a-l/homebank.profile
+++ b/etc/profile-a-l/homebank.profile
@@ -13,7 +13,6 @@ include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
-include disable-passwdmgr.inc
 include disable-shell.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-a-l/host.profile b/etc/profile-a-l/host.profile
index 00d9f7a76..984e90e1f 100644
--- a/etc/profile-a-l/host.profile
+++ b/etc/profile-a-l/host.profile
@@ -14,7 +14,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-a-l/hugin.profile b/etc/profile-a-l/hugin.profile
index 267712c87..0a9c831f3 100644
--- a/etc/profile-a-l/hugin.profile
+++ b/etc/profile-a-l/hugin.profile
@@ -14,7 +14,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
diff --git a/etc/profile-a-l/hyperrogue.profile b/etc/profile-a-l/hyperrogue.profile
index e66ffd7e1..498853b5d 100644
--- a/etc/profile-a-l/hyperrogue.profile
+++ b/etc/profile-a-l/hyperrogue.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -43,9 +42,9 @@ tracelog
 disable-mnt
 private-bin hyperrogue
 private-cache
-private-cwd ${HOME}
+private-cwd
 private-dev
-private-etc fonts,machine-id
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/i2prouter.profile b/etc/profile-a-l/i2prouter.profile
index 47c984175..200b4c8b1 100644
--- a/etc/profile-a-l/i2prouter.profile
+++ b/etc/profile-a-l/i2prouter.profile
@@ -28,7 +28,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
@@ -69,5 +68,5 @@ shell none
 disable-mnt
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,group,hostname,hosts,i2p,java-10-openjdk,java-11-openjdk,java-12-openjdk,java-13-openjdk,java-8-openjdk,java-9-openjdk,java-openjdk,ld.so.cache,localtime,machine-id,nsswitch.conf,passwd,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,dconf,group,hostname,hosts,i2p,java-10-openjdk,java-11-openjdk,java-12-openjdk,java-13-openjdk,java-8-openjdk,java-9-openjdk,java-openjdk,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,passwd,pki,resolv.conf,ssl
 private-tmp
diff --git a/etc/profile-a-l/iagno.profile b/etc/profile-a-l/iagno.profile
index 363d3dc2e..863dc8acf 100644
--- a/etc/profile-a-l/iagno.profile
+++ b/etc/profile-a-l/iagno.profile
@@ -10,7 +10,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 
diff --git a/etc/profile-a-l/idea.sh.profile b/etc/profile-a-l/idea.sh.profile
index 680b8e777..7716a5f1a 100644
--- a/etc/profile-a-l/idea.sh.profile
+++ b/etc/profile-a-l/idea.sh.profile
@@ -19,7 +19,6 @@ include allow-common-devel.inc
 include allow-ssh.inc
 
 include disable-common.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 caps.drop all
diff --git a/etc/profile-a-l/imagej.profile b/etc/profile-a-l/imagej.profile
index 12ce7976b..4da127fab 100644
--- a/etc/profile-a-l/imagej.profile
+++ b/etc/profile-a-l/imagej.profile
@@ -15,7 +15,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 caps.drop all
diff --git a/etc/profile-a-l/img2txt.profile b/etc/profile-a-l/img2txt.profile
index c26958d06..dd08e46f5 100644
--- a/etc/profile-a-l/img2txt.profile
+++ b/etc/profile-a-l/img2txt.profile
@@ -1,5 +1,6 @@
 # Firejail profile for img2txt
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include img2txt.local
 # Persistent global definitions
@@ -14,7 +15,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-a-l/impressive.profile b/etc/profile-a-l/impressive.profile
index c152be01c..31ad641c1 100644
--- a/etc/profile-a-l/impressive.profile
+++ b/etc/profile-a-l/impressive.profile
@@ -18,7 +18,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-a-l/imv.profile b/etc/profile-a-l/imv.profile
new file mode 100644
index 000000000..65e7537bf
--- /dev/null
+++ b/etc/profile-a-l/imv.profile
@@ -0,0 +1,57 @@
+# Firejail profile for imv
+# Description: imv is an image viewer.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include imv.local
+# Persistent global definitions
+include globals.local
+
+include allow-bin-sh.inc
+
+blacklist /usr/libexec
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-write-mnt.inc
+# Users may want to view images in ${HOME}
+#include disable-xdg.inc
+
+# Users may want to view images in ${HOME}
+#include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+# Users may want to view images in /usr/share
+#include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+private-bin imv,imv-wayland,imv-x11,sh
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
+
+read-only ${HOME}
diff --git a/etc/profile-a-l/inkscape.profile b/etc/profile-a-l/inkscape.profile
index 35dd86b32..016a4d6c8 100644
--- a/etc/profile-a-l/inkscape.profile
+++ b/etc/profile-a-l/inkscape.profile
@@ -1,6 +1,7 @@
 # Firejail profile for inkscape
 # Description: Vector-based drawing program
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include inkscape.local
 # Persistent global definitions
@@ -24,11 +25,11 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
 whitelist /usr/share/inkscape
+include whitelist-run-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/io.github.lainsce.Notejot.profile b/etc/profile-a-l/io.github.lainsce.Notejot.profile
new file mode 100644
index 000000000..6753cb332
--- /dev/null
+++ b/etc/profile-a-l/io.github.lainsce.Notejot.profile
@@ -0,0 +1,60 @@
+# Firejail profile for notejot
+# Description: Jot your ideas
+# This file is overwritten after every install/update
+# Persistent local customizations
+include io.github.lainsce.Notejot.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/io.github.lainsce.Notejot
+noblacklist ${HOME}/.local/share/io.github.lainsce.Notejot
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/io.github.lainsce.Notejot
+mkdir ${HOME}/.local/share/io.github.lainsce.Notejot
+whitelist ${HOME}/.cache/io.github.lainsce.Notejot
+whitelist ${HOME}/.local/share/io.github.lainsce.Notejot
+whitelist /usr/libexec/webkit2gtk-4.0
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin io.github.lainsce.Notejot
+private-cache
+private-dev
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,pango,X11
+private-tmp
+
+dbus-user filter
+dbus-user.own io.github.lainsce.Notejot
+dbus-user.talk ca.desrt.dconf
+dbus-system none
diff --git a/etc/profile-a-l/ipcalc.profile b/etc/profile-a-l/ipcalc.profile
index 791065c1a..6eefd2945 100644
--- a/etc/profile-a-l/ipcalc.profile
+++ b/etc/profile-a-l/ipcalc.profile
@@ -13,7 +13,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 # include disable-shell.inc
 include disable-write-mnt.inc
@@ -51,7 +50,7 @@ private-bin bash,ipcalc,ipcalc-ng,perl,sh
 # private-cache
 private-dev
 # empty etc directory
-private-etc none
+private-etc alternatives,ld.so.cache,ld.so.preload
 private-lib
 private-opt none
 private-tmp
diff --git a/etc/profile-a-l/iridium.profile b/etc/profile-a-l/iridium.profile
index 3037d00e9..ebb39b0a3 100644
--- a/etc/profile-a-l/iridium.profile
+++ b/etc/profile-a-l/iridium.profile
@@ -5,11 +5,6 @@ include iridium.local
 # Persistent global definitions
 include globals.local
 
-# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
-ignore whitelist /usr/share/chromium
-ignore include whitelist-runuser-common.inc
-ignore include whitelist-usr-share-common.inc
-
 noblacklist ${HOME}/.cache/iridium
 noblacklist ${HOME}/.config/iridium
 
diff --git a/etc/profile-a-l/itch.profile b/etc/profile-a-l/itch.profile
index e02dcbdb1..37cde1577 100644
--- a/etc/profile-a-l/itch.profile
+++ b/etc/profile-a-l/itch.profile
@@ -14,7 +14,6 @@ noblacklist ${HOME}/.config/itch
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 mkdir ${HOME}/.itch
diff --git a/etc/profile-a-l/jami-gnome.profile b/etc/profile-a-l/jami-gnome.profile
index 3e9abf369..5c4cc74c2 100644
--- a/etc/profile-a-l/jami-gnome.profile
+++ b/etc/profile-a-l/jami-gnome.profile
@@ -13,7 +13,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 #include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 mkdir ${HOME}/.config/jami
diff --git a/etc/profile-a-l/jd-gui.profile b/etc/profile-a-l/jd-gui.profile
index 7d29f1068..37f99c2f0 100644
--- a/etc/profile-a-l/jd-gui.profile
+++ b/etc/profile-a-l/jd-gui.profile
@@ -14,7 +14,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-a-l/jerry.profile b/etc/profile-a-l/jerry.profile
index 85b1f2120..6ca977512 100644
--- a/etc/profile-a-l/jerry.profile
+++ b/etc/profile-a-l/jerry.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
@@ -35,7 +34,7 @@ tracelog
 
 private-bin bash,jerry,sh,stockfish
 private-dev
-private-etc fonts,gtk-2.0,gtk-3.0
+private-etc alternatives,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/jitsi.profile b/etc/profile-a-l/jitsi.profile
index 223c360b8..0e578909a 100644
--- a/etc/profile-a-l/jitsi.profile
+++ b/etc/profile-a-l/jitsi.profile
@@ -13,7 +13,6 @@ include allow-java.inc
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 caps.drop all
diff --git a/etc/profile-a-l/jumpnbump-menu.profile b/etc/profile-a-l/jumpnbump-menu.profile
index 8d391b90f..59d762f55 100644
--- a/etc/profile-a-l/jumpnbump-menu.profile
+++ b/etc/profile-a-l/jumpnbump-menu.profile
@@ -10,7 +10,7 @@ include jumpnbump-menu.local
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python3.inc
 
-private-bin jumpnbump-menu,python3*
+private-bin env,jumpnbump-menu,python3*
 
 # Redirect
 include jumpnbump.profile
diff --git a/etc/profile-a-l/jumpnbump.profile b/etc/profile-a-l/jumpnbump.profile
index 9954b8aea..4a9232344 100644
--- a/etc/profile-a-l/jumpnbump.profile
+++ b/etc/profile-a-l/jumpnbump.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
@@ -28,7 +27,6 @@ caps.drop all
 net none
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
@@ -43,7 +41,7 @@ disable-mnt
 private-bin jumpnbump
 private-cache
 private-dev
-private-etc none
+private-etc alternatives,ld.so.cache,ld.so.preload
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/k3b.profile b/etc/profile-a-l/k3b.profile
index 5ae90dff6..655257f08 100644
--- a/etc/profile-a-l/k3b.profile
+++ b/etc/profile-a-l/k3b.profile
@@ -15,7 +15,6 @@ noblacklist ${MUSIC}
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-a-l/kaffeine.profile b/etc/profile-a-l/kaffeine.profile
index d55fd22cb..e74c57546 100644
--- a/etc/profile-a-l/kaffeine.profile
+++ b/etc/profile-a-l/kaffeine.profile
@@ -19,10 +19,10 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+include whitelist-run-common.inc
 include whitelist-var-common.inc
 
 caps.drop all
diff --git a/etc/profile-a-l/kalgebra.profile b/etc/profile-a-l/kalgebra.profile
index 503dac4b6..6ad50cf14 100644
--- a/etc/profile-a-l/kalgebra.profile
+++ b/etc/profile-a-l/kalgebra.profile
@@ -13,7 +13,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
@@ -43,7 +42,7 @@ disable-mnt
 private-bin kalgebra,kalgebramobile
 private-cache
 private-dev
-private-etc fonts,machine-id
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/kate.profile b/etc/profile-a-l/kate.profile
index 27b87e7c3..8c340d536 100644
--- a/etc/profile-a-l/kate.profile
+++ b/etc/profile-a-l/kate.profile
@@ -27,9 +27,9 @@ include disable-common.inc
 # include disable-devel.inc
 include disable-exec.inc
 # include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-run-common.inc
 include whitelist-var-common.inc
 
 # apparmor
diff --git a/etc/profile-a-l/kazam.profile b/etc/profile-a-l/kazam.profile
index 9795cf168..277db1c24 100644
--- a/etc/profile-a-l/kazam.profile
+++ b/etc/profile-a-l/kazam.profile
@@ -21,7 +21,6 @@ include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
-include disable-passwdmgr.inc
 include disable-shell.inc
 include disable-xdg.inc
 
@@ -50,7 +49,7 @@ disable-mnt
 # private-bin kazam,python*
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-2.0,gtk-3.0,machine-id,pulse,selinux,X11,xdg
+private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,machine-id,pulse,selinux,X11,xdg
 private-tmp
 
 dbus-system none
diff --git a/etc/profile-a-l/kcalc.profile b/etc/profile-a-l/kcalc.profile
index e36ee5ed2..06978cbf1 100644
--- a/etc/profile-a-l/kcalc.profile
+++ b/etc/profile-a-l/kcalc.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -29,6 +28,7 @@ whitelist /usr/share/config.kcfg/kcalc.kcfg
 whitelist /usr/share/kcalc
 whitelist /usr/share/kconf_update/kcalcrc.upd
 include whitelist-common.inc
+include whitelist-run-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -56,7 +56,7 @@ disable-mnt
 private-bin kcalc
 private-cache
 private-dev
-private-etc alternatives,fonts,ld.so.cache,locale,locale.conf
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,locale,locale.conf
 # private-lib - problems on Arch
 private-tmp
 
diff --git a/etc/profile-a-l/kdeinit4.profile b/etc/profile-a-l/kdeinit4.profile
index 925ab3517..4ddd5dac5 100644
--- a/etc/profile-a-l/kdeinit4.profile
+++ b/etc/profile-a-l/kdeinit4.profile
@@ -11,7 +11,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 
diff --git a/etc/profile-a-l/kdenlive.profile b/etc/profile-a-l/kdenlive.profile
index d2a08a269..87808ced7 100644
--- a/etc/profile-a-l/kdenlive.profile
+++ b/etc/profile-a-l/kdenlive.profile
@@ -17,7 +17,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 apparmor
diff --git a/etc/profile-a-l/kdiff3.profile b/etc/profile-a-l/kdiff3.profile
index 7c1cb2294..df7ee31dc 100644
--- a/etc/profile-a-l/kdiff3.profile
+++ b/etc/profile-a-l/kdiff3.profile
@@ -18,12 +18,13 @@ blacklist ${HOME}/.gnupg
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 # Add the next line to your kdiff3.local if you don't need to compare files in disable-programs.inc.
 #include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
+# Add the next line to your kdiff3.local if you don't need to compare files in /run.
+#include whitelist-run-common.inc
 include whitelist-runuser-common.inc
 # Add the next line to your kdiff3.local if you don't need to compare files in /usr/share.
 #include whitelist-usr-share-common.inc
@@ -49,7 +50,7 @@ shell none
 tracelog
 
 disable-mnt
-private-bin  kdiff3
+private-bin kdiff3
 private-cache
 private-dev
 
diff --git a/etc/profile-a-l/keepass.profile b/etc/profile-a-l/keepass.profile
index ae8971ab4..8aa21308d 100644
--- a/etc/profile-a-l/keepass.profile
+++ b/etc/profile-a-l/keepass.profile
@@ -19,7 +19,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
@@ -33,13 +32,15 @@ nonewprivs
 noroot
 nosound
 notv
-nou2f
 novideo
 protocol unix,inet,inet6,netlink
 seccomp
 shell none
 
 private-cache
+# Note: private-dev prevents the program from seeing new devices (such as
+# hardware keys) on /dev after it has already started; add "ignore private-dev"
+# to keepassxc.local if this is an issue (see #4883).
 private-dev
 private-tmp
 
diff --git a/etc/profile-a-l/keepassx.profile b/etc/profile-a-l/keepassx.profile
index ac364986d..5e2d6d8df 100644
--- a/etc/profile-a-l/keepassx.profile
+++ b/etc/profile-a-l/keepassx.profile
@@ -16,7 +16,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
@@ -42,7 +41,7 @@ tracelog
 
 private-bin keepassx,keepassx2
 private-dev
-private-etc alternatives,fonts,machine-id
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/keepassxc-cli.profile b/etc/profile-a-l/keepassxc-cli.profile
index 925609384..c292041f3 100644
--- a/etc/profile-a-l/keepassxc-cli.profile
+++ b/etc/profile-a-l/keepassxc-cli.profile
@@ -1,6 +1,7 @@
 # Firejail profile for keepassxc-cli
 # Description: command line interface for KeePassXC
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include keepassxc-cli.local
 # Persistent global definitions
diff --git a/etc/profile-a-l/keepassxc.profile b/etc/profile-a-l/keepassxc.profile
index c352a5d89..a65c35804 100644
--- a/etc/profile-a-l/keepassxc.profile
+++ b/etc/profile-a-l/keepassxc.profile
@@ -22,11 +22,12 @@ noblacklist ${HOME}/.config/vivaldi
 noblacklist ${HOME}/.local/share/torbrowser
 noblacklist ${HOME}/.mozilla
 
+blacklist /usr/libexec
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -36,16 +37,22 @@ include disable-xdg.inc
 #mkdir ${HOME}/Documents/KeePassXC
 #whitelist ${HOME}/Documents/KeePassXC
 # Needed for KeePassXC-Browser.
+#mkdir ${HOME}/.config/BraveSoftware/Brave-Browser/NativeMessagingHosts
 #mkfile ${HOME}/.config/BraveSoftware/Brave-Browser/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json
 #whitelist ${HOME}/.config/BraveSoftware/Brave-Browser/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json
+#mkdir ${HOME}/.config/chromium/NativeMessagingHosts
 #mkfile ${HOME}/.config/chromium/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json
 #whitelist ${HOME}/.config/chromium/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json
+#mkdir ${HOME}/.config/google-chrome/NativeMessagingHosts
 #mkfile ${HOME}/.config/google-chrome/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json
 #whitelist ${HOME}/.config/google-chrome/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json
+#mkdir ${HOME}/.config/vivaldi/NativeMessagingHosts
 #mkfile ${HOME}/.config/vivaldi/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json
 #whitelist ${HOME}/.config/vivaldi/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json
+#mkdir ${HOME}/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/TorBrowser/Data/Browser/.mozilla/native-messaging-hosts
 #mkfile ${HOME}/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/TorBrowser/Data/Browser/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json
 #whitelist ${HOME}/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/TorBrowser/Data/Browser/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json
+#mkdir ${HOME}/.mozilla/native-messaging-hosts
 #mkfile ${HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json
 #whitelist ${HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json
 #mkdir ${HOME}/.cache/keepassxc
@@ -56,6 +63,7 @@ include disable-xdg.inc
 #include whitelist-common.inc
 
 whitelist /usr/share/keepassxc
+include whitelist-run-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
@@ -70,34 +78,34 @@ nonewprivs
 noroot
 nosound
 notv
-nou2f
 novideo
-protocol unix,netlink
+protocol unix
 seccomp !name_to_handle_at
 seccomp.block-secondary
 shell none
 tracelog
 
 private-bin keepassxc,keepassxc-cli,keepassxc-proxy
+# Note: private-dev prevents the program from seeing new devices (such as
+# hardware keys) on /dev after it has already started; add "ignore private-dev"
+# to keepassxc.local if this is an issue (see #4883).
 private-dev
-private-etc alternatives,fonts,ld.so.cache,machine-id
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id
 private-tmp
 
 dbus-user filter
-#dbus-user.own org.keepassxc.KeePassXC
-dbus-user.talk com.canonical.Unity.Session
+dbus-user.own org.keepassxc.KeePassXC.*
+dbus-user.talk com.canonical.Unity
 dbus-user.talk org.freedesktop.ScreenSaver
-dbus-user.talk org.freedesktop.login1.Manager
-dbus-user.talk org.freedesktop.login1.Session
 dbus-user.talk org.gnome.ScreenSaver
 dbus-user.talk org.gnome.SessionManager
-dbus-user.talk org.gnome.SessionManager.Presence
+dbus-user.talk org.xfce.ScreenSaver
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
+?ALLOW_TRAY: dbus-user.own org.kde.*
 # Add the next line to your keepassxc.local to allow notifications.
 #dbus-user.talk org.freedesktop.Notifications
-# Add the next line to your keepassxc.local to allow the tray menu.
-#dbus-user.talk org.kde.StatusNotifierWatcher
-#dbus-user.own org.kde.*
-dbus-system none
+dbus-system filter
+dbus-system.talk org.freedesktop.login1
 
 # Mutex is stored in /tmp by default, which is broken by private-tmp.
 join-or-start keepassxc
diff --git a/etc/profile-a-l/kfind.profile b/etc/profile-a-l/kfind.profile
index 6f6fe8d0a..40fe65e3f 100644
--- a/etc/profile-a-l/kfind.profile
+++ b/etc/profile-a-l/kfind.profile
@@ -18,7 +18,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 # include disable-programs.inc
 
 apparmor
diff --git a/etc/profile-a-l/kget.profile b/etc/profile-a-l/kget.profile
index 2c684504b..9b6646725 100644
--- a/etc/profile-a-l/kget.profile
+++ b/etc/profile-a-l/kget.profile
@@ -18,9 +18,9 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-run-common.inc
 include whitelist-var-common.inc
 
 caps.drop all
diff --git a/etc/profile-a-l/kid3.profile b/etc/profile-a-l/kid3.profile
index e18292e99..5563aa410 100644
--- a/etc/profile-a-l/kid3.profile
+++ b/etc/profile-a-l/kid3.profile
@@ -14,7 +14,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
@@ -38,7 +37,7 @@ tracelog
 
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hostname,hosts,kde5rc,machine-id,pki,pulse,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hostname,hosts,kde5rc,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl
 private-tmp
 private-opt none
 private-srv none
diff --git a/etc/profile-a-l/kino.profile b/etc/profile-a-l/kino.profile
index 74014ffe6..1f42526d3 100644
--- a/etc/profile-a-l/kino.profile
+++ b/etc/profile-a-l/kino.profile
@@ -13,7 +13,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/kiwix-desktop.profile b/etc/profile-a-l/kiwix-desktop.profile
index 40ee0bbc7..837ea9e36 100644
--- a/etc/profile-a-l/kiwix-desktop.profile
+++ b/etc/profile-a-l/kiwix-desktop.profile
@@ -13,7 +13,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
@@ -45,7 +44,7 @@ shell none
 disable-mnt
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,machine-id,pki,pulse,resolv.conf,ssl
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/klatexformula.profile b/etc/profile-a-l/klatexformula.profile
index c6a9023f1..f089658af 100644
--- a/etc/profile-a-l/klatexformula.profile
+++ b/etc/profile-a-l/klatexformula.profile
@@ -17,7 +17,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 apparmor
diff --git a/etc/profile-a-l/klavaro.profile b/etc/profile-a-l/klavaro.profile
index f5cd3a48c..46164403b 100644
--- a/etc/profile-a-l/klavaro.profile
+++ b/etc/profile-a-l/klavaro.profile
@@ -13,7 +13,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
@@ -46,7 +45,7 @@ disable-mnt
 private-bin bash,klavaro,sh,tclsh,tclsh*
 private-cache
 private-dev
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 private-tmp
 private-opt none
 private-srv none
diff --git a/etc/profile-a-l/kmail.profile b/etc/profile-a-l/kmail.profile
index 95ae98e53..1bbc141e8 100644
--- a/etc/profile-a-l/kmail.profile
+++ b/etc/profile-a-l/kmail.profile
@@ -29,15 +29,16 @@ noblacklist ${HOME}/.local/share/kxmlgui5/kmail
 noblacklist ${HOME}/.local/share/kxmlgui5/kmail2
 noblacklist ${HOME}/.local/share/local-mail
 noblacklist ${HOME}/.local/share/notes
+noblacklist ${RUNUSER}/akonadi
 noblacklist /tmp/akonadi-*
 
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-run-common.inc
 include whitelist-var-common.inc
 
 # apparmor
diff --git a/etc/profile-a-l/kmplayer.profile b/etc/profile-a-l/kmplayer.profile
index e88b53499..8d462c44c 100644
--- a/etc/profile-a-l/kmplayer.profile
+++ b/etc/profile-a-l/kmplayer.profile
@@ -16,7 +16,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-a-l/kodi.profile b/etc/profile-a-l/kodi.profile
index b72632bf4..2277a74fe 100644
--- a/etc/profile-a-l/kodi.profile
+++ b/etc/profile-a-l/kodi.profile
@@ -8,6 +8,16 @@ include globals.local
 
 # noexec ${HOME} breaks plugins
 ignore noexec ${HOME}
+# Add the following to your kodi.local if you use a CEC Adapter.
+#ignore nogroups
+#ignore noroot
+#ignore private-dev
+# Add the following to your kodi.local if you use the Lutris Kodi Addon
+#noblacklist /sbin
+#noblacklist /usr/sbin
+#noblacklist ${HOME}/.cache/lutris
+#noblacklist ${HOME}/.config/lutris
+#noblacklist ${HOME}/.local/share/lutris
 
 noblacklist ${HOME}/.kodi
 noblacklist ${MUSIC}
@@ -22,7 +32,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
@@ -34,7 +43,6 @@ netfilter
 nogroups
 noinput
 nonewprivs
-# Seems to cause issues with Nvidia drivers sometimes (#3501)
 noroot
 nou2f
 protocol unix,inet,inet6,netlink
diff --git a/etc/profile-a-l/konversation.profile b/etc/profile-a-l/konversation.profile
index 5b5ed6e24..1121dc8a5 100644
--- a/etc/profile-a-l/konversation.profile
+++ b/etc/profile-a-l/konversation.profile
@@ -16,11 +16,11 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
+include whitelist-run-common.inc
 include whitelist-var-common.inc
 
 caps.drop all
diff --git a/etc/profile-a-l/kopete.profile b/etc/profile-a-l/kopete.profile
index 88f47d1bf..9e75b03eb 100644
--- a/etc/profile-a-l/kopete.profile
+++ b/etc/profile-a-l/kopete.profile
@@ -16,7 +16,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 whitelist /var/lib/winpopup
diff --git a/etc/profile-a-l/krita.profile b/etc/profile-a-l/krita.profile
index 8604e63d0..2d3225421 100644
--- a/etc/profile-a-l/krita.profile
+++ b/etc/profile-a-l/krita.profile
@@ -22,7 +22,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-a-l/krunner.profile b/etc/profile-a-l/krunner.profile
index 9cb5eff87..96eb6978d 100644
--- a/etc/profile-a-l/krunner.profile
+++ b/etc/profile-a-l/krunner.profile
@@ -22,7 +22,6 @@ noblacklist ${HOME}/.kde4/share/config/krunnerrc
 include disable-common.inc
 # include disable-devel.inc
 # include disable-interpreters.inc
-# include disable-passwdmgr.inc
 # include disable-programs.inc
 
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/ktorrent.profile b/etc/profile-a-l/ktorrent.profile
index 5a85194e0..f3eae6780 100644
--- a/etc/profile-a-l/ktorrent.profile
+++ b/etc/profile-a-l/ktorrent.profile
@@ -18,7 +18,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 
@@ -38,6 +37,7 @@ whitelist ${HOME}/.kde4/share/config/ktorrentrc
 whitelist ${HOME}/.local/share/ktorrent
 whitelist ${HOME}/.local/share/kxmlgui5/ktorrent
 include whitelist-common.inc
+include whitelist-run-common.inc
 include whitelist-var-common.inc
 
 caps.drop all
@@ -62,4 +62,5 @@ private-dev
 # private-lib - problems on Arch
 private-tmp
 
+deterministic-shutdown
 # memory-deny-write-execute
diff --git a/etc/profile-a-l/ktouch.profile b/etc/profile-a-l/ktouch.profile
index 4cf72b74c..44da8acca 100644
--- a/etc/profile-a-l/ktouch.profile
+++ b/etc/profile-a-l/ktouch.profile
@@ -13,7 +13,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -47,7 +46,7 @@ disable-mnt
 private-bin ktouch
 private-cache
 private-dev
-private-etc alternatives,fonts,kde5rc,machine-id
+private-etc alternatives,fonts,kde5rc,ld.so.cache,ld.so.preload,machine-id
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/kube.profile b/etc/profile-a-l/kube.profile
index 4e9a12e5f..718cbbf40 100644
--- a/etc/profile-a-l/kube.profile
+++ b/etc/profile-a-l/kube.profile
@@ -18,7 +18,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -69,7 +68,7 @@ tracelog
 private-bin kube,sink_synchronizer
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,gcrypt,gtk-2.0,gtk-3.0,hostname,hosts,pki,resolv.conf,selinux,ssl,xdg
+private-etc alternatives,ca-certificates,crypto-policies,fonts,gcrypt,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,pki,resolv.conf,selinux,ssl,xdg
 private-tmp
 writable-run-user
 
diff --git a/etc/profile-a-l/kwin_x11.profile b/etc/profile-a-l/kwin_x11.profile
index 15e7ceb17..0b8763c29 100644
--- a/etc/profile-a-l/kwin_x11.profile
+++ b/etc/profile-a-l/kwin_x11.profile
@@ -17,11 +17,11 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
+include whitelist-run-common.inc
 include whitelist-var-common.inc
 
 caps.drop all
@@ -43,5 +43,5 @@ tracelog
 disable-mnt
 private-bin kwin_x11
 private-dev
-private-etc alternatives,drirc,fonts,kde5rc,ld.so.cache,machine-id,xdg
+private-etc alternatives,drirc,fonts,kde5rc,ld.so.cache,ld.so.preload,machine-id,xdg
 private-tmp
diff --git a/etc/profile-a-l/kwrite.profile b/etc/profile-a-l/kwrite.profile
index 804ffafeb..aff6f3181 100644
--- a/etc/profile-a-l/kwrite.profile
+++ b/etc/profile-a-l/kwrite.profile
@@ -20,11 +20,11 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
+include whitelist-run-common.inc
 include whitelist-var-common.inc
 
 apparmor
@@ -47,7 +47,7 @@ tracelog
 
 private-bin kbuildsycoca4,kdeinit4,kwrite
 private-dev
-private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,pulse,xdg
+private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,ld.so.preload,machine-id,pulse,xdg
 private-tmp
 
 # dbus-user none
diff --git a/etc/profile-a-l/latex-common.profile b/etc/profile-a-l/latex-common.profile
index ac1b8785d..7993e97e3 100644
--- a/etc/profile-a-l/latex-common.profile
+++ b/etc/profile-a-l/latex-common.profile
@@ -10,7 +10,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 whitelist /var/lib
diff --git a/etc/profile-a-l/leafpad.profile b/etc/profile-a-l/leafpad.profile
index 4bbb0a86d..75105abf2 100644
--- a/etc/profile-a-l/leafpad.profile
+++ b/etc/profile-a-l/leafpad.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 
diff --git a/etc/profile-a-l/less.profile b/etc/profile-a-l/less.profile
index 8eb5ad0c2..db61bf941 100644
--- a/etc/profile-a-l/less.profile
+++ b/etc/profile-a-l/less.profile
@@ -14,7 +14,6 @@ noblacklist ${HOME}/.lesshst
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 
 apparmor
 caps.drop all
diff --git a/etc/profile-a-l/librecad.profile b/etc/profile-a-l/librecad.profile
new file mode 100644
index 000000000..c1ce4bb8d
--- /dev/null
+++ b/etc/profile-a-l/librecad.profile
@@ -0,0 +1,50 @@
+# Firejail profile for librecad
+# Persistent local customizations
+include librecad.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/LibreCAD
+noblacklist ${HOME}/.local/share/LibreCAD
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist /usr/share/librecad
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+#nogroups
+#noinput
+nonewprivs
+noroot
+notv
+#nou2f
+novideo
+protocol unix,inet,inet6
+netfilter
+seccomp
+shell none
+#tracelog
+
+#disable-mnt
+private-bin librecad
+private-dev
+# private-etc cups,drirc,fonts,passwd,xdg
+#private-lib
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-a-l/libreoffice.profile b/etc/profile-a-l/libreoffice.profile
index 0041f2540..12ff79748 100644
--- a/etc/profile-a-l/libreoffice.profile
+++ b/etc/profile-a-l/libreoffice.profile
@@ -9,39 +9,43 @@ include globals.local
 noblacklist /usr/local/sbin
 noblacklist ${HOME}/.config/libreoffice
 
-# libreoffice uses java for some certain operations
-# comment if you don't care about java functionality
+# libreoffice uses java for some functionality.
+# Add 'ignore include allow-java.inc' to your libreoffice.local if you don't need that functionality.
 # Allow java (blacklisted by disable-devel.inc)
 include allow-java.inc
 
+blacklist /usr/libexec
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-run-common.inc
 include whitelist-var-common.inc
 
-# ubuntu 18.04 comes with its own apparmor profile, but it is not in enforce mode.
-# comment the next line to use the ubuntu profile instead of firejail's apparmor profile
+# Debian 10/Ubuntu 18.04 come with their own apparmor profile, but it is not in enforce mode.
+# Add the next lines to your libreoffice.local to use the Ubuntu profile instead of firejail's apparmor profile.
+#ignore apparmor
+#ignore nonewprivs
+#ignore protocol
+#ignore seccomp
+#ignore tracelog
+
 apparmor
 caps.drop all
 netfilter
 nodvd
 nogroups
 noinput
-# comment nonewprivs when using the ubuntu 18.04/debian 10 apparmor profile
 nonewprivs
 noroot
 notv
 nou2f
 novideo
-# comment the protocol line when using the ubuntu 18.04/debian 10 apparmor profile
 protocol unix,inet,inet6
-# comment seccomp when using the ubuntu 18.04/debian 10 apparmor profile
 seccomp
 shell none
-# comment tracelog when using the ubuntu 18.04/debian 10 apparmor profile
 tracelog
 
 #private-bin libreoffice,sh,uname,dirname,grep,sed,basename,ls
diff --git a/etc/profile-a-l/librewolf.profile b/etc/profile-a-l/librewolf.profile
index 0934e1271..b84cbb119 100644
--- a/etc/profile-a-l/librewolf.profile
+++ b/etc/profile-a-l/librewolf.profile
@@ -18,39 +18,41 @@ whitelist ${HOME}/.librewolf
 #noblacklist ${HOME}/.mozilla
 #whitelist ${HOME}/.mozilla
 
-# Uncomment or put in your librewolf.local one of the following whitelist to enable KeePassXC Plugin
-# NOTE: start KeePassXC before Librewolf and keep it open to allow communication between them
+# To enable KeePassXC Plugin add one of the following lines to your librewolf.local.
+# NOTE: start KeePassXC before Librewolf and keep it open to allow communication between them.
 #whitelist ${RUNUSER}/kpxc_server
 #whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer
 
 whitelist /usr/share/doc
 whitelist /usr/share/gtk-doc/html
+whitelist /usr/share/librewolf
 whitelist /usr/share/mozilla
 whitelist /usr/share/webext
 include whitelist-usr-share-common.inc
 
 # Add the next line to your librewolf.local to enable private-bin (Arch Linux).
 #private-bin dbus-launch,dbus-send,librewolf,sh
-# Add the next line to your librewolf.local to enable private-etc. Note
-# that private-etc must first be enabled in firefox-common.local.
+# Add the next line to your librewolf.local to enable private-etc.
+# NOTE: private-etc must first be enabled in firefox-common.local.
 #private-etc librewolf
 
 dbus-user filter
-# Uncomment or put in your librewolf.local to enable native notifications.
+dbus-user.own io.gitlab.librewolf.*
+dbus-user.own org.mozilla.librewolf.*
+# Add the next line to your librewolf.local to enable native notifications.
 #dbus-user.talk org.freedesktop.Notifications
-# Uncomment or put in your librewolf.local to allow to inhibit screensavers
+# Add the next line to your librewolf.local to allow inhibiting screensavers.
 #dbus-user.talk org.freedesktop.ScreenSaver
-# Uncomment or put in your librewolf.local for plasma browser integration
+# Add the next lines to your librewolf.local for plasma browser integration.
 #dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration
 #dbus-user.talk org.kde.JobViewServer
 #dbus-user.talk org.kde.kuiserver
-# Uncomment or put in your librewolf.local to allow screen sharing under wayland.
-#whitelist ${RUNUSER}/pipewire-0
-#dbus-user.talk org.freedesktop.portal.*
-# Also uncomment or put in your librewolf.local if screen sharing sharing still
-# does not work with the above lines (might depend on the portal
-# implementation)
+# Add the next line to your librewolf.local to allow screensharing under Wayland.
+#dbus-user.talk org.freedesktop.portal.Desktop
+# Also add the next line to your librewolf.local if screensharing does not work with
+# the above lines (depends on the portal implementation).
 #ignore noroot
+ignore apparmor
 ignore dbus-user none
 
 # Redirect
diff --git a/etc/profile-a-l/lifeograph.profile b/etc/profile-a-l/lifeograph.profile
new file mode 100644
index 000000000..747fd85fa
--- /dev/null
+++ b/etc/profile-a-l/lifeograph.profile
@@ -0,0 +1,57 @@
+# Firejail profile for lifeograph
+# Description: Lifeograph is a diary program to take personal notes
+# This file is overwritten after every install/update
+# Persistent local customizations
+include lifeograph.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${DOCUMENTS}
+
+blacklist /usr/libexec
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist ${DOCUMENTS}
+whitelist /usr/share/lifeograph
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin lifeograph
+private-cache
+private-dev
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,pango,X11
+private-tmp
+
+dbus-user filter
+dbus-user.talk ca.desrt.dconf
+dbus-system none
diff --git a/etc/profile-a-l/liferea.profile b/etc/profile-a-l/liferea.profile
index 7afca1d5f..f7955e352 100644
--- a/etc/profile-a-l/liferea.profile
+++ b/etc/profile-a-l/liferea.profile
@@ -18,7 +18,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 mkdir ${HOME}/.cache/liferea
diff --git a/etc/profile-a-l/lincity-ng.profile b/etc/profile-a-l/lincity-ng.profile
index 4254b7f33..073d814ec 100644
--- a/etc/profile-a-l/lincity-ng.profile
+++ b/etc/profile-a-l/lincity-ng.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
diff --git a/etc/profile-a-l/links-common.profile b/etc/profile-a-l/links-common.profile
new file mode 100644
index 000000000..84f5dc50d
--- /dev/null
+++ b/etc/profile-a-l/links-common.profile
@@ -0,0 +1,62 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include links-common.local
+
+# common profile for links browsers
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+# Additional noblacklist files/directories (blacklisted in disable-programs.inc)
+# used as associated programs can be added in your links-common.local.
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist ${DOWNLOADS}
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+# Add 'ignore machine-id' to your links-common.local if you want to restrict access to
+# the user-configured associated media player.
+machine-id
+netfilter
+# Add 'ignore no3d' to your links-common.local if you want to restrict access to
+# the user-configured associated media player.
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+# Add 'ignore nosound' to your links-common.local if you want to restrict access to
+# the user-configured associated media player.
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+# Add 'private-bin PROGRAM1,PROGRAM2' to your links-common.local if you want to use user-configured programs.
+private-bin sh
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl
+# Add the next line to your links-common.local to allow external media players.
+# private-etc alsa,asound.conf,machine-id,openal,pulse
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-a-l/links.profile b/etc/profile-a-l/links.profile
index a1eeda14a..8ce39cc7f 100644
--- a/etc/profile-a-l/links.profile
+++ b/etc/profile-a-l/links.profile
@@ -9,58 +9,10 @@ include globals.local
 
 noblacklist ${HOME}/.links
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
-
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-# Additional noblacklist files/directories (blacklisted in disable-programs.inc)
-# used as associated programs can be added in your links.local.
-include disable-programs.inc
-include disable-xdg.inc
-
 mkdir ${HOME}/.links
 whitelist ${HOME}/.links
-whitelist ${DOWNLOADS}
-include whitelist-runuser-common.inc
-include whitelist-var-common.inc
-
-caps.drop all
-ipc-namespace
-# Add 'ignore machine-id' to your links.local if you want to restrict access to
-# the user-configured associated media player.
-machine-id
-netfilter
-# Add 'ignore no3d' to your links.local if you want to restrict access to
-# the user-configured associated media player.
-no3d
-nodvd
-nogroups
-noinput
-nonewprivs
-noroot
-# Add 'ignore nosound' to your links.local if you want to restrict access to
-# the user-configured associated media player.
-nosound
-notv
-nou2f
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-tracelog
 
-disable-mnt
-# Add  'private-bin PROGRAM1,PROGRAM2' to your links.local  if you want to use user-configured programs.
-private-bin links,sh
-private-cache
-private-dev
-private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
-# Add the next line to your links.local to allow external media players.
-# private-etc alsa,asound.conf,machine-id,openal,pulse
-private-tmp
+private-bin links
 
-memory-deny-write-execute
+# Redirect
+include links-common.profile
diff --git a/etc/profile-a-l/links2.profile b/etc/profile-a-l/links2.profile
new file mode 100644
index 000000000..5f91dfcd2
--- /dev/null
+++ b/etc/profile-a-l/links2.profile
@@ -0,0 +1,18 @@
+# Firejail profile for links2
+# Description: Text WWW browser with a graphic version
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include links2.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.links2
+
+mkdir ${HOME}/.links2
+whitelist ${HOME}/.links2
+
+private-bin links2
+
+# Redirect
+include links-common.profile
diff --git a/etc/profile-a-l/linphone.profile b/etc/profile-a-l/linphone.profile
index 7ebdbef4c..f821c7512 100644
--- a/etc/profile-a-l/linphone.profile
+++ b/etc/profile-a-l/linphone.profile
@@ -15,7 +15,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 # linphone 4.0 (released 2017-06-26) moved config and database files to respect
diff --git a/etc/profile-a-l/lmms.profile b/etc/profile-a-l/lmms.profile
index 48b0e14dc..d1a754a6e 100644
--- a/etc/profile-a-l/lmms.profile
+++ b/etc/profile-a-l/lmms.profile
@@ -14,7 +14,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-a-l/lollypop.profile b/etc/profile-a-l/lollypop.profile
index f2676fec5..fde338ff0 100644
--- a/etc/profile-a-l/lollypop.profile
+++ b/etc/profile-a-l/lollypop.profile
@@ -17,7 +17,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
@@ -38,6 +37,6 @@ seccomp
 shell none
 
 private-dev
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,machine-id,pki,pulse,resolv.conf,ssl,xdg
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl,xdg
 private-tmp
 
diff --git a/etc/profile-a-l/lugaru.profile b/etc/profile-a-l/lugaru.profile
index 174c65a65..3d52d1266 100644
--- a/etc/profile-a-l/lugaru.profile
+++ b/etc/profile-a-l/lugaru.profile
@@ -15,7 +15,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
diff --git a/etc/profile-a-l/luminance-hdr.profile b/etc/profile-a-l/luminance-hdr.profile
index 31067034e..179bc37f2 100644
--- a/etc/profile-a-l/luminance-hdr.profile
+++ b/etc/profile-a-l/luminance-hdr.profile
@@ -13,7 +13,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-a-l/lutris.profile b/etc/profile-a-l/lutris.profile
index d750e5fcd..71309b48f 100644
--- a/etc/profile-a-l/lutris.profile
+++ b/etc/profile-a-l/lutris.profile
@@ -9,11 +9,16 @@ include globals.local
 noblacklist ${PATH}/llvm*
 noblacklist ${HOME}/Games
 noblacklist ${HOME}/.cache/lutris
+noblacklist ${HOME}/.cache/wine
 noblacklist ${HOME}/.cache/winetricks
 noblacklist ${HOME}/.config/lutris
 noblacklist ${HOME}/.local/share/lutris
 # noblacklist ${HOME}/.wine
 noblacklist /tmp/.wine-*
+# Don't block access to /sbin and /usr/sbin to allow using ldconfig. Otherwise
+# Lutris won't even start.
+noblacklist /sbin
+noblacklist /usr/sbin
 
 ignore noexec ${HOME}
 
@@ -25,12 +30,12 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/Games
 mkdir ${HOME}/.cache/lutris
+mkdir ${HOME}/.cache/wine
 mkdir ${HOME}/.cache/winetricks
 mkdir ${HOME}/.config/lutris
 mkdir ${HOME}/.local/share/lutris
@@ -38,6 +43,7 @@ mkdir ${HOME}/.local/share/lutris
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/Games
 whitelist ${HOME}/.cache/lutris
+whitelist ${HOME}/.cache/wine
 whitelist ${HOME}/.cache/winetricks
 whitelist ${HOME}/.config/lutris
 whitelist ${HOME}/.local/share/lutris
@@ -70,5 +76,7 @@ shell none
 #private-dev
 private-tmp
 
-dbus-user none
+dbus-user filter
+dbus-user.own net.lutris.Lutris
+dbus-user.talk com.feralinteractive.GameMode
 dbus-system none
diff --git a/etc/profile-a-l/lximage-qt.profile b/etc/profile-a-l/lximage-qt.profile
index b2a56012e..404535f91 100644
--- a/etc/profile-a-l/lximage-qt.profile
+++ b/etc/profile-a-l/lximage-qt.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/lxmusic.profile b/etc/profile-a-l/lxmusic.profile
index cc4b95551..0651b8329 100644
--- a/etc/profile-a-l/lxmusic.profile
+++ b/etc/profile-a-l/lxmusic.profile
@@ -14,7 +14,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-a-l/lynx.profile b/etc/profile-a-l/lynx.profile
index a919e924b..05a92e39d 100644
--- a/etc/profile-a-l/lynx.profile
+++ b/etc/profile-a-l/lynx.profile
@@ -13,7 +13,6 @@ blacklist ${RUNUSER}/wayland-*
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-a-l/lyx.profile b/etc/profile-a-l/lyx.profile
index fa69463d1..ae2f2d434 100644
--- a/etc/profile-a-l/lyx.profile
+++ b/etc/profile-a-l/lyx.profile
@@ -32,7 +32,7 @@ apparmor
 machine-id
 
 # private-bin atril,dvilualatex,env,latex,lua*,luatex,lyx,lyxclient,okular,pdf2latex,pdflatex,pdftex,perl*,python*,qpdf,qpdfview,sh,tex2lyx,texmf,xelatex
-private-etc alternatives,dconf,fonts,gtk-2.0,gtk-3.0,locale,locale.alias,locale.conf,lyx,machine-id,mime.types,passwd,texmf,X11,xdg
+private-etc alternatives,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,locale,locale.alias,locale.conf,lyx,machine-id,mime.types,passwd,texmf,X11,xdg
 
 # Redirect
 include latex-common.profile
diff --git a/etc/profile-m-z/Maelstrom.profile b/etc/profile-m-z/Maelstrom.profile
index 62d0a8b3a..3acb88e0e 100644
--- a/etc/profile-m-z/Maelstrom.profile
+++ b/etc/profile-m-z/Maelstrom.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
diff --git a/etc/profile-m-z/Mathematica.profile b/etc/profile-m-z/Mathematica.profile
index c2734b1c1..6286f066e 100644
--- a/etc/profile-m-z/Mathematica.profile
+++ b/etc/profile-m-z/Mathematica.profile
@@ -11,7 +11,6 @@ noblacklist ${HOME}/.Wolfram Research
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 mkdir ${HOME}/.Mathematica
diff --git a/etc/profile-m-z/PCSX2.profile b/etc/profile-m-z/PCSX2.profile
index e678b7204..59150f4c4 100644
--- a/etc/profile-m-z/PCSX2.profile
+++ b/etc/profile-m-z/PCSX2.profile
@@ -14,7 +14,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-write-mnt.inc
diff --git a/etc/profile-m-z/QMediathekView.profile b/etc/profile-m-z/QMediathekView.profile
index 86120587b..17ea38073 100644
--- a/etc/profile-m-z/QMediathekView.profile
+++ b/etc/profile-m-z/QMediathekView.profile
@@ -23,7 +23,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
diff --git a/etc/profile-m-z/QOwnNotes.profile b/etc/profile-m-z/QOwnNotes.profile
index 660378089..235640eeb 100644
--- a/etc/profile-m-z/QOwnNotes.profile
+++ b/etc/profile-m-z/QOwnNotes.profile
@@ -15,7 +15,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -51,6 +50,6 @@ tracelog
 disable-mnt
 private-bin gio,QOwnNotes
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hosts,ld.so.cache,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hosts,ld.so.cache,ld.so.preload,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl
 private-tmp
 
diff --git a/etc/profile-m-z/Viber.profile b/etc/profile-m-z/Viber.profile
index 3195e39fa..89ca53af6 100644
--- a/etc/profile-m-z/Viber.profile
+++ b/etc/profile-m-z/Viber.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 mkdir ${HOME}/.ViberPC
@@ -34,5 +33,5 @@ shell none
 
 disable-mnt
 private-bin awk,bash,dig,sh,Viber
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hosts,localtime,machine-id,mailcap,nsswitch.conf,pki,proxychains.conf,pulse,resolv.conf,ssl,X11
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,mailcap,nsswitch.conf,pki,proxychains.conf,pulse,resolv.conf,ssl,X11
 private-tmp
diff --git a/etc/profile-m-z/XMind.profile b/etc/profile-m-z/XMind.profile
index d78e04595..9c797a3e5 100644
--- a/etc/profile-m-z/XMind.profile
+++ b/etc/profile-m-z/XMind.profile
@@ -11,7 +11,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 mkdir ${HOME}/.xmind
diff --git a/etc/profile-m-z/Xvfb.profile b/etc/profile-m-z/Xvfb.profile
index 1acd43023..722e12d9c 100644
--- a/etc/profile-m-z/Xvfb.profile
+++ b/etc/profile-m-z/Xvfb.profile
@@ -43,5 +43,5 @@ private
 # private-bin sh,xkbcomp,Xvfb
 # private-bin bash,cat,ls,sh,strace,xkbcomp,Xvfb
 private-dev
-private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,nsswitch.conf,resolv.conf
+private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.preload,nsswitch.conf,resolv.conf
 private-tmp
diff --git a/etc/profile-m-z/ZeGrapher.profile b/etc/profile-m-z/ZeGrapher.profile
index 7686c3442..21482a161 100644
--- a/etc/profile-m-z/ZeGrapher.profile
+++ b/etc/profile-m-z/ZeGrapher.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 
diff --git a/etc/profile-m-z/macrofusion.profile b/etc/profile-m-z/macrofusion.profile
index d1dcb6fe0..88b68d43f 100644
--- a/etc/profile-m-z/macrofusion.profile
+++ b/etc/profile-m-z/macrofusion.profile
@@ -16,7 +16,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
diff --git a/etc/profile-m-z/magicor.profile b/etc/profile-m-z/magicor.profile
index 8a27b2626..47165dd3d 100644
--- a/etc/profile-m-z/magicor.profile
+++ b/etc/profile-m-z/magicor.profile
@@ -15,7 +15,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -46,7 +45,7 @@ disable-mnt
 private-bin magicor,python2*
 private-cache
 private-dev
-private-etc machine-id
+private-etc alternatives,ld.so.cache,ld.so.preload,machine-id
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/make.profile b/etc/profile-m-z/make.profile
new file mode 100644
index 000000000..7e9638fe4
--- /dev/null
+++ b/etc/profile-m-z/make.profile
@@ -0,0 +1,13 @@
+# Firejail profile for make
+# Description: GNU make utility to maintain groups of programs
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include make.local
+# Persistent global definitions
+include globals.local
+
+memory-deny-write-execute
+
+# Redirect
+include build-systems-common.profile
diff --git a/etc/profile-m-z/makepkg.profile b/etc/profile-m-z/makepkg.profile
index 513fcae55..3a68cce00 100644
--- a/etc/profile-m-z/makepkg.profile
+++ b/etc/profile-m-z/makepkg.profile
@@ -32,7 +32,6 @@ noblacklist /var/lib/pacman
 
 include disable-common.inc
 include disable-exec.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 caps.drop all
diff --git a/etc/profile-m-z/man.profile b/etc/profile-m-z/man.profile
index bd510fcac..ed3dac10e 100644
--- a/etc/profile-m-z/man.profile
+++ b/etc/profile-m-z/man.profile
@@ -16,7 +16,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
@@ -26,7 +25,6 @@ include disable-xdg.inc
 whitelist /usr/share/groff
 whitelist /usr/share/info
 whitelist /usr/share/lintian
-whitelist /usr/share/locale
 whitelist /usr/share/man
 whitelist /var/cache/man
 #include whitelist-common.inc
@@ -59,7 +57,7 @@ disable-mnt
 #private-bin apropos,bash,cat,catman,col,gpreconv,groff,grotty,gunzip,gzip,less,man,most,nroff,preconv,sed,sh,tbl,tr,troff,whatis,which,xtotroff,zcat,zsoelim
 private-cache
 private-dev
-private-etc alternatives,fonts,groff,locale,locale.alias,locale.conf,man_db.conf,manpath.config,selinux,sysless,xdg
+private-etc alternatives,fonts,groff,ld.so.cache,ld.so.preload,locale,locale.alias,locale.conf,man_db.conf,manpath.config,selinux,sysless,xdg
 #private-tmp
 
 dbus-user none
@@ -67,4 +65,4 @@ dbus-system none
 
 memory-deny-write-execute
 read-only ${HOME}
-read-only /tmp
+#read-only /tmp # breaks mandoc (see #4927)
diff --git a/etc/profile-m-z/manaplus.profile b/etc/profile-m-z/manaplus.profile
index f59a56ac6..28dc5d914 100644
--- a/etc/profile-m-z/manaplus.profile
+++ b/etc/profile-m-z/manaplus.profile
@@ -13,7 +13,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
diff --git a/etc/profile-m-z/marker.profile b/etc/profile-m-z/marker.profile
index 087c02964..746135ae5 100644
--- a/etc/profile-m-z/marker.profile
+++ b/etc/profile-m-z/marker.profile
@@ -20,11 +20,11 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
+whitelist /usr/libexec/webkit2gtk-4.0
 whitelist /usr/share/com.github.fabiocolacio.marker
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/masterpdfeditor.profile b/etc/profile-m-z/masterpdfeditor.profile
index de1135071..764d040ab 100644
--- a/etc/profile-m-z/masterpdfeditor.profile
+++ b/etc/profile-m-z/masterpdfeditor.profile
@@ -13,7 +13,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 include whitelist-var-common.inc
@@ -37,6 +36,6 @@ tracelog
 
 private-cache
 private-dev
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 private-tmp
 
diff --git a/etc/profile-m-z/mate-calc.profile b/etc/profile-m-z/mate-calc.profile
index 39ee7439d..2be6b9af1 100644
--- a/etc/profile-m-z/mate-calc.profile
+++ b/etc/profile-m-z/mate-calc.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 mkdir ${HOME}/.cache/mate-calc
@@ -43,7 +42,7 @@ shell none
 
 disable-mnt
 private-bin mate-calc,mate-calculator
-private-etc alternatives,dconf,fonts,gtk-3.0
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload
 private-dev
 private-opt none
 private-tmp
diff --git a/etc/profile-m-z/mate-color-select.profile b/etc/profile-m-z/mate-color-select.profile
index 007bab30d..e16b0fc6c 100644
--- a/etc/profile-m-z/mate-color-select.profile
+++ b/etc/profile-m-z/mate-color-select.profile
@@ -9,7 +9,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 
@@ -34,7 +33,7 @@ shell none
 
 disable-mnt
 private-bin mate-color-select
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 private-dev
 private-lib
 private-tmp
diff --git a/etc/profile-m-z/mate-dictionary.profile b/etc/profile-m-z/mate-dictionary.profile
index ae1fcbf62..469416304 100644
--- a/etc/profile-m-z/mate-dictionary.profile
+++ b/etc/profile-m-z/mate-dictionary.profile
@@ -11,7 +11,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 
@@ -38,7 +37,7 @@ shell none
 
 disable-mnt
 private-bin mate-dictionary
-private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl
 private-opt mate-dictionary
 private-dev
 private-tmp
diff --git a/etc/profile-m-z/mcabber.profile b/etc/profile-m-z/mcabber.profile
index 38d2d8d63..4c4a6aa76 100644
--- a/etc/profile-m-z/mcabber.profile
+++ b/etc/profile-m-z/mcabber.profile
@@ -12,7 +12,6 @@ noblacklist ${HOME}/.mcabberrc
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 
@@ -32,4 +31,4 @@ shell none
 
 private-bin mcabber
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,pki,ssl
+private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,pki,ssl
diff --git a/etc/profile-m-z/mcomix.profile b/etc/profile-m-z/mcomix.profile
new file mode 100644
index 000000000..5c965f55c
--- /dev/null
+++ b/etc/profile-m-z/mcomix.profile
@@ -0,0 +1,73 @@
+# Firejail profile for mcomix
+# Description: A comic book and manga viewer in python
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mcomix.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/mcomix
+noblacklist ${HOME}/.local/share/mcomix
+noblacklist ${DOCUMENTS}
+
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
+# Allow python (blacklisted by disable-interpreters.inc)
+# mcomix <= 1.2 uses python2
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-write-mnt.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/mcomix
+mkdir ${HOME}/.local/share/mcomix
+whitelist /usr/share/mcomix
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+include whitelist-runuser-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+# mcomix <= 1.2 uses python2
+private-bin 7z,lha,mcomix,mutool,python*,rar,sh,unrar,unzip
+private-cache
+private-dev
+# mcomix <= 1.2 uses gtk-2.0
+private-etc alternatives,dconf,fonts,gconf,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,pango,passwd,X11,xdg
+private-tmp
+
+dbus-user none
+dbus-system none
+
+read-only ${HOME}
+read-write ${HOME}/.config/mcomix
+read-write ${HOME}/.local/share/mcomix
+#to allow ${HOME}/.local/share/recently-used.xbel
+read-write ${HOME}/.local/share
+# used by mcomix <= 1.2, tip, make a symbolic link to .cache/thumbnails
+read-write ${HOME}/.thumbnails
diff --git a/etc/profile-m-z/mdr.profile b/etc/profile-m-z/mdr.profile
index 5d3f8dc41..bcfd59cbb 100644
--- a/etc/profile-m-z/mdr.profile
+++ b/etc/profile-m-z/mdr.profile
@@ -11,7 +11,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -46,7 +45,7 @@ disable-mnt
 private-bin mdr
 private-cache
 private-dev
-private-etc none
+private-etc alternatives,ld.so.cache,ld.so.preload
 private-lib
 private-tmp
 
diff --git a/etc/profile-m-z/mediainfo.profile b/etc/profile-m-z/mediainfo.profile
index 17363624f..6a10edb9e 100644
--- a/etc/profile-m-z/mediainfo.profile
+++ b/etc/profile-m-z/mediainfo.profile
@@ -1,6 +1,7 @@
 # Firejail profile for mediainfo
 # Description: Command-line utility for reading information from audio/video files
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include mediainfo.local
 # Persistent global definitions
@@ -12,7 +13,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 
@@ -43,7 +43,7 @@ x11 none
 private-bin mediainfo
 private-cache
 private-dev
-private-etc alternatives
+private-etc alternatives,ld.so.cache,ld.so.preload
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/mediathekview.profile b/etc/profile-m-z/mediathekview.profile
index 0063badd8..f0ef7d010 100644
--- a/etc/profile-m-z/mediathekview.profile
+++ b/etc/profile-m-z/mediathekview.profile
@@ -17,6 +17,8 @@ noblacklist ${HOME}/.mediathek3
 noblacklist ${HOME}/.mplayer
 noblacklist ${VIDEOS}
 
+ignore noexec /tmp
+
 # Allow java (blacklisted by disable-devel.inc)
 include allow-java.inc
 
@@ -24,10 +26,11 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+mkdir ${HOME}/.mediathek3
+whitelist ${HOME}/.mediathek3
 include whitelist-var-common.inc
 
 caps.drop all
diff --git a/etc/profile-m-z/megaglest.profile b/etc/profile-m-z/megaglest.profile
index 972838729..d55745698 100644
--- a/etc/profile-m-z/megaglest.profile
+++ b/etc/profile-m-z/megaglest.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -20,6 +19,7 @@ include disable-xdg.inc
 mkdir ${HOME}/.megaglest
 whitelist ${HOME}/.megaglest
 whitelist /usr/share/megaglest
+whitelist /usr/share/games/megaglest    # Debian version
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/meld.profile b/etc/profile-m-z/meld.profile
index 1225cc107..4aeca0f28 100644
--- a/etc/profile-m-z/meld.profile
+++ b/etc/profile-m-z/meld.profile
@@ -29,12 +29,13 @@ include allow-python3.inc
 # Allow ssh (blacklisted by disable-common.inc)
 include allow-ssh.inc
 
+blacklist /usr/libexec
+
 # Add the next line to your meld.local if you don't need to compare files in disable-common.inc.
 #include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 # Add the next line to your meld.local if you don't need to compare files in disable-programs.inc.
 #include disable-programs.inc
 include disable-shell.inc
diff --git a/etc/profile-m-z/mencoder.profile b/etc/profile-m-z/mencoder.profile
index caf238785..3909e543e 100644
--- a/etc/profile-m-z/mencoder.profile
+++ b/etc/profile-m-z/mencoder.profile
@@ -11,7 +11,6 @@ include mencoder.local
 #include disable-common.inc
 #include disable-devel.inc
 #include disable-interpreters.inc
-#include disable-passwdmgr.inc
 #include disable-programs.inc
 
 ipc-namespace
diff --git a/etc/profile-m-z/mendeleydesktop.profile b/etc/profile-m-z/mendeleydesktop.profile
index c0bdbb230..446109e9a 100644
--- a/etc/profile-m-z/mendeleydesktop.profile
+++ b/etc/profile-m-z/mendeleydesktop.profile
@@ -22,7 +22,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/menulibre.profile b/etc/profile-m-z/menulibre.profile
index 2081b8c96..ed0758a49 100644
--- a/etc/profile-m-z/menulibre.profile
+++ b/etc/profile-m-z/menulibre.profile
@@ -15,7 +15,6 @@ include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
-include disable-passwdmgr.inc
 include disable-xdg.inc
 
 # Whitelist your system icon directory,varies by distro
@@ -53,7 +52,7 @@ tracelog
 disable-mnt
 private-cache
 private-dev
-private-etc alternatives,dconf,fonts,gtk-3.0,locale.alias,locale.conf,mime.types,nsswitch.conf,passwd,pki,selinux,X11,xdg
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,locale.alias,locale.conf,mime.types,nsswitch.conf,passwd,pki,selinux,X11,xdg
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/meson.profile b/etc/profile-m-z/meson.profile
new file mode 100644
index 000000000..b4909a9d8
--- /dev/null
+++ b/etc/profile-m-z/meson.profile
@@ -0,0 +1,14 @@
+# Firejail profile for meson
+# Description: A high productivity build system
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include meson.local
+# Persistent global definitions
+include globals.local
+
+# Allow python3 (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
+# Redirect
+include build-systems-common.profile
diff --git a/etc/profile-m-z/meteo-qt.profile b/etc/profile-m-z/meteo-qt.profile
index 85ed7bc74..bdd36949b 100644
--- a/etc/profile-m-z/meteo-qt.profile
+++ b/etc/profile-m-z/meteo-qt.profile
@@ -16,7 +16,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
diff --git a/etc/profile-m-z/microsoft-edge-beta.profile b/etc/profile-m-z/microsoft-edge-beta.profile
new file mode 100644
index 000000000..095038f08
--- /dev/null
+++ b/etc/profile-m-z/microsoft-edge-beta.profile
@@ -0,0 +1,20 @@
+# Firejail profile for Microsoft Edge Beta
+# Description: Web browser from Microsoft,beta channel
+# This file is overwritten after every install/update
+# Persistent local customizations
+include microsoft-edge-beta.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/microsoft-edge-beta
+noblacklist ${HOME}/.config/microsoft-edge-beta
+
+mkdir ${HOME}/.cache/microsoft-edge-beta
+mkdir ${HOME}/.config/microsoft-edge-beta
+whitelist ${HOME}/.cache/microsoft-edge-beta
+whitelist ${HOME}/.config/microsoft-edge-beta
+
+private-opt microsoft
+
+# Redirect
+include chromium-common.profile
diff --git a/etc/profile-m-z/midori.profile b/etc/profile-m-z/midori.profile
index e15259608..eb037f51b 100644
--- a/etc/profile-m-z/midori.profile
+++ b/etc/profile-m-z/midori.profile
@@ -12,10 +12,10 @@ include globals.local
 noblacklist ${HOME}/.cache/midori
 noblacklist ${HOME}/.config/midori
 noblacklist ${HOME}/.local/share/midori
+noblacklist ${HOME}/.local/share/pki
 # noblacklist ${HOME}/.local/share/webkit
 # noblacklist ${HOME}/.local/share/webkitgtk
 noblacklist ${HOME}/.pki
-noblacklist ${HOME}/.local/share/pki
 
 noblacklist ${HOME}/.cache/gnome-mplayer
 noblacklist ${HOME}/.config/gnome-mplayer
@@ -25,17 +25,16 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-#include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.cache/midori
 mkdir ${HOME}/.config/midori
 mkdir ${HOME}/.local/share/midori
+mkdir ${HOME}/.local/share/pki
 mkdir ${HOME}/.local/share/webkit
 mkdir ${HOME}/.local/share/webkitgtk
 mkdir ${HOME}/.pki
-mkdir ${HOME}/.local/share/pki
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/gnome-mplayer/plugin
 whitelist ${HOME}/.cache/midori
@@ -43,10 +42,10 @@ whitelist ${HOME}/.config/gnome-mplayer
 whitelist ${HOME}/.config/midori
 whitelist ${HOME}/.lastpass
 whitelist ${HOME}/.local/share/midori
+whitelist ${HOME}/.local/share/pki
 whitelist ${HOME}/.local/share/webkit
 whitelist ${HOME}/.local/share/webkitgtk
 whitelist ${HOME}/.pki
-whitelist ${HOME}/.local/share/pki
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/mindless.profile b/etc/profile-m-z/mindless.profile
index fbf6b58e8..16ace7ce4 100644
--- a/etc/profile-m-z/mindless.profile
+++ b/etc/profile-m-z/mindless.profile
@@ -10,7 +10,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -43,7 +42,7 @@ private
 private-bin mindless
 private-cache
 private-dev
-private-etc fonts
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/minecraft-launcher.profile b/etc/profile-m-z/minecraft-launcher.profile
index cdea91b8f..d4f3e344e 100644
--- a/etc/profile-m-z/minecraft-launcher.profile
+++ b/etc/profile-m-z/minecraft-launcher.profile
@@ -6,7 +6,8 @@ include minecraft-launcher.local
 # Persistent global definitions
 include globals.local
 
-# On some distros executable may be in '/opt/minecraft-launcher/', if so, run 'firejail /opt/minecraft-launcher/minecraft-launcher' to start it.
+# Some distros put the executable in /opt/minecraft-launcher.
+# Run 'firejail /opt/minecraft-launcher/minecraft-launcher' to start it.
 
 ignore noexec ${HOME}
 
@@ -18,7 +19,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -30,7 +30,6 @@ include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
-apparmor
 caps.drop all
 netfilter
 nodvd
@@ -50,7 +49,8 @@ disable-mnt
 private-bin java,java-config,minecraft-launcher
 private-cache
 private-dev
-# If multiplayer or realms break add your own java folder from /etc or comment the line below.
+# If multiplayer or realms break, add 'private-etc <your-own-java-folder-from-/etc>'
+# or 'ignore private-etc' to your minecraft-launcher.local.
 private-etc alternatives,asound.conf,ati,ca-certificates,crypto-policies,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,java-10-openjdk,java-11-openjdk,java-12-openjdk,java-13-openjdk,java-14-openjdk,java-7-openjdk,java-8-openjdk,java-9-openjdk,java-openjdk,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,login.defs,machine-id,mime.types,nvidia,passwd,pki,pulse,resolv.conf,selinux,services,ssl,timezone,X11,xdg
 private-opt minecraft-launcher
 private-tmp
diff --git a/etc/profile-m-z/minetest.profile b/etc/profile-m-z/minetest.profile
index cad1adbda..ec5de821a 100644
--- a/etc/profile-m-z/minetest.profile
+++ b/etc/profile-m-z/minetest.profile
@@ -19,7 +19,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
diff --git a/etc/profile-m-z/minitube.profile b/etc/profile-m-z/minitube.profile
index 3fe3428d0..581af9b81 100644
--- a/etc/profile-m-z/minitube.profile
+++ b/etc/profile-m-z/minitube.profile
@@ -17,7 +17,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -47,7 +46,7 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6,netlink
-seccomp !kcmp
+seccomp
 shell none
 tracelog
 
diff --git a/etc/profile-m-z/mirage.profile b/etc/profile-m-z/mirage.profile
index 505009283..5a8544965 100644
--- a/etc/profile-m-z/mirage.profile
+++ b/etc/profile-m-z/mirage.profile
@@ -19,7 +19,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
diff --git a/etc/profile-m-z/mirrormagic.profile b/etc/profile-m-z/mirrormagic.profile
index 58dfd56f5..be846ce63 100644
--- a/etc/profile-m-z/mirrormagic.profile
+++ b/etc/profile-m-z/mirrormagic.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -45,7 +44,7 @@ private
 private-bin mirrormagic
 private-cache
 private-dev
-private-etc machine-id
+private-etc alternatives,ld.so.cache,ld.so.preload,machine-id
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/mocp.profile b/etc/profile-m-z/mocp.profile
index e71ba4569..313d78030 100644
--- a/etc/profile-m-z/mocp.profile
+++ b/etc/profile-m-z/mocp.profile
@@ -14,7 +14,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
@@ -43,7 +42,7 @@ tracelog
 private-bin mocp
 private-cache
 private-dev
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,machine-id,pki,pulse,resolv.conf,ssl
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/mousepad.profile b/etc/profile-m-z/mousepad.profile
index 98063fa7c..2939d9bde 100644
--- a/etc/profile-m-z/mousepad.profile
+++ b/etc/profile-m-z/mousepad.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 
diff --git a/etc/profile-m-z/mp3splt-gtk.profile b/etc/profile-m-z/mp3splt-gtk.profile
index 37ce60e04..fe3c78b55 100644
--- a/etc/profile-m-z/mp3splt-gtk.profile
+++ b/etc/profile-m-z/mp3splt-gtk.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 
@@ -38,7 +37,7 @@ tracelog
 private-bin mp3splt-gtk
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-3.0,machine-id,openal,pulse
+private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,machine-id,openal,pulse
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/mp3splt.profile b/etc/profile-m-z/mp3splt.profile
index 070de8451..c89c72ce4 100644
--- a/etc/profile-m-z/mp3splt.profile
+++ b/etc/profile-m-z/mp3splt.profile
@@ -14,7 +14,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
@@ -45,7 +44,7 @@ disable-mnt
 private-bin flacsplt,mp3splt,mp3wrap,oggsplt
 private-cache
 private-dev
-private-etc alternatives
+private-etc alternatives,ld.so.cache,ld.so.preload
 private-tmp
 
 memory-deny-write-execute
diff --git a/etc/profile-m-z/mpDris2.profile b/etc/profile-m-z/mpDris2.profile
index 55a0b5897..18a839363 100644
--- a/etc/profile-m-z/mpDris2.profile
+++ b/etc/profile-m-z/mpDris2.profile
@@ -18,7 +18,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -50,7 +49,7 @@ shell none
 private-bin mpDris2,notify-send,python*
 private-cache
 private-dev
-private-etc alternatives,hosts,nsswitch.conf
+private-etc alternatives,hosts,ld.so.cache,ld.so.preload,nsswitch.conf
 private-lib libdbus-1.so.*,libdbus-glib-1.so.*,libgirepository-1.0.so.*,libnotify.so.*,libpython*,python2*,python3*
 private-tmp
 
diff --git a/etc/profile-m-z/mpd.profile b/etc/profile-m-z/mpd.profile
index b517d4ab2..761d5b041 100644
--- a/etc/profile-m-z/mpd.profile
+++ b/etc/profile-m-z/mpd.profile
@@ -15,7 +15,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-m-z/mpg123.profile b/etc/profile-m-z/mpg123.profile
index 25187e894..c3bff23bc 100644
--- a/etc/profile-m-z/mpg123.profile
+++ b/etc/profile-m-z/mpg123.profile
@@ -13,7 +13,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-m-z/mplayer.profile b/etc/profile-m-z/mplayer.profile
index 5d023b7f1..2d51d9884 100644
--- a/etc/profile-m-z/mplayer.profile
+++ b/etc/profile-m-z/mplayer.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 read-only ${DESKTOP}
diff --git a/etc/profile-m-z/mpsyt.profile b/etc/profile-m-z/mpsyt.profile
index bfe57a132..ffc7698c7 100644
--- a/etc/profile-m-z/mpsyt.profile
+++ b/etc/profile-m-z/mpsyt.profile
@@ -27,7 +27,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -51,7 +50,6 @@ apparmor
 caps.drop all
 netfilter
 nodvd
-# Seems to cause issues with Nvidia drivers sometimes
 nogroups
 noinput
 nonewprivs
diff --git a/etc/profile-m-z/mpv.profile b/etc/profile-m-z/mpv.profile
index 310f36ea1..e58beec0c 100644
--- a/etc/profile-m-z/mpv.profile
+++ b/etc/profile-m-z/mpv.profile
@@ -11,7 +11,7 @@ include globals.local
 # edit ~/.config/mpv/foobar.conf:
 #    screenshot-directory=~/Pictures
 
-# Mpv has a powerfull lua-API, some off these lua-scripts interact
+# Mpv has a powerful lua-API, some off these lua-scripts interact
 # with external resources which are blocked by firejail. In such cases
 # you need to allow these resources by
 #  - adding additional binaries to private-bin
@@ -26,7 +26,11 @@ include globals.local
 
 noblacklist ${HOME}/.config/mpv
 noblacklist ${HOME}/.config/youtube-dl
+noblacklist ${HOME}/.config/yt-dlp
+noblacklist ${HOME}/.config/yt-dlp.conf
 noblacklist ${HOME}/.netrc
+noblacklist ${HOME}/yt-dlp.conf
+noblacklist ${HOME}/yt-dlp.conf.txt
 
 # Allow lua (blacklisted by disable-interpreters.inc)
 include allow-lua.inc
@@ -35,33 +39,36 @@ include allow-lua.inc
 include allow-python2.inc
 include allow-python3.inc
 
+blacklist /usr/libexec
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 
 read-only ${DESKTOP}
 mkdir ${HOME}/.config/mpv
-mkdir ${HOME}/.config/youtube-dl
 mkfile ${HOME}/.netrc
 whitelist ${HOME}/.config/mpv
 whitelist ${HOME}/.config/youtube-dl
+whitelist ${HOME}/.config/yt-dlp
+whitelist ${HOME}/.config/yt-dlp.conf
 whitelist ${HOME}/.netrc
-include whitelist-common.inc
-include whitelist-player-common.inc
+whitelist ${HOME}/yt-dlp.conf
+whitelist ${HOME}/yt-dlp.conf.txt
 whitelist /usr/share/lua
 whitelist /usr/share/lua*
 whitelist /usr/share/vulkan
+include whitelist-common.inc
+include whitelist-player-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 apparmor
 caps.drop all
 netfilter
-# nogroups seems to cause issues with Nvidia drivers sometimes
 nogroups
 noinput
 nonewprivs
@@ -73,7 +80,7 @@ seccomp.block-secondary
 shell none
 tracelog
 
-private-bin env,mpv,python*,waf,youtube-dl
+private-bin env,mpv,python*,waf,youtube-dl,yt-dlp
 # private-cache causes slow OSD, see #2838
 #private-cache
 private-dev
diff --git a/etc/profile-m-z/mrrescue.profile b/etc/profile-m-z/mrrescue.profile
index 035a7e625..3fe88ec7f 100644
--- a/etc/profile-m-z/mrrescue.profile
+++ b/etc/profile-m-z/mrrescue.profile
@@ -14,11 +14,12 @@ include allow-bin-sh.inc
 # Allow lua (blacklisted by disable-interpreters.inc)
 include allow-lua.inc
 
+blacklist /usr/libexec
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -36,7 +37,6 @@ caps.drop all
 net none
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
@@ -52,7 +52,7 @@ disable-mnt
 private-bin love,mrrescue,sh
 private-cache
 private-dev
-private-etc machine-id
+private-etc alternatives,ld.so.cache,ld.so.preload,machine-id
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/ms-office.profile b/etc/profile-m-z/ms-office.profile
index 38fc84ecc..e15b14db7 100644
--- a/etc/profile-m-z/ms-office.profile
+++ b/etc/profile-m-z/ms-office.profile
@@ -16,7 +16,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 caps.drop all
@@ -36,7 +35,7 @@ tracelog
 
 disable-mnt
 private-bin bash,env,fonts,jak,ms-office,python*,sh
-private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl
 private-dev
 private-tmp
 
diff --git a/etc/profile-m-z/mtpaint.profile b/etc/profile-m-z/mtpaint.profile
index 85c3ee9f2..126336cb3 100644
--- a/etc/profile-m-z/mtpaint.profile
+++ b/etc/profile-m-z/mtpaint.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
diff --git a/etc/profile-m-z/multimc5.profile b/etc/profile-m-z/multimc5.profile
index 6df681df1..a61f9001d 100644
--- a/etc/profile-m-z/multimc5.profile
+++ b/etc/profile-m-z/multimc5.profile
@@ -9,6 +9,10 @@ noblacklist ${HOME}/.local/share/multimc
 noblacklist ${HOME}/.local/share/multimc5
 noblacklist ${HOME}/.multimc5
 
+# Ignore noexec on ${HOME} as MultiMC installs LWJGL native
+# libraries in ${HOME}/.local/share/multimc
+ignore noexec ${HOME}
+
 # Allow java (blacklisted by disable-devel.inc)
 include allow-java.inc
 
@@ -16,7 +20,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 mkdir ${HOME}/.local/share/multimc
diff --git a/etc/profile-m-z/mumble.profile b/etc/profile-m-z/mumble.profile
index c7f59c5ee..ad0920979 100644
--- a/etc/profile-m-z/mumble.profile
+++ b/etc/profile-m-z/mumble.profile
@@ -14,7 +14,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 
diff --git a/etc/profile-m-z/mupdf-x11-curl.profile b/etc/profile-m-z/mupdf-x11-curl.profile
index a04d386a2..006f64ba8 100644
--- a/etc/profile-m-z/mupdf-x11-curl.profile
+++ b/etc/profile-m-z/mupdf-x11-curl.profile
@@ -12,7 +12,7 @@ ignore net none
 netfilter
 protocol unix,inet,inet6
 
-private-etc ca-certificates,crypto-policies,hosts,nsswitch.conf,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,hosts,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl
 
 # Redirect
 include mupdf.profile
diff --git a/etc/profile-m-z/mupdf.profile b/etc/profile-m-z/mupdf.profile
index 9e4609c48..22cb83cc4 100644
--- a/etc/profile-m-z/mupdf.profile
+++ b/etc/profile-m-z/mupdf.profile
@@ -4,7 +4,7 @@
 # Persistent local customizations
 include mupdf.local
 # Persistent global definitions
-#include globals.local
+include globals.local
 
 noblacklist ${DOCUMENTS}
 
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-m-z/mupen64plus.profile b/etc/profile-m-z/mupen64plus.profile
index 00983a8f3..093767c27 100644
--- a/etc/profile-m-z/mupen64plus.profile
+++ b/etc/profile-m-z/mupen64plus.profile
@@ -11,8 +11,6 @@ noblacklist ${HOME}/.local/share/mupen64plus
 
 include disable-common.inc
 include disable-devel.inc
-include disable-passwdmgr.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 # you'll need to manually whitelist ROM files
diff --git a/etc/profile-m-z/musescore.profile b/etc/profile-m-z/musescore.profile
index 679e82ae8..12bb653a8 100644
--- a/etc/profile-m-z/musescore.profile
+++ b/etc/profile-m-z/musescore.profile
@@ -17,7 +17,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-m-z/musictube.profile b/etc/profile-m-z/musictube.profile
index 04500ac6a..226fb4810 100644
--- a/etc/profile-m-z/musictube.profile
+++ b/etc/profile-m-z/musictube.profile
@@ -14,7 +14,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
diff --git a/etc/profile-m-z/musixmatch.profile b/etc/profile-m-z/musixmatch.profile
index 74b3e9a5f..796d7fbb0 100644
--- a/etc/profile-m-z/musixmatch.profile
+++ b/etc/profile-m-z/musixmatch.profile
@@ -10,7 +10,6 @@ noblacklist ${MUSIC}
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
@@ -30,9 +29,9 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6,netlink
-seccomp
+seccomp !chroot
 
 disable-mnt
 private-dev
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,machine-id,pki,pulse,ssl
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,machine-id,pki,pulse,ssl
 
diff --git a/etc/profile-m-z/mutt.profile b/etc/profile-m-z/mutt.profile
index debf81659..d10c55549 100644
--- a/etc/profile-m-z/mutt.profile
+++ b/etc/profile-m-z/mutt.profile
@@ -47,7 +47,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
@@ -135,7 +134,7 @@ tracelog
 # disable-mnt
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,gai.conf,gcrypt,gnupg,gnutls,hostname,hosts,hosts.conf,mail,mailname,Mutt,Muttrc,Muttrc.d,nntpserver,nsswitch.conf,passwd,pki,resolv.conf,ssl,terminfo,xdg
+private-etc alternatives,ca-certificates,crypto-policies,fonts,gai.conf,gcrypt,gnupg,gnutls,hostname,hosts,hosts.conf,ld.so.cache,ld.so.preload,mail,mailname,Mutt,Muttrc,Muttrc.d,nntpserver,nsswitch.conf,passwd,pki,resolv.conf,ssl,terminfo,xdg
 private-tmp
 writable-run-user
 writable-var
diff --git a/etc/profile-m-z/mypaint.profile b/etc/profile-m-z/mypaint.profile
index d8d487fe7..74301df06 100644
--- a/etc/profile-m-z/mypaint.profile
+++ b/etc/profile-m-z/mypaint.profile
@@ -19,7 +19,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
@@ -44,7 +43,7 @@ tracelog
 
 private-cache
 private-dev
-private-etc alternatives,dconf,fonts,gtk-3.0
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/nano.profile b/etc/profile-m-z/nano.profile
index 45d5f59dd..f7c1f0ff7 100644
--- a/etc/profile-m-z/nano.profile
+++ b/etc/profile-m-z/nano.profile
@@ -16,7 +16,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 whitelist /usr/share/nano
@@ -47,8 +46,12 @@ x11 none
 private-bin nano,rnano
 private-cache
 private-dev
-# Comment the next line if you want to edit files in /etc directly
-private-etc alternatives,nanorc
+# Add the next lines to your nano.local if you want to edit files in /etc directly.
+#ignore private-etc
+#writable-etc
+private-etc alternatives,ld.so.cache,ld.so.preload,nanorc
+# Add the next line to your nano.local if you want to edit files in /var directly.
+#writable-var
 
 dbus-user none
 dbus-system none
diff --git a/etc/profile-m-z/natron.profile b/etc/profile-m-z/natron.profile
index 5bf152f84..2464844c4 100644
--- a/etc/profile-m-z/natron.profile
+++ b/etc/profile-m-z/natron.profile
@@ -17,7 +17,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 caps.drop all
diff --git a/etc/profile-m-z/ncdu.profile b/etc/profile-m-z/ncdu.profile
index 063e30366..5578cfc9c 100644
--- a/etc/profile-m-z/ncdu.profile
+++ b/etc/profile-m-z/ncdu.profile
@@ -1,6 +1,7 @@
 # Firejail profile for ncdu
 # Description: Ncurses disk usage viewer
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include ncdu.local
 # Persistent global definitions
diff --git a/etc/profile-m-z/ncdu2.profile b/etc/profile-m-z/ncdu2.profile
new file mode 100644
index 000000000..220692b3a
--- /dev/null
+++ b/etc/profile-m-z/ncdu2.profile
@@ -0,0 +1,12 @@
+# Firejail profile for ncdu2
+# Description: Ncurses disk usage viewer (zig rewrite)
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include ncdu2.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include ncdu.profile
diff --git a/etc/profile-m-z/neochat.profile b/etc/profile-m-z/neochat.profile
index 9f00448c8..0f55b674f 100644
--- a/etc/profile-m-z/neochat.profile
+++ b/etc/profile-m-z/neochat.profile
@@ -17,7 +17,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -61,6 +60,6 @@ private-tmp
 dbus-user filter
 dbus-user.own org.kde.neochat
 dbus-user.talk org.freedesktop.Notifications
-dbus-user.talk org.kde.StatusNotifierWatcher
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
 dbus-user.talk org.kde.kwalletd5
 dbus-system none
diff --git a/etc/profile-m-z/neomutt.profile b/etc/profile-m-z/neomutt.profile
index fafa129e4..f31cf9dcb 100644
--- a/etc/profile-m-z/neomutt.profile
+++ b/etc/profile-m-z/neomutt.profile
@@ -46,7 +46,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
@@ -138,7 +137,7 @@ tracelog
 # disable-mnt
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gnupg,hostname,hosts,hosts.conf,mail,mailname,Mutt,Muttrc,Muttrc.d,neomuttrc,neomuttrc.d,nntpserver,nsswitch.conf,passwd,pki,resolv.conf,ssl,xdg
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gnupg,hostname,hosts,hosts.conf,ld.so.cache,ld.so.preload,mail,mailname,Mutt,Muttrc,Muttrc.d,neomuttrc,neomuttrc.d,nntpserver,nsswitch.conf,passwd,pki,resolv.conf,ssl,xdg
 private-tmp
 writable-run-user
 writable-var
diff --git a/etc/profile-m-z/netactview.profile b/etc/profile-m-z/netactview.profile
index 5d45dd7bc..d6ac8d5bc 100644
--- a/etc/profile-m-z/netactview.profile
+++ b/etc/profile-m-z/netactview.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -46,7 +45,7 @@ disable-mnt
 private-bin netactview,netactview_polkit
 private-cache
 private-dev
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 private-lib
 private-tmp
 
diff --git a/etc/profile-m-z/nethack-vultures.profile b/etc/profile-m-z/nethack-vultures.profile
index c9a537370..4da43a2d0 100644
--- a/etc/profile-m-z/nethack-vultures.profile
+++ b/etc/profile-m-z/nethack-vultures.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 mkdir ${HOME}/.vultures
diff --git a/etc/profile-m-z/nethack.profile b/etc/profile-m-z/nethack.profile
index b57abe260..5037133f2 100644
--- a/etc/profile-m-z/nethack.profile
+++ b/etc/profile-m-z/nethack.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 whitelist /var/games/nethack
diff --git a/etc/profile-m-z/neverball.profile b/etc/profile-m-z/neverball.profile
index ecfbb14e4..9b7826fd0 100644
--- a/etc/profile-m-z/neverball.profile
+++ b/etc/profile-m-z/neverball.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
diff --git a/etc/profile-m-z/newsboat.profile b/etc/profile-m-z/newsboat.profile
index 13bc3a615..cf72bf802 100644
--- a/etc/profile-m-z/newsboat.profile
+++ b/etc/profile-m-z/newsboat.profile
@@ -17,7 +17,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
@@ -54,7 +53,7 @@ disable-mnt
 private-bin gzip,lynx,newsboat,sh,w3m
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,lynx.cfg,lynx.lss,pki,resolv.conf,ssl,terminfo
+private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,lynx.cfg,lynx.lss,pki,resolv.conf,ssl,terminfo
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/newsflash.profile b/etc/profile-m-z/newsflash.profile
index 18d8c6ed4..9966a0e1b 100644
--- a/etc/profile-m-z/newsflash.profile
+++ b/etc/profile-m-z/newsflash.profile
@@ -14,7 +14,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -52,7 +51,7 @@ disable-mnt
 private-bin com.gitlab.newsflash,newsflash
 private-cache
 private-dev
-private-etc ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,nsswitch.conf,pango,pki,resolv.conf,ssl,X11
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,nsswitch.conf,pango,pki,resolv.conf,ssl,X11
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/nextcloud.profile b/etc/profile-m-z/nextcloud.profile
index 9fd76fbe7..2e4a95125 100644
--- a/etc/profile-m-z/nextcloud.profile
+++ b/etc/profile-m-z/nextcloud.profile
@@ -19,7 +19,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -30,6 +29,7 @@ mkdir ${HOME}/.local/share/Nextcloud
 whitelist ${HOME}/Nextcloud
 whitelist ${HOME}/.config/Nextcloud
 whitelist ${HOME}/.local/share/Nextcloud
+whitelist /usr/share/nextcloud
 # Add the next lines to your nextcloud.local to allow sync in more directories.
 #whitelist ${DOCUMENTS}
 #whitelist ${MUSIC}
@@ -44,7 +44,6 @@ apparmor
 caps.drop all
 machine-id
 netfilter
-no3d
 nodvd
 nogroups
 noinput
@@ -63,10 +62,11 @@ tracelog
 disable-mnt
 private-bin nextcloud,nextcloud-desktop
 private-cache
-private-etc alternatives,ca-certificates,crypto-policies,drirc,fonts,gcrypt,host.conf,hosts,ld.so.cache,machine-id,Nextcloud,nsswitch.conf,os-release,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg
+private-etc alternatives,ca-certificates,crypto-policies,drirc,fonts,gcrypt,host.conf,hosts,ld.so.cache,ld.so.preload,machine-id,Nextcloud,nsswitch.conf,os-release,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg
 private-dev
 private-tmp
 
 dbus-user filter
 dbus-user.talk org.freedesktop.secrets
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
 dbus-system none
diff --git a/etc/profile-m-z/nheko.profile b/etc/profile-m-z/nheko.profile
index f8062891c..89a146a09 100644
--- a/etc/profile-m-z/nheko.profile
+++ b/etc/profile-m-z/nheko.profile
@@ -14,7 +14,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -52,11 +51,9 @@ private-dev
 private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 private-tmp
 
-
-# Add the next lines to your nheko.local to enable notification support.
-#ignore dbus-user none
-#dbus-user filter
+dbus-user filter
+dbus-user.talk org.freedesktop.secrets
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
+# Add the next line to your nheko.local to enable notification support.
 #dbus-user.talk org.freedesktop.Notifications
-#dbus-user.talk org.kde.StatusNotifierWatcher
-dbus-user none
 dbus-system none
diff --git a/etc/profile-m-z/nicotine.profile b/etc/profile-m-z/nicotine.profile
index 1c7dbc009..0b55a0d3a 100644
--- a/etc/profile-m-z/nicotine.profile
+++ b/etc/profile-m-z/nicotine.profile
@@ -15,7 +15,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
diff --git a/etc/profile-m-z/nitroshare.profile b/etc/profile-m-z/nitroshare.profile
index 8dba84f02..d6234cd04 100644
--- a/etc/profile-m-z/nitroshare.profile
+++ b/etc/profile-m-z/nitroshare.profile
@@ -17,7 +17,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 include whitelist-usr-share-common.inc
@@ -43,7 +42,7 @@ disable-mnt
 private-bin awk,grep,nitroshare,nitroshare-cli,nitroshare-nmh,nitroshare-send,nitroshare-ui
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,dconf,fonts,hostname,hosts,ld.so.cache,machine-id,nsswitch.conf,ssl
+private-etc alternatives,ca-certificates,dconf,fonts,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,nsswitch.conf,ssl
 # private-lib libnitroshare.so.*,libqhttpengine.so.*,libqmdnsengine.so.*,nitroshare
 private-tmp
 
diff --git a/etc/profile-m-z/node.profile b/etc/profile-m-z/node.profile
new file mode 100644
index 000000000..cd48ed3c7
--- /dev/null
+++ b/etc/profile-m-z/node.profile
@@ -0,0 +1,11 @@
+# Firejail profile for node
+# Description: Evented I/O for V8 javascript
+quiet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include node.local
+# Persistent global definitions
+include globals.local
+
+# Redirect
+include nodejs-common.profile
diff --git a/etc/profile-m-z/nodejs-common.profile b/etc/profile-m-z/nodejs-common.profile
index 4095337dd..ab69136f6 100644
--- a/etc/profile-m-z/nodejs-common.profile
+++ b/etc/profile-m-z/nodejs-common.profile
@@ -10,17 +10,56 @@ include nodejs-common.local
 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}
 
+ignore read-only ${HOME}/.npm-packages
+ignore read-only ${HOME}/.npmrc
+ignore read-only ${HOME}/.nvm
+ignore read-only ${HOME}/.yarnrc
+
+noblacklist ${HOME}/.node-gyp
+noblacklist ${HOME}/.npm
+noblacklist ${HOME}/.npmrc
+noblacklist ${HOME}/.nvm
+noblacklist ${HOME}/.yarn
+noblacklist ${HOME}/.yarn-config
+noblacklist ${HOME}/.yarncache
+noblacklist ${HOME}/.yarnrc
+
 ignore noexec ${HOME}
 
 include allow-bin-sh.inc
 
 include disable-common.inc
 include disable-exec.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
+# If you want whitelisting, change ${HOME}/Projects below to your node projects directory
+# and add the next lines to your nodejs-common.local.
+#mkdir ${HOME}/.node-gyp
+#mkdir ${HOME}/.npm
+#mkdir ${HOME}/.npm-packages
+#mkfile ${HOME}/.npmrc
+#mkdir ${HOME}/.nvm
+#mkdir ${HOME}/.yarn
+#mkdir ${HOME}/.yarn-config
+#mkdir ${HOME}/.yarncache
+#mkfile ${HOME}/.yarnrc
+#whitelist ${HOME}/.node-gyp
+#whitelist ${HOME}/.npm
+#whitelist ${HOME}/.npm-packages
+#whitelist ${HOME}/.npmrc
+#whitelist ${HOME}/.nvm
+#whitelist ${HOME}/.yarn
+#whitelist ${HOME}/.yarn-config
+#whitelist ${HOME}/.yarncache
+#whitelist ${HOME}/.yarnrc
+#whitelist ${HOME}/Projects
+#include whitelist-common.inc
+
+whitelist /usr/share/doc/node
+whitelist /usr/share/nvm
+whitelist /usr/share/systemtap/tapset/node.stp
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -46,10 +85,11 @@ shell none
 
 disable-mnt
 private-dev
-# May need to add `passwd` to `private-etc` below to enable debugging with some IDEs
-private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,mime.types,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl,xdg
-# May need to be commented out in order to enable debugging with some IDEs
-private-tmp
+private-etc alternatives,ca-certificates,crypto-policies,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,mime.types,nsswitch.conf,passwd,pki,protocols,resolv.conf,rpc,services,ssl,xdg
+#private-tmp
 
 dbus-user none
 dbus-system none
+
+# Add the next line to your nodejs-common.local if you prefer to disable gatsby telemetry.
+#env GATSBY_TELEMETRY_DISABLED=1
diff --git a/etc/profile-m-z/nomacs.profile b/etc/profile-m-z/nomacs.profile
index a36dee874..7ffb09e56 100644
--- a/etc/profile-m-z/nomacs.profile
+++ b/etc/profile-m-z/nomacs.profile
@@ -15,7 +15,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
@@ -42,5 +41,5 @@ tracelog
 #private-bin nomacs
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hosts,login.defs,machine-id,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hosts,ld.so.cache,ld.so.preload,login.defs,machine-id,pki,resolv.conf,ssl
 private-tmp
diff --git a/etc/profile-m-z/noprofile.profile b/etc/profile-m-z/noprofile.profile
new file mode 100644
index 000000000..db4113f94
--- /dev/null
+++ b/etc/profile-m-z/noprofile.profile
@@ -0,0 +1,29 @@
+# This is the weakest possible firejail profile.
+# If a program still fail with this profile, it is incompatible with firejail.
+# (from https://gist.github.com/rusty-snake/bb234cb3e50e1e4e7429f29a7931cc72)
+#
+# Usage:
+#   1. download
+#   2. firejail --profile=noprofile.profile /path/to/program
+
+# Keep in mind that even with this profile some things are done
+# which can break the program.
+# - some env-vars are cleared
+# - /etc/firejail/firejail.config can contain options such as 'force-nonewprivs yes'
+# - a new private pid-namespace is created
+# - a minimal hardcoded blacklist is applied
+# - ...
+
+noblacklist /sys/fs
+noblacklist /sys/module
+
+allow-debuggers
+allusers
+keep-config-pulse
+keep-dev-shm
+keep-fd all
+keep-var-tmp
+writable-etc
+writable-run-user
+writable-var
+writable-var-log
diff --git a/etc/profile-m-z/notable.profile b/etc/profile-m-z/notable.profile
new file mode 100644
index 000000000..7c790539d
--- /dev/null
+++ b/etc/profile-m-z/notable.profile
@@ -0,0 +1,37 @@
+# Firejail profile for notable
+# Description: The Markdown-based note-taking app that doesn't suck
+# This file is overwritten after every install/update
+# Persistent local customizations
+include notable.local
+# Persistent global definitions
+include globals.local
+
+# Note: On debian-based distributions the binary might be located in
+# /opt/Notable/notable, and therefore not be in PATH.
+# If that's the case you can start Notable with firejail via
+# `firejail "/opt/Notable/notable"`.
+
+noblacklist ${HOME}/.config/Notable
+noblacklist ${HOME}/.notable
+
+net none
+nosound
+
+?HAS_APPIMAGE: ignore private-dev
+private-opt Notable
+
+dbus-user filter
+dbus-user.talk ca.desrt.dconf
+ignore dbus-user none
+
+# Notable keeps claiming it is started for the first time when whitelisting - see #4812.
+ignore whitelist ${DOWNLOADS}
+ignore whitelist ${HOME}/.config/Electron
+ignore whitelist ${HOME}/.config/electron-flag*.conf
+ignore include whitelist-common.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+ignore include whitelist-var-common.inc
+
+# Redirect
+include electron.profile
diff --git a/etc/profile-m-z/notify-send.profile b/etc/profile-m-z/notify-send.profile
index 650118c98..9f23c099d 100644
--- a/etc/profile-m-z/notify-send.profile
+++ b/etc/profile-m-z/notify-send.profile
@@ -13,7 +13,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-write-mnt.inc
@@ -50,7 +49,7 @@ private
 private-bin notify-send
 private-cache
 private-dev
-private-etc none
+private-etc alternatives,ld.so.cache,ld.so.preload
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-m-z/npm.profile b/etc/profile-m-z/npm.profile
index f51d58782..4d8beea5a 100644
--- a/etc/profile-m-z/npm.profile
+++ b/etc/profile-m-z/npm.profile
@@ -7,23 +7,5 @@ include npm.local
 # Persistent global definitions
 include globals.local
 
-ignore read-only ${HOME}/.npm-packages
-ignore read-only ${HOME}/.npmrc
-
-noblacklist ${HOME}/.node-gyp
-noblacklist ${HOME}/.npm
-noblacklist ${HOME}/.npmrc
-
-# If you want whitelisting, change ${HOME}/Projects below to your npm projects directory
-# and add the next lines to your npm.local.
-#mkdir ${HOME}/.node-gyp
-#mkdir ${HOME}/.npm
-#mkfile ${HOME}/.npmrc
-#whitelist ${HOME}/.node-gyp
-#whitelist ${HOME}/.npm
-#whitelist ${HOME}/.npmrc
-#whitelist ${HOME}/Projects
-#include whitelist-common.inc
-
 # Redirect
 include nodejs-common.profile
diff --git a/etc/profile-m-z/nslookup.profile b/etc/profile-m-z/nslookup.profile
index c7a131a2c..baa8ddfeb 100644
--- a/etc/profile-m-z/nslookup.profile
+++ b/etc/profile-m-z/nslookup.profile
@@ -16,7 +16,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-m-z/nuclear.profile b/etc/profile-m-z/nuclear.profile
index 886403b9e..9f4a6ec46 100644
--- a/etc/profile-m-z/nuclear.profile
+++ b/etc/profile-m-z/nuclear.profile
@@ -18,7 +18,7 @@ whitelist ${HOME}/.config/nuclear
 no3d
 
 # private-bin nuclear
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 private-opt nuclear
 
 # Redirect
diff --git a/etc/profile-m-z/nvim.profile b/etc/profile-m-z/nvim.profile
new file mode 100644
index 000000000..27a0aec28
--- /dev/null
+++ b/etc/profile-m-z/nvim.profile
@@ -0,0 +1,52 @@
+# Firejail profile for neovim
+# Description: Nvim is open source and freely distributable
+# This file is overwritten after every install/update
+# Persistent local customizations
+include nvim.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.vim
+noblacklist ${HOME}/.vimrc
+noblacklist ${HOME}/.cache/nvim
+noblacklist ${HOME}/.config/nvim
+noblacklist ${HOME}/.local/share/nvim
+
+include disable-common.inc
+include disable-devel.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+blacklist ${RUNUSER}
+
+include whitelist-runuser-common.inc
+
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+x11 none
+
+private-dev
+
+dbus-user none
+dbus-system none
+
+read-only ${HOME}/.config
+read-write ${HOME}/.config/nvim
+read-write ${HOME}/.local/share/nvim
+read-write ${HOME}/.vim
+read-write ${HOME}/.vimrc
diff --git a/etc/profile-m-z/nvm.profile b/etc/profile-m-z/nvm.profile
new file mode 100644
index 000000000..80da22834
--- /dev/null
+++ b/etc/profile-m-z/nvm.profile
@@ -0,0 +1,13 @@
+# Firejail profile for nvm
+# Description: Node Version Manager - Simple bash script to manage multiple active node.js versions
+quiet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include nvm.local
+# Persistent global definitions
+include globals.local
+
+ignore noroot
+
+# Redirect
+include nodejs-common.profile
diff --git a/etc/profile-m-z/nylas.profile b/etc/profile-m-z/nylas.profile
index fe0c2116b..3474a075f 100644
--- a/etc/profile-m-z/nylas.profile
+++ b/etc/profile-m-z/nylas.profile
@@ -11,7 +11,6 @@ noblacklist ${HOME}/.nylas-mail
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 mkdir ${HOME}/.config/Nylas Mail
diff --git a/etc/profile-m-z/nyx.profile b/etc/profile-m-z/nyx.profile
index d040d42af..653591482 100644
--- a/etc/profile-m-z/nyx.profile
+++ b/etc/profile-m-z/nyx.profile
@@ -16,7 +16,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -46,7 +45,7 @@ disable-mnt
 private-bin nyx,python*
 private-cache
 private-dev
-private-etc alternatives,fonts,passwd,tor
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,passwd,tor
 private-opt none
 private-srv none
 private-tmp
diff --git a/etc/profile-m-z/obs.profile b/etc/profile-m-z/obs.profile
index 9345cee4f..1ff9ad48a 100644
--- a/etc/profile-m-z/obs.profile
+++ b/etc/profile-m-z/obs.profile
@@ -18,7 +18,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-m-z/ocenaudio.profile b/etc/profile-m-z/ocenaudio.profile
index 7be68a201..0bfb35333 100644
--- a/etc/profile-m-z/ocenaudio.profile
+++ b/etc/profile-m-z/ocenaudio.profile
@@ -14,7 +14,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -46,7 +45,7 @@ tracelog
 private-bin ocenaudio
 private-cache
 private-dev
-private-etc alternatives,asound.conf,fonts,ld.so.cache,pulse
+private-etc alternatives,asound.conf,fonts,ld.so.cache,ld.so.preload,pulse
 private-tmp
 
 # breaks preferences
diff --git a/etc/profile-m-z/odt2txt.profile b/etc/profile-m-z/odt2txt.profile
index 6163d2e22..de62f4114 100644
--- a/etc/profile-m-z/odt2txt.profile
+++ b/etc/profile-m-z/odt2txt.profile
@@ -13,7 +13,6 @@ noblacklist ${DOCUMENTS}
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -39,7 +38,7 @@ x11 none
 private-bin odt2txt
 private-cache
 private-dev
-private-etc alternatives
+private-etc alternatives,ld.so.cache,ld.so.preload
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/okular.profile b/etc/profile-m-z/okular.profile
index ab8ccf623..fb28ad89f 100644
--- a/etc/profile-m-z/okular.profile
+++ b/etc/profile-m-z/okular.profile
@@ -23,7 +23,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -37,6 +36,7 @@ whitelist /usr/share/kconf_update/okular.upd
 whitelist /usr/share/kxmlgui5/okular
 whitelist /usr/share/okular
 whitelist /usr/share/poppler
+include whitelist-run-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -62,7 +62,7 @@ tracelog
 
 private-bin kbuildsycoca4,kdeinit4,lpr,okular,unar,unrar
 private-dev
-private-etc alternatives,cups,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,xdg
+private-etc alternatives,cups,fonts,kde4rc,kde5rc,ld.so.cache,ld.so.preload,machine-id,passwd,xdg
 # private-tmp - on KDE we need access to the real /tmp for data exchange with email clients
 
 # dbus-user none
diff --git a/etc/profile-m-z/onboard.profile b/etc/profile-m-z/onboard.profile
index 5b367b639..e05e58cad 100644
--- a/etc/profile-m-z/onboard.profile
+++ b/etc/profile-m-z/onboard.profile
@@ -17,7 +17,6 @@ include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
-include disable-passwdmgr.inc
 include disable-shell.inc
 include disable-xdg.inc
 
@@ -51,7 +50,7 @@ disable-mnt
 private-cache
 private-bin onboard,python*,tput
 private-dev
-private-etc alternatives,dbus-1,dconf,fonts,gtk-2.0,gtk-3.0,locale,locale.alias,locale.conf,mime.types,selinux,X11,xdg
+private-etc alternatives,dbus-1,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,locale,locale.alias,locale.conf,mime.types,selinux,X11,xdg
 private-tmp
 
 dbus-system none
diff --git a/etc/profile-m-z/onionshare-cli.profile b/etc/profile-m-z/onionshare-cli.profile
new file mode 100644
index 000000000..2e2331351
--- /dev/null
+++ b/etc/profile-m-z/onionshare-cli.profile
@@ -0,0 +1,12 @@
+# Firejail profile for onionshare-cli
+# Description: Share a file over Tor Hidden Services anonymously and securely (CLI)
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include onionshare-cli.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include onionshare-gui.profile
diff --git a/etc/profile-m-z/onionshare-gui.profile b/etc/profile-m-z/onionshare-gui.profile
index 960df9034..cf4d7db30 100644
--- a/etc/profile-m-z/onionshare-gui.profile
+++ b/etc/profile-m-z/onionshare-gui.profile
@@ -14,7 +14,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/onionshare.profile b/etc/profile-m-z/onionshare.profile
new file mode 100644
index 000000000..b0390d392
--- /dev/null
+++ b/etc/profile-m-z/onionshare.profile
@@ -0,0 +1,11 @@
+# Firejail profile for onionshare
+# Description: Share a file over Tor Hidden Services anonymously and securely (GUI)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include onionshare.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include onionshare-gui.profile
diff --git a/etc/profile-m-z/open-invaders.profile b/etc/profile-m-z/open-invaders.profile
index 7a840d4a9..c2c22f42d 100644
--- a/etc/profile-m-z/open-invaders.profile
+++ b/etc/profile-m-z/open-invaders.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 
@@ -26,7 +25,6 @@ caps.drop all
 net none
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/profile-m-z/openarena.profile b/etc/profile-m-z/openarena.profile
index 36ce0316f..c3ac097a0 100644
--- a/etc/profile-m-z/openarena.profile
+++ b/etc/profile-m-z/openarena.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
@@ -44,7 +43,7 @@ disable-mnt
 private-bin bash,cut,glxinfo,grep,head,openarena,openarena_ded,quake3,zenity
 private-cache
 private-dev
-private-etc drirc,machine-id,openal,passwd,selinux,udev,xdg
+private-etc alternatives,drirc,ld.so.cache,ld.so.preload,machine-id,openal,passwd,selinux,udev,xdg
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/opencity.profile b/etc/profile-m-z/opencity.profile
index a3d371e15..560bc6cbc 100644
--- a/etc/profile-m-z/opencity.profile
+++ b/etc/profile-m-z/opencity.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
diff --git a/etc/profile-m-z/openclonk.profile b/etc/profile-m-z/openclonk.profile
index 32b40df42..68362cbc8 100644
--- a/etc/profile-m-z/openclonk.profile
+++ b/etc/profile-m-z/openclonk.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -29,7 +28,6 @@ ipc-namespace
 netfilter
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/profile-m-z/openmw.profile b/etc/profile-m-z/openmw.profile
index d1fe67aed..ce3399ad6 100644
--- a/etc/profile-m-z/openmw.profile
+++ b/etc/profile-m-z/openmw.profile
@@ -13,7 +13,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-write-mnt.inc
diff --git a/etc/profile-m-z/openshot.profile b/etc/profile-m-z/openshot.profile
index 6118630c4..e2af2e714 100644
--- a/etc/profile-m-z/openshot.profile
+++ b/etc/profile-m-z/openshot.profile
@@ -16,7 +16,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 whitelist /usr/share/blender
diff --git a/etc/profile-m-z/openstego.profile b/etc/profile-m-z/openstego.profile
new file mode 100644
index 000000000..f6622b38d
--- /dev/null
+++ b/etc/profile-m-z/openstego.profile
@@ -0,0 +1,58 @@
+# Firejail profile for OpenStego
+# Description: Steganography application that provides data hiding and watermarking functionality
+# This file is overwritten after every install/update
+# Persistent local customizations
+include openstego.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/openstego.ini
+
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+
+mkfile ${HOME}/openstego.ini
+whitelist ${HOME}/openstego.ini
+whitelist ${HOME}/.java
+whitelist ${PICTURES}
+whitelist ${DOCUMENTS}
+whitelist ${DESKTOP}
+whitelist /usr/share/java
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+machine-id
+net none
+no3d
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin bash,dirname,openstego,readlink,sh
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/openttd.profile b/etc/profile-m-z/openttd.profile
index 546958bb7..6c31ebf65 100644
--- a/etc/profile-m-z/openttd.profile
+++ b/etc/profile-m-z/openttd.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
diff --git a/etc/profile-m-z/opera-beta.profile b/etc/profile-m-z/opera-beta.profile
index 551f1aba4..becd3f86c 100644
--- a/etc/profile-m-z/opera-beta.profile
+++ b/etc/profile-m-z/opera-beta.profile
@@ -5,18 +5,16 @@ include opera-beta.local
 # Persistent global definitions
 include globals.local
 
-# Disable for now, see https://www.tutorialspoint.com/difference-between-void-main-and-int-main-in-c-cplusplus
-ignore whitelist /usr/share/chromium
-ignore include whitelist-runuser-common.inc
-ignore include whitelist-usr-share-common.inc
-
-noblacklist ${HOME}/.cache/opera
+noblacklist ${HOME}/.cache/opera-beta
 noblacklist ${HOME}/.config/opera-beta
+noblacklist ${HOME}/.opera-beta
 
-mkdir ${HOME}/.cache/opera
+mkdir ${HOME}/.cache/opera-beta
 mkdir ${HOME}/.config/opera-beta
-whitelist ${HOME}/.cache/opera
+mkdir ${HOME}/.opera-beta
+whitelist ${HOME}/.cache/opera-beta
 whitelist ${HOME}/.config/opera-beta
+whitelist ${HOME}/.opera-beta
 
 # Redirect
 include chromium-common.profile
diff --git a/etc/profile-m-z/opera-developer.profile b/etc/profile-m-z/opera-developer.profile
new file mode 100644
index 000000000..52c850227
--- /dev/null
+++ b/etc/profile-m-z/opera-developer.profile
@@ -0,0 +1,20 @@
+# Firejail profile for opera-developer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include opera-developer.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/opera-developer
+noblacklist ${HOME}/.config/opera-developer
+noblacklist ${HOME}/.opera-developer
+
+mkdir ${HOME}/.cache/opera-developer
+mkdir ${HOME}/.config/opera-developer
+mkdir ${HOME}/.opera-developer
+whitelist ${HOME}/.cache/opera-developer
+whitelist ${HOME}/.config/opera-developer
+whitelist ${HOME}/.opera-developer
+
+# Redirect
+include chromium-common.profile
diff --git a/etc/profile-m-z/opera.profile b/etc/profile-m-z/opera.profile
index 2c7c5fc35..b342b3961 100644
--- a/etc/profile-m-z/opera.profile
+++ b/etc/profile-m-z/opera.profile
@@ -6,11 +6,6 @@ include opera.local
 # Persistent global definitions
 include globals.local
 
-# Disable for now, see https://www.tutorialspoint.com/difference-between-void-main-and-int-main-in-c-cplusplus
-ignore whitelist /usr/share/chromium
-ignore include whitelist-runuser-common.inc
-ignore include whitelist-usr-share-common.inc
-
 noblacklist ${HOME}/.cache/opera
 noblacklist ${HOME}/.config/opera
 noblacklist ${HOME}/.opera
diff --git a/etc/profile-m-z/orage.profile b/etc/profile-m-z/orage.profile
index 4e4d8bea5..a3ec6a386 100644
--- a/etc/profile-m-z/orage.profile
+++ b/etc/profile-m-z/orage.profile
@@ -13,7 +13,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-m-z/ostrichriders.profile b/etc/profile-m-z/ostrichriders.profile
index e0be078a7..de6a6d3f5 100644
--- a/etc/profile-m-z/ostrichriders.profile
+++ b/etc/profile-m-z/ostrichriders.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -29,6 +28,7 @@ ipc-namespace
 net none
 nodvd
 nogroups
+# Add 'ignore noinput' to your ostrichriders.local if you need controller support.
 noinput
 nonewprivs
 noroot
@@ -43,7 +43,6 @@ tracelog
 disable-mnt
 private-bin ostrichriders
 private-cache
-# comment the following line if you need controller support
 private-dev
 private-tmp
 
diff --git a/etc/profile-m-z/otter-browser.profile b/etc/profile-m-z/otter-browser.profile
index aa26ddd4e..e2687bf6b 100644
--- a/etc/profile-m-z/otter-browser.profile
+++ b/etc/profile-m-z/otter-browser.profile
@@ -10,26 +10,25 @@ include globals.local
 
 noblacklist ${HOME}/.cache/Otter
 noblacklist ${HOME}/.config/otter
-noblacklist ${HOME}/.pki
 noblacklist ${HOME}/.local/share/pki
+noblacklist ${HOME}/.pki
 
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.cache/Otter
 mkdir ${HOME}/.config/otter
-mkdir ${HOME}/.pki
 mkdir ${HOME}/.local/share/pki
+mkdir ${HOME}/.pki
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/Otter
 whitelist ${HOME}/.config/otter
-whitelist ${HOME}/.pki
 whitelist ${HOME}/.local/share/pki
+whitelist ${HOME}/.pki
 whitelist /usr/share/otter-browser
 include whitelist-common.inc
 include whitelist-runuser-common.inc
@@ -41,6 +40,7 @@ caps.drop all
 netfilter
 nodvd
 nogroups
+noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/profile-m-z/pandoc.profile b/etc/profile-m-z/pandoc.profile
index 513b4119e..c016b5103 100644
--- a/etc/profile-m-z/pandoc.profile
+++ b/etc/profile-m-z/pandoc.profile
@@ -11,15 +11,17 @@ blacklist ${RUNUSER}
 
 noblacklist ${DOCUMENTS}
 
+include allow-bin-sh.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
+include whitelist-runuser-common.inc
 # breaks pdf output
 #include whitelist-var-common.inc
 
@@ -40,15 +42,15 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 x11 none
 
 disable-mnt
-private-bin context,latex,mktexfmt,pandoc,pdflatex,pdfroff,prince,weasyprint,wkhtmltopdf
 private-cache
 private-dev
-private-etc alternatives,texlive,texmf
+private-etc alternatives,ld.so.cache,ld.so.preload,texlive,texmf
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/parole.profile b/etc/profile-m-z/parole.profile
index 0a4422a73..3d380542f 100644
--- a/etc/profile-m-z/parole.profile
+++ b/etc/profile-m-z/parole.profile
@@ -12,7 +12,6 @@ noblacklist ${VIDEOS}
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -28,4 +27,4 @@ shell none
 
 private-bin dbus-launch,parole
 private-cache
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,machine-id,passwd,pki,pulse,ssl
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.preload,machine-id,passwd,pki,pulse,ssl
diff --git a/etc/profile-m-z/patch.profile b/etc/profile-m-z/patch.profile
index 0de968185..3973c1b4a 100644
--- a/etc/profile-m-z/patch.profile
+++ b/etc/profile-m-z/patch.profile
@@ -15,7 +15,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-shell.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-m-z/pavucontrol.profile b/etc/profile-m-z/pavucontrol.profile
index b46fb3026..d64aab200 100644
--- a/etc/profile-m-z/pavucontrol.profile
+++ b/etc/profile-m-z/pavucontrol.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
@@ -46,7 +45,7 @@ disable-mnt
 private-bin pavucontrol
 private-cache
 private-dev
-private-etc alternatives,asound.conf,avahi,fonts,machine-id,pulse
+private-etc alternatives,asound.conf,avahi,fonts,ld.so.cache,ld.so.preload,machine-id,pulse
 private-lib
 private-tmp
 
diff --git a/etc/profile-m-z/pcsxr.profile b/etc/profile-m-z/pcsxr.profile
index a6dab2a9a..e52a1c4a9 100644
--- a/etc/profile-m-z/pcsxr.profile
+++ b/etc/profile-m-z/pcsxr.profile
@@ -14,7 +14,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-write-mnt.inc
diff --git a/etc/profile-m-z/pdfchain.profile b/etc/profile-m-z/pdfchain.profile
index d72417914..41ec98a39 100644
--- a/etc/profile-m-z/pdfchain.profile
+++ b/etc/profile-m-z/pdfchain.profile
@@ -11,7 +11,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
@@ -35,7 +34,7 @@ shell none
 
 private-bin pdfchain,pdftk,sh
 private-dev
-private-etc alternatives,dconf,fonts,gtk-3.0,xdg
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,xdg
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/pdfmod.profile b/etc/profile-m-z/pdfmod.profile
index a19826555..c8397a31e 100644
--- a/etc/profile-m-z/pdfmod.profile
+++ b/etc/profile-m-z/pdfmod.profile
@@ -14,7 +14,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-m-z/pdfsam.profile b/etc/profile-m-z/pdfsam.profile
index e2808d4d2..0c2ce0588 100644
--- a/etc/profile-m-z/pdfsam.profile
+++ b/etc/profile-m-z/pdfsam.profile
@@ -15,7 +15,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-m-z/pdftotext.profile b/etc/profile-m-z/pdftotext.profile
index d3902a51c..291d533a6 100644
--- a/etc/profile-m-z/pdftotext.profile
+++ b/etc/profile-m-z/pdftotext.profile
@@ -1,6 +1,7 @@
 # Firejail profile for pdftotext
 # Description: Portable Document Format (PDF) to text converter
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include pdftotext.local
 # Persistent global definitions
@@ -14,7 +15,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -49,7 +49,7 @@ x11 none
 private-bin pdftotext
 private-cache
 private-dev
-private-etc alternatives
+private-etc alternatives,ld.so.cache,ld.so.preload
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/peek.profile b/etc/profile-m-z/peek.profile
index c33953687..f5c295b5d 100644
--- a/etc/profile-m-z/peek.profile
+++ b/etc/profile-m-z/peek.profile
@@ -13,7 +13,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
@@ -49,7 +48,7 @@ tracelog
 disable-mnt
 private-bin bash,convert,ffmpeg,firejail,fish,peek,sh,which,zsh
 private-dev
-private-etc dconf,firejail,fonts,gtk-3.0,login.defs,pango,passwd,X11
+private-etc alternatives,dconf,firejail,fonts,gtk-3.0,ld.so.cache,ld.so.preload,login.defs,pango,passwd,X11
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-m-z/penguin-command.profile b/etc/profile-m-z/penguin-command.profile
index f5ad0321d..13e89616e 100644
--- a/etc/profile-m-z/penguin-command.profile
+++ b/etc/profile-m-z/penguin-command.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 
diff --git a/etc/profile-m-z/photoflare.profile b/etc/profile-m-z/photoflare.profile
index 40068ff78..80efedec7 100644
--- a/etc/profile-m-z/photoflare.profile
+++ b/etc/profile-m-z/photoflare.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -44,7 +43,7 @@ disable-mnt
 private-bin photoflare
 private-cache
 private-dev
-private-etc alternatives,fonts,locale,locale.alias,locale.conf,mime.types,X11
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,locale,locale.alias,locale.conf,mime.types,X11
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/picard.profile b/etc/profile-m-z/picard.profile
index a5ea47088..dbbfc5275 100644
--- a/etc/profile-m-z/picard.profile
+++ b/etc/profile-m-z/picard.profile
@@ -18,7 +18,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-m-z/pidgin.profile b/etc/profile-m-z/pidgin.profile
index 26872e9a1..904c17e09 100644
--- a/etc/profile-m-z/pidgin.profile
+++ b/etc/profile-m-z/pidgin.profile
@@ -15,7 +15,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-m-z/pinball.profile b/etc/profile-m-z/pinball.profile
index ab433e729..3c76ad99c 100644
--- a/etc/profile-m-z/pinball.profile
+++ b/etc/profile-m-z/pinball.profile
@@ -12,14 +12,16 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/emilia
 whitelist ${HOME}/.config/emilia
+
 whitelist /usr/share/pinball
+# on debian games are stored under /usr/share/games
+whitelist /usr/share/games/pinball
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/ping.profile b/etc/profile-m-z/ping.profile
index e914007c0..b4923c38a 100644
--- a/etc/profile-m-z/ping.profile
+++ b/etc/profile-m-z/ping.profile
@@ -14,7 +14,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-m-z/pingus.profile b/etc/profile-m-z/pingus.profile
index 3889d87d2..69c78740d 100644
--- a/etc/profile-m-z/pingus.profile
+++ b/etc/profile-m-z/pingus.profile
@@ -11,11 +11,12 @@ noblacklist ${HOME}/.pingus
 # Allow /bin/sh (blacklisted by disable-shell.inc)
 include allow-bin-sh.inc
 
+blacklist /usr/libexec
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -49,7 +50,7 @@ disable-mnt
 private-bin pingus,pingus.bin,sh
 private-cache
 private-dev
-private-etc machine-id
+private-etc alternatives,ld.so.cache,ld.so.preload,machine-id
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/pinta.profile b/etc/profile-m-z/pinta.profile
index 19406c399..f52803d50 100644
--- a/etc/profile-m-z/pinta.profile
+++ b/etc/profile-m-z/pinta.profile
@@ -14,7 +14,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-m-z/pioneer.profile b/etc/profile-m-z/pioneer.profile
index 721b3944a..7c9bb352b 100644
--- a/etc/profile-m-z/pioneer.profile
+++ b/etc/profile-m-z/pioneer.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
diff --git a/etc/profile-m-z/pip.profile b/etc/profile-m-z/pip.profile
new file mode 100644
index 000000000..a0926371f
--- /dev/null
+++ b/etc/profile-m-z/pip.profile
@@ -0,0 +1,18 @@
+# Firejail profile for pip
+# Description: package manager for Python packages
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include meson.local
+# Persistent global definitions
+include globals.local
+
+ignore read-only ${HOME}/.local/lib
+
+# Allow python3 (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
+#whitelist ${HOME}/.local/lib/python*
+
+# Redirect
+include build-systems-common.profile
diff --git a/etc/profile-m-z/pipe-viewer.profile b/etc/profile-m-z/pipe-viewer.profile
new file mode 100644
index 000000000..3de064311
--- /dev/null
+++ b/etc/profile-m-z/pipe-viewer.profile
@@ -0,0 +1,21 @@
+# Firejail profile for pipe-viewer
+# Description: Fork of youtube-viewer, scrapes youtube directly and with invidious
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include pipe-viewer.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/pipe-viewer
+noblacklist ${HOME}/.config/pipe-viewer
+
+mkdir ${HOME}/.config/pipe-viewer
+mkdir ${HOME}/.cache/pipe-viewer
+whitelist ${HOME}/.cache/pipe-viewer
+whitelist ${HOME}/.config/pipe-viewer
+
+private-bin gtk-pipe-viewer,pipe-viewer
+
+# Redirect
+include youtube-viewers-common.profile
diff --git a/etc/profile-m-z/pithos.profile b/etc/profile-m-z/pithos.profile
index 18990f0b2..91814d8bb 100644
--- a/etc/profile-m-z/pithos.profile
+++ b/etc/profile-m-z/pithos.profile
@@ -14,7 +14,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
diff --git a/etc/profile-m-z/pitivi.profile b/etc/profile-m-z/pitivi.profile
index a2dd809c4..245ffae22 100644
--- a/etc/profile-m-z/pitivi.profile
+++ b/etc/profile-m-z/pitivi.profile
@@ -16,7 +16,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 include whitelist-runuser-common.inc
diff --git a/etc/profile-m-z/pix.profile b/etc/profile-m-z/pix.profile
index 81d3e9370..6bd1ad02e 100644
--- a/etc/profile-m-z/pix.profile
+++ b/etc/profile-m-z/pix.profile
@@ -13,7 +13,6 @@ noblacklist ${HOME}/.steam
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 
diff --git a/etc/profile-m-z/pkglog.profile b/etc/profile-m-z/pkglog.profile
index 4eb41b3bd..69b954f53 100644
--- a/etc/profile-m-z/pkglog.profile
+++ b/etc/profile-m-z/pkglog.profile
@@ -13,7 +13,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
@@ -45,7 +44,7 @@ private
 private-bin pkglog,python*
 private-cache
 private-dev
-private-etc alternatives
+private-etc alternatives,ld.so.cache,ld.so.preload
 private-opt none
 private-tmp
 writable-var-log
diff --git a/etc/profile-m-z/pluma.profile b/etc/profile-m-z/pluma.profile
index 10e12e5b1..567725be4 100644
--- a/etc/profile-m-z/pluma.profile
+++ b/etc/profile-m-z/pluma.profile
@@ -16,7 +16,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 
diff --git a/etc/profile-m-z/plv.profile b/etc/profile-m-z/plv.profile
index 5201fd853..38ccf72e8 100644
--- a/etc/profile-m-z/plv.profile
+++ b/etc/profile-m-z/plv.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
@@ -47,7 +46,7 @@ disable-mnt
 private-bin plv
 private-cache
 private-dev
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 private-opt none
 private-tmp
 writable-var-log
diff --git a/etc/profile-m-z/pngquant.profile b/etc/profile-m-z/pngquant.profile
index 8a181d5a8..6b989202f 100644
--- a/etc/profile-m-z/pngquant.profile
+++ b/etc/profile-m-z/pngquant.profile
@@ -15,7 +15,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -39,9 +38,8 @@ nosound
 notv
 nou2f
 novideo
-# protocol can be empty, but this is not yet supported see #639
-protocol inet
-seccomp
+# block the socket syscall to simulate an be empty protocol line, see #639
+seccomp socket
 shell none
 tracelog
 x11 none
@@ -49,7 +47,7 @@ x11 none
 private-bin pngquant
 private-cache
 private-dev
-private-etc alternatives
+private-etc alternatives,ld.so.cache,ld.so.preload
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/ppsspp.profile b/etc/profile-m-z/ppsspp.profile
index 1f73c1d89..3e06cf300 100644
--- a/etc/profile-m-z/ppsspp.profile
+++ b/etc/profile-m-z/ppsspp.profile
@@ -14,7 +14,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-write-mnt.inc
 include disable-xdg.inc
diff --git a/etc/profile-m-z/pragha.profile b/etc/profile-m-z/pragha.profile
index f138d785e..fd595c27a 100644
--- a/etc/profile-m-z/pragha.profile
+++ b/etc/profile-m-z/pragha.profile
@@ -13,7 +13,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
@@ -34,6 +33,6 @@ seccomp
 shell none
 
 private-dev
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,machine-id,pki,pulse,resolv.conf,ssl,xdg
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl,xdg
 private-tmp
 
diff --git a/etc/profile-m-z/profanity.profile b/etc/profile-m-z/profanity.profile
index 743458725..25a248425 100644
--- a/etc/profile-m-z/profanity.profile
+++ b/etc/profile-m-z/profanity.profile
@@ -18,7 +18,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -45,7 +44,7 @@ shell none
 private-bin profanity
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,localtime,mime.types,nsswitch.conf,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,localtime,mime.types,nsswitch.conf,pki,resolv.conf,ssl
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/psi-plus.profile b/etc/profile-m-z/psi-plus.profile
index 5ac58b0ac..5f598cec5 100644
--- a/etc/profile-m-z/psi-plus.profile
+++ b/etc/profile-m-z/psi-plus.profile
@@ -13,7 +13,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 mkdir ${HOME}/.cache/psi+
diff --git a/etc/profile-m-z/psi.profile b/etc/profile-m-z/psi.profile
index 7e0ef99fc..99a72adee 100644
--- a/etc/profile-m-z/psi.profile
+++ b/etc/profile-m-z/psi.profile
@@ -18,7 +18,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -72,7 +71,7 @@ disable-mnt
 private-bin getopt,psi
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,gcrypt,group,hostname,hosts,ld.so.cache,ld.so.conf,machine-id,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,gcrypt,group,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.preload,machine-id,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/pybitmessage.profile b/etc/profile-m-z/pybitmessage.profile
index 60ae37930..8d8729d4a 100644
--- a/etc/profile-m-z/pybitmessage.profile
+++ b/etc/profile-m-z/pybitmessage.profile
@@ -16,7 +16,6 @@ include allow-python3.inc
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-interpreters.inc
 
diff --git a/etc/profile-m-z/pycharm-community.profile b/etc/profile-m-z/pycharm-community.profile
index 00d7239ae..f3d40e7f3 100644
--- a/etc/profile-m-z/pycharm-community.profile
+++ b/etc/profile-m-z/pycharm-community.profile
@@ -15,7 +15,6 @@ include allow-common-devel.inc
 
 include disable-common.inc
 include disable-devel.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 caps.drop all
diff --git a/etc/profile-m-z/qbittorrent.profile b/etc/profile-m-z/qbittorrent.profile
index 506b738cc..ebe67c63b 100644
--- a/etc/profile-m-z/qbittorrent.profile
+++ b/etc/profile-m-z/qbittorrent.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.cache/qBittorrent
 noblacklist ${HOME}/.config/qBittorrent
 noblacklist ${HOME}/.config/qBittorrentrc
 noblacklist ${HOME}/.local/share/data/qBittorrent
+noblacklist ${HOME}/.local/share/qBittorrent
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
@@ -19,7 +20,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 
@@ -27,11 +27,13 @@ mkdir ${HOME}/.cache/qBittorrent
 mkdir ${HOME}/.config/qBittorrent
 mkfile ${HOME}/.config/qBittorrentrc
 mkdir ${HOME}/.local/share/data/qBittorrent
+mkdir ${HOME}/.local/share/qBittorrent
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/qBittorrent
 whitelist ${HOME}/.config/qBittorrent
 whitelist ${HOME}/.config/qBittorrentrc
 whitelist ${HOME}/.local/share/data/qBittorrent
+whitelist ${HOME}/.local/share/qBittorrent
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/qcomicbook.profile b/etc/profile-m-z/qcomicbook.profile
new file mode 100644
index 000000000..4d4d3694b
--- /dev/null
+++ b/etc/profile-m-z/qcomicbook.profile
@@ -0,0 +1,67 @@
+# Firejail profile for qcomicbook
+# Description: A comic book and manga viewer in QT
+# This file is overwritten after every install/update
+# Persistent local customizations
+include qcomicbook.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/PawelStolowski
+noblacklist ${HOME}/.config/PawelStolowski
+noblacklist ${HOME}/.local/share/PawelStolowski
+noblacklist ${DOCUMENTS}
+
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-write-mnt.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/PawelStolowski
+mkdir ${HOME}/.config/PawelStolowski
+mkdir ${HOME}/.local/share/PawelStolowski
+whitelist /usr/share/qcomicbook
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+private-bin 7z,7zr,qcomicbook,rar,sh,tar,unace,unrar,unzip
+private-cache
+private-dev
+private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,pango,passwd,Trolltech.conf,X11,xdg
+private-tmp
+
+dbus-user none
+dbus-system none
+
+read-only ${HOME}
+read-write ${HOME}/.cache/PawelStolowski
+read-write ${HOME}/.config/PawelStolowski
+read-write ${HOME}/.local/share/PawelStolowski
+#to allow ${HOME}/.local/share/recently-used.xbel
+read-write ${HOME}/.local/share
diff --git a/etc/profile-m-z/qemu-launcher.profile b/etc/profile-m-z/qemu-launcher.profile
index ac60384fd..2aea715dc 100644
--- a/etc/profile-m-z/qemu-launcher.profile
+++ b/etc/profile-m-z/qemu-launcher.profile
@@ -8,7 +8,6 @@ include globals.local
 noblacklist ${HOME}/.qemu-launcher
 
 include disable-common.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 caps.drop all
diff --git a/etc/profile-m-z/qemu-system-x86_64.profile b/etc/profile-m-z/qemu-system-x86_64.profile
index d7d7905dd..2333e07d9 100644
--- a/etc/profile-m-z/qemu-system-x86_64.profile
+++ b/etc/profile-m-z/qemu-system-x86_64.profile
@@ -7,7 +7,6 @@ include qemu-system-x86_64.local
 include globals.local
 
 include disable-common.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 caps.drop all
diff --git a/etc/profile-m-z/qgis.profile b/etc/profile-m-z/qgis.profile
index 2e97daea2..555e1e41b 100644
--- a/etc/profile-m-z/qgis.profile
+++ b/etc/profile-m-z/qgis.profile
@@ -18,7 +18,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
@@ -53,7 +52,7 @@ tracelog
 disable-mnt
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,QGIS,QGIS.conf,resolv.conf,ssl,Trolltech.conf
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,machine-id,pki,QGIS,QGIS.conf,resolv.conf,ssl,Trolltech.conf
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/qlipper.profile b/etc/profile-m-z/qlipper.profile
index 6e94d5845..7176d8a39 100644
--- a/etc/profile-m-z/qlipper.profile
+++ b/etc/profile-m-z/qlipper.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-m-z/qmmp.profile b/etc/profile-m-z/qmmp.profile
index c3d982c17..af85c95e7 100644
--- a/etc/profile-m-z/qmmp.profile
+++ b/etc/profile-m-z/qmmp.profile
@@ -12,7 +12,6 @@ noblacklist ${MUSIC}
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
diff --git a/etc/profile-m-z/qnapi.profile b/etc/profile-m-z/qnapi.profile
index ca11df5be..4a3ce366e 100644
--- a/etc/profile-m-z/qnapi.profile
+++ b/etc/profile-m-z/qnapi.profile
@@ -14,7 +14,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -48,7 +47,7 @@ tracelog
 private-bin 7z,qnapi
 private-cache
 private-dev
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 private-opt none
 private-tmp
 
diff --git a/etc/profile-m-z/qpdfview.profile b/etc/profile-m-z/qpdfview.profile
index be690ffa4..3ad8a19c8 100644
--- a/etc/profile-m-z/qpdfview.profile
+++ b/etc/profile-m-z/qpdfview.profile
@@ -14,7 +14,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
diff --git a/etc/profile-m-z/qrencode.profile b/etc/profile-m-z/qrencode.profile
index 6cbf8519f..dd3f24875 100644
--- a/etc/profile-m-z/qrencode.profile
+++ b/etc/profile-m-z/qrencode.profile
@@ -13,7 +13,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-write-mnt.inc
@@ -48,7 +47,7 @@ disable-mnt
 private-bin qrencode
 private-cache
 private-dev
-private-etc none
+private-etc alternatives,ld.so.cache,ld.so.preload
 private-lib libpcre*
 private-tmp
 
diff --git a/etc/profile-m-z/qtox.profile b/etc/profile-m-z/qtox.profile
index 8ffe24d11..60e1539fa 100644
--- a/etc/profile-m-z/qtox.profile
+++ b/etc/profile-m-z/qtox.profile
@@ -13,7 +13,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -44,7 +43,7 @@ disable-mnt
 private-bin qtox
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,localtime,machine-id,pki,pulse,resolv.conf,ssl
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/quaternion.profile b/etc/profile-m-z/quaternion.profile
index 1d146aa39..dfb46ddae 100644
--- a/etc/profile-m-z/quaternion.profile
+++ b/etc/profile-m-z/quaternion.profile
@@ -13,7 +13,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
diff --git a/etc/profile-m-z/quiterss.profile b/etc/profile-m-z/quiterss.profile
index 9490089b2..8f89931c7 100644
--- a/etc/profile-m-z/quiterss.profile
+++ b/etc/profile-m-z/quiterss.profile
@@ -15,7 +15,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 
diff --git a/etc/profile-m-z/quodlibet.profile b/etc/profile-m-z/quodlibet.profile
index 92b02b2bf..bc435653d 100644
--- a/etc/profile-m-z/quodlibet.profile
+++ b/etc/profile-m-z/quodlibet.profile
@@ -21,7 +21,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
diff --git a/etc/profile-m-z/qupzilla.profile b/etc/profile-m-z/qupzilla.profile
index 7aa71c848..c29d87a73 100644
--- a/etc/profile-m-z/qupzilla.profile
+++ b/etc/profile-m-z/qupzilla.profile
@@ -13,7 +13,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 mkdir ${HOME}/.cache/qupzilla
diff --git a/etc/profile-m-z/raincat.profile b/etc/profile-m-z/raincat.profile
new file mode 100644
index 000000000..104577bdb
--- /dev/null
+++ b/etc/profile-m-z/raincat.profile
@@ -0,0 +1,49 @@
+# Firejail profile for raincat
+# This file is overwritten after every install/update
+# Persistent local customizations
+include raincat.local
+# Persistent global definitions
+include globals.local
+
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist /usr/share/games
+whitelist /usr/share/timidity
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+net none
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private
+private-bin raincat
+private-cache
+private-dev
+private-etc alternatives,drirc,ld.so.cache,ld.so.preload,machine-id,passwd,pulse,timidity,timidity.cfg
+#private-lib
+private-tmp
+
+dbus-user none
+dbus-system none
+
diff --git a/etc/profile-m-z/rambox.profile b/etc/profile-m-z/rambox.profile
index ffa2022ee..a14d7862b 100644
--- a/etc/profile-m-z/rambox.profile
+++ b/etc/profile-m-z/rambox.profile
@@ -7,8 +7,8 @@ include rambox.local
 include globals.local
 
 noblacklist ${HOME}/.config/Rambox
-noblacklist ${HOME}/.pki
 noblacklist ${HOME}/.local/share/pki
+noblacklist ${HOME}/.pki
 
 include disable-common.inc
 include disable-devel.inc
@@ -16,12 +16,12 @@ include disable-interpreters.inc
 include disable-programs.inc
 
 mkdir ${HOME}/.config/Rambox
-mkdir ${HOME}/.pki
 mkdir ${HOME}/.local/share/pki
+mkdir ${HOME}/.pki
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.config/Rambox
-whitelist ${HOME}/.pki
 whitelist ${HOME}/.local/share/pki
+whitelist ${HOME}/.pki
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/profile-m-z/redeclipse.profile b/etc/profile-m-z/redeclipse.profile
index 9bc196a16..436b98f29 100644
--- a/etc/profile-m-z/redeclipse.profile
+++ b/etc/profile-m-z/redeclipse.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-m-z/rednotebook.profile b/etc/profile-m-z/rednotebook.profile
new file mode 100644
index 000000000..d1dd365ab
--- /dev/null
+++ b/etc/profile-m-z/rednotebook.profile
@@ -0,0 +1,66 @@
+# Firejail profile for rednotebook
+# Description: Daily journal with calendar, templates and keyword searching
+# This file is overwritten after every install/update
+# Persistent local customizations
+include rednotebook.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/rednotebook
+noblacklist ${HOME}/.rednotebook
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+
+mkdir ${HOME}/.cache/rednotebook
+mkdir ${HOME}/.rednotebook
+whitelist ${HOME}/.cache/rednotebook
+whitelist ${HOME}/.rednotebook
+whitelist ${DESKTOP}
+whitelist ${DOCUMENTS}
+whitelist ${DOWNLOADS}
+whitelist ${MUSIC}
+whitelist ${PICTURES}
+whitelist ${VIDEOS}
+whitelist /usr/libexec/webkit2gtk-4.0
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin python3*,rednotebook
+private-cache
+private-dev
+private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,pango,X11
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/redshift.profile b/etc/profile-m-z/redshift.profile
index f87c5f67c..06ae67ae1 100644
--- a/etc/profile-m-z/redshift.profile
+++ b/etc/profile-m-z/redshift.profile
@@ -13,7 +13,6 @@ noblacklist ${HOME}/.config/redshift.conf
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
-include disable-passwdmgr.inc
 include disable-interpreters.inc
 include disable-programs.inc
 include disable-xdg.inc
diff --git a/etc/profile-m-z/regextester.profile b/etc/profile-m-z/regextester.profile
index f5131c5d0..f1ce313e7 100644
--- a/etc/profile-m-z/regextester.profile
+++ b/etc/profile-m-z/regextester.profile
@@ -9,7 +9,6 @@ include globals.local
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
-include disable-passwdmgr.inc
 include disable-interpreters.inc
 include disable-programs.inc
 include disable-shell.inc
@@ -44,7 +43,7 @@ disable-mnt
 private-bin regextester
 private-cache
 private-dev
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 private-lib libgranite.so.*
 private-tmp
 
diff --git a/etc/profile-m-z/remmina.profile b/etc/profile-m-z/remmina.profile
index aca22f187..16da40daf 100644
--- a/etc/profile-m-z/remmina.profile
+++ b/etc/profile-m-z/remmina.profile
@@ -17,7 +17,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-m-z/retroarch.profile b/etc/profile-m-z/retroarch.profile
new file mode 100644
index 000000000..1887a9b72
--- /dev/null
+++ b/etc/profile-m-z/retroarch.profile
@@ -0,0 +1,54 @@
+# Firejail profile for retroarch
+# Description: retroarch is a frontend to libretro emulator cores.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include retroarch.local
+# Persistent global definitions
+include globals.local
+
+blacklist /usr/libexec
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/retroarch
+whitelist ${HOME}/.config/retroarch
+whitelist /run/udev
+whitelist /usr/share/retroarch
+whitelist /usr/share/libretro
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+# If you need access to cameras, add `ignore novideo` to retroarch.local
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin retroarch
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/rhythmbox.profile b/etc/profile-m-z/rhythmbox.profile
index 970e8ffba..26b62e456 100644
--- a/etc/profile-m-z/rhythmbox.profile
+++ b/etc/profile-m-z/rhythmbox.profile
@@ -21,7 +21,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
diff --git a/etc/profile-m-z/ricochet.profile b/etc/profile-m-z/ricochet.profile
index b664a2be3..705ca0045 100644
--- a/etc/profile-m-z/ricochet.profile
+++ b/etc/profile-m-z/ricochet.profile
@@ -11,7 +11,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 
diff --git a/etc/profile-m-z/ripperx.profile b/etc/profile-m-z/ripperx.profile
index be815e714..81aef5a65 100644
--- a/etc/profile-m-z/ripperx.profile
+++ b/etc/profile-m-z/ripperx.profile
@@ -13,7 +13,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-m-z/ristretto.profile b/etc/profile-m-z/ristretto.profile
index 5572cab5a..79f090d95 100644
--- a/etc/profile-m-z/ristretto.profile
+++ b/etc/profile-m-z/ristretto.profile
@@ -14,7 +14,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/rpcs3.profile b/etc/profile-m-z/rpcs3.profile
new file mode 100644
index 000000000..147afb236
--- /dev/null
+++ b/etc/profile-m-z/rpcs3.profile
@@ -0,0 +1,62 @@
+# Firejail profile for RPCS3 emulator
+# Description: RPCS3 emulator
+# This file is overwritten after every install/update
+# Persistent local customizations
+include rpcs3.local 
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/rpcs3
+noblacklist ${HOME}/.cache/rpcs3
+# Don't block access to /sbin and /usr/sbin to allow using ldconfig. Otherwise
+# won't even start.
+noblacklist /sbin
+noblacklist /usr/sbin
+
+blacklist /usr/libexec
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc # disable if PPU compilation crashes
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/rpcs3
+mkdir ${HOME}/.config/rpcs3
+whitelist ${HOME}/.cache/rpcs3
+whitelist ${HOME}/.config/rpcs3
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+netfilter
+nodvd
+nogroups
+#noinput
+nonewprivs
+noroot
+noprinters
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+#private-cache
+#private-etc ca-certificates,crypto-policies,machine-id,pki,resolv.conf,ssl # seems to need awk
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/rsync-download_only.profile b/etc/profile-m-z/rsync-download_only.profile
index 690b44bb1..e44e55a12 100644
--- a/etc/profile-m-z/rsync-download_only.profile
+++ b/etc/profile-m-z/rsync-download_only.profile
@@ -18,7 +18,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -50,7 +49,7 @@ disable-mnt
 private-bin rsync
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
+private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/rtin.profile b/etc/profile-m-z/rtin.profile
new file mode 100644
index 000000000..cd84ce05e
--- /dev/null
+++ b/etc/profile-m-z/rtin.profile
@@ -0,0 +1,8 @@
+# Firejail profile for rtin
+# Description: ncurses-based Usenet newsreader
+#              symlink to tin, same as `tin -r`
+# This file is overwritten after every install/update
+# Persistent local customizations
+include rtin.local
+
+include tin.profile
diff --git a/etc/profile-m-z/rtorrent.profile b/etc/profile-m-z/rtorrent.profile
index 6ef51b7f1..757624938 100644
--- a/etc/profile-m-z/rtorrent.profile
+++ b/etc/profile-m-z/rtorrent.profile
@@ -10,7 +10,6 @@ include globals.local
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 
diff --git a/etc/profile-m-z/rtv-addons.profile b/etc/profile-m-z/rtv-addons.profile
index c9da0b628..cc6db5043 100644
--- a/etc/profile-m-z/rtv-addons.profile
+++ b/etc/profile-m-z/rtv-addons.profile
@@ -21,3 +21,8 @@ whitelist ${HOME}/.config/mpv
 whitelist ${HOME}/.mailcap
 whitelist ${HOME}/.netrc
 whitelist ${HOME}/.w3m
+
+#private-bin w3m,mpv,youtube-dl
+
+# tells rtv, which browser to use
+#env RTV_BROWSER=w3m
diff --git a/etc/profile-m-z/rtv.profile b/etc/profile-m-z/rtv.profile
index f0b8d31e9..03d812270 100644
--- a/etc/profile-m-z/rtv.profile
+++ b/etc/profile-m-z/rtv.profile
@@ -12,6 +12,9 @@ blacklist ${RUNUSER}/wayland-*
 noblacklist ${HOME}/.config/rtv
 noblacklist ${HOME}/.local/share/rtv
 
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
 include allow-python3.inc
@@ -24,7 +27,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
@@ -54,10 +56,10 @@ shell none
 tracelog
 
 disable-mnt
-private-bin python*,rtv,sh,xdg-settings
+private-bin less,python*,rtv,sh,xdg-settings
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl,terminfo,xdg
+private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mailcap,mime.types,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl,terminfo,xdg
 
 dbus-user none
 dbus-system none
diff --git a/etc/profile-m-z/sayonara.profile b/etc/profile-m-z/sayonara.profile
index de79913cc..d447be443 100644
--- a/etc/profile-m-z/sayonara.profile
+++ b/etc/profile-m-z/sayonara.profile
@@ -11,7 +11,6 @@ noblacklist ${MUSIC}
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
diff --git a/etc/profile-m-z/scallion.profile b/etc/profile-m-z/scallion.profile
index eb8468c3b..1fa45a747 100644
--- a/etc/profile-m-z/scallion.profile
+++ b/etc/profile-m-z/scallion.profile
@@ -14,7 +14,6 @@ noblacklist ${DOCUMENTS}
 include disable-common.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-m-z/scorched3d.profile b/etc/profile-m-z/scorched3d.profile
index aac3e721f..77b3d8923 100644
--- a/etc/profile-m-z/scorched3d.profile
+++ b/etc/profile-m-z/scorched3d.profile
@@ -12,13 +12,13 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.scorched3d
 whitelist ${HOME}/.scorched3d
 whitelist /usr/share/scorched3d
+whitelist /usr/share/games/scorched3d
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/scorchwentbonkers.profile b/etc/profile-m-z/scorchwentbonkers.profile
index 2cb1df6b5..70b5d844a 100644
--- a/etc/profile-m-z/scorchwentbonkers.profile
+++ b/etc/profile-m-z/scorchwentbonkers.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -44,7 +43,7 @@ disable-mnt
 private-bin scorchwentbonkers
 private-cache
 private-dev
-private-etc alsa,asound.conf,machine-id,pulse
+private-etc alsa,alternatives,asound.conf,ld.so.cache,ld.so.preload,machine-id,pulse
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/scribus.profile b/etc/profile-m-z/scribus.profile
index 1fdeaa145..5cf60baea 100644
--- a/etc/profile-m-z/scribus.profile
+++ b/etc/profile-m-z/scribus.profile
@@ -34,7 +34,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-m-z/sdat2img.profile b/etc/profile-m-z/sdat2img.profile
index aa2fa9b1b..81a7dc929 100644
--- a/etc/profile-m-z/sdat2img.profile
+++ b/etc/profile-m-z/sdat2img.profile
@@ -14,7 +14,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
diff --git a/etc/profile-m-z/seafile-applet.profile b/etc/profile-m-z/seafile-applet.profile
new file mode 100644
index 000000000..79e072475
--- /dev/null
+++ b/etc/profile-m-z/seafile-applet.profile
@@ -0,0 +1,62 @@
+# Firejail profile for Seafile
+# Description: Seafile desktop client.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include seafile-applet.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/Seafile
+noblacklist ${HOME}/Seafile/.seafile-data
+
+blacklist /usr/libexec
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.ccnet
+mkdir ${HOME}/.config/Seafile
+mkdir ${HOME}/Seafile
+whitelist ${HOME}/.ccnet
+whitelist ${HOME}/.config/Seafile
+whitelist ${HOME}/Seafile
+
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noprinters
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin seaf-cli,seaf-daemon,seafile-applet
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
+#private-opt none
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/seahorse-adventures.profile b/etc/profile-m-z/seahorse-adventures.profile
index 131dcbb68..72d6d5cf7 100644
--- a/etc/profile-m-z/seahorse-adventures.profile
+++ b/etc/profile-m-z/seahorse-adventures.profile
@@ -6,6 +6,9 @@ include seahorse-adventures.local
 # Persistent global definitions
 include globals.local
 
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
 include allow-python3.inc
@@ -14,12 +17,12 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
 whitelist /usr/share/seahorse-adventures
+whitelist /usr/share/games/seahorse-adventures
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -42,10 +45,10 @@ tracelog
 
 disable-mnt
 private
-private-bin python*,seahorse-adventures
+private-bin bash,dash,python*,seahorse-adventures,sh
 private-cache
 private-dev
-private-etc machine-id
+private-etc alternatives,ld.so.cache,ld.so.preload,machine-id
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/seahorse-tool.profile b/etc/profile-m-z/seahorse-tool.profile
index 96ff74edf..9ef174606 100644
--- a/etc/profile-m-z/seahorse-tool.profile
+++ b/etc/profile-m-z/seahorse-tool.profile
@@ -8,7 +8,7 @@ include seahorse-tool.local
 #include globals.local
 
 # private-etc workaround for: #2877
-private-etc firejail,login.defs,passwd
+private-etc alternatives,firejail,ld.so.cache,ld.so.preload,login.defs,passwd
 private-tmp
 
 # Redirect
diff --git a/etc/profile-m-z/seahorse.profile b/etc/profile-m-z/seahorse.profile
index d3d8e453f..7382e4712 100644
--- a/etc/profile-m-z/seahorse.profile
+++ b/etc/profile-m-z/seahorse.profile
@@ -17,7 +17,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
@@ -61,7 +60,7 @@ tracelog
 disable-mnt
 private-cache
 private-dev
-private-etc ca-certificates,crypto-policies,dconf,fonts,gconf,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,nsswitch.conf,pango,pki,protocols,resolv.conf,rpc,services,ssh,ssl,X11
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gconf,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,nsswitch.conf,pango,pki,protocols,resolv.conf,rpc,services,ssh,ssl,X11
 writable-run-user
 
 dbus-user filter
diff --git a/etc/profile-m-z/seamonkey.profile b/etc/profile-m-z/seamonkey.profile
index 807effbeb..e67e51620 100644
--- a/etc/profile-m-z/seamonkey.profile
+++ b/etc/profile-m-z/seamonkey.profile
@@ -8,8 +8,8 @@ include globals.local
 
 noblacklist ${HOME}/.cache/mozilla
 noblacklist ${HOME}/.mozilla
-noblacklist ${HOME}/.pki
 noblacklist ${HOME}/.local/share/pki
+noblacklist ${HOME}/.pki
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,8 +18,8 @@ include disable-programs.inc
 
 mkdir ${HOME}/.cache/mozilla
 mkdir ${HOME}/.mozilla
-mkdir ${HOME}/.pki
 mkdir ${HOME}/.local/share/pki
+mkdir ${HOME}/.pki
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/gnome-mplayer/plugin
 whitelist ${HOME}/.cache/mozilla
@@ -28,11 +28,11 @@ whitelist ${HOME}/.config/pipelight-silverlight5.1
 whitelist ${HOME}/.config/pipelight-widevine
 whitelist ${HOME}/.keysnail.js
 whitelist ${HOME}/.lastpass
+whitelist ${HOME}/.local/share/pki
 whitelist ${HOME}/.mozilla
 whitelist ${HOME}/.pentadactyl
 whitelist ${HOME}/.pentadactylrc
 whitelist ${HOME}/.pki
-whitelist ${HOME}/.local/share/pki
 whitelist ${HOME}/.vimperator
 whitelist ${HOME}/.vimperatorrc
 whitelist ${HOME}/.wine-pipelight
diff --git a/etc/profile-m-z/server.profile b/etc/profile-m-z/server.profile
index 7d56684db..9e40796a6 100644
--- a/etc/profile-m-z/server.profile
+++ b/etc/profile-m-z/server.profile
@@ -7,7 +7,6 @@
 #       [sudo] password for netblue:
 #       Reading profile /etc/firejail/server.profile
 #       Reading profile /etc/firejail/disable-common.inc
-#       Reading profile /etc/firejail/disable-passwdmgr.inc
 #       Reading profile /etc/firejail/disable-programs.inc
 #
 #       ** Note: you can use --noprofile to disable server.profile **
@@ -43,7 +42,6 @@ include disable-common.inc
 # include disable-devel.inc
 # include disable-exec.inc
 # include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-write-mnt.inc
 include disable-xdg.inc
@@ -85,6 +83,7 @@ private-tmp
 dbus-user none
 # dbus-system none
 
+# deterministic-shutdown
 # memory-deny-write-execute
 # read-only ${HOME}
 # writable-run-user
diff --git a/etc/profile-m-z/servo.profile b/etc/profile-m-z/servo.profile
index df8fbc3e3..7788974ce 100644
--- a/etc/profile-m-z/servo.profile
+++ b/etc/profile-m-z/servo.profile
@@ -13,7 +13,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-m-z/shellcheck.profile b/etc/profile-m-z/shellcheck.profile
index b7f398f45..61fe534d6 100644
--- a/etc/profile-m-z/shellcheck.profile
+++ b/etc/profile-m-z/shellcheck.profile
@@ -15,7 +15,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
@@ -51,5 +50,3 @@ private-tmp
 
 dbus-user none
 dbus-system none
-
-memory-deny-write-execute
diff --git a/etc/profile-m-z/shortwave.profile b/etc/profile-m-z/shortwave.profile
index d629240ec..0bcf5f693 100644
--- a/etc/profile-m-z/shortwave.profile
+++ b/etc/profile-m-z/shortwave.profile
@@ -13,7 +13,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-m-z/shotcut.profile b/etc/profile-m-z/shotcut.profile
index 63af4d367..e5dbf5c5f 100644
--- a/etc/profile-m-z/shotcut.profile
+++ b/etc/profile-m-z/shotcut.profile
@@ -14,7 +14,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 caps.drop all
diff --git a/etc/profile-m-z/shotwell.profile b/etc/profile-m-z/shotwell.profile
index ddc8a7743..3b569eeaf 100644
--- a/etc/profile-m-z/shotwell.profile
+++ b/etc/profile-m-z/shotwell.profile
@@ -14,7 +14,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -50,7 +49,7 @@ tracelog
 private-bin shotwell
 private-cache
 private-dev
-private-etc alternatives,fonts,machine-id
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id
 private-opt none
 private-tmp
 
diff --git a/etc/profile-m-z/signal-cli.profile b/etc/profile-m-z/signal-cli.profile
index 478377344..24f1464f9 100644
--- a/etc/profile-m-z/signal-cli.profile
+++ b/etc/profile-m-z/signal-cli.profile
@@ -17,7 +17,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-m-z/signal-desktop.profile b/etc/profile-m-z/signal-desktop.profile
index 77a7f5b38..1166f378b 100644
--- a/etc/profile-m-z/signal-desktop.profile
+++ b/etc/profile-m-z/signal-desktop.profile
@@ -21,9 +21,15 @@ whitelist ${HOME}/.config/Signal
 
 private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,nsswitch.conf,pki,resolv.conf,ssl
 
-# allow D-Bus notifications
 dbus-user filter
+
+# allow D-Bus notifications
 dbus-user.talk org.freedesktop.Notifications
+
+# allow D-Bus communication with firefox for opening links
+dbus-user.talk org.mozilla.Firefox.*
+dbus-user.talk org.mozilla.firefox.*
+
 ignore dbus-user none
 
 # Redirect
diff --git a/etc/profile-m-z/silentarmy.profile b/etc/profile-m-z/silentarmy.profile
index 3f3e2a75d..4351a4d43 100644
--- a/etc/profile-m-z/silentarmy.profile
+++ b/etc/profile-m-z/silentarmy.profile
@@ -10,7 +10,6 @@ include disable-common.inc
 # include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
diff --git a/etc/profile-m-z/simple-scan.profile b/etc/profile-m-z/simple-scan.profile
index 17920677b..b0ab0d039 100644
--- a/etc/profile-m-z/simple-scan.profile
+++ b/etc/profile-m-z/simple-scan.profile
@@ -12,7 +12,6 @@ noblacklist ${DOCUMENTS}
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-m-z/simplescreenrecorder.profile b/etc/profile-m-z/simplescreenrecorder.profile
index d664f8bf5..03a350327 100644
--- a/etc/profile-m-z/simplescreenrecorder.profile
+++ b/etc/profile-m-z/simplescreenrecorder.profile
@@ -13,7 +13,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-m-z/simutrans.profile b/etc/profile-m-z/simutrans.profile
index afaa0f6d8..55e472dbe 100644
--- a/etc/profile-m-z/simutrans.profile
+++ b/etc/profile-m-z/simutrans.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 mkdir ${HOME}/.simutrans
diff --git a/etc/profile-m-z/skanlite.profile b/etc/profile-m-z/skanlite.profile
index 093a61398..4965d3882 100644
--- a/etc/profile-m-z/skanlite.profile
+++ b/etc/profile-m-z/skanlite.profile
@@ -11,7 +11,6 @@ noblacklist ${DOCUMENTS}
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-m-z/skypeforlinux.profile b/etc/profile-m-z/skypeforlinux.profile
index ed04eda8e..3734f8f4a 100644
--- a/etc/profile-m-z/skypeforlinux.profile
+++ b/etc/profile-m-z/skypeforlinux.profile
@@ -6,24 +6,28 @@ include skypeforlinux.local
 include globals.local
 
 # Disabled until someone reported positive feedback
-ignore whitelist ${DOWNLOADS}
-ignore include whitelist-common.inc
 ignore include whitelist-runuser-common.inc
 ignore include whitelist-usr-share-common.inc
 ignore include whitelist-var-common.inc
 ignore nou2f
-ignore novideo
-ignore private-dev
-ignore dbus-user none
-ignore dbus-system none
 
 # breaks Skype
 ignore apparmor
+ignore dbus-user none
 ignore noexec /tmp
+ignore novideo
+ignore private-dev # needs /dev/disk
 
 noblacklist ${HOME}/.config/skypeforlinux
 
-# private-dev - needs /dev/disk
+mkdir ${HOME}/.config/skypeforlinux
+whitelist ${HOME}/.config/skypeforlinux
+
+dbus-user filter
+dbus-user.talk org.freedesktop.Notifications
+dbus-user.talk org.freedesktop.secrets
+# Note: Skype will log out the current session on start-up without this:
+dbus-user.talk org.kde.StatusNotifierWatcher
 
 # Redirect
 include electron.profile
diff --git a/etc/profile-m-z/slack.profile b/etc/profile-m-z/slack.profile
index 9ad772cd5..a511ebb1c 100644
--- a/etc/profile-m-z/slack.profile
+++ b/etc/profile-m-z/slack.profile
@@ -18,13 +18,15 @@ ignore dbus-system none
 
 noblacklist ${HOME}/.config/Slack
 
+include allow-bin-sh.inc
+
 include disable-shell.inc
 
 mkdir ${HOME}/.config/Slack
 whitelist ${HOME}/.config/Slack
 
-private-bin locale,slack
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,debian_version,fedora-release,fonts,group,ld.so.cache,ld.so.conf,localtime,machine-id,os-release,passwd,pki,pulse,redhat-release,resolv.conf,ssl,system-release,system-release-cpe
+private-bin electron,electron[0-9],electron[0-9][0-9],locale,sh,slack
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,debian_version,fedora-release,fonts,group,ld.so.cache,ld.so.conf,ld.so.preload,localtime,machine-id,os-release,passwd,pki,pulse,redhat-release,resolv.conf,ssl,system-release,system-release-cpe
 
 # Redirect
 include electron.profile
diff --git a/etc/profile-m-z/slashem.profile b/etc/profile-m-z/slashem.profile
index c5a31c237..bebf77ccc 100644
--- a/etc/profile-m-z/slashem.profile
+++ b/etc/profile-m-z/slashem.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 whitelist /var/games/slashem
diff --git a/etc/profile-m-z/smplayer.profile b/etc/profile-m-z/smplayer.profile
index 01547e5c1..7c1e18ac3 100644
--- a/etc/profile-m-z/smplayer.profile
+++ b/etc/profile-m-z/smplayer.profile
@@ -24,7 +24,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
diff --git a/etc/profile-m-z/smtube.profile b/etc/profile-m-z/smtube.profile
index 196950eaf..65e6d38e4 100644
--- a/etc/profile-m-z/smtube.profile
+++ b/etc/profile-m-z/smtube.profile
@@ -19,7 +19,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-m-z/smuxi-frontend-gnome.profile b/etc/profile-m-z/smuxi-frontend-gnome.profile
index c3a9bb858..0cdb5537e 100644
--- a/etc/profile-m-z/smuxi-frontend-gnome.profile
+++ b/etc/profile-m-z/smuxi-frontend-gnome.profile
@@ -14,7 +14,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
@@ -49,7 +48,7 @@ disable-mnt
 private-bin bash,mono,mono-sgen,sh,smuxi-frontend-gnome
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,ld.so.conf,machine-id,mono,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.preload,machine-id,mono,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/snox.profile b/etc/profile-m-z/snox.profile
index 83493652c..9d3ed8c1a 100644
--- a/etc/profile-m-z/snox.profile
+++ b/etc/profile-m-z/snox.profile
@@ -5,8 +5,7 @@ include snox.local
 # Persistent global definitions
 include globals.local
 
-# Disable for now, see https://www.tutorialspoint.com/difference-between-void-main-and-int-main-in-c-cplusplus
-ignore whitelist /usr/share/chromium
+# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
 ignore include whitelist-runuser-common.inc
 ignore include whitelist-usr-share-common.inc
 
diff --git a/etc/profile-m-z/softmaker-common.profile b/etc/profile-m-z/softmaker-common.profile
index 83315231f..099e6a2ad 100644
--- a/etc/profile-m-z/softmaker-common.profile
+++ b/etc/profile-m-z/softmaker-common.profile
@@ -6,9 +6,9 @@ include softmaker-common.local
 # added by caller profile
 #include globals.local
 
-# The offical packages install the desktop file under /usr/local/share/applications
-# with an absolute Exec line. These files are NOT handelt by firecfg,
-# therefore you must manualy copy them in you home and remove '/usr/bin/'.
+# The official packages install the desktop file under /usr/local/share/applications
+# with an absolute Exec line. These files are NOT handled by firecfg,
+# therefore you must manually copy them in you home and remove '/usr/bin/'.
 
 noblacklist ${HOME}/SoftMaker
 
@@ -16,7 +16,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 whitelist /usr/share/office2018
@@ -44,7 +43,7 @@ tracelog
 private-bin freeoffice-planmaker,freeoffice-presentations,freeoffice-textmaker,planmaker18,planmaker18free,presentations18,presentations18free,sh,textmaker18,textmaker18free
 private-cache
 private-dev
-private-etc ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,SoftMaker,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,SoftMaker,ssl
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/sol.profile b/etc/profile-m-z/sol.profile
index 6b8a17813..0af88e048 100644
--- a/etc/profile-m-z/sol.profile
+++ b/etc/profile-m-z/sol.profile
@@ -9,7 +9,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
diff --git a/etc/profile-m-z/sound-juicer.profile b/etc/profile-m-z/sound-juicer.profile
index ef00fdfff..4c37ece8a 100644
--- a/etc/profile-m-z/sound-juicer.profile
+++ b/etc/profile-m-z/sound-juicer.profile
@@ -13,7 +13,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-m-z/soundconverter.profile b/etc/profile-m-z/soundconverter.profile
index 4dbf34100..e5ff26327 100644
--- a/etc/profile-m-z/soundconverter.profile
+++ b/etc/profile-m-z/soundconverter.profile
@@ -16,7 +16,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-m-z/spectacle.profile b/etc/profile-m-z/spectacle.profile
index 4468f21e7..fc4ae2b04 100644
--- a/etc/profile-m-z/spectacle.profile
+++ b/etc/profile-m-z/spectacle.profile
@@ -19,11 +19,10 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-mkfile  ${HOME}/.config/spectaclerc
+mkfile ${HOME}/.config/spectaclerc
 whitelist ${HOME}/.config/spectaclerc
 whitelist ${PICTURES}
 whitelist /usr/share/kconf_update/spectacle_newConfig.upd
@@ -57,7 +56,7 @@ disable-mnt
 private-bin spectacle
 private-cache
 private-dev
-private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d
+private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-m-z/spectral.profile b/etc/profile-m-z/spectral.profile
index 283674517..3f7f68009 100644
--- a/etc/profile-m-z/spectral.profile
+++ b/etc/profile-m-z/spectral.profile
@@ -13,7 +13,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -50,10 +49,8 @@ private-dev
 private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 private-tmp
 
-dbus-user none
-# Add the next lines to your spectral.local to enable notification support.
-#ignore dbus-user none
-#dbus-user filter
+dbus-user filter
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
+# Add the next line to your spectral.local to enable notification support.
 #dbus-user.talk org.freedesktop.Notifications
-#dbus-user.talk org.kde.StatusNotifierWatcher
 dbus-system none
diff --git a/etc/profile-m-z/spectre-meltdown-checker.profile b/etc/profile-m-z/spectre-meltdown-checker.profile
index 984461f90..19d7f8ae3 100644
--- a/etc/profile-m-z/spectre-meltdown-checker.profile
+++ b/etc/profile-m-z/spectre-meltdown-checker.profile
@@ -18,7 +18,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-m-z/spotify.profile b/etc/profile-m-z/spotify.profile
index f679be9e7..0ce918161 100644
--- a/etc/profile-m-z/spotify.profile
+++ b/etc/profile-m-z/spotify.profile
@@ -15,7 +15,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 mkdir ${HOME}/.cache/spotify
@@ -44,8 +43,8 @@ tracelog
 disable-mnt
 private-bin bash,cat,dirname,find,grep,head,rm,sh,spotify,tclsh,touch,zenity
 private-dev
-# Comment the next line or put 'ignore private-etc' in your spotify.local if want to see the albums covers or if you want to use the radio
-private-etc alternatives,ca-certificates,crypto-policies,fonts,group,host.conf,hosts,ld.so.cache,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl
+# If you want to see album covers or want to use the radio, add 'ignore private-etc' to your spotify.local.
+private-etc alternatives,ca-certificates,crypto-policies,fonts,group,host.conf,hosts,ld.so.cache,ld.so.preload,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl
 private-opt spotify
 private-srv none
 private-tmp
diff --git a/etc/profile-m-z/sqlitebrowser.profile b/etc/profile-m-z/sqlitebrowser.profile
index 4dd2c7262..deaf37f52 100644
--- a/etc/profile-m-z/sqlitebrowser.profile
+++ b/etc/profile-m-z/sqlitebrowser.profile
@@ -13,7 +13,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -43,7 +42,7 @@ shell none
 private-bin sqlitebrowser
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,group,machine-id,passwd,pki,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.preload,machine-id,passwd,pki,ssl
 private-tmp
 
 # breaks proxy creation
diff --git a/etc/profile-m-z/ssh-agent.profile b/etc/profile-m-z/ssh-agent.profile
index 5802299a3..11723664f 100644
--- a/etc/profile-m-z/ssh-agent.profile
+++ b/etc/profile-m-z/ssh-agent.profile
@@ -13,7 +13,6 @@ blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
 
 include disable-common.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/ssh.profile b/etc/profile-m-z/ssh.profile
index a58642192..4da0db517 100644
--- a/etc/profile-m-z/ssh.profile
+++ b/etc/profile-m-z/ssh.profile
@@ -16,7 +16,6 @@ include allow-ssh.inc
 
 include disable-common.inc
 include disable-exec.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 whitelist ${RUNUSER}/gnupg/S.gpg-agent.ssh
@@ -51,4 +50,5 @@ writable-run-user
 dbus-user none
 dbus-system none
 
+deterministic-shutdown
 memory-deny-write-execute
diff --git a/etc/profile-m-z/standardnotes-desktop.profile b/etc/profile-m-z/standardnotes-desktop.profile
index 48a532876..7a59274bf 100644
--- a/etc/profile-m-z/standardnotes-desktop.profile
+++ b/etc/profile-m-z/standardnotes-desktop.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 mkdir ${HOME}/Standard Notes Backups
@@ -39,7 +38,7 @@ seccomp !chroot
 disable-mnt
 private-dev
 private-tmp
-private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,pki,resolv.conf,ssl,xdg
+private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl,xdg
 
 dbus-user none
 dbus-system none
diff --git a/etc/profile-m-z/steam.profile b/etc/profile-m-z/steam.profile
index 369255324..b0be8a517 100644
--- a/etc/profile-m-z/steam.profile
+++ b/etc/profile-m-z/steam.profile
@@ -8,6 +8,7 @@ include globals.local
 
 noblacklist ${HOME}/.config/Epic
 noblacklist ${HOME}/.config/Loop_Hero
+noblacklist ${HOME}/.config/MangoHud
 noblacklist ${HOME}/.config/ModTheSpire
 noblacklist ${HOME}/.config/RogueLegacy
 noblacklist ${HOME}/.config/RogueLegacyStorageContainer
@@ -51,11 +52,11 @@ include allow-python3.inc
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 mkdir ${HOME}/.config/Epic
 mkdir ${HOME}/.config/Loop_Hero
+mkdir ${HOME}/.config/MangoHud
 mkdir ${HOME}/.config/ModTheSpire
 mkdir ${HOME}/.config/RogueLegacy
 mkdir ${HOME}/.config/unity3d
@@ -86,6 +87,7 @@ mkfile ${HOME}/.steampath
 mkfile ${HOME}/.steampid
 whitelist ${HOME}/.config/Epic
 whitelist ${HOME}/.config/Loop_Hero
+whitelist ${HOME}/.config/MangoHud
 whitelist ${HOME}/.config/ModTheSpire
 whitelist ${HOME}/.config/RogueLegacy
 whitelist ${HOME}/.config/RogueLegacyStorageContainer
@@ -119,7 +121,7 @@ whitelist ${HOME}/.steampid
 include whitelist-common.inc
 include whitelist-var-common.inc
 
-# Note: The following were intentionally left out as they are alternative
+# NOTE: The following were intentionally left out as they are alternative
 # (i.e.: unnecessary and/or legacy) paths whose existence may potentially
 # clobber other paths (see #4225).  If you use any, either add the entry to
 # steam.local or move the contents to a path listed above (or open an issue if
@@ -131,34 +133,37 @@ caps.drop all
 #ipc-namespace
 netfilter
 nodvd
-# nVidia users may need to comment / ignore nogroups and noroot
 nogroups
 nonewprivs
 noroot
 notv
 nou2f
-# novideo should be commented for VR
+# For VR support add 'ignore novideo' to your steam.local.
 novideo
 protocol unix,inet,inet6,netlink
-# seccomp sometimes causes issues (see #2951, #3267),
-# comment it or add 'ignore seccomp' to steam.local if so.
+# seccomp sometimes causes issues (see #2951, #3267).
+# Add 'ignore seccomp' to your steam.local if you experience this.
 seccomp !ptrace
 shell none
 # tracelog breaks integrated browser
 #tracelog
 
-# private-bin is disabled while in testing, but has been tested working with multiple games
-#private-bin awk,basename,bash,bsdtar,bzip2,cat,chmod,cksum,cmp,comm,compress,cp,curl,cut,date,dbus-launch,dbus-send,desktop-file-edit,desktop-file-install,desktop-file-validate,dirname,echo,env,expr,file,find,getopt,grep,gtar,gzip,head,hostname,id,lbzip2,ldconfig,ldd,ln,ls,lsb_release,lsof,lspci,lz4,lzip,lzma,lzop,md5sum,mkdir,mktemp,mv,netstat,ps,pulseaudio,python*,readlink,realpath,rm,sed,sh,sha1sum,sha256sum,sha512sum,sleep,sort,steam,steamdeps,steam-native,steam-runtime,sum,tail,tar,tclsh,test,touch,tr,umask,uname,update-desktop-database,wc,wget,which,whoami,xterm,xz,zenity
-# extra programs are available which might be needed for select games
+# private-bin is disabled while in testing, but is known to work with multiple games.
+# Add the next line to your steam.local to enable private-bin.
+#private-bin awk,basename,bash,bsdtar,bzip2,cat,chmod,cksum,cmp,comm,compress,cp,curl,cut,date,dbus-launch,dbus-send,desktop-file-edit,desktop-file-install,desktop-file-validate,dirname,echo,env,expr,file,find,getopt,grep,gtar,gzip,head,hostname,id,lbzip2,ldconfig,ldd,ln,ls,lsb_release,lsof,lspci,lz4,lzip,lzma,lzop,md5sum,mkdir,mktemp,mv,netstat,ps,pulseaudio,python*,readlink,realpath,rm,sed,sh,sha1sum,sha256sum,sha512sum,sleep,sort,steam,steamdeps,steam-native,steam-runtime,sum,tail,tar,tclsh,test,touch,tr,umask,uname,update-desktop-database,wc,wget,wget2,which,whoami,xterm,xz,zenity
+# Extra programs are available which might be needed for select games.
+# Add the next line to your steam.local to enable support for these programs.
 #private-bin java,java-config,mono
-# picture viewers are needed for viewing screenshots
+# To view screenshots add the next line to your steam.local.
 #private-bin eog,eom,gthumb,pix,viewnior,xviewer
 
 private-dev
-# private-etc breaks a small selection of games on some systems, comment to support those
-private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,lsb-release,machine-id,mime.types,nvidia,os-release,passwd,pki,pulse,resolv.conf,services,ssl
+# private-etc breaks a small selection of games on some systems. Add 'ignore private-etc'
+# to your steam.local to support those.
+private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,lsb-release,machine-id,mime.types,nvidia,os-release,passwd,pki,pulse,resolv.conf,services,ssl,vulkan
 private-tmp
 
-# breaks appindicator support
 # dbus-user none
 # dbus-system none
+
+read-only ${HOME}/.config/MangoHud
diff --git a/etc/profile-m-z/stellarium.profile b/etc/profile-m-z/stellarium.profile
index a752ab53c..d2ebce45f 100644
--- a/etc/profile-m-z/stellarium.profile
+++ b/etc/profile-m-z/stellarium.profile
@@ -13,7 +13,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 
diff --git a/etc/profile-m-z/straw-viewer.profile b/etc/profile-m-z/straw-viewer.profile
index f8108c9d6..513abc21b 100644
--- a/etc/profile-m-z/straw-viewer.profile
+++ b/etc/profile-m-z/straw-viewer.profile
@@ -1,7 +1,7 @@
 # Firejail profile for straw-viewer
 # Description: Fork of youtube-viewer acts like an invidious frontend
-quiet
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include straw-viewer.local
 # Persistent global definitions
@@ -10,55 +10,12 @@ include globals.local
 noblacklist ${HOME}/.cache/straw-viewer
 noblacklist ${HOME}/.config/straw-viewer
 
-# Allow lua (blacklisted by disable-interpreters.inc)
-include allow-lua.inc
-
-# Allow perl (blacklisted by disable-interpreters.inc)
-include allow-perl.inc
-
-# Allow python (blacklisted by disable-interpreters.inc)
-include allow-python2.inc
-include allow-python3.inc
-
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-include disable-xdg.inc
-
 mkdir ${HOME}/.config/straw-viewer
 mkdir ${HOME}/.cache/straw-viewer
 whitelist ${HOME}/.cache/straw-viewer
 whitelist ${HOME}/.config/straw-viewer
-whitelist ${DOWNLOADS}
-include whitelist-common.inc
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
-
-apparmor
-caps.drop all
-netfilter
-nodvd
-nogroups
-noinput
-nonewprivs
-noroot
-notv
-nou2f
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-tracelog
 
-disable-mnt
-private-bin bash,ffmpeg,ffprobe,gtk-straw-viewer,mpv,perl,python*,sh,smplayer,straw-viewer,stty,vlc,wget,which,youtube-dl
-private-cache
-private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,machine-id,mime.types,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl,X11,xdg
-private-tmp
+private-bin gtk-straw-viewer,straw-viewer
 
-dbus-user none
-dbus-system none
+# Redirect
+include youtube-viewers-common.profile
diff --git a/etc/profile-m-z/strawberry.profile b/etc/profile-m-z/strawberry.profile
index b87906f55..32e43f079 100644
--- a/etc/profile-m-z/strawberry.profile
+++ b/etc/profile-m-z/strawberry.profile
@@ -15,7 +15,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
@@ -44,7 +43,7 @@ disable-mnt
 private-bin strawberry,strawberry-tagreader
 private-cache
 private-dev
-private-etc ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,nsswitch.conf,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl
 private-tmp
 
 dbus-system none
diff --git a/etc/profile-m-z/strings.profile b/etc/profile-m-z/strings.profile
index 1ebcded7f..9298e6614 100644
--- a/etc/profile-m-z/strings.profile
+++ b/etc/profile-m-z/strings.profile
@@ -13,7 +13,6 @@ blacklist ${RUNUSER}
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 #include disable-programs.inc
 include disable-shell.inc
 #include disable-xdg.inc
diff --git a/etc/profile-m-z/subdownloader.profile b/etc/profile-m-z/subdownloader.profile
index bbe92fd38..a9f22085b 100644
--- a/etc/profile-m-z/subdownloader.profile
+++ b/etc/profile-m-z/subdownloader.profile
@@ -17,7 +17,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
@@ -45,7 +44,7 @@ tracelog
 
 private-cache
 private-dev
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/supertux2.profile b/etc/profile-m-z/supertux2.profile
index dd456f085..464fa1b08 100644
--- a/etc/profile-m-z/supertux2.profile
+++ b/etc/profile-m-z/supertux2.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -20,6 +19,7 @@ include disable-xdg.inc
 mkdir ${HOME}/.local/share/supertux2
 whitelist ${HOME}/.local/share/supertux2
 whitelist /usr/share/supertux2
+whitelist /usr/share/games/supertux2    # Debian version
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
@@ -30,7 +30,6 @@ caps.drop all
 net none
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
@@ -45,7 +44,7 @@ tracelog
 disable-mnt
 # private-bin supertux2
 private-cache
-private-etc machine-id
+private-etc alternatives,ld.so.cache,ld.so.preload,machine-id
 private-dev
 private-tmp
 
diff --git a/etc/profile-m-z/supertuxkart.profile b/etc/profile-m-z/supertuxkart.profile
index 6a0ed46e0..23c8a6c58 100644
--- a/etc/profile-m-z/supertuxkart.profile
+++ b/etc/profile-m-z/supertuxkart.profile
@@ -10,11 +10,12 @@ noblacklist ${HOME}/.config/supertuxkart
 noblacklist ${HOME}/.cache/supertuxkart
 noblacklist ${HOME}/.local/share/supertuxkart
 
+blacklist /usr/libexec
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -26,6 +27,7 @@ whitelist ${HOME}/.config/supertuxkart
 whitelist ${HOME}/.cache/supertuxkart
 whitelist ${HOME}/.local/share/supertuxkart
 whitelist /usr/share/supertuxkart
+whitelist /usr/share/games/supertuxkart # Debian version
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
@@ -41,7 +43,7 @@ noroot
 notv
 nou2f
 novideo
-protocol unix,inet,inet6,bluetooth
+protocol unix,inet,inet6,netlink,bluetooth
 seccomp
 seccomp.block-secondary
 shell none
@@ -52,7 +54,7 @@ private-bin supertuxkart
 private-cache
 # Add the next line to your supertuxkart.local if you do not need controller support.
 #private-dev
-private-etc alternatives,ca-certificates,crypto-policies,drirc,hosts,machine-id,openal,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,drirc,hosts,ld.so.cache,ld.so.preload,machine-id,openal,pki,resolv.conf,ssl
 private-tmp
 private-opt none
 private-srv none
diff --git a/etc/profile-m-z/surf.profile b/etc/profile-m-z/surf.profile
index 8db7d2433..c04f00cab 100644
--- a/etc/profile-m-z/surf.profile
+++ b/etc/profile-m-z/surf.profile
@@ -11,7 +11,6 @@ noblacklist ${HOME}/.surf
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 mkdir ${HOME}/.surf
@@ -35,6 +34,6 @@ tracelog
 disable-mnt
 private-bin bash,curl,dmenu,ls,printf,sed,sh,sleep,st,stterm,surf,xargs,xprop
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,group,hosts,machine-id,passwd,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,group,hosts,ld.so.cache,ld.so.preload,machine-id,passwd,pki,resolv.conf,ssl
 private-tmp
 
diff --git a/etc/profile-m-z/sushi.profile b/etc/profile-m-z/sushi.profile
index 2a15a5d09..621622043 100644
--- a/etc/profile-m-z/sushi.profile
+++ b/etc/profile-m-z/sushi.profile
@@ -13,7 +13,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 # include disable-programs.inc
 include disable-shell.inc
 
diff --git a/etc/profile-a-l/sway.profile b/etc/profile-m-z/sway.profile
index 4637419bf..046d1b4be 100644
--- a/etc/profile-a-l/sway.profile
+++ b/etc/profile-m-z/sway.profile
@@ -1,5 +1,5 @@
 # Firejail profile for Sway
-# Description: i3-compatible Wayland compositor 
+# Description: i3-compatible Wayland compositor
 # This file is overwritten after every install/update
 # Persistent local customizations
 include sway.local
diff --git a/etc/profile-m-z/synfigstudio.profile b/etc/profile-m-z/synfigstudio.profile
index c60186c42..7f23992a8 100644
--- a/etc/profile-m-z/synfigstudio.profile
+++ b/etc/profile-m-z/synfigstudio.profile
@@ -13,7 +13,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 caps.drop all
diff --git a/etc/profile-m-z/sysprof.profile b/etc/profile-m-z/sysprof.profile
index 2473988e4..c7119ae0f 100644
--- a/etc/profile-m-z/sysprof.profile
+++ b/etc/profile-m-z/sysprof.profile
@@ -11,12 +11,18 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-# help menu functionality (yelp) - comment or add this block prepended with 'ignore'
-# to your sysprof.local if you don't need the help functionality
+# Add the next lines to your sysprof.local if you don't need (yelp) help menu functionality.
+#ignore noblacklist ${HOME}/.config/yelp
+#ignore mkdir ${HOME}/.config/yelp
+#nowhitelist ${HOME}/.config/yelp
+#nowhitelist /usr/share/help/C/sysprof
+#nowhitelist /usr/share/yelp
+#nowhitelist /usr/share/yelp-tools
+#nowhitelist /usr/share/yelp-xsl
+
 noblacklist ${HOME}/.config/yelp
 mkdir ${HOME}/.config/yelp
 whitelist ${HOME}/.config/yelp
@@ -41,7 +47,8 @@ nodvd
 nogroups
 noinput
 nonewprivs
-# Ubuntu 16.04 version needs root privileges - comment or put 'ignore noroot' in sysprof.local if you run Xenial
+# Some older Debian/Ubuntu sysprof versions need root privileges.
+# Add 'ignore noroot' to your sysprof.local if you run one of these.
 noroot
 nosound
 notv
@@ -56,8 +63,8 @@ disable-mnt
 #private-bin sysprof - breaks help menu
 private-cache
 private-dev
-private-etc alternatives,fonts,ld.so.cache,machine-id,ssl
-# private-lib breaks help menu
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id,ssl
+# private-lib - breaks help menu
 #private-lib gdk-pixbuf-2.*,gio,gtk3,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*,libsysprof-2.so,libsysprof-ui-2.so
 private-tmp
 
diff --git a/etc/profile-m-z/tar.profile b/etc/profile-m-z/tar.profile
index 0d3a900e9..0817adda8 100644
--- a/etc/profile-m-z/tar.profile
+++ b/etc/profile-m-z/tar.profile
@@ -14,7 +14,7 @@ ignore include disable-shell.inc
 # all capabilities this is automatically read-only.
 noblacklist /var/lib/pacman
 
-private-etc alternatives,group,localtime,login.defs,passwd
+private-etc alternatives,group,ld.so.cache,ld.so.preload,localtime,login.defs,passwd
 #private-lib libfakeroot,liblzma.so.*,libreadline.so.*
 # Debian based distributions need this for 'dpkg --unpack' (incl. synaptic)
 writable-var
diff --git a/etc/profile-m-z/tcpdump.profile b/etc/profile-m-z/tcpdump.profile
index e2ba5893c..57301a54d 100644
--- a/etc/profile-m-z/tcpdump.profile
+++ b/etc/profile-m-z/tcpdump.profile
@@ -14,7 +14,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-m-z/teams-for-linux.profile b/etc/profile-m-z/teams-for-linux.profile
index eee083332..5711c1b36 100644
--- a/etc/profile-m-z/teams-for-linux.profile
+++ b/etc/profile-m-z/teams-for-linux.profile
@@ -11,6 +11,8 @@ ignore include disable-xdg.inc
 ignore include whitelist-runuser-common.inc
 ignore include whitelist-usr-share-common.inc
 
+ignore noinput
+
 ignore dbus-user none
 ignore dbus-system none
 
@@ -19,8 +21,8 @@ noblacklist ${HOME}/.config/teams-for-linux
 mkdir ${HOME}/.config/teams-for-linux
 whitelist ${HOME}/.config/teams-for-linux
 
-private-bin bash,cut,echo,egrep,grep,head,sed,sh,teams-for-linux,tr,xdg-mime,xdg-open,zsh
-private-etc ca-certificates,crypto-policies,fonts,ld.so.cache,localtime,machine-id,pki,resolv.conf,ssl
+private-bin bash,cut,echo,egrep,electron,electron[0-9],electron[0-9][0-9],grep,head,sed,sh,teams-for-linux,tr,xdg-mime,xdg-open,zsh
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,localtime,machine-id,pki,resolv.conf,ssl
 
 # Redirect
 include electron.profile
diff --git a/etc/profile-m-z/teams.profile b/etc/profile-m-z/teams.profile
index c8d98cbaa..ad52ca45f 100644
--- a/etc/profile-m-z/teams.profile
+++ b/etc/profile-m-z/teams.profile
@@ -13,6 +13,8 @@ ignore include whitelist-usr-share-common.inc
 ignore novideo
 ignore private-tmp
 
+ignore novideo
+
 # see #3404
 ignore apparmor
 ignore dbus-user none
diff --git a/etc/profile-m-z/teamspeak3.profile b/etc/profile-m-z/teamspeak3.profile
index 02a2c8ae4..c149473f6 100644
--- a/etc/profile-m-z/teamspeak3.profile
+++ b/etc/profile-m-z/teamspeak3.profile
@@ -13,7 +13,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 mkdir ${HOME}/.ts3client
diff --git a/etc/profile-m-z/teeworlds.profile b/etc/profile-m-z/teeworlds.profile
index be01aee12..d0fb0d43e 100644
--- a/etc/profile-m-z/teeworlds.profile
+++ b/etc/profile-m-z/teeworlds.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -27,7 +26,6 @@ ipc-namespace
 netfilter
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/profile-m-z/telegram-desktop.profile b/etc/profile-m-z/telegram-desktop.profile
index e0c5aee9e..7463b761f 100644
--- a/etc/profile-m-z/telegram-desktop.profile
+++ b/etc/profile-m-z/telegram-desktop.profile
@@ -2,7 +2,7 @@
 # Description: Official Telegram Desktop client
 # This file is overwritten after every install/update
 # Persistent local customizations
-include tekegram-desktop.local
+include telegram-desktop.local
 # Persistent global definitions
 # added by included profile
 #include globals.local
diff --git a/etc/profile-m-z/telegram.profile b/etc/profile-m-z/telegram.profile
index 05c621fb2..ce0119078 100644
--- a/etc/profile-m-z/telegram.profile
+++ b/etc/profile-m-z/telegram.profile
@@ -8,11 +8,13 @@ include globals.local
 noblacklist ${HOME}/.TelegramDesktop
 noblacklist ${HOME}/.local/share/TelegramDesktop
 
+# Allow opening hyperlinks
+include allow-bin-sh.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -22,6 +24,7 @@ mkdir ${HOME}/.local/share/TelegramDesktop
 whitelist ${HOME}/.TelegramDesktop
 whitelist ${HOME}/.local/share/TelegramDesktop
 whitelist ${DOWNLOADS}
+whitelist /usr/share/TelegramDesktop
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
@@ -39,18 +42,18 @@ protocol unix,inet,inet6,netlink
 seccomp
 seccomp.block-secondary
 shell none
-tracelog
 
 disable-mnt
-#private-bin telegram,Telegram,telegram-desktop
+private-bin bash,sh,telegram,Telegram,telegram-desktop,xdg-open
 private-cache
 private-dev
-private-etc alsa,alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,machine-id,os-release,passwd,pki,pulse,resolv.conf,ssl,xdg
+private-etc alsa,alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.preload,localtime,machine-id,os-release,passwd,pki,pulse,resolv.conf,ssl,xdg
 private-tmp
 
 dbus-user filter
+dbus-user.own org.telegram.desktop.*
 dbus-user.talk org.freedesktop.Notifications
-dbus-user.talk org.kde.StatusNotifierWatcher
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
 dbus-user.talk org.gnome.Mutter.IdleMonitor
 dbus-user.talk org.freedesktop.ScreenSaver
 dbus-system none
diff --git a/etc/profile-m-z/telnet.profile b/etc/profile-m-z/telnet.profile
new file mode 100644
index 000000000..ea91364ab
--- /dev/null
+++ b/etc/profile-m-z/telnet.profile
@@ -0,0 +1,54 @@
+# Firejail profile for telnet
+# Description: standard telnet client
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include telnet.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${PATH}/telnet
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+#include disable-shell.inc
+include disable-write-mnt.inc
+include disable-X11.inc
+include disable-xdg.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol inet,inet6
+seccomp
+shell none
+tracelog
+
+#disable-mnt
+#private-bin PROGRAMS
+private-cache
+private-dev
+#private-etc FILES
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+noexec ${HOME}
diff --git a/etc/profile-m-z/terasology.profile b/etc/profile-m-z/terasology.profile
index ce2ca1d17..0f6691b49 100644
--- a/etc/profile-m-z/terasology.profile
+++ b/etc/profile-m-z/terasology.profile
@@ -16,7 +16,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 mkdir ${HOME}/.java
diff --git a/etc/profile-m-z/thunderbird.profile b/etc/profile-m-z/thunderbird.profile
index b478fbe1e..1ac80bc9a 100644
--- a/etc/profile-m-z/thunderbird.profile
+++ b/etc/profile-m-z/thunderbird.profile
@@ -31,7 +31,6 @@ noblacklist ${HOME}/.gnupg
 # noblacklist ${HOME}/.icedove
 noblacklist ${HOME}/.thunderbird
 
-include disable-passwdmgr.inc
 include disable-xdg.inc
 
 # If you have setup Thunderbird to archive emails to a local folder,
@@ -48,6 +47,7 @@ whitelist ${HOME}/.gnupg
 whitelist ${HOME}/.thunderbird
 
 whitelist /usr/share/gnupg
+whitelist /usr/share/gnupg2
 whitelist /usr/share/mozilla
 whitelist /usr/share/thunderbird
 whitelist /usr/share/webext
diff --git a/etc/profile-m-z/tilp.profile b/etc/profile-m-z/tilp.profile
index dd4a372c4..d2db44b1c 100644
--- a/etc/profile-m-z/tilp.profile
+++ b/etc/profile-m-z/tilp.profile
@@ -11,7 +11,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 
@@ -31,6 +30,6 @@ tracelog
 disable-mnt
 private-bin tilp
 private-cache
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 private-tmp
 
diff --git a/etc/profile-m-z/tin.profile b/etc/profile-m-z/tin.profile
new file mode 100644
index 000000000..1d4ee9370
--- /dev/null
+++ b/etc/profile-m-z/tin.profile
@@ -0,0 +1,68 @@
+# Firejail profile for tin
+# Description: ncurses-based Usenet newsreader
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tin.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.newsrc
+noblacklist ${HOME}/.tin
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}
+blacklist /usr/libexec
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.tin
+mkfile ${HOME}/.newsrc
+# Note: files/directories directly in ${HOME} can't be whitelisted, as
+#       tin saves .newsrc by renaming a temporary file, which is not possible for
+#       bind-mounted files.
+#whitelist ${HOME}/.newsrc
+#whitelist ${HOME}/.tin
+#include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol inet,inet6
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin rtin,tin
+private-cache
+private-dev
+private-etc alternatives,ld.so.cache,ld.so.preload,passwd,resolv.conf,terminfo,tin
+private-lib terminfo
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/tmux.profile b/etc/profile-m-z/tmux.profile
index 0139d7515..1e783d2b9 100644
--- a/etc/profile-m-z/tmux.profile
+++ b/etc/profile-m-z/tmux.profile
@@ -15,7 +15,6 @@ noblacklist /tmp/tmux-*
 # include disable-common.inc
 # include disable-devel.inc
 # include disable-exec.inc
-include disable-passwdmgr.inc
 # include disable-programs.inc
 
 caps.drop all
diff --git a/etc/profile-m-z/tor-browser.profile b/etc/profile-m-z/tor-browser.profile
index 76a0e1fa5..13f422b0a 100644
--- a/etc/profile-m-z/tor-browser.profile
+++ b/etc/profile-m-z/tor-browser.profile
@@ -7,9 +7,12 @@ include tor-browser.local
 #include globals.local
 
 noblacklist ${HOME}/.tor-browser
+noblacklist ${HOME}/.local/opt/tor-browser
 
 mkdir ${HOME}/.tor-browser
 whitelist ${HOME}/.tor-browser
+mkdir ${HOME}/.local/opt/tor-browser
+whitelist ${HOME}/.local/opt/tor-browser
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor.profile b/etc/profile-m-z/tor.profile
index 73ef290f4..d8cd8eb44 100644
--- a/etc/profile-m-z/tor.profile
+++ b/etc/profile-m-z/tor.profile
@@ -21,7 +21,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
@@ -47,6 +46,6 @@ private
 private-bin bash,tor
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,passwd,pki,ssl,tor
+private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,passwd,pki,ssl,tor
 private-tmp
 writable-var
diff --git a/etc/profile-m-z/torbrowser-launcher.profile b/etc/profile-m-z/torbrowser-launcher.profile
index 7659ed1e9..469e99d02 100644
--- a/etc/profile-m-z/torbrowser-launcher.profile
+++ b/etc/profile-m-z/torbrowser-launcher.profile
@@ -15,14 +15,12 @@ noblacklist ${HOME}/.local/share/torbrowser
 include allow-python2.inc
 include allow-python3.inc
 
-blacklist /opt
 blacklist /srv
 
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
@@ -31,6 +29,7 @@ mkdir ${HOME}/.local/share/torbrowser
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.config/torbrowser
 whitelist ${HOME}/.local/share/torbrowser
+whitelist /opt/tor-browser
 whitelist /usr/share/torbrowser-launcher
 include whitelist-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/torbrowser.profile b/etc/profile-m-z/torbrowser.profile
new file mode 100644
index 000000000..fc579b973
--- /dev/null
+++ b/etc/profile-m-z/torbrowser.profile
@@ -0,0 +1,26 @@
+# Firejail profile for torbrowser
+# Description: This profile was tested with www-client/torbrowser::torbrowser
+# on Gentoo Linux.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include torbrowser.local
+# Persistent global definitions
+include globals.local
+
+ignore dbus-user none
+
+noblacklist ${HOME}/.cache/mozilla
+noblacklist ${HOME}/.mozilla
+
+blacklist /usr/libexec
+
+mkdir ${HOME}/.cache/mozilla/torbrowser
+mkdir ${HOME}/.mozilla
+whitelist ${HOME}/.cache/mozilla/torbrowser
+whitelist ${HOME}/.mozilla
+include whitelist-usr-share-common.inc
+
+dbus-user filter
+dbus-user.own org.mozilla.torbrowser.*
+
+include firefox-common.profile
diff --git a/etc/profile-m-z/torcs.profile b/etc/profile-m-z/torcs.profile
index 0f98a8f64..19e586db4 100644
--- a/etc/profile-m-z/torcs.profile
+++ b/etc/profile-m-z/torcs.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
@@ -29,7 +28,6 @@ ipc-namespace
 net none
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/profile-m-z/totem.profile b/etc/profile-m-z/totem.profile
index 70d9e0aee..dac753fd1 100644
--- a/etc/profile-m-z/totem.profile
+++ b/etc/profile-m-z/totem.profile
@@ -20,7 +20,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 
diff --git a/etc/profile-m-z/tracker.profile b/etc/profile-m-z/tracker.profile
index 87c5de076..ba44224f9 100644
--- a/etc/profile-m-z/tracker.profile
+++ b/etc/profile-m-z/tracker.profile
@@ -14,7 +14,6 @@ blacklist ${RUNUSER}/wayland-*
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 
diff --git a/etc/profile-m-z/transgui.profile b/etc/profile-m-z/transgui.profile
index ea118a9f0..4acb8e7e8 100644
--- a/etc/profile-m-z/transgui.profile
+++ b/etc/profile-m-z/transgui.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -46,7 +45,7 @@ tracelog
 private-bin geoiplookup,geoiplookup6,transgui
 private-cache
 private-dev
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 private-lib libgdk_pixbuf-2.0.so.*,libGeoIP.so*,libgthread-2.0.so.*,libgtk-x11-2.0.so.*,libX11.so.*
 private-tmp
 
diff --git a/etc/profile-m-z/transmission-cli.profile b/etc/profile-m-z/transmission-cli.profile
index 486be5fe6..8a1711e97 100644
--- a/etc/profile-m-z/transmission-cli.profile
+++ b/etc/profile-m-z/transmission-cli.profile
@@ -8,7 +8,7 @@ include transmission-cli.local
 include globals.local
 
 private-bin transmission-cli
-private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl
 
 # Redirect
 include transmission-common.profile
diff --git a/etc/profile-m-z/transmission-common.profile b/etc/profile-m-z/transmission-common.profile
index 82671b709..9d9b8cc2c 100644
--- a/etc/profile-m-z/transmission-common.profile
+++ b/etc/profile-m-z/transmission-common.profile
@@ -14,7 +14,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 mkdir ${HOME}/.cache/transmission
diff --git a/etc/profile-m-z/transmission-daemon.profile b/etc/profile-m-z/transmission-daemon.profile
index 348d3cb80..5d28f2f10 100644
--- a/etc/profile-m-z/transmission-daemon.profile
+++ b/etc/profile-m-z/transmission-daemon.profile
@@ -17,7 +17,7 @@ caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot
 protocol packet
 
 private-bin transmission-daemon
-private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl
 
 read-write /var/lib/transmission
 writable-var-log
diff --git a/etc/profile-m-z/transmission-remote-gtk.profile b/etc/profile-m-z/transmission-remote-gtk.profile
index a6400e2c0..6a0f1bde3 100644
--- a/etc/profile-m-z/transmission-remote-gtk.profile
+++ b/etc/profile-m-z/transmission-remote-gtk.profile
@@ -12,7 +12,7 @@ noblacklist ${HOME}/.config/transmission-remote-gtk
 mkdir ${HOME}/.config/transmission-remote-gtk
 whitelist ${HOME}/.config/transmission-remote-gtk
 
-private-etc fonts,hostname,hosts,resolv.conf
+private-etc alternatives,fonts,hostname,hosts,ld.so.cache,ld.so.preload,resolv.conf
 # Problems with private-lib (see issue #2889)
 ignore private-lib
 
diff --git a/etc/profile-m-z/transmission-remote.profile b/etc/profile-m-z/transmission-remote.profile
index fee4999e6..565433d99 100644
--- a/etc/profile-m-z/transmission-remote.profile
+++ b/etc/profile-m-z/transmission-remote.profile
@@ -8,7 +8,7 @@ include transmission-remote.local
 include globals.local
 
 private-bin transmission-remote
-private-etc alternatives,hosts,nsswitch.conf
+private-etc alternatives,hosts,ld.so.cache,ld.so.preload,nsswitch.conf
 
 # Redirect
 include transmission-common.profile
diff --git a/etc/profile-m-z/transmission-show.profile b/etc/profile-m-z/transmission-show.profile
index 5a3c83f58..0a5826ec4 100644
--- a/etc/profile-m-z/transmission-show.profile
+++ b/etc/profile-m-z/transmission-show.profile
@@ -8,7 +8,7 @@ include transmission-show.local
 include globals.local
 
 private-bin transmission-show
-private-etc alternatives,hosts,nsswitch.conf
+private-etc alternatives,hosts,ld.so.cache,ld.so.preload,nsswitch.conf
 
 # Redirect
 include transmission-common.profile
diff --git a/etc/profile-m-z/tremulous.profile b/etc/profile-m-z/tremulous.profile
index aba563fac..96541ae25 100644
--- a/etc/profile-m-z/tremulous.profile
+++ b/etc/profile-m-z/tremulous.profile
@@ -8,11 +8,13 @@ include globals.local
 
 noblacklist ${HOME}/.tremulous
 
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -42,7 +44,7 @@ shell none
 tracelog
 
 disable-mnt
-private-bin tremded,tremulous,tremulous-wrapper
+private-bin env,sh,tremded,tremulous,tremulous-wrapper
 private-cache
 private-dev
 private-tmp
diff --git a/etc/profile-m-z/trojita.profile b/etc/profile-m-z/trojita.profile
index 2d95081f6..60a192ac1 100644
--- a/etc/profile-m-z/trojita.profile
+++ b/etc/profile-m-z/trojita.profile
@@ -15,7 +15,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -55,7 +54,7 @@ tracelog
 private-bin trojita
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,pki,resolv.conf,selinux,ssl,xdg
+private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,ld.so.preload,pki,resolv.conf,selinux,ssl,xdg
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-m-z/truecraft.profile b/etc/profile-m-z/truecraft.profile
index 749626475..503e1ae64 100644
--- a/etc/profile-m-z/truecraft.profile
+++ b/etc/profile-m-z/truecraft.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 mkdir ${HOME}/.config/mono
diff --git a/etc/profile-m-z/tuxguitar.profile b/etc/profile-m-z/tuxguitar.profile
index d0bcbe79f..807d43281 100644
--- a/etc/profile-m-z/tuxguitar.profile
+++ b/etc/profile-m-z/tuxguitar.profile
@@ -6,6 +6,9 @@ include tuxguitar.local
 # Persistent global definitions
 include globals.local
 
+# tuxguitar fails to launch
+ignore noexec ${HOME}
+
 noblacklist ${HOME}/.tuxguitar*
 noblacklist ${DOCUMENTS}
 noblacklist ${MUSIC}
@@ -17,7 +20,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
@@ -41,6 +43,3 @@ tracelog
 
 private-dev
 private-tmp
-
-# noexec ${HOME} - tuxguitar may fail to launch
-noexec /tmp
diff --git a/etc/profile-m-z/tvbrowser.profile b/etc/profile-m-z/tvbrowser.profile
index dae7d86da..8a18519ac 100644
--- a/etc/profile-m-z/tvbrowser.profile
+++ b/etc/profile-m-z/tvbrowser.profile
@@ -16,7 +16,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-m-z/twitch.profile b/etc/profile-m-z/twitch.profile
index 2f573c872..987a2b719 100644
--- a/etc/profile-m-z/twitch.profile
+++ b/etc/profile-m-z/twitch.profile
@@ -17,8 +17,8 @@ include disable-shell.inc
 mkdir ${HOME}/.config/Twitch
 whitelist ${HOME}/.config/Twitch
 
-private-bin twitch
-private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-bin electron,electron[0-9],electron[0-9][0-9],twitch
+private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 private-opt Twitch
 
 # Redirect
diff --git a/etc/profile-m-z/udiskie.profile b/etc/profile-m-z/udiskie.profile
index 601b818c2..02f05af16 100644
--- a/etc/profile-m-z/udiskie.profile
+++ b/etc/profile-m-z/udiskie.profile
@@ -13,7 +13,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-m-z/uefitool.profile b/etc/profile-m-z/uefitool.profile
index 3e4fdbb03..2e5630f3d 100644
--- a/etc/profile-m-z/uefitool.profile
+++ b/etc/profile-m-z/uefitool.profile
@@ -11,7 +11,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-m-z/unbound.profile b/etc/profile-m-z/unbound.profile
index 0c077babf..e8424cd7d 100644
--- a/etc/profile-m-z/unbound.profile
+++ b/etc/profile-m-z/unbound.profile
@@ -16,7 +16,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-m-z/unf.profile b/etc/profile-m-z/unf.profile
index 6db7ba362..1b82ad881 100644
--- a/etc/profile-m-z/unf.profile
+++ b/etc/profile-m-z/unf.profile
@@ -13,7 +13,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -50,7 +49,7 @@ private-bin unf
 private-cache
 ?HAS_APPIMAGE: ignore private-dev
 private-dev
-private-etc alternatives
+private-etc alternatives,ld.so.cache,ld.so.preload
 private-lib gcc/*/*/libgcc_s.so.*
 private-tmp
 
diff --git a/etc/profile-m-z/unknown-horizons.profile b/etc/profile-m-z/unknown-horizons.profile
index 956492f52..b8f4dc431 100644
--- a/etc/profile-m-z/unknown-horizons.profile
+++ b/etc/profile-m-z/unknown-horizons.profile
@@ -10,7 +10,6 @@ noblacklist ${HOME}/.unknown-horizons
 
 include disable-common.inc
 include disable-exec.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 mkdir ${HOME}/.unknown-horizons
diff --git a/etc/profile-m-z/unrar.profile b/etc/profile-m-z/unrar.profile
index 9d3d9b40e..443d1f415 100644
--- a/etc/profile-m-z/unrar.profile
+++ b/etc/profile-m-z/unrar.profile
@@ -8,7 +8,7 @@ include unrar.local
 include globals.local
 
 private-bin unrar
-private-etc alternatives,group,localtime,passwd
+private-etc alternatives,group,ld.so.cache,ld.so.preload,localtime,passwd
 private-tmp
 
 # Redirect
diff --git a/etc/profile-m-z/unzip.profile b/etc/profile-m-z/unzip.profile
index 0231e3dba..97df693ba 100644
--- a/etc/profile-m-z/unzip.profile
+++ b/etc/profile-m-z/unzip.profile
@@ -10,7 +10,7 @@ include globals.local
 # GNOME Shell integration (chrome-gnome-shell)
 noblacklist ${HOME}/.local/share/gnome-shell
 
-private-etc alternatives,group,localtime,passwd
+private-etc alternatives,group,ld.so.cache,ld.so.preload,localtime,passwd
 
 # Redirect
 include archiver-common.profile
diff --git a/etc/profile-m-z/utox.profile b/etc/profile-m-z/utox.profile
index dd881f091..5a867a683 100644
--- a/etc/profile-m-z/utox.profile
+++ b/etc/profile-m-z/utox.profile
@@ -13,7 +13,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -44,7 +43,7 @@ disable-mnt
 private-bin utox
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,localtime,machine-id,openal,pki,pulse,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,localtime,machine-id,openal,pki,pulse,resolv.conf,ssl
 private-tmp
 
 memory-deny-write-execute
diff --git a/etc/profile-m-z/uudeview.profile b/etc/profile-m-z/uudeview.profile
index 2adc044e5..426766e17 100644
--- a/etc/profile-m-z/uudeview.profile
+++ b/etc/profile-m-z/uudeview.profile
@@ -13,7 +13,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 
@@ -42,7 +41,7 @@ x11 none
 private-bin uudeview
 private-cache
 private-dev
-private-etc alternatives,ld.so.preload
+private-etc alternatives,ld.so.cache,ld.so.preload
 
 dbus-user none
 dbus-system none
diff --git a/etc/profile-m-z/uzbl-browser.profile b/etc/profile-m-z/uzbl-browser.profile
index 41487a8f2..dcdae279f 100644
--- a/etc/profile-m-z/uzbl-browser.profile
+++ b/etc/profile-m-z/uzbl-browser.profile
@@ -8,6 +8,7 @@ include globals.local
 noblacklist ${HOME}/.config/uzbl
 noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.local/share/uzbl
+noblacklist ${HOME}/.password-store
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/profile-m-z/viewnior.profile b/etc/profile-m-z/viewnior.profile
index a9ba344dd..585a8eddb 100644
--- a/etc/profile-m-z/viewnior.profile
+++ b/etc/profile-m-z/viewnior.profile
@@ -16,7 +16,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 
@@ -44,7 +43,7 @@ tracelog
 private-bin viewnior
 private-cache
 private-dev
-private-etc alternatives,fonts,machine-id
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/viking.profile b/etc/profile-m-z/viking.profile
index 8f8ef5939..fd15228cf 100644
--- a/etc/profile-m-z/viking.profile
+++ b/etc/profile-m-z/viking.profile
@@ -14,7 +14,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-m-z/vim.profile b/etc/profile-m-z/vim.profile
index c3cfe5980..a6e05a32a 100644
--- a/etc/profile-m-z/vim.profile
+++ b/etc/profile-m-z/vim.profile
@@ -14,7 +14,6 @@ noblacklist ${HOME}/.vimrc
 include allow-common-devel.inc
 
 include disable-common.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 include whitelist-runuser-common.inc
diff --git a/etc/profile-m-z/virtualbox.profile b/etc/profile-m-z/virtualbox.profile
index c22fb0ff9..227ad83cc 100644
--- a/etc/profile-m-z/virtualbox.profile
+++ b/etc/profile-m-z/virtualbox.profile
@@ -17,7 +17,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
@@ -46,7 +45,7 @@ tracelog
 #disable-mnt
 #private-bin awk,basename,bash,env,gawk,grep,ps,readlink,sh,virtualbox,VirtualBox,VBox*,vbox*,whoami
 private-cache
-private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,hostname,hosts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl
+private-etc alsa,alternatives,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,pki,pulse,resolv.conf,ssl
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/vlc.profile b/etc/profile-m-z/vlc.profile
index cd7dccd8a..68db032aa 100644
--- a/etc/profile-m-z/vlc.profile
+++ b/etc/profile-m-z/vlc.profile
@@ -15,7 +15,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 read-only ${DESKTOP}
diff --git a/etc/profile-m-z/vmware-view.profile b/etc/profile-m-z/vmware-view.profile
index f07c31b68..278a66149 100644
--- a/etc/profile-m-z/vmware-view.profile
+++ b/etc/profile-m-z/vmware-view.profile
@@ -7,6 +7,7 @@ include vmware-view.local
 include globals.local
 
 noblacklist ${HOME}/.vmware
+noblacklist /usr/lib/vmware
 
 noblacklist /sbin
 noblacklist /usr/sbin
@@ -17,7 +18,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
diff --git a/etc/profile-m-z/vmware.profile b/etc/profile-m-z/vmware.profile
index 5241e27b3..57fbbae96 100644
--- a/etc/profile-m-z/vmware.profile
+++ b/etc/profile-m-z/vmware.profile
@@ -8,12 +8,12 @@ include globals.local
 
 noblacklist ${HOME}/.cache/vmware
 noblacklist ${HOME}/.vmware
+noblacklist /usr/lib/vmware
 
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
@@ -39,6 +39,6 @@ tracelog
 #disable-mnt
 # Add the next line to your vmware.local to enable private-bin.
 #private-bin env,bash,sh,ovftool,vmafossexec,vmaf_*,vmnet-*,vmplayer,vmrest,vmrun,vmss2core,vmstat,vmware,vmware-*
-private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl,vmware,vmware-installer,vmware-vix
+private-etc alsa,alternatives,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl,vmware,vmware-installer,vmware-vix
 dbus-user none
 dbus-system none
diff --git a/etc/profile-m-z/vscodium.profile b/etc/profile-m-z/vscodium.profile
index a4a4fb7d8..9c0a887b2 100644
--- a/etc/profile-m-z/vscodium.profile
+++ b/etc/profile-m-z/vscodium.profile
@@ -1,4 +1,4 @@
-# Firejail profile alias for Visual Studio Code
+# Firejail profile alias for VSCodium
 # This file is overwritten after every install/update
 # Persistent local customizations
 include vscodium.local
@@ -7,6 +7,8 @@ include vscodium.local
 #include globals.local
 
 noblacklist ${HOME}/.VSCodium
+noblacklist ${HOME}/.config/VSCodium
+noblacklist ${HOME}/.vscode-oss
 
 # Redirect
 include code.profile
diff --git a/etc/profile-m-z/vym.profile b/etc/profile-m-z/vym.profile
index 5421c4e4b..6632ccb6b 100644
--- a/etc/profile-m-z/vym.profile
+++ b/etc/profile-m-z/vym.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 caps.drop all
diff --git a/etc/profile-m-z/w3m.profile b/etc/profile-m-z/w3m.profile
index 131213ed2..c9e209142 100644
--- a/etc/profile-m-z/w3m.profile
+++ b/etc/profile-m-z/w3m.profile
@@ -17,18 +17,31 @@ noblacklist ${HOME}/.w3m
 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
 
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
+# Allow perl (blacklisted by disable-interpreters.inc)
 include allow-perl.inc
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
+mkdir ${HOME}/.w3m
+whitelist /usr/share/w3m
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.w3m
 include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
+ipc-namespace
+machine-id
 netfilter
 no3d
 nodvd
@@ -45,8 +58,14 @@ seccomp
 shell none
 tracelog
 
-# private-bin w3m
+disable-mnt
+private-bin perl,sh,w3m
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,mailcap,nsswitch.conf,pki,resolv.conf,ssl
 private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/warmux.profile b/etc/profile-m-z/warmux.profile
index 1227a202c..0a6f19b1e 100644
--- a/etc/profile-m-z/warmux.profile
+++ b/etc/profile-m-z/warmux.profile
@@ -14,7 +14,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -50,7 +49,7 @@ disable-mnt
 private-bin warmux
 private-cache
 private-dev
-private-etc ca-certificates,crypto-policies,host.conf,hostname,hosts,machine-id,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
+private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/warsow.profile b/etc/profile-m-z/warsow.profile
index e0cd3daad..2f818b733 100644
--- a/etc/profile-m-z/warsow.profile
+++ b/etc/profile-m-z/warsow.profile
@@ -11,11 +11,13 @@ ignore noexec ${HOME}
 noblacklist ${HOME}/.cache/warsow-2.1
 noblacklist ${HOME}/.local/share/warsow-2.1
 
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -35,19 +37,18 @@ ipc-namespace
 netfilter
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
 nou2f
 novideo
-protocol unix,inet,inet6
+protocol unix,inet,inet6,netlink
 seccomp
 shell none
 tracelog
 
 disable-mnt
-private-bin warsow
+private-bin basename,bash,dirname,sed,sh,uname,warsow
 private-cache
 private-dev
 private-tmp
diff --git a/etc/profile-m-z/warzone2100.profile b/etc/profile-m-z/warzone2100.profile
index 420e8927e..5519c3c1e 100644
--- a/etc/profile-m-z/warzone2100.profile
+++ b/etc/profile-m-z/warzone2100.profile
@@ -7,20 +7,22 @@ include warzone2100.local
 include globals.local
 
 noblacklist ${HOME}/.warzone2100-3.*
+noblacklist ${HOME}/.local/share/warzone2100-3.*
 
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
-include disable-shell.inc
+#include disable-shell.inc - problems on Debian 11
 
 mkdir ${HOME}/.warzone2100-3.1
 mkdir ${HOME}/.warzone2100-3.2
+whitelist ${HOME}/.local/share/warzone2100-3.3.0 # config dir moved under .local/share
 whitelist ${HOME}/.warzone2100-3.1
 whitelist ${HOME}/.warzone2100-3.2
 whitelist /usr/share/games
+whitelist /usr/share/gdm
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
@@ -43,6 +45,6 @@ shell none
 tracelog
 
 disable-mnt
-private-bin warzone2100
+private-bin bash,dash,sh,warzone2100,which
 private-dev
 private-tmp
diff --git a/etc/profile-m-z/webstorm.profile b/etc/profile-m-z/webstorm.profile
index 69e96d0cd..4d849c582 100644
--- a/etc/profile-m-z/webstorm.profile
+++ b/etc/profile-m-z/webstorm.profile
@@ -24,7 +24,6 @@ noblacklist ${HOME}/.nvm
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 caps.drop all
diff --git a/etc/profile-m-z/webui-aria2.profile b/etc/profile-m-z/webui-aria2.profile
index d5a998f35..2fe727b9c 100644
--- a/etc/profile-m-z/webui-aria2.profile
+++ b/etc/profile-m-z/webui-aria2.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-m-z/weechat-curses.profile b/etc/profile-m-z/weechat-curses.profile
index 92c968fb6..3e84375a7 100644
--- a/etc/profile-m-z/weechat-curses.profile
+++ b/etc/profile-m-z/weechat-curses.profile
@@ -1,5 +1,6 @@
 # Firejail profile alias for weechat
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include weechat-curses.local
 # Persistent global definitions
diff --git a/etc/profile-m-z/weechat.profile b/etc/profile-m-z/weechat.profile
index 3a93d2ec7..07babd502 100644
--- a/etc/profile-m-z/weechat.profile
+++ b/etc/profile-m-z/weechat.profile
@@ -1,6 +1,7 @@
 # Firejail profile for weechat
 # Description: Fast, light and extensible chat client
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include weechat.local
 # Persistent global definitions
@@ -11,6 +12,7 @@ noblacklist ${HOME}/.weechat
 include disable-common.inc
 include disable-programs.inc
 
+whitelist /usr/share/weechat
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/wesnoth.profile b/etc/profile-m-z/wesnoth.profile
index 199b3c6f0..345b26a2c 100644
--- a/etc/profile-m-z/wesnoth.profile
+++ b/etc/profile-m-z/wesnoth.profile
@@ -13,7 +13,6 @@ noblacklist ${HOME}/.local/share/wesnoth
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 mkdir ${HOME}/.cache/wesnoth
diff --git a/etc/profile-m-z/wget.profile b/etc/profile-m-z/wget.profile
index 53c4711bd..4c21d6965 100644
--- a/etc/profile-m-z/wget.profile
+++ b/etc/profile-m-z/wget.profile
@@ -18,7 +18,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 # Depending on workflow you can add the next line to your wget.local.
diff --git a/etc/profile-m-z/wget2.profile b/etc/profile-m-z/wget2.profile
new file mode 100644
index 000000000..18918c6af
--- /dev/null
+++ b/etc/profile-m-z/wget2.profile
@@ -0,0 +1,19 @@
+# Firejail profile for wget2
+# Description: Updated version of the popular wget URL retrieval tool
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include wget2.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.config/wget
+ignore noblacklist ${HOME}/.wgetrc
+
+private-bin wget2
+# Depending on workflow you can add the next line to your wget2.local.
+#private-etc wget2rc
+
+# Redirect
+include wget.profile
diff --git a/etc/profile-m-z/whalebird.profile b/etc/profile-m-z/whalebird.profile
index 22a84274d..92ebebdae 100644
--- a/etc/profile-m-z/whalebird.profile
+++ b/etc/profile-m-z/whalebird.profile
@@ -20,8 +20,8 @@ whitelist ${HOME}/.config/Whalebird
 
 no3d
 
-private-bin whalebird
-private-etc fonts,machine-id
+private-bin electron,electron[0-9],electron[0-9][0-9],whalebird
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id
 
 # Redirect
 include electron.profile
diff --git a/etc/profile-m-z/whois.profile b/etc/profile-m-z/whois.profile
index 93871a5a4..afff6f587 100644
--- a/etc/profile-m-z/whois.profile
+++ b/etc/profile-m-z/whois.profile
@@ -14,7 +14,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
@@ -48,7 +47,7 @@ private
 private-bin bash,sh,whois
 private-cache
 private-dev
-private-etc alternatives,hosts,jwhois.conf,resolv.conf,services,whois.conf
+private-etc alternatives,hosts,jwhois.conf,ld.so.cache,ld.so.preload,resolv.conf,services,whois.conf
 private-lib gconv
 private-tmp
 
diff --git a/etc/profile-m-z/widelands.profile b/etc/profile-m-z/widelands.profile
index 0dc26b11d..6561be784 100644
--- a/etc/profile-m-z/widelands.profile
+++ b/etc/profile-m-z/widelands.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
diff --git a/etc/profile-m-z/wine.profile b/etc/profile-m-z/wine.profile
index 0ea24aafd..f30fc971f 100644
--- a/etc/profile-m-z/wine.profile
+++ b/etc/profile-m-z/wine.profile
@@ -6,6 +6,7 @@ include wine.local
 # Persistent global definitions
 include globals.local
 
+noblacklist ${HOME}/.cache/wine
 noblacklist ${HOME}/.cache/winetricks
 noblacklist ${HOME}/.Steam
 noblacklist ${HOME}/.local/share/Steam
@@ -17,7 +18,6 @@ noblacklist /tmp/.wine-*
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 # whitelist /usr/share/wine
diff --git a/etc/profile-m-z/wire-desktop.profile b/etc/profile-m-z/wire-desktop.profile
index 151cd2adb..d8742cd71 100644
--- a/etc/profile-m-z/wire-desktop.profile
+++ b/etc/profile-m-z/wire-desktop.profile
@@ -26,7 +26,7 @@ mkdir ${HOME}/.config/Wire
 whitelist ${HOME}/.config/Wire
 
 private-bin bash,electron,electron[0-9],electron[0-9][0-9],env,sh,wire-desktop
-private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,machine-id,pki,resolv.conf,ssl
 
 # Redirect
 include electron.profile
diff --git a/etc/profile-m-z/wireshark.profile b/etc/profile-m-z/wireshark.profile
index 1824026a8..c336efb86 100644
--- a/etc/profile-m-z/wireshark.profile
+++ b/etc/profile-m-z/wireshark.profile
@@ -17,7 +17,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
@@ -27,7 +26,7 @@ include whitelist-var-common.inc
 
 apparmor
 # caps.drop all
-caps.keep dac_override,net_admin,net_raw
+caps.keep dac_override,dac_read_search,net_admin,net_raw
 netfilter
 no3d
 # nogroups - breaks network traffic capture for unprivileged users
@@ -46,7 +45,9 @@ tracelog
 
 # private-bin wireshark
 private-cache
-private-dev
+# private-dev prevents (some) interfaces from being shown.
+# Add the below line to your wirehsark.local if you only want to inspect pcap files.
+#private-dev
 # private-etc alternatives,ca-certificates,crypto-policies,fonts,group,hosts,machine-id,passwd,pki,ssl
 private-tmp
 
diff --git a/etc/profile-m-z/wordwarvi.profile b/etc/profile-m-z/wordwarvi.profile
index 9c724a5d2..3147c2ac3 100644
--- a/etc/profile-m-z/wordwarvi.profile
+++ b/etc/profile-m-z/wordwarvi.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -46,7 +45,7 @@ private
 private-bin wordwarvi
 private-cache
 private-dev
-private-etc alsa,asound.conf,machine-id,pulse
+private-etc alsa,alternatives,asound.conf,ld.so.cache,ld.so.preload,machine-id,pulse
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/wps.profile b/etc/profile-m-z/wps.profile
index a44b6490e..cb0301378 100644
--- a/etc/profile-m-z/wps.profile
+++ b/etc/profile-m-z/wps.profile
@@ -14,7 +14,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/x2goclient.profile b/etc/profile-m-z/x2goclient.profile
index 557f07cd9..3fcac351d 100644
--- a/etc/profile-m-z/x2goclient.profile
+++ b/etc/profile-m-z/x2goclient.profile
@@ -16,7 +16,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 apparmor
diff --git a/etc/profile-m-z/xbill.profile b/etc/profile-m-z/xbill.profile
index 384f76acc..bb119996c 100644
--- a/etc/profile-m-z/xbill.profile
+++ b/etc/profile-m-z/xbill.profile
@@ -10,7 +10,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -45,7 +44,7 @@ private
 private-bin xbill
 private-cache
 private-dev
-private-etc none
+private-etc alternatives,ld.so.cache,ld.so.preload
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/xcalc.profile b/etc/profile-m-z/xcalc.profile
index 7fb483289..3f8aa2d34 100644
--- a/etc/profile-m-z/xcalc.profile
+++ b/etc/profile-m-z/xcalc.profile
@@ -9,7 +9,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
diff --git a/etc/profile-m-z/xed.profile b/etc/profile-m-z/xed.profile
index 4a3022e83..26383bda3 100644
--- a/etc/profile-m-z/xed.profile
+++ b/etc/profile-m-z/xed.profile
@@ -18,7 +18,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 
diff --git a/etc/profile-m-z/xfburn.profile b/etc/profile-m-z/xfburn.profile
index cd9561e74..91e25048d 100644
--- a/etc/profile-m-z/xfburn.profile
+++ b/etc/profile-m-z/xfburn.profile
@@ -11,7 +11,6 @@ noblacklist ${HOME}/.config/xfburn
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 caps.drop all
diff --git a/etc/profile-m-z/xfce4-dict.profile b/etc/profile-m-z/xfce4-dict.profile
index ecd321c7e..fcfec10d0 100644
--- a/etc/profile-m-z/xfce4-dict.profile
+++ b/etc/profile-m-z/xfce4-dict.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/xfce4-mixer.profile b/etc/profile-m-z/xfce4-mixer.profile
index bb38dbebd..386ef2bd6 100644
--- a/etc/profile-m-z/xfce4-mixer.profile
+++ b/etc/profile-m-z/xfce4-mixer.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -47,7 +46,7 @@ disable-mnt
 private-bin xfce4-mixer,xfconf-query
 private-cache
 private-dev
-private-etc alternatives,asound.conf,fonts,machine-id,pulse
+private-etc alternatives,asound.conf,fonts,ld.so.cache,ld.so.preload,machine-id,pulse
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-m-z/xfce4-notes.profile b/etc/profile-m-z/xfce4-notes.profile
index ebfb4333c..5004b8fb6 100644
--- a/etc/profile-m-z/xfce4-notes.profile
+++ b/etc/profile-m-z/xfce4-notes.profile
@@ -14,7 +14,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/xfce4-screenshooter.profile b/etc/profile-m-z/xfce4-screenshooter.profile
index b1e5bafbf..d74ed5754 100644
--- a/etc/profile-m-z/xfce4-screenshooter.profile
+++ b/etc/profile-m-z/xfce4-screenshooter.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -43,7 +42,7 @@ tracelog
 disable-mnt
 private-bin xfce4-screenshooter,xfconf-query
 private-dev
-private-etc ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/xiphos.profile b/etc/profile-m-z/xiphos.profile
index 81d98db7a..c7fd0799b 100644
--- a/etc/profile-m-z/xiphos.profile
+++ b/etc/profile-m-z/xiphos.profile
@@ -15,7 +15,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 
@@ -48,5 +47,5 @@ disable-mnt
 private-bin xiphos
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,resolv.conf,ssli,sword,sword.conf
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssli,sword,sword.conf
 private-tmp
diff --git a/etc/profile-m-z/xlinks.profile b/etc/profile-m-z/xlinks.profile
index 7987af280..404baf607 100644
--- a/etc/profile-m-z/xlinks.profile
+++ b/etc/profile-m-z/xlinks.profile
@@ -8,14 +8,13 @@ include xlinks.local
 #include globals.local
 
 noblacklist /tmp/.X11-unix
-noblacklist ${HOME}/.links
 
 include whitelist-common.inc
 
 # if you want to use user-configured programs add 'private-bin PROGRAM1,PROGRAM2'
 # to your xlinks.local or append 'PROGRAM1,PROGRAM2' to this private-bin line
 private-bin xlinks
-private-etc fonts
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 
 # Redirect
 include links.profile
diff --git a/etc/profile-m-z/xlinks2 b/etc/profile-m-z/xlinks2
new file mode 100644
index 000000000..d7edd3543
--- /dev/null
+++ b/etc/profile-m-z/xlinks2
@@ -0,0 +1,20 @@
+# Firejail profile for xlinks2
+# Description: Text WWW browser (X11)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xlinks2.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist /tmp/.X11-unix
+
+include whitelist-common.inc
+
+# if you want to use user-configured programs add 'private-bin PROGRAM1,PROGRAM2'
+# to your xlinks.local or append 'PROGRAM1,PROGRAM2' to this private-bin line
+private-bin xlinks2
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
+
+# Redirect
+include links2.profile
diff --git a/etc/profile-m-z/xmms.profile b/etc/profile-m-z/xmms.profile
index 25261d925..4003f69a2 100644
--- a/etc/profile-m-z/xmms.profile
+++ b/etc/profile-m-z/xmms.profile
@@ -11,7 +11,6 @@ noblacklist ${MUSIC}
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
diff --git a/etc/profile-m-z/xmr-stak.profile b/etc/profile-m-z/xmr-stak.profile
index e7020f36b..e541436a4 100644
--- a/etc/profile-m-z/xmr-stak.profile
+++ b/etc/profile-m-z/xmr-stak.profile
@@ -11,7 +11,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -39,7 +38,7 @@ disable-mnt
 private ${HOME}/.xmr-stak
 private-bin xmr-stak
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl
 #private-lib libxmrstak_opencl_backend,libxmrstak_cuda_backend
 private-opt cuda
 private-tmp
diff --git a/etc/profile-m-z/xonotic.profile b/etc/profile-m-z/xonotic.profile
index 53c9a0a08..7c2b38d1d 100644
--- a/etc/profile-m-z/xonotic.profile
+++ b/etc/profile-m-z/xonotic.profile
@@ -15,7 +15,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -33,7 +32,6 @@ caps.drop all
 netfilter
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/profile-m-z/xournal.profile b/etc/profile-m-z/xournal.profile
index c4f092d50..a0e77b4e7 100644
--- a/etc/profile-m-z/xournal.profile
+++ b/etc/profile-m-z/xournal.profile
@@ -12,7 +12,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -44,7 +43,7 @@ tracelog
 private-bin xournal
 private-cache
 private-dev
-private-etc alternatives,fonts,group,machine-id,passwd
+private-etc alternatives,fonts,group,ld.so.cache,ld.so.preload,machine-id,passwd
 # TODO should use private-lib
 private-tmp
 
diff --git a/etc/profile-m-z/xournalpp.profile b/etc/profile-m-z/xournalpp.profile
index 988b878b9..a23ad68df 100644
--- a/etc/profile-m-z/xournalpp.profile
+++ b/etc/profile-m-z/xournalpp.profile
@@ -7,6 +7,8 @@ include xournalpp.local
 # added by included profile
 #include globals.local
 
+noblacklist ${HOME}/.cache/xournalpp
+noblacklist ${HOME}/.config/xournalpp
 noblacklist ${HOME}/.xournalpp
 
 include allow-lua.inc
@@ -16,14 +18,17 @@ whitelist /usr/share/xournalpp
 whitelist /var/lib/texmf
 include whitelist-runuser-common.inc
 
-#mkdir ${HOME}/.xournalpp
+#mkdir ${HOME}/.cache/xournalpp
+#mkdir ${HOME}/.config/xournalpp
+#whitelist ${HOME}/.cache/xournalpp
+#whitelist ${HOME}/.config/xournalpp
 #whitelist ${HOME}/.xournalpp
 #whitelist ${HOME}/.texlive20*
 #whitelist ${DOCUMENTS}
 #include whitelist-common.inc
 
 private-bin kpsewhich,pdflatex,xournalpp
-private-etc latexmk.conf,texlive
+private-etc alternatives,latexmk.conf,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,texlive
 
 # Redirect
 include xournal.profile
diff --git a/etc/profile-m-z/xpdf.profile b/etc/profile-m-z/xpdf.profile
index 1447ec9a7..0149d36a3 100644
--- a/etc/profile-m-z/xpdf.profile
+++ b/etc/profile-m-z/xpdf.profile
@@ -13,7 +13,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
diff --git a/etc/profile-m-z/xplayer.profile b/etc/profile-m-z/xplayer.profile
index c3bb3292c..d1ea2c9d5 100644
--- a/etc/profile-m-z/xplayer.profile
+++ b/etc/profile-m-z/xplayer.profile
@@ -16,7 +16,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 read-only ${DESKTOP}
diff --git a/etc/profile-m-z/xpra.profile b/etc/profile-m-z/xpra.profile
index 6e409e1aa..aed6c102f 100644
--- a/etc/profile-m-z/xpra.profile
+++ b/etc/profile-m-z/xpra.profile
@@ -22,7 +22,6 @@ include allow-python3.inc
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 whitelist /var/lib/xkb
diff --git a/etc/profile-m-z/xreader.profile b/etc/profile-m-z/xreader.profile
index 3ab35edfc..8b880426f 100644
--- a/etc/profile-m-z/xreader.profile
+++ b/etc/profile-m-z/xreader.profile
@@ -14,7 +14,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
@@ -40,7 +39,7 @@ tracelog
 
 private-bin xreader,xreader-previewer,xreader-thumbnailer
 private-dev
-private-etc alternatives,fonts,ld.so.cache
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 private-tmp
 
 memory-deny-write-execute
diff --git a/etc/profile-m-z/xviewer.profile b/etc/profile-m-z/xviewer.profile
index 4d454f81c..5c8d6a47e 100644
--- a/etc/profile-m-z/xviewer.profile
+++ b/etc/profile-m-z/xviewer.profile
@@ -14,7 +14,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 
diff --git a/etc/profile-m-z/yandex-browser.profile b/etc/profile-m-z/yandex-browser.profile
index 81cd021f7..3ae6b1cf0 100644
--- a/etc/profile-m-z/yandex-browser.profile
+++ b/etc/profile-m-z/yandex-browser.profile
@@ -5,8 +5,7 @@ include yandex-browser.local
 # Persistent global definitions
 include globals.local
 
-# Disable for now, see https://www.tutorialspoint.com/difference-between-void-main-and-int-main-in-c-cplusplus
-ignore whitelist /usr/share/chromium
+# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
 ignore include whitelist-runuser-common.inc
 ignore include whitelist-usr-share-common.inc
 
diff --git a/etc/profile-m-z/yarn.profile b/etc/profile-m-z/yarn.profile
index 360bd8442..05b55d071 100644
--- a/etc/profile-m-z/yarn.profile
+++ b/etc/profile-m-z/yarn.profile
@@ -6,25 +6,5 @@ include yarn.local
 # Persistent global definitions
 include globals.local
 
-ignore read-only ${HOME}/.yarnrc
-
-noblacklist ${HOME}/.yarn
-noblacklist ${HOME}/.yarn-config
-noblacklist ${HOME}/.yarncache
-noblacklist ${HOME}/.yarnrc
-
-# If you want whitelisting, change ${HOME}/Projects below to your yarn projects directory and
-# add the next lines to you yarn.local.
-#mkdir ${HOME}/.yarn
-#mkdir ${HOME}/.yarn-config
-#mkdir ${HOME}/.yarncache
-#mkfile ${HOME}/.yarnrc
-#whitelist ${HOME}/.yarn
-#whitelist ${HOME}/.yarn-config
-#whitelist ${HOME}/.yarncache
-#whitelist ${HOME}/.yarnrc
-#whitelist ${HOME}/Projects
-#include whitelist-common.inc
-
 # Redirect
 include nodejs-common.profile
diff --git a/etc/profile-m-z/yelp.profile b/etc/profile-m-z/yelp.profile
index 93054bfed..31a51b2c4 100644
--- a/etc/profile-m-z/yelp.profile
+++ b/etc/profile-m-z/yelp.profile
@@ -12,13 +12,13 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/yelp
 whitelist ${HOME}/.config/yelp
+whitelist /usr/libexec/webkit2gtk-4.0
 whitelist /usr/share/doc
 whitelist /usr/share/groff
 whitelist /usr/share/help
@@ -56,7 +56,7 @@ disable-mnt
 private-bin groff,man,tbl,troff,yelp
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,crypto-policies,cups,dconf,drirc,fonts,gcrypt,groff,gtk-3.0,machine-id,man_db.conf,openal,os-release,pulse,sgml,xml
+private-etc alsa,alternatives,asound.conf,crypto-policies,cups,dconf,drirc,fonts,gcrypt,groff,gtk-3.0,ld.so.cache,ld.so.preload,machine-id,man_db.conf,openal,os-release,pulse,sgml,xml
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-m-z/youtube-dl-gui.profile b/etc/profile-m-z/youtube-dl-gui.profile
index b52271a2c..94f37a92b 100644
--- a/etc/profile-m-z/youtube-dl-gui.profile
+++ b/etc/profile-m-z/youtube-dl-gui.profile
@@ -14,7 +14,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -50,7 +49,7 @@ disable-mnt
 private-bin atomicparsley,ffmpeg,ffprobe,python*,youtube-dl-gui
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,locale,locale.conf,passwd,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,locale,locale.conf,passwd,pki,resolv.conf,ssl
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/youtube-dl.profile b/etc/profile-m-z/youtube-dl.profile
index 24c4d6db3..71e50ab11 100644
--- a/etc/profile-m-z/youtube-dl.profile
+++ b/etc/profile-m-z/youtube-dl.profile
@@ -27,7 +27,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -59,7 +58,7 @@ tracelog
 private-bin env,ffmpeg,python*,youtube-dl
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,hostname,hosts,ld.so.cache,mime.types,pki,resolv.conf,ssl,youtube-dl.conf
+private-etc alternatives,ca-certificates,crypto-policies,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,pki,resolv.conf,ssl,youtube-dl.conf
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/youtube-viewer.profile b/etc/profile-m-z/youtube-viewer.profile
index 7d6e9b0eb..825599fcc 100644
--- a/etc/profile-m-z/youtube-viewer.profile
+++ b/etc/profile-m-z/youtube-viewer.profile
@@ -10,51 +10,12 @@ include globals.local
 noblacklist ${HOME}/.cache/youtube-viewer
 noblacklist ${HOME}/.config/youtube-viewer
 
-# Allow perl (blacklisted by disable-interpreters.inc)
-include allow-perl.inc
-
-# Allow python (blacklisted by disable-interpreters.inc)
-include allow-python2.inc
-include allow-python3.inc
-
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-include disable-xdg.inc
-
 mkdir ${HOME}/.cache/youtube-viewer
 mkdir ${HOME}/.config/youtube-viewer
 whitelist ${HOME}/.cache/youtube-viewer
 whitelist ${HOME}/.config/youtube-viewer
-include whitelist-common.inc
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
-
-apparmor
-caps.drop all
-netfilter
-nodvd
-nogroups
-noinput
-nonewprivs
-noroot
-notv
-nou2f
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-tracelog
 
-disable-mnt
-private-bin ffmpeg,ffprobe,firefox,gtk-youtube-viewer,gtk2-youtube-viewer,gtk3-youtube-viewer,mpv,python*,sh,smplayer,stty,vlc,which,youtube-dl,youtube-viewer
-private-cache
-private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,machine-id,mime.types,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl,X11,xdg
-private-tmp
+private-bin gtk-youtube-viewer,gtk2-youtube-viewer,gtk3-youtube-viewer,youtube-viewer
 
-dbus-user none
-dbus-system none
+# Redirect
+include youtube-viewers-common.profile
diff --git a/etc/profile-m-z/youtube-viewers-common.profile b/etc/profile-m-z/youtube-viewers-common.profile
new file mode 100644
index 000000000..f212a6721
--- /dev/null
+++ b/etc/profile-m-z/youtube-viewers-common.profile
@@ -0,0 +1,60 @@
+# Firejail profile for youtube-viewer clones
+# Description: common profile for Trizen's Youtube viewers
+# This file is overwritten after every install/update
+# Persistent local customizations
+include youtube-viewers-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+noblacklist ${HOME}/.cache/youtube-dl
+
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
+
+# Allow perl (blacklisted by disable-interpreters.inc)
+include allow-perl.inc
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.cache/youtube-dl/youtube-sigfuncs
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin bash,ffmpeg,ffprobe,firefox,mpv,perl,python*,sh,smplayer,stty,wget,wget2,which,xterm,youtube-dl,yt-dlp
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,mime.types,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl,X11,xdg
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/youtube.profile b/etc/profile-m-z/youtube.profile
index ad7ceaee4..5c4d697da 100644
--- a/etc/profile-m-z/youtube.profile
+++ b/etc/profile-m-z/youtube.profile
@@ -16,8 +16,8 @@ include disable-shell.inc
 mkdir ${HOME}/.config/Youtube
 whitelist ${HOME}/.config/Youtube
 
-private-bin youtube
-private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-bin electron,electron[0-9],electron[0-9][0-9],youtube
+private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 private-opt Youtube
 
 # Redirect
diff --git a/etc/profile-m-z/youtubemusic-nativefier.profile b/etc/profile-m-z/youtubemusic-nativefier.profile
index 74b0e38b9..2b5ffeaaf 100644
--- a/etc/profile-m-z/youtubemusic-nativefier.profile
+++ b/etc/profile-m-z/youtubemusic-nativefier.profile
@@ -13,8 +13,8 @@ include disable-shell.inc
 mkdir ${HOME}/.config/youtubemusic-nativefier-040164
 whitelist ${HOME}/.config/youtubemusic-nativefier-040164
 
-private-bin youtubemusic-nativefier
-private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-bin electron,electron[0-9],electron[0-9][0-9],youtubemusic-nativefier
+private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 private-opt youtubemusic-nativefier
 
 # Redirect
diff --git a/etc/profile-m-z/yt-dlp.profile b/etc/profile-m-z/yt-dlp.profile
new file mode 100644
index 000000000..6e835b03f
--- /dev/null
+++ b/etc/profile-m-z/yt-dlp.profile
@@ -0,0 +1,21 @@
+# Firejail profile for yt-dlp
+# Description: Downloader of videos of various sites
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include yt-dlp.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.cache/yt-dlp
+noblacklist ${HOME}/.config/yt-dlp
+noblacklist ${HOME}/.config/yt-dlp.conf
+noblacklist ${HOME}/yt-dlp.conf
+noblacklist ${HOME}/yt-dlp.conf.txt
+
+private-bin ffprobe,yt-dlp
+private-etc alternatives,ld.so.cache,ld.so.preload,yt-dlp.conf
+
+# Redirect
+include youtube-dl.profile
diff --git a/etc/profile-m-z/ytmdesktop.profile b/etc/profile-m-z/ytmdesktop.profile
index ab46fccc2..59b6e2543 100644
--- a/etc/profile-m-z/ytmdesktop.profile
+++ b/etc/profile-m-z/ytmdesktop.profile
@@ -14,7 +14,7 @@ mkdir ${HOME}/.config/youtube-music-desktop-app
 whitelist ${HOME}/.config/youtube-music-desktop-app
 
 # private-bin env,ytmdesktop
-private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 # private-opt
 
 # Redirect
diff --git a/etc/profile-m-z/zaproxy.profile b/etc/profile-m-z/zaproxy.profile
index 5a168feb6..1f11f133f 100644
--- a/etc/profile-m-z/zaproxy.profile
+++ b/etc/profile-m-z/zaproxy.profile
@@ -15,7 +15,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 
 mkdir ${HOME}/.java
diff --git a/etc/profile-m-z/zart.profile b/etc/profile-m-z/zart.profile
index 10f83aa30..f534aee8f 100644
--- a/etc/profile-m-z/zart.profile
+++ b/etc/profile-m-z/zart.profile
@@ -13,7 +13,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
diff --git a/etc/profile-m-z/zathura.profile b/etc/profile-m-z/zathura.profile
index a39729685..68c9b0a93 100644
--- a/etc/profile-m-z/zathura.profile
+++ b/etc/profile-m-z/zathura.profile
@@ -14,15 +14,16 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
+include disable-write-mnt.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/zathura
 mkdir ${HOME}/.local/share/zathura
 whitelist /usr/share/doc
 whitelist /usr/share/zathura
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
@@ -41,6 +42,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-m-z/zeal.profile b/etc/profile-m-z/zeal.profile
index 2c6f6910f..eaf06b66a 100644
--- a/etc/profile-m-z/zeal.profile
+++ b/etc/profile-m-z/zeal.profile
@@ -6,27 +6,35 @@ include zeal.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/Zeal
 noblacklist ${HOME}/.cache/Zeal
+noblacklist ${HOME}/.config/Zeal
 noblacklist ${HOME}/.local/share/Zeal
 
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
+include disable-proc.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
+# Allow zeal to open links in Firefox.
+# This also requires dbus-user filtering (see below).
+noblacklist ${HOME}/.mozilla
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+read-only ${HOME}/.mozilla/firefox/profiles.ini
+
 mkdir ${HOME}/.cache/Zeal
-mkdir ${HOME}/.config/qt5ct
 mkdir ${HOME}/.config/Zeal
 mkdir ${HOME}/.local/share/Zeal
 whitelist ${HOME}/.cache/Zeal
 whitelist ${HOME}/.config/Zeal
 whitelist ${HOME}/.local/share/Zeal
 include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 apparmor
@@ -45,6 +53,7 @@ nou2f
 novideo
 protocol unix,inet,inet6,netlink
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
@@ -55,7 +64,10 @@ private-dev
 private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,nsswitch.conf,pango,pki,protocols,resolv.conf,rpc,services,ssl,Trolltech.conf,X11,xdg
 private-tmp
 
-dbus-user none
+dbus-user filter
+dbus-user.talk org.mozilla.Firefox.*
+dbus-user.talk org.mozilla.firefox.*
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
 dbus-system none
 
 # memory-deny-write-execute - breaks on Arch
diff --git a/etc/profile-m-z/zim.profile b/etc/profile-m-z/zim.profile
new file mode 100644
index 000000000..fa67b76c7
--- /dev/null
+++ b/etc/profile-m-z/zim.profile
@@ -0,0 +1,71 @@
+# Firejail profile for Zim
+# Description: Desktop wiki & notekeeper
+# This file is overwritten after every install/update
+# Persistent local customizations
+include zim.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/zim
+noblacklist ${HOME}/.config/zim
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+blacklist /usr/libexec
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+
+mkdir ${HOME}/.cache/zim
+mkdir ${HOME}/.config/zim
+mkdir ${HOME}/Notebooks
+whitelist ${HOME}/.cache/zim
+whitelist ${HOME}/.config/zim
+whitelist ${HOME}/Notebooks
+whitelist ${DESKTOP}
+whitelist ${DOCUMENTS}
+whitelist ${DOWNLOADS}
+whitelist ${MUSIC}
+whitelist ${PICTURES}
+whitelist ${VIDEOS}
+whitelist /usr/share/zim
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin python*,zim
+private-cache
+private-dev
+private-etc alternatives,dconf,fonts,gconf,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,pango,X11
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/zulip.profile b/etc/profile-m-z/zulip.profile
index 093da5212..8acfdd651 100644
--- a/etc/profile-m-z/zulip.profile
+++ b/etc/profile-m-z/zulip.profile
@@ -14,7 +14,6 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -45,5 +44,5 @@ disable-mnt
 private-bin locale,zulip
 private-cache
 private-dev
-private-etc asound.conf,fonts,machine-id
+private-etc alternatives,asound.conf,fonts,ld.so.cache,ld.so.preload,machine-id
 private-tmp
diff --git a/etc/templates/profile.template b/etc/templates/profile.template
index a7144a29f..aefb75c2c 100644
--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -59,14 +59,6 @@ include globals.local
 ##ignore noexec ${HOME}
 ##ignore noexec /tmp
 
-##blacklist PATH
-# Disable X11 (CLI only), see also 'x11 none' below
-#blacklist /tmp/.X11-unix
-# Disable Wayland
-#blacklist ${RUNUSER}/wayland-*
-# Disable RUNUSER (cli only)
-#blacklist ${RUNUSER}
-
 # It is common practice to add files/dirs containing program-specific configuration
 # (often ${HOME}/PROGRAMNAME or ${HOME}/.config/PROGRAMNAME) into disable-programs.inc
 # (keep list sorted) and then disable blacklisting below.
@@ -109,14 +101,26 @@ include globals.local
 # Allow ssh (blacklisted by disable-common.inc)
 #include allow-ssh.inc
 
+##blacklist PATH
+# Disable Wayland
+#blacklist ${RUNUSER}/wayland-*
+# Disable RUNUSER (cli only; supersedes Disable Wayland)
+#blacklist ${RUNUSER}
+# Remove the next blacklist if you system has no /usr/libexec dir,
+# otherwise try to add it.
+#blacklist /usr/libexec
+
+# disable-*.inc includes
+# remove disable-write-mnt.inc if you set disable-mnt
 #include disable-common.inc
 #include disable-devel.inc
 #include disable-exec.inc
 #include disable-interpreters.inc
-#include disable-passwdmgr.inc
+#include disable-proc.inc
 #include disable-programs.inc
 #include disable-shell.inc
 #include disable-write-mnt.inc
+#include disable-X11.inc
 #include disable-xdg.inc
 
 # This section often mirrors noblacklist section above. The idea is
@@ -128,6 +132,7 @@ include globals.local
 ##mkfile PATH
 #whitelist PATH
 #include whitelist-common.inc
+#include whitelist-run-common.inc
 #include whitelist-runuser-common.inc
 #include whitelist-usr-share-common.inc
 #include whitelist-var-common.inc
@@ -150,6 +155,7 @@ include globals.local
 #nogroups
 #noinput
 #nonewprivs
+#noprinters
 #noroot
 #nosound
 #notv
@@ -168,7 +174,7 @@ include globals.local
 ##seccomp-error-action log (only for debugging seccomp issues)
 #shell none
 #tracelog
-# Prefer 'x11 none' instead of 'blacklist /tmp/.X11-unix' if 'net none' is set
+# Prefer 'x11 none' instead of 'disable-X11.inc' if 'net none' is set
 ##x11 none
 
 #disable-mnt
@@ -187,7 +193,7 @@ include globals.local
 #  GUI: fonts,pango,X11
 #  GTK: dconf,gconf,gtk-2.0,gtk-3.0
 #  KDE: kde4rc,kde5rc
-#  Networking: ca-certificates,crypto-policies,host.conf,hostname,hosts,nsswitch.conf,pki,protocols,resolv.conf,services,rpc,ssl
+#  Networking: ca-certificates,crypto-policies,host.conf,hostname,hosts,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
 #    Extra: gai.conf,proxychains.conf
 #  Qt: Trolltech.conf
 ##private-lib LIBS
@@ -200,7 +206,7 @@ include globals.local
 
 # Since 0.9.63 also a more granular control of dbus is supported.
 # To get the dbus-addresses an application needs access to you can
-# check with flatpak (when the application is distriputed that way):
+# check with flatpak (when the application is distributed that way):
 #    flatpak remote-info --show-metadata flathub <APP-ID>
 # Notes:
 #  - flatpak implicitly allows an app to own <APP-ID> on the session bus
@@ -215,8 +221,10 @@ include globals.local
 #dbus-user.talk org.freedesktop.Notifications
 #dbus-system none
 
+##deterministic-shutdown
 ##env VAR=VALUE
 ##join-or-start NAME
 #memory-deny-write-execute
 ##noexec PATH
 ##read-only ${HOME}
+##read-write ${HOME}
diff --git a/etc/templates/syscalls.txt b/etc/templates/syscalls.txt
index 0775f60ff..827b075e5 100644
--- a/etc/templates/syscalls.txt
+++ b/etc/templates/syscalls.txt
@@ -33,7 +33,7 @@ Definition of groups
 @clock=adjtimex,clock_adjtime,clock_settime,settimeofday,stime
 @cpu-emulation=modify_ldt,subpage_prot,switch_endian,vm86,vm86old
 @debug=lookup_dcookie,perf_event_open,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext
-@default=@clock,@cpu-emulation,@debug,@module,@mount,@obsolete,@raw-io,@reboot,@swap,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,kcmp,add_key,request_key,mbind,migrate_pages,move_pages,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,set_mempolicyvmsplice,userfaultfd,acct,bpf,nfsservctl,setdomainname,sethostname,vhangup
+@default=@clock,@cpu-emulation,@debug,@module,@mount,@obsolete,@raw-io,@reboot,@swap,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,add_key,request_key,mbind,migrate_pages,move_pages,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,set_mempolicyvmsplice,userfaultfd,acct,bpf,nfsservctl,setdomainname,sethostname,vhangup
 @default-nodebuggers=@default,ptrace,personality,process_vm_readv
 @default-keep=execveat,execve,prctl
 @file-system=access,chdir,chmod,close,creat,faccessat,faccessat2,fallocate,fchdir,fchmod,fchmodat,fcntl,fcntl64,fgetxattr,flistxattr,fremovexattr,fsetxattr,fstat,fstat64,fstatat64,fstatfs,fstatfs64,ftruncate,ftruncate64,futimesat,getcwd,getdents,getdents64,getxattr,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,lgetxattr,link,linkat,listxattr,llistxattr,lremovexattr,lsetxattr,lstat,lstat64,mkdir,mkdirat,mknod,mknodat,mmap,mmap2,munmap,newfstatat,oldfstat,oldlstat,oldstat,open,openat,readlink,readlinkat,removexattr,rename,renameat,renameat2,rmdir,setxattr,stat,stat64,statfs,statfs64,statx,symlink,symlinkat,truncate,truncate64,unlink,unlinkat,utime,utimensat,utimes
@@ -89,18 +89,24 @@ Inheritance of groups
 What to do if seccomp breaks a program
 --------------------------------------
 
+Start `journalctl --grep=SECCOMP --follow` in a terminal and run
+`firejail --seccomp-error-action=log /path/to/program` in a second terminal.
+Now switch back to the first terminal (where `journalctl` is running) and look
+for the numbers of the blocked syscall(s) (`syscall=<NUMBER>`). As soon as you
+have found them, you can stop `journalctl` (^C) and execute
+`firejail --debug-syscalls | grep NUMBER` to get the name of the syscall.
+In the particular case that it is a 32bit syscall on a 64bit system, use `firejail --debug-syscalls32 | grep NUMBER`.
+Now you can add a seccomp exception using `seccomp !NAME`.
+
+If the blocked syscall is ptrace, consider to add allow-debuggers to the profile.
+
 ```
-$ journalctl --grep=syscall --follow
-<...> audit[…]: SECCOMP <...> syscall=161 <...>
-$ firejail --debug-syscalls | grep 161
-161 - chroot
+term1$ journalctl --grep=SECCOMP --follow
+term2$ firejail --seccomp-error-action=log /usr/bin/signal-desktop
+term1$ (journalctl --grep=SECCOMP --follow)
+audit[1234]: SECCOMP ... comm="signal-desktop" exe="/usr/bin/signal-desktop" sig=31 arch=c000003e syscall=161 ...
+^C
+term1$ firejail --debug-syscalls | grep "^161[[:space:]]"
+161     - chroot
 ```
 Profile: `seccomp -> seccomp !chroot`
-
-Start `journalctl --grep=syscall --follow` in a terminal, then start the broken
-program. Now you see one or more long lines containing `syscall=NUMBER` somewhere.
-Stop journalctl (^C) and execute `firejail --debug-syscalls | grep NUMBER`. You
-will see something like `NUMBER  - NAME`, because you now know the name of the
-syscall, you can add an exception to seccomp by putting `!NAME` to seccomp.
-
-If the blocked syscall is ptrace, consider to add allow-debuggers to the profile.
diff --git a/gcov.sh b/gcov.sh
index 65f06a4d4..79736d3d8 100755
--- a/gcov.sh
+++ b/gcov.sh
@@ -1,10 +1,10 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 gcov_init() {
-        USER=`whoami`
+        USER="$(whoami)"
         firejail --help > /dev/null
         firemon --help > /dev/null
         /usr/lib/firejail/fnet --help > /dev/null
@@ -20,22 +20,22 @@ gcov_init() {
         /usr/lib/firejail/faudit --help > /dev/null
         /usr/lib/firejail/fbuilder --help > /dev/null
 
-        sudo chown $USER:$USER `find .`
+        find . -exec sudo chown "$USER:$USER" '{}' +
 }
 
 generate() {
-        lcov -q --capture -d src/firejail -d src/firemon -d src/faudit -d src/fbuilder -d  src/fcopy -d  src/fnetfilter -d src/fsec-print -d src/fsec-optimize -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg -d src/fldd --output-file gcov-file-new
-        lcov --add-tracefile gcov-file-old --add-tracefile gcov-file-new  --output-file gcov-file
+        lcov -q --capture -d src/firejail -d src/firemon -d src/faudit -d src/fbuilder -d src/fcopy -d src/fnetfilter -d src/fsec-print -d src/fsec-optimize -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg -d src/fldd --output-file gcov-file-new
+        lcov --add-tracefile gcov-file-old --add-tracefile gcov-file-new --output-file gcov-file
         rm -fr gcov-dir
         genhtml -q gcov-file --output-directory gcov-dir
-        sudo rm `find . -name *.gcda`
+        find . -name '*.gcda' -exec sudo rm '{}' +
         cp gcov-file gcov-file-old
         gcov_init
 }
 
 
 gcov_init
-lcov -q --capture -d src/firejail -d src/firemon -d src/faudit -d src/fbuilder -d  src/fcopy -d  src/fnetfilter -d src/fsec-print -d src/fsec-optimize -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg -d src/fldd  --output-file gcov-file-old
+lcov -q --capture -d src/firejail -d src/firemon -d src/faudit -d src/fbuilder -d src/fcopy -d src/fnetfilter -d src/fsec-print -d src/fsec-optimize -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg -d src/fldd --output-file gcov-file-old
 
 #make test-utils
 #generate
diff --git a/install.sh b/install.sh
index e26cea7b0..2d5f29d41 100755
--- a/install.sh
+++ b/install.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 echo "installing..."
diff --git a/linecnt.sh b/linecnt.sh
index ccce2da82..06d136d8c 100755
--- a/linecnt.sh
+++ b/linecnt.sh
@@ -1,10 +1,10 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 gcov_init() {
-        USER=`whoami`
+        USER="$(whoami)"
         firejail --help > /dev/null
         firemon --help > /dev/null
         /usr/lib/firejail/fnet --help > /dev/null
@@ -20,12 +20,12 @@ gcov_init() {
         /usr/lib/firejail/faudit --help > /dev/null
         /usr/lib/firejail/fbuilder --help > /dev/null
 
-        sudo chown $USER:$USER `find .`
+        find . -exec sudo chown "$USER:$USER" '{}' +
 }
 
 rm -fr gcov-dir
 gcov_init
 lcov -q --capture -d src/firejail -d src/firemon -d src/faudit -d src/fbuilder \
-        -d  src/fcopy -d  src/fnetfilter -d src/fsec-print -d src/fsec-optimize -d src/fseccomp \
-        -d src/fnet -d src/ftee -d src/lib -d src/firecfg -d src/fldd  --output-file gcov-file
+        -d src/fcopy -d src/fnetfilter -d src/fsec-print -d src/fsec-optimize -d src/fseccomp \
+        -d src/fnet -d src/ftee -d src/lib -d src/firecfg -d src/fldd --output-file gcov-file
 genhtml -q gcov-file --output-directory gcov-dir
diff --git a/mkasc.sh b/mkasc.sh
index 31c3f4ffd..6de64c6f2 100755
--- a/mkasc.sh
+++ b/mkasc.sh
@@ -1,13 +1,13 @@
 #!/bin/sh
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 echo "Calculating SHA256 for all files in /transfer - firejail version $1"
 
-cd /transfer
-sha256sum * > firejail-$1-unsigned
-gpg --clearsign --digest-algo SHA256 < firejail-$1-unsigned > firejail-$1.asc
-gpg --verify firejail-$1.asc
-gpg --detach-sign --armor firejail-$1.tar.xz
-rm firejail-$1-unsigned
+cd /transfer || exit 1
+sha256sum ./* > "firejail-$1-unsigned"
+gpg --clearsign --digest-algo SHA256 < "firejail-$1-unsigned" > "firejail-$1.asc"
+gpg --verify "firejail-$1.asc"
+gpg --detach-sign --armor "firejail-$1.tar.xz"
+rm "firejail-$1-unsigned"
diff --git a/mkdeb.sh.in b/mkdeb.sh.in
index e45acf8eb..6d6981417 100755
--- a/mkdeb.sh.in
+++ b/mkdeb.sh.in
@@ -1,6 +1,6 @@
 #!/bin/sh
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 # based on http://tldp.org/HOWTO/html_single/Debian-Binary-Package-Building-HOWTO/
@@ -22,7 +22,7 @@ if [ -n "$HAVE_SELINUX" ]; then
     CONFIG_ARGS="$CONFIG_ARGS --enable-selinux"
 fi
 
-TOP=`pwd`
+TOP="$PWD"
 CODE_ARCHIVE="$NAME-$VERSION.tar.xz"
 CODE_DIR="$NAME-$VERSION"
 INSTALL_DIR="${INSTALL_DIR}${CODE_DIR}/debian"
@@ -35,9 +35,9 @@ echo "install directory: $INSTALL_DIR"
 echo "debian control directory: $DEBIAN_CTRL_DIR"
 echo "*****************************************"
 
-tar -xJvf $CODE_ARCHIVE
-#mkdir -p $INSTALL_DIR
-cd $CODE_DIR
+tar -xJvf "$CODE_ARCHIVE"
+#mkdir -p "$INSTALL_DIR"
+cd "$CODE_DIR"
 ./configure $CONFIG_ARGS
 make -j2
 mkdir debian
@@ -45,26 +45,26 @@ DESTDIR=debian make install-strip
 
 cd ..
 echo "*****************************************"
-SIZE=`du -s $INSTALL_DIR`
+SIZE="$(du -s "$INSTALL_DIR")"
 echo "install size $SIZE"
 echo "*****************************************"
 
-mv $INSTALL_DIR/usr/share/doc/firejail/RELNOTES $INSTALL_DIR/usr/share/doc/firejail/changelog.Debian
-gzip -9 -n $INSTALL_DIR/usr/share/doc/firejail/changelog.Debian
-rm $INSTALL_DIR/usr/share/doc/firejail/COPYING
-install -m644 $CODE_DIR/platform/debian/copyright $INSTALL_DIR/usr/share/doc/firejail/.
-mkdir -p $DEBIAN_CTRL_DIR
-sed "s/FIREJAILVER/$VERSION/g"  $CODE_DIR/platform/debian/control.$(dpkg-architecture -qDEB_HOST_ARCH) > $DEBIAN_CTRL_DIR/control
+mv "$INSTALL_DIR/usr/share/doc/firejail/RELNOTES" "$INSTALL_DIR/usr/share/doc/firejail/changelog.Debian"
+gzip -9 -n "$INSTALL_DIR/usr/share/doc/firejail/changelog.Debian"
+rm "$INSTALL_DIR/usr/share/doc/firejail/COPYING"
+install -m644 "$CODE_DIR/platform/debian/copyright" "$INSTALL_DIR/usr/share/doc/firejail/."
+mkdir -p "$DEBIAN_CTRL_DIR"
+sed "s/FIREJAILVER/$VERSION/g" "$CODE_DIR/platform/debian/control.$(dpkg-architecture -qDEB_HOST_ARCH)" > "$DEBIAN_CTRL_DIR/control"
 
-mkdir -p $INSTALL_DIR/usr/share/lintian/overrides/
-install -m644 $CODE_DIR/platform/debian/firejail.lintian-overrides $INSTALL_DIR/usr/share/lintian/overrides/firejail
+mkdir -p "$INSTALL_DIR/usr/share/lintian/overrides/"
+install -m644 "$CODE_DIR/platform/debian/firejail.lintian-overrides" "$INSTALL_DIR/usr/share/lintian/overrides/firejail"
 
-find $INSTALL_DIR/etc -type f | sed "s,^$INSTALL_DIR,," | LC_ALL=C sort > $DEBIAN_CTRL_DIR/conffiles
-chmod 644 $DEBIAN_CTRL_DIR/conffiles
-find $INSTALL_DIR  -type d | xargs chmod 755
-cd $CODE_DIR
+find "$INSTALL_DIR/etc" -type f | sed "s,^$INSTALL_DIR,," | LC_ALL=C sort > "$DEBIAN_CTRL_DIR/conffiles"
+chmod 644 "$DEBIAN_CTRL_DIR/conffiles"
+find "$INSTALL_DIR" -type d -exec chmod 755 '{}' +
+cd "$CODE_DIR"
 fakeroot dpkg-deb --build debian
 lintian --no-tag-display-limit debian.deb
-mv debian.deb ../firejail_${VERSION}${EXTRA_VERSION}_1_$(dpkg-architecture -qDEB_HOST_ARCH).deb
+mv debian.deb "../firejail_${VERSION}${EXTRA_VERSION}_1_$(dpkg-architecture -qDEB_HOST_ARCH).deb"
 cd ..
-rm -fr $CODE_DIR
+rm -fr "$CODE_DIR"
diff --git a/mketc.sh b/mketc.sh
index 0aa313b17..0e681fa28 100755
--- a/mketc.sh
+++ b/mketc.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 sed -i -e '
diff --git a/mkman.sh b/mkman.sh
index 8767972d1..79ad16252 100755
--- a/mkman.sh
+++ b/mkman.sh
@@ -1,12 +1,12 @@
 #!/bin/sh
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set -e
 
-sed "s/VERSION/$1/g" $2 > $3
-MONTH=`LC_ALL=C date -u --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}" +%b`
-sed -i "s/MONTH/$MONTH/g" $3
-YEAR=`LC_ALL=C date -u --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}" +%Y`
-sed -i "s/YEAR/$YEAR/g" $3
+sed "s/VERSION/$1/g" "$2" > "$3"
+MONTH="$(LC_ALL=C date -u --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}" +%b)"
+sed -i "s/MONTH/$MONTH/g" "$3"
+YEAR="$(LC_ALL=C date -u --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}" +%Y)"
+sed -i "s/YEAR/$YEAR/g" "$3"
diff --git a/mkuid.sh b/mkuid.sh
index 0264628cc..7db6c9ac5 100755
--- a/mkuid.sh
+++ b/mkuid.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 echo "extracting UID_MIN and GID_MIN"
@@ -9,8 +9,8 @@ echo "#define FIREJAIL_UIDS_H" >> uids.h
 
 if [ -r /etc/login.defs ]
 then
-        UID_MIN=`awk '/^\s*UID_MIN\s*([0-9]*).*?$/ {print $2}' /etc/login.defs`
-        GID_MIN=`awk '/^\s*GID_MIN\s*([0-9]*).*?$/ {print $2}' /etc/login.defs`
+        UID_MIN="$(awk '/^\s*UID_MIN\s*([0-9]*).*?$/ {print $2}' /etc/login.defs)"
+        GID_MIN="$(awk '/^\s*GID_MIN\s*([0-9]*).*?$/ {print $2}' /etc/login.defs)"
 fi
 
 # use default values if not found
diff --git a/platform/debian/copyright b/platform/debian/copyright
index d4bdb1283..aef85743e 100644
--- a/platform/debian/copyright
+++ b/platform/debian/copyright
@@ -7,7 +7,7 @@ This is the Debian/Ubuntu prepackaged version of firejail.
     and networking stack isolation, and it runs on any recent Linux system. It
     includes a sandbox profile for Mozilla Firefox.
 
-    Copyright (C) 2014-2021 Firejail Authors (see README file for more details)
+    Copyright (C) 2014-2022 Firejail Authors (see README file for more details)
 
     This program is free software; you can redistribute it and/or modify
     it under the terms of the GNU General Public License as published by
diff --git a/platform/rpm/firejail.spec b/platform/rpm/firejail.spec
index 85df1b4eb..86cd6006e 100644
--- a/platform/rpm/firejail.spec
+++ b/platform/rpm/firejail.spec
@@ -35,7 +35,7 @@ rm -rf %{buildroot}
 %attr(4755, -, -) %{_bindir}/__NAME__
 %{_bindir}/firecfg
 %{_bindir}/firemon
-%{_bindir}/jailtest
+%{_bindir}/jailcheck
 %{_libdir}/__NAME__
 %{_datarootdir}/bash-completion/completions/__NAME__
 %{_datarootdir}/bash-completion/completions/firecfg
@@ -45,8 +45,8 @@ rm -rf %{buildroot}
 %{_mandir}/man1/__NAME__.1.gz
 %{_mandir}/man1/firecfg.1.gz
 %{_mandir}/man1/firemon.1.gz
+%{_mandir}/man1/jailcheck.1.gz
 %{_mandir}/man5/__NAME__-login.5.gz
 %{_mandir}/man5/__NAME__-profile.5.gz
 %{_mandir}/man5/__NAME__-users.5.gz
-%{_mandir}/man5/jailtest.5.gz
 %config(noreplace) %{_sysconfdir}/__NAME__
diff --git a/platform/rpm/mkrpm.sh b/platform/rpm/mkrpm.sh
index b8470dd71..d597d32fd 100755
--- a/platform/rpm/mkrpm.sh
+++ b/platform/rpm/mkrpm.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 #
 # Usage: ./platform/rpm/mkrpm.sh firejail <version> "<config options>"
diff --git a/src/bash_completion/firejail.bash_completion.in b/src/bash_completion/firejail.bash_completion.in
index f68edf380..ff411c807 100644
--- a/src/bash_completion/firejail.bash_completion.in
+++ b/src/bash_completion/firejail.bash_completion.in
@@ -5,7 +5,7 @@
 # http://bash-completion.alioth.debian.org
 #*******************************************************************
 
-__interfaces(){
+__interfaces() {
     cut -f 1 -d ':' /proc/net/dev | tail -n +3 | grep -v lo | xargs
 }
 
@@ -90,11 +90,11 @@ _firejail()
             _filedir
             return 0
             ;;
-         --net)
-                comps=$(__interfaces)
+        --net)
+            comps=$(__interfaces)
             COMPREPLY=( $(compgen -W '$comps' -- "$cur") )
             return 0
-                ;;
+            ;;
     esac
 
     $split && return 0
diff --git a/src/common.mk.in b/src/common.mk.in
index b379aef7f..38c05bc69 100644
--- a/src/common.mk.in
+++ b/src/common.mk.in
@@ -15,7 +15,6 @@ HAVE_NETWORK=@HAVE_NETWORK@
 HAVE_USERNS=@HAVE_USERNS@
 HAVE_X11=@HAVE_X11@
 HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
-HAVE_WHITELIST=@HAVE_WHITELIST@
 HAVE_GLOBALCFG=@HAVE_GLOBALCFG@
 HAVE_APPARMOR=@HAVE_APPARMOR@
 HAVE_OVERLAYFS=@HAVE_OVERLAYFS@
@@ -23,11 +22,13 @@ HAVE_FIRETUNNEL=@HAVE_FIRETUNNEL@
 HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
 HAVE_GCOV=@HAVE_GCOV@
 HAVE_SELINUX=@HAVE_SELINUX@
+HAVE_SUID=@HAVE_SUID@
 HAVE_DBUSPROXY=@HAVE_DBUSPROXY@
 HAVE_USERTMPFS=@HAVE_USERTMPFS@
 HAVE_OUTPUT=@HAVE_OUTPUT@
 HAVE_LTS=@HAVE_LTS@
 HAVE_FORCE_NONEWPRIVS=@HAVE_FORCE_NONEWPRIVS@
+HAVE_ONLY_SYSCFG_PROFILES=@HAVE_ONLY_SYSCFG_PROFILES@
 
 H_FILE_LIST       = $(sort $(wildcard *.h))
 C_FILE_LIST       = $(sort $(wildcard *.c))
@@ -36,11 +37,11 @@ BINOBJS =  $(foreach file, $(OBJS), $file)
 
 CFLAGS = @CFLAGS@
 CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV)
-CFLAGS += -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"'
-MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) $(HAVE_SELINUX) $(HAVE_FORCE_NONEWPRIVS)
+CFLAGS += -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"'   -DVARDIR='"/var/lib/firejail"'
+MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_SELINUX) $(HAVE_SUID) $(HAVE_FORCE_NONEWPRIVS) $(HAVE_ONLY_SYSCFG_PROFILES)
 CFLAGS += $(MANFLAGS)
 CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security
-LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread
+LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now
 EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
 
 ifdef NO_EXTRA_CFLAGS
diff --git a/src/fbuilder/build_bin.c b/src/fbuilder/build_bin.c
index 9577042c4..041c52629 100644
--- a/src/fbuilder/build_bin.c
+++ b/src/fbuilder/build_bin.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/fbuilder/build_fs.c b/src/fbuilder/build_fs.c
index 8700e0ba1..4766337ff 100644
--- a/src/fbuilder/build_fs.c
+++ b/src/fbuilder/build_fs.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -236,9 +236,6 @@ void build_share(const char *fname, FILE *fp) {
 //*******************************************
 static FileDB *tmp_out = NULL;
 static void tmp_callback(char *ptr) {
-        // skip strace file
-        if (strncmp(ptr, "/tmp/firejail-strace", 20) == 0)
-                return;
         if (strncmp(ptr, "/tmp/runtime-", 13) == 0)
                 return;
         if (strcmp(ptr, "/tmp") == 0)
diff --git a/src/fbuilder/build_home.c b/src/fbuilder/build_home.c
index b3ec6cffd..d6d421259 100644
--- a/src/fbuilder/build_home.c
+++ b/src/fbuilder/build_home.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -68,6 +68,8 @@ void process_home(const char *fname, char *home, int home_len) {
                         ptr += 7;
                 else if (strncmp(ptr, "open /home", 10) == 0)
                         ptr += 5;
+                else if (strncmp(ptr, "opendir /home", 13) == 0)
+                        ptr += 8;
                 else
                         continue;
 
diff --git a/src/fbuilder/build_profile.c b/src/fbuilder/build_profile.c
index fb53f70a6..941f43562 100644
--- a/src/fbuilder/build_profile.c
+++ b/src/fbuilder/build_profile.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -22,22 +22,6 @@
 #include <sys/wait.h>
 
 #define TRACE_OUTPUT "/tmp/firejail-trace.XXXXXX"
-#define STRACE_OUTPUT "/tmp/firejail-strace.XXXXXX"
-
-/* static char *cmdlist[] = { */
-/*      "/usr/bin/firejail", */
-/*      "--quiet", */
-/*      "--output=" TRACE_OUTPUT, */
-/*      "--noprofile", */
-/*      "--caps.drop=all", */
-/*      "--nonewprivs", */
-/*      "--trace", */
-/*      "--shell=none", */
-/*      "/usr/bin/strace", // also used as a marker in build_profile() */
-/*      "-c", */
-/*      "-f", */
-/*      "-o" STRACE_OUTPUT, */
-/* }; */
 
 void build_profile(int argc, char **argv, int index, FILE *fp) {
         // next index is the application name
@@ -47,78 +31,42 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
         }
 
         char trace_output[] = "/tmp/firejail-trace.XXXXXX";
-        char strace_output[] = "/tmp/firejail-strace.XXXXXX";
-
         int tfile = mkstemp(trace_output);
-        int stfile = mkstemp(strace_output);
-        if(tfile == -1 || stfile == -1)
+        if(tfile == -1)
                 errExit("mkstemp");
-
-        // close the files, firejail/strace will overwrite them!
         close(tfile);
-        close(stfile);
-
 
         char *output;
-        char *stroutput;
         if(asprintf(&output,"--trace=%s",trace_output) == -1)
                 errExit("asprintf");
-        if(asprintf(&stroutput,"-o%s",strace_output) == -1)
-                errExit("asprintf");
-
-        char *cmdlist[] = {
-          BINDIR "/firejail",
-          "--quiet",
-          "--noprofile",
-          "--caps.drop=all",
-          "--nonewprivs",
-          output,
-          "--shell=none",
-          "/usr/bin/strace", // also used as a marker in build_profile()
-          "-c",
-          "-f",
-          stroutput,
-        };
-
-        // detect strace and check if Yama LSM allows us to use it
-        int have_strace = 0;
-        int have_yama_permission = 1;
-        if (access("/usr/bin/strace", X_OK) == 0) {
-                have_strace = 1;
-                FILE *ps = fopen("/proc/sys/kernel/yama/ptrace_scope", "r");
-                if (ps) {
-                        unsigned val;
-                        if (fscanf(ps, "%u", &val) == 1)
-                                have_yama_permission = (val < 2);
-                        fclose(ps);
-                }
-        }
 
         // calculate command length
-        unsigned len = (int) sizeof(cmdlist) / sizeof(char*) + argc - index + 1;
-        if (arg_debug)
-                printf("command len %d + %d + 1\n", (int) (sizeof(cmdlist) / sizeof(char*)), argc - index);
-        char *cmd[len];
-        cmd[0] = cmdlist[0];    // explicit assignment to clean scan-build error
+        unsigned len = 64;      // plenty of space for firejail command line
+        len += argc - index;    // program command line
+        len += 1;               // NULL
 
         // build command
-        // skip strace if not installed, or no permission to use it
-        int skip_strace = !(have_strace && have_yama_permission);
-        unsigned i = 0;
-        for (i = 0; i < (int) sizeof(cmdlist) / sizeof(char*); i++) {
-                if (skip_strace && strcmp(cmdlist[i], "/usr/bin/strace") == 0)
-                        break;
-                cmd[i] = cmdlist[i];
-        }
-
-        int i2 = index;
-        for (; i < (len - 1); i++, i2++)
-                cmd[i] = argv[i2];
-        assert(i < len);
-        cmd[i] = NULL;
+        char *cmd[len];
+        unsigned curr_len = 0;
+        cmd[curr_len++] = BINDIR "/firejail";
+        cmd[curr_len++] = "--quiet";
+        cmd[curr_len++] = "--noprofile";
+        cmd[curr_len++] = "--caps.drop=all";
+        cmd[curr_len++] = "--seccomp=!chroot";
+        cmd[curr_len++] = "--shell=none";
+        cmd[curr_len++] = output;
+        if (arg_appimage)
+                cmd[curr_len++] = "--appimage";
+
+        int i;
+        for (i = index; i < argc; i++)
+                cmd[curr_len++] = argv[i];
+
+        assert(curr_len < len);
+        cmd[curr_len] = NULL;
 
         if (arg_debug) {
-                for (i = 0; i < len; i++)
+                for (i = 0; cmd[i]; i++)
                         printf("%s%s\n", (i)?"\t":"", cmd[i]);
         }
 
@@ -140,14 +88,14 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
 
         if (WIFEXITED(status) && WEXITSTATUS(status) == 0) {
                 if (fp == stdout)
-                        printf("--- Built profile beings after this line ---\n");
+                        printf("--- Built profile begins after this line ---\n");
                 fprintf(fp, "# Save this file as \"application.profile\" (change \"application\" with the\n");
                 fprintf(fp, "# program name) in ~/.config/firejail directory. Firejail will find it\n");
                 fprintf(fp, "# automatically every time you sandbox your application.\n#\n");
                 fprintf(fp, "# Run \"firejail application\" to test it. In the file there are\n");
-                fprintf(fp, "# some other commands you can try. Enable them by removing the \"#\".\n");
+                fprintf(fp, "# some other commands you can try. Enable them by removing the \"#\".\n\n");
 
-                fprintf(fp, "\n# Firejail profile for %s\n", argv[index]);
+                fprintf(fp, "# Firejail profile for %s\n", argv[index]);
                 fprintf(fp, "# Persistent local customizations\n");
                 fprintf(fp, "#include %s.local\n", argv[index]);
                 fprintf(fp, "# Persistent global definitions\n");
@@ -158,58 +106,62 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
                 fprintf(fp, "### Enable as many of them as you can! A very important one is\n");
                 fprintf(fp, "### \"disable-exec.inc\". This will make among other things your home\n");
                 fprintf(fp, "### and /tmp directories non-executable.\n");
-                fprintf(fp, "include disable-common.inc\n");
-                fprintf(fp, "#include disable-devel.inc\n");
-                fprintf(fp, "#include disable-exec.inc\n");
-                fprintf(fp, "#include disable-interpreters.inc\n");
-                fprintf(fp, "include disable-passwdmgr.inc\n");
-                fprintf(fp, "include disable-programs.inc\n");
-                fprintf(fp, "#include disable-xdg.inc\n");
+                fprintf(fp, "include disable-common.inc\t# dangerous directories like ~/.ssh and ~/.gnupg\n");
+                fprintf(fp, "#include disable-devel.inc\t# development tools such as gcc and gdb\n");
+                fprintf(fp, "#include disable-exec.inc\t# non-executable directories such as /var, /tmp, and /home\n");
+                fprintf(fp, "#include disable-interpreters.inc\t# perl, python, lua etc.\n");
+                fprintf(fp, "include disable-programs.inc\t# user configuration for programs such as firefox, vlc etc.\n");
+                fprintf(fp, "#include disable-shell.inc\t# sh, bash, zsh etc.\n");
+                fprintf(fp, "#include disable-xdg.inc\t# standard user directories: Documents, Pictures, Videos, Music\n");
                 fprintf(fp, "\n");
 
                 fprintf(fp, "### Home Directory Whitelisting ###\n");
                 fprintf(fp, "### If something goes wrong, this section is the first one to comment out.\n");
                 fprintf(fp, "### Instead, you'll have to relay on the basic blacklisting above.\n");
                 build_home(trace_output, fp);
+                fprintf(fp, "\n");
 
-                fprintf(fp, "\n### The Rest of the Filesystem ###\n");
+                fprintf(fp, "### Filesystem Whitelisting ###\n");
                 build_share(trace_output, fp);
+                //todo: include whitelist-runuser-common.inc
                 build_var(trace_output, fp);
-                build_bin(trace_output, fp);
-                build_dev(trace_output, fp);
-                fprintf(fp, "#nodvd\n");
-                fprintf(fp, "#noinput\n");
-                fprintf(fp, "#notv\n");
-                fprintf(fp, "#nou2f\n");
-                fprintf(fp, "#novideo\n");
-                build_etc(trace_output, fp);
-                build_tmp(trace_output, fp);
+                fprintf(fp, "\n");
 
-                fprintf(fp, "\n### Security Filters ###\n");
-                fprintf(fp, "#apparmor\n");
+                fprintf(fp, "#apparmor\t# if you have AppArmor running, try this one!\n");
                 fprintf(fp, "caps.drop all\n");
+                fprintf(fp, "ipc-namespace\n");
                 fprintf(fp, "netfilter\n");
-                fprintf(fp, "#nogroups\n");
-                fprintf(fp, "#noroot\n");
+                fprintf(fp, "#no3d\t# disable 3D acceleration\n");
+                fprintf(fp, "#nodvd\t# disable DVD and CD devices\n");
+                fprintf(fp, "#nogroups\t# disable supplementary user groups\n");
+                fprintf(fp, "#noinput\t# disable input devices\n");
                 fprintf(fp, "nonewprivs\n");
+                fprintf(fp, "noroot\n");
+                fprintf(fp, "#notv\t# disable DVB TV devices\n");
+                fprintf(fp, "#nou2f\t# disable U2F devices\n");
+                fprintf(fp, "#novideo\t# disable video capture devices\n");
                 build_protocol(trace_output, fp);
+                fprintf(fp, "seccomp !chroot\t# allowing chroot, just in case this is an Electron app\n");
+                fprintf(fp, "shell none\n");
+                fprintf(fp, "tracelog\n");
+                fprintf(fp, "\n");
+
+                fprintf(fp, "#disable-mnt\t# no access to /mnt, /media, /run/mount and /run/media\n");
+                build_bin(trace_output, fp);
+                fprintf(fp, "#private-cache\t# run with an empty ~/.cache directory\n");
+                build_dev(trace_output, fp);
+                build_etc(trace_output, fp);
+                fprintf(fp, "#private-lib\n");
+                build_tmp(trace_output, fp);
+                fprintf(fp, "\n");
+
+                fprintf(fp, "#dbus-user none\n");
+                fprintf(fp, "#dbus-system none\n");
+                fprintf(fp, "\n");
+                fprintf(fp, "#memory-deny-write-execute\n");
 
-                fprintf(fp, "seccomp\n");
-                if (!have_strace) {
-                        fprintf(fp, "### If you install strace on your system, Firejail will also create a\n");
-                        fprintf(fp, "### whitelisted seccomp filter.\n");
-                }
-                else if (!have_yama_permission)
-                        fprintf(fp, "### Yama security module prevents creation of a whitelisted seccomp filter\n");
-                else
-                        build_seccomp(strace_output, fp);
-                fprintf(fp, "#shell none\n");
-                fprintf(fp, "#tracelog\n");
-
-                if (!arg_debug) {
+                if (!arg_debug)
                         unlink(trace_output);
-                        unlink(strace_output);
-                }
         }
         else {
                 fprintf(stderr, "Error: cannot run the sandbox\n");
diff --git a/src/fbuilder/build_seccomp.c b/src/fbuilder/build_seccomp.c
index dc3cce456..7b4727e1a 100644
--- a/src/fbuilder/build_seccomp.c
+++ b/src/fbuilder/build_seccomp.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -20,6 +20,7 @@
 
 #include "fbuilder.h"
 
+#if 0
 void build_seccomp(const char *fname, FILE *fp) {
         assert(fname);
         assert(fp);
@@ -78,15 +79,17 @@ void build_seccomp(const char *fname, FILE *fp) {
 
         fclose(fp2);
 }
+#endif
 
 //***************************************
 // protocol
 //***************************************
-int unix_s = 0;
-int inet = 0;
-int inet6 = 0;
-int netlink = 0;
-int packet = 0;
+static int unix_s = 0;
+static int inet = 0;
+static int inet6 = 0;
+static int netlink = 0;
+static int packet = 0;
+static int bluetooth = 0;
 static void process_protocol(const char *fname) {
         assert(fname);
 
@@ -135,6 +138,8 @@ static void process_protocol(const char *fname) {
                         netlink = 1;
                 else if (strncmp(ptr, "AF_PACKET ", 10) == 0)
                         packet = 1;
+                else if (strncmp(ptr, "AF_BLUETOOTH ", 13) == 0)
+                        bluetooth = 1;
         }
 
         fclose(fp);
@@ -161,22 +166,22 @@ void build_protocol(const char *fname, FILE *fp) {
         }
 
         int net = 0;
-        if (unix_s || inet || inet6 || netlink || packet) {
+        if (unix_s || inet || inet6 || netlink || packet || bluetooth) {
                 fprintf(fp, "protocol ");
                 if (unix_s)
                         fprintf(fp, "unix,");
-                if (inet) {
-                        fprintf(fp, "inet,");
-                        net = 1;
-                }
-                if (inet6) {
-                        fprintf(fp, "inet6,");
+                if (inet || inet6) {
+                        fprintf(fp, "inet,inet6,");
                         net = 1;
                 }
                 if (netlink)
                         fprintf(fp, "netlink,");
                 if (packet) {
-                        fprintf(fp, "packet");
+                        fprintf(fp, "packet,");
+                        net = 1;
+                }
+                if (bluetooth) {
+                        fprintf(fp, "bluetooth");
                         net = 1;
                 }
                 fprintf(fp, "\n");
diff --git a/src/fbuilder/fbuilder.h b/src/fbuilder/fbuilder.h
index 08dd35e10..3e23d7854 100644
--- a/src/fbuilder/fbuilder.h
+++ b/src/fbuilder/fbuilder.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -31,6 +31,7 @@
 #define MAX_BUF 4096
 // main.c
 extern int arg_debug;
+extern int arg_appimage;
 
 // build_profile.c
 void build_profile(int argc, char **argv, int index, FILE *fp);
diff --git a/src/fbuilder/filedb.c b/src/fbuilder/filedb.c
index 94a226cb7..454b9f40b 100644
--- a/src/fbuilder/filedb.c
+++ b/src/fbuilder/filedb.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/fbuilder/main.c b/src/fbuilder/main.c
index f4917aefc..aa49b2489 100644
--- a/src/fbuilder/main.c
+++ b/src/fbuilder/main.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -19,6 +19,7 @@
 */
 #include "fbuilder.h"
 int arg_debug = 0;
+int arg_appimage = 0;
 
 static void usage(void) {
         printf("Firejail profile builder\n");
@@ -39,7 +40,7 @@ printf("\n");
         int i;
         int prog_index = 0;
         FILE *fp = stdout;
-        int prof_file = 0;
+        char *prof_file = NULL;
 
         // parse arguments and extract program index
         for (i = 1; i < argc; i++) {
@@ -49,6 +50,8 @@ printf("\n");
                 }
                 else if (strcmp(argv[i], "--debug") == 0)
                         arg_debug = 1;
+                else if (strcmp(argv[i], "--appimage") == 0)
+                        arg_appimage = 1;
                 else if (strcmp(argv[i], "--build") == 0)
                         ; // do nothing, this is passed down from firejail
                 else if (strncmp(argv[i], "--build=", 8) == 0) {
@@ -58,18 +61,23 @@ printf("\n");
                                 exit(1);
                         }
 
+                        // don't run if the file exists
+                        if (access(argv[i] + 8, F_OK) == 0) {
+                                fprintf(stderr, "Error: the profile file already exists. Please use a different file name.\n");
+                                exit(1);
+                        }
+
                         // check file access
                         fp = fopen(argv[i] + 8, "w");
                         if (!fp) {
-                                fprintf(stderr, "Error fbuild: cannot open profile file.\n");
+                                fprintf(stderr, "Error: cannot open profile file.\n");
                                 exit(1);
                         }
-                        prof_file = 1;
-                        // do nothing, this is passed down from firejail
+                        prof_file = argv[i] + 8;
                 }
                 else {
                         if (*argv[i] == '-') {
-                                fprintf(stderr, "Error fbuilder: invalid program\n");
+                                fprintf(stderr, "Error: invalid program\n");
                                 usage();
                                 exit(1);
                         }
@@ -79,10 +87,13 @@ printf("\n");
         }
 
         if (prog_index == 0) {
-                fprintf(stderr, "Error fbuilder: program and arguments required\n");
+                fprintf(stderr, "Error : program and arguments required\n");
                 usage();
-                if (prof_file)
+                if (prof_file) {
                         fclose(fp);
+                        int rv = unlink(prof_file);
+                        (void) rv;
+                }
                 exit(1);
         }
 
diff --git a/src/fbuilder/utils.c b/src/fbuilder/utils.c
index 52493f470..f89e69679 100644
--- a/src/fbuilder/utils.c
+++ b/src/fbuilder/utils.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/fcopy/main.c b/src/fcopy/main.c
index 572e9f601..e56d853c8 100644
--- a/src/fcopy/main.c
+++ b/src/fcopy/main.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -19,11 +19,15 @@
  */
 
 #include "../include/common.h"
-#include <fcntl.h>
 #include <ftw.h>
 #include <errno.h>
 #include <pwd.h>
 
+#include <fcntl.h>
+#ifndef O_PATH
+#define O_PATH 010000000
+#endif
+
 #if HAVE_SELINUX
 #include <sys/stat.h>
 #include <sys/types.h>
@@ -55,7 +59,7 @@ static void selinux_relabel_path(const char *path, const char *inside_path) {
         assert(path);
         assert(inside_path);
 #if HAVE_SELINUX
-        char procfs_path[64];
+        char procfs_path[64];
         char *fcon = NULL;
         int fd;
         struct stat st;
@@ -69,20 +73,24 @@ static void selinux_relabel_path(const char *path, const char *inside_path) {
         if (!label_hnd)
                 label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);
 
+        if (!label_hnd)
+                errExit("selabel_open");
+
         /* Open the file as O_PATH, to pin it while we determine and adjust the label */
-        fd = open(path, O_NOFOLLOW|O_CLOEXEC|O_PATH);
+        fd = open(path, O_NOFOLLOW|O_CLOEXEC|O_PATH);
         if (fd < 0)
                 return;
         if (fstat(fd, &st) < 0)
                 goto close;
 
-        if (selabel_lookup_raw(label_hnd, &fcon, inside_path, st.st_mode)  == 0) {
+        if (selabel_lookup_raw(label_hnd, &fcon, inside_path, st.st_mode)  == 0) {
                 sprintf(procfs_path, "/proc/self/fd/%i", fd);
                 if (arg_debug)
                         printf("Relabeling %s as %s (%s)\n", path, inside_path, fcon);
 
-                setfilecon_raw(procfs_path, fcon);
-        }
+                if (setfilecon_raw(procfs_path, fcon) != 0 && arg_debug)
+                        printf("Cannot relabel %s: %s\n", path, strerror(errno));
+        }
         freecon(fcon);
  close:
         close(fd);
@@ -192,7 +200,8 @@ static char *proc_pid_to_self(const char *target) {
 
         // check where /proc/self points to
         static const char proc_self[] = "/proc/self";
-        if (!(proc_pid = realpath(proc_self, NULL)))
+        proc_pid = realpath(proc_self, NULL);
+        if (proc_pid == NULL)
                 goto done;
 
         // redirect /proc/PID/xxx -> /proc/self/XXX
@@ -340,7 +349,7 @@ static char *check(const char *src) {
 
 errexit:
         free(rsrc);
-        fprintf(stderr, "Error fcopy: invalid file %s\n", src);
+        fprintf(stderr, "Error fcopy: invalid ownership for file %s\n", src);
         exit(1);
 }
 
@@ -463,18 +472,12 @@ int main(int argc, char **argv) {
         size_t len = strlen(src);
         while (len > 1 && src[len - 1] == '/')
                 src[--len] = '\0';
-        if (strcspn(src, "\\*&!?\"'<>%^(){}[];,") != len) {
-                fprintf(stderr, "Error fcopy: invalid source file name %s\n", src);
-                exit(1);
-        }
+        reject_meta_chars(src, 0);
 
         len = strlen(dest);
         while (len > 1 && dest[len - 1] == '/')
                 dest[--len] = '\0';
-        if (strcspn(dest, "\\*&!?\"'<>%^(){}[];,~") != len) {
-                fprintf(stderr, "Error fcopy: invalid dest file name %s\n", dest);
-                exit(1);
-        }
+        reject_meta_chars(dest, 0);
 
         // the destination should be a directory;
         struct stat s;
diff --git a/src/fids/Makefile.in b/src/fids/Makefile.in
new file mode 100644
index 000000000..5530bcee2
--- /dev/null
+++ b/src/fids/Makefile.in
@@ -0,0 +1,18 @@
+.PHONY: all
+all: fids
+
+include ../common.mk
+
+%.o : %.c $(H_FILE_LIST) ../include/common.h
+        $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
+
+#fseccomp: $(OBJS) ../lib/common.o ../lib/errno.o ../lib/syscall.o
+fids: $(OBJS)
+        $(CC)  $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
+
+.PHONY: clean
+clean:; rm -fr *.o fids *.gcov *.gcda *.gcno *.plist
+
+.PHONY: distclean
+distclean: clean
+        rm -fr Makefile
diff --git a/src/fids/blake2b.c b/src/fids/blake2b.c
new file mode 100644
index 000000000..ec7cf8602
--- /dev/null
+++ b/src/fids/blake2b.c
@@ -0,0 +1,176 @@
+/*
+ * Copyright (C) 2014-2022 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+/* A simple unkeyed BLAKE2b Implementation based on the official reference
+ * from https://github.com/BLAKE2/BLAKE2.
+ *
+ * The original code was released under CC0 1.0 Universal license (Creative Commons),
+ * a public domain license.
+ */
+
+#include "fids.h"
+
+// little-endian vs big-endian is irrelevant since the checksum is calculated and checked on the same computer.
+static inline uint64_t load64( const void *src ) {
+        uint64_t w;
+        memcpy( &w, src, sizeof( w ) );
+        return w;
+}
+
+// mixing function
+#define ROTR64(x, y)  (((x) >> (y)) ^ ((x) << (64 - (y))))
+#define G(a, b, c, d, x, y) {   \
+                v[a] = v[a] + v[b] + x;         \
+                v[d] = ROTR64(v[d] ^ v[a], 32); \
+                v[c] = v[c] + v[d];             \
+                v[b] = ROTR64(v[b] ^ v[c], 24); \
+                v[a] = v[a] + v[b] + y;         \
+                v[d] = ROTR64(v[d] ^ v[a], 16); \
+                v[c] = v[c] + v[d];             \
+                v[b] = ROTR64(v[b] ^ v[c], 63); }
+
+// init vector
+static const uint64_t iv[8] = {
+        0x6A09E667F3BCC908, 0xBB67AE8584CAA73B,
+        0x3C6EF372FE94F82B, 0xA54FF53A5F1D36F1,
+        0x510E527FADE682D1, 0x9B05688C2B3E6C1F,
+        0x1F83D9ABFB41BD6B, 0x5BE0CD19137E2179
+};
+
+
+const uint8_t sigma[12][16] = {
+        { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 },
+        { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 },
+        { 11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4 },
+        { 7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8 },
+        { 9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13 },
+        { 2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9 },
+        { 12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11 },
+        { 13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10 },
+        { 6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5 },
+        { 10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13, 0 },
+        { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 },
+        { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 }
+};
+
+// blake2b context
+typedef struct {
+        uint8_t b[128];                     // input buffer
+        uint64_t h[8];                      // chained state
+        uint64_t t[2];                      // total number of bytes
+        size_t c;                           // pointer for b[]
+        size_t outlen;                      // digest size
+} CTX;
+
+// compress function
+static void compress(CTX *ctx, int last) {
+        uint64_t m[16];
+        uint64_t v[16];
+        size_t i;
+
+        for (i = 0; i < 16; i++)
+                m[i] = load64(&ctx->b[8 * i]);
+
+        for (i = 0; i < 8; i++) {
+                v[i] = ctx->h[i];
+                v[i + 8] = iv[i];
+        }
+
+        v[12] ^= ctx->t[0];
+        v[13] ^= ctx->t[1];
+        if (last)
+                v[14] = ~v[14];
+
+        for (i = 0; i < 12; i++) {
+                G( 0, 4,  8, 12, m[sigma[i][ 0]], m[sigma[i][ 1]]);
+                G( 1, 5,  9, 13, m[sigma[i][ 2]], m[sigma[i][ 3]]);
+                G( 2, 6, 10, 14, m[sigma[i][ 4]], m[sigma[i][ 5]]);
+                G( 3, 7, 11, 15, m[sigma[i][ 6]], m[sigma[i][ 7]]);
+                G( 0, 5, 10, 15, m[sigma[i][ 8]], m[sigma[i][ 9]]);
+                G( 1, 6, 11, 12, m[sigma[i][10]], m[sigma[i][11]]);
+                G( 2, 7,  8, 13, m[sigma[i][12]], m[sigma[i][13]]);
+                G( 3, 4,  9, 14, m[sigma[i][14]], m[sigma[i][15]]);
+        }
+
+        for( i = 0; i < 8; ++i )
+                ctx->h[i] ^= v[i] ^ v[i + 8];
+}
+
+static int init(CTX *ctx, size_t outlen) {      // (keylen=0: no key)
+        size_t i;
+
+        if (outlen == 0 || outlen > 64)
+                return -1;
+
+        for (i = 0; i < 8; i++)
+                ctx->h[i] = iv[i];
+        ctx->h[0] ^= 0x01010000  ^ outlen;
+
+        ctx->t[0] = 0;
+        ctx->t[1] = 0;
+        ctx->c = 0;
+        ctx->outlen = outlen;
+
+        return 0;
+}
+
+static void update(CTX *ctx, const void *in, size_t inlen) {
+        size_t i;
+
+        for (i = 0; i < inlen; i++) {
+                if (ctx->c == 128) {
+                        ctx->t[0] += ctx->c;
+                        if (ctx->t[0] < ctx->c)
+                                ctx->t[1]++;
+                        compress(ctx, 0);
+                        ctx->c = 0;
+                }
+                ctx->b[ctx->c++] = ((const uint8_t *) in)[i];
+        }
+}
+
+static void final(CTX *ctx, void *out) {
+        size_t i;
+
+        ctx->t[0] += ctx->c;
+        if (ctx->t[0] < ctx->c)
+                ctx->t[1]++;
+
+        while (ctx->c < 128)
+                ctx->b[ctx->c++] = 0;
+        compress(ctx, 1);
+
+        for (i = 0; i < ctx->outlen; i++) {
+                ((uint8_t *) out)[i] =
+                        (ctx->h[i >> 3] >> (8 * (i & 7))) & 0xFF;
+        }
+}
+
+// public function
+int blake2b(void *out, size_t outlen, const void *in, size_t inlen) {
+        CTX ctx;
+
+        if (init(&ctx, outlen))
+                return -1;
+        update(&ctx, in, inlen);
+        final(&ctx, out);
+
+        return 0;
+}
diff --git a/src/fids/config b/src/fids/config
new file mode 100644
index 000000000..c18c97260
--- /dev/null
+++ b/src/fids/config
@@ -0,0 +1,16 @@
+/bin
+/sbin
+/usr/bin
+/usr/sbin
+/usr/games
+/opt
+/usr/share/ca-certificates
+
+
+/home/netblue/.bashrc
+/home/netblue/.config/firejail
+/home/netblue/.config/autostart
+/home/netblue/Desktop/*.desktop
+/home/netblue/.ssh
+/home/netblue/.gnupg
+
diff --git a/src/fids/db.c b/src/fids/db.c
new file mode 100644
index 000000000..e8dfab1ac
--- /dev/null
+++ b/src/fids/db.c
@@ -0,0 +1,158 @@
+/*
+ * Copyright (C) 2014-2022 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include"fids.h"
+
+typedef struct db_t {
+        struct db_t *next;
+        char *fname;
+        char *checksum;
+        char *mode;
+        int checked;
+} DB;
+
+#define MAXBUF 4096
+static DB *database[HASH_MAX] = {NULL};
+
+// djb2 hash function by Dan Bernstein
+static unsigned hash(const char *str) {
+        unsigned long hash = 5381;
+        int c;
+
+        while ((c = *str++) != '\0')
+                hash = ((hash << 5) + hash) + c; /* hash * 33 + c */
+
+        return hash & (HASH_MAX - 1);
+}
+
+#if 0
+// for testing the hash table
+static void db_print(void) {
+        int i;
+        for (i = 0; i < HASH_MAX; i++) {
+                int cnt = 0;
+                DB *ptr = database[i];
+                while (ptr) {
+                        cnt++;
+                        ptr = ptr->next;
+                }
+                printf("%d ", cnt);
+                fflush(0);
+        }
+        printf("\n");
+}
+#endif
+
+static void db_add(const char *fname, const char *checksum, const char *mode) {
+        DB *ptr = malloc(sizeof(DB));
+        if (!ptr)
+                errExit("malloc");
+        ptr->fname = strdup(fname);
+        ptr->checksum = strdup(checksum);
+        ptr->mode = strdup(mode);
+        ptr->checked = 0;
+        if (!ptr->fname || !ptr->checksum || !ptr->mode)
+                errExit("strdup");
+
+        unsigned h = hash(fname);
+        ptr->next = database[h];
+        database[h] = ptr;
+}
+
+void db_check(const char *fname, const char *checksum, const char *mode) {
+        assert(fname);
+        assert(checksum);
+        assert(mode);
+
+        unsigned h =hash(fname);
+        DB *ptr = database[h];
+        while (ptr) {
+                if (strcmp(fname, ptr->fname) == 0) {
+                        ptr->checked = 1;
+                        break;
+                }
+                ptr = ptr->next;
+        }
+
+        if (ptr ) {
+                if (strcmp(checksum, ptr->checksum)) {
+                        f_modified++;
+                        fprintf(stderr, "\nWarning: modified %s\n", fname);
+                }
+                if (strcmp(mode, ptr->mode)) {
+                        f_permissions++;
+                        fprintf(stderr, "\nWarning: permissions %s: old %s, new %s\n",
+                                fname, ptr->mode, mode);
+                }
+        }
+        else {
+                f_new++;
+                fprintf(stderr, "\nWarning: new file %s\n", fname);
+        }
+}
+
+void db_missing(void) {
+        int i;
+        for (i = 0; i < HASH_MAX; i++) {
+                DB *ptr = database[i];
+                while (ptr) {
+                        if (!ptr->checked) {
+                                f_removed++;
+                                fprintf(stderr, "Warning: removed %s\n", ptr->fname);
+                        }
+                        ptr = ptr->next;
+                }
+        }
+}
+
+// return 0 if ok, 1 if error
+int db_init(void) {
+        char buf[MAXBUF];
+        while(fgets(buf, MAXBUF, stdin)) {
+                // split - tab separated
+
+                char *mode = buf;
+                char *ptr = strchr(buf, '\t');
+                if (!ptr)
+                        goto errexit;
+                *ptr = '\0';
+
+                char *checksum = ptr + 1;
+                ptr = strchr(checksum, '\t');
+                if (!ptr)
+                        goto errexit;
+                *ptr = '\0';
+
+                char *fname = ptr + 1;
+                ptr = strchr(fname, '\n');
+                if (!ptr)
+                        goto errexit;
+                *ptr = '\0';
+
+                db_add(fname, checksum, mode);
+        }
+//      db_print();
+
+        return 0;
+
+errexit:
+        fprintf(stderr, "Error fids: database corrupted\n");
+        exit(1);
+}
+
diff --git a/src/fids/db_exclude.c b/src/fids/db_exclude.c
new file mode 100644
index 000000000..cfb37219c
--- /dev/null
+++ b/src/fids/db_exclude.c
@@ -0,0 +1,56 @@
+/*
+ * Copyright (C) 2014-2022 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include"fids.h"
+
+typedef struct db_exclude_t {
+        struct db_exclude_t *next;
+        char *fname;
+        int len;
+} DB_EXCLUDE;
+static DB_EXCLUDE *database = NULL;
+
+void db_exclude_add(const char *fname) {
+        assert(fname);
+
+        DB_EXCLUDE *ptr = malloc(sizeof(DB_EXCLUDE));
+        if (!ptr)
+                errExit("malloc");
+
+        ptr->fname = strdup(fname);
+        if (!ptr->fname)
+                errExit("strdup");
+        ptr->len = strlen(fname);
+        ptr->next = database;
+        database = ptr;
+}
+
+int db_exclude_check(const char *fname) {
+        assert(fname);
+
+        DB_EXCLUDE *ptr = database;
+        while (ptr != NULL) {
+                if (strncmp(fname, ptr->fname, ptr->len) == 0)
+                        return 1;
+                ptr = ptr->next;
+        }
+
+        return 0;
+}
+
diff --git a/src/fids/fids.h b/src/fids/fids.h
new file mode 100644
index 000000000..93ae106a1
--- /dev/null
+++ b/src/fids/fids.h
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) 2014-2022 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#ifndef FIDS_H
+#define FIDS_H
+
+#include "../include/common.h"
+
+// main.c
+#define MAX_DIR_LEVEL 20        // max directory tree depth
+#define MAX_INCLUDE_LEVEL 10    // max include level for config files
+extern int f_scanned;
+extern int f_modified;
+extern int f_new;
+extern int f_removed;
+extern int f_permissions;
+
+// db.c
+#define HASH_MAX 2048   // power of 2
+int db_init(void);
+void db_check(const char *fname, const char *checksum, const char *mode);
+void db_missing(void);
+
+// db_exclude.c
+void db_exclude_add(const char *fname);
+int db_exclude_check(const char *fname);
+
+
+// blake2b.c
+//#define KEY_SIZE 128 // key size in bytes
+#define KEY_SIZE 256
+//#define KEY_SIZE 512
+int blake2b(void *out, size_t outlen, const void *in, size_t inlen);
+
+#endif
diff --git a/src/fids/main.c b/src/fids/main.c
new file mode 100644
index 000000000..e6be365d1
--- /dev/null
+++ b/src/fids/main.c
@@ -0,0 +1,378 @@
+/*
+ * Copyright (C) 2014-2022 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "fids.h"
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <sys/mman.h>
+#include <dirent.h>
+#include <glob.h>
+
+#define MAXBUF 4096
+
+static int dir_level = 1;
+static int include_level = 0;
+int arg_init = 0;
+int arg_check = 0;
+char *arg_homedir = NULL;
+char *arg_dbfile = NULL;
+
+int f_scanned = 0;
+int f_modified = 0;
+int f_new = 0;
+int f_removed = 0;
+int f_permissions = 0;
+
+
+
+static inline int is_dir(const char *fname) {
+        assert(fname);
+
+        struct stat s;
+        if (stat(fname, &s) == 0) {
+                if (S_ISDIR(s.st_mode))
+                        return 1;
+        }
+        return 0;
+}
+
+static inline int is_link(const char *fname) {
+        assert(fname);
+
+        char c;
+        ssize_t rv = readlink(fname, &c, 1);
+        return (rv != -1);
+}
+
+// mode is an array of 10 chars or more
+static inline void file_mode(const char *fname, char *mode) {
+        assert(fname);
+        assert(mode);
+
+        struct stat s;
+        if (stat(fname, &s)) {
+                *mode = '\0';
+                return;
+        }
+
+        sprintf(mode, (s.st_mode & S_IRUSR) ? "r" : "-");
+        sprintf(mode + 1, (s.st_mode & S_IWUSR) ? "w" : "-");
+        sprintf(mode + 2, (s.st_mode & S_IXUSR) ? "x" : "-");
+        sprintf(mode + 3, (s.st_mode & S_IRGRP) ? "r" : "-");
+        sprintf(mode + 4, (s.st_mode & S_IWGRP) ? "w" : "-");
+        sprintf(mode + 5, (s.st_mode & S_IXGRP) ? "x" : "-");
+        sprintf(mode + 6, (s.st_mode & S_IROTH) ? "r" : "-");
+        sprintf(mode + 7, (s.st_mode & S_IWOTH) ? "w" : "-");
+        sprintf(mode + 8, (s.st_mode & S_IXOTH) ? "x" : "-");
+}
+
+
+static void file_checksum(const char *fname) {
+        assert(fname);
+
+        int fd = open(fname, O_RDONLY);
+        if (fd == -1)
+                return;
+
+        off_t size = lseek(fd, 0, SEEK_END);
+        if (size < 0) {
+                close(fd);
+                return;
+        }
+
+        char *content = "empty";
+        int mmapped = 0;
+        if (size == 0) {
+                // empty files don't mmap - use "empty" string as the file content
+                size = 6; // strlen("empty") + 1
+        }
+        else {
+                content = mmap(NULL, size, PROT_READ, MAP_PRIVATE, fd, 0);
+                close(fd);
+                mmapped = 1;
+        }
+
+        unsigned char checksum[KEY_SIZE / 8];
+        blake2b(checksum, sizeof(checksum), content, size);
+        if (mmapped)
+                munmap(content, size);
+
+        // calculate blake2 checksum
+        char str_checksum[(KEY_SIZE / 8) * 2 + 1];
+        int long unsigned i;
+        char *ptr = str_checksum;
+        for (i = 0; i < sizeof(checksum); i++, ptr += 2)
+                sprintf(ptr, "%02x", (unsigned char ) checksum[i]);
+
+        // build permissions string
+        char mode[10];
+        file_mode(fname, mode);
+
+        if (arg_init)
+                printf("%s\t%s\t%s\n", mode, str_checksum, fname);
+        else if (arg_check)
+                db_check(fname, str_checksum, mode);
+        else
+                assert(0);
+
+        f_scanned++;
+        if (f_scanned % 500 == 0)
+                fprintf(stderr, "%d ", f_scanned);
+        fflush(0);
+}
+
+void list_directory(const char *fname) {
+        assert(fname);
+        if (dir_level > MAX_DIR_LEVEL) {
+                fprintf(stderr, "Warning fids: maximum depth level exceeded for %s\n", fname);
+                return;
+        }
+
+        if (db_exclude_check(fname))
+                return;
+
+        if (is_link(fname))
+                return;
+
+        if (!is_dir(fname)) {
+                file_checksum(fname);
+                return;
+        }
+
+        DIR *dir;
+        struct dirent *entry;
+
+        if (!(dir = opendir(fname)))
+                return;
+
+        dir_level++;
+        while ((entry = readdir(dir)) != NULL) {
+                if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0)
+                        continue;
+                char *path;
+                if (asprintf(&path, "%s/%s", fname, entry->d_name) == -1)
+                        errExit("asprintf");
+                list_directory(path);
+                free(path);
+        }
+        closedir(dir);
+        dir_level--;
+}
+
+void globbing(const char *fname) {
+        assert(fname);
+
+        // filter top directory
+        if (strcmp(fname, "/") == 0)
+                return;
+
+        glob_t globbuf;
+        int globerr = glob(fname, GLOB_NOCHECK | GLOB_NOSORT | GLOB_PERIOD, NULL, &globbuf);
+        if (globerr) {
+                fprintf(stderr, "Error fids: failed to glob pattern %s\n", fname);
+                exit(1);
+        }
+
+        long unsigned i;
+        for (i = 0; i < globbuf.gl_pathc; i++) {
+                char *path = globbuf.gl_pathv[i];
+                assert(path);
+
+                list_directory(path);
+        }
+
+        globfree(&globbuf);
+}
+
+static void process_config(const char *fname) {
+        assert(fname);
+
+        if (++include_level >= MAX_INCLUDE_LEVEL) {
+                fprintf(stderr, "Error ids: maximum include level for config files exceeded\n");
+                exit(1);
+        }
+
+        fprintf(stderr, "Opening config file %s\n", fname);
+        int fd = open(fname, O_RDONLY|O_CLOEXEC);
+        if (fd < 0) {
+                if (include_level == 1) {
+                        fprintf(stderr, "Error ids: cannot open config file %s\n", fname);
+                        exit(1);
+                }
+                return;
+        }
+
+        // make sure the file is owned by root
+        struct stat s;
+        if (fstat(fd, &s)) {
+                fprintf(stderr, "Error ids: cannot stat config file %s\n", fname);
+                exit(1);
+        }
+        if (s.st_uid || s.st_gid) {
+                fprintf(stderr, "Error ids: config file not owned by root\n");
+                exit(1);
+        }
+
+        fprintf(stderr, "Loading config file %s\n", fname);
+        FILE *fp = fdopen(fd, "r");
+        if (!fp) {
+                fprintf(stderr, "Error fids: cannot open config file %s\n", fname);
+                exit(1);
+        }
+
+        char buf[MAXBUF];
+        int line = 0;
+        while (fgets(buf, MAXBUF, fp)) {
+                line++;
+
+                // trim \n
+                char *ptr = strchr(buf, '\n');
+                if (ptr)
+                        *ptr = '\0';
+
+                // comments
+                ptr = strchr(buf, '#');
+                if (ptr)
+                        *ptr = '\0';
+
+                // empty space
+                ptr = buf;
+                while (*ptr == ' ' || *ptr == '\t')
+                        ptr++;
+                char *start = ptr;
+
+                // empty line
+                if (*start == '\0')
+                        continue;
+
+                // trailing spaces
+                ptr = start + strlen(start);
+                ptr--;
+                while (*ptr == ' ' || *ptr == '\t')
+                        *ptr-- = '\0';
+
+                // replace ${HOME}
+                if (strncmp(start, "include", 7) == 0) {
+                        ptr = start + 7;
+                        if ((*ptr != ' ' && *ptr != '\t') || *ptr == '\0') {
+                                fprintf(stderr, "Error fids: invalid line %d in %s\n", line, fname);
+                                exit(1);
+                        }
+                        while (*ptr == ' ' || *ptr == '\t')
+                                ptr++;
+
+                        if (*ptr == '/')
+                                process_config(ptr);
+                        else {
+                                // assume the file is in /etc/firejail
+                                char *tmp;
+                                if (asprintf(&tmp, "/etc/firejail/%s", ptr) == -1)
+                                        errExit("asprintf");
+                                process_config(tmp);
+                                free(tmp);
+                        }
+                }
+                else if (*start == '!') {
+                        // exclude file or dir
+                        start++;
+                        if (strncmp(start, "${HOME}", 7))
+                                db_exclude_add(start);
+                        else {
+                                char *fname;
+                                if (asprintf(&fname, "%s%s", arg_homedir, start + 7) == -1)
+                                        errExit("asprintf");
+                                db_exclude_add(fname);
+                                free(fname);
+                        }
+                }
+                else if (strncmp(start, "${HOME}", 7))
+                        globbing(start);
+                else {
+                        char *fname;
+                        if (asprintf(&fname, "%s%s", arg_homedir, start + 7) == -1)
+                                errExit("asprintf");
+                        globbing(fname);
+                        free(fname);
+                }
+        }
+
+        fclose(fp);
+        include_level--;
+}
+
+
+
+void usage(void) {
+        printf("Usage: fids [--help|-h|-?] --init|--check homedir\n");
+}
+
+int main(int argc, char **argv) {
+        int i;
+        for (i = 1; i < argc; i++) {
+                if (strcmp(argv[i], "-h") == 0 ||
+                    strcmp(argv[i], "-?") == 0 ||
+                    strcmp(argv[i], "--help") == 0) {
+                        usage();
+                        return 0;
+                }
+                else if (strcmp(argv[i], "--init") == 0)
+                        arg_init = 1;
+                else if (strcmp(argv[i], "--check") == 0)
+                        arg_check = 1;
+                else if (strncmp(argv[i], "--", 2) == 0) {
+                        fprintf(stderr, "Error fids: invalid argument %s\n", argv[i]);
+                        exit(1);
+                }
+        }
+
+        if (argc != 3) {
+                fprintf(stderr, "Error fids: invalid number of arguments\n");
+                exit(1);
+        }
+        arg_homedir = argv[2];
+
+        int op = arg_check + arg_init;
+        if (op == 0 || op == 2) {
+                fprintf(stderr, "Error fids: use either --init or --check\n");
+                exit(1);
+        }
+
+        if (arg_init) {
+                process_config(SYSCONFDIR"/ids.config");
+                fprintf(stderr, "\n%d files scanned\n", f_scanned);
+                fprintf(stderr, "IDS database initialized\n");
+        }
+        else if (arg_check) {
+                if (db_init()) {
+                        fprintf(stderr, "Error: IDS database not initialized, please run \"firejail --ids-init\"\n");
+                        exit(1);
+                }
+
+                process_config(SYSCONFDIR"/ids.config");
+                fprintf(stderr, "\n%d files scanned: modified %d, permissions %d, new %d, removed %d\n",
+                        f_scanned, f_modified, f_permissions, f_new, f_removed);
+                db_missing();
+        }
+        else
+                assert(0);
+
+        return 0;
+}
diff --git a/src/firecfg/desktop_files.c b/src/firecfg/desktop_files.c
index 06b0a117f..408662907 100644
--- a/src/firecfg/desktop_files.c
+++ b/src/firecfg/desktop_files.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -24,11 +24,16 @@
 static int check_profile(const char *name, const char *homedir) {
         // build profile name
         char *profname1;
+#ifndef HAVE_ONLY_SYSCFG_PROFILES
         char *profname2;
+#endif
         if (asprintf(&profname1, "%s/%s.profile", SYSCONFDIR, name) == -1)
                 errExit("asprintf");
+
+#ifndef HAVE_ONLY_SYSCFG_PROFILES
         if (asprintf(&profname2, "%s/.config/firejail/%s.profile", homedir, name) == -1)
                 errExit("asprintf");
+#endif
 
         int rv = 0;
         if (access(profname1, R_OK) == 0) {
@@ -36,14 +41,18 @@ static int check_profile(const char *name, const char *homedir) {
                         printf("found %s\n", profname1);
                 rv = 1;
         }
+#ifndef HAVE_ONLY_SYSCFG_PROFILES
         else if (access(profname2, R_OK) == 0) {
                 if (arg_debug)
                         printf("found %s\n", profname2);
                 rv = 1;
         }
+#endif
 
         free(profname1);
+#ifndef HAVE_ONLY_SYSCFG_PROFILES
         free(profname2);
+#endif
         return rv;
 }
 
@@ -168,9 +177,9 @@ void fix_desktop_files(char *homedir) {
 
                 char *filename = entry->d_name;
 
-                // skip links
-                if (is_link(filename))
-                        continue;
+                // skip links - Discord on Arch #4235 seems to be a symlink to /opt directory
+//              if (is_link(filename))
+//                      continue;
 
                 // no profile in /etc/firejail, no desktop file fixing
                 if (!have_profile(filename, homedir))
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 474904ebf..618093193 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -1,8 +1,8 @@
-# /usr/lib/firejail/firecfg.config - firecfg utility configuration file
+# /etc/firejail/firecfg.config - firecfg utility configuration file
 # This is the list of programs in alphabetical order handled by firecfg utility
 #
-#qemu-system-x86_64
 0ad
+1password
 2048-qt
 Books
 Builder
@@ -38,13 +38,15 @@ abrowser
 akonadi_control
 akregator
 alacarte
+alpine
+alpinef
 amarok
 amule
 amuled
 android-studio
 anydesk
-apostrophe
 apktool
+apostrophe
 # ar - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
 arch-audit
 archaudit-report
@@ -92,6 +94,7 @@ bleachbit
 blender
 blender-2.8
 bless
+blobby
 blobwars
 bluefish
 bnox
@@ -107,6 +110,7 @@ brave-browser-stable
 # bzcat - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
 bzflag
 # bzip2 - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+cachy-browser
 calibre
 calligra
 calligraauthor
@@ -136,23 +140,27 @@ clamdscan
 clamdtop
 clamscan
 clamtk
-claws-mail
 clawsker
+claws-mail
 clementine
 clion
-clipit
+clion-eap
 clipgrab
+clipit
 cliqz
 clocks
 cmus
 code
 code-oss
+codium
+cointop
 cola
 colorful
 com.github.bleakgrey.tootle
 com.github.dahenson.agenda
 com.github.johnfactotum.Foliate
 com.github.phase1geo.minder
+com.github.tchx84.Flatseal
 com.gitlab.newsflash
 conkeror
 conky
@@ -167,12 +175,14 @@ cvlc
 cyberfox
 darktable
 dconf-editor
+ddgr
 ddgtk
 deadbeef
 deluge
 desktopeditors
 devhelp
 dex2jar
+d-feet
 dia
 dig
 digikam
@@ -186,7 +196,6 @@ display-im6.q16
 dnox
 dnscrypt-proxy
 dnsmasq
-dolphin
 dolphin-emu
 dooble
 dooble-qt4
@@ -195,13 +204,12 @@ dragon
 drawio
 drill
 dropbox
-d-feet
 easystroke
-ebook-viewer
 ebook-convert
 ebook-edit
 ebook-meta
 ebook-polish
+ebook-viewer
 electron-mail
 electrum
 element-desktop
@@ -251,8 +259,8 @@ flacsplt
 flameshot
 flashpeak-slimjet
 flowblade
-font-manager
 fontforge
+font-manager
 fossamail
 four-in-a-row
 fractal
@@ -271,9 +279,12 @@ freetube
 freshclam
 frogatto
 frozen-bubble
+ftp
+funnyboat
 gajim
 gajim-history-manager
 galculator
+gallery-dl
 gapplication
 gcalccmd
 gcloud
@@ -291,8 +302,8 @@ gimp-2.10
 gimp-2.8
 gist
 gist-paste
-gitg
 git-cola
+gitg
 github-desktop
 gitter
 # gjs -- https://github.com/netblue30/firejail/issues/3333#issuecomment-612601102
@@ -342,6 +353,7 @@ gnome-weather
 gnote
 gnubik
 godot
+goldendict
 goobox
 google-chrome
 google-chrome-beta
@@ -350,6 +362,7 @@ google-chrome-unstable
 google-earth
 google-earth-pro
 google-play-music-desktop-player
+googler
 gpa
 gpicview
 gpredict
@@ -357,10 +370,11 @@ gradio
 gramps
 gravity-beams-and-evaporating-stars
 gthumb
-gtk-straw-viewer
-gtk-youtube-viewer
 gtk2-youtube-viewer
 gtk3-youtube-viewer
+gtk-pipe-viewer
+gtk-straw-viewer
+gtk-youtube-viewer
 guayadeque
 gucharmap
 gummi
@@ -386,9 +400,11 @@ idea.sh
 imagej
 img2txt
 impressive
+imv
 inkscape
 inkview
 inox
+io.github.lainsce.Notejot
 ipcalc
 ipcalc-ng
 iridium
@@ -443,13 +459,16 @@ kube
 kwrite
 leafpad
 # less - breaks man
+librecad
 libreoffice
 librewolf
 librewolf-nightly
+lifeograph
 liferea
 lightsoff
 lincity-ng
 links
+links2
 linphone
 lmms
 lobase
@@ -489,6 +508,7 @@ mathematica
 matrix-mirage
 mattermost-desktop
 mcabber
+mcomix
 mediainfo
 mediathekview
 megaglest
@@ -499,6 +519,7 @@ mendeleydesktop
 menulibre
 meteo-qt
 microsoft-edge
+microsoft-edge-beta
 microsoft-edge-dev
 midori
 min
@@ -515,8 +536,8 @@ mp3splt-gtk
 mp3wrap
 mpDris2
 mpg123
-mpg123.bin
 mpg123-alsa
+mpg123.bin
 mpg123-id3dump
 mpg123-jack
 mpg123-nas
@@ -555,6 +576,7 @@ mypaint
 mypaint-ora-thumbnailer
 natron
 ncdu
+ncdu2
 neochat
 neomutt
 netactview
@@ -575,6 +597,7 @@ nitroshare-nmh
 nitroshare-send
 nitroshare-ui
 nomacs
+notable
 nslookup
 nuclear
 nylas
@@ -585,22 +608,26 @@ odt2txt
 oggsplt
 okular
 onboard
+onionshare
+onionshare-cli
 onionshare-gui
 ooffice
 ooviewdoc
-open-invaders
 openarena
 openarena_ded
 opencity
 openclonk
+open-invaders
 openmw
 openmw-launcher
 openoffice.org
 openshot
 openshot-qt
+openstego
 openttd
 opera
 opera-beta
+opera-developer
 orage
 ostrichriders
 otter-browser
@@ -626,6 +653,7 @@ pinball
 pingus
 pinta
 pioneer
+pipe-viewer
 pithos
 pitivi
 pix
@@ -648,7 +676,9 @@ pybitmessage
 # pycharm-professional
 # pzstd - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
 qbittorrent
+qcomicbook
 qemu-launcher
+#qemu-system-x86_64
 qgis
 qlipper
 qmmp
@@ -662,11 +692,14 @@ quaternion
 quiterss
 qupzilla
 qutebrowser
+raincat
 rambox
 redeclipse
+rednotebook
 redshift
 regextester
 remmina
+retroarch
 rhythmbox
 rhythmbox-client
 ricochet
@@ -675,6 +708,7 @@ riot-web
 ripperx
 ristretto
 rocketchat
+rpcs3
 rtorrent
 runenpass.sh
 sayonara
@@ -683,6 +717,7 @@ scorched3d
 scorchwentbonkers
 scribus
 sdat2img
+seafile-applet
 seahorse
 seahorse-adventures
 seahorse-daemon
@@ -710,8 +745,8 @@ smuxi-frontend-gnome
 snox
 soffice
 sol
-sound-juicer
 soundconverter
+sound-juicer
 spectacle
 spectral
 spotify
@@ -745,6 +780,7 @@ teamspeak3
 teeworlds
 telegram
 telegram-desktop
+telnet
 terasology
 textmaker18
 textmaker18free
@@ -753,6 +789,7 @@ thunderbird-beta
 thunderbird-wayland
 tilp
 tor-browser
+torbrowser
 tor-browser-ar
 tor-browser-ca
 tor-browser-cs
@@ -774,6 +811,7 @@ tor-browser-it
 tor-browser-ja
 tor-browser-ka
 tor-browser-ko
+torbrowser-launcher
 tor-browser-nb
 tor-browser-nl
 tor-browser-pl
@@ -784,7 +822,6 @@ tor-browser-tr
 tor-browser-vi
 tor-browser-zh-cn
 tor-browser-zh-tw
-torbrowser-launcher
 torcs
 totem
 tracker
@@ -844,6 +881,7 @@ weechat
 weechat-curses
 wesnoth
 wget
+wget2
 whalebird
 whois
 widelands
@@ -852,10 +890,10 @@ wire-desktop
 wireshark
 wireshark-gtk
 wireshark-qt
+wordwarvi
 wpp
 wps
 wpspdf
-wordwarvi
 x2goclient
 xbill
 xcalc
@@ -868,6 +906,7 @@ xfce4-notes
 xfce4-screenshooter
 xiphos
 xlinks
+xlinks2
 xmms
 xmr-stak
 xonotic
@@ -889,13 +928,15 @@ yelp
 youtube
 youtube-dl
 youtube-dl-gui
-youtube-viewer
 youtubemusic-nativefier
+youtube-viewer
+yt-dlp
 ytmdesktop
 zaproxy
 zart
 zathura
 zeal
+zim
 zoom
 # zpaq - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
 # zstd - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
diff --git a/src/firecfg/firecfg.h b/src/firecfg/firecfg.h
index 15826cf37..f54bfd5b5 100644
--- a/src/firecfg/firecfg.h
+++ b/src/firecfg/firecfg.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/firecfg/main.c b/src/firecfg/main.c
index 363000e15..2f346fecd 100644
--- a/src/firecfg/main.c
+++ b/src/firecfg/main.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -171,17 +171,17 @@ static void set_file(const char *name, const char *firejail_exec) {
         free(fname);
 }
 
-// parse /usr/lib/firejail/firecfg.cfg file
+// parse /etc/firejail/firecfg.config file
 static void set_links_firecfg(void) {
         char *cfgfile;
-        if (asprintf(&cfgfile, "%s/firejail/firecfg.config", LIBDIR) == -1)
+        if (asprintf(&cfgfile, "%s/firecfg.config", SYSCONFDIR) == -1)
                 errExit("asprintf");
 
         char *firejail_exec;
         if (asprintf(&firejail_exec, "%s/bin/firejail", PREFIX) == -1)
                 errExit("asprintf");
 
-        // parse /usr/lib/firejail/firecfg.cfg file
+        // parse /etc/firejail/firecfg.config file
         FILE *fp = fopen(cfgfile, "r");
         if (!fp) {
                 perror("fopen");
@@ -440,7 +440,7 @@ int main(int argc, char **argv) {
         // clear all symlinks
         clean();
 
-        // set new symlinks based on /usr/lib/firejail/firecfg.cfg
+        // set new symlinks based on /etc/firejail/firecfg.config
         set_links_firecfg();
 
         if (getuid() == 0) {
diff --git a/src/firecfg/sound.c b/src/firecfg/sound.c
index e3fcdbd83..9d04c951b 100644
--- a/src/firecfg/sound.c
+++ b/src/firecfg/sound.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/firecfg/util.c b/src/firecfg/util.c
index 14d90b549..4697e7dd9 100644
--- a/src/firecfg/util.c
+++ b/src/firecfg/util.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c
index 59758bf2d..479473572 100644
--- a/src/firejail/appimage.c
+++ b/src/firejail/appimage.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -21,6 +21,7 @@
 // sudo mount -o loop krita-3.0-x86_64.appimage mnt
 
 #include "firejail.h"
+#include "../include/gcov_wrapper.h"
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <sys/mount.h>
@@ -30,6 +31,7 @@
 
 static char *devloop = NULL;    // device file
 static long unsigned size = 0;  // offset into appimage file
+#define MAXBUF 4096
 
 #ifdef LOOP_CTL_GET_FREE        // test for older kernels; this definition is found in /usr/include/linux/loop.h
 static void err_loop(void) {
@@ -38,6 +40,36 @@ static void err_loop(void) {
 }
 #endif
 
+// return 1 if found
+int appimage_find_profile(const char *archive) {
+        assert(archive);
+        assert(strlen(archive));
+
+        // try to match the name of the archive with the list of programs in /etc/firejail/firecfg.config
+        FILE *fp = fopen(SYSCONFDIR "/firecfg.config", "r");
+        if (!fp) {
+                fprintf(stderr, "Error: cannot find %s, firejail is not correctly installed\n", SYSCONFDIR "/firecfg.config");
+                exit(1);
+        }
+        char buf[MAXBUF];
+        while (fgets(buf, MAXBUF, fp)) {
+                if (*buf == '#')
+                        continue;
+                char *ptr = strchr(buf, '\n');
+                if (ptr)
+                        *ptr = '\0';
+                if (strcasestr(archive, buf)) {
+                        fclose(fp);
+                        return profile_find_firejail(buf, 1);
+                }
+        }
+
+        fclose(fp);
+        return 0;
+
+}
+
+
 void appimage_set(const char *appimage) {
         assert(appimage);
         assert(devloop == NULL);        // don't call this twice!
@@ -67,7 +99,7 @@ void appimage_set(const char *appimage) {
 
         // find or allocate a free loop device to use
         EUID_ROOT();
-        int cfd = open("/dev/loop-control", O_RDWR);
+        int cfd = open("/dev/loop-control", O_RDWR|O_CLOEXEC);
         if (cfd == -1)
                 err_loop();
         int devnr = ioctl(cfd, LOOP_CTL_GET_FREE);
@@ -78,7 +110,7 @@ void appimage_set(const char *appimage) {
                 errExit("asprintf");
 
         // associate loop device with appimage
-        int lfd = open(devloop, O_RDONLY);
+        int lfd = open(devloop, O_RDONLY|O_CLOEXEC);
         if (lfd == -1)
                 err_loop();
         if (ioctl(lfd, LOOP_SET_FD, ffd) == -1)
@@ -109,9 +141,8 @@ void appimage_set(const char *appimage) {
 
         if (cfg.cwd)
                 env_store_name_val("OWD", cfg.cwd, SETENV);
-#ifdef HAVE_GCOV
+
         __gcov_flush();
-#endif
 #else
         fprintf(stderr, "Error: /dev/loop-control interface is not supported by your kernel\n");
         exit(1);
@@ -146,7 +177,7 @@ void appimage_mount(void) {
 void appimage_clear(void) {
         EUID_ROOT();
         if (devloop) {
-                int lfd = open(devloop, O_RDONLY);
+                int lfd = open(devloop, O_RDONLY|O_CLOEXEC);
                 if (lfd != -1) {
                         if (ioctl(lfd, LOOP_CLR_FD, 0) != -1)
                                 fmessage("AppImage detached\n");
diff --git a/src/firejail/appimage_size.c b/src/firejail/appimage_size.c
index 43ca501da..4f8c7a7aa 100644
--- a/src/firejail/appimage_size.c
+++ b/src/firejail/appimage_size.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/firejail/arp.c b/src/firejail/arp.c
index 1e9641097..cbd80dee0 100644
--- a/src/firejail/arp.c
+++ b/src/firejail/arp.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -20,6 +20,7 @@
 #include "firejail.h"
 #include <sys/socket.h>
 #include <sys/ioctl.h>
+#include <sys/time.h>
 #include <linux/if_ether.h>                       //TCP/IP Protocol Suite for Linux
 #include <net/if.h>
 #include <netinet/in.h>
@@ -188,9 +189,14 @@ int arp_check(const char *dev, uint32_t destaddr) {
         FD_SET(sock, &fds);
         int maxfd = sock;
         struct timeval ts;
-        ts.tv_sec = 0; // 0.5 seconds wait time
-        ts.tv_usec = 500000;
+        gettimeofday(&ts, NULL);
+        double timerend = ts.tv_sec + ts.tv_usec / 1000000.0 + 0.5;
         while (1) {
+                gettimeofday(&ts, NULL);
+                double now = ts.tv_sec + ts.tv_usec / 1000000.0;
+                double timeout = timerend - now;
+                ts.tv_sec = timeout;
+                ts.tv_usec = (timeout - ts.tv_sec) * 1000000;
                 int nready = select(maxfd + 1,  &fds, (fd_set *) 0, (fd_set *) 0, &ts);
                 if (nready < 0)
                         errExit("select");
@@ -201,8 +207,8 @@ int arp_check(const char *dev, uint32_t destaddr) {
                         }
                         if (sendto (sock, frame, 14 + sizeof(ArpHdr), 0, (struct sockaddr *) &addr, sizeof (addr)) <= 0)
                                 errExit("send");
-                        ts.tv_sec = 0; // 0.5 seconds wait time
-                        ts.tv_usec = 500000;
+                        gettimeofday(&ts, NULL);
+                        timerend = ts.tv_sec + ts.tv_usec / 1000000.0 + 0.5;
                         fflush(0);
                 }
                 else {
@@ -277,7 +283,7 @@ static uint32_t arp_random(const char *dev, Bridge *br) {
         int i = 0;
         for (i = 0; i < 10; i++) {
                 dest = start + ((uint32_t) rand()) % range;
-                if (dest == ifip)       // do not allow the interface address
+                if (dest == ifip || dest == cfg.defaultgw)      // do not allow the interface address or the default gateway
                         continue;               // try again
 
                 // if we've made it up to here, we have a valid address
@@ -325,7 +331,7 @@ static uint32_t arp_sequential(const char *dev, Bridge *br) {
 
         // loop through addresses and stop as soon as you find an unused one
         while (dest <= last) {
-                if (dest == ifip) {
+                if (dest == ifip || dest == cfg.defaultgw) {
                         dest++;
                         continue;
                 }
diff --git a/src/firejail/bandwidth.c b/src/firejail/bandwidth.c
index 1c952c0bc..fa9d3a940 100644
--- a/src/firejail/bandwidth.c
+++ b/src/firejail/bandwidth.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -22,6 +22,7 @@
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <unistd.h>
+#include <errno.h>
 #include <net/if.h>
 #include "firejail.h"
 
@@ -119,26 +120,19 @@ static void bandwidth_create_run_file(pid_t pid) {
         if (asprintf(&fname, "%s/%d-bandwidth", RUN_FIREJAIL_BANDWIDTH_DIR, (int) pid) == -1)
                 errExit("asprintf");
 
-        // if the file already exists, do nothing
-        struct stat s;
-        if (stat(fname, &s) == 0) {
-                free(fname);
-                return;
-        }
-
         // create an empty file and set mod and ownership
-        /* coverity[toctou] */
-        FILE *fp = fopen(fname, "w");
-        if (fp) {
-                SET_PERMS_STREAM(fp, 0, 0, 0644);
-                fclose(fp);
-        }
-        else {
+        // if the file already exists, do nothing
+        FILE *fp = fopen(fname, "wxe");
+        free(fname);
+        if (!fp) {
+                if (errno == EEXIST)
+                        return;
                 fprintf(stderr, "Error: cannot create bandwidth file\n");
                 exit(1);
         }
 
-        free(fname);
+        SET_PERMS_STREAM(fp, 0, 0, 0644);
+        fclose(fp);
 }
 
 
@@ -148,7 +142,7 @@ void network_set_run_file(pid_t pid) {
                 errExit("asprintf");
 
         // create an empty file and set mod and ownership
-        FILE *fp = fopen(fname, "w");
+        FILE *fp = fopen(fname, "we");
         if (fp) {
                 if (cfg.bridge0.configured)
                         fprintf(fp, "%s:%s\n", cfg.bridge0.dev, cfg.bridge0.devsandbox);
@@ -178,7 +172,7 @@ static void read_bandwidth_file(pid_t pid) {
         if (asprintf(&fname, "%s/%d-bandwidth", RUN_FIREJAIL_BANDWIDTH_DIR, (int) pid) == -1)
                 errExit("asprintf");
 
-        FILE *fp = fopen(fname, "r");
+        FILE *fp = fopen(fname, "re");
         if (fp) {
                 char buf[1024];
                 while (fgets(buf, 1024,fp)) {
@@ -214,7 +208,7 @@ static void write_bandwidth_file(pid_t pid) {
         if (asprintf(&fname, "%s/%d-bandwidth", RUN_FIREJAIL_BANDWIDTH_DIR, (int) pid) == -1)
                 errExit("asprintf");
 
-        FILE *fp = fopen(fname, "w");
+        FILE *fp = fopen(fname, "we");
         if (fp) {
                 IFBW *ptr = ifbw;
                 while (ptr) {
@@ -307,7 +301,7 @@ void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, in
                 char *fname;
                 if (asprintf(&fname, "%s/%d-netmap", RUN_FIREJAIL_NETWORK_DIR, (int) pid) == -1)
                         errExit("asprintf");
-                FILE *fp = fopen(fname, "r");
+                FILE *fp = fopen(fname, "re");
                 if (!fp) {
                         fprintf(stderr, "Error: cannot read network map file %s\n", fname);
                         exit(1);
diff --git a/src/firejail/caps.c b/src/firejail/caps.c
index 597f9915b..c5c06c675 100644
--- a/src/firejail/caps.c
+++ b/src/firejail/caps.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -389,7 +389,7 @@ static uint64_t extract_caps(int pid) {
                 errExit("asprintf");
 
         EUID_ROOT();    // grsecurity
-        FILE *fp = fopen(file, "r");
+        FILE *fp = fopen(file, "re");
         EUID_USER();    // grsecurity
         if (!fp)
                 goto errexit;
diff --git a/src/firejail/cgroup.c b/src/firejail/cgroup.c
index 986b1157d..f1e16187f 100644
--- a/src/firejail/cgroup.c
+++ b/src/firejail/cgroup.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -18,7 +18,9 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "firejail.h"
-#include <sys/stat.h>
+#include "../include/gcov_wrapper.h"
+#include <sys/wait.h>
+#include <errno.h>
 
 #define MAXBUF 4096
 
@@ -26,7 +28,7 @@ void save_cgroup(void) {
         if (cfg.cgroup == NULL)
                 return;
 
-        FILE *fp = fopen(RUN_CGROUP_CFG, "w");
+        FILE *fp = fopen(RUN_CGROUP_CFG, "wxe");
         if (fp) {
                 fprintf(fp, "%s", cfg.cgroup);
                 fflush(0);
@@ -48,7 +50,7 @@ void load_cgroup(const char *fname) {
         if (!fname)
                 return;
 
-        FILE *fp = fopen(fname, "r");
+        FILE *fp = fopen(fname, "re");
         if (fp) {
                 char buf[MAXBUF];
                 if (fgets(buf, MAXBUF, fp)) {
@@ -68,52 +70,63 @@ errout:
                 fclose(fp);
 }
 
+static int is_cgroup_path(const char *fname) {
+        // path starts with /sys/fs/cgroup
+        if (strncmp(fname, "/sys/fs/cgroup", 14) != 0)
+                return 0;
 
-void set_cgroup(const char *path) {
-        EUID_ASSERT();
+        // no .. traversal
+        char *ptr = strstr(fname, "..");
+        if (ptr)
+                return 0;
 
-        invalid_filename(path, 0); // no globbing
+        return 1;
+}
 
-        // path starts with /sys/fs/cgroup
-        if (strncmp(path, "/sys/fs/cgroup", 14) != 0)
-                goto errout;
+void check_cgroup_file(const char *fname) {
+        assert(fname);
+        invalid_filename(fname, 0); // no globbing
 
-        // path ends in tasks
-        char *ptr = strstr(path, "tasks");
-        if (!ptr)
-                goto errout;
-        if (*(ptr + 5) != '\0')
+        if (!is_cgroup_path(fname))
                 goto errout;
 
-        // no .. traversal
-        ptr = strstr(path, "..");
-        if (ptr)
+        const char *base = gnu_basename(fname);
+        if (strcmp(base, "tasks") != 0 &&  // cgroup v1
+            strcmp(base, "cgroup.procs") != 0)
                 goto errout;
 
-        // tasks file exists
-        struct stat s;
-        if (stat(path, &s) == -1)
-                goto errout;
+        if (access(fname, W_OK) == 0)
+                return;
 
-        // task file belongs to the user running the sandbox
-        if (s.st_uid != getuid() && s.st_gid != getgid())
-                goto errout2;
+errout:
+        fprintf(stderr, "Error: invalid cgroup\n");
+        exit(1);
+}
+
+static void do_set_cgroup(const char *fname, pid_t pid) {
+        FILE *fp = fopen(fname, "ae");
+        if (!fp) {
+                fwarning("cannot open %s for writing: %s\n", fname, strerror(errno));
+                return;
+        }
 
-        // add the task to cgroup
-        /* coverity[toctou] */
-        FILE *fp = fopen(path,  "a");
-        if (!fp)
-                goto errout;
-        pid_t pid = getpid();
         int rv = fprintf(fp, "%d\n", pid);
         (void) rv;
         fclose(fp);
-        return;
+}
 
-errout:
-        fprintf(stderr, "Error: invalid cgroup\n");
-        exit(1);
-errout2:
-        fprintf(stderr, "Error: you don't have permissions to use this control group\n");
-        exit(1);
+void set_cgroup(const char *fname, pid_t pid) {
+        pid_t child = fork();
+        if (child < 0)
+                errExit("fork");
+        if (child == 0) {
+                drop_privs(0);
+
+                do_set_cgroup(fname, pid);
+
+                __gcov_flush();
+
+                _exit(0);
+        }
+        waitpid(child, NULL, 0);
 }
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index e1613b325..6fc70318b 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -35,6 +35,8 @@ char *xvfb_extra_params = "";
 char *netfilter_default = NULL;
 unsigned long join_timeout = 5000000; // microseconds
 char *config_seccomp_error_action_str = "EPERM";
+char *config_seccomp_filter_add = NULL;
+char **whitelist_reject_topdirs = NULL;
 
 int checkcfg(int val) {
         assert(val < CFG_MAX);
@@ -56,10 +58,11 @@ int checkcfg(int val) {
                 cfg_val[CFG_XPRA_ATTACH] = 0;
                 cfg_val[CFG_SECCOMP_ERROR_ACTION] = -1;
                 cfg_val[CFG_BROWSER_ALLOW_DRM] = 0;
+                cfg_val[CFG_ALLOW_TRAY] = 0;
 
                 // open configuration file
                 const char *fname = SYSCONFDIR "/firejail.config";
-                fp = fopen(fname, "r");
+                fp = fopen(fname, "re");
                 if (!fp) {
 #ifdef HAVE_GLOBALCFG
                         fprintf(stderr, "Error: Firejail configuration file %s not found\n", fname);
@@ -102,22 +105,25 @@ int checkcfg(int val) {
                         PARSE_YESNO(CFG_USERNS, "userns")
                         PARSE_YESNO(CFG_CHROOT, "chroot")
                         PARSE_YESNO(CFG_FIREJAIL_PROMPT, "firejail-prompt")
-                        PARSE_YESNO(CFG_FOLLOW_SYMLINK_AS_USER, "follow-symlink-as-user")
                         PARSE_YESNO(CFG_FORCE_NONEWPRIVS, "force-nonewprivs")
                         PARSE_YESNO(CFG_SECCOMP, "seccomp")
-                        PARSE_YESNO(CFG_WHITELIST, "whitelist")
                         PARSE_YESNO(CFG_NETWORK, "network")
                         PARSE_YESNO(CFG_RESTRICTED_NETWORK, "restricted-network")
                         PARSE_YESNO(CFG_XEPHYR_WINDOW_TITLE, "xephyr-window-title")
                         PARSE_YESNO(CFG_OVERLAYFS, "overlayfs")
-                        PARSE_YESNO(CFG_PRIVATE_HOME, "private-home")
+                        PARSE_YESNO(CFG_PRIVATE_BIN, "private-bin")
+                        PARSE_YESNO(CFG_PRIVATE_BIN_NO_LOCAL, "private-bin-no-local")
                         PARSE_YESNO(CFG_PRIVATE_CACHE, "private-cache")
+                        PARSE_YESNO(CFG_PRIVATE_ETC, "private-etc")
+                        PARSE_YESNO(CFG_PRIVATE_HOME, "private-home")
                         PARSE_YESNO(CFG_PRIVATE_LIB, "private-lib")
-                        PARSE_YESNO(CFG_PRIVATE_BIN_NO_LOCAL, "private-bin-no-local")
+                        PARSE_YESNO(CFG_PRIVATE_OPT, "private-opt")
+                        PARSE_YESNO(CFG_PRIVATE_SRV, "private-srv")
                         PARSE_YESNO(CFG_DISABLE_MNT, "disable-mnt")
                         PARSE_YESNO(CFG_XPRA_ATTACH, "xpra-attach")
                         PARSE_YESNO(CFG_BROWSER_DISABLE_U2F, "browser-disable-u2f")
                         PARSE_YESNO(CFG_BROWSER_ALLOW_DRM, "browser-allow-drm")
+                        PARSE_YESNO(CFG_ALLOW_TRAY, "allow-tray")
 #undef PARSE_YESNO
 
                         // netfilter
@@ -130,8 +136,7 @@ int checkcfg(int val) {
                                         *end = '\0';
 
                                 // is the file present?
-                                struct stat s;
-                                if (stat(fname, &s) == -1) {
+                                if (access(fname, F_OK) == -1) {
                                         fprintf(stderr, "Error: netfilter-default file %s not available\n", fname);
                                         exit(1);
                                 }
@@ -222,6 +227,10 @@ int checkcfg(int val) {
                         else if (strncmp(ptr, "join-timeout ", 13) == 0)
                                 join_timeout = strtoul(ptr + 13, NULL, 10) * 1000000; // seconds to microseconds
 
+                        // add rules to default seccomp filter
+                        else if (strncmp(ptr, "seccomp-filter-add ", 19) == 0)
+                                config_seccomp_filter_add = seccomp_check_list(ptr + 19);
+
                         // seccomp error action
                         else if (strncmp(ptr, "seccomp-error-action ", 21) == 0) {
                                 if (strcmp(ptr + 21, "kill") == 0)
@@ -238,6 +247,31 @@ int checkcfg(int val) {
                                         errExit("strdup");
                         }
 
+                        else if (strncmp(ptr, "whitelist-disable-topdir ", 25) == 0) {
+                                char *str = strdup(ptr + 25);
+                                if (!str)
+                                        errExit("strdup");
+
+                                size_t cnt = 0;
+                                size_t sz = 4;
+                                whitelist_reject_topdirs = malloc(sz * sizeof(char *));
+                                if (!whitelist_reject_topdirs)
+                                        errExit("malloc");
+
+                                char *tok = strtok(str, ",");
+                                while (tok) {
+                                        whitelist_reject_topdirs[cnt++] = tok;
+                                        if (cnt >= sz) {
+                                                sz *= 2;
+                                                whitelist_reject_topdirs = realloc(whitelist_reject_topdirs, sz * sizeof(char *));
+                                                if (!whitelist_reject_topdirs)
+                                                        errExit("realloc");
+                                        }
+                                        tok = strtok(NULL, ",");
+                                }
+                                whitelist_reject_topdirs[cnt] = NULL;
+                        }
+
                         else
                                 goto errout;
 
@@ -269,7 +303,7 @@ errout:
 
 void print_compiletime_support(void) {
         printf("Compile time support:\n");
-        printf("\t- Always force nonewprivs support is %s\n",
+        printf("\t- always force nonewprivs support is %s\n",
 #ifdef HAVE_FORCE_NONEWPRIVS
                 "enabled"
 #else
@@ -309,14 +343,6 @@ void print_compiletime_support(void) {
 #endif
                 );
 
-        printf("\t- file and directory whitelisting support is %s\n",
-#ifdef HAVE_WHITELIST
-                "enabled"
-#else
-                "disabled"
-#endif
-                );
-
         printf("\t- file transfer support is %s\n",
 #ifdef HAVE_FILE_TRANSFER
                 "enabled"
diff --git a/src/firejail/chroot.c b/src/firejail/chroot.c
index d7e96cf4c..551948318 100644
--- a/src/firejail/chroot.c
+++ b/src/firejail/chroot.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -20,6 +20,7 @@
 
 #ifdef HAVE_CHROOT
 #include "firejail.h"
+#include "../include/gcov_wrapper.h"
 #include <sys/mount.h>
 #include <sys/sendfile.h>
 #include <errno.h>
@@ -29,7 +30,6 @@
 #define O_PATH 010000000
 #endif
 
-
 // exit if error
 void fs_check_chroot_dir(void) {
         EUID_ASSERT();
@@ -86,7 +86,7 @@ static void update_file(int parentfd, const char *relpath) {
         if (arg_debug)
                 printf("Updating chroot /%s\n", relpath);
         unlinkat(parentfd, relpath, 0);
-        int out = openat(parentfd, relpath, O_WRONLY|O_CREAT|O_EXCL|O_CLOEXEC, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
+        int out = openat(parentfd, relpath, O_WRONLY|O_CREAT|O_EXCL|O_CLOEXEC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
         if (out == -1) {
                 close(in);
                 goto errout;
@@ -131,9 +131,9 @@ void fs_chroot(const char *rootdir) {
         assert(rootdir);
 
         // fails if there is any symlink or if rootdir is not a directory
-        int parentfd = safe_fd(rootdir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
+        int parentfd = safer_openat(-1, rootdir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
         if (parentfd == -1)
-                errExit("safe_fd");
+                errExit("safer_openat");
         // rootdir has to be owned by root and is not allowed to be generally writable,
         // this also excludes /tmp and friends
         struct stat s;
@@ -163,12 +163,8 @@ void fs_chroot(const char *rootdir) {
         int fd = openat(parentfd, "dev", O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
         if (fd == -1)
                 errExit("open");
-        char *proc;
-        if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
-                errExit("asprintf");
-        if (mount("/dev", proc, NULL, MS_BIND|MS_REC, NULL) < 0)
+        if (bind_mount_path_to_fd("/dev", fd))
                 errExit("mounting /dev");
-        free(proc);
         close(fd);
 
 #ifdef HAVE_X11
@@ -192,11 +188,8 @@ void fs_chroot(const char *rootdir) {
                 fd = openat(parentfd, "tmp/.X11-unix", O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
                 if (fd == -1)
                         errExit("open");
-                if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
-                        errExit("asprintf");
-                if (mount("/tmp/.X11-unix", proc, NULL, MS_BIND|MS_REC, NULL) < 0)
+                if (bind_mount_path_to_fd("/tmp/.X11-unix", fd))
                         errExit("mounting /tmp/.X11-unix");
-                free(proc);
                 close(fd);
         }
 #endif // HAVE_X11
@@ -215,29 +208,21 @@ void fs_chroot(const char *rootdir) {
 
                 if (arg_debug)
                         printf("Mounting %s on chroot %s\n", orig_pulse, orig_pulse);
-                int src = safe_fd(orig_pulse, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
+                int src = safer_openat(-1, orig_pulse, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
                 if (src == -1) {
                         fprintf(stderr, "Error: cannot open %s\n", orig_pulse);
                         exit(1);
                 }
-                int dst = safe_fd(pulse, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
+                int dst = safer_openat(-1, pulse, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
                 if (dst == -1) {
                         fprintf(stderr, "Error: cannot open %s\n", pulse);
                         exit(1);
                 }
-                free(pulse);
-
-                char *proc_src, *proc_dst;
-                if (asprintf(&proc_src, "/proc/self/fd/%d", src) == -1)
-                        errExit("asprintf");
-                if (asprintf(&proc_dst, "/proc/self/fd/%d", dst) == -1)
-                        errExit("asprintf");
-                if (mount(proc_src, proc_dst, NULL, MS_BIND|MS_REC, NULL) < 0)
-                        errExit("mount bind");
-                free(proc_src);
-                free(proc_dst);
+                if (bind_mount_by_fd(src, dst))
+                        errExit("mounting pulseaudio");
                 close(src);
                 close(dst);
+                free(pulse);
 
                 // update /etc/machine-id in chroot
                 update_file(parentfd, "etc/machine-id");
@@ -256,11 +241,8 @@ void fs_chroot(const char *rootdir) {
         fd = openat(parentfd, &RUN_FIREJAIL_LIB_DIR[1], O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
         if (fd == -1)
                 errExit("open");
-        if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
-                errExit("asprintf");
-        if (mount(RUN_FIREJAIL_LIB_DIR, proc, NULL, MS_BIND|MS_REC, NULL) < 0)
+        if (bind_mount_path_to_fd(RUN_FIREJAIL_LIB_DIR, fd))
                 errExit("mount bind");
-        free(proc);
         close(fd);
 
         // create /run/firejail/mnt directory in chroot
@@ -271,29 +253,22 @@ void fs_chroot(const char *rootdir) {
         fd = openat(parentfd, &RUN_MNT_DIR[1], O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
         if (fd == -1)
                 errExit("open");
-        if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
-                errExit("asprintf");
-        if (mount(RUN_MNT_DIR, proc, NULL, MS_BIND|MS_REC, NULL) < 0)
+        if (bind_mount_path_to_fd(RUN_MNT_DIR, fd))
                 errExit("mount bind");
-        free(proc);
         close(fd);
 
         // update chroot resolv.conf
         update_file(parentfd, "etc/resolv.conf");
 
-#ifdef HAVE_GCOV
         __gcov_flush();
-#endif
+
         // create /run/firejail/mnt/oroot
         char *oroot = RUN_OVERLAY_ROOT;
         if (mkdir(oroot, 0755) == -1)
                 errExit("mkdir");
         // mount the chroot dir on top of /run/firejail/mnt/oroot in order to reuse the apparmor rules for overlay
-        if (asprintf(&proc, "/proc/self/fd/%d", parentfd) == -1)
-                errExit("asprintf");
-        if (mount(proc, oroot, NULL, MS_BIND|MS_REC, NULL) < 0)
+        if (bind_mount_fd_to_path(parentfd, oroot))
                 errExit("mounting rootdir oroot");
-        free(proc);
         close(parentfd);
         // chroot into the new directory
         if (arg_debug)
diff --git a/src/firejail/cmdline.c b/src/firejail/cmdline.c
index f902c4e1c..6f7739da0 100644
--- a/src/firejail/cmdline.c
+++ b/src/firejail/cmdline.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -26,7 +26,7 @@
 #include <assert.h>
 #include <errno.h>
 
-static int cmdline_length(int argc, char **argv, int index) {
+static int cmdline_length(int argc, char **argv, int index, bool want_extra_quotes) {
         assert(index != -1);
 
         unsigned i,j;
@@ -46,10 +46,11 @@ static int cmdline_length(int argc, char **argv, int index) {
                                         len += 3;
                                 in_quotes = false;
                         } else {
-                                if (!in_quotes)
+                                if (!in_quotes && want_extra_quotes)
                                         len++;
                                 len++;
-                                in_quotes = true;
+                                if (want_extra_quotes)
+                                        in_quotes = true;
                         }
                 }
                 if (in_quotes) {
@@ -64,7 +65,7 @@ static int cmdline_length(int argc, char **argv, int index) {
         return len;
 }
 
-static void quote_cmdline(char *command_line, char *window_title, int len, int argc, char **argv, int index) {
+static void quote_cmdline(char *command_line, char *window_title, int len, int argc, char **argv, int index, bool want_extra_quotes) {
         assert(index != -1);
 
         unsigned i,j;
@@ -103,14 +104,15 @@ static void quote_cmdline(char *command_line, char *window_title, int len, int a
                         // anything other
                         else
                         {
-                                if (!in_quotes) {
+                                if (!in_quotes && want_extra_quotes) {
                                         // open quotes
                                         ptr1[0] = '\'';
                                         ptr1++;
                                 }
                                 ptr1[0] = argv[i + index][j];
                                 ptr1++;
-                                in_quotes = true;
+                                if (want_extra_quotes)
+                                        in_quotes = true;
                         }
                 }
                 // close quotes
@@ -134,12 +136,12 @@ static void quote_cmdline(char *command_line, char *window_title, int len, int a
         assert((unsigned) len == strlen(command_line));
 }
 
-void build_cmdline(char **command_line, char **window_title, int argc, char **argv, int index) {
+void build_cmdline(char **command_line, char **window_title, int argc, char **argv, int index, bool want_extra_quotes) {
         // index == -1 could happen if we have --shell=none and no program was specified
         // the program should exit with an error before entering this function
         assert(index != -1);
 
-        int len = cmdline_length(argc, argv, index);
+        int len = cmdline_length(argc, argv, index, want_extra_quotes);
         if (len > ARG_MAX) {
                 errno = E2BIG;
                 errExit("cmdline_length");
@@ -152,7 +154,7 @@ void build_cmdline(char **command_line, char **window_title, int argc, char **ar
         if (!*window_title)
                         errExit("malloc");
 
-        quote_cmdline(*command_line, *window_title, len, argc, argv, index);
+        quote_cmdline(*command_line, *window_title, len, argc, argv, index, want_extra_quotes);
 
         if (arg_debug)
                 printf("Building quoted command line: %s\n", *command_line);
@@ -161,17 +163,17 @@ void build_cmdline(char **command_line, char **window_title, int argc, char **ar
         assert(*window_title);
 }
 
-void build_appimage_cmdline(char **command_line, char **window_title, int argc, char **argv, int index) {
+void build_appimage_cmdline(char **command_line, char **window_title, int argc, char **argv, int index, bool want_extra_quotes) {
         // index == -1 could happen if we have --shell=none and no program was specified
         // the program should exit with an error before entering this function
         assert(index != -1);
 
         char *apprun_path = RUN_FIREJAIL_APPIMAGE_DIR "/AppRun";
 
-        int len1 = cmdline_length(argc, argv, index);  // length of argv w/o changes
-        int len2 = cmdline_length(1, &argv[index], 0); // apptest.AppImage
-        int len3 = cmdline_length(1, &apprun_path, 0); // /run/firejail/appimage/AppRun
-        int len4 = (len1 - len2 + len3) + 1;           // apptest.AppImage is replaced by /path/to/AppRun
+        int len1 = cmdline_length(argc, argv, index, want_extra_quotes);  // length of argv w/o changes
+        int len2 = cmdline_length(1, &argv[index], 0, want_extra_quotes); // apptest.AppImage
+        int len3 = cmdline_length(1, &apprun_path, 0, want_extra_quotes); // /run/firejail/appimage/AppRun
+        int len4 = (len1 - len2 + len3) + 1;                              // apptest.AppImage is replaced by /path/to/AppRun
 
         if (len4 > ARG_MAX) {
                 errno = E2BIG;
@@ -187,7 +189,7 @@ void build_appimage_cmdline(char **command_line, char **window_title, int argc,
                         errExit("malloc");
 
         // run default quote_cmdline
-        quote_cmdline(command_line_tmp, *window_title, len1, argc, argv, index);
+        quote_cmdline(command_line_tmp, *window_title, len1, argc, argv, index, want_extra_quotes);
 
         assert(command_line_tmp);
         assert(*window_title);
diff --git a/src/firejail/cpu.c b/src/firejail/cpu.c
index 3427e8ade..1ec510456 100644
--- a/src/firejail/cpu.c
+++ b/src/firejail/cpu.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -75,7 +75,7 @@ void save_cpu(void) {
         if (cfg.cpus == 0)
                 return;
 
-        FILE *fp = fopen(RUN_CPU_CFG, "w");
+        FILE *fp = fopen(RUN_CPU_CFG, "wxe");
         if (fp) {
                 fprintf(fp, "%x\n", cfg.cpus);
                 SET_PERMS_STREAM(fp, 0, 0, 0600);
@@ -91,7 +91,7 @@ void load_cpu(const char *fname) {
         if (!fname)
                 return;
 
-        FILE *fp = fopen(fname, "r");
+        FILE *fp = fopen(fname, "re");
         if (fp) {
                 unsigned tmp;
                 int rv = fscanf(fp, "%x", &tmp);
@@ -139,7 +139,7 @@ static void print_cpu(int pid) {
         }
 
         EUID_ROOT();    // grsecurity
-        FILE *fp = fopen(file, "r");
+        FILE *fp = fopen(file, "re");
         EUID_USER();    // grsecurity
         if (!fp) {
                 printf("  Error: cannot open %s\n", file);
diff --git a/src/firejail/dbus.c b/src/firejail/dbus.c
index 658b84537..66738bd4b 100644
--- a/src/firejail/dbus.c
+++ b/src/firejail/dbus.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -180,7 +180,7 @@ static void dbus_check_bus_profile(char const *prefix, DbusPolicy *policy) {
                 }
         }
 
-        if (num_matches > 0) {
+        if (num_matches > 0 && !arg_quiet) {
                 assert(first_match != NULL);
                 if (num_matches == 1) {
                         fprintf(stderr, "Ignoring \"%s\".\n", first_match);
@@ -258,12 +258,8 @@ static char *find_user_socket_by_format(char *format) {
         if (asprintf(&dbus_user_socket, format, (int) getuid()) == -1)
                 errExit("asprintf");
         struct stat s;
-        if (stat(dbus_user_socket, &s) == -1) {
-                if (errno == ENOENT)
-                        goto fail;
-                return NULL;
-                errExit("stat");
-        }
+        if (lstat(dbus_user_socket, &s) == -1)
+                goto fail;
         if (!S_ISSOCK(s.st_mode))
                 goto fail;
         return dbus_user_socket;
@@ -301,11 +297,12 @@ void dbus_proxy_start(void) {
         if (dbus_proxy_pid == -1)
                 errExit("fork");
         if (dbus_proxy_pid == 0) {
-                int i;
-                for (i = STDERR_FILENO + 1; i < FIREJAIL_MAX_FD; i++) {
-                        if (i != status_pipe[1] && i != args_pipe[0])
-                                close(i); // close open files
-                }
+                // close open files
+                int keep[2];
+                keep[0] = status_pipe[1];
+                keep[1] = args_pipe[0];
+                close_all(keep, ARRAY_SIZE(keep));
+
                 if (arg_dbus_log_file != NULL) {
                         int output_fd = creat(arg_dbus_log_file, 0666);
                         if (output_fd < 0)
@@ -416,7 +413,7 @@ void dbus_proxy_stop(void) {
 }
 
 static void socket_overlay(char *socket_path, char *proxy_path) {
-        int fd = safe_fd(proxy_path, O_PATH | O_NOFOLLOW | O_CLOEXEC);
+        int fd = safer_openat(-1, proxy_path, O_PATH | O_NOFOLLOW | O_CLOEXEC);
         if (fd == -1)
                 errExit("opening DBus proxy socket");
         struct stat s;
@@ -426,12 +423,8 @@ static void socket_overlay(char *socket_path, char *proxy_path) {
                 errno = ENOTSOCK;
                 errExit("mounting DBus proxy socket");
         }
-        char *proxy_fd_path;
-        if (asprintf(&proxy_fd_path, "/proc/self/fd/%d", fd) == -1)
-                errExit("asprintf");
-        if (mount(proxy_path, socket_path, NULL, MS_BIND | MS_REC, NULL) == -1)
+        if (bind_mount_fd_to_path(fd, socket_path))
                 errExit("mount bind");
-        free(proxy_fd_path);
         close(fd);
 }
 
@@ -478,7 +471,7 @@ void dbus_apply_policy(void) {
         create_empty_dir_as_root(RUN_DBUS_DIR, 0755);
 
         if (arg_dbus_user != DBUS_POLICY_ALLOW) {
-                create_empty_file_as_root(RUN_DBUS_USER_SOCKET, 0700);
+                create_empty_file_as_root(RUN_DBUS_USER_SOCKET, 0600);
 
                 if (arg_dbus_user == DBUS_POLICY_FILTER) {
                         assert(dbus_user_proxy_socket != NULL);
@@ -517,7 +510,7 @@ void dbus_apply_policy(void) {
         }
 
         if (arg_dbus_system != DBUS_POLICY_ALLOW) {
-                create_empty_file_as_root(RUN_DBUS_SYSTEM_SOCKET, 0700);
+                create_empty_file_as_root(RUN_DBUS_SYSTEM_SOCKET, 0600);
 
                 if (arg_dbus_system == DBUS_POLICY_FILTER) {
                         assert(dbus_system_proxy_socket != NULL);
diff --git a/src/firejail/dhcp.c b/src/firejail/dhcp.c
index bdbb338d5..fb66d74ff 100644
--- a/src/firejail/dhcp.c
+++ b/src/firejail/dhcp.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -93,7 +93,7 @@ static pid_t dhcp_read_pidfile(const Dhclient *client) {
         while (found == 0 && tries < 10) {
                 if (tries >= 1)
                         usleep(100000);
-                FILE *pidfile = fopen(client->pid_file, "r");
+                FILE *pidfile = fopen(client->pid_file, "re");
                 if (pidfile) {
                         long pid;
                         if (fscanf(pidfile, "%ld", &pid) == 1)
@@ -153,19 +153,13 @@ void dhcp_start(void) {
         if (!any_dhcp())
                 return;
 
-        char *dhclient_path = RUN_MNT_DIR "/dhclient";;
+        char *dhclient_path = RUN_MNT_DIR "/dhclient";
         struct stat s;
         if (stat(dhclient_path, &s) == -1) {
-                dhclient_path = "/usr/sbin/dhclient";
-                if (stat(dhclient_path, &s) == -1) {
-                        fprintf(stderr, "Error: dhclient was not found.\n");
-                        exit(1);
-                }
+                fprintf(stderr, "Error: %s was not found.\n", dhclient_path);
+                exit(1);
         }
 
-        sbox_run(SBOX_ROOT| SBOX_SECCOMP, 4, PATH_FCOPY, "--follow-link", dhclient_path, RUN_MNT_DIR);
-        dhclient_path = RUN_MNT_DIR "/dhclient";
-
         EUID_ROOT();
         if (mkdir(RUN_DHCLIENT_DIR, 0700))
                 errExit("mkdir");
diff --git a/src/firejail/env.c b/src/firejail/env.c
index 03818df0b..963288459 100644
--- a/src/firejail/env.c
+++ b/src/firejail/env.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -22,6 +22,7 @@
 #include <sys/stat.h>
 #include <unistd.h>
 #include <dirent.h>
+#include <limits.h>
 
 typedef struct env_t {
         struct env_t *next;
@@ -59,12 +60,7 @@ void env_ibus_load(void) {
         if (asprintf(&dirname, "%s/.config/ibus/bus", cfg.homedir) == -1)
                 errExit("asprintf");
 
-        struct stat s;
-        if (stat(dirname, &s) == -1)
-                return;
-
         // find the file
-        /* coverity[toctou] */
         DIR *dir = opendir(dirname);
         if (!dir) {
                 free(dirname);
@@ -84,7 +80,7 @@ void env_ibus_load(void) {
                 char *fname;
                 if (asprintf(&fname, "%s/%s", dirname, entry->d_name) == -1)
                         errExit("asprintf");
-                FILE *fp = fopen(fname, "r");
+                FILE *fp = fopen(fname, "re");
                 free(fname);
                 if (!fp)
                         continue;
@@ -267,7 +263,7 @@ static const char * const env_whitelist[] = {
         "LANG",
         "LANGUAGE",
         "LC_MESSAGES",
-        "PATH",
+        // "PATH",
         "DISPLAY"       // required by X11
 };
 
@@ -316,6 +312,10 @@ void env_apply_whitelist(void) {
                 errExit("clearenv");
 
         env_apply_list(env_whitelist, ARRAY_SIZE(env_whitelist));
+
+        // hardcoding PATH
+        if (setenv("PATH", "/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin", 1) < 0)
+                errExit("setenv");
 }
 
 // Filter env variables for a sbox app
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index e07035ae6..316518534 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -22,6 +22,7 @@
 #include "../include/common.h"
 #include "../include/euid_common.h"
 #include "../include/rundefs.h"
+#include <linux/limits.h> // Note: Plain limits.h may break ARG_MAX (see #4583)
 #include <stdarg.h>
 #include <sys/stat.h>
 
@@ -45,6 +46,15 @@
                 assert(s.st_gid == gid);\
                 assert((s.st_mode & 07777) == (mode));\
         } while (0)
+#define ASSERT_PERMS_AS_USER(file, uid, gid, mode) \
+        do { \
+                assert(file);\
+                struct stat s;\
+                if (stat_as_user(file, &s) == -1) errExit("stat");\
+                assert(s.st_uid == uid);\
+                assert(s.st_gid == gid);\
+                assert((s.st_mode & 07777) == (mode));\
+        } while (0)
 #define ASSERT_PERMS_FD(fd, uid, gid, mode) \
         do { \
                 struct stat s;\
@@ -122,26 +132,22 @@ typedef struct interface_t {
         uint8_t configured;
 } Interface;
 
+typedef struct topdir_t {
+        char *path;
+        int fd;
+} TopDir;
+
 typedef struct profile_entry_t {
         struct profile_entry_t *next;
         char *data;     // command
 
         // whitelist command parameters
-        char *link;     // link name - set if the file is a link
-        enum {
-                WLDIR_HOME = 1, // whitelist in home directory
-                WLDIR_TMP,      // whitelist in /tmp directory
-                WLDIR_MEDIA,    // whitelist in /media directory
-                WLDIR_MNT,      // whitelist in /mnt directory
-                WLDIR_VAR,      // whitelist in /var directory
-                WLDIR_DEV,      // whitelist in /dev directory
-                WLDIR_OPT,      // whitelist in /opt directory
-                WLDIR_SRV,      // whitelist in /srv directory
-                WLDIR_ETC,      // whitelist in /etc directory
-                WLDIR_SHARE,    // whitelist in /usr/share directory
-                WLDIR_MODULE,   // whitelist in /sys/module directory
-                WLDIR_RUN       // whitelist in /run/user/$uid directory
-        } wldir;
+        struct wparam_t {
+                char *file;             // resolved file path
+                char *link;             // link path
+                TopDir *top;    // top level directory
+        } *wparam;
+
 } ProfileEntry;
 
 typedef struct config_t {
@@ -151,8 +157,11 @@ typedef struct config_t {
 
         // filesystem
         ProfileEntry *profile;
+        ProfileEntry *profile_rebuild_etc;      // blacklist files in /etc directory used by fs_rebuild_etc()
+
 #define MAX_PROFILE_IGNORE 32
         char *profile_ignore[MAX_PROFILE_IGNORE];
+        char *keep_fd;          // inherit file descriptors to sandbox
         char *chrootdir;        // chroot directory
         char *home_private;     // private home directory
         char *home_private_keep;        // keep list for private home directory
@@ -314,15 +323,16 @@ extern int arg_private_cwd;	// private working directory
 extern int arg_scan;            // arp-scan all interfaces
 extern int arg_whitelist;       // whitelist command
 extern int arg_nosound; // disable sound
-extern int arg_noautopulse; // disable automatic ~/.config/pulse init
 extern int arg_novideo; //disable video devices in /dev
 extern int arg_no3d;            // disable 3d hardware acceleration
+extern int arg_noprinters;      // disable printers
 extern int arg_quiet;           // no output for scripting
 extern int arg_join_network;    // join only the network namespace
 extern int arg_join_filesystem; // join only the mount namespace
 extern int arg_nice;            // nice value configured
 extern int arg_ipc;             // enable ipc namespace
 extern int arg_writable_etc;    // writable etc
+extern int arg_keep_config_pulse;       // disable automatic ~/.config/pulse init
 extern int arg_writable_var;    // writable var
 extern int arg_keep_var_tmp; // don't overwrite /var/tmp
 extern int arg_writable_run_user;       // writable /run/user
@@ -333,7 +343,7 @@ extern int arg_allow_debuggers;	// allow debuggers
 extern int arg_x11_block;       // block X11
 extern int arg_x11_xorg;        // use X11 security extension
 extern int arg_allusers;        // all user home directories visible
-extern int arg_machineid;       // preserve /etc/machine-id
+extern int arg_machineid;       // spoof /etc/machine-id
 extern int arg_disable_mnt;     // disable /mnt and /media
 extern int arg_noprofile;       // use default.profile if none other found/specified
 extern int arg_memory_deny_write_execute;       // block writable and executable memory
@@ -342,6 +352,8 @@ extern int arg_nodvd;	// --nodvd
 extern int arg_nou2f;   // --nou2f
 extern int arg_noinput; // --noinput
 extern int arg_deterministic_exit_code; // always exit with first child's exit status
+extern int arg_deterministic_shutdown;  // shut down the sandbox if first child dies
+extern int arg_keep_fd_all;     // inherit all file descriptors to sandbox
 
 typedef enum {
         DBUS_POLICY_ALLOW,      // Allow unrestricted access to the bus
@@ -353,6 +365,7 @@ extern DbusPolicy arg_dbus_system; // --dbus-system
 extern int arg_dbus_log_user;
 extern int arg_dbus_log_system;
 extern const char *arg_dbus_log_file;
+extern int arg_tab;
 
 extern int login_shell;
 extern int parent_to_child_fds[2];
@@ -426,13 +439,15 @@ void fs_proc_sys_dev_boot(void);
 void disable_config(void);
 // build a basic read-only filesystem
 void fs_basic_fs(void);
-// mount overlayfs on top of / directory
-char *fs_check_overlay_dir(const char *subdirname, int allow_reuse);
-void fs_overlayfs(void);
 void fs_private_tmp(void);
 void fs_private_cache(void);
 void fs_mnt(const int enforce);
 
+// fs_overlayfs.c
+char *fs_check_overlay_dir(const char *subdirname, int allow_reuse);
+void fs_overlayfs(void);
+int remove_overlay_directory(void);
+
 // chroot.c
 // chroot into an existing directory; mount existing /dev and update /etc/resolv.conf
 void fs_check_chroot_dir(void);
@@ -493,7 +508,9 @@ int macro_id(const char *name);
 void errLogExit(char* fmt, ...) __attribute__((noreturn));
 void fwarning(char* fmt, ...);
 void fmessage(char* fmt, ...);
-void drop_privs(int nogroups);
+long long unsigned parse_arg_size(char *str);
+int check_can_drop_all_groups();
+void drop_privs(int force_nogroups);
 int mkpath_as_root(const char* path);
 void extract_command_name(int index, char **argv);
 void logsignal(int s);
@@ -502,11 +519,15 @@ void logargs(int argc, char **argv) ;
 void logerr(const char *msg);
 void set_nice(int inc);
 int copy_file(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode);
-void copy_file_as_user(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode);
+void copy_file_as_user(const char *srcname, const char *destname, mode_t mode);
 void copy_file_from_user_to_root(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode);
 void touch_file_as_user(const char *fname, mode_t mode);
 int is_dir(const char *fname);
 int is_link(const char *fname);
+char *realpath_as_user(const char *fname);
+ssize_t readlink_as_user(const char *fname, char *buf, size_t sz);
+int stat_as_user(const char *fname, struct stat *s);
+int lstat_as_user(const char *fname, struct stat *s);
 void trim_trailing_slash_or_dot(char *path);
 char *line_remove_spaces(const char *buf);
 char *split_comma(char *str);
@@ -518,8 +539,7 @@ void update_map(char *mapping, char *map_file);
 void wait_for_other(int fd);
 void notify_other(int fd);
 uid_t pid_get_uid(pid_t pid);
-uid_t get_group_id(const char *group);
-int remove_overlay_directory(void);
+gid_t get_group_id(const char *groupname);
 void flush_stdin(void);
 int create_empty_dir_as_user(const char *dir, mode_t mode);
 void create_empty_dir_as_root(const char *dir, mode_t mode);
@@ -529,12 +549,17 @@ void mkdir_attr(const char *fname, mode_t mode, uid_t uid, gid_t gid);
 unsigned extract_timeout(const char *str);
 void disable_file_or_dir(const char *fname);
 void disable_file_path(const char *path, const char *file);
-int safe_fd(const char *path, int flags);
+int safer_openat(int dirfd, const char *path, int flags);
+int remount_by_fd(int dst, unsigned long mountflags);
+int bind_mount_by_fd(int src, int dst);
+int bind_mount_path_to_fd(const char *srcname, int dst);
+int bind_mount_fd_to_path(int src, const char *destname);
+void close_all(int *keep_list, size_t sz);
 int has_handler(pid_t pid, int signal);
 void enter_network_namespace(pid_t pid);
 int read_pid(const char *name, pid_t *pid);
 pid_t require_pid(const char *name);
-void check_homedir(void);
+void check_homedir(const char *dir);
 
 // Get info regarding the last kernel mount operation from /proc/self/mountinfo
 // The return value points to a static area, and will be overwritten by subsequent calls.
@@ -548,8 +573,8 @@ typedef struct {
 
 // mountinfo.c
 MountData *get_last_mount(void);
-int get_mount_id(const char *path);
-char **build_mount_array(const int mount_id, const char *path);
+int get_mount_id(int fd);
+char **build_mount_array(const int mountid, const char *path);
 
 // fs_var.c
 void fs_var_log(void);  // mounting /var/log
@@ -606,13 +631,13 @@ void caps_print_filter(pid_t pid) __attribute__((noreturn));
 void caps_drop_dac_override(void);
 
 // fs_trace.c
-void fs_trace_preload(void);
+void fs_trace_touch_preload(void);
+void fs_trace_touch_or_store_preload(void);
 void fs_tracefile(void);
 void fs_trace(void);
 
 // fs_hostname.c
 void fs_hostname(const char *hostname);
-void fs_resolvconf(void);
 char *fs_check_hosts_file(const char *fname);
 void fs_store_hosts_file(void);
 void fs_mount_hosts_file(void);
@@ -630,12 +655,15 @@ void cpu_print_filter(pid_t pid) __attribute__((noreturn));
 // cgroup.c
 void save_cgroup(void);
 void load_cgroup(const char *fname);
-void set_cgroup(const char *path);
+void check_cgroup_file(const char *fname);
+void set_cgroup(const char *fname, pid_t pid);
 
 // output.c
 void check_output(int argc, char **argv);
 
 // netfilter.c
+void netfilter_netlock(pid_t pid);
+void netfilter_trace(pid_t pid);
 void check_netfilter_file(const char *fname);
 void netfilter(const char *fname);
 void netfilter6(const char *fname);
@@ -655,6 +683,7 @@ void fs_machineid(void);
 void fs_private_dir_copy(const char *private_dir, const char *private_run_dir, const char *private_list);
 void fs_private_dir_mount(const char *private_dir, const char *private_run_dir);
 void fs_private_dir_list(const char *private_dir, const char *private_run_dir, const char *private_list);
+void fs_rebuild_etc(void);
 
 // no_sandbox.c
 int check_namespace_virt(void);
@@ -682,6 +711,7 @@ void env_ibus_load(void);
 void fs_whitelist(void);
 
 // pulseaudio.c
+void pipewire_disable(void);
 void pulseaudio_init(void);
 void pulseaudio_disable(void);
 
@@ -689,6 +719,8 @@ void pulseaudio_disable(void);
 void fs_private_bin_list(void);
 
 // fs_lib.c
+int is_firejail_link(const char *fname);
+char *find_in_path(const char *program);
 void fs_private_lib(void);
 
 // protocol.c
@@ -763,27 +795,30 @@ enum {
         CFG_NETWORK,
         CFG_RESTRICTED_NETWORK,
         CFG_FORCE_NONEWPRIVS,
-        CFG_WHITELIST,
         CFG_XEPHYR_WINDOW_TITLE,
         CFG_OVERLAYFS,
-        CFG_PRIVATE_HOME,
+        CFG_PRIVATE_BIN,
         CFG_PRIVATE_BIN_NO_LOCAL,
+        CFG_PRIVATE_CACHE,
+        CFG_PRIVATE_ETC,
+        CFG_PRIVATE_HOME,
+        CFG_PRIVATE_LIB,
+        CFG_PRIVATE_OPT,
+        CFG_PRIVATE_SRV,
         CFG_FIREJAIL_PROMPT,
-        CFG_FOLLOW_SYMLINK_AS_USER,
         CFG_DISABLE_MNT,
         CFG_JOIN,
         CFG_ARP_PROBES,
         CFG_XPRA_ATTACH,
         CFG_BROWSER_DISABLE_U2F,
         CFG_BROWSER_ALLOW_DRM,
-        CFG_PRIVATE_LIB,
         CFG_APPARMOR,
         CFG_DBUS,
-        CFG_PRIVATE_CACHE,
         CFG_CGROUP,
         CFG_NAME_CHANGE,
         CFG_SECCOMP_ERROR_ACTION,
         // CFG_FILE_COPY_LIMIT - file copy limit handled using setenv/getenv
+        CFG_ALLOW_TRAY,
         CFG_MAX // this should always be the last entry
 };
 extern char *xephyr_screen;
@@ -794,11 +829,14 @@ extern char *xvfb_extra_params;
 extern char *netfilter_default;
 extern unsigned long join_timeout;
 extern char *config_seccomp_error_action_str;
+extern char *config_seccomp_filter_add;
+extern char **whitelist_reject_topdirs;
 
 int checkcfg(int val);
 void print_compiletime_support(void);
 
 // appimage.c
+int appimage_find_profile(const char *archive);
 void appimage_set(const char *appimage_path);
 void appimage_mount(void);
 void appimage_clear(void);
@@ -807,15 +845,14 @@ void appimage_clear(void);
 long unsigned int appimage2_size(int fd);
 
 // cmdline.c
-void build_cmdline(char **command_line, char **window_title, int argc, char **argv, int index);
-void build_appimage_cmdline(char **command_line, char **window_title, int argc, char **argv, int index);
+void build_cmdline(char **command_line, char **window_title, int argc, char **argv, int index, bool want_extra_quotes);
+void build_appimage_cmdline(char **command_line, char **window_title, int argc, char **argv, int index, bool want_extra_quotes);
 
 // sbox.c
 // programs
 #define PATH_FNET_MAIN (LIBDIR "/firejail/fnet")                // when called from main thread
 #define PATH_FNET (RUN_FIREJAIL_LIB_DIR "/fnet")        // when called from sandbox thread
 
-//#define PATH_FNETFILTER (LIBDIR "/firejail/fnetfilter")
 #define PATH_FNETFILTER (RUN_FIREJAIL_LIB_DIR "/fnetfilter")
 
 #define PATH_FIREMON (PREFIX "/bin/firemon")
@@ -828,17 +865,16 @@ void build_appimage_cmdline(char **command_line, char **window_title, int argc,
 // it is also run from inside the sandbox by --debug; in this case we do an access(filename, X_OK) test first
 #define PATH_FSEC_PRINT (LIBDIR "/firejail/fsec-print")
 
-//#define PATH_FSEC_OPTIMIZE (LIBDIR "/firejail/fsec-optimize")
 #define PATH_FSEC_OPTIMIZE (RUN_FIREJAIL_LIB_DIR "/fsec-optimize")
 
-//#define PATH_FCOPY (LIBDIR "/firejail/fcopy")
 #define PATH_FCOPY (RUN_FIREJAIL_LIB_DIR "/fcopy")
 
 #define SBOX_STDIN_FILE "/run/firejail/mnt/sbox_stdin"
 
-//#define PATH_FLDD (LIBDIR "/firejail/fldd")
 #define PATH_FLDD (RUN_FIREJAIL_LIB_DIR "/fldd")
 
+#define PATH_FIDS (LIBDIR "/firejail/fids")
+
 // bitmapped filters for sbox_run
 #define SBOX_ROOT (1 << 0)                      // run the sandbox as root
 #define SBOX_USER (1 << 1)                      // run the sandbox as a regular user
@@ -850,7 +886,6 @@ void build_appimage_cmdline(char **command_line, char **window_title, int argc,
 #define SBOX_CAPS_HIDEPID (1 << 7)      // hidepid caps filter for running firemon
 #define SBOX_CAPS_NET_SERVICE (1 << 8) // caps filter for programs running network services
 #define SBOX_KEEP_FDS (1 << 9) // keep file descriptors open
-#define FIREJAIL_MAX_FD 20 // getdtablesize() is overkill for a firejail process
 
 // run sbox
 int sbox_run(unsigned filter, int num, ...);
@@ -883,4 +918,7 @@ void dhcp_start(void);
 // selinux.c
 void selinux_relabel_path(const char *path, const char *inside_path);
 
+// ids.c
+void run_ids(int argc, char **argv);
+
 #endif
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index fc67a15f3..c03cd7a12 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -18,11 +18,9 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "firejail.h"
+#include "../include/gcov_wrapper.h"
 #include <sys/mount.h>
-#include <sys/stat.h>
 #include <sys/statvfs.h>
-#include <sys/wait.h>
-#include <linux/limits.h>
 #include <fnmatch.h>
 #include <glob.h>
 #include <dirent.h>
@@ -34,7 +32,7 @@
 #endif
 
 #define MAX_BUF 4096
-#define EMPTY_STRING ("")
+
 // check noblacklist statements not matched by a proper blacklist in disable-*.inc files
 //#define TEST_NO_BLACKLIST_MATCHING
 
@@ -54,16 +52,10 @@ static char *opstr[] = {
         [MOUNT_RDWR_NOCHECK] = "read-write",
 };
 
-typedef enum {
-        UNSUCCESSFUL,
-        SUCCESSFUL
-} LAST_DISABLE_OPERATION;
-LAST_DISABLE_OPERATION last_disable = UNSUCCESSFUL;
-
 static void disable_file(OPERATION op, const char *filename) {
         assert(filename);
         assert(op <OPERATION_MAX);
-        last_disable = UNSUCCESSFUL;
+        EUID_ASSERT();
 
         // Resolve all symlinks
         char* fname = realpath(filename, NULL);
@@ -71,20 +63,24 @@ static void disable_file(OPERATION op, const char *filename) {
                 return;
         }
         if (fname == NULL && errno == EACCES) {
-                if (arg_debug)
-                        printf("Debug: no access to file %s, forcing mount\n", filename);
                 // realpath and stat functions will fail on FUSE filesystems
                 // they don't seem to like a uid of 0
                 // force mounting
-                int rv = mount(RUN_RO_DIR, filename, "none", MS_BIND, "mode=400,gid=0");
-                if (rv == 0)
-                        last_disable = SUCCESSFUL;
-                else {
-                        rv = mount(RUN_RO_FILE, filename, "none", MS_BIND, "mode=400,gid=0");
-                        if (rv == 0)
-                                last_disable = SUCCESSFUL;
+                int fd = open(filename, O_PATH|O_CLOEXEC);
+                if (fd < 0) {
+                        if (arg_debug)
+                                printf("Warning (blacklisting): cannot open %s: %s\n", filename, strerror(errno));
+                        return;
                 }
-                if (last_disable == SUCCESSFUL) {
+
+                EUID_ROOT();
+                int err = bind_mount_path_to_fd(RUN_RO_DIR, fd);
+                if (err != 0)
+                        err = bind_mount_path_to_fd(RUN_RO_FILE, fd);
+                EUID_USER();
+                close(fd);
+
+                if (err == 0) {
                         if (arg_debug)
                                 printf("Disable %s\n", filename);
                         if (op == BLACKLIST_FILE)
@@ -92,31 +88,39 @@ static void disable_file(OPERATION op, const char *filename) {
                         else
                                 fs_logger2("blacklist-nolog", filename);
                 }
-                else {
-                        if (arg_debug)
-                                printf("Warning (blacklisting): %s is an invalid file, skipping...\n", filename);
-                }
+                else if (arg_debug)
+                        printf("Warning (blacklisting): cannot mount on %s\n", filename);
 
                 return;
         }
 
-        // if the file is not present, do nothing
-        struct stat s;
-        if (fname == NULL)
+        assert(fname);
+        // check for firejail executable
+        // we might have a file found in ${PATH} pointing to /usr/bin/firejail
+        // blacklisting it here will end up breaking situations like user clicks on a link in Thunderbird
+        //     and expects Firefox to open in the same sandbox
+        if (strcmp(BINDIR "/firejail", fname) == 0) {
+                free(fname);
                 return;
-        if (stat(fname, &s) == -1) {
+        }
+
+        // if the file is not present, do nothing
+        int fd = open(fname, O_PATH|O_CLOEXEC);
+        if (fd < 0) {
                 if (arg_debug)
-                        fwarning("%s does not exist, skipping...\n", fname);
+                        printf("Warning (blacklisting): cannot open %s: %s\n", fname, strerror(errno));
                 free(fname);
                 return;
         }
 
-        // check for firejail executable
-        // we migth have a file found in ${PATH} pointing to /usr/bin/firejail
-        // blacklisting it here will end up breaking situations like user clicks on a link in Thunderbird
-        //     and expects Firefox to open in the same sandbox
-        if (strcmp(BINDIR "/firejail", fname) == 0)
+        struct stat s;
+        if (fstat(fd, &s) < 0) {
+                if (arg_debug)
+                        printf("Warning (blacklisting): cannot stat %s: %s\n", fname, strerror(errno));
+                free(fname);
+                close(fd);
                 return;
+        }
 
         // modify the file
         if (op == BLACKLIST_FILE || op == BLACKLIST_NOLOG) {
@@ -141,44 +145,64 @@ static void disable_file(OPERATION op, const char *filename) {
                                         printf(" - no logging\n");
                         }
 
+                        EUID_ROOT();
                         if (S_ISDIR(s.st_mode)) {
-                                if (mount(RUN_RO_DIR, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
+                                if (bind_mount_path_to_fd(RUN_RO_DIR, fd) < 0)
                                         errExit("disable file");
                         }
                         else {
-                                if (mount(RUN_RO_FILE, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
+                                if (bind_mount_path_to_fd(RUN_RO_FILE, fd) < 0)
                                         errExit("disable file");
                         }
-                        last_disable = SUCCESSFUL;
+                        EUID_USER();
+
                         if (op == BLACKLIST_FILE)
                                 fs_logger2("blacklist", fname);
                         else
                                 fs_logger2("blacklist-nolog", fname);
+
+                        // files in /etc will be reprocessed during /etc rebuild
+                        if (strncmp(fname, "/etc/", 5) == 0) {
+                                ProfileEntry *prf = malloc(sizeof(ProfileEntry));
+                                if (!prf)
+                                        errExit("malloc");
+                                memset(prf, 0, sizeof(ProfileEntry));
+                                prf->data = strdup(fname);
+                                if (!prf->data)
+                                        errExit("strdup");
+                                prf->next = cfg.profile_rebuild_etc;
+                                cfg.profile_rebuild_etc = prf;
+                        }
                 }
         }
         else if (op == MOUNT_READONLY || op == MOUNT_RDWR || op == MOUNT_NOEXEC) {
                 fs_remount_rec(fname, op);
-                // todo: last_disable = SUCCESSFUL;
         }
         else if (op == MOUNT_TMPFS) {
-                if (S_ISDIR(s.st_mode)) {
-                        if (getuid()) {
-                                if (strncmp(cfg.homedir, fname, strlen(cfg.homedir)) != 0 ||
-                                    fname[strlen(cfg.homedir)] != '/') {
-                                        fprintf(stderr, "Error: tmpfs outside $HOME is only available for root\n");
-                                        exit(1);
-                                }
+                if (!S_ISDIR(s.st_mode)) {
+                        fwarning("%s is not a directory; cannot mount a tmpfs on top of it.\n", fname);
+                        goto out;
+                }
+
+                uid_t uid = getuid();
+                if (uid != 0) {
+                        // only user owned directories in user home
+                        if (s.st_uid != uid ||
+                            strncmp(cfg.homedir, fname, strlen(cfg.homedir)) != 0 ||
+                            fname[strlen(cfg.homedir)] != '/') {
+                                fwarning("you are not allowed to mount a tmpfs on %s\n", fname);
+                                goto out;
                         }
-                        fs_tmpfs(fname, getuid());
-                        selinux_relabel_path(fname, fname);
-                        last_disable = SUCCESSFUL;
                 }
-                else
-                        fwarning("%s is not a directory; cannot mount a tmpfs on top of it.\n", fname);
+
+                fs_tmpfs(fname, uid);
+                selinux_relabel_path(fname, fname);
         }
         else
                 assert(0);
 
+out:
+        close(fd);
         free(fname);
 }
 
@@ -191,6 +215,7 @@ static int *nbcheck = NULL;
 // Treat pattern as a shell glob pattern and blacklist matching files
 static void globbing(OPERATION op, const char *pattern, const char *noblacklist[], size_t noblacklist_len) {
         assert(pattern);
+        EUID_ASSERT();
 
 #ifdef TEST_NO_BLACKLIST_MATCHING
         if (nbcheck_start == 0) {
@@ -253,6 +278,8 @@ static void globbing(OPERATION op, const char *pattern, const char *noblacklist[
 
 // blacklist files or directories by mounting empty files on top of them
 void fs_blacklist(void) {
+        EUID_ASSERT();
+
         ProfileEntry *entry = cfg.profile;
         if (!entry)
                 return;
@@ -294,11 +321,13 @@ void fs_blacklist(void) {
                         if (arg_debug)
                                 printf("Mount-bind %s on top of %s\n", dname1, dname2);
                         // preserve dname2 mode and ownership
+                        // EUID_ROOT(); - option not accessible to non-root users
                         if (mount(dname1, dname2, NULL, MS_BIND|MS_REC, NULL) < 0)
                                 errExit("mount bind");
                         /* coverity[toctou] */
                         if (set_perms(dname2,  s.st_uid, s.st_gid,s.st_mode))
                                 errExit("set_perms");
+                        // EUID_USER();
 
                         entry = entry->next;
                         continue;
@@ -376,16 +405,12 @@ void fs_blacklist(void) {
                         op = MOUNT_TMPFS;
                 }
                 else if (strncmp(entry->data, "mkdir ", 6) == 0) {
-                        EUID_USER();
                         fs_mkdir(entry->data + 6);
-                        EUID_ROOT();
                         entry = entry->next;
                         continue;
                 }
                 else if (strncmp(entry->data, "mkfile ", 7) == 0) {
-                        EUID_USER();
                         fs_mkfile(entry->data + 7);
-                        EUID_ROOT();
                         entry = entry->next;
                         continue;
                 }
@@ -449,11 +474,12 @@ void fs_blacklist(void) {
 
 // mount a writable tmpfs on directory; requires a resolved path
 void fs_tmpfs(const char *dir, unsigned check_owner) {
+        EUID_ASSERT();
         assert(dir);
         if (arg_debug)
                 printf("Mounting tmpfs on %s, check owner: %s\n", dir, (check_owner)? "yes": "no");
         // get a file descriptor for dir, fails if there is any symlink
-        int fd = safe_fd(dir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
+        int fd = safer_openat(-1, dir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
         if (fd == -1)
                 errExit("while opening directory");
         struct stat s;
@@ -471,13 +497,15 @@ void fs_tmpfs(const char *dir, unsigned check_owner) {
         struct statvfs buf;
         if (fstatvfs(fd, &buf) == -1)
                 errExit("fstatvfs");
-        unsigned long flags = buf.f_flag & ~(MS_RDONLY|MS_BIND);
+        unsigned long flags = buf.f_flag & ~(MS_RDONLY|MS_BIND|MS_REMOUNT);
         // mount via the symbolic link in /proc/self/fd
         char *proc;
         if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
                 errExit("asprintf");
+        EUID_ROOT();
         if (mount("tmpfs", proc, "tmpfs", flags|MS_NOSUID|MS_NODEV, options) < 0)
                 errExit("mounting tmpfs");
+        EUID_USER();
         // check the last mount operation
         MountData *mdata = get_last_mount();
         if (strcmp(mdata->fstype, "tmpfs") != 0 || strcmp(mdata->dir, dir) != 0)
@@ -490,38 +518,42 @@ void fs_tmpfs(const char *dir, unsigned check_owner) {
 
 // remount path, preserving other mount flags; requires a resolved path
 static void fs_remount_simple(const char *path, OPERATION op) {
+        EUID_ASSERT();
         assert(path);
 
         // open path without following symbolic links
-        int fd1 = safe_fd(path, O_PATH|O_NOFOLLOW|O_CLOEXEC);
-        if (fd1 == -1)
+        int fd = safer_openat(-1, path, O_PATH|O_NOFOLLOW|O_CLOEXEC);
+        if (fd < 0)
                 goto out;
-        struct stat s1;
-        if (fstat(fd1, &s1) == -1) {
+
+        struct stat s;
+        if (fstat(fd, &s) < 0) {
                 // fstat can fail with EACCES if path is a FUSE mount,
                 // mounted without 'allow_root' or 'allow_other'
                 if (errno != EACCES)
                         errExit("fstat");
-                close(fd1);
+                close(fd);
                 goto out;
         }
         // get mount flags
         struct statvfs buf;
-        if (fstatvfs(fd1, &buf) == -1)
-                errExit("fstatvfs");
+        if (fstatvfs(fd, &buf) < 0) {
+                close(fd);
+                goto out;
+        }
         unsigned long flags = buf.f_flag;
 
         // read-write option
         if (op == MOUNT_RDWR || op == MOUNT_RDWR_NOCHECK) {
                 // nothing to do if there is no read-only flag
                 if ((flags & MS_RDONLY) == 0) {
-                        close(fd1);
+                        close(fd);
                         return;
                 }
                 // allow only user owned directories, except the user is root
-                if (op != MOUNT_RDWR_NOCHECK && getuid() != 0 && s1.st_uid != getuid()) {
+                if (op != MOUNT_RDWR_NOCHECK && getuid() != 0 && s.st_uid != getuid()) {
                         fwarning("you are not allowed to change %s to read-write\n", path);
-                        close(fd1);
+                        close(fd);
                         return;
                 }
                 flags &= ~MS_RDONLY;
@@ -530,7 +562,7 @@ static void fs_remount_simple(const char *path, OPERATION op) {
         else if (op == MOUNT_NOEXEC) {
                 // nothing to do if path is mounted noexec already
                 if ((flags & (MS_NOEXEC|MS_NODEV|MS_NOSUID)) == (MS_NOEXEC|MS_NODEV|MS_NOSUID)) {
-                        close(fd1);
+                        close(fd);
                         return;
                 }
                 flags |= MS_NOEXEC|MS_NODEV|MS_NOSUID;
@@ -539,7 +571,7 @@ static void fs_remount_simple(const char *path, OPERATION op) {
         else if (op == MOUNT_READONLY) {
                 // nothing to do if path is mounted read-only already
                 if ((flags & MS_RDONLY) == MS_RDONLY) {
-                        close(fd1);
+                        close(fd);
                         return;
                 }
                 flags |= MS_RDONLY;
@@ -549,29 +581,37 @@ static void fs_remount_simple(const char *path, OPERATION op) {
 
         if (arg_debug)
                 printf("Mounting %s %s\n", opstr[op], path);
+
+        // make path a mount point:
         // mount --bind path path
-        char *proc;
-        if (asprintf(&proc, "/proc/self/fd/%d", fd1) == -1)
-                errExit("asprintf");
-        if (mount(proc, proc, NULL, MS_BIND|MS_REC, NULL) < 0)
-                errExit("mount");
-        free(proc);
+        EUID_ROOT();
+        int err = bind_mount_by_fd(fd, fd);
+        EUID_USER();
+        if (err) {
+                close(fd);
+                goto out;
+        }
 
-        // mount --bind -o remount,ro path
-        // need to open path again without following symbolic links
-        int fd2 = safe_fd(path, O_PATH|O_NOFOLLOW|O_CLOEXEC);
-        if (fd2 == -1)
-                errExit("open");
+        // remount the mount point
+        // need to open path again
+        int fd2 = safer_openat(-1, path, O_PATH|O_NOFOLLOW|O_CLOEXEC);
+        close(fd); // earliest timepoint to close fd
+        if (fd2 < 0)
+                goto out;
+
+        // device and inode number should be the same
         struct stat s2;
-        if (fstat(fd2, &s2) == -1)
+        if (fstat(fd2, &s2) < 0)
                 errExit("fstat");
-        // device and inode number should be the same
-        if (s1.st_dev != s2.st_dev || s1.st_ino != s2.st_ino)
+        if (s.st_dev != s2.st_dev || s.st_ino != s2.st_ino)
                 errLogExit("invalid %s mount", opstr[op]);
-        if (asprintf(&proc, "/proc/self/fd/%d", fd2) == -1)
-                errExit("asprintf");
-        if (mount(NULL, proc, NULL, flags|MS_BIND|MS_REMOUNT, NULL) < 0)
-                errExit("mount");
+
+        EUID_ROOT();
+        err = remount_by_fd(fd2, flags);
+        EUID_USER();
+        close(fd2);
+        if (err)
+                goto out;
 
         // run a sanity check on /proc/self/mountinfo and confirm that target of the last
         // mount operation was path; if there are other mount points contained inside path,
@@ -582,10 +622,8 @@ static void fs_remount_simple(const char *path, OPERATION op) {
            (*(mptr->dir + len) != '\0' && *(mptr->dir + len) != '/'))
            && strcmp(path, "/") != 0) // support read-only=/
                 errLogExit("invalid %s mount", opstr[op]);
+
         fs_logger2(opstr[op], path);
-        free(proc);
-        close(fd1);
-        close(fd2);
         return;
 
 out:
@@ -593,38 +631,37 @@ out:
 }
 
 // remount recursively; requires a resolved path
-static void fs_remount_rec(const char *dir, OPERATION op) {
-        assert(dir);
-        struct stat s;
-        if (stat(dir, &s) != 0)
-                return;
-        if (!S_ISDIR(s.st_mode)) {
-                // no need to search in /proc/self/mountinfo for submounts if not a directory
-                fs_remount_simple(dir, op);
+static void fs_remount_rec(const char *path, OPERATION op) {
+        EUID_ASSERT();
+        assert(op < OPERATION_MAX);
+        assert(path);
+
+        // no need to search /proc/self/mountinfo for submounts if not a directory
+        int fd = open(path, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
+        if (fd < 0) {
+                fs_remount_simple(path, op);
                 return;
         }
-        // get mount point of the directory
-        int mountid = get_mount_id(dir);
-        if (mountid == -1)
-                return;
-        if (mountid == -2) {
-                // falling back to a simple remount on old kernels
-                static int mount_warning = 0;
-                if (!mount_warning) {
-                        fwarning("read-only, read-write and noexec options are not applied recursively\n");
-                        mount_warning = 1;
-                }
-                fs_remount_simple(dir, op);
+
+        // get mount id of the directory
+        int mountid = get_mount_id(fd);
+        close(fd);
+        if (mountid < 0) {
+                // falling back to a simple remount
+                fwarning("%s %s not applied recursively\n", opstr[op], path);
+                fs_remount_simple(path, op);
                 return;
         }
+
         // build array with all mount points that need to get remounted
-        char **arr = build_mount_array(mountid, dir);
-        assert(arr);
+        char **arr = build_mount_array(mountid, path);
+        if (!arr)
+                return;
         // remount
-        char **tmp = arr;
-        while (*tmp) {
-                fs_remount_simple(*tmp, op);
-                free(*tmp++);
+        int i;
+        for (i = 0; arr[i]; i++) {
+                fs_remount_simple(arr[i], op);
+                free(arr[i]);
         }
         free(arr);
 }
@@ -632,6 +669,14 @@ static void fs_remount_rec(const char *dir, OPERATION op) {
 // resolve a path and remount it
 void fs_remount(const char *path, OPERATION op, int rec) {
         assert(path);
+
+        int called_as_root = 0;
+        if (geteuid() == 0)
+                called_as_root = 1;
+
+        if (called_as_root)
+                EUID_USER();
+
         char *rpath = realpath(path, NULL);
         if (rpath) {
                 if (rec)
@@ -640,10 +685,14 @@ void fs_remount(const char *path, OPERATION op, int rec) {
                         fs_remount_simple(rpath, op);
                 free(rpath);
         }
+
+        if (called_as_root)
+                EUID_ROOT();
 }
 
 // Disable /mnt, /media, /run/mount and /run/media access
 void fs_mnt(const int enforce) {
+        EUID_USER();
         if (enforce) {
                 // disable-mnt set in firejail.config
                 // overriding with noblacklist is not possible in this case
@@ -653,13 +702,12 @@ void fs_mnt(const int enforce) {
                 disable_file(BLACKLIST_FILE, "/run/media");
         }
         else {
-                EUID_USER();
                 profile_add("blacklist /mnt");
                 profile_add("blacklist /media");
                 profile_add("blacklist /run/mount");
                 profile_add("blacklist /run/media");
-                EUID_ROOT();
         }
+        EUID_ROOT();
 }
 
 
@@ -674,7 +722,6 @@ void fs_proc_sys_dev_boot(void) {
                 errExit("mounting /proc/sys");
         fs_logger("read-only /proc/sys");
 
-
         /* Mount a version of /sys that describes the network namespace */
         if (arg_debug)
                 printf("Remounting /sys directory\n");
@@ -689,13 +736,13 @@ void fs_proc_sys_dev_boot(void) {
         else
                 fs_logger("remount /sys");
 
+        EUID_USER();
+
         disable_file(BLACKLIST_FILE, "/sys/firmware");
         disable_file(BLACKLIST_FILE, "/sys/hypervisor");
         { // allow user access to some directories in /sys/ by specifying 'noblacklist' option
-                EUID_USER();
                 profile_add("blacklist /sys/fs");
                 profile_add("blacklist /sys/module");
-                EUID_ROOT();
         }
         disable_file(BLACKLIST_FILE, "/sys/power");
         disable_file(BLACKLIST_FILE, "/sys/kernel/debug");
@@ -739,12 +786,8 @@ void fs_proc_sys_dev_boot(void) {
         // disable /dev/port
         disable_file(BLACKLIST_FILE, "/dev/port");
 
-
-
         // disable various ipc sockets in /run/user
         if (!arg_writable_run_user) {
-                struct stat s;
-
                 char *fname;
                 if (asprintf(&fname, "/run/user/%d", getuid()) == -1)
                         errExit("asprintf");
@@ -755,8 +798,7 @@ void fs_proc_sys_dev_boot(void) {
                                 errExit("asprintf");
                         if (create_empty_dir_as_user(fnamegpg, 0700))
                                 fs_logger2("create", fnamegpg);
-                        if (stat(fnamegpg, &s) == 0)
-                                disable_file(BLACKLIST_FILE, fnamegpg);
+                        disable_file(BLACKLIST_FILE, fnamegpg);
                         free(fnamegpg);
 
                         // disable /run/user/{uid}/systemd
@@ -765,8 +807,7 @@ void fs_proc_sys_dev_boot(void) {
                                 errExit("asprintf");
                         if (create_empty_dir_as_user(fnamesysd, 0755))
                                 fs_logger2("create", fnamesysd);
-                        if (stat(fnamesysd, &s) == 0)
-                                disable_file(BLACKLIST_FILE, fnamesysd);
+                        disable_file(BLACKLIST_FILE, fnamesysd);
                         free(fnamesysd);
                 }
                 free(fname);
@@ -777,35 +818,32 @@ void fs_proc_sys_dev_boot(void) {
                 disable_file(BLACKLIST_FILE, "/dev/kmsg");
                 disable_file(BLACKLIST_FILE, "/proc/kmsg");
         }
+
+        EUID_ROOT();
 }
 
 // disable firejail configuration in ~/.config/firejail
 void disable_config(void) {
-        struct stat s;
-
+        EUID_USER();
+#ifndef HAVE_ONLY_SYSCFG_PROFILES
         char *fname;
         if (asprintf(&fname, "%s/.config/firejail", cfg.homedir) == -1)
                 errExit("asprintf");
-        if (stat(fname, &s) == 0)
-                disable_file(BLACKLIST_FILE, fname);
+        disable_file(BLACKLIST_FILE, fname);
         free(fname);
+#endif
 
         // disable run time information
-        if (stat(RUN_FIREJAIL_NETWORK_DIR, &s) == 0)
-                disable_file(BLACKLIST_FILE, RUN_FIREJAIL_NETWORK_DIR);
-        if (stat(RUN_FIREJAIL_BANDWIDTH_DIR, &s) == 0)
-                disable_file(BLACKLIST_FILE, RUN_FIREJAIL_BANDWIDTH_DIR);
-        if (stat(RUN_FIREJAIL_NAME_DIR, &s) == 0)
-                disable_file(BLACKLIST_FILE, RUN_FIREJAIL_NAME_DIR);
-        if (stat(RUN_FIREJAIL_PROFILE_DIR, &s) == 0)
-                disable_file(BLACKLIST_FILE, RUN_FIREJAIL_PROFILE_DIR);
-        if (stat(RUN_FIREJAIL_X11_DIR, &s) == 0)
-                disable_file(BLACKLIST_FILE, RUN_FIREJAIL_X11_DIR);
+        disable_file(BLACKLIST_FILE, RUN_FIREJAIL_NETWORK_DIR);
+        disable_file(BLACKLIST_FILE, RUN_FIREJAIL_BANDWIDTH_DIR);
+        disable_file(BLACKLIST_FILE, RUN_FIREJAIL_NAME_DIR);
+        disable_file(BLACKLIST_FILE, RUN_FIREJAIL_PROFILE_DIR);
+        disable_file(BLACKLIST_FILE, RUN_FIREJAIL_X11_DIR);
+        EUID_ROOT();
 }
 
 
 // build a basic read-only filesystem
-// top level directories could be links, run no after-mount checks
 void fs_basic_fs(void) {
         uid_t uid = getuid();
 
@@ -815,6 +853,7 @@ void fs_basic_fs(void) {
         if (mount("proc", "/proc", "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0)
                 errExit("mounting /proc");
 
+        EUID_USER();
         if (arg_debug)
                 printf("Basic read-only filesystem:\n");
         if (!arg_writable_etc) {
@@ -834,6 +873,7 @@ void fs_basic_fs(void) {
         fs_remount("/lib64", MOUNT_READONLY, 1);
         fs_remount("/lib32", MOUNT_READONLY, 1);
         fs_remount("/libx32", MOUNT_READONLY, 1);
+        EUID_ROOT();
 
         // update /var directory in order to support multiple sandboxes running on the same root directory
         fs_var_lock();
@@ -858,369 +898,9 @@ void fs_basic_fs(void) {
 }
 
 
-
-#ifdef HAVE_OVERLAYFS
-char *fs_check_overlay_dir(const char *subdirname, int allow_reuse) {
-        assert(subdirname);
-        struct stat s;
-        char *dirname;
-
-        if (asprintf(&dirname, "%s/.firejail", cfg.homedir) == -1)
-                errExit("asprintf");
-        // check if ~/.firejail already exists
-        if (lstat(dirname, &s) == 0) {
-                if (!S_ISDIR(s.st_mode)) {
-                        if (S_ISLNK(s.st_mode))
-                                fprintf(stderr, "Error: %s is a symbolic link\n", dirname);
-                        else
-                                fprintf(stderr, "Error: %s is not a directory\n", dirname);
-                        exit(1);
-                }
-                if (s.st_uid != getuid()) {
-                        fprintf(stderr, "Error: %s is not owned by the current user\n", dirname);
-                        exit(1);
-                }
-        }
-        else {
-                // create ~/.firejail directory
-                create_empty_dir_as_user(dirname, 0700);
-                if (stat(dirname, &s) == -1) {
-                        fprintf(stderr, "Error: cannot create directory %s\n", dirname);
-                        exit(1);
-                }
-        }
-        free(dirname);
-
-        // check overlay directory
-        if (asprintf(&dirname, "%s/.firejail/%s", cfg.homedir, subdirname) == -1)
-                errExit("asprintf");
-        if (lstat(dirname, &s) == 0) {
-                if (!S_ISDIR(s.st_mode)) {
-                        if (S_ISLNK(s.st_mode))
-                                fprintf(stderr, "Error: %s is a symbolic link\n", dirname);
-                        else
-                                fprintf(stderr, "Error: %s is not a directory\n", dirname);
-                        exit(1);
-                }
-                if (s.st_uid != 0) {
-                        fprintf(stderr, "Error: overlay directory %s is not owned by the root user\n", dirname);
-                        exit(1);
-                }
-                if (allow_reuse == 0) {
-                        fprintf(stderr, "Error: overlay directory exists, but reuse is not allowed\n");
-                        exit(1);
-                }
-        }
-
-        return dirname;
-}
-
-
-
-// mount overlayfs on top of / directory
-// mounting an overlay and chrooting into it:
-//
-// Old Ubuntu kernel
-// # cd ~
-// # mkdir -p overlay/root
-// # mkdir -p overlay/diff
-// # mount -t overlayfs -o lowerdir=/,upperdir=/root/overlay/diff overlayfs /root/overlay/root
-// # chroot /root/overlay/root
-// to shutdown, first exit the chroot and then  unmount the overlay
-// # exit
-// # umount /root/overlay/root
-//
-// Kernels 3.18+
-// # cd ~
-// # mkdir -p overlay/root
-// # mkdir -p overlay/diff
-// # mkdir -p overlay/work
-// # mount -t overlay -o lowerdir=/,upperdir=/root/overlay/diff,workdir=/root/overlay/work overlay /root/overlay/root
-// # cat /etc/mtab | grep overlay
-// /root/overlay /root/overlay/root overlay rw,relatime,lowerdir=/,upperdir=/root/overlay/diff,workdir=/root/overlay/work 0 0
-// # chroot /root/overlay/root
-// to shutdown, first exit the chroot and then  unmount the overlay
-// # exit
-// # umount /root/overlay/root
-
-
-// to do: fix the code below; also, it might work without /dev, but consider keeping /dev/shm; add locking mechanism for overlay-clean
-#include <sys/utsname.h>
-void fs_overlayfs(void) {
-        struct stat s;
-
-        // check kernel version
-        struct utsname u;
-        int rv = uname(&u);
-        if (rv != 0)
-                errExit("uname");
-        int major;
-        int minor;
-        if (2 != sscanf(u.release, "%d.%d", &major, &minor)) {
-                fprintf(stderr, "Error: cannot extract Linux kernel version: %s\n", u.version);
-                exit(1);
-        }
-
-        if (arg_debug)
-                printf("Linux kernel version %d.%d\n", major, minor);
-        int oldkernel = 0;
-        if (major < 3) {
-                fprintf(stderr, "Error: minimum kernel version required 3.x\n");
-                exit(1);
-        }
-        if (major == 3 && minor < 18)
-                oldkernel = 1;
-
-        // mounting an overlayfs on top of / seems to be broken for kernels > 4.19
-        // we disable overlayfs for now, pending fixing
-        if (major >= 4 &&minor >= 19) {
-                fprintf(stderr, "Error: OverlayFS disabled for Linux kernels 4.19 and newer, pending fixing.\n");
-                exit(1);
-        }
-
-        char *oroot = RUN_OVERLAY_ROOT;
-        mkdir_attr(oroot, 0755, 0, 0);
-
-        // set base for working and diff directories
-        char *basedir = RUN_MNT_DIR;
-        int basefd = -1;
-
-        if (arg_overlay_keep) {
-                basedir = cfg.overlay_dir;
-                assert(basedir);
-                // get a file descriptor for ~/.firejail, fails if there is any symlink
-                char *firejail;
-                if (asprintf(&firejail, "%s/.firejail", cfg.homedir) == -1)
-                        errExit("asprintf");
-                int fd = safe_fd(firejail, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
-                if (fd == -1)
-                        errExit("safe_fd");
-                free(firejail);
-                // create basedir if it doesn't exist
-                // the new directory will be owned by root
-                const char *dirname = gnu_basename(basedir);
-                if (mkdirat(fd, dirname, 0755) == -1 && errno != EEXIST) {
-                        perror("mkdir");
-                        fprintf(stderr, "Error: cannot create overlay directory %s\n", basedir);
-                        exit(1);
-                }
-                // open basedir
-                basefd = openat(fd, dirname, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
-                close(fd);
-        }
-        else {
-                basefd = open(basedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
-        }
-        if (basefd == -1) {
-                perror("open");
-                fprintf(stderr, "Error: cannot open overlay directory %s\n", basedir);
-                exit(1);
-        }
-
-        // confirm once more base is owned by root
-        if (fstat(basefd, &s) == -1)
-                errExit("fstat");
-        if (s.st_uid != 0) {
-                fprintf(stderr, "Error: overlay directory %s is not owned by the root user\n", basedir);
-                exit(1);
-        }
-        // confirm permissions of base are 0755
-        if (((S_IRWXU|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH) & s.st_mode) != (S_IRWXU|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH)) {
-                fprintf(stderr, "Error: invalid permissions on overlay directory %s\n", basedir);
-                exit(1);
-        }
-
-        // create diff and work directories inside base
-        // no need to check arg_overlay_reuse
-        char *odiff;
-        if (asprintf(&odiff, "%s/odiff", basedir) == -1)
-                errExit("asprintf");
-        // the new directory will be owned by root
-        if (mkdirat(basefd, "odiff", 0755) == -1 && errno != EEXIST) {
-                perror("mkdir");
-                fprintf(stderr, "Error: cannot create overlay directory %s\n", odiff);
-                exit(1);
-        }
-        ASSERT_PERMS(odiff, 0, 0, 0755);
-
-        char *owork;
-        if (asprintf(&owork, "%s/owork", basedir) == -1)
-                errExit("asprintf");
-        // the new directory will be owned by root
-        if (mkdirat(basefd, "owork", 0755) == -1 && errno != EEXIST) {
-                perror("mkdir");
-                fprintf(stderr, "Error: cannot create overlay directory %s\n", owork);
-                exit(1);
-        }
-        ASSERT_PERMS(owork, 0, 0, 0755);
-
-        // mount overlayfs
-        if (arg_debug)
-                printf("Mounting OverlayFS\n");
-        char *option;
-        if (oldkernel) { // old Ubuntu/OpenSUSE kernels
-                if (arg_overlay_keep) {
-                        fprintf(stderr, "Error: option --overlay= not available for kernels older than 3.18\n");
-                        exit(1);
-                }
-                if (asprintf(&option, "lowerdir=/,upperdir=%s", odiff) == -1)
-                        errExit("asprintf");
-                if (mount("overlayfs", oroot, "overlayfs", MS_MGC_VAL, option) < 0)
-                        errExit("mounting overlayfs");
-        }
-        else { // kernel 3.18 or newer
-                if (asprintf(&option, "lowerdir=/,upperdir=%s,workdir=%s", odiff, owork) == -1)
-                        errExit("asprintf");
-                if (mount("overlay", oroot, "overlay", MS_MGC_VAL, option) < 0) {
-                        fprintf(stderr, "Debug: running on kernel version %d.%d\n", major, minor);
-                        errExit("mounting overlayfs");
-                }
-
-                //***************************
-                // issue #263 start code
-                // My setup has a separate mount point for /home. When the overlay is mounted,
-                // the overlay does not contain the original /home contents.
-                // I added code to create a second overlay for /home if the overlay home dir is empty and this seems to work
-                // @dshmgh, Jan 2016
-                {
-                        char *overlayhome;
-                        struct stat s;
-                        char *hroot;
-                        char *hdiff;
-                        char *hwork;
-
-                        // dons add debug
-                        if (arg_debug) printf ("DEBUG: chroot dirs are oroot %s  odiff %s  owork %s\n",oroot,odiff,owork);
-
-                        // BEFORE NEXT, WE NEED TO TEST IF /home has any contents or do we need to mount it?
-                        // must create var for oroot/cfg.homedir
-                        if (asprintf(&overlayhome, "%s%s", oroot, cfg.homedir) == -1)
-                                errExit("asprintf");
-                        if (arg_debug) printf ("DEBUG: overlayhome var holds ##%s##\n", overlayhome);
-
-                        // if no homedir in overlay -- create another overlay for /home
-                        if (stat(cfg.homedir, &s) == 0 && stat(overlayhome, &s) == -1) {
-
-                                // no need to check arg_overlay_reuse
-                                if (asprintf(&hdiff, "%s/hdiff", basedir) == -1)
-                                        errExit("asprintf");
-                                // the new directory will be owned by root
-                                if (mkdirat(basefd, "hdiff", 0755) == -1 && errno != EEXIST) {
-                                        perror("mkdir");
-                                        fprintf(stderr, "Error: cannot create overlay directory %s\n", hdiff);
-                                        exit(1);
-                                }
-                                ASSERT_PERMS(hdiff, 0, 0, 0755);
-
-                                // no need to check arg_overlay_reuse
-                                if (asprintf(&hwork, "%s/hwork", basedir) == -1)
-                                        errExit("asprintf");
-                                // the new directory will be owned by root
-                                if (mkdirat(basefd, "hwork", 0755) == -1 && errno != EEXIST) {
-                                        perror("mkdir");
-                                        fprintf(stderr, "Error: cannot create overlay directory %s\n", hwork);
-                                        exit(1);
-                                }
-                                ASSERT_PERMS(hwork, 0, 0, 0755);
-
-                                // no homedir in overlay so now mount another overlay for /home
-                                if (asprintf(&hroot, "%s/home", oroot) == -1)
-                                        errExit("asprintf");
-                                if (asprintf(&option, "lowerdir=/home,upperdir=%s,workdir=%s", hdiff, hwork) == -1)
-                                        errExit("asprintf");
-                                if (mount("overlay", hroot, "overlay", MS_MGC_VAL, option) < 0)
-                                        errExit("mounting overlayfs for mounted home directory");
-
-                                printf("OverlayFS for /home configured in %s directory\n", basedir);
-                                free(hroot);
-                                free(hdiff);
-                                free(hwork);
-
-                        } // stat(overlayhome)
-                        free(overlayhome);
-                }
-                // issue #263 end code
-                //***************************
-        }
-        fmessage("OverlayFS configured in %s directory\n", basedir);
-        close(basefd);
-
-        // /dev, /run and /tmp are not covered by the overlay
-        // mount-bind dev directory
-        if (arg_debug)
-                printf("Mounting /dev\n");
-        char *dev;
-        if (asprintf(&dev, "%s/dev", oroot) == -1)
-                errExit("asprintf");
-        if (mount("/dev", dev, NULL, MS_BIND|MS_REC, NULL) < 0)
-                errExit("mounting /dev");
-        fs_logger("whitelist /dev");
-
-        // mount-bind run directory
-        if (arg_debug)
-                printf("Mounting /run\n");
-        char *run;
-        if (asprintf(&run, "%s/run", oroot) == -1)
-                errExit("asprintf");
-        if (mount("/run", run, NULL, MS_BIND|MS_REC, NULL) < 0)
-                errExit("mounting /run");
-        fs_logger("whitelist /run");
-
-        // mount-bind tmp directory
-        if (arg_debug)
-                printf("Mounting /tmp\n");
-        char *tmp;
-        if (asprintf(&tmp, "%s/tmp", oroot) == -1)
-                errExit("asprintf");
-        if (mount("/tmp", tmp, NULL, MS_BIND|MS_REC, NULL) < 0)
-                errExit("mounting /tmp");
-        fs_logger("whitelist /tmp");
-
-        // chroot in the new filesystem
-#ifdef HAVE_GCOV
-        __gcov_flush();
-#endif
-        if (chroot(oroot) == -1)
-                errExit("chroot");
-
-        // mount a new proc filesystem
-        if (arg_debug)
-                printf("Mounting /proc filesystem representing the PID namespace\n");
-        if (mount("proc", "/proc", "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0)
-                errExit("mounting /proc");
-
-        // update /var directory in order to support multiple sandboxes running on the same root directory
-//      if (!arg_private_dev)
-//              fs_dev_shm();
-        fs_var_lock();
-        if (!arg_keep_var_tmp)
-                fs_var_tmp();
-        if (!arg_writable_var_log)
-                fs_var_log();
-        fs_var_lib();
-        fs_var_cache();
-        fs_var_utmp();
-        fs_machineid();
-
-        // don't leak user information
-        restrict_users();
-
-        // when starting as root, firejail config is not disabled;
-        if (getuid() != 0)
-                disable_config();
-
-        // cleanup and exit
-        free(option);
-        free(odiff);
-        free(owork);
-        free(dev);
-        free(run);
-        free(tmp);
-}
-#endif
-
 // this function is called from sandbox.c before blacklist/whitelist functions
 void fs_private_tmp(void) {
+        EUID_ASSERT();
         if (arg_debug)
                 printf("Generate private-tmp whitelist commands\n");
 
@@ -1241,8 +921,10 @@ void fs_private_tmp(void) {
 
         // whitelist x11 directory
         profile_add("whitelist /tmp/.X11-unix");
-        // read-only x11 directory
-        profile_add("read-only /tmp/.X11-unix");
+        profile_add("read-only /tmp/.X11-unix");
+
+        // whitelist sndio directory
+        profile_add("whitelist /tmp/sndio");
 
         // whitelist any pulse* file in /tmp directory
         // some distros use PulseAudio sockets under /tmp instead of the socket in /urn/user
diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c
index 61398f12b..2b0b3003e 100644
--- a/src/firejail/fs_bin.c
+++ b/src/firejail/fs_bin.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -41,9 +41,9 @@ static char *paths[] = {
 
 // return 1 if found, 0 if not found
 static char *check_dir_or_file(const char *name) {
+        EUID_ASSERT();
         assert(name);
         struct stat s;
-        char *fname = NULL;
 
         int i = 0;
         while (paths[i]) {
@@ -54,50 +54,34 @@ static char *check_dir_or_file(const char *name) {
                 }
 
                 // check file
+                char *fname;
                 if (asprintf(&fname, "%s/%s", paths[i], name) == -1)
                         errExit("asprintf");
                 if (arg_debug)
                         printf("Checking %s/%s\n", paths[i], name);
-                if (stat(fname, &s) == 0 && !S_ISDIR(s.st_mode)) { // do not allow directories
-                        // check symlink to firejail executable in /usr/local/bin
-                        if (strcmp(paths[i], "/usr/local/bin") == 0 && is_link(fname)) {
-                                /* coverity[toctou] */
-                                char *actual_path = realpath(fname, NULL);
-                                if (actual_path) {
-                                        char *ptr = strstr(actual_path, "/firejail");
-                                        if (ptr && strlen(ptr) == strlen("/firejail")) {
-                                                if (arg_debug)
-                                                        printf("firejail exec symlink detected\n");
-                                                free(actual_path);
-                                                free(fname);
-                                                fname = NULL;
-                                                i++;
-                                                continue;
-                                        }
-                                        free(actual_path);
-                                }
-
-                        }
+                if (stat(fname, &s) == 0 &&
+                    !S_ISDIR(s.st_mode) &&      // do not allow directories
+                    !is_firejail_link(fname)) { // skip symlinks to firejail executable, as created by firecfg
+                        free(fname);
                         break; // file found
                 }
 
                 free(fname);
-                fname = NULL;
                 i++;
         }
 
-        if (!fname) {
+        if (!paths[i]) {
                 if (arg_debug)
                         fwarning("file %s not found\n", name);
                 return NULL;
         }
 
-        free(fname);
         return paths[i];
 }
 
 // return 1 if the file is in paths[]
 static int valid_full_path_file(const char *name) {
+        EUID_ASSERT();
         assert(name);
 
         if (*name != '/')
@@ -149,6 +133,7 @@ static void report_duplication(const char *fname) {
 }
 
 static void duplicate(char *fname) {
+        EUID_ASSERT();
         assert(fname);
 
         if (*fname == '~' || strstr(fname, "..")) {
@@ -220,6 +205,7 @@ static void duplicate(char *fname) {
 }
 
 static void globbing(char *fname) {
+        EUID_ASSERT();
         assert(fname);
 
         // go directly to duplicate() if no globbing char is present - see man 7 glob
@@ -256,6 +242,9 @@ static void globbing(char *fname) {
                         // testing for GLOB_NOCHECK - no pattern matched returns the original pattern
                         if (strcmp(globbuf.gl_pathv[j], pattern) == 0)
                                 continue;
+                        // skip symlinks to firejail executable, as created by firecfg
+                        if (is_firejail_link(globbuf.gl_pathv[j]))
+                                continue;
 
                         duplicate(globbuf.gl_pathv[j]);
                 }
@@ -267,6 +256,7 @@ static void globbing(char *fname) {
 }
 
 void fs_private_bin_list(void) {
+        EUID_ASSERT();
         char *private_list = cfg.bin_private_keep;
         assert(private_list);
 
@@ -274,7 +264,9 @@ void fs_private_bin_list(void) {
         timetrace_start();
 
         // create /run/firejail/mnt/bin directory
+        EUID_ROOT();
         mkdir_attr(RUN_BIN_DIR, 0755, 0, 0);
+        EUID_USER();
 
         if (arg_debug)
                 printf("Copying files in the new bin directory\n");
@@ -293,9 +285,9 @@ void fs_private_bin_list(void) {
         while ((ptr = strtok(NULL, ",")) != NULL)
                 globbing(ptr);
         free(dlist);
-        fs_logger_print();
 
         // mount-bind
+        EUID_ROOT();
         int i = 0;
         while (paths[i]) {
                 struct stat s;
@@ -309,6 +301,9 @@ void fs_private_bin_list(void) {
                 }
                 i++;
         }
+        fs_logger_print();
+        EUID_USER();
+
         selinux_relabel_path(RUN_BIN_DIR, "/bin");
         fmessage("%d %s installed in %0.2f ms\n", prog_cnt, (prog_cnt == 1)? "program": "programs", timetrace_end());
 }
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c
index 2f0067c93..a6fbbb89a 100644
--- a/src/firejail/fs_dev.c
+++ b/src/firejail/fs_dev.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -20,7 +20,6 @@
 #include "firejail.h"
 #include <sys/mount.h>
 #include <sys/stat.h>
-#include <linux/limits.h>
 #include <glob.h>
 #include <dirent.h>
 #include <fcntl.h>
@@ -122,7 +121,7 @@ static void deventry_mount(void) {
                                                 i++;
                                                 continue;
                                         }
-                                        FILE *fp = fopen(dev[i].dev_fname, "w");
+                                        FILE *fp = fopen(dev[i].dev_fname, "we");
                                         if (fp) {
                                                 fprintf(fp, "\n");
                                                 SET_PERMS_STREAM(fp, s.st_uid, s.st_gid, s.st_mode);
@@ -187,8 +186,10 @@ static void mount_dev_shm(void) {
 static void process_dev_shm(void) {
         // Jack audio keeps an Unix socket under (/dev/shm/jack_default_1000_0 or /dev/shm/jack/...)
         // looking for jack socket
+        EUID_USER();
         glob_t globbuf;
         int globerr = glob(RUN_DEV_DIR "/shm/jack*", GLOB_NOSORT, NULL, &globbuf);
+        EUID_ROOT();
         if (globerr && !arg_keep_dev_shm) {
                 empty_dev_shm();
                 return;
@@ -218,7 +219,7 @@ void fs_private_dev(void){
         struct stat s;
         if (stat("/dev/log", &s) == 0) {
                 have_devlog = 1;
-                FILE *fp = fopen(RUN_DEVLOG_FILE, "w");
+                FILE *fp = fopen(RUN_DEVLOG_FILE, "we");
                 if (!fp)
                         have_devlog = 0;
                 else {
@@ -239,7 +240,7 @@ void fs_private_dev(void){
 
         // bring back /dev/log
         if (have_devlog) {
-                FILE *fp = fopen("/dev/log", "w");
+                FILE *fp = fopen("/dev/log", "we");
                 if (fp) {
                         fprintf(fp, "\n");
                         fclose(fp);
@@ -328,8 +329,10 @@ void fs_dev_disable_sound(void) {
         }
 
         // disable all jack sockets in /dev/shm
+        EUID_USER();
         glob_t globbuf;
         int globerr = glob("/dev/shm/jack*", GLOB_NOSORT, NULL, &globbuf);
+        EUID_ROOT();
         if (globerr)
                 return;
 
diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c
index 8cb25a1ff..deaee31bb 100644
--- a/src/firejail/fs_etc.c
+++ b/src/firejail/fs_etc.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -24,6 +24,7 @@
 #include <sys/types.h>
 #include <time.h>
 #include <unistd.h>
+#include <dirent.h>
 
 // spoof /etc/machine_id
 void fs_machineid(void) {
@@ -52,7 +53,7 @@ void fs_machineid(void) {
         mid.u8[8] = (mid.u8[8] & 0x3F) | 0x80;
 
         // write it in a file
-        FILE *fp = fopen(RUN_MACHINEID, "w");
+        FILE *fp = fopen(RUN_MACHINEID, "we");
         if (!fp)
                 errExit("fopen");
         fprintf(fp, "%08x%08x%08x%08x\n", mid.u32[0], mid.u32[1], mid.u32[2], mid.u32[3]);
@@ -141,7 +142,7 @@ errexit:
 static void duplicate(const char *fname, const char *private_dir, const char *private_run_dir) {
         assert(fname);
 
-        if (*fname == '~' || *fname == '/' || strncmp(fname, "..", 2) == 0) {
+        if (*fname == '~' || *fname == '/' || strstr(fname, "..")) {
                 fprintf(stderr, "Error: \"%s\" is an invalid filename\n", fname);
                 exit(1);
         }
@@ -164,7 +165,14 @@ static void duplicate(const char *fname, const char *private_dir, const char *pr
                 errExit("asprintf");
 
         build_dirs(src, dst, strlen(private_dir), strlen(private_run_dir));
-        sbox_run(SBOX_ROOT | SBOX_SECCOMP, 3, PATH_FCOPY, src, dst);
+
+        // follow links! this will make a copy of the file or directory pointed by the symlink
+        // this will solve problems such as NixOS #4887
+        // don't follow links to dynamic directories such as /proc
+        if (strcmp(src, "/etc/mtab") == 0)
+                sbox_run(SBOX_ROOT | SBOX_SECCOMP, 3, PATH_FCOPY, src, dst);
+        else
+                sbox_run(SBOX_ROOT | SBOX_SECCOMP, 4, PATH_FCOPY, "--follow-link", src, dst);
 
         free(dst);
         fs_logger2("clone", src);
@@ -250,3 +258,128 @@ void fs_private_dir_list(const char *private_dir, const char *private_run_dir, c
         fs_private_dir_mount(private_dir, private_run_dir);
         fmessage("Private %s installed in %0.2f ms\n", private_dir, timetrace_end());
 }
+
+void fs_rebuild_etc(void) {
+        int have_dhcp = 1;
+        if (cfg.dns1 == NULL && !any_dhcp())
+                have_dhcp = 0;
+
+        if (arg_debug)
+                printf("rebuilding /etc directory\n");
+        if (mkdir(RUN_DNS_ETC, 0755))
+                errExit("mkdir");
+        selinux_relabel_path(RUN_DNS_ETC, "/etc");
+        fs_logger("tmpfs /etc");
+
+        DIR *dir = opendir("/etc");
+        if (!dir)
+                errExit("opendir");
+
+        struct stat s;
+        struct dirent *entry;
+        while ((entry = readdir(dir))) {
+                if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0)
+                        continue;
+
+                // skip files in cfg.profile_rebuild_etc list
+                // these files are already blacklisted
+                {
+                        ProfileEntry *prf = cfg.profile_rebuild_etc;
+                        int found = 0;
+                        while (prf) {
+                                if (strcmp(entry->d_name, prf->data + 5) == 0) { // 5 is strlen("/etc/")
+                                        found = 1;
+                                        break;
+                                }
+                                prf = prf->next;
+                        }
+                        if (found)
+                                continue;
+                }
+
+                // for resolv.conf we might have to  create a brand new file later
+                if (have_dhcp &&
+                    (strcmp(entry->d_name, "resolv.conf") == 0 ||
+                     strcmp(entry->d_name, "resolv.conf.dhclient-new") == 0))
+                        continue;
+//              printf("linking %s\n", entry->d_name);
+
+                char *src;
+                if (asprintf(&src, "/etc/%s", entry->d_name) == -1)
+                        errExit("asprintf");
+                if (stat(src, &s) != 0) {
+                        free(src);
+                        continue;
+                }
+
+                char *dest;
+                if (asprintf(&dest, "%s/%s", RUN_DNS_ETC, entry->d_name) == -1)
+                        errExit("asprintf");
+
+                int symlink_done = 0;
+                if (is_link(src)) {
+                        char *rp =realpath(src, NULL);
+                        if (rp == NULL) {
+                                free(src);
+                                free(dest);
+                                continue;
+                        }
+                        if (symlink(rp, dest))
+                                errExit("symlink");
+                        else
+                                symlink_done = 1;
+                }
+                else if (S_ISDIR(s.st_mode))
+                        create_empty_dir_as_root(dest, s.st_mode);
+                else
+                        create_empty_file_as_root(dest, s.st_mode);
+
+                // bind-mount src on top of dest
+                if (!symlink_done) {
+                        if (mount(src, dest, NULL, MS_BIND|MS_REC, NULL) < 0)
+                                errExit("mount bind mirroring /etc");
+                }
+                fs_logger2("clone", src);
+
+                free(src);
+                free(dest);
+        }
+        closedir(dir);
+
+        // mount bind our private etc directory on top of /etc
+        if (arg_debug)
+                printf("Mount-bind %s on top of /etc\n", RUN_DNS_ETC);
+        if (mount(RUN_DNS_ETC, "/etc", NULL, MS_BIND|MS_REC, NULL) < 0)
+                errExit("mount bind mirroring /etc");
+        fs_logger("mount /etc");
+
+        if (have_dhcp == 0)
+                return;
+
+        if (arg_debug)
+                printf("Creating a new /etc/resolv.conf file\n");
+        FILE *fp = fopen("/etc/resolv.conf", "wxe");
+        if (!fp) {
+                fprintf(stderr, "Error: cannot create /etc/resolv.conf file\n");
+                exit(1);
+        }
+
+        if (cfg.dns1) {
+                if (any_dhcp())
+                        fwarning("network setup uses DHCP, nameservers will likely be overwritten\n");
+                fprintf(fp, "nameserver %s\n", cfg.dns1);
+        }
+        if (cfg.dns2)
+                fprintf(fp, "nameserver %s\n", cfg.dns2);
+        if (cfg.dns3)
+                fprintf(fp, "nameserver %s\n", cfg.dns3);
+        if (cfg.dns4)
+                fprintf(fp, "nameserver %s\n", cfg.dns4);
+
+        // mode and owner
+        SET_PERMS_STREAM(fp, 0, 0, 0644);
+
+        fclose(fp);
+
+        fs_logger("create /etc/resolv.conf");
+}
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
index 46f32d7ad..061461590 100644
--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -19,7 +19,6 @@
 */
 #include "firejail.h"
 #include <sys/mount.h>
-#include <linux/limits.h>
 #include <dirent.h>
 #include <errno.h>
 #include <sys/stat.h>
@@ -34,24 +33,48 @@
 #define O_PATH 010000000
 #endif
 
-static void skel(const char *homedir, uid_t u, gid_t g) {
+static void disable_tab_completion(const char *homedir) {
+        if (arg_tab)
+                return;
+
         char *fname;
+        if (asprintf(&fname, "%s/.inputrc", homedir) == -1)
+                errExit("asprintf");
+
+        // don't create a new one if we already have it
+        if (access(fname, F_OK)) {
+                FILE *fp = fopen(fname, "w");
+                if (!fp)
+                        errExit("fopen");
+                fprintf(fp, "set disable-completion on\n");
+                fclose(fp);
+                if (chmod(fname, 0644))
+                        errExit("chmod");
+        }
+        free(fname);
+}
+
+
+static void skel(const char *homedir) {
+        EUID_ASSERT();
+        char *fname;
+
+        disable_tab_completion(homedir);
 
         // zsh
         if (!arg_shell_none && (strcmp(cfg.shell,"/usr/bin/zsh") == 0 || strcmp(cfg.shell,"/bin/zsh") == 0)) {
                 // copy skel files
                 if (asprintf(&fname, "%s/.zshrc", homedir) == -1)
                         errExit("asprintf");
-                struct stat s;
                 // don't copy it if we already have the file
-                if (stat(fname, &s) == 0)
+                if (access(fname, F_OK) == 0)
                         return;
-                if (is_link(fname)) { // stat on dangling symlinks fails, try again using lstat
+                if (is_link(fname)) { // access(3) on dangling symlinks fails, try again using lstat
                         fprintf(stderr, "Error: invalid %s file\n", fname);
                         exit(1);
                 }
-                if (stat("/etc/skel/.zshrc", &s) == 0) {
-                        copy_file_as_user("/etc/skel/.zshrc", fname, u, g, 0644); // regular user
+                if (access("/etc/skel/.zshrc", R_OK) == 0) {
+                        copy_file_as_user("/etc/skel/.zshrc", fname, 0644); // regular user
                         fs_logger("clone /etc/skel/.zshrc");
                         fs_logger2("clone", fname);
                 }
@@ -67,17 +90,15 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
                 // copy skel files
                 if (asprintf(&fname, "%s/.cshrc", homedir) == -1)
                         errExit("asprintf");
-                struct stat s;
-
                 // don't copy it if we already have the file
-                if (stat(fname, &s) == 0)
+                if (access(fname, F_OK) == 0)
                         return;
-                if (is_link(fname)) { // stat on dangling symlinks fails, try again using lstat
+                if (is_link(fname)) { // access(3) on dangling symlinks fails, try again using lstat
                         fprintf(stderr, "Error: invalid %s file\n", fname);
                         exit(1);
                 }
-                if (stat("/etc/skel/.cshrc", &s) == 0) {
-                        copy_file_as_user("/etc/skel/.cshrc", fname, u, g, 0644); // regular user
+                if (access("/etc/skel/.cshrc", R_OK) == 0) {
+                        copy_file_as_user("/etc/skel/.cshrc", fname, 0644); // regular user
                         fs_logger("clone /etc/skel/.cshrc");
                         fs_logger2("clone", fname);
                 }
@@ -93,16 +114,15 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
                 // copy skel files
                 if (asprintf(&fname, "%s/.bashrc", homedir) == -1)
                         errExit("asprintf");
-                struct stat s;
                 // don't copy it if we already have the file
-                if (stat(fname, &s) == 0)
+                if (access(fname, F_OK) == 0)
                         return;
-                if (is_link(fname)) { // stat on dangling symlinks fails, try again using lstat
+                if (is_link(fname)) { // access(3) on dangling symlinks fails, try again using lstat
                         fprintf(stderr, "Error: invalid %s file\n", fname);
                         exit(1);
                 }
-                if (stat("/etc/skel/.bashrc", &s) == 0) {
-                        copy_file_as_user("/etc/skel/.bashrc", fname, u, g, 0644); // regular user
+                if (access("/etc/skel/.bashrc", R_OK) == 0) {
+                        copy_file_as_user("/etc/skel/.bashrc", fname, 0644); // regular user
                         fs_logger("clone /etc/skel/.bashrc");
                         fs_logger2("clone", fname);
                 }
@@ -112,6 +132,7 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
 }
 
 static int store_xauthority(void) {
+        EUID_ASSERT();
         if (arg_x11_block)
                 return 0;
 
@@ -122,15 +143,16 @@ static int store_xauthority(void) {
                 errExit("asprintf");
 
         struct stat s;
-        if (stat(src, &s) == 0) {
-                if (is_link(src)) {
+        if (lstat(src, &s) == 0) {
+                if (S_ISLNK(s.st_mode)) {
                         fwarning("invalid .Xauthority file\n");
                         free(src);
                         return 0;
                 }
 
                 // create an empty file as root, and change ownership to user
-                FILE *fp = fopen(dest, "w");
+                EUID_ROOT();
+                FILE *fp = fopen(dest, "we");
                 if (fp) {
                         fprintf(fp, "\n");
                         SET_PERMS_STREAM(fp, getuid(), getgid(), 0600);
@@ -138,10 +160,11 @@ static int store_xauthority(void) {
                 }
                 else
                         errExit("fopen");
+                EUID_USER();
 
-                copy_file_as_user(src, dest, getuid(), getgid(), 0600); // regular user
-                fs_logger2("clone", dest);
+                copy_file_as_user(src, dest, 0600); // regular user
                 selinux_relabel_path(dest, src);
+                fs_logger2("clone", dest);
                 free(src);
                 return 1; // file copied
         }
@@ -151,6 +174,7 @@ static int store_xauthority(void) {
 }
 
 static int store_asoundrc(void) {
+        EUID_ASSERT();
         if (arg_nosound)
                 return 0;
 
@@ -161,11 +185,11 @@ static int store_asoundrc(void) {
                 errExit("asprintf");
 
         struct stat s;
-        if (stat(src, &s) == 0) {
-                if (is_link(src)) {
+        if (lstat(src, &s) == 0) {
+                if (S_ISLNK(s.st_mode)) {
                         // make sure the real path of the file is inside the home directory
                         /* coverity[toctou] */
-                        char* rp = realpath(src, NULL);
+                        char *rp = realpath(src, NULL);
                         if (!rp) {
                                 fprintf(stderr, "Error: Cannot access %s\n", src);
                                 exit(1);
@@ -178,7 +202,8 @@ static int store_asoundrc(void) {
                 }
 
                 // create an empty file as root, and change ownership to user
-                FILE *fp = fopen(dest, "w");
+                EUID_ROOT();
+                FILE *fp = fopen(dest, "we");
                 if (fp) {
                         fprintf(fp, "\n");
                         SET_PERMS_STREAM(fp, getuid(), getgid(), 0644);
@@ -186,10 +211,11 @@ static int store_asoundrc(void) {
                 }
                 else
                         errExit("fopen");
+                EUID_USER();
 
-                copy_file_as_user(src, dest, getuid(), getgid(), 0644); // regular user
-                selinux_relabel_path(dest, src);
+                copy_file_as_user(src, dest, 0644); // regular user
                 fs_logger2("clone", dest);
+                selinux_relabel_path(dest, src);
                 free(src);
                 return 1; // file copied
         }
@@ -199,6 +225,7 @@ static int store_asoundrc(void) {
 }
 
 static void copy_xauthority(void) {
+        EUID_ASSERT();
         // copy XAUTHORITY_FILE in the new home directory
         char *src = RUN_XAUTHORITY_FILE ;
         char *dest;
@@ -211,16 +238,18 @@ static void copy_xauthority(void) {
                 exit(1);
         }
 
-        copy_file_as_user(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR); // regular user
-        selinux_relabel_path(dest, src);
+        copy_file_as_user(src, dest, S_IRUSR | S_IWUSR); // regular user
         fs_logger2("clone", dest);
+        selinux_relabel_path(dest, dest);
         free(dest);
 
-        // delete the temporary file
-        unlink(src);
+        EUID_ROOT();
+        unlink(src); // delete the temporary file
+        EUID_USER();
 }
 
 static void copy_asoundrc(void) {
+        EUID_ASSERT();
         // copy ASOUNDRC_FILE in the new home directory
         char *src = RUN_ASOUNDRC_FILE ;
         char *dest;
@@ -233,12 +262,14 @@ static void copy_asoundrc(void) {
                 exit(1);
         }
 
-        copy_file_as_user(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR); // regular user
+        copy_file_as_user(src, dest, S_IRUSR | S_IWUSR); // regular user
         fs_logger2("clone", dest);
+        selinux_relabel_path(dest, dest);
         free(dest);
 
-        // delete the temporary file
-        unlink(src);
+        EUID_ROOT();
+        unlink(src); // delete the temporary file
+        EUID_USER();
 }
 
 // private mode (--private=homedir):
@@ -251,21 +282,22 @@ void fs_private_homedir(void) {
         char *private_homedir = cfg.home_private;
         assert(homedir);
         assert(private_homedir);
+        EUID_ASSERT();
+
+        uid_t u = getuid();
+        // gid_t g = getgid();
 
         int xflag = store_xauthority();
         int aflag = store_asoundrc();
 
-        uid_t u = getuid();
-        gid_t g = getgid();
-
         // mount bind private_homedir on top of homedir
         if (arg_debug)
                 printf("Mount-bind %s on top of %s\n", private_homedir, homedir);
         // get file descriptors for homedir and private_homedir, fails if there is any symlink
-        int src = safe_fd(private_homedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
+        int src = safer_openat(-1, private_homedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
         if (src == -1)
                 errExit("opening private directory");
-        int dst = safe_fd(homedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
+        int dst = safer_openat(-1, homedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
         if (dst == -1)
                 errExit("opening home directory");
         // both mount source and target should be owned by the user
@@ -286,17 +318,11 @@ void fs_private_homedir(void) {
                 exit(1);
         }
         // mount via the links in /proc/self/fd
-        char *proc_src, *proc_dst;
-        if (asprintf(&proc_src, "/proc/self/fd/%d", src) == -1)
-                errExit("asprintf");
-        if (asprintf(&proc_dst, "/proc/self/fd/%d", dst) == -1)
-                errExit("asprintf");
-        if (mount(proc_src, proc_dst, NULL, MS_NOSUID | MS_NODEV | MS_BIND | MS_REC, NULL) < 0)
+        EUID_ROOT();
+        if (bind_mount_by_fd(src, dst))
                 errExit("mount bind");
-        free(proc_src);
-        free(proc_dst);
-        close(src);
-        close(dst);
+        EUID_USER();
+
         // check /proc/self/mountinfo to confirm the mount is ok
         MountData *mptr = get_last_mount();
         size_t len = strlen(homedir);
@@ -304,6 +330,8 @@ void fs_private_homedir(void) {
            (*(mptr->dir + len) != '\0' && *(mptr->dir + len) != '/'))
                 errLogExit("invalid private mount");
 
+        close(src);
+        close(dst);
         fs_logger3("mount-bind", private_homedir, homedir);
         fs_logger2("whitelist", homedir);
 // preserve mode and ownership
@@ -312,6 +340,7 @@ void fs_private_homedir(void) {
 //      if (chmod(homedir, s.st_mode) == -1)
 //              errExit("mount-bind chmod");
 
+        EUID_ROOT();
         if (u != 0) {
                 // mask /root
                 if (arg_debug)
@@ -330,8 +359,9 @@ void fs_private_homedir(void) {
                 selinux_relabel_path("/home", "/home");
                 fs_logger("tmpfs /home");
         }
+        EUID_USER();
 
-        skel(homedir, u, g);
+        skel(homedir);
         if (xflag)
                 copy_xauthority();
         if (aflag)
@@ -346,12 +376,15 @@ void fs_private_homedir(void) {
 void fs_private(void) {
         char *homedir = cfg.homedir;
         assert(homedir);
+        EUID_ASSERT();
+
         uid_t u = getuid();
         gid_t g = getgid();
 
         int xflag = store_xauthority();
         int aflag = store_asoundrc();
 
+        EUID_ROOT();
         // mask /root
         if (arg_debug)
                 printf("Mounting a new /root directory\n");
@@ -369,12 +402,14 @@ void fs_private(void) {
                 selinux_relabel_path("/home", "/home");
                 fs_logger("tmpfs /home");
         }
+        EUID_USER();
 
         if (u != 0) {
                 if (!arg_allusers && strncmp(homedir, "/home/", 6) == 0) {
                         // create new empty /home/user directory
                         if (arg_debug)
                                 printf("Create a new user directory\n");
+                        EUID_ROOT();
                         if (mkdir(homedir, S_IRWXU) == -1) {
                                 if (mkpath_as_root(homedir) == -1)
                                         errExit("mkpath");
@@ -383,7 +418,7 @@ void fs_private(void) {
                         }
                         if (chown(homedir, u, g) < 0)
                                 errExit("chown");
-
+                        EUID_USER();
                         fs_logger2("mkdir", homedir);
                         fs_logger2("tmpfs", homedir);
                 }
@@ -395,7 +430,7 @@ void fs_private(void) {
                 selinux_relabel_path(homedir, homedir);
         }
 
-        skel(homedir, u, g);
+        skel(homedir);
         if (xflag)
                 copy_xauthority();
         if (aflag)
@@ -420,24 +455,40 @@ void fs_check_private_dir(void) {
 }
 
 // check new private working directory (--private-cwd= option) - exit if it fails
+// for testing:
+//    $ firejail --private --private-cwd=. --noprofile ls
+//      issue #4780: exposes full home directory, not the --private one
+//   $ firejail --private-cwd=.. --noprofile ls  -> error: full dir path required
+//   $ firejail --private-cwd=/etc --noprofile ls  -> OK
+//   $ firejail --private-cwd=FULL-SYMLINK-PATH  --noprofile ls  -> error: no symlinks
+//   $ firejail --private --private-cwd="${HOME}" --noprofile ls -al  --> OK
+//   $ firejail --private --private-cwd='${HOME}' --noprofile ls -al  --> OK
+//   $ firejail --private-cwd  --> OK: should go in top of the home dir
+//   profile with "private-cwd ${HOME}
 void fs_check_private_cwd(const char *dir) {
         EUID_ASSERT();
         invalid_filename(dir, 0); // no globbing
+        if (strcmp(dir, ".") == 0)
+                goto errout;
 
         // Expand the working directory
         cfg.cwd = expand_macros(dir);
 
         // realpath/is_dir not used because path may not exist outside of jail
-        if (strstr(cfg.cwd, "..")) {
-                fprintf(stderr, "Error: invalid private working directory\n");
-                exit(1);
-        }
+        if (strstr(cfg.cwd, "..") || *cfg.cwd != '/')
+                goto errout;
+
+        return;
+errout:
+        fprintf(stderr, "Error: invalid private working directory\n");
+        exit(1);
 }
 
 //***********************************************************************************
 // --private-home
 //***********************************************************************************
 static char *check_dir_or_file(const char *name) {
+        EUID_ASSERT();
         assert(name);
 
         // basic checks
@@ -498,6 +549,7 @@ errexit:
 }
 
 static void duplicate(char *name) {
+        EUID_ASSERT();
         char *fname = check_dir_or_file(name);
 
         if (arg_debug)
@@ -535,28 +587,32 @@ static void duplicate(char *name) {
 //      set skel files,
 //      restore .Xauthority
 void fs_private_home_list(void) {
-        timetrace_start();
-
         char *homedir = cfg.homedir;
         char *private_list = cfg.home_private_keep;
         assert(homedir);
         assert(private_list);
+        EUID_ASSERT();
 
-        int xflag = store_xauthority();
-        int aflag = store_asoundrc();
+        timetrace_start();
 
         uid_t uid = getuid();
         gid_t gid = getgid();
 
+        int xflag = store_xauthority();
+        int aflag = store_asoundrc();
+
+        EUID_ROOT();
         // create /run/firejail/mnt/home directory
         mkdir_attr(RUN_HOME_DIR, 0755, uid, gid);
         selinux_relabel_path(RUN_HOME_DIR, homedir);
-        fs_logger_print();      // save the current log
 
-        if (arg_debug)
-                printf("Copying files in the new home:\n");
+        // save the current log
+        fs_logger_print();
+        EUID_USER();
 
         // copy the list of files in the new home directory
+        if (arg_debug)
+                printf("Copying files in the new home:\n");
         char *dlist = strdup(cfg.home_private_keep);
         if (!dlist)
                 errExit("strdup");
@@ -576,7 +632,7 @@ void fs_private_home_list(void) {
         if (arg_debug)
                 printf("Mount-bind %s on top of %s\n", RUN_HOME_DIR, homedir);
 
-        int fd = safe_fd(homedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
+        int fd = safer_openat(-1, homedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
         if (fd == -1)
                 errExit("opening home directory");
         // home directory should be owned by the user
@@ -589,24 +645,19 @@ void fs_private_home_list(void) {
                 exit(1);
         }
         // mount using the file descriptor
-        char *proc;
-        if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
-                errExit("asprintf");
-        if (mount(RUN_HOME_DIR, proc, NULL, MS_BIND|MS_REC, NULL) < 0)
+        EUID_ROOT();
+        if (bind_mount_path_to_fd(RUN_HOME_DIR, fd))
                 errExit("mount bind");
-        free(proc);
+        EUID_USER();
         close(fd);
+
         // check /proc/self/mountinfo to confirm the mount is ok
         MountData *mptr = get_last_mount();
         if (strcmp(mptr->dir, homedir) != 0 || strcmp(mptr->fstype, "tmpfs") != 0)
                 errLogExit("invalid private-home mount");
         fs_logger2("tmpfs", homedir);
 
-        // mask RUN_HOME_DIR, it is writable and not noexec
-        if (mount("tmpfs", RUN_HOME_DIR, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME,  "mode=755,gid=0") < 0)
-                errExit("mounting tmpfs");
-        fs_logger2("tmpfs", RUN_HOME_DIR);
-
+        EUID_ROOT();
         if (uid != 0) {
                 // mask /root
                 if (arg_debug)
@@ -626,7 +677,12 @@ void fs_private_home_list(void) {
                 fs_logger("tmpfs /home");
         }
 
-        skel(homedir, uid, gid);
+        // mask RUN_HOME_DIR, it is writable and not noexec
+        if (mount("tmpfs", RUN_HOME_DIR, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME,  "mode=755,gid=0") < 0)
+                errExit("mounting tmpfs");
+        EUID_USER();
+
+        skel(homedir);
         if (xflag)
                 copy_xauthority();
         if (aflag)
diff --git a/src/firejail/fs_hostname.c b/src/firejail/fs_hostname.c
index 8a3bb71ea..dca394865 100644
--- a/src/firejail/fs_hostname.c
+++ b/src/firejail/fs_hostname.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -20,7 +20,6 @@
 #include "firejail.h"
 #include <sys/mount.h>
 #include <sys/stat.h>
-#include <linux/limits.h>
 #include <glob.h>
 #include <dirent.h>
 #include <fcntl.h>
@@ -33,7 +32,7 @@ void fs_hostname(const char *hostname) {
                 if (arg_debug)
                         printf("Creating a new /etc/hostname file\n");
 
-                create_empty_file_as_root(RUN_HOSTNAME_FILE, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
+                create_empty_file_as_root(RUN_HOSTNAME_FILE, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
 
                 // bind-mount the file on top of /etc/hostname
                 if (mount(RUN_HOSTNAME_FILE, "/etc/hostname", NULL, MS_BIND|MS_REC, NULL) < 0)
@@ -47,11 +46,11 @@ void fs_hostname(const char *hostname) {
                         printf("Creating a new /etc/hosts file\n");
                 // copy /etc/host into our new file, and modify it on the fly
                 /* coverity[toctou] */
-                FILE *fp1 = fopen("/etc/hosts", "r");
+                FILE *fp1 = fopen("/etc/hosts", "re");
                 if (!fp1)
                         goto errexit;
 
-                FILE *fp2 = fopen(RUN_HOSTS_FILE, "w");
+                FILE *fp2 = fopen(RUN_HOSTS_FILE, "we");
                 if (!fp2) {
                         fclose(fp1);
                         goto errexit;
@@ -75,7 +74,7 @@ void fs_hostname(const char *hostname) {
                 }
                 fclose(fp1);
                 // mode and owner
-                SET_PERMS_STREAM(fp2, 0, 0, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
+                SET_PERMS_STREAM(fp2, 0, 0, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
                 fclose(fp2);
 
                 // bind-mount the file on top of /etc/hostname
@@ -88,118 +87,11 @@ errexit:
         exit(1);
 }
 
-void fs_resolvconf(void) {
-        if (cfg.dns1 == NULL && !any_dhcp())
-                return;
-
-        if (arg_debug)
-                printf("mirroring /etc directory\n");
-        if (mkdir(RUN_DNS_ETC, 0755))
-                errExit("mkdir");
-        selinux_relabel_path(RUN_DNS_ETC, "/etc");
-        fs_logger("tmpfs /etc");
-
-        DIR *dir = opendir("/etc");
-        if (!dir)
-                errExit("opendir");
-
-        struct stat s;
-        struct dirent *entry;
-        while ((entry = readdir(dir))) {
-                if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0)
-                        continue;
-                // for resolv.conf we create a brand new file
-                if (strcmp(entry->d_name, "resolv.conf") == 0 ||
-        strcmp(entry->d_name, "resolv.conf.dhclient-new") == 0)
-                        continue;
-//              printf("linking %s\n", entry->d_name);
-
-                char *src;
-                if (asprintf(&src, "/etc/%s", entry->d_name) == -1)
-                        errExit("asprintf");
-                if (stat(src, &s) != 0) {
-                        free(src);
-                        continue;
-                }
-
-                char *dest;
-                if (asprintf(&dest, "%s/%s", RUN_DNS_ETC, entry->d_name) == -1)
-                        errExit("asprintf");
-
-                int symlink_done = 0;
-                if (is_link(src)) {
-                        char *rp =realpath(src, NULL);
-                        if (rp == NULL) {
-                                free(src);
-                                free(dest);
-                                continue;
-                        }
-                        if (symlink(rp, dest))
-                                errExit("symlink");
-                        else
-                                symlink_done = 1;
-                }
-                else if (S_ISDIR(s.st_mode))
-                        create_empty_dir_as_root(dest, s.st_mode);
-                else
-                        create_empty_file_as_root(dest, s.st_mode);
-
-                // bind-mount src on top of dest
-                if (!symlink_done) {
-                        if (mount(src, dest, NULL, MS_BIND|MS_REC, NULL) < 0)
-                                errExit("mount bind mirroring /etc");
-                }
-                fs_logger2("clone", src);
-
-                free(src);
-                free(dest);
-        }
-        closedir(dir);
-
-        // mount bind our private etc directory on top of /etc
-        if (arg_debug)
-                printf("Mount-bind %s on top of /etc\n", RUN_DNS_ETC);
-        if (mount(RUN_DNS_ETC, "/etc", NULL, MS_BIND|MS_REC, NULL) < 0)
-                errExit("mount bind mirroring /etc");
-        fs_logger("mount /etc");
-
-        if (arg_debug)
-                printf("Creating a new /etc/resolv.conf file\n");
-        FILE *fp = fopen("/etc/resolv.conf", "w");
-        if (!fp) {
-                fprintf(stderr, "Error: cannot create /etc/resolv.conf file\n");
-                exit(1);
-        }
-
-        if (cfg.dns1) {
-                if (any_dhcp())
-                        fwarning("network setup uses DHCP, nameservers will likely be overwritten\n");
-                fprintf(fp, "nameserver %s\n", cfg.dns1);
-        }
-        if (cfg.dns2)
-                fprintf(fp, "nameserver %s\n", cfg.dns2);
-        if (cfg.dns3)
-                fprintf(fp, "nameserver %s\n", cfg.dns3);
-        if (cfg.dns4)
-                fprintf(fp, "nameserver %s\n", cfg.dns4);
-
-        // mode and owner
-        SET_PERMS_STREAM(fp, 0, 0, 0644);
-
-        fclose(fp);
-
-        fs_logger("create /etc/resolv.conf");
-}
-
 char *fs_check_hosts_file(const char *fname) {
         assert(fname);
         invalid_filename(fname, 0); // no globbing
         char *rv = expand_macros(fname);
 
-        // no a link
-        if (is_link(rv))
-                goto errexit;
-
         // the user has read access to the file
         if (access(rv, R_OK))
                 goto errexit;
@@ -222,9 +114,6 @@ void fs_mount_hosts_file(void) {
         struct stat s;
         if (stat("/etc/hosts", &s) == -1)
                 goto errexit;
-        // not a link
-        if (is_link("/etc/hosts"))
-                goto errexit;
         // owned by root
         if (s.st_uid != 0)
                 goto errexit;
diff --git a/src/firejail/fs_lib.c b/src/firejail/fs_lib.c
index 85fb70854..848691a56 100644
--- a/src/firejail/fs_lib.c
+++ b/src/firejail/fs_lib.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -61,17 +61,31 @@ static int valid_full_path(const char *full_path) {
         return 0;
 }
 
+// return 1 if symlink to firejail executable
+int is_firejail_link(const char *fname) {
+        EUID_ASSERT();
+
+        if (!is_link(fname))
+                return 0;
+
+        char *rp = realpath(fname, NULL);
+        if (!rp)
+                return 0;
+
+        int rv = 0;
+        const char *base = gnu_basename(rp);
+        if (strcmp(base, "firejail") == 0)
+                rv = 1;
+
+        free(rp);
+        return rv;
+}
+
 char *find_in_path(const char *program) {
         EUID_ASSERT();
         if (arg_debug)
                 printf("Searching $PATH for %s\n", program);
 
-        char self[MAXBUF];
-        ssize_t len = readlink("/proc/self/exe", self, MAXBUF - 1);
-        if (len < 0)
-                errExit("readlink");
-        self[len] = '\0';
-
         const char *path = env_get("PATH");
         if (!path)
                 return NULL;
@@ -88,18 +102,12 @@ char *find_in_path(const char *program) {
                 if (arg_debug)
                         printf("trying #%s#\n", fname);
                 struct stat s;
-                if (stat(fname, &s) == 0) {
-                        // but skip links created by firecfg
-                        char *rp = realpath(fname, NULL);
-                        if (!rp)
-                                errExit("realpath");
-                        if (strcmp(self, rp) != 0) {
-                                free(rp);
-                                free(dup);
-                                return fname;
-                        }
-                        free(rp);
+                if (stat(fname, &s) == 0 &&
+                    !is_firejail_link(fname)) { // skip links created by firecfg
+                        free(dup);
+                        return fname;
                 }
+
                 free(fname);
                 tok = strtok(NULL, ":");
         }
@@ -178,8 +186,7 @@ void fslib_mount(const char *full_path) {
 
         if (*full_path == '\0' ||
             !valid_full_path(full_path) ||
-            access(full_path, F_OK) != 0 ||
-            stat(full_path, &s) != 0 ||
+            stat_as_user(full_path, &s) != 0 ||
             s.st_uid != 0)
                 return;
 
@@ -196,6 +203,11 @@ void fslib_mount_libs(const char *full_path, unsigned user) {
         assert(full_path);
         // if library/executable does not exist or the user does not have read access to it
         // print a warning and exit the function.
+        if (access(full_path, F_OK)) {
+                if (arg_debug || arg_debug_private_lib)
+                        printf("Cannot find %s, skipping...\n", full_path);
+                return;
+        }
         if (user && access(full_path, R_OK)) {
                 if (arg_debug || arg_debug_private_lib)
                         printf("Cannot read %s, skipping...\n", full_path);
@@ -203,7 +215,7 @@ void fslib_mount_libs(const char *full_path, unsigned user) {
         }
 
         if (arg_debug || arg_debug_private_lib)
-                printf("    fslib_mount_libs %s (parse as %s)\n", full_path, user ? "user" : "root");
+                printf("    fslib_mount_libs %s\n", full_path);
         // create an empty RUN_LIB_FILE and allow the user to write to it
         unlink(RUN_LIB_FILE);                     // in case is there
         create_empty_file_as_root(RUN_LIB_FILE, 0644);
@@ -212,7 +224,7 @@ void fslib_mount_libs(const char *full_path, unsigned user) {
 
         // run fldd to extract the list of files
         if (arg_debug || arg_debug_private_lib)
-                printf("    running fldd %s\n", full_path);
+                printf("    running fldd %s as %s\n", full_path, user ? "user" : "root");
         unsigned mask;
         if (user)
                 mask = SBOX_USER;
@@ -221,7 +233,7 @@ void fslib_mount_libs(const char *full_path, unsigned user) {
         sbox_run(mask | SBOX_SECCOMP | SBOX_CAPS_NONE, 3, PATH_FLDD, full_path, RUN_LIB_FILE);
 
         // open the list of libraries and install them on by one
-        FILE *fp = fopen(RUN_LIB_FILE, "r");
+        FILE *fp = fopen(RUN_LIB_FILE, "re");
         if (!fp)
                 errExit("fopen");
 
@@ -246,7 +258,7 @@ static void load_library(const char *fname) {
 
         // existing file owned by root
         struct stat s;
-        if (!access(fname, F_OK) && stat(fname, &s) == 0 && s.st_uid == 0) {
+        if (stat_as_user(fname, &s) == 0 && s.st_uid == 0) {
                 // load directories, regular 64 bit libraries, and 64 bit executables
                 if (S_ISDIR(s.st_mode))
                         fslib_mount(fname);
@@ -264,9 +276,9 @@ static void install_list_entry(const char *lib) {
         assert(lib);
 
         // filename check
-        int len = strlen(lib);
-        if (strcspn(lib, "\\&!?\"'<>%^(){}[];,") != (size_t)len ||
-        strstr(lib, "..")) {
+        reject_meta_chars(lib, 1);
+
+        if (strstr(lib, "..")) {
                 fprintf(stderr, "Error: \"%s\" is an invalid library\n", lib);
                 exit(1);
         }
@@ -286,19 +298,21 @@ static void install_list_entry(const char *lib) {
 #define DO_GLOBBING
 #ifdef DO_GLOBBING
                 // globbing
+                EUID_USER();
                 glob_t globbuf;
                 int globerr = glob(fname, GLOB_NOCHECK | GLOB_NOSORT | GLOB_PERIOD, NULL, &globbuf);
                 if (globerr) {
                         fprintf(stderr, "Error: failed to glob private-lib pattern %s\n", fname);
                         exit(1);
                 }
+                EUID_ROOT();
                 size_t j;
                 for (j = 0; j < globbuf.gl_pathc; j++) {
                         assert(globbuf.gl_pathv[j]);
 //printf("glob %s\n", globbuf.gl_pathv[j]);
                         // GLOB_NOCHECK - no pattern matched returns the original pattern; try to load it anyway
 
-                        // foobar/* includes foobar/. and foobar/..
+                        // foobar/* expands to foobar/. and foobar/..
                         const char *base = gnu_basename(globbuf.gl_pathv[j]);
                         if (strcmp(base, ".") == 0 || strcmp(base, "..") == 0)
                                 continue;
diff --git a/src/firejail/fs_lib2.c b/src/firejail/fs_lib2.c
index c69bf7c98..aefd38e3c 100644
--- a/src/firejail/fs_lib2.c
+++ b/src/firejail/fs_lib2.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -143,7 +143,7 @@ static void fdir(void) {
                 NULL,
         };
 
-        // need to parse as root user, unprivileged users have no read permission on executables
+        // need to parse as root user, unprivileged users have no read permission on some of these binaries
         int i;
         for (i = 0; fbin[i]; i++)
                 fslib_mount_libs(fbin[i], 0);
@@ -153,7 +153,9 @@ void fslib_install_firejail(void) {
         timetrace_start();
         // bring in firejail executable libraries, in case we are redirected here
         // by a firejail symlink from /usr/local/bin/firejail
-        fslib_mount_libs(PATH_FIREJAIL, 1); // parse as user
+        // fldd might have no read permission on the firejail executable
+        // parse as root in order to support these setups
+        fslib_mount_libs(PATH_FIREJAIL, 0);
 
         // bring in firejail directory
         fdir();
diff --git a/src/firejail/fs_logger.c b/src/firejail/fs_logger.c
index 67ad4b52e..06f03dac5 100644
--- a/src/firejail/fs_logger.c
+++ b/src/firejail/fs_logger.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -92,7 +92,7 @@ void fs_logger_print(void) {
         if (!head)
                 return;
 
-        FILE *fp = fopen(RUN_FSLOGGER_FILE, "a");
+        FILE *fp = fopen(RUN_FSLOGGER_FILE, "ae");
         if (!fp) {
                 perror("fopen");
                 return;
@@ -123,15 +123,8 @@ void fs_logger_print_log(pid_t pid) {
         // in case the pid is that of a firejail process, use the pid of the first child process
         pid = switch_to_child(pid);
 
-        // check privileges for non-root users
-        uid_t uid = getuid();
-        if (uid != 0) {
-                uid_t sandbox_uid = pid_get_uid(pid);
-                if (uid != sandbox_uid) {
-                        fprintf(stderr, "Error: permission denied\n");
-                        exit(1);
-                }
-        }
+        // exit if no permission to join the sandbox
+        check_join_permission(pid);
 
         // print RUN_FSLOGGER_FILE
         char *fname;
@@ -139,24 +132,16 @@ void fs_logger_print_log(pid_t pid) {
                 errExit("asprintf");
 
         EUID_ROOT();
-        struct stat s;
-        if (stat(fname, &s) == -1 || s.st_uid != 0) {
-                fprintf(stderr, "Error: Cannot access filesystem log\n");
-                exit(1);
-        }
-
-        /* coverity[toctou] */
-        FILE *fp = fopen(fname, "r");
+        FILE *fp = fopen(fname, "re");
+        free(fname);
         if (!fp) {
                 fprintf(stderr, "Error: Cannot open filesystem log\n");
                 exit(1);
         }
-
         char buf[MAXBUF];
         while (fgets(buf, MAXBUF, fp))
                 printf("%s", buf);
         fclose(fp);
-        free(fname);
 
         exit(0);
 }
diff --git a/src/firejail/fs_mkdir.c b/src/firejail/fs_mkdir.c
index 8cfeea582..30dbd8e9b 100644
--- a/src/firejail/fs_mkdir.c
+++ b/src/firejail/fs_mkdir.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -18,6 +18,7 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 #include "firejail.h"
+#include "../include/gcov_wrapper.h"
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <unistd.h>
@@ -25,7 +26,6 @@
 #include <sys/wait.h>
 #include <string.h>
 
-
 static void check(const char *fname) {
         // manufacture /run/user directory
         char *runuser;
@@ -95,9 +95,9 @@ void fs_mkdir(const char *name) {
 
                 // create directory
                 mkdir_recursive(expanded);
-#ifdef HAVE_GCOV
+
                 __gcov_flush();
-#endif
+
                 _exit(0);
         }
         // wait for the child to finish
diff --git a/src/firejail/fs_overlayfs.c b/src/firejail/fs_overlayfs.c
new file mode 100644
index 000000000..167a7e28b
--- /dev/null
+++ b/src/firejail/fs_overlayfs.c
@@ -0,0 +1,470 @@
+/*
+ * Copyright (C) 2014-2022 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+
+#ifdef HAVE_OVERLAYFS
+#include "firejail.h"
+#include "../include/gcov_wrapper.h"
+#include <sys/mount.h>
+#include <sys/wait.h>
+#include <ftw.h>
+#include <errno.h>
+
+#include <fcntl.h>
+#ifndef O_PATH
+#define O_PATH 010000000
+#endif
+
+
+char *fs_check_overlay_dir(const char *subdirname, int allow_reuse) {
+        assert(subdirname);
+        EUID_ASSERT();
+        struct stat s;
+        char *dirname;
+
+        if (asprintf(&dirname, "%s/.firejail", cfg.homedir) == -1)
+                errExit("asprintf");
+        // check if ~/.firejail already exists
+        if (lstat(dirname, &s) == 0) {
+                if (!S_ISDIR(s.st_mode)) {
+                        if (S_ISLNK(s.st_mode))
+                                fprintf(stderr, "Error: %s is a symbolic link\n", dirname);
+                        else
+                                fprintf(stderr, "Error: %s is not a directory\n", dirname);
+                        exit(1);
+                }
+                if (s.st_uid != getuid()) {
+                        fprintf(stderr, "Error: %s is not owned by the current user\n", dirname);
+                        exit(1);
+                }
+        }
+        else {
+                // create ~/.firejail directory
+                create_empty_dir_as_user(dirname, 0700);
+                if (stat(dirname, &s) == -1) {
+                        fprintf(stderr, "Error: cannot create directory %s\n", dirname);
+                        exit(1);
+                }
+        }
+        free(dirname);
+
+        // check overlay directory
+        if (asprintf(&dirname, "%s/.firejail/%s", cfg.homedir, subdirname) == -1)
+                errExit("asprintf");
+        if (lstat(dirname, &s) == 0) {
+                if (!S_ISDIR(s.st_mode)) {
+                        if (S_ISLNK(s.st_mode))
+                                fprintf(stderr, "Error: %s is a symbolic link\n", dirname);
+                        else
+                                fprintf(stderr, "Error: %s is not a directory\n", dirname);
+                        exit(1);
+                }
+                if (s.st_uid != 0) {
+                        fprintf(stderr, "Error: overlay directory %s is not owned by the root user\n", dirname);
+                        exit(1);
+                }
+                if (allow_reuse == 0) {
+                        fprintf(stderr, "Error: overlay directory exists, but reuse is not allowed\n");
+                        exit(1);
+                }
+        }
+
+        return dirname;
+}
+
+
+// mount overlayfs on top of / directory
+// mounting an overlay and chrooting into it:
+//
+// Old Ubuntu kernel
+// # cd ~
+// # mkdir -p overlay/root
+// # mkdir -p overlay/diff
+// # mount -t overlayfs -o lowerdir=/,upperdir=/root/overlay/diff overlayfs /root/overlay/root
+// # chroot /root/overlay/root
+// to shutdown, first exit the chroot and then  unmount the overlay
+// # exit
+// # umount /root/overlay/root
+//
+// Kernels 3.18+
+// # cd ~
+// # mkdir -p overlay/root
+// # mkdir -p overlay/diff
+// # mkdir -p overlay/work
+// # mount -t overlay -o lowerdir=/,upperdir=/root/overlay/diff,workdir=/root/overlay/work overlay /root/overlay/root
+// # cat /etc/mtab | grep overlay
+// /root/overlay /root/overlay/root overlay rw,relatime,lowerdir=/,upperdir=/root/overlay/diff,workdir=/root/overlay/work 0 0
+// # chroot /root/overlay/root
+// to shutdown, first exit the chroot and then  unmount the overlay
+// # exit
+// # umount /root/overlay/root
+
+// to do: fix the code below
+#include <sys/utsname.h>
+void fs_overlayfs(void) {
+        struct stat s;
+
+        // check kernel version
+        struct utsname u;
+        int rv = uname(&u);
+        if (rv != 0)
+                errExit("uname");
+        int major;
+        int minor;
+        if (2 != sscanf(u.release, "%d.%d", &major, &minor)) {
+                fprintf(stderr, "Error: cannot extract Linux kernel version: %s\n", u.version);
+                exit(1);
+        }
+
+        if (arg_debug)
+                printf("Linux kernel version %d.%d\n", major, minor);
+        int oldkernel = 0;
+        if (major < 3) {
+                fprintf(stderr, "Error: minimum kernel version required 3.x\n");
+                exit(1);
+        }
+        if (major == 3 && minor < 18)
+                oldkernel = 1;
+
+        // mounting an overlayfs on top of / seems to be broken for kernels > 4.19
+        // we disable overlayfs for now, pending fixing
+        if (major >= 4 &&minor >= 19) {
+                fprintf(stderr, "Error: OverlayFS disabled for Linux kernels 4.19 and newer, pending fixing.\n");
+                exit(1);
+        }
+
+        char *oroot = RUN_OVERLAY_ROOT;
+        mkdir_attr(oroot, 0755, 0, 0);
+
+        // set base for working and diff directories
+        char *basedir = RUN_MNT_DIR;
+        int basefd = -1;
+
+        if (arg_overlay_keep) {
+                basedir = cfg.overlay_dir;
+                assert(basedir);
+                // get a file descriptor for ~/.firejail, fails if there is any symlink
+                char *firejail;
+                if (asprintf(&firejail, "%s/.firejail", cfg.homedir) == -1)
+                        errExit("asprintf");
+                int fd = safer_openat(-1, firejail, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
+                if (fd == -1)
+                        errExit("safer_openat");
+                free(firejail);
+                // create basedir if it doesn't exist
+                // the new directory will be owned by root
+                const char *dirname = gnu_basename(basedir);
+                if (mkdirat(fd, dirname, 0755) == -1 && errno != EEXIST) {
+                        perror("mkdir");
+                        fprintf(stderr, "Error: cannot create overlay directory %s\n", basedir);
+                        exit(1);
+                }
+                // open basedir
+                basefd = openat(fd, dirname, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
+                close(fd);
+        }
+        else {
+                basefd = open(basedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
+        }
+        if (basefd == -1) {
+                perror("open");
+                fprintf(stderr, "Error: cannot open overlay directory %s\n", basedir);
+                exit(1);
+        }
+
+        // confirm once more base is owned by root
+        if (fstat(basefd, &s) == -1)
+                errExit("fstat");
+        if (s.st_uid != 0) {
+                fprintf(stderr, "Error: overlay directory %s is not owned by the root user\n", basedir);
+                exit(1);
+        }
+        // confirm permissions of base are 0755
+        if (((S_IRWXU|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH) & s.st_mode) != (S_IRWXU|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH)) {
+                fprintf(stderr, "Error: invalid permissions on overlay directory %s\n", basedir);
+                exit(1);
+        }
+
+        // create diff and work directories inside base
+        // no need to check arg_overlay_reuse
+        char *odiff;
+        if (asprintf(&odiff, "%s/odiff", basedir) == -1)
+                errExit("asprintf");
+        // the new directory will be owned by root
+        if (mkdirat(basefd, "odiff", 0755) == -1 && errno != EEXIST) {
+                perror("mkdir");
+                fprintf(stderr, "Error: cannot create overlay directory %s\n", odiff);
+                exit(1);
+        }
+        ASSERT_PERMS(odiff, 0, 0, 0755);
+
+        char *owork;
+        if (asprintf(&owork, "%s/owork", basedir) == -1)
+                errExit("asprintf");
+        // the new directory will be owned by root
+        if (mkdirat(basefd, "owork", 0755) == -1 && errno != EEXIST) {
+                perror("mkdir");
+                fprintf(stderr, "Error: cannot create overlay directory %s\n", owork);
+                exit(1);
+        }
+        ASSERT_PERMS(owork, 0, 0, 0755);
+
+        // mount overlayfs
+        if (arg_debug)
+                printf("Mounting OverlayFS\n");
+        char *option;
+        if (oldkernel) { // old Ubuntu/OpenSUSE kernels
+                if (arg_overlay_keep) {
+                        fprintf(stderr, "Error: option --overlay= not available for kernels older than 3.18\n");
+                        exit(1);
+                }
+                if (asprintf(&option, "lowerdir=/,upperdir=%s", odiff) == -1)
+                        errExit("asprintf");
+                if (mount("overlayfs", oroot, "overlayfs", MS_MGC_VAL, option) < 0)
+                        errExit("mounting overlayfs");
+        }
+        else { // kernel 3.18 or newer
+                if (asprintf(&option, "lowerdir=/,upperdir=%s,workdir=%s", odiff, owork) == -1)
+                        errExit("asprintf");
+                if (mount("overlay", oroot, "overlay", MS_MGC_VAL, option) < 0) {
+                        fprintf(stderr, "Debug: running on kernel version %d.%d\n", major, minor);
+                        errExit("mounting overlayfs");
+                }
+
+                //***************************
+                // issue #263 start code
+                // My setup has a separate mount point for /home. When the overlay is mounted,
+                // the overlay does not contain the original /home contents.
+                // I added code to create a second overlay for /home if the overlay home dir is empty and this seems to work
+                // @dshmgh, Jan 2016
+                {
+                        char *overlayhome;
+                        struct stat s;
+                        char *hroot;
+                        char *hdiff;
+                        char *hwork;
+
+                        // dons add debug
+                        if (arg_debug) printf ("DEBUG: chroot dirs are oroot %s  odiff %s  owork %s\n",oroot,odiff,owork);
+
+                        // BEFORE NEXT, WE NEED TO TEST IF /home has any contents or do we need to mount it?
+                        // must create var for oroot/cfg.homedir
+                        if (asprintf(&overlayhome, "%s%s", oroot, cfg.homedir) == -1)
+                                errExit("asprintf");
+                        if (arg_debug) printf ("DEBUG: overlayhome var holds ##%s##\n", overlayhome);
+
+                        // if no homedir in overlay -- create another overlay for /home
+                        if (stat(cfg.homedir, &s) == 0 && stat(overlayhome, &s) == -1) {
+
+                                // no need to check arg_overlay_reuse
+                                if (asprintf(&hdiff, "%s/hdiff", basedir) == -1)
+                                        errExit("asprintf");
+                                // the new directory will be owned by root
+                                if (mkdirat(basefd, "hdiff", 0755) == -1 && errno != EEXIST) {
+                                        perror("mkdir");
+                                        fprintf(stderr, "Error: cannot create overlay directory %s\n", hdiff);
+                                        exit(1);
+                                }
+                                ASSERT_PERMS(hdiff, 0, 0, 0755);
+
+                                // no need to check arg_overlay_reuse
+                                if (asprintf(&hwork, "%s/hwork", basedir) == -1)
+                                        errExit("asprintf");
+                                // the new directory will be owned by root
+                                if (mkdirat(basefd, "hwork", 0755) == -1 && errno != EEXIST) {
+                                        perror("mkdir");
+                                        fprintf(stderr, "Error: cannot create overlay directory %s\n", hwork);
+                                        exit(1);
+                                }
+                                ASSERT_PERMS(hwork, 0, 0, 0755);
+
+                                // no homedir in overlay so now mount another overlay for /home
+                                if (asprintf(&hroot, "%s/home", oroot) == -1)
+                                        errExit("asprintf");
+                                if (asprintf(&option, "lowerdir=/home,upperdir=%s,workdir=%s", hdiff, hwork) == -1)
+                                        errExit("asprintf");
+                                if (mount("overlay", hroot, "overlay", MS_MGC_VAL, option) < 0)
+                                        errExit("mounting overlayfs for mounted home directory");
+
+                                printf("OverlayFS for /home configured in %s directory\n", basedir);
+                                free(hroot);
+                                free(hdiff);
+                                free(hwork);
+
+                        } // stat(overlayhome)
+                        free(overlayhome);
+                }
+                // issue #263 end code
+                //***************************
+        }
+        fmessage("OverlayFS configured in %s directory\n", basedir);
+        close(basefd);
+
+        // /dev, /run and /tmp are not covered by the overlay
+        // mount-bind dev directory
+        if (arg_debug)
+                printf("Mounting /dev\n");
+        char *dev;
+        if (asprintf(&dev, "%s/dev", oroot) == -1)
+                errExit("asprintf");
+        if (mount("/dev", dev, NULL, MS_BIND|MS_REC, NULL) < 0)
+                errExit("mounting /dev");
+        fs_logger("whitelist /dev");
+
+        // mount-bind run directory
+        if (arg_debug)
+                printf("Mounting /run\n");
+        char *run;
+        if (asprintf(&run, "%s/run", oroot) == -1)
+                errExit("asprintf");
+        if (mount("/run", run, NULL, MS_BIND|MS_REC, NULL) < 0)
+                errExit("mounting /run");
+        fs_logger("whitelist /run");
+
+        // mount-bind tmp directory
+        if (arg_debug)
+                printf("Mounting /tmp\n");
+        char *tmp;
+        if (asprintf(&tmp, "%s/tmp", oroot) == -1)
+                errExit("asprintf");
+        if (mount("/tmp", tmp, NULL, MS_BIND|MS_REC, NULL) < 0)
+                errExit("mounting /tmp");
+        fs_logger("whitelist /tmp");
+
+        // chroot in the new filesystem
+        __gcov_flush();
+
+        if (chroot(oroot) == -1)
+                errExit("chroot");
+
+        // mount a new proc filesystem
+        if (arg_debug)
+                printf("Mounting /proc filesystem representing the PID namespace\n");
+        if (mount("proc", "/proc", "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0)
+                errExit("mounting /proc");
+
+        // update /var directory in order to support multiple sandboxes running on the same root directory
+//      if (!arg_private_dev)
+//              fs_dev_shm();
+        fs_var_lock();
+        if (!arg_keep_var_tmp)
+                fs_var_tmp();
+        if (!arg_writable_var_log)
+                fs_var_log();
+        fs_var_lib();
+        fs_var_cache();
+        fs_var_utmp();
+        fs_machineid();
+
+        // don't leak user information
+        restrict_users();
+
+        // when starting as root, firejail config is not disabled;
+        if (getuid() != 0)
+                disable_config();
+
+        // cleanup and exit
+        free(option);
+        free(odiff);
+        free(owork);
+        free(dev);
+        free(run);
+        free(tmp);
+}
+
+
+static int remove_callback(const char *fpath, const struct stat *sb, int typeflag, struct FTW *ftwbuf) {
+        (void) sb;
+        (void) typeflag;
+        (void) ftwbuf;
+        assert(fpath);
+
+        if (strcmp(fpath, ".") == 0)    // rmdir would fail with EINVAL
+                return 0;
+
+        if (remove(fpath)) {    // removes the link not the actual file
+                fprintf(stderr, "Error: cannot remove file: %s\n", strerror(errno));
+                exit(1);
+        }
+
+        return 0;
+}
+
+int remove_overlay_directory(void) {
+        EUID_ASSERT();
+        sleep(1);
+
+        char *path;
+        if (asprintf(&path, "%s/.firejail", cfg.homedir) == -1)
+                errExit("asprintf");
+
+        if (access(path, F_OK) == 0) {
+                pid_t child = fork();
+                if (child < 0)
+                        errExit("fork");
+                if (child == 0) {
+                        // open ~/.firejail
+                        int fd = safer_openat(-1, path, O_PATH|O_NOFOLLOW|O_CLOEXEC);
+                        if (fd == -1) {
+                                fprintf(stderr, "Error: cannot open %s\n", path);
+                                exit(1);
+                        }
+                        struct stat s;
+                        if (fstat(fd, &s) == -1)
+                                errExit("fstat");
+                        if (!S_ISDIR(s.st_mode)) {
+                                if (S_ISLNK(s.st_mode))
+                                        fprintf(stderr, "Error: %s is a symbolic link\n", path);
+                                else
+                                        fprintf(stderr, "Error: %s is not a directory\n", path);
+                                exit(1);
+                        }
+                        if (s.st_uid != getuid()) {
+                                fprintf(stderr, "Error: %s is not owned by the current user\n", path);
+                                exit(1);
+                        }
+                        // chdir to ~/.firejail
+                        if (fchdir(fd) == -1)
+                                errExit("fchdir");
+                        close(fd);
+
+                        EUID_ROOT();
+                        // FTW_PHYS - do not follow symbolic links
+                        if (nftw(".", remove_callback, 64, FTW_DEPTH | FTW_PHYS) == -1)
+                                errExit("nftw");
+
+                        EUID_USER();
+                        // remove ~/.firejail
+                        if (rmdir(path) == -1)
+                                errExit("rmdir");
+
+                        __gcov_flush();
+
+                        _exit(0);
+                }
+                // wait for the child to finish
+                waitpid(child, NULL, 0);
+                // check if ~/.firejail was deleted
+                if (access(path, F_OK) == 0)
+                        return 1;
+        }
+        return 0;
+}
+
+#endif // HAVE_OVERLAYFS
diff --git a/src/firejail/fs_trace.c b/src/firejail/fs_trace.c
index 8f939b5f5..4cecea9ce 100644
--- a/src/firejail/fs_trace.c
+++ b/src/firejail/fs_trace.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -20,26 +20,31 @@
 #include "firejail.h"
 #include <sys/mount.h>
 #include <sys/stat.h>
-#include <linux/limits.h>
 #include <glob.h>
 #include <dirent.h>
 #include <fcntl.h>
 #include <pwd.h>
 
-void fs_trace_preload(void) {
+// create an empty /etc/ld.so.preload
+void fs_trace_touch_preload(void) {
+        create_empty_file_as_root("/etc/ld.so.preload", S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+}
+
+void fs_trace_touch_or_store_preload(void) {
         struct stat s;
 
-        // create an empty /etc/ld.so.preload
-        if (stat("/etc/ld.so.preload", &s)) {
-                if (arg_debug)
-                        printf("Creating an empty /etc/ld.so.preload file\n");
-                /* coverity[toctou] */
-                FILE *fp = fopen("/etc/ld.so.preload", "w");
-                if (!fp)
-                        errExit("fopen");
-                SET_PERMS_STREAM(fp, 0, 0, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
-                fclose(fp);
-                fs_logger("touch /etc/ld.so.preload");
+        if (stat("/etc/ld.so.preload", &s) != 0) {
+                fs_trace_touch_preload();
+                return;
+        }
+
+        if (s.st_size == 0)
+                return;
+
+        // create a copy of /etc/ld.so.preload
+        if (copy_file("/etc/ld.so.preload", RUN_LDPRELOAD_FILE, 0, 0, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH)) {
+                fprintf(stderr, "Error: cannot copy /etc/ld.so.preload file\n");
+                exit(1);
         }
 }
 
@@ -48,7 +53,7 @@ void fs_tracefile(void) {
         if (arg_debug)
                 printf("Creating an empty trace log file: %s\n", arg_tracefile);
         EUID_USER();
-        int fd = open(arg_tracefile, O_CREAT|O_WRONLY|O_CLOEXEC, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
+        int fd = open(arg_tracefile, O_CREAT|O_WRONLY|O_CLOEXEC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
         if (fd == -1) {
                 perror("open");
                 fprintf(stderr, "Error: cannot open trace log file %s for writing\n", arg_tracefile);
@@ -64,20 +69,16 @@ void fs_tracefile(void) {
         if (ftruncate(fd, 0) == -1)
                 errExit("ftruncate");
         EUID_ROOT();
-        FILE *fp = fopen(RUN_TRACE_FILE, "w");
+        FILE *fp = fopen(RUN_TRACE_FILE, "we");
         if (!fp)
                 errExit("fopen " RUN_TRACE_FILE);
         fclose(fp);
-        fs_logger2("touch ", arg_tracefile);
+        fs_logger2("touch", arg_tracefile);
         // mount using the symbolic link in /proc/self/fd
         if (arg_debug)
                 printf("Bind mount %s to %s\n", arg_tracefile, RUN_TRACE_FILE);
-        char *proc;
-        if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
-                errExit("asprintf");
-        if (mount(proc, RUN_TRACE_FILE, NULL, MS_BIND|MS_REC, NULL) < 0)
+        if (bind_mount_fd_to_path(fd, RUN_TRACE_FILE))
                 errExit("mount bind " RUN_TRACE_FILE);
-        free(proc);
         close(fd);
         // now that RUN_TRACE_FILE is user-writable, mount it noexec
         fs_remount(RUN_TRACE_FILE, MOUNT_NOEXEC, 0);
@@ -88,7 +89,7 @@ void fs_trace(void) {
         if (arg_debug)
                 printf("Create the new ld.so.preload file\n");
 
-        FILE *fp = fopen(RUN_LDPRELOAD_FILE, "w");
+        FILE *fp = fopen(RUN_LDPRELOAD_FILE, "ae");
         if (!fp)
                 errExit("fopen");
         const char *prefix = RUN_FIREJAIL_LIB_DIR;
@@ -105,7 +106,7 @@ void fs_trace(void) {
                 fmessage("Post-exec seccomp protector enabled\n");
         }
 
-        SET_PERMS_STREAM(fp, 0, 0, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
+        SET_PERMS_STREAM(fp, 0, 0, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
         fclose(fp);
 
         // mount the new preload file
diff --git a/src/firejail/fs_var.c b/src/firejail/fs_var.c
index f07581cd8..9523875d7 100644
--- a/src/firejail/fs_var.c
+++ b/src/firejail/fs_var.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -20,7 +20,6 @@
 #include "firejail.h"
 #include <sys/mount.h>
 #include <sys/stat.h>
-#include <linux/limits.h>
 #include <glob.h>
 #include <dirent.h>
 #include <fcntl.h>
@@ -127,17 +126,17 @@ void fs_var_log(void) {
 
                 // create an empty /var/log/wtmp file
                 /* coverity[toctou] */
-                FILE *fp = fopen("/var/log/wtmp", "w");
+                FILE *fp = fopen("/var/log/wtmp", "wxe");
                 if (fp) {
-                        SET_PERMS_STREAM(fp, 0, wtmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP | S_IROTH);
+                        SET_PERMS_STREAM(fp, 0, wtmp_group, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH);
                         fclose(fp);
                 }
                 fs_logger("touch /var/log/wtmp");
 
                 // create an empty /var/log/btmp file
-                fp = fopen("/var/log/btmp", "w");
+                fp = fopen("/var/log/btmp", "wxe");
                 if (fp) {
-                        SET_PERMS_STREAM(fp, 0, wtmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP);
+                        SET_PERMS_STREAM(fp, 0, wtmp_group, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP);
                         fclose(fp);
                 }
                 fs_logger("touch /var/log/btmp");
@@ -158,8 +157,7 @@ void fs_var_lib(void) {
                 fs_logger("tmpfs /var/lib/dhcp");
 
                 // isc dhcp server requires a /var/lib/dhcp/dhcpd.leases file
-                FILE *fp = fopen("/var/lib/dhcp/dhcpd.leases", "w");
-
+                FILE *fp = fopen("/var/lib/dhcp/dhcpd.leases", "wxe");
                 if (fp) {
                         fprintf(fp, "\n");
                         SET_PERMS_STREAM(fp, 0, 0, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
@@ -287,7 +285,7 @@ void fs_var_utmp(void) {
         if (stat(UTMP_FILE, &s) == 0)
                 utmp_group = s.st_gid;
         else {
-                fwarning("cannot find /var/run/utmp\n");
+                fwarning("cannot find %s\n", UTMP_FILE);
                 return;
         }
 
@@ -296,7 +294,7 @@ void fs_var_utmp(void) {
                 printf("Create the new utmp file\n");
 
         /* coverity[toctou] */
-        FILE *fp = fopen(RUN_UTMP_FILE, "w");
+        FILE *fp = fopen(RUN_UTMP_FILE, "we");
         if (!fp)
                 errExit("fopen");
 
@@ -315,7 +313,7 @@ void fs_var_utmp(void) {
         // save new utmp file
         int rv = fwrite(&u_boot, sizeof(u_boot), 1, fp);
         (void) rv;
-        SET_PERMS_STREAM(fp, 0, utmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP | S_IROTH);
+        SET_PERMS_STREAM(fp, 0, utmp_group, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH);
         fclose(fp);
 
         // mount the new utmp file
@@ -323,5 +321,9 @@ void fs_var_utmp(void) {
                 printf("Mount the new utmp file\n");
         if (mount(RUN_UTMP_FILE, UTMP_FILE, NULL, MS_BIND|MS_NOSUID|MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0)
                 errExit("mount bind utmp");
-        fs_logger("create /var/run/utmp");
+        fs_logger2("create", UTMP_FILE);
+
+        // blacklist RUN_UTMP_FILE
+        if (mount(RUN_RO_FILE, RUN_UTMP_FILE, NULL, MS_BIND, "mode=400,gid=0") < 0)
+                errExit("mount bind");
 }
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c
index 698d47b69..3377b2592 100644
--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -16,63 +16,70 @@
  * You should have received a copy of the GNU General Public License along
  * with this program; if not, write to the Free Software Foundation, Inc.,
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
+ */
 #include "firejail.h"
 #include <sys/mount.h>
 #include <sys/stat.h>
-#include <linux/limits.h>
 #include <fnmatch.h>
 #include <glob.h>
-#include <dirent.h>
 #include <errno.h>
 
 #include <fcntl.h>
 #ifndef O_PATH
-# define O_PATH 010000000
+#define O_PATH 010000000
 #endif
 
+#define TOP_MAX 64 // maximum number of top level directories
+
 // mountinfo functionality test;
 // 1. enable TEST_MOUNTINFO definition
 // 2. run firejail --whitelist=/any/directory
 //#define TEST_MOUNTINFO
 
-#define EMPTY_STRING ("")
-static size_t homedir_len; // cache length of homedir string
-static size_t runuser_len; // cache length of runuser string
-static char *runuser;
+static size_t homedir_len = 0; // cache length of homedir string
+static size_t runuser_len = 0; // cache length of runuser string
+static char *runuser = NULL;
 
 
-static int mkpath(const char* path, mode_t mode) {
-        assert(path && *path);
-        mode |= 0111;
 
-        // create directories with uid/gid as root, or as current user if inside home or run/user/$uid directory
-        int userprivs = 0;
-        if ((strncmp(path, cfg.homedir, homedir_len) == 0 && path[homedir_len] == '/') ||
-            (strncmp(path, runuser, runuser_len) == 0 && path[runuser_len] == '/')) {
-                EUID_USER();
-                userprivs = 1;
+static void whitelist_error(const char *path) {
+        assert(path);
+
+        fprintf(stderr, "Error: invalid whitelist path %s\n", path);
+        exit(1);
+}
+
+static int whitelist_mkpath(const char *parentdir, const char *relpath, mode_t mode) {
+        // starting from top level directory
+        int parentfd = safer_openat(-1, parentdir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
+        if (parentfd < 0)
+                errExit("open");
+
+        // top level directory mount id
+        int mountid = get_mount_id(parentfd);
+        if (mountid < 0) {
+                close(parentfd);
+                return -1;
         }
 
         // work on a copy of the path
-        char *dup = strdup(path);
+        char *dup = strdup(relpath);
         if (!dup)
                 errExit("strdup");
 
-        // don't create the last path element
+        // only create leading directories, don't create the file
         char *p = strrchr(dup, '/');
-        assert(p);
+        if (!p) { // nothing to do
+                free(dup);
+                return parentfd;
+        }
         *p = '\0';
 
-        int parentfd = open("/", O_PATH|O_DIRECTORY|O_CLOEXEC);
-        if (parentfd == -1)
-                errExit("open");
-
         // traverse the path, return -1 if a symlink is encountered
-        int done = 0;
         int fd = -1;
+        int done = 0;
         char *tok = strtok(dup, "/");
-        assert(tok); // path is no top level directory
+        assert(tok);
         while (tok) {
                 // create the directory if necessary
                 if (mkdirat(parentfd, tok, mode) == -1) {
@@ -81,9 +88,6 @@ static int mkpath(const char* path, mode_t mode) {
                                         perror("mkdir");
                                 close(parentfd);
                                 free(dup);
-                                if (userprivs) {
-                                        EUID_ROOT();
-                                }
                                 return -1;
                         }
                 }
@@ -96,9 +100,15 @@ static int mkpath(const char* path, mode_t mode) {
                                 perror("open");
                         close(parentfd);
                         free(dup);
-                        if (userprivs) {
-                                EUID_ROOT();
-                        }
+                        return -1;
+                }
+                // different mount id indicates earlier whitelist mount
+                if (get_mount_id(fd) != mountid) {
+                        if (arg_debug || arg_debug_whitelists)
+                                printf("Debug %d: whitelisted already\n", __LINE__);
+                        close(parentfd);
+                        close(fd);
+                        free(dup);
                         return -1;
                 }
                 // move on to next path segment
@@ -107,199 +117,110 @@ static int mkpath(const char* path, mode_t mode) {
                 tok = strtok(NULL, "/");
         }
 
-        if (done)
-                fs_logger2("mkpath", path);
+        if (done) {
+                char *abspath;
+                if (asprintf(&abspath, "%s/%s", parentdir, relpath) < 0)
+                        errExit("asprintf");
+                fs_logger2("mkpath", abspath);
+                free(abspath);
+        }
 
         free(dup);
-        if (userprivs) {
-                EUID_ROOT();
-        }
         return fd;
 }
 
-static void whitelist_path(ProfileEntry *entry) {
-        assert(entry);
-        const char *path = entry->data + 10;
-        const char *fname;
-        char *wfile = NULL;
-
-        if (entry->wldir == WLDIR_HOME) {
-                if (strncmp(path, cfg.homedir, homedir_len) != 0 || path[homedir_len] != '/')
-                        // either symlink pointing outside home directory
-                        // or entire home directory, skip the mount
-                        return;
-
-                fname = path + homedir_len + 1; // strlen("/home/user/")
-
-                if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_HOME_USER_DIR, fname) == -1)
-                        errExit("asprintf");
-        }
-        else if (entry->wldir == WLDIR_TMP) {
-                fname = path + 5; // strlen("/tmp/")
-
-                if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_TMP_DIR, fname) == -1)
-                        errExit("asprintf");
-        }
-        else if (entry->wldir == WLDIR_MEDIA) {
-                fname = path + 7; // strlen("/media/")
+static void whitelist_file(const TopDir * const top, const char *path) {
+        EUID_ASSERT();
+        assert(top && path);
 
-                if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_MEDIA_DIR, fname) == -1)
-                        errExit("asprintf");
-        }
-        else if (entry->wldir == WLDIR_MNT) {
-                fname = path + 5; // strlen("/mnt/")
-
-                if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_MNT_DIR, fname) == -1)
-                        errExit("asprintf");
-        }
-        else if (entry->wldir == WLDIR_VAR) {
-                if (strncmp(path, "/var/", 5) != 0)
-                        // symlink pointing outside /var, skip the mount
-                        return;
-
-                fname = path + 5; // strlen("/var/")
-
-                if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_VAR_DIR, fname) == -1)
-                        errExit("asprintf");
-        }
-        else if (entry->wldir == WLDIR_DEV) {
-                if (strncmp(path, "/dev/", 5) != 0)
-                        // symlink pointing outside /dev, skip the mount
-                        return;
-
-                fname = path + 5; // strlen("/dev/")
-
-                if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_DEV_DIR, fname) == -1)
-                        errExit("asprintf");
-        }
-        else if (entry->wldir == WLDIR_OPT) {
-                fname = path + 5; // strlen("/opt/")
-
-                if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_OPT_DIR, fname) == -1)
-                        errExit("asprintf");
-        }
-        else if (entry->wldir == WLDIR_SRV) {
-                fname = path + 5; // strlen("/srv/")
-
-                if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_SRV_DIR, fname) == -1)
-                        errExit("asprintf");
-        }
-        else if (entry->wldir == WLDIR_ETC) {
-                if (strncmp(path, "/etc/", 5) != 0)
-                        // symlink pointing outside /etc, skip the mount
-                        return;
-
-                fname = path + 5; // strlen("/etc/")
-
-                if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_ETC_DIR, fname) == -1)
-                        errExit("asprintf");
-        }
-        else if (entry->wldir == WLDIR_SHARE) {
-                fname = path + 11; // strlen("/usr/share/")
-
-                if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_SHARE_DIR, fname) == -1)
-                        errExit("asprintf");
-        }
-        else if (entry->wldir == WLDIR_MODULE) {
-                fname = path + 12; // strlen("/sys/module/")
-
-                if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_MODULE_DIR, fname) == -1)
-                        errExit("asprintf");
-        }
-        else if (entry->wldir == WLDIR_RUN) {
-                fname = path + runuser_len + 1; // strlen("/run/user/$uid/")
-
-                if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_RUN_USER_DIR, fname) == -1)
-                        errExit("asprintf");
-        }
-        assert(wfile);
-
-        if (arg_debug || arg_debug_whitelists)
-                printf("Whitelisting %s\n", path);
-
-        // confirm again the mount source exists and there is no symlink
-        struct stat wfilestat;
-        EUID_USER();
-        int fd = safe_fd(wfile, O_PATH|O_NOFOLLOW|O_CLOEXEC);
-        EUID_ROOT();
+        // check if path is inside top level directory
+        size_t top_pathlen = strlen(top->path);
+        if (strncmp(top->path, path, top_pathlen) != 0 || path[top_pathlen] != '/')
+                return;
+        const char *relpath = path + top_pathlen + 1;
+
+        // open mount source, using a file descriptor that refers to the
+        // top level directory
+        // as the top level directory was opened before mounting the tmpfs
+        // we still have full access to all directory contents
+        // take care to not follow symbolic links (top->fd was obtained without
+        // following a link, too)
+        int fd = safer_openat(top->fd, relpath, O_PATH|O_NOFOLLOW|O_CLOEXEC);
         if (fd == -1) {
                 if (arg_debug || arg_debug_whitelists)
-                        printf("Debug %d: skip whitelisting of %s\n", __LINE__, path);
-                free(wfile);
+                        printf("Debug %d: skip whitelist %s\n", __LINE__, path);
                 return;
         }
-        if (fstat(fd, &wfilestat) == -1)
+        struct stat s;
+        if (fstat(fd, &s) == -1)
                 errExit("fstat");
-        close(fd);
-        if (S_ISLNK(wfilestat.st_mode)) {
+        if (S_ISLNK(s.st_mode)) {
                 if (arg_debug || arg_debug_whitelists)
-                        printf("Debug %d: skip whitelisting of %s\n", __LINE__, path);
-                free(wfile);
+                        printf("Debug %d: skip whitelist %s\n", __LINE__, path);
+                close(fd);
                 return;
         }
 
-        // create path of the mount target if necessary
-        int fd2 = mkpath(path, 0755);
+        // now modify the tmpfs:
+        // create mount target as root, except if inside home or run/user/$UID directory
+        if (strcmp(top->path, cfg.homedir) != 0 &&
+            strcmp(top->path, runuser) != 0)
+                EUID_ROOT();
+
+        // create path of the mount target
+        int fd2 = whitelist_mkpath(top->path, relpath, 0755);
         if (fd2 == -1) {
-                // something went wrong during path creation or a symlink was found;
-                // if there is a symlink somewhere in the path of the mount target,
-                // assume the file is whitelisted already
                 if (arg_debug || arg_debug_whitelists)
-                        printf("Debug %d: skip whitelisting of %s\n", __LINE__, path);
-                free(wfile);
+                        printf("Debug %d: skip whitelist %s\n", __LINE__, path);
+                close(fd);
+                EUID_USER();
                 return;
         }
 
         // get file name of the mount target
-        const char *file = gnu_basename(path);
+        const char *file = gnu_basename(relpath);
 
-        // create the mount target if necessary and open it, a symlink is rejected
+        // create mount target itself if necessary
+        // and open it, a symlink is not allowed
         int fd3 = -1;
-        if (S_ISDIR(wfilestat.st_mode)) {
-                // directory foo can exist already:
-                // firejail --whitelist=/foo/bar --whitelist=/foo
+        if (S_ISDIR(s.st_mode)) {
+                // directory bar can exist already:
+                // firejail --whitelist=/foo/bar/baz --whitelist=/foo/bar
                 if (mkdirat(fd2, file, 0755) == -1 && errno != EEXIST) {
                         if (arg_debug || arg_debug_whitelists) {
                                 perror("mkdir");
-                                printf("Debug %d: skip whitelisting of %s\n", __LINE__, path);
+                                printf("Debug %d: skip whitelist %s\n", __LINE__, path);
                         }
+                        close(fd);
                         close(fd2);
-                        free(wfile);
+                        EUID_USER();
                         return;
                 }
                 fd3 = openat(fd2, file, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
         }
-        else {
-                // create an empty file, fails with EEXIST if it is whitelisted already:
-                // firejail --whitelist=/foo --whitelist=/foo/bar
+        else
+                // create an empty file
+                // fails with EEXIST if it is whitelisted already
                 fd3 = openat(fd2, file, O_RDONLY|O_CREAT|O_EXCL|O_CLOEXEC, S_IRUSR|S_IWUSR);
-        }
 
         if (fd3 == -1) {
-                if (arg_debug || arg_debug_whitelists) {
-                        if (errno != EEXIST) {
-                                perror("open");
-                                printf("Debug %d: skip whitelisting of %s\n", __LINE__, path);
-                        }
+                if (errno != EEXIST && (arg_debug || arg_debug_whitelists)) {
+                        perror("open");
+                        printf("Debug %d: skip whitelist %s\n", __LINE__, path);
                 }
+                close(fd);
                 close(fd2);
-                free(wfile);
+                EUID_USER();
                 return;
         }
         close(fd2);
 
-        fs_logger2("whitelist", path);
-
-        // in order to make this mount resilient against symlink attacks, use
-        // a magic link in /proc/self/fd instead of mounting on path directly
-        char *proc;
-        if (asprintf(&proc, "/proc/self/fd/%d", fd3) == -1)
-                errExit("asprintf");
-        if (mount(wfile, proc, NULL, MS_BIND|MS_REC, NULL) < 0)
+        if (arg_debug || arg_debug_whitelists)
+                printf("Whitelisting %s\n", path);
+        EUID_ROOT();
+        if (bind_mount_by_fd(fd, fd3))
                 errExit("mount bind");
-        free(proc);
-        close(fd3);
-
+        EUID_USER();
         // check the last mount operation
         MountData *mptr = get_last_mount(); // will do exit(1) if the mount cannot be found
 #ifdef TEST_MOUNTINFO
@@ -316,37 +237,54 @@ static void whitelist_path(ProfileEntry *entry) {
         //  - there should be more than one '/' char in dest string
         if (mptr->dir == strrchr(mptr->dir, '/'))
                 errLogExit("invalid whitelist mount");
-        // confirm the right file was mounted by comparing device and inode numbers
-        int fd4 = safe_fd(path, O_PATH|O_NOFOLLOW|O_CLOEXEC);
-        if (fd4 == -1)
-                errExit("safe_fd");
-        struct stat s;
-        if (fstat(fd4, &s) == -1)
-                errExit("fstat");
-        if (s.st_dev != wfilestat.st_dev || s.st_ino != wfilestat.st_ino)
-                errLogExit("invalid whitelist mount");
-        close(fd4);
-
-        free(wfile);
-        return;
+        close(fd);
+        close(fd3);
+        fs_logger2("whitelist", path);
 }
 
-static void whitelist_home(int topdir) {
-        ProfileEntry entry;
-        memset(&entry, 0, sizeof(entry));
-        char *cmd;
-        if (asprintf(&cmd, "whitelist %s", cfg.homedir) == -1)
-                errExit("asprintf");
-        entry.data = cmd;
-        entry.wldir = topdir;
-        // creates path owned by root, except homedir is inside /run/user/$uid
-        // does nothing if homedir does not exist
-        whitelist_path(&entry);
-        free(cmd);
-}
+static void whitelist_symlink(const TopDir * const top, const char *link, const char *target) {
+        EUID_ASSERT();
+        assert(top && link && target);
+
+        // confirm link is inside top level directory
+        // this should never fail
+        size_t top_pathlen = strlen(top->path);
+        assert(strncmp(top->path, link, top_pathlen) == 0 && link[top_pathlen] == '/');
+
+        const char *relpath = link + top_pathlen + 1;
+
+        // create link as root, except if inside home or run/user/$UID directory
+        if (strcmp(top->path, cfg.homedir) != 0 &&
+            strcmp(top->path, runuser) != 0)
+                EUID_ROOT();
 
+        int fd = whitelist_mkpath(top->path, relpath, 0755);
+        if (fd == -1) {
+                if (arg_debug || arg_debug_whitelists)
+                        printf("Debug %d: cannot create symbolic link %s\n", __LINE__, link);
+                EUID_USER();
+                return;
+        }
+
+        // get file name of symlink
+        const char *file = gnu_basename(relpath);
+
+        // create the link
+        if (symlinkat(target, fd, file) == -1) {
+                if (arg_debug || arg_debug_whitelists) {
+                        perror("symlink");
+                        printf("Debug %d: cannot create symbolic link %s\n", __LINE__, link);
+                }
+        }
+        else if (arg_debug || arg_debug_whitelists)
+                printf("Created symbolic link %s -> %s\n", link, target);
+
+        close(fd);
+        EUID_USER();
+}
 
 static void globbing(const char *pattern) {
+        EUID_ASSERT();
         assert(pattern);
 
         // globbing
@@ -363,6 +301,11 @@ static void globbing(const char *pattern) {
                 // testing for GLOB_NOCHECK - no pattern matched returns the original pattern
                 if (strcmp(globbuf.gl_pathv[i], pattern) == 0)
                         continue;
+                // foo/* expands to foo/. and foo/..
+                const char *base = gnu_basename(globbuf.gl_pathv[i]);
+                if (strcmp(base, ".") == 0 ||
+                    strcmp(base, "..") == 0)
+                        continue;
 
                 // build the new profile command
                 char *newcmd;
@@ -378,8 +321,237 @@ static void globbing(const char *pattern) {
         globfree(&globbuf);
 }
 
+// mount tmpfs on all top level directories
+static void tmpfs_topdirs(const TopDir * const topdirs) {
+        int tmpfs_home = 0;
+        int tmpfs_runuser = 0;
+
+        int i;
+        for (i = 0; i < TOP_MAX && topdirs[i].path; i++) {
+                // do nested top level directories last
+                // this way '--whitelist=nested_top_level_dir'
+                // yields the full, unmodified directory
+                // instead of the tmpfs
+                if (strcmp(topdirs[i].path, cfg.homedir) == 0) {
+                        tmpfs_home = 1;
+                        continue;
+                }
+                if (strcmp(topdirs[i].path, runuser) == 0) {
+                        tmpfs_runuser = 1;
+                        continue;
+                }
+
+                // special case /run
+                // open /run/firejail, so it can be restored right after mounting the tmpfs
+                int fd = -1;
+                if (strcmp(topdirs[i].path, "/run") == 0) {
+                        fd = open(RUN_FIREJAIL_DIR, O_PATH|O_CLOEXEC);
+                        if (fd == -1)
+                                errExit("open");
+                }
+
+                // mount tmpfs
+                fs_tmpfs(topdirs[i].path, 0);
+                selinux_relabel_path(topdirs[i].path, topdirs[i].path);
+
+                // init tmpfs
+                if (strcmp(topdirs[i].path, "/run") == 0) {
+                        // restore /run/firejail directory
+                        EUID_ROOT();
+                        mkdir_attr(RUN_FIREJAIL_DIR, 0755, 0, 0);
+                        if (bind_mount_fd_to_path(fd, RUN_FIREJAIL_DIR))
+                                errExit("mount bind");
+                        EUID_USER();
+                        close(fd);
+                        fs_logger2("whitelist", RUN_FIREJAIL_DIR);
+
+                        // restore /run/user/$UID directory
+                        whitelist_file(&topdirs[i], runuser);
+                }
+                else if (strcmp(topdirs[i].path, "/tmp") == 0) {
+                        // fix pam-tmpdir (#2685)
+                        const char *env = env_get("TMP");
+                        if (env) {
+                                // we allow TMP env set as /tmp/user/$UID and /tmp/$UID - see #4151
+                                char *pamtmpdir1;
+                                if (asprintf(&pamtmpdir1, "/tmp/user/%u", getuid()) == -1)
+                                        errExit("asprintf");
+                                char *pamtmpdir2;
+                                if (asprintf(&pamtmpdir2, "/tmp/%u", getuid()) == -1)
+                                        errExit("asprintf");
+                                if (strcmp(env, pamtmpdir1) == 0) {
+                                        // create empty user-owned /tmp/user/$UID directory
+                                        EUID_ROOT();
+                                        mkdir_attr("/tmp/user", 0755, 0, 0);
+                                        selinux_relabel_path("/tmp/user", "/tmp/user");
+                                        fs_logger("mkdir /tmp/user");
+                                        mkdir_attr(pamtmpdir1, 0700, getuid(), 0);
+                                        selinux_relabel_path(pamtmpdir1, pamtmpdir1);
+                                        fs_logger2("mkdir", pamtmpdir1);
+                                        EUID_USER();
+                                }
+                                else if (strcmp(env, pamtmpdir2) == 0) {
+                                        // create empty user-owned /tmp/$UID directory
+                                        EUID_ROOT();
+                                        mkdir_attr(pamtmpdir2, 0700, getuid(), 0);
+                                        selinux_relabel_path(pamtmpdir2, pamtmpdir2);
+                                        fs_logger2("mkdir", pamtmpdir2);
+                                        EUID_USER();
+                                }
+                                free(pamtmpdir1);
+                                free(pamtmpdir2);
+                        }
+                }
+
+                // restore user home directory if it is masked by the tmpfs
+                // creates path owned by root
+                // does nothing if user home directory doesn't exist
+                whitelist_file(&topdirs[i], cfg.homedir);
+        }
+
+        // user home directory
+        if (tmpfs_home)
+                fs_private(); // checks owner if outside /home
+
+        // /run/user/$UID directory
+        if (tmpfs_runuser) {
+                fs_tmpfs(runuser, 0);
+                selinux_relabel_path(runuser, runuser);
+        }
+}
+
+static int reject_topdir(const char *dir) {
+        if (!whitelist_reject_topdirs)
+                return 0;
+
+        size_t i;
+        for (i = 0; whitelist_reject_topdirs[i]; i++) {
+                if (strcmp(dir, whitelist_reject_topdirs[i]) == 0)
+                        return 1;
+        }
+        return 0;
+}
+
+// keep track of whitelist top level directories by adding them to an array
+// open each directory
+static TopDir *add_topdir(const char *dir, TopDir *topdirs, const char *path) {
+        EUID_ASSERT();
+        assert(dir && path);
+
+        // /proc and /sys are not allowed
+        if (strcmp(dir, "/") == 0 ||
+            strcmp(dir, "/proc") == 0 ||
+            strcmp(dir, "/sys") == 0)
+                whitelist_error(path);
+
+        // whitelisting home directory is disabled if --private option is present
+        if (arg_private && strcmp(dir, cfg.homedir) == 0) {
+                if (arg_debug || arg_debug_whitelists)
+                        printf("Debug %d: skip %s - a private home dir is configured!\n", __LINE__, path);
+                return NULL;
+        }
+
+        // do nothing if directory doesn't exist
+        struct stat s;
+        if (lstat(dir, &s) != 0) {
+                if (arg_debug || arg_debug_whitelists)
+                        printf("Cannot access whitelist top level directory %s: %s\n", dir, strerror(errno));
+                return NULL;
+        }
+        // do nothing if directory is a link
+        if (!S_ISDIR(s.st_mode)) {
+                if (S_ISLNK(s.st_mode)) {
+                        fwarning("skipping whitelist %s because %s is a symbolic link\n", path, dir);
+                        return NULL;
+                }
+                whitelist_error(path);
+        }
+        // do nothing if directory is disabled by administrator
+        if (reject_topdir(dir)) {
+                fmessage("Whitelist top level directory %s is disabled in Firejail configuration file\n", dir);
+                return NULL;
+        }
+
+        // add directory to array
+        if (arg_debug || arg_debug_whitelists)
+                printf("Adding whitelist top level directory %s\n", dir);
+        static int cnt = 0;
+        if (cnt >= TOP_MAX) {
+                fprintf(stderr, "Error: too many whitelist top level directories\n");
+                exit(1);
+        }
+        TopDir *rv = topdirs + cnt;
+        cnt++;
+
+        rv->path = strdup(dir);
+        if (!rv->path)
+                errExit("strdup");
+
+        // open the directory, don't follow symbolic links
+        rv->fd = safer_openat(-1, dir, O_PATH|O_NOFOLLOW|O_DIRECTORY|O_CLOEXEC);
+        if (rv->fd == -1) {
+                fprintf(stderr, "Error: cannot open %s\n", dir);
+                exit(1);
+        }
+
+        return rv;
+}
+
+static TopDir *have_topdir(const char *dir, TopDir *topdirs) {
+        assert(dir);
+
+        int i;
+        for (i = 0; i < TOP_MAX; i++) {
+                TopDir *rv = topdirs + i;
+                if (!rv->path)
+                        break;
+                if (strcmp(dir, rv->path) == 0)
+                        return rv;
+        }
+        return NULL;
+}
+
+static char *extract_topdir(const char *path) {
+        assert(path);
+
+        char *dup = strdup(path);
+        if (!dup)
+                errExit("strdup");
+
+        // user home directory can be anywhere; disconnect user home
+        // whitelisting from top level directory whitelisting
+        // by treating user home as separate whitelist top level directory
+        if (strncmp(dup, cfg.homedir, homedir_len) == 0 && dup[homedir_len] == '/')
+                dup[homedir_len] = '\0';
+        // /run/user/$UID is treated as top level directory
+        else if (strncmp(dup, runuser, runuser_len) == 0 && dup[runuser_len] == '/')
+                dup[runuser_len] = '\0';
+        // whitelisting in /sys is not allowed, but /sys/module is an exception
+        // and is treated as top level directory here
+        else if (strncmp(dup, "/sys/module", 11) == 0 && dup[11] == '/')
+                dup[11] = '\0';
+        // treat /usr subdirectories as top level directories
+        else if (strncmp(dup, "/usr/", 5) == 0) {
+                char *p = strchr(dup+5, '/');
+                if (!p)
+                        whitelist_error(path);
+                *p = '\0';
+        }
+        // all other top level directories
+        else {
+                assert(dup[0] == '/');
+                char *p = strchr(dup+1, '/');
+                if (!p)
+                        whitelist_error(path);
+                *p = '\0';
+        }
+
+        return dup;
+}
 
 void fs_whitelist(void) {
+        EUID_ASSERT();
+
         ProfileEntry *entry = cfg.profile;
         if (!entry)
                 return;
@@ -389,29 +561,17 @@ void fs_whitelist(void) {
         runuser_len = strlen(runuser);
         homedir_len = strlen(cfg.homedir);
 
-        char *new_name = NULL;
-        int home_dir = 0;       // /home/user directory flag
-        int tmp_dir = 0;        // /tmp directory flag
-        int media_dir = 0;      // /media directory flag
-        int mnt_dir = 0;        // /mnt directory flag
-        int var_dir = 0;                // /var directory flag
-        int dev_dir = 0;                // /dev directory flag
-        int opt_dir = 0;                // /opt directory flag
-        int srv_dir = 0;                // /srv directory flag
-        int etc_dir = 0;                // /etc directory flag
-        int share_dir = 0;                // /usr/share directory flag
-        int module_dir = 0;                // /sys/module directory flag
-        int run_dir = 0;                // /run/user/$uid directory flag
-
         size_t nowhitelist_c = 0;
         size_t nowhitelist_m = 32;
         char **nowhitelist = calloc(nowhitelist_m, sizeof(*nowhitelist));
         if (nowhitelist == NULL)
-                errExit("failed allocating memory for nowhitelist entries");
+                errExit("calloc");
+
+        TopDir *topdirs = calloc(TOP_MAX, sizeof(*topdirs));
+        if (topdirs == NULL)
+                errExit("calloc");
 
         // verify whitelist files, extract symbolic links, etc.
-        EUID_USER();
-        struct stat s;
         while (entry) {
                 int nowhitelist_flag = 0;
 
@@ -424,48 +584,76 @@ void fs_whitelist(void) {
                         entry = entry->next;
                         continue;
                 }
-                char *dataptr = (nowhitelist_flag)? entry->data + 12: entry->data + 10;
-
-                // replace ~/ or ${HOME} into /home/username or resolve macro
-                new_name = expand_macros(dataptr);
-                assert(new_name);
-
-                // mount empty home directory if resolving the macro was not successful
-                if (is_macro(new_name) && macro_id(new_name) > -1) {
-                        // no warning if home does not exist (e.g. in a chroot)
-                        if (stat(cfg.homedir, &s) == 0 && !nowhitelist_flag && !arg_private) {
-                                home_dir = 1;
-                                if (!arg_quiet) {
-                                        fprintf(stderr, "***\n");
-                                        fprintf(stderr, "*** Warning: cannot whitelist %s directory\n", new_name);
-                                        fprintf(stderr, "*** Any file saved in this directory will be lost when the sandbox is closed.\n");
-                                        fprintf(stderr, "***\n");
-                                }
+                if (arg_debug || arg_debug_whitelists)
+                        printf("Debug %d: %s\n", __LINE__, entry->data);
+
+                const char *dataptr = (nowhitelist_flag)? entry->data + 12: entry->data + 10;
+
+                // replace ~ into /home/username or resolve macro
+                char *expanded = expand_macros(dataptr);
+
+                // check if respolving the macro was successful
+                if (is_macro(expanded) && macro_id(expanded) > -1) {
+                        if (!nowhitelist_flag && (have_topdir(cfg.homedir, topdirs) || add_topdir(cfg.homedir, topdirs, expanded)) && !arg_quiet) {
+                                fprintf(stderr, "***\n");
+                                fprintf(stderr, "*** Warning: cannot whitelist %s directory\n", expanded);
+                                fprintf(stderr, "*** Any file saved in this directory will be lost when the sandbox is closed.\n");
+                                fprintf(stderr, "***\n");
                         }
-                        entry->data = EMPTY_STRING;
                         entry = entry->next;
-                        free(new_name);
+                        free(expanded);
                         continue;
                 }
 
-                // remove trailing slashes and single dots
-                if (!nowhitelist_flag)
-                        trim_trailing_slash_or_dot(new_name);
+                if (arg_debug || arg_debug_whitelists)
+                        printf("Debug %d: expanded: %s\n", __LINE__, expanded);
+
+                // path should be absolute at this point
+                if (expanded[0] != '/')
+                        whitelist_error(expanded);
+
+                // sane pathname
+                char *new_name = clean_pathname(expanded);
+                free(expanded);
 
                 if (arg_debug || arg_debug_whitelists)
-                        fprintf(stderr, "Debug %d: new_name #%s#, %s\n", __LINE__, new_name, (nowhitelist_flag)? "nowhitelist": "whitelist");
+                        printf("Debug %d: new_name: %s\n", __LINE__, new_name);
+
+                if (strstr(new_name, ".."))
+                        whitelist_error(new_name);
 
-                // valid path referenced to filesystem root
-                if (*new_name != '/') {
+                TopDir *current_top = NULL;
+                if (!nowhitelist_flag) {
+                        // extract whitelist top level directory
+                        char *dir = extract_topdir(new_name);
                         if (arg_debug || arg_debug_whitelists)
-                                fprintf(stderr, "Debug %d: \n", __LINE__);
-                        goto errexit;
+                                printf("Debug %d: dir: %s\n", __LINE__, dir);
+
+                        // check if this top level directory has been processed already
+                        current_top = have_topdir(dir, topdirs);
+                        if (!current_top) { // got new top level directory
+                                current_top = add_topdir(dir, topdirs, new_name);
+                                if (!current_top) { // skip this command, top level directory not valid
+                                        entry = entry->next;
+                                        free(new_name);
+                                        free(dir);
+                                        continue;
+                                }
+                        }
+                        free(dir);
+                }
+
+                // /run/firejail directory is internal and not allowed
+                if (strncmp(new_name, RUN_FIREJAIL_DIR, strlen(RUN_FIREJAIL_DIR)) == 0) {
+                        entry = entry->next;
+                        free(new_name);
+                        continue;
                 }
 
-                // extract the absolute path of the file
+                // extract resolved path of the file
                 // realpath function will fail with ENOENT if the file is not found or with EACCES if user has no permission
                 // special processing for /dev/fd, /dev/stdin, /dev/stdout and /dev/stderr
-                char *fname;
+                char *fname = NULL;
                 if (strcmp(new_name, "/dev/fd") == 0)
                         fname = strdup("/proc/self/fd");
                 else if (strcmp(new_name, "/dev/stdin") == 0)
@@ -477,60 +665,34 @@ void fs_whitelist(void) {
                 else
                         fname = realpath(new_name, NULL);
 
-                // if this is not a real path, let's try globbing
-                // mark this entry as EMPTY_STRING and push the new paths at the end of profile entry list
-                // the new profile entries will be processed in this loop
-                // currently there is no globbing support for nowhitelist
-                if (!fname && !nowhitelist_flag)
-                        globbing(new_name);
-
                 if (!fname) {
-                        // file not found, blank the entry in the list and continue
                         if (arg_debug || arg_debug_whitelists) {
-                                printf("Removed whitelist/nowhitelist path: %s\n", entry->data);
-                                printf("\texpanded: %s\n", new_name);
-                                printf("\treal path: (null)\n");
-                                printf("\t");fflush(0);
-                                perror("realpath");
+                                printf("Removed path: %s\n", entry->data);
+                                printf("\tnew_name: %s\n", new_name);
+                                printf("\trealpath: (null)\n");
+                                printf("\t%s\n", strerror(errno));
                         }
 
-                        // if 1 the file was not found; mount an empty directory
                         if (!nowhitelist_flag) {
-                                if (strncmp(new_name, cfg.homedir, homedir_len) == 0 && new_name[homedir_len] == '/') {
-                                        if(!arg_private)
-                                                home_dir = 1;
-                                }
-                                else if (strncmp(new_name, "/tmp/", 5) == 0)
-                                        tmp_dir = 1;
-                                else if (strncmp(new_name, "/media/", 7) == 0)
-                                        media_dir = 1;
-                                else if (strncmp(new_name, "/mnt/", 5) == 0)
-                                        mnt_dir = 1;
-                                else if (strncmp(new_name, "/var/", 5) == 0)
-                                        var_dir = 1;
-                                else if (strncmp(new_name, "/dev/", 5) == 0)
-                                        dev_dir = 1;
-                                else if (strncmp(new_name, "/opt/", 5) == 0)
-                                        opt_dir = 1;
-                                else if (strncmp(new_name, "/srv/", 5) == 0)
-                                        srv_dir = 1;
-                                else if (strncmp(new_name, "/etc/", 5) == 0)
-                                        etc_dir = 1;
-                                else if (strncmp(new_name, "/usr/share/", 11) == 0)
-                                        share_dir = 1;
-                                else if (strncmp(new_name, "/sys/module/", 12) == 0)
-                                        module_dir = 1;
-                                else if (strncmp(new_name, runuser, runuser_len) == 0 && new_name[runuser_len] == '/')
-                                        run_dir = 1;
+                                // if this is not a real path, let's try globbing
+                                // push the new paths at the end of profile entry list
+                                // the new profile entries will be processed in this loop
+                                // currently there is no globbing support for nowhitelist
+                                globbing(new_name);
                         }
 
-                        entry->data = EMPTY_STRING;
                         entry = entry->next;
                         free(new_name);
                         continue;
                 }
-                else if (arg_debug_whitelists)
-                        printf("real path %s\n", fname);
+
+                // /run/firejail directory is internal and not allowed
+                if (strncmp(fname, RUN_FIREJAIL_DIR, strlen(RUN_FIREJAIL_DIR)) == 0) {
+                        entry = entry->next;
+                        free(new_name);
+                        free(fname);
+                        continue;
+                }
 
                 if (nowhitelist_flag) {
                         // store the path in nowhitelist array
@@ -544,175 +706,12 @@ void fs_whitelist(void) {
                                         errExit("failed increasing memory for nowhitelist entries");
                         }
                         nowhitelist[nowhitelist_c++] = fname;
-                        entry->data = EMPTY_STRING;
                         entry = entry->next;
                         free(new_name);
                         continue;
                 }
-
-                // check for supported directories
-                if (strncmp(new_name, cfg.homedir, homedir_len) == 0 && new_name[homedir_len] == '/') {
-                        // whitelisting home directory is disabled if --private option is present
-                        if (arg_private) {
-                                if (arg_debug || arg_debug_whitelists)
-                                        printf("\"%s\" disabled by --private\n", entry->data);
-
-                                entry->data = EMPTY_STRING;
-                                entry = entry->next;
-                                free(fname);
-                                free(new_name);
-                                continue;
-                        }
-
-                        entry->wldir = WLDIR_HOME;
-                        home_dir = 1;
-                        if (arg_debug || arg_debug_whitelists)
-                                fprintf(stderr, "Debug %d: fname #%s#, cfg.homedir #%s#\n",
-                                        __LINE__, fname, cfg.homedir);
-
-                        // both path and absolute path are in user home,
-                        // if not check if the symlink destination is owned by the user
-                        if (strncmp(fname, cfg.homedir, homedir_len) != 0 || fname[homedir_len] != '/') {
-                                if (checkcfg(CFG_FOLLOW_SYMLINK_AS_USER)) {
-                                        if (stat(fname, &s) == 0 && s.st_uid != getuid()) {
-                                                free(fname);
-                                                goto errexit;
-                                        }
-                                }
-                        }
-                }
-                else if (strncmp(new_name, "/tmp/", 5) == 0) {
-                        entry->wldir = WLDIR_TMP;
-                        tmp_dir = 1;
-
-                        // both path and absolute path are under /tmp
-                        if (strncmp(fname, "/tmp/", 5) != 0) {
-                                free(fname);
-                                goto errexit;
-                        }
-                }
-                else if (strncmp(new_name, "/media/", 7) == 0) {
-                        entry->wldir = WLDIR_MEDIA;
-                        media_dir = 1;
-                        // both path and absolute path are under /media
-                        if (strncmp(fname, "/media/", 7) != 0) {
-                                free(fname);
-                                goto errexit;
-                        }
-                }
-                else if (strncmp(new_name, "/mnt/", 5) == 0) {
-                        entry->wldir = WLDIR_MNT;
-                        mnt_dir = 1;
-                        // both path and absolute path are under /mnt
-                        if (strncmp(fname, "/mnt/", 5) != 0) {
-                                free(fname);
-                                goto errexit;
-                        }
-                }
-                else if (strncmp(new_name, "/var/", 5) == 0) {
-                        entry->wldir = WLDIR_VAR;
-                        var_dir = 1;
-                        // both path and absolute path are under /var
-                        // exceptions: /var/tmp, /var/run and /var/lock
-                        if (strcmp(new_name, "/var/run")== 0 && strcmp(fname, "/run") == 0);
-                        else if (strcmp(new_name, "/var/lock")== 0 && strcmp(fname, "/run/lock") == 0);
-                        else if (strcmp(new_name, "/var/tmp")== 0 && strcmp(fname, "/tmp") == 0);
-                        else {
-                                // both path and absolute path are under /var
-                                if (strncmp(fname, "/var/", 5) != 0) {
-                                        free(fname);
-                                        goto errexit;
-                                }
-                        }
-                }
-                else if (strncmp(new_name, "/dev/", 5) == 0) {
-                        entry->wldir = WLDIR_DEV;
-                        dev_dir = 1;
-                        // special handling for /dev/shm
-                        // on some platforms (Debian wheezy, Ubuntu 14.04), it is a symlink to /run/shm
-                        if (strcmp(new_name, "/dev/shm") == 0 && strcmp(fname, "/run/shm") == 0);
-                        // special handling for /dev/log, which can be a symlink to /run/systemd/journal/dev-log
-                        else if (strcmp(new_name, "/dev/log") == 0 && strcmp(fname, "/run/systemd/journal/dev-log") == 0);
-                        // special processing for /proc/self/fd files
-                        else if (strcmp(new_name, "/dev/fd") == 0 && strcmp(fname, "/proc/self/fd") == 0);
-                        else if (strcmp(new_name, "/dev/stdin") == 0 && strcmp(fname, "/proc/self/fd/0") == 0);
-                        else if (strcmp(new_name, "/dev/stdout") == 0 && strcmp(fname, "/proc/self/fd/1") == 0);
-                        else if (strcmp(new_name, "/dev/stderr") == 0 && strcmp(fname, "/proc/self/fd/2") == 0);
-                        else {
-                                // both path and absolute path are under /dev
-                                if (strncmp(fname, "/dev/", 5) != 0) {
-                                        free(fname);
-                                        goto errexit;
-                                }
-                        }
-                }
-                else if (strncmp(new_name, "/opt/", 5) == 0) {
-                        entry->wldir = WLDIR_OPT;
-                        opt_dir = 1;
-                        // both path and absolute path are under /dev
-                        if (strncmp(fname, "/opt/", 5) != 0) {
-                                free(fname);
-                                goto errexit;
-                        }
-                }
-                else if (strncmp(new_name, "/srv/", 5) == 0) {
-                        entry->wldir = WLDIR_SRV;
-                        srv_dir = 1;
-                        // both path and absolute path are under /srv
-                        if (strncmp(fname, "/srv/", 5) != 0) {
-                                free(fname);
-                                goto errexit;
-                        }
-                }
-                else if (strncmp(new_name, "/etc/", 5) == 0) {
-                        entry->wldir = WLDIR_ETC;
-                        etc_dir = 1;
-                        // special handling for some of the symlinks
-                        if (strcmp(new_name, "/etc/localtime") == 0);
-                        else if (strcmp(new_name, "/etc/mtab") == 0);
-                        else if (strcmp(new_name, "/etc/os-release") == 0);
-                        // both path and absolute path are under /etc
-                        else {
-                                if (strncmp(fname, "/etc/", 5) != 0) {
-                                        free(fname);
-                                        goto errexit;
-                                }
-                        }
-                }
-                else if (strncmp(new_name, "/usr/share/", 11) == 0) {
-                        entry->wldir = WLDIR_SHARE;
-                        share_dir = 1;
-                        // both path and absolute path are under /etc
-                        if (strncmp(fname, "/usr/share/", 11) != 0) {
-                                free(fname);
-                                goto errexit;
-                        }
-                }
-                else if (strncmp(new_name, "/sys/module/", 12) == 0) {
-                        entry->wldir = WLDIR_MODULE;
-                        module_dir = 1;
-                        // both path and absolute path are under /sys/module
-                        if (strncmp(fname, "/sys/module/", 12) != 0) {
-                                free(fname);
-                                goto errexit;
-                        }
-                }
-                else if (strncmp(new_name, runuser, runuser_len) == 0 && new_name[runuser_len] == '/') {
-                        entry->wldir = WLDIR_RUN;
-                        run_dir = 1;
-                        // both path and absolute path are under /run/user/$uid
-                        if (strncmp(fname, runuser, runuser_len) != 0 || fname[runuser_len] != '/') {
-                                free(fname);
-                                goto errexit;
-                        }
-                }
                 else {
-                        free(fname);
-                        goto errexit;
-                }
-
-                // check if the path is in nowhitelist array
-                if (nowhitelist_flag == 0) {
+                        // check if the path is in nowhitelist array
                         size_t i;
                         int found = 0;
                         for (i = 0; i < nowhitelist_c; i++) {
@@ -726,494 +725,70 @@ void fs_whitelist(void) {
                         if (found) {
                                 if (arg_debug || arg_debug_whitelists)
                                         printf("Skip nowhitelisted path %s\n", fname);
-                                entry->data = EMPTY_STRING;
                                 entry = entry->next;
-                                free(fname);
                                 free(new_name);
+                                free(fname);
                                 continue;
                         }
                 }
 
-                // mark symbolic links
-                if (is_link(new_name))
-                        entry->link = new_name;
-                else {
-                        free(new_name);
-                        entry->link = NULL;
-                }
-
-                // change file name in entry->data
-                if (strcmp(fname, entry->data + 10) != 0) {
-                        char *newdata;
-                        if (asprintf(&newdata, "whitelist %s", fname) == -1)
-                                errExit("asprintf");
-                        entry->data = newdata;
-                        if (arg_debug || arg_debug_whitelists)
-                                printf("Replaced whitelist path: %s\n", entry->data);
-                }
-                free(fname);
-                entry = entry->next;
-        }
-
-        // release nowhitelist memory
-        assert(nowhitelist);
-        free(nowhitelist);
-
-        EUID_ROOT();
-        // /tmp mountpoint
-        if (tmp_dir) {
-                // check if /tmp directory exists
-                if (stat("/tmp", &s) == 0) {
-                        // keep a copy of real /tmp directory in RUN_WHITELIST_TMP_DIR
-                        mkdir_attr(RUN_WHITELIST_TMP_DIR, 1777, 0, 0);
-                        if (mount("/tmp", RUN_WHITELIST_TMP_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
-                                errExit("mount bind");
-
-                        // mount tmpfs on /tmp
-                        if (arg_debug || arg_debug_whitelists)
-                                printf("Mounting tmpfs on /tmp directory\n");
-                        if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME,  "mode=1777,gid=0") < 0)
-                                errExit("mounting tmpfs on /tmp");
-                        selinux_relabel_path("/tmp", "/tmp");
-                        fs_logger("tmpfs /tmp");
-
-                        // pam-tmpdir - issue #2685
-                        const char *env = env_get("TMP");
-                        if (env) {
-                                char *pamtmpdir;
-                                if (asprintf(&pamtmpdir, "/tmp/user/%u", getuid()) == -1)
-                                        errExit("asprintf");
-                                if (strcmp(env, pamtmpdir) == 0) {
-                                        // create empty user-owned /tmp/user/$uid directory
-                                        mkdir_attr("/tmp/user", 0711, 0, 0);
-                                        selinux_relabel_path("/tmp/user", "/tmp/user");
-                                        fs_logger("mkdir /tmp/user");
-                                        mkdir_attr(pamtmpdir, 0700, getuid(), 0);
-                                        selinux_relabel_path(pamtmpdir, pamtmpdir);
-                                        fs_logger2("mkdir", pamtmpdir);
-                                }
-                                free(pamtmpdir);
-                        }
-
-                        // autowhitelist home directory if it is masked by the tmpfs
-                        if (strncmp(cfg.homedir, "/tmp/", 5) == 0)
-                                whitelist_home(WLDIR_TMP);
-                }
-                else
-                        tmp_dir = 0;
-        }
-
-        // /media mountpoint
-        if (media_dir) {
-                // some distros don't have a /media directory
-                if (stat("/media", &s) == 0) {
-                        // keep a copy of real /media directory in RUN_WHITELIST_MEDIA_DIR
-                        mkdir_attr(RUN_WHITELIST_MEDIA_DIR, 0755, 0, 0);
-                        if (mount("/media", RUN_WHITELIST_MEDIA_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
-                                errExit("mount bind");
-
-                        // mount tmpfs on /media
-                        if (arg_debug || arg_debug_whitelists)
-                                printf("Mounting tmpfs on /media directory\n");
-                        if (mount("tmpfs", "/media", "tmpfs", MS_NOSUID | MS_STRICTATIME,  "mode=755,gid=0") < 0)
-                                errExit("mounting tmpfs on /media");
-                        selinux_relabel_path("/media", "/media");
-                        fs_logger("tmpfs /media");
-
-                        // autowhitelist home directory if it is masked by the tmpfs
-                        if (strncmp(cfg.homedir, "/media/", 7) == 0)
-                                whitelist_home(WLDIR_MEDIA);
-                }
-                else
-                        media_dir = 0;
-        }
-
-        // /mnt mountpoint
-        if (mnt_dir) {
-                // check if /mnt directory exists
-                if (stat("/mnt", &s) == 0) {
-                        // keep a copy of real /mnt directory in RUN_WHITELIST_MNT_DIR
-                        mkdir_attr(RUN_WHITELIST_MNT_DIR, 0755, 0, 0);
-                        if (mount("/mnt", RUN_WHITELIST_MNT_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
-                                errExit("mount bind");
-
-                        // mount tmpfs on /mnt
-                        if (arg_debug || arg_debug_whitelists)
-                                printf("Mounting tmpfs on /mnt directory\n");
-                        if (mount("tmpfs", "/mnt", "tmpfs", MS_NOSUID | MS_STRICTATIME,  "mode=755,gid=0") < 0)
-                                errExit("mounting tmpfs on /mnt");
-                        selinux_relabel_path("/mnt", "/mnt");
-                        fs_logger("tmpfs /mnt");
-
-                        // autowhitelist home directory if it is masked by the tmpfs
-                        if (strncmp(cfg.homedir, "/mnt/", 5) == 0)
-                                whitelist_home(WLDIR_MNT);
-                }
-                else
-                        mnt_dir = 0;
-        }
-
-        // /var mountpoint
-        if (var_dir) {
-                // check if /var directory exists
-                if (stat("/var", &s) == 0) {
-                        // keep a copy of real /var directory in RUN_WHITELIST_VAR_DIR
-                        mkdir_attr(RUN_WHITELIST_VAR_DIR, 0755, 0, 0);
-                        if (mount("/var", RUN_WHITELIST_VAR_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
-                                errExit("mount bind");
+                // attach whitelist parameters to profile entry
+                entry->wparam = calloc(1, sizeof(struct wparam_t));
+                if (!entry->wparam)
+                        errExit("calloc");
 
-                        // mount tmpfs on /var
-                        if (arg_debug || arg_debug_whitelists)
-                                printf("Mounting tmpfs on /var directory\n");
-                        if (mount("tmpfs", "/var", "tmpfs", MS_NOSUID | MS_STRICTATIME,  "mode=755,gid=0") < 0)
-                                errExit("mounting tmpfs on /var");
-                        selinux_relabel_path("/var", "/var");
-                        fs_logger("tmpfs /var");
-
-                        // autowhitelist home directory if it is masked by the tmpfs
-                        if (strncmp(cfg.homedir, "/var/", 5) == 0)
-                                whitelist_home(WLDIR_VAR);
-                }
-                else
-                        var_dir = 0;
-        }
-
-        // /dev mountpoint
-        if (dev_dir) {
-                // check if /dev directory exists
-                if (stat("/dev", &s) == 0) {
-                        // keep a copy of real /dev directory in RUN_WHITELIST_DEV_DIR
-                        mkdir_attr(RUN_WHITELIST_DEV_DIR, 0755, 0, 0);
-                        if (mount("/dev", RUN_WHITELIST_DEV_DIR, NULL, MS_BIND|MS_REC,  "mode=755,gid=0") < 0)
-                                errExit("mount bind");
-
-                        // mount tmpfs on /dev
-                        if (arg_debug || arg_debug_whitelists)
-                                printf("Mounting tmpfs on /dev directory\n");
-                        if (mount("tmpfs", "/dev", "tmpfs", MS_NOSUID | MS_STRICTATIME,  "mode=755,gid=0") < 0)
-                                errExit("mounting tmpfs on /dev");
-                        selinux_relabel_path("/dev", "/dev");
-                        fs_logger("tmpfs /dev");
-
-                        // autowhitelist home directory if it is masked by the tmpfs
-                        if (strncmp(cfg.homedir, "/dev/", 5) == 0)
-                                whitelist_home(WLDIR_DEV);
-                }
-                else
-                        dev_dir = 0;
-        }
-
-        // /opt mountpoint
-        if (opt_dir) {
-                // check if /opt directory exists
-                if (stat("/opt", &s) == 0) {
-                        // keep a copy of real /opt directory in RUN_WHITELIST_OPT_DIR
-                        mkdir_attr(RUN_WHITELIST_OPT_DIR, 0755, 0, 0);
-                        if (mount("/opt", RUN_WHITELIST_OPT_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
-                                errExit("mount bind");
-
-                        // mount tmpfs on /opt
-                        if (arg_debug || arg_debug_whitelists)
-                                printf("Mounting tmpfs on /opt directory\n");
-                        if (mount("tmpfs", "/opt", "tmpfs", MS_NOSUID | MS_STRICTATIME,  "mode=755,gid=0") < 0)
-                                errExit("mounting tmpfs on /opt");
-                        selinux_relabel_path("/opt", "/opt");
-                        fs_logger("tmpfs /opt");
-
-                        // autowhitelist home directory if it is masked by the tmpfs
-                        if (strncmp(cfg.homedir, "/opt/", 5) == 0)
-                                whitelist_home(WLDIR_OPT);
-                }
-                else
-                        opt_dir = 0;
-        }
-
-        // /srv mountpoint
-        if (srv_dir) {
-                // check if /srv directory exists
-                if (stat("/srv", &s) == 0) {
-                        // keep a copy of real /srv directory in RUN_WHITELIST_SRV_DIR
-                        mkdir_attr(RUN_WHITELIST_SRV_DIR, 0755, 0, 0);
-                        if (mount("/srv", RUN_WHITELIST_SRV_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
-                                errExit("mount bind");
-
-                        // mount tmpfs on /srv
-                        if (arg_debug || arg_debug_whitelists)
-                                printf("Mounting tmpfs on /srv directory\n");
-                        if (mount("tmpfs", "/srv", "tmpfs", MS_NOSUID | MS_STRICTATIME,  "mode=755,gid=0") < 0)
-                                errExit("mounting tmpfs on /srv");
-                        selinux_relabel_path("/srv", "/srv");
-                        fs_logger("tmpfs /srv");
-
-                        // autowhitelist home directory if it is masked by the tmpfs
-                        if (strncmp(cfg.homedir, "/srv/", 5) == 0)
-                                whitelist_home(WLDIR_SRV);
-                }
-                else
-                        srv_dir = 0;
-        }
-
-        // /etc mountpoint
-        if (etc_dir) {
-                // check if /etc directory exists
-                if (stat("/etc", &s) == 0) {
-                        // keep a copy of real /etc directory in RUN_WHITELIST_ETC_DIR
-                        mkdir_attr(RUN_WHITELIST_ETC_DIR, 0755, 0, 0);
-                        if (mount("/etc", RUN_WHITELIST_ETC_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
-                                errExit("mount bind");
-
-                        // mount tmpfs on /etc
-                        if (arg_debug || arg_debug_whitelists)
-                                printf("Mounting tmpfs on /etc directory\n");
-                        if (mount("tmpfs", "/etc", "tmpfs", MS_NOSUID | MS_STRICTATIME,  "mode=755,gid=0") < 0)
-                                errExit("mounting tmpfs on /etc");
-                        selinux_relabel_path("/etc", "/etc");
-                        fs_logger("tmpfs /etc");
-
-                        // autowhitelist home directory if it is masked by the tmpfs
-                        if (strncmp(cfg.homedir, "/etc/", 5) == 0)
-                                whitelist_home(WLDIR_ETC);
-                }
-                else
-                        etc_dir = 0;
-        }
-
-        // /usr/share mountpoint
-        if (share_dir) {
-                // check if /usr/share directory exists
-                if (stat("/usr/share", &s) == 0) {
-                        // keep a copy of real /usr/share directory in RUN_WHITELIST_ETC_DIR
-                        mkdir_attr(RUN_WHITELIST_SHARE_DIR, 0755, 0, 0);
-                        if (mount("/usr/share", RUN_WHITELIST_SHARE_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
-                                errExit("mount bind");
-
-                        // mount tmpfs on /srv
-                        if (arg_debug || arg_debug_whitelists)
-                                printf("Mounting tmpfs on /usr/share directory\n");
-                        if (mount("tmpfs", "/usr/share", "tmpfs", MS_NOSUID | MS_STRICTATIME,  "mode=755,gid=0") < 0)
-                                errExit("mounting tmpfs on /usr/share");
-                        selinux_relabel_path("/usr/share", "/usr/share");
-                        fs_logger("tmpfs /usr/share");
-
-                        // autowhitelist home directory if it is masked by the tmpfs
-                        if (strncmp(cfg.homedir, "/usr/share/", 11) == 0)
-                                whitelist_home(WLDIR_SHARE);
-                }
-                else
-                        share_dir = 0;
-        }
-
-        // /sys/module mountpoint
-        if (module_dir) {
-                // check if /sys/module directory exists
-                if (stat("/sys/module", &s) == 0) {
-                        // keep a copy of real /sys/module directory in RUN_WHITELIST_MODULE_DIR
-                        mkdir_attr(RUN_WHITELIST_MODULE_DIR, 0755, 0, 0);
-                        if (mount("/sys/module", RUN_WHITELIST_MODULE_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
-                                errExit("mount bind");
+                assert(current_top);
+                entry->wparam->top = current_top;
+                entry->wparam->file = fname;
 
-                        // mount tmpfs on /sys/module
-                        if (arg_debug || arg_debug_whitelists)
-                                printf("Mounting tmpfs on /sys/module directory\n");
-                        if (mount("tmpfs", "/sys/module", "tmpfs", MS_NOSUID | MS_STRICTATIME,  "mode=755,gid=0") < 0)
-                                errExit("mounting tmpfs on /sys/module");
-                        selinux_relabel_path("/sys/module", "/sys/module");
-                        fs_logger("tmpfs /sys/module");
-                }
+                // mark link
+                if (is_link(new_name))
+                        entry->wparam->link = new_name;
                 else
-                        module_dir = 0;
-        }
-
-        // /run/user/$uid mountpoint
-        if (run_dir) {
-                // check if /run/user/$uid directory exists
-                if (stat(runuser, &s) == 0) {
-                        // keep a copy of real /run/user/$uid directory in RUN_WHITELIST_RUN_USER_DIR
-                        mkdir_attr(RUN_WHITELIST_RUN_USER_DIR, 0700, getuid(), getgid());
-                        if (mount(runuser, RUN_WHITELIST_RUN_USER_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
-                                errExit("mount bind");
+                        free(new_name);
 
-                        // mount tmpfs on /run/user/$uid
-                        if (arg_debug || arg_debug_whitelists)
-                                printf("Mounting tmpfs on %s directory\n", runuser);
-                        char *options;
-                        if (asprintf(&options, "mode=700,uid=%u,gid=%u", getuid(), getgid()) == -1)
-                                errExit("asprintf");
-                        if (mount("tmpfs", runuser, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, options) < 0)
-                                errExit("mounting tmpfs on /run/user/<uid>");
-                        selinux_relabel_path(runuser, runuser);
-                        free(options);
-                        fs_logger2("tmpfs", runuser);
-
-                        // autowhitelist home directory if it is masked by the tmpfs
-                        if (strncmp(cfg.homedir, runuser, runuser_len) == 0 && cfg.homedir[runuser_len] == '/')
-                                whitelist_home(WLDIR_RUN);
-                }
-                else
-                        run_dir = 0;
+                entry = entry->next;
         }
 
-        // home mountpoint
-        if (home_dir) {
-                // check if home directory exists
-                if (stat(cfg.homedir, &s) == 0) {
-                        // keep a copy of real home dir in RUN_WHITELIST_HOME_USER_DIR
-                        mkdir_attr(RUN_WHITELIST_HOME_USER_DIR, 0755, getuid(), getgid());
-                        int fd = safe_fd(cfg.homedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
-                        if (fd == -1)
-                                errExit("safe_fd");
-                        char *proc;
-                        if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
-                                errExit("asprintf");
-                        if (mount(proc, RUN_WHITELIST_HOME_USER_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
-                                errExit("mount bind");
-                        free(proc);
-                        close(fd);
-
-                        // mount a tmpfs and initialize home directory
-                        fs_private();
-                }
-                else
-                        home_dir = 0;
-        }
+        // mount tmpfs on all top level directories
+        tmpfs_topdirs(topdirs);
 
         // go through profile rules again, and interpret whitelist commands
         entry = cfg.profile;
         while (entry) {
-                // handle only whitelist commands
-                if (strncmp(entry->data, "whitelist ", 10)) {
-                        entry = entry->next;
-                        continue;
-                }
-
-//printf("here %d#%s#\n", __LINE__, entry->data);
-                // whitelist the real file
-                whitelist_path(entry);
-
-                // create the link if any
-                if (entry->link) {
-                        // if the link is already there, do not bother
-                        if (lstat(entry->link, &s) != 0) {
-                                // create the path if necessary
-                                // entry->link has no trailing slashes or single dots
-                                int fd = mkpath(entry->link, 0755);
-                                if (fd == -1) {
-                                        if (arg_debug || arg_debug_whitelists)
-                                                printf("Debug %d: cannot create symbolic link %s\n", __LINE__, entry->link);
-                                        free(entry->link);
-                                        entry->link = NULL;
-                                        entry = entry->next;
-                                        continue;
-                                }
-                                // get file name of symlink
-                                const char *file = gnu_basename(entry->link);
-                                // create the link
-                                int rv = symlinkat(entry->data + 10, fd, file);
-                                if (rv) {
-                                        if (arg_debug || arg_debug_whitelists) {
-                                                perror("symlink");
-                                                printf("Debug %d: cannot create symbolic link %s\n", __LINE__, entry->link);
-                                        }
-                                }
-                                else if (arg_debug || arg_debug_whitelists)
-                                        printf("Created symbolic link %s -> %s\n", entry->link, entry->data + 10);
-                                close(fd);
+                if (entry->wparam) {
+                        char *file = entry->wparam->file;
+                        char *link = entry->wparam->link;
+                        const TopDir * const current_top = entry->wparam->top;
+
+                        // top level directories of link and file can differ
+                        // will whitelist the file only if it is in same top level directory
+                        whitelist_file(current_top, file);
+
+                        // create the link if any
+                        if (link) {
+                                whitelist_symlink(current_top, link, file);
+                                free(link);
                         }
-                        free(entry->link);
-                        entry->link = NULL;
+
+                        free(file);
+                        free(entry->wparam);
+                        entry->wparam = NULL;
                 }
 
                 entry = entry->next;
         }
 
-        // mask the real home directory, currently mounted on RUN_WHITELIST_HOME_DIR
-        if (home_dir) {
-                if (mount("tmpfs", RUN_WHITELIST_HOME_USER_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME,  "mode=755,gid=0") < 0)
-                        errExit("mount tmpfs");
-                fs_logger2("tmpfs", RUN_WHITELIST_HOME_USER_DIR);
-        }
-
-        // mask the real /tmp directory, currently mounted on RUN_WHITELIST_TMP_DIR
-        if (tmp_dir) {
-                if (mount("tmpfs", RUN_WHITELIST_TMP_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME,  "mode=755,gid=0") < 0)
-                        errExit("mount tmpfs");
-                fs_logger2("tmpfs", RUN_WHITELIST_TMP_DIR);
-        }
-
-        // mask the real /var directory, currently mounted on RUN_WHITELIST_VAR_DIR
-        if (var_dir) {
-                if (mount("tmpfs", RUN_WHITELIST_VAR_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME,  "mode=755,gid=0") < 0)
-                        errExit("mount tmpfs");
-                fs_logger2("tmpfs", RUN_WHITELIST_VAR_DIR);
-        }
-
-        // mask the real /opt directory, currently mounted on RUN_WHITELIST_OPT_DIR
-        if (opt_dir) {
-                if (mount("tmpfs", RUN_WHITELIST_OPT_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME,  "mode=755,gid=0") < 0)
-                        errExit("mount tmpfs");
-                fs_logger2("tmpfs", RUN_WHITELIST_OPT_DIR);
-        }
-
-        // mask the real /dev directory, currently mounted on RUN_WHITELIST_DEV_DIR
-        if (dev_dir) {
-                if (mount("tmpfs", RUN_WHITELIST_DEV_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME,  "mode=755,gid=0") < 0)
-                        errExit("mount tmpfs");
-                fs_logger2("tmpfs", RUN_WHITELIST_DEV_DIR);
-        }
-
-        // mask the real /media directory, currently mounted on RUN_WHITELIST_MEDIA_DIR
-        if (media_dir) {
-                if (mount("tmpfs", RUN_WHITELIST_MEDIA_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME,  "mode=755,gid=0") < 0)
-                        errExit("mount tmpfs");
-                fs_logger2("tmpfs", RUN_WHITELIST_MEDIA_DIR);
-        }
-
-        // mask the real /mnt directory, currently mounted on RUN_WHITELIST_MNT_DIR
-        if (mnt_dir) {
-                if (mount("tmpfs", RUN_WHITELIST_MNT_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME,  "mode=755,gid=0") < 0)
-                        errExit("mount tmpfs");
-                fs_logger2("tmpfs", RUN_WHITELIST_MNT_DIR);
-        }
-
-        // mask the real /srv directory, currently mounted on RUN_WHITELIST_SRV_DIR
-        if (srv_dir) {
-                if (mount("tmpfs", RUN_WHITELIST_SRV_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME,  "mode=755,gid=0") < 0)
-                        errExit("mount tmpfs");
-                fs_logger2("tmpfs", RUN_WHITELIST_SRV_DIR);
-        }
-
-        // mask the real /etc directory, currently mounted on RUN_WHITELIST_ETC_DIR
-        if (etc_dir) {
-                if (mount("tmpfs", RUN_WHITELIST_ETC_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME,  "mode=755,gid=0") < 0)
-                        errExit("mount tmpfs");
-                fs_logger2("tmpfs", RUN_WHITELIST_ETC_DIR);
-        }
-
-        // mask the real /usr/share directory, currently mounted on RUN_WHITELIST_SHARE_DIR
-        if (share_dir) {
-                if (mount("tmpfs", RUN_WHITELIST_SHARE_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME,  "mode=755,gid=0") < 0)
-                        errExit("mount tmpfs");
-                fs_logger2("tmpfs", RUN_WHITELIST_SHARE_DIR);
-        }
-
-        // mask the real /sys/module directory, currently mounted on RUN_WHITELIST_MODULE_DIR
-        if (module_dir) {
-                if (mount("tmpfs", RUN_WHITELIST_MODULE_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME,  "mode=755,gid=0") < 0)
-                        errExit("mount tmpfs");
-                fs_logger2("tmpfs", RUN_WHITELIST_MODULE_DIR);
-        }
+        // release resources
+        size_t i;
+        for (i = 0; i < nowhitelist_c; i++)
+                free(nowhitelist[i]);
+        free(nowhitelist);
 
-        // mask the real /run/user/$uid directory, currently mounted on RUN_WHITELIST_RUN_USER_DIR
-        if (run_dir) {
-                if (mount("tmpfs", RUN_WHITELIST_RUN_USER_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME,  "mode=755,gid=0") < 0)
-                        errExit("mount tmpfs");
-                fs_logger2("tmpfs", RUN_WHITELIST_RUN_USER_DIR);
+        for (i = 0; i < TOP_MAX && topdirs[i].path; i++) {
+                free(topdirs[i].path);
+                close(topdirs[i].fd);
         }
-
+        free(topdirs);
         free(runuser);
-        return;
-
-errexit:
-        fprintf(stderr, "Error: invalid whitelist path %s\n", new_name);
-        exit(1);
 }
diff --git a/src/firejail/ids.c b/src/firejail/ids.c
new file mode 100644
index 000000000..fdb78d6e6
--- /dev/null
+++ b/src/firejail/ids.c
@@ -0,0 +1,89 @@
+/*
+ * Copyright (C) 2014-2022 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+#include "firejail.h"
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+
+
+static void ids_init(void) {
+        // store checksums as root in /var/lib/firejail/${USERNAME}.ids
+        char *fname;
+        if (asprintf(&fname, VARDIR"/%s.ids", cfg.username) == -1)
+                errExit("asprintf");
+
+        int rv = unlink(fname);
+        (void) rv;
+        int fd = open(fname, O_CREAT | O_TRUNC | O_WRONLY, 0600);
+        if (fd < 0) {
+                fprintf(stderr, "Error: cannot create %s\n", fname);
+                exit(1);
+        }
+
+        // redirect output
+        close(STDOUT_FILENO);
+        if (dup(fd) != STDOUT_FILENO)
+                errExit("dup");
+        close(fd);
+
+        sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 3, PATH_FIDS, "--init", cfg.homedir);
+}
+
+static void ids_check(void) {
+        // store checksums as root in /var/lib/firejail/${USERNAME}.ids
+        char *fname;
+        if (asprintf(&fname, VARDIR"/%s.ids", cfg.username) == -1)
+                errExit("asprintf");
+
+        int fd = open(fname, O_RDONLY);
+        if (fd < 0) {
+                fprintf(stderr, "Error: cannot open %s\n", fname);
+                exit(1);
+        }
+
+        // redirect input
+        close(STDIN_FILENO);
+        if (dup(fd) != STDIN_FILENO)
+                errExit("dup");
+        close(fd);
+
+        sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP| SBOX_ALLOW_STDIN, 3, PATH_FIDS, "--check", cfg.homedir);
+}
+
+void run_ids(int argc, char **argv) {
+        if (argc != 2) {
+                fprintf(stderr, "Error: only one IDS command expected\n");
+                exit(1);
+        }
+
+        EUID_ROOT();
+        struct stat s;
+        if (stat(VARDIR, &s)) // /var/lib/firejail
+                create_empty_dir_as_root(VARDIR, 0700);
+
+        if (strcmp(argv[1], "--ids-init") == 0)
+                ids_init();
+        else if (strcmp(argv[1], "--ids-check") == 0)
+                ids_check();
+        else
+                fprintf(stderr, "Error: unrecognized IDS command\n");
+
+        exit(0);
+}
diff --git a/src/firejail/join.c b/src/firejail/join.c
index 1575a7469..5d73f71be 100644
--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -45,7 +45,7 @@ static unsigned display = 0;
 static void signal_handler(int sig){
         flush_stdin();
 
-        exit(sig);
+        exit(128 + sig);
 }
 
 static void install_handler(void) {
@@ -103,7 +103,7 @@ static void extract_x11_display(pid_t pid) {
         if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_X11_DIR, pid) == -1)
                 errExit("asprintf");
 
-        FILE *fp = fopen(fname, "r");
+        FILE *fp = fopen(fname, "re");
         free(fname);
         if (!fp)
                 return;
@@ -147,7 +147,7 @@ static void extract_command(int argc, char **argv, int index) {
         }
 
         // build command
-        build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, index);
+        build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, index, true);
 }
 
 static void extract_nogroups(pid_t pid) {
@@ -219,7 +219,7 @@ static void extract_caps(pid_t pid) {
                 perror("asprintf");
                 exit(1);
         }
-        FILE *fp = fopen(file, "r");
+        FILE *fp = fopen(file, "re");
         if (!fp)
                 goto errexit;
 
@@ -266,7 +266,7 @@ static void extract_user_namespace(pid_t pid) {
         char *uidmap;
         if (asprintf(&uidmap, "/proc/%u/uid_map", pid) == -1)
                 errExit("asprintf");
-        FILE *fp = fopen(uidmap, "r");
+        FILE *fp = fopen(uidmap, "re");
         if (!fp) {
                 free(uidmap);
                 return;
@@ -315,6 +315,11 @@ static int open_shell(void) {
                 fprintf(stderr, "Error: cannot open shell %s\n", cfg.shell);
                 exit(1);
         }
+
+        // pass file descriptor through to the final fexecve
+        if (asprintf(&cfg.keep_fd, "%s,%d", cfg.keep_fd ? cfg.keep_fd : "", fd) == -1)
+                errExit("asprintf");
+
         return fd;
 }
 
@@ -431,7 +436,7 @@ void join(pid_t pid, int argc, char **argv, int index) {
 
         // set cgroup
         if (cfg.cgroup) // not available for uid 0
-                set_cgroup(cfg.cgroup);
+                set_cgroup(cfg.cgroup, getpid());
 
         // join namespaces
         if (arg_join_network) {
@@ -536,7 +541,6 @@ void join(pid_t pid, int argc, char **argv, int index) {
                 prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
 
 #ifdef HAVE_APPARMOR
-                // add apparmor confinement after the execve
                 set_apparmor();
 #endif
 
@@ -552,10 +556,6 @@ void join(pid_t pid, int argc, char **argv, int index) {
                 if (cfg.cpus)   // not available for uid 0
                         set_cpu_affinity();
 
-                // set nice value
-                if (arg_nice)
-                        set_nice(cfg.nice);
-
                 // add x11 display
                 if (display) {
                         char *display_str;
@@ -596,15 +596,17 @@ void join(pid_t pid, int argc, char **argv, int index) {
 
         // end of signal-safe code
         //*****************************
-        flush_stdin();
 
         if (WIFEXITED(status)) {
+                // if we had a proper exit, return that exit status
                 status = WEXITSTATUS(status);
         } else if (WIFSIGNALED(status)) {
-                status = WTERMSIG(status);
+                // distinguish fatal signals by adding 128
+                status = 128 + WTERMSIG(status);
         } else {
-                status = 0;
+                status = -1;
         }
 
+        flush_stdin();
         exit(status);
 }
diff --git a/src/firejail/ls.c b/src/firejail/ls.c
index 63ef2309b..4156a7b25 100644
--- a/src/firejail/ls.c
+++ b/src/firejail/ls.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -19,6 +19,7 @@
 */
 
 #include "firejail.h"
+#include "../include/gcov_wrapper.h"
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <sys/wait.h>
@@ -45,7 +46,8 @@ static void print_file_or_dir(const char *path, const char *fname) {
         struct stat s;
         if (stat(name, &s) == -1) {
                 if (lstat(name, &s) == -1) {
-                        printf("Error: cannot access %s\n", name);
+                        printf("Error: cannot access %s\n", do_replace_cntrl_chars(name, '?'));
+                        free(name);
                         return;
                 }
         }
@@ -150,12 +152,17 @@ static void print_file_or_dir(const char *path, const char *fname) {
         if (allocated)
                 free(groupname);
 
+        // file size
         char *sz;
         if (asprintf(&sz, "%d", (int) s.st_size) == -1)
                 errExit("asprintf");
-        printf("%11.10s %s\n", sz, fname);
-        free(sz);
 
+        // file name
+        char *fname_print = replace_cntrl_chars(fname, '?');
+
+        printf("%11.10s %s\n", sz, fname_print);
+        free(sz);
+        free(fname_print);
 }
 
 static void print_directory(const char *path) {
@@ -191,13 +198,15 @@ void ls(const char *path) {
                 fprintf(stderr, "Error: cannot access %s\n", path);
                 exit(1);
         }
+
+        // debug doesn't filter control characters currently
         if (arg_debug)
                 printf("ls %s\n", rp);
 
         // list directory contents
         struct stat s;
         if (stat(rp, &s) == -1) {
-                fprintf(stderr, "Error: cannot access %s\n", rp);
+                fprintf(stderr, "Error: cannot access %s\n", do_replace_cntrl_chars(rp, '?'));
                 exit(1);
         }
         if (S_ISDIR(s.st_mode))
@@ -221,7 +230,7 @@ void cat(const char *path) {
 
         if (arg_debug)
                 printf("cat %s\n", path);
-        FILE *fp = fopen(path, "r");
+        FILE *fp = fopen(path, "re");
         if (!fp) {
                 fprintf(stderr, "Error: cannot read %s\n", path);
                 exit(1);
@@ -236,13 +245,13 @@ void cat(const char *path) {
                 fprintf(stderr, "Error: %s is not a regular file\n", path);
                 exit(1);
         }
-        bool tty = isatty(STDOUT_FILENO);
+        int tty = isatty(STDOUT_FILENO);
 
         int c;
         while ((c = fgetc(fp)) != EOF) {
                 // file is untrusted
                 // replace control characters when printing to a terminal
-                if (tty && c != '\t' && c != '\n' && iscntrl((unsigned char) c))
+                if (tty && iscntrl((unsigned char) c) && c != '\t' && c != '\n')
                         c = '?';
                 fputc(c, stdout);
         }
@@ -304,7 +313,7 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) {
                 }
                 // create destination file if necessary
                 EUID_ASSERT();
-                int fd = open(dest_fname, O_WRONLY|O_CREAT|O_CLOEXEC, S_IRUSR | S_IWRITE);
+                int fd = open(dest_fname, O_WRONLY|O_CREAT|O_CLOEXEC, S_IRUSR | S_IWUSR);
                 if (fd == -1) {
                         fprintf(stderr, "Error: cannot open %s for writing\n", dest_fname);
                         exit(1);
@@ -324,7 +333,6 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) {
                 // redirection
                 if (dup2(fd, STDOUT_FILENO) == -1)
                         errExit("dup2");
-                assert(fd != STDOUT_FILENO);
                 close(fd);
                 op = SANDBOX_FS_CAT;
         }
@@ -349,9 +357,8 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) {
                         ls(fname1);
                 else
                         cat(fname1);
-#ifdef HAVE_GCOV
+
                 __gcov_flush();
-#endif
         }
         // get file from host and store it in the sandbox
         else if (op == SANDBOX_FS_PUT && path2) {
@@ -383,9 +390,9 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) {
                         // copy the file
                         if (copy_file(src_fname, tmp_fname, getuid(), getgid(), 0600)) // already a regular user
                                 _exit(1);
-#ifdef HAVE_GCOV
+
                         __gcov_flush();
-#endif
+
                         _exit(0);
                 }
 
@@ -415,9 +422,9 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) {
                         // copy the file
                         if (copy_file(tmp_fname, dest_fname, getuid(), getgid(), 0600)) // already a regular user
                                 _exit(1);
-#ifdef HAVE_GCOV
+
                         __gcov_flush();
-#endif
+
                         _exit(0);
                 }
 
diff --git a/src/firejail/macros.c b/src/firejail/macros.c
index 7f2f6dbf3..3f9460041 100644
--- a/src/firejail/macros.c
+++ b/src/firejail/macros.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -22,9 +22,11 @@
 #define MAXBUF 4098
 
 typedef struct macro_t {
-        char *name;     // macro name
+        char *name;             // macro name
         char *xdg;              // xdg line in ~/.config/user-dirs.dirs
-#define MAX_TRANSLATIONS 3      // several translations in case ~/.config/user-dirs.dirs not found
+        // several translations in case ~/.config/user-dirs.dirs not found
+        // covered currently: English, Russian, French, Italian, Spanish, Portuguese, German
+#define MAX_TRANSLATIONS 7
         char *translation[MAX_TRANSLATIONS];
 } Macro;
 
@@ -32,37 +34,37 @@ Macro macro[] = {
         {
                 "${DOWNLOADS}",
                 "XDG_DOWNLOAD_DIR=\"$HOME/",
-                { "Downloads", "Загрузки", "Téléchargement" }
+                {"Downloads", "Загрузки", "Téléchargement", "Scaricati", "Descargas"}
         },
 
         {
                 "${MUSIC}",
                 "XDG_MUSIC_DIR=\"$HOME/",
-                {"Music", "Музыка", "Musique"}
+                {"Music", "Музыка", "Musique", "Musica", "Música", "Musik"}
         },
 
         {
                 "${VIDEOS}",
                 "XDG_VIDEOS_DIR=\"$HOME/",
-                {"Videos", "Видео", "Vidéos"}
+                {"Videos", "Видео", "Vidéos", "Video", "Vídeos"}
         },
 
         {
                 "${PICTURES}",
                 "XDG_PICTURES_DIR=\"$HOME/",
-                {"Pictures", "Изображения", "Photos"}
+                {"Pictures", "Изображения", "Photos", "Immagini", "Imágenes", "Imagens", "Bilder"}
         },
 
         {
                 "${DESKTOP}",
                 "XDG_DESKTOP_DIR=\"$HOME/",
-                {"Desktop", "Рабочий стол", "Bureau"}
+                {"Desktop", "Рабочий стол", "Bureau", "Scrivania", "Escritorio", "Área de trabalho", "Schreibtisch"}
         },
 
         {
                 "${DOCUMENTS}",
                 "XDG_DOCUMENTS_DIR=\"$HOME/",
-                {"Documents", "Документы", "Documents"}
+                {"Documents", "Документы", "Documenti", "Documentos", "Dokumente"}
         },
 
         { 0 }
@@ -99,7 +101,7 @@ static char *resolve_xdg(const char *var) {
 
         if (asprintf(&fname, "%s/.config/user-dirs.dirs", cfg.homedir) == -1)
                 errExit("asprintf");
-        FILE *fp = fopen(fname, "r");
+        FILE *fp = fopen(fname, "re");
         if (!fp) {
                 free(fname);
                 return NULL;
@@ -149,11 +151,12 @@ static char *resolve_xdg(const char *var) {
 
 // returns mallocated memory
 static char *resolve_hardcoded(char *entries[]) {
+        EUID_ASSERT();
         char *fname;
         struct stat s;
 
         int i = 0;
-        while (entries[i] != NULL) {
+        while (i < MAX_TRANSLATIONS && entries[i] != NULL) {
                 if (asprintf(&fname, "%s/%s", cfg.homedir, entries[i]) == -1)
                         errExit("asprintf");
 
@@ -262,28 +265,6 @@ char *expand_macros(const char *path) {
         return rv;
 }
 
-// replace control characters with a '?'
-static char *fix_control_chars(const char *fname) {
-        assert(fname);
-
-        size_t len = strlen(fname);
-        char *rv = malloc(len + 1);
-        if (!rv)
-                errExit("malloc");
-
-        size_t i = 0;
-        while (fname[i] != '\0') {
-                if (iscntrl((unsigned char) fname[i]))
-                        rv[i] = '?';
-                else
-                        rv[i] = fname[i];
-                i++;
-        }
-        rv[i] = '\0';
-
-        return rv;
-}
-
 void invalid_filename(const char *fname, int globbing) {
 //      EUID_ASSERT();
         assert(fname);
@@ -301,24 +282,5 @@ void invalid_filename(const char *fname, int globbing) {
                         return;
         }
 
-        size_t i = 0;
-        while (ptr[i] != '\0') {
-                if (iscntrl((unsigned char) ptr[i])) {
-                        char *new = fix_control_chars(fname);
-                        fprintf(stderr, "Error: \"%s\" is an invalid filename: no control characters allowed\n", new);
-                        exit(1);
-                }
-                i++;
-        }
-
-        char *reject;
-        if (globbing)
-                reject = "\\&!\"'<>%^{};,"; // file globbing ('*?[]') is allowed
-        else
-                reject = "\\&!?\"'<>%^{};,*[]";
-        char *c = strpbrk(ptr, reject);
-        if (c) {
-                fprintf(stderr, "Error: \"%s\" is an invalid filename: rejected character: \"%c\"\n", fname, *c);
-                exit(1);
-        }
+        reject_meta_chars(ptr, globbing);
 }
diff --git a/src/firejail/main.c b/src/firejail/main.c
index d6de6d997..4b01ea0a5 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -20,6 +20,7 @@
 #include "firejail.h"
 #include "../include/pid.h"
 #include "../include/firejail_user.h"
+#include "../include/gcov_wrapper.h"
 #include "../include/syscall.h"
 #include "../include/seccomp.h"
 #define _GNU_SOURCE
@@ -31,7 +32,8 @@
 #include <dirent.h>
 #include <pwd.h>
 #include <errno.h>
-//#include <limits.h>
+
+#include <limits.h>
 #include <sys/file.h>
 #include <sys/prctl.h>
 #include <signal.h>
@@ -116,15 +118,16 @@ int arg_private_cwd = 0;			// private working directory
 int arg_scan = 0;                               // arp-scan all interfaces
 int arg_whitelist = 0;                          // whitelist command
 int arg_nosound = 0;                            // disable sound
-int arg_noautopulse = 0;                        // disable automatic ~/.config/pulse init
 int arg_novideo = 0;                    //disable video devices in /dev
 int arg_no3d;                                   // disable 3d hardware acceleration
+int arg_noprinters = 0;                         // disable printers
 int arg_quiet = 0;                              // no output for scripting
 int arg_join_network = 0;                       // join only the network namespace
 int arg_join_filesystem = 0;                    // join only the mount namespace
 int arg_nice = 0;                               // nice value configured
 int arg_ipc = 0;                                        // enable ipc namespace
 int arg_writable_etc = 0;                       // writable etc
+int arg_keep_config_pulse = 0;                  // disable automatic ~/.config/pulse init
 int arg_writable_var = 0;                       // writable var
 int arg_keep_var_tmp = 0;                       // don't overwrite /var/tmp
 int arg_writable_run_user = 0;                  // writable /run/user
@@ -135,7 +138,7 @@ int arg_allow_debuggers = 0;			// allow debuggers
 int arg_x11_block = 0;                          // block X11
 int arg_x11_xorg = 0;                           // use X11 security extension
 int arg_allusers = 0;                           // all user home directories visible
-int arg_machineid = 0;                          // preserve /etc/machine-id
+int arg_machineid = 0;                          // spoof /etc/machine-id
 int arg_allow_private_blacklist = 0;            // blacklist things in private directories
 int arg_disable_mnt = 0;                        // disable /mnt and /media
 int arg_noprofile = 0; // use default.profile if none other found/specified
@@ -145,11 +148,14 @@ int arg_nodvd = 0; // --nodvd
 int arg_nou2f = 0; // --nou2f
 int arg_noinput = 0; // --noinput
 int arg_deterministic_exit_code = 0;    // always exit with first child's exit status
+int arg_deterministic_shutdown = 0;     // shut down the sandbox if first child dies
+int arg_keep_fd_all = 0;                // inherit all file descriptors to sandbox
 DbusPolicy arg_dbus_user = DBUS_POLICY_ALLOW;   // --dbus-user
 DbusPolicy arg_dbus_system = DBUS_POLICY_ALLOW; // --dbus-system
 const char *arg_dbus_log_file = NULL;
 int arg_dbus_log_user = 0;
 int arg_dbus_log_system = 0;
+int arg_tab = 0;
 int login_shell = 0;
 
 int parent_to_child_fds[2];
@@ -188,13 +194,15 @@ static void my_handler(int s) {
         logsignal(s);
 
         if (waitpid(child, NULL, WNOHANG) == 0) {
-                if (has_handler(child, s)) // signals are not delivered if there is no handler yet
+                // child is pid 1 of a pid namespace:
+                // signals are not delivered if there is no handler yet
+                if (has_handler(child, s))
                         kill(child, s);
                 else
                         kill(child, SIGKILL);
                 waitpid(child, NULL, 0);
         }
-        myexit(s);
+        myexit(128 + s);
 }
 
 static void install_handler(void) {
@@ -259,8 +267,8 @@ static void init_cfg(int argc, char **argv) {
                 fprintf(stderr, "Error: user %s doesn't have a user directory assigned\n", cfg.username);
                 exit(1);
         }
+        check_homedir(pw->pw_dir);
         cfg.homedir = clean_pathname(pw->pw_dir);
-        check_homedir();
 
         // initialize random number generator
         sandbox_pid = getpid();
@@ -402,6 +410,23 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
         }
 #endif
 #ifdef HAVE_NETWORK
+        else if (strcmp(argv[i], "--nettrace") == 0) {
+                if (checkcfg(CFG_NETWORK)) {
+                        netfilter_trace(0);
+                }
+                else
+                        exit_err_feature("networking");
+                exit(0);
+        }
+        else if (strncmp(argv[i], "--nettrace=", 11) == 0) {
+                if (checkcfg(CFG_NETWORK)) {
+                        pid_t pid = require_pid(argv[i] + 11);
+                        netfilter_trace(pid);
+                }
+                else
+                        exit_err_feature("networking");
+                exit(0);
+        }
         else if (strncmp(argv[i], "--bandwidth=", 12) == 0) {
                 if (checkcfg(CFG_NETWORK)) {
                         logargs(argc, argv);
@@ -535,7 +560,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                 char *fname;
                 if (asprintf(&fname, RUN_FIREJAIL_PROFILE_DIR "/%d", pid) == -1)
                         errExit("asprintf");
-                FILE *fp = fopen(fname, "r");
+                FILE *fp = fopen(fname, "re");
                 if (!fp) {
                         fprintf(stderr, "Error: sandbox %s not found\n", argv[i] + 16);
                         exit(1);
@@ -862,13 +887,12 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 char *guess_shell(void) {
         const char *shell;
         char *retval;
-        struct stat s;
 
         shell = env_get("SHELL");
         if (shell) {
                 invalid_filename(shell, 0); // no globbing
-                if (!is_dir(shell) && strstr(shell, "..") == NULL && stat(shell, &s) == 0 && access(shell, X_OK) == 0 &&
-                    strcmp(shell, PATH_FIREJAIL) != 0)
+                if (access(shell, X_OK) == 0 && !is_dir(shell) && strstr(shell, "..") == NULL &&
+                    strcmp(gnu_basename(shell), "firejail") != 0)
                         goto found;
         }
 
@@ -878,12 +902,15 @@ char *guess_shell(void) {
         int i = 0;
         while (shells[i] != NULL) {
                 // access call checks as real UID/GID, not as effective UID/GID
-                if (stat(shells[i], &s) == 0 && access(shells[i], X_OK) == 0) {
+                if (access(shells[i], X_OK) == 0) {
                         shell = shells[i];
-                        break;
+                        goto found;
                 }
                 i++;
         }
+
+        return NULL;
+
  found:
         retval = strdup(shell);
         if (!retval)
@@ -929,12 +956,14 @@ static void run_builder(int argc, char **argv) {
         if (setresuid(-1, getuid(), getuid()) != 0)
                 errExit("setresuid");
 
+        if (env_get("LD_PRELOAD") != NULL)
+                fprintf(stderr, "run_builder: LD_PRELOAD is: '%s'\n", env_get("LD_PRELOAD"));
         assert(env_get("LD_PRELOAD") == NULL);
         assert(getenv("LD_PRELOAD") == NULL);
         umask(orig_umask);
 
-        // restore some environment variables
-        env_apply_whitelist_sbox();
+        // restore original environment variables
+        env_apply_all();
 
         argv[0] = LIBDIR "/firejail/fbuilder";
         execvp(argv[0], argv);
@@ -961,7 +990,7 @@ void filter_add_blacklist_override(int fd, int syscall, int arg, void *ptrarg, b
 static int check_postexec(const char *list) {
         char *prelist, *postlist;
 
-        if (list) {
+        if (list && list[0]) {
                 syscalls_in_list(list, "@default-keep", -1, &prelist, &postlist, true);
                 if (postlist)
                         return 1;
@@ -980,125 +1009,64 @@ int main(int argc, char **argv, char **envp) {
         int option_cgroup = 0;
         int custom_profile = 0; // custom profile loaded
         int arg_caps_cmdline = 0;       // caps requested on command line (used to break out of --chroot)
+        int arg_netlock = 0;
         char **ptr;
 
+
         // sanitize the umask
         orig_umask = umask(022);
 
-        // check standard streams before printing anything
-        fix_std_streams();
-
         // drop permissions by default and rise them when required
         EUID_INIT();
         EUID_USER();
 
+        // check standard streams before opening any file
+        fix_std_streams();
+
         // argument count should be larger than 0
         if (argc == 0 || !argv || strlen(argv[0]) == 0) {
                 fprintf(stderr, "Error: argv is invalid\n");
                 exit(1);
         } else if (argc >= MAX_ARGS) {
-                fprintf(stderr, "Error: too many arguments\n");
+                fprintf(stderr, "Error: too many arguments: argc (%d) >= MAX_ARGS (%d)\n", argc, MAX_ARGS);
                 exit(1);
         }
 
+        // sanity check for arguments
+        for (i = 0; i < argc; i++) {
+//              if (*argv[i] == 0) { // see #4395 - bug reported by Debian
+//                      fprintf(stderr, "Error: too short arguments: argv[%d] is empty\n", i);
+//                      exit(1);
+//              }
+                if (strlen(argv[i]) >= MAX_ARG_LEN) {
+                        fprintf(stderr, "Error: too long arguments: argv[%d] len (%zu) >= MAX_ARG_LEN (%d)\n", i, strlen(argv[i]), MAX_ARG_LEN);
+                        exit(1);
+                }
+        }
+
         // Stash environment variables
         for (i = 0, ptr = envp; ptr && *ptr && i < MAX_ENVS; i++, ptr++)
                 env_store(*ptr, SETENV);
 
         // sanity check for environment variables
         if (i >= MAX_ENVS) {
-                fprintf(stderr, "Error: too many environment variables\n");
+                fprintf(stderr, "Error: too many environment variables: >= MAX_ENVS (%d)\n", MAX_ENVS);
                 exit(1);
         }
 
-        // sanity check for arguments
-        for (i = 0; i < argc; i++) {
-                if (*argv[i] == 0) {
-                        fprintf(stderr, "Error: too short arguments\n");
-                        exit(1);
-                }
-                if (strlen(argv[i]) >= MAX_ARG_LEN) {
-                        fprintf(stderr, "Error: too long arguments\n");
-                        exit(1);
-                }
-        }
-
         // Reapply a minimal set of environment variables
         env_apply_whitelist();
 
-        // check if the user is allowed to use firejail
-        init_cfg(argc, argv);
-
-        // get starting timestamp, process --quiet
-        timetrace_start();
+        // process --quiet
         const char *env_quiet = env_get("FIREJAIL_QUIET");
         if (check_arg(argc, argv, "--quiet", 1) || (env_quiet && strcmp(env_quiet, "yes") == 0))
                 arg_quiet = 1;
 
-        // cleanup at exit
-        EUID_ROOT();
-        atexit(clear_atexit);
-
-        // build /run/firejail directory structure
-        preproc_build_firejail_dir();
-        const char *container_name = env_get("container");
-        if (!container_name || strcmp(container_name, "firejail")) {
-                lockfd_directory = open(RUN_DIRECTORY_LOCK_FILE, O_WRONLY | O_CREAT, S_IRUSR | S_IWUSR);
-                if (lockfd_directory != -1) {
-                        int rv = fchown(lockfd_directory, 0, 0);
-                        (void) rv;
-                        flock(lockfd_directory, LOCK_EX);
-                }
-                preproc_clean_run();
-                flock(lockfd_directory, LOCK_UN);
-                close(lockfd_directory);
-        }
-        EUID_USER();
-
-        // --ip=dhcp - we need access to /sbin and /usr/sbin directories in order to run ISC DHCP client (dhclient)
-        // these paths are disabled in disable-common.inc
-        if ((i = check_arg(argc, argv, "--ip", 0)) != 0) {
-                if (strncmp(argv[i] + 4, "=dhcp", 5) == 0) {
-                        profile_add("noblacklist /sbin");
-                        profile_add("noblacklist /usr/sbin");
-                }
-        }
-
-        // for appimages we need to remove "include disable-shell.inc from the profile
-        // a --profile command can show up before --appimage
-        if (check_arg(argc, argv, "--appimage", 1))
-                arg_appimage = 1;
-
-        // process allow-debuggers
-        if (check_arg(argc, argv, "--allow-debuggers", 1)) {
-                // check kernel version
-                struct utsname u;
-                int rv = uname(&u);
-                if (rv != 0)
-                        errExit("uname");
-                int major;
-                int minor;
-                if (2 != sscanf(u.release, "%d.%d", &major, &minor)) {
-                        fprintf(stderr, "Error: cannot extract Linux kernel version: %s\n", u.version);
-                        exit(1);
-                }
-                if (major < 4 || (major == 4 && minor < 8)) {
-                        fprintf(stderr, "Error: --allow-debuggers is disabled on Linux kernels prior to 4.8. "
-                                "A bug in ptrace call allows a full bypass of the seccomp filter. "
-                                "Your current kernel version is %d.%d.\n", major, minor);
-                        exit(1);
-                }
-
-                arg_allow_debuggers = 1;
-                char *cmd = strdup("noblacklist ${PATH}/strace");
-                if (!cmd)
-                        errExit("strdup");
-                profile_add(cmd);
-        }
+        // check if the user is allowed to use firejail
+        init_cfg(argc, argv);
 
-        // profile builder
-        if (check_arg(argc, argv, "--build", 0)) // supports both --build and --build=filename
-                run_builder(argc, argv); // this function will not return
+        // get starting timestamp
+        timetrace_start();
 
         // check argv[0] symlink wrapper if this is not a login shell
         if (*argv[0] != '-')
@@ -1123,15 +1091,44 @@ int main(int argc, char **argv, char **envp) {
                         __builtin_unreachable();
                 }
         }
-        EUID_ASSERT();
 
+        // profile builder
+        if (check_arg(argc, argv, "--build", 0)) // supports both --build and --build=filename
+                run_builder(argc, argv); // this function will not return
+
+        // intrusion detection system
+        if (check_arg(argc, argv, "--ids-", 0)) // supports both --ids-init and --ids-check
+                run_ids(argc, argv); // this function will not return
 
-        // check firejail directories
         EUID_ROOT();
-        delete_run_files(sandbox_pid);
+#ifndef HAVE_SUID
+        if (geteuid() != 0) {
+                fprintf(stderr, "Error: Firejail needs to be SUID.\n");
+                fprintf(stderr, "Assuming firejail is installed in /usr/bin, execute the following command as root:\n");
+                fprintf(stderr, "  chmod u+s /usr/bin/firejail\n");
+        }
+#endif
+
+        // build /run/firejail directory structure
+        preproc_build_firejail_dir();
+        const char *container_name = env_get("container");
+        if (!container_name || strcmp(container_name, "firejail")) {
+                lockfd_directory = open(RUN_DIRECTORY_LOCK_FILE, O_WRONLY | O_CREAT | O_CLOEXEC, S_IRUSR | S_IWUSR);
+                if (lockfd_directory != -1) {
+                        int rv = fchown(lockfd_directory, 0, 0);
+                        (void) rv;
+                        flock(lockfd_directory, LOCK_EX);
+                }
+                preproc_clean_run();
+                flock(lockfd_directory, LOCK_UN);
+                close(lockfd_directory);
+        }
+
+        delete_run_files(getpid());
+        atexit(clear_atexit);
         EUID_USER();
 
-        //check if the parent is sshd daemon
+        // check if the parent is sshd daemon
         int parent_sshd = 0;
         {
                 pid_t ppid = getppid();
@@ -1145,7 +1142,7 @@ int main(int argc, char **argv, char **envp) {
 
 #ifdef DEBUG_RESTRICTED_SHELL
                                 {EUID_ROOT();
-                                FILE *fp = fopen("/firelog", "w");
+                                FILE *fp = fopen("/firelog", "we");
                                 if (fp) {
                                         int i;
                                         fprintf(fp, "argc %d: ", argc);
@@ -1164,7 +1161,7 @@ int main(int argc, char **argv, char **envp) {
                                                     strncmp(argv[2], "scp ", 4) == 0) {
 #ifdef DEBUG_RESTRICTED_SHELL
                                                         {EUID_ROOT();
-                                                        FILE *fp = fopen("/firelog", "a");
+                                                        FILE *fp = fopen("/firelog", "ae");
                                                         if (fp) {
                                                                 fprintf(fp, "run without a sandbox\n");
                                                                 fclose(fp);
@@ -1188,7 +1185,8 @@ int main(int argc, char **argv, char **envp) {
         }
         EUID_ASSERT();
 
-        // is this a login shell, or a command passed by sshd, insert command line options from /etc/firejail/login.users
+        // is this a login shell, or a command passed by sshd,
+        // insert command line options from /etc/firejail/login.users
         if (*argv[0] == '-' || parent_sshd) {
                 if (argc == 1)
                         login_shell = 1;
@@ -1197,7 +1195,7 @@ int main(int argc, char **argv, char **envp) {
 
 #ifdef DEBUG_RESTRICTED_SHELL
                         {EUID_ROOT();
-                        FILE *fp = fopen("/firelog", "a");
+                        FILE *fp = fopen("/firelog", "ae");
                         if (fp) {
                                 fprintf(fp, "fullargc %d: ",  fullargc);
                                 int i;
@@ -1219,7 +1217,7 @@ int main(int argc, char **argv, char **envp) {
 
 #ifdef DEBUG_RESTRICTED_SHELL
                         {EUID_ROOT();
-                        FILE *fp = fopen("/firelog", "a");
+                        FILE *fp = fopen("/firelog", "ae");
                         if (fp) {
                                 fprintf(fp, "argc %d: ", argc);
                                 int i;
@@ -1240,6 +1238,47 @@ int main(int argc, char **argv, char **envp) {
 #endif
         EUID_ASSERT();
 
+        // --ip=dhcp - we need access to /sbin and /usr/sbin directories in order to run ISC DHCP client (dhclient)
+        // these paths are disabled in disable-common.inc
+        if ((i = check_arg(argc, argv, "--ip", 0)) != 0) {
+                if (strncmp(argv[i] + 4, "=dhcp", 5) == 0) {
+                        profile_add("noblacklist /sbin");
+                        profile_add("noblacklist /usr/sbin");
+                }
+        }
+
+        // process allow-debuggers
+        if (check_arg(argc, argv, "--allow-debuggers", 1)) {
+                // check kernel version
+                struct utsname u;
+                int rv = uname(&u);
+                if (rv != 0)
+                        errExit("uname");
+                int major;
+                int minor;
+                if (2 != sscanf(u.release, "%d.%d", &major, &minor)) {
+                        fprintf(stderr, "Error: cannot extract Linux kernel version: %s\n", u.version);
+                        exit(1);
+                }
+                if (major < 4 || (major == 4 && minor < 8)) {
+                        fprintf(stderr, "Error: --allow-debuggers is disabled on Linux kernels prior to 4.8. "
+                                "A bug in ptrace call allows a full bypass of the seccomp filter. "
+                                "Your current kernel version is %d.%d.\n", major, minor);
+                        exit(1);
+                }
+
+                arg_allow_debuggers = 1;
+                char *cmd = strdup("noblacklist ${PATH}/strace");
+                if (!cmd)
+                        errExit("strdup");
+                profile_add(cmd);
+        }
+
+        // for appimages we need to remove "include disable-shell.inc from the profile
+        // a --profile command can show up before --appimage
+        if (check_arg(argc, argv, "--appimage", 1))
+                arg_appimage = 1;
+
         // check for force-nonewprivs in /etc/firejail/firejail.config file
         if (checkcfg(CFG_FORCE_NONEWPRIVS))
                 arg_nonewprivs = 1;
@@ -1248,8 +1287,10 @@ int main(int argc, char **argv, char **envp) {
         for (i = 1; i < argc; i++) {
                 run_cmd_and_exit(i, argc, argv); // will exit if the command is recognized
 
-                if (strcmp(argv[i], "--debug") == 0 && !arg_quiet)
+                if (strcmp(argv[i], "--debug") == 0) {
                         arg_debug = 1;
+                        arg_quiet = 0;
+                }
                 else if (strcmp(argv[i], "--debug-blacklists") == 0)
                         arg_debug_blacklists = 1;
                 else if (strcmp(argv[i], "--debug-whitelists") == 0)
@@ -1257,8 +1298,8 @@ int main(int argc, char **argv, char **envp) {
                 else if (strcmp(argv[i], "--debug-private-lib") == 0)
                         arg_debug_private_lib = 1;
                 else if (strcmp(argv[i], "--quiet") == 0) {
-                        arg_quiet = 1;
-                        arg_debug = 0;
+                        if (!arg_debug)
+                                arg_quiet = 1;
                 }
                 else if (strcmp(argv[i], "--allow-debuggers") == 0) {
                         // already handled
@@ -1480,8 +1521,11 @@ int main(int argc, char **argv, char **envp) {
                         arg_rlimit_nproc = 1;
                 }
                 else if (strncmp(argv[i], "--rlimit-fsize=", 15) == 0) {
-                        check_unsigned(argv[i] + 15, "Error: invalid rlimit");
-                        sscanf(argv[i] + 15, "%llu", &cfg.rlimit_fsize);
+                        cfg.rlimit_fsize = parse_arg_size(argv[i] + 15);
+                        if (cfg.rlimit_fsize == 0) {
+                                perror("Error: invalid rlimit-fsize. Only use positive numbers and k, m or g suffix.");
+                                exit(1);
+                        }
                         arg_rlimit_fsize = 1;
                 }
                 else if (strncmp(argv[i], "--rlimit-sigpending=", 20) == 0) {
@@ -1490,8 +1534,11 @@ int main(int argc, char **argv, char **envp) {
                         arg_rlimit_sigpending = 1;
                 }
                 else if (strncmp(argv[i], "--rlimit-as=", 12) == 0) {
-                        check_unsigned(argv[i] + 12, "Error: invalid rlimit");
-                        sscanf(argv[i] + 12, "%llu", &cfg.rlimit_as);
+                        cfg.rlimit_as = parse_arg_size(argv[i] + 12);
+                        if (cfg.rlimit_as == 0) {
+                                perror("Error: invalid rlimit-as. Only use positive numbers and k, m or g suffix.");
+                                exit(1);
+                        }
                         arg_rlimit_as = 1;
                 }
                 else if (strncmp(argv[i], "--ipc-namespace", 15) == 0)
@@ -1507,15 +1554,16 @@ int main(int argc, char **argv, char **envp) {
                 else if (strncmp(argv[i], "--cgroup=", 9) == 0) {
                         if (checkcfg(CFG_CGROUP)) {
                                 if (option_cgroup) {
-                                        fprintf(stderr, "Error: only a cgroup can be defined\n");
+                                        fprintf(stderr, "Error: only one cgroup can be defined\n");
                                         exit(1);
                                 }
-
-                                option_cgroup = 1;
                                 cfg.cgroup = strdup(argv[i] + 9);
                                 if (!cfg.cgroup)
                                         errExit("strdup");
-                                set_cgroup(cfg.cgroup);
+
+                                check_cgroup_file(cfg.cgroup);
+                                set_cgroup(cfg.cgroup, getpid());
+                                option_cgroup = 1;
                         }
                         else
                                 exit_err_feature("cgroup");
@@ -1546,6 +1594,7 @@ int main(int argc, char **argv, char **envp) {
                         profile_check_line(line, 0, NULL);      // will exit if something wrong
                         profile_add(line);
                 }
+
                 else if (strncmp(argv[i], "--blacklist=", 12) == 0) {
                         char *line;
                         if (asprintf(&line, "blacklist %s", argv[i] + 12) == -1)
@@ -1562,19 +1611,13 @@ int main(int argc, char **argv, char **envp) {
                         profile_check_line(line, 0, NULL);      // will exit if something wrong
                         profile_add(line);
                 }
-
-#ifdef HAVE_WHITELIST
                 else if (strncmp(argv[i], "--whitelist=", 12) == 0) {
-                        if (checkcfg(CFG_WHITELIST)) {
-                                char *line;
-                                if (asprintf(&line, "whitelist %s", argv[i] + 12) == -1)
-                                        errExit("asprintf");
+                        char *line;
+                        if (asprintf(&line, "whitelist %s", argv[i] + 12) == -1)
+                                errExit("asprintf");
 
-                                profile_check_line(line, 0, NULL);      // will exit if something wrong
-                                profile_add(line);
-                        }
-                        else
-                                exit_err_feature("whitelist");
+                        profile_check_line(line, 0, NULL);      // will exit if something wrong
+                        profile_add(line);
                 }
                 else if (strncmp(argv[i], "--nowhitelist=", 14) == 0) {
                         char *line;
@@ -1584,7 +1627,7 @@ int main(int argc, char **argv, char **envp) {
                         profile_check_line(line, 0, NULL);      // will exit if something wrong
                         profile_add(line);
                 }
-#endif
+
                 else if (strncmp(argv[i], "--mkdir=", 8) == 0) {
                         char *line;
                         if (asprintf(&line, "mkdir %s", argv[i] + 8) == -1)
@@ -1824,6 +1867,8 @@ int main(int argc, char **argv, char **envp) {
                                 exit(1);
                         }
                         arg_noprofile = 1;
+                        // force keep-config-pulse in order to keep ~/.config/pulse as is
+                        arg_keep_config_pulse = 1;
                 }
                 else if (strncmp(argv[i], "--ignore=", 9) == 0) {
                         if (custom_profile) {
@@ -1832,6 +1877,14 @@ int main(int argc, char **argv, char **envp) {
                         }
                         profile_add_ignore(argv[i] + 9);
                 }
+                else if (strncmp(argv[i], "--keep-fd=", 10) == 0) {
+                        if (strcmp(argv[i] + 10, "all") == 0)
+                                arg_keep_fd_all = 1;
+                        else {
+                                const char *add = argv[i] + 10;
+                                profile_list_augment(&cfg.keep_fd, add);
+                        }
+                }
 #ifdef HAVE_CHROOT
                 else if (strncmp(argv[i], "--chroot=", 9) == 0) {
                         if (checkcfg(CFG_CHROOT)) {
@@ -1874,6 +1927,9 @@ int main(int argc, char **argv, char **envp) {
                         }
                         arg_writable_etc = 1;
                 }
+                else if (strcmp(argv[i], "--keep-config-pulse") == 0) {
+                        arg_keep_config_pulse = 1;
+                }
                 else if (strcmp(argv[i], "--writable-var") == 0) {
                         arg_writable_var = 1;
                 }
@@ -1944,61 +2000,77 @@ int main(int argc, char **argv, char **envp) {
                         arg_keep_dev_shm = 1;
                 }
                 else if (strncmp(argv[i], "--private-etc=", 14) == 0) {
-                        if (arg_writable_etc) {
-                                fprintf(stderr, "Error: --private-etc and --writable-etc are mutually exclusive\n");
-                                exit(1);
-                        }
+                        if (checkcfg(CFG_PRIVATE_ETC)) {
+                                if (arg_writable_etc) {
+                                        fprintf(stderr, "Error: --private-etc and --writable-etc are mutually exclusive\n");
+                                        exit(1);
+                                }
 
-                        // extract private etc list
-                        if (*(argv[i] + 14) == '\0') {
-                                fprintf(stderr, "Error: invalid private-etc option\n");
-                                exit(1);
+                                // extract private etc list
+                                if (*(argv[i] + 14) == '\0') {
+                                        fprintf(stderr, "Error: invalid private-etc option\n");
+                                        exit(1);
+                                }
+                                if (cfg.etc_private_keep) {
+                                        if ( asprintf(&cfg.etc_private_keep, "%s,%s", cfg.etc_private_keep, argv[i] + 14) < 0 )
+                                                errExit("asprintf");
+                                } else
+                                        cfg.etc_private_keep = argv[i] + 14;
+                                arg_private_etc = 1;
                         }
-                        if (cfg.etc_private_keep) {
-                                if ( asprintf(&cfg.etc_private_keep, "%s,%s", cfg.etc_private_keep, argv[i] + 14) < 0 )
-                                        errExit("asprintf");
-                        } else
-                                cfg.etc_private_keep = argv[i] + 14;
-                        arg_private_etc = 1;
+                        else
+                                exit_err_feature("private-etc");
                 }
                 else if (strncmp(argv[i], "--private-opt=", 14) == 0) {
-                        // extract private opt list
-                        if (*(argv[i] + 14) == '\0') {
-                                fprintf(stderr, "Error: invalid private-opt option\n");
-                                exit(1);
+                        if (checkcfg(CFG_PRIVATE_OPT)) {
+                                // extract private opt list
+                                if (*(argv[i] + 14) == '\0') {
+                                        fprintf(stderr, "Error: invalid private-opt option\n");
+                                        exit(1);
+                                }
+                                if (cfg.opt_private_keep) {
+                                        if ( asprintf(&cfg.opt_private_keep, "%s,%s", cfg.opt_private_keep, argv[i] + 14) < 0 )
+                                                errExit("asprintf");
+                                } else
+                                        cfg.opt_private_keep = argv[i] + 14;
+                                arg_private_opt = 1;
                         }
-                        if (cfg.opt_private_keep) {
-                                if ( asprintf(&cfg.opt_private_keep, "%s,%s", cfg.opt_private_keep, argv[i] + 14) < 0 )
-                                        errExit("asprintf");
-                        } else
-                                cfg.opt_private_keep = argv[i] + 14;
-                        arg_private_opt = 1;
+                        else
+                                exit_err_feature("private-opt");
                 }
                 else if (strncmp(argv[i], "--private-srv=", 14) == 0) {
-                        // extract private srv list
-                        if (*(argv[i] + 14) == '\0') {
-                                fprintf(stderr, "Error: invalid private-srv option\n");
-                                exit(1);
+                        if (checkcfg(CFG_PRIVATE_SRV)) {
+                                // extract private srv list
+                                if (*(argv[i] + 14) == '\0') {
+                                        fprintf(stderr, "Error: invalid private-srv option\n");
+                                        exit(1);
+                                }
+                                if (cfg.srv_private_keep) {
+                                        if ( asprintf(&cfg.srv_private_keep, "%s,%s", cfg.srv_private_keep, argv[i] + 14) < 0 )
+                                                errExit("asprintf");
+                                } else
+                                        cfg.srv_private_keep = argv[i] + 14;
+                                arg_private_srv = 1;
                         }
-                        if (cfg.srv_private_keep) {
-                                if ( asprintf(&cfg.srv_private_keep, "%s,%s", cfg.srv_private_keep, argv[i] + 14) < 0 )
-                                        errExit("asprintf");
-                        } else
-                                cfg.srv_private_keep = argv[i] + 14;
-                        arg_private_srv = 1;
+                        else
+                                exit_err_feature("private-srv");
                 }
                 else if (strncmp(argv[i], "--private-bin=", 14) == 0) {
-                        // extract private bin list
-                        if (*(argv[i] + 14) == '\0') {
-                                fprintf(stderr, "Error: invalid private-bin option\n");
-                                exit(1);
+                        if (checkcfg(CFG_PRIVATE_BIN)) {
+                                // extract private bin list
+                                if (*(argv[i] + 14) == '\0') {
+                                        fprintf(stderr, "Error: invalid private-bin option\n");
+                                        exit(1);
+                                }
+                                if (cfg.bin_private_keep) {
+                                        if ( asprintf(&cfg.bin_private_keep, "%s,%s", cfg.bin_private_keep, argv[i] + 14) < 0 )
+                                                errExit("asprintf");
+                                } else
+                                        cfg.bin_private_keep = argv[i] + 14;
+                                arg_private_bin = 1;
                         }
-                        if (cfg.bin_private_keep) {
-                                if ( asprintf(&cfg.bin_private_keep, "%s,%s", cfg.bin_private_keep, argv[i] + 14) < 0 )
-                                        errExit("asprintf");
-                        } else
-                                cfg.bin_private_keep = argv[i] + 14;
-                        arg_private_bin = 1;
+                        else
+                                exit_err_feature("private-bin");
                 }
                 else if (strncmp(argv[i], "--private-lib", 13) == 0) {
                         if (checkcfg(CFG_PRIVATE_LIB)) {
@@ -2076,11 +2148,16 @@ int main(int argc, char **argv, char **envp) {
                 else if (strcmp(argv[i], "--nosound") == 0)
                         arg_nosound = 1;
                 else if (strcmp(argv[i], "--noautopulse") == 0)
-                        arg_noautopulse = 1;
+                        arg_keep_config_pulse = 1;
                 else if (strcmp(argv[i], "--novideo") == 0)
                         arg_novideo = 1;
                 else if (strcmp(argv[i], "--no3d") == 0)
                         arg_no3d = 1;
+                else if (strcmp(argv[i], "--noprinters") == 0) {
+                        arg_noprinters = 1;
+                        profile_add("blacklist /dev/lp*");
+                        profile_add("blacklist /run/cups/cups.sock");
+                }
                 else if (strcmp(argv[i], "--notv") == 0)
                         arg_notv = 1;
                 else if (strcmp(argv[i], "--nodvd") == 0)
@@ -2253,6 +2330,21 @@ int main(int argc, char **argv, char **envp) {
                         continue;
                 }
 #ifdef HAVE_NETWORK
+                else if (strcmp(argv[i], "--netlock") == 0) {
+                        if (checkcfg(CFG_NETWORK))
+                                arg_netlock = 1;
+                        else
+                                exit_err_feature("networking");
+                }
+                else if (strncmp(argv[i], "--netlock=", 10) == 0) {
+                        if (checkcfg(CFG_NETWORK)) {
+                                pid_t pid = require_pid(argv[i] + 10);
+                                netfilter_netlock(pid);
+                        }
+                        else
+                                exit_err_feature("networking");
+                        exit(0);
+                }
                 else if (strncmp(argv[i], "--interface=", 12) == 0) {
                         if (checkcfg(CFG_NETWORK)) {
                                 // checks
@@ -2558,7 +2650,7 @@ int main(int argc, char **argv, char **envp) {
                         else if (cfg.dns4 == NULL)
                                 cfg.dns4 = dns;
                         else {
-                                fwarning("Warning: up to 4 DNS servers can be specified, %s ignored\n", dns);
+                                fwarning("up to 4 DNS servers can be specified, %s ignored\n", dns);
                                 free(dns);
                         }
                 }
@@ -2579,6 +2671,15 @@ int main(int argc, char **argv, char **envp) {
                         if (checkcfg(CFG_NETWORK)) {
                                 arg_netfilter = 1;
                                 arg_netfilter_file = argv[i] + 12;
+
+                                // expand tilde
+                                if (*arg_netfilter_file == '~') {
+                                        char *tmp;
+                                        if (asprintf(&tmp, "%s%s", cfg.homedir, arg_netfilter_file + 1) == -1)
+                                                errExit("asprintf");
+                                        arg_netfilter_file = tmp;
+                                }
+
                                 check_netfilter_file(arg_netfilter_file);
                         }
                         else
@@ -2589,6 +2690,15 @@ int main(int argc, char **argv, char **envp) {
                         if (checkcfg(CFG_NETWORK)) {
                                 arg_netfilter6 = 1;
                                 arg_netfilter6_file = argv[i] + 13;
+
+                                // expand tilde
+                                if (*arg_netfilter6_file == '~') {
+                                        char *tmp;
+                                        if (asprintf(&tmp, "%s%s", cfg.homedir, arg_netfilter6_file + 1) == -1)
+                                                errExit("asprintf");
+                                        arg_netfilter6_file = tmp;
+                                }
+
                                 check_netfilter_file(arg_netfilter6_file);
                         }
                         else
@@ -2609,8 +2719,9 @@ int main(int argc, char **argv, char **envp) {
                 //*************************************
                 else if (strncmp(argv[i], "--timeout=", 10) == 0)
                         cfg.timeout = extract_timeout(argv[i] + 10);
-                else if (strcmp(argv[i], "--appimage") == 0)
-                        arg_appimage = 1;
+                else if (strcmp(argv[i], "--appimage") == 0) {
+                        // already handled
+                }
                 else if (strcmp(argv[i], "--shell=none") == 0) {
                         arg_shell_none = 1;
                         if (cfg.shell) {
@@ -2685,6 +2796,11 @@ int main(int argc, char **argv, char **envp) {
                 else if (strcmp(argv[i], "--deterministic-exit-code") == 0) {
                         arg_deterministic_exit_code = 1;
                 }
+                else if (strcmp(argv[i], "--deterministic-shutdown") == 0) {
+                        arg_deterministic_shutdown = 1;
+                }
+                else if (strcmp(argv[i], "--tab") == 0)
+                        arg_tab = 1;
                 else {
                         // double dash - positional params to follow
                         if (strcmp(argv[i], "--") == 0) {
@@ -2786,6 +2902,11 @@ int main(int argc, char **argv, char **envp) {
         // build the sandbox command
         if (prog_index == -1 && cfg.shell) {
                 assert(cfg.command_line == NULL); // runs cfg.shell
+                if (arg_appimage) {
+                        fprintf(stderr, "Error: no appimage archive specified\n");
+                        exit(1);
+                }
+
                 cfg.window_title = cfg.shell;
                 cfg.command_name = cfg.shell;
         }
@@ -2793,10 +2914,11 @@ int main(int argc, char **argv, char **envp) {
                 if (arg_debug)
                         printf("Configuring appimage environment\n");
                 appimage_set(cfg.command_name);
-                build_appimage_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index);
+                build_appimage_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index, true);
         }
         else {
-                build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index);
+                // Only add extra quotes if we were not launched by sshd.
+                build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index, !parent_sshd);
         }
 /*      else {
                 fprintf(stderr, "Error: command must be specified when --shell=none used.\n");
@@ -2810,7 +2932,13 @@ int main(int argc, char **argv, char **envp) {
 
         // load the profile
         if (!arg_noprofile && !custom_profile) {
-                custom_profile = profile_find_firejail(cfg.command_name, 1);
+                if (arg_appimage) {
+                        custom_profile = appimage_find_profile(cfg.command_name);
+                        // disable shell=* for appimages
+                        arg_shell_none = 0;
+                }
+                else
+                        custom_profile = profile_find_firejail(cfg.command_name, 1);
         }
 
         // use default.profile as the default
@@ -2824,7 +2952,7 @@ int main(int argc, char **argv, char **envp) {
                 custom_profile = profile_find_firejail(profile_name, 1);
 
                 if (!custom_profile) {
-                        fprintf(stderr, "Error: no default.profile installed\n");
+                        fprintf(stderr, "Error: no %s installed\n", profile_name);
                         exit(1);
                 }
 
@@ -2840,6 +2968,15 @@ int main(int argc, char **argv, char **envp) {
         // check network configuration options - it will exit if anything went wrong
         net_check_cfg();
 
+        // customization of default seccomp filter
+        if (config_seccomp_filter_add) {
+                if (arg_seccomp && !cfg.seccomp_list_keep && !cfg.seccomp_list_drop)
+                        profile_list_augment(&cfg.seccomp_list, config_seccomp_filter_add);
+
+                if (arg_seccomp32 && !cfg.seccomp_list_keep32 && !cfg.seccomp_list_drop32)
+                        profile_list_augment(&cfg.seccomp_list32, config_seccomp_filter_add);
+        }
+
         if (arg_seccomp)
                 arg_seccomp_postexec = check_postexec(cfg.seccomp_list) || check_postexec(cfg.seccomp_list_drop);
 
@@ -2850,7 +2987,7 @@ int main(int argc, char **argv, char **envp) {
         // check and assign an IP address - for macvlan it will be done again in the sandbox!
         if (any_bridge_configured()) {
                 EUID_ROOT();
-                lockfd_network = open(RUN_NETWORK_LOCK_FILE, O_WRONLY | O_CREAT, S_IRUSR | S_IWUSR);
+                lockfd_network = open(RUN_NETWORK_LOCK_FILE, O_WRONLY | O_CREAT | O_CLOEXEC, S_IRUSR | S_IWUSR);
                 if (lockfd_network != -1) {
                         int rv = fchown(lockfd_network, 0, 0);
                         (void) rv;
@@ -2872,12 +3009,6 @@ int main(int argc, char **argv, char **envp) {
         }
         EUID_ASSERT();
 
-        // create the parent-child communication pipe
-        if (pipe(parent_to_child_fds) < 0)
-                errExit("pipe");
-        if (pipe(child_to_parent_fds) < 0)
-                errExit("pipe");
-
         if (arg_noroot && arg_overlay) {
                 fwarning("--overlay and --noroot are mutually exclusive, noroot disabled\n");
                 arg_noroot = 0;
@@ -2890,7 +3021,7 @@ int main(int argc, char **argv, char **envp) {
 
         // set name and x11 run files
         EUID_ROOT();
-        lockfd_directory = open(RUN_DIRECTORY_LOCK_FILE, O_WRONLY | O_CREAT, S_IRUSR | S_IWUSR);
+        lockfd_directory = open(RUN_DIRECTORY_LOCK_FILE, O_WRONLY | O_CREAT | O_CLOEXEC, S_IRUSR | S_IWUSR);
         if (lockfd_directory != -1) {
                 int rv = fchown(lockfd_directory, 0, 0);
                 (void) rv;
@@ -2919,6 +3050,12 @@ int main(int argc, char **argv, char **envp) {
         }
 #endif
 
+        // create the parent-child communication pipe
+        if (pipe2(parent_to_child_fds, O_CLOEXEC) < 0)
+                errExit("pipe");
+        if (pipe2(child_to_parent_fds, O_CLOEXEC) < 0)
+                errExit("pipe");
+
         // clone environment
         int flags = CLONE_NEWNS | CLONE_NEWPID | CLONE_NEWUTS | SIGCHLD;
 
@@ -2975,9 +3112,9 @@ int main(int argc, char **argv, char **envp) {
                         network_main(child);
                         if (arg_debug)
                                 printf("Host network configured\n");
-#ifdef HAVE_GCOV
+
                         __gcov_flush();
-#endif
+
                         _exit(0);
                 }
 
@@ -2987,100 +3124,163 @@ int main(int argc, char **argv, char **envp) {
         }
         EUID_ASSERT();
 
-        // close each end of the unused pipes
-        close(parent_to_child_fds[0]);
-        close(child_to_parent_fds[1]);
+        // close each end of the unused pipes
+        close(parent_to_child_fds[0]);
+        close(child_to_parent_fds[1]);
 
         // notify child that base setup is complete
-        notify_other(parent_to_child_fds[1]);
+        notify_other(parent_to_child_fds[1]);
 
-        // wait for child to create new user namespace with CLONE_NEWUSER
-        wait_for_other(child_to_parent_fds[0]);
-        close(child_to_parent_fds[0]);
+        // wait for child to create new user namespace with CLONE_NEWUSER
+        wait_for_other(child_to_parent_fds[0]);
+        close(child_to_parent_fds[0]);
 
-        if (arg_noroot) {
-                // update the UID and GID maps in the new child user namespace
+        if (arg_noroot) {
+                // update the UID and GID maps in the new child user namespace
                 // uid
-                char *map_path;
-                if (asprintf(&map_path, "/proc/%d/uid_map", child) == -1)
-                        errExit("asprintf");
-
-                char *map;
-                uid_t uid = getuid();
-                if (asprintf(&map, "%d %d 1", uid, uid) == -1)
-                        errExit("asprintf");
-                EUID_ROOT();
-                update_map(map, map_path);
-                EUID_USER();
-                free(map);
-                free(map_path);
-
-                // gid file
+                char *map_path;
+                if (asprintf(&map_path, "/proc/%d/uid_map", child) == -1)
+                        errExit("asprintf");
+
+                char *map;
+                uid_t uid = getuid();
+                if (asprintf(&map, "%d %d 1", uid, uid) == -1)
+                        errExit("asprintf");
+                EUID_ROOT();
+                update_map(map, map_path);
+                EUID_USER();
+                free(map);
+                free(map_path);
+
+                // gid file
                 if (asprintf(&map_path, "/proc/%d/gid_map", child) == -1)
                         errExit("asprintf");
-                char gidmap[1024];
-                char *ptr = gidmap;
-                *ptr = '\0';
-
-                // add user group
-                gid_t gid = getgid();
-                sprintf(ptr, "%d %d 1\n", gid, gid);
-                ptr += strlen(ptr);
-
-                if (!arg_nogroups) {
-                        //  add firejail group
-                        gid_t g = get_group_id("firejail");
-                        if (g) {
-                                sprintf(ptr, "%d %d 1\n", g, g);
-                                ptr += strlen(ptr);
-                        }
-
-                        //  add tty group
-                        g = get_group_id("tty");
-                        if (g) {
-                                sprintf(ptr, "%d %d 1\n", g, g);
-                                ptr += strlen(ptr);
-                        }
-
-                        //  add audio group
-                        g = get_group_id("audio");
-                        if (g) {
-                                sprintf(ptr, "%d %d 1\n", g, g);
-                                ptr += strlen(ptr);
-                        }
-
-                        //  add video group
-                        g = get_group_id("video");
-                        if (g) {
-                                sprintf(ptr, "%d %d 1\n", g, g);
-                                ptr += strlen(ptr);
-                        }
-
-                        //  add games group
-                        g = get_group_id("games");
-                        if (g) {
-                                sprintf(ptr, "%d %d 1\n", g, g);
-                        }
-                 }
-
-                EUID_ROOT();
-                update_map(gidmap, map_path);
-                EUID_USER();
-                free(map_path);
-        }
+                char gidmap[1024];
+                char *ptr = gidmap;
+                *ptr = '\0';
+
+                // add user group
+                gid_t gid = getgid();
+                sprintf(ptr, "%d %d 1\n", gid, gid);
+                ptr += strlen(ptr);
+
+                gid_t g;
+                if (!arg_nogroups || !check_can_drop_all_groups()) {
+                        // add audio group
+                        if (!arg_nosound) {
+                                g = get_group_id("audio");
+                                if (g) {
+                                        sprintf(ptr, "%d %d 1\n", g, g);
+                                        ptr += strlen(ptr);
+                                }
+                        }
+
+                        // add video group
+                        if (!arg_novideo) {
+                                g = get_group_id("video");
+                                if (g) {
+                                        sprintf(ptr, "%d %d 1\n", g, g);
+                                        ptr += strlen(ptr);
+                                }
+                        }
+
+                        // add render/vglusers group
+                        if (!arg_no3d) {
+                                g = get_group_id("render");
+                                if (g) {
+                                        sprintf(ptr, "%d %d 1\n", g, g);
+                                        ptr += strlen(ptr);
+                                }
+                                g = get_group_id("vglusers");
+                                if (g) {
+                                        sprintf(ptr, "%d %d 1\n", g, g);
+                                        ptr += strlen(ptr);
+                                }
+                        }
+
+                        // add lp group
+                        if (!arg_noprinters) {
+                                g = get_group_id("lp");
+                                if (g) {
+                                        sprintf(ptr, "%d %d 1\n", g, g);
+                                        ptr += strlen(ptr);
+                                }
+                        }
+
+                        // add cdrom/optical groups
+                        if (!arg_nodvd) {
+                                g = get_group_id("cdrom");
+                                if (g) {
+                                        sprintf(ptr, "%d %d 1\n", g, g);
+                                        ptr += strlen(ptr);
+                                }
+                                g = get_group_id("optical");
+                                if (g) {
+                                        sprintf(ptr, "%d %d 1\n", g, g);
+                                        ptr += strlen(ptr);
+                                }
+                        }
+
+                        // add input group
+                        if (!arg_noinput) {
+                                g = get_group_id("input");
+                                if (g) {
+                                        sprintf(ptr, "%d %d 1\n", g, g);
+                                        ptr += strlen(ptr);
+                                }
+                        }
+                }
+
+                if (!arg_nogroups) {
+                        // add firejail group
+                        g = get_group_id("firejail");
+                        if (g) {
+                                sprintf(ptr, "%d %d 1\n", g, g);
+                                ptr += strlen(ptr);
+                        }
+
+                        // add tty group
+                        g = get_group_id("tty");
+                        if (g) {
+                                sprintf(ptr, "%d %d 1\n", g, g);
+                                ptr += strlen(ptr);
+                        }
+
+                        // add games group
+                        g = get_group_id("games");
+                        if (g) {
+                                sprintf(ptr, "%d %d 1\n", g, g);
+                        }
+                }
+
+                EUID_ROOT();
+                update_map(gidmap, map_path);
+                EUID_USER();
+                free(map_path);
+        }
         EUID_ASSERT();
 
-        // notify child that UID/GID mapping is complete
-        notify_other(parent_to_child_fds[1]);
-        close(parent_to_child_fds[1]);
+        // notify child that UID/GID mapping is complete
+        notify_other(parent_to_child_fds[1]);
+        close(parent_to_child_fds[1]);
 
-        EUID_ROOT();
+        EUID_ROOT();
         if (lockfd_network != -1) {
                 flock(lockfd_network, LOCK_UN);
                 close(lockfd_network);
         }
         EUID_USER();
 
+        // lock netfilter firewall
+        if (arg_netlock) {
+                char *cmd;
+                if (asprintf(&cmd, "firejail --netlock=%d&", getpid()) == -1)
+                        errExit("asprintf");
+                int rv = system(cmd);
+                (void) rv;
+                free(cmd);
+        }
+
         int status = 0;
         //*****************************
         // following code is signal-safe
@@ -3098,35 +3298,16 @@ int main(int argc, char **argv, char **envp) {
         // end of signal-safe code
         //*****************************
 
-#if 0
-// at this point the sandbox was closed and we are on our way out
-// it would make sense to move this before waitpid above to free some memory
-// crash for now as of issue #3662 from dhcp code
-        // free globals
-        if (cfg.profile) {
-                ProfileEntry *prf = cfg.profile;
-                while (prf != NULL) {
-                        ProfileEntry *next = prf->next;
-printf("data #%s#\n", prf->data);
-                        if (prf->data)
-                                free(prf->data);
-printf("link #%s#\n", prf->link);
-                        if (prf->link)
-                                free(prf->link);
-                        free(prf);
-                        prf = next;
-                }
-        }
-#endif
 
 
         if (WIFEXITED(status)){
                 myexit(WEXITSTATUS(status));
         } else if (WIFSIGNALED(status)) {
-                myexit(WTERMSIG(status));
+                // distinguish fatal signals by adding 128
+                myexit(128 + WTERMSIG(status));
         } else {
-                myexit(0);
+                myexit(1);
         }
 
-        return 0;
+        return 1;
 }
diff --git a/src/firejail/mountinfo.c b/src/firejail/mountinfo.c
index a700729d3..56c0bda30 100644
--- a/src/firejail/mountinfo.c
+++ b/src/firejail/mountinfo.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -19,10 +19,11 @@
 */
 
 #include "firejail.h"
+#include <errno.h>
 
 #include <fcntl.h>
 #ifndef O_PATH
-# define O_PATH 010000000
+#define O_PATH 010000000
 #endif
 
 #define MAX_BUF 4096
@@ -32,43 +33,38 @@ static MountData mdata;
 
 
 // Convert octal escape sequence to decimal value
-static int read_oct(const char *path) {
-        int dec = 0;
-        int digit, i;
-        // there are always exactly three octal digits
-        for (i = 1; i < 4; i++) {
-                digit = *(path + i);
-                if (digit < '0' || digit > '7') {
-                        fprintf(stderr, "Error: cannot read /proc/self/mountinfo\n");
-                        exit(1);
-                }
-                dec = (dec << 3) + (digit - '0');
-        }
-        return dec;
+static unsigned read_oct(char *s) {
+        assert(s[0] == '\\');
+        s++;
+
+        int i;
+        for (i = 0; i < 3; i++)
+                assert(s[i] >= '0' && s[i] <= '7');
+
+        return ((s[0] - '0') << 6 |
+                (s[1] - '0') << 3 |
+                (s[2] - '0') << 0);
 }
 
 // Restore empty spaces in pathnames extracted from /proc/self/mountinfo
 static void unmangle_path(char *path) {
-        char *p = strchr(path, '\\');
-        if (p && read_oct(p) == ' ') {
-                *p = ' ';
-                int i = 3;
-                do {
-                        p++;
-                        if (*(p + i) == '\\' && read_oct(p + i) == ' ') {
-                                *p = ' ';
-                                i += 3;
-                        }
-                        else
-                                *p = *(p + i);
-                } while (*p);
-        }
+        char *r = strchr(path, '\\');
+        if (!r)
+                return;
+
+        char *w = r;
+        do {
+                while (*r == '\\') {
+                        *w++ = read_oct(r);
+                        r += 4;
+                }
+                *w++ = *r;
+        } while (*r++);
 }
 
 // Parse a line from /proc/self/mountinfo,
 // the function does an exit(1) if anything goes wrong.
 static void parse_line(char *line, MountData *output) {
-        assert(line && output);
         memset(output, 0, sizeof(*output));
         // extract mount id, filesystem name, directory and filesystem types
         // examples:
@@ -86,8 +82,6 @@ static void parse_line(char *line, MountData *output) {
         char *ptr = strtok(line, " ");
         if (!ptr)
                 goto errexit;
-        if (ptr != line)
-                goto errexit;
         output->mountid = atoi(ptr);
         int cnt = 1;
 
@@ -108,10 +102,9 @@ static void parse_line(char *line, MountData *output) {
         ptr = strtok(NULL, " ");
         if (!ptr)
                 goto errexit;
-        output->fstype = ptr++;
+        output->fstype = ptr;
 
-
-        if (output->mountid == 0 ||
+        if (output->mountid < 0 ||
             output->fsname == NULL ||
             output->dir == NULL ||
             output->fstype == NULL)
@@ -151,108 +144,118 @@ MountData *get_last_mount(void) {
         return &mdata;
 }
 
-// Extract the mount id from /proc/self/fdinfo and return it.
-int get_mount_id(const char *path) {
-        assert(path);
+// Returns mount id, or -1 if fd refers to a procfs or sysfs file
+static int get_mount_id_from_handle(int fd) {
+        char *proc;
+        if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
+                errExit("asprintf");
+
+        struct file_handle *fh = malloc(sizeof *fh);
+        if (!fh)
+                errExit("malloc");
+        fh->handle_bytes = 0;
+
+        int rv = -1;
+        int tmp;
+        if (name_to_handle_at(-1, proc, fh, &tmp, AT_SYMLINK_FOLLOW) != -1) {
+                fprintf(stderr, "Error: unexpected result from name_to_handle_at\n");
+                exit(1);
+        }
+        if (errno == EOVERFLOW && fh->handle_bytes)
+                rv = tmp;
 
-        int fd = open(path, O_PATH|O_CLOEXEC);
-        if (fd == -1)
-                return -1;
+        free(proc);
+        free(fh);
+        return rv;
+}
 
-        char *fdinfo;
-        if (asprintf(&fdinfo, "/proc/self/fdinfo/%d", fd) == -1)
+// Returns mount id, or -1 on kernels < 3.15
+static int get_mount_id_from_fdinfo(int fd) {
+        char *proc;
+        if (asprintf(&proc, "/proc/self/fdinfo/%d", fd) == -1)
                 errExit("asprintf");
-        FILE *fp = fopen(fdinfo, "re");
-        free(fdinfo);
-        if (!fp)
-                goto errexit;
 
-        // read the file
+        int called_as_root = 0;
+        if (geteuid() == 0)
+                called_as_root = 1;
+
+        if (called_as_root == 0)
+                EUID_ROOT();
+
+        FILE *fp = fopen(proc, "re");
+        if (!fp) {
+                fprintf(stderr, "Error: cannot read proc file\n");
+                exit(1);
+        }
+
+        if (called_as_root == 0)
+                EUID_USER();
+
+        int rv = -1;
         char buf[MAX_BUF];
-        if (fgets(buf, MAX_BUF, fp) == NULL)
-                goto errexit;
-        do {
-                if (strncmp(buf, "mnt_id:", 7) == 0) {
-                        char *ptr = buf + 7;
-                        while (*ptr != '\0' && (*ptr == ' ' || *ptr == '\t')) {
-                                ptr++;
-                        }
-                        if (*ptr == '\0')
-                                goto errexit;
-                        fclose(fp);
-                        close(fd);
-                        return atoi(ptr);
-                }
-        } while (fgets(buf, MAX_BUF, fp));
+        while (fgets(buf, MAX_BUF, fp)) {
+                if (sscanf(buf, "mnt_id: %d", &rv) == 1)
+                                break;
+        }
 
-        // fallback, kernels older than 3.15 don't expose the mount id in this place
+        free(proc);
         fclose(fp);
-        close(fd);
-        return -2;
+        return rv;
+}
 
-errexit:
-        fprintf(stderr, "Error: cannot read proc file\n");
-        exit(1);
+int get_mount_id(int fd) {
+        int rv = get_mount_id_from_handle(fd);
+        if (rv < 0)
+                rv = get_mount_id_from_fdinfo(fd);
+        return rv;
 }
 
 // Check /proc/self/mountinfo if path contains any mounts points.
 // Returns an array that can be iterated over for recursive remounting.
-char **build_mount_array(const int mount_id, const char *path) {
+char **build_mount_array(const int mountid, const char *path) {
         assert(path);
 
-        // open /proc/self/mountinfo
         FILE *fp = fopen("/proc/self/mountinfo", "re");
         if (!fp) {
                 fprintf(stderr, "Error: cannot read /proc/self/mountinfo\n");
                 exit(1);
         }
 
-        // array to be returned
-        size_t cnt = 0;
+        // try to find line with mount id
+        int found = 0;
+        MountData mntp;
+        char line[MAX_BUF];
+        while (fgets(line, MAX_BUF, fp)) {
+                parse_line(line, &mntp);
+                if (mntp.mountid == mountid) {
+                        found = 1;
+                        break;
+                }
+        }
+
+        if (!found) {
+                fclose(fp);
+                return NULL;
+        }
+
+        // allocate array
         size_t size = 32;
         char **rv = malloc(size * sizeof(*rv));
         if (!rv)
                 errExit("malloc");
 
-        // read /proc/self/mountinfo
-        size_t pathlen = strlen(path);
-        char buf[MAX_BUF];
-        MountData mntp;
-        int found = 0;
+        // add directory itself
+        size_t cnt = 0;
+        rv[cnt] = strdup(path);
+        if (rv[cnt] == NULL)
+                errExit("strdup");
 
-        if (fgets(buf, MAX_BUF, fp) == NULL) {
-                fprintf(stderr, "Error: cannot read /proc/self/mountinfo\n");
-                exit(1);
-        }
-        do {
-                parse_line(buf, &mntp);
-                // find mount point with mount id
-                if (!found) {
-                        if (mntp.mountid == mount_id) {
-                                // give up if mount id has been reassigned,
-                                // don't remount blacklisted path
-                                if (strncmp(mntp.dir, path, strlen(mntp.dir)) ||
-                                    strstr(mntp.fsname, "firejail.ro.dir") ||
-                                    strstr(mntp.fsname, "firejail.ro.file"))
-                                            break;
-
-                                rv[cnt] = strdup(path);
-                                if (rv[cnt] == NULL)
-                                        errExit("strdup");
-                                cnt++;
-                                found = 1;
-                                continue;
-                        }
-                        continue;
-                }
-                // from here on add all mount points below path,
-                // don't remount blacklisted paths
-                if (strncmp(mntp.dir, path, pathlen) == 0 &&
-                    mntp.dir[pathlen] == '/' &&
-                    strstr(mntp.fsname, "firejail.ro.dir") == NULL &&
-                    strstr(mntp.fsname, "firejail.ro.file") == NULL) {
-
-                        if (cnt == size) {
+        // and add all following mountpoints contained in this directory
+        size_t pathlen = strlen(path);
+        while (fgets(line, MAX_BUF, fp)) {
+                parse_line(line, &mntp);
+                if (strncmp(mntp.dir, path, pathlen) == 0 && mntp.dir[pathlen] == '/') {
+                        if (++cnt == size) {
                                 size *= 2;
                                 rv = realloc(rv, size * sizeof(*rv));
                                 if (!rv)
@@ -261,18 +264,17 @@ char **build_mount_array(const int mount_id, const char *path) {
                         rv[cnt] = strdup(mntp.dir);
                         if (rv[cnt] == NULL)
                                 errExit("strdup");
-                        cnt++;
                 }
-        } while (fgets(buf, MAX_BUF, fp));
+        }
+        fclose(fp);
 
-        if (cnt == size) {
-                size++;
+        // end of array
+        if (++cnt == size) {
+                ++size;
                 rv = realloc(rv, size * sizeof(*rv));
                 if (!rv)
                         errExit("realloc");
         }
-        rv[cnt] = NULL; // end of the array
-
-        fclose(fp);
+        rv[cnt] = NULL;
         return rv;
 }
diff --git a/src/firejail/netfilter.c b/src/firejail/netfilter.c
index fc79dddec..5b49fe19a 100644
--- a/src/firejail/netfilter.c
+++ b/src/firejail/netfilter.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -24,6 +24,96 @@
 #include <sys/wait.h>
 #include <fcntl.h>
 
+void netfilter_netlock(pid_t pid) {
+        EUID_ASSERT();
+
+        // give the sandbox a chance to start up before entering the network namespace
+        sleep(1);
+        enter_network_namespace(pid);
+
+        char *flog;
+        if (asprintf(&flog, "/run/firejail/network/%d-netlock", getpid()) == -1)
+                errExit("asprintf");
+        FILE *fp = fopen(flog, "w");
+        if (!fp)
+                errExit("fopen");
+        fclose(fp);
+
+        // try to find a X terminal
+        char *terminal = NULL;
+        if (access("/usr/bin/xterm", X_OK) == 0)
+                terminal = "/usr/bin/xterm";
+        else if (access("/usr/bin/lxterminal", X_OK) == 0)
+                terminal = "/usr/bin/lxterminal";
+        else if (access("/usr/bin/xfce4-terminal", X_OK) == 0)
+                terminal = "/usr/bin/xfce4-terminal";
+        else if (access("/usr/bin/konsole", X_OK) == 0)
+                terminal = "/usr/bin/konsole";
+// problem: newer gnome-terminal versions don't support -e command line option???
+// same for mate-terminal
+
+        if (isatty(STDIN_FILENO))
+                terminal = NULL;
+
+        if (terminal) {
+                pid_t p = fork();
+                if (p == -1)
+                        ; // run without terminal logger
+                else if (p == 0) { // child
+                        drop_privs(0);
+
+                        char *cmd;
+                        if (asprintf(&cmd, "%s -e \"%s/firejail/fnettrace --tail --log=%s\"", terminal, LIBDIR, flog) == -1)
+                                errExit("asprintf");
+                        int rv = system(cmd);
+                        (void) rv;
+                        exit(0);
+                }
+        }
+
+        char *cmd;
+        if (asprintf(&cmd, "%s/firejail/fnettrace --netfilter --log=%s", LIBDIR, flog) == -1)
+                errExit("asprintf");
+        free(flog);
+
+        //************************
+        // build command
+        //************************
+        char *arg[4];
+        arg[0] = "/bin/sh";
+        arg[1] = "-c";
+        arg[2] = cmd;
+        arg[3] = NULL;
+        clearenv();
+        sbox_exec_v(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, arg);
+        // it will never get here!!
+}
+
+void netfilter_trace(pid_t pid) {
+        EUID_ASSERT();
+
+        // a pid of 0 means the main system network namespace
+        if (pid)
+                enter_network_namespace(pid);
+
+        char *cmd;
+        if (asprintf(&cmd, "%s/firejail/fnettrace", LIBDIR) == -1)
+                errExit("asprintf");
+
+        //************************
+        // build command
+        //************************
+        char *arg[4];
+        arg[0] = "/bin/sh";
+        arg[1] = "-c";
+        arg[2] = cmd;
+        arg[3] = NULL;
+
+        clearenv();
+        sbox_exec_v(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, arg);
+        // it will never get here!!
+}
+
 void check_netfilter_file(const char *fname) {
         EUID_ASSERT();
 
diff --git a/src/firejail/netns.c b/src/firejail/netns.c
index b5d6fb636..c72c009ae 100644
--- a/src/firejail/netns.c
+++ b/src/firejail/netns.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2020-2021 Firejail Authors
+ * Copyright (C) 2020-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/firejail/network.c b/src/firejail/network.c
index f7142cefd..e631745fb 100644
--- a/src/firejail/network.c
+++ b/src/firejail/network.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -217,7 +217,7 @@ int net_add_route(uint32_t ip, uint32_t mask, uint32_t gw) {
 
 #define BUFSIZE 1024
 uint32_t network_get_defaultgw(void) {
-        FILE *fp = fopen("/proc/self/net/route", "r");
+        FILE *fp = fopen("/proc/self/net/route", "re");
         if (!fp)
                 errExit("fopen");
 
diff --git a/src/firejail/network_main.c b/src/firejail/network_main.c
index ee3c00872..dd66ecc55 100644
--- a/src/firejail/network_main.c
+++ b/src/firejail/network_main.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -292,7 +292,7 @@ void net_dns_print(pid_t pid) {
                         errExit("chdir");
 
                 // access /etc/resolv.conf
-                FILE *fp = fopen("/etc/resolv.conf", "r");
+                FILE *fp = fopen("/etc/resolv.conf", "re");
                 if (!fp) {
                         fprintf(stderr, "Error: cannot access /etc/resolv.conf\n");
                         exit(1);
diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c
index 60a82821e..c57d397ef 100644
--- a/src/firejail/no_sandbox.c
+++ b/src/firejail/no_sandbox.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -20,6 +20,7 @@
 #include "firejail.h"
 #include <sys/types.h>
 #include <sys/stat.h>
+#include <errno.h>
 #include <unistd.h>
 #include <grp.h>
 
@@ -47,7 +48,8 @@ int check_namespace_virt(void) {
 
         // check PID 1 container environment variable
         EUID_ROOT();
-        FILE *fp = fopen("/proc/1/environ", "r");
+        FILE *fp = fopen("/proc/1/environ", "re");
+        EUID_USER();
         if (fp) {
                 int c = 0;
                 while (c != EOF) {
@@ -68,7 +70,6 @@ int check_namespace_virt(void) {
                                 // found it
                                 if (is_container(buf + 10)) {
                                         fclose(fp);
-                                        EUID_USER();
                                         return 1;
                                 }
                         }
@@ -78,7 +79,6 @@ int check_namespace_virt(void) {
                 fclose(fp);
         }
 
-        EUID_USER();
         return 0;
 }
 
@@ -105,20 +105,15 @@ int check_kernel_procs(void) {
         // look at the first 10 processes
         // if a kernel process is found, return 1
         for (i = 1; i <= 10; i++) {
-                struct stat s;
                 char *fname;
                 if (asprintf(&fname, "/proc/%d/comm", i) == -1)
                         errExit("asprintf");
-                if (stat(fname, &s) == -1) {
-                        free(fname);
-                        continue;
-                }
 
                 // open file
-                /* coverity[toctou] */
-                FILE *fp = fopen(fname, "r");
+                FILE *fp = fopen(fname, "re");
                 if (!fp) {
-                        fwarning("cannot open %s\n", fname);
+                        if (errno != ENOENT)
+                                fwarning("cannot open %s\n", fname);
                         free(fname);
                         continue;
                 }
@@ -208,7 +203,7 @@ void run_no_sandbox(int argc, char **argv) {
                 // force --shell=none in order to not break firecfg symbolic links
                 arg_shell_none = 1;
 
-                build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index);
+                build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index, true);
         }
 
         fwarning("an existing sandbox was detected. "
diff --git a/src/firejail/output.c b/src/firejail/output.c
index 835dff2db..f9df9f3d4 100644
--- a/src/firejail/output.c
+++ b/src/firejail/output.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -50,13 +50,21 @@ void check_output(int argc, char **argv) {
         if (!outindex)
                 return;
 
-
-        // check filename
         drop_privs(0);
         char *outfile = argv[outindex];
         outfile += (enable_stderr)? 16:9;
+
+        // check filename
         invalid_filename(outfile, 0); // no globbing
 
+        // expand user home directory
+        if (outfile[0] == '~') {
+                char *full;
+                if (asprintf(&full, "%s%s", cfg.homedir, outfile + 1) == -1)
+                        errExit("asprintf");
+                outfile = full;
+        }
+
         // do not accept directories, links, and files with ".."
         if (strstr(outfile, "..") || is_link(outfile) || is_dir(outfile)) {
                 fprintf(stderr, "Error: invalid output file. Links, directories and files with \"..\" are not allowed.\n");
diff --git a/src/firejail/paths.c b/src/firejail/paths.c
index b800fa944..6d62c9004 100644
--- a/src/firejail/paths.c
+++ b/src/firejail/paths.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -136,7 +136,7 @@ int program_in_path(const char *program) {
                         // ('x' permission means something different for directories).
                         // exec follows symlinks, so use stat, not lstat.
                         struct stat st;
-                        if (stat(scratch, &st)) {
+                        if (stat_as_user(scratch, &st)) {
                                 perror(scratch);
                                 exit(1);
                         }
diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c
index 7f602545d..da50e9a82 100644
--- a/src/firejail/preproc.c
+++ b/src/firejail/preproc.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -164,7 +164,7 @@ void preproc_clean_run(void) {
         int max_pids=32769;
         int start_pid = 100;
         // extract real max_pids
-        FILE *fp = fopen("/proc/sys/kernel/pid_max", "r");
+        FILE *fp = fopen("/proc/sys/kernel/pid_max", "re");
         if (fp) {
                 int val;
                 if (fscanf(fp, "%d", &val) == 1) {
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 2ea32b665..5bc77263a 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -18,10 +18,12 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "firejail.h"
+#include "../include/gcov_wrapper.h"
 #include "../include/seccomp.h"
 #include "../include/syscall.h"
 #include <dirent.h>
 #include <sys/stat.h>
+
 extern char *xephyr_screen;
 
 #define MAX_READ 8192                             // line buffer for profile files
@@ -70,6 +72,7 @@ static int profile_find(const char *name, const char *dir, int add_ext) {
 // search and read the profile specified by name from firejail directories
 // return  1 if a profile was found
 int profile_find_firejail(const char *name, int add_ext) {
+#ifndef HAVE_ONLY_SYSCFG_PROFILES
         // look for a profile in ~/.config/firejail directory
         char *usercfgdir;
         if (asprintf(&usercfgdir, "%s/.config/firejail", cfg.homedir) == -1)
@@ -82,6 +85,9 @@ int profile_find_firejail(const char *name, int add_ext) {
                 rv = profile_find(name, SYSCONFDIR, add_ext);
 
         return rv;
+#else
+        return profile_find(name, SYSCONFDIR, add_ext);
+#endif
 }
 
 //***************************************************
@@ -173,6 +179,10 @@ static int check_allow_drm(void) {
         return checkcfg(CFG_BROWSER_ALLOW_DRM) != 0;
 }
 
+static int check_allow_tray(void) {
+        return checkcfg(CFG_ALLOW_TRAY) != 0;
+}
+
 Cond conditionals[] = {
         {"HAS_APPIMAGE", check_appimage},
         {"HAS_NET", check_netoptions},
@@ -182,6 +192,7 @@ Cond conditionals[] = {
         {"HAS_X11", check_x11},
         {"BROWSER_DISABLE_U2F", check_disable_u2f},
         {"BROWSER_ALLOW_DRM", check_allow_drm},
+        {"ALLOW_TRAY", check_allow_tray},
         { NULL, NULL }
 };
 
@@ -283,6 +294,15 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 return 0;
         }
 
+        if (strncmp(ptr, "keep-fd ", 8) == 0) {
+                if (strcmp(ptr + 8, "all") == 0)
+                        arg_keep_fd_all = 1;
+                else {
+                        const char *add = ptr + 8;
+                        profile_list_augment(&cfg.keep_fd, add);
+                }
+                return 0;
+        }
         if (strncmp(ptr, "xephyr-screen ", 14) == 0) {
 #ifdef HAVE_X11
                 if (checkcfg(CFG_X11)) {
@@ -373,6 +393,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 #endif
                 return 0;
         }
+        else if (strcmp(ptr, "tab") == 0) {
+                arg_tab = 1;
+                return 0;
+        }
         else if (strcmp(ptr, "private-cwd") == 0) {
                 cfg.cwd = NULL;
                 arg_private_cwd = 1;
@@ -409,13 +433,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 return 0;
         }
         else if (strcmp(ptr, "nogroups") == 0) {
-                // nvidia cards require video group; disable nogroups
-                if (access("/dev/nvidiactl", R_OK) == 0 && arg_no3d == 0) {
-                        fwarning("Warning: NVIDIA card detected, nogroups command disabled\n");
-                        arg_nogroups = 0;
-                }
-                else
-                        arg_nogroups = 1;
+                arg_nogroups = 1;
                 return 0;
         }
         else if (strcmp(ptr, "nosound") == 0) {
@@ -423,7 +441,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 return 0;
         }
         else if (strcmp(ptr, "noautopulse") == 0) {
-                arg_noautopulse = 1;
+                arg_keep_config_pulse = 1;
                 return 0;
         }
         else if (strcmp(ptr, "notv") == 0) {
@@ -442,6 +460,12 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 arg_no3d = 1;
                 return 0;
         }
+        else if (strcmp(ptr, "noprinters") == 0) {
+                arg_noprinters = 1;
+                profile_add("blacklist /dev/lp*");
+                profile_add("blacklist /run/cups/cups.sock");
+                return 0;
+        }
         else if (strcmp(ptr, "noinput") == 0) {
                 arg_noinput = 1;
                 return 0;
@@ -628,7 +652,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 #endif
                 return 0;
         }
-        else if (strncmp(ptr, "netns  ", 6) == 0) {
+        else if (strncmp(ptr, "netns ", 6) == 0) {
 #ifdef HAVE_NETWORK
                 if (checkcfg(CFG_NETWORK)) {
                         arg_netns = ptr + 6;
@@ -979,10 +1003,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                         warning_feature_disabled("seccomp");
                 return 0;
         }
-        if (strncmp(ptr, "seccomp.32.drop ", 13) == 0) {
+        if (strncmp(ptr, "seccomp.32.drop ", 16) == 0) {
                 if (checkcfg(CFG_SECCOMP)) {
                         arg_seccomp32 = 1;
-                        cfg.seccomp_list_drop32 = seccomp_check_list(ptr + 13);
+                        cfg.seccomp_list_drop32 = seccomp_check_list(ptr + 16);
                 }
                 else
                         warning_feature_disabled("seccomp");
@@ -999,10 +1023,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                         warning_feature_disabled("seccomp");
                 return 0;
         }
-        if (strncmp(ptr, "seccomp.32.keep ", 13) == 0) {
+        if (strncmp(ptr, "seccomp.32.keep ", 16) == 0) {
                 if (checkcfg(CFG_SECCOMP)) {
                         arg_seccomp32 = 1;
-                        cfg.seccomp_list_keep32 = seccomp_check_list(ptr + 13);
+                        cfg.seccomp_list_keep32 = seccomp_check_list(ptr + 16);
                 }
                 else
                         warning_feature_disabled("seccomp");
@@ -1099,7 +1123,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 else if (cfg.dns4 == NULL)
                         cfg.dns4 = dns;
                 else {
-                        fwarning("Warning: up to 4 DNS servers can be specified, %s ignored\n", dns);
+                        fwarning("up to 4 DNS servers can be specified, %s ignored\n", dns);
                         free(dns);
                 }
                 return 0;
@@ -1122,8 +1146,14 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 
         // cgroup
         if (strncmp(ptr, "cgroup ", 7) == 0) {
-                if (checkcfg(CFG_CGROUP))
-                        set_cgroup(ptr + 7);
+                if (checkcfg(CFG_CGROUP)) {
+                        cfg.cgroup = strdup(ptr + 7);
+                        if (!cfg.cgroup)
+                                errExit("strdup");
+
+                        check_cgroup_file(cfg.cgroup);
+                        set_cgroup(cfg.cgroup, getpid());
+                }
                 else
                         warning_feature_disabled("cgroup");
                 return 0;
@@ -1143,6 +1173,12 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 arg_machineid = 1;
                 return 0;
         }
+
+        if (strcmp(ptr, "keep-config-pulse") == 0) {
+                arg_keep_config_pulse = 1;
+                return 0;
+        }
+
         // writable-var
         if (strcmp(ptr, "writable-var") == 0) {
                 arg_writable_var = 1;
@@ -1269,56 +1305,69 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 
         // private /etc list of files and directories
         if (strncmp(ptr, "private-etc ", 12) == 0) {
-                if (arg_writable_etc) {
-                        fprintf(stderr, "Error: --private-etc and --writable-etc are mutually exclusive\n");
-                        exit(1);
-                }
-                if (cfg.etc_private_keep) {
-                        if ( asprintf(&cfg.etc_private_keep, "%s,%s", cfg.etc_private_keep, ptr + 12) < 0 )
-                                errExit("asprintf");
-                } else {
-                        cfg.etc_private_keep = ptr + 12;
+                if (checkcfg(CFG_PRIVATE_ETC)) {
+                        if (arg_writable_etc) {
+                                fprintf(stderr, "Error: --private-etc and --writable-etc are mutually exclusive\n");
+                                exit(1);
+                        }
+                        if (cfg.etc_private_keep) {
+                                if ( asprintf(&cfg.etc_private_keep, "%s,%s", cfg.etc_private_keep, ptr + 12) < 0 )
+                                        errExit("asprintf");
+                        } else {
+                                cfg.etc_private_keep = ptr + 12;
+                        }
+                        arg_private_etc = 1;
                 }
-                arg_private_etc = 1;
-
+                else
+                        warning_feature_disabled("private-etc");
                 return 0;
         }
 
         // private /opt list of files and directories
         if (strncmp(ptr, "private-opt ", 12) == 0) {
-                if (cfg.opt_private_keep) {
-                        if ( asprintf(&cfg.opt_private_keep, "%s,%s", cfg.opt_private_keep, ptr + 12) < 0 )
-                                errExit("asprintf");
-                } else {
-                        cfg.opt_private_keep = ptr + 12;
+                if (checkcfg(CFG_PRIVATE_OPT)) {
+                        if (cfg.opt_private_keep) {
+                                if ( asprintf(&cfg.opt_private_keep, "%s,%s", cfg.opt_private_keep, ptr + 12) < 0 )
+                                        errExit("asprintf");
+                        } else {
+                                cfg.opt_private_keep = ptr + 12;
+                        }
+                        arg_private_opt = 1;
                 }
-                arg_private_opt = 1;
-
+                else
+                        warning_feature_disabled("private-opt");
                 return 0;
         }
 
         // private /srv list of files and directories
         if (strncmp(ptr, "private-srv ", 12) == 0) {
-                if (cfg.srv_private_keep) {
-                        if ( asprintf(&cfg.srv_private_keep, "%s,%s", cfg.srv_private_keep, ptr + 12) < 0 )
-                                errExit("asprintf");
-                } else {
-                        cfg.srv_private_keep = ptr + 12;
+                if (checkcfg(CFG_PRIVATE_SRV)) {
+                        if (cfg.srv_private_keep) {
+                                if ( asprintf(&cfg.srv_private_keep, "%s,%s", cfg.srv_private_keep, ptr + 12) < 0 )
+                                        errExit("asprintf");
+                        } else {
+                                cfg.srv_private_keep = ptr + 12;
+                        }
+                        arg_private_srv = 1;
                 }
-                arg_private_srv = 1;
-
+                else
+                        warning_feature_disabled("private-srv");
                 return 0;
         }
 
         // private /bin list of files
         if (strncmp(ptr, "private-bin ", 12) == 0) {
-                if (cfg.bin_private_keep) {
-                        if ( asprintf(&cfg.bin_private_keep, "%s,%s", cfg.bin_private_keep, ptr + 12) < 0 )
-                                errExit("asprintf");
-                } else {
-                        cfg.bin_private_keep = ptr + 12;
+                if (checkcfg(CFG_PRIVATE_BIN)) {
+                        if (cfg.bin_private_keep) {
+                                if ( asprintf(&cfg.bin_private_keep, "%s,%s", cfg.bin_private_keep, ptr + 12) < 0 )
+                                        errExit("asprintf");
+                        } else {
+                                cfg.bin_private_keep = ptr + 12;
+                        }
+                        arg_private_bin = 1;
                 }
-                arg_private_bin = 1;
+                else
+                        warning_feature_disabled("private-bin");
                 return 0;
         }
 
@@ -1486,8 +1535,11 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                         arg_rlimit_nproc = 1;
                 }
                 else if (strncmp(ptr, "rlimit-fsize ", 13) == 0) {
-                        check_unsigned(ptr + 13, "Error: invalid rlimit in profile file: ");
-                        sscanf(ptr + 13, "%llu", &cfg.rlimit_fsize);
+                        cfg.rlimit_fsize = parse_arg_size(ptr + 13);
+                        if (cfg.rlimit_fsize == 0) {
+                                perror("Error: invalid rlimit-fsize in profile file. Only use positive numbers and k, m or g suffix.");
+                                exit(1);
+                        }
                         arg_rlimit_fsize = 1;
                 }
                 else if (strncmp(ptr, "rlimit-sigpending ", 18) == 0) {
@@ -1496,8 +1548,11 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                         arg_rlimit_sigpending = 1;
                 }
                 else if (strncmp(ptr, "rlimit-as ", 10) == 0) {
-                        check_unsigned(ptr + 10, "Error: invalid rlimit in profile file: ");
-                        sscanf(ptr + 10, "%llu", &cfg.rlimit_as);
+                        cfg.rlimit_as = parse_arg_size(ptr + 10);
+                        if (cfg.rlimit_as == 0) {
+                                perror("Error: invalid rlimit-as in profile file. Only use positive numbers and k, m or g suffix.");
+                                exit(1);
+                        }
                         arg_rlimit_as = 1;
                 }
                 else {
@@ -1554,6 +1609,11 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 return 0;
         }
 
+        if (strcmp(ptr, "deterministic-shutdown") == 0) {
+                arg_deterministic_shutdown = 1;
+                return 0;
+        }
+
         // rest of filesystem
         if (strncmp(ptr, "blacklist ", 10) == 0)
                 ptr += 10;
@@ -1562,22 +1622,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
         else if (strncmp(ptr, "noblacklist ", 12) == 0)
                 ptr += 12;
         else if (strncmp(ptr, "whitelist ", 10) == 0) {
-#ifdef HAVE_WHITELIST
-                if (checkcfg(CFG_WHITELIST)) {
-                        arg_whitelist = 1;
-                        ptr += 10;
-                }
-                else {
-                        static int whitelist_warning_printed = 0;
-                        if (!whitelist_warning_printed) {
-                                warning_feature_disabled("whitelist");
-                                whitelist_warning_printed = 1;
-                        }
-                        return 0;
-                }
-#else
-                return 0;
-#endif
+                arg_whitelist = 1;
+                ptr += 10;
         }
         else if (strncmp(ptr, "nowhitelist ", 12) == 0)
                 ptr += 12;
@@ -1691,7 +1737,7 @@ void profile_read(const char *fname) {
         }
 
         // open profile file:
-        FILE *fp = fopen(fname, "r");
+        FILE *fp = fopen(fname, "re");
         if (fp == NULL) {
                 fprintf(stderr, "Error: cannot open profile file %s\n", fname);
                 exit(1);
@@ -1708,13 +1754,29 @@ void profile_read(const char *fname) {
         int lineno = 0;
         while (fgets(buf, MAX_READ, fp)) {
                 ++lineno;
+
+                // remove comments
+                char *ptr = strchr(buf, '#');
+                if (ptr)
+                        *ptr = '\0';
+
                 // remove empty space - ptr in allocated memory
-                char *ptr = line_remove_spaces(buf);
+                ptr = line_remove_spaces(buf);
                 if (ptr == NULL)
                         continue;
+                if (*ptr == '\0') {
+                        free(ptr);
+                        continue;
+                }
 
-                // comments
-                if (*ptr == '#' || *ptr == '\0') {
+                if (strncmp(ptr, "whitelist-ro ", 13) == 0) {
+                        char *whitelist, *readonly;
+                        if (asprintf(&whitelist, "whitelist %s", ptr + 13) == -1)
+                                errExit("asprintf");
+                        profile_add(whitelist);
+                        if (asprintf(&readonly, "read-only %s", ptr + 13) == -1)
+                                errExit("asprintf");
+                        profile_add(readonly);
                         free(ptr);
                         continue;
                 }
@@ -1724,7 +1786,7 @@ void profile_read(const char *fname) {
                 if (strcmp(ptr, "quiet") == 0) {
                         if (is_in_ignore_list(ptr))
                                 arg_quiet = 0;
-                        else
+                        else if (!arg_debug)
                                 arg_quiet = 1;
                         free(ptr);
                         continue;
@@ -1771,9 +1833,8 @@ void profile_read(const char *fname) {
 //              else {
 //                      free(ptr);
 //              }
-#ifdef HAVE_GCOV
+
                 __gcov_flush();
-#endif
         }
         fclose(fp);
 }
@@ -1884,7 +1945,7 @@ char *profile_list_compress(char *list)
                         /* Include non-empty item */
                         if (!*item)
                                 in[i] = 0;
-                        /* Remove all allready included items */
+                        /* Remove all already included items */
                         for (k = 0; k < i; ++k)
                                 in[k] = 0;
                         break;
diff --git a/src/firejail/protocol.c b/src/firejail/protocol.c
index 926af7967..37e541f50 100644
--- a/src/firejail/protocol.c
+++ b/src/firejail/protocol.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -23,7 +23,7 @@
 
 void protocol_filter_save(void) {
         // save protocol filter configuration in PROTOCOL_CFG
-        FILE *fp = fopen(RUN_PROTOCOL_CFG, "w");
+        FILE *fp = fopen(RUN_PROTOCOL_CFG, "wxe");
         if (!fp)
                 errExit("fopen");
         fprintf(fp, "%s\n", cfg.protocol);
@@ -35,7 +35,7 @@ void protocol_filter_load(const char *fname) {
         assert(fname);
 
         // read protocol filter configuration from PROTOCOL_CFG
-        FILE *fp = fopen(fname, "r");
+        FILE *fp = fopen(fname, "re");
         if (!fp)
                 return;
 
diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c
index 4b9203c36..320668bf9 100644
--- a/src/firejail/pulseaudio.c
+++ b/src/firejail/pulseaudio.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -25,6 +25,7 @@
 #include <dirent.h>
 #include <errno.h>
 #include <sys/wait.h>
+#include <glob.h>
 
 #include <fcntl.h>
 #ifndef O_PATH
@@ -33,6 +34,59 @@
 
 #define PULSE_CLIENT_SYSCONF "/etc/pulse/client.conf"
 
+
+
+static void disable_rundir_pipewire(const char *path) {
+        assert(path);
+
+        // globbing for path/pipewire-*
+        char *pattern;
+        if (asprintf(&pattern, "%s/pipewire-*", path) == -1)
+                errExit("asprintf");
+
+        glob_t globbuf;
+        int globerr = glob(pattern, GLOB_NOCHECK | GLOB_NOSORT, NULL, &globbuf);
+        if (globerr) {
+                fprintf(stderr, "Error: failed to glob pattern %s\n", pattern);
+                exit(1);
+        }
+
+        size_t i;
+        for (i = 0; i < globbuf.gl_pathc; i++) {
+                char *dir = globbuf.gl_pathv[i];
+                assert(dir);
+
+                // don't disable symlinks - disable_file_or_dir will bind-mount an empty directory on top of it!
+                if (is_link(dir))
+                        continue;
+                disable_file_or_dir(dir);
+        }
+        globfree(&globbuf);
+        free(pattern);
+}
+
+
+
+// disable pipewire socket
+void pipewire_disable(void) {
+        if (arg_debug)
+                printf("disable pipewire\n");
+        // blacklist user config directory
+        disable_file_path(cfg.homedir, ".config/pipewire");
+
+        // blacklist pipewire in XDG_RUNTIME_DIR
+        const char *name = env_get("XDG_RUNTIME_DIR");
+        if (name)
+                disable_rundir_pipewire(name);
+
+        // try the default location anyway
+        char *path;
+        if (asprintf(&path, "/run/user/%d", getuid()) == -1)
+                errExit("asprintf");
+        disable_rundir_pipewire(path);
+        free(path);
+}
+
 // disable pulseaudio socket
 void pulseaudio_disable(void) {
         if (arg_debug)
@@ -75,38 +129,41 @@ void pulseaudio_disable(void) {
         closedir(dir);
 }
 
-static void pulseaudio_fallback(const char *path) {
-        assert(path);
-
-        fmessage("Cannot mount tmpfs on %s/.config/pulse\n", cfg.homedir);
-        env_store_name_val("PULSE_CLIENTCONFIG", path, SETENV);
-}
-
 // disable shm in pulseaudio (issue #69)
 void pulseaudio_init(void) {
-        struct stat s;
-
         // do we have pulseaudio in the system?
-        if (stat(PULSE_CLIENT_SYSCONF, &s) == -1) {
+        if (access(PULSE_CLIENT_SYSCONF, R_OK)) {
                 if (arg_debug)
-                        printf("%s not found\n", PULSE_CLIENT_SYSCONF);
+                        printf("Cannot read %s\n", PULSE_CLIENT_SYSCONF);
                 return;
         }
 
+        // create ~/.config/pulse directory if not present
+        char *homeusercfg = NULL;
+        if (asprintf(&homeusercfg, "%s/.config", cfg.homedir) == -1)
+                errExit("asprintf");
+        if (create_empty_dir_as_user(homeusercfg, 0700))
+                fs_logger2("create", homeusercfg);
+
+        free(homeusercfg);
+        if (asprintf(&homeusercfg, "%s/.config/pulse", cfg.homedir) == -1)
+                errExit("asprintf");
+        if (create_empty_dir_as_user(homeusercfg, 0700))
+                fs_logger2("create", homeusercfg);
+
         // create the new user pulseaudio directory
+        // that will be mounted over ~/.config/pulse
         if (mkdir(RUN_PULSE_DIR, 0700) == -1)
                 errExit("mkdir");
-        selinux_relabel_path(RUN_PULSE_DIR, RUN_PULSE_DIR);
-        // mount it nosuid, noexec, nodev
+        selinux_relabel_path(RUN_PULSE_DIR, homeusercfg);
         fs_remount(RUN_PULSE_DIR, MOUNT_NOEXEC, 0);
-
         // create the new client.conf file
         char *pulsecfg = NULL;
         if (asprintf(&pulsecfg, "%s/client.conf", RUN_PULSE_DIR) == -1)
                 errExit("asprintf");
         if (copy_file(PULSE_CLIENT_SYSCONF, pulsecfg, -1, -1, 0644)) // root needed
                 errExit("copy_file");
-        FILE *fp = fopen(pulsecfg, "a");
+        FILE *fp = fopen(pulsecfg, "ae");
         if (!fp)
                 errExit("fopen");
         fprintf(fp, "%s", "\nenable-shm = no\n");
@@ -116,37 +173,14 @@ void pulseaudio_init(void) {
         if (set_perms(RUN_PULSE_DIR, getuid(), getgid(), 0700))
                 errExit("set_perms");
 
-        // create ~/.config/pulse directory if not present
-        char *homeusercfg = NULL;
-        if (asprintf(&homeusercfg, "%s/.config", cfg.homedir) == -1)
-                errExit("asprintf");
-        if (create_empty_dir_as_user(homeusercfg, 0700))
-                fs_logger2("create", homeusercfg);
-
-        free(homeusercfg);
-        if (asprintf(&homeusercfg, "%s/.config/pulse", cfg.homedir) == -1)
-                errExit("asprintf");
-        if (create_empty_dir_as_user(homeusercfg, 0700))
-                fs_logger2("create", homeusercfg);
-
         // if ~/.config/pulse exists and there are no symbolic links, mount the new directory
         // else set environment variable
-        int fd = safe_fd(homeusercfg, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
+        EUID_USER();
+        int fd = safer_openat(-1, homeusercfg, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
+        EUID_ROOT();
         if (fd == -1) {
-                pulseaudio_fallback(pulsecfg);
-                goto out;
-        }
-        // confirm the actual mount destination is owned by the user
-        if (fstat(fd, &s) == -1) { // FUSE
-                if (errno != EACCES)
-                        errExit("fstat");
-                close(fd);
-                pulseaudio_fallback(pulsecfg);
-                goto out;
-        }
-        if (s.st_uid != getuid()) {
-                close(fd);
-                pulseaudio_fallback(pulsecfg);
+                fwarning("not mounting tmpfs on %s\n", homeusercfg);
+                env_store_name_val("PULSE_CLIENTCONFIG", pulsecfg, SETENV);
                 goto out;
         }
         // preserve a read-only mount
@@ -158,17 +192,13 @@ void pulseaudio_init(void) {
         // mount via the link in /proc/self/fd
         if (arg_debug)
                 printf("Mounting %s on %s\n", RUN_PULSE_DIR, homeusercfg);
-        char *proc;
-        if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
-                errExit("asprintf");
-        if (mount(RUN_PULSE_DIR, proc, "none", MS_BIND, NULL) < 0)
+        if (bind_mount_path_to_fd(RUN_PULSE_DIR, fd))
                 errExit("mount pulseaudio");
         // check /proc/self/mountinfo to confirm the mount is ok
         MountData *mptr = get_last_mount();
         if (strcmp(mptr->dir, homeusercfg) != 0 || strcmp(mptr->fstype, "tmpfs") != 0)
                 errLogExit("invalid pulseaudio mount");
         fs_logger2("tmpfs", homeusercfg);
-        free(proc);
         close(fd);
 
         char *p;
diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c
index a0ca4c02c..447d7b663 100644
--- a/src/firejail/restrict_users.c
+++ b/src/firejail/restrict_users.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -21,7 +21,6 @@
 #include "../include/firejail_user.h"
 #include <sys/mount.h>
 #include <sys/stat.h>
-#include <linux/limits.h>
 #include <fnmatch.h>
 #include <glob.h>
 #include <dirent.h>
@@ -73,7 +72,7 @@ static void sanitize_home(void) {
         if (arg_debug)
                 printf("Cleaning /home directory\n");
         // open user home directory in order to keep it around
-        int fd = safe_fd(cfg.homedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
+        int fd = safer_openat(-1, cfg.homedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
         if (fd == -1)
                 goto errout;
         if (fstat(fd, &s) == -1) { // FUSE
@@ -104,12 +103,8 @@ static void sanitize_home(void) {
         selinux_relabel_path(cfg.homedir, cfg.homedir);
 
         // bring back real user home directory
-        char *proc;
-        if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
-                errExit("asprintf");
-        if (mount(proc, cfg.homedir, NULL, MS_BIND|MS_REC, NULL) < 0)
+        if (bind_mount_fd_to_path(fd, cfg.homedir))
                 errExit("mount bind");
-        free(proc);
         close(fd);
 
         if (!arg_private)
@@ -154,12 +149,8 @@ static void sanitize_run(void) {
         selinux_relabel_path(runuser, runuser);
 
         // bring back real run/user/$UID directory
-        char *proc;
-        if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
-                errExit("asprintf");
-        if (mount(proc, runuser, NULL, MS_BIND|MS_REC, NULL) < 0)
+        if (bind_mount_fd_to_path(fd, runuser))
                 errExit("mount bind");
-        free(proc);
         close(fd);
 
         fs_logger2("whitelist", runuser);
@@ -183,10 +174,10 @@ static void sanitize_passwd(void) {
 
         // open files
         /* coverity[toctou] */
-        fpin = fopen("/etc/passwd", "r");
+        fpin = fopen("/etc/passwd", "re");
         if (!fpin)
                 goto errout;
-        fpout = fopen(RUN_PASSWD_FILE, "w");
+        fpout = fopen(RUN_PASSWD_FILE, "we");
         if (!fpout)
                 goto errout;
 
@@ -246,6 +237,11 @@ static void sanitize_passwd(void) {
         // mount-bind tne new password file
         if (mount(RUN_PASSWD_FILE, "/etc/passwd", "none", MS_BIND, "mode=400,gid=0") < 0)
                 errExit("mount");
+
+        // blacklist RUN_PASSWD_FILE
+        if (mount(RUN_RO_FILE, RUN_PASSWD_FILE, "none", MS_BIND, "mode=400,gid=0") < 0)
+                errExit("mount");
+
         fs_logger("create /etc/passwd");
 
         return;
@@ -318,10 +314,10 @@ static void sanitize_group(void) {
 
         // open files
         /* coverity[toctou] */
-        fpin = fopen("/etc/group", "r");
+        fpin = fopen("/etc/group", "re");
         if (!fpin)
                 goto errout;
-        fpout = fopen(RUN_GROUP_FILE, "w");
+        fpout = fopen(RUN_GROUP_FILE, "we");
         if (!fpout)
                 goto errout;
 
@@ -376,6 +372,11 @@ static void sanitize_group(void) {
         // mount-bind tne new group file
         if (mount(RUN_GROUP_FILE, "/etc/group", "none", MS_BIND, "mode=400,gid=0") < 0)
                 errExit("mount");
+
+        // blacklist RUN_GROUP_FILE
+        if (mount(RUN_RO_FILE, RUN_GROUP_FILE, "none", MS_BIND, "mode=400,gid=0") < 0)
+                errExit("mount");
+
         fs_logger("create /etc/group");
 
         return;
diff --git a/src/firejail/restricted_shell.c b/src/firejail/restricted_shell.c
index ae453f4f1..c1340cae1 100644
--- a/src/firejail/restricted_shell.c
+++ b/src/firejail/restricted_shell.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -32,7 +32,7 @@ int restricted_shell(const char *user) {
         char *fname;
         if (asprintf(&fname, "%s/login.users", SYSCONFDIR) == -1)
                 errExit("asprintf");
-        FILE *fp = fopen(fname, "r");
+        FILE *fp = fopen(fname, "re");
         free(fname);
         if (fp == NULL)
                 return 0;
@@ -96,7 +96,7 @@ int restricted_shell(const char *user) {
                                 fullargv[i] = ptr;
 #ifdef DEBUG_RESTRICTED_SHELL
                                 {EUID_ROOT();
-                                FILE *fp = fopen("/firelog", "a");
+                                FILE *fp = fopen("/firelog", "ae");
                                 if (fp) {
                                         fprintf(fp, "i %d ptr #%s#\n", i, fullargv[i]);
                                         fclose(fp);
diff --git a/src/firejail/rlimit.c b/src/firejail/rlimit.c
index 78f00bc63..b10d2c528 100644
--- a/src/firejail/rlimit.c
+++ b/src/firejail/rlimit.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -18,6 +18,7 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "firejail.h"
+#include "../include/gcov_wrapper.h"
 #include <sys/time.h>
 #include <sys/resource.h>
 
@@ -33,9 +34,9 @@ void set_rlimits(void) {
                 // set the new limit
                 rl.rlim_cur = (rlim_t) cfg.rlimit_cpu;
                 rl.rlim_max = (rlim_t) cfg.rlimit_cpu;
-#ifdef HAVE_GCOV
+
                 __gcov_dump();
-#endif
+
                 if (setrlimit(RLIMIT_CPU, &rl) == -1)
                         errExit("setrlimit");
                 if (arg_debug)
@@ -50,9 +51,10 @@ void set_rlimits(void) {
                 // set the new limit
                 rl.rlim_cur = (rlim_t) cfg.rlimit_nofile;
                 rl.rlim_max = (rlim_t) cfg.rlimit_nofile;
-#ifdef HAVE_GCOV        // gcov-instrumented programs might crash at this point
+
+                // gcov-instrumented programs might crash at this point
                 __gcov_dump();
-#endif
+
                 if (setrlimit(RLIMIT_NOFILE, &rl) == -1)
                         errExit("setrlimit");
                 if (arg_debug)
@@ -67,9 +69,9 @@ void set_rlimits(void) {
                 // set the new limit
                 rl.rlim_cur = (rlim_t) cfg.rlimit_nproc;
                 rl.rlim_max = (rlim_t) cfg.rlimit_nproc;
-#ifdef HAVE_GCOV
+
                 __gcov_dump();
-#endif
+
                 if (setrlimit(RLIMIT_NPROC, &rl) == -1)
                         errExit("setrlimit");
                 if (arg_debug)
@@ -84,9 +86,9 @@ void set_rlimits(void) {
                 // set the new limit
                 rl.rlim_cur = (rlim_t) cfg.rlimit_fsize;
                 rl.rlim_max = (rlim_t) cfg.rlimit_fsize;
-#ifdef HAVE_GCOV
+
                 __gcov_dump();
-#endif
+
                 if (setrlimit(RLIMIT_FSIZE, &rl) == -1)
                         errExit("setrlimit");
                 if (arg_debug)
@@ -101,9 +103,9 @@ void set_rlimits(void) {
                 // set the new limit
                 rl.rlim_cur = (rlim_t) cfg.rlimit_sigpending;
                 rl.rlim_max = (rlim_t) cfg.rlimit_sigpending;
-#ifdef HAVE_GCOV
+
                 __gcov_dump();
-#endif
+
                 if (setrlimit(RLIMIT_SIGPENDING, &rl) == -1)
                         errExit("setrlimit");
                 if (arg_debug)
@@ -118,9 +120,9 @@ void set_rlimits(void) {
                 // set the new limit
                 rl.rlim_cur = (rlim_t) cfg.rlimit_as;
                 rl.rlim_max = (rlim_t) cfg.rlimit_as;
-#ifdef HAVE_GCOV
+
                 __gcov_dump();
-#endif
+
                 if (setrlimit(RLIMIT_AS, &rl) == -1)
                         errExit("setrlimit");
                 if (arg_debug)
diff --git a/src/firejail/run_files.c b/src/firejail/run_files.c
index cd44f745f..c971a4f53 100644
--- a/src/firejail/run_files.c
+++ b/src/firejail/run_files.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -101,7 +101,7 @@ void set_name_run_file(pid_t pid) {
                 errExit("asprintf");
 
         // the file is deleted first
-        FILE *fp = fopen(fname, "w");
+        FILE *fp = fopen(fname, "we");
         if (!fp) {
                 fprintf(stderr, "Error: cannot create %s\n", fname);
                 exit(1);
@@ -120,7 +120,7 @@ void set_x11_run_file(pid_t pid, int display) {
                 errExit("asprintf");
 
         // the file is deleted first
-        FILE *fp = fopen(fname, "w");
+        FILE *fp = fopen(fname, "we");
         if (!fp) {
                 fprintf(stderr, "Error: cannot create %s\n", fname);
                 exit(1);
@@ -139,7 +139,7 @@ void set_profile_run_file(pid_t pid, const char *fname) {
 
         EUID_ROOT();
         // the file is deleted first
-        FILE *fp = fopen(runfile, "w");
+        FILE *fp = fopen(runfile, "we");
         if (!fp) {
                 fprintf(stderr, "Error: cannot create %s\n", runfile);
                 exit(1);
diff --git a/src/firejail/run_symlink.c b/src/firejail/run_symlink.c
index 77fac5438..e2847aea6 100644
--- a/src/firejail/run_symlink.c
+++ b/src/firejail/run_symlink.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -22,7 +22,6 @@
 #include <sys/stat.h>
 #include <unistd.h>
 
-extern char *find_in_path(const char *program);
 
 void run_symlink(int argc, char **argv, int run_as_is) {
         EUID_ASSERT();
@@ -77,6 +76,8 @@ void run_symlink(int argc, char **argv, int run_as_is) {
                 a[i + 2] = argv[i + 1];
         }
         a[i + 2] = NULL;
+        if (env_get("LD_PRELOAD") != NULL)
+                fprintf(stderr, "run_symlink: LD_PRELOAD is: '%s'\n", env_get("LD_PRELOAD"));
         assert(env_get("LD_PRELOAD") == NULL);
         assert(getenv("LD_PRELOAD") == NULL);
         execvp(a[0], a);
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 3af828ede..96407d081 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -19,6 +19,7 @@
 */
 
 #include "firejail.h"
+#include "../include/gcov_wrapper.h"
 #include "../include/seccomp.h"
 #include <sys/mman.h>
 #include <sys/mount.h>
@@ -49,7 +50,6 @@
 #include <sys/apparmor.h>
 #endif
 
-
 static int force_nonewprivs = 0;
 
 static int monitored_pid = 0;
@@ -67,7 +67,7 @@ static void sandbox_handler(int sig){
                 if (asprintf(&monfile, "/proc/%d/cmdline", monitored_pid) == -1)
                         errExit("asprintf");
                 while (monsec) {
-                        FILE *fp = fopen(monfile, "r");
+                        FILE *fp = fopen(monfile, "re");
                         if (!fp)
                                 break;
 
@@ -87,9 +87,9 @@ static void sandbox_handler(int sig){
 
         // broadcast a SIGKILL
         kill(-1, SIGKILL);
-        flush_stdin();
 
-        exit(sig);
+        flush_stdin();
+        exit(128 + sig);
 }
 
 static void install_handler(void) {
@@ -162,7 +162,7 @@ static void save_nogroups(void) {
         if (arg_nogroups == 0)
                 return;
 
-        FILE *fp = fopen(RUN_GROUPS_CFG, "w");
+        FILE *fp = fopen(RUN_GROUPS_CFG, "wxe");
         if (fp) {
                 fprintf(fp, "\n");
                 SET_PERMS_STREAM(fp, 0, 0, 0644); // assume mode 0644
@@ -204,7 +204,7 @@ static void save_umask(void) {
 }
 
 static char *create_join_file(void) {
-        int fd = open(RUN_JOIN_FILE, O_RDWR|O_CREAT|O_EXCL|O_CLOEXEC, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
+        int fd = open(RUN_JOIN_FILE, O_RDWR|O_CREAT|O_EXCL|O_CLOEXEC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
         if (fd == -1)
                 errExit("open");
         if (ftruncate(fd, 1) == -1)
@@ -227,7 +227,7 @@ static void sandbox_if_up(Bridge *br) {
         if (br->arg_ip_none == 1);      // do nothing
         else if (br->arg_ip_none == 0 && br->macvlan == 0) {
                 if (br->ipsandbox == br->ip) {
-                        fprintf(stderr, "Error: %d.%d.%d.%d is interface %s address.\n", PRINT_IP(br->ipsandbox), br->dev);
+                        fprintf(stderr, "Error: %d.%d.%d.%d is interface %s address, exiting...\n", PRINT_IP(br->ipsandbox), br->dev);
                         exit(1);
                 }
 
@@ -245,13 +245,17 @@ static void sandbox_if_up(Bridge *br) {
                         br->ipsandbox = arp_assign(dev, br); //br->ip, br->mask);
                 else {
                         if (br->ipsandbox == br->ip) {
-                                fprintf(stderr, "Error: %d.%d.%d.%d is interface %s address.\n", PRINT_IP(br->ipsandbox), br->dev);
+                                fprintf(stderr, "Error: %d.%d.%d.%d is interface %s address, exiting...\n", PRINT_IP(br->ipsandbox), br->dev);
+                                exit(1);
+                        }
+                        if (br->ipsandbox == cfg.defaultgw) {
+                                fprintf(stderr, "Error: %d.%d.%d.%d is the default gateway, exiting...\n", PRINT_IP(br->ipsandbox));
                                 exit(1);
                         }
 
                         uint32_t rv = arp_check(dev, br->ipsandbox);
                         if (rv) {
-                                fprintf(stderr, "Error: the address %d.%d.%d.%d is already in use.\n", PRINT_IP(br->ipsandbox));
+                                fprintf(stderr, "Error: the address %d.%d.%d.%d is already in use, exiting...\n", PRINT_IP(br->ipsandbox));
                                 exit(1);
                         }
                 }
@@ -352,6 +356,15 @@ static int monitor_application(pid_t app_pid) {
                 if (arg_debug)
                         printf("Sandbox monitor: waitpid %d retval %d status %d\n", monitored_pid, rv, status);
 
+                if (arg_deterministic_shutdown) {
+                        if (arg_debug)
+                                printf("Sandbox monitor: monitored process died, shut down the sandbox\n");
+                        kill(-1, SIGTERM);
+                        usleep(100000);
+                        kill(-1, SIGKILL);
+                        break;
+                }
+
                 DIR *dir;
                 if (!(dir = opendir("/proc"))) {
                         // sleep 2 seconds and try again
@@ -373,18 +386,6 @@ static int monitor_application(pid_t app_pid) {
                         if ((pid_t) pid == dhclient4_pid || (pid_t) pid == dhclient6_pid)
                                 continue;
 
-                        // todo: make this generic
-                        // Dillo browser leaves a dpid process running, we need to shut it down
-                        int found = 0;
-                        if (strcmp(cfg.command_name, "dillo") == 0) {
-                                char *pidname = pid_proc_comm(pid);
-                                if (pidname && strcmp(pidname, "dpid") == 0)
-                                        found = 1;
-                                free(pidname);
-                        }
-                        if (found)
-                                break;
-
                         monitored_pid = pid;
                         break;
                 }
@@ -403,7 +404,6 @@ static void print_time(void) {
         fmessage("Child process initialized in %.02f ms\n", delta);
 }
 
-
 // check execute permissions for the program
 // this is done typically by the shell
 // we are here because of --shell=none
@@ -460,10 +460,42 @@ static int ok_to_run(const char *program) {
         return 0;
 }
 
+static void close_file_descriptors(void) {
+        if (arg_keep_fd_all)
+                return;
+
+        if (arg_debug)
+                printf("Closing non-standard file descriptors\n");
+
+        if (!cfg.keep_fd) {
+                close_all(NULL, 0);
+                return;
+        }
+
+        size_t sz = 0;
+        int *keep = str_to_int_array(cfg.keep_fd, &sz);
+        if (!keep) {
+                fprintf(stderr, "Error: invalid keep-fd option\n");
+                exit(1);
+        }
+        close_all(keep, sz);
+        free(keep);
+}
+
+
 void start_application(int no_sandbox, int fd, char *set_sandbox_status) {
-        // set environment
-        if (no_sandbox == 0)
+        if (no_sandbox == 0) {
+                close_file_descriptors();
+
+                // set nice and rlimits
+                if (arg_nice)
+                        set_nice(cfg.nice);
+                set_rlimits();
+
                 env_defaults();
+        }
+
+        // set environment
         env_apply_all();
 
         // restore original umask
@@ -500,9 +532,8 @@ void start_application(int no_sandbox, int fd, char *set_sandbox_status) {
                         exit(1);
                 }
 
-#ifdef HAVE_GCOV
                 __gcov_dump();
-#endif
+
                 seccomp_install_filters();
 
                 if (set_sandbox_status)
@@ -556,9 +587,8 @@ void start_application(int no_sandbox, int fd, char *set_sandbox_status) {
                 if (!arg_command && !arg_quiet)
                         print_time();
 
-#ifdef HAVE_GCOV
                 __gcov_dump();
-#endif
+
                 seccomp_install_filters();
 
                 if (set_sandbox_status)
@@ -796,7 +826,7 @@ int sandbox(void* sandbox_arg) {
 
         // trace pre-install
         if (need_preload)
-                fs_trace_preload();
+                fs_trace_touch_or_store_preload();
 
         // store hosts file
         if (cfg.hosts_file)
@@ -812,8 +842,11 @@ int sandbox(void* sandbox_arg) {
                 //****************************
                 // trace pre-install, this time inside chroot
                 //****************************
-                if (need_preload)
-                        fs_trace_preload();
+                if (need_preload) {
+                        int rv = unlink(RUN_LDPRELOAD_FILE);
+                        (void) rv;
+                        fs_trace_touch_or_store_preload();
+                }
         }
         else
 #endif
@@ -833,6 +866,7 @@ int sandbox(void* sandbox_arg) {
         // private mode
         //****************************
         if (arg_private) {
+                EUID_USER();
                 if (cfg.home_private) { // --private=
                         if (cfg.chrootdir)
                                 fwarning("private=directory feature is disabled in chroot\n");
@@ -851,6 +885,7 @@ int sandbox(void* sandbox_arg) {
                 }
                 else // --private
                         fs_private();
+                EUID_ROOT();
         }
 
         if (arg_private_dev)
@@ -883,16 +918,16 @@ int sandbox(void* sandbox_arg) {
                 else if (arg_overlay)
                         fwarning("private-bin feature is disabled in overlay\n");
                 else {
+                        EUID_USER();
                         // for --x11=xorg we need to add xauth command
                         if (arg_x11_xorg) {
-                                EUID_USER();
                                 char *tmp;
                                 if (asprintf(&tmp, "%s,xauth", cfg.bin_private_keep) == -1)
                                         errExit("asprintf");
                                 cfg.bin_private_keep = tmp;
-                                EUID_ROOT();
                         }
                         fs_private_bin_list();
+                        EUID_ROOT();
                 }
         }
 
@@ -988,7 +1023,7 @@ int sandbox(void* sandbox_arg) {
 
                         // create /etc/ld.so.preload file again
                         if (need_preload)
-                                fs_trace_preload();
+                                fs_trace_touch_preload();
 
                         // openSUSE configuration is split between /etc and /usr/etc
                         // process private-etc a second time
@@ -1000,10 +1035,12 @@ int sandbox(void* sandbox_arg) {
         // apply the profile file
         //****************************
         // apply all whitelist commands ...
+        EUID_USER();
         fs_whitelist();
 
         // ... followed by blacklist commands
         fs_blacklist(); // mkdir and mkfile are processed all over again
+        EUID_ROOT();
 
         //****************************
         // nosound/no3d/notv/novideo and fix for pulseaudio 7.0
@@ -1012,10 +1049,13 @@ int sandbox(void* sandbox_arg) {
                 // disable pulseaudio
                 pulseaudio_disable();
 
+                // disable pipewire
+                pipewire_disable();
+
                 // disable /dev/snd
                 fs_dev_disable_sound();
         }
-        else if (!arg_noautopulse)
+        else if (!arg_keep_config_pulse)
                 pulseaudio_init();
 
         if (arg_no3d)
@@ -1039,7 +1079,7 @@ int sandbox(void* sandbox_arg) {
         //****************************
         // set dns
         //****************************
-        fs_resolvconf();
+        fs_rebuild_etc();
 
         //****************************
         // start dhcp client
@@ -1052,6 +1092,11 @@ int sandbox(void* sandbox_arg) {
         EUID_USER();
         int cwd = 0;
         if (cfg.cwd) {
+                if (is_link(cfg.cwd)) {
+                        fprintf(stderr, "Error: unable to enter private working directory: %s\n", cfg.cwd);
+                        exit(1);
+                }
+
                 if (chdir(cfg.cwd) == 0)
                         cwd = 1;
                 else if (arg_private_cwd) {
@@ -1219,7 +1264,7 @@ int sandbox(void* sandbox_arg) {
         //****************************************
         // drop privileges
         //****************************************
-        drop_privs(arg_nogroups);
+        drop_privs(0);
 
         // kill the sandbox in case the parent died
         prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
@@ -1239,28 +1284,25 @@ int sandbox(void* sandbox_arg) {
 
         if (app_pid == 0) {
 #ifdef HAVE_APPARMOR
-                // add apparmor confinement after the execve
                 set_apparmor();
 #endif
-
-                // set nice and rlimits
-                if (arg_nice)
-                        set_nice(cfg.nice);
-                set_rlimits();
-
                 start_application(0, -1, set_sandbox_status);
         }
 
         munmap(set_sandbox_status, 1);
 
         int status = monitor_application(app_pid);      // monitor application
-        flush_stdin();
 
         if (WIFEXITED(status)) {
                 // if we had a proper exit, return that exit status
-                return WEXITSTATUS(status);
+                status = WEXITSTATUS(status);
+        } else if (WIFSIGNALED(status)) {
+                // distinguish fatal signals by adding 128
+                status = 128 + WTERMSIG(status);
         } else {
-                // something else went wrong!
-                return -1;
+                status = -1;
         }
+
+        flush_stdin();
+        return status;
 }
diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c
index f9c41f661..a37943940 100644
--- a/src/firejail/sbox.c
+++ b/src/firejail/sbox.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -23,6 +23,7 @@
 #include <unistd.h>
 #include <net/if.h>
 #include <stdarg.h>
+#include <sys/resource.h>
 #include <sys/wait.h>
 #include "../include/seccomp.h"
 
@@ -72,11 +73,8 @@ static int __attribute__((noreturn)) sbox_do_exec_v(unsigned filtermask, char *
         }
 
         // close all other file descriptors
-        if ((filtermask & SBOX_KEEP_FDS) == 0) {
-                int i;
-                for (i = 3; i < FIREJAIL_MAX_FD; i++)
-                        close(i); // close open files
-        }
+        if ((filtermask & SBOX_KEEP_FDS) == 0)
+                close_all(NULL, 0);
 
         umask(027);
 
@@ -206,6 +204,11 @@ static int __attribute__((noreturn)) sbox_do_exec_v(unsigned filtermask, char *
         if (filtermask & SBOX_USER)
                 drop_privs(1);
         else if (filtermask & SBOX_ROOT) {
+                // https://seclists.org/oss-sec/2021/q4/43
+                struct rlimit tozero = { .rlim_cur = 0, .rlim_max = 0 };
+                if (setrlimit(RLIMIT_CORE, &tozero))
+                        errExit("setrlimit");
+
                 // elevate privileges in order to get grsecurity working
                 if (setreuid(0, 0))
                         errExit("setreuid");
@@ -248,7 +251,9 @@ int sbox_run(unsigned filtermask, int num, ...) {
         va_start(valist, num);
 
         // build argument list
-        char **arg = malloc((num + 1) * sizeof(char *));
+        char **arg = calloc(num + 1, sizeof(char *));
+        if (!arg)
+                errExit("calloc");
         int i;
         for (i = 0; i < num; i++)
                 arg[i] = va_arg(valist, char *);
@@ -263,7 +268,6 @@ int sbox_run(unsigned filtermask, int num, ...) {
 }
 
 int sbox_run_v(unsigned filtermask, char * const arg[]) {
-        EUID_ROOT();
         assert(arg);
 
         if (arg_debug) {
@@ -283,6 +287,7 @@ int sbox_run_v(unsigned filtermask, char * const arg[]) {
         if (child < 0)
                 errExit("fork");
         if (child == 0) {
+                EUID_ROOT();
                 sbox_do_exec_v(filtermask, arg);
         }
 
@@ -290,8 +295,9 @@ int sbox_run_v(unsigned filtermask, char * const arg[]) {
         if (waitpid(child, &status, 0) == -1 ) {
                 errExit("waitpid");
         }
-        if (WIFEXITED(status) && WEXITSTATUS(status) != 0) {
-                fprintf(stderr, "Error: failed to run %s\n", arg[0]);
+        if (WIFSIGNALED(status) ||
+           (WIFEXITED(status) && WEXITSTATUS(status) != 0)) {
+                fprintf(stderr, "Error: failed to run %s, exiting...\n", arg[0]);
                 exit(1);
         }
 
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index 785c29517..0cd6ac7ec 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -86,7 +86,7 @@ int seccomp_install_filters(void) {
 static void seccomp_save_file_list(const char *fname) {
         assert(fname);
 
-        FILE *fp = fopen(RUN_SECCOMP_LIST, "a+");
+        FILE *fp = fopen(RUN_SECCOMP_LIST, "ae");
         if (!fp)
                 errExit("fopen");
 
@@ -99,7 +99,7 @@ static void seccomp_save_file_list(const char *fname) {
 #define MAXBUF 4096
 static int load_file_list_flag = 0;
 void seccomp_load_file_list(void) {
-        FILE *fp = fopen(RUN_SECCOMP_LIST, "r");
+        FILE *fp = fopen(RUN_SECCOMP_LIST, "re");
         if (!fp)
                 return; // no seccomp configuration whatsoever
 
@@ -122,7 +122,7 @@ int seccomp_load(const char *fname) {
         assert(fname);
 
         // open filter file
-        int fd = open(fname, O_RDONLY);
+        int fd = open(fname, O_RDONLY|O_CLOEXEC);
         if (fd == -1)
                 goto errexit;
 
@@ -208,7 +208,8 @@ int seccomp_filter_drop(bool native) {
         //      - seccomp
         if (cfg.seccomp_list_drop == NULL) {
                 // default seccomp if error action is not changed
-                if (cfg.seccomp_list == NULL && arg_seccomp_error_action == DEFAULT_SECCOMP_ERROR_ACTION) {
+                if ((cfg.seccomp_list == NULL || cfg.seccomp_list[0] == '\0')
+                    && arg_seccomp_error_action == DEFAULT_SECCOMP_ERROR_ACTION) {
                         if (arg_seccomp_block_secondary)
                                 seccomp_filter_block_secondary();
                         else {
@@ -261,7 +262,7 @@ int seccomp_filter_drop(bool native) {
                         }
 
                         // build the seccomp filter as a regular user
-                        if (list)
+                        if (list && list[0])
                                 if (arg_allow_debuggers)
                                         rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 7,
                                                       PATH_FSECCOMP, command, "drop", filter, postexec_filter, list, "allow-debuggers");
@@ -434,11 +435,11 @@ void seccomp_print_filter(pid_t pid) {
         if (asprintf(&fname, "/proc/%d/root%s", pid, RUN_SECCOMP_LIST) == -1)
                 errExit("asprintf");
 
-        struct stat s;
-        if (stat(fname, &s) == -1)
+        int fd = open(fname, O_RDONLY|O_CLOEXEC);
+        if (fd < 0)
                 goto errexit;
 
-        FILE *fp = fopen(fname, "r");
+        FILE *fp = fdopen(fd, "r");
         if (!fp)
                 goto errexit;
         free(fname);
diff --git a/src/firejail/selinux.c b/src/firejail/selinux.c
index 06189d7f6..0348cef4b 100644
--- a/src/firejail/selinux.c
+++ b/src/firejail/selinux.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2020-2021 Firejail and systemd authors
+ * Copyright (C) 2020-2022 Firejail and systemd authors
  *
  * This file is part of firejail project, from systemd selinux-util.c
  *
@@ -19,10 +19,14 @@
 */
 #if HAVE_SELINUX
 #include "firejail.h"
-
 #include <sys/types.h>
 #include <sys/stat.h>
+#include <errno.h>
+
 #include <fcntl.h>
+#ifndef O_PATH
+#define O_PATH 010000000
+#endif
 
 #include <selinux/context.h>
 #include <selinux/label.h>
@@ -52,8 +56,19 @@ void selinux_relabel_path(const char *path, const char *inside_path)
         if (!label_hnd)
                 errExit("selabel_open");
 
-        /* Open the file as O_PATH, to pin it while we determine and adjust the label */
-        fd = open(path, O_NOFOLLOW|O_CLOEXEC|O_PATH);
+        /* Open the file as O_PATH, to pin it while we determine and adjust the label
+         * Defeat symlink races by not allowing symbolic links */
+        int called_as_root = 0;
+        if (geteuid() == 0)
+                called_as_root = 1;
+        if (called_as_root)
+                EUID_USER();
+
+        fd = safer_openat(-1, path, O_NOFOLLOW|O_CLOEXEC|O_PATH);
+
+        if (called_as_root)
+                EUID_ROOT();
+
         if (fd < 0)
                 return;
         if (fstat(fd, &st) < 0)
@@ -64,8 +79,16 @@ void selinux_relabel_path(const char *path, const char *inside_path)
                 if (arg_debug)
                         printf("Relabeling %s as %s (%s)\n", path, inside_path, fcon);
 
-                setfilecon_raw(procfs_path, fcon);
+                if (!called_as_root)
+                        EUID_ROOT();
+
+                if (setfilecon_raw(procfs_path, fcon) != 0 && arg_debug)
+                        printf("Cannot relabel %s: %s\n", path, strerror(errno));
+
+                if (!called_as_root)
+                        EUID_USER();
         }
+
         freecon(fcon);
  close:
         close(fd);
diff --git a/src/firejail/shutdown.c b/src/firejail/shutdown.c
index 8fb03d0a6..44fdd58ab 100644
--- a/src/firejail/shutdown.c
+++ b/src/firejail/shutdown.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -36,8 +36,10 @@ void shut(pid_t pid) {
                 }
                 free(comm);
         }
-        else
-                errExit("/proc/PID/comm");
+        else {
+                fprintf(stderr, "Error: cannot find process %d\n", pid);
+                exit(1);
+        }
 
         // check privileges for non-root users
         uid_t uid = getuid();
@@ -64,7 +66,7 @@ void shut(pid_t pid) {
                 monsec--;
 
                 EUID_ROOT();
-                FILE *fp = fopen(monfile, "r");
+                FILE *fp = fopen(monfile, "re");
                 EUID_USER();
                 if (!fp) {
                         killdone = 1;
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 397150158..2dd913b5e 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -58,16 +58,18 @@ static char *usage_str =
 #ifdef HAVE_DBUSPROXY
         "    --dbus-log=file - set DBus log file location.\n"
         "    --dbus-system=filter|none - set system DBus access policy.\n"
-        "    --dbus-system.broadcast=rule - allow signals on the system DBus according to rule.\n"
+        "    --dbus-system.broadcast=rule - allow signals on the system DBus according\n"
+        "\tto rule.\n"
         "    --dbus-system.call=rule - allow calls on the system DBus according to rule.\n"
-        "    --dbus-system.log - turn on logging for the system DBus."
+        "    --dbus-system.log - turn on logging for the system DBus.\n"
         "    --dbus-system.own=name - allow ownership of name on the system DBus.\n"
         "    --dbus-system.see=name - allow seeing name on the system DBus.\n"
         "    --dbus-system.talk=name - allow talking to name on the system DBus.\n"
         "    --dbus-user=filter|none - set session DBus access policy.\n"
-        "    --dbus-user.broadcast=rule - allow signals on the session DBus according to rule.\n"
+        "    --dbus-user.broadcast=rule - allow signals on the session DBus according\n"
+        "\tto rule.\n"
         "    --dbus-user.call=rule - allow calls on the session DBus according to rule.\n"
-        "    --dbus-user.log - turn on logging for the user DBus."
+        "    --dbus-user.log - turn on logging for the user DBus.\n"
         "    --dbus-user.own=name - allow ownership of name on the session DBus.\n"
         "    --dbus-user.see=name - allow seeing name on the session DBus.\n"
         "    --dbus-user.talk=name - allow talking to name on the session DBus.\n"
@@ -80,13 +82,12 @@ static char *usage_str =
         "    --debug-protocols - print all recognized protocols.\n"
         "    --debug-syscalls - print all recognized system calls.\n"
         "    --debug-syscalls32 - print all recognized 32 bit system calls.\n"
-#ifdef HAVE_WHITELIST
         "    --debug-whitelists - debug whitelisting.\n"
-#endif
 #ifdef HAVE_NETWORK
         "    --defaultgw=address - configure default gateway.\n"
 #endif
         "    --deterministic-exit-code - always exit with first child's status code.\n"
+        "    --deterministic-shutdown - terminate orphan processes.\n"
         "    --dns=address - set DNS server.\n"
         "    --dns.print=name|pid - print DNS configuration.\n"
         "    --env=name=value - set environment variable.\n"
@@ -97,6 +98,8 @@ static char *usage_str =
         "    --help, -? - this help screen.\n"
         "    --hostname=name - set sandbox hostname.\n"
         "    --hosts-file=file - use file as /etc/hosts.\n"
+        "    --ids-check - verify file system.\n"
+        "    --ids-init - initialize IDS database.\n"
         "    --ignore=command - ignore command in profile files.\n"
 #ifdef HAVE_NETWORK
         "    --interface=name - move interface in sandbox.\n"
@@ -114,7 +117,9 @@ static char *usage_str =
         "    --join-network=name|pid - join the network namespace.\n"
 #endif
         "    --join-or-start=name|pid - join the sandbox or start a new one.\n"
-        "    --keep-dev-shm - /dev/shm directory is untouched (even with --private-dev).\n"
+        "    --keep-config-pulse - disable automatic ~/.config/pulse init.\n"
+        "    --keep-dev-shm - /dev/shm directory is untouched (even with --private-dev).\n"
+        "    --keep-fd - inherit open file descriptors to sandbox.\n"
         "    --keep-var-tmp - /var/tmp directory is untouched.\n"
         "    --list - list all sandboxes.\n"
 #ifdef HAVE_FILE_TRANSFER
@@ -123,7 +128,7 @@ static char *usage_str =
 #ifdef HAVE_NETWORK
         "    --mac=xx:xx:xx:xx:xx:xx - set interface MAC address.\n"
 #endif
-        "    --machine-id - preserve /etc/machine-id\n"
+        "    --machine-id - spoof /etc/machine-id with a random id\n"
         "    --memory-deny-write-execute - seccomp filter to block attempts to create\n"
         "\tmemory mappings that are both writable and executable.\n"
         "    --mkdir=dirname - create a directory.\n"
@@ -142,10 +147,12 @@ static char *usage_str =
         "    --netfilter.print=name|pid - print the firewall.\n"
         "    --netfilter6=filename - enable IPv6 firewall.\n"
         "    --netfilter6.print=name|pid - print the IPv6 firewall.\n"
-        "    --netmask=address - define a network mask when dealing with unconfigured"
-        "\tparrent interfaces.\n"
+        "    --netlock - enable the network locking feature\n"
+        "    --netmask=address - define a network mask when dealing with unconfigured\n"
+        "\tparent interfaces.\n"
         "    --netns=name - Run the program in a named, persistent network namespace.\n"
         "    --netstats - monitor network statistics.\n"
+        "    --nettrace - monitor TCP and UDP traffic coming into the sandbox.\n"
 #endif
         "    --nice=value - set nice value.\n"
         "    --no3d - disable 3D hardware acceleration.\n"
@@ -154,7 +161,9 @@ static char *usage_str =
         "    --nodvd - disable DVD and audio CD devices.\n"
         "    --noexec=filename - remount the file or directory noexec nosuid and nodev.\n"
         "    --nogroups - disable supplementary groups.\n"
+        "    --noinput - disable input devices.\n"
         "    --nonewprivs - sets the NO_NEW_PRIVS prctl.\n"
+        "    --noprinters - disable printers.\n"
         "    --noprofile - do not use a security profile.\n"
 #ifdef HAVE_USERNS
         "    --noroot - install a user namespace with only the current user.\n"
@@ -236,6 +245,8 @@ static char *usage_str =
         "    --shell=none - run the program directly without a user shell.\n"
         "    --shell=program - set default user shell.\n"
         "    --shutdown=name|pid - shutdown the sandbox identified by name or PID.\n"
+        "    --tab - enable shell tab completion in sandboxes using private or\n"
+        "\twhitelisted home directories.\n"
         "    --timeout=hh:mm:ss - kill the sandbox automatically after the time\n"
         "\thas elapsed.\n"
         "    --tmpfs=dirname - mount a tmpfs filesystem on directory dirname.\n"
@@ -250,9 +261,7 @@ static char *usage_str =
 #ifdef HAVE_NETWORK
         "    --veth-name=name - use this name for the interface connected to the bridge.\n"
 #endif
-#ifdef HAVE_WHITELIST
         "    --whitelist=filename - whitelist directory or file.\n"
-#endif
         "    --writable-etc - /etc directory is mounted read-write.\n"
         "    --writable-run-user - allow access to /run/user/$UID/systemd and\n"
         "\t/run/user/$UID/gnupg.\n"
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 2ad85acd6..109105630 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -19,8 +19,7 @@
  */
 #define _XOPEN_SOURCE 500
 #include "firejail.h"
-#include <ftw.h>
-#include <sys/stat.h>
+#include "../include/gcov_wrapper.h"
 #include <sys/mount.h>
 #include <syslog.h>
 #include <errno.h>
@@ -46,6 +45,44 @@
 #define EMPTY_STRING ("")
 
 
+long long unsigned parse_arg_size(char *str) {
+        long long unsigned result = 0;
+        int len = strlen(str);
+        sscanf(str, "%llu", &result);
+
+        char suffix = *(str + len - 1);
+        if (!isdigit(suffix) && (suffix == 'k' || suffix == 'm' || suffix == 'g')) {
+                len -= 1;
+        }
+
+        /* checks for is value valid positive number */
+        for (int i = 0; i < len; i++) {
+                if (!isdigit(*(str+i))) {
+                        return 0;
+                }
+        }
+
+        if (isdigit(suffix))
+                return result;
+
+        switch (suffix) {
+        case 'k':
+                result *= 1024;
+                break;
+        case 'm':
+                result *= 1024 * 1024;
+                break;
+        case 'g':
+                result *= 1024 * 1024 * 1024;
+                break;
+        default:
+                result = 0;
+                break;
+        }
+
+        return result;
+}
+
 // send the error to /var/log/auth.log and exit after a small delay
 void errLogExit(char* fmt, ...) {
         va_list args;
@@ -66,6 +103,72 @@ void errLogExit(char* fmt, ...) {
         exit(1);
 }
 
+// Returns whether all supplementary groups can be safely dropped
+int check_can_drop_all_groups() {
+        static int can_drop_all_groups = -1;
+
+        // Avoid needlessly checking (and printing) things twice
+        if (can_drop_all_groups != -1)
+                goto out;
+
+        // nvidia cards require video group; ignore nogroups
+        if (access("/dev/nvidiactl", R_OK) == 0 && arg_no3d == 0) {
+                fwarning("NVIDIA card detected, nogroups command ignored\n");
+                can_drop_all_groups = 0;
+                goto out;
+        }
+
+        /* When we are not sure that the system has working seat-based ACLs
+         * (e.g.: probably yes on (e)udev + (e)logind, probably not on eudev +
+         * seatd), supplementary groups (e.g.: audio and input) might be needed
+         * to avoid breakage (e.g.: audio or gamepads not working).  See #4600
+         * and #4603.
+         */
+        if (access("/run/systemd/seats/", F_OK) != 0) {
+                // TODO: wrc causes this to be printed even with (e)logind (see #4930)
+                //fwarning("logind not detected, nogroups command ignored\n");
+                can_drop_all_groups = 0;
+                goto out;
+        }
+
+        if (arg_debug)
+                fprintf(stderr, "nogroups command not ignored\n");
+        can_drop_all_groups = 1;
+
+out:
+        return can_drop_all_groups;
+}
+
+static int find_group(gid_t group, const gid_t *groups, int ngroups) {
+        int i;
+        for (i = 0; i < ngroups; i++) {
+                if (group == groups[i])
+                        return i;
+        }
+
+        return -1;
+}
+
+// Gets group from "groupname" and adds it to "new_groups" if it exists on
+// "groups".  Always returns the current value of new_ngroups.
+static int copy_group_ifcont(const char *groupname,
+                             const gid_t *groups, int ngroups,
+                             gid_t *new_groups, int *new_ngroups, int new_sz) {
+        if (*new_ngroups >= new_sz) {
+                errno = ERANGE;
+                goto out;
+        }
+
+        gid_t g = get_group_id(groupname);
+        if (g && find_group(g, groups, ngroups) >= 0) {
+                new_groups[*new_ngroups] = g;
+                (*new_ngroups)++;
+        }
+
+out:
+        return *new_ngroups;
+}
+
 static void clean_supplementary_groups(gid_t gid) {
         assert(cfg.username);
         gid_t groups[MAX_GROUPS];
@@ -74,35 +177,60 @@ static void clean_supplementary_groups(gid_t gid) {
         if (rv == -1)
                 goto clean_all;
 
+        if (arg_nogroups && check_can_drop_all_groups())
+                goto clean_all;
+
         // clean supplementary group list
-        // allow only firejail, tty, audio, video, games
         gid_t new_groups[MAX_GROUPS];
         int new_ngroups = 0;
         char *allowed[] = {
                 "firejail",
                 "tty",
-                "audio",
-                "video",
                 "games",
                 NULL
         };
 
         int i = 0;
         while (allowed[i]) {
-                gid_t g = get_group_id(allowed[i]);
-                if (g) {
-                        int j;
-                        for (j = 0; j < ngroups; j++) {
-                                if (g == groups[j]) {
-                                        new_groups[new_ngroups] = g;
-                                        new_ngroups++;
-                                        break;
-                                }
-                        }
-                }
+                copy_group_ifcont(allowed[i], groups, ngroups,
+                                  new_groups, &new_ngroups, MAX_GROUPS);
                 i++;
         }
 
+        if (!arg_nosound) {
+                copy_group_ifcont("audio", groups, ngroups,
+                                  new_groups, &new_ngroups, MAX_GROUPS);
+        }
+
+        if (!arg_novideo) {
+                copy_group_ifcont("video", groups, ngroups,
+                                  new_groups, &new_ngroups, MAX_GROUPS);
+        }
+
+        if (!arg_no3d) {
+                copy_group_ifcont("render", groups, ngroups,
+                                  new_groups, &new_ngroups, MAX_GROUPS);
+                copy_group_ifcont("vglusers", groups, ngroups,
+                                  new_groups, &new_ngroups, MAX_GROUPS);
+        }
+
+        if (!arg_noprinters) {
+                copy_group_ifcont("lp", groups, ngroups,
+                                  new_groups, &new_ngroups, MAX_GROUPS);
+        }
+
+        if (!arg_nodvd) {
+                copy_group_ifcont("cdrom", groups, ngroups,
+                                  new_groups, &new_ngroups, MAX_GROUPS);
+                copy_group_ifcont("optical", groups, ngroups,
+                                  new_groups, &new_ngroups, MAX_GROUPS);
+        }
+
+        if (!arg_noinput) {
+                copy_group_ifcont("input", groups, ngroups,
+                                  new_groups, &new_ngroups, MAX_GROUPS);
+        }
+
         if (new_ngroups) {
                 rv = setgroups(new_ngroups, new_groups);
                 if (rv)
@@ -128,21 +256,22 @@ clean_all:
 
 
 // drop privileges
-// - for root group or if nogroups is set, supplementary groups are not configured
-void drop_privs(int nogroups) {
+// - for root group or if force_nogroups is set, supplementary groups are not configured
+void drop_privs(int force_nogroups) {
         gid_t gid = getgid();
         if (arg_debug)
-                printf("Drop privileges: pid %d, uid %d, gid %d, nogroups %d\n",  getpid(), getuid(), gid, nogroups);
+                printf("Drop privileges: pid %d, uid %d, gid %d, force_nogroups %d\n",
+                       getpid(), getuid(), gid, force_nogroups);
 
         // configure supplementary groups
         EUID_ROOT();
-        if (gid == 0 || nogroups) {
+        if (gid == 0 || force_nogroups) {
                 if (setgroups(0, NULL) < 0)
                         errExit("setgroups");
                 if (arg_debug)
                         printf("No supplementary groups\n");
         }
-        else if (arg_noroot)
+        else if (arg_noroot || arg_nogroups)
                 clean_supplementary_groups(gid);
 
         // set uid/gid
@@ -298,14 +427,14 @@ int copy_file(const char *srcname, const char *destname, uid_t uid, gid_t gid, m
         assert(destname);
 
         // open source
-        int src = open(srcname, O_RDONLY);
+        int src = open(srcname, O_RDONLY|O_CLOEXEC);
         if (src < 0) {
                 fwarning("cannot open source file %s, file not copied\n", srcname);
                 return -1;
         }
 
         // open destination
-        int dst = open(destname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+        int dst = open(destname, O_CREAT|O_WRONLY|O_TRUNC|O_CLOEXEC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
         if (dst < 0) {
                 fwarning("cannot open destination file %s, file not copied\n", destname);
                 close(src);
@@ -325,7 +454,7 @@ int copy_file(const char *srcname, const char *destname, uid_t uid, gid_t gid, m
 }
 
 // return -1 if error, 0 if no error
-void copy_file_as_user(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode) {
+void copy_file_as_user(const char *srcname, const char *destname, mode_t mode) {
         pid_t child = fork();
         if (child < 0)
                 errExit("fork");
@@ -333,13 +462,13 @@ void copy_file_as_user(const char *srcname, const char *destname, uid_t uid, gid
                 // drop privileges
                 drop_privs(0);
 
-                // copy, set permissions and ownership
-                int rv = copy_file(srcname, destname, uid, gid, mode); // already a regular user
+                // copy, set permissions
+                int rv = copy_file(srcname, destname, -1, -1, mode); // already a regular user
                 if (rv)
                         fwarning("cannot copy %s\n", srcname);
-#ifdef HAVE_GCOV
+
                 __gcov_flush();
-#endif
+
                 _exit(0);
         }
         // wait for the child to finish
@@ -348,7 +477,7 @@ void copy_file_as_user(const char *srcname, const char *destname, uid_t uid, gid
 
 void copy_file_from_user_to_root(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode) {
         // open destination
-        int dst = open(destname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+        int dst = open(destname, O_CREAT|O_WRONLY|O_TRUNC|O_CLOEXEC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
         if (dst < 0) {
                 fwarning("cannot open destination file %s, file not copied\n", destname);
                 return;
@@ -361,7 +490,7 @@ void copy_file_from_user_to_root(const char *srcname, const char *destname, uid_
                 // drop privileges
                 drop_privs(0);
 
-                int src = open(srcname, O_RDONLY);
+                int src = open(srcname, O_RDONLY|O_CLOEXEC);
                 if (src < 0) {
                         fwarning("cannot open source file %s, file not copied\n", srcname);
                 } else {
@@ -371,9 +500,9 @@ void copy_file_from_user_to_root(const char *srcname, const char *destname, uid_
                         close(src);
                 }
                 close(dst);
-#ifdef HAVE_GCOV
+
                 __gcov_flush();
-#endif
+
                 _exit(0);
         }
         // wait for the child to finish
@@ -394,17 +523,17 @@ void touch_file_as_user(const char *fname, mode_t mode) {
                 // drop privileges
                 drop_privs(0);
 
-                FILE *fp = fopen(fname, "wx");
-                if (fp) {
-                        fprintf(fp, "\n");
-                        SET_PERMS_STREAM(fp, -1, -1, mode);
-                        fclose(fp);
+                int fd = open(fname, O_RDONLY|O_CREAT|O_EXCL|O_CLOEXEC, S_IRUSR | S_IWUSR);
+                if (fd > -1) {
+                        int err = fchmod(fd, mode);
+                        (void) err;
+                        close(fd);
                 }
                 else
                         fwarning("cannot create %s\n", fname);
-#ifdef HAVE_GCOV
+
                 __gcov_flush();
-#endif
+
                 _exit(0);
         }
         // wait for the child to finish
@@ -421,14 +550,14 @@ int is_dir(const char *fname) {
         int rv;
         struct stat s;
         if (fname[strlen(fname) - 1] == '/')
-                rv = stat(fname, &s);
+                rv = stat_as_user(fname, &s);
         else {
                 char *tmp;
                 if (asprintf(&tmp, "%s/", fname) == -1) {
                         fprintf(stderr, "Error: cannot allocate memory, %s:%d\n", __FILE__, __LINE__);
                         errExit("asprintf");
                 }
-                rv = stat(tmp, &s);
+                rv = stat_as_user(tmp, &s);
                 free(tmp);
         }
 
@@ -447,18 +576,91 @@ int is_link(const char *fname) {
         if (*fname == '\0')
                 return 0;
 
-        char *dup = strdup(fname);
-        if (!dup)
+        // remove trailing '/' if any
+        char *tmp = strdup(fname);
+        if (!tmp)
                 errExit("strdup");
-        trim_trailing_slash_or_dot(dup);
+        trim_trailing_slash_or_dot(tmp);
 
         char c;
-        ssize_t rv = readlink(dup, &c, 1);
+        ssize_t rv = readlink_as_user(tmp, &c, 1);
+        free(tmp);
 
-        free(dup);
         return (rv != -1);
 }
 
+char *realpath_as_user(const char *fname) {
+        assert(fname);
+
+        int called_as_root = 0;
+        if (geteuid() == 0)
+                called_as_root = 1;
+
+        if (called_as_root)
+                EUID_USER();
+
+        char *rv = realpath(fname, NULL);
+
+        if (called_as_root)
+                EUID_ROOT();
+
+        return rv;
+}
+
+ssize_t readlink_as_user(const char *fname, char *buf, size_t sz) {
+        assert(fname && buf && sz);
+
+        int called_as_root = 0;
+        if (geteuid() == 0)
+                called_as_root = 1;
+
+        if (called_as_root)
+                EUID_USER();
+
+        ssize_t rv = readlink(fname, buf, sz);
+
+        if (called_as_root)
+                EUID_ROOT();
+
+        return rv;
+}
+
+int stat_as_user(const char *fname, struct stat *s) {
+        assert(fname);
+
+        int called_as_root = 0;
+        if (geteuid() == 0)
+                called_as_root = 1;
+
+        if (called_as_root)
+                EUID_USER();
+
+        int rv = stat(fname, s);
+
+        if (called_as_root)
+                EUID_ROOT();
+
+        return rv;
+}
+
+int lstat_as_user(const char *fname, struct stat *s) {
+        assert(fname);
+
+        int called_as_root = 0;
+        if (geteuid() == 0)
+                called_as_root = 1;
+
+        if (called_as_root)
+                EUID_USER();
+
+        int rv = lstat(fname, s);
+
+        if (called_as_root)
+                EUID_ROOT();
+
+        return rv;
+}
+
 // remove all slashes and single dots from the end of a path
 // for example /foo/bar///././. -> /foo/bar
 void trim_trailing_slash_or_dot(char *path) {
@@ -544,11 +746,13 @@ char *split_comma(char *str) {
 }
 
 
-// remove consecutive and trailing slashes
-// and return allocated memory
-// e.g. /home//user/ -> /home/user
+// simplify absolute path by removing
+// 1) consecutive and trailing slashes, and
+// 2) segments with a single dot
+// for example /foo//./bar/ -> /foo/bar
 char *clean_pathname(const char *path) {
-        assert(path);
+        assert(path && path[0] == '/');
+
         size_t len = strlen(path);
         char *rv = malloc(len + 1);
         if (!rv)
@@ -557,15 +761,23 @@ char *clean_pathname(const char *path) {
         size_t i = 0;
         size_t j = 0;
         while (path[i]) {
-                while (path[i] == '/' && path[i+1] == '/')
-                        i++;
+                if (path[i] == '/') {
+                        while (path[i+1] == '/' ||
+                              (path[i+1] == '.' && path[i+2] == '/'))
+                                i++;
+                }
+
                 rv[j++] = path[i++];
         }
         rv[j] = '\0';
 
+        // remove a trailing dot
+        if (j > 1 && rv[j - 1] == '.' && rv[j - 2] == '/')
+                rv[--j] = '\0';
+
         // remove a trailing slash
         if (j > 1 && rv[j - 1] == '/')
-                rv[j - 1] = '\0';
+                rv[--j] = '\0';
 
         return rv;
 }
@@ -616,7 +828,7 @@ int find_child(pid_t parent, pid_t *child) {
                         perror("asprintf");
                         exit(1);
                 }
-                FILE *fp = fopen(file, "r");
+                FILE *fp = fopen(file, "re");
                 if (!fp) {
                         free(file);
                         continue;
@@ -637,9 +849,11 @@ int find_child(pid_t parent, pid_t *child) {
                                 if (parent == atoi(ptr)) {
                                         // we don't want /usr/bin/xdg-dbus-proxy!
                                         char *cmdline = pid_proc_cmdline(pid);
-                                        if (strncmp(cmdline, XDG_DBUS_PROXY_PATH, strlen(XDG_DBUS_PROXY_PATH)) != 0)
-                                                *child = pid;
-                                        free(cmdline);
+                                        if (cmdline) {
+                                                if (strncmp(cmdline, XDG_DBUS_PROXY_PATH, strlen(XDG_DBUS_PROXY_PATH)) != 0)
+                                                        *child = pid;
+                                                free(cmdline);
+                                        }
                                 }
                                 break;            // stop reading the file
                         }
@@ -722,7 +936,7 @@ void update_map(char *mapping, char *map_file) {
                 if (mapping[j] == ',')
                         mapping[j] = '\n';
 
-        fd = open(map_file, O_RDWR);
+        fd = open(map_file, O_RDWR|O_CLOEXEC);
         if (fd == -1) {
                 fprintf(stderr, "Error: cannot open %s: %s\n", map_file, strerror(errno));
                 exit(EXIT_FAILURE);
@@ -742,9 +956,9 @@ void wait_for_other(int fd) {
         // wait for the parent to be initialized
         //****************************
         char childstr[BUFLEN + 1];
-        int newfd = dup(fd);
+        int newfd = fcntl(fd, F_DUPFD_CLOEXEC, 0);
         if (newfd == -1)
-                errExit("dup");
+                errExit("fcntl");
         FILE* stream;
         stream = fdopen(newfd, "r");
         *childstr = '\0';
@@ -791,9 +1005,9 @@ void wait_for_other(int fd) {
 
 void notify_other(int fd) {
         FILE* stream;
-        int newfd = dup(fd);
+        int newfd = fcntl(fd, F_DUPFD_CLOEXEC, 0);
         if (newfd == -1)
-                errExit("dup");
+                errExit("fcntl");
         stream = fdopen(newfd, "w");
         fprintf(stream, "arg_noroot=%d\n", arg_noroot);
         fflush(stream);
@@ -811,7 +1025,7 @@ uid_t pid_get_uid(pid_t pid) {
                 exit(1);
         }
         EUID_ROOT();                              // grsecurity fix
-        FILE *fp = fopen(file, "r");
+        FILE *fp = fopen(file, "re");
         if (!fp) {
                 free(file);
                 fprintf(stderr, "Error: cannot open /proc file\n");
@@ -845,12 +1059,9 @@ uid_t pid_get_uid(pid_t pid) {
 }
 
 
-
-
-uid_t get_group_id(const char *group) {
-        // find tty group id
+gid_t get_group_id(const char *groupname) {
         gid_t gid = 0;
-        struct group *g = getgrnam(group);
+        struct group *g = getgrnam(groupname);
         if (g)
                 gid = g->gr_gid;
 
@@ -858,84 +1069,6 @@ uid_t get_group_id(const char *group) {
 }
 
 
-static int remove_callback(const char *fpath, const struct stat *sb, int typeflag, struct FTW *ftwbuf) {
-        (void) sb;
-        (void) typeflag;
-        (void) ftwbuf;
-        assert(fpath);
-
-        if (strcmp(fpath, ".") == 0)
-                return 0;
-
-        if (remove(fpath)) {    // removes the link not the actual file
-                perror("remove");
-                fprintf(stderr, "Error: cannot remove file from user .firejail directory: %s\n", fpath);
-                exit(1);
-        }
-
-        return 0;
-}
-
-
-int remove_overlay_directory(void) {
-        EUID_ASSERT();
-        struct stat s;
-        sleep(1);
-
-        char *path;
-        if (asprintf(&path, "%s/.firejail", cfg.homedir) == -1)
-                errExit("asprintf");
-
-        if (lstat(path, &s) == 0) {
-                // deal with obvious problems such as symlinks and root ownership
-                if (!S_ISDIR(s.st_mode)) {
-                        if (S_ISLNK(s.st_mode))
-                                fprintf(stderr, "Error: %s is a symbolic link\n", path);
-                        else
-                                fprintf(stderr, "Error: %s is not a directory\n", path);
-                        exit(1);
-                }
-                if (s.st_uid != getuid()) {
-                        fprintf(stderr, "Error: %s is not owned by the current user\n", path);
-                        exit(1);
-                }
-
-                pid_t child = fork();
-                if (child < 0)
-                        errExit("fork");
-                if (child == 0) {
-                        // open ~/.firejail, fails if there is any symlink
-                        int fd = safe_fd(path, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
-                        if (fd == -1)
-                                errExit("safe_fd");
-                        // chdir to ~/.firejail
-                        if (fchdir(fd) == -1)
-                                errExit("fchdir");
-                        close(fd);
-
-                        EUID_ROOT();
-                        // FTW_PHYS - do not follow symbolic links
-                        if (nftw(".", remove_callback, 64, FTW_DEPTH | FTW_PHYS) == -1)
-                                errExit("nftw");
-
-                        EUID_USER();
-                        // remove ~/.firejail
-                        if (rmdir(path) == -1)
-                                errExit("rmdir");
-#ifdef HAVE_GCOV
-                        __gcov_flush();
-#endif
-                        _exit(0);
-                }
-                // wait for the child to finish
-                waitpid(child, NULL, 0);
-                // check if ~/.firejail was deleted
-                if (stat(path, &s) == 0)
-                        return 1;
-        }
-        return 0;
-}
-
 // flush stdin if it is connected to a tty and has input
 void flush_stdin(void) {
         if (!isatty(STDIN_FILENO))
@@ -963,33 +1096,34 @@ void flush_stdin(void) {
 int create_empty_dir_as_user(const char *dir, mode_t mode) {
         assert(dir);
         mode &= 07777;
-        struct stat s;
 
-        if (stat(dir, &s)) {
+        if (access(dir, F_OK) == 0)
+                return 0;
+
+        pid_t child = fork();
+        if (child < 0)
+                errExit("fork");
+        if (child == 0) {
+                // drop privileges
+                drop_privs(0);
+
                 if (arg_debug)
                         printf("Creating empty %s directory\n", dir);
-                pid_t child = fork();
-                if (child < 0)
-                        errExit("fork");
-                if (child == 0) {
-                        // drop privileges
-                        drop_privs(0);
-
-                        if (mkdir(dir, mode) == 0) {
-                                if (chmod(dir, mode) == -1)
-                                        {;} // do nothing
-                        }
-                        else if (arg_debug)
-                                printf("Directory %s not created: %s\n", dir, strerror(errno));
-#ifdef HAVE_GCOV
-                        __gcov_flush();
-#endif
-                        _exit(0);
+                if (mkdir(dir, mode) == 0) {
+                        int err = chmod(dir, mode);
+                        (void) err;
                 }
-                waitpid(child, NULL, 0);
-                if (stat(dir, &s) == 0)
-                        return 1;
+                else if (arg_debug)
+                        printf("Directory %s not created: %s\n", dir, strerror(errno));
+
+                __gcov_flush();
+
+                _exit(0);
         }
+        waitpid(child, NULL, 0);
+
+        if (access(dir, F_OK) == 0)
+                return 1;
         return 0;
 }
 
@@ -1020,9 +1154,10 @@ void create_empty_file_as_root(const char *fname, mode_t mode) {
         if (stat(fname, &s)) {
                 if (arg_debug)
                         printf("Creating empty %s file\n", fname);
-
                 /* coverity[toctou] */
-                FILE *fp = fopen(fname, "w");
+                // don't fail if file already exists. This can be the case in a race
+                // condition, when two jails launch at the same time. Compare to #1013
+                FILE *fp = fopen(fname, "we");
                 if (!fp)
                         errExit("fopen");
                 SET_PERMS_STREAM(fp, 0, 0, mode);
@@ -1097,20 +1232,35 @@ unsigned extract_timeout(const char *str) {
 }
 
 void disable_file_or_dir(const char *fname) {
+        assert(geteuid() == 0);
+        assert(fname);
+
+        EUID_USER();
+        int fd = open(fname, O_PATH|O_CLOEXEC);
+        EUID_ROOT();
+        if (fd < 0)
+                return;
+
         struct stat s;
-        if (stat(fname, &s) != -1) {
-                if (arg_debug)
-                        printf("blacklist %s\n", fname);
-                if (is_dir(fname)) {
-                        if (mount(RUN_RO_DIR, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
-                                errExit("disable directory");
-                }
-                else {
-                        if (mount(RUN_RO_FILE, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
-                                errExit("disable file");
-                }
-                fs_logger2("blacklist", fname);
+        if (fstat(fd, &s) < 0) { // FUSE
+                if (errno != EACCES)
+                        errExit("fstat");
+                close(fd);
+                return;
+        }
+
+        if (arg_debug)
+                printf("blacklist %s\n", fname);
+        if (S_ISDIR(s.st_mode)) {
+                if (bind_mount_path_to_fd(RUN_RO_DIR, fd) < 0)
+                        errExit("disable directory");
         }
+        else {
+                if (bind_mount_path_to_fd(RUN_RO_FILE, fd) < 0)
+                        errExit("disable file");
+        }
+        close(fd);
+        fs_logger2("blacklist", fname);
 }
 
 void disable_file_path(const char *path, const char *file) {
@@ -1126,13 +1276,13 @@ void disable_file_path(const char *path, const char *file) {
 }
 
 // open an existing file without following any symbolic link
-int safe_fd(const char *path, int flags) {
+// relative paths are interpreted relative to dirfd
+// ignore dirfd if path is absolute
+// https://web.archive.org/web/20180419120236/https://blogs.gnome.org/jamesh/2018/04/19/secure-mounts
+int safer_openat(int dirfd, const char *path, int flags) {
+        assert(path && path[0]);
         flags |= O_NOFOLLOW;
-        assert(path);
-        if (*path != '/' || strstr(path, "..")) {
-                fprintf(stderr, "Error: invalid path %s\n", path);
-                exit(1);
-        }
+
         int fd = -1;
 
 #ifdef __NR_openat2 // kernel 5.6 or better
@@ -1140,7 +1290,7 @@ int safe_fd(const char *path, int flags) {
         memset(&oh, 0, sizeof(oh));
         oh.flags = flags;
         oh.resolve = RESOLVE_NO_SYMLINKS;
-        fd = syscall(__NR_openat2, -1, path, &oh, sizeof(struct open_how));
+        fd = syscall(__NR_openat2, dirfd, path, &oh, sizeof(struct open_how));
         if (fd != -1 || errno != ENOSYS)
                 return fd;
 #endif
@@ -1151,18 +1301,23 @@ int safe_fd(const char *path, int flags) {
         if (!dup)
                 errExit("strdup");
         char *tok = strtok(dup, "/");
-        if (!tok) { // root directory
+        if (!tok) { // nothing to do, path is the root directory
                 free(dup);
-                return open("/", flags);
+                return openat(dirfd, path, flags);
         }
         char *last_tok = EMPTY_STRING;
-        int parentfd = open("/", O_PATH|O_CLOEXEC);
+
+        int parentfd;
+        if (path[0] == '/')
+                parentfd = open("/", O_PATH|O_CLOEXEC);
+        else
+                parentfd = fcntl(dirfd, F_DUPFD_CLOEXEC, 0);
         if (parentfd == -1)
-                errExit("open");
+                errExit("open/fcntl");
 
-        while(1) {
+        while (1) {
                 // open path component, assuming it is a directory; this fails with ENOTDIR if it is a symbolic link
-                // if token is a single dot, the previous directory is reopened
+                // if token is a single dot, the directory referred to by parentfd is reopened
                 fd = openat(parentfd, tok, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
                 if (fd == -1) {
                         // if the following token is NULL, the current token is the final path component
@@ -1192,6 +1347,106 @@ int safe_fd(const char *path, int flags) {
         return fd;
 }
 
+int remount_by_fd(int dst, unsigned long mountflags) {
+        char *proc;
+        if (asprintf(&proc, "/proc/self/fd/%d", dst) < 0)
+                errExit("asprintf");
+
+        int rv = mount(NULL, proc, NULL, mountflags|MS_BIND|MS_REMOUNT, NULL);
+        if (rv < 0 && arg_debug)
+                printf("Failed mount: %s\n", strerror(errno));
+
+        free(proc);
+        return rv;
+}
+
+int bind_mount_by_fd(int src, int dst) {
+        char *proc_src, *proc_dst;
+        if (asprintf(&proc_src, "/proc/self/fd/%d", src) < 0 ||
+            asprintf(&proc_dst, "/proc/self/fd/%d", dst) < 0)
+                errExit("asprintf");
+
+        int rv = mount(proc_src, proc_dst, NULL, MS_BIND|MS_REC, NULL);
+        if (rv < 0 && arg_debug)
+                printf("Failed mount: %s\n", strerror(errno));
+
+        free(proc_src);
+        free(proc_dst);
+        return rv;
+}
+
+int bind_mount_fd_to_path(int src, const char *destname) {
+        char *proc;
+        if (asprintf(&proc, "/proc/self/fd/%d", src) < 0)
+                errExit("asprintf");
+
+        int rv = mount(proc, destname, NULL, MS_BIND|MS_REC, NULL);
+        if (rv < 0 && arg_debug)
+                printf("Failed mount: %s\n", strerror(errno));
+
+        free(proc);
+        return rv;
+}
+
+int bind_mount_path_to_fd(const char *srcname, int dst) {
+        char *proc;
+        if (asprintf(&proc, "/proc/self/fd/%d", dst) < 0)
+                errExit("asprintf");
+
+        int rv = mount(srcname, proc, NULL, MS_BIND|MS_REC, NULL);
+        if (rv < 0 && arg_debug)
+                printf("Failed mount: %s\n", strerror(errno));
+
+        free(proc);
+        return rv;
+}
+
+void close_all(int *keep_list, size_t sz) {
+        DIR *dir;
+        if (!(dir = opendir("/proc/self/fd"))) {
+                // sleep 2 seconds and try again
+                sleep(2);
+                if (!(dir = opendir("/proc/self/fd"))) {
+                        fprintf(stderr, "Error: cannot open /proc/self/fd directory\n");
+                        exit(1);
+                }
+        }
+        struct dirent *entry;
+        while ((entry = readdir(dir)) != NULL) {
+                if (strcmp(entry->d_name, ".") == 0 ||
+                    strcmp(entry->d_name, "..") == 0)
+                        continue;
+
+                int fd = atoi(entry->d_name);
+
+                // don't close standard streams
+                if (fd == STDIN_FILENO ||
+                    fd == STDOUT_FILENO ||
+                    fd == STDERR_FILENO)
+                        continue;
+
+                if (fd == dirfd(dir))
+                        continue; // just postponed
+
+                // dont't close file descriptors in keep list
+                int keep = 0;
+                if (keep_list) {
+                        size_t i;
+                        for (i = 0; i < sz; i++) {
+                                if (keep_list[i] == fd) {
+                                        keep = 1;
+                                        break;
+                                }
+                        }
+                }
+                if (keep)
+                        continue;
+
+                close(fd);
+        }
+        closedir(dir);
+}
+
 int has_handler(pid_t pid, int signal) {
         if (signal > 0 && signal <= SIGRTMAX) {
                 char *fname;
@@ -1293,25 +1548,22 @@ pid_t require_pid(const char *name) {
 // return 1 if there is a link somewhere in path of directory
 static int has_link(const char *dir) {
         assert(dir);
-        int fd = safe_fd(dir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
-        if (fd == -1) {
-                if ((errno == ELOOP || errno == ENOTDIR) && is_dir(dir))
-                        return 1;
-        }
-        else
+        int fd = safer_openat(-1, dir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
+        if (fd != -1)
                 close(fd);
+        else if (errno == ELOOP || (errno == ENOTDIR && is_dir(dir)))
+                return 1;
         return 0;
 }
 
-void check_homedir(void) {
-        assert(cfg.homedir);
-        if (cfg.homedir[0] != '/') {
-                fprintf(stderr, "Error: invalid user directory \"%s\"\n", cfg.homedir);
+void check_homedir(const char *dir) {
+        assert(dir);
+        if (dir[0] != '/') {
+                fprintf(stderr, "Error: invalid user directory \"%s\"\n", dir);
                 exit(1);
         }
         // symlinks are rejected in many places
-        if (has_link(cfg.homedir)) {
-                fprintf(stderr, "No full support for symbolic links in path of user directory.\n"
+        if (has_link(dir))
+                fmessage("No full support for symbolic links in path of user directory.\n"
                         "Please provide resolved path in password database (/etc/passwd).\n\n");
-        }
 }
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index 1dabf272e..f173b6672 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -84,7 +84,7 @@ int x11_display(void) {
 static int x11_abstract_sockets_present(void) {
 
         EUID_ROOT();                              // grsecurity fix
-        FILE *fp = fopen("/proc/net/unix", "r");
+        FILE *fp = fopen("/proc/net/unix", "re");
         if (!fp)
                 errExit("fopen");
         EUID_USER();
@@ -204,7 +204,6 @@ static int random_display_number(void) {
 void x11_start_xvfb(int argc, char **argv) {
         EUID_ASSERT();
         int i;
-        struct stat s;
         pid_t jail = 0;
         pid_t server = 0;
 
@@ -348,7 +347,7 @@ void x11_start_xvfb(int argc, char **argv) {
         // wait for x11 server to start
         while (++n < 10) {
                 sleep(1);
-                if (stat(fname, &s) == 0)
+                if (access(fname, F_OK) == 0)
                         break;
         };
 
@@ -427,7 +426,6 @@ static char *extract_setting(int argc, char **argv, const char *argument) {
 void x11_start_xephyr(int argc, char **argv) {
         EUID_ASSERT();
         int i;
-        struct stat s;
         pid_t jail = 0;
         pid_t server = 0;
 
@@ -586,7 +584,7 @@ void x11_start_xephyr(int argc, char **argv) {
         // wait for x11 server to start
         while (++n < 10) {
                 sleep(1);
-                if (stat(fname, &s) == 0)
+                if (access(fname, F_OK) == 0)
                         break;
         };
 
@@ -701,7 +699,6 @@ static char * get_title_arg_str() {
 static void __attribute__((noreturn)) x11_start_xpra_old(int argc, char **argv, int display, char *display_str) {
         EUID_ASSERT();
         int i;
-        struct stat s;
         pid_t client = 0;
         pid_t server = 0;
 
@@ -818,7 +815,7 @@ static void __attribute__((noreturn)) x11_start_xpra_old(int argc, char **argv,
         // wait for x11 server to start
         while (++n < 10) {
                 sleep(1);
-                if (stat(fname, &s) == 0)
+                if (access(fname, F_OK) == 0)
                         break;
         }
 
@@ -1207,14 +1204,13 @@ void x11_xorg(void) {
         fmessage("Generating a new .Xauthority file\n");
         mkdir_attr(RUN_XAUTHORITY_SEC_DIR, 0700, getuid(), getgid());
         // create new Xauthority file in RUN_XAUTHORITY_SEC_DIR
+        EUID_USER();
         char tmpfname[] = RUN_XAUTHORITY_SEC_DIR "/.Xauth-XXXXXX";
         int fd = mkstemp(tmpfname);
         if (fd == -1) {
                 fprintf(stderr, "Error: cannot create .Xauthority file\n");
                 exit(1);
         }
-        if (fchown(fd, getuid(), getgid()) == -1)
-                errExit("chown");
         close(fd);
 
         // run xauth
@@ -1224,24 +1220,22 @@ void x11_xorg(void) {
         else
                 sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 7, RUN_XAUTH_FILE, "-f", tmpfname,
                         "generate", display, "MIT-MAGIC-COOKIE-1", "untrusted");
-        // remove xauth copy
-        unlink(RUN_XAUTH_FILE);
 
         // ensure there is already a file ~/.Xauthority, so that bind-mount below will work.
         char *dest;
         if (asprintf(&dest, "%s/.Xauthority", cfg.homedir) == -1)
                 errExit("asprintf");
-        if (lstat(dest, &s) == -1) {
+        if (access(dest, F_OK) == -1) {
                 touch_file_as_user(dest, 0600);
-                if (stat(dest, &s) == -1) {
+                if (access(dest, F_OK) == -1) {
                         fprintf(stderr, "Error: cannot create %s\n", dest);
                         exit(1);
                 }
         }
         // get a file descriptor for ~/.Xauthority
-        int dst = safe_fd(dest, O_PATH|O_NOFOLLOW|O_CLOEXEC);
+        int dst = safer_openat(-1, dest, O_PATH|O_NOFOLLOW|O_CLOEXEC);
         if (dst == -1)
-                errExit("safe_fd");
+                errExit("safer_openat");
         // check if the actual mount destination is a user owned regular file
         if (fstat(dst, &s) == -1)
                 errExit("fstat");
@@ -1263,9 +1257,9 @@ void x11_xorg(void) {
         fs_remount(RUN_XAUTHORITY_SEC_DIR, MOUNT_NOEXEC, 0);
 
         // get a file descriptor for the new Xauthority file
-        int src = safe_fd(tmpfname, O_PATH|O_NOFOLLOW|O_CLOEXEC);
+        int src = safer_openat(-1, tmpfname, O_PATH|O_NOFOLLOW|O_CLOEXEC);
         if (src == -1)
-                errExit("safe_fd");
+                errExit("safer_openat");
         if (fstat(src, &s) == -1)
                 errExit("fstat");
         if (!S_ISREG(s.st_mode)) {
@@ -1276,21 +1270,16 @@ void x11_xorg(void) {
         // mount via the link in /proc/self/fd
         if (arg_debug)
                 printf("Mounting %s on %s\n", tmpfname, dest);
-        char *proc_src, *proc_dst;
-        if (asprintf(&proc_src, "/proc/self/fd/%d", src) == -1)
-                errExit("asprintf");
-        if (asprintf(&proc_dst, "/proc/self/fd/%d", dst) == -1)
-                errExit("asprintf");
-        if (mount(proc_src, proc_dst, NULL, MS_BIND, NULL) == -1) {
+        EUID_ROOT();
+        if (bind_mount_by_fd(src, dst)) {
                 fprintf(stderr, "Error: cannot mount the new .Xauthority file\n");
                 exit(1);
         }
+        EUID_USER();
         // check /proc/self/mountinfo to confirm the mount is ok
         MountData *mptr = get_last_mount();
         if (strcmp(mptr->dir, dest) != 0 || strcmp(mptr->fstype, "tmpfs") != 0)
                 errLogExit("invalid .Xauthority mount");
-        free(proc_src);
-        free(proc_dst);
         close(src);
         close(dst);
 
@@ -1301,8 +1290,11 @@ void x11_xorg(void) {
         if (envar) {
                 char *rp = realpath(envar, NULL);
                 if (rp) {
-                        if (strcmp(rp, dest) != 0)
+                        if (strcmp(rp, dest) != 0) {
+                                EUID_ROOT();
                                 disable_file_or_dir(rp);
+                                EUID_USER();
+                        }
                         free(rp);
                 }
         }
@@ -1311,9 +1303,13 @@ void x11_xorg(void) {
         free(dest);
 
         // mask RUN_XAUTHORITY_SEC_DIR
+        EUID_ROOT();
         if (mount("tmpfs", RUN_XAUTHORITY_SEC_DIR, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME,  "mode=755,gid=0") < 0)
                 errExit("mounting tmpfs");
         fs_logger2("tmpfs", RUN_XAUTHORITY_SEC_DIR);
+
+        // cleanup
+        unlink(RUN_XAUTH_FILE);
 #endif
 }
 
@@ -1327,7 +1323,7 @@ void fs_x11(void) {
         struct stat s1, s2;
         if (stat("/tmp", &s1) != 0 || lstat("/tmp/.X11-unix", &s2) != 0)
                 return;
-        if ((s1.st_mode & S_ISVTX) == 0) {
+        if ((s1.st_mode & S_ISVTX) != S_ISVTX) {
                 fwarning("cannot mask X11 sockets: sticky bit not set on /tmp directory\n");
                 return;
         }
@@ -1335,68 +1331,46 @@ void fs_x11(void) {
                 fwarning("cannot mask X11 sockets: /tmp/.X11-unix not owned by root user\n");
                 return;
         }
+
+        // the mount source is under control of the user, so be careful and
+        // mount without following symbolic links, using a file descriptor
         char *x11file;
         if (asprintf(&x11file, "/tmp/.X11-unix/X%d", display) == -1)
                 errExit("asprintf");
-        struct stat x11stat;
-        if (lstat(x11file, &x11stat) != 0 || !S_ISSOCK(x11stat.st_mode)) {
+        int src = open(x11file, O_PATH|O_NOFOLLOW|O_CLOEXEC);
+        if (src < 0) {
+                free(x11file);
+                return;
+        }
+        struct stat s3;
+        if (fstat(src, &s3) < 0)
+                errExit("fstat");
+        if (!S_ISSOCK(s3.st_mode)) {
+                close(src);
                 free(x11file);
                 return;
         }
 
         if (arg_debug || arg_debug_whitelists)
                 fprintf(stderr, "Masking all X11 sockets except %s\n", x11file);
-
-        // Move the real /tmp/.X11-unix to a scratch location
-        // so we can still access x11file after we mount a
-        // tmpfs over /tmp/.X11-unix.
-        if (mkdir(RUN_WHITELIST_X11_DIR, 0700) == -1)
-                errExit("mkdir");
-        if (mount("/tmp/.X11-unix", RUN_WHITELIST_X11_DIR, 0, MS_BIND|MS_REC, 0) < 0)
-                errExit("mount bind");
-
         // This directory must be mode 1777
         if (mount("tmpfs", "/tmp/.X11-unix", "tmpfs",
                 MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME,
                 "mode=1777,uid=0,gid=0") < 0)
                 errExit("mounting tmpfs on /tmp/.X11-unix");
+        selinux_relabel_path("/tmp/.X11-unix", "/tmp/.X11-unix");
         fs_logger("tmpfs /tmp/.X11-unix");
 
         // create an empty root-owned file which will have the desired socket bind-mounted over it
-        int fd = open(x11file, O_RDONLY|O_CREAT|O_EXCL, S_IRUSR | S_IWUSR);
-        if (fd < 0)
-                errExit(x11file);
-        close(fd);
+        int dst = open(x11file, O_RDONLY|O_CREAT|O_EXCL|O_CLOEXEC, S_IRUSR | S_IWUSR);
+        if (dst < 0)
+                errExit("open");
 
-        // the mount source is under control of the user, so be careful and
-        // mount without following symbolic links, using a file descriptor
-        char *wx11file;
-        if (asprintf(&wx11file, "%s/X%d", RUN_WHITELIST_X11_DIR, display) == -1)
-                errExit("asprintf");
-        fd = safe_fd(wx11file, O_PATH|O_NOFOLLOW|O_CLOEXEC);
-        if (fd == -1)
-                errExit("opening X11 socket");
-        // confirm once more we are mounting a socket
-        if (fstat(fd, &x11stat) == -1)
-                errExit("fstat");
-        if (!S_ISSOCK(x11stat.st_mode)) {
-                errno = ENOTSOCK;
-                errExit("mounting X11 socket");
-        }
-        char *proc;
-        if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
-                errExit("asprintf");
-        if (mount(proc, x11file, NULL, MS_BIND|MS_REC, NULL) < 0)
+        if (bind_mount_by_fd(src, dst))
                 errExit("mount bind");
+        close(src);
+        close(dst);
         fs_logger2("whitelist", x11file);
-        close(fd);
-        free(proc);
-
-        // block access to RUN_WHITELIST_X11_DIR
-        if (mount(RUN_RO_DIR, RUN_WHITELIST_X11_DIR, 0, MS_BIND, 0) < 0)
-                errExit("mount");
-        fs_logger2("blacklist", RUN_WHITELIST_X11_DIR);
-        free(wx11file);
         free(x11file);
 #endif
 }
diff --git a/src/firemon/apparmor.c b/src/firemon/apparmor.c
index eb810a9e7..7103ab7af 100644
--- a/src/firemon/apparmor.c
+++ b/src/firemon/apparmor.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/firemon/arp.c b/src/firemon/arp.c
index 1a69a67b1..1a01da016 100644
--- a/src/firemon/arp.c
+++ b/src/firemon/arp.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/firemon/caps.c b/src/firemon/caps.c
index c0f305a5d..045cd1968 100644
--- a/src/firemon/caps.c
+++ b/src/firemon/caps.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/firemon/cgroup.c b/src/firemon/cgroup.c
index 97ba591a6..7ef76fa46 100644
--- a/src/firemon/cgroup.c
+++ b/src/firemon/cgroup.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/firemon/cpu.c b/src/firemon/cpu.c
index 91b455941..31e4eb7fd 100644
--- a/src/firemon/cpu.c
+++ b/src/firemon/cpu.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/firemon/firemon.c b/src/firemon/firemon.c
index 37870747d..91406d6a7 100644
--- a/src/firemon/firemon.c
+++ b/src/firemon/firemon.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -52,7 +52,7 @@ static void my_handler(int s){
 
         if (terminal_set)
                 tcsetattr(0, TCSANOW, &tlocal);
-        exit(0);
+        _exit(0);
 }
 
 // find the second child process for the specified pid
diff --git a/src/firemon/firemon.h b/src/firemon/firemon.h
index 5252ad34f..2fa294e8d 100644
--- a/src/firemon/firemon.h
+++ b/src/firemon/firemon.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/firemon/interface.c b/src/firemon/interface.c
index e04b6f431..f57616ed7 100644
--- a/src/firemon/interface.c
+++ b/src/firemon/interface.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -18,6 +18,7 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "firemon.h"
+#include "../include/gcov_wrapper.h"
 #include <sys/types.h>
 #include <sys/wait.h>
 #include <netdb.h>
@@ -145,9 +146,9 @@ static void print_sandbox(pid_t pid) {
                 if (rv)
                         return;
                 net_ifprint();
-#ifdef HAVE_GCOV
+
                 __gcov_flush();
-#endif
+
                 _exit(0);
         }
 
diff --git a/src/firemon/list.c b/src/firemon/list.c
index 51099a75c..d066c7a5f 100644
--- a/src/firemon/list.c
+++ b/src/firemon/list.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/firemon/netstats.c b/src/firemon/netstats.c
index 850959eb3..0a1b7e0c4 100644
--- a/src/firemon/netstats.c
+++ b/src/firemon/netstats.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -18,6 +18,7 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "firemon.h"
+#include "../include/gcov_wrapper.h"
 #include <termios.h>
 #include <sys/ioctl.h>
 #include <sys/types.h>
@@ -242,8 +243,7 @@ void netstats(void) {
                                 print_proc(i, itv, col);
                         }
                 }
-#ifdef HAVE_GCOV
-                        __gcov_flush();
-#endif
+
+                __gcov_flush();
         }
 }
diff --git a/src/firemon/procevent.c b/src/firemon/procevent.c
index 8085d2d29..ccc1ba1c6 100644
--- a/src/firemon/procevent.c
+++ b/src/firemon/procevent.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -18,6 +18,7 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "firemon.h"
+#include "../include/gcov_wrapper.h"
 #include <sys/socket.h>
 #include <linux/connector.h>
 #include <linux/netlink.h>
@@ -230,9 +231,7 @@ static void __attribute__((noreturn)) procevent_monitor(const int sock, pid_t my
         tv.tv_usec = 0;
 
         while (1) {
-#ifdef HAVE_GCOV
                 __gcov_flush();
-#endif
 
 #define BUFFSIZE 4096
                 char __attribute__ ((aligned(NLMSG_ALIGNTO)))buf[BUFFSIZE];
diff --git a/src/firemon/route.c b/src/firemon/route.c
index 9cf5054b2..86f4d85ae 100644
--- a/src/firemon/route.c
+++ b/src/firemon/route.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/firemon/seccomp.c b/src/firemon/seccomp.c
index 04111b6c0..ba0017eff 100644
--- a/src/firemon/seccomp.c
+++ b/src/firemon/seccomp.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/firemon/top.c b/src/firemon/top.c
index a25e3c0d8..2bfa63380 100644
--- a/src/firemon/top.c
+++ b/src/firemon/top.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -18,6 +18,7 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "firemon.h"
+#include "../include/gcov_wrapper.h"
 #include <termios.h>
 #include <sys/ioctl.h>
 #include <sys/types.h>
@@ -326,8 +327,7 @@ void top(void) {
                         }
                 }
                 head_print(col, row);
-#ifdef HAVE_GCOV
-                        __gcov_flush();
-#endif
+
+                __gcov_flush();
         }
 }
diff --git a/src/firemon/tree.c b/src/firemon/tree.c
index 899214b9f..7ad413772 100644
--- a/src/firemon/tree.c
+++ b/src/firemon/tree.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/firemon/usage.c b/src/firemon/usage.c
index baaef3111..c6a664790 100644
--- a/src/firemon/usage.c
+++ b/src/firemon/usage.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -38,12 +38,12 @@ static char *help_str =
         "\t--name=name - print information only about named sandbox.\n\n"
         "\t--netstats - monitor network statistics for sandboxes creating a new\n"
         "\t\tnetwork namespace.\n\n"
-        "\t--nowrap - enable line wrapping in terminals.\n\n"
         "\t--route - print route table for each sandbox.\n\n"
         "\t--seccomp - print seccomp configuration for each sandbox.\n\n"
         "\t--tree - print a tree of all sandboxed processes.\n\n"
         "\t--top - monitor the most CPU-intensive sandboxes.\n\n"
         "\t--version - print program version and exit.\n\n"
+        "\t--wrap - enable line wrapping in terminals.\n\n"
         "\t--x11 - print X11 display number.\n\n"
 
         "Without any options, firemon monitors all fork, exec, id change, and exit\n"
diff --git a/src/firemon/x11.c b/src/firemon/x11.c
index 97e24b2d2..16ee0a2d6 100644
--- a/src/firemon/x11.c
+++ b/src/firemon/x11.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/fldd/main.c b/src/fldd/main.c
index 9d91557c1..898e0f36a 100644
--- a/src/fldd/main.c
+++ b/src/fldd/main.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -261,12 +261,21 @@ static void walk_directory(const char *dirname) {
 
                         // check directory
                         // entry->d_type field is supported  in glibc since version 2.19 (Feb 2014)
-                        // we'll use stat to check for directories
+                        // we'll use stat to check for directories using the real path
+                        // (sometimes the path is a double symlink to a real file and stat would fail)
+                        char *rpath = realpath(path, NULL);
+                        if (!rpath) {
+                                free(path);
+                                continue;
+                        }
+                        free(path);
+
                         struct stat s;
-                        if (stat(path, &s) == -1)
+                        if (stat(rpath, &s) == -1)
                                 errExit("stat");
                         if (S_ISDIR(s.st_mode))
-                                walk_directory(path);
+                                walk_directory(rpath);
+                        free(rpath);
                 }
                 closedir(dir);
         }
diff --git a/src/fnet/arp.c b/src/fnet/arp.c
index 59798d32d..ed110c271 100644
--- a/src/fnet/arp.c
+++ b/src/fnet/arp.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/fnet/fnet.h b/src/fnet/fnet.h
index c0154b53e..41db5aa1b 100644
--- a/src/fnet/fnet.h
+++ b/src/fnet/fnet.h
@@ -1,5 +1,5 @@
  /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/fnet/interface.c b/src/fnet/interface.c
index 91d91360d..072dbf381 100644
--- a/src/fnet/interface.c
+++ b/src/fnet/interface.c
@@ -1,5 +1,5 @@
  /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/fnet/main.c b/src/fnet/main.c
index df8f7226c..d39fcfc84 100644
--- a/src/fnet/main.c
+++ b/src/fnet/main.c
@@ -1,5 +1,5 @@
  /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/fnet/veth.c b/src/fnet/veth.c
index e09b1b1c5..bd6e33583 100644
--- a/src/fnet/veth.c
+++ b/src/fnet/veth.c
@@ -26,7 +26,7 @@
  *
  */
  /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/fnetfilter/main.c b/src/fnetfilter/main.c
index 979f082d0..a89e12933 100644
--- a/src/fnetfilter/main.c
+++ b/src/fnetfilter/main.c
@@ -1,5 +1,5 @@
  /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -187,10 +187,9 @@ printf("\n");
         char *command = (argc == 3)? argv[1]: NULL;
 //printf("command %s\n", command);
 //printf("destfile %s\n", destfile);
+
         // destfile is a real filename
-        int len = strlen(destfile);
-        if (strcspn(destfile, "\\&!?\"'<>%^(){};,*[]") != (size_t)len)
-                err_exit_cannot_open_file(destfile);
+        reject_meta_chars(destfile, 0);
 
         // handle default config (command = NULL, destfile)
         if (command == NULL) {
diff --git a/src/fnettrace/Makefile.in b/src/fnettrace/Makefile.in
new file mode 100644
index 000000000..755ddcc3a
--- /dev/null
+++ b/src/fnettrace/Makefile.in
@@ -0,0 +1,17 @@
+.PHONY: all
+all: fnettrace
+
+include ../common.mk
+
+%.o : %.c $(H_FILE_LIST)
+        $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
+
+fnettrace: $(OBJS)
+        $(CC)  $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
+
+.PHONY: clean
+clean:; rm -fr *.o fnettrace *.gcov *.gcda *.gcno *.plist
+
+.PHONY: distclean
+distclean: clean
+        rm -fr Makefile
diff --git a/src/fnettrace/fnettrace.h b/src/fnettrace/fnettrace.h
new file mode 100644
index 000000000..b30a9f10d
--- /dev/null
+++ b/src/fnettrace/fnettrace.h
@@ -0,0 +1,73 @@
+/*
+ * Copyright (C) 2014-2022 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#ifndef FNETTRACE_H
+#define FNETTRACE_H
+
+#include "../include/common.h"
+#include <unistd.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <time.h>
+#include <stdarg.h>
+#include <fcntl.h>
+#include <sys/mman.h>
+
+
+//#define DEBUG 1
+
+#define NETLOCK_INTERVAL 60     // seconds
+#define DISPLAY_INTERVAL 2      // seconds
+#define DISPLAY_TTL 4           // display intervals (4 * 2 seconds)
+#define DISPLAY_BW_UNITS 20     // length of the bandwidth bar
+
+
+static inline void ansi_topleft(void) {
+        char str[] = {0x1b, '[', '1', ';',  '1', 'H', '\0'};
+        printf("%s", str);
+        fflush(0);
+}
+
+static inline void ansi_clrscr(void) {
+        ansi_topleft();
+        char str[] = {0x1b, '[', '0', 'J', '\0'};
+        printf("%s", str);
+        fflush(0);
+}
+
+static inline uint8_t hash(uint32_t ip) {
+        uint8_t *ptr = (uint8_t *) &ip;
+        // simple byte xor
+        return *ptr ^ *(ptr + 1) ^ *(ptr + 2) ^ *(ptr + 3);
+}
+
+// main.c
+void logprintf(char* fmt, ...);
+
+// hostnames.c
+extern int geoip_calls;
+void load_hostnames(const char *fname);
+char* retrieve_hostname(uint32_t ip);
+
+// tail.c
+void tail(const char *logfile);
+
+#endif
\ No newline at end of file
diff --git a/src/fnettrace/hostnames.c b/src/fnettrace/hostnames.c
new file mode 100644
index 000000000..dd92070bf
--- /dev/null
+++ b/src/fnettrace/hostnames.c
@@ -0,0 +1,124 @@
+/*
+ * Copyright (C) 2014-2022 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "fnettrace.h"
+#include "radix.h"
+#define MAXBUF 1024
+
+int geoip_calls = 0;
+static int geoip_not_found = 0;
+static char buf[MAXBUF];
+
+char *retrieve_hostname(uint32_t ip) {
+        if (geoip_not_found)
+                return NULL;
+        geoip_calls++;
+
+        char *rv = NULL;
+        char *cmd;
+        if (asprintf(&cmd, "/usr/bin/geoiplookup %d.%d.%d.%d", PRINT_IP(ip)) == -1)
+                errExit("asprintf");
+
+        FILE *fp = popen(cmd, "r");
+        if (fp) {
+                char *ptr;
+                 if (fgets(buf, MAXBUF, fp)) {
+                        ptr = strchr(buf, '\n');
+                        if (ptr)
+                                *ptr = '\0';
+                        if (strncmp(buf, "GeoIP Country Edition:", 22) == 0) {
+                                ptr = buf + 22;
+                                if (*ptr == ' ' && *(ptr + 3) == ',' &&  *(ptr + 4) == ' ') {
+                                        rv = ptr + 5;
+                                        rv = radix_add(ip, 0xffffffff, rv);
+                                }
+                        }
+                }
+                fclose(fp);
+                return rv;
+        }
+        else
+                geoip_not_found = 1;
+
+        free(cmd);
+
+        return NULL;
+}
+
+void load_hostnames(const char *fname) {
+        assert(fname);
+        FILE *fp = fopen(fname, "r");
+        if (!fp) {
+                fprintf(stderr, "Warning: cannot find %s file\n", fname);
+                return;
+        }
+
+        char buf[MAXBUF];
+        int line = 0;
+        while (fgets(buf, MAXBUF, fp)) {
+                line++;
+
+                // skip empty spaces
+                char *start = buf;
+                while (*start == ' ' || *start == '\t')
+                        start++;
+                // comments
+                if (*start == '#')
+                        continue;
+                char *end = strchr(start, '#');
+                if (end)
+                        *end = '\0';
+
+                // end
+                end = strchr(start, '\n');
+                if (end)
+                        *end = '\0';
+                end = start + strlen(start);
+                if (end == start)       // empty line
+                        continue;
+
+                // line format: 1.2.3.4/32 name_without_empty_spaces
+                // a single empty space between address and name
+                end = strchr(start, ' ');
+                if (!end)
+                        goto errexit;
+                *end = '\0';
+                end++;
+                if (*end == '\0')
+                        goto errexit;
+
+                uint32_t ip;
+                uint32_t mask;
+                if (atocidr(start, &ip, &mask)) {
+                        fprintf(stderr, "Error: invalid CIDR address\n");
+                        goto errexit;
+                }
+
+                radix_add(ip, mask, end);
+        }
+
+        fclose(fp);
+        return;
+
+
+errexit:
+        fprintf(stderr, "Error: invalid line %d in file %s\n", line, fname);
+        exit(1);
+}
+
diff --git a/src/fnettrace/main.c b/src/fnettrace/main.c
new file mode 100644
index 000000000..31d49d839
--- /dev/null
+++ b/src/fnettrace/main.c
@@ -0,0 +1,665 @@
+/*
+ * Copyright (C) 2014-2022 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "fnettrace.h"
+#include "radix.h"
+#include <sys/ioctl.h>
+#define MAX_BUF_SIZE (64 * 1024)
+
+static int arg_netfilter = 0;
+static int arg_tail = 0;
+static char *arg_log = NULL;
+
+typedef struct hnode_t {
+        struct hnode_t *hnext;  // used for hash table and unused linked list
+        struct hnode_t *dnext;  // used to display stremas on the screen
+        uint32_t ip_src;
+        uint32_t  bytes;        // number of bytes received in the last display interval
+        uint16_t port_src;
+        uint8_t protocol;
+        // the firewall is build based on source address, and in the linked list
+        // we have elements with the same address but different ports
+        uint8_t ip_instance;
+        char *hostname;
+        int ttl;
+} HNode;
+
+// hash table
+#define HMAX 256
+HNode *htable[HMAX] = {NULL};
+// display linked list
+HNode *dlist = NULL;
+
+
+// speed up malloc/free
+#define HNODE_MAX_MALLOC 16
+static HNode *hnode_unused = NULL;
+HNode *hmalloc(void) {
+        if (hnode_unused == NULL) {
+                hnode_unused = malloc(sizeof(HNode) * HNODE_MAX_MALLOC);
+                if (!hnode_unused)
+                        errExit("malloc");
+                memset(hnode_unused, 0, sizeof(HNode) * HNODE_MAX_MALLOC);
+                HNode *ptr = hnode_unused;
+                int i;
+                for ( i = 1; i < HNODE_MAX_MALLOC; i++, ptr++)
+                        ptr->hnext = hnode_unused + i;
+        }
+
+        HNode *rv = hnode_unused;
+        hnode_unused = hnode_unused->hnext;
+        return rv;
+}
+
+void hfree(HNode *ptr) {
+        assert(ptr);
+        memset(ptr, 0, sizeof(HNode));
+        ptr->hnext = hnode_unused;
+        hnode_unused = ptr;
+}
+
+
+static void hnode_add(uint32_t ip_src, uint8_t protocol, uint16_t port_src, uint32_t bytes) {
+        uint8_t h = hash(ip_src);
+
+        // find
+        int ip_instance = 0;
+        HNode *ptr = htable[h];
+        while (ptr) {
+                if (ptr->ip_src == ip_src) {
+                        ip_instance++;
+                        if (ptr->port_src == port_src && ptr->protocol == protocol) {
+                                ptr->bytes += bytes;
+                                return;
+                        }
+                }
+                ptr = ptr->hnext;
+        }
+
+#ifdef DEBUG
+        printf("malloc %d.%d.%d.%d\n", PRINT_IP(ip_src));
+#endif
+        HNode *hnew = hmalloc();
+        assert(hnew);
+        hnew->hostname = NULL;
+        hnew->ip_src = ip_src;
+        hnew->port_src = port_src;
+        hnew->protocol = protocol;
+        hnew->hnext = NULL;
+        hnew->bytes = bytes;
+        hnew->ip_instance = ip_instance + 1;
+        hnew->ttl = DISPLAY_TTL;
+        if (htable[h] == NULL)
+                htable[h] = hnew;
+        else {
+                hnew->hnext = htable[h];
+                htable[h] = hnew;
+        }
+
+        // add to the end of list
+        hnew->dnext = NULL;
+        if (dlist == NULL)
+                dlist = hnew;
+        else {
+                ptr = dlist;
+                while (ptr->dnext != NULL)
+                        ptr = ptr->dnext;
+                ptr->dnext = hnew;
+        }
+
+        if (arg_netfilter)
+                logprintf(" %d.%d.%d.%d ", PRINT_IP(hnew->ip_src));
+}
+
+static void hnode_free(HNode *elem) {
+        assert(elem);
+#ifdef DEBUG
+        printf("free %d.%d.%d.%d\n", PRINT_IP(elem->ip_src));
+#endif
+
+        uint8_t h = hash(elem->ip_src);
+        HNode *ptr = htable[h];
+        assert(ptr);
+
+        HNode *prev = NULL;
+        while (ptr != elem) {
+                prev = ptr;
+                ptr = ptr->hnext;
+        }
+        if (prev == NULL)
+                htable[h] = elem->hnext;
+        else
+                prev->hnext = elem->hnext;
+        hfree(elem);
+}
+
+#ifdef DEBUG
+static void debug_dlist(void) {
+        HNode *ptr = dlist;
+        while (ptr) {
+                printf("dlist %d.%d.%d.%d:%d\n", PRINT_IP(ptr->ip_src), ptr->port_src);
+                ptr = ptr->dnext;
+        }
+}
+static void debug_hnode(void) {
+        int i;
+        for (i = 0; i < HMAX; i++) {
+                HNode *ptr = htable[i];
+                while (ptr) {
+                        printf("hnode (%d) %d.%d.%d.%d:%d\n", i, PRINT_IP(ptr->ip_src), ptr->port_src);
+                        ptr = ptr->hnext;
+                }
+        }
+}
+#endif
+
+static char *bw_line[DISPLAY_BW_UNITS + 1] = { NULL };
+
+static char *print_bw(unsigned units) {
+        if (units > DISPLAY_BW_UNITS)
+                units = DISPLAY_BW_UNITS ;
+
+        if (bw_line[units] == NULL) {
+                char *ptr = malloc(DISPLAY_BW_UNITS + 2);
+                if (!ptr)
+                        errExit("malloc");
+                bw_line[units] = ptr;
+
+                unsigned i;
+                for (i = 0; i < DISPLAY_BW_UNITS; i++, ptr++)
+                        sprintf(ptr, "%s", (i < units)? "*": " ");
+                sprintf(ptr, "%s", " ");
+        }
+
+        return bw_line[units];
+}
+
+#define LINE_MAX 200
+static inline void adjust_line(char *str, int len, int cols) {
+        if (len > LINE_MAX) // functions such as snprintf truncate the string, and return the length of the untruncated string
+                len = LINE_MAX;
+        if (cols > 4 && len > cols) {
+                str[cols] = '\0';
+                str[cols- 1] = '\n';
+        }
+}
+
+#define BWMAX_CNT 8
+static unsigned adjust_bandwidth(unsigned bw) {
+        static unsigned array[BWMAX_CNT] = {0};
+        static int instance = 0;
+
+        array[instance] = bw;
+        int i;
+        unsigned sum = 0;
+        unsigned max = 0;
+        for ( i = 0; i < BWMAX_CNT; i++) {
+                sum += array[i];
+                max = (max > array[i])? max: array[i];
+        }
+        sum /= BWMAX_CNT;
+
+        if (++instance >= BWMAX_CNT)
+                instance = 0;
+
+        return (max < (sum / 2))? sum: max;
+}
+
+static void hnode_print(unsigned bw) {
+        assert(!arg_netfilter);
+        bw = (bw < 1024 * DISPLAY_INTERVAL)? 1024 * DISPLAY_INTERVAL: bw;
+#ifdef DEBUG
+        printf("*********************\n");
+        debug_dlist();
+        printf("-----------------------------\n");
+        debug_hnode();
+        printf("*********************\n");
+#else
+        ansi_clrscr();
+#endif
+
+        // get terminal size
+        struct winsize sz;
+        int cols = 80;
+        if (isatty(STDIN_FILENO)) {
+                if (!ioctl(0, TIOCGWINSZ, &sz))
+                        cols  = sz.ws_col;
+        }
+        if (cols > LINE_MAX)
+                cols = LINE_MAX;
+        char line[LINE_MAX + 1];
+
+        // print stats line
+        bw = adjust_bandwidth(bw);
+        char stats[31];
+        if (bw > (1024 * 1024 * DISPLAY_INTERVAL))
+                sprintf(stats, "%u MB/s ", bw / (1024 * 1024 * DISPLAY_INTERVAL));
+        else
+                sprintf(stats, "%u KB/s ", bw / (1024 * DISPLAY_INTERVAL));
+        int len = snprintf(line, LINE_MAX, "%32s geoip %d, IP database %d\n", stats, geoip_calls, radix_nodes);
+        adjust_line(line, len, cols);
+        printf("%s", line);
+
+        HNode *ptr = dlist;
+        HNode *prev = NULL;
+        while (ptr) {
+                HNode *next = ptr->dnext;
+                if (--ptr->ttl > 0) {
+                        char bytes[11];
+                        if (ptr->bytes > (DISPLAY_INTERVAL * 1024 * 1024 * 2)) // > 2 MB/second
+                                snprintf(bytes, 11, "%u MB/s",
+                                        (unsigned) (ptr->bytes / (DISPLAY_INTERVAL * 1024* 1024)));
+                        else if (ptr->bytes > (DISPLAY_INTERVAL * 1024 * 2)) // > 2 KB/second
+                                snprintf(bytes, 11, "%u KB/s",
+                                        (unsigned) (ptr->bytes / (DISPLAY_INTERVAL * 1024)));
+                        else
+                                snprintf(bytes, 11, "%u B/s ", (unsigned) (ptr->bytes / DISPLAY_INTERVAL));
+
+                        if (!ptr->hostname)
+                                ptr->hostname = radix_longest_prefix_match(ptr->ip_src);
+                        if (!ptr->hostname)
+                                ptr->hostname = retrieve_hostname(ptr->ip_src);
+                        if (!ptr->hostname)
+                                ptr->hostname = " ";
+
+                        unsigned bwunit = bw / DISPLAY_BW_UNITS;
+                        char *bwline;
+                        if (bwunit == 0)
+                                bwline = print_bw(0);
+                        else
+                                bwline = print_bw(ptr->bytes / bwunit);
+
+                        char *protocol = "";
+                        if (ptr->port_src == 80)
+                                protocol = "(HTTP)";
+                        else if (ptr->port_src == 853)
+                                protocol = "(DoT)";
+                        else if (ptr->protocol == 0x11)
+                                protocol = "(UDP)";
+/*
+                        else (ptr->port_src == 443)
+                                protocol = "TLS";
+                        else if (ptr->port_src == 53)
+                                protocol = "DNS";
+*/
+
+                        len = snprintf(line, LINE_MAX, "%10s %s %d.%d.%d.%d:%u%s %s\n",
+                                bytes, bwline, PRINT_IP(ptr->ip_src), ptr->port_src, protocol, ptr->hostname);
+                        adjust_line(line, len, cols);
+                        printf("%s", line);
+
+                        if (ptr->bytes)
+                                ptr->ttl = DISPLAY_TTL;
+                        ptr->bytes = 0;
+                        prev = ptr;
+                }
+                else {
+                        // free the element
+                        if (prev == NULL)
+                                dlist = next;
+                        else
+                                prev->dnext = next;
+                        hnode_free(ptr);
+                }
+
+                ptr = next;
+        }
+
+#ifdef DEBUG
+        {
+                int cnt = 0;
+                HNode *ptr = hnode_unused;
+                while (ptr) {
+                        cnt++;
+                        ptr = ptr->hnext;
+                }
+                printf("hnode unused %d\n", cnt);
+        }
+#endif
+}
+
+static void run_trace(void) {
+        if (arg_netfilter)
+                logprintf("accumulating traffic for %d seconds\n", NETLOCK_INTERVAL);
+
+        // trace only rx ipv4 tcp and upd
+        int s1 = socket(AF_INET, SOCK_RAW, IPPROTO_TCP);
+        int s2 = socket(AF_INET, SOCK_RAW, IPPROTO_UDP);
+        if (s1 < 0 || s2 < 0)
+                errExit("socket");
+
+        unsigned start = time(NULL);
+        unsigned last_print_traces = 0;
+        unsigned last_print_remaining = 0;
+        unsigned char buf[MAX_BUF_SIZE];
+        unsigned bw = 0; // bandwidth calculations
+        while (1) {
+                unsigned end = time(NULL);
+                if (arg_netfilter && end - start >= NETLOCK_INTERVAL)
+                        break;
+                if (end % DISPLAY_INTERVAL == 1 && last_print_traces != end) { // first print after 1 second
+                        if (!arg_netfilter)
+                                hnode_print(bw);
+                        last_print_traces = end;
+                        bw = 0;
+                }
+                if (arg_netfilter && last_print_remaining != end) {
+                        logprintf(".");
+                        fflush(0);
+                        last_print_remaining = end;
+                }
+
+                fd_set rfds;
+                FD_ZERO(&rfds);
+                FD_SET(s1, &rfds);
+                FD_SET(s2, &rfds);
+                int maxfd = (s1 > s2) ? s1 : s2;
+                 maxfd++;
+                struct timeval tv;
+                tv.tv_sec = 1;
+                tv.tv_usec = 0;
+                int rv = select(maxfd, &rfds, NULL, NULL, &tv);
+                if (rv < 0)
+                        errExit("select");
+                else if (rv == 0)
+                        continue;
+
+                int sock = (FD_ISSET(s1, &rfds)) ? s1 : s2;
+
+                unsigned bytes = recvfrom(sock, buf, MAX_BUF_SIZE, 0, NULL, NULL);
+                if (bytes >= 20) { // size of IP header
+#ifdef DEBUG
+                        {
+                                uint32_t ip_src;
+                                memcpy(&ip_src, buf + 12, 4);
+                                ip_src = ntohl(ip_src);
+
+                                uint32_t ip_dst;
+                                memcpy(&ip_dst, buf + 16, 4);
+                                ip_dst = ntohl(ip_dst);
+                                printf("%d.%d.%d.%d -> %d.%d.%d.%d, %u bytes\n", PRINT_IP(ip_src), PRINT_IP(ip_dst), bytes);
+                        }
+#endif
+                        // filter out loopback traffic
+                        if (buf[12] != 127 && buf[16] != 127) {
+                                bw += bytes + 14; // assume a 14 byte Ethernet layer
+
+                                uint32_t ip_src;
+                                memcpy(&ip_src, buf + 12, 4);
+                                ip_src = ntohl(ip_src);
+
+                                uint8_t hlen = (buf[0] & 0x0f) * 4;
+                                uint16_t port_src;
+                                memcpy(&port_src, buf + hlen, 2);
+                                port_src = ntohs(port_src);
+
+                                hnode_add(ip_src, buf[9], port_src, bytes + 14);
+                        }
+                }
+        }
+
+        close(s1);
+        close(s2);
+}
+
+static char *filter_start =
+        "*filter\n"
+        ":INPUT DROP [0:0]\n"
+        ":FORWARD DROP [0:0]\n"
+        ":OUTPUT DROP [0:0]\n";
+
+// return 1 if error
+static int print_filter(FILE *fp) {
+        if (dlist == NULL)
+                return 1;
+        fprintf(fp, "%s\n", filter_start);
+        fprintf(fp, "-A INPUT -s 127.0.0.0/8 -j ACCEPT\n");
+        fprintf(fp, "-A OUTPUT -d 127.0.0.0/8 -j ACCEPT\n");
+        fprintf(fp, "\n");
+
+        int i;
+        for (i = 0; i < HMAX; i++) {
+                HNode *ptr = htable[i];
+                while (ptr) {
+                        // filter rules are targeting ip address, the port number is disregarded,
+                        // so we look only at the first instance of an address
+                        if (ptr->ip_instance == 1) {
+                                char *protocol = (ptr->protocol == 6)? "tcp": "udp";
+                                fprintf(fp, "-A INPUT -s %d.%d.%d.%d -p %s  -j ACCEPT\n",
+                                        PRINT_IP(ptr->ip_src),
+                                        protocol);
+                                fprintf(fp, "-A OUTPUT -d %d.%d.%d.%d -p %s  -j ACCEPT\n",
+                                        PRINT_IP(ptr->ip_src),
+                                        protocol);
+                                fprintf(fp, "\n");
+                        }
+                        ptr = ptr->hnext;
+                }
+        }
+        fprintf(fp, "COMMIT\n");
+
+        return 0;
+}
+
+static char *flush_rules[] = {
+        "-P INPUT ACCEPT",
+//      "-P FORWARD DENY",
+        "-P OUTPUT ACCEPT",
+        "-F",
+        "-X",
+//      "-t nat -F",
+//      "-t nat -X",
+//      "-t mangle -F",
+//      "-t mangle -X",
+//      "iptables -t raw -F",
+//      "-t raw -X",
+        NULL
+};
+
+static void deploy_netfilter(void) {
+        int rv;
+        char *cmd;
+        int i;
+
+        if (dlist == NULL) {
+                logprintf("Sorry, no network traffic was detected. The firewall was not configured.\n");
+                return;
+        }
+        // find iptables command
+        char *iptables = NULL;
+        char *iptables_restore = NULL;
+        if (access("/sbin/iptables", X_OK) == 0) {
+                iptables = "/sbin/iptables";
+                iptables_restore = "/sbin/iptables-restore";
+        }
+        else if (access("/usr/sbin/iptables", X_OK) == 0) {
+                iptables = "/usr/sbin/iptables";
+                iptables_restore = "/usr/sbin/iptables-restore";
+        }
+        if (iptables == NULL || iptables_restore == NULL) {
+                fprintf(stderr, "Error: iptables command not found, netfilter not configured\n");
+                exit(1);
+        }
+
+        // flush all netfilter rules
+        i = 0;
+        while (flush_rules[i]) {
+                char *cmd;
+                if (asprintf(&cmd, "%s %s", iptables, flush_rules[i]) == -1)
+                        errExit("asprintf");
+                int rv = system(cmd);
+                (void) rv;
+                free(cmd);
+                i++;
+        }
+
+        // create temporary file
+        char fname[] = "/tmp/firejail-XXXXXX";
+        int fd = mkstemp(fname);
+        if (fd == -1) {
+                fprintf(stderr, "Error: cannot create temporary configuration file\n");
+                exit(1);
+        }
+
+        FILE* fp = fdopen(fd, "w");
+        if (!fp) {
+                rv = unlink(fname);
+                (void) rv;
+                fprintf(stderr, "Error: cannot create temporary configuration file\n");
+                exit(1);
+        }
+        print_filter(fp);
+        fclose(fp);
+
+        logprintf("\n\n");
+        logprintf(">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n");
+        if (asprintf(&cmd, "cat %s >> %s", fname, arg_log) == -1)
+                errExit("asprintf");
+        rv = system(cmd);
+        (void) rv;
+        free(cmd);
+
+        if (asprintf(&cmd, "cat %s", fname) == -1)
+                errExit("asprintf");
+        rv = system(cmd);
+        (void) rv;
+        free(cmd);
+        logprintf("<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n");
+
+        // configuring
+        if (asprintf(&cmd, "%s %s", iptables_restore, fname) == -1)
+                errExit("asprintf");
+        rv = system(cmd);
+        if (rv)
+                fprintf(stdout, "Warning: possible netfilter problem!");
+        free(cmd);
+
+        rv = unlink(fname);
+        (void) rv;
+        logprintf("\nfirewall deployed\n");
+}
+
+void logprintf(char* fmt, ...) {
+        if (!arg_log)
+                return;
+
+        FILE *fp = fopen(arg_log, "a");
+        if (fp) { // disregard if error
+                va_list args;
+                va_start(args,fmt);
+                vfprintf(fp, fmt, args);
+                va_end(args);
+                fclose(fp);
+        }
+
+        va_list args;
+        va_start(args,fmt);
+        vfprintf(stdout, fmt, args);
+        va_end(args);
+}
+
+static void usage(void) {
+        printf("Usage: fnettrace [OPTIONS]\n");
+        printf("Options:\n");
+        printf("   --help, -? - this help screen\n");
+        printf("   --log=filename - netlocker logfile\n");
+        printf("   --netfilter - build the firewall rules and commit them.\n");
+        printf("   --tail - \"tail -f\" functionality\n");
+        printf("Examples:\n");
+        printf("   # fnettrace                              - traffic trace\n");
+        printf("   # fnettrace --netfilter --log=logfile    - netlocker, dump output in logfile\n");
+        printf("   # fnettrace --tail --log=logifile        - similar to \"tail -f logfile\"\n");
+        printf("\n");
+}
+
+int main(int argc, char **argv) {
+        int i;
+
+#ifdef DEBUG
+        // radix test
+        radix_add(0x09000000, 0xff000000, "IBM");
+        radix_add(0x09090909, 0xffffffff, "Quad9 DNS");
+        radix_add(0x09000000, 0xff000000, "IBM");
+        printf("This test should print \"IBM, Quad9 DNS, IBM\"\n");
+        char *name = radix_longest_prefix_match(0x09040404);
+        printf("%s, ", name);
+        name = radix_longest_prefix_match(0x09090909);
+        printf("%s, ", name);
+        name = radix_longest_prefix_match(0x09322209);
+        printf("%s\n", name);
+#endif
+
+        for (i = 1; i < argc; i++) {
+                if (strcmp(argv[i], "--help") == 0 || strcmp(argv[i], "-?") == 0) {
+                        usage();
+                        return 0;
+                }
+                else if (strcmp(argv[i], "--netfilter") == 0)
+                        arg_netfilter = 1;
+                else if (strcmp(argv[i], "--tail") == 0)
+                        arg_tail = 1;
+                else if (strncmp(argv[i], "--log=", 6) == 0)
+                        arg_log = argv[i] + 6;
+                else {
+                        fprintf(stderr, "Error: invalid argument\n");
+                        return 1;
+                }
+        }
+
+        // tail
+        if (arg_tail) {
+                if (!arg_log) {
+                        fprintf(stderr, "Error: no log file\n");
+                        usage();
+                        exit(1);
+                }
+
+                tail(arg_log);
+                sleep(5);
+                exit(0);
+        }
+
+        if (getuid() != 0) {
+                fprintf(stderr, "Error: you need to be root to run this program\n");
+                return 1;
+        }
+
+        ansi_clrscr();
+        if (arg_netfilter)
+                logprintf("starting network lockdown\n");
+        else  {
+                char *fname = LIBDIR "/firejail/static-ip-map";
+                load_hostnames(fname);
+        }
+
+        run_trace();
+        if (arg_netfilter) {
+                // TCP path MTU discovery will not work properly since the firewall drops all ICMP packets
+                // Instead, we use iPacketization Layer PMTUD (RFC 4821) support in Linux kernel
+                int rv = system("echo 1 > /proc/sys/net/ipv4/tcp_mtu_probing");
+                (void) rv;
+
+                deploy_netfilter();
+                sleep(3);
+                if (arg_log)
+                        unlink(arg_log);
+        }
+
+        return 0;
+}
diff --git a/src/fnettrace/radix.c b/src/fnettrace/radix.c
new file mode 100644
index 000000000..c9493717d
--- /dev/null
+++ b/src/fnettrace/radix.c
@@ -0,0 +1,155 @@
+/*
+ * Copyright (C) 2014-2022 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+#include <assert.h>
+#include "radix.h"
+#include "fnettrace.h"
+
+typedef struct rnode_t {
+        struct rnode_t *zero;
+        struct rnode_t *one;
+        char *name;
+} RNode;
+
+RNode *head = 0;
+int radix_nodes = 0;
+
+// get rid of the malloc overhead
+#define RNODE_MAX_MALLOC 128
+static RNode *rnode_unused = NULL;
+static int rnode_malloc_cnt = 0;
+static RNode *rmalloc(void) {
+        if (rnode_unused == NULL || rnode_malloc_cnt >= RNODE_MAX_MALLOC) {
+                rnode_unused = malloc(sizeof(RNode) * RNODE_MAX_MALLOC);
+                if (!rnode_unused)
+                        errExit("malloc");
+                memset(rnode_unused, 0, sizeof(RNode) * RNODE_MAX_MALLOC);
+                rnode_malloc_cnt = 0;
+        }
+
+        rnode_malloc_cnt++;
+        return rnode_unused + rnode_malloc_cnt - 1;
+}
+
+
+static inline char *duplicate_name(const char *name) {
+        assert(name);
+
+        if (strcmp(name, "United States") == 0)
+                return "United States";
+        else if (strcmp(name, "Amazon") == 0)
+                return "Amazon";
+        return strdup(name);
+}
+
+static inline RNode *addOne(RNode *ptr, char *name) {
+        assert(ptr);
+        if (ptr->one)
+                return ptr->one;
+        RNode *node = rmalloc();
+        assert(node);
+        if (name) {
+                node->name = duplicate_name(name);
+                if (!node->name)
+                        errExit("duplicate name");
+        }
+
+        ptr->one = node;
+        return node;
+}
+
+static inline RNode *addZero(RNode *ptr, char *name) {
+        assert(ptr);
+        if (ptr->zero)
+                return ptr->zero;
+        RNode *node = rmalloc();
+        assert(node);
+        if (name) {
+                node->name = duplicate_name(name);
+                if (!node->name)
+                        errExit("duplicate name");
+        }
+
+        ptr->zero = node;
+        return node;
+}
+
+
+// add to radix tree
+char *radix_add(uint32_t ip, uint32_t mask, char *name) {
+        assert(name);
+        uint32_t m = 0x80000000;
+        uint32_t lastm = 0;
+        if (head == 0) {
+                head = malloc(sizeof(RNode));
+                memset(head, 0, sizeof(RNode));
+        }
+        RNode *ptr = head;
+        radix_nodes++;
+
+        int i;
+        for (i = 0; i < 32; i++, m >>= 1) {
+                if (!(m & mask))
+                        break;
+
+                lastm |= m;
+                int valid = (lastm == mask)? 1: 0;
+                if (m & ip)
+                        ptr = addOne(ptr, (valid)? name: NULL);
+                else
+                        ptr = addZero(ptr, (valid)? name: NULL);
+        }
+        assert(ptr);
+        if (!ptr->name) {
+                ptr->name = duplicate_name(name);
+                if (!ptr->name)
+                        errExit("duplicate_name");
+        }
+
+        return ptr->name;
+}
+
+// find last match
+char *radix_longest_prefix_match(uint32_t ip) {
+        if (!head)
+                return NULL;
+
+        uint32_t m = 0x80000000;
+        RNode *ptr = head;
+        RNode *rv = NULL;
+
+        int i;
+        for (i = 0; i < 32; i++, m >>= 1) {
+                if (m & ip)
+                        ptr = ptr->one;
+                else
+                        ptr = ptr->zero;
+                if (!ptr)
+                        break;
+                if (ptr->name)
+                        rv = ptr;
+        }
+
+        return (rv)? rv->name: NULL;
+}
+
diff --git a/src/fnettrace/radix.h b/src/fnettrace/radix.h
new file mode 100644
index 000000000..c22c5c547
--- /dev/null
+++ b/src/fnettrace/radix.h
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) 2014-2022 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#ifndef RADIX_H
+#define RADIX_H
+
+extern int radix_nodes;
+char *radix_longest_prefix_match(uint32_t ip);
+char *radix_add(uint32_t ip, uint32_t mask, char *name);
+
+#endif
\ No newline at end of file
diff --git a/src/fnettrace/static-ip-map b/src/fnettrace/static-ip-map
new file mode 100644
index 000000000..e24ecf218
--- /dev/null
+++ b/src/fnettrace/static-ip-map
@@ -0,0 +1,4044 @@
+#
+# Copyright (C) 2014-2022 Firejail Authors
+#
+# This file is part of firejail project
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#
+# Static Internet Map
+#
+# Unfortunately we cannot do a hostname lookup. This will leak a lot of
+# information about what network resources we access.
+# A static map, helped out by geoip package available on all Linux distros,
+# will have to do it for now!
+#
+# Format:
+#       CIDR-IPv4-address-range hostname
+#       a single space between address and hostname
+#       use '#' for comments
+#       example: 9.9.9.0/24 Quad9 DNS
+#
+#
+
+# local network addresses
+192.168.0.0/16 local network
+10.0.0.0/8 local network
+172.16.0.0/16 local network
+
+#  huge address ranges
+6.0.0.0/8 US Army
+7.0.0.0/8 US Army
+9.0.0.0/8 IBM
+11.0.0.0/8 US Army
+17.0.0.0/8 Apple
+19.0.0.0/8 Ford
+21.0.0.0/8 US Army
+22.0.0.0/8 US Army
+26.0.0.0/8 US Army
+28.0.0.0/8 US Army
+29.0.0.0/8 US Army
+30.0.0.0/8 US Army
+33.0.0.0/8 US Army
+48.0.0.0/8 Prudential US
+55.0.0.0/8 US Army
+56.0.0.0/8 US Postal Service
+214.0.0.0/8     US Army
+215.0.0.0/8 US Army
+
+# whois/DNS
+1.1.1.0/24 Cloudflare DNS
+1.0.0.0/24 Cloudflare DNS
+8.8.4.0/24 Google DNS
+8.8.8.0/24 Google DNS
+9.9.9.0/24 Quad9 DNS
+45.90.28.0/22 NextDNS
+149.112.112.0/24 Quad9 DNS
+149.112.120.0/21 CIRA DNS Canada
+176.103.128.0/19 Adguard DNS
+185.228.168.0/24 Cleanbrowsing DNS
+193.0.0.0/21 whois.ripe.net Netherlands
+199.5.26.0/24 whois.arin.net US
+199.15.80.0/21 whois.publicinterestregistry.net Canada
+199.15.88.0/24 whois.publicinterestregistry.net Canada
+199.71.0.0/24 whois.arin.net US
+199.212.0.0/24 whois.arin.net US
+200.3.12.0/22 whois.lacnic.net Uruguay
+201.159.220.0/22 whois.lacnic.net Ecuador
+
+# some popular websites
+31.13.24.0/21 Facebook
+31.13.64.0/18 Facebook
+64.63.0.0/18 Twitter
+69.171.224.0/19 Facebook
+104.244.40.0/21 Twitter
+129.134.0.0/16 Facebook
+140.82.112.0/20 GitHub
+157.240.0.0/16 Facebook
+185.199.108.0/22 GitHub
+188.64.224.0/21 Twitter
+192.0.64.0/18 Wordpress
+199.16.156.0/22 Twitter
+199.59.148.0/22 Twitter
+208.80.152.0/22 Wikipedia
+
+# Akamai
+23.0.0.0/12 Akamai
+23.32.0.0/11 Akamai
+23.64.0.0/14 Akamai
+23.72.0.0/13 Akamai
+23.192.0.0/11 Akamai
+72.246.0.0/15 Akamai
+96.6.0.0/15 Akamai
+96.16.0.0/15 Akamai
+104.64.0.0/10 Akamai
+184.24.0.0/13 Akamai
+184.50.0.0/15 Akamai
+184.84.0.0/14 Akamai
+
+# Fastly
+23.235.32.0/20 Fastly
+43.249.72.0/22 Fastly
+103.244.50.0/24 Fastly
+103.245.222.0/23 Fastly
+103.245.224.0/24 Fastly
+104.156.80.0/20 Fastly
+146.75.0.0/16 Fastly
+151.101.0.0/16 Fastly
+157.52.64.0/18 Fastly
+167.82.0.0/17 Fastly
+167.82.128.0/20 Fastly
+167.82.160.0/20 Fastly
+167.82.224.0/20 Fastly
+172.111.64.0/18 Fastly
+185.31.16.0/22 Fastly
+199.27.72.0/21 Fastly
+199.232.0.0/16 Fastly
+
+# MCI/Verizon
+72.21.80.0/20 MCI
+108.29.0.0/16 MCI
+108.30.0.0/16 MCI
+108.31.0.0/16 MCI
+108.3.128.0/17 MCI
+108.32.0.0/17 MCI
+108.32.128.0/17 MCI
+108.33.254.0/24 MCI
+108.33.255.0/24 MCI
+108.34.128.0/17 MCI
+108.34.16.0/20 MCI
+108.34.32.0/19 MCI
+108.34.64.0/18 MCI
+108.35.0.0/16 MCI
+108.36.0.0/16 MCI
+108.3.64.0/18 MCI
+108.37.0.0/16 MCI
+108.39.0.0/17 MCI
+108.39.128.0/17 MCI
+108.40.0.0/17 MCI
+108.4.0.0/17 MCI
+108.41.0.0/16 MCI
+108.4.128.0/19 MCI
+108.4.160.0/19 MCI
+108.4.192.0/18 MCI
+108.44.0.0/18 MCI
+108.44.128.0/17 MCI
+108.44.64.0/18 MCI
+108.45.0.0/16 MCI
+108.46.0.0/16 MCI
+192.229.128.0/17 MCI
+
+# Microsoft
+40.76.0.0/14 Microsoft
+40.96.0.0/12 Microsoft
+40.112.0.0/13 Microsoft
+40.124.0.0/16 Microsoft
+40.74.0.0/15 Microsoft
+40.80.0.0/12 Microsoft
+40.120.0.0/14 Microsoft
+40.125.0.0/17 Microsoft
+52.145.0.0/16 Microsoft
+52.148.0.0/14 Microsoft
+52.152.0.0/13 Microsoft
+52.146.0.0/15 Microsoft
+52.160.0.0/11 Microsoft
+
+# Yahoo
+63.250.192.0/19 Yahoo
+66.196.64.0/18 Yahoo
+67.195.0.0/16 Yahoo
+69.147.64.0/18 Yahoo
+76.13.0.0/16 Yahoo
+98.136.0.0/14 Yahoo
+206.190.32.0/19 Yahoo
+209.73.160.0/19 Yahoo
+209.191.64.0/18 Yahoo
+216.115.96.0/20 Yahoo
+
+# Google
+# from https://support.google.com/a/answer/10026322?hl=en
+# last update January 5, 2022
+8.34.208.0/20 Google
+8.35.192.0/20 Google
+23.236.48.0/20 Google
+23.251.128.0/19 Google
+34.64.0.0/10 Google
+34.128.0.0/10 Google
+35.184.0.0/13 Google
+35.192.0.0/14 Google
+35.196.0.0/15 Google
+35.198.0.0/16 Google
+35.199.0.0/17 Google
+35.199.128.0/18 Google
+35.200.0.0/13 Google
+35.208.0.0/12 Google
+35.224.0.0/12 Google
+35.240.0.0/13 Google
+64.15.112.0/20 Google
+64.233.160.0/19 Google
+66.102.0.0/20 Google
+66.249.64.0/19 Google
+70.32.128.0/19 Google
+72.14.192.0/18 Google
+74.114.24.0/21 Google
+74.125.0.0/16 Google
+104.154.0.0/15 Google
+104.196.0.0/14 Google
+104.237.160.0/19 Google
+107.167.160.0/19 Google
+107.178.192.0/18 Google
+108.59.80.0/20 Google
+108.170.192.0/18 Google
+108.177.0.0/17 Google
+130.211.0.0/16 Google
+136.112.0.0/12 Google
+142.250.0.0/15 Google
+146.148.0.0/17 Google
+162.216.148.0/22 Google
+162.222.176.0/21 Google
+172.110.32.0/21 Google
+172.217.0.0/16 Google
+172.253.0.0/16 Google
+173.194.0.0/16 Google
+173.255.112.0/20 Google
+192.158.28.0/22 Google
+192.178.0.0/15 Google
+193.186.4.0/24 Google
+199.36.154.0/23 Google
+199.36.156.0/24 Google
+199.192.112.0/22 Google
+199.223.232.0/21 Google
+207.223.160.0/20 Google
+208.65.152.0/22 Google
+208.68.108.0/22 Google
+208.81.188.0/22 Google
+208.117.224.0/19 Google
+209.85.128.0/17 Google
+216.58.192.0/19 Google
+216.73.80.0/20 Google
+216.239.32.0/19 Google
+
+
+#Cloudflare
+# from https://www.cloudflare.com/ips/
+# update April 8, 2021
+103.21.244.0/22 Cloudflare
+103.22.200.0/22 Cloudflare
+103.31.4.0/22 Cloudflare
+104.16.0.0/13 Cloudflare
+104.24.0.0/14 Cloudflare
+108.162.192.0/18 Cloudflare
+131.0.72.0/22 Cloudflare
+141.101.64.0/18 Cloudflare
+162.158.0.0/15 Cloudflare
+172.64.0.0/13 Cloudflare
+173.245.48.0/20 Cloudflare
+188.114.96.0/20 Cloudflare
+190.93.240.0/20 Cloudflare
+197.234.240.0/22 Cloudflare
+198.41.128.0/17 Cloudflare
+
+# Amazon
+# from https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html
+# update January 6, 2022
+3.0.0.0/15 Amazon
+3.2.0.0/24 Amazon
+3.2.2.0/24 Amazon
+3.2.3.0/24 Amazon
+3.2.8.0/21 Amazon
+3.3.0.0/23 Amazon
+3.3.5.0/24 Amazon
+3.3.6.0/23 Amazon
+3.3.8.0/21 Amazon
+3.3.16.0/21 Amazon
+3.3.24.0/22 Amazon
+3.3.28.0/22 Amazon
+3.4.0.0/24 Amazon
+3.4.1.0/24 Amazon
+3.4.2.0/24 Amazon
+3.4.3.0/24 Amazon
+3.4.4.0/24 Amazon
+3.4.6.0/24 Amazon
+3.4.7.0/24 Amazon
+3.4.16.0/21 Amazon
+3.4.24.0/21 Amazon
+3.5.0.0/19 Amazon
+3.5.32.0/22 Amazon
+3.5.36.0/22 Amazon
+3.5.40.0/22 Amazon
+3.5.44.0/22 Amazon
+3.5.48.0/22 Amazon
+3.5.52.0/22 Amazon
+3.5.64.0/21 Amazon
+3.5.72.0/23 Amazon
+3.5.76.0/22 Amazon
+3.5.80.0/21 Amazon
+3.5.128.0/22 Amazon
+3.5.132.0/23 Amazon
+3.5.134.0/23 Amazon
+3.5.136.0/22 Amazon
+3.5.140.0/22 Amazon
+3.5.144.0/23 Amazon
+3.5.146.0/23 Amazon
+3.5.148.0/22 Amazon
+3.5.152.0/21 Amazon
+3.5.160.0/22 Amazon
+3.5.164.0/22 Amazon
+3.5.168.0/23 Amazon
+3.5.208.0/22 Amazon
+3.5.212.0/23 Amazon
+3.5.216.0/22 Amazon
+3.5.220.0/22 Amazon
+3.5.224.0/22 Amazon
+3.5.228.0/22 Amazon
+3.5.232.0/22 Amazon
+3.5.236.0/22 Amazon
+3.5.240.0/22 Amazon
+3.5.244.0/22 Amazon
+3.5.248.0/22 Amazon
+3.5.252.0/22 Amazon
+3.6.0.0/15 Amazon
+3.8.0.0/14 Amazon
+3.12.0.0/16 Amazon
+3.13.0.0/16 Amazon
+3.14.0.0/15 Amazon
+3.16.0.0/14 Amazon
+3.20.0.0/14 Amazon
+3.24.0.0/14 Amazon
+3.28.0.0/15 Amazon
+3.30.0.0/15 Amazon
+3.32.0.0/16 Amazon
+3.33.34.0/24 Amazon
+3.33.35.0/24 Amazon
+3.33.128.0/17 Amazon
+3.34.0.0/15 Amazon
+3.36.0.0/14 Amazon
+3.48.0.0/12 Amazon
+3.64.0.0/12 Amazon
+3.80.0.0/12 Amazon
+3.96.0.0/15 Amazon
+3.98.0.0/15 Amazon
+3.100.0.0/16 Amazon
+3.101.0.0/16 Amazon
+3.104.0.0/14 Amazon
+3.108.0.0/14 Amazon
+3.112.0.0/14 Amazon
+3.116.0.0/14 Amazon
+3.120.0.0/14 Amazon
+3.124.0.0/14 Amazon
+3.128.0.0/15 Amazon
+3.130.0.0/16 Amazon
+3.131.0.0/16 Amazon
+3.132.0.0/14 Amazon
+3.136.0.0/13 Amazon
+3.144.0.0/13 Amazon
+3.152.0.0/13 Amazon
+3.208.0.0/12 Amazon
+3.224.0.0/12 Amazon
+3.240.0.0/13 Amazon
+3.248.0.0/13 Amazon
+13.32.0.0/15 Amazon
+13.34.0.128/27 Amazon
+13.34.0.160/27 Amazon
+13.34.1.0/27 Amazon
+13.34.1.32/27 Amazon
+13.34.3.128/27 Amazon
+13.34.3.160/27 Amazon
+13.34.3.192/27 Amazon
+13.34.3.224/27 Amazon
+13.34.4.64/27 Amazon
+13.34.4.96/27 Amazon
+13.34.5.12/32 Amazon
+13.34.5.13/32 Amazon
+13.34.5.14/32 Amazon
+13.34.5.15/32 Amazon
+13.34.5.16/32 Amazon
+13.34.5.17/32 Amazon
+13.34.5.44/32 Amazon
+13.34.5.45/32 Amazon
+13.34.5.46/32 Amazon
+13.34.5.47/32 Amazon
+13.34.5.48/32 Amazon
+13.34.5.49/32 Amazon
+13.34.5.78/32 Amazon
+13.34.5.79/32 Amazon
+13.34.5.80/32 Amazon
+13.34.5.81/32 Amazon
+13.34.5.110/32 Amazon
+13.34.5.111/32 Amazon
+13.34.5.112/32 Amazon
+13.34.5.113/32 Amazon
+13.34.5.128/27 Amazon
+13.34.5.160/27 Amazon
+13.34.5.192/27 Amazon
+13.34.5.224/27 Amazon
+13.34.6.192/27 Amazon
+13.34.6.224/27 Amazon
+13.34.7.64/27 Amazon
+13.34.7.96/27 Amazon
+13.34.8.64/27 Amazon
+13.34.8.96/27 Amazon
+13.34.9.0/27 Amazon
+13.34.9.32/27 Amazon
+13.34.10.128/27 Amazon
+13.34.10.160/27 Amazon
+13.34.11.0/27 Amazon
+13.34.11.32/27 Amazon
+13.34.11.128/27 Amazon
+13.34.11.160/27 Amazon
+13.34.12.64/27 Amazon
+13.34.12.96/27 Amazon
+13.34.12.192/27 Amazon
+13.34.12.242/32 Amazon
+13.34.12.243/32 Amazon
+13.34.12.244/32 Amazon
+13.34.12.245/32 Amazon
+13.34.13.18/32 Amazon
+13.34.13.19/32 Amazon
+13.34.13.20/32 Amazon
+13.34.13.21/32 Amazon
+13.34.13.50/32 Amazon
+13.34.13.51/32 Amazon
+13.34.13.52/32 Amazon
+13.34.13.53/32 Amazon
+13.34.14.128/27 Amazon
+13.34.14.160/27 Amazon
+13.34.14.192/27 Amazon
+13.34.14.224/27 Amazon
+13.34.15.0/27 Amazon
+13.34.15.32/27 Amazon
+13.34.16.64/27 Amazon
+13.34.16.96/27 Amazon
+13.34.16.192/27 Amazon
+13.34.17.24/29 Amazon
+13.34.17.64/27 Amazon
+13.34.17.96/27 Amazon
+13.34.18.192/27 Amazon
+13.34.18.224/27 Amazon
+13.34.19.192/27 Amazon
+13.34.19.224/27 Amazon
+13.34.20.0/27 Amazon
+13.34.20.32/27 Amazon
+13.34.20.64/27 Amazon
+13.34.20.96/27 Amazon
+13.34.21.64/27 Amazon
+13.34.21.96/27 Amazon
+13.34.22.88/29 Amazon
+13.34.22.160/27 Amazon
+13.34.22.192/27 Amazon
+13.34.22.224/27 Amazon
+13.34.23.0/27 Amazon
+13.34.23.32/27 Amazon
+13.34.23.64/27 Amazon
+13.34.23.96/27 Amazon
+13.34.23.128/27 Amazon
+13.34.23.160/27 Amazon
+13.34.23.192/27 Amazon
+13.34.23.224/27 Amazon
+13.34.24.64/27 Amazon
+13.34.24.96/27 Amazon
+13.34.24.128/27 Amazon
+13.34.24.160/27 Amazon
+13.34.24.192/27 Amazon
+13.34.25.64/27 Amazon
+13.34.25.96/27 Amazon
+13.34.25.128/27 Amazon
+13.34.25.160/27 Amazon
+13.34.25.192/27 Amazon
+13.34.25.248/29 Amazon
+13.34.26.0/27 Amazon
+13.34.26.32/27 Amazon
+13.34.26.64/27 Amazon
+13.34.26.96/27 Amazon
+13.34.26.128/27 Amazon
+13.34.26.160/27 Amazon
+13.34.26.192/27 Amazon
+13.34.26.224/27 Amazon
+13.34.27.16/32 Amazon
+13.34.27.17/32 Amazon
+13.34.27.32/27 Amazon
+13.34.27.64/27 Amazon
+13.34.27.96/27 Amazon
+13.34.27.128/27 Amazon
+13.34.28.0/27 Amazon
+13.34.28.32/27 Amazon
+13.34.28.64/27 Amazon
+13.34.28.96/27 Amazon
+13.34.28.128/27 Amazon
+13.34.28.160/27 Amazon
+13.34.28.192/27 Amazon
+13.34.28.224/27 Amazon
+13.34.29.0/27 Amazon
+13.34.29.32/27 Amazon
+13.34.29.64/27 Amazon
+13.34.29.96/27 Amazon
+13.34.29.128/27 Amazon
+13.34.29.160/27 Amazon
+13.34.29.192/27 Amazon
+13.34.29.224/27 Amazon
+13.34.30.0/27 Amazon
+13.34.30.32/27 Amazon
+13.34.30.64/27 Amazon
+13.34.30.96/27 Amazon
+13.34.30.128/27 Amazon
+13.34.30.160/27 Amazon
+13.34.30.192/27 Amazon
+13.34.30.224/27 Amazon
+13.34.31.0/27 Amazon
+13.34.31.32/27 Amazon
+13.34.31.64/27 Amazon
+13.34.31.96/27 Amazon
+13.34.31.128/27 Amazon
+13.34.31.160/27 Amazon
+13.34.31.192/27 Amazon
+13.34.31.224/27 Amazon
+13.34.32.0/27 Amazon
+13.34.32.32/27 Amazon
+13.34.32.64/27 Amazon
+13.34.32.96/27 Amazon
+13.34.32.128/27 Amazon
+13.34.32.160/27 Amazon
+13.34.33.0/27 Amazon
+13.34.33.32/27 Amazon
+13.34.33.64/27 Amazon
+13.34.33.96/27 Amazon
+13.34.33.128/27 Amazon
+13.34.33.160/27 Amazon
+13.34.33.192/27 Amazon
+13.34.33.224/27 Amazon
+13.34.34.0/27 Amazon
+13.34.34.32/27 Amazon
+13.34.34.64/27 Amazon
+13.34.34.96/27 Amazon
+13.34.34.128/27 Amazon
+13.34.34.160/27 Amazon
+13.34.34.192/27 Amazon
+13.34.34.224/27 Amazon
+13.34.35.0/27 Amazon
+13.34.35.32/27 Amazon
+13.34.35.64/27 Amazon
+13.34.35.96/27 Amazon
+13.34.35.128/27 Amazon
+13.34.35.160/27 Amazon
+13.34.35.192/27 Amazon
+13.34.35.224/27 Amazon
+13.34.36.0/27 Amazon
+13.34.36.32/27 Amazon
+13.34.36.64/27 Amazon
+13.34.36.96/27 Amazon
+13.34.36.128/27 Amazon
+13.34.36.160/27 Amazon
+13.34.36.192/27 Amazon
+13.34.36.224/27 Amazon
+13.34.37.0/27 Amazon
+13.34.37.32/27 Amazon
+13.34.37.64/27 Amazon
+13.34.37.96/27 Amazon
+13.34.37.128/27 Amazon
+13.34.37.160/27 Amazon
+13.34.37.192/27 Amazon
+13.34.37.224/27 Amazon
+13.34.38.0/27 Amazon
+13.34.38.32/27 Amazon
+13.34.38.64/27 Amazon
+13.34.38.96/27 Amazon
+13.34.38.128/27 Amazon
+13.34.38.160/27 Amazon
+13.34.39.0/27 Amazon
+13.34.39.32/27 Amazon
+13.34.39.64/27 Amazon
+13.34.39.96/27 Amazon
+13.34.39.128/27 Amazon
+13.34.39.160/27 Amazon
+13.34.39.192/27 Amazon
+13.34.39.224/27 Amazon
+13.34.40.0/27 Amazon
+13.34.40.32/27 Amazon
+13.34.40.64/27 Amazon
+13.34.40.96/27 Amazon
+13.34.40.128/27 Amazon
+13.34.40.160/27 Amazon
+13.34.40.192/27 Amazon
+13.34.40.224/27 Amazon
+13.34.41.0/27 Amazon
+13.34.41.32/27 Amazon
+13.34.41.64/27 Amazon
+13.34.41.96/27 Amazon
+13.34.41.128/27 Amazon
+13.34.41.160/27 Amazon
+13.34.41.192/27 Amazon
+13.34.41.224/27 Amazon
+13.34.42.0/27 Amazon
+13.34.42.32/27 Amazon
+13.34.42.64/27 Amazon
+13.34.42.96/27 Amazon
+13.34.42.128/27 Amazon
+13.34.42.160/27 Amazon
+13.34.42.192/27 Amazon
+13.34.42.224/27 Amazon
+13.34.43.0/27 Amazon
+13.34.43.32/27 Amazon
+13.34.43.64/27 Amazon
+13.34.43.96/27 Amazon
+13.34.43.128/27 Amazon
+13.34.43.160/27 Amazon
+13.34.43.192/27 Amazon
+13.34.43.224/27 Amazon
+13.34.44.0/27 Amazon
+13.34.44.32/27 Amazon
+13.34.44.64/27 Amazon
+13.34.44.96/27 Amazon
+13.34.44.128/27 Amazon
+13.34.44.160/27 Amazon
+13.34.44.192/27 Amazon
+13.34.44.224/27 Amazon
+13.34.45.0/27 Amazon
+13.34.45.32/27 Amazon
+13.34.45.64/27 Amazon
+13.34.45.96/27 Amazon
+13.34.45.128/27 Amazon
+13.34.45.160/27 Amazon
+13.34.45.192/27 Amazon
+13.34.45.224/27 Amazon
+13.34.46.0/27 Amazon
+13.34.46.32/27 Amazon
+13.34.46.64/27 Amazon
+13.34.46.96/27 Amazon
+13.34.46.128/27 Amazon
+13.34.46.160/27 Amazon
+13.34.46.192/27 Amazon
+13.34.46.224/27 Amazon
+13.34.47.0/27 Amazon
+13.34.47.32/27 Amazon
+13.34.47.64/27 Amazon
+13.34.47.96/27 Amazon
+13.34.47.128/27 Amazon
+13.34.47.160/27 Amazon
+13.34.47.192/27 Amazon
+13.34.47.224/27 Amazon
+13.34.48.0/27 Amazon
+13.34.48.32/27 Amazon
+13.34.48.64/27 Amazon
+13.34.48.96/27 Amazon
+13.34.48.128/27 Amazon
+13.34.48.160/27 Amazon
+13.34.48.192/27 Amazon
+13.34.48.224/27 Amazon
+13.34.49.0/27 Amazon
+13.34.49.32/27 Amazon
+13.34.49.64/27 Amazon
+13.34.49.96/27 Amazon
+13.34.49.128/27 Amazon
+13.34.49.160/27 Amazon
+13.34.49.192/27 Amazon
+13.34.49.224/27 Amazon
+13.34.50.0/27 Amazon
+13.34.50.32/27 Amazon
+13.34.50.64/27 Amazon
+13.34.50.96/27 Amazon
+13.34.50.128/27 Amazon
+13.34.50.160/27 Amazon
+13.34.50.192/27 Amazon
+13.34.50.224/27 Amazon
+13.34.51.0/27 Amazon
+13.34.51.32/27 Amazon
+13.34.51.64/27 Amazon
+13.34.51.96/27 Amazon
+13.34.51.128/27 Amazon
+13.34.51.160/27 Amazon
+13.34.51.192/27 Amazon
+13.34.51.224/27 Amazon
+13.34.52.0/27 Amazon
+13.34.52.32/27 Amazon
+13.34.52.64/27 Amazon
+13.34.52.96/27 Amazon
+13.34.52.128/27 Amazon
+13.34.52.160/27 Amazon
+13.34.52.192/27 Amazon
+13.34.52.224/27 Amazon
+13.34.53.0/27 Amazon
+13.34.53.32/27 Amazon
+13.34.53.64/27 Amazon
+13.34.53.96/27 Amazon
+13.34.53.128/27 Amazon
+13.34.53.160/27 Amazon
+13.34.53.192/27 Amazon
+13.34.53.224/27 Amazon
+13.34.54.0/27 Amazon
+13.34.54.32/27 Amazon
+13.34.54.64/27 Amazon
+13.34.54.96/27 Amazon
+13.34.54.128/27 Amazon
+13.34.54.160/27 Amazon
+13.34.54.192/27 Amazon
+13.34.54.224/27 Amazon
+13.34.55.0/27 Amazon
+13.34.55.32/27 Amazon
+13.34.55.64/27 Amazon
+13.34.55.96/27 Amazon
+13.34.55.128/27 Amazon
+13.34.55.160/27 Amazon
+13.34.55.192/27 Amazon
+13.34.55.224/27 Amazon
+13.34.56.0/27 Amazon
+13.34.56.32/27 Amazon
+13.34.56.64/27 Amazon
+13.34.56.96/27 Amazon
+13.34.56.128/27 Amazon
+13.34.56.160/27 Amazon
+13.34.56.192/27 Amazon
+13.34.56.224/27 Amazon
+13.34.57.0/27 Amazon
+13.34.57.32/27 Amazon
+13.34.57.64/27 Amazon
+13.34.57.96/27 Amazon
+13.34.57.128/27 Amazon
+13.34.57.160/27 Amazon
+13.34.57.192/27 Amazon
+13.34.57.224/27 Amazon
+13.34.58.0/27 Amazon
+13.34.58.32/27 Amazon
+13.34.58.64/27 Amazon
+13.34.58.96/27 Amazon
+13.34.58.128/27 Amazon
+13.34.58.160/27 Amazon
+13.34.58.192/27 Amazon
+13.34.58.224/27 Amazon
+13.34.59.0/27 Amazon
+13.34.59.32/27 Amazon
+13.34.59.64/27 Amazon
+13.34.59.96/27 Amazon
+13.34.59.128/27 Amazon
+13.34.59.160/27 Amazon
+13.34.59.192/27 Amazon
+13.34.59.224/27 Amazon
+13.34.60.0/27 Amazon
+13.34.60.32/27 Amazon
+13.34.60.64/27 Amazon
+13.34.60.96/27 Amazon
+13.34.60.128/27 Amazon
+13.34.60.160/27 Amazon
+13.34.60.192/27 Amazon
+13.34.60.224/27 Amazon
+13.34.61.0/27 Amazon
+13.34.61.32/27 Amazon
+13.34.61.64/27 Amazon
+13.34.61.96/27 Amazon
+13.34.61.128/27 Amazon
+13.34.61.160/27 Amazon
+13.34.61.192/27 Amazon
+13.34.61.224/27 Amazon
+13.34.62.0/27 Amazon
+13.34.62.32/27 Amazon
+13.34.62.128/27 Amazon
+13.34.62.160/27 Amazon
+13.34.62.192/27 Amazon
+13.34.62.224/27 Amazon
+13.34.63.0/27 Amazon
+13.34.63.32/27 Amazon
+13.34.63.64/27 Amazon
+13.34.63.96/27 Amazon
+13.34.63.128/27 Amazon
+13.34.63.160/27 Amazon
+13.35.0.0/16 Amazon
+13.36.0.0/14 Amazon
+13.40.0.0/14 Amazon
+13.44.0.0/14 Amazon
+13.48.0.0/15 Amazon
+13.50.0.0/16 Amazon
+13.51.0.0/16 Amazon
+13.52.0.0/16 Amazon
+13.53.0.0/16 Amazon
+13.54.0.0/15 Amazon
+13.56.0.0/16 Amazon
+13.57.0.0/16 Amazon
+13.58.0.0/15 Amazon
+13.112.0.0/14 Amazon
+13.124.0.0/16 Amazon
+13.125.0.0/16 Amazon
+13.126.0.0/15 Amazon
+13.200.0.0/13 Amazon
+13.208.0.0/16 Amazon
+13.209.0.0/16 Amazon
+13.210.0.0/15 Amazon
+13.212.0.0/15 Amazon
+13.214.0.0/15 Amazon
+13.224.0.0/14 Amazon
+13.228.0.0/15 Amazon
+13.230.0.0/15 Amazon
+13.232.0.0/14 Amazon
+13.236.0.0/14 Amazon
+13.244.0.0/15 Amazon
+13.246.0.0/16 Amazon
+13.247.0.0/16 Amazon
+13.248.0.0/20 Amazon
+13.248.16.0/21 Amazon
+13.248.24.0/22 Amazon
+13.248.28.0/22 Amazon
+13.248.32.0/20 Amazon
+13.248.48.0/21 Amazon
+13.248.56.0/22 Amazon
+13.248.60.0/22 Amazon
+13.248.64.0/24 Amazon
+13.248.65.0/24 Amazon
+13.248.66.0/24 Amazon
+13.248.67.0/24 Amazon
+13.248.68.0/24 Amazon
+13.248.69.0/24 Amazon
+13.248.70.0/24 Amazon
+13.248.71.0/24 Amazon
+13.248.96.0/24 Amazon
+13.248.97.0/24 Amazon
+13.248.98.0/24 Amazon
+13.248.99.0/24 Amazon
+13.248.100.0/24 Amazon
+13.248.101.0/24 Amazon
+13.248.102.0/24 Amazon
+13.248.103.0/24 Amazon
+13.248.104.0/24 Amazon
+13.248.105.0/24 Amazon
+13.248.106.0/24 Amazon
+13.248.107.0/24 Amazon
+13.248.108.0/24 Amazon
+13.248.109.0/24 Amazon
+13.248.111.0/24 Amazon
+13.248.112.0/24 Amazon
+13.248.113.0/24 Amazon
+13.248.114.0/24 Amazon
+13.248.115.0/24 Amazon
+13.248.116.0/24 Amazon
+13.248.117.0/24 Amazon
+13.248.118.0/24 Amazon
+13.248.119.0/24 Amazon
+13.248.120.0/24 Amazon
+13.248.121.0/24 Amazon
+13.248.122.0/24 Amazon
+13.248.123.0/24 Amazon
+13.248.124.0/24 Amazon
+13.248.125.0/24 Amazon
+13.248.126.0/24 Amazon
+13.248.127.0/24 Amazon
+13.248.128.0/17 Amazon
+13.249.0.0/16 Amazon
+13.250.0.0/15 Amazon
+15.152.0.0/16 Amazon
+15.156.0.0/15 Amazon
+15.158.0.0/16 Amazon
+15.160.0.0/16 Amazon
+15.161.0.0/16 Amazon
+15.164.0.0/15 Amazon
+15.168.0.0/16 Amazon
+15.177.0.0/18 Amazon
+15.177.64.0/23 Amazon
+15.177.66.0/23 Amazon
+15.177.68.0/23 Amazon
+15.177.70.0/23 Amazon
+15.177.72.0/24 Amazon
+15.177.73.0/24 Amazon
+15.177.74.0/24 Amazon
+15.177.75.0/24 Amazon
+15.177.76.0/24 Amazon
+15.177.77.0/24 Amazon
+15.177.78.0/24 Amazon
+15.177.79.0/24 Amazon
+15.177.80.0/24 Amazon
+15.177.81.0/24 Amazon
+15.177.82.0/24 Amazon
+15.177.83.0/24 Amazon
+15.177.84.0/24 Amazon
+15.177.85.0/24 Amazon
+15.177.86.0/24 Amazon
+15.177.87.0/24 Amazon
+15.177.88.0/24 Amazon
+15.177.89.0/24 Amazon
+15.177.90.0/24 Amazon
+15.177.91.0/24 Amazon
+15.177.92.0/24 Amazon
+15.181.0.0/20 Amazon
+15.181.16.0/20 Amazon
+15.181.32.0/21 Amazon
+15.181.40.0/21 Amazon
+15.181.48.0/20 Amazon
+15.181.64.0/20 Amazon
+15.181.80.0/20 Amazon
+15.181.96.0/20 Amazon
+15.181.112.0/22 Amazon
+15.181.116.0/22 Amazon
+15.181.120.0/21 Amazon
+15.181.128.0/20 Amazon
+15.181.144.0/20 Amazon
+15.181.160.0/20 Amazon
+15.181.176.0/20 Amazon
+15.181.192.0/19 Amazon
+15.181.224.0/21 Amazon
+15.181.232.0/21 Amazon
+15.181.240.0/24 Amazon
+15.181.241.0/24 Amazon
+15.181.242.0/24 Amazon
+15.181.243.0/24 Amazon
+15.181.244.0/24 Amazon
+15.181.245.0/24 Amazon
+15.181.246.0/24 Amazon
+15.181.247.0/24 Amazon
+15.181.248.0/24 Amazon
+15.181.249.0/24 Amazon
+15.181.250.0/24 Amazon
+15.181.251.0/24 Amazon
+15.181.252.0/24 Amazon
+15.181.253.0/24 Amazon
+15.181.254.0/24 Amazon
+15.184.0.0/16 Amazon
+15.185.0.0/16 Amazon
+15.188.0.0/16 Amazon
+15.191.0.0/16 Amazon
+15.193.0.0/19 Amazon
+15.197.0.0/23 Amazon
+15.197.2.0/24 Amazon
+15.197.3.0/24 Amazon
+15.197.4.0/22 Amazon
+15.197.8.0/22 Amazon
+15.197.12.0/22 Amazon
+15.197.16.0/23 Amazon
+15.197.18.0/23 Amazon
+15.197.20.0/22 Amazon
+15.197.24.0/22 Amazon
+15.197.28.0/23 Amazon
+15.197.30.0/23 Amazon
+15.197.32.0/23 Amazon
+15.197.128.0/17 Amazon
+15.200.0.0/16 Amazon
+15.205.0.0/16 Amazon
+15.206.0.0/15 Amazon
+15.220.0.0/20 Amazon
+15.220.16.0/20 Amazon
+15.220.220.0/23 Amazon
+15.220.222.0/23 Amazon
+15.220.224.0/23 Amazon
+15.220.226.0/24 Amazon
+15.220.250.0/23 Amazon
+15.220.252.0/22 Amazon
+15.221.0.0/24 Amazon
+15.221.1.0/24 Amazon
+15.221.2.0/24 Amazon
+15.221.3.0/24 Amazon
+15.221.4.0/23 Amazon
+15.221.6.0/24 Amazon
+15.221.7.0/24 Amazon
+15.221.8.0/21 Amazon
+15.221.16.0/22 Amazon
+15.221.20.0/22 Amazon
+15.221.24.0/21 Amazon
+15.221.33.0/24 Amazon
+15.221.34.0/24 Amazon
+15.221.35.0/24 Amazon
+15.221.36.0/22 Amazon
+15.221.40.0/21 Amazon
+15.221.48.0/24 Amazon
+15.221.49.0/24 Amazon
+15.221.50.0/24 Amazon
+15.221.51.0/24 Amazon
+15.221.52.0/24 Amazon
+15.221.53.0/24 Amazon
+15.222.0.0/15 Amazon
+15.228.0.0/15 Amazon
+15.230.0.4/32 Amazon
+15.230.0.5/32 Amazon
+15.230.0.6/31 Amazon
+15.230.0.12/31 Amazon
+15.230.0.14/32 Amazon
+15.230.4.19/32 Amazon
+15.230.4.152/31 Amazon
+15.230.4.154/31 Amazon
+15.230.4.156/31 Amazon
+15.230.4.158/31 Amazon
+15.230.4.160/31 Amazon
+15.230.4.162/31 Amazon
+15.230.4.176/28 Amazon
+15.230.5.0/24 Amazon
+15.230.6.0/24 Amazon
+15.230.14.12/32 Amazon
+15.230.14.18/31 Amazon
+15.230.14.20/31 Amazon
+15.230.14.252/31 Amazon
+15.230.16.0/32 Amazon
+15.230.16.12/32 Amazon
+15.230.16.17/32 Amazon
+15.230.16.18/31 Amazon
+15.230.16.20/31 Amazon
+15.230.16.252/31 Amazon
+15.230.18.0/24 Amazon
+15.230.21.0/24 Amazon
+15.230.22.0/24 Amazon
+15.230.23.0/24 Amazon
+15.230.24.0/22 Amazon
+15.230.28.0/24 Amazon
+15.230.29.0/24 Amazon
+15.230.30.0/24 Amazon
+15.230.31.0/24 Amazon
+15.230.32.0/24 Amazon
+15.230.35.0/24 Amazon
+15.230.36.0/23 Amazon
+15.230.38.0/24 Amazon
+15.230.39.0/31 Amazon
+15.230.39.2/31 Amazon
+15.230.39.4/31 Amazon
+15.230.39.6/31 Amazon
+15.230.39.8/31 Amazon
+15.230.39.10/31 Amazon
+15.230.39.12/31 Amazon
+15.230.39.14/31 Amazon
+15.230.39.16/31 Amazon
+15.230.39.18/31 Amazon
+15.230.39.20/31 Amazon
+15.230.39.22/31 Amazon
+15.230.39.24/31 Amazon
+15.230.39.26/31 Amazon
+15.230.39.28/31 Amazon
+15.230.39.30/31 Amazon
+15.230.39.32/31 Amazon
+15.230.39.34/31 Amazon
+15.230.39.36/31 Amazon
+15.230.39.38/31 Amazon
+15.230.39.40/31 Amazon
+15.230.39.42/31 Amazon
+15.230.39.44/31 Amazon
+15.230.39.46/31 Amazon
+15.230.39.48/31 Amazon
+15.230.39.50/31 Amazon
+15.230.39.52/31 Amazon
+15.230.39.54/31 Amazon
+15.230.39.56/31 Amazon
+15.230.39.58/31 Amazon
+15.230.39.60/31 Amazon
+15.230.39.62/31 Amazon
+15.230.39.64/31 Amazon
+15.230.39.66/31 Amazon
+15.230.39.68/31 Amazon
+15.230.39.70/31 Amazon
+15.230.39.72/31 Amazon
+15.230.39.74/31 Amazon
+15.230.39.76/31 Amazon
+15.230.39.78/31 Amazon
+15.230.39.80/31 Amazon
+15.230.39.82/31 Amazon
+15.230.39.84/31 Amazon
+15.230.39.86/31 Amazon
+15.230.39.88/31 Amazon
+15.230.39.90/31 Amazon
+15.230.39.92/31 Amazon
+15.230.39.94/31 Amazon
+15.230.39.96/31 Amazon
+15.230.39.98/31 Amazon
+15.230.39.100/31 Amazon
+15.230.39.102/31 Amazon
+15.230.39.104/31 Amazon
+15.230.39.106/31 Amazon
+15.230.39.108/31 Amazon
+15.230.39.110/31 Amazon
+15.230.39.112/31 Amazon
+15.230.39.114/31 Amazon
+15.230.39.116/31 Amazon
+15.230.39.118/31 Amazon
+15.230.39.120/31 Amazon
+15.230.39.122/31 Amazon
+15.230.39.124/31 Amazon
+15.230.39.126/31 Amazon
+15.230.39.128/31 Amazon
+15.230.39.130/31 Amazon
+15.230.39.132/31 Amazon
+15.230.39.134/31 Amazon
+15.230.39.136/31 Amazon
+15.230.39.138/31 Amazon
+15.230.39.140/31 Amazon
+15.230.39.142/31 Amazon
+15.230.39.144/31 Amazon
+15.230.39.146/31 Amazon
+15.230.39.148/31 Amazon
+15.230.39.150/31 Amazon
+15.230.39.152/31 Amazon
+15.230.39.154/31 Amazon
+15.230.39.156/31 Amazon
+15.230.39.158/31 Amazon
+15.230.39.160/31 Amazon
+15.230.39.162/31 Amazon
+15.230.39.164/31 Amazon
+15.230.39.166/31 Amazon
+15.230.39.168/31 Amazon
+15.230.39.170/31 Amazon
+15.230.39.172/31 Amazon
+15.230.39.174/31 Amazon
+15.230.39.176/31 Amazon
+15.230.39.178/31 Amazon
+15.230.39.180/31 Amazon
+15.230.39.182/31 Amazon
+15.230.39.184/31 Amazon
+15.230.39.186/31 Amazon
+15.230.39.188/31 Amazon
+15.230.39.190/31 Amazon
+15.230.39.192/31 Amazon
+15.230.39.194/31 Amazon
+15.230.39.196/31 Amazon
+15.230.39.198/31 Amazon
+15.230.39.200/31 Amazon
+15.230.39.202/31 Amazon
+15.230.39.204/31 Amazon
+15.230.39.206/31 Amazon
+15.230.39.208/31 Amazon
+15.230.39.210/31 Amazon
+15.230.39.212/31 Amazon
+15.230.39.214/31 Amazon
+15.230.39.216/31 Amazon
+15.230.39.218/31 Amazon
+15.230.39.220/31 Amazon
+15.230.39.222/31 Amazon
+15.230.39.224/31 Amazon
+15.230.39.226/31 Amazon
+15.230.39.228/31 Amazon
+15.230.39.230/31 Amazon
+15.230.39.232/31 Amazon
+15.230.39.234/31 Amazon
+15.230.39.236/31 Amazon
+15.230.39.238/31 Amazon
+15.230.39.240/31 Amazon
+15.230.39.242/31 Amazon
+15.230.39.244/31 Amazon
+15.230.39.246/31 Amazon
+15.230.39.248/31 Amazon
+15.230.39.250/31 Amazon
+15.230.39.252/31 Amazon
+15.230.39.254/31 Amazon
+15.230.40.0/24 Amazon
+15.230.41.0/24 Amazon
+15.230.42.0/24 Amazon
+15.230.43.0/24 Amazon
+15.230.49.0/24 Amazon
+15.230.50.0/24 Amazon
+15.230.51.0/24 Amazon
+15.230.52.0/24 Amazon
+15.230.53.0/24 Amazon
+15.230.54.0/24 Amazon
+15.230.55.0/24 Amazon
+15.230.56.0/24 Amazon
+15.230.57.0/24 Amazon
+15.230.58.0/24 Amazon
+15.230.59.0/24 Amazon
+15.230.60.0/24 Amazon
+15.230.61.0/24 Amazon
+15.230.64.192/26 Amazon
+15.230.65.0/26 Amazon
+15.230.65.64/26 Amazon
+15.230.65.128/25 Amazon
+15.230.66.0/25 Amazon
+15.230.66.128/25 Amazon
+15.230.67.0/26 Amazon
+15.230.67.64/26 Amazon
+15.230.67.128/26 Amazon
+15.230.67.192/26 Amazon
+15.230.68.0/26 Amazon
+15.230.68.64/26 Amazon
+15.230.68.128/26 Amazon
+15.230.68.192/26 Amazon
+15.230.69.0/26 Amazon
+15.230.69.64/26 Amazon
+15.230.69.128/26 Amazon
+15.230.69.192/26 Amazon
+15.230.70.0/26 Amazon
+15.230.70.64/26 Amazon
+15.230.70.128/26 Amazon
+15.230.70.192/26 Amazon
+15.230.71.0/26 Amazon
+15.230.71.64/26 Amazon
+15.230.71.128/26 Amazon
+15.230.71.192/26 Amazon
+15.230.72.0/26 Amazon
+15.230.72.64/26 Amazon
+15.230.72.128/26 Amazon
+15.230.72.192/26 Amazon
+15.230.73.0/26 Amazon
+15.230.73.64/26 Amazon
+15.230.73.128/26 Amazon
+15.230.73.192/26 Amazon
+15.230.74.0/26 Amazon
+15.230.74.64/26 Amazon
+15.230.74.128/26 Amazon
+15.230.74.192/26 Amazon
+15.230.75.0/26 Amazon
+15.230.75.64/26 Amazon
+15.230.75.128/26 Amazon
+15.230.75.192/26 Amazon
+15.230.76.0/26 Amazon
+15.230.76.64/26 Amazon
+15.230.76.128/26 Amazon
+15.230.76.192/26 Amazon
+15.230.77.0/26 Amazon
+15.230.77.64/26 Amazon
+15.230.77.128/26 Amazon
+15.230.77.192/26 Amazon
+15.230.78.0/26 Amazon
+15.230.78.64/26 Amazon
+15.230.78.128/26 Amazon
+15.230.78.192/26 Amazon
+15.230.79.0/26 Amazon
+15.230.79.64/26 Amazon
+15.230.79.128/26 Amazon
+15.230.80.0/24 Amazon
+15.230.81.0/24 Amazon
+15.230.82.0/24 Amazon
+15.230.83.0/24 Amazon
+15.230.84.0/24 Amazon
+15.230.85.0/24 Amazon
+15.230.86.0/24 Amazon
+15.230.87.0/24 Amazon
+15.230.88.0/24 Amazon
+15.230.89.0/24 Amazon
+15.230.90.0/24 Amazon
+15.230.91.0/24 Amazon
+15.230.92.0/24 Amazon
+15.230.93.0/24 Amazon
+15.230.94.0/24 Amazon
+15.230.129.0/24 Amazon
+15.230.130.0/24 Amazon
+15.230.131.0/32 Amazon
+15.230.131.1/32 Amazon
+15.230.131.2/32 Amazon
+15.230.131.3/32 Amazon
+15.230.131.4/32 Amazon
+15.230.131.5/32 Amazon
+15.230.131.6/32 Amazon
+15.230.131.7/32 Amazon
+15.230.131.8/32 Amazon
+15.230.131.9/32 Amazon
+15.230.131.10/31 Amazon
+15.230.131.12/31 Amazon
+15.230.131.14/32 Amazon
+15.230.131.15/32 Amazon
+15.230.131.16/28 Amazon
+15.230.131.32/28 Amazon
+15.230.131.48/28 Amazon
+15.230.131.64/28 Amazon
+15.230.131.80/28 Amazon
+15.230.131.96/28 Amazon
+15.230.131.112/28 Amazon
+15.230.131.128/28 Amazon
+15.230.131.144/28 Amazon
+15.230.131.160/31 Amazon
+15.230.131.162/31 Amazon
+15.230.131.164/31 Amazon
+15.230.131.166/31 Amazon
+15.230.131.168/31 Amazon
+15.230.131.170/31 Amazon
+15.230.131.172/31 Amazon
+15.230.131.174/31 Amazon
+15.230.132.0/24 Amazon
+15.230.133.0/28 Amazon
+15.230.133.16/32 Amazon
+15.230.133.17/32 Amazon
+15.230.133.18/31 Amazon
+15.230.133.20/31 Amazon
+15.230.133.22/31 Amazon
+15.230.133.24/32 Amazon
+15.230.133.26/31 Amazon
+15.230.133.28/31 Amazon
+15.230.134.0/24 Amazon
+15.230.135.0/24 Amazon
+15.230.136.0/24 Amazon
+15.230.137.0/24 Amazon
+15.230.138.0/24 Amazon
+15.230.140.0/24 Amazon
+15.230.141.0/24 Amazon
+15.230.142.0/24 Amazon
+15.230.143.0/24 Amazon
+15.230.144.0/24 Amazon
+15.230.145.0/24 Amazon
+15.230.148.0/24 Amazon
+15.230.149.0/31 Amazon
+15.230.149.2/31 Amazon
+15.230.149.4/31 Amazon
+15.230.149.8/31 Amazon
+15.230.149.10/32 Amazon
+15.230.149.11/32 Amazon
+15.230.150.0/23 Amazon
+15.230.152.0/24 Amazon
+15.230.153.0/24 Amazon
+15.230.154.0/23 Amazon
+15.230.156.0/24 Amazon
+15.230.157.0/24 Amazon
+15.230.158.0/23 Amazon
+15.230.160.0/24 Amazon
+15.230.161.0/24 Amazon
+15.230.162.0/24 Amazon
+15.230.163.0/24 Amazon
+15.230.164.0/24 Amazon
+15.230.165.0/24 Amazon
+15.230.166.0/24 Amazon
+15.230.170.0/23 Amazon
+15.230.173.0/24 Amazon
+15.230.174.0/24 Amazon
+15.230.176.0/24 Amazon
+15.230.177.0/31 Amazon
+15.230.177.2/31 Amazon
+15.230.178.0/24 Amazon
+15.230.179.0/29 Amazon
+15.230.179.8/29 Amazon
+15.230.179.16/29 Amazon
+15.230.181.0/24 Amazon
+15.230.182.0/24 Amazon
+15.230.183.0/24 Amazon
+15.230.184.0/24 Amazon
+15.230.185.0/24 Amazon
+15.230.186.0/24 Amazon
+15.230.188.0/25 Amazon
+15.230.188.128/25 Amazon
+15.230.189.0/25 Amazon
+15.230.189.128/25 Amazon
+15.230.190.0/25 Amazon
+15.230.190.128/25 Amazon
+15.230.192.0/24 Amazon
+15.230.193.0/24 Amazon
+15.230.195.0/24 Amazon
+15.230.196.0/24 Amazon
+15.230.197.0/24 Amazon
+15.230.198.0/24 Amazon
+15.230.199.0/28 Amazon
+15.230.200.0/24 Amazon
+15.230.201.0/24 Amazon
+15.230.202.0/30 Amazon
+15.230.203.0/24 Amazon
+15.230.204.0/32 Amazon
+15.230.204.1/32 Amazon
+15.230.204.2/32 Amazon
+15.230.204.3/32 Amazon
+15.230.205.0/24 Amazon
+15.230.206.0/24 Amazon
+15.230.207.0/24 Amazon
+15.231.0.0/16 Amazon
+15.236.0.0/15 Amazon
+15.248.8.0/22 Amazon
+15.248.16.0/22 Amazon
+15.248.20.0/22 Amazon
+15.248.24.0/22 Amazon
+15.248.28.0/22 Amazon
+15.248.32.0/22 Amazon
+15.248.36.0/22 Amazon
+15.248.40.0/22 Amazon
+15.251.0.0/32 Amazon
+15.251.0.1/32 Amazon
+15.251.0.2/32 Amazon
+15.251.0.3/32 Amazon
+15.251.0.4/32 Amazon
+15.251.0.5/32 Amazon
+15.251.0.6/32 Amazon
+15.251.0.7/32 Amazon
+15.251.0.8/32 Amazon
+15.251.0.9/32 Amazon
+15.251.0.10/32 Amazon
+15.251.0.11/32 Amazon
+15.251.0.12/32 Amazon
+15.251.0.13/32 Amazon
+15.251.0.14/32 Amazon
+15.251.0.15/32 Amazon
+15.253.0.0/16 Amazon
+15.254.0.0/16 Amazon
+16.12.0.0/23 Amazon
+16.12.2.0/24 Amazon
+16.12.4.0/23 Amazon
+16.12.6.0/23 Amazon
+16.12.8.0/24 Amazon
+16.16.0.0/16 Amazon
+16.50.0.0/15 Amazon
+16.62.0.0/15 Amazon
+16.162.0.0/15 Amazon
+16.168.0.0/15 Amazon
+16.170.0.0/15 Amazon
+18.60.0.0/15 Amazon
+18.64.0.0/14 Amazon
+18.100.0.0/15 Amazon
+18.102.0.0/16 Amazon
+18.116.0.0/14 Amazon
+18.130.0.0/16 Amazon
+18.132.0.0/14 Amazon
+18.136.0.0/16 Amazon
+18.138.0.0/15 Amazon
+18.140.0.0/15 Amazon
+18.142.0.0/15 Amazon
+18.144.0.0/15 Amazon
+18.148.0.0/14 Amazon
+18.153.0.0/16 Amazon
+18.156.0.0/14 Amazon
+18.162.0.0/16 Amazon
+18.163.0.0/16 Amazon
+18.166.0.0/15 Amazon
+18.168.0.0/14 Amazon
+18.175.0.0/16 Amazon
+18.176.0.0/15 Amazon
+18.178.0.0/16 Amazon
+18.179.0.0/16 Amazon
+18.180.0.0/15 Amazon
+18.182.0.0/16 Amazon
+18.183.0.0/16 Amazon
+18.184.0.0/15 Amazon
+18.186.0.0/15 Amazon
+18.188.0.0/16 Amazon
+18.189.0.0/16 Amazon
+18.190.0.0/16 Amazon
+18.191.0.0/16 Amazon
+18.192.0.0/15 Amazon
+18.194.0.0/15 Amazon
+18.196.0.0/15 Amazon
+18.198.0.0/15 Amazon
+18.200.0.0/16 Amazon
+18.201.0.0/16 Amazon
+18.202.0.0/15 Amazon
+18.204.0.0/14 Amazon
+18.208.0.0/13 Amazon
+18.216.0.0/14 Amazon
+18.220.0.0/14 Amazon
+18.224.0.0/14 Amazon
+18.228.0.0/16 Amazon
+18.229.0.0/16 Amazon
+18.230.0.0/16 Amazon
+18.231.0.0/16 Amazon
+18.232.0.0/14 Amazon
+18.236.0.0/15 Amazon
+18.246.0.0/16 Amazon
+18.252.0.0/16 Amazon
+18.253.0.0/16 Amazon
+18.254.0.0/16 Amazon
+23.20.0.0/14 Amazon
+27.0.0.0/22 Amazon
+34.192.0.0/12 Amazon
+34.208.0.0/12 Amazon
+34.224.0.0/12 Amazon
+34.240.0.0/13 Amazon
+34.248.0.0/13 Amazon
+35.71.64.0/22 Amazon
+35.71.96.0/24 Amazon
+35.71.97.0/24 Amazon
+35.71.128.0/17 Amazon
+35.72.0.0/13 Amazon
+35.80.0.0/12 Amazon
+35.96.0.0/12 Amazon
+35.152.0.0/16 Amazon
+35.153.0.0/16 Amazon
+35.154.0.0/16 Amazon
+35.155.0.0/16 Amazon
+35.156.0.0/14 Amazon
+35.160.0.0/13 Amazon
+35.168.0.0/13 Amazon
+35.176.0.0/15 Amazon
+35.178.0.0/15 Amazon
+35.180.0.0/16 Amazon
+35.181.0.0/16 Amazon
+35.182.0.0/15 Amazon
+36.103.232.0/25 Amazon
+36.103.232.128/26 Amazon
+43.192.0.0/15 Amazon
+43.194.0.0/16 Amazon
+43.195.0.0/16 Amazon
+43.196.0.0/15 Amazon
+43.198.0.0/15 Amazon
+43.200.0.0/14 Amazon
+43.204.0.0/15 Amazon
+43.206.0.0/15 Amazon
+43.224.76.0/30 Amazon
+43.224.76.4/30 Amazon
+43.224.76.8/30 Amazon
+43.224.76.12/30 Amazon
+43.224.76.16/30 Amazon
+43.224.76.20/30 Amazon
+43.224.76.24/30 Amazon
+43.224.76.28/30 Amazon
+43.224.76.32/30 Amazon
+43.224.76.36/30 Amazon
+43.224.76.40/30 Amazon
+43.224.76.44/30 Amazon
+43.224.76.48/30 Amazon
+43.224.76.52/30 Amazon
+43.224.76.56/30 Amazon
+43.224.76.60/30 Amazon
+43.224.76.64/30 Amazon
+43.224.76.68/30 Amazon
+43.224.76.72/30 Amazon
+43.224.76.76/30 Amazon
+43.224.76.80/30 Amazon
+43.224.76.84/30 Amazon
+43.224.76.88/30 Amazon
+43.224.76.92/30 Amazon
+43.224.76.96/30 Amazon
+43.224.76.100/30 Amazon
+43.224.76.104/30 Amazon
+43.224.76.108/30 Amazon
+43.224.76.112/30 Amazon
+43.224.76.116/30 Amazon
+43.224.76.120/30 Amazon
+43.224.76.124/30 Amazon
+43.224.76.128/30 Amazon
+43.224.76.132/30 Amazon
+43.224.76.136/30 Amazon
+43.224.76.140/30 Amazon
+43.224.76.144/30 Amazon
+43.224.76.148/30 Amazon
+43.224.76.152/30 Amazon
+43.224.76.156/30 Amazon
+43.224.76.160/30 Amazon
+43.224.76.164/30 Amazon
+43.224.76.168/30 Amazon
+43.224.76.172/30 Amazon
+43.224.76.176/30 Amazon
+43.224.76.180/30 Amazon
+43.224.76.184/30 Amazon
+43.224.76.188/30 Amazon
+43.224.76.192/30 Amazon
+43.224.76.196/30 Amazon
+43.224.76.200/30 Amazon
+43.224.76.204/30 Amazon
+43.224.76.208/30 Amazon
+43.224.76.212/30 Amazon
+43.224.76.216/30 Amazon
+43.224.76.220/30 Amazon
+43.224.76.224/30 Amazon
+43.224.76.228/30 Amazon
+43.224.76.232/30 Amazon
+43.224.76.236/30 Amazon
+43.224.76.240/30 Amazon
+43.224.76.244/30 Amazon
+43.224.76.248/30 Amazon
+43.224.77.0/29 Amazon
+43.224.77.8/29 Amazon
+43.224.77.24/30 Amazon
+43.224.77.28/30 Amazon
+43.224.77.32/30 Amazon
+43.224.77.36/30 Amazon
+43.224.77.40/30 Amazon
+43.224.77.44/30 Amazon
+43.224.77.76/30 Amazon
+43.224.77.80/30 Amazon
+43.224.77.84/30 Amazon
+43.224.77.88/30 Amazon
+43.224.77.92/30 Amazon
+43.224.77.96/30 Amazon
+43.224.77.100/30 Amazon
+43.224.77.104/30 Amazon
+43.224.77.108/30 Amazon
+43.224.77.112/30 Amazon
+43.224.77.116/30 Amazon
+43.224.77.120/30 Amazon
+43.224.77.124/30 Amazon
+43.224.77.128/30 Amazon
+43.224.77.132/30 Amazon
+43.224.77.136/30 Amazon
+43.224.77.140/30 Amazon
+43.224.77.144/30 Amazon
+43.224.77.148/30 Amazon
+43.224.77.152/30 Amazon
+43.224.77.156/30 Amazon
+43.224.77.168/30 Amazon
+43.224.77.172/30 Amazon
+43.224.77.176/30 Amazon
+43.224.77.180/30 Amazon
+43.224.77.184/30 Amazon
+43.224.77.188/30 Amazon
+43.224.77.192/30 Amazon
+43.224.77.208/30 Amazon
+43.224.77.212/30 Amazon
+43.224.79.26/31 Amazon
+43.224.79.28/31 Amazon
+43.224.79.30/31 Amazon
+43.224.79.32/31 Amazon
+43.224.79.34/31 Amazon
+43.224.79.36/31 Amazon
+43.224.79.38/31 Amazon
+43.224.79.40/31 Amazon
+43.224.79.42/31 Amazon
+43.224.79.44/31 Amazon
+43.224.79.46/31 Amazon
+43.224.79.48/31 Amazon
+43.224.79.50/31 Amazon
+43.224.79.52/31 Amazon
+43.224.79.54/31 Amazon
+43.224.79.56/31 Amazon
+43.224.79.58/31 Amazon
+43.224.79.60/31 Amazon
+43.224.79.62/31 Amazon
+43.224.79.64/31 Amazon
+43.224.79.66/31 Amazon
+43.224.79.68/31 Amazon
+43.224.79.70/31 Amazon
+43.224.79.72/31 Amazon
+43.224.79.74/31 Amazon
+43.224.79.76/31 Amazon
+43.224.79.78/31 Amazon
+43.224.79.80/31 Amazon
+43.224.79.82/31 Amazon
+43.224.79.84/31 Amazon
+43.224.79.90/31 Amazon
+43.224.79.92/31 Amazon
+43.224.79.94/31 Amazon
+43.224.79.96/31 Amazon
+43.224.79.98/31 Amazon
+43.224.79.100/31 Amazon
+43.224.79.102/31 Amazon
+43.224.79.104/31 Amazon
+43.224.79.106/31 Amazon
+43.224.79.108/31 Amazon
+43.224.79.110/31 Amazon
+43.224.79.112/31 Amazon
+43.224.79.114/31 Amazon
+43.224.79.116/31 Amazon
+43.224.79.118/31 Amazon
+43.224.79.120/31 Amazon
+43.224.79.122/31 Amazon
+43.224.79.124/31 Amazon
+43.224.79.126/31 Amazon
+43.224.79.128/31 Amazon
+43.224.79.130/31 Amazon
+43.224.79.136/31 Amazon
+43.224.79.138/31 Amazon
+43.224.79.140/31 Amazon
+43.224.79.142/31 Amazon
+43.224.79.144/31 Amazon
+43.224.79.154/31 Amazon
+43.224.79.156/31 Amazon
+43.224.79.158/31 Amazon
+43.224.79.160/31 Amazon
+43.224.79.162/31 Amazon
+43.224.79.164/31 Amazon
+43.224.79.166/31 Amazon
+43.224.79.168/31 Amazon
+43.224.79.174/31 Amazon
+43.224.79.176/31 Amazon
+43.224.79.178/31 Amazon
+43.224.79.180/31 Amazon
+43.224.79.182/31 Amazon
+43.224.79.184/31 Amazon
+43.224.79.186/31 Amazon
+43.224.79.188/31 Amazon
+43.224.79.190/31 Amazon
+43.224.79.192/31 Amazon
+43.224.79.194/31 Amazon
+43.224.79.196/31 Amazon
+43.224.79.198/31 Amazon
+43.224.79.200/31 Amazon
+43.224.79.202/31 Amazon
+43.224.79.204/31 Amazon
+43.224.79.206/31 Amazon
+43.224.79.208/31 Amazon
+43.224.79.210/31 Amazon
+43.224.79.212/31 Amazon
+43.224.79.214/31 Amazon
+43.224.79.216/31 Amazon
+43.224.79.218/31 Amazon
+43.224.79.220/31 Amazon
+43.224.79.222/31 Amazon
+43.224.79.224/31 Amazon
+43.224.79.226/31 Amazon
+43.224.79.228/31 Amazon
+43.224.79.230/31 Amazon
+43.224.79.232/31 Amazon
+43.224.79.234/31 Amazon
+43.224.79.236/31 Amazon
+43.224.79.238/31 Amazon
+43.224.79.240/31 Amazon
+43.224.79.242/31 Amazon
+43.224.79.244/31 Amazon
+43.224.79.246/31 Amazon
+43.224.79.248/31 Amazon
+43.224.79.250/31 Amazon
+43.224.79.252/31 Amazon
+43.224.79.254/31 Amazon
+43.249.45.0/24 Amazon
+43.249.46.0/24 Amazon
+43.249.47.0/24 Amazon
+43.250.192.0/24 Amazon
+43.250.193.0/24 Amazon
+44.192.0.0/11 Amazon
+44.224.0.0/11 Amazon
+46.51.128.0/18 Amazon
+46.51.192.0/20 Amazon
+46.51.208.0/22 Amazon
+46.51.216.0/21 Amazon
+46.51.224.0/19 Amazon
+46.137.0.0/17 Amazon
+46.137.128.0/18 Amazon
+46.137.192.0/19 Amazon
+46.137.224.0/19 Amazon
+50.16.0.0/15 Amazon
+50.18.0.0/16 Amazon
+50.19.0.0/16 Amazon
+50.112.0.0/16 Amazon
+51.20.0.0/14 Amazon
+52.0.0.0/15 Amazon
+52.2.0.0/15 Amazon
+52.4.0.0/14 Amazon
+52.8.0.0/16 Amazon
+52.9.0.0/16 Amazon
+52.10.0.0/15 Amazon
+52.12.0.0/15 Amazon
+52.14.0.0/16 Amazon
+52.15.0.0/16 Amazon
+52.16.0.0/15 Amazon
+52.18.0.0/15 Amazon
+52.20.0.0/14 Amazon
+52.24.0.0/14 Amazon
+52.28.0.0/16 Amazon
+52.29.0.0/16 Amazon
+52.30.0.0/15 Amazon
+52.32.0.0/14 Amazon
+52.36.0.0/14 Amazon
+52.40.0.0/14 Amazon
+52.44.0.0/15 Amazon
+52.46.0.0/18 Amazon
+52.46.64.0/20 Amazon
+52.46.80.0/21 Amazon
+52.46.88.0/22 Amazon
+52.46.92.0/22 Amazon
+52.46.96.0/19 Amazon
+52.46.128.0/19 Amazon
+52.46.164.0/23 Amazon
+52.46.166.0/23 Amazon
+52.46.168.0/23 Amazon
+52.46.170.0/23 Amazon
+52.46.172.0/22 Amazon
+52.46.176.0/22 Amazon
+52.46.180.0/22 Amazon
+52.46.184.0/22 Amazon
+52.46.188.24/30 Amazon
+52.46.188.28/30 Amazon
+52.46.188.36/30 Amazon
+52.46.188.40/30 Amazon
+52.46.188.44/30 Amazon
+52.46.188.48/30 Amazon
+52.46.188.52/30 Amazon
+52.46.188.56/30 Amazon
+52.46.188.60/30 Amazon
+52.46.188.64/30 Amazon
+52.46.188.68/30 Amazon
+52.46.188.72/30 Amazon
+52.46.188.76/30 Amazon
+52.46.188.80/30 Amazon
+52.46.188.84/30 Amazon
+52.46.188.88/30 Amazon
+52.46.188.92/30 Amazon
+52.46.188.96/30 Amazon
+52.46.188.108/30 Amazon
+52.46.188.120/30 Amazon
+52.46.188.132/30 Amazon
+52.46.188.136/30 Amazon
+52.46.188.140/30 Amazon
+52.46.188.144/30 Amazon
+52.46.188.148/30 Amazon
+52.46.188.152/30 Amazon
+52.46.188.156/30 Amazon
+52.46.188.160/30 Amazon
+52.46.188.164/30 Amazon
+52.46.188.168/30 Amazon
+52.46.188.172/30 Amazon
+52.46.188.176/30 Amazon
+52.46.188.180/30 Amazon
+52.46.188.184/30 Amazon
+52.46.188.188/30 Amazon
+52.46.188.192/30 Amazon
+52.46.188.204/30 Amazon
+52.46.188.208/30 Amazon
+52.46.188.216/30 Amazon
+52.46.188.224/30 Amazon
+52.46.188.228/30 Amazon
+52.46.188.232/30 Amazon
+52.46.188.236/30 Amazon
+52.46.188.240/30 Amazon
+52.46.188.244/30 Amazon
+52.46.188.248/30 Amazon
+52.46.188.252/30 Amazon
+52.46.189.0/30 Amazon
+52.46.189.4/30 Amazon
+52.46.189.8/30 Amazon
+52.46.189.12/30 Amazon
+52.46.189.16/30 Amazon
+52.46.189.32/30 Amazon
+52.46.189.36/30 Amazon
+52.46.189.40/30 Amazon
+52.46.189.44/30 Amazon
+52.46.189.48/30 Amazon
+52.46.189.52/30 Amazon
+52.46.189.56/30 Amazon
+52.46.189.60/30 Amazon
+52.46.189.64/30 Amazon
+52.46.189.68/30 Amazon
+52.46.189.72/30 Amazon
+52.46.189.76/30 Amazon
+52.46.189.80/30 Amazon
+52.46.189.84/30 Amazon
+52.46.189.88/30 Amazon
+52.46.189.92/30 Amazon
+52.46.189.96/30 Amazon
+52.46.189.100/30 Amazon
+52.46.189.104/30 Amazon
+52.46.189.108/30 Amazon
+52.46.189.112/30 Amazon
+52.46.189.124/30 Amazon
+52.46.189.128/30 Amazon
+52.46.189.132/30 Amazon
+52.46.189.136/30 Amazon
+52.46.189.140/30 Amazon
+52.46.189.156/30 Amazon
+52.46.189.160/30 Amazon
+52.46.189.168/30 Amazon
+52.46.189.172/30 Amazon
+52.46.189.176/30 Amazon
+52.46.189.180/30 Amazon
+52.46.189.192/30 Amazon
+52.46.189.196/30 Amazon
+52.46.189.200/30 Amazon
+52.46.189.204/30 Amazon
+52.46.189.216/30 Amazon
+52.46.189.220/30 Amazon
+52.46.189.224/30 Amazon
+52.46.189.228/30 Amazon
+52.46.189.240/30 Amazon
+52.46.189.244/30 Amazon
+52.46.189.248/30 Amazon
+52.46.189.252/30 Amazon
+52.46.190.0/30 Amazon
+52.46.190.4/30 Amazon
+52.46.190.8/30 Amazon
+52.46.190.12/30 Amazon
+52.46.190.32/30 Amazon
+52.46.190.36/30 Amazon
+52.46.190.40/30 Amazon
+52.46.190.44/30 Amazon
+52.46.190.52/30 Amazon
+52.46.190.56/30 Amazon
+52.46.190.60/30 Amazon
+52.46.190.64/30 Amazon
+52.46.190.68/30 Amazon
+52.46.190.72/30 Amazon
+52.46.190.76/30 Amazon
+52.46.190.92/30 Amazon
+52.46.190.96/30 Amazon
+52.46.190.100/30 Amazon
+52.46.190.104/30 Amazon
+52.46.190.108/30 Amazon
+52.46.190.120/30 Amazon
+52.46.190.124/30 Amazon
+52.46.190.144/30 Amazon
+52.46.190.148/30 Amazon
+52.46.190.152/30 Amazon
+52.46.190.164/30 Amazon
+52.46.190.168/30 Amazon
+52.46.190.180/31 Amazon
+52.46.190.182/31 Amazon
+52.46.190.188/31 Amazon
+52.46.190.190/31 Amazon
+52.46.190.192/31 Amazon
+52.46.190.202/31 Amazon
+52.46.190.204/31 Amazon
+52.46.190.206/31 Amazon
+52.46.190.208/31 Amazon
+52.46.190.210/31 Amazon
+52.46.190.212/31 Amazon
+52.46.190.214/31 Amazon
+52.46.190.216/31 Amazon
+52.46.190.222/31 Amazon
+52.46.190.224/31 Amazon
+52.46.190.226/31 Amazon
+52.46.190.228/31 Amazon
+52.46.190.230/31 Amazon
+52.46.190.232/31 Amazon
+52.46.190.234/31 Amazon
+52.46.190.236/31 Amazon
+52.46.190.238/31 Amazon
+52.46.190.240/31 Amazon
+52.46.190.242/31 Amazon
+52.46.190.244/31 Amazon
+52.46.190.254/31 Amazon
+52.46.191.0/31 Amazon
+52.46.191.2/31 Amazon
+52.46.191.4/31 Amazon
+52.46.191.6/31 Amazon
+52.46.191.8/31 Amazon
+52.46.191.10/31 Amazon
+52.46.191.12/31 Amazon
+52.46.191.18/31 Amazon
+52.46.191.20/31 Amazon
+52.46.191.22/31 Amazon
+52.46.191.24/31 Amazon
+52.46.191.26/31 Amazon
+52.46.191.28/31 Amazon
+52.46.191.34/31 Amazon
+52.46.191.36/31 Amazon
+52.46.191.42/31 Amazon
+52.46.191.44/31 Amazon
+52.46.191.46/31 Amazon
+52.46.191.48/31 Amazon
+52.46.191.52/31 Amazon
+52.46.191.54/31 Amazon
+52.46.191.60/31 Amazon
+52.46.191.62/31 Amazon
+52.46.191.64/31 Amazon
+52.46.191.66/31 Amazon
+52.46.191.68/31 Amazon
+52.46.191.70/31 Amazon
+52.46.191.72/31 Amazon
+52.46.191.76/31 Amazon
+52.46.191.78/31 Amazon
+52.46.191.80/31 Amazon
+52.46.191.82/31 Amazon
+52.46.191.84/31 Amazon
+52.46.191.86/31 Amazon
+52.46.191.88/31 Amazon
+52.46.191.90/31 Amazon
+52.46.191.92/31 Amazon
+52.46.191.94/31 Amazon
+52.46.191.96/31 Amazon
+52.46.191.98/31 Amazon
+52.46.191.100/31 Amazon
+52.46.191.102/31 Amazon
+52.46.191.104/31 Amazon
+52.46.191.106/31 Amazon
+52.46.191.108/31 Amazon
+52.46.191.110/31 Amazon
+52.46.191.120/31 Amazon
+52.46.191.122/31 Amazon
+52.46.191.124/31 Amazon
+52.46.191.126/31 Amazon
+52.46.191.128/31 Amazon
+52.46.191.130/31 Amazon
+52.46.191.132/31 Amazon
+52.46.191.134/31 Amazon
+52.46.191.136/31 Amazon
+52.46.191.140/31 Amazon
+52.46.191.142/31 Amazon
+52.46.191.144/31 Amazon
+52.46.191.148/31 Amazon
+52.46.191.150/31 Amazon
+52.46.191.152/31 Amazon
+52.46.191.156/31 Amazon
+52.46.191.158/31 Amazon
+52.46.191.164/31 Amazon
+52.46.191.166/31 Amazon
+52.46.191.168/31 Amazon
+52.46.191.170/31 Amazon
+52.46.191.172/31 Amazon
+52.46.191.174/31 Amazon
+52.46.191.176/31 Amazon
+52.46.191.178/31 Amazon
+52.46.191.180/31 Amazon
+52.46.191.182/31 Amazon
+52.46.191.184/31 Amazon
+52.46.191.186/31 Amazon
+52.46.191.188/31 Amazon
+52.46.191.190/31 Amazon
+52.46.191.192/31 Amazon
+52.46.191.194/31 Amazon
+52.46.191.200/31 Amazon
+52.46.191.202/31 Amazon
+52.46.191.210/31 Amazon
+52.46.191.212/31 Amazon
+52.46.191.214/31 Amazon
+52.46.191.216/31 Amazon
+52.46.191.218/31 Amazon
+52.46.191.220/31 Amazon
+52.46.191.222/31 Amazon
+52.46.191.224/31 Amazon
+52.46.191.226/31 Amazon
+52.46.191.228/31 Amazon
+52.46.191.230/31 Amazon
+52.46.191.232/31 Amazon
+52.46.191.234/31 Amazon
+52.46.191.236/31 Amazon
+52.46.191.238/31 Amazon
+52.46.191.240/31 Amazon
+52.46.192.0/20 Amazon
+52.46.208.0/21 Amazon
+52.46.216.0/22 Amazon
+52.46.220.0/22 Amazon
+52.46.224.0/20 Amazon
+52.46.240.0/22 Amazon
+52.46.249.0/24 Amazon
+52.46.250.0/23 Amazon
+52.46.252.0/22 Amazon
+52.47.0.0/16 Amazon
+52.48.0.0/14 Amazon
+52.52.0.0/15 Amazon
+52.54.0.0/15 Amazon
+52.56.0.0/16 Amazon
+52.57.0.0/16 Amazon
+52.58.0.0/15 Amazon
+52.60.0.0/16 Amazon
+52.61.0.0/16 Amazon
+52.62.0.0/15 Amazon
+52.64.0.0/17 Amazon
+52.64.128.0/17 Amazon
+52.65.0.0/16 Amazon
+52.66.0.0/16 Amazon
+52.67.0.0/16 Amazon
+52.68.0.0/15 Amazon
+52.70.0.0/15 Amazon
+52.72.0.0/15 Amazon
+52.74.0.0/16 Amazon
+52.75.0.0/16 Amazon
+52.76.0.0/17 Amazon
+52.76.128.0/17 Amazon
+52.77.0.0/16 Amazon
+52.78.0.0/16 Amazon
+52.79.0.0/16 Amazon
+52.80.0.0/16 Amazon
+52.81.0.0/16 Amazon
+52.82.0.0/17 Amazon
+52.82.128.0/19 Amazon
+52.82.160.0/22 Amazon
+52.82.164.0/22 Amazon
+52.82.168.0/24 Amazon
+52.82.169.0/28 Amazon
+52.82.169.16/28 Amazon
+52.82.176.0/22 Amazon
+52.82.180.0/22 Amazon
+52.82.184.0/23 Amazon
+52.82.187.0/24 Amazon
+52.82.188.0/22 Amazon
+52.82.192.0/18 Amazon
+52.83.0.0/16 Amazon
+52.84.0.0/15 Amazon
+52.86.0.0/15 Amazon
+52.88.0.0/15 Amazon
+52.90.0.0/15 Amazon
+52.92.0.0/17 Amazon
+52.92.128.0/17 Amazon
+52.93.0.0/24 Amazon
+52.93.1.0/24 Amazon
+52.93.2.0/24 Amazon
+52.93.3.0/24 Amazon
+52.93.4.0/24 Amazon
+52.93.5.0/24 Amazon
+52.93.8.0/22 Amazon
+52.93.12.12/32 Amazon
+52.93.12.13/32 Amazon
+52.93.14.18/32 Amazon
+52.93.14.19/32 Amazon
+52.93.16.0/24 Amazon
+52.93.17.0/24 Amazon
+52.93.18.178/32 Amazon
+52.93.18.179/32 Amazon
+52.93.19.236/32 Amazon
+52.93.19.237/32 Amazon
+52.93.20.0/24 Amazon
+52.93.21.14/32 Amazon
+52.93.21.15/32 Amazon
+52.93.32.176/32 Amazon
+52.93.32.179/32 Amazon
+52.93.32.180/32 Amazon
+52.93.34.40/32 Amazon
+52.93.34.42/32 Amazon
+52.93.34.56/32 Amazon
+52.93.34.57/32 Amazon
+52.93.34.120/31 Amazon
+52.93.34.122/31 Amazon
+52.93.34.124/31 Amazon
+52.93.34.126/31 Amazon
+52.93.35.212/32 Amazon
+52.93.35.213/32 Amazon
+52.93.37.222/32 Amazon
+52.93.37.223/32 Amazon
+52.93.38.0/24 Amazon
+52.93.43.0/24 Amazon
+52.93.48.0/24 Amazon
+52.93.50.128/32 Amazon
+52.93.50.129/32 Amazon
+52.93.50.130/32 Amazon
+52.93.50.131/32 Amazon
+52.93.50.132/31 Amazon
+52.93.50.134/31 Amazon
+52.93.50.136/31 Amazon
+52.93.50.138/31 Amazon
+52.93.50.140/31 Amazon
+52.93.50.142/31 Amazon
+52.93.50.144/31 Amazon
+52.93.50.146/31 Amazon
+52.93.50.148/31 Amazon
+52.93.50.150/31 Amazon
+52.93.50.152/31 Amazon
+52.93.50.154/31 Amazon
+52.93.50.156/31 Amazon
+52.93.50.158/31 Amazon
+52.93.50.160/31 Amazon
+52.93.50.162/31 Amazon
+52.93.50.164/31 Amazon
+52.93.50.166/31 Amazon
+52.93.50.168/31 Amazon
+52.93.50.170/31 Amazon
+52.93.50.172/31 Amazon
+52.93.50.174/31 Amazon
+52.93.50.176/31 Amazon
+52.93.50.178/31 Amazon
+52.93.50.180/31 Amazon
+52.93.50.182/31 Amazon
+52.93.50.184/31 Amazon
+52.93.50.186/31 Amazon
+52.93.50.188/31 Amazon
+52.93.50.190/31 Amazon
+52.93.50.192/31 Amazon
+52.93.50.194/31 Amazon
+52.93.51.28/32 Amazon
+52.93.51.29/32 Amazon
+52.93.55.144/31 Amazon
+52.93.55.146/31 Amazon
+52.93.55.148/31 Amazon
+52.93.55.152/31 Amazon
+52.93.55.154/31 Amazon
+52.93.55.156/31 Amazon
+52.93.55.158/31 Amazon
+52.93.55.160/31 Amazon
+52.93.55.162/31 Amazon
+52.93.55.164/31 Amazon
+52.93.55.166/31 Amazon
+52.93.56.0/24 Amazon
+52.93.57.0/24 Amazon
+52.93.58.32/28 Amazon
+52.93.59.0/24 Amazon
+52.93.60.0/24 Amazon
+52.93.62.0/24 Amazon
+52.93.63.0/24 Amazon
+52.93.64.0/24 Amazon
+52.93.66.0/24 Amazon
+52.93.67.0/24 Amazon
+52.93.69.0/24 Amazon
+52.93.71.37/32 Amazon
+52.93.73.0/26 Amazon
+52.93.75.0/24 Amazon
+52.93.76.0/24 Amazon
+52.93.78.0/24 Amazon
+52.93.80.0/24 Amazon
+52.93.81.0/24 Amazon
+52.93.87.96/27 Amazon
+52.93.91.96/32 Amazon
+52.93.91.97/32 Amazon
+52.93.91.98/32 Amazon
+52.93.91.99/32 Amazon
+52.93.91.100/32 Amazon
+52.93.91.101/32 Amazon
+52.93.91.102/32 Amazon
+52.93.91.103/32 Amazon
+52.93.91.104/32 Amazon
+52.93.91.105/32 Amazon
+52.93.91.106/32 Amazon
+52.93.91.107/32 Amazon
+52.93.91.108/32 Amazon
+52.93.91.109/32 Amazon
+52.93.91.110/32 Amazon
+52.93.91.111/32 Amazon
+52.93.91.112/32 Amazon
+52.93.91.113/32 Amazon
+52.93.91.114/32 Amazon
+52.93.91.115/32 Amazon
+52.93.92.64/31 Amazon
+52.93.92.66/31 Amazon
+52.93.92.68/31 Amazon
+52.93.92.70/31 Amazon
+52.93.92.72/31 Amazon
+52.93.92.74/31 Amazon
+52.93.96.0/24 Amazon
+52.93.97.0/24 Amazon
+52.93.98.0/24 Amazon
+52.93.99.0/24 Amazon
+52.93.112.0/24 Amazon
+52.93.120.176/32 Amazon
+52.93.120.177/32 Amazon
+52.93.120.178/32 Amazon
+52.93.120.179/32 Amazon
+52.93.121.187/32 Amazon
+52.93.121.188/32 Amazon
+52.93.121.189/32 Amazon
+52.93.121.190/32 Amazon
+52.93.121.195/32 Amazon
+52.93.121.196/32 Amazon
+52.93.121.197/32 Amazon
+52.93.121.198/32 Amazon
+52.93.122.131/32 Amazon
+52.93.122.202/32 Amazon
+52.93.122.203/32 Amazon
+52.93.122.218/32 Amazon
+52.93.122.255/32 Amazon
+52.93.123.6/32 Amazon
+52.93.123.11/32 Amazon
+52.93.123.98/32 Amazon
+52.93.123.99/32 Amazon
+52.93.123.136/32 Amazon
+52.93.123.255/32 Amazon
+52.93.124.14/32 Amazon
+52.93.124.15/32 Amazon
+52.93.124.96/32 Amazon
+52.93.124.97/32 Amazon
+52.93.124.210/32 Amazon
+52.93.124.211/32 Amazon
+52.93.124.212/32 Amazon
+52.93.124.213/32 Amazon
+52.93.125.42/32 Amazon
+52.93.125.43/32 Amazon
+52.93.126.76/32 Amazon
+52.93.126.122/32 Amazon
+52.93.126.123/32 Amazon
+52.93.126.132/32 Amazon
+52.93.126.133/32 Amazon
+52.93.126.134/32 Amazon
+52.93.126.135/32 Amazon
+52.93.126.136/32 Amazon
+52.93.126.137/32 Amazon
+52.93.126.138/32 Amazon
+52.93.126.139/32 Amazon
+52.93.126.144/32 Amazon
+52.93.126.145/32 Amazon
+52.93.126.146/32 Amazon
+52.93.126.147/32 Amazon
+52.93.126.198/32 Amazon
+52.93.126.199/32 Amazon
+52.93.126.204/32 Amazon
+52.93.126.205/32 Amazon
+52.93.126.206/32 Amazon
+52.93.126.207/32 Amazon
+52.93.126.212/32 Amazon
+52.93.126.213/32 Amazon
+52.93.126.214/32 Amazon
+52.93.126.215/32 Amazon
+52.93.126.234/32 Amazon
+52.93.126.235/32 Amazon
+52.93.126.244/32 Amazon
+52.93.126.245/32 Amazon
+52.93.126.250/32 Amazon
+52.93.126.251/32 Amazon
+52.93.127.17/32 Amazon
+52.93.127.18/32 Amazon
+52.93.127.19/32 Amazon
+52.93.127.24/32 Amazon
+52.93.127.25/32 Amazon
+52.93.127.26/32 Amazon
+52.93.127.27/32 Amazon
+52.93.127.68/32 Amazon
+52.93.127.69/32 Amazon
+52.93.127.70/32 Amazon
+52.93.127.71/32 Amazon
+52.93.127.92/32 Amazon
+52.93.127.93/32 Amazon
+52.93.127.94/32 Amazon
+52.93.127.95/32 Amazon
+52.93.127.96/32 Amazon
+52.93.127.97/32 Amazon
+52.93.127.98/32 Amazon
+52.93.127.99/32 Amazon
+52.93.127.100/32 Amazon
+52.93.127.101/32 Amazon
+52.93.127.102/32 Amazon
+52.93.127.103/32 Amazon
+52.93.127.104/32 Amazon
+52.93.127.105/32 Amazon
+52.93.127.106/32 Amazon
+52.93.127.107/32 Amazon
+52.93.127.108/32 Amazon
+52.93.127.109/32 Amazon
+52.93.127.110/32 Amazon
+52.93.127.111/32 Amazon
+52.93.127.112/32 Amazon
+52.93.127.113/32 Amazon
+52.93.127.114/32 Amazon
+52.93.127.115/32 Amazon
+52.93.127.116/32 Amazon
+52.93.127.117/32 Amazon
+52.93.127.118/32 Amazon
+52.93.127.119/32 Amazon
+52.93.127.120/32 Amazon
+52.93.127.121/32 Amazon
+52.93.127.122/32 Amazon
+52.93.127.123/32 Amazon
+52.93.127.124/32 Amazon
+52.93.127.125/32 Amazon
+52.93.127.126/32 Amazon
+52.93.127.127/32 Amazon
+52.93.127.128/32 Amazon
+52.93.127.129/32 Amazon
+52.93.127.130/32 Amazon
+52.93.127.131/32 Amazon
+52.93.127.132/32 Amazon
+52.93.127.133/32 Amazon
+52.93.127.138/32 Amazon
+52.93.127.139/32 Amazon
+52.93.127.146/32 Amazon
+52.93.127.147/32 Amazon
+52.93.127.148/32 Amazon
+52.93.127.149/32 Amazon
+52.93.127.152/32 Amazon
+52.93.127.153/32 Amazon
+52.93.127.154/32 Amazon
+52.93.127.155/32 Amazon
+52.93.127.156/32 Amazon
+52.93.127.157/32 Amazon
+52.93.127.158/32 Amazon
+52.93.127.159/32 Amazon
+52.93.127.160/32 Amazon
+52.93.127.161/32 Amazon
+52.93.127.162/32 Amazon
+52.93.127.163/32 Amazon
+52.93.127.164/32 Amazon
+52.93.127.165/32 Amazon
+52.93.127.166/32 Amazon
+52.93.127.167/32 Amazon
+52.93.127.168/32 Amazon
+52.93.127.169/32 Amazon
+52.93.127.172/32 Amazon
+52.93.127.173/32 Amazon
+52.93.127.174/32 Amazon
+52.93.127.175/32 Amazon
+52.93.127.176/32 Amazon
+52.93.127.177/32 Amazon
+52.93.127.178/32 Amazon
+52.93.127.179/32 Amazon
+52.93.127.180/32 Amazon
+52.93.127.181/32 Amazon
+52.93.127.182/32 Amazon
+52.93.127.183/32 Amazon
+52.93.127.184/32 Amazon
+52.93.127.185/32 Amazon
+52.93.127.194/32 Amazon
+52.93.127.195/32 Amazon
+52.93.127.196/32 Amazon
+52.93.127.197/32 Amazon
+52.93.127.198/32 Amazon
+52.93.127.199/32 Amazon
+52.93.127.200/32 Amazon
+52.93.127.201/32 Amazon
+52.93.127.202/32 Amazon
+52.93.127.203/32 Amazon
+52.93.127.204/32 Amazon
+52.93.127.205/32 Amazon
+52.93.127.206/32 Amazon
+52.93.127.207/32 Amazon
+52.93.127.216/32 Amazon
+52.93.127.217/32 Amazon
+52.93.127.218/32 Amazon
+52.93.127.219/32 Amazon
+52.93.127.220/32 Amazon
+52.93.127.221/32 Amazon
+52.93.127.232/32 Amazon
+52.93.127.237/32 Amazon
+52.93.127.238/32 Amazon
+52.93.127.239/32 Amazon
+52.93.127.244/32 Amazon
+52.93.127.245/32 Amazon
+52.93.127.246/32 Amazon
+52.93.127.247/32 Amazon
+52.93.127.248/32 Amazon
+52.93.127.249/32 Amazon
+52.93.127.250/32 Amazon
+52.93.127.251/32 Amazon
+52.93.127.252/32 Amazon
+52.93.127.253/32 Amazon
+52.93.127.254/32 Amazon
+52.93.127.255/32 Amazon
+52.93.129.95/32 Amazon
+52.93.131.217/32 Amazon
+52.93.133.127/32 Amazon
+52.93.133.129/32 Amazon
+52.93.133.131/32 Amazon
+52.93.133.133/32 Amazon
+52.93.133.153/32 Amazon
+52.93.133.155/32 Amazon
+52.93.133.175/32 Amazon
+52.93.133.177/32 Amazon
+52.93.133.179/32 Amazon
+52.93.133.181/32 Amazon
+52.93.134.181/32 Amazon
+52.93.135.195/32 Amazon
+52.93.137.0/24 Amazon
+52.93.138.252/32 Amazon
+52.93.138.253/32 Amazon
+52.93.139.252/32 Amazon
+52.93.139.253/32 Amazon
+52.93.141.212/32 Amazon
+52.93.141.213/32 Amazon
+52.93.141.214/31 Amazon
+52.93.141.216/31 Amazon
+52.93.141.218/31 Amazon
+52.93.141.220/31 Amazon
+52.93.141.222/31 Amazon
+52.93.141.224/31 Amazon
+52.93.141.226/31 Amazon
+52.93.141.228/31 Amazon
+52.93.141.230/31 Amazon
+52.93.141.232/31 Amazon
+52.93.141.234/31 Amazon
+52.93.141.236/31 Amazon
+52.93.141.238/31 Amazon
+52.93.141.240/31 Amazon
+52.93.141.242/31 Amazon
+52.93.141.244/31 Amazon
+52.93.146.5/32 Amazon
+52.93.149.0/24 Amazon
+52.93.150.0/24 Amazon
+52.93.151.0/24 Amazon
+52.93.153.80/32 Amazon
+52.93.153.148/32 Amazon
+52.93.153.149/32 Amazon
+52.93.153.168/32 Amazon
+52.93.153.169/32 Amazon
+52.93.153.170/32 Amazon
+52.93.153.171/32 Amazon
+52.93.153.172/32 Amazon
+52.93.153.173/32 Amazon
+52.93.153.174/32 Amazon
+52.93.153.175/32 Amazon
+52.93.153.176/32 Amazon
+52.93.153.177/32 Amazon
+52.93.153.178/32 Amazon
+52.93.153.179/32 Amazon
+52.93.156.0/22 Amazon
+52.93.178.128/32 Amazon
+52.93.178.129/32 Amazon
+52.93.178.130/32 Amazon
+52.93.178.131/32 Amazon
+52.93.178.132/32 Amazon
+52.93.178.133/32 Amazon
+52.93.178.134/32 Amazon
+52.93.178.135/32 Amazon
+52.93.178.136/32 Amazon
+52.93.178.137/32 Amazon
+52.93.178.138/32 Amazon
+52.93.178.139/32 Amazon
+52.93.178.140/32 Amazon
+52.93.178.141/32 Amazon
+52.93.178.142/32 Amazon
+52.93.178.143/32 Amazon
+52.93.178.144/32 Amazon
+52.93.178.145/32 Amazon
+52.93.178.146/32 Amazon
+52.93.178.147/32 Amazon
+52.93.178.148/32 Amazon
+52.93.178.149/32 Amazon
+52.93.178.150/32 Amazon
+52.93.178.151/32 Amazon
+52.93.178.152/32 Amazon
+52.93.178.153/32 Amazon
+52.93.178.154/32 Amazon
+52.93.178.155/32 Amazon
+52.93.178.156/32 Amazon
+52.93.178.157/32 Amazon
+52.93.178.158/32 Amazon
+52.93.178.159/32 Amazon
+52.93.178.160/32 Amazon
+52.93.178.161/32 Amazon
+52.93.178.162/32 Amazon
+52.93.178.163/32 Amazon
+52.93.178.164/32 Amazon
+52.93.178.165/32 Amazon
+52.93.178.166/32 Amazon
+52.93.178.167/32 Amazon
+52.93.178.168/32 Amazon
+52.93.178.169/32 Amazon
+52.93.178.170/32 Amazon
+52.93.178.171/32 Amazon
+52.93.178.172/32 Amazon
+52.93.178.173/32 Amazon
+52.93.178.174/32 Amazon
+52.93.178.175/32 Amazon
+52.93.178.176/32 Amazon
+52.93.178.177/32 Amazon
+52.93.178.178/32 Amazon
+52.93.178.179/32 Amazon
+52.93.178.180/32 Amazon
+52.93.178.181/32 Amazon
+52.93.178.182/32 Amazon
+52.93.178.183/32 Amazon
+52.93.178.184/32 Amazon
+52.93.178.185/32 Amazon
+52.93.178.186/32 Amazon
+52.93.178.187/32 Amazon
+52.93.178.188/32 Amazon
+52.93.178.189/32 Amazon
+52.93.178.190/32 Amazon
+52.93.178.191/32 Amazon
+52.93.178.192/32 Amazon
+52.93.178.193/32 Amazon
+52.93.178.194/32 Amazon
+52.93.178.195/32 Amazon
+52.93.178.196/32 Amazon
+52.93.178.197/32 Amazon
+52.93.178.198/32 Amazon
+52.93.178.199/32 Amazon
+52.93.178.200/32 Amazon
+52.93.178.201/32 Amazon
+52.93.178.202/32 Amazon
+52.93.178.203/32 Amazon
+52.93.178.204/32 Amazon
+52.93.178.205/32 Amazon
+52.93.178.206/32 Amazon
+52.93.178.207/32 Amazon
+52.93.178.208/32 Amazon
+52.93.178.209/32 Amazon
+52.93.178.210/32 Amazon
+52.93.178.211/32 Amazon
+52.93.178.212/32 Amazon
+52.93.178.213/32 Amazon
+52.93.178.214/32 Amazon
+52.93.178.215/32 Amazon
+52.93.178.216/32 Amazon
+52.93.178.217/32 Amazon
+52.93.178.218/32 Amazon
+52.93.178.219/32 Amazon
+52.93.178.220/32 Amazon
+52.93.178.221/32 Amazon
+52.93.178.222/32 Amazon
+52.93.178.223/32 Amazon
+52.93.178.224/32 Amazon
+52.93.178.225/32 Amazon
+52.93.178.226/32 Amazon
+52.93.178.227/32 Amazon
+52.93.178.228/32 Amazon
+52.93.178.229/32 Amazon
+52.93.178.230/32 Amazon
+52.93.178.231/32 Amazon
+52.93.178.232/32 Amazon
+52.93.178.233/32 Amazon
+52.93.178.234/32 Amazon
+52.93.178.235/32 Amazon
+52.93.193.192/32 Amazon
+52.93.193.193/32 Amazon
+52.93.193.194/32 Amazon
+52.93.193.195/32 Amazon
+52.93.193.196/32 Amazon
+52.93.193.197/32 Amazon
+52.93.193.198/32 Amazon
+52.93.193.199/32 Amazon
+52.93.193.200/32 Amazon
+52.93.193.201/32 Amazon
+52.93.193.202/32 Amazon
+52.93.193.203/32 Amazon
+52.93.198.0/25 Amazon
+52.93.229.148/32 Amazon
+52.93.229.149/32 Amazon
+52.93.236.0/24 Amazon
+52.93.237.0/24 Amazon
+52.93.240.146/31 Amazon
+52.93.240.148/31 Amazon
+52.93.240.150/31 Amazon
+52.93.240.152/31 Amazon
+52.93.240.154/31 Amazon
+52.93.240.156/31 Amazon
+52.93.240.158/31 Amazon
+52.93.240.160/31 Amazon
+52.93.240.162/31 Amazon
+52.93.240.164/31 Amazon
+52.93.240.166/31 Amazon
+52.93.240.168/31 Amazon
+52.93.240.170/31 Amazon
+52.93.240.172/31 Amazon
+52.93.240.174/31 Amazon
+52.93.240.176/31 Amazon
+52.93.240.178/31 Amazon
+52.93.240.180/31 Amazon
+52.93.240.182/31 Amazon
+52.93.240.184/31 Amazon
+52.93.240.186/31 Amazon
+52.93.240.188/31 Amazon
+52.93.240.190/31 Amazon
+52.93.240.192/31 Amazon
+52.93.240.194/31 Amazon
+52.93.240.196/31 Amazon
+52.93.240.198/31 Amazon
+52.93.240.200/31 Amazon
+52.93.240.202/31 Amazon
+52.93.240.204/31 Amazon
+52.93.245.0/24 Amazon
+52.93.247.0/25 Amazon
+52.93.248.0/24 Amazon
+52.93.249.0/24 Amazon
+52.93.250.0/23 Amazon
+52.93.254.0/24 Amazon
+52.94.0.0/22 Amazon
+52.94.4.0/24 Amazon
+52.94.5.0/24 Amazon
+52.94.6.0/24 Amazon
+52.94.7.0/24 Amazon
+52.94.8.0/24 Amazon
+52.94.9.0/24 Amazon
+52.94.10.0/24 Amazon
+52.94.11.0/24 Amazon
+52.94.12.0/24 Amazon
+52.94.13.0/24 Amazon
+52.94.14.0/24 Amazon
+52.94.15.0/24 Amazon
+52.94.16.0/24 Amazon
+52.94.17.0/24 Amazon
+52.94.18.0/24 Amazon
+52.94.19.0/24 Amazon
+52.94.20.0/24 Amazon
+52.94.22.0/24 Amazon
+52.94.23.0/24 Amazon
+52.94.24.0/23 Amazon
+52.94.26.0/23 Amazon
+52.94.28.0/23 Amazon
+52.94.30.0/24 Amazon
+52.94.32.0/20 Amazon
+52.94.48.0/20 Amazon
+52.94.64.0/22 Amazon
+52.94.68.0/24 Amazon
+52.94.69.0/24 Amazon
+52.94.72.0/22 Amazon
+52.94.76.0/22 Amazon
+52.94.80.0/20 Amazon
+52.94.96.0/20 Amazon
+52.94.112.0/22 Amazon
+52.94.116.0/22 Amazon
+52.94.120.0/22 Amazon
+52.94.124.0/22 Amazon
+52.94.128.0/22 Amazon
+52.94.132.0/22 Amazon
+52.94.136.0/21 Amazon
+52.94.148.0/22 Amazon
+52.94.152.3/32 Amazon
+52.94.152.9/32 Amazon
+52.94.152.11/32 Amazon
+52.94.152.12/32 Amazon
+52.94.152.44/32 Amazon
+52.94.152.60/32 Amazon
+52.94.152.61/32 Amazon
+52.94.152.62/32 Amazon
+52.94.152.63/32 Amazon
+52.94.152.64/32 Amazon
+52.94.152.65/32 Amazon
+52.94.152.66/32 Amazon
+52.94.152.67/32 Amazon
+52.94.152.68/32 Amazon
+52.94.152.69/32 Amazon
+52.94.160.0/20 Amazon
+52.94.176.0/20 Amazon
+52.94.192.0/22 Amazon
+52.94.196.0/24 Amazon
+52.94.197.0/24 Amazon
+52.94.198.0/28 Amazon
+52.94.198.16/28 Amazon
+52.94.198.32/28 Amazon
+52.94.198.48/28 Amazon
+52.94.198.64/28 Amazon
+52.94.198.80/28 Amazon
+52.94.198.96/28 Amazon
+52.94.198.112/28 Amazon
+52.94.198.128/28 Amazon
+52.94.198.144/28 Amazon
+52.94.199.0/24 Amazon
+52.94.200.0/24 Amazon
+52.94.201.0/26 Amazon
+52.94.204.0/23 Amazon
+52.94.206.0/23 Amazon
+52.94.208.0/21 Amazon
+52.94.216.0/21 Amazon
+52.94.224.0/20 Amazon
+52.94.240.0/22 Amazon
+52.94.244.0/22 Amazon
+52.94.248.0/28 Amazon
+52.94.248.16/28 Amazon
+52.94.248.32/28 Amazon
+52.94.248.48/28 Amazon
+52.94.248.64/28 Amazon
+52.94.248.80/28 Amazon
+52.94.248.96/28 Amazon
+52.94.248.112/28 Amazon
+52.94.248.128/28 Amazon
+52.94.248.144/28 Amazon
+52.94.248.160/28 Amazon
+52.94.248.176/28 Amazon
+52.94.248.192/28 Amazon
+52.94.248.208/28 Amazon
+52.94.248.224/28 Amazon
+52.94.249.32/28 Amazon
+52.94.249.48/28 Amazon
+52.94.249.64/28 Amazon
+52.94.249.80/28 Amazon
+52.94.249.96/28 Amazon
+52.94.249.112/28 Amazon
+52.94.249.128/28 Amazon
+52.94.249.144/28 Amazon
+52.94.249.160/28 Amazon
+52.94.249.176/28 Amazon
+52.94.249.192/28 Amazon
+52.94.249.208/28 Amazon
+52.94.249.224/28 Amazon
+52.94.249.240/28 Amazon
+52.94.250.0/28 Amazon
+52.94.250.16/28 Amazon
+52.94.252.0/23 Amazon
+52.94.254.0/23 Amazon
+52.95.0.0/20 Amazon
+52.95.16.0/21 Amazon
+52.95.24.0/22 Amazon
+52.95.28.0/24 Amazon
+52.95.29.0/26 Amazon
+52.95.30.0/23 Amazon
+52.95.34.0/24 Amazon
+52.95.35.0/24 Amazon
+52.95.36.0/22 Amazon
+52.95.40.0/24 Amazon
+52.95.41.0/24 Amazon
+52.95.42.0/24 Amazon
+52.95.48.0/22 Amazon
+52.95.52.0/22 Amazon
+52.95.56.0/22 Amazon
+52.95.60.0/24 Amazon
+52.95.61.0/24 Amazon
+52.95.62.0/24 Amazon
+52.95.63.0/24 Amazon
+52.95.64.0/20 Amazon
+52.95.80.0/20 Amazon
+52.95.96.0/22 Amazon
+52.95.100.0/22 Amazon
+52.95.104.0/22 Amazon
+52.95.108.0/23 Amazon
+52.95.110.0/24 Amazon
+52.95.111.0/24 Amazon
+52.95.112.0/20 Amazon
+52.95.128.0/21 Amazon
+52.95.136.0/23 Amazon
+52.95.138.0/24 Amazon
+52.95.139.0/24 Amazon
+52.95.140.0/23 Amazon
+52.95.142.0/23 Amazon
+52.95.144.0/24 Amazon
+52.95.145.0/24 Amazon
+52.95.146.0/23 Amazon
+52.95.148.0/23 Amazon
+52.95.150.0/24 Amazon
+52.95.151.0/24 Amazon
+52.95.152.0/23 Amazon
+52.95.154.0/23 Amazon
+52.95.156.0/24 Amazon
+52.95.157.0/24 Amazon
+52.95.158.0/23 Amazon
+52.95.160.0/23 Amazon
+52.95.162.0/24 Amazon
+52.95.163.0/24 Amazon
+52.95.164.0/23 Amazon
+52.95.166.0/23 Amazon
+52.95.168.0/24 Amazon
+52.95.169.0/24 Amazon
+52.95.170.0/23 Amazon
+52.95.172.0/23 Amazon
+52.95.174.0/24 Amazon
+52.95.175.0/24 Amazon
+52.95.176.0/24 Amazon
+52.95.177.0/24 Amazon
+52.95.178.0/23 Amazon
+52.95.180.0/24 Amazon
+52.95.181.0/24 Amazon
+52.95.182.0/23 Amazon
+52.95.184.0/23 Amazon
+52.95.186.0/24 Amazon
+52.95.187.0/24 Amazon
+52.95.188.0/23 Amazon
+52.95.190.0/24 Amazon
+52.95.192.0/20 Amazon
+52.95.208.0/22 Amazon
+52.95.212.0/22 Amazon
+52.95.216.0/22 Amazon
+52.95.224.0/24 Amazon
+52.95.225.0/24 Amazon
+52.95.226.0/24 Amazon
+52.95.227.0/24 Amazon
+52.95.228.0/24 Amazon
+52.95.229.0/24 Amazon
+52.95.230.0/24 Amazon
+52.95.235.0/24 Amazon
+52.95.239.0/24 Amazon
+52.95.240.0/24 Amazon
+52.95.241.0/24 Amazon
+52.95.242.0/24 Amazon
+52.95.243.0/24 Amazon
+52.95.244.0/24 Amazon
+52.95.245.0/24 Amazon
+52.95.246.0/24 Amazon
+52.95.247.0/24 Amazon
+52.95.248.0/24 Amazon
+52.95.249.0/24 Amazon
+52.95.250.0/24 Amazon
+52.95.251.0/24 Amazon
+52.95.252.0/24 Amazon
+52.95.253.0/24 Amazon
+52.95.254.0/24 Amazon
+52.95.255.0/28 Amazon
+52.95.255.16/28 Amazon
+52.95.255.32/28 Amazon
+52.95.255.48/28 Amazon
+52.95.255.64/28 Amazon
+52.95.255.80/28 Amazon
+52.95.255.96/28 Amazon
+52.95.255.112/28 Amazon
+52.95.255.128/28 Amazon
+52.95.255.144/28 Amazon
+52.119.128.0/20 Amazon
+52.119.144.0/21 Amazon
+52.119.152.0/22 Amazon
+52.119.156.0/22 Amazon
+52.119.160.0/20 Amazon
+52.119.176.0/21 Amazon
+52.119.184.0/22 Amazon
+52.119.188.0/22 Amazon
+52.119.192.0/22 Amazon
+52.119.196.0/22 Amazon
+52.119.205.0/24 Amazon
+52.119.206.0/23 Amazon
+52.119.208.0/23 Amazon
+52.119.210.0/23 Amazon
+52.119.212.0/23 Amazon
+52.119.214.0/23 Amazon
+52.119.216.0/21 Amazon
+52.119.224.0/21 Amazon
+52.119.232.0/21 Amazon
+52.119.240.0/21 Amazon
+52.119.248.0/24 Amazon
+52.119.249.0/24 Amazon
+52.119.252.0/22 Amazon
+52.124.128.0/17 Amazon
+52.144.133.32/27 Amazon
+52.144.192.0/26 Amazon
+52.144.192.64/26 Amazon
+52.144.192.128/26 Amazon
+52.144.192.192/26 Amazon
+52.144.193.0/26 Amazon
+52.144.193.64/26 Amazon
+52.144.193.128/26 Amazon
+52.144.194.0/26 Amazon
+52.144.194.64/26 Amazon
+52.144.194.128/26 Amazon
+52.144.194.192/26 Amazon
+52.144.195.0/26 Amazon
+52.144.196.192/26 Amazon
+52.144.197.128/26 Amazon
+52.144.197.192/26 Amazon
+52.144.199.128/26 Amazon
+52.144.200.64/26 Amazon
+52.144.200.128/26 Amazon
+52.144.201.64/26 Amazon
+52.144.201.128/26 Amazon
+52.144.205.0/26 Amazon
+52.144.208.0/31 Amazon
+52.144.208.2/31 Amazon
+52.144.208.64/26 Amazon
+52.144.208.128/26 Amazon
+52.144.208.192/26 Amazon
+52.144.209.0/26 Amazon
+52.144.209.64/26 Amazon
+52.144.209.128/26 Amazon
+52.144.209.192/26 Amazon
+52.144.210.0/26 Amazon
+52.144.210.64/26 Amazon
+52.144.210.128/26 Amazon
+52.144.210.192/26 Amazon
+52.144.211.0/26 Amazon
+52.144.211.64/26 Amazon
+52.144.211.128/26 Amazon
+52.144.211.192/31 Amazon
+52.144.211.194/31 Amazon
+52.144.211.196/31 Amazon
+52.144.211.198/31 Amazon
+52.144.211.200/31 Amazon
+52.144.211.202/31 Amazon
+52.144.212.64/26 Amazon
+52.144.212.192/26 Amazon
+52.144.213.64/26 Amazon
+52.144.214.128/26 Amazon
+52.144.215.0/31 Amazon
+52.144.215.2/31 Amazon
+52.144.215.192/31 Amazon
+52.144.215.194/31 Amazon
+52.144.215.196/31 Amazon
+52.144.215.198/31 Amazon
+52.144.215.200/31 Amazon
+52.144.215.202/31 Amazon
+52.144.216.0/31 Amazon
+52.144.216.2/31 Amazon
+52.144.216.4/31 Amazon
+52.144.216.6/31 Amazon
+52.144.216.8/31 Amazon
+52.144.216.10/31 Amazon
+52.144.218.0/26 Amazon
+52.144.218.64/26 Amazon
+52.144.223.64/26 Amazon
+52.144.223.128/26 Amazon
+52.144.224.64/26 Amazon
+52.144.224.128/26 Amazon
+52.144.224.192/26 Amazon
+52.144.225.0/26 Amazon
+52.144.225.64/26 Amazon
+52.144.225.128/26 Amazon
+52.144.227.64/26 Amazon
+52.144.227.192/26 Amazon
+52.144.228.0/31 Amazon
+52.144.228.2/31 Amazon
+52.144.228.64/26 Amazon
+52.144.228.128/26 Amazon
+52.144.228.192/26 Amazon
+52.144.229.0/26 Amazon
+52.144.229.64/26 Amazon
+52.144.230.0/26 Amazon
+52.144.231.64/26 Amazon
+52.144.233.64/31 Amazon
+52.144.233.66/31 Amazon
+52.144.233.68/31 Amazon
+52.144.233.70/31 Amazon
+52.144.233.128/31 Amazon
+52.144.233.130/31 Amazon
+52.144.233.132/31 Amazon
+52.144.233.134/31 Amazon
+52.144.233.192/26 Amazon
+52.192.0.0/15 Amazon
+52.194.0.0/15 Amazon
+52.196.0.0/14 Amazon
+52.200.0.0/13 Amazon
+52.208.0.0/13 Amazon
+52.216.0.0/15 Amazon
+52.218.0.0/17 Amazon
+52.218.128.0/17 Amazon
+52.219.0.0/20 Amazon
+52.219.16.0/22 Amazon
+52.219.24.0/21 Amazon
+52.219.32.0/21 Amazon
+52.219.40.0/22 Amazon
+52.219.44.0/22 Amazon
+52.219.56.0/22 Amazon
+52.219.60.0/23 Amazon
+52.219.62.0/23 Amazon
+52.219.64.0/22 Amazon
+52.219.68.0/22 Amazon
+52.219.72.0/22 Amazon
+52.219.80.0/20 Amazon
+52.219.96.0/20 Amazon
+52.219.112.0/21 Amazon
+52.219.120.0/22 Amazon
+52.219.124.0/22 Amazon
+52.219.128.0/22 Amazon
+52.219.132.0/22 Amazon
+52.219.136.0/22 Amazon
+52.219.140.0/24 Amazon
+52.219.141.0/24 Amazon
+52.219.142.0/24 Amazon
+52.219.143.0/24 Amazon
+52.219.144.0/22 Amazon
+52.219.148.0/23 Amazon
+52.219.152.0/22 Amazon
+52.219.156.0/22 Amazon
+52.219.160.0/23 Amazon
+52.219.164.0/22 Amazon
+52.219.168.0/24 Amazon
+52.219.169.0/24 Amazon
+52.219.170.0/23 Amazon
+52.219.172.0/22 Amazon
+52.219.176.0/22 Amazon
+52.219.180.0/22 Amazon
+52.219.184.0/21 Amazon
+52.219.192.0/23 Amazon
+52.219.194.0/24 Amazon
+52.219.195.0/24 Amazon
+52.219.196.0/22 Amazon
+52.219.200.0/24 Amazon
+52.219.202.0/23 Amazon
+52.219.204.0/22 Amazon
+52.220.0.0/15 Amazon
+52.222.0.0/17 Amazon
+52.222.128.0/17 Amazon
+52.223.0.0/17 Amazon
+54.64.0.0/15 Amazon
+54.66.0.0/16 Amazon
+54.67.0.0/16 Amazon
+54.68.0.0/14 Amazon
+54.72.0.0/15 Amazon
+54.74.0.0/15 Amazon
+54.76.0.0/15 Amazon
+54.78.0.0/16 Amazon
+54.79.0.0/16 Amazon
+54.80.0.0/13 Amazon
+54.88.0.0/14 Amazon
+54.92.0.0/17 Amazon
+54.92.128.0/17 Amazon
+54.93.0.0/16 Amazon
+54.94.0.0/16 Amazon
+54.95.0.0/16 Amazon
+54.144.0.0/14 Amazon
+54.148.0.0/15 Amazon
+54.150.0.0/16 Amazon
+54.151.0.0/17 Amazon
+54.151.128.0/17 Amazon
+54.152.0.0/16 Amazon
+54.153.0.0/17 Amazon
+54.153.128.0/17 Amazon
+54.154.0.0/16 Amazon
+54.155.0.0/16 Amazon
+54.156.0.0/14 Amazon
+54.160.0.0/13 Amazon
+54.168.0.0/16 Amazon
+54.169.0.0/16 Amazon
+54.170.0.0/15 Amazon
+54.172.0.0/15 Amazon
+54.174.0.0/15 Amazon
+54.176.0.0/15 Amazon
+54.178.0.0/16 Amazon
+54.179.0.0/16 Amazon
+54.180.0.0/15 Amazon
+54.182.0.0/16 Amazon
+54.183.0.0/16 Amazon
+54.184.0.0/13 Amazon
+54.192.0.0/16 Amazon
+54.193.0.0/16 Amazon
+54.194.0.0/15 Amazon
+54.196.0.0/15 Amazon
+54.198.0.0/16 Amazon
+54.199.0.0/16 Amazon
+54.200.0.0/15 Amazon
+54.202.0.0/15 Amazon
+54.204.0.0/15 Amazon
+54.206.0.0/16 Amazon
+54.207.0.0/16 Amazon
+54.208.0.0/15 Amazon
+54.210.0.0/15 Amazon
+54.212.0.0/15 Amazon
+54.214.0.0/16 Amazon
+54.215.0.0/16 Amazon
+54.216.0.0/15 Amazon
+54.218.0.0/16 Amazon
+54.219.0.0/16 Amazon
+54.220.0.0/16 Amazon
+54.221.0.0/16 Amazon
+54.222.0.0/19 Amazon
+54.222.32.0/22 Amazon
+54.222.36.0/22 Amazon
+54.222.48.0/22 Amazon
+54.222.52.0/22 Amazon
+54.222.57.0/24 Amazon
+54.222.58.0/28 Amazon
+54.222.58.32/28 Amazon
+54.222.58.48/28 Amazon
+54.222.59.0/24 Amazon
+54.222.64.0/23 Amazon
+54.222.66.0/23 Amazon
+54.222.68.0/23 Amazon
+54.222.70.0/24 Amazon
+54.222.71.0/24 Amazon
+54.222.76.0/22 Amazon
+54.222.80.0/21 Amazon
+54.222.128.0/17 Amazon
+54.223.0.0/16 Amazon
+54.224.0.0/15 Amazon
+54.226.0.0/15 Amazon
+54.228.0.0/16 Amazon
+54.229.0.0/16 Amazon
+54.230.0.0/17 Amazon
+54.230.128.0/18 Amazon
+54.230.192.0/21 Amazon
+54.230.200.0/21 Amazon
+54.230.208.0/20 Amazon
+54.230.224.0/19 Amazon
+54.231.0.0/16 Amazon
+54.232.0.0/16 Amazon
+54.233.0.0/18 Amazon
+54.233.64.0/18 Amazon
+54.233.128.0/17 Amazon
+54.234.0.0/15 Amazon
+54.236.0.0/15 Amazon
+54.238.0.0/16 Amazon
+54.239.0.0/28 Amazon
+54.239.0.16/28 Amazon
+54.239.0.32/28 Amazon
+54.239.0.48/28 Amazon
+54.239.0.64/28 Amazon
+54.239.0.80/28 Amazon
+54.239.0.96/28 Amazon
+54.239.0.112/28 Amazon
+54.239.0.128/28 Amazon
+54.239.0.144/28 Amazon
+54.239.0.160/28 Amazon
+54.239.0.176/28 Amazon
+54.239.0.192/28 Amazon
+54.239.0.208/28 Amazon
+54.239.0.224/28 Amazon
+54.239.0.240/28 Amazon
+54.239.1.0/28 Amazon
+54.239.1.16/28 Amazon
+54.239.1.32/28 Amazon
+54.239.1.48/28 Amazon
+54.239.1.64/28 Amazon
+54.239.1.80/28 Amazon
+54.239.1.96/28 Amazon
+54.239.1.112/28 Amazon
+54.239.1.128/28 Amazon
+54.239.1.144/28 Amazon
+54.239.1.160/28 Amazon
+54.239.1.176/28 Amazon
+54.239.1.192/28 Amazon
+54.239.1.208/28 Amazon
+54.239.1.224/28 Amazon
+54.239.2.0/23 Amazon
+54.239.4.0/22 Amazon
+54.239.8.0/21 Amazon
+54.239.16.0/20 Amazon
+54.239.32.0/21 Amazon
+54.239.40.152/29 Amazon
+54.239.48.0/22 Amazon
+54.239.52.0/23 Amazon
+54.239.54.0/23 Amazon
+54.239.56.0/21 Amazon
+54.239.64.0/21 Amazon
+54.239.96.0/24 Amazon
+54.239.98.0/24 Amazon
+54.239.99.0/24 Amazon
+54.239.100.0/23 Amazon
+54.239.102.162/31 Amazon
+54.239.102.232/31 Amazon
+54.239.102.234/31 Amazon
+54.239.102.236/31 Amazon
+54.239.104.0/23 Amazon
+54.239.106.0/23 Amazon
+54.239.108.0/22 Amazon
+54.239.112.0/24 Amazon
+54.239.113.0/24 Amazon
+54.239.115.0/25 Amazon
+54.239.116.0/22 Amazon
+54.239.120.0/21 Amazon
+54.239.128.0/18 Amazon
+54.239.192.0/19 Amazon
+54.240.17.0/24 Amazon
+54.240.128.0/18 Amazon
+54.240.192.0/22 Amazon
+54.240.196.0/24 Amazon
+54.240.197.0/24 Amazon
+54.240.198.0/24 Amazon
+54.240.199.0/24 Amazon
+54.240.200.0/24 Amazon
+54.240.202.0/24 Amazon
+54.240.203.0/24 Amazon
+54.240.204.0/22 Amazon
+54.240.208.0/22 Amazon
+54.240.212.0/22 Amazon
+54.240.216.0/22 Amazon
+54.240.220.0/22 Amazon
+54.240.225.0/24 Amazon
+54.240.226.0/24 Amazon
+54.240.227.0/24 Amazon
+54.240.228.0/23 Amazon
+54.240.230.0/23 Amazon
+54.240.232.0/22 Amazon
+54.240.236.1/32 Amazon
+54.240.236.2/32 Amazon
+54.240.236.5/32 Amazon
+54.240.236.6/32 Amazon
+54.240.236.9/32 Amazon
+54.240.236.10/32 Amazon
+54.240.236.13/32 Amazon
+54.240.236.14/32 Amazon
+54.240.236.17/32 Amazon
+54.240.236.18/32 Amazon
+54.240.236.21/32 Amazon
+54.240.236.22/32 Amazon
+54.240.236.25/32 Amazon
+54.240.236.26/32 Amazon
+54.240.236.29/32 Amazon
+54.240.236.30/32 Amazon
+54.240.236.33/32 Amazon
+54.240.236.34/32 Amazon
+54.240.236.37/32 Amazon
+54.240.236.38/32 Amazon
+54.240.236.41/32 Amazon
+54.240.236.42/32 Amazon
+54.240.236.45/32 Amazon
+54.240.236.46/32 Amazon
+54.240.236.49/32 Amazon
+54.240.236.50/32 Amazon
+54.240.236.53/32 Amazon
+54.240.236.54/32 Amazon
+54.240.236.57/32 Amazon
+54.240.236.58/32 Amazon
+54.240.236.61/32 Amazon
+54.240.236.62/32 Amazon
+54.240.236.65/32 Amazon
+54.240.236.66/32 Amazon
+54.240.236.69/32 Amazon
+54.240.236.70/32 Amazon
+54.240.236.73/32 Amazon
+54.240.236.74/32 Amazon
+54.240.236.77/32 Amazon
+54.240.236.78/32 Amazon
+54.240.236.81/32 Amazon
+54.240.236.82/32 Amazon
+54.240.236.85/32 Amazon
+54.240.236.86/32 Amazon
+54.240.236.89/32 Amazon
+54.240.236.90/32 Amazon
+54.240.236.93/32 Amazon
+54.240.236.94/32 Amazon
+54.240.241.0/24 Amazon
+54.240.244.0/22 Amazon
+54.240.248.0/21 Amazon
+54.241.0.0/16 Amazon
+54.242.0.0/15 Amazon
+54.244.0.0/16 Amazon
+54.245.0.0/16 Amazon
+54.246.0.0/16 Amazon
+54.247.0.0/16 Amazon
+54.248.0.0/15 Amazon
+54.250.0.0/16 Amazon
+54.251.0.0/16 Amazon
+54.252.0.0/16 Amazon
+54.253.0.0/16 Amazon
+54.254.0.0/16 Amazon
+54.255.0.0/16 Amazon
+58.254.138.0/25 Amazon
+58.254.138.128/26 Amazon
+63.32.0.0/14 Amazon
+63.246.112.0/24 Amazon
+63.246.113.0/24 Amazon
+63.246.114.0/23 Amazon
+63.246.119.0/24 Amazon
+64.187.128.0/20 Amazon
+64.252.64.0/18 Amazon
+64.252.128.0/18 Amazon
+65.0.0.0/14 Amazon
+65.8.0.0/16 Amazon
+65.9.0.0/17 Amazon
+65.9.128.0/18 Amazon
+67.202.0.0/18 Amazon
+67.220.224.0/20 Amazon
+67.220.240.0/20 Amazon
+68.66.112.0/20 Amazon
+68.79.0.0/18 Amazon
+69.107.3.176/29 Amazon
+69.107.3.184/29 Amazon
+69.107.6.112/29 Amazon
+69.107.6.120/29 Amazon
+69.107.6.160/29 Amazon
+69.107.6.168/29 Amazon
+69.107.6.200/29 Amazon
+69.107.6.208/29 Amazon
+69.107.6.216/29 Amazon
+69.107.6.224/29 Amazon
+69.107.7.0/29 Amazon
+69.107.7.8/29 Amazon
+69.107.7.16/29 Amazon
+69.107.7.32/29 Amazon
+69.107.7.40/29 Amazon
+69.107.7.48/29 Amazon
+69.107.7.56/29 Amazon
+69.107.7.64/29 Amazon
+69.107.7.72/29 Amazon
+69.107.7.80/29 Amazon
+69.107.7.88/29 Amazon
+69.107.7.96/29 Amazon
+69.107.7.104/29 Amazon
+69.107.7.112/29 Amazon
+69.107.7.120/29 Amazon
+69.107.7.128/29 Amazon
+69.107.7.136/29 Amazon
+69.230.192.0/18 Amazon
+69.231.128.0/18 Amazon
+69.234.192.0/18 Amazon
+69.235.128.0/18 Amazon
+70.132.0.0/18 Amazon
+70.224.192.0/18 Amazon
+70.232.64.0/20 Amazon
+70.232.80.0/21 Amazon
+70.232.88.0/22 Amazon
+70.232.92.0/22 Amazon
+70.232.96.0/20 Amazon
+70.232.112.0/21 Amazon
+70.232.120.0/22 Amazon
+70.232.124.0/22 Amazon
+71.131.192.0/18 Amazon
+71.132.0.0/18 Amazon
+71.137.0.0/22 Amazon
+71.137.4.0/24 Amazon
+71.137.8.0/22 Amazon
+71.152.0.0/17 Amazon
+72.21.192.0/19 Amazon
+72.41.0.0/20 Amazon
+72.44.32.0/19 Amazon
+75.2.0.0/17 Amazon
+75.101.128.0/17 Amazon
+76.223.0.0/17 Amazon
+79.125.0.0/17 Amazon
+87.238.80.0/21 Amazon
+96.127.0.0/17 Amazon
+99.77.0.0/20 Amazon
+99.77.16.0/21 Amazon
+99.77.24.0/22 Amazon
+99.77.28.0/22 Amazon
+99.77.32.0/20 Amazon
+99.77.48.0/21 Amazon
+99.77.56.0/21 Amazon
+99.77.128.0/18 Amazon
+99.77.247.0/24 Amazon
+99.77.250.0/24 Amazon
+99.77.253.0/24 Amazon
+99.77.254.0/24 Amazon
+99.78.128.0/20 Amazon
+99.78.144.0/21 Amazon
+99.78.152.0/22 Amazon
+99.78.156.0/22 Amazon
+99.78.160.0/21 Amazon
+99.78.168.0/23 Amazon
+99.78.170.0/23 Amazon
+99.78.172.0/24 Amazon
+99.78.176.0/21 Amazon
+99.78.184.0/22 Amazon
+99.78.188.0/22 Amazon
+99.78.192.0/22 Amazon
+99.78.196.0/22 Amazon
+99.78.208.0/22 Amazon
+99.78.212.0/22 Amazon
+99.78.216.0/22 Amazon
+99.78.220.0/22 Amazon
+99.78.228.0/22 Amazon
+99.78.232.0/21 Amazon
+99.78.240.0/20 Amazon
+99.79.0.0/16 Amazon
+99.80.0.0/15 Amazon
+99.82.128.0/20 Amazon
+99.82.144.0/21 Amazon
+99.82.152.0/22 Amazon
+99.82.156.0/22 Amazon
+99.82.160.0/24 Amazon
+99.82.161.0/24 Amazon
+99.82.162.0/24 Amazon
+99.82.163.0/24 Amazon
+99.82.164.0/24 Amazon
+99.82.165.0/24 Amazon
+99.82.166.0/24 Amazon
+99.82.167.0/24 Amazon
+99.82.168.0/24 Amazon
+99.82.169.0/24 Amazon
+99.82.170.0/24 Amazon
+99.82.171.0/24 Amazon
+99.82.172.0/24 Amazon
+99.82.173.0/24 Amazon
+99.82.174.0/24 Amazon
+99.82.175.0/24 Amazon
+99.82.176.0/21 Amazon
+99.82.184.0/22 Amazon
+99.82.188.0/22 Amazon
+99.83.64.0/21 Amazon
+99.83.72.0/22 Amazon
+99.83.76.0/22 Amazon
+99.83.80.0/22 Amazon
+99.83.84.0/22 Amazon
+99.83.88.0/21 Amazon
+99.83.96.0/24 Amazon
+99.83.97.0/24 Amazon
+99.83.98.0/24 Amazon
+99.83.99.0/24 Amazon
+99.83.100.0/24 Amazon
+99.83.101.0/24 Amazon
+99.83.112.0/21 Amazon
+99.83.120.0/22 Amazon
+99.83.128.0/17 Amazon
+99.84.0.0/16 Amazon
+99.86.0.0/16 Amazon
+99.87.0.0/22 Amazon
+99.87.4.0/22 Amazon
+99.87.8.0/21 Amazon
+99.87.16.0/20 Amazon
+99.87.32.0/22 Amazon
+99.150.0.0/21 Amazon
+99.150.8.0/21 Amazon
+99.150.16.0/21 Amazon
+99.150.24.0/21 Amazon
+99.150.32.0/21 Amazon
+99.150.40.0/21 Amazon
+99.150.48.0/21 Amazon
+99.150.56.0/21 Amazon
+99.150.64.0/21 Amazon
+99.150.72.0/21 Amazon
+99.150.80.0/21 Amazon
+99.150.88.0/21 Amazon
+99.150.96.0/21 Amazon
+99.150.104.0/21 Amazon
+99.150.112.0/21 Amazon
+99.150.120.0/21 Amazon
+99.151.64.0/21 Amazon
+99.151.72.0/21 Amazon
+99.151.80.0/21 Amazon
+99.151.88.0/21 Amazon
+99.151.96.0/21 Amazon
+99.151.104.0/21 Amazon
+99.151.112.0/21 Amazon
+99.151.120.0/21 Amazon
+99.151.128.0/21 Amazon
+99.151.136.0/21 Amazon
+99.151.144.0/21 Amazon
+100.20.0.0/14 Amazon
+100.24.0.0/13 Amazon
+103.4.8.0/21 Amazon
+103.8.172.0/22 Amazon
+103.246.148.0/23 Amazon
+103.246.150.0/23 Amazon
+104.255.56.11/32 Amazon
+104.255.56.12/32 Amazon
+104.255.59.81/32 Amazon
+104.255.59.82/32 Amazon
+104.255.59.83/32 Amazon
+104.255.59.85/32 Amazon
+104.255.59.86/32 Amazon
+104.255.59.87/32 Amazon
+104.255.59.88/32 Amazon
+104.255.59.91/32 Amazon
+104.255.59.101/32 Amazon
+104.255.59.102/32 Amazon
+104.255.59.103/32 Amazon
+104.255.59.104/32 Amazon
+104.255.59.105/32 Amazon
+104.255.59.106/32 Amazon
+104.255.59.114/32 Amazon
+104.255.59.115/32 Amazon
+104.255.59.118/32 Amazon
+104.255.59.119/32 Amazon
+104.255.59.122/32 Amazon
+104.255.59.130/32 Amazon
+104.255.59.131/32 Amazon
+104.255.59.132/32 Amazon
+104.255.59.133/32 Amazon
+104.255.59.134/32 Amazon
+104.255.59.135/32 Amazon
+104.255.59.136/32 Amazon
+104.255.59.137/32 Amazon
+104.255.59.138/32 Amazon
+104.255.59.139/32 Amazon
+107.20.0.0/14 Amazon
+107.176.0.0/15 Amazon
+108.128.0.0/13 Amazon
+108.136.0.0/15 Amazon
+108.138.0.0/15 Amazon
+108.156.0.0/14 Amazon
+108.166.224.0/21 Amazon
+108.166.232.0/21 Amazon
+108.166.240.0/21 Amazon
+108.166.248.0/21 Amazon
+108.175.48.0/22 Amazon
+108.175.52.0/22 Amazon
+108.175.56.0/22 Amazon
+108.175.60.0/22 Amazon
+116.129.226.0/25 Amazon
+116.129.226.128/26 Amazon
+118.193.97.64/26 Amazon
+118.193.97.128/25 Amazon
+119.147.182.0/25 Amazon
+119.147.182.128/26 Amazon
+120.52.12.64/26 Amazon
+120.52.22.96/27 Amazon
+120.52.39.128/27 Amazon
+120.52.153.192/26 Amazon
+120.232.236.0/25 Amazon
+120.232.236.128/26 Amazon
+120.253.240.192/26 Amazon
+120.253.241.160/27 Amazon
+120.253.245.128/26 Amazon
+120.253.245.192/27 Amazon
+122.248.192.0/18 Amazon
+130.176.0.0/17 Amazon
+130.176.128.0/18 Amazon
+130.176.192.0/19 Amazon
+130.176.224.0/20 Amazon
+130.176.254.0/24 Amazon
+130.176.255.0/24 Amazon
+140.179.0.0/16 Amazon
+142.4.160.0/29 Amazon
+142.4.160.8/29 Amazon
+142.4.160.16/29 Amazon
+142.4.160.24/29 Amazon
+142.4.160.32/29 Amazon
+142.4.160.40/29 Amazon
+142.4.160.48/29 Amazon
+142.4.160.56/29 Amazon
+142.4.160.64/29 Amazon
+142.4.160.72/29 Amazon
+142.4.160.80/29 Amazon
+142.4.160.88/29 Amazon
+142.4.160.96/29 Amazon
+142.4.160.104/29 Amazon
+142.4.160.112/29 Amazon
+143.204.0.0/16 Amazon
+144.220.0.0/16 Amazon
+150.222.0.16/32 Amazon
+150.222.0.17/32 Amazon
+150.222.0.18/32 Amazon
+150.222.0.19/32 Amazon
+150.222.2.0/24 Amazon
+150.222.3.176/32 Amazon
+150.222.3.177/32 Amazon
+150.222.3.178/32 Amazon
+150.222.3.179/32 Amazon
+150.222.3.180/32 Amazon
+150.222.3.181/32 Amazon
+150.222.3.182/32 Amazon
+150.222.3.183/32 Amazon
+150.222.3.184/32 Amazon
+150.222.3.185/32 Amazon
+150.222.3.186/32 Amazon
+150.222.3.187/32 Amazon
+150.222.3.188/32 Amazon
+150.222.3.189/32 Amazon
+150.222.3.190/32 Amazon
+150.222.3.191/32 Amazon
+150.222.3.192/31 Amazon
+150.222.3.194/31 Amazon
+150.222.3.196/31 Amazon
+150.222.3.198/31 Amazon
+150.222.3.200/31 Amazon
+150.222.3.202/31 Amazon
+150.222.3.204/31 Amazon
+150.222.3.206/31 Amazon
+150.222.3.208/31 Amazon
+150.222.3.210/31 Amazon
+150.222.3.212/31 Amazon
+150.222.3.214/31 Amazon
+150.222.3.216/31 Amazon
+150.222.3.218/31 Amazon
+150.222.3.220/31 Amazon
+150.222.3.222/31 Amazon
+150.222.3.224/31 Amazon
+150.222.3.226/31 Amazon
+150.222.3.228/31 Amazon
+150.222.3.230/31 Amazon
+150.222.3.232/31 Amazon
+150.222.3.234/31 Amazon
+150.222.3.236/31 Amazon
+150.222.3.238/31 Amazon
+150.222.3.240/31 Amazon
+150.222.3.242/31 Amazon
+150.222.3.244/31 Amazon
+150.222.3.246/31 Amazon
+150.222.3.248/31 Amazon
+150.222.3.250/31 Amazon
+150.222.3.252/31 Amazon
+150.222.3.254/31 Amazon
+150.222.5.0/24 Amazon
+150.222.6.0/24 Amazon
+150.222.7.0/24 Amazon
+150.222.10.0/24 Amazon
+150.222.11.0/31 Amazon
+150.222.11.74/31 Amazon
+150.222.11.76/31 Amazon
+150.222.11.78/31 Amazon
+150.222.11.80/31 Amazon
+150.222.11.84/31 Amazon
+150.222.11.86/31 Amazon
+150.222.11.88/31 Amazon
+150.222.11.90/31 Amazon
+150.222.11.92/31 Amazon
+150.222.11.94/31 Amazon
+150.222.11.96/31 Amazon
+150.222.12.0/24 Amazon
+150.222.13.0/24 Amazon
+150.222.14.72/31 Amazon
+150.222.15.124/32 Amazon
+150.222.15.125/32 Amazon
+150.222.15.126/32 Amazon
+150.222.15.127/32 Amazon
+150.222.15.128/31 Amazon
+150.222.15.130/31 Amazon
+150.222.28.17/32 Amazon
+150.222.28.18/31 Amazon
+150.222.28.104/32 Amazon
+150.222.28.105/32 Amazon
+150.222.28.106/31 Amazon
+150.222.28.108/31 Amazon
+150.222.28.110/31 Amazon
+150.222.28.112/31 Amazon
+150.222.28.114/31 Amazon
+150.222.28.116/31 Amazon
+150.222.28.118/31 Amazon
+150.222.28.120/31 Amazon
+150.222.28.122/31 Amazon
+150.222.28.124/31 Amazon
+150.222.28.126/31 Amazon
+150.222.28.128/31 Amazon
+150.222.28.130/31 Amazon
+150.222.28.132/31 Amazon
+150.222.28.134/31 Amazon
+150.222.28.136/31 Amazon
+150.222.28.138/31 Amazon
+150.222.28.140/31 Amazon
+150.222.28.142/31 Amazon
+150.222.66.0/24 Amazon
+150.222.67.0/24 Amazon
+150.222.69.0/24 Amazon
+150.222.70.0/24 Amazon
+150.222.71.0/24 Amazon
+150.222.72.0/24 Amazon
+150.222.73.0/24 Amazon
+150.222.74.0/24 Amazon
+150.222.75.0/24 Amazon
+150.222.76.0/24 Amazon
+150.222.77.0/24 Amazon
+150.222.78.0/24 Amazon
+150.222.79.0/24 Amazon
+150.222.80.0/24 Amazon
+150.222.81.0/24 Amazon
+150.222.82.0/24 Amazon
+150.222.83.0/24 Amazon
+150.222.84.0/24 Amazon
+150.222.85.0/24 Amazon
+150.222.87.0/24 Amazon
+150.222.88.0/24 Amazon
+150.222.89.0/24 Amazon
+150.222.90.0/24 Amazon
+150.222.91.0/24 Amazon
+150.222.92.0/22 Amazon
+150.222.96.0/24 Amazon
+150.222.97.0/24 Amazon
+150.222.98.0/24 Amazon
+150.222.99.0/24 Amazon
+150.222.100.0/24 Amazon
+150.222.101.0/24 Amazon
+150.222.102.0/24 Amazon
+150.222.104.0/24 Amazon
+150.222.105.0/24 Amazon
+150.222.106.0/24 Amazon
+150.222.108.0/24 Amazon
+150.222.109.0/24 Amazon
+150.222.110.0/24 Amazon
+150.222.112.0/24 Amazon
+150.222.113.0/24 Amazon
+150.222.114.0/24 Amazon
+150.222.115.0/24 Amazon
+150.222.116.0/24 Amazon
+150.222.117.0/24 Amazon
+150.222.118.0/24 Amazon
+150.222.119.0/24 Amazon
+150.222.120.20/31 Amazon
+150.222.120.62/31 Amazon
+150.222.120.224/31 Amazon
+150.222.120.226/31 Amazon
+150.222.120.228/31 Amazon
+150.222.120.230/31 Amazon
+150.222.120.232/31 Amazon
+150.222.120.234/31 Amazon
+150.222.120.240/31 Amazon
+150.222.120.242/31 Amazon
+150.222.120.244/31 Amazon
+150.222.120.246/31 Amazon
+150.222.120.248/31 Amazon
+150.222.120.250/31 Amazon
+150.222.120.252/32 Amazon
+150.222.120.255/32 Amazon
+150.222.121.0/24 Amazon
+150.222.122.92/31 Amazon
+150.222.122.94/31 Amazon
+150.222.122.96/31 Amazon
+150.222.122.98/31 Amazon
+150.222.122.100/31 Amazon
+150.222.122.102/31 Amazon
+150.222.122.104/31 Amazon
+150.222.122.106/31 Amazon
+150.222.122.108/31 Amazon
+150.222.122.110/31 Amazon
+150.222.122.112/31 Amazon
+150.222.122.114/31 Amazon
+150.222.122.116/31 Amazon
+150.222.129.19/32 Amazon
+150.222.129.20/31 Amazon
+150.222.129.62/31 Amazon
+150.222.129.64/31 Amazon
+150.222.129.66/31 Amazon
+150.222.129.69/32 Amazon
+150.222.129.110/31 Amazon
+150.222.129.112/31 Amazon
+150.222.129.114/31 Amazon
+150.222.129.116/31 Amazon
+150.222.129.118/31 Amazon
+150.222.129.120/31 Amazon
+150.222.129.122/31 Amazon
+150.222.129.124/31 Amazon
+150.222.129.126/31 Amazon
+150.222.129.128/31 Amazon
+150.222.129.130/31 Amazon
+150.222.129.132/31 Amazon
+150.222.129.134/31 Amazon
+150.222.129.136/31 Amazon
+150.222.129.138/31 Amazon
+150.222.129.140/31 Amazon
+150.222.129.142/31 Amazon
+150.222.129.144/31 Amazon
+150.222.129.146/31 Amazon
+150.222.129.152/31 Amazon
+150.222.129.154/31 Amazon
+150.222.129.156/31 Amazon
+150.222.129.158/31 Amazon
+150.222.129.240/31 Amazon
+150.222.129.242/31 Amazon
+150.222.129.244/31 Amazon
+150.222.129.246/31 Amazon
+150.222.129.248/31 Amazon
+150.222.129.250/31 Amazon
+150.222.129.252/32 Amazon
+150.222.129.255/32 Amazon
+150.222.133.0/24 Amazon
+150.222.134.0/24 Amazon
+150.222.135.0/24 Amazon
+150.222.136.0/24 Amazon
+150.222.138.0/24 Amazon
+150.222.139.116/30 Amazon
+150.222.139.120/30 Amazon
+150.222.139.124/30 Amazon
+150.222.140.0/24 Amazon
+150.222.141.0/24 Amazon
+150.222.142.0/24 Amazon
+150.222.143.0/24 Amazon
+150.222.164.208/31 Amazon
+150.222.164.210/32 Amazon
+150.222.164.211/32 Amazon
+150.222.164.220/31 Amazon
+150.222.164.222/32 Amazon
+150.222.176.0/22 Amazon
+150.222.180.0/24 Amazon
+150.222.196.0/24 Amazon
+150.222.199.0/25 Amazon
+150.222.202.0/24 Amazon
+150.222.203.0/24 Amazon
+150.222.204.0/24 Amazon
+150.222.205.0/24 Amazon
+150.222.206.0/24 Amazon
+150.222.207.0/24 Amazon
+150.222.208.64/32 Amazon
+150.222.208.65/32 Amazon
+150.222.208.66/31 Amazon
+150.222.208.68/31 Amazon
+150.222.208.70/31 Amazon
+150.222.208.72/31 Amazon
+150.222.208.74/31 Amazon
+150.222.208.76/31 Amazon
+150.222.208.78/31 Amazon
+150.222.208.80/31 Amazon
+150.222.208.82/31 Amazon
+150.222.208.84/31 Amazon
+150.222.208.86/31 Amazon
+150.222.208.88/31 Amazon
+150.222.208.90/31 Amazon
+150.222.208.92/31 Amazon
+150.222.208.94/31 Amazon
+150.222.208.96/31 Amazon
+150.222.210.0/24 Amazon
+150.222.212.0/24 Amazon
+150.222.213.40/32 Amazon
+150.222.213.41/32 Amazon
+150.222.214.0/24 Amazon
+150.222.215.0/24 Amazon
+150.222.217.17/32 Amazon
+150.222.217.226/31 Amazon
+150.222.217.228/30 Amazon
+150.222.217.232/31 Amazon
+150.222.217.234/31 Amazon
+150.222.217.248/31 Amazon
+150.222.217.250/31 Amazon
+150.222.218.0/24 Amazon
+150.222.219.0/24 Amazon
+150.222.220.0/24 Amazon
+150.222.221.0/24 Amazon
+150.222.222.0/24 Amazon
+150.222.223.0/24 Amazon
+150.222.224.0/24 Amazon
+150.222.226.0/24 Amazon
+150.222.227.0/24 Amazon
+150.222.228.0/24 Amazon
+150.222.229.0/24 Amazon
+150.222.230.92/32 Amazon
+150.222.230.93/32 Amazon
+150.222.230.94/31 Amazon
+150.222.230.96/31 Amazon
+150.222.230.98/31 Amazon
+150.222.230.100/31 Amazon
+150.222.230.102/31 Amazon
+150.222.230.104/31 Amazon
+150.222.230.106/31 Amazon
+150.222.230.108/31 Amazon
+150.222.230.110/31 Amazon
+150.222.230.112/31 Amazon
+150.222.230.114/31 Amazon
+150.222.230.116/31 Amazon
+150.222.230.118/31 Amazon
+150.222.230.120/31 Amazon
+150.222.230.122/31 Amazon
+150.222.230.124/31 Amazon
+150.222.231.0/24 Amazon
+150.222.232.51/32 Amazon
+150.222.232.88/32 Amazon
+150.222.232.94/31 Amazon
+150.222.232.96/28 Amazon
+150.222.232.112/31 Amazon
+150.222.232.114/31 Amazon
+150.222.232.116/31 Amazon
+150.222.232.118/31 Amazon
+150.222.232.120/31 Amazon
+150.222.233.0/24 Amazon
+150.222.234.0/32 Amazon
+150.222.234.1/32 Amazon
+150.222.234.2/32 Amazon
+150.222.234.3/32 Amazon
+150.222.234.4/32 Amazon
+150.222.234.5/32 Amazon
+150.222.234.6/31 Amazon
+150.222.234.8/31 Amazon
+150.222.234.10/31 Amazon
+150.222.234.12/31 Amazon
+150.222.234.14/31 Amazon
+150.222.234.16/31 Amazon
+150.222.234.18/31 Amazon
+150.222.234.20/31 Amazon
+150.222.234.22/31 Amazon
+150.222.234.24/31 Amazon
+150.222.234.26/31 Amazon
+150.222.234.28/31 Amazon
+150.222.234.30/31 Amazon
+150.222.234.32/31 Amazon
+150.222.234.34/31 Amazon
+150.222.234.36/31 Amazon
+150.222.234.38/31 Amazon
+150.222.234.40/31 Amazon
+150.222.234.42/31 Amazon
+150.222.234.44/31 Amazon
+150.222.234.46/31 Amazon
+150.222.234.48/31 Amazon
+150.222.234.50/31 Amazon
+150.222.234.52/31 Amazon
+150.222.234.54/31 Amazon
+150.222.234.56/31 Amazon
+150.222.234.58/31 Amazon
+150.222.234.60/31 Amazon
+150.222.234.62/31 Amazon
+150.222.234.64/31 Amazon
+150.222.234.66/31 Amazon
+150.222.234.68/31 Amazon
+150.222.234.70/31 Amazon
+150.222.234.72/31 Amazon
+150.222.234.74/31 Amazon
+150.222.234.76/31 Amazon
+150.222.234.78/31 Amazon
+150.222.234.80/31 Amazon
+150.222.234.82/31 Amazon
+150.222.234.84/31 Amazon
+150.222.234.86/31 Amazon
+150.222.234.96/31 Amazon
+150.222.234.98/31 Amazon
+150.222.234.100/31 Amazon
+150.222.234.102/32 Amazon
+150.222.234.103/32 Amazon
+150.222.234.104/31 Amazon
+150.222.234.106/31 Amazon
+150.222.234.108/31 Amazon
+150.222.234.110/31 Amazon
+150.222.234.112/31 Amazon
+150.222.234.114/31 Amazon
+150.222.234.116/31 Amazon
+150.222.234.118/31 Amazon
+150.222.234.120/31 Amazon
+150.222.234.122/31 Amazon
+150.222.234.124/31 Amazon
+150.222.234.126/31 Amazon
+150.222.234.128/31 Amazon
+150.222.234.130/31 Amazon
+150.222.234.132/31 Amazon
+150.222.234.134/31 Amazon
+150.222.234.136/31 Amazon
+150.222.234.138/31 Amazon
+150.222.234.140/31 Amazon
+150.222.234.142/31 Amazon
+150.222.235.0/24 Amazon
+150.222.236.0/24 Amazon
+150.222.237.0/24 Amazon
+150.222.239.0/24 Amazon
+150.222.240.131/32 Amazon
+150.222.240.135/32 Amazon
+150.222.240.137/32 Amazon
+150.222.240.161/32 Amazon
+150.222.240.207/32 Amazon
+150.222.240.237/32 Amazon
+150.222.240.245/32 Amazon
+150.222.240.247/32 Amazon
+150.222.240.249/32 Amazon
+150.222.240.251/32 Amazon
+150.222.242.84/31 Amazon
+150.222.242.97/32 Amazon
+150.222.242.99/32 Amazon
+150.222.242.214/31 Amazon
+150.222.242.227/32 Amazon
+150.222.242.229/32 Amazon
+150.222.242.231/32 Amazon
+150.222.242.233/32 Amazon
+150.222.243.9/32 Amazon
+150.222.243.11/32 Amazon
+150.222.243.13/32 Amazon
+150.222.243.15/32 Amazon
+150.222.243.17/32 Amazon
+150.222.243.19/32 Amazon
+150.222.243.33/32 Amazon
+150.222.243.35/32 Amazon
+150.222.243.37/32 Amazon
+150.222.243.39/32 Amazon
+150.222.243.41/32 Amazon
+150.222.243.43/32 Amazon
+150.222.243.45/32 Amazon
+150.222.243.47/32 Amazon
+150.222.243.51/32 Amazon
+150.222.243.53/32 Amazon
+150.222.243.55/32 Amazon
+150.222.243.57/32 Amazon
+150.222.243.59/32 Amazon
+150.222.243.177/32 Amazon
+150.222.244.35/32 Amazon
+150.222.244.37/32 Amazon
+150.222.245.122/31 Amazon
+150.222.252.244/31 Amazon
+150.222.252.246/31 Amazon
+150.222.252.248/31 Amazon
+150.222.252.250/31 Amazon
+157.175.0.0/16 Amazon
+157.241.0.0/16 Amazon
+160.1.0.0/16 Amazon
+161.188.128.0/23 Amazon
+161.188.130.0/23 Amazon
+161.188.132.0/23 Amazon
+161.188.134.0/23 Amazon
+161.188.136.0/23 Amazon
+161.188.138.0/23 Amazon
+161.188.140.0/23 Amazon
+161.188.142.0/23 Amazon
+161.188.144.0/23 Amazon
+161.188.146.0/23 Amazon
+161.188.148.0/23 Amazon
+161.188.150.0/23 Amazon
+161.188.152.0/23 Amazon
+161.188.154.0/23 Amazon
+161.188.156.0/23 Amazon
+161.188.158.0/23 Amazon
+161.188.160.0/23 Amazon
+161.189.0.0/16 Amazon
+162.213.232.0/24 Amazon
+162.213.233.0/24 Amazon
+162.213.234.0/23 Amazon
+162.222.148.0/22 Amazon
+162.250.236.0/24 Amazon
+162.250.237.0/24 Amazon
+162.250.238.0/23 Amazon
+172.96.97.0/24 Amazon
+172.96.98.0/24 Amazon
+172.96.110.0/24 Amazon
+174.129.0.0/16 Amazon
+175.41.128.0/18 Amazon
+175.41.192.0/18 Amazon
+176.32.64.0/19 Amazon
+176.32.96.0/21 Amazon
+176.32.104.0/21 Amazon
+176.32.112.0/21 Amazon
+176.32.120.0/22 Amazon
+176.32.124.128/25 Amazon
+176.32.125.0/25 Amazon
+176.32.125.128/26 Amazon
+176.32.125.192/27 Amazon
+176.32.125.224/31 Amazon
+176.32.125.226/31 Amazon
+176.32.125.228/31 Amazon
+176.32.125.230/31 Amazon
+176.32.125.232/31 Amazon
+176.32.125.234/31 Amazon
+176.32.125.236/31 Amazon
+176.32.125.238/31 Amazon
+176.32.125.240/31 Amazon
+176.32.125.242/31 Amazon
+176.32.125.244/31 Amazon
+176.32.125.246/31 Amazon
+176.32.125.248/31 Amazon
+176.32.125.250/31 Amazon
+176.32.125.252/31 Amazon
+176.32.125.254/31 Amazon
+176.34.0.0/19 Amazon
+176.34.32.0/19 Amazon
+176.34.64.0/18 Amazon
+176.34.128.0/17 Amazon
+177.71.128.0/17 Amazon
+177.72.240.0/21 Amazon
+178.236.0.0/20 Amazon
+180.163.57.0/25 Amazon
+180.163.57.128/26 Amazon
+184.72.0.0/18 Amazon
+184.72.64.0/18 Amazon
+184.72.128.0/17 Amazon
+184.73.0.0/16 Amazon
+184.169.128.0/17 Amazon
+185.48.120.0/22 Amazon
+185.143.16.0/24 Amazon
+195.17.0.0/24 Amazon
+198.99.2.0/24 Amazon
+199.127.232.0/22 Amazon
+203.83.220.0/22 Amazon
+204.45.0.0/16 Amazon
+204.236.128.0/18 Amazon
+204.236.192.0/18 Amazon
+204.246.160.0/22 Amazon
+204.246.164.0/22 Amazon
+204.246.168.0/22 Amazon
+204.246.172.0/24 Amazon
+204.246.173.0/24 Amazon
+204.246.174.0/23 Amazon
+204.246.176.0/20 Amazon
+205.251.192.0/21 Amazon
+205.251.200.0/21 Amazon
+205.251.208.0/20 Amazon
+205.251.224.0/22 Amazon
+205.251.228.0/22 Amazon
+205.251.232.0/22 Amazon
+205.251.236.0/22 Amazon
+205.251.240.0/22 Amazon
+205.251.244.0/23 Amazon
+205.251.246.0/24 Amazon
+205.251.247.0/24 Amazon
+205.251.248.0/24 Amazon
+205.251.249.0/24 Amazon
+205.251.250.0/23 Amazon
+205.251.252.0/23 Amazon
+205.251.254.0/24 Amazon
+207.171.160.0/20 Amazon
+207.171.176.0/20 Amazon
+208.86.88.0/23 Amazon
+208.86.90.0/23 Amazon
+208.110.48.0/20 Amazon
+209.54.176.0/21 Amazon
+209.54.184.0/21 Amazon
+216.137.32.0/19 Amazon
+216.182.224.0/21 Amazon
+216.182.232.0/22 Amazon
+216.182.236.0/23 Amazon
+216.182.238.0/23 Amazon
+223.71.11.0/27 Amazon
+223.71.71.96/27 Amazon
+223.71.71.128/25 Amazon
diff --git a/src/fnettrace/tail.c b/src/fnettrace/tail.c
new file mode 100644
index 000000000..a910788d6
--- /dev/null
+++ b/src/fnettrace/tail.c
@@ -0,0 +1,63 @@
+/*
+ * Copyright (C) 2014-2022 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "fnettrace.h"
+
+void tail(const char *logfile) {
+        assert(logfile);
+
+        // wait for no more than 5 seconds for the logfile to appear in the filesystem
+        int cnt = 5;
+        while (access(logfile, R_OK) && cnt > 0)
+                cnt--;
+        if (cnt == 0)
+                exit(1);
+
+        off_t last_size = 0;
+
+        while (1) {
+                int fd = open(logfile, O_RDONLY);
+                if (fd == -1)
+                        return;
+
+                off_t size = lseek(fd, 0, SEEK_END);
+                if (size < 0) {
+                        close(fd);
+                        return;
+                }
+
+                char *content = NULL;
+                int mmapped = 0;
+                if (size && size != last_size) {
+                        content = mmap(NULL, size, PROT_READ, MAP_PRIVATE, fd, 0);
+                        close(fd);
+                        if (content != MAP_FAILED)
+                                mmapped = 1;
+                }
+
+                if (mmapped) {
+                        printf("%.*s", (int) (size - last_size), content + last_size);
+                        fflush(0);
+                        munmap(content, size);
+                        last_size = size;
+                }
+
+                sleep(1);
+        }
+}
diff --git a/src/fsec-optimize/fsec_optimize.h b/src/fsec-optimize/fsec_optimize.h
index fc9dd7db8..2a77f69aa 100644
--- a/src/fsec-optimize/fsec_optimize.h
+++ b/src/fsec-optimize/fsec_optimize.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/fsec-optimize/main.c b/src/fsec-optimize/main.c
index 84bf2d4f9..ec3420e16 100644
--- a/src/fsec-optimize/main.c
+++ b/src/fsec-optimize/main.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/fsec-optimize/optimizer.c b/src/fsec-optimize/optimizer.c
index 4c02de59d..20333a8a8 100644
--- a/src/fsec-optimize/optimizer.c
+++ b/src/fsec-optimize/optimizer.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/fsec-print/fsec_print.h b/src/fsec-print/fsec_print.h
index 75a82c11a..a754e2295 100644
--- a/src/fsec-print/fsec_print.h
+++ b/src/fsec-print/fsec_print.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/fsec-print/main.c b/src/fsec-print/main.c
index 5bca93d50..039377999 100644
--- a/src/fsec-print/main.c
+++ b/src/fsec-print/main.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/fsec-print/print.c b/src/fsec-print/print.c
index 143a7a53e..f6af20f04 100644
--- a/src/fsec-print/print.c
+++ b/src/fsec-print/print.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/fseccomp/fseccomp.h b/src/fseccomp/fseccomp.h
index 97eac9ed8..65337da2a 100644
--- a/src/fseccomp/fseccomp.h
+++ b/src/fseccomp/fseccomp.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/fseccomp/main.c b/src/fseccomp/main.c
index 326c29a44..48665ab71 100644
--- a/src/fseccomp/main.c
+++ b/src/fseccomp/main.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/fseccomp/protocol.c b/src/fseccomp/protocol.c
index 48dda61dd..25742c173 100644
--- a/src/fseccomp/protocol.c
+++ b/src/fseccomp/protocol.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/fseccomp/seccomp.c b/src/fseccomp/seccomp.c
index 99e671799..49b789755 100644
--- a/src/fseccomp/seccomp.c
+++ b/src/fseccomp/seccomp.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/fseccomp/seccomp_file.c b/src/fseccomp/seccomp_file.c
index 846c7f335..ee18ca74f 100644
--- a/src/fseccomp/seccomp_file.c
+++ b/src/fseccomp/seccomp_file.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/fseccomp/seccomp_secondary.c b/src/fseccomp/seccomp_secondary.c
index 540892026..d4ccd96b2 100644
--- a/src/fseccomp/seccomp_secondary.c
+++ b/src/fseccomp/seccomp_secondary.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/fshaper/fshaper.sh b/src/fshaper/fshaper.sh
index f9a6c4f06..a8379612d 100755
--- a/src/fshaper/fshaper.sh
+++ b/src/fshaper/fshaper.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 TCFILE=""
diff --git a/src/ftee/ftee.h b/src/ftee/ftee.h
index a556efb75..458308a4c 100644
--- a/src/ftee/ftee.h
+++ b/src/ftee/ftee.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/ftee/main.c b/src/ftee/main.c
index 4d447f2c4..d408566fa 100644
--- a/src/ftee/main.c
+++ b/src/ftee/main.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/include/common.h b/src/include/common.h
index 5bcbaad88..c9640435a 100644
--- a/src/include/common.h
+++ b/src/include/common.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -73,6 +73,25 @@ static inline int atoip(const char *str, uint32_t *ip) {
         return 0;
 }
 
+// read an IPv4 address in CIDR format, for example 192.168.1.0/24
+static inline int atocidr(const char *str, uint32_t *ip, uint32_t *mask) {
+        unsigned a, b, c, d, e;
+
+        // extract ip
+        int rv = sscanf(str, "%u.%u.%u.%u/%u", &a, &b, &c, &d, &e);
+        if (rv != 5 || a > 255 || b > 255 || c > 255 || d > 255 || e > 32)
+                return 1;
+        *ip = a * 0x1000000 + b * 0x10000 + c * 0x100 + d;
+
+        // extract mask
+        uint32_t tmp;
+        unsigned i;
+        for (i = 0, *mask = 0, tmp = 0x80000000; i < e; i++, tmp >>= 1) {
+                *mask |= tmp;
+        }
+        return 0;
+}
+
 // verify an ip address is in the network range given by ifip and mask
 static inline char *in_netrange(uint32_t ip, uint32_t ifip, uint32_t ifmask) {
         if ((ip & ifmask) != (ifip & ifmask))
@@ -121,6 +140,12 @@ char *pid_proc_comm(const pid_t pid);
 char *pid_proc_cmdline(const pid_t pid);
 int pid_proc_cmdline_x11_xpra_xephyr(const pid_t pid);
 int pid_hidepid(void);
+char *do_replace_cntrl_chars(char *str, char c);
+char *replace_cntrl_chars(const char *str, char c);
+int has_cntrl_chars(const char *str);
+void reject_cntrl_chars(const char *fname);
+void reject_meta_chars(const char *fname, int globbing);
 void warn_dumpable(void);
 const char *gnu_basename(const char *path);
+int *str_to_int_array(const char *str, size_t *sz);
 #endif
diff --git a/src/include/euid_common.h b/src/include/euid_common.h
index 8d8dd95f6..f40cbb9de 100644
--- a/src/include/euid_common.h
+++ b/src/include/euid_common.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/include/firejail_user.h b/src/include/firejail_user.h
index cf17fa0cf..6cf895db8 100644
--- a/src/include/firejail_user.h
+++ b/src/include/firejail_user.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/include/gcov_wrapper.h b/src/include/gcov_wrapper.h
new file mode 100644
index 000000000..144181ca0
--- /dev/null
+++ b/src/include/gcov_wrapper.h
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) 2022 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#ifndef GCOV_WRAPPER_H
+#define GCOV_WRAPPER_H
+
+#ifdef HAS_GCOV
+#include <gcov.h>
+
+/*
+ * __gcov_flush was removed on gcc 11.1.0 (as it's no longer needed), but it
+ * appears to be the safe/"correct" way to do things on previous versions (as
+ * it ensured proper locking, which is now done elsewhere).  Thus, keep using
+ * it in the code and ensure that it exists, in order to support gcc <11.1.0
+ * and gcc >=11.1.0, respectively.
+ */
+#if __GNUC__ > 11 || (__GNUC__ == 11 && __GNUC_MINOR__ >= 1)
+static void __gcov_flush(void) {
+       __gcov_dump();
+       __gcov_reset();
+}
+#endif
+#else
+#define __gcov_dump() ((void)0)
+#define __gcov_reset() ((void)0)
+#define __gcov_flush() ((void)0)
+#endif /* HAS_GCOV */
+
+#endif /* GCOV_WRAPPER_H */
diff --git a/src/include/ldd_utils.h b/src/include/ldd_utils.h
index ffd6e189f..e9dac1171 100644
--- a/src/include/ldd_utils.h
+++ b/src/include/ldd_utils.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/include/pid.h b/src/include/pid.h
index 17e51f660..7e235b713 100644
--- a/src/include/pid.h
+++ b/src/include/pid.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/include/rundefs.h b/src/include/rundefs.h
index d14f6782f..4ba3e27f4 100644
--- a/src/include/rundefs.h
+++ b/src/include/rundefs.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -79,24 +79,8 @@
 #define PATH_SECCOMP_MDWX_32            LIBDIR "/firejail/seccomp.mdwx.32"
 #define PATH_SECCOMP_BLOCK_SECONDARY    LIBDIR "/firejail/seccomp.block_secondary"      // secondary arch blocking filter built during make
 
-
 #define RUN_DEV_DIR                     RUN_MNT_DIR "/dev"
 #define RUN_DEVLOG_FILE                 RUN_MNT_DIR "/devlog"
-
-#define RUN_WHITELIST_X11_DIR           RUN_MNT_DIR "/orig-x11"
-#define RUN_WHITELIST_HOME_USER_DIR     RUN_MNT_DIR "/orig-home-user"           // home directory whitelisting
-#define RUN_WHITELIST_RUN_USER_DIR      RUN_MNT_DIR "/orig-run-user"            // run directory whitelisting
-#define RUN_WHITELIST_TMP_DIR           RUN_MNT_DIR "/orig-tmp"
-#define RUN_WHITELIST_MEDIA_DIR         RUN_MNT_DIR "/orig-media"
-#define RUN_WHITELIST_MNT_DIR           RUN_MNT_DIR "/orig-mnt"
-#define RUN_WHITELIST_VAR_DIR           RUN_MNT_DIR "/orig-var"
-#define RUN_WHITELIST_DEV_DIR           RUN_MNT_DIR "/orig-dev"
-#define RUN_WHITELIST_OPT_DIR           RUN_MNT_DIR "/orig-opt"
-#define RUN_WHITELIST_SRV_DIR           RUN_MNT_DIR "/orig-srv"
-#define RUN_WHITELIST_ETC_DIR           RUN_MNT_DIR "/orig-etc"
-#define RUN_WHITELIST_SHARE_DIR         RUN_MNT_DIR "/orig-share"
-#define RUN_WHITELIST_MODULE_DIR        RUN_MNT_DIR "/orig-module"
-
 #define RUN_XAUTHORITY_FILE             RUN_MNT_DIR "/.Xauthority"              // private options
 #define RUN_XAUTH_FILE                  RUN_MNT_DIR "/xauth"                    // x11=xorg
 #define RUN_XAUTHORITY_SEC_DIR          RUN_MNT_DIR "/.sec.Xauthority"          // x11=xorg
diff --git a/src/include/seccomp.h b/src/include/seccomp.h
index 43bb73a04..9dbe25bfa 100644
--- a/src/include/seccomp.h
+++ b/src/include/seccomp.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/include/syscall.h b/src/include/syscall.h
index 015dd01b9..68be16a04 100644
--- a/src/include/syscall.h
+++ b/src/include/syscall.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/jailtest/Makefile.in b/src/jailcheck/Makefile.in
index 6306d24ec..d218c1f90 100644
--- a/src/jailtest/Makefile.in
+++ b/src/jailcheck/Makefile.in
@@ -1,16 +1,16 @@
 .PHONY: all
-all: jailtest
+all: jailcheck
 
 include ../common.mk
 
 %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/pid.h
         $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
 
-jailtest: $(OBJS)
+jailcheck: $(OBJS)
         $(CC)  $(LDFLAGS) -o $@ $(OBJS)  ../lib/common.o ../lib/pid.o $(LIBS) $(EXTRA_LDFLAGS)
 
 .PHONY: clean
-clean:; rm -fr *.o jailtest *.gcov *.gcda *.gcno *.plist
+clean:; rm -fr *.o jailcheck *.gcov *.gcda *.gcno *.plist
 
 .PHONY: distclean
 distclean: clean
diff --git a/src/jailtest/access.c b/src/jailcheck/access.c
index 4e737dc7a..3e99b0b52 100644
--- a/src/jailtest/access.c
+++ b/src/jailcheck/access.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -17,7 +17,7 @@
  * with this program; if not, write to the Free Software Foundation, Inc.,
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
-#include "jailtest.h"
+#include "jailcheck.h"
 #include <dirent.h>
 #include <sys/wait.h>
 
@@ -36,7 +36,7 @@ void access_setup(const char *directory) {
         assert(user_home_dir);
 
         if (files_cnt >= MAX_TEST_FILES) {
-                fprintf(stderr, "Error: maximum number of test directories exceded\n");
+                fprintf(stderr, "Error: maximum number of test directories exceeded\n");
                 exit(1);
         }
 
@@ -74,7 +74,7 @@ void access_setup(const char *directory) {
 
         // create a test file
         char *test_file;
-        if (asprintf(&test_file, "%s/jailtest-access-%d", path, getpid()) == -1)
+        if (asprintf(&test_file, "%s/jailcheck-access-%d", path, getpid()) == -1)
                 errExit("asprintf");
 
         FILE *fp = fopen(test_file, "w");
diff --git a/src/jailtest/apparmor.c b/src/jailcheck/apparmor.c
index 9ddfea3de..521ce047e 100644
--- a/src/jailtest/apparmor.c
+++ b/src/jailcheck/apparmor.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -17,7 +17,7 @@
  * with this program; if not, write to the Free Software Foundation, Inc.,
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
-#include "jailtest.h"
+#include "jailcheck.h"
 
 #ifdef HAVE_APPARMOR
 #include <sys/apparmor.h>
diff --git a/src/jailtest/jailtest.h b/src/jailcheck/jailcheck.h
index 0c4883061..2d25ee8ce 100644
--- a/src/jailtest/jailtest.h
+++ b/src/jailcheck/jailcheck.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -17,8 +17,8 @@
  * with this program; if not, write to the Free Software Foundation, Inc.,
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
-#ifndef JAILTEST_H
-#define JAILTEST_H
+#ifndef JAILCHECK_H
+#define JAILCHECK_H
 
 #include "../include/common.h"
 
@@ -53,10 +53,12 @@ void apparmor_test(pid_t pid);
 // seccomp.c
 void seccomp_test(pid_t pid);
 
+// network.c
+void network_test(void);
 // utils.c
 char *get_sudo_user(void);
 char *get_homedir(const char *user, uid_t *uid, gid_t *gid);
 int find_child(pid_t pid);
 pid_t switch_to_child(pid_t pid);
 
-#endif
\ No newline at end of file
+#endif
diff --git a/src/jailtest/main.c b/src/jailcheck/main.c
index 3369dca39..04fc3a6af 100644
--- a/src/jailtest/main.c
+++ b/src/jailcheck/main.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -17,7 +17,7 @@
  * with this program; if not, write to the Free Software Foundation, Inc.,
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
-#include "jailtest.h"
+#include "jailcheck.h"
 #include "../include/firejail_user.h"
 #include "../include/pid.h"
 #include <sys/wait.h>
@@ -30,7 +30,7 @@ char *user_run_dir = NULL;
 int arg_debug = 0;
 
 static char *usage_str =
-        "Usage: jailtest [options] directory [directory]\n\n"
+        "Usage: jailcheck [options] directory [directory]\n\n"
         "Options:\n"
         "   --debug - print debug messages.\n"
         "   --help, -? - this help screen.\n"
@@ -157,6 +157,7 @@ int main(int argc, char **argv) {
                         seccomp_test(pid);
                         fflush(0);
 
+                        // filesystem tests
                         pid_t child = fork();
                         if (child == -1)
                                 errExit("fork");
@@ -185,6 +186,28 @@ int main(int argc, char **argv) {
                         }
                         int status;
                         wait(&status);
+
+                        // network test
+                        child = fork();
+                        if (child == -1)
+                                errExit("fork");
+                        if (child == 0) {
+                                int rv = join_namespace(pid, "net");
+                                if (rv == 0)
+                                        network_test();
+                                else {
+                                        printf("   Error: I cannot join the process network stack\n");
+                                        exit(1);
+                                }
+
+                                // drop privileges in order not to trigger cleanup()
+                                if (setgid(user_gid) != 0)
+                                        errExit("setgid");
+                                if (setuid(user_uid) != 0)
+                                        errExit("setuid");
+                                return 0;
+                        }
+                        wait(&status);
                 }
         }
 
diff --git a/src/jailcheck/network.c b/src/jailcheck/network.c
new file mode 100644
index 000000000..8f70c6ff0
--- /dev/null
+++ b/src/jailcheck/network.c
@@ -0,0 +1,57 @@
+/*
+ * Copyright (C) 2014-2022 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "jailcheck.h"
+#include <netdb.h>
+#include <arpa/inet.h>
+#include <ifaddrs.h>
+#include <net/if.h>
+#include <linux/connector.h>
+#include <linux/netlink.h>
+#include <linux/if_link.h>
+#include <linux/sockios.h>
+#include <sys/ioctl.h>
+
+
+void network_test(void) {
+        // I am root running in a network namespace
+        struct ifaddrs *ifaddr, *ifa;
+        int found = 0;
+
+        // walk through the linked list
+        if (getifaddrs(&ifaddr) == -1)
+                errExit("getifaddrs");
+        for (ifa = ifaddr; ifa != NULL; ifa = ifa->ifa_next) {
+                if (strcmp(ifa->ifa_name, "lo") == 0)
+                        continue;
+
+                found = 1;
+                break;
+        }
+
+        freeifaddrs(ifaddr);
+
+        if (found)
+                printf("   Networking: enabled\n");
+        else
+                printf("   Networking: disabled\n");
+}
+
+
+
diff --git a/src/jailtest/noexec.c b/src/jailcheck/noexec.c
index 4347b7eef..4cf5dabde 100644
--- a/src/jailtest/noexec.c
+++ b/src/jailcheck/noexec.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -17,7 +17,7 @@
  * with this program; if not, write to the Free Software Foundation, Inc.,
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
-#include "jailtest.h"
+#include "jailcheck.h"
 #include <sys/wait.h>
 #include <sys/stat.h>
 #include <fcntl.h>
@@ -67,7 +67,7 @@ void noexec_test(const char *path) {
                 return;
 
         char *fname;
-        if (asprintf(&fname, "%s/jailtest-noexec-%d", path, getpid()) == -1)
+        if (asprintf(&fname, "%s/jailcheck-noexec-%d", path, getpid()) == -1)
                 errExit("asprintf");
 
         pid_t child = fork();
@@ -110,4 +110,4 @@ void noexec_test(const char *path) {
         wait(&status);
         int rv = unlink(fname);
         (void) rv;
-}
\ No newline at end of file
+}
diff --git a/src/jailtest/seccomp.c b/src/jailcheck/seccomp.c
index 2cecb4b4d..ac8064f0b 100644
--- a/src/jailtest/seccomp.c
+++ b/src/jailcheck/seccomp.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -17,7 +17,7 @@
  * with this program; if not, write to the Free Software Foundation, Inc.,
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
-#include "jailtest.h"
+#include "jailcheck.h"
 #define MAXBUF 4096
 
 void seccomp_test(pid_t pid) {
diff --git a/src/jailtest/sysfiles.c b/src/jailcheck/sysfiles.c
index 7e4709453..0df95d496 100644
--- a/src/jailtest/sysfiles.c
+++ b/src/jailcheck/sysfiles.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -17,7 +17,7 @@
  * with this program; if not, write to the Free Software Foundation, Inc.,
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
-#include "jailtest.h"
+#include "jailcheck.h"
 #include <dirent.h>
 #include <sys/wait.h>
 
@@ -34,7 +34,7 @@ void sysfiles_setup(const char *file) {
         assert(file);
 
         if (files_cnt >= MAX_TEST_FILES) {
-                fprintf(stderr, "Error: maximum number of system test files exceded\n");
+                fprintf(stderr, "Error: maximum number of system test files exceeded\n");
                 exit(1);
         }
 
diff --git a/src/jailtest/utils.c b/src/jailcheck/utils.c
index 41c21b753..65431e2e1 100644
--- a/src/jailtest/utils.c
+++ b/src/jailcheck/utils.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -17,7 +17,7 @@
  * with this program; if not, write to the Free Software Foundation, Inc.,
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
-#include "jailtest.h"
+#include "jailcheck.h"
 #include "../include/pid.h"
 #include <errno.h>
 #include <pwd.h>
diff --git a/src/jailtest/virtual.c b/src/jailcheck/virtual.c
index fcdcf9720..93172d65c 100644
--- a/src/jailtest/virtual.c
+++ b/src/jailcheck/virtual.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -17,7 +17,7 @@
  * with this program; if not, write to the Free Software Foundation, Inc.,
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
-#include "jailtest.h"
+#include "jailcheck.h"
 #include <dirent.h>
 #include <sys/wait.h>
 
@@ -43,7 +43,7 @@ void virtual_setup(const char *directory) {
 
         // create a test file
         char *test_file;
-        if (asprintf(&test_file, "%s/jailtest-private-%d", directory, getpid()) == -1)
+        if (asprintf(&test_file, "%s/jailcheck-private-%d", directory, getpid()) == -1)
                 errExit("asprintf");
 
         FILE *fp = fopen(test_file, "w");
diff --git a/src/lib/common.c b/src/lib/common.c
index f1bd7a6fe..8e84fab26 100644
--- a/src/lib/common.c
+++ b/src/lib/common.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -31,6 +31,7 @@
 #include <dirent.h>
 #include <string.h>
 #include <time.h>
+#include <limits.h>
 #include "../include/common.h"
 #define BUFLEN 4096
 
@@ -320,6 +321,115 @@ const char *gnu_basename(const char *path) {
         return last_slash+1;
 }
 
+char *do_replace_cntrl_chars(char *str, char c) {
+        if (str) {
+                size_t i;
+                for (i = 0; str[i]; i++) {
+                        if (iscntrl((unsigned char) str[i]))
+                                str[i] = c;
+                }
+        }
+        return str;
+}
+
+char *replace_cntrl_chars(const char *str, char c) {
+        assert(str);
+
+        char *rv = strdup(str);
+        if (!rv)
+                errExit("strdup");
+
+        do_replace_cntrl_chars(rv, c);
+        return rv;
+}
+
+int has_cntrl_chars(const char *str) {
+        assert(str);
+
+        size_t i;
+        for (i = 0; str[i]; i++) {
+                if (iscntrl((unsigned char) str[i]))
+                        return 1;
+        }
+        return 0;
+}
+
+void reject_cntrl_chars(const char *fname) {
+        assert(fname);
+
+        if (has_cntrl_chars(fname)) {
+                char *fname_print = replace_cntrl_chars(fname, '?');
+
+                fprintf(stderr, "Error: \"%s\" is an invalid filename: no control characters are allowed\n", fname_print);
+                exit(1);
+        }
+}
+
+void reject_meta_chars(const char *fname, int globbing) {
+        assert(fname);
+
+        reject_cntrl_chars(fname);
+
+        const char *reject = "\\&!?\"<>%^{};,*[]";
+        if (globbing)
+                reject = "\\&!\"<>%^{};,"; // file globbing ('*?[]') is allowed
+
+        const char *c = strpbrk(fname, reject);
+        if (c) {
+                fprintf(stderr, "Error: \"%s\" is an invalid filename: rejected character: \"%c\"\n", fname, *c);
+                exit(1);
+        }
+}
+
+// takes string with comma separated int values, returns int array
+int *str_to_int_array(const char *str, size_t *sz) {
+        assert(str && sz);
+
+        size_t curr_sz = 0;
+        size_t arr_sz = 16;
+        int *rv = malloc(arr_sz * sizeof(int));
+        if (!rv)
+                errExit("malloc");
+
+        char *dup = strdup(str);
+        if (!dup)
+                errExit("strdup");
+        char *tok = strtok(dup, ",");
+        if (!tok) {
+                free(dup);
+                free(rv);
+                goto errout;
+        }
+
+        while (tok) {
+                char *end;
+                long val = strtol(tok, &end, 10);
+                if (end == tok || *end != '\0' || val < INT_MIN || val > INT_MAX) {
+                        free(dup);
+                        free(rv);
+                        goto errout;
+                }
+
+                if (curr_sz == arr_sz) {
+                        arr_sz *= 2;
+                        rv = realloc(rv, arr_sz * sizeof(int));
+                        if (!rv)
+                                errExit("realloc");
+                }
+                rv[curr_sz++] = val;
+
+                tok = strtok(NULL, ",");
+        }
+        free(dup);
+
+        *sz = curr_sz;
+        return rv;
+
+errout:
+        *sz = 0;
+        return NULL;
+}
+
 //**************************
 // time trace based on getticks function
 //**************************
diff --git a/src/lib/errno.c b/src/lib/errno.c
index 9edb44c22..b666c5646 100644
--- a/src/lib/errno.c
+++ b/src/lib/errno.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/lib/firejail_user.c b/src/lib/firejail_user.c
index d6a3c71ab..bf338ee43 100644
--- a/src/lib/firejail_user.c
+++ b/src/lib/firejail_user.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/lib/ldd_utils.c b/src/lib/ldd_utils.c
index cd60d74e4..bc4f7cf9c 100644
--- a/src/lib/ldd_utils.c
+++ b/src/lib/ldd_utils.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -50,7 +50,7 @@ int is_lib_64(const char *exe) {
         unsigned char buf[EI_NIDENT];
         ssize_t len = 0;
         while (len < EI_NIDENT) {
-                ssize_t sz = read(fd, buf, EI_NIDENT);
+                ssize_t sz = read(fd, buf + len, EI_NIDENT - len);
                 if (sz <= 0)
                         goto doexit;
                 len += sz;
diff --git a/src/lib/pid.c b/src/lib/pid.c
index ca62aaa42..ad6403f65 100644
--- a/src/lib/pid.c
+++ b/src/lib/pid.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/lib/syscall.c b/src/lib/syscall.c
index b3131ac17..a17f6423a 100644
--- a/src/lib/syscall.c
+++ b/src/lib/syscall.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -253,9 +253,6 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_fanotify_init
           "fanotify_init,"
 #endif
-#ifdef SYS_kcmp
-          "kcmp,"
-#endif
 #ifdef SYS_add_key
           "add_key,"
 #endif
@@ -1681,14 +1678,14 @@ void syscalls_in_list(const char *list, const char *slist, int fd, char **prelis
         sl.postlist = NULL;
         syscall_check_list(list, syscall_in_list, 0, 0, &sl, native);
         if (!arg_quiet) {
-                printf("Seccomp list in: %s,", list);
+                fprintf(stderr, "Seccomp list in: %s,", list);
                 if (sl.slist)
-                        printf(" check list: %s,", sl.slist);
+                        fprintf(stderr, " check list: %s,", sl.slist);
                 if (sl.prelist)
-                        printf(" prelist: %s,", sl.prelist);
+                        fprintf(stderr, " prelist: %s,", sl.prelist);
                 if (sl.postlist)
-                        printf(" postlist: %s", sl.postlist);
-                printf("\n");
+                        fprintf(stderr, " postlist: %s", sl.postlist);
+                fprintf(stderr, "\n");
         }
         *prelist = sl.prelist;
         *postlist = sl.postlist;
diff --git a/src/libpostexecseccomp/libpostexecseccomp.c b/src/libpostexecseccomp/libpostexecseccomp.c
index 1d1eb283b..e2339547e 100644
--- a/src/libpostexecseccomp/libpostexecseccomp.c
+++ b/src/libpostexecseccomp/libpostexecseccomp.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/libtrace/libtrace.c b/src/libtrace/libtrace.c
index d88512b0a..c0832cbde 100644
--- a/src/libtrace/libtrace.c
+++ b/src/libtrace/libtrace.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -18,12 +18,12 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #define _GNU_SOURCE
+#include <errno.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <dlfcn.h>
 #include <sys/types.h>
-#include <limits.h>
 #include <unistd.h>
 #include <sys/socket.h>
 #include <netinet/in.h>
@@ -706,10 +706,14 @@ __attribute__((constructor))
 static void log_exec(int argc, char** argv) {
         (void) argc;
         (void) argv;
-        static char buf[PATH_MAX + 1];
-        int rv = readlink("/proc/self/exe", buf, PATH_MAX);
-        if (rv != -1) {
-                buf[rv] = '\0'; // readlink does not add a '\0' at the end
+        char *buf = realpath("/proc/self/exe", NULL);
+        if (buf == NULL) {
+                if (errno == ENOMEM) {
+                        tprintf(ftty, "realpath: %s\n", strerror(errno));
+                        exit(1);
+                }
+        } else {
                 tprintf(ftty, "%u:%s:exec %s:0\n", mypid, myname, buf);
+                free(buf);
         }
 }
diff --git a/src/libtracelog/libtracelog.c b/src/libtracelog/libtracelog.c
index b946cc889..760ac7612 100644
--- a/src/libtracelog/libtracelog.c
+++ b/src/libtracelog/libtracelog.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/man/Makefile.in b/src/man/Makefile.in
index 3711d5cec..fbd2d795e 100644
--- a/src/man/Makefile.in
+++ b/src/man/Makefile.in
@@ -1,5 +1,5 @@
 .PHONY: all
-all: firecfg.man firejail.man firejail-login.man firejail-users.man firejail-profile.man firemon.man jailtest.man
+all: firecfg.man firejail.man firejail-login.man firejail-users.man firejail-profile.man firemon.man jailcheck.man
 
 include ../common.mk
 
diff --git a/src/man/firecfg.txt b/src/man/firecfg.txt
index dbb9397c6..189e9cc8d 100644
--- a/src/man/firecfg.txt
+++ b/src/man/firecfg.txt
@@ -27,7 +27,7 @@ desktop managers are supported in this moment
 To set it up, run "sudo firecfg" after installing Firejail software.
 The same command should also be run after
 installing new programs. If the program is supported by Firejail, the symbolic link in /usr/local/bin
-will be created. For a full list of programs supported by default run "cat /usr/lib/firejail/firecfg.config".
+will be created. For a full list of programs supported by default run "cat /etc/firejail/firecfg.config".
 
 For user-driven manual integration, see \fBDESKTOP INTEGRATION\fR section in \fBman 1 firejail\fR.
 .SH DEFAULT ACTIONS
@@ -135,4 +135,4 @@ Homepage: https://firejail.wordpress.com
 .BR firejail-profile (5),
 .BR firejail-login (5),
 .BR firejail-users (5),
-.BR jailtest (1)
+.BR jailcheck (1)
diff --git a/src/man/firejail-login.txt b/src/man/firejail-login.txt
index 1b8a4931c..05afd55b5 100644
--- a/src/man/firejail-login.txt
+++ b/src/man/firejail-login.txt
@@ -39,4 +39,4 @@ Homepage: https://firejail.wordpress.com
 .BR firecfg (1),
 .BR firejail-profile (5),
 .BR firejail-users (5),
-.BR jailtest (1)
+.BR jailcheck (1)
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 9d11add06..e962e18da 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -1,18 +1,84 @@
 .TH FIREJAIL-PROFILE 5 "MONTH YEAR" "VERSION" "firejail profiles man page"
 .SH NAME
-profile \- Security profile file syntax for Firejail
+profile \- Security profile file syntax, and information about building new application profiles.
 
-.SH USAGE
+.SH SYNOPSIS
+
+Using a specific profile:
+.PP
+.RS
 .TP
-firejail \-\-profile=filename.profile
+\fBfirejail \-\-profile=filename.profile
+.br
+
+.br
+Example:
+.br
+$ firejail --profile=/etc/firejail/kdenlive.profile --appimage kdenlive.appimage
+.br
+
+.br
+.TP
+\fBfirejail \-\-profile=profile_name
+.br
+
+.br
+Example:
+.br
+$ firejail --profile=kdenlive --appimage kdenlive.appimage
+.br
+
+.br
+.RE
+.PP
+
+
+
+Building a profile manually:
+.PP
+.RS
+Start with the template in /usr/share/doc/firejail/profile.template and modify it in a text editor.
+To integrate the program in your desktop environment copy the profile file in ~/.config/firejail
+directory and run "sudo firecfg".
 .RE
-firejail \-\-profile=profile_name
+.PP
+
+Aliases and redirections:
+.PP
+.RS
+In some cases the same profile can be used for several applications.
+One such example is LibreOffice.
+Build a regular profile for the main application, and for the rest use
+/usr/share/doc/firejail/redirect_alias-profile.template.
+.RE
+.PP
+
+Running the profile builder:
+.PP
+.RS
+.TP
+\fBfirejail \-\-build=appname.profile appname
+.br
+
+.br
+Example:
+.br
+$ firejail --build=blobby.profile blobby
+.br
+
+.br
+Run the program in "firejail \-\-build" and try to exercise as many program features as possible.
+The profile is extracted and saved in the current directory. Open it in a text editor and add or remove
+sandboxing options as necessary. Test again after modifying the profile. To integrate the program
+in your desktop environment copy the profile file in ~/.config/firejail directory and run "sudo firecfg".
+.RE
+.PP
 
 .SH DESCRIPTION
 Several command line options can be passed to the program using
 profile files. Firejail chooses the profile file as follows:
 
-\fB1.\fR If a profile file is provided by the user with \-\-profile option, the profile file is loaded. If a profile name is given, it is searched for first in the ~/.config/firejail directory and if not found then in  /etc/firejail directory. Profile names do not include the .profile suffix.
+\fB1.\fR If a profile file is provided by the user with \-\-profile option, the profile file is loaded. If a profile name is given, it is searched for first in the ~/.config/firejail directory and if not found then in /etc/firejail directory. Profile names do not include the .profile suffix.
 Example:
 .PP
 .RS
@@ -94,6 +160,11 @@ Example: "blacklist ~/My Virtual Machines"
 
 .TP
 \fB# this is a comment
+Example:
+
+# disable networking
+.br
+net none # this command creates an empty network namespace
 
 .TP
 \fB?CONDITIONAL: profile line
@@ -103,7 +174,7 @@ Example: "?HAS_APPIMAGE: whitelist ${HOME}/special/appimage/dir"
 
 This example will load the whitelist profile line only if the \-\-appimage option has been specified on the command line.
 
-Currently the only conditionals supported this way are HAS_APPIMAGE, HAS_NET, HAS_NODBUS, HAS_NOSOUND, HAS_PRIVATE and HAS_X11. The conditionals BROWSER_DISABLE_U2F and BROWSER_ALLOW_DRM
+Currently the only conditionals supported this way are HAS_APPIMAGE, HAS_NET, HAS_NODBUS, HAS_NOSOUND, HAS_PRIVATE and HAS_X11. The conditionals ALLOW_TRAY, BROWSER_DISABLE_U2F and BROWSER_ALLOW_DRM
 can be enabled or disabled globally in Firejail's configuration file.
 
 The profile line may be any profile line that you would normally use in a profile \fBexcept\fR for "quiet" and "include" lines.
@@ -205,6 +276,10 @@ Mount-bind file1 on top of file2. This option is only available when running as
 \fBdisable-mnt
 Disable /mnt, /media, /run/mount and /run/media access.
 .TP
+\fBkeep-config-pulse
+Disable automatic ~/.config/pulse init, for complex setups such as remote
+pulse servers or non-standard socket paths.
+.TP
 \fBkeep-dev-shm
 /dev/shm directory is untouched (even with private-dev).
 .TP
@@ -249,16 +324,16 @@ Remount the file or the directory noexec, nodev and nosuid.
 #ifdef HAVE_OVERLAYFS
 .TP
 \fBoverlay
-Mount  a  filesystem  overlay  on top of the current filesystem.
-The overlay is stored in $HOME/.firejail/<PID>  directory.
+Mount a filesystem overlay on top of the current filesystem.
+The overlay is stored in $HOME/.firejail/<PID> directory.
 .TP
 \fBoverlay-named name
-Mount  a  filesystem  overlay  on top of the current filesystem.
-The overlay is stored in $HOME/.firejail/name  directory.
+Mount a filesystem overlay on top of the current filesystem.
+The overlay is stored in $HOME/.firejail/name directory.
 .TP
 \fBoverlay-tmpfs
-Mount  a  filesystem  overlay  on top of the current filesystem.
-All filesystem  modifications are discarded when the sandbox is closed.
+Mount a filesystem overlay on top of the current filesystem.
+All filesystem modifications are discarded when the sandbox is closed.
 #endif
 .TP
 \fBprivate
@@ -274,6 +349,7 @@ Build a new /bin in a temporary filesystem, and copy the programs in the list.
 The files in the list must be expressed as relative to the /bin,
 /sbin, /usr/bin, /usr/sbin, or /usr/local/bin directories.
 The same directory is also bind-mounted over /sbin, /usr/bin and /usr/sbin.
+Multiple private-bin commands are allowed and they accumulate.
 .TP
 \fBprivate-cache
 Mount an empty temporary filesystem on top of the .cache directory in user home. All
@@ -283,7 +359,7 @@ modifications are discarded when the sandbox is closed.
 Set working directory inside jail to the home directory, and failing that, the root directory.
 .TP
 \fBprivate-cwd directory
-Set working directory inside the jail.
+Set working directory inside the jail. Full directory path is required. Symbolic links are not allowed.
 .TP
 \fBprivate-dev
 Create a new /dev directory. Only disc, dri, dvb, hidraw, null, full, zero, tty, pts, ptmx,
@@ -299,6 +375,7 @@ the /etc directory, and must not contain the / character
 (e.g., /etc/foo must be expressed as foo, but /etc/foo/bar --
 expressed as foo/bar -- is disallowed).
 All modifications are discarded when the sandbox is closed.
+Multiple private-etc commands are allowed and they accumulate.
 #ifdef HAVE_PRIVATE_HOME
 .TP
 \fBprivate-home file,directory
@@ -345,7 +422,7 @@ Make directory or file read-only.
 Make directory or file read-write.
 .TP
 \fBtmpfs directory
-Mount an empty tmpfs filesystem on top of directory. This option is available only when running the sandbox as root.
+Mount an empty tmpfs filesystem on top of directory. Directories outside user home or not owned by the user are not allowed. Sandboxes running as root are exempt from these restrictions.
 .TP
 \fBtracelog
 Blacklist violations logged to syslog.
@@ -353,13 +430,19 @@ Blacklist violations logged to syslog.
 \fBwhitelist file_or_directory
 Whitelist directory or file. A temporary file system is mounted on the top directory, and the
 whitelisted files are mount-binded inside. Modifications to whitelisted files are persistent,
-everything else is discarded when the sandbox is closed. The top directory could be
-user home, /dev, /etc, /media, /mnt, /opt, /srv, /sys/module, /usr/share, /var, and /tmp.
+everything else is discarded when the sandbox is closed. The top directory can be
+all directories in / (except /proc and /sys), /sys/module, /run/user/$UID, $HOME and
+all directories in /usr.
 .br
 
 .br
 Symbolic link handling: with the exception of user home, both the link and the real file should be in
 the same top directory. For user home, both the link and the real file should be owned by the user.
+
+.TP
+\fBwhitelist-ro file_or_directory
+Equivalent to "whitelist file_or_directory" followed by "read-only file_or_directory"
+
 .TP
 \fBwritable-etc
 Mount /etc directory read-write.
@@ -408,17 +491,21 @@ Sets the NO_NEW_PRIVS prctl.  This ensures that child processes
 cannot acquire new privileges using execve(2);  in particular,
 this means that calling a suid binary (or one with file capabilities)
 does not result in an increase of privilege.
+.TP
+\fBnoprinters
+Disable printers.
 #ifdef HAVE_USERNS
 .TP
 \fBnoroot
-Use this command  to enable an user namespace. The namespace has only one user, the current user.
+Use this command to enable an user namespace. The namespace has only one user, the current user.
 There is no root account (uid 0) defined in the namespace.
 #endif
 .TP
 \fBprotocol protocol1,protocol2,protocol3
-Enable protocol filter. The filter is based on seccomp and  checks the
+Enable protocol filter. The filter is based on seccomp and checks the
 first argument to socket system call. Recognized values: \fBunix\fR,
-\fBinet\fR, \fBinet6\fR, \fBnetlink\fR, \fBpacket\fR and \fBbluetooth\fR.
+\fBinet\fR, \fBinet6\fR, \fBnetlink\fR, \fBpacket\fR, and \fBbluetooth\fR.
+Multiple protocol commands are allowed.
 .TP
 \fBseccomp
 Enable seccomp filter and blacklist the syscalls in the default list. See man 1 firejail for more details.
@@ -530,7 +617,7 @@ Allow the application to see but not talk to the name org.freedesktop.Notificati
 Allow the application to call methods of the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus.
 .TP
 \fBdbus-system.broadcast org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
-Allow the application to receive broadcast signals from the the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus.
+Allow the application to receive broadcast signals from the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus.
 .TP
 \fBdbus-user filter
 Enable filtered access to the session DBus. Filters can be specified with the dbus-user.talk and dbus-user.own commands.
@@ -640,6 +727,11 @@ env CFLAGS="-W -Wall -Werror"
 .TP
 \fBipc-namespace
 Enable IPC namespace.
+
+.TP
+\fBkeep-fd
+Inherit open file descriptors to sandbox.
+
 .TP
 \fBname sandboxname
 Set sandbox name. Example:
@@ -652,9 +744,8 @@ name browser
 \fBno3d
 Disable 3D hardware acceleration.
 .TP
-\fBnoautopulse
-Disable automatic ~/.config/pulse init, for complex setups such as remote
-pulse servers or non-standard socket paths.
+\fBnoautopulse \fR(deprecated)
+See keep-config-pulse.
 .TP
 \fBnodvd
 Disable DVD and audio CD devices.
@@ -662,6 +753,9 @@ Disable DVD and audio CD devices.
 \fBnogroups
 Disable supplementary user groups
 .TP
+\fBnoinput
+Disable input devices.
+.TP
 \fBnosound
 Disable sound system.
 .TP
@@ -674,8 +768,8 @@ Disable U2F devices.
 \fBnovideo
 Disable video capture devices.
 .TP
-\fBnoinput
-Disable input devices.
+\fBmachine-id
+Spoof id number in /etc/machine-id file - a new random id is generated inside the sandbox.
 .TP
 \fBshell none
 Run the program directly, without a shell.
@@ -795,8 +889,8 @@ a DHCP client and releasing the lease manually.
 
 .TP
 \fBiprange address,address
-Assign  an  IP address in the provided range to the last network
-interface defined by  a  net command.  A  default  gateway  is assigned by default.
+Assign an IP address in the provided range to the last network
+interface defined by a net command.  A default gateway is assigned by default.
 .br
 
 .br
@@ -814,10 +908,6 @@ iprange 192.168.1.150,192.168.1.160
 Assign MAC addresses to the last network interface defined by a net command.
 
 .TP
-\fBmachine-id
-Spoof id number in /etc/machine-id file - a new random id is generated inside the sandbox.
-
-.TP
 \fBmtu number
 Assign a MTU value to the last network interface defined by a net command.
 
@@ -880,18 +970,37 @@ be created and configured using "ip netns".
 Use this name for the interface connected to the bridge for --net=bridge_interface commands,
 instead of the default one.
 #endif
+
 .SH Other
 .TP
 \fBdeterministic-exit-code
 Always exit firejail with the first child's exit status. The default behavior is to use the exit status of the final child to exit, which can be nondeterministic.
 
 .TP
+\fBdeterministic-shutdown
+Always shut down the sandbox after the first child has terminated. The default behavior is to keep the sandbox alive as long as it contains running processes.
+
+.TP
 \fBjoin-or-start sandboxname
 Join the sandbox identified by name or start a new one.
 Same as "firejail --join=sandboxname" command if sandbox with specified name exists, otherwise same as "name sandboxname".
 
 .SH FILES
-/etc/firejail/filename.profile, $HOME/.config/firejail/filename.profile
+.TP
+\fB/etc/firejail/appname.profile
+Global Firejail configuration consisting mainly of profiles for each application supported by default.
+
+.TP
+\fB$HOME/.config/firejail/appname.profile
+User application profiles, will take precedence over the global profiles.
+
+.TP
+\fB/usr/share/doc/firejail/profile.template
+Template for building new profiles.
+
+.TP
+\fB/usr/share/doc/firejail/redirect_alias-profile.template
+Template for aliasing/redirecting profiles.
 
 .SH LICENSE
 Firejail is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
@@ -903,7 +1012,7 @@ Homepage: https://firejail.wordpress.com
 .BR firecfg (1),
 .BR firejail-login (5),
 .BR firejail-users (5),
-.BR jailtest (1)
+.BR jailcheck (1)
 
 .UR https://github.com/netblue30/firejail/wiki/Creating-Profiles
 .UE
diff --git a/src/man/firejail-users.txt b/src/man/firejail-users.txt
index c5a9c1848..e3cce7ed5 100644
--- a/src/man/firejail-users.txt
+++ b/src/man/firejail-users.txt
@@ -59,4 +59,4 @@ Homepage: https://firejail.wordpress.com
 .BR firecfg (1),
 .BR firejail-profile (5),
 .BR firejail-login (5),
-.BR jailtest (1)
+.BR jailcheck (1)
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 23ec23fb1..f9deaeaa4 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -45,7 +45,7 @@ firejail {\-? | \-\-debug-caps | \-\-debug-errnos | \-\-debug-syscalls | \-\-deb
 #ifdef HAVE_LTS
 This is Firejail long-term support (LTS), an enterprise focused version of the software,
 LTS is usually supported for two or three years.
-During this time  only bugs and the occasional documentation problems are fixed.
+During this time only bugs and the occasional documentation problems are fixed.
 The attack surface of the SUID executable was greatly reduced by removing some of the features.
 .br
 
@@ -109,7 +109,7 @@ ptrace system call allows a full bypass of the seccomp filter.
 .br
 Example:
 .br
-$ firejail  --allow-debuggers --profile=/etc/firejail/firefox.profile strace -f firefox
+$ firejail --allow-debuggers --profile=/etc/firejail/firefox.profile strace -f firefox
 .TP
 \fB\-\-allusers
 All directories under /home are visible inside the sandbox. By default, only current user home directory is visible.
@@ -147,12 +147,12 @@ private-bin and private-lib are disabled by default when running appimages.
 .br
 Example:
 .br
-$ firejail --appimage krita-3.0-x86_64.appimage
+$ firejail --appimage --profile=krita krita-3.0-x86_64.appimage
 .br
-$ firejail --appimage --private krita-3.0-x86_64.appimage
+$ firejail --appimage --private --profile=krita krita-3.0-x86_64.appimage
 .br
 #ifdef HAVE_X11
-$ firejail --appimage --net=none --x11 krita-3.0-x86_64.appimage
+$ firejail --appimage --net=none --x11 --profile=krita krita-3.0-x86_64.appimage
 #endif
 .TP
 #ifdef HAVE_NETWORK
@@ -185,10 +185,7 @@ $ firejail "\-\-blacklist=/home/username/My Virtual Machines"
 $ firejail \-\-blacklist=/home/username/My\\ Virtual\\ Machines
 .TP
 \fB\-\-build
-The command builds a whitelisted profile. The profile is printed on the screen. If /usr/bin/strace is installed on the system, it also
-builds a whitelisted seccomp profile. The program is run in a very relaxed sandbox,
-with only --caps.drop=all and --nonewprivs. Programs that raise user privileges are not supported
-in order to allow strace to run. Chromium and Chromium-based browsers will not work.
+The command builds a whitelisted profile. The profile is printed on the screen. The program is run in a very relaxed sandbox, with only --caps.drop=all and --nonewprivs. Programs that raise user privileges are not supported.
 .br
 
 .br
@@ -197,10 +194,8 @@ Example:
 $ firejail --build vlc ~/Videos/test.mp4
 .TP
 \fB\-\-build=profile-file
-The command builds a whitelisted profile, and saves it in profile-file. If /usr/bin/strace is installed on the system, it also
-builds a whitelisted seccomp profile. The program is run in a very relaxed sandbox,
-with only --caps.drop=all and --nonewprivs. Programs that raise user privileges are not supported
-in order to allow strace to run. Chromium and Chromium-based browsers will not work.
+The command builds a whitelisted profile, and saves it in profile-file. The program is run in a very relaxed sandbox,
+with only --caps.drop=all and --nonewprivs. Programs that raise user privileges are not supported.
 .br
 
 .br
@@ -290,8 +285,8 @@ $ firejail \-\-caps.print=3272
 Print content of file from sandbox container, see FILE TRANSFER section for more details.
 #endif
 .TP
-\fB\-\-cgroup=tasks-file
-Place the sandbox in the specified control group. tasks-file is the full path of cgroup tasks file.
+\fB\-\-cgroup=file
+Place the sandbox in the specified control group. file is the full path of a tasks or cgroup.procs file.
 .br
 
 .br
@@ -310,6 +305,11 @@ regular user, nonewprivs and a default capabilities filter are enabled.
 Example:
 .br
 $ firejail \-\-chroot=/media/ubuntu warzone2100
+.br
+
+.br
+For automatic mounting of X11 and PulseAudio sockets set environment variables
+FIREJAIL_CHROOT_X11 and FIREJAIL_CHROOT_PULSE.
 #endif
 .TP
 \fB\-\-cpu=cpu-number,cpu-number,cpu-number
@@ -701,6 +701,12 @@ $ firejail \-\-net=eth0 \-\-defaultgw=10.10.20.1 firefox
 \fB\-\-deterministic-exit-code
 Always exit firejail with the first child's exit status. The default behavior is to use the exit status of the final child to exit, which can be nondeterministic.
 .br
+
+.TP
+\fB\-\-deterministic-shutdown
+Always shut down the sandbox after the first child has terminated. The default behavior is to keep the sandbox alive as long as it contains running processes.
+.br
+
 .TP
 \fB\-\-disable-mnt
 Blacklist /mnt, /media, /run/mount and /run/media access.
@@ -810,6 +816,26 @@ Example:
 $ firejail \-\-hosts-file=~/myhosts firefox
 
 .TP
+\fB\-\-ids-check
+Check file hashes previously generated by \-\-ids-check. See INTRUSION DETECTION SYSTEM section for more details.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-ids-check
+
+.TP
+\fB\-\-ids-init
+Initialize file hashes. See INTRUSION DETECTION SYSTEM section for more details.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-ids-init
+
+.TP
 \fB\-\-ignore=command
 Ignore command in profile file.
 .br
@@ -947,7 +973,7 @@ $ firejail \-\-net=eth0 \-\-\iprange=192.168.1.100,192.168.1.150
 
 .TP
 \fB\-\-ipc-namespace
-Enable  a new IPC namespace if the sandbox was started as a regular user. IPC namespace is enabled by default
+Enable a new IPC namespace if the sandbox was started as a regular user. IPC namespace is enabled by default
 for sandboxes started as root.
 .br
 
@@ -1014,7 +1040,7 @@ $ sudo firejail --join-network=browser /sbin/iptables -vL
 .br
 
 .br
-# verify  IP addresses
+# verify IP addresses
 .br
 $ sudo firejail --join-network=browser ip addr
 .br
@@ -1052,6 +1078,17 @@ Same as "firejail --join=name" if sandbox with specified name exists, otherwise
 Note that in contrary to other join options there is respective profile option.
 
 .TP
+\fB\-\-keep-config-pulse
+Disable automatic ~/.config/pulse init, for complex setups such as remote
+pulse servers or non-standard socket paths.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-keep-config-pulse firefox
+
+.TP
 \fB\-\-keep-dev-shm
 /dev/shm directory is untouched (even with --private-dev)
 .br
@@ -1062,6 +1099,26 @@ Example:
 $ firejail --keep-dev-shm --private-dev
 
 .TP
+\fB\-\-keep-fd=all
+Inherit all open file descriptors to the sandbox. By default only file descriptors 0, 1 and 2 are inherited to the sandbox, and all other file descriptors are closed.
+.br
+
+.br
+Example:
+.br
+$ firejail --keep-fd=all
+
+.TP
+\fB\-\-keep-fd=file_descriptor
+Don't close specified open file descriptors. By default only file descriptors 0, 1 and 2 are inherited to the sandbox, and all other file descriptors are closed.
+.br
+
+.br
+Example:
+.br
+$ firejail --keep-fd=3,4,5
+
+.TP
 \fB\-\-keep-var-tmp
 /var/tmp directory is untouched.
 .br
@@ -1214,7 +1271,7 @@ $ firejail \-\-net=br0 \-\-net=br1
 .TP
 \fB\-\-net=ethernet_interface|wireless_interface
 Enable a new network namespace and connect it
-to this ethernet interface using the standard Linux macvlan|ipvaln
+to this ethernet interface using the standard Linux macvlan|ipvlan
 driver. Unless specified with option \-\-ip and \-\-defaultgw, an
 IP address and a default gateway will be assigned automatically
 to the sandbox. The IP address is verified using ARP before
@@ -1401,6 +1458,30 @@ $ firejail --name=browser --net=eth0 --netfilter firefox &
 $ firejail --netfilter6.print=browser
 
 .TP
+\fB\-\-netlock
+Several type of programs (email clients, multiplayer games etc.) talk to a very small
+number of IP addresses. But the best example is tor browser. It only talks to a guard node,
+and there are two or three more on standby in case the main one fails.
+During startup, the browser contacts all of them, after that it keeps talking to the main
+one... for weeks!
+
+Use the network locking feature to build and deploy a custom network firewall in your sandbox.
+The firewall allows only the traffic to the IP addresses detected during the program
+startup. Traffic to any other address is quietly dropped. By default the network monitoring
+time is one minute.
+
+A network namespace (\-\-net=eth0) is required for this feature to work. Example:
+.br
+
+.br
+$ firejail --net=eth0 --netlock \\
+.br
+--private=~/tor-browser_en-US ./start-tor-browser.desktop
+.br
+
+.br
+
+.TP
 \fB\-\-netmask=address
 Use this option when you want to assign an IP address in a new namespace and
 the parent interface specified by --net is not configured. An IP address and
@@ -1437,6 +1518,40 @@ PID  User    RX(KB/s) TX(KB/s) Command
 1294 netblue 53.355   1.473    firejail \-\-net=eth0 firefox
 .br
 7383 netblue 9.045    0.112    firejail \-\-net=eth0 transmission
+.TP
+\fB\-\-nettrace[=name|pid]
+Monitor TCP and UDP traffic coming into the sandbox specified by name or pid. Only networked sandboxes
+created with \-\-net are supported.
+.br
+
+.br
+Without a name/pid, Firejail will monitor the main system network namespace.
+.br
+
+.br
+ $ firejail --nettrace=browser
+.br
+
+.br
+                        95 KB/s  geoip 457, IP database 4436
+.br
+   52 KB/s ***********           64.222.84.207:443 United States
+.br
+   33 KB/s *******               89.147.74.105:63930 Hungary
+.br
+    0 B/s                        45.90.28.0:443 NextDNS
+.br
+    0 B/s                        94.70.122.176:52309(UDP) Greece
+.br
+  339 B/s                        104.26.7.35:443 Cloudflare
+.br
+
+.br
+If /usr/bin/geoiplookup is installed (geoip-bin package in Debian),
+the country the IP address originates from is added to the trace.
+We also use the static IP map in /etc/firejail/hostnames
+to print the domain names for some of the more common websites and cloud platforms.
+No external services are contacted for reverse IP lookup.
 #endif
 .TP
 \fB\-\-nice=value
@@ -1460,15 +1575,8 @@ Example:
 $ firejail --no3d firefox
 
 .TP
-\fB\-\-noautopulse
-Disable automatic ~/.config/pulse init, for complex setups such as remote
-pulse servers or non-standard socket paths.
-.br
-
-.br
-Example:
-.br
-$ firejail \-\-noautopulse firefox
+\fB\-\-noautopulse \fR(deprecated)
+See --keep-config-pulse.
 
 .TP
 \fB\-\-noblacklist=dirname_or_filename
@@ -1576,6 +1684,10 @@ does not result in an increase of privilege. This option
 is enabled by default if seccomp filter is activated.
 
 .TP
+\fB\-\-noprinters
+Disable printers.
+
+.TP
 \fB\-\-noprofile
 Do not use a security profile.
 .br
@@ -1797,8 +1909,9 @@ The files in the list must be expressed as relative to the /bin,
 /sbin, /usr/bin, /usr/sbin, or /usr/local/bin directories.
 If no listed files are found, /bin directory will be empty.
 The same directory is also bind-mounted over /sbin, /usr/bin, /usr/sbin and /usr/local/bin.
-All modifications are discarded when the sandbox is closed. File globbing is supported,
-see \fBFILE GLOBBING\fR section for more details.
+All modifications are discarded when the sandbox is closed.
+Multiple private-bin commands are allowed and they accumulate.
+File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
 .br
 
 .br
@@ -1828,7 +1941,6 @@ $ firejail \-\-private-cache openbox
 .TP
 \fB\-\-private-cwd
 Set working directory inside jail to the home directory, and failing that, the root directory.
-.br
 Does not impact working directory of profile include paths.
 .br
 
@@ -1849,7 +1961,7 @@ $ pwd
 .TP
 \fB\-\-private-cwd=directory
 Set working directory inside the jail.
-.br
+Full directory path is required. Symbolic links are not allowed.
 Does not impact working directory of profile include paths.
 .br
 
@@ -1892,11 +2004,10 @@ $
 Build a new /etc in a temporary
 filesystem, and copy the files and directories in the list.
 The files and directories in the list must be expressed as relative to
-the /etc directory, and must not contain the / character
-(e.g., /etc/foo must be expressed as foo, but /etc/foo/bar --
-expressed as foo/bar -- is disallowed).
+the /etc directory (e.g., /etc/foo must be expressed as foo).
 If no listed file is found, /etc directory will be empty.
 All modifications are discarded when the sandbox is closed.
+Multiple private-etc commands are allowed and they accumulate.
 .br
 
 .br
@@ -1997,7 +2108,7 @@ Build a new /srv in a temporary
 filesystem, and copy the files and directories in the list.
 The files and directories in the list must be expressed as relative to
 the /srv directory, and must not contain the / character
-(e.g., /opt/srv must be expressed as foo, but /srv/foo/bar --
+(e.g., /srv/foo must be expressed as foo, but /srv/foo/bar --
 expressed as srv/bar -- is disallowed).
 If no listed file is found, /srv directory will be empty.
 All modifications are discarded when the sandbox is closed.
@@ -2055,7 +2166,7 @@ $ firejail \-\-profile.print=browser
 .TP
 \fB\-\-protocol=protocol,protocol,protocol
 Enable protocol filter. The filter is based on seccomp and checks the first argument to socket system call.
-Recognized values: unix, inet, inet6, netlink, packet and bluetooth. This option is not supported for i386 architecture.
+Recognized values: unix, inet, inet6, netlink, packet, and bluetooth. This option is not supported for i386 architecture.
 .br
 
 .br
@@ -2127,11 +2238,12 @@ $ firejail --read-only=~/test --read-write=~/test/a
 .TP
 \fB\-\-rlimit-as=number
 Set the maximum size of the process's virtual memory (address space) in bytes.
+Use k(ilobyte), m(egabyte) or g(igabyte) for size suffix (base 1024).
 
 .TP
 \fB\-\-rlimit-cpu=number
 Set the maximum limit, in seconds, for the amount of CPU time each
-sandboxed process  can consume. When the limit is reached, the processes are killed.
+sandboxed process can consume. When the limit is reached, the processes are killed.
 
 The CPU limit is a limit on CPU seconds rather than elapsed time. CPU seconds is basically how many seconds
 the CPU has been in use and does not necessarily directly relate to the elapsed time. Linux kernel keeps
@@ -2140,6 +2252,7 @@ track of CPU seconds for each process independently.
 .TP
 \fB\-\-rlimit-fsize=number
 Set the maximum file size that can be created by a process.
+Use k(ilobyte), m(egabyte) or g(igabyte) for size suffix (base 1024).
 .TP
 \fB\-\-rlimit-nofile=number
 Set the maximum number of files that can be opened by a process.
@@ -2174,7 +2287,7 @@ $ firejail \-\-net=eth0 \-\-scan
 .TP
 \fB\-\-seccomp
 Enable seccomp filter and blacklist the syscalls in the default list,
-which is  @default-nodebuggers unless allow-debuggers is specified,
+which is @default-nodebuggers unless \-\-allow-debuggers is specified,
 then it is @default.
 
 .br
@@ -2185,18 +2298,18 @@ system call groups are defined: @aio, @basic-io, @chown, @clock,
 @network-io, @obsolete, @privileged, @process, @raw-io, @reboot,
 @resources, @setuid, @swap, @sync, @system-service and @timer.
 More information about groups can be found in /usr/share/doc/firejail/syscalls.txt
+.br
 
-In addition, a system call can be specified by its number instead of
-name with prefix $, so for example $165 would be equal to mount on i386.
-Exceptions can be allowed with prefix !.
+.br
+The default list can be customized, see \-\-seccomp= for a description.
+It can be customized also globally in /etc/firejail/firejail.config file.
+.br
 
 .br
 System architecture is strictly imposed only if flag
 \-\-seccomp.block-secondary is used. The filter is applied at run time
 only if the correct architecture was detected. For the case of I386
-and AMD64 both 32-bit and 64-bit filters are installed. On a 64 bit
-architecture, an additional filter for 32 bit system calls can be
-installed with \-\-seccomp.32.
+and AMD64 both 32-bit and 64-bit filters are installed.
 .br
 
 .br
@@ -2207,11 +2320,14 @@ Firejail will print seccomp violations to the audit log if the kernel was compil
 Example:
 .br
 $ firejail \-\-seccomp
+
+
 .TP
 \fB\-\-seccomp=syscall,@group,!syscall2
-Enable seccomp filter, whitelist "syscall2", but blacklist the default
-list and the syscalls or syscall groups specified by the
-command.
+Enable seccomp filter, blacklist the default list and the syscalls or syscall groups
+specified by the command, but don't blacklist "syscall2". On a 64 bit
+architecture, an additional filter for 32 bit system calls can be
+installed with \-\-seccomp.32.
 .br
 
 .br
@@ -2221,6 +2337,13 @@ $ firejail \-\-seccomp=utime,utimensat,utimes firefox
 .br
 $ firejail \-\-seccomp=@clock,mkdir,unlinkat transmission-gtk
 .br
+$ firejail '\-\-seccomp=@ipc,!pipe,!pipe2' audacious
+.br
+
+.br
+Syscalls can be specified by their number if prefix $ is added,
+so for example $165 would be equal to mount on i386.
+.br
 
 .br
 Instead of dropping the syscall by returning EPERM, another error
@@ -2233,6 +2356,7 @@ by using \fBsyscall:kill\fR syntax, or the attempt may be logged with
 
 .br
 Example:
+.br
 $ firejail \-\-seccomp=unlinkat:ENOENT,utimensat,utimes
 .br
 Parent pid 10662, child pid 10663
@@ -2241,9 +2365,13 @@ Child process initialized
 .br
 $ touch testfile
 .br
+$ ls testfile
+.br
+testfile
+.br
 $ rm testfile
 .br
-rm: cannot remove `testfile': Operation not permitted
+rm: cannot remove `testfile': No such file or directory
 .br
 
 .br
@@ -2256,7 +2384,7 @@ filters.
 .br
 Example:
 .br
-$ firejail \-\-noprofile \-\-shell=none \-\-seccomp=execve bash
+$ firejail \-\-noprofile \-\-shell=none \-\-seccomp=execve sh
 .br
 Parent pid 32751, child pid 32752
 .br
@@ -2268,8 +2396,7 @@ Child process initialized in 46.44 ms
 .br
 $ ls
 .br
-Bad system call
-.br
+Operation not permitted
 
 .TP
 \fB\-\-seccomp.block-secondary
@@ -2313,15 +2440,15 @@ Child process initialized
 .br
 $ touch testfile
 .br
+$ ls testfile
+.br
+testfile
+.br
 $ rm testfile
 .br
-rm: cannot remove `testfile': Operation not permitted
+rm: cannot remove `testfile': No such file or directory
 .br
 
-
-
-
-
 .TP
 \fB\-\-seccomp.keep=syscall,@group,!syscall2
 Enable seccomp filter, blacklist all syscall not listed and "syscall2".
@@ -2556,6 +2683,13 @@ $ firejail \-\-list
 .br
 $ firejail \-\-shutdown=3272
 .TP
+\fB\-\-tab
+Enable shell tab completion in sandboxes using private or whitelisted home directories.
+.br
+
+.br
+$ firejail \-\-private --tab
+.TP
 \fB\-\-timeout=hh:mm:ss
 Kill the sandbox automatically after the time has elapsed. The time is specified in hours/minutes/seconds format.
 .br
@@ -2564,14 +2698,13 @@ Kill the sandbox automatically after the time has elapsed. The time is specified
 $ firejail \-\-timeout=01:30:00 firefox
 .TP
 \fB\-\-tmpfs=dirname
-Mount a writable tmpfs filesystem on directory dirname. This option is available only when running the sandbox as root.
-File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
+Mount a writable tmpfs filesystem on directory dirname. Directories outside user home or not owned by the user are not allowed. Sandboxes running as root are exempt from these restrictions. File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
 .br
 
 .br
 Example:
 .br
-# firejail \-\-tmpfs=/var
+$ firejail \-\-tmpfs=~/.local/share
 .TP
 \fB\-\-top
 Monitor the most CPU-intensive sandboxes, see \fBMONITORING\fR section for more details.
@@ -2721,8 +2854,9 @@ $ firejail \-\-net=br0 --veth-name=if0
 \fB\-\-whitelist=dirname_or_filename
 Whitelist directory or file. A temporary file system is mounted on the top directory, and the
 whitelisted files are mount-binded inside. Modifications to whitelisted files are persistent,
-everything else is discarded when the sandbox is closed. The top directory could be
-user home, /dev, /etc, /media, /mnt, /opt, /run/user/$UID, /srv, /sys/module, /tmp, /usr/share and /var.
+everything else is discarded when the sandbox is closed. The top directory can be
+all directories in / (except /proc and /sys), /sys/module, /run/user/$UID, $HOME and
+all directories in /usr.
 .br
 
 .br
@@ -2848,7 +2982,7 @@ and it is installed by default on most Linux distributions. It provides support
 connection model. Untrusted clients are restricted in certain ways to prevent them from reading window
 contents of other clients, stealing input events, etc.
 
-The untrusted mode has several limitations. A lot of regular programs  assume they are a trusted X11 clients
+The untrusted mode has several limitations. A lot of regular programs assume they are a trusted X11 clients
 and will crash or lock up when run in untrusted mode. Chromium browser and xterm are two examples.
 Firefox and transmission-gtk seem to be working fine.
 A network namespace is not required for this option.
@@ -3179,6 +3313,65 @@ $ firejail \-\-put=mybrowser xpra-clipboard.png ~/Downloads/xpra-clipboard.png
 $ firejail \-\-cat=mybrowser ~/.bashrc
 .br
 #endif
+
+.SH INTRUSION DETECTION SYSTEM (IDS)
+The host-based intrusion detection system tracks down and audits user and system file modifications.
+The feature is configured using /etc/firejail/ids.config file, the checksums are stored in /var/lib/firejail/USERNAME.ids,
+where USERNAME is the name of the current user. We use BLAKE2 cryptographic function for hashing.
+
+As a regular user, initialize the database:
+.br
+
+.br
+$ firejail --ids-init
+.br
+Opening config file /etc/firejail/ids.config
+.br
+Loading config file /etc/firejail/ids.config
+.br
+Opening config file /etc/firejail/ids.config.local
+.br
+500 1000 1500 2000
+.br
+2466 files scanned
+.br
+IDS database initialized
+.br
+
+.br
+The default configuration targets several system executables in directories such as /bin, /sbin, /usr/bin, /usr/sbin, and several critical config files in user home directory
+such as ~/.bashrc, ~/.xinitrc, and ~/.config/autostart. Several system config files in /etc directory are also hashed.
+.br
+
+.br
+Run --ids-check to audit the system:
+.br
+
+.br
+$ firejail --ids-check
+.br
+Opening config file /etc/firejail/ids.config
+.br
+Loading config file /etc/firejail/ids.config
+.br
+Opening config file /etc/firejail/ids.config.local
+.br
+500 1000 1500
+.br
+Warning: modified /home/netblue/.bashrc
+.br
+2000
+.br
+2466 files scanned: modified 1, permissions 0, new 0, removed 0
+.br
+
+.br
+The program will print the files that have been modified since the database was created, or the files with different access permissions.
+New files and deleted files are also flagged.
+
+Currently while scanning the file system, symbolic links are not followed, and files the user doesn't have read access to are silently dropped.
+The program can also be run as root (sudo firejail --ids-init/--ids-check).
+
 .SH MONITORING
 Option \-\-list prints a list of all sandboxes. The format
 for each process entry is as follows:
@@ -3239,7 +3432,7 @@ The owner of the sandbox.
 .SH RESTRICTED SHELL
 To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in
 /etc/passwd file for each user that needs to be restricted. Alternatively,
-you can specify /usr/bin/firejail  in adduser command:
+you can specify /usr/bin/firejail in adduser command:
 
 adduser \-\-shell /usr/bin/firejail username
 
@@ -3249,7 +3442,7 @@ Additional arguments passed to firejail executable upon login are declared in /e
 Several command line options can be passed to the program using
 profile files. Firejail chooses the profile file as follows:
 
-1. If a profile file is provided by the user with --profile=FILE option, the profile FILE is loaded. If a profile name is given, it is searched for first in the ~/.config/firejail directory and if not found then in  /etc/firejail directory. Profile names do not include the .profile suffix. If there is a file with the same name as the given profile name, it will be used instead of doing the profile search. To force a profile search, prefix the profile name with a colon (:), eg. --profile=:PROFILE_NAME.
+1. If a profile file is provided by the user with --profile=FILE option, the profile FILE is loaded. If a profile name is given, it is searched for first in the ~/.config/firejail directory and if not found then in /etc/firejail directory. Profile names do not include the .profile suffix. If there is a file with the same name as the given profile name, it will be used instead of doing the profile search. To force a profile search, prefix the profile name with a colon (:), eg. --profile=:PROFILE_NAME.
 Example:
 .PP
 .RS
@@ -3365,7 +3558,7 @@ Homepage: https://firejail.wordpress.com
 .BR firejail-profile (5),
 .BR firejail-login (5),
 .BR firejail-users (5),
-.BR jailtest (1)
+.BR jailcheck (1)
 
 .UR https://github.com/netblue30/firejail/wiki
 .UE ,
diff --git a/src/man/firemon.txt b/src/man/firemon.txt
index 64f15a1f0..c4e6e15b3 100644
--- a/src/man/firemon.txt
+++ b/src/man/firemon.txt
@@ -56,7 +56,7 @@ Print route table for each sandbox.
 Print seccomp configuration for each sandbox.
 .TP
 \fB\-\-top
-Monitor the most CPU-intensive sandboxes. This command  is similar to
+Monitor the most CPU-intensive sandboxes. This command is similar to
 the regular UNIX top command, however it applies only to sandboxes.
 .TP
 \fB\-\-tree
@@ -120,4 +120,4 @@ Homepage: https://firejail.wordpress.com
 .BR firejail-profile (5),
 .BR firejail-login (5),
 .BR firejail-users (5),
-.BR jailtest (1)
+.BR jailcheck (1)
diff --git a/src/man/jailtest.txt b/src/man/jailcheck.txt
index b52fc5eed..483f47fb9 100644
--- a/src/man/jailtest.txt
+++ b/src/man/jailcheck.txt
@@ -1,29 +1,30 @@
-.TH JAILTEST 1 "MONTH YEAR" "VERSION" "JAILTEST man page"
+.TH JAILCHECK 1 "MONTH YEAR" "VERSION" "JAILCHECK man page"
 .SH NAME
-jailtest \- Simple utility program to test running sandboxes
+jailcheck \- Simple utility program to test running sandboxes
 .SH SYNOPSIS
-sudo jailtest [OPTIONS] [directory]
+sudo jailcheck [OPTIONS] [directory]
 .SH DESCRIPTION
-WORK IN PROGRESS!
-jailtest attaches itself to all sandboxes started by the user and performs some basic tests
+jailcheck attaches itself to all sandboxes started by the user and performs some basic tests
 on the sandbox filesystem:
 .TP
 \fB1. Virtual directories
-jailtest extracts a list with the main virtual directories installed by the sandbox.
+jailcheck extracts a list with the main virtual directories installed by the sandbox.
 These directories are build by firejail at startup using --private* and --whitelist commands.
 .TP
 \fB2. Noexec test
-jailtest inserts executable programs in /home/username, /tmp, and /var/tmp directories
+jailcheck inserts executable programs in /home/username, /tmp, and /var/tmp directories
 and tries to run them from inside the sandbox, thus testing if the directory is executable or not.
 .TP
 \fB3. Read access test
-jailtest creates test files in the directories specified by the user and tries to read
+jailcheck creates test files in the directories specified by the user and tries to read
 them from inside the sandbox.
 .TP
 \fB4. AppArmor test
 .TP
 \fB5. Seccomp test
 .TP
+\fB6. Networking test
+.TP
 The program is started as root using sudo.
 
 .SH OPTIONS
@@ -49,7 +50,7 @@ It is followed by relevant sandbox information, such as the virtual directories
 
 .SH EXAMPLE
 
-$ sudo jailtest
+$ sudo jailcheck
 .br
 2014:netblue::firejail /usr/bin/gimp
 .br
@@ -57,6 +58,8 @@ $ sudo jailtest
 .br
    Warning: I can run programs in /home/netblue
 .br
+   Networking: disabled
+.br
 
 .br
 2055:netblue::firejail /usr/bin/ssh -X netblue@x.y.z.net
@@ -65,12 +68,16 @@ $ sudo jailtest
 .br
    Warning: I can read ~/.ssh
 .br
+   Networking: enabled
+.br
 
 .br
 2186:netblue:libreoffice:firejail --appimage /opt/LibreOffice-fresh.appimage
 .br
    Virtual dirs: /tmp, /var/tmp, /dev,
 .br
+   Networking: enabled
+.br
 
 .br
 26090:netblue::/usr/bin/firejail /opt/firefox/firefox
@@ -79,6 +86,8 @@ $ sudo jailtest
 .br
                  /run/user/1000,
 .br
+   Networking: enabled
+.br
 
 .br
 26160:netblue:tor:firejail --private=~/tor-browser_en-US ./start-tor
@@ -91,6 +100,8 @@ $ sudo jailtest
 .br
    Warning: I can run programs in /home/netblue
 .br
+   Networking: enabled
+.br
 
 
 .SH LICENSE
diff --git a/src/man/preproc.awk b/src/man/preproc.awk
index 1ce5c82de..d3a2b71c9 100755
--- a/src/man/preproc.awk
+++ b/src/man/preproc.awk
@@ -1,6 +1,6 @@
 #!/usr/bin/gawk -E
 
-# Copyright (c) 2019-2021 rusty-snake
+# Copyright (c) 2019-2022 rusty-snake
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
diff --git a/src/profstats/Makefile.in b/src/profstats/Makefile.in
index e025f5939..fa1b4f200 100644
--- a/src/profstats/Makefile.in
+++ b/src/profstats/Makefile.in
@@ -3,7 +3,7 @@ all: profstats
 
 include ../common.mk
 
-%.o : %.c $(H_FILE_LIST)
+%.o : %.c $(H_FILE_LIST) ../include/common.h
         $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
 
 profstats: $(OBJS)
diff --git a/src/profstats/main.c b/src/profstats/main.c
index 5035280b1..595a94c11 100644
--- a/src/profstats/main.c
+++ b/src/profstats/main.c
@@ -1,5 +1,5 @@
  /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -17,10 +17,8 @@
  * with this program; if not, write to the Free Software Foundation, Inc.,
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <assert.h>
+
+#include "../include/common.h"
 
 #define MAXBUF 2048
 // stats
@@ -46,6 +44,7 @@ static int cnt_whitelistusrshare = 0;	// include whitelist-usr-share-common.inc
 static int cnt_ssh = 0;
 static int cnt_mdwx = 0;
 static int cnt_whitelisthome = 0;
+static int cnt_noroot = 0;
 
 static int level = 0;
 static int arg_debug = 0;
@@ -65,27 +64,31 @@ static int arg_mdwx = 0;
 static int arg_dbus_system_none = 0;
 static int arg_dbus_user_none = 0;
 static int arg_whitelisthome = 0;
-
+static int arg_noroot = 0;
+static int arg_print_blacklist = 0;
+static int arg_print_whitelist = 0;
 
 static char *profile = NULL;
 
-
 static void usage(void) {
-        printf("proftool - print profile statistics\n");
-        printf("Usage: proftool [options] file[s]\n");
+        printf("profstats - print profile statistics\n");
+        printf("Usage: profstats [options] file[s]\n");
         printf("Options:\n");
         printf("   --apparmor - print profiles without apparmor\n");
         printf("   --caps - print profiles without caps\n");
-        printf("   --dbus-system-none - profiles without  \"dbus-system none\"\n");
-        printf("   --dbus-user-none - profiles without  \"dbus-user none\"\n");
+        printf("   --dbus-system-none - print profiles without \"dbus-system none\"\n");
+        printf("   --dbus-user-none - print profiles without \"dbus-user none\"\n");
         printf("   --ssh - print profiles without \"include disable-common.inc\"\n");
         printf("   --noexec - print profiles without \"include disable-exec.inc\"\n");
+        printf("   --noroot - print profiles without \"noroot\"\n");
         printf("   --private-bin - print profiles without private-bin\n");
         printf("   --private-dev - print profiles without private-dev\n");
         printf("   --private-etc - print profiles without private-etc\n");
         printf("   --private-tmp - print profiles without private-tmp\n");
+        printf("   --print-blacklist - print all --blacklist for a profile\n");
+        printf("   --print-whitelist - print all --private and --whitelist for a profile\n");
         printf("   --seccomp - print profiles without seccomp\n");
-        printf("   --memory-deny-write-execute - profile without \"memory-deny-write-execute\"\n");
+        printf("   --memory-deny-write-execute - print profiles without \"memory-deny-write-execute\"\n");
         printf("   --whitelist-home - print profiles whitelisting home directory\n");
         printf("   --whitelist-var - print profiles without \"include whitelist-var-common.inc\"\n");
         printf("   --whitelist-runuser - print profiles without \"include whitelist-runuser-common.inc\" or \"blacklist ${RUNUSER}\"\n");
@@ -94,8 +97,9 @@ static void usage(void) {
         printf("\n");
 }
 
-void process_file(const char *fname) {
+static void process_file(char *fname) {
         assert(fname);
+        char *tmpfname = NULL;
 
         if (arg_debug)
                 printf("processing #%s#\n", fname);
@@ -104,9 +108,19 @@ void process_file(const char *fname) {
 
         FILE *fp = fopen(fname, "r");
         if (!fp) {
-                fprintf(stderr, "Warning: cannot open %s, while processing %s\n", fname, profile);
-                level--;
-                return;
+                // the file was not found in the current directory
+                // look for it in /etc/firejail directory
+                if (asprintf(&tmpfname, "%s/%s", SYSCONFDIR, fname) == -1)
+                        errExit("asprintf");
+
+                fp = fopen(tmpfname, "r");
+                if (!fp) {
+                        fprintf(stderr, "Warning: cannot open %s or %s, while processing %s\n", fname, tmpfname, profile);
+                        free(tmpfname);
+                        level--;
+                        return;
+                }
+                fname = tmpfname;
         }
 
         int have_include_local = 0;
@@ -122,12 +136,26 @@ void process_file(const char *fname) {
                 if (*ptr == '\n' || *ptr == '#')
                         continue;
 
+                if (arg_print_blacklist) {
+                        if (strncmp(ptr, "blacklist", 9) == 0 ||
+                            strncmp(ptr, "noblacklist", 11) == 0)
+                                printf("%s: %s\n", fname, ptr);
+                }
+                else if (arg_print_whitelist) {
+                        if (strncmp(ptr, "whitelist", 9) == 0 ||
+                            strncmp(ptr, "nowhitelist", 11) == 0 ||
+                            strncmp(ptr, "private", 7) == 0)
+                                printf("%s: %s\n", fname, ptr);
+                }
+
                 if (strncmp(ptr, "seccomp", 7) == 0)
                         cnt_seccomp++;
                 else if (strncmp(ptr, "caps", 4) == 0)
                         cnt_caps++;
                 else if (strncmp(ptr, "include disable-exec.inc", 24) == 0)
                         cnt_noexec++;
+                else if (strncmp(ptr, "noroot", 6) == 0)
+                        cnt_noroot++;
                 else if (strncmp(ptr, "include whitelist-var-common.inc", 32) == 0)
                         cnt_whitelistvar++;
                 else if (strncmp(ptr, "include whitelist-runuser-common.inc", 36) == 0 ||
@@ -185,6 +213,8 @@ void process_file(const char *fname) {
         if (!have_include_local)
                 printf("No include .local found in %s\n", fname);
         level--;
+        if (tmpfname)
+                free(tmpfname);
 }
 
 int main(int argc, char **argv) {
@@ -212,6 +242,8 @@ int main(int argc, char **argv) {
                         arg_mdwx = 1;
                 else if (strcmp(argv[i], "--noexec") == 0)
                         arg_noexec = 1;
+                else if (strcmp(argv[i], "--noroot") == 0)
+                        arg_noroot = 1;
                 else if (strcmp(argv[i], "--private-bin") == 0)
                         arg_privatebin = 1;
                 else if (strcmp(argv[i], "--private-dev") == 0)
@@ -220,6 +252,10 @@ int main(int argc, char **argv) {
                         arg_privatetmp = 1;
                 else if (strcmp(argv[i], "--private-etc") == 0)
                         arg_privateetc = 1;
+                else if (strcmp(argv[i], "--print-blacklist") == 0)
+                        arg_print_blacklist = 1;
+                else if (strcmp(argv[i], "--print-whitelist") == 0)
+                        arg_print_whitelist = 1;
                 else if (strcmp(argv[i], "--whitelist-home") == 0)
                         arg_whitelisthome = 1;
                 else if (strcmp(argv[i], "--whitelist-var") == 0)
@@ -256,6 +292,7 @@ int main(int argc, char **argv) {
                 int caps = cnt_caps;
                 int apparmor = cnt_apparmor;
                 int noexec = cnt_noexec;
+                int noroot = cnt_noroot;
                 int privatebin = cnt_privatebin;
                 int privatetmp = cnt_privatetmp;
                 int privatedev = cnt_privatedev;
@@ -313,6 +350,8 @@ int main(int argc, char **argv) {
                         printf("No seccomp found in %s\n", argv[i]);
                 if (arg_noexec && noexec == cnt_noexec)
                         printf("No include disable-exec.inc found in %s\n", argv[i]);
+                if (arg_noroot && noroot == cnt_noroot)
+                        printf("No noroot found in %s\n", argv[i]);
                 if (arg_privatedev && privatedev == cnt_privatedev)
                         printf("No private-dev found in %s\n", argv[i]);
                 if (arg_privatebin && privatebin == cnt_privatebin)
@@ -337,6 +376,9 @@ int main(int argc, char **argv) {
                 assert(level == 0);
         }
 
+        if (arg_print_blacklist || arg_print_whitelist)
+                return 0;
+
         printf("\n");
         printf("Stats:\n");
         printf("    profiles\t\t\t%d\n", cnt_profiles);
@@ -346,6 +388,7 @@ int main(int argc, char **argv) {
         printf("    seccomp\t\t\t%d\n", cnt_seccomp);
         printf("    capabilities\t\t%d\n", cnt_caps);
         printf("    noexec\t\t\t%d   (include disable-exec.inc)\n", cnt_noexec);
+        printf("    noroot\t\t\t%d\n", cnt_noroot);
         printf("    memory-deny-write-execute\t%d\n", cnt_mdwx);
         printf("    apparmor\t\t\t%d\n", cnt_apparmor);
         printf("    private-bin\t\t\t%d\n", cnt_privatebin);
diff --git a/src/tools/check-caps.sh b/src/tools/check-caps.sh
index b7026b1cd..62c3b9066 100755
--- a/src/tools/check-caps.sh
+++ b/src/tools/check-caps.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 if [ $# -eq 0 ]
diff --git a/src/tools/extract_caps.c b/src/tools/extract_caps.c
index 8da9c452b..5e5b3cdc6 100644
--- a/src/tools/extract_caps.c
+++ b/src/tools/extract_caps.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/tools/extract_errnos.sh b/src/tools/extract_errnos.sh
index 34c416b04..bb430b3e1 100644
--- a/src/tools/extract_errnos.sh
+++ b/src/tools/extract_errnos.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 echo -e "#include <errno.h>\n#include <attr/xattr.h>" | \
diff --git a/src/tools/extract_seccomp.c b/src/tools/extract_seccomp.c
index b5f92d2df..6b644796b 100644
--- a/src/tools/extract_seccomp.c
+++ b/src/tools/extract_seccomp.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/tools/extract_syscalls.c b/src/tools/extract_syscalls.c
index 9159b6576..f77a84123 100644
--- a/src/tools/extract_syscalls.c
+++ b/src/tools/extract_syscalls.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/tools/mkcoverit.sh b/src/tools/mkcoverit.sh
index 86d798a11..c7a57cd21 100755
--- a/src/tools/mkcoverit.sh
+++ b/src/tools/mkcoverit.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 # unpack firejail archive
diff --git a/src/tools/testuid.c b/src/tools/testuid.c
index a18d57d5e..1bc617522 100644
--- a/src/tools/testuid.c
+++ b/src/tools/testuid.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/tools/ttytest.c b/src/tools/ttytest.c
index 0f72753bc..9e40d289a 100644
--- a/src/tools/ttytest.c
+++ b/src/tools/ttytest.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/tools/unixsocket.c b/src/tools/unixsocket.c
index c4ecabca7..bd638269d 100644
--- a/src/tools/unixsocket.c
+++ b/src/tools/unixsocket.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/zsh_completion/_firejail.in b/src/zsh_completion/_firejail.in
index fd27bb35f..f7cd3cdff 100644
--- a/src/zsh_completion/_firejail.in
+++ b/src/zsh_completion/_firejail.in
@@ -62,6 +62,9 @@ _firejail_args=(
     '--tree[print a tree of all sandboxed processes]'
     '--version[print program version and exit]'
 
+    '--ids-check[verify file system]'
+    '--ids-init[initialize IDS database]'
+
     '--debug[print sandbox debug messages]'
     '--debug-blacklists[debug blacklisting]'
     '--debug-caps[print all recognized capabilities]'
@@ -91,6 +94,7 @@ _firejail_args=(
     '--cgroup=-[place the sandbox in the specified control group]: :'
     '--cpu=-[set cpu affinity]: :->cpus'
     "--deterministic-exit-code[always exit with first child's status code]"
+    '--deterministic-shutdown[terminate orphan processes]'
     '*--dns=-[set DNS server]: :'
     '*--env=-[set environment variable]: :'
     '--hostname=-[set sandbox hostname]: :'
@@ -98,9 +102,11 @@ _firejail_args=(
     '*--ignore=-[ignore command in profile files]: :'
     '--ipc-namespace[enable a new IPC namespace]'
     '--join-or-start=-[join the sandbox or start a new one name|pid]: :_all_firejails'
+    '--keep-config-pulse[disable automatic ~/.config/pulse init]'
     '--keep-dev-shm[/dev/shm directory is untouched (even with --private-dev)]'
+    '--keep-fd[inherit open file descriptors to sandbox]'
     '--keep-var-tmp[/var/tmp directory is untouched]'
-    '--machine-id[preserve /etc/machine-id]'
+    '--machine-id[spoof /etc/machine-id with a random id]'
     '--memory-deny-write-execute[seccomp filter to block attempts to create memory mappings that are both writable and executable]'
     '*--mkdir=-[create a directory]:'
     '*--mkfile=-[create a file]:'
@@ -116,7 +122,9 @@ _firejail_args=(
     '--nodvd[disable DVD and audio CD devices]'
     '*--noexec=-[remount the file or directory noexec nosuid and nodev]: :_files'
     '--nogroups[disable supplementary groups]'
+    '--noinput[disable input devices]'
     '--nonewprivs[sets the NO_NEW_PRIVS prctl]'
+    '--noprinters[disable printers]'
     '--nosound[disable sound system]'
     '--nou2f[disable U2F devices]'
     '--novideo[disable video devices]'
@@ -213,7 +221,7 @@ _firejail_args=(
     '--netfilter.print=-[print the firewall name|pid]: :_all_firejails'
     '--netfilter6=-[enable IPv6 firewall]: :'
     '--netfilter6.print=-[print the IPv6 firewall name|pid]: :_all_firejails'
-    '--netmask=-[define a network mask when dealing with unconfigured parrent interfaces]: :'
+    '--netmask=-[define a network mask when dealing with unconfigured parent interfaces]: :'
     '--netns=-[Run the program in a named, persistent network namespace]: :'
     '--netstats[monitor network statistics]'
     '--interface=-[move interface in sandbox]: :'
@@ -249,10 +257,8 @@ _firejail_args=(
     '*--tmpfs=-[mount a tmpfs filesystem on directory dirname]: :_files -/'
 #endif
 
-#ifdef HAVE_WHITELIST
     '*--nowhitelist=-[disable whitelist for file or directory]: :_files'
     '*--whitelist=-[whitelist directory or file]: :_files'
-#endif
 
 #ifdef HAVE_X11
     '--x11[enable X11 sandboxing. The software checks first if Xpra is installed, then it checks if Xephyr is installed. If all fails, it will attempt to use X11 security extension]'
diff --git a/test/appimage/appimage-args.exp b/test/appimage/appimage-args.exp
index eecb9bf82..e1fb8567a 100755
--- a/test/appimage/appimage-args.exp
+++ b/test/appimage/appimage-args.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -23,7 +23,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
@@ -51,7 +51,7 @@ expect {
 send -- "firejail --name=blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 7\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
diff --git a/test/appimage/appimage-trace.exp b/test/appimage/appimage-trace.exp
index 2f67eb531..d1530349e 100755
--- a/test/appimage/appimage-trace.exp
+++ b/test/appimage/appimage-trace.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -11,7 +11,7 @@ set appimage_id $spawn_id
 send -- "firejail --trace --timeout=00:00:05 --appimage Leafpad-0.8.17-x86_64.AppImage\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
@@ -38,7 +38,7 @@ sleep 1
 send -- "firejail --trace --timeout=00:00:05 --appimage Leafpad-0.8.18.1.glibc2.4-x86_64.AppImage\r"
 expect {
         timeout {puts "TESTING ERROR 11\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 expect {
         timeout {puts "TESTING ERROR 12\n";exit}
diff --git a/test/appimage/appimage-v1.exp b/test/appimage/appimage-v1.exp
index b8b6e0c96..2fcccfd5b 100755
--- a/test/appimage/appimage-v1.exp
+++ b/test/appimage/appimage-v1.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -11,7 +11,7 @@ set appimage_id $spawn_id
 send -- "firejail --name=appimage-test --debug --appimage Leafpad-0.8.17-x86_64.AppImage\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
@@ -39,7 +39,7 @@ expect {
 send -- "firejail --name=blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
diff --git a/test/appimage/appimage-v2.exp b/test/appimage/appimage-v2.exp
index 243824f75..d289165d9 100755
--- a/test/appimage/appimage-v2.exp
+++ b/test/appimage/appimage-v2.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -11,7 +11,7 @@ set appimage_id $spawn_id
 send -- "firejail --name=appimage-test --appimage Leafpad-0.8.18.1.glibc2.4-x86_64.AppImage\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
@@ -39,7 +39,7 @@ expect {
 send -- "firejail --name=blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
diff --git a/test/appimage/appimage.sh b/test/appimage/appimage.sh
index e766b1acd..9afacf5be 100755
--- a/test/appimage/appimage.sh
+++ b/test/appimage/appimage.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 export MALLOC_CHECK_=3
diff --git a/test/appimage/filename.exp b/test/appimage/filename.exp
index 54d8d722d..711eae8d2 100755
--- a/test/appimage/filename.exp
+++ b/test/appimage/filename.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/apps-x11-xorg/apps-x11-xorg.sh b/test/apps-x11-xorg/apps-x11-xorg.sh
index 7f37914aa..9ed123979 100755
--- a/test/apps-x11-xorg/apps-x11-xorg.sh
+++ b/test/apps-x11-xorg/apps-x11-xorg.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 export MALLOC_CHECK_=3
diff --git a/test/apps-x11-xorg/firefox.exp b/test/apps-x11-xorg/firefox.exp
index 12fcc13ce..4a85b593b 100755
--- a/test/apps-x11-xorg/firefox.exp
+++ b/test/apps-x11-xorg/firefox.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -36,7 +36,7 @@ expect {
 send -- "firejail --name=blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
diff --git a/test/apps-x11-xorg/thunderbird.exp b/test/apps-x11-xorg/thunderbird.exp
index 5c810c517..a06303fc5 100755
--- a/test/apps-x11-xorg/thunderbird.exp
+++ b/test/apps-x11-xorg/thunderbird.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -33,7 +33,7 @@ expect {
 send -- "firejail --name=blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
diff --git a/test/apps-x11-xorg/transmission-gtk.exp b/test/apps-x11-xorg/transmission-gtk.exp
index e0f519c00..3e497f9e0 100755
--- a/test/apps-x11-xorg/transmission-gtk.exp
+++ b/test/apps-x11-xorg/transmission-gtk.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -33,7 +33,7 @@ expect {
 send -- "firejail --name=blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
diff --git a/test/apps-x11-xorg/transmission-qt.exp b/test/apps-x11-xorg/transmission-qt.exp
index 02a015968..0642d3d32 100755
--- a/test/apps-x11-xorg/transmission-qt.exp
+++ b/test/apps-x11-xorg/transmission-qt.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -33,7 +33,7 @@ expect {
 send -- "firejail --name=blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
diff --git a/test/apps-x11/apps-x11.sh b/test/apps-x11/apps-x11.sh
index 9954cb736..a3c946ca4 100755
--- a/test/apps-x11/apps-x11.sh
+++ b/test/apps-x11/apps-x11.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 export MALLOC_CHECK_=3
diff --git a/test/apps-x11/chromium.exp b/test/apps-x11/chromium.exp
index 92739048c..059fd0ad7 100755
--- a/test/apps-x11/chromium.exp
+++ b/test/apps-x11/chromium.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -32,7 +32,7 @@ expect {
 send -- "firejail --name=blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
diff --git a/test/apps-x11/firefox.exp b/test/apps-x11/firefox.exp
index 69efc79d9..ac177211d 100755
--- a/test/apps-x11/firefox.exp
+++ b/test/apps-x11/firefox.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -36,7 +36,7 @@ expect {
 send -- "firejail --name=blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
diff --git a/test/apps-x11/thunderbird.exp b/test/apps-x11/thunderbird.exp
index 7cfc957b7..391dc52e3 100755
--- a/test/apps-x11/thunderbird.exp
+++ b/test/apps-x11/thunderbird.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -33,7 +33,7 @@ expect {
 send -- "firejail --name=blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
diff --git a/test/apps-x11/transmission-gtk.exp b/test/apps-x11/transmission-gtk.exp
index 53e396a9e..21bc4a8bc 100755
--- a/test/apps-x11/transmission-gtk.exp
+++ b/test/apps-x11/transmission-gtk.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -33,7 +33,7 @@ expect {
 send -- "firejail --name=blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
diff --git a/test/apps-x11/x11-none.exp b/test/apps-x11/x11-none.exp
index b45751aa7..e6ff12f27 100755
--- a/test/apps-x11/x11-none.exp
+++ b/test/apps-x11/x11-none.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -17,7 +17,7 @@ sleep 1
 send -- "firejail --name=test --net=none --x11=none\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
diff --git a/test/apps-x11/x11-xephyr.exp b/test/apps-x11/x11-xephyr.exp
index 3da0e1a46..f0090d713 100755
--- a/test/apps-x11/x11-xephyr.exp
+++ b/test/apps-x11/x11-xephyr.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -10,7 +10,7 @@ match_max 100000
 send -- "firejail --name=test --x11=xephyr xterm\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 
 exit
@@ -28,7 +28,7 @@ sleep 1
 send -- "firejail --name=test --net=none --x11=none\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
diff --git a/test/apps-x11/xterm-xephyr.exp b/test/apps-x11/xterm-xephyr.exp
index 5edbadad9..3db6cf793 100755
--- a/test/apps-x11/xterm-xephyr.exp
+++ b/test/apps-x11/xterm-xephyr.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -33,7 +33,7 @@ expect {
 send -- "firejail --name=blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
diff --git a/test/apps-x11/xterm-xorg.exp b/test/apps-x11/xterm-xorg.exp
index a2a027729..409b39f40 100755
--- a/test/apps-x11/xterm-xorg.exp
+++ b/test/apps-x11/xterm-xorg.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -33,7 +33,7 @@ expect {
 send -- "firejail --name=blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
diff --git a/test/apps-x11/xterm-xpra.exp b/test/apps-x11/xterm-xpra.exp
index 0f1458d15..4acf780ac 100755
--- a/test/apps-x11/xterm-xpra.exp
+++ b/test/apps-x11/xterm-xpra.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -33,7 +33,7 @@ expect {
 send -- "firejail --name=blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
diff --git a/test/apps/apps.sh b/test/apps/apps.sh
index c332fe416..83e977ba0 100755
--- a/test/apps/apps.sh
+++ b/test/apps/apps.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 export MALLOC_CHECK_=3
diff --git a/test/apps/chromium.exp b/test/apps/chromium.exp
index d65bc93a9..4e036dee9 100755
--- a/test/apps/chromium.exp
+++ b/test/apps/chromium.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -14,7 +14,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 10
 
@@ -41,7 +41,7 @@ expect {
 send -- "firejail --name=blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
diff --git a/test/apps/deluge.exp b/test/apps/deluge.exp
index 25c98623c..5df35fce4 100755
--- a/test/apps/deluge.exp
+++ b/test/apps/deluge.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -14,7 +14,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 10
 
@@ -41,7 +41,7 @@ expect {
 send -- "firejail --name=blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
diff --git a/test/apps/fbreader.exp b/test/apps/fbreader.exp
index 67301c1d2..ebb21bcf2 100755
--- a/test/apps/fbreader.exp
+++ b/test/apps/fbreader.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -14,7 +14,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 3
 
@@ -41,7 +41,7 @@ expect {
 send -- "firejail --name=blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
diff --git a/test/apps/filezilla.exp b/test/apps/filezilla.exp
index da37f1eff..397904860 100755
--- a/test/apps/filezilla.exp
+++ b/test/apps/filezilla.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -14,7 +14,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 3
 
@@ -41,7 +41,7 @@ expect {
 send -- "firejail --name=blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
diff --git a/test/apps/firefox.exp b/test/apps/firefox.exp
index 2a6f18276..f09c76b5d 100755
--- a/test/apps/firefox.exp
+++ b/test/apps/firefox.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -14,7 +14,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 10
 
@@ -47,7 +47,7 @@ expect {
 send -- "firejail --name=blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
diff --git a/test/apps/gnome-mplayer.exp b/test/apps/gnome-mplayer.exp
index 564220d95..4d7ccff81 100755
--- a/test/apps/gnome-mplayer.exp
+++ b/test/apps/gnome-mplayer.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -14,7 +14,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 5
 
@@ -41,7 +41,7 @@ expect {
 send -- "firejail --name=blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
diff --git a/test/apps/gthumb.exp b/test/apps/gthumb.exp
index 569adcd34..0da1572b2 100755
--- a/test/apps/gthumb.exp
+++ b/test/apps/gthumb.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -14,7 +14,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 3
 
@@ -41,7 +41,7 @@ expect {
 send -- "firejail --name=blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
diff --git a/test/apps/hexchat.exp b/test/apps/hexchat.exp
index adea02216..8ed823dd5 100755
--- a/test/apps/hexchat.exp
+++ b/test/apps/hexchat.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -14,7 +14,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 3
 
@@ -41,7 +41,7 @@ expect {
 send -- "firejail --name=blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
diff --git a/test/apps/kcalc.exp b/test/apps/kcalc.exp
index aaeb5221d..d7251eec1 100755
--- a/test/apps/kcalc.exp
+++ b/test/apps/kcalc.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -14,7 +14,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 3
 
@@ -41,7 +41,7 @@ expect {
 send -- "firejail --name=blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
diff --git a/test/apps/ktorrent.exp b/test/apps/ktorrent.exp
index 8693f5f1d..efa3f1d08 100755
--- a/test/apps/ktorrent.exp
+++ b/test/apps/ktorrent.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -14,7 +14,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 3
 
@@ -41,7 +41,7 @@ expect {
 send -- "firejail --name=blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
diff --git a/test/apps/midori.exp b/test/apps/midori.exp
index fae41e6da..431b43f8d 100755
--- a/test/apps/midori.exp
+++ b/test/apps/midori.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -14,7 +14,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 5
 
@@ -41,7 +41,7 @@ expect {
 send -- "firejail --name=blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
diff --git a/test/apps/opera.exp b/test/apps/opera.exp
index 990476ed5..b0d1f3b9d 100755
--- a/test/apps/opera.exp
+++ b/test/apps/opera.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -14,7 +14,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 10
 
@@ -41,7 +41,7 @@ expect {
 send -- "firejail --name=blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
diff --git a/test/apps/qbittorrent.exp b/test/apps/qbittorrent.exp
index bc0386335..842e47986 100755
--- a/test/apps/qbittorrent.exp
+++ b/test/apps/qbittorrent.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -14,7 +14,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 3
 
@@ -41,7 +41,7 @@ expect {
 send -- "firejail --name=blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
diff --git a/test/apps/thunderbird.exp b/test/apps/thunderbird.exp
index 10d0bb2f6..2b93835b6 100755
--- a/test/apps/thunderbird.exp
+++ b/test/apps/thunderbird.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -14,7 +14,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 5
 
@@ -41,7 +41,7 @@ expect {
 send -- "firejail --name=blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
diff --git a/test/apps/transmission-qt.exp b/test/apps/transmission-qt.exp
index fec18a8bf..90b0ef4ac 100755
--- a/test/apps/transmission-qt.exp
+++ b/test/apps/transmission-qt.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -14,7 +14,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 3
 
@@ -41,7 +41,7 @@ expect {
 send -- "firejail --name=blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
diff --git a/test/apps/uget-gtk.exp b/test/apps/uget-gtk.exp
index caa4063b9..21b859ee2 100755
--- a/test/apps/uget-gtk.exp
+++ b/test/apps/uget-gtk.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -14,7 +14,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 3
 
@@ -41,7 +41,7 @@ expect {
 send -- "firejail --name=blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
diff --git a/test/apps/vlc.exp b/test/apps/vlc.exp
index ce3df1ba6..a0aed9cc9 100755
--- a/test/apps/vlc.exp
+++ b/test/apps/vlc.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -14,7 +14,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 3
 
@@ -41,7 +41,7 @@ expect {
 send -- "firejail --name=blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
diff --git a/test/apps/wine.exp b/test/apps/wine.exp
index 982a0c6d9..e2a08089f 100755
--- a/test/apps/wine.exp
+++ b/test/apps/wine.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -14,7 +14,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
diff --git a/test/apps/xchat.exp b/test/apps/xchat.exp
index 9ed75d821..ca17f44e4 100755
--- a/test/apps/xchat.exp
+++ b/test/apps/xchat.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -14,7 +14,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 3
 
@@ -41,7 +41,7 @@ expect {
 send -- "firejail --name=blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
diff --git a/test/chroot/chroot.sh b/test/chroot/chroot.sh
index 1ac5cf47e..3c3e7311b 100755
--- a/test/chroot/chroot.sh
+++ b/test/chroot/chroot.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 export MALLOC_CHECK_=3
diff --git a/test/chroot/configure b/test/chroot/configure
index 747dc4383..3f3555193 100755
--- a/test/chroot/configure
+++ b/test/chroot/configure
@@ -1,6 +1,6 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 # build a very small chroot
diff --git a/test/chroot/fs_chroot.exp b/test/chroot/fs_chroot.exp
index 650425829..c379e389c 100755
--- a/test/chroot/fs_chroot.exp
+++ b/test/chroot/fs_chroot.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -11,7 +11,7 @@ send -- "firejail  --chroot=/tmp/chroot\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
         "Error: --chroot option is not available on Grsecurity systems" {puts "\nall done\n"; exit}
-        "Child process initialized" {puts "chroot available\n"};
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "chroot available\n"};
 }
 sleep 1
 
diff --git a/test/chroot/unchroot-as-root.exp b/test/chroot/unchroot-as-root.exp
index b88367054..f67590768 100755
--- a/test/chroot/unchroot-as-root.exp
+++ b/test/chroot/unchroot-as-root.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -11,7 +11,7 @@ send -- "firejail  --chroot=/tmp/chroot\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
         "Error: --chroot option is not available on Grsecurity systems" {puts "\nall done\n"; exit}
-        "Child process initialized" {puts "chroot available\n"};
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "chroot available\n"};
 }
 sleep 1
 
diff --git a/test/chroot/unchroot.c b/test/chroot/unchroot.c
index 643983ce4..5d006e318 100644
--- a/test/chroot/unchroot.c
+++ b/test/chroot/unchroot.c
@@ -1,5 +1,5 @@
 // This file is part of Firejail project
-// Copyright (C) 2014-2021 Firejail Authors
+// Copyright (C) 2014-2022 Firejail Authors
 // License GPL v2
 
 // simple unchroot example from http://linux-vserver.org/Secure_chroot_Barrier
diff --git a/test/compile/compile.sh b/test/compile/compile.sh
index 101998187..0a87913f1 100755
--- a/test/compile/compile.sh
+++ b/test/compile/compile.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 # not currently covered
diff --git a/test/environment/allow-debuggers.exp b/test/environment/allow-debuggers.exp
index f660c123a..f972b5788 100755
--- a/test/environment/allow-debuggers.exp
+++ b/test/environment/allow-debuggers.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -11,7 +11,7 @@ match_max 100000
 send -- "firejail --allow-debuggers\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized" { puts "\n"}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" { puts "\n"}
         "is disabled on Linux kernels prior to 4.8" { puts "TESTING SKIP: kernel too old\n"; exit }
 }
 after 100
diff --git a/test/environment/csh.exp b/test/environment/csh.exp
index f8ced07b5..31bfbfa40 100755
--- a/test/environment/csh.exp
+++ b/test/environment/csh.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -11,7 +11,7 @@ match_max 100000
 send -- "firejail --private --shell=/bin/csh\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
diff --git a/test/environment/dash.exp b/test/environment/dash.exp
index 983a527cf..4dd5cac9f 100755
--- a/test/environment/dash.exp
+++ b/test/environment/dash.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -11,7 +11,7 @@ match_max 100000
 send -- "firejail --private --tracelog --shell=/bin/dash\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
diff --git a/test/environment/deterministic-exit-code.exp b/test/environment/deterministic-exit-code.exp
index 1a1e53605..9f5be2c3d 100755
--- a/test/environment/deterministic-exit-code.exp
+++ b/test/environment/deterministic-exit-code.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 4
@@ -10,7 +10,7 @@ match_max 100000
 send -- "firejail\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
@@ -32,7 +32,7 @@ after 100
 send -- "firejail --deterministic-exit-code\r"
 expect {
         timeout {puts "TESTING ERROR 3\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
diff --git a/test/environment/deterministic-shutdown.exp b/test/environment/deterministic-shutdown.exp
new file mode 100755
index 000000000..be4e9c42e
--- /dev/null
+++ b/test/environment/deterministic-shutdown.exp
@@ -0,0 +1,17 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2022 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --deterministic-shutdown bash -c \"sleep 100 & exec sleep 1\"\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Parent is shutting down, bye..."
+}
+after 100
+
+puts "\nall done\n"
diff --git a/test/environment/dns.exp b/test/environment/dns.exp
index 5b06b51c0..b5a8c119b 100755
--- a/test/environment/dns.exp
+++ b/test/environment/dns.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -30,7 +30,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 1.5\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 expect {
         timeout {puts "TESTING ERROR 1.6\n";exit}
@@ -47,7 +47,7 @@ expect {
         "DNS server 8.8.8.8" {puts "TESTING ERROR 2.3\n";exit}
         "DNS server 4.2.2.1" {puts "TESTING ERROR 2.4\n";exit}
         "DNS server ::2" {puts "TESTING ERROR 2.5\n";exit}
-        "Child process initialized" {puts "TESTING ERROR 2.6\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "TESTING ERROR 2.6\n";exit}
         "Parent is shutting down, bye..." {puts "TESTING ERROR 2.7\n";exit}
         "root"
 }
@@ -56,7 +56,7 @@ after 100
 send -- "firejail --dns=8.8.4.4 --dns=8.8.8.8 --dns=4.2.2.1 --dns=::2\r"
 expect {
         timeout {puts "TESTING ERROR 3\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
@@ -85,7 +85,7 @@ sleep 1
 send -- "firejail --profile=dns.profile\r"
 expect {
         timeout {puts "TESTING ERROR 5.1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
diff --git a/test/environment/doubledash.exp b/test/environment/doubledash.exp
index 275755337..dd2725426 100755
--- a/test/environment/doubledash.exp
+++ b/test/environment/doubledash.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -10,7 +10,7 @@ match_max 100000
 send --  "firejail -- ls -- -testdir\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
@@ -26,7 +26,7 @@ sleep 1
 send --  "firejail --name=testing -- -testdir/bash\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 3
 
diff --git a/test/environment/env.exp b/test/environment/env.exp
index 4f6f8a1b7..9394f2066 100755
--- a/test/environment/env.exp
+++ b/test/environment/env.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -11,7 +11,7 @@ match_max 100000
 send -- "firejail --env=ENV1=env1 --env=ENV2=env2 --env=ENV3=env3\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
@@ -37,7 +37,7 @@ after 100
 send -- "firejail --profile=env.profile\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 send -- "env | grep LD_LIBRARY_PATH\r"
diff --git a/test/environment/environment.sh b/test/environment/environment.sh
index 152975c9d..2b77973ac 100755
--- a/test/environment/environment.sh
+++ b/test/environment/environment.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 export MALLOC_CHECK_=3
@@ -112,14 +112,26 @@ echo "TESTING: rlimit (test/environment/rlimit.exp)"
 echo "TESTING: rlimit profile (test/environment/rlimit-profile.exp)"
 ./rlimit-profile.exp
 
+echo "TESTING: rlimit join (test/environment/rlimit-join.exp)"
+./rlimit-join.exp
+
 echo "TESTING: rlimit errors (test/environment/rlimit-bad.exp)"
 ./rlimit-bad.exp
 
 echo "TESTING: rlimit errors profile (test/environment/rlimit-bad-profile.exp)"
 ./rlimit-bad-profile.exp
 
-echo "TESTING: deterministic exit code (test/environment/deterministic-exit-code.exp"
+echo "TESTING: deterministic exit code (test/environment/deterministic-exit-code.exp)"
 ./deterministic-exit-code.exp
 
-echo "TESTING: retain umask (test/environment/umask.exp"
+echo "TESTING: deterministic shutdown (test/environment/deterministic-shutdown.exp)"
+./deterministic-shutdown.exp
+
+echo "TESTING: keep fd (test/environment/keep-fd.exp)"
+./keep-fd.exp
+
+echo "TESTING: keep fd errors (test/environment/keep-fd-bad.exp)"
+./keep-fd-bad.exp
+
+echo "TESTING: retain umask (test/environment/umask.exp)"
 (umask 123 && ./umask.exp)
diff --git a/test/environment/extract_command.exp b/test/environment/extract_command.exp
index f91a10fa6..45ff1f291 100755
--- a/test/environment/extract_command.exp
+++ b/test/environment/extract_command.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -14,7 +14,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
diff --git a/test/environment/firejail-in-firejail.exp b/test/environment/firejail-in-firejail.exp
index 459056260..4a60d5611 100755
--- a/test/environment/firejail-in-firejail.exp
+++ b/test/environment/firejail-in-firejail.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -10,7 +10,7 @@ match_max 100000
 send --  "firejail\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
diff --git a/test/environment/hostfile.exp b/test/environment/hostfile.exp
index 6b98863e5..ccc8d049e 100755
--- a/test/environment/hostfile.exp
+++ b/test/environment/hostfile.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 
@@ -15,7 +15,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 after 100
 
diff --git a/test/environment/ibus.exp b/test/environment/ibus.exp
index 089736f33..e9dd290a1 100755
--- a/test/environment/ibus.exp
+++ b/test/environment/ibus.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -11,7 +11,7 @@ match_max 100000
 send -- "firejail\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 after 100
 
diff --git a/test/environment/keep-fd-bad.exp b/test/environment/keep-fd-bad.exp
new file mode 100755
index 000000000..e8b411ea0
--- /dev/null
+++ b/test/environment/keep-fd-bad.exp
@@ -0,0 +1,40 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2022 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+
+send -- "firejail --noprofile --keep-fd=\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Error: invalid keep-fd option"
+}
+after 100
+
+send -- "firejail --noprofile --keep-fd=,,,\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Error: invalid keep-fd option"
+}
+after 100
+
+send -- "firejail --noprofile --keep-fd=dall\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "Error: invalid keep-fd option"
+}
+after 100
+
+send -- "firejail --noprofile --keep-fd=6,7,8,10b,11\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "Error: invalid keep-fd option"
+}
+after 100
+
+
+puts "\nall done\n"
diff --git a/test/environment/keep-fd.exp b/test/environment/keep-fd.exp
new file mode 100755
index 000000000..440cbd860
--- /dev/null
+++ b/test/environment/keep-fd.exp
@@ -0,0 +1,223 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2022 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+
+#
+# obtain some open file descriptors
+#
+send -- "exec {WRITE_FD}> blabla\r"
+after 100
+
+send -- "readlink -v /proc/self/fd/\$WRITE_FD\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "/blabla"
+}
+after 100
+
+send -- "exec {READ_FD}< blabla\r"
+after 100
+
+send -- "readlink -v /proc/self/fd/\$READ_FD\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "/blabla"
+}
+after 100
+
+
+#
+# inherit environment variables
+#
+send -- "export READ_FD\r"
+send -- "export WRITE_FD\r"
+after 100
+
+
+#
+# close all file descriptors
+# 0, 1, 2 stay open
+#
+send -- "firejail --noprofile\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        -re {Child process initialized in [0-9]+.[0-9]+ ms}
+}
+after 100
+
+# off by one because of ls
+send -- "ls /proc/self/fd | wc -w\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "4"
+}
+after 100
+
+send -- "readlink -v /proc/self/fd/\$READ_FD\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "No such file or directory"
+}
+after 100
+
+send -- "readlink -v /proc/self/fd/\$WRITE_FD\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "No such file or directory"
+}
+after 100
+
+send -- "exit\r"
+after 500
+
+
+#
+# keep one file descriptor
+#
+send -- "firejail --noprofile --keep-fd=\$READ_FD\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        -re {Child process initialized in [0-9]+.[0-9]+ ms}
+}
+after 100
+
+# off by one because of ls
+send -- "ls /proc/self/fd | wc -w\r"
+expect {
+        timeout {puts "TESTING ERROR 7\n";exit}
+        "5"
+}
+after 100
+
+send -- "readlink -v /proc/self/fd/\$READ_FD\r"
+expect {
+        timeout {puts "TESTING ERROR 8\n";exit}
+        "/blabla"
+}
+after 100
+
+send -- "readlink -v /proc/self/fd/\$WRITE_FD\r"
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "No such file or directory"
+}
+after 100
+
+send -- "exit\r"
+after 500
+
+
+#
+# keep other file descriptor
+#
+send -- "firejail --noprofile --keep-fd=\$WRITE_FD\r"
+expect {
+        timeout {puts "TESTING ERROR 10\n";exit}
+        -re {Child process initialized in [0-9]+.[0-9]+ ms}
+}
+after 100
+
+# off by one because of ls
+send -- "ls /proc/self/fd | wc -w\r"
+expect {
+        timeout {puts "TESTING ERROR 11\n";exit}
+        "5"
+}
+after 100
+
+send -- "readlink -v /proc/self/fd/\$READ_FD\r"
+expect {
+        timeout {puts "TESTING ERROR 12\n";exit}
+        "No such file or directory"
+}
+after 100
+
+send -- "readlink -v /proc/self/fd/\$WRITE_FD\r"
+expect {
+        timeout {puts "TESTING ERROR 13\n";exit}
+        "/blabla"
+}
+after 100
+
+send -- "exit\r"
+after 500
+
+
+#
+# keep both file descriptors
+#
+send -- "firejail --noprofile --keep-fd=\$READ_FD,\$WRITE_FD\r"
+expect {
+        timeout {puts "TESTING ERROR 14\n";exit}
+        -re {Child process initialized in [0-9]+.[0-9]+ ms}
+}
+after 100
+
+# off by one because of ls
+send -- "ls /proc/self/fd | wc -w\r"
+expect {
+        timeout {puts "TESTING ERROR 15\n";exit}
+        "6"
+}
+after 100
+
+send -- "readlink -v /proc/self/fd/\$READ_FD\r"
+expect {
+        timeout {puts "TESTING ERROR 16\n";exit}
+        "/blabla"
+}
+after 100
+
+send -- "readlink -v /proc/self/fd/\$WRITE_FD\r"
+expect {
+        timeout {puts "TESTING ERROR 17\n";exit}
+        "/blabla"
+}
+after 100
+
+send -- "exit\r"
+after 500
+
+
+#
+# keep all file descriptors
+#
+send -- "firejail --noprofile --keep-fd=all\r"
+expect {
+        timeout {puts "TESTING ERROR 18\n";exit}
+        -re {Child process initialized in [0-9]+.[0-9]+ ms}
+}
+after 100
+
+send -- "readlink -v /proc/self/fd/\$READ_FD\r"
+expect {
+        timeout {puts "TESTING ERROR 19\n";exit}
+        "/blabla"
+}
+after 100
+
+send -- "readlink -v /proc/self/fd/\$WRITE_FD\r"
+expect {
+        timeout {puts "TESTING ERROR 20\n";exit}
+        "/blabla"
+}
+after 100
+
+send -- "exit\r"
+after 500
+
+
+#
+# cleanup
+#
+send -- "rm -f blabla\r"
+after 100
+
+
+puts "\nall done\n"
diff --git a/test/environment/machineid.exp b/test/environment/machineid.exp
index f0b3d2942..2392dc9d6 100755
--- a/test/environment/machineid.exp
+++ b/test/environment/machineid.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 
@@ -15,7 +15,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 after 100
 send -- "exit\r"
diff --git a/test/environment/nice.exp b/test/environment/nice.exp
index 80591978d..823d10c67 100755
--- a/test/environment/nice.exp
+++ b/test/environment/nice.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -10,7 +10,7 @@ match_max 100000
 send -- "firejail --nice=15\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
@@ -39,7 +39,7 @@ after 100
 send -- "firejail --profile=nice.profile\r"
 expect {
         timeout {puts "TESTING ERROR 10\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
@@ -70,7 +70,7 @@ after 100
 send -- "firejail --nice=-5\r"
 expect {
         timeout {puts "TESTING ERROR 17\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
diff --git a/test/environment/output.exp b/test/environment/output.exp
index dd03001d7..2b9594b61 100755
--- a/test/environment/output.exp
+++ b/test/environment/output.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/environment/output.sh b/test/environment/output.sh
index edf7dc4cb..329cb40c7 100755
--- a/test/environment/output.sh
+++ b/test/environment/output.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 i="0"
diff --git a/test/environment/quiet.exp b/test/environment/quiet.exp
index 510491738..b1b3b0173 100755
--- a/test/environment/quiet.exp
+++ b/test/environment/quiet.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 4
diff --git a/test/environment/rlimit-bad-profile.exp b/test/environment/rlimit-bad-profile.exp
index b838f83f4..627cc860f 100755
--- a/test/environment/rlimit-bad-profile.exp
+++ b/test/environment/rlimit-bad-profile.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -11,7 +11,7 @@ match_max 100000
 send -- "firejail --profile=rlimit-bad1.profile\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "invalid rlimit"
+        "invalid rlimit-fsize in profile file. Only use positive numbers and k, m or g suffix."
 }
 after 100
 
diff --git a/test/environment/rlimit-bad.exp b/test/environment/rlimit-bad.exp
index 3a82ded9b..24df1874c 100755
--- a/test/environment/rlimit-bad.exp
+++ b/test/environment/rlimit-bad.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -10,7 +10,7 @@ match_max 100000
 send -- "firejail --rlimit-fsize=-1024\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "invalid rlimit"
+        "invalid rlimit-fsize. Only use positive numbers and k, m or g suffix."
 }
 after 100
 
diff --git a/test/environment/rlimit-join.exp b/test/environment/rlimit-join.exp
new file mode 100755
index 000000000..9e7161241
--- /dev/null
+++ b/test/environment/rlimit-join.exp
@@ -0,0 +1,40 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2022 Firejail Authors
+# License GPL v2
+
+set timeout 10
+cd /home
+spawn $env(SHELL)
+match_max 100000
+
+send --  "firejail --noprofile --name=\"rlimit testing\"\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+sleep 1
+
+spawn $env(SHELL)
+send --  "firejail --rlimit-nofile=1234 --join=\"rlimit testing\"\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Switching to pid"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+sleep 1
+
+send -- "cat /proc/self/limits\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "Max open files            1234                 1234"
+}
+after 100
+
+send -- "exit\r"
+after 100
+
+puts "\nall done\n"
diff --git a/test/environment/rlimit-profile.exp b/test/environment/rlimit-profile.exp
index 4071675ee..762f70ba9 100755
--- a/test/environment/rlimit-profile.exp
+++ b/test/environment/rlimit-profile.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -11,7 +11,7 @@ match_max 100000
 send -- "firejail --profile=rlimit.profile\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
diff --git a/test/environment/rlimit.exp b/test/environment/rlimit.exp
index 6fcb554a7..acc87277b 100755
--- a/test/environment/rlimit.exp
+++ b/test/environment/rlimit.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -11,7 +11,7 @@ match_max 100000
 send -- "firejail --rlimit-fsize=1024 --rlimit-nproc=1000 --rlimit-nofile=500 --rlimit-sigpending=200 --rlimit-as=1234567890\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
diff --git a/test/environment/shell-none.exp b/test/environment/shell-none.exp
index 507225326..512e2efc2 100755
--- a/test/environment/shell-none.exp
+++ b/test/environment/shell-none.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -24,7 +24,7 @@ after 100
 send -- "firejail  --shell=none ls\r"
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 expect {
         timeout {puts "TESTING ERROR 3\n";exit}
@@ -35,7 +35,7 @@ after 100
 send -- "firejail  --profile=shell-none.profile ls\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 expect {
         timeout {puts "TESTING ERROR 5\n";exit}
diff --git a/test/environment/sound.exp b/test/environment/sound.exp
index e5fa27e77..7ee1c74d7 100755
--- a/test/environment/sound.exp
+++ b/test/environment/sound.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 
@@ -11,7 +11,7 @@ match_max 100000
 send -- "firejail --nosound speaker-test\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
@@ -22,7 +22,7 @@ sleep 2
 send -- "firejail --nosound aplay -l\r"
 expect {
         timeout {puts "TESTING ERROR 3\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
@@ -39,7 +39,7 @@ sleep 2
 send -- "firejail --profile=sound.profile speaker-test\r"
 expect {
         timeout {puts "TESTING ERROR 11\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 expect {
         timeout {puts "TESTING ERROR 12\n";exit}
@@ -50,7 +50,7 @@ sleep 2
 send -- "firejail --profile=sound.profile aplay -l\r"
 expect {
         timeout {puts "TESTING ERROR 13\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 expect {
         timeout {puts "TESTING ERROR 14\n";exit}
@@ -67,7 +67,7 @@ sleep 2
 send -- "firejail aplay -l\r"
 expect {
         timeout {puts "TESTING ERROR 23\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 expect {
         timeout {puts "TESTING ERROR 24\n";exit}
diff --git a/test/environment/timeout.exp b/test/environment/timeout.exp
index ea0dd67b7..b38881c81 100755
--- a/test/environment/timeout.exp
+++ b/test/environment/timeout.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -10,7 +10,7 @@ match_max 100000
 send -- "time firejail --timeout=00:00:05\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
diff --git a/test/environment/umask.exp b/test/environment/umask.exp
index e1f520fcd..46bd80a92 100755
--- a/test/environment/umask.exp
+++ b/test/environment/umask.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -10,7 +10,7 @@ match_max 100000
 send -- "firejail --noprofile\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
diff --git a/test/environment/zsh.exp b/test/environment/zsh.exp
index a750ac55c..9f871ea54 100755
--- a/test/environment/zsh.exp
+++ b/test/environment/zsh.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -11,7 +11,7 @@ match_max 100000
 send -- "firejail --private --shell=/bin/zsh\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
diff --git a/test/fcopy/cmdline.exp b/test/fcopy/cmdline.exp
index 00e44e489..91f18c332 100755
--- a/test/fcopy/cmdline.exp
+++ b/test/fcopy/cmdline.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -32,14 +32,22 @@ after 100
 send -- "fcopy f%oo1 foo2\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "invalid source file name"
+        "Error:"
+}
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "is an invalid filename"
 }
 after 100
 
 send -- "fcopy foo1 f,oo2\r"
 expect {
-        timeout {puts "TESTING ERROR 5\n";exit}
-        "invalid dest file name"
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "Error:"
+}
+expect {
+        timeout {puts "TESTING ERROR 7\n";exit}
+        "is an invalid filename"
 }
 after 100
 
diff --git a/test/fcopy/dircopy.exp b/test/fcopy/dircopy.exp
index 633d12d08..a779f80cd 100755
--- a/test/fcopy/dircopy.exp
+++ b/test/fcopy/dircopy.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 #
@@ -12,9 +12,21 @@ match_max 100000
 
 send -- "rm -fr dest/*\r"
 after 100
+send -- "cd src\r"
+after 100
+send -- "ln -s ../dircopy.exp dircopy.exp\r"
+after 100
+send -- "cd ..\r"
+after 100
 
 send -- "fcopy src dest\r"
 after 100
+send -- "cd src\r"
+after 100
+send -- "ln -s ../dircopy.exp dircopy.exp\r"
+after 100
+send -- "cd ..\r"
+after 100
 
 send -- "find dest\r"
 expect {
@@ -135,5 +147,7 @@ expect {
 
 send -- "rm -fr dest/*\r"
 after 100
+send -- "rm -f src/dircopy.exp\r"
+after 100
 
 puts "\nall done\n"
diff --git a/test/fcopy/fcopy.sh b/test/fcopy/fcopy.sh
index 822f6a9cd..fca599889 100755
--- a/test/fcopy/fcopy.sh
+++ b/test/fcopy/fcopy.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 export MALLOC_CHECK_=3
@@ -19,13 +19,14 @@ mkdir dest
 echo "TESTING: fcopy cmdline (test/fcopy/cmdline.exp)"
 ./cmdline.exp
 
-echo "TESTING: fcopy directory (test/fcopy/dircopy.exp)"
-./dircopy.exp
-
 echo "TESTING: fcopy file (test/fcopy/filecopy.exp)"
 ./filecopy.exp
 
 echo "TESTING: fcopy link (test/fcopy/linkcopy.exp)"
 ./linkcopy.exp
 
+echo "TESTING: fcopy directory (test/fcopy/dircopy.exp)"
+./dircopy.exp
+
 rm -fr dest/*
+rm -f src/dircopy.exp
\ No newline at end of file
diff --git a/test/fcopy/filecopy.exp b/test/fcopy/filecopy.exp
index fb911e222..155c1ce31 100755
--- a/test/fcopy/filecopy.exp
+++ b/test/fcopy/filecopy.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 #
diff --git a/test/fcopy/linkcopy.exp b/test/fcopy/linkcopy.exp
index dbc33c6a7..7c085e552 100755
--- a/test/fcopy/linkcopy.exp
+++ b/test/fcopy/linkcopy.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 #
@@ -12,6 +12,12 @@ match_max 100000
 
 send -- "rm -fr dest/*\r"
 after 100
+send -- "cd src\r"
+after 100
+send -- "ln -s ../dircopy.exp dircopy.exp\r"
+after 100
+send -- "cd ..\r"
+after 100
 
 send -- "fcopy src/dircopy.exp dest\r"
 after 100
@@ -19,7 +25,7 @@ after 100
 send -- "find dest\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "dest/"
+        "dest"
 }
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
@@ -27,11 +33,11 @@ expect {
 }
 after 100
 
-
 send -- "ls -al dest\r"
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
-        "lrwxrwxrwx"
+        "rwxr-xr-x" { puts "umask 0022\n" }
+        "rwxrwxr-x" { puts "umask 0002\n" }
 }
 after 100
 send -- "stty -echo\r"
@@ -52,5 +58,7 @@ expect {
 
 send -- "rm -fr dest/*\r"
 after 100
+send -- "rm -f src/dircopy.exp\r"
+after 100
 
 puts "\nall done\n"
diff --git a/test/fcopy/src/dircopy.exp b/test/fcopy/src/dircopy.exp
deleted file mode 120000
index 2acf88f7b..000000000
--- a/test/fcopy/src/dircopy.exp
+++ /dev/null
@@ -1 +0,0 @@
-../dircopy.exp
\ No newline at end of file
diff --git a/test/features/1.1.exp b/test/features/1.1.exp
index fe1e0f132..916a610a6 100755
--- a/test/features/1.1.exp
+++ b/test/features/1.1.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 #
 # disable /boot
@@ -18,7 +18,7 @@ set chroot [lindex $argv 1]
 send -- "firejail --noprofile\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
@@ -40,7 +40,7 @@ if { $overlay == "overlay" } {
         expect {
                 timeout {puts "TESTING ERROR 2\n";exit}
                 "overlay option is not available" {puts "grsecurity\n"; exit}
-                "Child process initialized" {puts "normal system\n"}
+                -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "normal system\n"}
         }
         sleep 1
 
@@ -61,7 +61,7 @@ if { $chroot == "chroot" } {
         send -- "firejail --noprofile --chroot=/tmp/chroot\r"
         expect {
                 timeout {puts "TESTING ERROR 4\n";exit}
-                "Child process initialized"
+                -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
         }
         sleep 1
 
diff --git a/test/features/1.10.exp b/test/features/1.10.exp
index 5dd03ecef..53279f71e 100755
--- a/test/features/1.10.exp
+++ b/test/features/1.10.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 #
 # disable /selinux
@@ -18,7 +18,7 @@ set chroot [lindex $argv 1]
 send -- "firejail --noprofile\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
@@ -41,7 +41,7 @@ if { $overlay == "overlay" } {
         expect {
                 timeout {puts "TESTING ERROR 2\n";exit}
                 "overlay option is not available" {puts "grsecurity\n"; exit}
-                "Child process initialized" {puts "normal system\n"}
+                -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "normal system\n"}
         }
         sleep 1
 
@@ -63,7 +63,7 @@ if { $chroot == "chroot" } {
         send -- "firejail --noprofile --chroot=/tmp/chroot\r"
         expect {
                 timeout {puts "TESTING ERROR 4\n";exit}
-                "Child process initialized"
+                -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
         }
         sleep 1
 
diff --git a/test/features/1.2.exp b/test/features/1.2.exp
index f7a55b445..3043f0104 100755
--- a/test/features/1.2.exp
+++ b/test/features/1.2.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 #
 # new /proc
@@ -18,7 +18,7 @@ set chroot [lindex $argv 1]
 send -- "firejail --noprofile\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
@@ -64,7 +64,7 @@ if { $overlay == "overlay" } {
         expect {
                 timeout {puts "TESTING ERROR 2\n";exit}
                 "overlay option is not available" {puts "grsecurity\n"; exit}
-                "Child process initialized" {puts "normal system\n"}
+                -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "normal system\n"}
         }
         sleep 1
 
@@ -105,7 +105,7 @@ if { $chroot == "chroot" } {
         send -- "firejail --noprofile --chroot=/tmp/chroot\r"
         expect {
                 timeout {puts "TESTING ERROR 4\n";exit}
-                "Child process initialized"
+                -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
         }
         sleep 1
 
diff --git a/test/features/1.4.exp b/test/features/1.4.exp
index 66a8c1175..b7e8246a2 100755
--- a/test/features/1.4.exp
+++ b/test/features/1.4.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 #
 # mask other users
@@ -18,7 +18,7 @@ set chroot [lindex $argv 1]
 send -- "firejail --noprofile\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
@@ -53,7 +53,7 @@ if { $overlay == "overlay" } {
         expect {
                 timeout {puts "TESTING ERROR 2\n";exit}
                 "overlay option is not available" {puts "grsecurity\n"; exit}
-                "Child process initialized" {puts "normal system\n"}
+                -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "normal system\n"}
         }
         sleep 1
 
@@ -86,7 +86,7 @@ if { $chroot == "chroot" } {
         send -- "firejail --noprofile --chroot=/tmp/chroot\r"
         expect {
                 timeout {puts "TESTING ERROR 4\n";exit}
-                "Child process initialized"
+                -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
         }
         sleep 1
 
diff --git a/test/features/1.5.exp b/test/features/1.5.exp
index ba0aea220..cce8f490f 100755
--- a/test/features/1.5.exp
+++ b/test/features/1.5.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 #
 # PID namespace
@@ -18,7 +18,7 @@ set chroot [lindex $argv 1]
 send -- "firejail --noprofile\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
@@ -40,7 +40,7 @@ if { $overlay == "overlay" } {
         expect {
                 timeout {puts "TESTING ERROR 2\n";exit}
                 "overlay option is not available" {puts "grsecurity\n"; exit}
-                "Child process initialized" {puts "normal system\n"}
+                -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "normal system\n"}
         }
         sleep 1
 
@@ -61,7 +61,7 @@ if { $chroot == "chroot" } {
         send -- "firejail --noprofile --chroot=/tmp/chroot\r"
         expect {
                 timeout {puts "TESTING ERROR 4\n";exit}
-                "Child process initialized"
+                -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
         }
         sleep 1
 
diff --git a/test/features/1.6.exp b/test/features/1.6.exp
index 89fa29de0..81da44c64 100755
--- a/test/features/1.6.exp
+++ b/test/features/1.6.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 #
 # new /var/log
@@ -18,7 +18,7 @@ set chroot [lindex $argv 1]
 send -- "firejail --noprofile\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
@@ -40,7 +40,7 @@ if { $overlay == "overlay" } {
         expect {
                 timeout {puts "TESTING ERROR 2\n";exit}
                 "overlay option is not available" {puts "grsecurity\n"; exit}
-                "Child process initialized" {puts "normal system\n"}
+                -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "normal system\n"}
         }
         sleep 1
 
@@ -61,7 +61,7 @@ if { $chroot == "chroot" } {
         send -- "firejail --noprofile --chroot=/tmp/chroot\r"
         expect {
                 timeout {puts "TESTING ERROR 4\n";exit}
-                "Child process initialized"
+                -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
         }
         sleep 1
 
diff --git a/test/features/1.7.exp b/test/features/1.7.exp
index 3e9c0908f..a84b723de 100755
--- a/test/features/1.7.exp
+++ b/test/features/1.7.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 #
 # new /var/tmp
@@ -20,7 +20,7 @@ sleep 1
 send -- "firejail --noprofile\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
@@ -42,7 +42,7 @@ if { $overlay == "overlay" } {
         expect {
                 timeout {puts "TESTING ERROR 2\n";exit}
                 "overlay option is not available" {puts "grsecurity\n"; exit}
-                "Child process initialized" {puts "normal system\n"}
+                -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "normal system\n"}
         }
         sleep 1
 
@@ -63,7 +63,7 @@ if { $chroot == "chroot" } {
         send -- "firejail --noprofile --chroot=/tmp/chroot\r"
         expect {
                 timeout {puts "TESTING ERROR 4\n";exit}
-                "Child process initialized"
+                -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
         }
         sleep 1
 
diff --git a/test/features/1.8.exp b/test/features/1.8.exp
index 15936c2fb..5f7b0cdbc 100755
--- a/test/features/1.8.exp
+++ b/test/features/1.8.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 #
 # disable /etc/firejail and ~/.config/firejail
@@ -19,7 +19,7 @@ sleep 1
 send -- "firejail --noprofile\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
@@ -71,7 +71,7 @@ if { $overlay == "overlay" } {
         expect {
                 timeout {puts "TESTING ERROR 2\n";exit}
                 "overlay option is not available" {puts "grsecurity\n"; exit}
-                "Child process initialized" {puts "normal system\n"}
+                -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "normal system\n"}
         }
         sleep 1
         send -- "ls ~/.config/firejail\r"
@@ -122,7 +122,7 @@ if { $chroot == "chroot" } {
         send -- "firejail --noprofile --chroot=/tmp/chroot\r"
         expect {
                 timeout {puts "TESTING ERROR 4\n";exit}
-                "Child process initialized"
+                -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
         }
         sleep 1
         send -- "ls ~/.config/firejail\r"
diff --git a/test/features/2.1.exp b/test/features/2.1.exp
index 6e741a1c2..b56cbc135 100755
--- a/test/features/2.1.exp
+++ b/test/features/2.1.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 #
 # hostname
@@ -18,7 +18,7 @@ set chroot [lindex $argv 1]
 send -- "firejail --noprofile --hostname=bingo\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
@@ -56,7 +56,7 @@ if { $overlay == "overlay" } {
         expect {
                 timeout {puts "TESTING ERROR 2\n";exit}
                 "overlay option is not available" {puts "grsecurity\n"; exit}
-                "Child process initialized" {puts "normal system\n"}
+                -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "normal system\n"}
         }
         sleep 1
 
@@ -93,7 +93,7 @@ if { $chroot == "chroot" } {
         send -- "firejail --noprofile --hostname=bingo --chroot=/tmp/chroot\r"
         expect {
                 timeout {puts "TESTING ERROR 4\n";exit}
-                "Child process initialized"
+                -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
         }
         sleep 1
 
diff --git a/test/features/2.2.exp b/test/features/2.2.exp
index 3f30d0bad..378bd529a 100755
--- a/test/features/2.2.exp
+++ b/test/features/2.2.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 #
 # DNS
@@ -18,7 +18,7 @@ set chroot [lindex $argv 1]
 send -- "firejail --noprofile --dns=4.2.2.1\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
@@ -48,7 +48,7 @@ if { $overlay == "overlay" } {
         expect {
                 timeout {puts "TESTING ERROR 2\n";exit}
                 "overlay option is not available" {puts "grsecurity\n"; exit}
-                "Child process initialized" {puts "normal system\n"}
+                -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "normal system\n"}
         }
         sleep 1
 
@@ -77,7 +77,7 @@ if { $chroot == "chroot" } {
         send -- "firejail --noprofile --dns=4.2.2.1 --chroot=/tmp/chroot\r"
         expect {
                 timeout {puts "TESTING ERROR 4\n";exit}
-                "Child process initialized"
+                -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
         }
         sleep 1
 
diff --git a/test/features/2.3.exp b/test/features/2.3.exp
index 6c520fdba..5a188ccc3 100755
--- a/test/features/2.3.exp
+++ b/test/features/2.3.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 #
 # mac-vlan
@@ -18,7 +18,7 @@ set chroot [lindex $argv 1]
 send -- "firejail --noprofile --net=eth0 --dns=8.8.8.8 --dns=8.8.4.4\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
@@ -62,7 +62,7 @@ sleep 3
 send -- "firejail --noprofile --net=eth0 --ip=192.168.1.244 --dns=8.8.8.8 --dns=8.8.4.4\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
@@ -111,7 +111,7 @@ if { $overlay == "overlay" } {
         expect {
                 timeout {puts "TESTING ERROR 2\n";exit}
                 "overlay option is not available" {puts "grsecurity\n"; exit}
-                "Child process initialized" {puts "normal system\n"}
+                -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "normal system\n"}
         }
         sleep 1
 
@@ -155,7 +155,7 @@ if { $overlay == "overlay" } {
         send -- "firejail --noprofile  --net=eth0 --ip=192.168.1.244 --overlay --dns=8.8.8.8 --dns=8.8.4.4\r"
         expect {
                 timeout {puts "TESTING ERROR 2\n";exit}
-                "Child process initialized"
+                -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
         }
         sleep 1
 
@@ -205,7 +205,7 @@ if { $chroot == "chroot" } {
         send -- "firejail --noprofile --net=eth0 --chroot=/tmp/chroot --dns=8.8.8.8 --dns=8.8.4.4\r"
         expect {
                 timeout {puts "TESTING ERROR 4\n";exit}
-                "Child process initialized"
+                -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
         }
         sleep 1
 
@@ -249,7 +249,7 @@ if { $chroot == "chroot" } {
         send -- "firejail --noprofile --net=eth0 --ip=192.168.1.244 --chroot=/tmp/chroot --dns=8.8.8.8 --dns=8.8.4.4\r"
         expect {
                 timeout {puts "TESTING ERROR 4\n";exit}
-                "Child process initialized"
+                -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
         }
         sleep 1
 
diff --git a/test/features/2.4.exp b/test/features/2.4.exp
index 74b7881f0..15159c9b7 100755
--- a/test/features/2.4.exp
+++ b/test/features/2.4.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 #
 # bridge
@@ -19,7 +19,7 @@ set chroot [lindex $argv 1]
 send -- "firejail --noprofile --net=br0\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
@@ -56,7 +56,7 @@ sleep 1
 send -- "firejail --noprofile --net=br0 --ip=10.10.20.4\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
@@ -99,7 +99,7 @@ if { $overlay == "overlay" } {
         expect {
                 timeout {puts "TESTING ERROR 2\n";exit}
                 "overlay option is not available" {puts "grsecurity\n"; exit}
-                "Child process initialized" {puts "normal system\n"}
+                -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "normal system\n"}
         }
         sleep 1
 
@@ -136,7 +136,7 @@ if { $overlay == "overlay" } {
         send -- "firejail --noprofile  --net=br0 --ip=10.10.20.4 --overlay\r"
         expect {
                 timeout {puts "TESTING ERROR 2\n";exit}
-                "Child process initialized"
+                -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
         }
         sleep 1
 
@@ -179,7 +179,7 @@ if { $chroot == "chroot" } {
         send -- "firejail --noprofile --net=br0 --chroot=/tmp/chroot\r"
         expect {
                 timeout {puts "TESTING ERROR 4\n";exit}
-                "Child process initialized"
+                -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
         }
         sleep 1
 
@@ -208,7 +208,7 @@ if { $chroot == "chroot" } {
         send -- "firejail --noprofile --net=br0 --ip=10.10.20.4 --chroot=/tmp/chroot\r"
         expect {
                 timeout {puts "TESTING ERROR 4\n";exit}
-                "Child process initialized"
+                -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
         }
         sleep 1
 
diff --git a/test/features/2.5.exp b/test/features/2.5.exp
index bc3e44e8f..2995d34f7 100755
--- a/test/features/2.5.exp
+++ b/test/features/2.5.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 #
 # interface
@@ -18,7 +18,7 @@ set chroot [lindex $argv 1]
 send -- "firejail --noprofile --interface=eth0.5\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
@@ -51,7 +51,7 @@ if { $overlay == "overlay" } {
         expect {
                 timeout {puts "TESTING ERROR 2\n";exit}
                 "overlay option is not available" {puts "grsecurity\n"; exit}
-                "Child process initialized" {puts "normal system\n"}
+                -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "normal system\n"}
         }
         sleep 1
 
@@ -84,7 +84,7 @@ if { $chroot == "chroot" } {
         send -- "firejail --noprofile --chroot=/tmp/chroot --interface=eth0.7\r"
         expect {
                 timeout {puts "TESTING ERROR 4\n";exit}
-                "Child process initialized"
+                -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
         }
         sleep 1
 
diff --git a/test/features/2.6.exp b/test/features/2.6.exp
index 7c763e6f1..e8cd780ee 100755
--- a/test/features/2.6.exp
+++ b/test/features/2.6.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 #
 # default gateway
@@ -18,7 +18,7 @@ set chroot [lindex $argv 1]
 send -- "firejail --noprofile --net=eth0 --defaultgw=192.168.1.10 --protocol=unix,inet,netlink\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
@@ -39,7 +39,7 @@ if { $overlay == "overlay" } {
         expect {
                 timeout {puts "TESTING ERROR 2\n";exit}
                 "overlay option is not available" {puts "grsecurity\n"; exit}
-                "Child process initialized" {puts "normal system\n"}
+                -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "normal system\n"}
         }
         sleep 1
 
@@ -60,7 +60,7 @@ if { $chroot == "chroot" } {
         send -- "firejail --noprofile --chroot=/tmp/chroot --net=eth0 --defaultgw=192.168.1.10 --protocol=unix,inet,netlink\r"
         expect {
                 timeout {puts "TESTING ERROR 4\n";exit}
-                "Child process initialized"
+                -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
         }
         sleep 1
 
diff --git a/test/features/3.1.exp b/test/features/3.1.exp
index 6ba56517a..95d1d609b 100755
--- a/test/features/3.1.exp
+++ b/test/features/3.1.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 #
 # private
@@ -18,7 +18,7 @@ set chroot [lindex $argv 1]
 send -- "firejail --noprofile --private\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
@@ -70,7 +70,7 @@ if { $overlay == "overlay" } {
         expect {
                 timeout {puts "TESTING ERROR 2\n";exit}
                 "overlay option is not available" {puts "grsecurity\n"; exit}
-                "Child process initialized" {puts "normal system\n"}
+                -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "normal system\n"}
         }
         sleep 1
 
@@ -120,7 +120,7 @@ if { $chroot == "chroot" } {
         send -- "firejail --noprofile --chroot=/tmp/chroot --private\r"
         expect {
                 timeout {puts "TESTING ERROR 4\n";exit}
-                "Child process initialized"
+                -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
         }
         sleep 1
 
diff --git a/test/features/3.10.exp b/test/features/3.10.exp
index 4797c765b..5d4414f40 100755
--- a/test/features/3.10.exp
+++ b/test/features/3.10.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 #
 # whitelist tmp
@@ -22,7 +22,7 @@ sleep 1
 send -- "firejail --noprofile --whitelist=/tmp/test1dir\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
@@ -78,7 +78,7 @@ if { $overlay == "overlay" } {
         expect {
                 timeout {puts "TESTING ERROR 2\n";exit}
                 "overlay option is not available" {puts "grsecurity\n"; exit}
-                "Child process initialized" {puts "normal system\n"}
+                -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "normal system\n"}
         }
         sleep 1
 
@@ -136,7 +136,7 @@ if { $chroot == "chroot" } {
         send -- "firejail --noprofile --chroot=/tmp/chroot  --whitelist=/tmp/test1dir\r"
         expect {
                 timeout {puts "TESTING ERROR 4\n";exit}
-                "Child process initialized"
+                -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
         }
         sleep 1
 
diff --git a/test/features/3.11.exp b/test/features/3.11.exp
index b26d7b888..8287f9dbf 100755
--- a/test/features/3.11.exp
+++ b/test/features/3.11.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 #
 # mkdir
@@ -21,7 +21,7 @@ sleep 1
 send -- "firejail --profile=3.11.profile\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
@@ -73,7 +73,7 @@ if { $overlay == "overlay" } {
         expect {
                 timeout {puts "TESTING ERROR 10\n";exit}
                 "overlay option is not available" {puts "grsecurity\n"; exit}
-                "Child process initialized" {puts "normal system\n"}
+                -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "normal system\n"}
         }
         sleep 1
 
@@ -127,7 +127,7 @@ if { $chroot == "chroot" } {
         send -- "firejail --profile=3.11.profile\r"
         expect {
                 timeout {puts "TESTING ERROR 20\n";exit}
-                "Child process initialized"
+                -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
         }
         sleep 1
 
diff --git a/test/features/3.2.exp b/test/features/3.2.exp
index df73b9786..9af0513ea 100755
--- a/test/features/3.2.exp
+++ b/test/features/3.2.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 #
 # read-only
@@ -20,7 +20,7 @@ sleep 1
 send -- "firejail --noprofile --read-only=/home/netblue/.config\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
@@ -41,7 +41,7 @@ if { $overlay == "overlay" } {
         expect {
                 timeout {puts "TESTING ERROR 2\n";exit}
                 "overlay option is not available" {puts "grsecurity\n"; exit}
-                "Child process initialized" {puts "normal system\n"}
+                -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "normal system\n"}
         }
         sleep 1
 
@@ -64,7 +64,7 @@ if { $chroot == "chroot" } {
         send -- "firejail --noprofile --chroot=/tmp/chroot --read-only=/home/netblue/.config\r"
         expect {
                 timeout {puts "TESTING ERROR 4\n";exit}
-                "Child process initialized"
+                -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
         }
         sleep 1
 
diff --git a/test/features/3.3.exp b/test/features/3.3.exp
index 499718dbd..71b6f70db 100755
--- a/test/features/3.3.exp
+++ b/test/features/3.3.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 #
 # blacklist
@@ -18,7 +18,7 @@ set chroot [lindex $argv 1]
 send -- "firejail --noprofile --blacklist=/home/netblue/.config\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
@@ -40,7 +40,7 @@ if { $overlay == "overlay" } {
         expect {
                 timeout {puts "TESTING ERROR 2\n";exit}
                 "overlay option is not available" {puts "grsecurity\n"; exit}
-                "Child process initialized" {puts "normal system\n"}
+                -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "normal system\n"}
         }
         sleep 1
 
@@ -61,7 +61,7 @@ if { $chroot == "chroot" } {
         send -- "firejail --noprofile --chroot=/tmp/chroot --blacklist=/home/netblue/.config\r"
         expect {
                 timeout {puts "TESTING ERROR 4\n";exit}
-                "Child process initialized"
+                -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
         }
         sleep 1
 
diff --git a/test/features/3.4.exp b/test/features/3.4.exp
index e59ff8a38..d3f894da2 100755
--- a/test/features/3.4.exp
+++ b/test/features/3.4.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 #
 # whitelist home
@@ -18,7 +18,7 @@ set chroot [lindex $argv 1]
 send -- "firejail --noprofile --whitelist=/home/netblue/.config\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
@@ -83,7 +83,7 @@ if { $overlay == "overlay" } {
         expect {
                 timeout {puts "TESTING ERROR 2\n";exit}
                 "overlay option is not available" {puts "grsecurity\n"; exit}
-                "Child process initialized" {puts "normal system\n"}
+                -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "normal system\n"}
         }
         sleep 1
 
@@ -147,7 +147,7 @@ if { $chroot == "chroot" } {
         send -- "firejail --noprofile --chroot=/tmp/chroot --whitelist=/home/netblue/.config\r"
         expect {
                 timeout {puts "TESTING ERROR 4\n";exit}
-                "Child process initialized"
+                -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
         }
         sleep 1
 
diff --git a/test/features/3.5.exp b/test/features/3.5.exp
index 8c37aebb3..c19680d41 100755
--- a/test/features/3.5.exp
+++ b/test/features/3.5.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 #
 # private-dev
@@ -18,7 +18,7 @@ set chroot [lindex $argv 1]
 send -- "firejail --noprofile --private-dev\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
@@ -41,7 +41,7 @@ if { $overlay == "overlay" } {
         expect {
                 timeout {puts "TESTING ERROR 2\n";exit}
                 "overlay option is not available" {puts "grsecurity\n"; exit}
-                "Child process initialized" {puts "normal system\n"}
+                -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "normal system\n"}
         }
         sleep 1
 
@@ -64,7 +64,7 @@ if { $chroot == "chroot" } {
         send -- "firejail --noprofile --chroot=/tmp/chroot --private-dev\r"
         expect {
                 timeout {puts "TESTING ERROR 4\n";exit}
-                "Child process initialized"
+                -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
         }
         sleep 1
 
diff --git a/test/features/3.6.exp b/test/features/3.6.exp
index 0149a04cd..31978e764 100755
--- a/test/features/3.6.exp
+++ b/test/features/3.6.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 #
 # private-etc
@@ -18,7 +18,7 @@ set chroot [lindex $argv 1]
 send -- "firejail --noprofile --private-etc=group,hostname,hosts,nsswitch.conf,passwd,resolv.conf,skel\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
@@ -40,7 +40,7 @@ if { $overlay == "overlay" } {
         expect {
                 timeout {puts "TESTING ERROR 2\n";exit}
                 "overlay option is not available" {puts "grsecurity\n"; exit}
-                "Child process initialized" {puts "normal system\n"}
+                -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "normal system\n"}
         }
         sleep 1
 
@@ -68,7 +68,7 @@ if { $chroot == "chroot" } {
         expect {
                 timeout {puts "TESTING ERROR 5\n";exit}
                 "chroot option is not available" {puts "grsecurity\n"; exit}
-                "Child process initialized"
+                -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
         }
         sleep 1
 
diff --git a/test/features/3.7.exp b/test/features/3.7.exp
index 9d3e7265c..4a0cb0d79 100755
--- a/test/features/3.7.exp
+++ b/test/features/3.7.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 #
 # private-tmp
@@ -22,7 +22,7 @@ sleep 1
 send -- "firejail --noprofile --private-tmp\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
@@ -49,7 +49,7 @@ if { $overlay == "overlay" } {
         expect {
                 timeout {puts "TESTING ERROR 2\n";exit}
                 "overlay option is not available" {puts "grsecurity\n"; exit}
-                "Child process initialized" {puts "normal system\n"}
+                -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "normal system\n"}
         }
         sleep 1
 
@@ -76,7 +76,7 @@ if { $chroot == "chroot" } {
         send -- "firejail --noprofile --chroot=/tmp/chroot --private-tmp\r"
         expect {
                 timeout {puts "TESTING ERROR 4\n";exit}
-                "Child process initialized"
+                -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
         }
         sleep 1
 
diff --git a/test/features/3.8.exp b/test/features/3.8.exp
index 5546ef15b..0a53599a9 100755
--- a/test/features/3.8.exp
+++ b/test/features/3.8.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 #
 # private-bin
@@ -18,7 +18,7 @@ set chroot [lindex $argv 1]
 send -- "firejail --noprofile --private-bin=bash,cat,cp,ls,wc\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
@@ -41,7 +41,7 @@ if { $overlay == "overlay" } {
         expect {
                 timeout {puts "TESTING ERROR 2\n";exit}
                 "overlay option is not available" {puts "grsecurity\n"; exit}
-                "Child process initialized" {puts "normal system\n"}
+                -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "normal system\n"}
         }
         sleep 1
 
@@ -68,7 +68,7 @@ if { $chroot == "chroot" } {
         }
         expect {
                 timeout {puts "TESTING ERROR 5\n";exit}
-                "Child process initialized"
+                -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
         }
         sleep 1
 
diff --git a/test/features/3.9.exp b/test/features/3.9.exp
index 6029160a6..7d843e7cc 100755
--- a/test/features/3.9.exp
+++ b/test/features/3.9.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 #
 # whitelist dev
@@ -18,7 +18,7 @@ set chroot [lindex $argv 1]
 send -- "firejail --noprofile --whitelist=/dev/tty --whitelist=/dev/null\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
@@ -42,7 +42,7 @@ if { $overlay == "overlay" } {
         expect {
                 timeout {puts "TESTING ERROR 2\n";exit}
                 "overlay option is not available" {puts "grsecurity\n"; exit}
-                "Child process initialized" {puts "normal system\n"}
+                -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "normal system\n"}
         }
         sleep 1
 
@@ -65,7 +65,7 @@ if { $chroot == "chroot" } {
         send -- "firejail --noprofile --chroot=/tmp/chroot --whitelist=/dev/tty --whitelist=/dev/null\r"
         expect {
                 timeout {puts "TESTING ERROR 4\n";exit}
-                "Child process initialized"
+                -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
         }
         sleep 1
 
diff --git a/test/features/test.sh b/test/features/test.sh
index 392e6c159..b507c6d37 100755
--- a/test/features/test.sh
+++ b/test/features/test.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 export LC_ALL=C
diff --git a/test/filters/apparmor.exp b/test/filters/apparmor.exp
index f20326fe0..13ce4dd06 100755
--- a/test/filters/apparmor.exp
+++ b/test/filters/apparmor.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -10,7 +10,7 @@ match_max 100000
 send --  "firejail --name=test1 --apparmor\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
@@ -18,7 +18,7 @@ spawn $env(SHELL)
 send --  "firejail --name=test2 --apparmor\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
diff --git a/test/filters/caps-join.exp b/test/filters/caps-join.exp
index 4f3a2832d..921d6b695 100755
--- a/test/filters/caps-join.exp
+++ b/test/filters/caps-join.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -20,7 +20,7 @@ set spawn_id $id1
 send --  "firejail --name=jointesting\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
@@ -44,7 +44,7 @@ set spawn_id $id1
 send --  "firejail --name=jointesting --noprofile\r"
 expect {
         timeout {puts "TESTING ERROR 10\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
@@ -76,7 +76,7 @@ set spawn_id $id1
 send --  "firejail --name=jointesting --noprofile --caps.keep=chown,fowner\r"
 expect {
         timeout {puts "TESTING ERROR20\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
diff --git a/test/filters/caps-print.exp b/test/filters/caps-print.exp
index e8465aee1..f4f2fc7ca 100755
--- a/test/filters/caps-print.exp
+++ b/test/filters/caps-print.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -42,7 +42,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 8\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
diff --git a/test/filters/caps.exp b/test/filters/caps.exp
index 8776e83d4..29437beea 100755
--- a/test/filters/caps.exp
+++ b/test/filters/caps.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -10,7 +10,7 @@ match_max 100000
 send -- "firejail --caps.keep=chown,fowner --noprofile\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 after 100
 
@@ -29,7 +29,7 @@ sleep 1
 send -- "firejail --caps.drop=all --noprofile\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 after 100
 
@@ -48,7 +48,7 @@ sleep 1
 send -- "firejail --caps.drop=chown,dac_override,dac_read_search,fowner --noprofile\r"
 expect {
         timeout {puts "TESTING ERROR 7\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 after 100
 
@@ -81,7 +81,7 @@ expect {
 expect {
         timeout {puts "TESTING ERROR 13\n";exit}
         "Drop CAP_" {puts "TESTING ERROR 14\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 after 100
 send -- "exit\r"
@@ -93,7 +93,7 @@ sleep 1
 #send -- "firejail --profile=caps2.profile\r"
 #expect {
 #       timeout {puts "TESTING ERROR 15\n";exit}
-#       "Child process initialized"
+#       -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 #}
 #after 100
 #
@@ -113,7 +113,7 @@ sleep 1
 send -- "firejail --profile=caps3.profile\r"
 expect {
         timeout {puts "TESTING ERROR 18\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 after 100
 
diff --git a/test/filters/debug.exp b/test/filters/debug.exp
index b2ca95191..769c03273 100755
--- a/test/filters/debug.exp
+++ b/test/filters/debug.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/filters/filters.sh b/test/filters/filters.sh
index a9f06b60a..04d7080d6 100755
--- a/test/filters/filters.sh
+++ b/test/filters/filters.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 export MALLOC_CHECK_=3
@@ -33,8 +33,12 @@ fi
 echo "TESTING: debug options (test/filters/debug.exp)"
 ./debug.exp
 
-echo "TESTING: seccomp run files (test/filters/seccomp-run-files.exp)"
-./seccomp-run-files.exp
+if [ "$(uname -m)" = "x86_64" ]; then
+    echo "TESTING: seccomp run files (test/filters/seccomp-run-files.exp)"
+    ./seccomp-run-files.exp
+else
+    echo "TESTING SKIP: seccomp-run-files test implemented only for x86_64."
+fi
 
 echo "TESTING: seccomp postexec (test/filters/seccomp-postexec.exp)"
 ./seccomp-postexec.exp
@@ -111,14 +115,11 @@ echo "TESTING: seccomp chmod profile - seccomp lists (test/filters/seccomp-chmod
 echo "TESTING: seccomp empty (test/filters/seccomp-empty.exp)"
 ./seccomp-empty.exp
 
-echo "TESTING: seccomp numeric (test/filters/seccomp-numeric.exp)"
-./seccomp-numeric.exp
-
 if [ "$(uname -m)" = "x86_64" ]; then
-        echo "TESTING: seccomp dual filter (test/filters/seccomp-dualfilter.exp)"
-        ./seccomp-dualfilter.exp
+    echo "TESTING: seccomp numeric (test/filters/seccomp-numeric.exp)"
+    ./seccomp-numeric.exp
 else
-        echo "TESTING SKIP: seccomp dual, not running on x86_64"
+        echo "TESTING SKIP: seccomp numeric test implemented only for x86_64"
 fi
 
 if [ "$(uname -m)" = "x86_64" ]; then
diff --git a/test/filters/fseccomp.exp b/test/filters/fseccomp.exp
index 59f812d6d..ff0179a1c 100755
--- a/test/filters/fseccomp.exp
+++ b/test/filters/fseccomp.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -111,7 +111,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 9.3\n";exit}
-        "ret KILL"
+        "ret ERRNO"
 }
 
 
diff --git a/test/filters/memwrexe b/test/filters/memwrexe
index 669f0d320..1173cdc07 100755
--- a/test/filters/memwrexe
+++ b/test/filters/memwrexe
diff --git a/test/filters/memwrexe-32 b/test/filters/memwrexe-32
index 70c98b796..bdf71dcb4 100755
--- a/test/filters/memwrexe-32
+++ b/test/filters/memwrexe-32
diff --git a/test/filters/memwrexe-32.exp b/test/filters/memwrexe-32.exp
index 1aeaacc82..211052514 100755
--- a/test/filters/memwrexe-32.exp
+++ b/test/filters/memwrexe-32.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -10,7 +10,7 @@ match_max 100000
 send --  "firejail --memory-deny-write-execute ./memwrexe-32 mmap\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
@@ -22,7 +22,7 @@ after 100
 send --  "firejail --memory-deny-write-execute ./memwrexe-32 mprotect\r"
 expect {
         timeout {puts "TESTING ERROR 10\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 expect {
         timeout {puts "TESTING ERROR 11\n";exit}
@@ -34,7 +34,7 @@ after 100
 send --  "firejail --memory-deny-write-execute ./memwrexe-32 memfd_create\r"
 expect {
         timeout {puts "TESTING ERROR 20\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 expect {
         timeout {puts "TESTING ERROR 21\n";exit}
diff --git a/test/filters/memwrexe.c b/test/filters/memwrexe.c
index 4fbf05f78..042c31086 100644
--- a/test/filters/memwrexe.c
+++ b/test/filters/memwrexe.c
@@ -1,5 +1,5 @@
 // This file is part of Firejail project
-// Copyright (C) 2014-2021 Firejail Authors
+// Copyright (C) 2014-2022 Firejail Authors
 // License GPL v2
 
 #include <stdio.h>
@@ -42,6 +42,11 @@ int main(int argc, char **argv) {
                 }
 
                 void *p = mmap (0, size, PROT_WRITE|PROT_READ|PROT_EXEC, MAP_SHARED, fd, 0);
+                if (p == MAP_FAILED) {
+                        printf("mmap failed\n");
+                        return 0;
+                }
+
                 printf("mmap successful\n");
 
                 // wait for expect to timeout
@@ -70,7 +75,12 @@ int main(int argc, char **argv) {
                         return 1;
                 }
 
-                mprotect(p, size, PROT_READ|PROT_WRITE|PROT_EXEC);
+                int rv = mprotect(p, size, PROT_READ|PROT_WRITE|PROT_EXEC);
+                if (rv) {
+                        printf("mprotect failed\n");
+                        return 1;
+                }
+
                 printf("mprotect successful\n");
 
                 // wait for expect to timeout
@@ -82,7 +92,7 @@ int main(int argc, char **argv) {
         else if (strcmp(argv[1], "memfd_create") == 0) {
                 int fd = syscall(SYS_memfd_create, "memfd_create", 0);
                 if (fd == -1) {
-                        fprintf(stderr, "TESTING ERROR: cannot run memfd_create test\n");
+                        printf("memfd_create failed\n");
                         return 1;
                 }
                 printf("memfd_create successful\n");
diff --git a/test/filters/memwrexe.exp b/test/filters/memwrexe.exp
index 2b170803c..950acbf50 100755
--- a/test/filters/memwrexe.exp
+++ b/test/filters/memwrexe.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -10,7 +10,7 @@ match_max 100000
 send --  "firejail --memory-deny-write-execute ./memwrexe mmap\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
@@ -22,7 +22,7 @@ after 100
 send --  "firejail --memory-deny-write-execute ./memwrexe mprotect\r"
 expect {
         timeout {puts "TESTING ERROR 10\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 expect {
         timeout {puts "TESTING ERROR 11\n";exit}
@@ -34,7 +34,7 @@ after 100
 send --  "firejail --memory-deny-write-execute ./memwrexe memfd_create\r"
 expect {
         timeout {puts "TESTING ERROR 20\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 expect {
         timeout {puts "TESTING ERROR 21\n";exit}
diff --git a/test/filters/noroot.exp b/test/filters/noroot.exp
index 64f72f610..66e1e4e27 100755
--- a/test/filters/noroot.exp
+++ b/test/filters/noroot.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -10,7 +10,7 @@ match_max 100000
 send -- "firejail --name=test --noroot --noprofile\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
@@ -72,7 +72,7 @@ expect {
 send -- "cat /proc/self/gid_map | wc -l\r"
 expect {
         timeout {puts "TESTING ERROR 12\n";exit}
-        "5"
+        "9"
 }
 
 
@@ -104,7 +104,7 @@ expect {
 send -- "cat /proc/self/gid_map | wc -l\r"
 expect {
         timeout {puts "TESTING ERROR 17\n";exit}
-        "5"
+        "9"
 }
 
 # check seccomp disabled and all caps enabled
diff --git a/test/filters/protocol.exp b/test/filters/protocol.exp
index 071460e4c..cbc7fdc1a 100755
--- a/test/filters/protocol.exp
+++ b/test/filters/protocol.exp
@@ -1,185 +1,44 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail --noprofile --protocol=unix ./syscall_test socket\r"
+send -- "firejail --noprofile --protocol=unix --debug\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Permission denied" {puts "TESTING SKIP: permission denied\n"; exit}
-        "Child process initialized"
+        "0009: 20 00 00 00000000   ld  data.syscall-number"
 }
 expect {
-        timeout {puts "TESTING ERROR 1.1\n";exit}
-        "Permission denied" {puts "TESTING SKIP: permission denied\n"; exit}
-        "socket AF_INET"
-}
-expect {
-        timeout {puts "TESTING ERROR 1.2\n";exit}
-        "Operation not supported"
-}
-expect {
-        timeout {puts "TESTING ERROR 1.3\n";exit}
-        "socket AF_INET6"
-}
-expect {
-        timeout {puts "TESTING ERROR 1.4\n";exit}
-        "Operation not supported"
-}
-expect {
-        timeout {puts "TESTING ERROR 1.5\n";exit}
-        "socket AF_NETLINK"
-}
-expect {
-        timeout {puts "TESTING ERROR 1.6\n";exit}
-        "Operation not supported"
-}
-expect {
-        timeout {puts "TESTING ERROR 1.7\n";exit}
-        "socket AF_UNIX"
-}
-expect {
-        timeout {puts "TESTING ERROR 1.8\n";exit}
-        "socket AF_PACKETX"
-}
-expect {
-        timeout {puts "TESTING ERROR 1.9\n";exit}
-        "Operation not supported"
-}
-sleep 1
-
-send -- "firejail --noprofile --protocol=inet6,packet ./syscall_test socket\r"
-expect {
         timeout {puts "TESTING ERROR 2\n";exit}
-        "Child process initialized"
-}
-expect {
-        timeout {puts "TESTING ERROR 2.1\n";exit}
-        "socket AF_INET"
-}
-expect {
-        timeout {puts "TESTING ERROR 2.2\n";exit}
-        "Operation not supported"
-}
-expect {
-        timeout {puts "TESTING ERROR 2.3\n";exit}
-        "socket AF_INET6"
-}
-expect {
-        timeout {puts "TESTING ERROR 2.4\n";exit}
-        "socket AF_NETLINK"
-}
-expect {
-        timeout {puts "TESTING ERROR 2.5\n";exit}
-        "Operation not supported"
-}
-expect {
-        timeout {puts "TESTING ERROR 2.6\n";exit}
-        "socket AF_UNIX"
-}
-expect {
-        timeout {puts "TESTING ERROR 2.7\n";exit}
-        "Operation not supported"
-}
-expect {
-        timeout {puts "TESTING ERROR 2.8\n";exit}
-        "socket AF_PACKETX"
-}
-expect {
-        timeout {puts "TESTING ERROR 2.9\n";exit}
-        "after socket"
+        "000a: 15 01 00 00000029   jeq socket 000c (false 000b)"
 }
-sleep 1
-
-# profile testing
-send -- "firejail --profile=protocol1.profile ./syscall_test socket\r"
 expect {
         timeout {puts "TESTING ERROR 3\n";exit}
-        "Child process initialized"
-}
-expect {
-        timeout {puts "TESTING ERROR 3.1\n";exit}
-        "socket AF_INET"
-}
-expect {
-        timeout {puts "TESTING ERROR 3.2\n";exit}
-        "Operation not supported"
-}
-expect {
-        timeout {puts "TESTING ERROR 3.3\n";exit}
-        "socket AF_INET6"
-}
-expect {
-        timeout {puts "TESTING ERROR 3.4\n";exit}
-        "Operation not supported"
-}
-expect {
-        timeout {puts "TESTING ERROR 3.5\n";exit}
-        "socket AF_NETLINK"
-}
-expect {
-        timeout {puts "TESTING ERROR 3.6\n";exit}
-        "Operation not supported"
-}
-expect {
-        timeout {puts "TESTING ERROR 3.7\n";exit}
-        "socket AF_UNIX"
-}
-expect {
-        timeout {puts "TESTING ERROR 3.8\n";exit}
-        "socket AF_PACKETX"
+        "000b: 06 00 00 7fff0000   ret ALLOW"
 }
 expect {
-        timeout {puts "TESTING ERROR 3.9\n";exit}
-        "Operation not supported"
-}
-sleep 1
-
-send -- "firejail --profile=protocol2.profile ./syscall_test socket\r"
-expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "Child process initialized"
-}
-expect {
-        timeout {puts "TESTING ERROR 4.1\n";exit}
-        "socket AF_INET"
-}
-expect {
-        timeout {puts "TESTING ERROR 4.2\n";exit}
-        "Operation not supported"
-}
-expect {
-        timeout {puts "TESTING ERROR 4.3\n";exit}
-        "socket AF_INET6"
+        "000c: 20 00 00 00000010   ld  data.args"
 }
 expect {
-        timeout {puts "TESTING ERROR 4.4\n";exit}
-        "socket AF_NETLINK"
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "000d: 15 00 01 00000001   jeq 1 000e (false 000f)"
 }
 expect {
-        timeout {puts "TESTING ERROR 4.5\n";exit}
-        "Operation not supported"
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "000e: 06 00 00 7fff0000   ret ALLOW"
+        ""
 }
 expect {
-        timeout {puts "TESTING ERROR 4.6\n";exit}
-        "socket AF_UNIX"
+        timeout {puts "TESTING ERROR 7\n";exit}
+        "000f: 06 00 00 0005005f   ret ERRNO(95)"
 }
-expect {
-        timeout {puts "TESTING ERROR 4.7\n";exit}
-        "Operation not supported"
-}
-expect {
-        timeout {puts "TESTING ERROR 4.8\n";exit}
-        "socket AF_PACKETX"
-}
-expect {
-        timeout {puts "TESTING ERROR 4.9\n";exit}
-        "after socket"
-}
-after 100
 
+after 100
+send -- "exit\r"
+after 100
 puts "\nall done\n"
diff --git a/test/filters/seccomp-bad-empty.exp b/test/filters/seccomp-bad-empty.exp
index 5e7c8e1b5..484dc32a9 100755
--- a/test/filters/seccomp-bad-empty.exp
+++ b/test/filters/seccomp-bad-empty.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/filters/seccomp-chmod-profile.exp b/test/filters/seccomp-chmod-profile.exp
index 5587e056c..ac16015cd 100755
--- a/test/filters/seccomp-chmod-profile.exp
+++ b/test/filters/seccomp-chmod-profile.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -10,7 +10,7 @@ match_max 100000
 send --  "firejail --profile=seccomp.profile --private\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
diff --git a/test/filters/seccomp-chmod.exp b/test/filters/seccomp-chmod.exp
index 0d01d4ff2..913ea18a7 100755
--- a/test/filters/seccomp-chmod.exp
+++ b/test/filters/seccomp-chmod.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -10,7 +10,7 @@ match_max 100000
 send --  "firejail --seccomp=chmod,fchmod,fchmodat --private\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
diff --git a/test/filters/seccomp-chown.exp b/test/filters/seccomp-chown.exp
index 0a19229b4..be6c13e2d 100755
--- a/test/filters/seccomp-chown.exp
+++ b/test/filters/seccomp-chown.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -10,7 +10,7 @@ match_max 100000
 send --  "firejail --seccomp=chown,fchown,fchownat,lchown --private\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
diff --git a/test/filters/seccomp-debug-32.exp b/test/filters/seccomp-debug-32.exp
index 677ca4e30..71d653c1f 100755
--- a/test/filters/seccomp-debug-32.exp
+++ b/test/filters/seccomp-debug-32.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -13,19 +13,15 @@ after 100
 send --  "firejail --debug sleep 1; echo done\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "SECCOMP Filter"
-}
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "BLACKLIST"
+        "seccomp entries in /run/firejail/mnt/seccomp/seccomp"
 }
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
-        "open_by_handle_at"
+        "jeq open_by_handle_at"
 }
 expect {
         timeout {puts "TESTING ERROR 3\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
@@ -34,58 +30,30 @@ expect {
 after 100
 
 
-# i686 architecture
-send --  "firejail --debug sleep 1; echo done\r"
-expect {
-        timeout {puts "TESTING ERROR 5\n";exit}
-        "Child process initialized"
-}
-expect {
-        timeout {puts "TESTING ERROR 6\n";exit}
-        "Installing /run/firejail/mnt/seccomp seccomp filter"
-}
-expect {
-        timeout {puts "TESTING ERROR 7\n";exit}
-        "Installing /run/firejail/mnt/seccomp.64 seccomp filter"
-}
-expect {
-        timeout {puts "TESTING ERROR 9\n";exit}
-        "done"
-}
-after 100
-
-# i686 architecture - ignore seccomp
+# 64 bit architecture - ignore seccomp
 send --  "firejail --debug --ignore=seccomp sleep 1; echo done\r"
 expect {
         timeout {puts "TESTING ERROR 10\n";exit}
-        "Installing /run/firejail/mnt/seccomp seccomp filter" {puts "TESTING ERROR 11\n";exit}
-        "Installing /run/firejail/mnt/seccomp.64 seccomp filter" {puts "TESTING ERROR 12\n";exit}
-        "Child process initialized"
+        "Installing /run/firejail/mnt/seccomp/seccomp seccomp filter" {puts "TESTING ERROR 11\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 12\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 expect {
-        timeout {puts "TESTING ERROR 13\n";exit}
-        "Installing /run/firejail/mnt/seccomp seccomp filter" {puts "TESTING ERROR 14\n";exit}
-        "Installing /run/firejail/mnt/seccomp.64 seccomp filter" {puts "TESTING ERROR 15\n";exit}
+        timeout {puts "TESTING ERROR 16\n";exit}
         "done"
 }
 after 100
 
-# i686 architecture - ignore protocol
+# 64 bit architecture - ignore protocol
 send --  "firejail --debug --ignore=protocol sleep 1; echo done\r"
 expect {
         timeout {puts "TESTING ERROR 17\n";exit}
-        "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" {puts "TESTING ERROR 18\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 expect {
         timeout {puts "TESTING ERROR 19\n";exit}
-        "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" {puts "TESTING ERROR 20\n";exit}
-        "Installing /run/firejail/mnt/seccomp seccomp filter"
-}
-expect {
-        timeout {puts "TESTING ERROR 21\n";exit}
-        "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" {puts "TESTING ERROR 22\n";exit}
-        "Installing /run/firejail/mnt/seccomp.64 seccomp filter"
+        "Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter" {puts "TESTING ERROR 20\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp seccomp filter"
 }
 expect {
         timeout {puts "TESTING ERROR 23\n";exit}
@@ -97,11 +65,11 @@ after 100
 send --  "firejail --debug --memory-deny-write-execute sleep 1; echo done\r"
 expect {
         timeout {puts "TESTING ERROR 24\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 expect {
         timeout {puts "TESTING ERROR 25\n";exit}
-        "Installing /run/firejail/mnt/seccomp.mdwx seccomp filter"
+        "Installing /run/firejail/mnt/seccomp/seccomp.mdwx seccomp filter"
 }
 expect {
         timeout {puts "TESTING ERROR 26\n";exit}
@@ -109,17 +77,22 @@ expect {
 }
 
 
-# i686 architecture - seccomp.block-secondary
+# 64 bit architecture - seccomp.block-secondary
 send --  "firejail --debug --seccomp.block-secondary sleep 1; echo done\r"
 expect {
         timeout {puts "TESTING ERROR 27\n";exit}
-        "Installing /run/firejail/mnt/seccomp.64 seccomp filter" {puts "TESTING ERROR 28\n";exit}
-        "Child process initialized"
+        "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 28\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 expect {
         timeout {puts "TESTING ERROR 29\n";exit}
-        "Installing /run/firejail/mnt/seccomp.64 seccomp filter" {puts "TESTING ERROR 30\n";exit}
-        "Installing /run/firejail/mnt/seccomp seccomp filter"
+        "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 30\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp seccomp filter"
+}
+expect {
+        timeout {puts "TESTING ERROR 31\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 32\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter"
 }
 expect {
         timeout {puts "TESTING ERROR 33\n";exit}
@@ -127,17 +100,17 @@ expect {
 }
 after 100
 
-# i686 architecture - seccomp.block-secondary, profile
+# 64 bit architecture - seccomp.block-secondary, profile
 send --  "firejail --debug --profile=block-secondary.profile sleep 1; echo done\r"
 expect {
         timeout {puts "TESTING ERROR 33\n";exit}
-        "Installing /run/firejail/mnt/seccomp.64 seccomp filter" {puts "TESTING ERROR 34\n";exit}
-        "Child process initialized"
+        "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 34\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 expect {
         timeout {puts "TESTING ERROR 35\n";exit}
-        "Installing /run/firejail/mnt/seccomp.64 seccomp filter" {puts "TESTING ERROR 35\n";exit}
-        "Installing /run/firejail/mnt/seccomp seccomp filter"
+        "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 35\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp seccomp filter"
 }
 expect {
         timeout {puts "TESTING ERROR 37\n";exit}
diff --git a/test/filters/seccomp-debug.exp b/test/filters/seccomp-debug.exp
index 852abf822..b4a9e158d 100755
--- a/test/filters/seccomp-debug.exp
+++ b/test/filters/seccomp-debug.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -21,7 +21,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 3\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
@@ -34,7 +34,7 @@ after 100
 send --  "firejail --debug sleep 1; echo done\r"
 expect {
         timeout {puts "TESTING ERROR 5\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 expect {
         timeout {puts "TESTING ERROR 6\n";exit}
@@ -60,7 +60,7 @@ expect {
         timeout {puts "TESTING ERROR 10\n";exit}
         "Installing /run/firejail/mnt/seccomp/seccomp seccomp filter" {puts "TESTING ERROR 11\n";exit}
         "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 12\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 expect {
         timeout {puts "TESTING ERROR 13\n";exit}
@@ -79,7 +79,7 @@ send --  "firejail --debug --ignore=protocol sleep 1; echo done\r"
 expect {
         timeout {puts "TESTING ERROR 17\n";exit}
         "Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter" {puts "TESTING ERROR 18\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 expect {
         timeout {puts "TESTING ERROR 19\n";exit}
@@ -101,7 +101,7 @@ after 100
 send --  "firejail --debug --memory-deny-write-execute sleep 1; echo done\r"
 expect {
         timeout {puts "TESTING ERROR 24\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 expect {
         timeout {puts "TESTING ERROR 25\n";exit}
@@ -118,7 +118,7 @@ send --  "firejail --debug --seccomp.block-secondary sleep 1; echo done\r"
 expect {
         timeout {puts "TESTING ERROR 27\n";exit}
         "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 28\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 expect {
         timeout {puts "TESTING ERROR 29\n";exit}
@@ -141,7 +141,7 @@ send --  "firejail --debug --profile=block-secondary.profile sleep 1; echo done\
 expect {
         timeout {puts "TESTING ERROR 33\n";exit}
         "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 34\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 expect {
         timeout {puts "TESTING ERROR 35\n";exit}
diff --git a/test/filters/seccomp-dualfilter.exp b/test/filters/seccomp-dualfilter.exp
deleted file mode 100755
index e655be848..000000000
--- a/test/filters/seccomp-dualfilter.exp
+++ /dev/null
@@ -1,55 +0,0 @@
-#!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
-# License GPL v2
-
-set timeout 1
-spawn $env(SHELL)
-match_max 100000
-
-send -- "./syscall_test\r"
-expect {
-        timeout {puts "\nTESTING SKIP: 64-bit support missing\n";exit}
-        "Usage"
-}
-
-send -- "./syscall_test32\r"
-expect {
-        timeout {puts "\nTESTING SKIP: 32-bit support missing\n";exit}
-        "Usage"
-}
-
-set timeout 10
-send -- "firejail ./syscall_test mount\r"
-expect {
-        timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
-}
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "before mount"
-}
-expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
-        "after mount" {puts "TESTING ERROR 3\n";exit}
-        "Parent is shutting down"
-}
-sleep 1
-
-send -- "firejail ./syscall_test32 mount\r"
-expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
-        "Child process initialized"
-}
-expect {
-        timeout {puts "TESTING ERROR 5\n";exit}
-        "before mount"
-}
-expect {
-        timeout {puts "TESTING ERROR 6\n";exit}
-        "after mount" {puts "TESTING ERROR 7\n";exit}
-        "Parent is shutting down"
-}
-
-after 100
-puts "\nall done\n"
diff --git a/test/filters/seccomp-empty.exp b/test/filters/seccomp-empty.exp
index 3baa7f0c6..7a5597727 100755
--- a/test/filters/seccomp-empty.exp
+++ b/test/filters/seccomp-empty.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -42,7 +42,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 0.7\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 send -- "exit\r"
@@ -78,7 +78,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 1.7\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 send -- "exit\r"
@@ -120,7 +120,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 2.7\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 send -- "exit\r"
@@ -156,7 +156,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 3.7\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 send -- "exit\r"
diff --git a/test/filters/seccomp-errno.exp b/test/filters/seccomp-errno.exp
index 6c7c63e88..f5e9ff402 100755
--- a/test/filters/seccomp-errno.exp
+++ b/test/filters/seccomp-errno.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -31,7 +31,7 @@ sleep 1
 send --  "firejail --seccomp=unlinkat:ENOENT,mkdir:ENOENT\r"
 expect {
         timeout {puts "TESTING ERROR 3\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 send -- "rm seccomp-test-file\r"
diff --git a/test/filters/seccomp-join.exp b/test/filters/seccomp-join.exp
index 9a8767ed7..1e62e75e7 100755
--- a/test/filters/seccomp-join.exp
+++ b/test/filters/seccomp-join.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/filters/seccomp-numeric.exp b/test/filters/seccomp-numeric.exp
index 59fc26884..fa1d8ada9 100755
--- a/test/filters/seccomp-numeric.exp
+++ b/test/filters/seccomp-numeric.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/filters/seccomp-postexec.exp b/test/filters/seccomp-postexec.exp
index 18263520a..1d4166067 100755
--- a/test/filters/seccomp-postexec.exp
+++ b/test/filters/seccomp-postexec.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -14,20 +14,17 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "data.architecture"
-}
-expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
         "monitoring pid"
 }
+sleep 1
+
+send -- "ls\r"
 expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
-        "Sandbox monitor: waitpid"
-}
-expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
-        "Parent is shutting down"
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "not permitted"
 }
-sleep 1
 
+
+send -- "exit\r"
+after 100
 puts "all done\n"
diff --git a/test/filters/seccomp-ptrace.exp b/test/filters/seccomp-ptrace.exp
index ec8ab615c..9bde7355f 100755
--- a/test/filters/seccomp-ptrace.exp
+++ b/test/filters/seccomp-ptrace.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -10,15 +10,14 @@ match_max 100000
 send --  "firejail --noprofile --seccomp\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
 send -- "strace ls\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Bad system call" {puts "version 1\n";}
-        " unexpected signal 31" {puts "version 2\n"}
+        "not permitted"
 }
 
 send -- "exit\r"
diff --git a/test/filters/seccomp-run-files.exp b/test/filters/seccomp-run-files.exp
index 1e3827f0f..59a576c20 100755
--- a/test/filters/seccomp-run-files.exp
+++ b/test/filters/seccomp-run-files.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/filters/seccomp-su.exp b/test/filters/seccomp-su.exp
index 4bd8b5e93..d204a4295 100755
--- a/test/filters/seccomp-su.exp
+++ b/test/filters/seccomp-su.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -10,7 +10,7 @@ match_max 100000
 send --  "firejail --noprofile --seccomp\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
diff --git a/test/filters/syscall_test b/test/filters/syscall_test
deleted file mode 100755
index bf29c5b99..000000000
--- a/test/filters/syscall_test
+++ /dev/null
diff --git a/test/filters/syscall_test.c b/test/filters/syscall_test.c
deleted file mode 100644
index 55ee31afb..000000000
--- a/test/filters/syscall_test.c
+++ /dev/null
@@ -1,82 +0,0 @@
-// This file is part of Firejail project
-// Copyright (C) 2014-2021 Firejail Authors
-// License GPL v2
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <unistd.h>
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <linux/netlink.h>
-#include <net/ethernet.h>
-#include <sys/mount.h>
-
-int main(int argc, char **argv) {
-        if (argc != 2) {
-                printf("Usage: test [sleep|socket|mkdir|mount]\n");
-                return 1;
-        }
-
-        if (strcmp(argv[1], "sleep") == 0) {
-                printf("before sleep\n");
-                sleep(1);
-                printf("after sleep\n");
-        }
-        else if (strcmp(argv[1], "socket") == 0) {
-                int sock;
-
-                printf("testing socket AF_INET\n");
-                if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
-                        perror("socket");
-                }
-                else
-                        close(sock);
-
-                printf("testing socket AF_INET6\n");
-                if ((sock = socket(AF_INET6, SOCK_STREAM, 0)) < 0) {
-                        perror("socket");
-                }
-                else
-                        close(sock);
-
-                printf("testing socket AF_NETLINK\n");
-                if ((sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE)) < 0) {
-                        perror("socket");
-                }
-                else
-                        close(sock);
-
-                printf("testing socket AF_UNIX\n");
-                if ((sock = socket(AF_UNIX, SOCK_STREAM, 0)) < 0) {
-                        perror("socket");
-                }
-                else
-                        close(sock);
-
-                // root needed to be able to handle this
-                printf("testing socket AF_PACKETX\n");
-                if ((sock = socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_ARP))) < 0) {
-                        perror("socket");
-                }
-                else
-                        close(sock);
-                printf("after socket\n");
-        }
-        else if (strcmp(argv[1], "mkdir") == 0) {
-                printf("before mkdir\n");
-                mkdir("tmp", 0777);
-                printf("after mkdir\n");
-        }
-        else if (strcmp(argv[1], "mount") == 0) {
-                printf("before mount\n");
-                if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME,  "mode=755,gid=0") < 0) {
-                        perror("mount");
-                }
-                printf("after mount\n");
-        }
-        else {
-                fprintf(stderr, "Error: invalid argument\n");
-                return 1;
-        }
-        return 0;
-}
diff --git a/test/filters/syscall_test32 b/test/filters/syscall_test32
deleted file mode 100755
index 8d72f58c4..000000000
--- a/test/filters/syscall_test32
+++ /dev/null
diff --git a/test/fnetfilter/cmdline.exp b/test/fnetfilter/cmdline.exp
index 16e8ccb81..514d3f890 100755
--- a/test/fnetfilter/cmdline.exp
+++ b/test/fnetfilter/cmdline.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/fnetfilter/copy.exp b/test/fnetfilter/copy.exp
index 6c672141f..b03b3e19b 100755
--- a/test/fnetfilter/copy.exp
+++ b/test/fnetfilter/copy.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/fnetfilter/default.exp b/test/fnetfilter/default.exp
index fee9fb5f3..545837cc1 100755
--- a/test/fnetfilter/default.exp
+++ b/test/fnetfilter/default.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -31,9 +31,14 @@ after 100
 send -- "fnetfilter test1.net,33\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "cannot open test1.net,33"
+        "Error:"
+}
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "is an invalid filename"
 }
 after 100
+
 send -- "rm outfile\r"
 after 100
 
diff --git a/test/fnetfilter/fnetfilter.sh b/test/fnetfilter/fnetfilter.sh
index 9fac92d39..9ad822753 100755
--- a/test/fnetfilter/fnetfilter.sh
+++ b/test/fnetfilter/fnetfilter.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 export MALLOC_CHECK_=3
diff --git a/test/fnetfilter/template.exp b/test/fnetfilter/template.exp
index 0ff09a024..2c5dba920 100755
--- a/test/fnetfilter/template.exp
+++ b/test/fnetfilter/template.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -66,13 +66,17 @@ after 100
 send -- "fnetfilter test2.net,icmp-type,destination-unreachable,time-exceeded,echo-request\r"
 expect {
         timeout {puts "TESTING ERROR 12\n";exit}
-        "cannot open test2.net,"
+        "Error:"
+}
+expect {
+        timeout {puts "TESTING ERROR 13\n";exit}
+        "is an invalid filename"
 }
 after 100
 
 send -- "fnetfilter test3.net,44 outfile\r"
 expect {
-        timeout {puts "TESTING ERROR 13\n";exit}
+        timeout {puts "TESTING ERROR 14\n";exit}
         "invalid template argument on line 1"
 }
 after 100
diff --git a/test/fs/fs.sh b/test/fs/fs.sh
index 591fc1a06..b49e447b7 100755
--- a/test/fs/fs.sh
+++ b/test/fs/fs.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 export MALLOC_CHECK_=3
@@ -10,20 +10,26 @@ export LC_ALL=C
 # These directories are required by some tests:
 mkdir -p ~/Desktop ~/Documents ~/Downloads ~/Music ~/Pictures ~/Videos
 
+echo "TESTING: tab completion (test/fs/tab.exp)"
+./tab.exp
+
 rm -fr ~/_firejail_test_*
 echo "TESTING: mkdir/mkfile (test/fs/mkdir_mkfile.exp)"
 ./mkdir_mkfile.exp
 rm -fr ~/_firejail_test_*
 
-mkdir ~/_firejail_test_dir
-touch ~/_firejail_test_dir/a
-mkdir ~/_firejail_test_dir/test1
-touch ~/_firejail_test_dir/test1/b
+echo "TESTING: recursive mkdir (test/fs/mkdir.exp)"
+./mkdir.exp
+rm -fr ~/_firejail_test_*
+rm -fr /tmp/_firejail_test_*
+
 echo "TESTING: read/write (test/fs/read-write.exp)"
 ./read-write.exp
+rm -fr ~/_firejail_test_dir
+
 echo "TESTING: whitelist readonly (test/fs/whitelist-readonly.exp)"
 ./whitelist-readonly.exp
-rm -fr ~/_firejail_test_*
+rm -f ~/_firejail_test_dir
 
 echo "TESTING: /sys/fs access (test/fs/sys_fs.exp)"
 ./sys_fs.exp
@@ -37,16 +43,23 @@ fi
 
 echo "TESTING: read/write /var/tmp (test/fs/fs_var_tmp.exp)"
 ./fs_var_tmp.exp
+rm -f /var/tmp/_firejail_test_file
 
-echo "TESTING: private-lib (test/fs/private-lib.exp)"
-./private-lib.exp
+if [ "$(uname -m)" = "x86_64" ]; then
+    echo "TESTING: private-lib (test/fs/private-lib.exp)"
+    ./private-lib.exp
+else
+    echo "TESTING SKIP: private-lib test implemented only for x86_64."
+fi
 
 echo "TESTING: read/write /var/lock (test/fs/fs_var_lock.exp)"
 ./fs_var_lock.exp
+rm -f /var/lock/_firejail_test_file
 
 if [ -w /dev/shm ]; then
     echo "TESTING: read/write /dev/shm (test/fs/fs_dev_shm.exp)"
     ./fs_dev_shm.exp
+    rm -f /dev/shm/_firejail_test_file
 else
     echo "TESTING SKIP: /dev/shm not writable"
 fi
@@ -56,12 +69,23 @@ echo "TESTING: private (test/fs/private.exp)"
 
 echo "TESTING: private home (test/fs/private-home.exp)"
 ./private-home.exp
+rm -f ~/_firejail_test_file1
+rm -f ~/_firejail_test_file2
+rm -fr ~/_firejail_test_dir1
+rm -f ~/_firejail_test_link1
+rm -f ~/_firejail_test_link2
 
 echo "TESTING: private home dir (test/fs/private-home-dir.exp)"
 ./private-home-dir.exp
+rm -fr ~/_firejail_test_dir1
 
 echo "TESTING: private home dir same as user home (test/fs/private-homedir.exp)"
 ./private-homedir.exp
+rm -f ~/_firejail_test_file1
+rm -f ~/_firejail_test_file2
+rm -fr ~/_firejail_test_dir1
+rm -f ~/_firejail_test_link1
+rm -f ~/_firejail_test_link2
 
 echo "TESTING: private-etc (test/fs/private-etc.exp)"
 ./private-etc.exp
@@ -74,6 +98,7 @@ echo "TESTING: private-bin (test/fs/private-bin.exp)"
 
 echo "TESTING: private-cache (test/fs/private-cache.exp)"
 ./private-cache.exp
+rm -f ~/.cache/abcdefg
 
 echo "TESTING: private-cwd (test/fs/private-cwd.exp)"
 ./private-cwd.exp
@@ -83,6 +108,12 @@ echo "TESTING: macros (test/fs/macro.exp)"
 
 echo "TESTING: whitelist empty (test/fs/whitelist-empty.exp)"
 ./whitelist-empty.exp
+rm -f ~/Videos/_firejail_test_fil
+rm -f ~/Pictures/_firejail_test_file
+rm -f ~/Music/_firejail_test_file
+rm -f ~/Downloads/_firejail_test_file
+rm -f ~/Documents/_firejail_test_file
+rm -f ~/Desktop/_firejail_test_file
 
 echo "TESTING: private whitelist (test/fs/private-whitelist.exp)"
 ./private-whitelist.exp
@@ -95,9 +126,11 @@ echo "TESTING: blacklist directory (test/fs/option_blacklist.exp)"
 
 echo "TESTING: blacklist file (test/fs/option_blacklist_file.exp)"
 ./option_blacklist_file.exp
+rm -fr ~/_firejail_test_dir
 
 echo "TESTING: blacklist glob (test/fs/option_blacklist_glob.exp)"
 ./option_blacklist_glob.exp
+rm -fr ~/_firejail_test_dir
 
 echo "TESTING: noblacklist blacklist noexec (test/fs/noblacklist-blacklist-noexec.exp)"
 ./noblacklist-blacklist-noexec.exp
@@ -108,14 +141,13 @@ echo "TESTING: noblacklist blacklist readonly (test/fs/noblacklist-blacklist-rea
 echo "TESTING: bind as user (test/fs/option_bind_user.exp)"
 ./option_bind_user.exp
 
-echo "TESTING: recursive mkdir (test/fs/mkdir.exp)"
-./mkdir.exp
-
 echo "TESTING: double whitelist (test/fs/whitelist-double.exp)"
 ./whitelist-double.exp
+rm -f /tmp/_firejail_test_file
 
 echo "TESTING: whitelist (test/fs/whitelist.exp)"
 ./whitelist.exp
+rm -fr ~/_firejail_test_*
 
 echo "TESTING: whitelist dev, var(test/fs/whitelist-dev.exp)"
 ./whitelist-dev.exp
@@ -131,6 +163,8 @@ echo "TESTING: fscheck --bind non root (test/fs/fscheck-bindnoroot.exp)"
 
 echo "TESTING: fscheck --tmpfs non root (test/fs/fscheck-tmpfs.exp)"
 ./fscheck-tmpfs.exp
+rm -fr ~/_firejail_test_dir
+rm -fr /tmp/_firejail_test_dir
 
 echo "TESTING: fscheck --private= (test/fs/fscheck-private.exp)"
 ./fscheck-private.exp
@@ -139,10 +173,4 @@ echo "TESTING: fscheck --read-only= (test/fs/fscheck-readonly.exp)"
 ./fscheck-readonly.exp
 
 #cleanup
-rm -fr ~/fjtest-dir
-rm -fr ~/fjtest-dir-lnk
-rm -f ~/fjtest-file
-rm -f ~/fjtest-file-lnk
-rm -f /tmp/fjtest-file
-rm -fr /tmp/fjtest-dir
-rm -fr ~/_firejail_test_*
+rm -fr ~/_firejail_test*
diff --git a/test/fs/fs_dev_shm.exp b/test/fs/fs_dev_shm.exp
index 04e6e2383..5d57a8975 100755
--- a/test/fs/fs_dev_shm.exp
+++ b/test/fs/fs_dev_shm.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -11,18 +11,18 @@ match_max 100000
 send -- "firejail\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 after 100
 send -- "stty -echo\r"
 
-send -- "echo mytest > /dev/shm/ttt;echo done\r"
+send -- "echo mytest > /dev/shm/_firejail_test_file;echo done\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
         "done"
 }
 
-send -- "cat /dev/shm/ttt;echo done\r"
+send -- "cat /dev/shm/_firejail_test_file;echo done\r"
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
         "mytest"
@@ -32,13 +32,13 @@ expect {
         "done"
 }
 
-send -- "rm /dev/shm/ttt;echo done\r"
+send -- "rm /dev/shm/_firejail_test_file;echo done\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
         "done"
 }
 
-send -- "cat /dev/shm/ttt;echo done\r"
+send -- "cat /dev/shm/_firejail_test_file;echo done\r"
 expect {
         timeout {puts "TESTING ERROR 5\n";exit}
         "mytest" {puts "TESTING ERROR 6\n";exit}
@@ -52,18 +52,18 @@ sleep 1
 send -- "firejail\r"
 expect {
         timeout {puts "TESTING ERROR 7\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 after 100
 send -- "stty -echo\r"
 
-send -- "echo mytest > /dev/shm/ttt;echo done\r"
+send -- "echo mytest > /dev/shm/_firejail_test_file;echo done\r"
 expect {
         timeout {puts "TESTING ERROR 8\n";exit}
         "done"
 }
 
-send -- "cat /dev/shm/ttt;echo done\r"
+send -- "cat /dev/shm/_firejail_test_file;echo done\r"
 expect {
         timeout {puts "TESTING ERROR 9\n";exit}
         "mytest"
@@ -73,13 +73,13 @@ expect {
         "done"
 }
 
-send -- "rm /dev/shm/ttt;echo done\r"
+send -- "rm /dev/shm/_firejail_test_file;echo done\r"
 expect {
         timeout {puts "TESTING ERROR 11\n";exit}
         "done"
 }
 
-send -- "cat /dev/shm/ttt;echo done\r"
+send -- "cat /dev/shm/_firejail_test_file;echo done\r"
 expect {
         timeout {puts "TESTING ERROR 12\n";exit}
         "mytest" {puts "TESTING ERROR 13\n";exit}
diff --git a/test/fs/fs_var_lock.exp b/test/fs/fs_var_lock.exp
index 3ea98c3e3..ce3eb836e 100755
--- a/test/fs/fs_var_lock.exp
+++ b/test/fs/fs_var_lock.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -11,7 +11,7 @@ match_max 100000
 send -- "firejail\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 after 100
 send -- "stty -echo\r"
@@ -53,7 +53,7 @@ sleep 1
 send -- "firejail\r"
 expect {
         timeout {puts "TESTING ERROR 7\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 after 100
 send -- "stty -echo\r"
diff --git a/test/fs/fs_var_tmp.exp b/test/fs/fs_var_tmp.exp
index 004425719..8c2da085f 100755
--- a/test/fs/fs_var_tmp.exp
+++ b/test/fs/fs_var_tmp.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -11,18 +11,18 @@ match_max 100000
 send -- "firejail\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 after 100
 send -- "stty -echo\r"
 
-send -- "echo mytest > /var/tmp/ttt;echo done\r"
+send -- "echo mytest > /var/tmp/_firejail_test_file;echo done\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
         "done"
 }
 
-send -- "cat /var/tmp/ttt;echo done\r"
+send -- "cat /var/tmp/_firejail_test_file;echo done\r"
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
         "mytest"
@@ -32,13 +32,13 @@ expect {
         "done"
 }
 
-send -- "rm /var/tmp/ttt;echo done\r"
+send -- "rm /var/tmp/_firejail_test_file;echo done\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
         "done"
 }
 
-send -- "cat /var/tmp/ttt;echo done\r"
+send -- "cat /var/tmp/_firejail_test_file;echo done\r"
 expect {
         timeout {puts "TESTING ERROR 5\n";exit}
         "mytest" {puts "TESTING ERROR 6\n";exit}
@@ -53,18 +53,18 @@ sleep 1
 send -- "firejail\r"
 expect {
         timeout {puts "TESTING ERROR 7\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 after 100
 send -- "stty -echo\r"
 
-send -- "echo mytest > /var/tmp/ttt;echo done\r"
+send -- "echo mytest > /var/tmp/_firejail_test_file;echo done\r"
 expect {
         timeout {puts "TESTING ERROR 8\n";exit}
         "done"
 }
 
-send -- "cat /var/tmp/ttt;echo done\r"
+send -- "cat /var/tmp/_firejail_test_file;echo done\r"
 expect {
         timeout {puts "TESTING ERROR 9\n";exit}
         "mytest"
@@ -74,13 +74,13 @@ expect {
         "done"
 }
 
-send -- "rm /var/tmp/ttt;echo done\r"
+send -- "rm /var/tmp/_firejail_test_file;echo done\r"
 expect {
         timeout {puts "TESTING ERROR 11\n";exit}
         "done"
 }
 
-send -- "cat /var/tmp/ttt;echo done\r"
+send -- "cat /var/tmp/_firejail_test_file;echo done\r"
 expect {
         timeout {puts "TESTING ERROR 12\n";exit}
         "mytest" {puts "TESTING ERROR 13\n";exit}
diff --git a/test/fs/fscheck-bindnoroot.exp b/test/fs/fscheck-bindnoroot.exp
index 53a3922ee..6142a270a 100755
--- a/test/fs/fscheck-bindnoroot.exp
+++ b/test/fs/fscheck-bindnoroot.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/fs/fscheck-private.exp b/test/fs/fscheck-private.exp
index ab39b43e1..0b3f41115 100755
--- a/test/fs/fscheck-private.exp
+++ b/test/fs/fscheck-private.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/fs/fscheck-readonly.exp b/test/fs/fscheck-readonly.exp
index 5d4821dea..6c58f41da 100755
--- a/test/fs/fscheck-readonly.exp
+++ b/test/fs/fscheck-readonly.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/fs/fscheck-tmpfs.exp b/test/fs/fscheck-tmpfs.exp
index 8dd08aa72..223bb63ba 100755
--- a/test/fs/fscheck-tmpfs.exp
+++ b/test/fs/fscheck-tmpfs.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -24,7 +24,7 @@ if { ! [file exists /tmp/fjtest-dir] } {
 send -- "firejail --noprofile --tmpfs=~/fjtest-dir\r"
 expect {
         timeout {puts "TESTING ERROR 3\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 after 500
 
@@ -41,7 +41,7 @@ after 500
 send -- "firejail --noprofile --tmpfs=/tmp/fjtest-dir\r"
 expect {
         timeout {puts "TESTING ERROR 5\n";exit}
-        "Error"
+        "Warning: you are not allowed to mount a tmpfs"
 }
 after 500
 
diff --git a/test/fs/invalid_filename.exp b/test/fs/invalid_filename.exp
index 7c4797976..dd63bf647 100755
--- a/test/fs/invalid_filename.exp
+++ b/test/fs/invalid_filename.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/fs/kmsg.exp b/test/fs/kmsg.exp
index 209cb8d3b..e7d765bff 100755
--- a/test/fs/kmsg.exp
+++ b/test/fs/kmsg.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -10,7 +10,7 @@ match_max 100000
 send -- "firejail\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
diff --git a/test/fs/macro.exp b/test/fs/macro.exp
index 45e892088..c01123f41 100755
--- a/test/fs/macro.exp
+++ b/test/fs/macro.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -11,7 +11,7 @@ match_max 100000
 send -- "firejail --profile=macro-whitelist.profile ls ~\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
@@ -42,7 +42,7 @@ sleep 1
 send -- "firejail --profile=macro-blacklist.profile ls ~/Desktop\r"
 expect {
         timeout {puts "TESTING ERROR 7\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 expect {
         timeout {puts "TESTING ERROR 8\n";exit}
@@ -53,7 +53,7 @@ sleep 1
 send -- "firejail --profile=macro-blacklist.profile ls ~/Documents\r"
 expect {
         timeout {puts "TESTING ERROR 9n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 expect {
         timeout {puts "TESTING ERROR 10\n";exit}
@@ -64,7 +64,7 @@ sleep 1
 send -- "firejail --profile=macro-blacklist.profile ls ~/Downloads\r"
 expect {
         timeout {puts "TESTING ERROR 11n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 expect {
         timeout {puts "TESTING ERROR 12n";exit}
@@ -75,7 +75,7 @@ sleep 1
 send -- "firejail --profile=macro-blacklist.profile ls ~/Music\r"
 expect {
         timeout {puts "TESTING ERROR 13\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 expect {
         timeout {puts "TESTING ERROR 14\n";exit}
@@ -86,7 +86,7 @@ sleep 1
 send -- "firejail --profile=macro-blacklist.profile ls ~/Pictures\r"
 expect {
         timeout {puts "TESTING ERROR 15\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 expect {
         timeout {puts "TESTING ERROR 16\n";exit}
@@ -97,7 +97,7 @@ sleep 1
 send -- "firejail --profile=macro-blacklist.profile ls ~/Videos\r"
 expect {
         timeout {puts "TESTING ERROR 17\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 expect {
         timeout {puts "TESTING ERROR 18\n";exit}
@@ -108,7 +108,7 @@ sleep 1
 send -- "firejail --profile=macro-readonly.profile touch ~/Desktop/blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 19\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 expect {
         timeout {puts "TESTING ERROR 20\n";exit}
@@ -119,7 +119,7 @@ sleep 1
 send -- "firejail --profile=macro-readonly.profile touch ~/Documents/blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 21\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 expect {
         timeout {puts "TESTING ERROR 22\n";exit}
@@ -130,7 +130,7 @@ sleep 1
 send -- "firejail --profile=macro-readonly.profile touch ~/Downloads/blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 23\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 expect {
         timeout {puts "TESTING ERROR 24\n";exit}
@@ -141,7 +141,7 @@ sleep 1
 send -- "firejail --profile=macro-readonly.profile touch ~/Music/blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 25\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 expect {
         timeout {puts "TESTING ERROR 26\n";exit}
@@ -152,7 +152,7 @@ sleep 1
 send -- "firejail --profile=macro-readonly.profile touch ~/Pictures/blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 27\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 expect {
         timeout {puts "TESTING ERROR 28\n";exit}
@@ -163,7 +163,7 @@ sleep 1
 send -- "firejail --profile=macro-readonly.profile touch ~/Videos/blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 29\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 expect {
         timeout {puts "TESTING ERROR 30\n";exit}
diff --git a/test/fs/mkdir.exp b/test/fs/mkdir.exp
index 8b787f114..b9e8d5ce4 100755
--- a/test/fs/mkdir.exp
+++ b/test/fs/mkdir.exp
@@ -1,40 +1,40 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 3
 spawn $env(SHELL)
 match_max 100000
 
-send -- "rm -fr ~/.firejail_test\r"
+send -- "rm -fr ~/_firejail_test_dir\r"
 after 100
 
-send -- "firejail --profile=mkdir.profile find ~/.firejail_test\r"
+send -- "firejail --profile=mkdir.profile find ~/_firejail_test_dir\r"
 expect {
         timeout {puts "TESTING ERROR 1.1\n";exit}
-        ".firejail_test/a/b/c/d.txt"
+        "_firejail_test_dir/_firejail_test_file"
 }
-send -- "rm -rf ~/.firejail_test\r"
+send -- "rm -rf ~/_firejail_test_dir\r"
 after 100
 
-send -- "firejail --profile=mkdir.profile find /tmp/.firejail_test\r"
+send -- "firejail --profile=mkdir.profile find /tmp/_firejail_test_dir\r"
 expect {
         timeout {puts "TESTING ERROR 2.1\n";exit}
-        "/tmp/.firejail_test/a/b/c/d.txt"
+        "_firejail_test_dir/_firejail_test_file"
 }
-send -- "rm -rf /tmp/.firejail_test\r"
+send -- "rm -rf /tmp/_firejail_test_dir\r"
 after 100
 
 set UID [exec id -u]
 set fexist [file exist /run/user/$UID]
 if { $fexist } {
-        send -- "firejail --profile=mkdir.profile find /run/user/$UID/.firejail_test\r"
+        send -- "firejail --profile=mkdir.profile find /run/user/$UID/_firejail_test_dir\r"
         expect {
                 timeout {puts "TESTING ERROR 3.1\n";exit}
-                "/run/user/$UID/.firejail_test/a/b/c/d.txt"
+                "_firejail_test_dir/_firejail_test_file"
         }
-        send -- "rm -rf /run/user/$UID/.firejail_test\r"
+        send -- "rm -rf /run/user/$UID/_firejail_test_dir\r"
         after 100
 
 
diff --git a/test/fs/mkdir.profile b/test/fs/mkdir.profile
index 35c27c872..fba93f466 100644
--- a/test/fs/mkdir.profile
+++ b/test/fs/mkdir.profile
@@ -1,6 +1,6 @@
-mkdir ~/.firejail_test/a/b/c
-mkfile ~/.firejail_test/a/b/c/d.txt
-mkdir /tmp/.firejail_test/a/b/c
-mkfile /tmp/.firejail_test/a/b/c/d.txt
-mkdir ${RUNUSER}/.firejail_test/a/b/c
-mkfile ${RUNUSER}/.firejail_test/a/b/c/d.txt
+mkdir ~/_firejail_test_dir
+mkfile ~/_firejail_test_dir/_firejail_test_file
+mkdir /tmp/_firejail_test_dir
+mkfile /tmp/_firejail_test_dir/_firejail_test_file
+mkdir ${RUNUSER}/_firejail_test_dir
+mkfile ${RUNUSER}/_firejail_test_dir/_firejail_test_file
diff --git a/test/fs/mkdir_mkfile.exp b/test/fs/mkdir_mkfile.exp
index eddc6ebfb..c1dce58ea 100755
--- a/test/fs/mkdir_mkfile.exp
+++ b/test/fs/mkdir_mkfile.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -12,7 +12,7 @@ match_max 100000
 send -- "firejail --private --profile=mkdir_mkfile.profile\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
diff --git a/test/fs/noblacklist-blacklist-noexec.exp b/test/fs/noblacklist-blacklist-noexec.exp
index 9f5794a7d..3bc5e7c79 100755
--- a/test/fs/noblacklist-blacklist-noexec.exp
+++ b/test/fs/noblacklist-blacklist-noexec.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -12,7 +12,7 @@ set PWD $env(PWD)
 send -- "firejail --noprofile --noblacklist=$PWD --blacklist=$PWD --noexec=$PWD\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
diff --git a/test/fs/noblacklist-blacklist-readonly.exp b/test/fs/noblacklist-blacklist-readonly.exp
index 558d3ac9c..b5d3ef045 100755
--- a/test/fs/noblacklist-blacklist-readonly.exp
+++ b/test/fs/noblacklist-blacklist-readonly.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -11,7 +11,7 @@ match_max 100000
 send -- "firejail --noprofile --noblacklist=~ --blacklist=~ --read-only=~\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
diff --git a/test/fs/option_bind_user.exp b/test/fs/option_bind_user.exp
index 08b892121..c58c23d8c 100755
--- a/test/fs/option_bind_user.exp
+++ b/test/fs/option_bind_user.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/fs/option_blacklist.exp b/test/fs/option_blacklist.exp
index 6ee2b07ca..9e1533435 100755
--- a/test/fs/option_blacklist.exp
+++ b/test/fs/option_blacklist.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -10,7 +10,7 @@ match_max 100000
 send -- "firejail --blacklist=/var\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 after 100
 send -- "stty -echo\r"
@@ -35,4 +35,4 @@ expect {
 }
 after 100
 
-puts "\n"
+puts "\nall done\n"
diff --git a/test/fs/option_blacklist_file.exp b/test/fs/option_blacklist_file.exp
index b0bcc741b..93284a140 100755
--- a/test/fs/option_blacklist_file.exp
+++ b/test/fs/option_blacklist_file.exp
@@ -1,22 +1,37 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail --blacklist=/etc/passwd\r"
+send -- "mkdir ~/_firejail_test_dir\r"
+after 100
+send -- "touch ~/_firejail_test_dir/a\r"
+after 100
+
+send -- "firejail --blacklist=/etc/passwd --blacklist=~/_firejail_test_dir\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
 send -- "cat /etc/passwd;echo done\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
+        "No such file or directory"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "done"
+}
+after 100
+send -- "cat ~/_firejail_test_dir/a;echo done\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
         "Permission denied"
 }
 expect {
@@ -25,4 +40,10 @@ expect {
 }
 after 100
 
-puts "\n"
+send -- "exit\r"
+sleep 1
+
+send -- "rm -fr ~/_firejail_test_dir\r"
+after 100
+
+puts "\nall done\n"
diff --git a/test/fs/option_blacklist_glob.exp b/test/fs/option_blacklist_glob.exp
index ee79eabf4..83b123a4b 100755
--- a/test/fs/option_blacklist_glob.exp
+++ b/test/fs/option_blacklist_glob.exp
@@ -1,32 +1,47 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail --blacklist=testdir1/*\r"
+send -- "mkdir ~/_firejail_test_dir\r"
+after 100
+send -- "touch ~/_firejail_test_dir/a\r"
+after 100
+send -- "mkdir ~/_firejail_test_dir/test1\r"
+after 100
+send -- "touch ~/_firejail_test_dir/test1/b\r"
+after 100
+
+send -- "firejail --blacklist=~/_firejail_test_dir/*\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
-send -- "cd testdir1\r"
+send -- "cd ~/_firejail_test_dir\r"
 sleep 1
 
-send -- "cat .file\r"
+send -- "cat a\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
         "Permission denied"
 }
 
-send -- "ls .directory\r"
+send -- "ls test1\r"
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
         "Permission denied"
 }
 after 100
 
-puts "\n"
+send -- "exit\r"
+sleep 1
+
+send -- "rm -fr ~/_firejail_test_dir\r"
+after 100
+
+puts "\nall done\n"
diff --git a/test/fs/private-bin.exp b/test/fs/private-bin.exp
index b5d205780..e4b36e114 100755
--- a/test/fs/private-bin.exp
+++ b/test/fs/private-bin.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -10,7 +10,7 @@ match_max 100000
 send -- "firejail --private-bin=bash,ls,sh\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
@@ -40,7 +40,7 @@ sleep 1
 send -- "firejail --profile=private-bin.profile\r"
 expect {
         timeout {puts "TESTING ERROR 7\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
diff --git a/test/fs/private-cache.exp b/test/fs/private-cache.exp
index 3244c21c1..f21d799b4 100755
--- a/test/fs/private-cache.exp
+++ b/test/fs/private-cache.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -21,7 +21,7 @@ if { ! [file exists ~/.cache/abcdefg] } {
 send -- "firejail --noprofile --private-cache\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
diff --git a/test/fs/private-cwd.exp b/test/fs/private-cwd.exp
index 54804a6a6..77374e086 100755
--- a/test/fs/private-cwd.exp
+++ b/test/fs/private-cwd.exp
@@ -1,52 +1,54 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "cd /tmp\r"
-after 100
-
-# testing profile and private
-send -- "firejail --private-cwd\r"
+send -- "firejail --private-cwd pwd\r"
 expect {
-        timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "$env(HOME)"
 }
 sleep 1
 
-send -- "pwd\r"
+send -- "firejail --private-cwd=/etc pwd\r"
 expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "$env(HOME)"
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "/etc"
 }
-after 100
-
-send -- "exit\r"
 sleep 1
 
-send -- "cd /\r"
-after 100
-
-# testing profile and private
-send -- "firejail --private-cwd=/tmp\r"
+send -- "firejail --private --private-cwd=. pwd\r"
 expect {
         timeout {puts "TESTING ERROR 3\n";exit}
-        "Child process initialized"
+        "invalid private working directory"
 }
 sleep 1
 
-send -- "pwd\r"
+after 100
+send -- "firejail  --private-cwd='\${HOME}' pwd\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "/tmp"
+        "$env(HOME)"
 }
-after 100
+sleep 1
 
-send -- "exit\r"
+after 100
+send -- "firejail  --private-cwd=\"\${HOME}\" pwd\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "$env(HOME)"
+}
 sleep 1
 
+send -- "firejail  --profile=private-cwd.profile pwd\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "$env(HOME)"
+}
+after 100
+
 puts "all done\n"
diff --git a/test/fs/private-cwd.profile b/test/fs/private-cwd.profile
new file mode 100644
index 000000000..9dd97a8ac
--- /dev/null
+++ b/test/fs/private-cwd.profile
@@ -0,0 +1 @@
+private-cwd ${HOME}
diff --git a/test/fs/private-etc-empty.exp b/test/fs/private-etc-empty.exp
index 9be18f9bd..6878a642c 100755
--- a/test/fs/private-etc-empty.exp
+++ b/test/fs/private-etc-empty.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -10,7 +10,7 @@ match_max 100000
 send -- "firejail --private-etc=blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
@@ -26,7 +26,7 @@ sleep 1
 send -- "firejail --profile=private-etc-empty.profile\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
diff --git a/test/fs/private-etc.exp b/test/fs/private-etc.exp
index c9a74f96e..f51fc5221 100755
--- a/test/fs/private-etc.exp
+++ b/test/fs/private-etc.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -11,7 +11,7 @@ match_max 100000
 send -- "firejail --private-etc=passwd,group,resolv.conf,X11\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
@@ -64,9 +64,6 @@ expect {
 }
 after 100
 
-
-
-
-
+send -- "exit\r"
 after 100
 puts "\nall done\n"
diff --git a/test/fs/private-home-dir.exp b/test/fs/private-home-dir.exp
index 75ac5aea5..e46d2b113 100755
--- a/test/fs/private-home-dir.exp
+++ b/test/fs/private-home-dir.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -21,16 +21,16 @@ if {[file exists ~/.Xauthority]} {
         send -- "touch ~/.Xauthority\r"
 }
 after 100
-send -- "rm -fr ~/_firejail_test_dir_\r"
+send -- "rm -fr ~/_firejail_test_dir1_\r"
 after 100
-send -- "mkdir ~/_firejail_test_dir_\r"
+send -- "mkdir ~/_firejail_test_dir1_\r"
 sleep 1
 
 # testing profile and private
-send -- "firejail --private=~/_firejail_test_dir_\r"
+send -- "firejail --private=~/_firejail_test_dir1_\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
@@ -67,12 +67,12 @@ expect {
         "private directory is not owned by the current user"
 }
 sleep 1
-send -- "mkdir ~/_firejail_test_dir_/test_dir_2\r"
+send -- "mkdir ~/_firejail_test_dir1_/test_dir_2\r"
 after 100
-send -- "touch ~/_firejail_test_dir_/test_dir_2/testfile\r"
+send -- "touch ~/_firejail_test_dir1_/test_dir_2/testfile\r"
 sleep 1
 
-send -- "firejail --debug --noprofile --blacklist=~/test_dir_2 --private=~/_firejail_test_dir_\r"
+send -- "firejail --debug --noprofile --blacklist=~/test_dir_2 --private=~/_firejail_test_dir1_\r"
 expect {
         timeout {puts "TESTING ERROR 10\n";exit}
         "Disable"
@@ -83,7 +83,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 12\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 
 sleep 1
@@ -98,7 +98,8 @@ after 100
 send "exit\r"
 sleep 1
 
-send -- "rm -fr ~/_firejail_test_dir_\r"
+send -- "rm -fr ~/_firejail_test_dir1\r"
 after 100
 
+
 puts "\nall done\n"
diff --git a/test/fs/private-home.exp b/test/fs/private-home.exp
index 2f297e93f..99456a211 100755
--- a/test/fs/private-home.exp
+++ b/test/fs/private-home.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -26,7 +26,7 @@ after 100
 send -- "firejail --private-home=_firejail_test_file1,_firejail_test_file2,_firejail_test_dir1\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 after 100
 
@@ -86,7 +86,7 @@ after 100
 send -- "firejail --private-home=_firejail_test_link2\r"
 expect {
         timeout {puts "TESTING ERROR 10\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 after 100
 send -- "file ~/_firejail_test_link2\r"
@@ -95,8 +95,19 @@ expect {
         "broken symbolic link"
 }
 send -- "exit\r"
+sleep 1
 
-send -- "rm -f ~/_firejail_test*\r"
+send -- "echo cleanup\r"
+after 100
+send -- "rm -f ~/_firejail_test_file1\r"
+after 100
+send -- "rm -f ~/_firejail_test_file2\r"
+after 100
+send -- "rm -fr ~/_firejail_test_dir1\r"
+after 100
+send -- "rm -f ~/_firejail_test_link1\r"
+after 100
+send -- "rm -f ~/_firejail_test_link2\r"
 after 100
 
 puts "\nall done\n"
diff --git a/test/fs/private-homedir.exp b/test/fs/private-homedir.exp
index 78fb705ec..0b4348514 100755
--- a/test/fs/private-homedir.exp
+++ b/test/fs/private-homedir.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -10,7 +10,7 @@ match_max 100000
 send -- "firejail --private=~\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 after 100
 
diff --git a/test/fs/private-lib.exp b/test/fs/private-lib.exp
index f32affabb..5290def35 100755
--- a/test/fs/private-lib.exp
+++ b/test/fs/private-lib.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 
@@ -11,7 +11,7 @@ match_max 100000
 send -- "firejail --private-lib --private-bin=sh,bash,dash,ps,grep,ls,find,echo,stty \r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 after 100
 send -- "stty -echo\r"
diff --git a/test/fs/private-whitelist.exp b/test/fs/private-whitelist.exp
index 1879a3d54..48add880c 100755
--- a/test/fs/private-whitelist.exp
+++ b/test/fs/private-whitelist.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -10,7 +10,7 @@ match_max 100000
 send -- "firejail --private --whitelist=/tmp/.X11-unix\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 after 100
 
diff --git a/test/fs/private.exp b/test/fs/private.exp
index d4f7fc893..ff8e0c66e 100755
--- a/test/fs/private.exp
+++ b/test/fs/private.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -26,7 +26,7 @@ after 100
 send -- "firejail --private\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
diff --git a/test/fs/read-write.exp b/test/fs/read-write.exp
index ad51c2db1..f0ef0842c 100755
--- a/test/fs/read-write.exp
+++ b/test/fs/read-write.exp
@@ -1,17 +1,25 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
+send -- "mkdir ~/_firejail_test_dir\r"
+after 100
+send -- "touch ~/_firejail_test_dir/a\r"
+after 100
+send -- "mkdir ~/_firejail_test_dir/test1\r"
+after 100
+send -- "touch ~/_firejail_test_dir/test1/b\r"
+after 100
 
 send -- "firejail --read-only=~/_firejail_test_dir --read-write=~/_firejail_test_dir/test1\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
@@ -32,4 +40,9 @@ expect {
 }
 
 after 100
+send -- "exit\r"
+sleep 1
+
+send -- "rm -fr ~/_firejail_test_dir\r"
+after 100
 puts "\nall done\n"
diff --git a/test/fs/sys_fs.exp b/test/fs/sys_fs.exp
index de7fadf6c..ce1fb04de 100755
--- a/test/fs/sys_fs.exp
+++ b/test/fs/sys_fs.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -10,7 +10,7 @@ match_max 100000
 send -- "firejail\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
@@ -27,7 +27,7 @@ sleep 1
 send -- "firejail --noblacklist=/sys/fs\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
diff --git a/test/fs/tab.exp b/test/fs/tab.exp
new file mode 100755
index 000000000..cc9e11ed5
--- /dev/null
+++ b/test/fs/tab.exp
@@ -0,0 +1,46 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2022 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+
+send -- "firejail --private ls -al\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        ".inputrc"
+}
+sleep 1
+
+send -- "firejail --private --tab ls -al\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        ".inputrc" {puts "TESTING ERROR 4\n";exit}
+        "Parent is shutting down"
+}
+sleep 1
+
+send -- "firejail --private --profile=tab.profile ls -al\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        ".inputrc" {puts "TESTING ERROR 7\n";exit}
+        "Parent is shutting down"
+}
+sleep 1
+
+puts "\nall done\n"
diff --git a/test/fs/tab.profile b/test/fs/tab.profile
new file mode 100644
index 000000000..8cc35a3d5
--- /dev/null
+++ b/test/fs/tab.profile
@@ -0,0 +1 @@
+tab
diff --git a/test/fs/testdir1/.directory/file b/test/fs/testdir1/.directory/file
deleted file mode 100644
index e69de29bb..000000000
--- a/test/fs/testdir1/.directory/file
+++ /dev/null
diff --git a/test/fs/testdir1/.file b/test/fs/testdir1/.file
deleted file mode 100644
index e69de29bb..000000000
--- a/test/fs/testdir1/.file
+++ /dev/null
diff --git a/test/fs/testfile1 b/test/fs/testfile1
deleted file mode 100644
index e69de29bb..000000000
--- a/test/fs/testfile1
+++ /dev/null
diff --git a/test/fs/whitelist-dev.exp b/test/fs/whitelist-dev.exp
index ad5c54a9c..7459462f8 100755
--- a/test/fs/whitelist-dev.exp
+++ b/test/fs/whitelist-dev.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -10,7 +10,7 @@ match_max 100000
 send -- "firejail --whitelist=/dev/null --debug\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
@@ -26,7 +26,7 @@ sleep 1
 send -- "firejail --whitelist=/dev/null --whitelist=/dev/random\r"
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
@@ -42,7 +42,7 @@ sleep 1
 send -- "firejail --private-dev --debug\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
@@ -61,6 +61,9 @@ expect {
         "19" {puts "OK\n"}
         "20" {puts "OK\n"}
         "21" {puts "OK\n"}
+        "22" {puts "OK\n"}
+        "23" {puts "OK\n"}
+        "24" {puts "OK\n"}
 }
 after 100
 
@@ -94,7 +97,7 @@ if { $have_snd > 0 } {
         send -- "firejail --private-dev --nosound ls /dev\r"
         expect {
                 timeout {puts "TESTING ERROR 7\n";exit}
-                "Child process initialized"
+                -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
         }
         expect {
                 timeout {puts "TESTING ERROR 8\n";exit}
@@ -111,7 +114,7 @@ if { $have_dvd > 0 } {
         send -- "firejail --private-dev --nodvd ls /dev\r"
         expect {
                 timeout {puts "TESTING ERROR 10\n";exit}
-                "Child process initialized"
+                -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
         }
         expect {
                 timeout {puts "TESTING ERROR 11\n";exit}
@@ -132,7 +135,7 @@ if { $have_dri > 0 } {
         send -- "firejail --private-dev --no3d ls /dev\r"
         expect {
                 timeout {puts "TESTING ERROR 17\n";exit}
-                "Child process initialized"
+                -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
         }
         expect {
                 timeout {puts "TESTING ERROR 18\n";exit}
diff --git a/test/fs/whitelist-double.exp b/test/fs/whitelist-double.exp
index 5ce9d8ad7..b3b48f2cd 100755
--- a/test/fs/whitelist-double.exp
+++ b/test/fs/whitelist-double.exp
@@ -1,23 +1,23 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "echo 123 > /tmp/firejal-deleteme\r"
+send -- "echo 123 > /tmp/_firejail_test_file\r"
 sleep 1
 
-send -- "firejail --whitelist=/tmp/firejal-deleteme --whitelist=/tmp/firejal-deleteme\r"
+send -- "firejail --whitelist=/tmp/_firejail_test_file --whitelist=/tmp/_firejail_test_file\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
-send -- "cat /tmp/firejal-deleteme\r"
+send -- "cat /tmp/_firejail_test_file\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
         "123"
@@ -26,13 +26,13 @@ expect {
 send -- "exit\r"
 sleep 1
 
-send -- "cat /tmp/firejal-deleteme\r"
+send -- "cat /tmp/_firejail_test_file\r"
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
         "123"
 }
 
-send -- "rm -v /tmp/firejal-deleteme\r"
+send -- "rm -v /tmp/_firejail_test_file\r"
 expect {
         timeout {puts "TESTING ERROR 3\n";exit}
         "removed"
diff --git a/test/fs/whitelist-empty.exp b/test/fs/whitelist-empty.exp
index dbc04cf30..18d4561d6 100755
--- a/test/fs/whitelist-empty.exp
+++ b/test/fs/whitelist-empty.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 30
@@ -10,7 +10,7 @@ match_max 100000
 send -- "firejail --whitelist=~/blablabla --whitelist=/tmp/blablabla --whitelist=/media/blablabla --whitelist=/var/blablabla --whitelist=/dev/blablabla --whitelist=/opt/blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
diff --git a/test/fs/whitelist-noexec.exp b/test/fs/whitelist-noexec.exp
index e1c39b66f..ba3ca4d92 100755
--- a/test/fs/whitelist-noexec.exp
+++ b/test/fs/whitelist-noexec.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -12,7 +12,7 @@ set PWD $env(PWD)
 send -- "firejail --noprofile --whitelist=$PWD --noexec=$PWD\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
diff --git a/test/fs/whitelist-readonly.exp b/test/fs/whitelist-readonly.exp
index e5c9cc400..676131ade 100755
--- a/test/fs/whitelist-readonly.exp
+++ b/test/fs/whitelist-readonly.exp
@@ -1,17 +1,25 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
+send -- "mkdir ~/_firejail_test_dir\r"
+after 100
+send -- "touch ~/_firejail_test_dir/a\r"
+after 100
+send -- "mkdir ~/_firejail_test_dir/test1\r"
+after 100
+send -- "touch ~/_firejail_test_dir/test1/b\r"
+after 100
 
 send -- "firejail --noprofile --whitelist=~/_firejail_test_dir --read-only=~\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
@@ -25,4 +33,6 @@ after 100
 send -- "exit\r"
 sleep 1
 
+send -- "rm -fr ~/_firejail_test_dir\r"
+after 100
 puts "\nall done\n"
diff --git a/test/fs/whitelist-whitespace.exp b/test/fs/whitelist-whitespace.exp
index 1b1c4c1cb..885b90f2a 100755
--- a/test/fs/whitelist-whitespace.exp
+++ b/test/fs/whitelist-whitespace.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -13,7 +13,7 @@ after 100
 send -- "firejail --noprofile --whitelist=~/filewith\\\ \\\ many\\\ whitespaces\\\ \r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
diff --git a/test/fs/whitelist.exp b/test/fs/whitelist.exp
index 27ee2433e..8e98b9dfa 100755
--- a/test/fs/whitelist.exp
+++ b/test/fs/whitelist.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -16,10 +16,7 @@ send -- "rm ~/fjtest-file\r"
 after 200
 send -- "rm ~/fjtest-file-lnk\r"
 after 200
-send -- "rm /tmp/fjtest-file\r"
-after 200
-send -- "rm -fr /tmp/fjtest-dir\r"
-after 200
+
 
 
 # simple files and directories
@@ -39,7 +36,7 @@ after 200
 send -- "firejail --whitelist=~/fjtest-file --whitelist=~/fjtest-dir --debug\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
@@ -76,7 +73,7 @@ sleep 1
 send -- "firejail --whitelist=~/fjtest-dir/fjtest-dir/fjtest-file\r"
 expect {
         timeout {puts "TESTING ERROR 10\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
@@ -101,7 +98,7 @@ sleep 1
 send -- "firejail --whitelist=~/fjtest-file-lnk --whitelist=~/fjtest-dir-lnk\r"
 expect {
         timeout {puts "TESTING ERROR 20\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
@@ -149,63 +146,7 @@ expect {
 send -- "exit\r"
 sleep 1
 
-# symlinks outside home to a file we don't own
-send -- "rm ~/fjtest-file-lnk\r"
-after 200
-send -- "ln -s /etc/passwd ~/fjtest-file-lnk\r"
-after 200
-send -- "firejail --whitelist=~/fjtest-file-lnk --whitelist=~/fjtest-dir-lnk\r"
-expect {
-        timeout {puts "TESTING ERROR 30\n";exit}
-        "invalid whitelist path"
-}
-expect {
-        timeout {puts "TESTING ERROR 31\n";exit}
-        "cannot sync with peer"
-}
-sleep 1
 
-# symlinks outside home to a file we own
-send -- "rm -fr ~/fjtest-dir-lnk\r"
-after 200
-send -- "rm ~/fjtest-file-lnk\r"
-after 200
-send -- "echo 123 > /tmp/fjtest-file\r"
-after 200
-send -- "mkdir /tmp/fjtest-dir\r"
-after 200
-send -- "echo 123 > /tmp/fjtest-dir/fjtest-file\r"
-after 200
-send -- "ln -s /tmp/fjtest-file ~/fjtest-file-lnk\r"
-after 200
-send -- "ln -s /tmp/fjtest-dir ~/fjtest-dir-lnk\r"
-after 200
-send -- "firejail --whitelist=~/fjtest-file-lnk --whitelist=~/fjtest-dir-lnk\r"
-expect {
-        timeout {puts "TESTING ERROR 40\n";exit}
-        "Child process initialized"
-}
-sleep 1
-
-send -- "ls -l ~/ | grep -v total | wc -l\r"
-expect {
-        timeout {puts "TESTING ERROR 41\n";exit}
-        "2"
-}
-
-send -- "cat ~/fjtest-file-lnk\r"
-expect {
-        timeout {puts "TESTING ERROR 42\n";exit}
-        "123"
-}
-
-send -- "cat ~/fjtest-dir-lnk/fjtest-file\r"
-expect {
-        timeout {puts "TESTING ERROR 43\n";exit}
-        "123"
-}
-send -- "exit\r"
-sleep 1
 
 # cleanup
 send -- "rm -fr ~/fjtest-dir\r"
@@ -216,10 +157,5 @@ send -- "rm ~/fjtest-file\r"
 after 200
 send -- "rm ~/fjtest-file-lnk\r"
 after 200
-send -- "rm /tmp/fjtest-file\r"
-after 200
-send -- "rm -fr /tmp/fjtest-dir\r"
-after 200
-
 
 puts "\nall done\n"
diff --git a/test/network/4bridges_arp.exp b/test/network/4bridges_arp.exp
index d608128f8..b7138851a 100755
--- a/test/network/4bridges_arp.exp
+++ b/test/network/4bridges_arp.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -27,7 +27,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 0.4\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 send -- "exit\r"
@@ -53,7 +53,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 1.4\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 send -- "exit\r"
@@ -80,7 +80,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 2.4\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 send -- "exit\r"
@@ -108,7 +108,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 send -- "exit\r"
@@ -137,7 +137,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 9\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
diff --git a/test/network/4bridges_ip.exp b/test/network/4bridges_ip.exp
index 586dfcba9..60e9d3bab 100755
--- a/test/network/4bridges_ip.exp
+++ b/test/network/4bridges_ip.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -27,7 +27,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 0.4\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 send -- "exit\r"
@@ -53,7 +53,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 1.4\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 send -- "exit\r"
@@ -80,7 +80,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 2.4\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 send -- "exit\r"
@@ -108,7 +108,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 send -- "exit\r"
@@ -137,7 +137,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 9\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 
 # check default gateway
diff --git a/test/network/bandwidth.exp b/test/network/bandwidth.exp
index d73669ebe..1a27bc0bf 100755
--- a/test/network/bandwidth.exp
+++ b/test/network/bandwidth.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -10,7 +10,7 @@ match_max 100000
 send -- "firejail --name=test --net=br0\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
diff --git a/test/network/configure b/test/network/configure
index f75e9b23f..2b7b257bc 100755
--- a/test/network/configure
+++ b/test/network/configure
@@ -1,6 +1,6 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 brctl addbr br0
diff --git a/test/network/dns-print.exp b/test/network/dns-print.exp
index 5ee4c0d19..fd19b79ed 100755
--- a/test/network/dns-print.exp
+++ b/test/network/dns-print.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -10,7 +10,7 @@ match_max 100000
 send --  "firejail --name=test-dns --net=eth0 --dns=1.2.3.4 --dns=2.3.4.5 --dns=3.4.5.6\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
diff --git a/test/network/firemon-arp.exp b/test/network/firemon-arp.exp
index 8e0a0b1b0..0e98b9f36 100755
--- a/test/network/firemon-arp.exp
+++ b/test/network/firemon-arp.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -17,7 +17,7 @@ match_max 100000
 send --  "firejail --name=test1\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
@@ -25,7 +25,7 @@ spawn $env(SHELL)
 send --  "firejail --name=test2\r"
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
diff --git a/test/network/firemon-interfaces.exp b/test/network/firemon-interfaces.exp
index 494496a26..8eb9f4d87 100755
--- a/test/network/firemon-interfaces.exp
+++ b/test/network/firemon-interfaces.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -10,7 +10,7 @@ match_max 100000
 send -- "firejail --net=eth0 --name=test1\r"
 expect {
         timeout {puts "TESTING ERROR 9\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
@@ -18,7 +18,7 @@ spawn $env(SHELL)
 send -- "firejail --net=eth0 --name=test2\r"
 expect {
         timeout {puts "TESTING ERROR 9\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
diff --git a/test/network/firemon-route.exp b/test/network/firemon-route.exp
index a1ded08c1..4eea5c14c 100755
--- a/test/network/firemon-route.exp
+++ b/test/network/firemon-route.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -10,7 +10,7 @@ match_max 100000
 send --  "firejail --name=test1\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
@@ -18,7 +18,7 @@ spawn $env(SHELL)
 send --  "firejail --name=test2\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
diff --git a/test/network/hostname.exp b/test/network/hostname.exp
index 825f1f6cf..12266a170 100755
--- a/test/network/hostname.exp
+++ b/test/network/hostname.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -10,7 +10,7 @@ match_max 100000
 send --  "firejail --hostname=bingo --noprofile\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 send -- "stty -echo\r"
diff --git a/test/network/interface.exp b/test/network/interface.exp
index 78178e233..7c3e39fea 100755
--- a/test/network/interface.exp
+++ b/test/network/interface.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 #
 # interface
@@ -20,7 +20,7 @@ set chroot [lindex $argv 1]
 send -- "firejail --noprofile --interface=eth0.5 --interface=eth0.6\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
diff --git a/test/network/ip6.exp b/test/network/ip6.exp
index ed29964c6..665081db7 100755
--- a/test/network/ip6.exp
+++ b/test/network/ip6.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -23,7 +23,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 3\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
@@ -64,7 +64,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 13\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
@@ -90,7 +90,7 @@ send -- "firejail --debug --netfilter6=ipv6.net\r"
 expect {
         timeout {puts "TESTING ERROR 11\n";exit}
         "Installing IPv6 firewall" {puts "TESTING ERROR 12\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 after 100
 send -- "exit\r"
diff --git a/test/network/iprange.exp b/test/network/iprange.exp
index 2690a128a..d45ecaa40 100755
--- a/test/network/iprange.exp
+++ b/test/network/iprange.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -27,7 +27,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 3\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 after 100
 send -- "exit\r"
@@ -53,7 +53,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 8\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 after 100
 send -- "exit\r"
diff --git a/test/network/net_arp.exp b/test/network/net_arp.exp
index 84912cddd..dee4ac1c1 100755
--- a/test/network/net_arp.exp
+++ b/test/network/net_arp.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -10,27 +10,27 @@ match_max 100000
 send -- "firejail --net=br0 sleep 20 &\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 send -- "firejail --net=br0 sleep 20 &\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 send -- "firejail --net=br0 sleep 20 &\r"
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 send -- "firejail --net=br0 sleep 20 &\r"
 expect {
         timeout {puts "TESTING ERROR 3\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 send -- "firejail --net=br0 sleep 20 &\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 
 # will fail
diff --git a/test/network/net_badip.exp b/test/network/net_badip.exp
index b09f4d192..b3fde5dc1 100755
--- a/test/network/net_badip.exp
+++ b/test/network/net_badip.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/network/net_defaultgw.exp b/test/network/net_defaultgw.exp
index 19dd94dbd..6a5a0b64e 100755
--- a/test/network/net_defaultgw.exp
+++ b/test/network/net_defaultgw.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -27,7 +27,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
diff --git a/test/network/net_defaultgw2.exp b/test/network/net_defaultgw2.exp
index 4f5864822..5d18571b6 100755
--- a/test/network/net_defaultgw2.exp
+++ b/test/network/net_defaultgw2.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -15,7 +15,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
diff --git a/test/network/net_defaultgw3.exp b/test/network/net_defaultgw3.exp
index dc3589c3c..708c37a47 100755
--- a/test/network/net_defaultgw3.exp
+++ b/test/network/net_defaultgw3.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/network/net_ip.exp b/test/network/net_ip.exp
index 098eed758..bdac67155 100755
--- a/test/network/net_ip.exp
+++ b/test/network/net_ip.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -27,7 +27,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 send -- "exit\r"
@@ -53,7 +53,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 9\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
diff --git a/test/network/net_local.exp b/test/network/net_local.exp
index d5d4170e8..6d02de089 100755
--- a/test/network/net_local.exp
+++ b/test/network/net_local.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -15,7 +15,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 send -- "exit\r"
@@ -25,7 +25,7 @@ sleep 1
 send -- "firejail --noprofile\r"
 expect {
         timeout {puts "TESTING ERROR 9\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
diff --git a/test/network/net_mac.exp b/test/network/net_mac.exp
index e067f604f..3bd871a06 100755
--- a/test/network/net_mac.exp
+++ b/test/network/net_mac.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -31,7 +31,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 send -- "exit\r"
 after 100
diff --git a/test/network/net_macvlan2.exp b/test/network/net_macvlan2.exp
index 1f67f059e..abc6641bf 100755
--- a/test/network/net_macvlan2.exp
+++ b/test/network/net_macvlan2.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -30,7 +30,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 0.6\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 after 100
 send -- "exit\r"
diff --git a/test/network/net_mtu.exp b/test/network/net_mtu.exp
index 439e05334..81c89e147 100755
--- a/test/network/net_mtu.exp
+++ b/test/network/net_mtu.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -11,7 +11,7 @@ match_max 100000
 send -- "firejail --net=br0 --mtu=1000 --noprofile\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
diff --git a/test/network/net_netfilter.exp b/test/network/net_netfilter.exp
index 8a949c22b..eef4a145f 100755
--- a/test/network/net_netfilter.exp
+++ b/test/network/net_netfilter.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -27,7 +27,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 send -- "exit\r"
@@ -41,7 +41,7 @@ expect {
         "Chain INPUT (policy DROP" {puts "TESTING ERROR 5.1\n";exit}
         "ACCEPT     all  --  any    any     anywhere" {puts "TESTING ERROR 5.1\n";exit}
         "ACCEPT     icmp --  any    any     anywhere" {puts "TESTING ERROR 5.1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 send -- "exit\r"
@@ -55,7 +55,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 6.1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 send -- "ping -c 1 -w 3 10.10.20.1\r"
@@ -75,7 +75,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 7.1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 send -- "ping -c 1 -w 3 10.10.20.1\r"
diff --git a/test/network/net_noip.exp b/test/network/net_noip.exp
index 53b719f6c..11d12c3d3 100755
--- a/test/network/net_noip.exp
+++ b/test/network/net_noip.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -12,7 +12,7 @@ send -- "firejail --noprofile --net=br0 --ip=none\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
         "eth0" {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 send -- "bash\r"
diff --git a/test/network/net_noip2.exp b/test/network/net_noip2.exp
index aa74d6ba8..09607d4b5 100755
--- a/test/network/net_noip2.exp
+++ b/test/network/net_noip2.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -12,7 +12,7 @@ send -- "firejail --noprofile --net=br1 --ip=none --defaultgw=10.10.30.78\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
         "eth0" {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 send -- "bash\r"
diff --git a/test/network/net_none.exp b/test/network/net_none.exp
index c8787c342..32d7532ce 100755
--- a/test/network/net_none.exp
+++ b/test/network/net_none.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -12,7 +12,7 @@ send -- "firejail --net=none\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
         "eth0" {puts "TESTING ERROR 0.1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
@@ -47,7 +47,7 @@ send -- "firejail --profile=net_none.profile\r"
 expect {
         timeout {puts "TESTING ERROR 3\n";exit}
         "eth0" {puts "TESTING ERROR 3.1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
diff --git a/test/network/net_profile.exp b/test/network/net_profile.exp
index e7c6530df..3d6f8fdbb 100755
--- a/test/network/net_profile.exp
+++ b/test/network/net_profile.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -31,7 +31,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 0.4\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
diff --git a/test/network/net_scan.exp b/test/network/net_scan.exp
index b9260925a..42dd74df0 100755
--- a/test/network/net_scan.exp
+++ b/test/network/net_scan.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -23,7 +23,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 3\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
@@ -43,7 +43,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 7\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
@@ -63,7 +63,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 11\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
diff --git a/test/network/net_unconfigured.exp b/test/network/net_unconfigured.exp
index d2b60d73c..92d7a33eb 100755
--- a/test/network/net_unconfigured.exp
+++ b/test/network/net_unconfigured.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -12,7 +12,7 @@ send -- "firejail --noprofile --net=br-unconfigured --ip=none\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
         "eth0" {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 send -- "bash\r"
@@ -53,7 +53,7 @@ send -- "firejail --noprofile --net=br-unconfigured\r"
 expect {
         timeout {puts "TESTING ERROR 7\n";exit}
         "eth0" {puts "TESTING ERROR 8\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 send -- "bash\r"
@@ -93,7 +93,7 @@ send -- "firejail --noprofile --net=br-unconfigured --defaultgw=10.10.80.1\r"
 expect {
         timeout {puts "TESTING ERROR 14\n";exit}
         "eth0" {puts "TESTING ERROR 15\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 send -- "bash\r"
@@ -133,7 +133,7 @@ send -- "firejail --noprofile --net=br-unconfigured --ip=10.10.80.1 --defaultgw=
 expect {
         timeout {puts "TESTING ERROR 21\n";exit}
         "eth0" {puts "TESTING ERROR 22\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 send -- "bash\r"
@@ -180,7 +180,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 30\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 send -- "bash\r"
diff --git a/test/network/net_veth.exp b/test/network/net_veth.exp
index cd4e64e24..781cc194c 100755
--- a/test/network/net_veth.exp
+++ b/test/network/net_veth.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -42,7 +42,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 9\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 send -- "exit\r"
@@ -119,7 +119,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 27\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 send -- "exit\r"
diff --git a/test/network/netfilter-template.exp b/test/network/netfilter-template.exp
index dadea1430..ba09aaea7 100755
--- a/test/network/netfilter-template.exp
+++ b/test/network/netfilter-template.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -18,7 +18,7 @@ sleep 1
 send -- "firejail --net=br1 --ip=10.10.30.10 --name=test1 --netfilter=/etc/firejail/tcpserver.net,5555 ./tcpserver 5555\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
diff --git a/test/network/netns.exp b/test/network/netns.exp
index 9ef4ed554..034f4736e 100755
--- a/test/network/netns.exp
+++ b/test/network/netns.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -10,7 +10,7 @@ match_max 100000
 send --  "firejail --netns=red --noprofile\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 after 100
 
diff --git a/test/network/netstats.exp b/test/network/netstats.exp
index e15e2f42d..e06e6769d 100755
--- a/test/network/netstats.exp
+++ b/test/network/netstats.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -10,7 +10,7 @@ match_max 100000
 send -- "firejail --net=eth0 --name=test1\r"
 expect {
         timeout {puts "TESTING ERROR 9\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
@@ -18,7 +18,7 @@ spawn $env(SHELL)
 send -- "firejail --net=eth0 --name=test2\r"
 expect {
         timeout {puts "TESTING ERROR 9\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
diff --git a/test/network/network.sh b/test/network/network.sh
index 9f2b9e1cd..1f676ff50 100755
--- a/test/network/network.sh
+++ b/test/network/network.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 export MALLOC_CHECK_=3
diff --git a/test/network/tcpserver.c b/test/network/tcpserver.c
index 72730b674..d2c0a6e5d 100644
--- a/test/network/tcpserver.c
+++ b/test/network/tcpserver.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/test/network/veth-name.exp b/test/network/veth-name.exp
index 1790381e3..1c9f23c54 100755
--- a/test/network/veth-name.exp
+++ b/test/network/veth-name.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -23,7 +23,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 3\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
@@ -55,7 +55,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 9\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
diff --git a/test/overlay/firefox-x11-xorg.exp b/test/overlay/firefox-x11-xorg.exp
index ecb9288b0..691e58437 100755
--- a/test/overlay/firefox-x11-xorg.exp
+++ b/test/overlay/firefox-x11-xorg.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -36,7 +36,7 @@ expect {
 send -- "firejail --overlay --name=blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
diff --git a/test/overlay/firefox-x11.exp b/test/overlay/firefox-x11.exp
index 5b7b1bec3..96c6796bb 100755
--- a/test/overlay/firefox-x11.exp
+++ b/test/overlay/firefox-x11.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -36,7 +36,7 @@ expect {
 send -- "firejail --name=blablabla --overlay\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
diff --git a/test/overlay/firefox.exp b/test/overlay/firefox.exp
index 25c6e5e07..eb7276f99 100755
--- a/test/overlay/firefox.exp
+++ b/test/overlay/firefox.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -14,7 +14,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 10
 
@@ -47,7 +47,7 @@ expect {
 send -- "firejail --name=blablabla --overlay\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
diff --git a/test/overlay/fs-named.exp b/test/overlay/fs-named.exp
index df1dfc244..25762337b 100755
--- a/test/overlay/fs-named.exp
+++ b/test/overlay/fs-named.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -12,7 +12,7 @@ expect {
         timeout {puts "TESTING ERROR 2\n";exit}
         "not available for kernels older than 3.18" {puts "\nTESTING: overlayfs not available\n"; exit}
         "Error: --overlay option is not available on Grsecurity systems" {puts "\nTESTING: overlayfs not available\n"; exit}
-        "Child process initialized" {puts "found\n"}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "found\n"}
 }
 sleep 1
 send -- "stty -echo\r"
@@ -52,7 +52,7 @@ expect {
         timeout {puts "TESTING ERROR 2\n";exit}
         "not available for kernels older than 3.18" {puts "\nTESTING: overlayfs not available\n"; exit}
         "Error: --overlay option is not available on Grsecurity systems" {puts "\nTESTING: overlayfs not available\n"; exit}
-        "Child process initialized" {puts "found\n"}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "found\n"}
 }
 sleep 1
 
diff --git a/test/overlay/fs-tmpfs.exp b/test/overlay/fs-tmpfs.exp
index 5bd2b25fc..442a0fffa 100755
--- a/test/overlay/fs-tmpfs.exp
+++ b/test/overlay/fs-tmpfs.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -21,7 +21,7 @@ expect {
         timeout {puts "TESTING ERROR 1\n";exit}
         "not available for kernels older than 3.18" {puts "\nTESTING: overlayfs not available\n"; exit}
         "Error: --overlay option is not available on Grsecurity systems" {puts "\nTESTING: overlayfs not available\n"; exit}
-        "Child process initialized" {puts "found\n"}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "found\n"}
 }
 sleep 1
 send -- "stty -echo\r"
diff --git a/test/overlay/fs.exp b/test/overlay/fs.exp
index 3314e849d..21de942ec 100755
--- a/test/overlay/fs.exp
+++ b/test/overlay/fs.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -12,7 +12,7 @@ expect {
         timeout {puts "TESTING ERROR 2\n";exit}
         "not available for kernels older than 3.18" {puts "\nTESTING: overlayfs not available\n"; exit}
         "Error: --overlay option is not available on Grsecurity systems" {puts "\nTESTING: overlayfs not available\n"; exit}
-        "Child process initialized" {puts "found\n"}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "found\n"}
 }
 sleep 1
 
diff --git a/test/overlay/overlay.sh b/test/overlay/overlay.sh
index f1daba935..490b180e1 100755
--- a/test/overlay/overlay.sh
+++ b/test/overlay/overlay.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 export MALLOC_CHECK_=3
diff --git a/test/private-lib/atril.exp b/test/private-lib/atril.exp
index 679799f02..cad118c0a 100755
--- a/test/private-lib/atril.exp
+++ b/test/private-lib/atril.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -14,7 +14,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 3
 
@@ -41,7 +41,7 @@ expect {
 send -- "firejail --name=blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
diff --git a/test/private-lib/dig.exp b/test/private-lib/dig.exp
index 39f3f6d49..fd40cd48c 100755
--- a/test/private-lib/dig.exp
+++ b/test/private-lib/dig.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/private-lib/eog.exp b/test/private-lib/eog.exp
index ac6ecfff7..c4bfc0aa7 100755
--- a/test/private-lib/eog.exp
+++ b/test/private-lib/eog.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -14,7 +14,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 3
 
@@ -41,7 +41,7 @@ expect {
 send -- "firejail --name=blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
diff --git a/test/private-lib/eom.exp b/test/private-lib/eom.exp
index 47e749712..a7709b0ec 100755
--- a/test/private-lib/eom.exp
+++ b/test/private-lib/eom.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -14,7 +14,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 3
 
@@ -41,7 +41,7 @@ expect {
 send -- "firejail --name=blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
diff --git a/test/private-lib/evince.exp b/test/private-lib/evince.exp
index 1e270a2ef..8f54ee345 100755
--- a/test/private-lib/evince.exp
+++ b/test/private-lib/evince.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -14,7 +14,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 3
 
@@ -41,7 +41,7 @@ expect {
 send -- "firejail --name=blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
diff --git a/test/private-lib/galculator.exp b/test/private-lib/galculator.exp
index 68ff9f834..4cf6b6a73 100755
--- a/test/private-lib/galculator.exp
+++ b/test/private-lib/galculator.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -14,7 +14,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 3
 
@@ -41,7 +41,7 @@ expect {
 send -- "firejail --name=blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
diff --git a/test/private-lib/gedit.exp b/test/private-lib/gedit.exp
index 67be5c215..838ffad21 100755
--- a/test/private-lib/gedit.exp
+++ b/test/private-lib/gedit.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -14,7 +14,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 3
 
@@ -41,7 +41,7 @@ expect {
 send -- "firejail --name=blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
diff --git a/test/private-lib/gnome-calculator.exp b/test/private-lib/gnome-calculator.exp
index 67712bd67..37e6b86cb 100755
--- a/test/private-lib/gnome-calculator.exp
+++ b/test/private-lib/gnome-calculator.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -16,7 +16,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 3
 
@@ -43,7 +43,7 @@ expect {
 send -- "firejail --name=blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
diff --git a/test/private-lib/gnome-logs.exp b/test/private-lib/gnome-logs.exp
index f671effe4..3f0cc3544 100755
--- a/test/private-lib/gnome-logs.exp
+++ b/test/private-lib/gnome-logs.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -14,7 +14,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 3
 
@@ -41,7 +41,7 @@ expect {
 send -- "firejail --name=blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
diff --git a/test/private-lib/gnome-nettool.exp b/test/private-lib/gnome-nettool.exp
index a68084776..3a08fe3df 100755
--- a/test/private-lib/gnome-nettool.exp
+++ b/test/private-lib/gnome-nettool.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -14,7 +14,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 3
 
@@ -41,7 +41,7 @@ expect {
 send -- "firejail --name=blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
diff --git a/test/private-lib/gnome-system-log.exp b/test/private-lib/gnome-system-log.exp
index c3b1f2377..5ab819a89 100755
--- a/test/private-lib/gnome-system-log.exp
+++ b/test/private-lib/gnome-system-log.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -14,7 +14,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 3
 
@@ -41,7 +41,7 @@ expect {
 send -- "firejail --name=blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
diff --git a/test/private-lib/gpicview.exp b/test/private-lib/gpicview.exp
index b438c6de3..ea0964787 100755
--- a/test/private-lib/gpicview.exp
+++ b/test/private-lib/gpicview.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -14,7 +14,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 3
 
@@ -41,7 +41,7 @@ expect {
 send -- "firejail --name=blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
diff --git a/test/private-lib/leafpad.exp b/test/private-lib/leafpad.exp
index fbe8e284c..9e4dc7fed 100755
--- a/test/private-lib/leafpad.exp
+++ b/test/private-lib/leafpad.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -14,7 +14,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 3
 
@@ -41,7 +41,7 @@ expect {
 send -- "firejail --name=blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
diff --git a/test/private-lib/mousepad.exp b/test/private-lib/mousepad.exp
index f47dfe464..9c7501473 100755
--- a/test/private-lib/mousepad.exp
+++ b/test/private-lib/mousepad.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -14,7 +14,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 3
 
@@ -41,7 +41,7 @@ expect {
 send -- "firejail --name=blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
diff --git a/test/private-lib/pavucontrol.exp b/test/private-lib/pavucontrol.exp
index 7b8883ade..3aeda709a 100755
--- a/test/private-lib/pavucontrol.exp
+++ b/test/private-lib/pavucontrol.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -14,7 +14,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 3
 
@@ -41,7 +41,7 @@ expect {
 send -- "firejail --name=blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
diff --git a/test/private-lib/pluma.exp b/test/private-lib/pluma.exp
index 99d4299fb..64cb16d5a 100755
--- a/test/private-lib/pluma.exp
+++ b/test/private-lib/pluma.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -14,7 +14,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 3
 
@@ -41,7 +41,7 @@ expect {
 send -- "firejail --name=blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
diff --git a/test/private-lib/private-lib.sh b/test/private-lib/private-lib.sh
index a70c3fad6..d168c2b1b 100755
--- a/test/private-lib/private-lib.sh
+++ b/test/private-lib/private-lib.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 export MALLOC_CHECK_=3g
diff --git a/test/private-lib/transmission-gtk.exp b/test/private-lib/transmission-gtk.exp
index 3c5402c81..0f297cc42 100755
--- a/test/private-lib/transmission-gtk.exp
+++ b/test/private-lib/transmission-gtk.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -14,7 +14,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 3
 
@@ -41,7 +41,7 @@ expect {
 send -- "firejail --name=blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
diff --git a/test/private-lib/whois.exp b/test/private-lib/whois.exp
index 83dc54c76..29190253c 100755
--- a/test/private-lib/whois.exp
+++ b/test/private-lib/whois.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/private-lib/xcalc.exp b/test/private-lib/xcalc.exp
index 7cd74d3bd..e9c541684 100755
--- a/test/private-lib/xcalc.exp
+++ b/test/private-lib/xcalc.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -14,7 +14,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 3
 
@@ -41,7 +41,7 @@ expect {
 send -- "firejail --name=blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
diff --git a/test/profiles/comment.profile b/test/profiles/comment.profile
new file mode 100644
index 000000000..4a907a408
--- /dev/null
+++ b/test/profiles/comment.profile
@@ -0,0 +1,3 @@
+# this is a comment
+net none # this is another comment
+private # some other comment
diff --git a/test/profiles/conditional.exp b/test/profiles/conditional.exp
index b06b983c1..40bae3878 100755
--- a/test/profiles/conditional.exp
+++ b/test/profiles/conditional.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -14,7 +14,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 after 100
 send -- "exit\r"
@@ -24,7 +24,7 @@ send -- "firejail --debug --profile=cond1.profile\r"
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
         "conditional HAS_NODBUS, private" {puts "TESTING ERROR 3\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 after 100
 send -- "exit\r"
diff --git a/test/profiles/ignore.exp b/test/profiles/ignore.exp
index e7f210a46..df4337e1e 100755
--- a/test/profiles/ignore.exp
+++ b/test/profiles/ignore.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -17,7 +17,7 @@ send -- "firejail --debug --ignore=seccomp\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
         BLACKLIST {puts "TESTING ERROR 2\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 after 100
 send -- "exit\r"
@@ -26,7 +26,7 @@ sleep 1
 send -- "firejail --ignore=seccomp --ignore=shell --profile=ignore.profile \r"
 expect {
         timeout {puts "TESTING ERROR 3\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 after 100
 
@@ -42,7 +42,7 @@ sleep 1
 send -- "firejail --ignore=private --ignore=shell --profile=ignore.profile \r"
 expect {
         timeout {puts "TESTING ERROR 5\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 after 100
 
@@ -59,7 +59,7 @@ send -- "firejail --debug --profile=ignore2.profile\r"
 expect {
         timeout {puts "TESTING ERROR 7\n";exit}
         BLACKLIST {puts "TESTING ERROR 8\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 
 after 100
@@ -69,7 +69,7 @@ sleep 1
 send -- "firejail --ignore=quiet --ignore=shell --profile=ignore.profile \r"
 expect {
         timeout {puts "TESTING ERROR 9\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 after 100
 
diff --git a/test/profiles/profile_appname.exp b/test/profiles/profile_appname.exp
index 240a44697..fce278b4c 100755
--- a/test/profiles/profile_appname.exp
+++ b/test/profiles/profile_appname.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/profiles/profile_comment.exp b/test/profiles/profile_comment.exp
new file mode 100755
index 000000000..73e92d864
--- /dev/null
+++ b/test/profiles/profile_comment.exp
@@ -0,0 +1,52 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2022 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "rm -fr /tmp/firejailtest*\r"
+send -- "rm -fr /tmp/firejail-strace*\r"
+send -- "rm -fr /tmp/firejail-trace*\r"
+sleep 1
+
+send -- "firejail --profile=comment.profile /usr/bin/true\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Parent is shutting down"
+}
+sleep 2
+
+send -- "firejail --build=/tmp/firejailtest.profile /usr/bin/true\r"
+sleep 1
+
+send -- "cat /tmp/firejailtest.profile\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "seccomp"
+}
+after 100
+
+send -- "firejail --profile=/tmp/firejailtest.profile /usr/bin/true\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Parent is shutting down"
+}
+after 100
+
+send -- "rm -fr /tmp/firejailtest*\r"
+send -- "rm -fr /tmp/firejail-strace*\r"
+send -- "rm -fr /tmp/firejail-trace*\r"
+after 100
+
+puts "\nall done\n"
diff --git a/test/profiles/profile_followlnk.exp b/test/profiles/profile_followlnk.exp
index 0500eac35..112acbbc9 100755
--- a/test/profiles/profile_followlnk.exp
+++ b/test/profiles/profile_followlnk.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -16,7 +16,7 @@ sleep 1
 send -- "firejail --profile=readonly-lnk.profile\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 
 send -- "ls > /tmp/firejailtestdirlnk/ttt\r"
diff --git a/test/profiles/profile_noperm.exp b/test/profiles/profile_noperm.exp
index 609364389..c6a571473 100755
--- a/test/profiles/profile_noperm.exp
+++ b/test/profiles/profile_noperm.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/profiles/profile_readonly.exp b/test/profiles/profile_readonly.exp
index 2046cc297..4c1bcba89 100755
--- a/test/profiles/profile_readonly.exp
+++ b/test/profiles/profile_readonly.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -14,7 +14,7 @@ sleep 1
 send -- "firejail --profile=readonly.profile\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
diff --git a/test/profiles/profile_recursivity.exp b/test/profiles/profile_recursivity.exp
index c761a1039..a3d4843ab 100755
--- a/test/profiles/profile_recursivity.exp
+++ b/test/profiles/profile_recursivity.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/profiles/profile_syntax.exp b/test/profiles/profile_syntax.exp
index 258089a39..2bce76d83 100755
--- a/test/profiles/profile_syntax.exp
+++ b/test/profiles/profile_syntax.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -10,7 +10,7 @@ match_max 100000
 send -- "firejail --profile=test.profile\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 
 sleep 2
@@ -22,7 +22,7 @@ expect {
 }
 
 sleep 1
-send -- "ls -l /etc/shadow\r"
+send -- "ls -l /dev/console\r"
 expect {
         timeout {puts "TESTING ERROR 3\n";exit}
         "root root"
diff --git a/test/profiles/profile_syntax2.exp b/test/profiles/profile_syntax2.exp
index e2ec20ca5..2ddaded88 100755
--- a/test/profiles/profile_syntax2.exp
+++ b/test/profiles/profile_syntax2.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/profiles/profiles.sh b/test/profiles/profiles.sh
index a5f74f2e2..ce2fa32c4 100755
--- a/test/profiles/profiles.sh
+++ b/test/profiles/profiles.sh
@@ -1,12 +1,15 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 export MALLOC_CHECK_=3
 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
 export LC_ALL=C
 
+echo "TESTING: profile comments (test/profiles/profilecomment.exp)"
+./profile_comment.exp
+
 echo "TESTING: profile conditional (test/profiles/conditional.exp)"
 ./conditional.exp
 
diff --git a/test/profiles/test-profile.exp b/test/profiles/test-profile.exp
index 625cb6511..5f18695a7 100755
--- a/test/profiles/test-profile.exp
+++ b/test/profiles/test-profile.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/profiles/test.profile b/test/profiles/test.profile
index 26d6de849..27cb99606 100644
--- a/test/profiles/test.profile
+++ b/test/profiles/test.profile
@@ -1,5 +1,5 @@
 blacklist /sbin/iptables
-blacklist /etc/shadow
+blacklist /dev/console
 blacklist /bin/rmdir
 blacklist ${PATH}/umount
 blacklist ${PATH}/mount
diff --git a/test/root/apache2.exp b/test/root/apache2.exp
index 0b4b65dc7..a6b25de2f 100755
--- a/test/root/apache2.exp
+++ b/test/root/apache2.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 5
@@ -10,7 +10,7 @@ match_max 100000
 send -- "firejail --name=apache /etc/init.d/apache2 start\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
diff --git a/test/root/cgroup.exp b/test/root/cgroup.exp
index d24a39d07..9a1bbe161 100755
--- a/test/root/cgroup.exp
+++ b/test/root/cgroup.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -20,7 +20,7 @@ expect {
 send --  "firejail --name=\"join testing\" --cgroup=/sys/fs/cgroup/systemd/firejail/tasks\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
@@ -37,14 +37,18 @@ expect {
         timeout {puts "TESTING ERROR 3\n";exit}
         "Switching to pid"
 }
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
 sleep 1
 send -- "ps aux\r"
 expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
+        timeout {puts "TESTING ERROR 5\n";exit}
         "/bin/bash"
 }
 expect {
-        timeout {puts "TESTING ERROR 5\n";exit}
+        timeout {puts "TESTING ERROR 6\n";exit}
         "/bin/bash"
 }
 
@@ -53,7 +57,7 @@ after 100
 spawn $env(SHELL)
 send -- "wc -l /sys/fs/cgroup/systemd/firejail/tasks\r"
 expect {
-        timeout {puts "TESTING ERROR 6\n";exit}
+        timeout {puts "TESTING ERROR 7\n";exit}
         "3"
 }
 after 100
diff --git a/test/root/checkcfg.exp b/test/root/checkcfg.exp
index 9a4c666e1..94d9e08fc 100755
--- a/test/root/checkcfg.exp
+++ b/test/root/checkcfg.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/root/firecfg.exp b/test/root/firecfg.exp
index 65ecefe5d..917cea90f 100755
--- a/test/root/firecfg.exp
+++ b/test/root/firecfg.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/root/firemon-events.exp b/test/root/firemon-events.exp
index 7bf51e2c8..8eab93a2a 100755
--- a/test/root/firemon-events.exp
+++ b/test/root/firemon-events.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -18,7 +18,7 @@ set firejail_id $spawn_id
 send -- "firejail\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 
 # get messages on firemon
diff --git a/test/root/isc-dhcp.exp b/test/root/isc-dhcp.exp
index 4c468c3e8..20e5ef408 100755
--- a/test/root/isc-dhcp.exp
+++ b/test/root/isc-dhcp.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 5
@@ -10,7 +10,7 @@ match_max 100000
 send -- "firejail --name=dhcpd /etc/init.d/isc-dhcp-server start\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
diff --git a/test/root/join.exp b/test/root/join.exp
index d995d8aa5..291ee9115 100755
--- a/test/root/join.exp
+++ b/test/root/join.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -11,7 +11,7 @@ match_max 100000
 send --  "firejail --name=jointesting --cpu=0 --nice=2\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
@@ -21,14 +21,18 @@ expect {
         timeout {puts "TESTING ERROR 1\n";exit}
         "Switching to pid"
 }
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
 sleep 1
 send -- "ps aux\r"
 expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
+        timeout {puts "TESTING ERROR 3\n";exit}
         "/bin/bash"
 }
 expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
+        timeout {puts "TESTING ERROR 4\n";exit}
         "/bin/bash"
 }
 
@@ -36,15 +40,15 @@ send -- "exit\r"
 sleep 1
 send --  "firejail --join-network=jointesting\r"
 expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
-        "Child process initialized"
+        timeout {puts "TESTING ERROR 5\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 send -- "exit\r"
 sleep 1
 send --  "firejail --join-filesystem=jointesting\r"
 expect {
-        timeout {puts "TESTING ERROR 5\n";exit}
-        "Child process initialized"
+        timeout {puts "TESTING ERROR 6\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 
 after 100
diff --git a/test/root/login_nobody.exp b/test/root/login_nobody.exp
index 42d8fe013..9c0932196 100755
--- a/test/root/login_nobody.exp
+++ b/test/root/login_nobody.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -11,7 +11,7 @@ match_max 100000
 send --  "su - nobody -s /usr/bin/firejail\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 after 100
 
diff --git a/test/root/nginx.exp b/test/root/nginx.exp
index 924ee8afd..40d8cb51e 100755
--- a/test/root/nginx.exp
+++ b/test/root/nginx.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 5
@@ -10,7 +10,7 @@ match_max 100000
 send -- "firejail --name=nginx /etc/init.d/nginx start\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
diff --git a/test/root/option_bind_directory.exp b/test/root/option_bind_directory.exp
index ac6421593..4fabf0cd8 100755
--- a/test/root/option_bind_directory.exp
+++ b/test/root/option_bind_directory.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -10,7 +10,7 @@ match_max 100000
 send -- "firejail --bind=/tmp/chroot,mntpoint\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
diff --git a/test/root/option_bind_file.exp b/test/root/option_bind_file.exp
index 6ead284a8..6c796a2b0 100755
--- a/test/root/option_bind_file.exp
+++ b/test/root/option_bind_file.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -10,7 +10,7 @@ match_max 100000
 send -- "firejail --bind=tmpfile,/etc/passwd\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
diff --git a/test/root/option_tmpfs.exp b/test/root/option_tmpfs.exp
index 67a678c68..13820afe8 100755
--- a/test/root/option_tmpfs.exp
+++ b/test/root/option_tmpfs.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -10,7 +10,7 @@ match_max 100000
 send -- "firejail --tmpfs=/var\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
diff --git a/test/root/private.exp b/test/root/private.exp
index 373bd6cef..70d0218fa 100755
--- a/test/root/private.exp
+++ b/test/root/private.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -10,7 +10,7 @@ match_max 100000
 send --  "firejail --private\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
@@ -42,7 +42,7 @@ after 100
 send -- "firejail --private-opt=firejail-test-file,firejail-test-dir --debug\r"
 expect {
         timeout {puts "TESTING ERROR 3\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
@@ -57,7 +57,7 @@ sleep 1
 send -- "firejail --whitelist=/opt/firejail-test-file --whitelist=/opt/firejail-test-dir --debug\r"
 expect {
         timeout {puts "TESTING ERROR 3.1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
@@ -80,7 +80,7 @@ after 100
 send -- "firejail --private-srv=firejail-test-file,firejail-test-dir --debug\r"
 expect {
         timeout {puts "TESTING ERROR 5\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
@@ -95,7 +95,7 @@ sleep 1
 send -- "firejail --whitelist=/srv/firejail-test-file --whitelist=/srv/firejail-test-dir --debug\r"
 expect {
         timeout {puts "TESTING ERROR 5.1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
diff --git a/test/root/profile_tmpfs.exp b/test/root/profile_tmpfs.exp
index 8a46d666e..fba63773f 100755
--- a/test/root/profile_tmpfs.exp
+++ b/test/root/profile_tmpfs.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -10,7 +10,7 @@ match_max 100000
 send -- "firejail --profile=tmpfs.profile\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
diff --git a/test/root/root.sh b/test/root/root.sh
index d6b60cb23..78a6619d7 100755
--- a/test/root/root.sh
+++ b/test/root/root.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 # set a new firejail config file
diff --git a/test/root/seccomp-chmod.exp b/test/root/seccomp-chmod.exp
index d6f8b8bcc..ef0453548 100755
--- a/test/root/seccomp-chmod.exp
+++ b/test/root/seccomp-chmod.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -10,7 +10,7 @@ match_max 100000
 send --  "firejail --seccomp=chmod,fchmod,fchmodat --private\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
diff --git a/test/root/seccomp-chown.exp b/test/root/seccomp-chown.exp
index daf3a5d06..968a4bc96 100755
--- a/test/root/seccomp-chown.exp
+++ b/test/root/seccomp-chown.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -10,7 +10,7 @@ match_max 100000
 send --  "firejail --seccomp=chown,fchown,fchownat,lchown --private\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
diff --git a/test/root/seccomp-umount.exp b/test/root/seccomp-umount.exp
index 0a7310fdd..b99ec30f7 100755
--- a/test/root/seccomp-umount.exp
+++ b/test/root/seccomp-umount.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -10,7 +10,7 @@ match_max 100000
 send --  "firejail --seccomp --noprofile\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
diff --git a/test/root/snmpd.exp b/test/root/snmpd.exp
index d1fc49967..510abfbad 100755
--- a/test/root/snmpd.exp
+++ b/test/root/snmpd.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 5
@@ -10,7 +10,7 @@ match_max 100000
 send -- "firejail --name=snmpd /etc/init.d/snmpd start\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
diff --git a/test/root/unbound.exp b/test/root/unbound.exp
index 710a95bf4..6440304b2 100755
--- a/test/root/unbound.exp
+++ b/test/root/unbound.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 5
@@ -10,7 +10,7 @@ match_max 100000
 send -- "firejail --name=unbound unbound\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
diff --git a/test/root/whitelist.exp b/test/root/whitelist.exp
index 429a4153e..2397f6a90 100755
--- a/test/root/whitelist.exp
+++ b/test/root/whitelist.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -16,7 +16,7 @@ after 100
 send -- "firejail --whitelist=/mnt/firejail-test-file --whitelist=/mnt/firejail-test-dir --debug\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
@@ -39,7 +39,7 @@ after 100
 send -- "firejail --whitelist=/opt/firejail-test-file  --whitelist=/opt/firejail-test-dir --debug\r"
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
@@ -61,7 +61,7 @@ after 100
 send -- "firejail --whitelist=/media/firejail-test-file --whitelist=/media/firejail-test-dir --debug\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
@@ -78,7 +78,7 @@ sleep 1
 send -- "firejail --whitelist=/var/run --whitelist=/var/lock --debug\r"
 expect {
         timeout {puts "TESTING ERROR 6\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
@@ -100,7 +100,7 @@ after 100
 send -- "firejail --whitelist=/srv/firejail-test-file --whitelist=/srv/firejail-test-dir --debug\r"
 expect {
         timeout {puts "TESTING ERROR 8\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
diff --git a/test/ssh/login.exp b/test/ssh/login.exp
index 6a5086a77..5d6a6216b 100755
--- a/test/ssh/login.exp
+++ b/test/ssh/login.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -10,7 +10,7 @@ match_max 100000
 send -- "ssh firejail-test@0\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized" {puts "OK\n"}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "OK\n"}
         "an existing sandbox was detected" {puts "OK\n"}
 }
 sleep 1
diff --git a/test/ssh/scp.exp b/test/ssh/scp.exp
index bca6a124f..13163564b 100755
--- a/test/ssh/scp.exp
+++ b/test/ssh/scp.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -10,7 +10,7 @@ match_max 100000
 send -- "ssh firejail-test@0\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized" {puts "OK\n"}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "OK\n"}
         "an existing sandbox was detected" {puts "OK\n"}
 }
 sleep 1
@@ -33,7 +33,7 @@ sleep 1
 send -- "ssh firejail-test@0\r"
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
-        "Child process initialized" {puts "OK\n"}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "OK\n"}
         "an existing sandbox was detected" {puts "OK\n"}
 }
 sleep 1
diff --git a/test/ssh/sftp.exp b/test/ssh/sftp.exp
index 09d3c119e..01c1e7e04 100755
--- a/test/ssh/sftp.exp
+++ b/test/ssh/sftp.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -10,7 +10,7 @@ match_max 100000
 send -- "ssh firejail-test@0\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized" {puts "OK\n"}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "OK\n"}
         "an existing sandbox was detected" {puts "OK\n"}
 }
 sleep 1
@@ -45,7 +45,7 @@ sleep 1
 send -- "ssh firejail-test@0\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "Child process initialized" {puts "OK\n"}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "OK\n"}
         "an existing sandbox was detected" {puts "OK\n"}
 }
 sleep 1
diff --git a/test/ssh/ssh.sh b/test/ssh/ssh.sh
index bdad8cf87..c0d545a55 100755
--- a/test/ssh/ssh.sh
+++ b/test/ssh/ssh.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 export MALLOC_CHECK_=3
diff --git a/test/stress/blacklist.exp b/test/stress/blacklist.exp
index fae874b25..7d32ad114 100755
--- a/test/stress/blacklist.exp
+++ b/test/stress/blacklist.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -14,7 +14,7 @@ set i 1
 send -- "firejail --profile=blacklist.profile\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 
 while { $i <= $MAXi } {
@@ -36,7 +36,7 @@ set i 1
 send -- "firejail --profile=noblacklist.profile\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 
 while { $i <= $MAXi } {
diff --git a/test/stress/env.exp b/test/stress/env.exp
index d69558114..5411819ec 100755
--- a/test/stress/env.exp
+++ b/test/stress/env.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -11,7 +11,7 @@ match_max 100000
 send -- "firejail --profile=env.profile\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 
 send -- "env | grep FJSTRESS77\r"
diff --git a/test/stress/net_macvlan.exp b/test/stress/net_macvlan.exp
index a535afa2a..f17067cbb 100755
--- a/test/stress/net_macvlan.exp
+++ b/test/stress/net_macvlan.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -15,7 +15,7 @@ while { $i <= $MAXi } {
         send -- "firejail --net=eth0 --ip=192.168.1.$i\r"
         expect {
                 timeout {puts "TESTING ERROR 0\n";exit}
-                "Child process initialized"
+                -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
         }
         incr i
         after 100
@@ -30,7 +30,7 @@ while { $i <= $MAXi } {
         send -- "firejail --net=eth0 --iprange=192.168.1.201,192.168.1.220\r"
         expect {
                 timeout {puts "TESTING ERROR 2\n";exit}
-                "Child process initialized"
+                -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
         }
         puts "************ $i ******************\n"
         incr i
diff --git a/test/stress/stress.sh b/test/stress/stress.sh
index d32ffe907..675cb0614 100755
--- a/test/stress/stress.sh
+++ b/test/stress/stress.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 export MALLOC_CHECK_=3
diff --git a/test/sysutils/cpio.exp b/test/sysutils/cpio.exp
index 4230ba375..e4ab77525 100755
--- a/test/sysutils/cpio.exp
+++ b/test/sysutils/cpio.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/sysutils/file.exp b/test/sysutils/file.exp
index b97c0c283..dcc253dad 100755
--- a/test/sysutils/file.exp
+++ b/test/sysutils/file.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/sysutils/gzip.exp b/test/sysutils/gzip.exp
index be2222f06..75b51694c 100755
--- a/test/sysutils/gzip.exp
+++ b/test/sysutils/gzip.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/sysutils/less.exp b/test/sysutils/less.exp
index 265b0e474..e6698eab0 100755
--- a/test/sysutils/less.exp
+++ b/test/sysutils/less.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/sysutils/ping.exp b/test/sysutils/ping.exp
index fac4b2ac3..dd6073234 100755
--- a/test/sysutils/ping.exp
+++ b/test/sysutils/ping.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/sysutils/strings.exp b/test/sysutils/strings.exp
index 7c91fb78a..47b75accc 100755
--- a/test/sysutils/strings.exp
+++ b/test/sysutils/strings.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/sysutils/sysutils.sh b/test/sysutils/sysutils.sh
index 96962d324..a903c7c6b 100755
--- a/test/sysutils/sysutils.sh
+++ b/test/sysutils/sysutils.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 export MALLOC_CHECK_=3
diff --git a/test/sysutils/tar.exp b/test/sysutils/tar.exp
index 60e05f847..ed68179f9 100755
--- a/test/sysutils/tar.exp
+++ b/test/sysutils/tar.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/sysutils/xz.exp b/test/sysutils/xz.exp
index 4c6fcea9d..9ee85cde4 100755
--- a/test/sysutils/xz.exp
+++ b/test/sysutils/xz.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 60
diff --git a/test/sysutils/xzdec.exp b/test/sysutils/xzdec.exp
index 737517d54..1b525e3bd 100755
--- a/test/sysutils/xzdec.exp
+++ b/test/sysutils/xzdec.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/utils/build.exp b/test/utils/build.exp
index cdc2f3b7b..a1f1d10fb 100755
--- a/test/utils/build.exp
+++ b/test/utils/build.exp
@@ -1,19 +1,19 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "echo testing > ~/firejail-test-file-7699\r"
+send -- "echo testing > ~/_firejail-test-file\r"
 after 100
 
-send -- "firejail --build cat ~/firejail-test-file-7699\r"
+send -- "firejail --build cat ~/_firejail-test-file\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "whitelist $\{HOME\}/firejail-test-file-7699"
+        "whitelist $\{HOME\}/_firejail-test-file"
 }
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
@@ -21,35 +21,35 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
-        "blacklist /usr/share"
+        "include whitelist-usr-share-common.inc"
 }
 expect {
         timeout {puts "TESTING ERROR 3\n";exit}
-        "blacklist /var"
+        "include whitelist-var-common.inc"
 }
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "private-bin cat,"
+        "caps.drop all"
 }
 expect {
         timeout {puts "TESTING ERROR 5\n";exit}
-        "private-dev"
+        "ipc-namespace"
 }
 expect {
         timeout {puts "TESTING ERROR 6\n";exit}
-        "private-etc"
+        "netfilter"
 }
 expect {
         timeout {puts "TESTING ERROR 7\n";exit}
-        "private-tmp"
+        "nonewprivs"
 }
 expect {
         timeout {puts "TESTING ERROR 8\n";exit}
-        "caps.drop all"
+        "noroot"
 }
 expect {
         timeout {puts "TESTING ERROR 9\n";exit}
-        "nonewprivs"
+        "net none"
 }
 expect {
         timeout {puts "TESTING ERROR 10\n";exit}
@@ -57,15 +57,28 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 11\n";exit}
-        "net none"
+        "shell none"
+}
+expect {
+        timeout {puts "TESTING ERROR 11\n";exit}
+        "private-bin cat,"
 }
 expect {
         timeout {puts "TESTING ERROR 12\n";exit}
-        "shell none"
+        "private-dev"
+}
+expect {
+        timeout {puts "TESTING ERROR 13\n";exit}
+        "private-etc none"
+}
+expect {
+        timeout {puts "TESTING ERROR 14\n";exit}
+        "private-tmp"
 }
 after 100
 
-
+send -- "rm -f ~/_firejail-test-file\r"
+after 100
 
 send -- "firejail --build cat /etc/passwd\r"
 expect {
diff --git a/test/utils/caps-print.exp b/test/utils/caps-print.exp
index 6b6090476..b6ccd05d4 100755
--- a/test/utils/caps-print.exp
+++ b/test/utils/caps-print.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -10,7 +10,7 @@ match_max 100000
 send -- "firejail --name=test\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
diff --git a/test/utils/catchsignal-master.sh b/test/utils/catchsignal-master.sh
index 28e646ddb..881aac270 100755
--- a/test/utils/catchsignal-master.sh
+++ b/test/utils/catchsignal-master.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 ./catchsignal.sh &
diff --git a/test/utils/catchsignal.sh b/test/utils/catchsignal.sh
index f7a501011..117179143 100755
--- a/test/utils/catchsignal.sh
+++ b/test/utils/catchsignal.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 _term() {
diff --git a/test/utils/catchsignal2.sh b/test/utils/catchsignal2.sh
index 9ba939ef4..1bd7852cd 100755
--- a/test/utils/catchsignal2.sh
+++ b/test/utils/catchsignal2.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 _term() {
diff --git a/test/utils/command.exp b/test/utils/command.exp
index 6cb52a7fa..5e15efc14 100755
--- a/test/utils/command.exp
+++ b/test/utils/command.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/utils/cpu-print.exp b/test/utils/cpu-print.exp
index e7d709cee..3e4d63f2a 100755
--- a/test/utils/cpu-print.exp
+++ b/test/utils/cpu-print.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -10,7 +10,7 @@ match_max 100000
 send -- "firejail --name=test --cpu=0\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 send -- "cat /proc/self/status | grep Cpus\r"
@@ -30,7 +30,7 @@ sleep 1
 send -- "firejail --name=test --cpu=1\r"
 expect {
         timeout {puts "TESTING ERROR 3\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
diff --git a/test/utils/dns-print.exp b/test/utils/dns-print.exp
index b3b732bee..c0cf2ff0f 100755
--- a/test/utils/dns-print.exp
+++ b/test/utils/dns-print.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -10,7 +10,7 @@ match_max 100000
 send -- "firejail --name=test --dns=1.2.3.4 --dns=::2\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
diff --git a/test/utils/firemon-caps.exp b/test/utils/firemon-caps.exp
index 837d08271..02b317341 100755
--- a/test/utils/firemon-caps.exp
+++ b/test/utils/firemon-caps.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -10,7 +10,7 @@ match_max 100000
 send --  "firejail --name=bingo1 --noprofile --caps\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
@@ -18,7 +18,7 @@ spawn $env(SHELL)
 send --  "firejail --name=bingo2 --noprofile\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
@@ -26,7 +26,7 @@ spawn $env(SHELL)
 send --  "firejail --name=bingo3 --noprofile --caps.drop=all\r"
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
@@ -34,7 +34,7 @@ spawn $env(SHELL)
 send --  "firejail --noprofile --name=bingo4 --caps.drop=chown,kill\r"
 expect {
         timeout {puts "TESTING ERROR 3\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
@@ -42,7 +42,7 @@ spawn $env(SHELL)
 send --  "firejail --noprofile --name=bingo5 --caps.keep=chown,kill\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
@@ -50,7 +50,7 @@ spawn $env(SHELL)
 send --  "firejail --name=bingo6 --profile=caps1.profile\r"
 expect {
         timeout {puts "TESTING ERROR 5\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
@@ -58,7 +58,7 @@ spawn $env(SHELL)
 send --  "firejail --name=bingo7 --profile=caps2.profile\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
diff --git a/test/utils/firemon-cgroup.exp b/test/utils/firemon-cgroup.exp
index 3976b0c50..2dbc04a50 100755
--- a/test/utils/firemon-cgroup.exp
+++ b/test/utils/firemon-cgroup.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -10,7 +10,7 @@ match_max 100000
 send --  "firejail --name=test1\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
@@ -18,7 +18,7 @@ spawn $env(SHELL)
 send --  "firejail --name=test2\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
diff --git a/test/utils/firemon-cpu.exp b/test/utils/firemon-cpu.exp
index b410c764e..db5069ede 100755
--- a/test/utils/firemon-cpu.exp
+++ b/test/utils/firemon-cpu.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -10,7 +10,7 @@ match_max 100000
 send --  "firejail --name=test1\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
@@ -18,7 +18,7 @@ spawn $env(SHELL)
 send --  "firejail --name=test2\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
diff --git a/test/utils/firemon-interface.exp b/test/utils/firemon-interface.exp
index 0c358d129..7e4e5f0ae 100755
--- a/test/utils/firemon-interface.exp
+++ b/test/utils/firemon-interface.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/utils/firemon-name.exp b/test/utils/firemon-name.exp
index 57729d662..f8161cc81 100755
--- a/test/utils/firemon-name.exp
+++ b/test/utils/firemon-name.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -10,7 +10,7 @@ match_max 100000
 send --  "firejail --name=test\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
diff --git a/test/utils/firemon-seccomp.exp b/test/utils/firemon-seccomp.exp
index d35027827..7eb6f9168 100755
--- a/test/utils/firemon-seccomp.exp
+++ b/test/utils/firemon-seccomp.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -10,7 +10,7 @@ match_max 100000
 send --  "firejail --noprofile --name=bingo1 --seccomp\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
@@ -18,7 +18,7 @@ spawn $env(SHELL)
 send --  "firejail --noprofile --name=bingo2\r"
 expect {
         timeout {puts "TESTING ERROR 0.1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
diff --git a/test/utils/firemon-version.exp b/test/utils/firemon-version.exp
index 8e4e33ec0..81ab2e8b0 100755
--- a/test/utils/firemon-version.exp
+++ b/test/utils/firemon-version.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/utils/fs-print.exp b/test/utils/fs-print.exp
index 4b6eac391..536d59dbd 100755
--- a/test/utils/fs-print.exp
+++ b/test/utils/fs-print.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -10,7 +10,7 @@ match_max 100000
 send -- "firejail --name=test\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
diff --git a/test/utils/help.exp b/test/utils/help.exp
index 71bb5788c..4c5f46e8a 100755
--- a/test/utils/help.exp
+++ b/test/utils/help.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/utils/join-profile.exp b/test/utils/join-profile.exp
index d6fcc50d7..565010b82 100755
--- a/test/utils/join-profile.exp
+++ b/test/utils/join-profile.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -11,7 +11,7 @@ match_max 100000
 send --  "firejail --profile=name.profile\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
@@ -21,14 +21,18 @@ expect {
         timeout {puts "TESTING ERROR 1\n";exit}
         "Switching to pid"
 }
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
 sleep 1
 send -- "ps aux\r"
 expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
+        timeout {puts "TESTING ERROR 3\n";exit}
         "/bin/bash"
 }
 expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
+        timeout {puts "TESTING ERROR 4\n";exit}
         "/bin/bash"
 }
 
diff --git a/test/utils/join.exp b/test/utils/join.exp
index 25dd31922..82decce51 100755
--- a/test/utils/join.exp
+++ b/test/utils/join.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -11,7 +11,7 @@ match_max 100000
 send --  "firejail --name=jointesting --cpu=0 --nice=2\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
@@ -26,17 +26,21 @@ after 100
 
 send --  "firejail --join=jointesting\r"
 expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
+        timeout {puts "TESTING ERROR 2\n";exit}
         "Switching to pid"
 }
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
 sleep 1
 send -- "ps aux\r"
 expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
+        timeout {puts "TESTING ERROR 4\n";exit}
         "/bin/bash"
 }
 expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
+        timeout {puts "TESTING ERROR 5\n";exit}
         "/bin/bash"
 }
 
@@ -44,13 +48,13 @@ send -- "exit\r"
 sleep 1
 send --  "firejail --join-network=jointesting\r"
 expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
+        timeout {puts "TESTING ERROR 6\n";exit}
         "is only available to root user"
 }
 after 100
 send --  "firejail --join-filesystem=jointesting\r"
 expect {
-        timeout {puts "TESTING ERROR 5\n";exit}
+        timeout {puts "TESTING ERROR 7\n";exit}
         "is only available to root user"
 }
 
diff --git a/test/utils/join2.exp b/test/utils/join2.exp
index dada97158..5f5a6bfe0 100755
--- a/test/utils/join2.exp
+++ b/test/utils/join2.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -11,7 +11,7 @@ match_max 100000
 send --  "firejail --name=\"join testing\"\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
@@ -21,14 +21,18 @@ expect {
         timeout {puts "TESTING ERROR 1\n";exit}
         "Switching to pid"
 }
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
 sleep 1
 send -- "ps aux\r"
 expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
+        timeout {puts "TESTING ERROR 3\n";exit}
         "/bin/bash"
 }
 expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
+        timeout {puts "TESTING ERROR 4\n";exit}
         "/bin/bash"
 }
 
diff --git a/test/utils/join3.exp b/test/utils/join3.exp
index 305000e92..c771b924b 100755
--- a/test/utils/join3.exp
+++ b/test/utils/join3.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -11,7 +11,7 @@ match_max 100000
 send --  "firejail --name=join\\ testing\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
@@ -21,14 +21,18 @@ expect {
         timeout {puts "TESTING ERROR 1\n";exit}
         "Switching to pid"
 }
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
 sleep 1
 send -- "ps aux\r"
 expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
+        timeout {puts "TESTING ERROR 3\n";exit}
         "/bin/bash"
 }
 expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
+        timeout {puts "TESTING ERROR 4\n";exit}
         "/bin/bash"
 }
 
diff --git a/test/utils/join4.exp b/test/utils/join4.exp
index 8c5e91d68..cddf7ad18 100755
--- a/test/utils/join4.exp
+++ b/test/utils/join4.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -11,7 +11,7 @@ match_max 100000
 send --  "firejail --name=123test\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
@@ -21,14 +21,18 @@ expect {
         timeout {puts "TESTING ERROR 1\n";exit}
         "Switching to pid"
 }
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
 sleep 1
 send -- "ps aux\r"
 expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
+        timeout {puts "TESTING ERROR 3\n";exit}
         "/bin/bash"
 }
 expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
+        timeout {puts "TESTING ERROR 4\n";exit}
         "/bin/bash"
 }
 
diff --git a/test/utils/join5.exp b/test/utils/join5.exp
index 3d365944d..c0990ebf1 100755
--- a/test/utils/join5.exp
+++ b/test/utils/join5.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -9,8 +9,8 @@ match_max 100000
 
 send --  "firejail --name=test123 --profile=join5.profile\r"
 expect {
-        timeout {puts "TESTING ERROR 5\n";exit}
-        "Child process initialized"
+        timeout {puts "TESTING ERROR 0\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 spawn $env(SHELL)
@@ -19,14 +19,18 @@ expect {
         timeout {puts "TESTING ERROR 1\n";exit}
         "Switching to pid"
 }
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
 sleep 1
 send -- "ps aux\r"
 expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
+        timeout {puts "TESTING ERROR 3\n";exit}
         "/bin/bash"
 }
 expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
+        timeout {puts "TESTING ERROR 4\n";exit}
         "/bin/bash"
 }
 
@@ -35,11 +39,11 @@ after 100
 
 send --  "firejail --protocol.print=test123\r"
 expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
+        timeout {puts "TESTING ERROR 5\n";exit}
         "Switching to pid"
 }
 expect {
-        timeout {puts "TESTING ERROR 5\n";exit}
+        timeout {puts "TESTING ERROR 6\n";exit}
         "unix"
 }
 
diff --git a/test/utils/list.exp b/test/utils/list.exp
index d7d39357d..30344e22a 100755
--- a/test/utils/list.exp
+++ b/test/utils/list.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -10,7 +10,7 @@ match_max 100000
 send -- "firejail\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 after 100
 
@@ -18,7 +18,7 @@ spawn $env(SHELL)
 send -- "firejail\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 after 100
 
@@ -26,7 +26,7 @@ spawn $env(SHELL)
 send -- "firejail\r"
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
diff --git a/test/utils/ls.exp b/test/utils/ls.exp
index 080bfdad2..6b6c67ede 100755
--- a/test/utils/ls.exp
+++ b/test/utils/ls.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -14,7 +14,7 @@ sleep 1
 send -- "firejail --private --name=test\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 send -- "echo my_testing > ~/lstesting\r"
diff --git a/test/utils/man.exp b/test/utils/man.exp
index 41f5a2ff8..3a0ca46d6 100755
--- a/test/utils/man.exp
+++ b/test/utils/man.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/utils/name.exp b/test/utils/name.exp
index 9e5367ba7..cd4465d41 100755
--- a/test/utils/name.exp
+++ b/test/utils/name.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -11,7 +11,7 @@ match_max 100000
 send -- "firejail --name=ftest\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 after 100
 
@@ -19,7 +19,7 @@ spawn $env(SHELL)
 send -- "firejail --name=ftest\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 after 100
 
@@ -27,7 +27,7 @@ spawn $env(SHELL)
 send -- "firejail --name=ftest\r"
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 after 100
 
@@ -35,7 +35,7 @@ spawn $env(SHELL)
 send -- "firejail --name=ftest\r"
 expect {
         timeout {puts "TESTING ERROR 3\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 after 100
 
@@ -43,7 +43,7 @@ spawn $env(SHELL)
 send -- "firejail --name=ftest\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 after 100
 
@@ -51,7 +51,7 @@ spawn $env(SHELL)
 send -- "firejail --name=ftest\r"
 expect {
         timeout {puts "TESTING ERROR 5\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 after 100
 
@@ -59,7 +59,7 @@ spawn $env(SHELL)
 send -- "firejail --name=ftest\r"
 expect {
         timeout {puts "TESTING ERROR 6\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 after 100
 
@@ -67,7 +67,7 @@ spawn $env(SHELL)
 send -- "firejail --name=ftest\r"
 expect {
         timeout {puts "TESTING ERROR 7\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 after 100
 
@@ -75,7 +75,7 @@ spawn $env(SHELL)
 send -- "firejail --name=ftest\r"
 expect {
         timeout {puts "TESTING ERROR 8\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 after 100
 
@@ -83,7 +83,7 @@ spawn $env(SHELL)
 send -- "firejail --name=ftest\r"
 expect {
         timeout {puts "TESTING ERROR 9\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 after 100
 
@@ -91,7 +91,7 @@ spawn $env(SHELL)
 send -- "firejail --name=ftest\r"
 expect {
         timeout {puts "TESTING ERROR 10\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 after 100
 
@@ -99,7 +99,7 @@ spawn $env(SHELL)
 send -- "firejail --name=ftest\r"
 expect {
         timeout {puts "TESTING ERROR 11\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 after 100
 
diff --git a/test/utils/profile_print.exp b/test/utils/profile_print.exp
index f8f6708bb..9b2d65d84 100755
--- a/test/utils/profile_print.exp
+++ b/test/utils/profile_print.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -11,7 +11,7 @@ match_max 100000
 send -- "firejail --name=ftest\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 after 100
 
diff --git a/test/utils/protocol-print.exp b/test/utils/protocol-print.exp
index 1ed92ddd6..ca74b7fc9 100755
--- a/test/utils/protocol-print.exp
+++ b/test/utils/protocol-print.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -10,7 +10,7 @@ match_max 100000
 send -- "firejail --name=test\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
diff --git a/test/utils/seccomp-print.exp b/test/utils/seccomp-print.exp
index 86f1e9845..a9525ce2e 100755
--- a/test/utils/seccomp-print.exp
+++ b/test/utils/seccomp-print.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -10,7 +10,7 @@ match_max 100000
 send -- "firejail --name=test\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
diff --git a/test/utils/shutdown.exp b/test/utils/shutdown.exp
index 35d2750db..3950e901c 100755
--- a/test/utils/shutdown.exp
+++ b/test/utils/shutdown.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 15
@@ -11,7 +11,7 @@ match_max 100000
 send --  "firejail --name=shutdowntesting\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
diff --git a/test/utils/shutdown2.exp b/test/utils/shutdown2.exp
index 7eb3d516b..4dabf6c23 100755
--- a/test/utils/shutdown2.exp
+++ b/test/utils/shutdown2.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -12,7 +12,7 @@ set firstspawn $spawn_id
 send --  "firejail --name=shutdowntesting ./catchsignal.sh\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
diff --git a/test/utils/shutdown3.exp b/test/utils/shutdown3.exp
index a543bb9e5..8017d753d 100755
--- a/test/utils/shutdown3.exp
+++ b/test/utils/shutdown3.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -12,7 +12,7 @@ set firstspawn $spawn_id
 send --  "firejail --name=shutdowntesting ./catchsignal-master.sh\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
diff --git a/test/utils/shutdown4.exp b/test/utils/shutdown4.exp
index a9a3978ea..09db3f140 100755
--- a/test/utils/shutdown4.exp
+++ b/test/utils/shutdown4.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -12,7 +12,7 @@ set firstspawn $spawn_id
 send --  "firejail --name=shutdowntesting ./catchsignal2.sh\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
diff --git a/test/utils/top.exp b/test/utils/top.exp
index 150011bba..402d7c2df 100755
--- a/test/utils/top.exp
+++ b/test/utils/top.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -10,7 +10,7 @@ match_max 100000
 send --  "firejail --name=test1\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
@@ -18,7 +18,7 @@ spawn $env(SHELL)
 send --  "firejail --name=test2\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
diff --git a/test/utils/trace.exp b/test/utils/trace.exp
index 3ed09565b..f14001c88 100755
--- a/test/utils/trace.exp
+++ b/test/utils/trace.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 30
@@ -10,7 +10,7 @@ match_max 100000
 send -- "firejail --trace mkdir ttt\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
@@ -21,7 +21,7 @@ sleep 1
 send -- "firejail --trace rmdir ttt\r"
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 expect {
         timeout {puts "TESTING ERROR 3\n";exit}
@@ -32,7 +32,7 @@ sleep 1
 send -- "firejail --trace touch ttt\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 expect {
         timeout {puts "TESTING ERROR 5\n";exit}
@@ -44,7 +44,7 @@ sleep 1
 send -- "firejail --trace rm ttt\r"
 expect {
         timeout {puts "TESTING ERROR 6\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 expect {
         timeout {puts "TESTING ERROR 7\n";exit}
@@ -55,7 +55,7 @@ sleep 1
 send -- "firejail --trace wget -q debian.org\r"
 #expect {
 #       timeout {puts "TESTING ERROR 8.1\n";exit}
-#       "Child process initialized"
+#       -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 #}
 #expect {
 #       timeout {puts "TESTING ERROR 8.2\n";exit}
@@ -86,7 +86,7 @@ sleep 1
 send -- "firejail --trace rm index.html\r"
 expect {
         timeout {puts "TESTING ERROR 9\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 expect {
         timeout {puts "TESTING ERROR 10\n";exit}
@@ -98,7 +98,7 @@ sleep 1
 send --  "firejail --trace\r"
 expect {
         timeout {puts "TESTING ERROR 11\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 expect {
         timeout {puts "TESTING ERROR 12\n";exit}
diff --git a/test/utils/tree.exp b/test/utils/tree.exp
index ff834bec6..4b1f70bd2 100755
--- a/test/utils/tree.exp
+++ b/test/utils/tree.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -10,7 +10,7 @@ match_max 100000
 send -- "firejail\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 after 100
 
@@ -18,7 +18,7 @@ spawn $env(SHELL)
 send -- "firejail\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 after 100
 
@@ -26,7 +26,7 @@ spawn $env(SHELL)
 send -- "firejail\r"
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
-        "Child process initialized"
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 1
 
diff --git a/test/utils/utils.sh b/test/utils/utils.sh
index c021d6287..18f749ed8 100755
--- a/test/utils/utils.sh
+++ b/test/utils/utils.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 export MALLOC_CHECK_=3
@@ -15,8 +15,8 @@ export PATH="$PATH:/usr/lib/firejail:/usr/lib64/firejail"
 
 echo "TESTING: build (test/utils/build.exp)"
 ./build.exp
-rm -f ~/firejail-test-file-7699
-rm -f firejail-test-file-4388
+rm -f ~/_firejail-test-file
+rm -f _firejail-test-file
 
 echo "TESTING: name (test/utils/name.exp)"
 ./name.exp
diff --git a/test/utils/version.exp b/test/utils/version.exp
index be0d152b8..f010809f8 100755
--- a/test/utils/version.exp
+++ b/test/utils/version.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
+# Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
 set timeout 10