209 files changed, 2166 insertions, 1319 deletions

diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
index 53066013d..fc74640d4 100644
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -22,7 +22,8 @@ _Describe the bug_
 
 _Steps to reproduce the behavior_
 
-1. Run in bash `LC_ALL=C firejail PROGRAM` (`LC_ALL=C` to get a consistent output in English that can be understood by everybody)
+1. Run in bash `LC_ALL=C firejail PROGRAM` (`LC_ALL=C` to get a consistent
+   output in English that can be understood by everybody)
 2. Click on '....'
 3. Scroll down to '....'
 4. See error `ERROR`
@@ -37,7 +38,8 @@ _What actually happened_
 
 ### Behavior without a profile
 
-_What changed calling `LC_ALL=C firejail --noprofile /path/to/program` in a terminal?_
+_What changed calling `LC_ALL=C firejail --noprofile /path/to/program` in a
+terminal?_
 
 ### Additional context
 
@@ -47,7 +49,8 @@ _Any other detail that may help to understand/debug the problem_
 
 - Linux distribution and version (e.g. "Ubuntu 20.04" or "Arch Linux")
 - Firejail version (`firejail --version`).
-- If you use a development version of firejail, also the commit from which it was compiled (`git rev-parse HEAD`).
+- If you use a development version of firejail, also the commit from which it
+  was compiled (`git rev-parse HEAD`).
 
 ### Checklist
 
diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md
index a723cdbde..ce1b70e39 100644
--- a/.github/ISSUE_TEMPLATE/feature_request.md
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -4,6 +4,7 @@ about: Suggest an idea for this project
 title: ''
 labels: ''
 assignees: ''
+
 ---
 
 ### Is your feature request related to a problem? Please describe.
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
index 3c256dd87..4a7998e87 100644
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -1,17 +1,21 @@
-If your PR isn't about profiles or you have no idea how to do one of these, skip the following and go ahead with this PR.
+If your PR isn't about profiles or you have no idea how to do one of these,
+skip the following and go ahead with this PR.
 
-If you submit a PR for new profiles or changing profiles, please do the following:
- - The ordering of options follow the rules described in [/usr/share/doc/firejail/profile.template](https://github.com/netblue30/firejail/blob/master/etc/templates/profile.template).
-   > Hint: The profile-template is very new. If you install firejail with your package manager, it may be missing. In order to follow the latest rules, it is recommended to use the template from the repository.
- - Order the arguments of options alphabetically. You can easily do this with [sort.py](https://github.com/netblue30/firejail/tree/master/contrib/sort.py).
- The path to it depends on your distro:
+If you submit a PR for new profiles or changing profiles, please do the
+following:
 
-   | Distro | Path |
-   | ------ | ---- |
-   | Arch/Fedora | `/usr/lib64/firejail/sort.py` |
-   | Debian/Ubuntu/Mint | `/usr/lib/x86_64-linux-gnu/firejail/sort.py` |
-   | local git clone | `contrib/sort.py` |
+- The ordering of options follow the rules described in
+  [etc/templates/profile.template](../blob/master/etc/templates/profile.template)
+  (/usr/share/doc/firejail/profile.template when installed).
+- Order the arguments of options alphabetically.  You can easily do this with
+  [sort.py](../blob/master/contrib/sort.py).
 
-   Note also that the sort.py script exists only since firejail `0.9.61`.
+  The path to it depends on your distro:
 
-See also [CONTRIBUTING.md](/CONTRIBUTING.md).
+  | Distro | Path |
+  | ------ | ---- |
+  | Arch/Fedora | `/usr/lib64/firejail/sort.py` |
+  | Debian/Ubuntu/Mint | `/usr/lib/x86_64-linux-gnu/firejail/sort.py` |
+  | local git clone | `contrib/sort.py` |
+
+See also [CONTRIBUTING.md](../blob/master/CONTRIBUTING.md).
diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml
index f7d0bb479..c812e4572 100644
--- a/.github/workflows/build-extra.yml
+++ b/.github/workflows/build-extra.yml
@@ -2,7 +2,6 @@ name: Build-extra CI
 
 on:
   push:
-    branches: [ master ]
     paths-ignore:
       - '.github/ISSUE_TEMPLATE/*'
       - 'contrib/syntax/**'
@@ -12,6 +11,7 @@ on:
       - .git-blame-ignore-revs
       - .github/dependabot.yml
       - .github/pull_request_template.md
+      - .github/workflows/build.yml
       - .github/workflows/codeql-analysis.yml
       - .github/workflows/profile-checks.yml
       - .gitignore
@@ -24,7 +24,6 @@ on:
       - SECURITY.md
       - src/firecfg/firecfg.config
   pull_request:
-    branches: [ master ]
     paths-ignore:
       - '.github/ISSUE_TEMPLATE/*'
       - 'contrib/syntax/**'
@@ -34,6 +33,7 @@ on:
       - .git-blame-ignore-revs
       - .github/dependabot.yml
       - .github/pull_request_template.md
+      - .github/workflows/build.yml
       - .github/workflows/codeql-analysis.yml
       - .github/workflows/profile-checks.yml
       - .gitignore
@@ -54,17 +54,23 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@c8454efe5d0bdefd25384362fe217428ca277d57
+      uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969
       with:
         egress-policy: block
         allowed-endpoints: >
           azure.archive.ubuntu.com:80
           github.com:443
-    - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
+    - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+    - name: update package information
+      run: sudo apt-get update
     - name: install dependencies
       run: sudo apt-get install libapparmor-dev libselinux1-dev
+    - name: print env
+      run: ./ci/printenv.sh
     - name: configure
-      run: CC=clang-14 ./configure --enable-fatal-warnings --enable-apparmor --enable-selinux
+      run: >
+        CC=clang-14 ./configure --enable-fatal-warnings --enable-apparmor
+        --enable-selinux
     - name: make
       run: make
     - name: make install
@@ -75,63 +81,80 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@c8454efe5d0bdefd25384362fe217428ca277d57
+      uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969
       with:
         egress-policy: block
         allowed-endpoints: >
           azure.archive.ubuntu.com:80
           github.com:443
-    - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
+    - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+    - name: update package information
+      run: sudo apt-get update
     - name: install clang-tools-14 and dependencies
       run: sudo apt-get install clang-tools-14 libapparmor-dev libselinux1-dev
+    - name: print env
+      run: ./ci/printenv.sh
     - name: configure
-      run: CC=clang-14 ./configure --enable-fatal-warnings --enable-apparmor --enable-selinux
+      run: >
+        CC=clang-14 ./configure --enable-fatal-warnings --enable-apparmor
+        --enable-selinux
     - name: scan-build
       run: NO_EXTRA_CFLAGS="yes" scan-build-14 --status-bugs make
   cppcheck:
     runs-on: ubuntu-22.04
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@c8454efe5d0bdefd25384362fe217428ca277d57
+      uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969
       with:
         egress-policy: block
         allowed-endpoints: >
           azure.archive.ubuntu.com:80
           github.com:443
-    - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
+    - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+    - name: update package information
+      run: sudo apt-get update
     - name: install cppcheck
       run: sudo apt-get install cppcheck
+    - run: cppcheck --version
     - name: cppcheck
-      run: cppcheck -q --force --error-exitcode=1 --enable=warning,performance -i src/firejail/checkcfg.c -i src/firejail/main.c .
-  # new cppcheck version currently chokes on checkcfg.c and main.c, therefore scan all files also
-  # with older cppcheck version from ubuntu 20.04.
+      run: >
+        cppcheck -q --force --error-exitcode=1 --enable=warning,performance
+        -i src/firejail/checkcfg.c -i src/firejail/main.c .
+  # new cppcheck version currently chokes on checkcfg.c and main.c, therefore
+  # scan all files also with older cppcheck version from ubuntu 20.04.
   cppcheck_old:
     runs-on: ubuntu-20.04
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@c8454efe5d0bdefd25384362fe217428ca277d57
+      uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969
       with:
         egress-policy: block
         allowed-endpoints: >
           azure.archive.ubuntu.com:80
           github.com:443
-    - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
+    - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+    - name: update package information
+      run: sudo apt-get update
     - name: install cppcheck
       run: sudo apt-get install cppcheck
+    - run: cppcheck --version
     - name: cppcheck
       run: cppcheck -q --force --error-exitcode=1 --enable=warning,performance .
   codespell:
     runs-on: ubuntu-22.04
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@c8454efe5d0bdefd25384362fe217428ca277d57
+      uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969
       with:
         egress-policy: block
         allowed-endpoints: >
           azure.archive.ubuntu.com:80
           github.com:443
-    - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
+    - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+    - name: update package information
+      run: sudo apt-get update
     - name: install dependencies
       run: sudo apt-get install codespell
+    - run: codespell --version
     - name: codespell
       run: make codespell
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 9f2072c74..e896ba8e0 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -2,12 +2,12 @@ name: Build CI
 
 on:
   push:
-    branches: [ master ]
     paths-ignore:
       - '.github/ISSUE_TEMPLATE/*'
       - .git-blame-ignore-revs
       - .github/dependabot.yml
       - .github/pull_request_template.md
+      - .github/workflows/build-extra.yml
       - .github/workflows/codeql-analysis.yml
       - .github/workflows/profile-checks.yml
       - .gitignore
@@ -19,12 +19,12 @@ on:
       - RELNOTES
       - SECURITY.md
   pull_request:
-    branches: [ master ]
     paths-ignore:
       - '.github/ISSUE_TEMPLATE/*'
       - .git-blame-ignore-revs
       - .github/dependabot.yml
       - .github/pull_request_template.md
+      - .github/workflows/build-extra.yml
       - .github/workflows/codeql-analysis.yml
       - .github/workflows/profile-checks.yml
       - .gitignore
@@ -42,58 +42,58 @@ permissions:  # added using https://github.com/step-security/secure-workflows
 jobs:
   build_and_test:
     runs-on: ubuntu-22.04
+    env:
+      SHELL: /bin/bash
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@c8454efe5d0bdefd25384362fe217428ca277d57
+      uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969
       with:
         egress-policy: block
         allowed-endpoints: >
+          1.1.1.1:1025
           azure.archive.ubuntu.com:80
           debian.org:80
+          dns.quad9.net:53
           github.com:443
           packages.microsoft.com:443
           ppa.launchpadcontent.net:443
+          whois.pir.org:43
           www.debian.org:443
           www.debian.org:80
           yahoo.com:1025
-    - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
+    - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
     - name: update package information
       run: sudo apt-get update
     - name: install dependencies
-      run: sudo apt-get install gcc-12 libapparmor-dev libselinux1-dev expect xzdec whois bridge-utils
+      run: >
+        sudo apt-get install
+        gcc-12 libapparmor-dev libselinux1-dev expect xzdec whois
+        bridge-utils
+    - name: print env
+      run: ./ci/printenv.sh
     - name: configure
-      run: CC=gcc-12 ./configure --prefix=/usr --enable-fatal-warnings --enable-analyzer --enable-apparmor --enable-selinux
+      run: >
+        CC=gcc-12 ./configure --prefix=/usr --enable-fatal-warnings
+        --enable-analyzer --enable-apparmor --enable-selinux
     - name: make
       run: make
     - name: make install
       run: sudo make install
     - name: print firejail version
       run: command -V firejail && firejail --version
-    - name: lab setup
-      run: SHELL=/bin/bash make lab-setup
-    - name: run firecfg tests
-      run: SHELL=/bin/bash make test-firecfg
-    - name: run apparmor tests
-      run: SHELL=/bin/bash make test-apparmor
-    - name: run network tests
-      run: SHELL=/bin/bash make test-network
-    - name: run appimage tests
-      run: SHELL=/bin/bash make test-appimage
-    - name: run chroot tests
-      run: SHELL=/bin/bash make test-chroot
-    - name: run sysutils tests
-      run: SHELL=/bin/bash make test-sysutils
-    - name: run private-etc tests
-      run: SHELL=/bin/bash make test-private-etc
-    - name: run profile tests
-      run: SHELL=/bin/bash make test-profiles
-    - name: run fcopy tests
-      run: SHELL=/bin/bash make test-fcopy
-    - name: run fnetfilter tests
-      run: SHELL=/bin/bash make test-fnetfilter
-    - name: run fs tests
-      run: SHELL=/bin/bash make test-fs
-    - name: run utils tests
-      run: SHELL=/bin/bash make test-utils
-    - name: run environment tests
-      run: SHELL=/bin/bash make test-environment
+    - run: make lab-setup
+    - run: make test-seccomp-extra
+    - run: make test-firecfg
+    - run: make test-capabilities
+    - run: make test-apparmor
+    - run: make test-appimage
+    - run: make test-chroot
+    - run: make test-sysutils
+    - run: make test-private-etc
+    - run: make test-profiles
+    - run: make test-fcopy
+    - run: make test-fnetfilter
+    - run: make test-fs
+    - run: make test-utils
+    - run: make test-environment
+    - run: make test-network
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index edf8dad19..68f14d729 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -7,7 +7,6 @@ name: "CodeQL"
 
 on:
   push:
-    branches: [ master ]
     paths-ignore:
       - '.github/ISSUE_TEMPLATE/*'
       - 'contrib/syntax/**'
@@ -17,6 +16,8 @@ on:
       - .git-blame-ignore-revs
       - .github/dependabot.yml
       - .github/pull_request_template.md
+      - .github/workflows/build-extra.yml
+      - .github/workflows/build.yml
       - .github/workflows/profile-checks.yml
       - .gitignore
       - .gitlab-ci.yml
@@ -28,8 +29,6 @@ on:
       - SECURITY.md
       - src/firecfg/firecfg.config
   pull_request:
-    # The branches below must be a subset of the branches above
-    branches: [ master ]
     paths-ignore:
       - '.github/ISSUE_TEMPLATE/*'
       - 'contrib/syntax/**'
@@ -39,6 +38,8 @@ on:
       - .git-blame-ignore-revs
       - .github/dependabot.yml
       - .github/pull_request_template.md
+      - .github/workflows/build-extra.yml
+      - .github/workflows/build.yml
       - .github/workflows/profile-checks.yml
       - .gitignore
       - .gitlab-ci.yml
@@ -74,21 +75,25 @@ jobs:
 
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@c8454efe5d0bdefd25384362fe217428ca277d57
+      uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969
       with:
         disable-sudo: true
         egress-policy: block
         allowed-endpoints: >
           api.github.com:443
           github.com:443
+          objects.githubusercontent.com:443
           uploads.github.com:443
 
     - name: Checkout repository
-      uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
+      uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+
+    - name: print env
+      run: ./ci/printenv.sh
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@32dc499307d133bb5085bae78498c0ac2cf762d5
+      uses: github/codeql-action/init@29b1f65c5e92e24fe6b6647da1eaabe529cec70f
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -99,7 +104,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@32dc499307d133bb5085bae78498c0ac2cf762d5
+      uses: github/codeql-action/autobuild@29b1f65c5e92e24fe6b6647da1eaabe529cec70f
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -113,4 +118,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@32dc499307d133bb5085bae78498c0ac2cf762d5
+      uses: github/codeql-action/analyze@29b1f65c5e92e24fe6b6647da1eaabe529cec70f
diff --git a/.github/workflows/profile-checks.yml b/.github/workflows/profile-checks.yml
index 97e5378fd..8500481cd 100644
--- a/.github/workflows/profile-checks.yml
+++ b/.github/workflows/profile-checks.yml
@@ -2,7 +2,6 @@ name: Profile Checks
 
 on:
   push:
-    branches: [ master ]
     paths:
       - 'ci/check/profiles/**'
       - 'etc/**'
@@ -10,7 +9,6 @@ on:
       - contrib/sort.py
       - src/firecfg/firecfg.config
   pull_request:
-    branches: [ master ]
     paths:
       - 'ci/check/profiles/**'
       - 'etc/**'
@@ -26,20 +24,32 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@c8454efe5d0bdefd25384362fe217428ca277d57
+      uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969
       with:
         disable-sudo: true
         egress-policy: block
         allowed-endpoints: >
           github.com:443
 
-    - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
+    - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+    - name: print env
+      run: ./ci/printenv.sh
+    - run: python3 --version
+
 #   - name: sort.py
-#      run: ./ci/check/profiles/sort.py etc/inc/*.inc etc/{profile-a-l,profile-m-z}/*.profile
+#     run: >
+#       ./ci/check/profiles/sort.py
+#       etc/inc/*.inc etc/{profile-a-l,profile-m-z}/*.profile
 # Currently broken (see #5610)
-#    - name: private-etc-always-required.sh
-#      run: ./ci/check/profiles/private-etc-always-required.sh etc/inc/*.inc etc/{profile-a-l,profile-m-z}/*.profile
+#   - name: private-etc-always-required.sh
+#     run: >
+#       ./ci/check/profiles/private-etc-always-required.sh
+#       etc/inc/*.inc etc/{profile-a-l,profile-m-z}/*.profile
     - name: sort-disable-programs.sh
-      run: ./ci/check/profiles/sort-disable-programs.sh etc/inc/disable-programs.inc
+      run: >
+        ./ci/check/profiles/sort-disable-programs.sh
+        etc/inc/disable-programs.inc
     - name: sort-firecfg.config.sh
-      run: ./ci/check/profiles/sort-firecfg.config.sh src/firecfg/firecfg.config
+      run: >
+        ./ci/check/profiles/sort-firecfg.config.sh
+        src/firecfg/firecfg.config
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 6dcb40e67..38d121c49 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -5,21 +5,33 @@
 # and fedora:latest for new setups
 # 3. Alpine for installing directly from source
 # Also builds apparmor package for Ubuntu LTS
+
 build_ubuntu_package:
     image: ubuntu:rolling
     script:
         - apt-get update -qq
-        - DEBIAN_FRONTEND=noninteractive apt-get install -y -qq build-essential lintian libapparmor-dev pkg-config python3 gawk
-        - ./configure && make deb && dpkg -i firejail*.deb
+        - >
+            DEBIAN_FRONTEND=noninteractive apt-get install -y -qq
+            build-essential lintian libapparmor-dev pkg-config python3 gawk
+        - ./ci/printenv.sh
+        - ./configure
+        - make deb
+        - dpkg -i firejail*.deb
         - command -V firejail && firejail --version
-        - python3 contrib/sort.py etc/profile-*/*.profile etc/inc/*.inc
+        # - python3 --version
+        # - python3 contrib/sort.py etc/profile-*/*.profile etc/inc/*.inc
 
 build_debian_package:
-    image: debian:stretch
+    image: debian:buster
     script:
         - apt-get update -qq
-        - apt-get install -y -qq build-essential lintian libapparmor-dev pkg-config gawk
-        - ./configure && make deb && dpkg -i firejail*.deb
+        - >
+            apt-get install -y -qq
+            build-essential lintian libapparmor-dev pkg-config gawk
+        - ./ci/printenv.sh
+        - ./configure
+        - make deb
+        - dpkg -i firejail*.deb
         - command -V firejail && firejail --version
 
 build_redhat_package:
@@ -27,7 +39,10 @@ build_redhat_package:
     script:
         - dnf update -y
         - dnf install -y rpm-build gcc make
-        - ./configure --prefix=/usr && make rpms && rpm -i firejail*.rpm
+        - ./ci/printenv.sh
+        - ./configure --prefix=/usr
+        - make rpms
+        - rpm -i firejail*.rpm
         - command -V firejail && firejail --version
 
 build_fedora_package:
@@ -35,9 +50,13 @@ build_fedora_package:
     script:
         - dnf update -y
         - dnf install -y rpm-build gcc make
-        - ./configure --prefix=/usr && make rpms && rpm -i firejail*.rpm
+        - ./ci/printenv.sh
+        - ./configure --prefix=/usr
+        - make rpms
+        - rpm -i firejail*.rpm
         - command -V firejail && firejail --version
-        - python3 contrib/sort.py etc/profile-*/*.profile etc/inc/*.inc
+        # - python3 --version
+        # - python3 contrib/sort.py etc/profile-*/*.profile etc/inc/*.inc
 
 build_src_package:
     image: alpine:latest
@@ -45,16 +64,26 @@ build_src_package:
         - apk update
         - apk upgrade
         - apk add build-base linux-headers python3 gawk
-        - ./configure --prefix=/usr && make && make install-strip
+        - ./ci/printenv.sh
+        - ./configure --prefix=/usr
+        - make
+        - make install-strip
         - command -V firejail && firejail --version
-        # - python3 contrib/sort.py etc/*.{profile,inc}
+        # - python3 --version
+        # - python3 contrib/sort.py etc/profile-*/*.profile etc/inc/*.inc
 
 build_no_apparmor:
     image: ubuntu:latest
     script:
         - apt-get update -qq
-        - DEBIAN_FRONTEND=noninteractive apt-get install -y -qq build-essential lintian pkg-config gawk
-        - ./configure && make dist && ./mkdeb.sh --disable-apparmor && dpkg -i firejail*.deb
+        - >
+            DEBIAN_FRONTEND=noninteractive apt-get install -y -qq
+            build-essential lintian pkg-config gawk
+        - ./ci/printenv.sh
+        - ./configure
+        - make dist
+        - ./mkdeb.sh --disable-apparmor
+        - dpkg -i firejail*.deb
         - command -V firejail && firejail --version
         - firejail --version | grep -F 'AppArmor support is disabled'
 
@@ -64,20 +93,36 @@ debian_ci:
         DEBFULLNAME: "$GITLAB_USER_NAME"
         DEBEMAIL: "$GITLAB_USER_EMAIL"
     before_script:
-        - git checkout -B ci_build $CI_COMMIT_SHA
+        - git checkout -B ci_build "$CI_COMMIT_SHA"
         - gitlab-ci-enable-sid
         - gitlab-ci-enable-experimental
-        - echo "deb-src http://deb.debian.org/debian sid main" >> /etc/apt/sources.list
-        - echo "deb-src http://deb.debian.org/debian experimental main" >> /etc/apt/sources.list
+        - |
+            cat >>/etc/apt/sources.list <<EOF
+            deb-src http://deb.debian.org/debian sid main
+            deb-src http://deb.debian.org/debian experimental main
+            EOF
         - apt-get update
-        - git config user.email "$GITLAB_USER_NAME" && git config user.name "$GITLAB_USER_EMAIL"
-        - cd $CI_PROJECT_DIR/.. && (apt-get source --download-only -t experimental firejail || apt-get source --download-only firejail)
-        - cd $CI_PROJECT_DIR && tar xf ../firejail_*.debian.tar.*
+        - git config user.name "$DEBFULLNAME"
+        - git config user.email "$DEBEMAIL"
+        - |
+            cd "$CI_PROJECT_DIR/.."
+            apt-get source --download-only -t experimental firejail ||
+            apt-get source --download-only firejail
+        - |
+            cd "$CI_PROJECT_DIR"
+            tar xf ../firejail_*.debian.tar.*
         - rm -rf debian/patches/
-        - VERSION=$(grep ^PACKAGE_VERSION= configure | cut -d"'" -f2) && dch -v ${VERSION}-0.1~ci "Non-maintainer upload." && git archive -o ../firejail_${VERSION}.orig.tar.gz HEAD && pristine-tar commit ../firejail_${VERSION}.orig.tar.gz ci_build && git branch -m pristine-tar origin/pristine-tar
-        - git add debian && git commit -m "add debian/"
-        - export CI_COMMIT_SHA=$(git rev-parse HEAD)
+        - |
+            VERSION="$(grep ^PACKAGE_VERSION= configure | cut -d "'" -f 2)"
+            dch -v "${VERSION}-0.1~ci" 'Non-maintainer upload.'
+            git archive -o "../firejail_${VERSION}.orig.tar.gz" HEAD
+            pristine-tar commit "../firejail_${VERSION}.orig.tar.gz" ci_build
+            git branch -m pristine-tar origin/pristine-tar
+        - git add debian
+        - git commit -m 'add debian/'
+        - export CI_COMMIT_SHA="$(git rev-parse HEAD)"
     script:
         - apt-get --no-install-recommends install -y -qq gawk
+        - ./ci/printenv.sh
         - gitlab-ci-git-buildpackage
         - gitlab-ci-lintian
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 76d3e709b..1ae293264 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -1,38 +1,58 @@
+# Contributing
+
 Welcome to firejail, and thank you for your interest in contributing!
 
-# Opening an issue:
-We welcome issues, whether to ask a question, provide information, request a new profile or
-feature, or to report a suspected bug or problem.
+## Opening an issue
+
+We welcome issues, whether to ask a question, provide information, request a
+new profile or feature, or to report a suspected bug or problem.
+
+If you want to request a program profile that we don't already have, please add
+a comment in our dedicated issue:
 
-If you want to request a program profile that we don't already have, please add a comment in
-our [dedicated issue](https://github.com/netblue30/firejail/issues/1139).
+- [Profile requests](https://github.com/netblue30/firejail/issues/1139)
 
 When submitting a bug report, please provide the following information so that
 we can handle the report more easily:
-- firejail version. If you're not sure, open a terminal and type `firejail --version`.
+
+- firejail version.  If you're not sure, open a terminal and type `firejail
+  --version`.
 - Linux distribution (so that we can try to reproduce it, if necessary).
-- If you know that the problem did not exist in an earlier version of firejail, please mention it.
-- If you are reporting that a program does not work with firejail, please also run firejail with
-the `--noprofile` argument.
-For example, if `firejail firefox` does not work, please also run `firejail --noprofile firefox` and
-let us know if it runs correctly or not.
-- You may also try disabling various options provided in `/etc/firejail/<ProgramName.profile>` until you find out which one causes problems. It will significantly help to find solution for your issue.
-
-Please note: if you are running Debian, Ubuntu, Linux Mint, or another related
+- If you know that the problem did not exist in an earlier version of firejail,
+  please mention it.
+- If you are reporting that a program does not work with firejail, please also
+  run firejail with the `--noprofile` argument.  For example, if `firejail
+  firefox` does not work, please also run `firejail --noprofile firefox` and
+  let us know if it runs correctly or not.
+- You may also try disabling various options provided in
+  `/etc/firejail/<ProgramName.profile>` until you find out which one causes
+  problems.  It will significantly help in finding a solution for your issue.
+
+Please note: If you are running Debian, Ubuntu, Linux Mint, or another related
 distribution and you installed firejail from your distro's repositories, please
-ensure that **both** of the following were installed:
-`firejail` and `firejail-profiles`. A common source of issues is that
-firejail-profiles was not installed when installing firejail.
+ensure that **all** of the following packages were installed:
+
+- firejail
+- firejail-profiles
 
-We take security bugs very seriously. If you believe you have found one, please report it by
-emailing us at netblue30@protonmail.com
+A common source of issues is that firejail-profiles was not installed when
+installing firejail.
+
+## Security vulnerabilities
+
+See [SECURITY.md](SECURITY.md).
+
+## Opening a pull request
 
-# Opening an pull request:
 Pull requests with enhancements, bugfixes or new profiles are very welcome.
 
 If you want to write a new profile, the easiest way to do this is to use the
-[profile template](https://github.com/netblue30/firejail/blob/master/etc/templates/profile.template).
-If you have already written a profile, please make sure it follows the rules described in the template.
+profile template:
+
+- [etc/templates/profile.template](etc/templates/profile.template)
+
+If you have already written a profile, please make sure it follows the rules
+described in the template.
 
 If you add a new command, here's the checklist:
 
@@ -41,6 +61,7 @@ If you add a new command, here's the checklist:
 - [ ] Update syntax files (run `make syntax` or just `make`)
 - [ ] Update --help
 
-# Editing the wiki
+## Editing the wiki
 
-You are highly encouraged to add your own tips and tricks to the [wiki](https://github.com/netblue30/firejail/wiki).
+You are highly encouraged to add your own tips and tricks to the
+[wiki](https://github.com/netblue30/firejail/wiki).
diff --git a/Makefile b/Makefile
index 3bb128ccc..749457b1b 100644
--- a/Makefile
+++ b/Makefile
@@ -314,7 +314,7 @@ mkman.sh \
 platform \
 src
 
-DISTFILES_TEST = test/Makefile test/apps test/apps-x11 test/apps-x11-xorg test/private-lib test/fnetfilter test/fcopy test/environment test/profiles test/utils test/compile test/filters test/network test/fs test/sysutils
+DISTFILES_TEST = test/Makefile test/apps test/apps-x11 test/apps-x11-xorg test/capabilities test/private-lib test/fnetfilter test/fcopy test/environment test/profiles test/utils test/compile test/filters test/network test/fs test/sysutils
 
 .PHONY: dist
 dist: config.mk
@@ -364,11 +364,15 @@ scan-build: clean
 codespell: clean
         codespell --ignore-regex "UE|creat|shotcut|ether" src test
 
+.PHONY: print-env
+print-env:
+        ./ci/printenv.sh
+
 #
 # make test
 #
 
-TESTS=profiles apps apps-x11 apps-x11-xorg sysutils utils environment filters fs fcopy fnetfilter private-etc
+TESTS=profiles capabilities apps apps-x11 apps-x11-xorg sysutils utils environment filters fs fcopy fnetfilter private-etc seccomp-extra
 TEST_TARGETS=$(patsubst %,test-%,$(TESTS))
 
 $(TEST_TARGETS):
@@ -378,7 +382,7 @@ $(TEST_TARGETS):
 # extract some data about the testing setup: kernel, network connectivity, user
 lab-setup:; uname -r; ldd --version | grep GLIBC; pwd; whoami; ip addr show; cat /etc/resolv.conf; cat /etc/hosts; ls /etc
 
-test: lab-setup test-profiles test-fcopy test-fnetfilter test-fs test-private-etc test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters
+test: lab-setup test-profiles test-fcopy test-fnetfilter test-fs test-private-etc test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters test-seccomp-extra
         echo "TEST COMPLETE"
 
 test-noprofiles: lab-setup test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters
diff --git a/README b/README
index a6474fdb2..0d402a854 100644
--- a/README
+++ b/README
@@ -1,13 +1,14 @@
-Firejail is a SUID sandbox program that reduces the risk of security
-breaches by restricting the running environment of untrusted applications
-using Linux namespaces and seccomp-bpf. It includes sandbox profiles for
-Iceweasel/Mozilla Firefox, Chromium, Midori, Opera, Evince, Transmission,
-VLC, Audacious, Clementine, Rhythmbox, Totem, Deluge, qBittorrent.
-DeaDBeeF, Dropbox, Empathy, FileZilla, IceCat, Thunderbird/Icedove,
-Pidgin, Quassel, and XChat.
+Firejail is a SUID sandbox program that reduces the risk of security breaches
+by restricting the running environment of untrusted applications using Linux
+namespaces and seccomp-bpf.
+
+It includes sandbox profiles for many programs, including Iceweasel/Mozilla
+Firefox, Chromium, Midori, Opera, Evince, Transmission, VLC, Audacious,
+Clementine, Rhythmbox, Totem, Deluge, qBittorrent, DeaDBeeF, Dropbox, Empathy,
+FileZilla, IceCat, Thunderbird/Icedove, Pidgin, Quassel, and XChat.
 
 Firejail also expands the restricted shell facility found in bash by adding
-Linux namespace support. It supports sandboxing specific users upon login.
+Linux namespace support.  It supports sandboxing specific users upon login.
 
 Download: https://sourceforge.net/projects/firejail/files/
 Build and install: ./configure && make && sudo make install
@@ -17,30 +18,33 @@ Backup Video Channel: https://www.bitchute.com/profile/JSBsA1aoQVfW/
 Development: https://github.com/netblue30/firejail
 License: GPL v2
 
-Please report all security vulnerabilities at netblue30@protonmail.com
+Please report all security vulnerabilities to:
+
+* <netblue30@protonmail.com>
 
-Compile and install mainline version from GitHub:
+Compile and install the mainline version from GitHub:
 
-$ git clone https://github.com/netblue30/firejail.git
-$ cd firejail
-$ ./configure && make && sudo make install-strip
+    git clone https://github.com/netblue30/firejail.git
+    cd firejail
+    ./configure && make && sudo make install-strip
 
-On Debian/Ubuntu you will need to install git and gcc compiler. AppArmor
-development libraries and pkg-config are required when using --enable-apparmor
+On Debian/Ubuntu you will need to install git and gcc.  AppArmor development
+libraries and pkg-config are required when using the --enable-apparmor
 ./configure option:
 
-$ sudo apt-get install git build-essential libapparmor-dev pkg-config gawk
+    sudo apt-get install git build-essential libapparmor-dev pkg-config gawk
 
 For --selinux option, add libselinux1-dev (libselinux-devel for Fedora).
 
-We build our release firejail.tar.xz and firejail.deb packages using the following command:
-$ make distclean && ./configure && make deb
+We build our release firejail.tar.xz and firejail.deb packages using the
+following commands:
 
+    make distclean && ./configure && make deb
 
 Maintainer:
 - netblue30 (netblue30@protonmail.com)
 
-Committers
+Committers:
 - chiraag-nataraj (https://github.com/chiraag-nataraj)
 - crass (https://github.com/crass)
 - ChrysoliteAzalea (https://github.com/ChrysoliteAzalea)
@@ -55,15 +59,16 @@ Committers
 - rusty-snake (https://github.com/rusty-snake)
 - smitsohu (https://github.com/smitsohu)
 - SkewedZeppelin (https://github.com/SkewedZeppelin)
-- startx2017 (https://github.com/startx2017) - LTS and *bugfixes branches maintainer)
+- startx2017 (https://github.com/startx2017) - LTS and *bugfixes branches
+  maintainer)
 - Topi Miettinen (https://github.com/topimiettinen)
 - veloute (https://github.com/veloute)
 - Vincent43 (https://github.com/Vincent43)
 - netblue30 (netblue30@protonmail.com)
 
+---
 
-
-Firejail Authors (alphabetical order)
+Firejail Authors (alphabetical order):
 
 0x7969 (https://github.com/0x7969)
         - fix wire-desktop.profile
@@ -313,7 +318,8 @@ curiosityseeker (https://github.com/curiosityseeker - new)
         - updated keypassxc profile
         - added syscalls.sh, which determine the necessary syscalls for a program
         - fixed conky profile
-        - thunderbird.profile: harden and enable the rules necessary to make Firefox open links
+        - thunderbird.profile: harden and enable the rules necessary to make
+          Firefox open links
 da2x (https://github.com/da2x)
         - matched RPM license tag
 Daan Bakker (https://github.com/dbakker)
@@ -358,7 +364,8 @@ Disconnect3d (https://github.com/disconnect3d)
 dm9pZCAq (https://github.com/dm9pZCAq)
         - fix for compilation under musl
 dmfreemon (https://github.com/dmfreemon)
-        - add sandbox name or name of private directory to the window title when xpra is used
+        - add sandbox name or name of private directory to the window title
+          when xpra is used
         - handle malloc() failures; use gnu_basename() instead of basenaem()
 Dmitriy Chestnykh (https://github.com/chestnykh)
         - add ability to disable user profiles at compile time
@@ -720,6 +727,7 @@ Manuel Dipolt (https://github.com/xeniter)
         - stack alignment for the ARM Architecture
 Marek Küthe (https://github.com/marek22k)
         - allow loading plugins in gajim
+        - allow bsfilter in email-common.profile
 Martin Carpenter (https://github.com/mcarpenter)
         - security audit and bug fixes
         - Centos 6.x support
@@ -780,6 +788,8 @@ Neo00001 (https://github.com/Neo00001)
         - update telegram profile
         - add spectacle profile
         - add kdiff3 profile
+Neotamandua (https://github.com/Neotamandua)
+        - add Discord PTB profile
 netcarver (https://github.com/netcarver)
         - prevent access to LUKS keyfile
 NetSysFire (https://github.com/NetSysFire)
@@ -1027,7 +1037,8 @@ soredake (https://github.com/soredake)
         - add localtime to private-etc to make qtox show correct time
         - fixes for the keepassxc 2.2.5 version
 SkewedZeppelin (https://github.com/SkewedZeppelin)
-        - added Bless, Gnome 2048, Gnome Calculator, Gnome Contacts, JD-GUI, Lollypop, MultiMC5 profiles
+        - added Bless, Gnome 2048, Gnome Calculator, Gnome Contacts, JD-GUI,
+          Lollypop, MultiMC5 profiles
         - added PDFSam, Pithos, and Xonotic profiles
         - disabled Go, Rust, and OpenSSL in disable-devel.conf
         - added dino profile
@@ -1045,7 +1056,8 @@ SkewedZeppelin (https://github.com/SkewedZeppelin)
         - added IntelliJ IDEA and Android Studio profiles
         - added arm profile
         - lots of profile improvements/tightening
-        - added apktool, baobab, dex2jar, gitg, hashcat, obs, picard, remmina, sdat2img,
+        - added apktool, baobab, dex2jar, gitg, hashcat, obs, picard, remmina,
+          sdat2img,
         soundconverter, sqlitebrowser, and truecraft profiles
         - added gnome-twitch profile
         - Unified all 341 profiles
@@ -1082,10 +1094,12 @@ SYN-cook (https://github.com/SYN-cook)
         - gnome-calculator changes
 startx2017 (https://github.com/startx2017)
         - syscall list update
-        - updated default seccomp filters - added bpf, clock_settime, personality, process_vm_writev, query_module,
-          settimeofday, stime, umount, userfaultfd, ustat, vm86, and vm86old
+        - updated default seccomp filters - added bpf, clock_settime,
+          personality, process_vm_writev, query_module, settimeofday, stime,
+          umount, userfaultfd, ustat, vm86, and vm86old
         - enable/disable join support in /etc/firejail/firejail.config
-        - firecfg fix: create ~/.local/share/applications directory if it doesn't exist
+        - firecfg fix: create ~/.local/share/applications directory if it
+          doesn't exist
         - firejail.config cleanup
         - --quiet fixes
         - bugfixes branches maintainer
@@ -1107,6 +1121,8 @@ thewisenerd (https://github.com/thewisenerd)
         - allow multiple private-home commands
         - use $SHELL variable if the shell is not specified
         - appimage: pass commandline arguments
+Thijs Raymakers (https://github.com/ThijsRay)
+        - keepassxc: Allow offering the Secret Service
 Thomas Jarosch (https://github.com/thomasjfox)
         - disable keepassx in disable-passwdmgr.inc
         - added uudeview profile
@@ -1245,10 +1261,9 @@ Zack Weinberg (https://github.com/zackw)
         - wait_for_other function rewrite
         - Xvfb X11 server support
         - Xvfb and Xephyr profiles, modified Xpra profile
-        - support for sandboxing Xpra, Xvfb and Xephyr in independent sandboxes when started
-          with firejail --x11
+        - support for sandboxing Xpra, Xvfb and Xephyr in independent sandboxes
+          when started with firejail --x11
         - support for xpra-extra-params in firejail.config
-
 zupatisc (https://github.com/zupatisc)
         - patch-util fix
 
diff --git a/README.md b/README.md
index 22e2fa291..781304451 100644
--- a/README.md
+++ b/README.md
@@ -1,79 +1,91 @@
 # Firejail
-[![Build Status](https://gitlab.com/Firejail/firejail_ci/badges/master/pipeline.svg)](https://gitlab.com/Firejail/firejail_ci/pipelines/)
-[![CodeQL](https://github.com/netblue30/firejail/workflows/CodeQL/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ACodeQL)
-[![Build CI](https://github.com/netblue30/firejail/workflows/Build%20CI/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3A%22Build+CI%22)
-[![Packaging status](https://repology.org/badge/tiny-repos/firejail.svg)](https://repology.org/project/firejail/versions)
-
-Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting
-the running environment of untrusted applications using Linux namespaces, seccomp-bpf
-and Linux capabilities. It allows a process and all its descendants to have their own private
-view of the globally shared kernel resources, such as the network stack, process table, mount table.
-Firejail can work in a SELinux or AppArmor environment, and it is integrated with Linux Control Groups.
-
-Written in C with virtually no dependencies, the software runs on any Linux computer with a 3.x kernel
-version or newer. It can sandbox any type of processes: servers, graphical applications, and even
-user login sessions. The software includes sandbox profiles for a number of more common Linux programs,
+
+[![Build CI (GitLab)](https://gitlab.com/Firejail/firejail_ci/badges/master/pipeline.svg)](https://gitlab.com/Firejail/firejail_ci/pipelines)
+[![Build CI (GitHub)](https://github.com/netblue30/firejail/workflows/Build%20CI/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3A%22Build+CI%22)
+[![CodeQL CI](https://github.com/netblue30/firejail/workflows/CodeQL/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ACodeQL)
+[![Packaging status (Repology)](https://repology.org/badge/tiny-repos/firejail.svg)](https://repology.org/project/firejail/versions)
+
+Firejail is a SUID sandbox program that reduces the risk of security breaches
+by restricting the running environment of untrusted applications using Linux
+namespaces, seccomp-bpf and Linux capabilities.  It allows a process and all
+its descendants to have their own private view of the globally shared kernel
+resources, such as the network stack, process table, mount table.  Firejail can
+work in a SELinux or AppArmor environment, and it is integrated with Linux
+Control Groups.
+
+Written in C with virtually no dependencies, the software runs on any Linux
+computer with a 3.x kernel version or newer.  It can sandbox any type of
+processes: servers, graphical applications, and even user login sessions.  The
+software includes sandbox profiles for a number of more common Linux programs,
 such as Mozilla Firefox, Chromium, VLC, Transmission etc.
 
-The sandbox is lightweight, the overhead is low. There are no complicated configuration files to edit,
-no socket connections open, no daemons running in the background. All security features are
-implemented directly in Linux kernel and available on any Linux computer.
+The sandbox is lightweight, the overhead is low.  There are no complicated
+configuration files to edit, no socket connections open, no daemons running in
+the background.  All security features are implemented directly in Linux kernel
+and available on any Linux computer.
+
+## Videos
 
-<table><tr>
+<table>
+<tr>
 
 <td>
 <a href="https://odysee.com/@netblue30:9/firefox:c" target="_blank">
 <img src="https://thumbs.odycdn.com/acf4b1c66737feb97640fb1d28a7daa6.png"
-alt="Advanced Browser Security" width="240" height="142" border="10" /><br/>Advanced Browser Security</a>
+alt="Advanced Browser Security" width="240" height="142" border="10" />
+<br/>Advanced Browser Security
+</a>
 </td>
 
 <td>
 <a href="https://odysee.com/@netblue30:9/nonet:7" target="_blank">
 <img src="https://thumbs.odycdn.com/5be2964201c31689ee8f78cb9f35e89a.png"
-alt="How To Disable Network Access" width="240" height="142" border="10" /><br/>How To Disable Network Access</a>
+alt="How To Disable Network Access" width="240" height="142" border="10" />
+<br/>How To Disable Network Access
+</a>
 </td>
 
 <td>
 <a href="https://odysee.com/@netblue30:9/divested:2" target="_blank">
 <img src="https://thumbs.odycdn.com/f30ece33a6547af9ae48244f4ba73028.png"
-alt="Deep Dive" width="240" height="142" border="10" /><br/>Deep Dive</a>
+alt="Deep Dive" width="240" height="142" border="10" />
+<br/>Deep Dive
+</a>
 </td>
 
-</tr></table>
-
-Project webpage: https://firejail.wordpress.com/
-
-IRC: https://web.libera.chat/#firejail
-
-Download and Installation: https://firejail.wordpress.com/download-2/
-
-Features: https://firejail.wordpress.com/features-3/
-
-Documentation: https://firejail.wordpress.com/documentation-2/
+</tr>
+</table>
 
-FAQ: https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions
+## Links
 
-Wiki: https://github.com/netblue30/firejail/wiki
-
-GitLab-CI status: https://gitlab.com/Firejail/firejail_ci/pipelines/
-
-Video Channel: https://odysee.com/@netblue30:9?order=new
-
-Backup Video Channel: https://www.bitchute.com/profile/JSBsA1aoQVfW/
+* Project webpage: <https://firejail.wordpress.com/>
+* IRC: <https://web.libera.chat/#firejail>
+* Download and Installation: <https://firejail.wordpress.com/download-2/>
+* Features: <https://firejail.wordpress.com/features-3/>
+* Documentation: <https://firejail.wordpress.com/documentation-2/>
+* FAQ: <https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions>
+* Wiki: <https://github.com/netblue30/firejail/wiki>
+* GitHub Actions: <https://github.com/netblue30/firejail/actions>
+* GitLab CI: <https://gitlab.com/Firejail/firejail_ci/pipelines>
+* Video Channel: <https://odysee.com/@netblue30:9?order=new>
+* Backup Video Channel: <https://www.bitchute.com/profile/JSBsA1aoQVfW/>
 
 ## Security vulnerabilities
 
-We take security bugs very seriously. If you believe you have found one, please report it by emailing us at netblue30@protonmail.com
+See [SECURITY.md](SECURITY.md).
 
 ## Installing
 
 ### Debian
 
-Debian stable (bullseye): We recommend to use the [backports](https://packages.debian.org/bullseye-backports/firejail) package.
+Debian stable (bullseye): We recommend to use the
+[backports](https://packages.debian.org/bullseye-backports/firejail) package.
 
 ### Ubuntu
 
-For Ubuntu 18.04+ and derivatives (such as Linux Mint), users are **strongly advised** to use the [PPA](https://launchpad.net/~deki/+archive/ubuntu/firejail).
+For Ubuntu 18.04+ and derivatives (such as Linux Mint), users are **strongly
+advised** to use the
+[PPA](https://launchpad.net/~deki/+archive/ubuntu/firejail).
 
 How to add and install from the PPA:
 
@@ -83,140 +95,200 @@ sudo apt-get update
 sudo apt-get install firejail firejail-profiles
 ```
 
-Reason: The firejail package for Ubuntu 20.04 has been left vulnerable to CVE-2021-26910 for months after a patch for it was posted on Launchpad:
+Reason: The firejail package for Ubuntu 20.04 has been left vulnerable to
+CVE-2021-26910 for months after a patch for it was posted on Launchpad:
 
-* [firejail version in Ubuntu 20.04 LTS is vulnerable to CVE-2021-26910](https://bugs.launchpad.net/ubuntu/+source/firejail/+bug/1916767)
+* [CVE-2021-26910](https://github.com/advisories/GHSA-2q4h-h5jp-942w)
+* [firejail version in Ubuntu 20.04 LTS is vulnerable to
+  CVE-2021-26910](https://bugs.launchpad.net/ubuntu/+source/firejail/+bug/1916767)
 
 See also <https://wiki.ubuntu.com/SecurityTeam/FAQ>:
 
 > What software is supported by the Ubuntu Security team?
 >
 > Ubuntu is currently divided into four components: main, restricted, universe
-> and multiverse. All binary packages in main and restricted are supported by
+> and multiverse.  All binary packages in main and restricted are supported by
 > the Ubuntu Security team for the life of an Ubuntu release, while binary
 > packages in universe and multiverse are supported by the Ubuntu community.
 
-Additionally, the PPA version is likely to be more recent and to contain more profile fixes.
+Additionally, the PPA version is likely to be more recent and to contain more
+profile fixes.
 
 See the following discussions for details:
 
-* [Should I keep using the version of firejail available in my distro repos?](https://github.com/netblue30/firejail/discussions/4666)
-* [How to install the latest version on Ubuntu and derivatives](https://github.com/netblue30/firejail/discussions/4663)
+* [Should I keep using the version of firejail available in my distro
+  repos?](https://github.com/netblue30/firejail/discussions/4666)
+* [How to install the latest version on Ubuntu and
+  derivatives](https://github.com/netblue30/firejail/discussions/4663)
 
 ### Other
 
-Firejail is included in a large number of Linux distributions.
+Firejail is available in multiple Linux distributions:
+
+<details>
+<summary>Repology</summary>
+<p>
+
+[![Packaging status (Repology)](https://repology.org/badge/vertical-allrepos/firejail.svg)](https://repology.org/project/firejail/versions)
+
+</p>
+</details>
+
+Other than the [aforementioned exceptions](#installing), as long as your
+distribution provides a [supported version](SECURITY.md) of firejail, it's
+generally a good idea to install it from the distribution.
 
-You can also install one of the [released packages](http://sourceforge.net/projects/firejail/files/firejail), or clone Firejail’s source code from our Git repository and compile manually:
+The version can be checked with `firejail --version` after installing.
 
-`````
-$ git clone https://github.com/netblue30/firejail.git
-$ cd firejail
-$ ./configure && make && sudo make install-strip
-`````
-On Debian/Ubuntu you will need to install git and gcc compiler. AppArmor
-development libraries and pkg-config are required when using `--enable-apparmor`
+You can also install one of the [released
+packages](https://github.com/netblue30/firejail/releases).
+
+Or clone the source code from our git repository and build manually:
+
+```sh
+git clone https://github.com/netblue30/firejail.git
+cd firejail
+./configure && make && sudo make install-strip
+```
+
+On Debian/Ubuntu you will need to install git and gcc.  AppArmor development
+libraries and pkg-config are required when using the `--enable-apparmor`
 ./configure option:
-`````
-$ sudo apt-get install git build-essential libapparmor-dev pkg-config gawk
-`````
+
+```sh
+sudo apt-get install git build-essential libapparmor-dev pkg-config gawk
+```
+
 For `--selinux` option, add libselinux1-dev (libselinux-devel for Fedora).
 
-Detailed information on using firejail from git is available on the [wiki](https://github.com/netblue30/firejail/wiki/Using-firejail-from-git).
+Detailed information on using firejail from git is available on the
+[wiki](https://github.com/netblue30/firejail/wiki/Using-firejail-from-git).
 
 ## Running the sandbox
 
 To start the sandbox, prefix your command with `firejail`:
 
-`````
-$ firejail firefox            # starting Mozilla Firefox
-$ firejail transmission-gtk   # starting Transmission BitTorrent
-$ firejail vlc                # starting VideoLAN Client
-$ sudo firejail /etc/init.d/nginx start
-`````
-Run `firejail --list` in a terminal to list all active sandboxes. Example:
-`````
+```sh
+firejail firefox            # starting Mozilla Firefox
+firejail transmission-gtk   # starting Transmission BitTorrent
+firejail vlc                # starting VideoLAN Client
+sudo firejail /etc/init.d/nginx start
+```
+
+Run `firejail --list` in a terminal to list all active sandboxes.  Example:
+
+```console
 $ firejail --list
 1617:netblue:/usr/bin/firejail /usr/bin/firefox-esr
 7719:netblue:/usr/bin/firejail /usr/bin/transmission-qt
 7779:netblue:/usr/bin/firejail /usr/bin/galculator
 7874:netblue:/usr/bin/firejail /usr/bin/vlc --started-from-file file:///home/netblue/firejail-whitelist.mp4
 7916:netblue:firejail --list
-`````
+```
 
 ## Desktop integration
 
 Integrate your sandbox into your desktop by running the following two commands:
-`````
-$ firecfg --fix-sound
-$ sudo firecfg
-`````
 
-The first command solves some shared memory/PID namespace bugs in PulseAudio software prior to version 9.
-The second command integrates Firejail into your desktop. You would need to logout and login back to apply
-PulseAudio changes.
+```sh
+firecfg --fix-sound
+sudo firecfg
+```
+
+The first command solves some shared memory/PID namespace bugs in PulseAudio
+software prior to version 9.  The second command integrates Firejail into your
+desktop.  You would need to logout and login back to apply PulseAudio changes.
 
-Start your programs the way you are used to: desktop manager menus, file manager, desktop launchers.
-The integration applies to any program supported by default by Firejail. There are about 250 default applications
-in current Firejail version, and the number goes up with every new release.
-We keep the application list in [/etc/firejail/firecfg.config](https://github.com/netblue30/firejail/blob/master/src/firecfg/firecfg.config) file.
+Start your programs the way you are used to: desktop manager menus, file
+manager, desktop launchers.
+
+The integration applies to any program supported by default by Firejail.  There
+are over 900 default applications in the current Firejail version, and the
+number goes up with every new release.
+
+We keep the application list in
+[src/firecfg/firecfg.config](src/firecfg/firecfg.config)
+(/etc/firejail/firecfg.config when installed).
 
 ## Security profiles
 
-Most Firejail command line options can be passed to the sandbox using profile files.
-You can find the profiles for all supported applications in [/etc/firejail](https://github.com/netblue30/firejail/tree/master/etc) directory.
+Most Firejail command line options can be passed to the sandbox using profile
+files.
+
+You can find the profiles for all supported applications in [etc/](etc/)
+(/etc/firejail/ when installed).
+
+We also keep a list of profile fixes for previous released versions in
+[etc-fixes/](etc-fixes/).
+
+If you keep additional Firejail security profiles in a public repository,
+please give us a link:
+
+* <https://github.com/chiraag-nataraj/firejail-profiles>
+* <https://github.com/triceratops1/fe>
+
+Use this issue to request new profiles:
+
+* [Profile requests](https://github.com/netblue30/firejail/issues/1139)
+
+You can also use this tool to get a list of syscalls needed by a program:
 
-If you keep additional Firejail security profiles in a public repository, please give us a link:
+* [contrib/syscalls.sh](contrib/syscalls.sh)
 
-* https://github.com/chiraag-nataraj/firejail-profiles
+## Uninstalling
 
-* https://github.com/triceratops1/fe
+firecfg creates symlinks in /usr/local/bin, so to fully remove firejail, run
+the following before uninstalling:
 
-Use this issue to request new profiles: [#1139](https://github.com/netblue30/firejail/issues/1139)
+```sh
+sudo firecfg --clean
+```
 
-You can also use this tool to get a list of syscalls needed by a program: [contrib/syscalls.sh](contrib/syscalls.sh).
+See `man firecfg` for details.
 
-We also keep a list of profile fixes for previous released versions in [etc-fixes](https://github.com/netblue30/firejail/tree/master/etc-fixes) directory.
+Note: Broken symlinks are ignored when searching for an executable in `$PATH`,
+so uninstalling without doing the above should not cause issues.
 
 ## Latest released version: 0.9.72
 
 ## Current development version: 0.9.73
 
 ### --keep-shell-rc
-`````
+
+```text
        --keep-shell-rc
               By default, when using a private home directory, firejail copies
               files  from the system's user home template (/etc/skel) into it,
               which overrides attempts to whitelist the original  files  (such
               as  ~/.bashrc and ~/.zshrc).  This option disables this feature,
               and enables the user to whitelist the original files.
-
-`````
+```
 
 ### private-etc rework
-`````
+
+```text
        --private-etc, --private-etc=file,directory,@group
-              The files installed by --private-etc are copies of the  original
-              system  files  from  /etc  directory.   By  default, the command
-              brings in a skeleton of files and directories used by most  con‐
-              sole tools:
+              The files installed by --private-etc are copies of the original
+              system files from /etc directory.  By default, the command
+              brings in a skeleton of files and directories used by most
+              console tools:
 
               $ firejail --private-etc dig debian.org
 
-              For  X11/GTK/QT/Gnome/KDE   programs add @x11 group as a parame‐
-              ter. Example:
+              For X11/GTK/QT/Gnome/KDE  programs add @x11 group as a
+              parameter. Example:
 
               $ firejail --private-etc=@x11,gcrypt,python* gimp
 
-              gcrypt and /etc/python* directories are not part of the  generic
+              gcrypt and /etc/python* directories are not part of the generic
               @x11 group.  File globbing is supported.
 
               For games, add @games group:
 
               $ firejail --private-etc=@games,@x11 warzone2100
 
-              Sound  and  networking  files are included automatically, unless
-              --nosound or --net=none  are  specified.   Files  for  encrypted
+              Sound and networking files are included automatically, unless
+              --nosound or --net=none are specified.  Files for encrypted
               TLS/SSL protocol are in @tls-ca group.
 
               $ firejail --private-etc=@tls-ca,wgetrc wget https://debian.org
@@ -225,22 +297,29 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe
               by your program is using strace utility:
 
               $ strace /usr/bin/transmission-qt 2>&1 | grep open | grep etc
+```
 
-`````
-We keep the list of groups in [src/include/etc_groups.h](https://github.com/netblue30/firejail/blob/master/src/include/etc_groups.h)
-Discussion: https://github.com/netblue30/firejail/discussions/5610
+We keep the list of groups in
+[src/include/etc_groups.h](src/include/etc_groups.h).
+
+Discussion:
+
+* [private-etc rework](https://github.com/netblue30/firejail/discussions/5610)
 
 ### Profile Statistics
 
-A small tool to print profile statistics. Compile and install as usual. The tool is installed in /usr/lib/firejail directory.
+A small tool to print profile statistics.  Compile and install as usual.  The
+tool is installed in the /usr/lib/firejail directory.
+
 Run it over the profiles in /etc/profiles:
-```
+
+```console
 $ /usr/lib/firejail/profstats /etc/firejail/*.profile
 No include .local found in /etc/firejail/noprofile.profile
 Warning: multiple caps in /etc/firejail/transmission-daemon.profile
 
 Stats:
-     profiles                   1209
+    profiles                    1209
     include local profile       1208   (include profile-name.local)
     include globals             1181   (include globals.local)
     blacklist ~/.ssh            1079   (include disable-common.inc)
@@ -266,5 +345,4 @@ Stats:
     dbus-user filter            141
     dbus-system none            851
     dbus-system filter          12
-
 ```
diff --git a/RELNOTES b/RELNOTES
index c003c6185..72bdeb8f7 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -4,28 +4,41 @@ firejail (0.9.73) baseline; urgency=low
   * feature: Print the argument when failing with "too long arguments" (#5677)
   * feature: a random hostname is assigned to each sandbox unless
     overwritten using --hostname command
+  * feature: add IPv6 support for --net.print option
   * modif: Stop forwarding own double-dash to the shell (#5599 #5600)
   * modif: Prevent sandbox name (--name=) and host name (--hostname=)
     from containing only digits (#5578)
   * modif: Escape control characters of the command line (#5613)
   * modif: Allow only letters and digits for sandbox name (--name=) and
     host name (--hostname=)
-  * bugfix: fix --hostname and --hosts-file commands
+  * modif: remove firemon --interface option (duplicating --net.print option)
   * bugfix: qutebrowser: links will not open in the existing instance (#5601
     #5618)
+  * bugfix: fix --hostname and --hosts-file commands
+  * bugfix: arp.c: ensure positive timeout on select(2) (#5806)
   * build: auto-generate syntax files (#5627)
   * build: mark most phony targets as such (#5637)
   * build: mkdeb.sh: pass all arguments to ./configure (#5654)
   * build: deb: enable apparmor by default & remove deb-apparmor (#5668)
   * build: Fix whitespace and add .editorconfig (#5674)
+  * ci: always update the package db before installing packages (#5742)
+  * ci: fix codeql unable to download its own bundle (#5783)
+  * ci: split configure/build/install commands on gitlab (#5784)
+  * ci: fix swapped name/email arguments in debian_ci (#5795)
+  * ci: formatting and misc improvements (#5802)
+  * ci: run for every branch instead of just master (#5815)
+  * ci: upgrade debian:stretch to debian:buster (#5818)
   * test: split individual test groups in github workflows
   * test: add chroot, appimage and network tests in github workflows
   * docs: remove apparmor options in --help when building without apparmor
     support (#5589)
-  * docs: selinux.c: Split Copyright notice & use same license as upstream
+  * docs: fix typos (#5693)
+  * docs: markdown formatting and misc improvements (#5757)
+  * docs: add uninstall instructions to README.md (#5812)
+  * legal: selinux.c: Split Copyright notice & use same license as upstream
     (#5667)
-  * new profiles: fix-qdf, qpdf, zlib-flate
- -- netblue30 <netblue30@yahoo.com>  Mon, 16 Jan 2023 09:00:00 -0500
+  * new profiles: fix-qdf, qpdf, zlib-flate, standard-notes, url-eater
+ -- netblue30 <netblue30@yahoo.com>  Mon, 17 Jan 2023 09:00:00 -0500
 
 firejail (0.9.72) baseline; urgency=low
   * feature: On failing to remount a fuse filesystem, give warning instead of
diff --git a/SECURITY.md b/SECURITY.md
index 734d04ccf..2a9cc7f6f 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -26,4 +26,8 @@
 
 ## Security vulnerabilities
 
-We take security bugs very seriously. If you believe you have found one, please report it by emailing us at netblue30@@protonmail.com
+We take security bugs very seriously.
+
+If you believe you have found one, please report it to:
+
+* <netblue30@protonmail.com>
diff --git a/ci/printenv.sh b/ci/printenv.sh
new file mode 100755
index 000000000..4b7e03fa7
--- /dev/null
+++ b/ci/printenv.sh
@@ -0,0 +1,25 @@
+#!/bin/sh
+# Print information that may be useful for debugging CI.
+
+test -f /etc/os-release && . /etc/os-release
+
+cat <<EOF
+nproc:  $(nproc)
+kernel: $(uname -srvm)
+distro: $PRETTY_NAME
+sh:     $(ls -l /bin/sh | sed 's|.* /bin|/bin|')
+user:   $(id | cut -f -2 -d ' ')
+
+[/etc/os-release]
+$(cat /etc/os-release)
+EOF
+
+if test -z "$CI_VERBOSE"; then
+        exit
+fi
+
+cat <<EOF
+
+[env]
+$(env | LC_ALL=C sort)
+EOF
diff --git a/config.mk.in b/config.mk.in
index cfef6b8d3..6b6cf1b99 100644
--- a/config.mk.in
+++ b/config.mk.in
@@ -21,7 +21,6 @@ docdir=@docdir@
 mandir=@mandir@
 sysconfdir=@sysconfdir@
 
-HAVE_APPARMOR=@HAVE_APPARMOR@
 HAVE_CONTRIB_INSTALL=@HAVE_CONTRIB_INSTALL@
 BUSYBOX_WORKAROUND=@BUSYBOX_WORKAROUND@
 HAVE_SUID=@HAVE_SUID@
@@ -38,6 +37,7 @@ HAVE_APPARMOR=@HAVE_APPARMOR@
 HAVE_OVERLAYFS=@HAVE_OVERLAYFS@
 HAVE_FIRETUNNEL=@HAVE_FIRETUNNEL@
 HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
+HAVE_PRIVATE_LIB=@HAVE_PRIVATE_LIB@
 HAVE_IDS=@HAVE_IDS@
 HAVE_GCOV=@HAVE_GCOV@
 HAVE_SELINUX=@HAVE_SELINUX@
@@ -49,7 +49,7 @@ HAVE_LTS=@HAVE_LTS@
 HAVE_FORCE_NONEWPRIVS=@HAVE_FORCE_NONEWPRIVS@
 HAVE_ONLY_SYSCFG_PROFILES=@HAVE_ONLY_SYSCFG_PROFILES@
 
-MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_IDS) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_SELINUX) $(HAVE_SUID) $(HAVE_FORCE_NONEWPRIVS) $(HAVE_ONLY_SYSCFG_PROFILES)
+MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_PRIVATE_LIB) $(HAVE_APPARMOR) $(HAVE_IDS) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_SELINUX) $(HAVE_SUID) $(HAVE_FORCE_NONEWPRIVS) $(HAVE_ONLY_SYSCFG_PROFILES)
 
 # User variables - should not be modified in the code (as they are reserved for
 # the user building the package); see the following for details:
diff --git a/configure b/configure
index c40a794e9..dd210cd67 100755
--- a/configure
+++ b/configure
@@ -641,6 +641,7 @@ HAVE_USERNS
 HAVE_NETWORK
 HAVE_GLOBALCFG
 HAVE_CHROOT
+HAVE_PRIVATE_LIB
 HAVE_PRIVATE_HOME
 HAVE_FIRETUNNEL
 HAVE_GAWK
@@ -719,6 +720,7 @@ enable_usertmpfs
 enable_man
 enable_firetunnel
 enable_private_home
+enable_private_lib
 enable_chroot
 enable_globalcfg
 enable_network
@@ -1380,6 +1382,7 @@ Optional Features:
   --disable-man           disable man pages
   --enable-firetunnel     enable firetunnel
   --disable-private-home  disable private home feature
+  --disable-private-lib   disable private lib feature
   --disable-chroot        disable chroot
   --disable-globalcfg     if the global config file firejail.config is not
                           present, continue the program using defaults
@@ -3485,6 +3488,19 @@ if test "x$enable_private_home" != "xno"; then :
 
 fi
 
+HAVE_PRIVATE_LIB=""
+
+# Check whether --enable-private-lib was given.
+if test "${enable_private_lib+set}" = set; then :
+  enableval=$enable_private_lib;
+fi
+
+if test "x$enable_private_lib" = "xyes"; then :
+
+        HAVE_PRIVATE_LIB="-DHAVE_PRIVATE_LIB"
+
+fi
+
 HAVE_CHROOT=""
 
 # Check whether --enable-chroot was given.
@@ -3674,6 +3690,7 @@ if test "x$enable_lts" = "xyes"; then :
         HAVE_MAN="-DHAVE_MAN"
         HAVE_FIRETUNNEL=""
         HAVE_PRIVATE_HOME=""
+        HAVE_PRIVATE_LIB=""
         HAVE_CHROOT=""
         HAVE_GLOBALCFG=""
         HAVE_USERNS=""
@@ -5291,6 +5308,7 @@ Features:
    network: $HAVE_NETWORK
    overlayfs support: $HAVE_OVERLAYFS
    private home support: $HAVE_PRIVATE_HOME
+   private lib support: $HAVE_PRIVATE_LIB
    SELinux labeling support: $HAVE_SELINUX
    user namespace: $HAVE_USERNS
    X11 sandboxing support: $HAVE_X11
diff --git a/configure.ac b/configure.ac
index 2dd49bcb2..357d1da45 100644
--- a/configure.ac
+++ b/configure.ac
@@ -147,6 +147,14 @@ AS_IF([test "x$enable_private_home" != "xno"], [
         HAVE_PRIVATE_HOME="-DHAVE_PRIVATE_HOME"
 ])
 
+HAVE_PRIVATE_LIB=""
+AC_SUBST([HAVE_PRIVATE_LIB])
+AC_ARG_ENABLE([private-lib],
+    [AS_HELP_STRING([--disable-private-lib], [disable private lib feature])])
+AS_IF([test "x$enable_private_lib" = "xyes"], [
+        HAVE_PRIVATE_LIB="-DHAVE_PRIVATE_LIB"
+])
+
 HAVE_CHROOT=""
 AC_SUBST([HAVE_CHROOT])
 AC_ARG_ENABLE([chroot],
@@ -268,6 +276,7 @@ AS_IF([test "x$enable_lts" = "xyes"], [
         HAVE_MAN="-DHAVE_MAN"
         HAVE_FIRETUNNEL=""
         HAVE_PRIVATE_HOME=""
+        HAVE_PRIVATE_LIB=""
         HAVE_CHROOT=""
         HAVE_GLOBALCFG=""
         HAVE_USERNS=""
@@ -324,6 +333,7 @@ Features:
    network: $HAVE_NETWORK
    overlayfs support: $HAVE_OVERLAYFS
    private home support: $HAVE_PRIVATE_HOME
+   private lib support: $HAVE_PRIVATE_LIB
    SELinux labeling support: $HAVE_SELINUX
    user namespace: $HAVE_USERNS
    X11 sandboxing support: $HAVE_X11
diff --git a/etc/apparmor/firejail-local b/etc/apparmor/firejail-local
index e7236b0bc..557204d75 100644
--- a/etc/apparmor/firejail-local
+++ b/etc/apparmor/firejail-local
@@ -1,12 +1,12 @@
 # Site-specific additions and overrides for 'firejail-default'.
 # For more details, please see /etc/apparmor.d/local/README.
 
-# Here are some examples to allow running programs from home directory.
+# Here are some examples to allow running programs from your home directory.
 # Don't enable all of these, just pick a specific one or write a custom rule
 # instead as done below for torbrowser-launcher.
 #owner @HOME/** ix,
-#owner @HOME/bin/** ix
-#owner @HOME/.local/bin/** ix
+#owner @HOME/bin/** ix,
+#owner @HOME/.local/bin/** ix,
 
 # Uncomment to opt-in to apparmor for brave + ipfs
 #owner @{HOME}/.config/BraveSoftware/Brave-Browser/oecghfpdmkjlhnfpmmjegjacfimiafjp/*/** ix,
diff --git a/etc/inc/allow-python2.inc b/etc/inc/allow-python2.inc
index b0525e2e1..0d4ab8c35 100644
--- a/etc/inc/allow-python2.inc
+++ b/etc/inc/allow-python2.inc
@@ -2,6 +2,7 @@
 # Persistent customizations should go in a .local file.
 include allow-python2.local
 
+noblacklist ${HOME}/.local/lib/python2*
 noblacklist ${PATH}/python2*
 noblacklist /usr/include/python2*
 noblacklist /usr/lib/python2*
diff --git a/etc/inc/allow-python3.inc b/etc/inc/allow-python3.inc
index d968886b0..0693fb7e7 100644
--- a/etc/inc/allow-python3.inc
+++ b/etc/inc/allow-python3.inc
@@ -2,6 +2,7 @@
 # Persistent customizations should go in a .local file.
 include allow-python3.local
 
+noblacklist ${HOME}/.local/lib/python3*
 noblacklist ${PATH}/python3*
 noblacklist /usr/include/python3*
 noblacklist /usr/lib/python3*
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index 65159b951..4277100ce 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -69,6 +69,9 @@ blacklist ${HOME}/.xsessionrc
 blacklist /etc/X11/Xsession.d
 blacklist /etc/xdg/autostart
 read-only ${HOME}/.Xauthority
+read-only ${HOME}/.config/awesome/autorun.sh
+read-only ${HOME}/.config/openbox/autostart
+read-only ${HOME}/.config/openbox/environment
 
 # Session manager
 # see #3358
@@ -123,6 +126,7 @@ read-only ${HOME}/.config/kio_httprc
 read-only ${HOME}/.config/kiorc
 read-only ${HOME}/.config/kioslaverc
 read-only ${HOME}/.config/ksslcablacklist
+read-only ${HOME}/.config/lxqt
 read-only ${HOME}/.kde/share/apps/konsole
 read-only ${HOME}/.kde/share/apps/kssl
 read-only ${HOME}/.kde/share/config/*notifyrc
@@ -329,6 +333,7 @@ read-only ${HOME}/.ssh/config.d
 # Initialization files that allow arbitrary command execution
 read-only ${HOME}/.caffrc
 read-only ${HOME}/.cargo/env
+read-only ${HOME}/.config/mpv
 read-only ${HOME}/.config/nano
 read-only ${HOME}/.config/nvim
 read-only ${HOME}/.config/pkcs11
@@ -337,6 +342,7 @@ read-only ${HOME}/.elinks
 read-only ${HOME}/.emacs
 read-only ${HOME}/.emacs.d
 read-only ${HOME}/.exrc
+read-only ${HOME}/.gnupg/gpg.conf
 read-only ${HOME}/.gvimrc
 read-only ${HOME}/.homesick
 read-only ${HOME}/.iscreenrc
@@ -345,6 +351,7 @@ read-only ${HOME}/.local/share/cool-retro-term
 read-only ${HOME}/.local/share/nvim
 read-only ${HOME}/.local/state/nvim
 read-only ${HOME}/.mailcap
+read-only ${HOME}/.mozilla/firefox/profiles.ini
 read-only ${HOME}/.msmtprc
 read-only ${HOME}/.mutt/muttrc
 read-only ${HOME}/.muttrc
@@ -366,6 +373,10 @@ read-only ${HOME}/_gvimrc
 read-only ${HOME}/_vimrc
 read-only ${HOME}/dotfiles
 
+# System package managers and AUR helpers
+blacklist ${HOME}/.config/cower
+read-only ${HOME}/.config/cower/config
+
 # Make directories commonly found in $PATH read-only
 read-only ${HOME}/.bin
 read-only ${HOME}/.cargo/bin
@@ -391,6 +402,11 @@ read-only ${HOME}/.config/user-dirs.dirs
 read-only ${HOME}/.config/user-dirs.locale
 read-only ${HOME}/.local/share/mime
 
+# Configuration files that do not allow arbitrary command execution but that
+# are intended to be modified manually (in a text editor and/or by a program
+# dedicated to managing them)
+read-only ${HOME}/.config/MangoHud
+
 # Write-protection for thumbnailer dir
 read-only ${HOME}/.local/share/thumbnailers
 
@@ -556,6 +572,7 @@ blacklist ${PATH}/ss
 blacklist ${PATH}/traceroute
 
 # other SUID binaries
+blacklist /opt/microsoft/msedge*/msedge-sandbox
 blacklist /usr/lib/virtualbox
 blacklist /usr/lib64/virtualbox
 
diff --git a/etc/inc/disable-interpreters.inc b/etc/inc/disable-interpreters.inc
index ca43e5ed9..4e3590fed 100644
--- a/etc/inc/disable-interpreters.inc
+++ b/etc/inc/disable-interpreters.inc
@@ -61,6 +61,7 @@ blacklist /usr/lib64/ruby
 
 # Programs using python: deluge, firefox addons, filezilla, cherrytree, xchat, hexchat, libreoffice, scribus
 # Python 2
+blacklist ${HOME}/.local/lib/python2*
 blacklist ${PATH}/python2*
 blacklist /usr/include/python2*
 blacklist /usr/lib/python2*
@@ -70,6 +71,7 @@ blacklist /usr/share/python2*
 # You will want to add noblacklist for python3 stuff in the firefox and/or chromium profiles if you use the Gnome connector (see Issue #2026)
 
 # Python 3
+blacklist ${HOME}/.local/lib/python3*
 blacklist ${PATH}/python3*
 blacklist /usr/include/python3*
 blacklist /usr/lib/python3*
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 3eb6c03d5..211111aaa 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -51,6 +51,7 @@ blacklist ${HOME}/.bibletime
 blacklist ${HOME}/.bitcoin
 blacklist ${HOME}/.blobby
 blacklist ${HOME}/.bogofilter
+blacklist ${HOME}/.bsfilter
 blacklist ${HOME}/.bundle
 blacklist ${HOME}/.bzf
 blacklist ${HOME}/.cache/0ad
@@ -83,6 +84,7 @@ blacklist ${HOME}/.cache/Tox
 blacklist ${HOME}/.cache/Zeal
 blacklist ${HOME}/.cache/agenda
 blacklist ${HOME}/.cache/akonadi*
+blacklist ${HOME}/.cache/ani-cli
 blacklist ${HOME}/.cache/atril
 blacklist ${HOME}/.cache/attic
 blacklist ${HOME}/.cache/audacity
@@ -318,6 +320,7 @@ blacklist ${HOME}/.config/PacmanLogViewer
 blacklist ${HOME}/.config/PawelStolowski
 blacklist ${HOME}/.config/Philipp Schmieder
 blacklist ${HOME}/.config/Pinta
+blacklist ${HOME}/.config/Postman
 blacklist ${HOME}/.config/QGIS
 blacklist ${HOME}/.config/QMediathekView
 blacklist ${HOME}/.config/QQ
@@ -399,7 +402,6 @@ blacklist ${HOME}/.config/cmus
 blacklist ${HOME}/.config/cointop
 blacklist ${HOME}/.config/com.github.bleakgrey.tootle
 blacklist ${HOME}/.config/corebird
-blacklist ${HOME}/.config/cower
 blacklist ${HOME}/.config/coyim
 blacklist ${HOME}/.config/d-feet
 blacklist ${HOME}/.config/darktable
@@ -410,6 +412,7 @@ blacklist ${HOME}/.config/digikam
 blacklist ${HOME}/.config/digikamrc
 blacklist ${HOME}/.config/discord
 blacklist ${HOME}/.config/discordcanary
+blacklist ${HOME}/.config/discordptb
 blacklist ${HOME}/.config/dkl
 blacklist ${HOME}/.config/dnox
 blacklist ${HOME}/.config/dolphin-emu
@@ -477,6 +480,7 @@ blacklist ${HOME}/.config/inox
 blacklist ${HOME}/.config/iridium
 blacklist ${HOME}/.config/itch
 blacklist ${HOME}/.config/jami
+blacklist ${HOME}/.config/jami.net
 blacklist ${HOME}/.config/jd-gui.cfg
 blacklist ${HOME}/.config/jgit
 blacklist ${HOME}/.config/k3brc
@@ -517,6 +521,7 @@ blacklist ${HOME}/.config/leafpad
 blacklist ${HOME}/.config/libreoffice
 blacklist ${HOME}/.config/liferea
 blacklist ${HOME}/.config/linphone
+blacklist ${HOME}/.config/lobster
 blacklist ${HOME}/.config/lugaru
 blacklist ${HOME}/.config/lutris
 blacklist ${HOME}/.config/lximage-qt
@@ -952,6 +957,7 @@ blacklist ${HOME}/.local/share/kwrite
 blacklist ${HOME}/.local/share/kxmlgui5/*
 blacklist ${HOME}/.local/share/liferea
 blacklist ${HOME}/.local/share/linphone
+blacklist ${HOME}/.local/share/lobster
 blacklist ${HOME}/.local/share/local-mail
 blacklist ${HOME}/.local/share/lollypop
 blacklist ${HOME}/.local/share/love
@@ -1027,6 +1033,7 @@ blacklist ${HOME}/.local/share/wormux
 blacklist ${HOME}/.local/share/xplayer
 blacklist ${HOME}/.local/share/xreader
 blacklist ${HOME}/.local/share/zathura
+blacklist ${HOME}/.local/state/ani-cli
 blacklist ${HOME}/.local/state/audacity
 blacklist ${HOME}/.local/state/pipewire
 blacklist ${HOME}/.lv2
@@ -1177,6 +1184,7 @@ blacklist ${HOME}/Arduino
 blacklist ${HOME}/Monero/wallets
 blacklist ${HOME}/Nextcloud
 blacklist ${HOME}/Nextcloud/Notes
+blacklist ${HOME}/Postman
 blacklist ${HOME}/Seafile/.seafile-data
 blacklist ${HOME}/SoftMaker
 blacklist ${HOME}/Standard Notes Backups
diff --git a/etc/inc/whitelist-common.inc b/etc/inc/whitelist-common.inc
index c9f21b2dc..cae059f89 100644
--- a/etc/inc/whitelist-common.inc
+++ b/etc/inc/whitelist-common.inc
@@ -10,16 +10,12 @@ whitelist ${HOME}/.asoundrc
 whitelist ${HOME}/.config/ibus
 whitelist ${HOME}/.config/mimeapps.list
 whitelist ${HOME}/.config/pkcs11
-read-only ${HOME}/.config/pkcs11
 whitelist ${HOME}/.config/user-dirs.dirs
-read-only ${HOME}/.config/user-dirs.dirs
 whitelist ${HOME}/.config/user-dirs.locale
-read-only ${HOME}/.config/user-dirs.locale
 whitelist ${HOME}/.drirc
 whitelist ${HOME}/.icons
 ?HAS_APPIMAGE: whitelist ${HOME}/.local/share/appimagekit
 whitelist ${HOME}/.local/share/applications
-read-only ${HOME}/.local/share/applications
 whitelist ${HOME}/.local/share/icons
 whitelist ${HOME}/.local/share/mime
 whitelist ${HOME}/.mime.types
@@ -68,6 +64,7 @@ whitelist ${HOME}/.config/kdeglobals
 whitelist ${HOME}/.config/kio_httprc
 whitelist ${HOME}/.config/kioslaverc
 whitelist ${HOME}/.config/ksslcablacklist
+whitelist ${HOME}/.config/lxqt
 whitelist ${HOME}/.config/qt5ct
 whitelist ${HOME}/.config/qt6ct
 whitelist ${HOME}/.config/qtcurve
diff --git a/etc/profile-a-l/DiscordPTB.profile b/etc/profile-a-l/DiscordPTB.profile
new file mode 100644
index 000000000..4570f0103
--- /dev/null
+++ b/etc/profile-a-l/DiscordPTB.profile
@@ -0,0 +1,10 @@
+# Firejail profile for DiscordPTB
+# This file is overwritten after every install/update
+# Persistent local customizations
+include DiscordPTB.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include discord-ptb.profile
diff --git a/etc/profile-a-l/agetpkg.profile b/etc/profile-a-l/agetpkg.profile
index 7a36302f1..9ebbf1cb0 100644
--- a/etc/profile-a-l/agetpkg.profile
+++ b/etc/profile-a-l/agetpkg.profile
@@ -28,7 +28,6 @@ include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 caps.drop all
-hostname agetpkg
 ipc-namespace
 machine-id
 netfilter
diff --git a/etc/profile-a-l/ani-cli.profile b/etc/profile-a-l/ani-cli.profile
new file mode 100644
index 000000000..f05653719
--- /dev/null
+++ b/etc/profile-a-l/ani-cli.profile
@@ -0,0 +1,39 @@
+# Firejail profile for ani-cli
+# Description: Shell script to watch Anime from the terminal
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include ani-cli.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.cache/ani-cli
+noblacklist ${HOME}/.local/state/ani-cli
+
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
+include disable-proc.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/ani-cli
+mkdir ${HOME}/.local/state/ani-cli
+whitelist ${HOME}/.cache/ani-cli
+whitelist ${HOME}/.local/state/ani-cli
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+
+#machine-id
+nodvd
+noprinters
+notv
+
+disable-mnt
+private-bin ani-cli,aria2c,cat,cp,curl,cut,ffmpeg,fzf,grep,head,mkdir,mv,nl,nohup,patch,sed,sh,sort,tail,tput,tr,uname,wc
+#private-cache
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg
+private-tmp
+
+# Redirect
+include mpv.profile
diff --git a/etc/profile-a-l/apostrophe.profile b/etc/profile-a-l/apostrophe.profile
index 0655c2e6f..cc9c893de 100644
--- a/etc/profile-a-l/apostrophe.profile
+++ b/etc/profile-a-l/apostrophe.profile
@@ -1,5 +1,5 @@
 # Firejail profile for apostrophe
-# Description: Distraction free Markdown editor for GNU/Linux made with GTK+
+# Description: Distraction free Markdown editor for GNU/Linux made with GTK
 # This file is overwritten after every install/update
 # Persistent local customizations
 include apostrophe.local
diff --git a/etc/profile-a-l/archiver-common.profile b/etc/profile-a-l/archiver-common.profile
index ef875c5b7..487e0c5f8 100644
--- a/etc/profile-a-l/archiver-common.profile
+++ b/etc/profile-a-l/archiver-common.profile
@@ -23,7 +23,6 @@ include disable-shell.inc
 
 apparmor
 caps.drop all
-hostname archiver
 ipc-namespace
 machine-id
 net none
diff --git a/etc/profile-a-l/awesome.profile b/etc/profile-a-l/awesome.profile
index d8c073c8d..910dd8a91 100644
--- a/etc/profile-a-l/awesome.profile
+++ b/etc/profile-a-l/awesome.profile
@@ -16,5 +16,4 @@ noroot
 protocol unix,inet,inet6
 seccomp !chroot
 
-read-only ${HOME}/.config/awesome/autorun.sh
 #restrict-namespaces
diff --git a/etc/profile-a-l/blink-common-hardened.inc.profile b/etc/profile-a-l/blink-common-hardened.inc.profile
new file mode 100644
index 000000000..c092a9746
--- /dev/null
+++ b/etc/profile-a-l/blink-common-hardened.inc.profile
@@ -0,0 +1,11 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include blink-common-hardened.inc.local
+
+caps.drop all
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp !chroot
+
+#restrict-namespaces
diff --git a/etc/profile-a-l/blink-common.profile b/etc/profile-a-l/blink-common.profile
new file mode 100644
index 000000000..ff17dc479
--- /dev/null
+++ b/etc/profile-a-l/blink-common.profile
@@ -0,0 +1,40 @@
+# Firejail profile for blink-common
+# Description: Common profile for Blink-based applications
+# This file is overwritten after every install/update
+# Persistent local customizations
+include blink-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+#include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+# If your kernel allows the creation of user namespaces by unprivileged users
+# (for example, if running `unshare -U echo enabled` prints "enabled"), you
+# can add the next line to your blink-common.local.
+#include blink-common-hardened.inc.profile
+
+apparmor
+caps.keep sys_admin,sys_chroot
+netfilter
+nodvd
+nogroups
+noinput
+notv
+
+disable-mnt
+private-cache
+
+dbus-system none
diff --git a/etc/profile-a-l/bluefish.profile b/etc/profile-a-l/bluefish.profile
index d24f76262..e65f76a60 100644
--- a/etc/profile-a-l/bluefish.profile
+++ b/etc/profile-a-l/bluefish.profile
@@ -1,5 +1,5 @@
 # Firejail profile for bluefish
-# Description: Advanced Gtk+ text editor for web and software development
+# Description: Advanced GTK text editor for web and software development
 # This file is overwritten after every install/update
 # Persistent local customizations
 include bluefish.local
diff --git a/etc/profile-a-l/celluloid.profile b/etc/profile-a-l/celluloid.profile
index 7b0f7bdf0..9f83b8232 100644
--- a/etc/profile-a-l/celluloid.profile
+++ b/etc/profile-a-l/celluloid.profile
@@ -1,5 +1,5 @@
 # Firejail profile for celluloid
-# Description: Simple GTK+ frontend for mpv
+# Description: Simple GTK frontend for mpv
 # This file is overwritten after every install/update
 # Persistent local customizations
 include celluloid.local
diff --git a/etc/profile-a-l/chafa.profile b/etc/profile-a-l/chafa.profile
index 72f79681d..f21a34f36 100644
--- a/etc/profile-a-l/chafa.profile
+++ b/etc/profile-a-l/chafa.profile
@@ -39,6 +39,7 @@ nosound
 notv
 nou2f
 novideo
+# block socket syscall to simulate empty protocol option (see #639)
 seccomp socket
 seccomp.block-secondary
 tracelog
diff --git a/etc/profile-a-l/chromium-common-hardened.inc.profile b/etc/profile-a-l/chromium-common-hardened.inc.profile
index c3944bd65..0e0416de1 100644
--- a/etc/profile-a-l/chromium-common-hardened.inc.profile
+++ b/etc/profile-a-l/chromium-common-hardened.inc.profile
@@ -1,11 +1,10 @@
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
+# Firejail profile alias for blink-common-hardened.inc
+# This file is overwritten after every install/update
+# Persistent local customizations
 include chromium-common-hardened.inc.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
 
-caps.drop all
-nonewprivs
-noroot
-protocol unix,inet,inet6,netlink
-seccomp !chroot
-
-#restrict-namespaces
+# Redirect
+include blink-common-hardened.inc.profile
diff --git a/etc/profile-a-l/chromium-common.profile b/etc/profile-a-l/chromium-common.profile
index f1f2f5f68..878e0fe1d 100644
--- a/etc/profile-a-l/chromium-common.profile
+++ b/etc/profile-a-l/chromium-common.profile
@@ -17,42 +17,21 @@ noblacklist /usr/lib/chromium/chrome-sandbox
 # to have access to Gnome extensions (extensions.gnome.org) via browser connector
 #include allow-python3.inc
 
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-programs.inc
-include disable-xdg.inc
-
 mkdir ${HOME}/.local/share/pki
 mkdir ${HOME}/.pki
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.local/share/pki
 whitelist ${HOME}/.pki
 whitelist /usr/share/mozilla/extensions
 whitelist /usr/share/webext
-include whitelist-common.inc
 include whitelist-run-common.inc
-include whitelist-runuser-common.inc
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
 
 # If your kernel allows the creation of user namespaces by unprivileged users
 # (for example, if running `unshare -U echo enabled` prints "enabled"), you
 # can add the next line to your chromium-common.local.
 #include chromium-common-hardened.inc.profile
 
-apparmor
-caps.keep sys_admin,sys_chroot
-netfilter
-nodvd
-nogroups
-noinput
-notv
 ?BROWSER_DISABLE_U2F: nou2f
 
-disable-mnt
-private-cache
 ?BROWSER_DISABLE_U2F: private-dev
 #private-tmp - issues when using multiple browser sessions
 
@@ -61,7 +40,9 @@ blacklist ${PATH}/wget
 blacklist ${PATH}/wget2
 
 #dbus-user none - prevents access to passwords saved in GNOME Keyring and KWallet, also breaks Gnome connector.
-dbus-system none
 
 # The file dialog needs to work without d-bus.
 ?HAS_NODBUS: env NO_CHROME_KDE_FILE_DIALOG=1
+
+# Redirect
+include blink-common.profile
diff --git a/etc/profile-a-l/claws-mail.profile b/etc/profile-a-l/claws-mail.profile
index e0f1bca94..7fefc68b1 100644
--- a/etc/profile-a-l/claws-mail.profile
+++ b/etc/profile-a-l/claws-mail.profile
@@ -1,5 +1,5 @@
 # Firejail profile for claws-mail
-# Description: Fast, lightweight and user-friendly GTK based email client
+# Description: Fast, lightweight and user-friendly GTK-based email client
 # This file is overwritten after every install/update
 # Persistent local customizations
 include claws-mail.local
diff --git a/etc/profile-a-l/clipit.profile b/etc/profile-a-l/clipit.profile
index 504bce0b1..321d59783 100644
--- a/etc/profile-a-l/clipit.profile
+++ b/etc/profile-a-l/clipit.profile
@@ -1,5 +1,5 @@
 # Firejail profile for clipit
-# Description: Lightweight GTK+ clipboard manager
+# Description: Lightweight GTK clipboard manager
 # This file is overwritten after every install/update
 # Persistent local customizations
 include clipit.local
diff --git a/etc/profile-a-l/com.github.bleakgrey.tootle.profile b/etc/profile-a-l/com.github.bleakgrey.tootle.profile
index 8b7d2317c..180282869 100644
--- a/etc/profile-a-l/com.github.bleakgrey.tootle.profile
+++ b/etc/profile-a-l/com.github.bleakgrey.tootle.profile
@@ -1,5 +1,5 @@
 # Firejail profile for com.github.bleakgrey.tootle
-# Description: Gtk Mastodon client
+# Description: GTK Mastodon client
 # This file is overwritten after every install/update
 # Persistent local customizations
 include com.github.bleakgrey.tootle.local
diff --git a/etc/profile-a-l/corebird.profile b/etc/profile-a-l/corebird.profile
index 1774669f1..09f80d7bb 100644
--- a/etc/profile-a-l/corebird.profile
+++ b/etc/profile-a-l/corebird.profile
@@ -1,5 +1,5 @@
 # Firejail profile for corebird
-# Description: Native Gtk+ Twitter client for the Linux desktop
+# Description: Native GTK Twitter client for the Linux desktop
 # This file is overwritten after every install/update
 # Persistent local customizations
 include corebird.local
diff --git a/etc/profile-a-l/cower.profile b/etc/profile-a-l/cower.profile
index e896f3537..9b05b4416 100644
--- a/etc/profile-a-l/cower.profile
+++ b/etc/profile-a-l/cower.profile
@@ -45,5 +45,4 @@ private-dev
 private-tmp
 
 memory-deny-write-execute
-read-only ${HOME}/.config/cower/config
 restrict-namespaces
diff --git a/etc/profile-a-l/deadbeef.profile b/etc/profile-a-l/deadbeef.profile
index 4eb89503a..71afecd7a 100644
--- a/etc/profile-a-l/deadbeef.profile
+++ b/etc/profile-a-l/deadbeef.profile
@@ -1,5 +1,5 @@
 # Firejail profile for deadbeef
-# Description: A GTK+ audio player for GNU/Linux
+# Description: A GTK audio player for GNU/Linux
 # This file is overwritten after every install/update
 # Persistent local customizations
 include deadbeef.local
diff --git a/etc/profile-a-l/dino-im.profile b/etc/profile-a-l/dino-im.profile
index ae0549d3e..3f4e3a381 100644
--- a/etc/profile-a-l/dino-im.profile
+++ b/etc/profile-a-l/dino-im.profile
@@ -1,5 +1,5 @@
 # Firejail profile for dino-im
-# Description: Modern XMPP Chat Client using GTK+/Vala, Ubuntu specific bin name
+# Description: Modern XMPP Chat Client using GTK/Vala, Ubuntu specific bin name
 # This file is overwritten after every install/update
 # Persistent local customizations
 include dino-im.local
diff --git a/etc/profile-a-l/dino.profile b/etc/profile-a-l/dino.profile
index 1f7134ff2..fe2b59a1e 100644
--- a/etc/profile-a-l/dino.profile
+++ b/etc/profile-a-l/dino.profile
@@ -1,5 +1,5 @@
 # Firejail profile for dino
-# Description: Modern XMPP Chat Client using GTK+/Vala
+# Description: Modern XMPP Chat Client using GTK/Vala
 # This file is overwritten after every install/update
 # Persistent local customizations
 include dino.local
diff --git a/etc/profile-a-l/discord-ptb.profile b/etc/profile-a-l/discord-ptb.profile
new file mode 100644
index 000000000..c39c0d843
--- /dev/null
+++ b/etc/profile-a-l/discord-ptb.profile
@@ -0,0 +1,17 @@
+# Firejail profile for discord-ptb   
+# This file is overwritten after every install/update
+# Persistent local customizations
+include discord-ptb.local   
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/discordptb   
+
+mkdir ${HOME}/.config/discordptb   
+whitelist ${HOME}/.config/discordptb   
+
+private-bin discord-ptb,DiscordPTB   
+private-opt discord-ptb,DiscordPTB   
+
+# Redirect
+include discord-common.profile
diff --git a/etc/profile-a-l/electron-common.profile b/etc/profile-a-l/electron-common.profile
index 73b6d1067..bb48d6332 100644
--- a/etc/profile-a-l/electron-common.profile
+++ b/etc/profile-a-l/electron-common.profile
@@ -7,40 +7,21 @@ include electron-common.local
 noblacklist ${HOME}/.config/Electron
 noblacklist ${HOME}/.config/electron*-flag*.conf
 
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-programs.inc
-include disable-xdg.inc
-
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.config/Electron
 whitelist ${HOME}/.config/electron*-flag*.conf
-include whitelist-common.inc
-include whitelist-runuser-common.inc
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
 
 # If your kernel allows the creation of user namespaces by unprivileged users
 # (for example, if running `unshare -U echo enabled` prints "enabled"), you
 # can add the next line to your electron-common.local.
 #include electron-common-hardened.inc.profile
 
-apparmor
-caps.keep sys_admin,sys_chroot
-netfilter
-nodvd
-nogroups
-noinput
-notv
 nou2f
 novideo
 
-disable-mnt
-private-cache
 private-dev
 private-tmp
 
 dbus-user none
-dbus-system none
+
+# Redirect
+include blink-common.profile
diff --git a/etc/profile-a-l/electron-mail.profile b/etc/profile-a-l/electron-mail.profile
index 9f4fabd68..766fe523b 100644
--- a/etc/profile-a-l/electron-mail.profile
+++ b/etc/profile-a-l/electron-mail.profile
@@ -24,7 +24,6 @@ whitelist ${HOME}/.config/electron-mail
 # there isn't a Firefox instance running with the default profile; see #5352)
 noblacklist ${HOME}/.mozilla
 whitelist ${HOME}/.mozilla/firefox/profiles.ini
-read-only ${HOME}/.mozilla/firefox/profiles.ini
 
 machine-id
 nosound
diff --git a/etc/profile-a-l/element-desktop.profile b/etc/profile-a-l/element-desktop.profile
index 48a826f2e..7b4994a85 100644
--- a/etc/profile-a-l/element-desktop.profile
+++ b/etc/profile-a-l/element-desktop.profile
@@ -18,6 +18,7 @@ whitelist /opt/Element
 private-opt Element
 
 dbus-user filter
+dbus-user.talk org.freedesktop.Notifications
 dbus-user.talk org.freedesktop.secrets
 
 # Redirect
diff --git a/etc/profile-a-l/email-common.profile b/etc/profile-a-l/email-common.profile
index bf5b67255..8eee662ad 100644
--- a/etc/profile-a-l/email-common.profile
+++ b/etc/profile-a-l/email-common.profile
@@ -8,6 +8,7 @@ include email-common.local
 #include globals.local
 
 noblacklist ${HOME}/.bogofilter
+noblacklist ${HOME}/.bsfilter
 noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.mozilla
 noblacklist ${HOME}/.signature
@@ -20,6 +21,9 @@ noblacklist /var/spool/mail
 
 noblacklist ${DOCUMENTS}
 
+# Allow perl (blacklisted by disable-interpreters.inc)
+include allow-perl.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -30,15 +34,18 @@ include disable-xdg.inc
 mkdir ${HOME}/.gnupg
 mkfile ${HOME}/.config/mimeapps.list
 mkfile ${HOME}/.signature
+whitelist ${HOME}/.bogofilter
+whitelist ${HOME}/.bsfilter
 whitelist ${HOME}/.config/mimeapps.list
-whitelist ${HOME}/.mozilla/firefox/profiles.ini
 whitelist ${HOME}/.gnupg
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
 whitelist ${HOME}/.signature
 whitelist ${DOCUMENTS}
 whitelist ${DOWNLOADS}
 # when storing mail outside the default ${HOME}/Mail path, 'whitelist' the custom path in your email-common.local
 whitelist ${HOME}/Mail
 whitelist ${RUNUSER}/gnupg
+whitelist /usr/share/bogofilter
 whitelist /usr/share/gnupg
 whitelist /usr/share/gnupg2
 whitelist /var/lib/clamav 
@@ -71,7 +78,7 @@ tracelog
 # disable-mnt
 private-cache
 private-dev
-private-etc @tls-ca,@x11,clamav,gnupg,hosts.conf,mailname,timezone
+private-etc @tls-ca,@x11,bogofilter,bogofilter.cf,gnupg,hosts.conf,mailname,timezone
 private-tmp
 # encrypting and signing email
 writable-run-user
@@ -86,6 +93,5 @@ dbus-user.talk org.gnome.seahorse.*
 dbus-user.talk org.mozilla.*
 dbus-system none
 
-read-only ${HOME}/.mozilla/firefox/profiles.ini
 read-only ${HOME}/.signature
 restrict-namespaces
diff --git a/etc/profile-a-l/engrampa.profile b/etc/profile-a-l/engrampa.profile
index 1118c3bf0..e1d107dc7 100644
--- a/etc/profile-a-l/engrampa.profile
+++ b/etc/profile-a-l/engrampa.profile
@@ -10,18 +10,21 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
+include disable-proc.inc
 include disable-programs.inc
 
 include whitelist-var-common.inc
 
 apparmor
 caps.drop all
+machine-id
 net none
 no3d
 nodvd
 nogroups
 noinput
 nonewprivs
+noprinters
 noroot
 nosound
 notv
@@ -29,6 +32,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 tracelog
 
 # private-bin engrampa
diff --git a/etc/profile-a-l/file-roller.profile b/etc/profile-a-l/file-roller.profile
index 4f39bec55..78e2751b3 100644
--- a/etc/profile-a-l/file-roller.profile
+++ b/etc/profile-a-l/file-roller.profile
@@ -29,6 +29,7 @@ nodvd
 nogroups
 noinput
 nonewprivs
+noprinters
 noroot
 nosound
 notv
@@ -45,6 +46,10 @@ private-dev
 private-etc @x11
 # private-tmp
 
+dbus-user filter
+dbus-user.own org.gnome.ArchiveManager1
+dbus-user.own org.gnome.FileRoller
+dbus-user.talk ca.desrt.dconf
 dbus-system none
 
 restrict-namespaces
diff --git a/etc/profile-a-l/file.profile b/etc/profile-a-l/file.profile
index a5fd05bc7..78f1327c5 100644
--- a/etc/profile-a-l/file.profile
+++ b/etc/profile-a-l/file.profile
@@ -15,7 +15,6 @@ include disable-programs.inc
 
 apparmor
 caps.drop all
-hostname file
 ipc-namespace
 machine-id
 net none
diff --git a/etc/profile-a-l/firefox.profile b/etc/profile-a-l/firefox.profile
index 0e1d30958..42d59157c 100644
--- a/etc/profile-a-l/firefox.profile
+++ b/etc/profile-a-l/firefox.profile
@@ -14,6 +14,9 @@ include globals.local
 # https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions#how-do-i-run-two-instances-of-firefox
 # https://github.com/netblue30/firejail/issues/4206#issuecomment-824806968
 
+# (Ignore entry from disable-common.inc)
+ignore read-only ${HOME}/.mozilla/firefox/profiles.ini
+
 noblacklist ${HOME}/.cache/mozilla
 noblacklist ${HOME}/.mozilla
 noblacklist ${RUNUSER}/*firefox*
diff --git a/etc/profile-a-l/gajim.profile b/etc/profile-a-l/gajim.profile
index c8414ad1b..7cef2dbbb 100644
--- a/etc/profile-a-l/gajim.profile
+++ b/etc/profile-a-l/gajim.profile
@@ -1,5 +1,5 @@
 # Firejail profile for gajim
-# Description: GTK+-based Jabber client
+# Description: GTK-based Jabber client
 # This file is overwritten after every install/update
 # Persistent local customizations
 include gajim.local
diff --git a/etc/profile-a-l/galculator.profile b/etc/profile-a-l/galculator.profile
index 96ded592d..44d62cc86 100644
--- a/etc/profile-a-l/galculator.profile
+++ b/etc/profile-a-l/galculator.profile
@@ -23,7 +23,6 @@ include whitelist-var-common.inc
 
 apparmor
 caps.drop all
-#hostname galculator - breaks Arch Linux
 #ipc-namespace
 net none
 nodvd
diff --git a/etc/profile-a-l/gallery-dl.profile b/etc/profile-a-l/gallery-dl.profile
index 9c8200dc4..9643820e7 100644
--- a/etc/profile-a-l/gallery-dl.profile
+++ b/etc/profile-a-l/gallery-dl.profile
@@ -15,4 +15,4 @@ private-bin gallery-dl
 private-etc gallery-dl.conf
 
 # Redirect
-include youtube-dl.profile
+include yt-dlp.profile
diff --git a/etc/profile-a-l/gdu.profile b/etc/profile-a-l/gdu.profile
index 4eb94edf4..4066a1ebf 100644
--- a/etc/profile-a-l/gdu.profile
+++ b/etc/profile-a-l/gdu.profile
@@ -26,7 +26,7 @@ nosound
 notv
 nou2f
 novideo
-# block the socket syscall to simulate an be empty protocol line, see #639
+# block socket syscall to simulate empty protocol option (see #639)
 seccomp socket
 seccomp.block-secondary
 x11 none
diff --git a/etc/profile-a-l/geary.profile b/etc/profile-a-l/geary.profile
index a19a20ba7..ba0837780 100644
--- a/etc/profile-a-l/geary.profile
+++ b/etc/profile-a-l/geary.profile
@@ -91,5 +91,4 @@ dbus-user.talk org.gnome.evolution.dataserver.Sources5
 dbus-user.talk org.mozilla.*
 dbus-system none
 
-read-only ${HOME}/.mozilla/firefox/profiles.ini
 restrict-namespaces
diff --git a/etc/profile-a-l/geekbench.profile b/etc/profile-a-l/geekbench.profile
index 3a929774a..e8d4c013f 100644
--- a/etc/profile-a-l/geekbench.profile
+++ b/etc/profile-a-l/geekbench.profile
@@ -25,7 +25,6 @@ include whitelist-var-common.inc
 
 apparmor
 caps.drop all
-hostname geekbench
 ipc-namespace
 machine-id
 netfilter
diff --git a/etc/profile-a-l/geeqie.profile b/etc/profile-a-l/geeqie.profile
index 95adc6840..f81a49e4f 100644
--- a/etc/profile-a-l/geeqie.profile
+++ b/etc/profile-a-l/geeqie.profile
@@ -1,5 +1,5 @@
 # Firejail profile for geeqie
-# Description: Image viewer using GTK+
+# Description: Image viewer using GTK
 # This file is overwritten after every install/update
 # Persistent local customizations
 include geeqie.local
diff --git a/etc/profile-a-l/gtk-lbry-viewer.profile b/etc/profile-a-l/gtk-lbry-viewer.profile
index e1fb53b16..6d143bbe0 100644
--- a/etc/profile-a-l/gtk-lbry-viewer.profile
+++ b/etc/profile-a-l/gtk-lbry-viewer.profile
@@ -1,12 +1,14 @@
 # Firejail profile for gtk-lbry-viewer
-# Description: Gtk front-end to lbry-viewer
+# Description: GTK front-end to lbry-viewer
 # This file is overwritten after every install/update
 # Persistent local customizations
 include gtk-lbry-viewer.local
 # added by included profile
 #include globals.local
 
-ignore quiet
+private-bin gtk-lbry-viewer
+
+include gtk-youtube-viewers-common.profile
 
 # Redirect
 include lbry-viewer.profile
diff --git a/etc/profile-a-l/gtk-pipe-viewer.profile b/etc/profile-a-l/gtk-pipe-viewer.profile
index 9c212ff6e..059961742 100644
--- a/etc/profile-a-l/gtk-pipe-viewer.profile
+++ b/etc/profile-a-l/gtk-pipe-viewer.profile
@@ -1,12 +1,14 @@
 # Firejail profile for gtk-pipe-viewer
-# Description: Gtk front-end to pipe-viewer
+# Description: GTK front-end to pipe-viewer
 # This file is overwritten after every install/update
 # Persistent local customizations
 include gtk-pipe-viewer.local
 # added by included profile
 #include globals.local
 
-ignore quiet
+private-bin gtk-pipe-viewer
+
+include gtk-youtube-viewers-common.profile
 
 # Redirect
 include pipe-viewer.profile
diff --git a/etc/profile-a-l/gtk-straw-viewer.profile b/etc/profile-a-l/gtk-straw-viewer.profile
index 978b3d896..5f1933258 100644
--- a/etc/profile-a-l/gtk-straw-viewer.profile
+++ b/etc/profile-a-l/gtk-straw-viewer.profile
@@ -1,12 +1,14 @@
 # Firejail profile for gtk-straw-viewer
-# Description: Gtk front-end to straw-viewer
+# Description: GTK front-end to straw-viewer
 # This file is overwritten after every install/update
 # Persistent local customizations
 include gtk-straw-viewer.local
 # added by included profile
 #include globals.local
 
-ignore quiet
+private-bin gtk-straw-viewer
+
+include gtk-youtube-viewers-common.profile
 
 # Redirect
 include straw-viewer.profile
diff --git a/etc/profile-a-l/gtk-youtube-viewer.profile b/etc/profile-a-l/gtk-youtube-viewer.profile
index c814f0fef..2bbd8910e 100644
--- a/etc/profile-a-l/gtk-youtube-viewer.profile
+++ b/etc/profile-a-l/gtk-youtube-viewer.profile
@@ -1,12 +1,14 @@
 # Firejail profile for gtk-youtube-viewer
-# Description: Gtk front-end to youtube-viewer
+# Description: GTK front-end to youtube-viewer
 # This file is overwritten after every install/update
 # Persistent local customizations
 include gtk-youtube-viewer.local
 # added by included profile
 #include globals.local
 
-ignore quiet
+private-bin gtk-youtube-viewer
+
+include gtk-youtube-viewers-common.profile
 
 # Redirect
 include youtube-viewer.profile
diff --git a/etc/profile-a-l/gtk-youtube-viewers-common.profile b/etc/profile-a-l/gtk-youtube-viewers-common.profile
new file mode 100644
index 000000000..049448a23
--- /dev/null
+++ b/etc/profile-a-l/gtk-youtube-viewers-common.profile
@@ -0,0 +1,22 @@
+# Firejail profile for gtk-youtube-viewer clones
+# Description: common profile for Trizen's gtk Youtube viewers
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gtk-youtube-viewers-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+ignore quiet
+
+# The lines below are needed to find the default Firefox profile name, to allow
+# opening links in an existing instance of Firefox (note that it still fails if
+# there isn't a Firefox instance running with the default profile; see #5352)
+noblacklist ${HOME}/.mozilla
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+
+private-bin firefox,xterm
+
+dbus-user filter
+# allow D-Bus communication with firefox for opening links
+dbus-user.talk org.mozilla.*
diff --git a/etc/profile-a-l/gtk2-youtube-viewer.profile b/etc/profile-a-l/gtk2-youtube-viewer.profile
index 787c7bd90..8ff09f4d2 100644
--- a/etc/profile-a-l/gtk2-youtube-viewer.profile
+++ b/etc/profile-a-l/gtk2-youtube-viewer.profile
@@ -1,17 +1,14 @@
 # Firejail profile for gtk2-youtube-viewer
-# Description: Gtk front-end to youtube-viewer
+# Description: GTK front-end to youtube-viewer
 # This file is overwritten after every install/update
 # Persistent local customizations
 include gtk2-youtube-viewer.local
 # added by included profile
 #include globals.local
 
-ignore quiet
+private-bin gtk2-youtube-viewer
 
-noblacklist /tmp/.X11-unix
-noblacklist ${RUNUSER}
-
-include whitelist-runuser-common.inc
+include gtk-youtube-viewers-common.profile
 
 # Redirect
 include youtube-viewer.profile
diff --git a/etc/profile-a-l/gtk3-youtube-viewer.profile b/etc/profile-a-l/gtk3-youtube-viewer.profile
index 988882622..fdcb438de 100644
--- a/etc/profile-a-l/gtk3-youtube-viewer.profile
+++ b/etc/profile-a-l/gtk3-youtube-viewer.profile
@@ -1,17 +1,14 @@
 # Firejail profile for gtk3-youtube-viewer
-# Description: Gtk front-end to youtube-viewer
+# Description: GTK front-end to youtube-viewer
 # This file is overwritten after every install/update
 # Persistent local customizations
 include gtk3-youtube-viewer.local
 # added by included profile
 #include globals.local
 
-ignore quiet
+private-bin gtk3-youtube-viewer
 
-noblacklist /tmp/.X11-unix
-noblacklist ${RUNUSER}
-
-include whitelist-runuser-common.inc
+include gtk-youtube-viewers-common.profile
 
 # Redirect
 include youtube-viewer.profile
diff --git a/etc/profile-a-l/guvcview.profile b/etc/profile-a-l/guvcview.profile
index 467bee3a0..0e4125791 100644
--- a/etc/profile-a-l/guvcview.profile
+++ b/etc/profile-a-l/guvcview.profile
@@ -1,5 +1,5 @@
 # Firejail profile for guvcview
-# Description: GTK+ base UVC Viewer
+# Description: GTK-based UVC Viewer
 # This file is overwritten after every install/update
 # Persistent local customizations
 include guvcview.local
diff --git a/etc/profile-a-l/handbrake.profile b/etc/profile-a-l/handbrake.profile
index 488665154..e0ef23cce 100644
--- a/etc/profile-a-l/handbrake.profile
+++ b/etc/profile-a-l/handbrake.profile
@@ -1,5 +1,5 @@
 # Firejail profile for handbrake
-# Description: Versatile DVD ripper and video transcoder (GTK+ GUI)
+# Description: Versatile DVD ripper and video transcoder (GTK GUI)
 # This file is overwritten after every install/update
 # Persistent local customizations
 include handbrake.local
diff --git a/etc/profile-a-l/jami.profile b/etc/profile-a-l/jami.profile
new file mode 100644
index 000000000..deff54bcd
--- /dev/null
+++ b/etc/profile-a-l/jami.profile
@@ -0,0 +1,18 @@
+# Firejail profile for jami
+# Description: An encrypted peer-to-peer messenger
+# This file is overwritten after every install/update
+# Persistent local customizations
+include jami.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+noblacklist ${HOME}/.config/jami.net
+
+mkdir ${HOME}/.config/jami.net
+mkdir ${HOME}/Videos/Jami
+whitelist ${HOME}/.config/jami.net
+whitelist ${HOME}/Videos/Jami
+
+# Redirect
+include jami-gnome.profile
diff --git a/etc/profile-a-l/keepassxc.profile b/etc/profile-a-l/keepassxc.profile
index f7959ca81..4e8c8e449 100644
--- a/etc/profile-a-l/keepassxc.profile
+++ b/etc/profile-a-l/keepassxc.profile
@@ -93,6 +93,7 @@ private-etc
 private-tmp
 
 dbus-user filter
+dbus-user.own org.freedesktop.secrets
 dbus-user.own org.keepassxc.KeePassXC.*
 dbus-user.talk com.canonical.Unity
 dbus-user.talk org.freedesktop.ScreenSaver
diff --git a/etc/profile-a-l/kube.profile b/etc/profile-a-l/kube.profile
index 5183a9327..5cf30ed40 100644
--- a/etc/profile-a-l/kube.profile
+++ b/etc/profile-a-l/kube.profile
@@ -77,5 +77,4 @@ dbus-user.talk org.freedesktop.secrets
 dbus-user.talk org.freedesktop.Notifications
 dbus-system none
 
-read-only ${HOME}/.mozilla/firefox/profiles.ini
 restrict-namespaces
diff --git a/etc/profile-a-l/lbry-viewer.profile b/etc/profile-a-l/lbry-viewer.profile
index f6a02ac83..aad1330e0 100644
--- a/etc/profile-a-l/lbry-viewer.profile
+++ b/etc/profile-a-l/lbry-viewer.profile
@@ -15,7 +15,7 @@ mkdir ${HOME}/.cache/lbry-viewer
 whitelist ${HOME}/.cache/lbry-viewer
 whitelist ${HOME}/.config/lbry-viewer
 
-private-bin gtk-lbry-viewer,lbry-viewer
+private-bin lbry-viewer
 
 # Redirect
 include youtube-viewers-common.profile
diff --git a/etc/profile-a-l/leafpad.profile b/etc/profile-a-l/leafpad.profile
index 27b27a20b..ef0029c73 100644
--- a/etc/profile-a-l/leafpad.profile
+++ b/etc/profile-a-l/leafpad.profile
@@ -1,5 +1,5 @@
 # Firejail profile for leafpad
-# Description: GTK+ based simple text editor
+# Description: GTK-based simple text editor
 # This file is overwritten after every install/update
 # Persistent local customizations
 include leafpad.local
diff --git a/etc/profile-a-l/linuxqq.profile b/etc/profile-a-l/linuxqq.profile
index 9157d910b..6ca8b8103 100644
--- a/etc/profile-a-l/linuxqq.profile
+++ b/etc/profile-a-l/linuxqq.profile
@@ -37,7 +37,5 @@ dbus-user.talk org.gnome.Mutter.IdleMonitor
 dbus-user.talk org.mozilla.*
 ignore dbus-user none
 
-read-only ${HOME}/.mozilla/firefox/profiles.ini
-
 # Redirect
 include electron-common.profile
diff --git a/etc/profile-a-l/lobster.profile b/etc/profile-a-l/lobster.profile
new file mode 100644
index 000000000..2b0fc5275
--- /dev/null
+++ b/etc/profile-a-l/lobster.profile
@@ -0,0 +1,39 @@
+# Firejail profile for lobster
+# Description: Shell script to watch Movies/Webseries/Shows from the terminal
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include lobster.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.config/lobster
+noblacklist ${HOME}/.local/share/lobster
+
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
+include disable-proc.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/lobster
+mkdir ${HOME}/.local/share/lobster
+whitelist ${HOME}/.config/lobster
+whitelist ${HOME}/.local/share/lobster
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+
+#machine-id
+nodvd
+noprinters
+notv
+
+disable-mnt
+private-bin curl,cut,fzf,grep,head,lobster,mv,patch,rm,sed,sh,tail,tput,tr,uname
+#private-cache
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg
+private-tmp
+
+# Redirect
+include mpv.profile
diff --git a/etc/profile-m-z/Postman.profile b/etc/profile-m-z/Postman.profile
new file mode 100644
index 000000000..d08acf60b
--- /dev/null
+++ b/etc/profile-m-z/Postman.profile
@@ -0,0 +1,10 @@
+# Firejail profile for Postman
+# This file is overwritten after every install/update
+# Persistent local customizations
+include Postman.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include postman.profile
diff --git a/etc/profile-m-z/makepkg.profile b/etc/profile-m-z/makepkg.profile
index e9d245a6d..266d00395 100644
--- a/etc/profile-m-z/makepkg.profile
+++ b/etc/profile-m-z/makepkg.profile
@@ -19,7 +19,6 @@ blacklist ${RUNUSER}/wayland-*
 
 # Enable severely restricted access to ${HOME}/.gnupg
 noblacklist ${HOME}/.gnupg
-read-only ${HOME}/.gnupg/gpg.conf
 read-only ${HOME}/.gnupg/trustdb.gpg
 read-only ${HOME}/.gnupg/pubring.kbx
 blacklist ${HOME}/.gnupg/random_seed
diff --git a/etc/profile-m-z/marker.profile b/etc/profile-m-z/marker.profile
index 2fb527ad5..e7daedea5 100644
--- a/etc/profile-m-z/marker.profile
+++ b/etc/profile-m-z/marker.profile
@@ -1,5 +1,5 @@
 # Firejail profile for marker
-# Description: Marker is a markdown editor for Linux made with Gtk+-3.0
+# Description: Marker is a markdown editor for Linux made with GTK
 # This file is overwritten after every install/update
 # Persistent local customizations
 include marker.local
diff --git a/etc/profile-m-z/mdr.profile b/etc/profile-m-z/mdr.profile
index d3b3c6d48..7b83d61e1 100644
--- a/etc/profile-m-z/mdr.profile
+++ b/etc/profile-m-z/mdr.profile
@@ -21,7 +21,6 @@ include whitelist-var-common.inc
 
 apparmor
 caps.drop all
-hostname mdr
 ipc-namespace
 machine-id
 net none
diff --git a/etc/profile-m-z/microsoft-edge-beta.profile b/etc/profile-m-z/microsoft-edge-beta.profile
index 63844ad70..6843c11c7 100644
--- a/etc/profile-m-z/microsoft-edge-beta.profile
+++ b/etc/profile-m-z/microsoft-edge-beta.profile
@@ -1,5 +1,5 @@
 # Firejail profile for Microsoft Edge Beta
-# Description: Web browser from Microsoft,beta channel
+# Description: Web browser from Microsoft, beta channel
 # This file is overwritten after every install/update
 # Persistent local customizations
 include microsoft-edge-beta.local
@@ -8,6 +8,7 @@ include globals.local
 
 noblacklist ${HOME}/.cache/microsoft-edge-beta
 noblacklist ${HOME}/.config/microsoft-edge-beta
+noblacklist /opt/microsoft/msedge-beta/msedge-sandbox
 
 mkdir ${HOME}/.cache/microsoft-edge-beta
 mkdir ${HOME}/.config/microsoft-edge-beta
@@ -15,6 +16,8 @@ whitelist ${HOME}/.cache/microsoft-edge-beta
 whitelist ${HOME}/.config/microsoft-edge-beta
 
 whitelist /opt/microsoft/msedge-beta
+# private-opt might break the file-copy-limit, see #5307
+#private-opt microsoft
 
 # Redirect
 include chromium-common.profile
diff --git a/etc/profile-m-z/microsoft-edge-dev.profile b/etc/profile-m-z/microsoft-edge-dev.profile
index b01fd7c25..b9cdaf98b 100644
--- a/etc/profile-m-z/microsoft-edge-dev.profile
+++ b/etc/profile-m-z/microsoft-edge-dev.profile
@@ -1,5 +1,5 @@
 # Firejail profile for Microsoft Edge Dev
-# Description: Web browser from Microsoft,dev channel
+# Description: Web browser from Microsoft, dev channel
 # This file is overwritten after every install/update
 # Persistent local customizations
 include microsoft-edge-dev.local
@@ -8,6 +8,7 @@ include globals.local
 
 noblacklist ${HOME}/.cache/microsoft-edge-dev
 noblacklist ${HOME}/.config/microsoft-edge-dev
+noblacklist /opt/microsoft/msedge-dev/msedge-sandbox
 
 mkdir ${HOME}/.cache/microsoft-edge-dev
 mkdir ${HOME}/.config/microsoft-edge-dev
@@ -15,6 +16,8 @@ whitelist ${HOME}/.cache/microsoft-edge-dev
 whitelist ${HOME}/.config/microsoft-edge-dev
 
 whitelist /opt/microsoft/msedge-dev
+# private-opt might break file-copy-limit, see #5307
+#private-opt microsoft
 
 # Redirect
 include chromium-common.profile
diff --git a/etc/profile-m-z/microsoft-edge-stable.profile b/etc/profile-m-z/microsoft-edge-stable.profile
new file mode 100644
index 000000000..c5b2b4301
--- /dev/null
+++ b/etc/profile-m-z/microsoft-edge-stable.profile
@@ -0,0 +1,11 @@
+# Firejail profile for Microsoft Edge Stable
+# Description: Web browser from Microsoft, stable channel
+# This file is overwritten after every install/update
+# Persistent local customizations
+include microsoft-edge-stable.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include microsoft-edge.profile
diff --git a/etc/profile-m-z/microsoft-edge.profile b/etc/profile-m-z/microsoft-edge.profile
index 4cd8c85a5..ededb9cbd 100644
--- a/etc/profile-m-z/microsoft-edge.profile
+++ b/etc/profile-m-z/microsoft-edge.profile
@@ -1,5 +1,5 @@
 # Firejail profile for Microsoft Edge
-# Description: Web browser from Microsoft,stable channel
+# Description: Web browser from Microsoft, stable channel
 # This file is overwritten after every install/update
 # Persistent local customizations
 include microsoft-edge.local
@@ -8,6 +8,7 @@ include globals.local
 
 noblacklist ${HOME}/.cache/microsoft-edge
 noblacklist ${HOME}/.config/microsoft-edge
+noblacklist /opt/microsoft/msedge/msedge-sandbox
 
 mkdir ${HOME}/.cache/microsoft-edge
 mkdir ${HOME}/.config/microsoft-edge
@@ -15,6 +16,8 @@ whitelist ${HOME}/.cache/microsoft-edge
 whitelist ${HOME}/.config/microsoft-edge
 
 whitelist /opt/microsoft/msedge
+# private-opt might break default file-copy-limit, see #5307
+#private-opt microsoft
 
 # Redirect
 include chromium-common.profile
diff --git a/etc/profile-m-z/mov-cli.profile b/etc/profile-m-z/mov-cli.profile
new file mode 100644
index 000000000..74d630e24
--- /dev/null
+++ b/etc/profile-m-z/mov-cli.profile
@@ -0,0 +1,29 @@
+# Firejail profile for mov-cli
+# Description: Python script for watching movies and TV shows via the terminal
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include mov-cli.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+include disable-proc.inc
+include disable-xdg.inc
+
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+
+#machine-id
+nodvd
+noprinters
+notv
+
+disable-mnt
+private-bin ffmpeg,fzf,mov-cli
+#private-cache
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg
+private-tmp
+
+# Redirect
+include mpv.profile
diff --git a/etc/profile-m-z/mp3splt-gtk.profile b/etc/profile-m-z/mp3splt-gtk.profile
index ed344ba3f..682b0173d 100644
--- a/etc/profile-m-z/mp3splt-gtk.profile
+++ b/etc/profile-m-z/mp3splt-gtk.profile
@@ -1,5 +1,5 @@
 # Firejail profile for mp3splt-gtk
-# Description: Gtk utility for mp3/ogg splitting without decoding
+# Description: GTK utility for mp3/ogg splitting without decoding
 # This file is overwritten after every install/update
 # Persistent local customizations
 include mp3splt-gtk.local
diff --git a/etc/profile-m-z/mpv.profile b/etc/profile-m-z/mpv.profile
index c9706999a..85f414562 100644
--- a/etc/profile-m-z/mpv.profile
+++ b/etc/profile-m-z/mpv.profile
@@ -11,13 +11,13 @@ include globals.local
 # edit ~/.config/mpv/foobar.conf:
 #    screenshot-directory=~/Pictures
 
-# Mpv has a powerful lua-API, some off these lua-scripts interact
-# with external resources which are blocked by firejail. In such cases
-# you need to allow these resources by
-#  - adding additional binaries to private-bin
+# mpv has a powerful Lua API and some of the Lua scripts interact with
+# external resources which are blocked by firejail. In such cases you need to
+# allow these resources by:
+#  - noblacklisting additional paths
 #  - whitelisting additional paths
-#  - noblacklisting paths
-#  - weaking the dbus-policy
+#  - adding additional binaries to private-bin
+#  - changing/weakening the D-Bus policy
 #  - ...
 #
 # Often these scripts require a shell:
@@ -75,10 +75,12 @@ nonewprivs
 noroot
 nou2f
 protocol unix,inet,inet6,netlink
-seccomp
+seccomp !set_mempolicy
 seccomp.block-secondary
 tracelog
 
+# mpv links to libluajit, so no need to reference "lua*" in private-bin:
+# https://github.com/netblue30/firejail/pull/5711#discussion_r1125622615
 private-bin env,mpv,python*,waf,youtube-dl,yt-dlp
 # private-cache causes slow OSD, see #2838
 #private-cache
diff --git a/etc/profile-m-z/openbox.profile b/etc/profile-m-z/openbox.profile
index 2da867dec..9b566a42b 100644
--- a/etc/profile-m-z/openbox.profile
+++ b/etc/profile-m-z/openbox.profile
@@ -16,6 +16,4 @@ noroot
 protocol unix,inet,inet6
 seccomp !chroot
 
-read-only ${HOME}/.config/openbox/autostart
-read-only ${HOME}/.config/openbox/environment
 #restrict-namespaces
diff --git a/etc/profile-m-z/pidgin.profile b/etc/profile-m-z/pidgin.profile
index 2dc49a28d..d78478687 100644
--- a/etc/profile-m-z/pidgin.profile
+++ b/etc/profile-m-z/pidgin.profile
@@ -36,7 +36,7 @@ nonewprivs
 noroot
 notv
 nou2f
-protocol unix,inet,inet6
+protocol unix,inet,inet6,netlink
 seccomp
 # shell none
 tracelog
diff --git a/etc/profile-m-z/pipe-viewer.profile b/etc/profile-m-z/pipe-viewer.profile
index 3de064311..77393274e 100644
--- a/etc/profile-m-z/pipe-viewer.profile
+++ b/etc/profile-m-z/pipe-viewer.profile
@@ -15,7 +15,7 @@ mkdir ${HOME}/.cache/pipe-viewer
 whitelist ${HOME}/.cache/pipe-viewer
 whitelist ${HOME}/.config/pipe-viewer
 
-private-bin gtk-pipe-viewer,pipe-viewer
+private-bin pipe-viewer
 
 # Redirect
 include youtube-viewers-common.profile
diff --git a/etc/profile-m-z/pngquant.profile b/etc/profile-m-z/pngquant.profile
index 34199a08d..481bade92 100644
--- a/etc/profile-m-z/pngquant.profile
+++ b/etc/profile-m-z/pngquant.profile
@@ -38,7 +38,7 @@ nosound
 notv
 nou2f
 novideo
-# block the socket syscall to simulate an be empty protocol line, see #639
+# block socket syscall to simulate empty protocol option (see #639)
 seccomp socket
 tracelog
 x11 none
diff --git a/etc/profile-m-z/porn-cli.profile b/etc/profile-m-z/porn-cli.profile
new file mode 100644
index 000000000..f33ff439c
--- /dev/null
+++ b/etc/profile-m-z/porn-cli.profile
@@ -0,0 +1,14 @@
+# Firejail profile for porn-cli
+# Description: Python script for watching porn via the terminal
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include porn-cli.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+private-bin porn-cli
+
+# Redirect
+include mov-cli.profile
diff --git a/etc/profile-m-z/postman.profile b/etc/profile-m-z/postman.profile
new file mode 100644
index 000000000..c8f00584d
--- /dev/null
+++ b/etc/profile-m-z/postman.profile
@@ -0,0 +1,28 @@
+# Firejail profile for postman
+# Description: API testing platform
+# This file is overwritten after every install/update
+# Persistent local customizations
+include postman.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/Postman
+noblacklist ${HOME}/Postman
+
+mkdir ${HOME}/.config/Postman
+mkdir ${HOME}/Postman
+whitelist ${HOME}/.config/Postman
+whitelist ${HOME}/Postman
+include whitelist-run-common.inc
+
+protocol unix,inet,inet6,netlink
+
+private-bin electron,electron[0-9],electron[0-9][0-9],locale,node,Postman,postman,sh
+private-etc alternatives,ca-certificates,crypto-policies,fonts,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,nsswitch.conf,pki,resolv.conf,ssl
+# private-opt breaks file-copy-limit, use a whitelist instead of draining RAM
+# https://github.com/netblue30/firejail/discussions/5307
+#private-opt postman
+whitelist /opt/postman
+
+# Redirect
+include electron-common.profile
diff --git a/etc/profile-m-z/pycharm-professional.profile b/etc/profile-m-z/pycharm-professional.profile
index 126f5cec8..b61089d36 100644
--- a/etc/profile-m-z/pycharm-professional.profile
+++ b/etc/profile-m-z/pycharm-professional.profile
@@ -1,7 +1,7 @@
 # Firejail profilen alias for pycharm-professional
 # This file is overwritten after every install/update
 # Persistent local customizations
-include pyucharm-professional.local
+include pycharm-professional.local
 # Persistent global definitions
 # added by included profile
 #include globals.local
diff --git a/etc/profile-m-z/qpdf.profile b/etc/profile-m-z/qpdf.profile
index 0c1e09e92..edec7cf0a 100644
--- a/etc/profile-m-z/qpdf.profile
+++ b/etc/profile-m-z/qpdf.profile
@@ -31,7 +31,6 @@ include whitelist-var-common.inc
 
 apparmor
 caps.drop all
-hostname qpdf
 ipc-namespace
 machine-id
 net none
@@ -46,7 +45,7 @@ nosound
 notv
 nou2f
 novideo
-# block the socket syscall to simulate an be empty protocol line, see #639
+# block socket syscall to simulate empty protocol option (see #639)
 seccomp socket
 tracelog
 x11 none
diff --git a/etc/profile-m-z/qutebrowser.profile b/etc/profile-m-z/qutebrowser.profile
index 0d35dbbad..9062c8c18 100644
--- a/etc/profile-m-z/qutebrowser.profile
+++ b/etc/profile-m-z/qutebrowser.profile
@@ -62,6 +62,9 @@ private-etc @tls-ca
 private-tmp
 
 dbus-user filter
+# qutebrowser-qt6 uses a newer chrome version which uses the name 'chromium'
+# see https://github.com/qutebrowser/qutebrowser/issues/7431
+dbus-user.own org.mpris.MediaPlayer2.chromium.*
 dbus-user.own org.mpris.MediaPlayer2.qutebrowser.*
 dbus-user.talk org.freedesktop.Notifications
 # Add the next line to your qutebrowser.local to allow screen sharing under wayland.
diff --git a/etc/profile-m-z/remmina.profile b/etc/profile-m-z/remmina.profile
index 208f57710..1fb0c0626 100644
--- a/etc/profile-m-z/remmina.profile
+++ b/etc/profile-m-z/remmina.profile
@@ -1,5 +1,5 @@
 # Firejail profile for remmina
-# Description: GTK+ Remote Desktop Client
+# Description: GTK Remote Desktop Client
 # This file is overwritten after every install/update
 # Persistent local customizations
 include remmina.local
diff --git a/etc/profile-m-z/signal-desktop.profile b/etc/profile-m-z/signal-desktop.profile
index a26b41524..3e1899ef3 100644
--- a/etc/profile-m-z/signal-desktop.profile
+++ b/etc/profile-m-z/signal-desktop.profile
@@ -14,7 +14,6 @@ noblacklist ${HOME}/.config/Signal
 # These lines are needed to allow Firefox to open links
 noblacklist ${HOME}/.mozilla
 whitelist ${HOME}/.mozilla/firefox/profiles.ini
-read-only ${HOME}/.mozilla/firefox/profiles.ini
 
 mkdir ${HOME}/.config/Signal
 whitelist ${HOME}/.config/Signal
diff --git a/etc/profile-m-z/softmaker-common.profile b/etc/profile-m-z/softmaker-common.profile
index f130176c1..7ce6748d1 100644
--- a/etc/profile-m-z/softmaker-common.profile
+++ b/etc/profile-m-z/softmaker-common.profile
@@ -42,7 +42,7 @@ tracelog
 private-bin freeoffice-planmaker,freeoffice-presentations,freeoffice-textmaker,planmaker18,planmaker18free,presentations18,presentations18free,sh,textmaker18,textmaker18free
 private-cache
 private-dev
-private-etc @tls-ca,SoftMaker
+private-etc @tls-ca,fstab,SoftMaker
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/standard-notes.profile b/etc/profile-m-z/standard-notes.profile
new file mode 100644
index 000000000..db96cc80f
--- /dev/null
+++ b/etc/profile-m-z/standard-notes.profile
@@ -0,0 +1,10 @@
+# Firejail profile for standard-notes
+# This file is overwritten after every install/update
+# Persistent local customizations
+include standard-notes.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include standardnotes-desktop.profile
diff --git a/etc/profile-m-z/standardnotes-desktop.profile b/etc/profile-m-z/standardnotes-desktop.profile
index 95dc35741..3fe0963a9 100644
--- a/etc/profile-m-z/standardnotes-desktop.profile
+++ b/etc/profile-m-z/standardnotes-desktop.profile
@@ -18,6 +18,10 @@ mkdir ${HOME}/Standard Notes Backups
 mkdir ${HOME}/.config/Standard Notes
 whitelist ${HOME}/Standard Notes Backups
 whitelist ${HOME}/.config/Standard Notes
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 apparmor
diff --git a/etc/profile-m-z/steam.profile b/etc/profile-m-z/steam.profile
index a5b4d5d87..63d629a32 100644
--- a/etc/profile-m-z/steam.profile
+++ b/etc/profile-m-z/steam.profile
@@ -181,5 +181,4 @@ private-tmp
 #dbus-user none
 #dbus-system none
 
-read-only ${HOME}/.config/MangoHud
 #restrict-namespaces
diff --git a/etc/profile-m-z/straw-viewer.profile b/etc/profile-m-z/straw-viewer.profile
index 513abc21b..48f83fabc 100644
--- a/etc/profile-m-z/straw-viewer.profile
+++ b/etc/profile-m-z/straw-viewer.profile
@@ -15,7 +15,7 @@ mkdir ${HOME}/.cache/straw-viewer
 whitelist ${HOME}/.cache/straw-viewer
 whitelist ${HOME}/.config/straw-viewer
 
-private-bin gtk-straw-viewer,straw-viewer
+private-bin straw-viewer
 
 # Redirect
 include youtube-viewers-common.profile
diff --git a/etc/profile-m-z/sylpheed.profile b/etc/profile-m-z/sylpheed.profile
index 6abef85f0..5fb35aa04 100644
--- a/etc/profile-m-z/sylpheed.profile
+++ b/etc/profile-m-z/sylpheed.profile
@@ -1,5 +1,5 @@
 # Firejail profile for sylpheed
-# Description: Light weight e-mail client with GTK+
+# Description: Lightweight e-mail client made with GTK
 # This file is overwritten after every install/update
 # Persistent local customizations
 include sylpheed.local
diff --git a/etc/profile-m-z/tesseract.profile b/etc/profile-m-z/tesseract.profile
index 54568b7d3..5babfb8d2 100644
--- a/etc/profile-m-z/tesseract.profile
+++ b/etc/profile-m-z/tesseract.profile
@@ -31,7 +31,6 @@ include whitelist-var-common.inc
 
 apparmor
 caps.drop all
-hostname tesseract
 ipc-namespace
 machine-id
 net none
diff --git a/etc/profile-m-z/thunderbird.profile b/etc/profile-m-z/thunderbird.profile
index 1ac80bc9a..5df207e25 100644
--- a/etc/profile-m-z/thunderbird.profile
+++ b/etc/profile-m-z/thunderbird.profile
@@ -24,7 +24,6 @@ writable-run-user
 # These lines are needed to allow Firefox to load your profile when clicking a link in an email
 noblacklist ${HOME}/.mozilla
 whitelist ${HOME}/.mozilla/firefox/profiles.ini
-read-only ${HOME}/.mozilla/firefox/profiles.ini
 
 noblacklist ${HOME}/.cache/thunderbird
 noblacklist ${HOME}/.gnupg
diff --git a/etc/profile-m-z/trojita.profile b/etc/profile-m-z/trojita.profile
index 378c8a1b7..ba68ccb53 100644
--- a/etc/profile-m-z/trojita.profile
+++ b/etc/profile-m-z/trojita.profile
@@ -60,5 +60,4 @@ dbus-user filter
 dbus-user.talk org.freedesktop.secrets
 dbus-system none
 
-read-only ${HOME}/.mozilla/firefox/profiles.ini
 restrict-namespaces
diff --git a/etc/profile-m-z/tutanota-desktop.profile b/etc/profile-m-z/tutanota-desktop.profile
index 4af8b9292..55e4a4392 100644
--- a/etc/profile-m-z/tutanota-desktop.profile
+++ b/etc/profile-m-z/tutanota-desktop.profile
@@ -1,5 +1,5 @@
 # Firejail profile for tutanota-desktop
-# Description: Encrypted email client
+# Description: Official desktop client for the Tutanota E2E encrypted email provider
 # This file is overwritten after every install/update
 # Persistent local customizations
 include tutanota-desktop.local
@@ -9,8 +9,13 @@ include globals.local
 noblacklist ${HOME}/.config/tuta_integration
 noblacklist ${HOME}/.config/tutanota-desktop
 
+ignore dbus-user none
+ignore disable-mnt
 ignore noexec /tmp
 
+# sh is needed to allow Firefox to open links
+include allow-bin-sh.inc
+
 include disable-shell.inc
 
 mkdir ${HOME}/.config/tuta_integration
@@ -18,14 +23,25 @@ mkdir ${HOME}/.config/tutanota-desktop
 whitelist ${HOME}/.config/tuta_integration
 whitelist ${HOME}/.config/tutanota-desktop
 
-# These lines are needed to allow Firefox to open links
+# The lines below are needed to find the default Firefox profile name, to allow
+# opening links in an existing instance of Firefox (note that it still fails if
+# there isn't a Firefox instance running with the default profile; see #5352)
 noblacklist ${HOME}/.mozilla
 whitelist ${HOME}/.mozilla/firefox/profiles.ini
-read-only ${HOME}/.mozilla/firefox/profiles.ini
+
+machine-id
+nosound
 
 ?HAS_APPIMAGE: ignore private-dev
 private-etc @tls-ca
 private-opt tutanota-desktop
 
+dbus-user filter
+dbus-user.talk org.freedesktop.Notifications
+dbus-user.talk org.freedesktop.secrets
+dbus-user.talk org.gnome.keyring.SystemPrompter
+# allow D-Bus communication with firefox for opening links
+dbus-user.talk org.mozilla.*
+
 # Redirect
 include electron-common.profile
diff --git a/etc/profile-m-z/unf.profile b/etc/profile-m-z/unf.profile
index aac99aed5..cdfd72a5b 100644
--- a/etc/profile-m-z/unf.profile
+++ b/etc/profile-m-z/unf.profile
@@ -24,7 +24,6 @@ include whitelist-var-common.inc
 
 apparmor
 caps.drop all
-hostname unf
 ipc-namespace
 machine-id
 net none
diff --git a/etc/profile-m-z/url-eater.profile b/etc/profile-m-z/url-eater.profile
new file mode 100644
index 000000000..a894ff0f6
--- /dev/null
+++ b/etc/profile-m-z/url-eater.profile
@@ -0,0 +1,58 @@
+# Firejail profile for url-eater
+# Description: Clean unnecessary parameters from URLs copied to clipboard
+# This file is overwritten after every install/update
+# Persistent local customizations
+include url-eater.local
+# Persistent global definitions
+include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noprinters
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+tracelog
+
+disable-mnt
+private-bin url-eater
+private-cache
+private-dev
+private-etc url-eater.kdl
+private-lib
+#private-tmp # breaks on Arch
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+read-only ${HOME}
+restrict-namespaces
diff --git a/etc/profile-m-z/uudeview.profile b/etc/profile-m-z/uudeview.profile
index a6d2a65e9..9a9915669 100644
--- a/etc/profile-m-z/uudeview.profile
+++ b/etc/profile-m-z/uudeview.profile
@@ -19,7 +19,6 @@ include disable-shell.inc
 include whitelist-usr-share-common.inc
 
 caps.drop all
-hostname uudeview
 ipc-namespace
 machine-id
 net none
diff --git a/etc/profile-m-z/whois.profile b/etc/profile-m-z/whois.profile
index 8958564ef..8265e1ff8 100644
--- a/etc/profile-m-z/whois.profile
+++ b/etc/profile-m-z/whois.profile
@@ -22,7 +22,6 @@ include whitelist-var-common.inc
 
 apparmor
 caps.drop all
-hostname whois
 ipc-namespace
 machine-id
 netfilter
diff --git a/etc/profile-m-z/youtube-dl.profile b/etc/profile-m-z/youtube-dl.profile
index 8376b4989..9e81d745d 100644
--- a/etc/profile-m-z/youtube-dl.profile
+++ b/etc/profile-m-z/youtube-dl.profile
@@ -5,63 +5,17 @@ quiet
 # Persistent local customizations
 include youtube-dl.local
 # Persistent global definitions
-include globals.local
-
-# breaks when installed under ${HOME} via `pip install --user` (see #2833)
-ignore noexec ${HOME}
+# added by included profile
+#include globals.local
 
 noblacklist ${HOME}/.cache/youtube-dl
 noblacklist ${HOME}/.config/youtube-dl
-noblacklist ${HOME}/.netrc
-noblacklist ${MUSIC}
-noblacklist ${VIDEOS}
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
-include allow-python3.inc
-
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}
-
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-programs.inc
-include disable-shell.inc
-include disable-xdg.inc
-
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
-
-apparmor
-caps.drop all
-ipc-namespace
-machine-id
-netfilter
-no3d
-nodvd
-nogroups
-noinput
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix,inet,inet6
-seccomp
-seccomp.block-secondary
-tracelog
-
-private-bin env,ffmpeg,python*,youtube-dl
-private-cache
-private-dev
-private-etc @tls-ca,mime.types,youtube-dl.conf
-private-tmp
 
-dbus-user none
-dbus-system none
+private-bin youtube-dl
+private-etc youtube-dl.conf
 
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
-restrict-namespaces
+# Redirect
+include yt-dlp.profile
diff --git a/etc/profile-m-z/youtube-viewer.profile b/etc/profile-m-z/youtube-viewer.profile
index 825599fcc..4a0e26540 100644
--- a/etc/profile-m-z/youtube-viewer.profile
+++ b/etc/profile-m-z/youtube-viewer.profile
@@ -15,7 +15,7 @@ mkdir ${HOME}/.config/youtube-viewer
 whitelist ${HOME}/.cache/youtube-viewer
 whitelist ${HOME}/.config/youtube-viewer
 
-private-bin gtk-youtube-viewer,gtk2-youtube-viewer,gtk3-youtube-viewer,youtube-viewer
+private-bin youtube-viewer
 
 # Redirect
 include youtube-viewers-common.profile
diff --git a/etc/profile-m-z/youtube-viewers-common.profile b/etc/profile-m-z/youtube-viewers-common.profile
index 9ef90eb92..c9d2ea53b 100644
--- a/etc/profile-m-z/youtube-viewers-common.profile
+++ b/etc/profile-m-z/youtube-viewers-common.profile
@@ -8,6 +8,7 @@ include youtube-viewers-common.local
 #include globals.local
 
 noblacklist ${HOME}/.cache/youtube-dl
+noblacklist ${HOME}/.config/mpv
 
 # Allow lua (blacklisted by disable-interpreters.inc)
 include allow-lua.inc
@@ -19,13 +20,6 @@ include allow-perl.inc
 include allow-python2.inc
 include allow-python3.inc
 
-# The lines below are needed to find the default Firefox profile name, to allow
-# opening links in an existing instance of Firefox (note that it still fails if
-# there isn't a Firefox instance running with the default profile; see #5352)
-noblacklist ${HOME}/.mozilla
-whitelist ${HOME}/.mozilla/firefox/profiles.ini
-read-only ${HOME}/.mozilla/firefox/profiles.ini
-
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -35,7 +29,9 @@ include disable-xdg.inc
 
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/youtube-dl/youtube-sigfuncs
+whitelist ${HOME}/.config/mpv
 include whitelist-common.inc
+include whitelist-run-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -56,16 +52,12 @@ seccomp
 tracelog
 
 disable-mnt
-private-bin bash,ffmpeg,ffprobe,firefox,mpv,perl,python*,sh,smplayer,stty,wget,wget2,which,xterm,youtube-dl,yt-dlp
+private-bin bash,ffmpeg,ffprobe,mpv,perl,python*,sh,smplayer,stty,wget,wget2,which,youtube-dl,yt-dlp
 private-cache
 private-dev
 private-etc @tls-ca,@x11,host.conf,mime.types
 private-tmp
 
-dbus-user filter
-# allow D-Bus communication with firefox for opening links
-dbus-user.talk org.mozilla.*
-
 dbus-system none
 
 restrict-namespaces
diff --git a/etc/profile-m-z/yt-dlp.profile b/etc/profile-m-z/yt-dlp.profile
index 49d4b3b56..97f9e620a 100644
--- a/etc/profile-m-z/yt-dlp.profile
+++ b/etc/profile-m-z/yt-dlp.profile
@@ -5,17 +5,73 @@ quiet
 # Persistent local customizations
 include yt-dlp.local
 # Persistent global definitions
-# added by included profile
-#include globals.local
+include globals.local
+
+# If you installed via pip under ${HOME}
+# add 'ignore noexec ${HOME}' in yt-dlp.local.
+# AppArmor needs to allow it too,
+# add 'ignore apparmor' in yt-dlp.local
+# OR in /etc/apparmor.d/local/firejail-default add:
+# 'owner @HOME/.local/bin/** ix,'
+# 'owner @HOME/.local/lib/python*/** ix,'
+# then run the command
+# 'sudo apparmor_parser -r /etc/apparmor.d/firejail-default'
 
 noblacklist ${HOME}/.cache/yt-dlp
 noblacklist ${HOME}/.config/yt-dlp
 noblacklist ${HOME}/.config/yt-dlp.conf
 noblacklist ${HOME}/yt-dlp.conf
 noblacklist ${HOME}/yt-dlp.conf.txt
+noblacklist ${HOME}/.netrc
+noblacklist ${MUSIC}
+noblacklist ${VIDEOS}
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+tracelog
+
+private-bin env,ffmpeg,ffprobe,python*,yt-dlp
+private-cache
+private-dev
+private-etc @tls-ca,mime.types,yt-dlp.conf
+private-tmp
+
+dbus-user none
+dbus-system none
 
-private-bin ffprobe,yt-dlp
-private-etc yt-dlp.conf
+memory-deny-write-execute
 
-# Redirect
-include youtube-dl.profile
+restrict-namespaces
diff --git a/etc/profile-m-z/zeal.profile b/etc/profile-m-z/zeal.profile
index caf9eab63..09a1d37a3 100644
--- a/etc/profile-m-z/zeal.profile
+++ b/etc/profile-m-z/zeal.profile
@@ -23,7 +23,6 @@ include disable-xdg.inc
 # This also requires dbus-user filtering (see below).
 noblacklist ${HOME}/.mozilla
 whitelist ${HOME}/.mozilla/firefox/profiles.ini
-read-only ${HOME}/.mozilla/firefox/profiles.ini
 
 mkdir ${HOME}/.cache/Zeal
 mkdir ${HOME}/.config/Zeal
diff --git a/etc/templates/profile.template b/etc/templates/profile.template
index fd328f36c..b88566f54 100644
--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -221,6 +221,8 @@ include globals.local
 #dbus-user.talk org.freedesktop.Notifications
 #dbus-system none
 
+# Note: read-only entries should usually go in disable-common.inc (especially
+# entries for configuration files that allow arbitrary command execution).
 ##deterministic-shutdown
 ##env VAR=VALUE
 ##join-or-start NAME
diff --git a/gcov.sh b/gcov.sh
index 9b02d801c..735205668 100755
--- a/gcov.sh
+++ b/gcov.sh
@@ -5,7 +5,7 @@
 
 # GCOV test setup
 # required: sudo, lcov (apt-get install lcov)
-# setup: make distclean && ./configure --prefix=/usr --enable-apparmor --enable-gcov && make -j4 && sudo make install
+# setup: modify ./configure line below if necessary
 # run as regular user: ./gcov.sh
 # result in gcov-dir/index.html
 
@@ -13,37 +13,42 @@ gcov_generate() {
         USER="$(whoami)"
         find . -exec sudo chown "$USER:$USER" '{}' +
         lcov -q --capture -d src/firejail -d src/lib -d src/firecfg -d src/firemon \
-                -d src/fnet -d src/fnetfilter --output-file gcov-file
+                -d src/fnet -d src/fnetfilter -d src/fcopy -d src/fseccomp --output-file gcov-file
         genhtml -q gcov-file --output-directory gcov-dir
 }
 
+make distclean && ./configure --prefix=/usr --enable-apparmor --enable-gcov --enable-fatal-warnings && make -j4 && sudo make install
 rm -fr gcov-dir gcov-file
 firejail --version
 gcov_generate
 
-#make test-firecfg | grep TESTING
-#gcov_generate
-#make test-apparmor | grep TESTING
-#gcov_generate
+make test-firecfg | grep TESTING
+gcov_generate
+make test-capabilities | grep TESTING
+gcov_generate
+make test-seccomp-extra | grep TESTING
+gcov_generate
+make test-apparmor | grep TESTING
+gcov_generate
 make test-network | grep TESTING
 gcov_generate
-#make test-appimage | grep TESTING
-#gcov_generate
-#make test-chroot | grep TESTING
-#gcov_generate
-#make test-sysutils | grep TESTING
-#gcov_generate
-#make test-private-etc | grep TESTING
-#gcov_generate
-#make test-profiles | grep TESTING
-#gcov_generate
-#make test-fcopy | grep TESTING
-#gcov_generate
+make test-appimage | grep TESTING
+gcov_generate
+make test-chroot | grep TESTING
+gcov_generate
+make test-sysutils | grep TESTING
+gcov_generate
+make test-private-etc | grep TESTING
+gcov_generate
+make test-profiles | grep TESTING
+gcov_generate
+make test-fcopy | grep TESTING
+gcov_generate
 make test-fnetfilter | grep TESTING
 gcov_generate
-#make test-fs | grep TESTING
-#gcov_generate
-#make test-utils | grep TESTING
-#gcov_generate
-#make test-environment | grep TESTING
-#gcov_generate
+make test-fs | grep TESTING
+gcov_generate
+make test-utils | grep TESTING
+gcov_generate
+make test-environment | grep TESTING
+gcov_generate
diff --git a/src/etc-cleanup/Makefile b/src/etc-cleanup/Makefile
index 349da8821..10c28cd76 100644
--- a/src/etc-cleanup/Makefile
+++ b/src/etc-cleanup/Makefile
@@ -4,6 +4,6 @@ ROOT = ../..
 PROG = etc-cleanup
 TARGET = $(PROG)
 
-MOD_HDRS = ../include/etc-groups.h
+MOD_HDRS = ../include/etc_groups.h
 
 include $(ROOT)/src/prog.mk
diff --git a/src/etc-cleanup/main.c b/src/etc-cleanup/main.c
index 6c7bea6d6..f15ba53cd 100644
--- a/src/etc-cleanup/main.c
+++ b/src/etc-cleanup/main.c
@@ -212,13 +212,16 @@ static void process_file(const char *fname) {
         }
 }
 
+static const char *const usage_str =
+        "usage: cleanup-etc [options] file.profile [file.profile]\n"
+        "Group and clean private-etc entries in one or more profile files.\n"
+        "Options:\n"
+        "   --debug - print debug messages\n"
+        "   -h, -?, --help - this help screen\n"
+        "   --replace - replace profile file\n";
+
 static void usage(void) {
-        printf("usage: cleanup-etc [options] file.profile [file.profile]\n");
-        printf("Group and clean private-etc entries in one or more profile files.\n");
-        printf("Options:\n");
-        printf("   --debug - print debug messages\n");
-        printf("   -h, -?, --help - this help screen\n");
-        printf("   --replace - replace profile file\n");
+        puts(usage_str);
 }
 
 int main(int argc, char **argv) {
diff --git a/src/fbuilder/main.c b/src/fbuilder/main.c
index 7fdf9af68..a85d4a931 100644
--- a/src/fbuilder/main.c
+++ b/src/fbuilder/main.c
@@ -21,9 +21,12 @@
 int arg_debug = 0;
 int arg_appimage = 0;
 
+static const char *const usage_str =
+        "Firejail profile builder\n"
+        "Usage: firejail [--debug] --build[=profile-file] program-and-arguments\n";
+
 static void usage(void) {
-        printf("Firejail profile builder\n");
-        printf("Usage: firejail [--debug] --build[=profile-file] program-and-arguments\n");
+        puts(usage_str);
 }
 
 int main(int argc, char **argv) {
diff --git a/src/fcopy/main.c b/src/fcopy/main.c
index ce2efb295..a56e8a91b 100644
--- a/src/fcopy/main.c
+++ b/src/fcopy/main.c
@@ -416,18 +416,19 @@ static void duplicate_link(const char *src, const char *dest, struct stat *s) {
         free(rdest);
 }
 
+static const char *const usage_str =
+        "Usage: fcopy [--follow-link] src dest\n"
+        "\n"
+        "Copy SRC to DEST/SRC. SRC may be a file, directory, or symbolic link.\n"
+        "If SRC is a directory it is copied recursively.  If it is a symlink,\n"
+        "the link itself is duplicated, unless --follow-link is given,\n"
+        "in which case the destination of the link is copied.\n"
+        "DEST must already exist and must be a directory.\n";
 
 static void usage(void) {
-        fputs("Usage: fcopy [--follow-link] src dest\n"
-                "\n"
-                "Copy SRC to DEST/SRC. SRC may be a file, directory, or symbolic link.\n"
-                "If SRC is a directory it is copied recursively.  If it is a symlink,\n"
-                "the link itself is duplicated, unless --follow-link is given,\n"
-                "in which case the destination of the link is copied.\n"
-                "DEST must already exist and must be a directory.\n", stderr);
+        fputs(usage_str, stderr);
 }
 
-
 int main(int argc, char **argv) {
 #if 0
         {
diff --git a/src/fids/main.c b/src/fids/main.c
index f1dfdac8e..915edb6ca 100644
--- a/src/fids/main.c
+++ b/src/fids/main.c
@@ -318,10 +318,11 @@ static void process_config(const char *fname) {
         include_level--;
 }
 
-
+static const char *const usage_str =
+        "Usage: fids [--help|-h|-?] --init|--check homedir\n";
 
 void usage(void) {
-        printf("Usage: fids [--help|-h|-?] --init|--check homedir\n");
+        puts(usage_str);
 }
 
 int main(int argc, char **argv) {
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 45457fb47..1e996ef72 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -11,6 +11,7 @@ Cryptocat
 Cyberfox
 Discord
 DiscordCanary
+DiscordPTB
 Documents
 FossaMail
 Fritzing
@@ -24,6 +25,7 @@ Natron
 PCSX2
 PPSSPPQt
 PPSSPPSDL
+Postman
 QMediathekView
 QOwnNotes
 Screenshot
@@ -44,6 +46,7 @@ amarok
 amule
 amuled
 android-studio
+ani-cli
 anydesk
 apktool
 apostrophe
@@ -196,6 +199,7 @@ dino
 dino-im
 discord
 discord-canary
+discord-ptb
 display
 display-im6.q16
 dnox
@@ -418,6 +422,7 @@ ipcalc
 ipcalc-ng
 iridium
 iridium-browser
+jami
 jd-gui
 jdownloader
 jerry
@@ -483,6 +488,7 @@ linphone
 linuxqq
 lmms
 lobase
+lobster
 localc
 lodraw
 loffice
@@ -533,6 +539,7 @@ meteo-qt
 microsoft-edge
 microsoft-edge-beta
 microsoft-edge-dev
+microsoft-edge-stable
 midori
 min
 mindless
@@ -543,6 +550,7 @@ mirage
 mirrormagic
 mocp
 mousepad
+mov-cli
 mp3splt
 mp3splt-gtk
 mp3wrap
@@ -676,6 +684,8 @@ pluma
 plv
 pngquant
 polari
+porn-cli
+postman
 ppsspp
 pragha
 presentations18
@@ -873,6 +883,7 @@ unbound
 unf
 unknown-horizons
 # unzstd - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+url-eater
 utox
 uudeview
 uzbl-browser
diff --git a/src/firecfg/main.c b/src/firecfg/main.c
index e1ff7e17a..da962c35d 100644
--- a/src/firecfg/main.c
+++ b/src/firecfg/main.c
@@ -24,7 +24,7 @@ int arg_debug = 0;
 char *arg_bindir = "/usr/local/bin";
 int arg_guide = 0;
 
-static char *usage_str =
+static const char *const usage_str =
         "Firecfg is the desktop configuration utility for Firejail software. The utility\n"
         "creates several symbolic links to firejail executable. This allows the user to\n"
         "sandbox applications automatically, just by clicking on a regular desktop\n"
@@ -57,14 +57,17 @@ static char *usage_str =
         "   [...]\n"
         "\n"
         "License GPL version 2 or later\n"
-        "Homepage: https://firejail.wordpress.com\n\n";
+        "Homepage: https://firejail.wordpress.com\n";
+
+static void print_version(void) {
+        printf("firecfg version %s\n\n", VERSION);
+}
 
 static void usage(void) {
-        printf("firecfg - version %s\n\n", VERSION);
+        print_version();
         puts(usage_str);
 }
 
-
 static void list(void) {
         DIR *dir = opendir(arg_bindir);
         if (!dir) {
@@ -364,7 +367,7 @@ int main(int argc, char **argv) {
                 else if (strcmp(argv[i], "--debug") == 0)
                         arg_debug = 1;
                 else if (strcmp(argv[i], "--version") == 0) {
-                        printf("firecfg version %s\n\n", VERSION);
+                        print_version();
                         return 0;
                 }
                 else if (strcmp(argv[i], "--clean") == 0) {
@@ -410,6 +413,7 @@ int main(int argc, char **argv) {
                 }
         }
 
+        print_version();
         if (arg_debug)
                 printf("%s %d %d %d %d\n", user, getuid(), getgid(), geteuid(), getegid());
 
diff --git a/src/firejail/arp.c b/src/firejail/arp.c
index d4288b29e..ed14eb171 100644
--- a/src/firejail/arp.c
+++ b/src/firejail/arp.c
@@ -197,7 +197,11 @@ int arp_check(const char *dev, uint32_t destaddr) {
                 double timeout = timerend - now;
                 ts.tv_sec = timeout;
                 ts.tv_usec = (timeout - ts.tv_sec) * 1000000;
-                int nready = select(maxfd + 1,  &fds, (fd_set *) 0, (fd_set *) 0, &ts);
+                if (ts.tv_sec < 0)
+                        ts.tv_sec = 0;
+                if (ts.tv_usec < 0)
+                        ts.tv_usec = 0;
+                int nready = select(maxfd + 1, &fds, (fd_set *) 0, (fd_set *) 0, &ts);
                 if (nready < 0)
                         errExit("select");
                 else if (nready == 0) { // timeout
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 56f983854..d2289bb40 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -305,139 +305,128 @@ errout:
         exit(1);
 }
 
-void print_version(void) {
-        printf("firejail version %s\n", VERSION);
-        printf("\n");
-        print_compiletime_support();
-        printf("\n");
-}
-
-void print_compiletime_support(void) {
-        printf("Compile time support:\n");
-        printf("\t- always force nonewprivs support is %s\n",
+static const char *const compiletime_support =
+        "Compile time support:"
+        "\n\t- always force nonewprivs support is "
 #ifdef HAVE_FORCE_NONEWPRIVS
                 "enabled"
 #else
                 "disabled"
 #endif
-                );
 
-        printf("\t- AppArmor support is %s\n",
+        "\n\t- AppArmor support is "
 #ifdef HAVE_APPARMOR
                 "enabled"
 #else
                 "disabled"
 #endif
-                );
 
-        printf("\t- AppImage support is %s\n",
+        "\n\t- AppImage support is "
 #ifdef LOOP_CTL_GET_FREE        // test for older kernels; this definition is found in /usr/include/linux/loop.h
                 "enabled"
 #else
                 "disabled"
 #endif
-                );
 
-        printf("\t- chroot support is %s\n",
+        "\n\t- chroot support is "
 #ifdef HAVE_CHROOT
                 "enabled"
 #else
                 "disabled"
 #endif
-                );
 
-        printf("\t- D-BUS proxy support is %s\n",
+        "\n\t- D-BUS proxy support is "
 #ifdef HAVE_DBUSPROXY
                 "enabled"
 #else
                 "disabled"
 #endif
-                );
 
-        printf("\t- file transfer support is %s\n",
+        "\n\t- file transfer support is "
 #ifdef HAVE_FILE_TRANSFER
                 "enabled"
 #else
                 "disabled"
 #endif
-                );
 
-        printf("\t- firetunnel support is %s\n",
+        "\n\t- firetunnel support is "
 #ifdef HAVE_FIRETUNNEL
                 "enabled"
 #else
                 "disabled"
 #endif
-                );
 
-        printf("\t- IDS support is %s\n",
+        "\n\t- IDS support is "
 #ifdef HAVE_IDS
                 "enabled"
 #else
                 "disabled"
 #endif
-                );
 
-        printf("\t- networking support is %s\n",
+        "\n\t- networking support is "
 #ifdef HAVE_NETWORK
                 "enabled"
 #else
                 "disabled"
 #endif
-                );
 
-        printf("\t- output logging is %s\n",
+        "\n\t- output logging is "
 #ifdef HAVE_OUTPUT
                 "enabled"
 #else
                 "disabled"
 #endif
-                );
-        printf("\t- overlayfs support is %s\n",
+
+        "\n\t- overlayfs support is "
 #ifdef HAVE_OVERLAYFS
                 "enabled"
 #else
                 "disabled"
 #endif
-                );
 
-        printf("\t- private-home support is %s\n",
+        "\n\t- private-home support is "
 #ifdef HAVE_PRIVATE_HOME
                 "enabled"
 #else
                 "disabled"
 #endif
-                );
 
-        printf("\t- private-cache and tmpfs as user %s\n",
+        "\n\t- private-lib support is "
+#ifdef HAVE_PRIVATE_LIB
+                "enabled"
+#else
+                "disabled"
+#endif
+
+        "\n\t- private-cache and tmpfs as user "
 #ifdef HAVE_USERTMPFS
                 "enabled"
 #else
                 "disabled"
 #endif
-                );
 
-        printf("\t- SELinux support is %s\n",
+        "\n\t- SELinux support is "
 #ifdef HAVE_SELINUX
                 "enabled"
 #else
                 "disabled"
 #endif
-                );
 
-        printf("\t- user namespace support is %s\n",
+        "\n\t- user namespace support is "
 #ifdef HAVE_USERNS
                 "enabled"
 #else
                 "disabled"
 #endif
-                );
 
-        printf("\t- X11 sandboxing support is %s\n",
+        "\n\t- X11 sandboxing support is "
 #ifdef HAVE_X11
                 "enabled"
 #else
                 "disabled"
 #endif
-                );
+        "\n";
+
+void print_compiletime_support(void) {
+        puts(compiletime_support);
 }
diff --git a/src/firejail/env.c b/src/firejail/env.c
index ede5f812d..da3c3ac53 100644
--- a/src/firejail/env.c
+++ b/src/firejail/env.c
@@ -279,7 +279,8 @@ static void env_apply_list(const char * const *list, unsigned int num_items) {
 
         while (env) {
                 if (env->op == SETENV) {
-                        for (unsigned int i = 0; i < num_items; i++)
+                        unsigned int i;
+                        for (i = 0; i < num_items; i++)
                                 if (strcmp(env->name, list[i]) == 0) {
                                         // sanity check for whitelisted environment variables
                                         if (strlen(env->name) + strlen(env->value) >= MAX_ENV_LEN) {
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 5295393f0..d85b470e6 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -477,6 +477,8 @@ void tree(void);
 void top(void);
 
 // usage.c
+void print_version(void);
+void print_version_full(void);
 void usage(void);
 
 // process.c
@@ -525,7 +527,6 @@ int macro_id(const char *name);
 
 
 // util.c
-int invalid_name(const char *name);
 void errLogExit(char* fmt, ...) __attribute__((noreturn));
 void fwarning(char* fmt, ...);
 void fmessage(char* fmt, ...);
@@ -581,6 +582,13 @@ int has_handler(pid_t pid, int signal);
 void enter_network_namespace(pid_t pid);
 int read_pid(const char *name, pid_t *pid);
 pid_t require_pid(const char *name);
+int ascii_isalnum(unsigned char c);
+int ascii_isalpha(unsigned char c);
+int ascii_isdigit(unsigned char c);
+int ascii_islower(unsigned char c);
+int ascii_isupper(unsigned char c);
+int ascii_isxdigit(unsigned char c);
+int invalid_name(const char *name);
 void check_homedir(const char *dir);
 
 // Get info regarding the last kernel mount operation from /proc/self/mountinfo
@@ -606,7 +614,6 @@ void fs_var_run(void);
 void fs_var_lock(void);
 void fs_var_tmp(void);
 void fs_var_utmp(void);
-void dbg_test_dir(const char *dir);
 
 // fs_dev.c
 void fs_dev_shm(void);
@@ -851,7 +858,6 @@ extern char *config_seccomp_filter_add;
 extern char **whitelist_reject_topdirs;
 
 int checkcfg(int val);
-void print_version(void);
 void print_compiletime_support(void);
 
 // appimage.c
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c
index 51a58013d..9ca73eb35 100644
--- a/src/firejail/fs_dev.c
+++ b/src/firejail/fs_dev.c
@@ -177,7 +177,6 @@ static void mount_dev_shm(void) {
         int rv = mount(RUN_DEV_DIR "/shm", "/dev/shm", "none", MS_BIND, "mode=01777,gid=0");
         if (rv == -1) {
                 fwarning("cannot mount the old /dev/shm in private-dev\n");
-                dbg_test_dir(RUN_DEV_DIR "/shm");
                 empty_dev_shm();
                 return;
         }
diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c
index 3b7369ea8..dc4e5c228 100644
--- a/src/firejail/fs_etc.c
+++ b/src/firejail/fs_etc.c
@@ -111,6 +111,11 @@ char *fs_etc_build(char *str) {
 }
 
 void fs_resolvconf(void) {
+        if (arg_nonetwork) {
+                if (arg_debug)
+                        printf("arg_nonetwork found (--net=none). Skip creating /etc/resolv.conf file\n");
+                return;
+        }
         if (arg_debug)
                 printf("Creating a new /etc/resolv.conf file\n");
         FILE *fp = fopen(RUN_RESOLVCONF_FILE, "wxe");
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
index 624e74fe4..fd2441832 100644
--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -185,20 +185,10 @@ static int store_asoundrc(void) {
                 errExit("asprintf");
 
         struct stat s;
-        if (lstat(src, &s) == 0) {
-                if (S_ISLNK(s.st_mode)) {
-                        // make sure the real path of the file is inside the home directory
-                        /* coverity[toctou] */
-                        char *rp = realpath(src, NULL);
-                        if (!rp) {
-                                fprintf(stderr, "Error: Cannot access %s\n", src);
-                                exit(1);
-                        }
-                        if (strncmp(rp, cfg.homedir, strlen(cfg.homedir)) != 0 || rp[strlen(cfg.homedir)] != '/') {
-                                fprintf(stderr, "Error: .asoundrc is a symbolic link pointing to a file outside home directory\n");
-                                exit(1);
-                        }
-                        free(rp);
+        if (stat(src, &s) == 0) {
+                if (s.st_uid != getuid()) {
+                        fwarning(".asoundrc is not owned by the current user, skipping...\n");
+                        return 0;
                 }
 
                 // create an empty file as root, and change ownership to user
diff --git a/src/firejail/fs_lib.c b/src/firejail/fs_lib.c
index e349941fa..ba7a291ee 100644
--- a/src/firejail/fs_lib.c
+++ b/src/firejail/fs_lib.c
@@ -32,35 +32,6 @@ extern void fslib_install_stdc(void);
 extern void fslib_install_firejail(void);
 extern void fslib_install_system(void);
 
-static int lib_cnt = 0;
-static int dir_cnt = 0;
-
-static const char *masked_lib_dirs[] = {
-        "/usr/lib64",
-        "/lib64",
-        "/usr/lib",
-        "/lib",
-        "/usr/local/lib64",
-        "/usr/local/lib",
-        NULL,
-};
-
-// return 1 if the file is in masked_lib_dirs[]
-static int valid_full_path(const char *full_path) {
-        if (strstr(full_path, ".."))
-                return 0;
-
-        int i = 0;
-        while (masked_lib_dirs[i]) {
-                size_t len = strlen(masked_lib_dirs[i]);
-                if (strncmp(full_path, masked_lib_dirs[i], len) == 0 &&
-                    full_path[len] == '/')
-                        return 1;
-                i++;
-        }
-        return 0;
-}
-
 // return 1 if symlink to firejail executable
 int is_firejail_link(const char *fname) {
         EUID_ASSERT();
@@ -116,6 +87,36 @@ char *find_in_path(const char *program) {
         return NULL;
 }
 
+#ifdef HAVE_PRIVATE_LIB
+static int lib_cnt = 0;
+static int dir_cnt = 0;
+
+static const char *masked_lib_dirs[] = {
+        "/usr/lib64",
+        "/lib64",
+        "/usr/lib",
+        "/lib",
+        "/usr/local/lib64",
+        "/usr/local/lib",
+        NULL,
+};
+
+// return 1 if the file is in masked_lib_dirs[]
+static int valid_full_path(const char *full_path) {
+        if (strstr(full_path, ".."))
+                return 0;
+
+        int i = 0;
+        while (masked_lib_dirs[i]) {
+                size_t len = strlen(masked_lib_dirs[i]);
+                if (strncmp(full_path, masked_lib_dirs[i], len) == 0 &&
+                    full_path[len] == '/')
+                        return 1;
+                i++;
+        }
+        return 0;
+}
+
 static char *build_dest_dir(const char *full_path) {
         assert(full_path);
         if (strstr(full_path, "/x86_64-linux-gnu/"))
@@ -465,3 +466,4 @@ void fs_private_lib(void) {
         // mount lib filesystem
         mount_directories();
 }
+#endif
\ No newline at end of file
diff --git a/src/firejail/fs_lib2.c b/src/firejail/fs_lib2.c
index 540c3286f..583888e0e 100644
--- a/src/firejail/fs_lib2.c
+++ b/src/firejail/fs_lib2.c
@@ -36,6 +36,7 @@ typedef struct liblist_t {
         int len;
 } LibList;
 
+#ifdef HAVE_PRIVATE_LIB
 static LibList libc_list[] = {
         { "libselinux.so.", 0 },
         { "libpcre2-8.so.", 0 },
@@ -356,3 +357,4 @@ void fslib_install_system(void) {
                 ptr++;
         }
 }
+#endif
diff --git a/src/firejail/fs_var.c b/src/firejail/fs_var.c
index 690780a0e..4787df21e 100644
--- a/src/firejail/fs_var.c
+++ b/src/firejail/fs_var.c
@@ -230,21 +230,6 @@ void fs_var_cache(void) {
         }
 }
 
-void dbg_test_dir(const char *dir) {
-        if (arg_debug) {
-                if (is_dir(dir))
-                        printf("%s is a directory\n", dir);
-                if (is_link(dir)) {
-                        char *lnk = realpath(dir, NULL);
-                        if (lnk) {
-                                printf("%s is a symbolic link to %s\n", dir, lnk);
-                                free(lnk);
-                        }
-                }
-        }
-}
-
-
 void fs_var_lock(void) {
 
         if (is_dir("/var/lock")) {
@@ -254,10 +239,8 @@ void fs_var_lock(void) {
                         errExit("mounting /lock");
                 fs_logger("tmpfs /var/lock");
         }
-        else {
+        else
                 fwarning("/var/lock not mounted\n");
-                dbg_test_dir("/var/lock");
-        }
 }
 
 void fs_var_tmp(void) {
@@ -271,10 +254,8 @@ void fs_var_tmp(void) {
                         fs_logger("tmpfs /var/tmp");
                 }
         }
-        else {
+        else
                 fwarning("/var/tmp not mounted\n");
-                dbg_test_dir("/var/tmp");
-        }
 }
 
 void fs_var_utmp(void) {
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 62035ff04..1835d8de2 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -369,7 +369,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                 exit(0);
         }
         else if (strcmp(argv[i], "--version") == 0) {
-                print_version();
+                print_version_full();
                 exit(0);
         }
 #ifdef HAVE_OVERLAYFS
@@ -1128,7 +1128,7 @@ int main(int argc, char **argv, char **envp) {
                 EUID_USER();
                 if (rv == 0) {
                         if (check_arg(argc, argv, "--version", 1)) {
-                                print_version();
+                                print_version_full();
                                 exit(0);
                         }
 
@@ -1355,8 +1355,10 @@ int main(int argc, char **argv, char **envp) {
                         arg_debug_blacklists = 1;
                 else if (strcmp(argv[i], "--debug-whitelists") == 0)
                         arg_debug_whitelists = 1;
+#ifdef HAVE_PRIVATE_LIB
                 else if (strcmp(argv[i], "--debug-private-lib") == 0)
                         arg_debug_private_lib = 1;
+#endif
                 else if (strcmp(argv[i], "--quiet") == 0) {
                         if (!arg_debug)
                                 arg_quiet = 1;
@@ -2137,6 +2139,7 @@ int main(int argc, char **argv, char **envp) {
                         else
                                 exit_err_feature("private-bin");
                 }
+#ifdef HAVE_PRIVATE_LIB
                 else if (strncmp(argv[i], "--private-lib", 13) == 0) {
                         if (checkcfg(CFG_PRIVATE_LIB)) {
                                 // extract private lib list (if any)
@@ -2152,6 +2155,7 @@ int main(int argc, char **argv, char **envp) {
                         else
                                 exit_err_feature("private-lib");
                 }
+#endif
                 else if (strcmp(argv[i], "--private-tmp") == 0) {
                         arg_private_tmp = 1;
                 }
@@ -3006,6 +3010,11 @@ int main(int argc, char **argv, char **envp) {
         }
         EUID_ASSERT();
 
+        // Note: Only attempt to print non-debug information to stdout after
+        // all profiles have been loaded (because a profile may set arg_quiet)
+        if (!arg_quiet)
+                print_version();
+
         // block X11 sockets
         if (arg_x11_block)
                 x11_block();
diff --git a/src/firejail/netfilter.c b/src/firejail/netfilter.c
index b4deda562..32fdd6218 100644
--- a/src/firejail/netfilter.c
+++ b/src/firejail/netfilter.c
@@ -248,5 +248,5 @@ void netfilter_print(pid_t pid, int ipv6) {
                 exit(1);
         }
 
-        sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 2, iptables, "-vL");
+        sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 2, iptables, "-nvL");
 }
diff --git a/src/firejail/network.c b/src/firejail/network.c
index 0d2d53fca..3da51e195 100644
--- a/src/firejail/network.c
+++ b/src/firejail/network.c
@@ -89,30 +89,6 @@ int net_get_mtu(const char *ifname) {
         return mtu;
 }
 
-//void net_set_mtu(const char *ifname, int mtu) {
-//      if (strlen(ifname) > IFNAMSIZ) {
-//              fprintf(stderr, "Error: invalid network device name %s\n", ifname);
-//              exit(1);
-//      }
-//
-//      if (arg_debug)
-//              printf("set interface %s MTU %d.\n", ifname, mtu);
-//
-//      int s;
-//      struct ifreq ifr;
-//
-//      if ((s = socket(AF_INET, SOCK_DGRAM, 0)) < 0)
-//              errExit("socket");
-//
-//      memset(&ifr, 0, sizeof(ifr));
-//      ifr.ifr_addr.sa_family = AF_INET;
-//      strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1);
-//      ifr.ifr_mtu = mtu;
-//      if (ioctl(s, SIOCSIFMTU, (caddr_t)&ifr) != 0)
-//              fwarning("cannot set mtu for interface %s\n", ifname);
-//      close(s);
-//}
-
 // return -1 if the interface was not found; if the interface was found return 0 and fill in IP address and mask
 int net_get_if_addr(const char *bridge, uint32_t *ip, uint32_t *mask, uint8_t mac[6], int *mtu) {
         assert(bridge);
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 648fc2248..19ac8d9ec 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -949,6 +949,7 @@ int sandbox(void* sandbox_arg) {
                 }
         }
 
+#ifdef HAVE_PRIVATE_LIB
         // private-lib is disabled for appimages
         if (arg_private_lib && !arg_appimage) {
                 if (cfg.chrootdir)
@@ -959,6 +960,7 @@ int sandbox(void* sandbox_arg) {
                         fs_private_lib();
                 }
         }
+#endif
 
 #ifdef HAVE_USERTMPFS
         if (arg_private_cache) {
diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c
index 11ea5b036..59b74ec5c 100644
--- a/src/firejail/sbox.c
+++ b/src/firejail/sbox.c
@@ -26,6 +26,7 @@
 #include <sys/resource.h>
 #include <sys/wait.h>
 #include "../include/seccomp.h"
+#include "../include/gcov_wrapper.h"
 
 #include <fcntl.h>
 #ifndef O_PATH
@@ -131,6 +132,24 @@ static int __attribute__((noreturn)) sbox_do_exec_v(unsigned filtermask, char *
 #ifdef SYS_umount2
                         BLACKLIST(SYS_umount2),
 #endif
+#ifdef SYS_fsopen
+                        BLACKLIST(SYS_fsopen), // mount syscalls introduced 2019
+#endif
+#ifdef SYS_fsconfig
+                        BLACKLIST(SYS_fsconfig),
+#endif
+#ifdef SYS_fsmount
+                        BLACKLIST(SYS_fsmount),
+#endif
+#ifdef SYS_move_mount
+                        BLACKLIST(SYS_move_mount),
+#endif
+#ifdef SYS_fspick
+                        BLACKLIST(SYS_fspick),
+#endif
+#ifdef SYS_open_tree
+                        BLACKLIST(SYS_open_tree),
+#endif
 #ifdef SYS_ptrace
                         BLACKLIST(SYS_ptrace), // trace processes
 #endif
@@ -185,6 +204,9 @@ static int __attribute__((noreturn)) sbox_do_exec_v(unsigned filtermask, char *
 #ifdef SYS_syslog
                         BLACKLIST(SYS_syslog), // kernel printk control
 #endif
+#ifdef SYS_personality
+                        BLACKLIST(SYS_personality), // execution domain
+#endif
                         RETURN_ALLOW
                 };
 
@@ -238,6 +260,7 @@ static int __attribute__((noreturn)) sbox_do_exec_v(unsigned filtermask, char *
                         fprintf(stderr, "Error: %s is world writable, refusing to execute\n", arg[0]);
                         exit(1);
                 }
+                __gcov_dump();
                 fexecve(fd, arg, new_environment);
         } else {
                 assert(0);
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 965d09992..e8758c807 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -19,7 +19,7 @@
 */
 #include "firejail.h"
 
-static char *usage_str =
+static const char *const usage_str =
         "Firejail is a SUID sandbox program that reduces the risk of security breaches by\n"
         "restricting the running environment of untrusted applications using Linux\n"
         "namespaces.\n"
@@ -81,7 +81,9 @@ static char *usage_str =
         "    --debug-blacklists - debug blacklisting.\n"
         "    --debug-caps - print all recognized capabilities.\n"
         "    --debug-errnos - print all recognized error numbers.\n"
+#ifdef HAVE_PRIVATE_LIB
         "    --debug-private-lib - debug for --private-lib option.\n"
+#endif
         "    --debug-protocols - print all recognized protocols.\n"
         "    --debug-syscalls - print all recognized system calls.\n"
         "    --debug-syscalls32 - print all recognized 32 bit system calls.\n"
@@ -208,6 +210,9 @@ static char *usage_str =
         "\tcommon device files.\n"
         "    --private-etc=file,directory - build a new /etc in a temporary\n"
         "\tfilesystem, and copy the files and directories in the list.\n"
+#ifdef HAVE_PRIVATE_LIB
+        "    --private-lib - create a private /lib directory\n"
+#endif
         "    --private-tmp - mount a tmpfs on top of /tmp directory.\n"
         "    --private-cwd - do not inherit working directory inside jail.\n"
         "    --private-cwd=directory - set working directory inside jail.\n"
@@ -306,11 +311,18 @@ static char *usage_str =
         "\tlist all running sandboxes\n"
         "\n"
         "License GPL version 2 or later\n"
-        "Homepage: https://firejail.wordpress.com\n"
-        "\n";
+        "Homepage: https://firejail.wordpress.com\n";
 
+void print_version(void) {
+        printf("firejail version %s\n\n", VERSION);
+}
+
+void print_version_full(void) {
+        print_version();
+        print_compiletime_support();
+}
 
 void usage(void) {
-        printf("firejail - version %s\n\n", VERSION);
+        print_version();
         puts(usage_str);
 }
diff --git a/src/firejail/util.c b/src/firejail/util.c
index cda99e432..a0af3d4bf 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -56,7 +56,8 @@ long long unsigned parse_arg_size(char *str) {
         }
 
         /* checks for is value valid positive number */
-        for (int i = 0; i < len; i++) {
+        int i;
+        for (i = 0; i < len; i++) {
                 if (!isdigit(*(str+i))) {
                         return 0;
                 }
@@ -1448,15 +1449,42 @@ static int has_link(const char *dir) {
         return 0;
 }
 
+int ascii_isalnum(unsigned char c) {
+        return (ascii_isalpha(c) || ascii_isdigit(c));
+}
+
+int ascii_isalpha(unsigned char c) {
+        return (ascii_islower(c) || ascii_isupper(c));
+}
+
+int ascii_isdigit(unsigned char c) {
+        return (c >= '0' && c <= '9');
+}
+
+int ascii_islower(unsigned char c) {
+        return (c >= 'a' && c <= 'z');
+}
+
+int ascii_isupper(unsigned char c) {
+        return (c >= 'A' && c <= 'Z');
+}
+
+int ascii_isxdigit(unsigned char c) {
+        int ret = (ascii_isdigit(c) ||
+                  (c >= 'a' && c <= 'f') ||
+                  (c >= 'A' && c <= 'F'));
+        return ret;
+}
+
 // allow strict ASCII letters and numbers; names with only numbers are rejected; spaces are rejected
 int invalid_name(const char *name) {
         const char *c = name;
 
         int only_numbers = 1;
         while (*c) {
-                if (!isalnum(*c))
+                if (!ascii_isalnum(*c))
                         return 1;
-                if (!isdigit(*c))
+                if (!ascii_isdigit(*c))
                         only_numbers = 0;
                 ++c;
         }
diff --git a/src/firemon/firemon.c b/src/firemon/firemon.c
index 01167e555..958fa1b03 100644
--- a/src/firemon/firemon.c
+++ b/src/firemon/firemon.c
@@ -30,7 +30,6 @@ int arg_debug = 0;
 static int arg_route = 0;
 static int arg_arp = 0;
 static int arg_tree = 0;
-static int arg_interface = 0;
 static int arg_seccomp = 0;
 static int arg_caps = 0;
 static int arg_cpu = 0;
@@ -146,7 +145,7 @@ int main(int argc, char **argv) {
                         return 0;
                 }
                 else if (strcmp(argv[i], "--version") == 0) {
-                        printf("firemon version %s\n\n", VERSION);
+                        print_version();
                         return 0;
                 }
                 else if (strcmp(argv[i], "--debug") == 0)
@@ -178,13 +177,6 @@ int main(int argc, char **argv) {
                         arg_seccomp = 1;
                 else if (strcmp(argv[i], "--caps") == 0)
                         arg_caps = 1;
-                else if (strcmp(argv[i], "--interface") == 0) {
-                        if (getuid() != 0) {
-                                fprintf(stderr, "Error: you need to be root to run this command\n");
-                                exit(1);
-                        }
-                        arg_interface = 1;
-                }
 #ifdef HAVE_NETWORK
                 else if (strcmp(argv[i], "--route") == 0)
                         arg_route = 1;
@@ -261,13 +253,12 @@ int main(int argc, char **argv) {
 
         // if --name requested without other options, print all data
         if (pid && !arg_cpu && !arg_seccomp && !arg_caps && !arg_apparmor &&
-            !arg_x11 && !arg_interface && !arg_route && !arg_arp) {
+            !arg_x11  && !arg_route && !arg_arp) {
                 arg_tree = 1;
                 arg_cpu = 1;
                 arg_seccomp = 1;
                 arg_caps = 1;
                 arg_x11 = 1;
-                arg_interface = 1;
                 arg_route = 1;
                 arg_arp = 1;
                 arg_apparmor = 1;
@@ -295,10 +286,6 @@ int main(int argc, char **argv) {
                 x11((pid_t) pid, print_procs);
                 print_procs = 0;
         }
-        if (arg_interface && getuid() == 0) {
-                interface((pid_t) pid, print_procs);
-                print_procs = 0;
-        }
         if (arg_route) {
                 route((pid_t) pid, print_procs);
                 print_procs = 0;
diff --git a/src/firemon/firemon.h b/src/firemon/firemon.h
index dae071e89..be83352bb 100644
--- a/src/firemon/firemon.h
+++ b/src/firemon/firemon.h
@@ -49,6 +49,7 @@ void firemon_sleep(int st);
 void procevent(pid_t pid) __attribute__((noreturn));
 
 // usage.c
+void print_version(void);
 void usage(void);
 
 // top.c
@@ -57,9 +58,6 @@ void top(void) __attribute__((noreturn));
 // list.c
 void list(void);
 
-// interface.c
-void interface(pid_t pid, int print_procs);
-
 // arp.c
 void arp(pid_t pid, int print_procs);
 
diff --git a/src/firemon/interface.c b/src/firemon/interface.c
deleted file mode 100644
index a8e78133b..000000000
--- a/src/firemon/interface.c
+++ /dev/null
@@ -1,175 +0,0 @@
-/*
- * Copyright (C) 2014-2023 Firejail Authors
- *
- * This file is part of firejail project
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
-#include "firemon.h"
-#include "../include/gcov_wrapper.h"
-#include <sys/types.h>
-#include <sys/wait.h>
-#include <netdb.h>
-#include <arpa/inet.h>
-#include <ifaddrs.h>
-#include <net/if.h>
-#include <linux/connector.h>
-#include <linux/netlink.h>
-#include <linux/if_link.h>
-#include <linux/sockios.h>
-#include <sys/ioctl.h>
-
-//#include <net/route.h>
-//#include <linux/if_bridge.h>
-
-// print IP addresses for all interfaces
-static void net_ifprint(void) {
-        uint32_t ip;
-        uint32_t mask;
-        struct ifaddrs *ifaddr, *ifa;
-
-        int fd;
-        if ((fd = socket(AF_INET, SOCK_DGRAM, 0)) < 0) {
-                fprintf(stderr, "Error: cannot open AF_INET socket\n");
-                exit(1);
-        }
-
-        if (getifaddrs(&ifaddr) == -1)
-                errExit("getifaddrs");
-
-        // walk through the linked list
-        printf("  Link status:\n");
-        for (ifa = ifaddr; ifa != NULL; ifa = ifa->ifa_next) {
-                if (ifa->ifa_addr == NULL)
-                        continue;
-
-                if (ifa->ifa_addr->sa_family == AF_PACKET) {
-                        if (ifa->ifa_flags & IFF_RUNNING && ifa->ifa_flags & IFF_UP) {
-                                if (ifa->ifa_data != NULL) {
-                                        struct rtnl_link_stats *stats = ifa->ifa_data;
-
-                                        // extract mac address
-                                        struct ifreq ifr;
-                                        memset(&ifr, 0, sizeof(ifr));
-                                        strncpy(ifr.ifr_name,  ifa->ifa_name, IFNAMSIZ - 1);
-                                        int rv = ioctl (fd, SIOCGIFHWADDR, &ifr);
-
-                                        if (rv == 0)
-                                                printf("     %s UP, %02x:%02x:%02x:%02x:%02x:%02x\n",
-                                                        ifa->ifa_name, PRINT_MAC((unsigned char *) &ifr.ifr_hwaddr.sa_data));
-                                        else
-                                                printf("     %s UP\n", ifa->ifa_name);
-
-                                        printf("          tx/rx: %u/%u packets,  %u/%u bytes\n",
-                                                stats->tx_packets, stats->rx_packets,
-                                                stats->tx_bytes, stats->rx_bytes);
-                                }
-                        }
-                        else
-                                printf("     %s DOWN\n", ifa->ifa_name);
-                }
-        }
-
-
-        // walk through the linked list
-        printf("  IPv4 status:\n");
-        for (ifa = ifaddr; ifa != NULL; ifa = ifa->ifa_next) {
-                if (ifa->ifa_addr == NULL)
-                        continue;
-
-                if (ifa->ifa_addr->sa_family == AF_INET) {
-                        struct sockaddr_in *si = (struct sockaddr_in *) ifa->ifa_netmask;
-                        mask = ntohl(si->sin_addr.s_addr);
-                        si = (struct sockaddr_in *) ifa->ifa_addr;
-                        ip = ntohl(si->sin_addr.s_addr);
-
-                        char *status;
-                        if (ifa->ifa_flags & IFF_RUNNING && ifa->ifa_flags & IFF_UP)
-                                status = "UP";
-                        else
-                                status = "DOWN";
-
-                        printf("     %s %s, %d.%d.%d.%d/%u\n",
-                                ifa->ifa_name, status, PRINT_IP(ip), mask2bits(mask));
-                }
-        }
-
-
-        // walk through the linked list
-        printf("  IPv6 status:\n");
-        for (ifa = ifaddr; ifa != NULL; ifa = ifa->ifa_next) {
-                if (ifa->ifa_addr == NULL)
-                        continue;
-
-                if (ifa->ifa_addr->sa_family == AF_INET6) {
-                        char host[NI_MAXHOST];
-                        int s = getnameinfo(ifa->ifa_addr, sizeof(struct sockaddr_in6),
-                                host, NI_MAXHOST, NULL, 0, NI_NUMERICHOST);
-                        if (s == 0) {
-                                char *ptr;
-                                if ((ptr = strchr(host, '%')) != NULL)
-                                        *ptr = '\0';
-                                char *status;
-                                if (ifa->ifa_flags & IFF_RUNNING && ifa->ifa_flags & IFF_UP)
-                                        status = "UP";
-                                else
-                                        status = "DOWN";
-
-                                printf("     %s %s, %s\n", ifa->ifa_name, status, host);
-                        }
-                }
-        }
-
-        freeifaddrs(ifaddr);
-        close(fd);
-}
-
-static void print_sandbox(pid_t pid) {
-        pid_t child = fork();
-        if (child == -1)
-                return;
-
-        if (child == 0) {
-                int rv = join_namespace(pid, "net");
-                if (rv)
-                        return;
-                net_ifprint();
-
-                __gcov_flush();
-
-                _exit(0);
-        }
-
-        // wait for the child to finish
-        waitpid(child, NULL, 0);
-}
-
-void interface(pid_t pid, int print_procs) {
-        pid_read(pid); // a pid of 0 will include all processes
-
-        // print processes
-        int i;
-        for (i = 0; i < max_pids; i++) {
-                if (pids[i].level == 1) {
-                        if (print_procs || pid == 0)
-                                pid_print_list(i, arg_wrap);
-                        int child = find_child(i);
-                        if (child != -1) {
-                                print_sandbox(child);
-                        }
-                }
-        }
-        printf("\n");
-}
diff --git a/src/firemon/usage.c b/src/firemon/usage.c
index 169ec9163..afd2b552a 100644
--- a/src/firemon/usage.c
+++ b/src/firemon/usage.c
@@ -19,7 +19,7 @@
 */
 #include "firemon.h"
 
-static char *help_str =
+static const char *const usage_str =
         "Usage: firemon [OPTIONS] [PID]\n\n"
         "Monitor processes started in a Firejail sandbox. Without any PID specified,\n"
         "all processes started by Firejail are monitored. Descendants of these processes\n"
@@ -75,10 +75,13 @@ static char *help_str =
         "\tUser - The owner of the sandbox.\n"
         "\n"
         "License GPL version 2 or later\n"
-        "Homepage: https://firejail.wordpress.com\n"
-        "\n";
+        "Homepage: https://firejail.wordpress.com\n";
+
+void print_version(void) {
+        printf("firemon version %s\n\n", VERSION);
+}
 
 void usage(void) {
-        printf("firemon - version %s\n", VERSION);
-        puts(help_str);
+        print_version();
+        puts(usage_str);
 }
diff --git a/src/fldd/main.c b/src/fldd/main.c
index 4b645b1b3..c28cad72e 100644
--- a/src/fldd/main.c
+++ b/src/fldd/main.c
@@ -20,6 +20,7 @@
 
 #include "../include/common.h"
 #include "../include/ldd_utils.h"
+#ifdef HAVE_PRIVATE_LIB
 
 #include <fcntl.h>
 #include <sys/mman.h>
@@ -281,12 +282,13 @@ static void walk_directory(const char *dirname) {
         }
 }
 
-
+static const char *const usage_str =
+        "Usage: fldd program_or_directory [file]\n"
+        "Print a list of libraries used by program or store it in the file.\n"
+        "Print a list of libraries used by all .so files in a directory or store it in the file.\n";
 
 static void usage(void) {
-        printf("Usage: fldd program_or_directory [file]\n");
-        printf("Print a list of libraries used by program or store it in the file.\n");
-        printf("Print a list of libraries used by all .so files in a directory or store it in the file.\n");
+        puts(usage_str);
 }
 
 int main(int argc, char **argv) {
@@ -357,3 +359,9 @@ printf("\n");
                 close(fd);
         return 0;
 }
+#else
+int main(void) {
+        printf("Sorry, private lib is disabled in this build\n");
+        return 0;
+}
+#endif
diff --git a/src/fnet/interface.c b/src/fnet/interface.c
index ca7c744ed..50e1beaa0 100644
--- a/src/fnet/interface.c
+++ b/src/fnet/interface.c
@@ -213,6 +213,23 @@ void net_ifprint(int scan) {
                         fmessage("%-17.17s%-19.19s%-17.17s%-17.17s%-6.6s\n",
                                 ifa->ifa_name, macstr, ipstr, maskstr, status);
 
+                        // print ipv6 address
+                        if (!scan) {
+                                struct ifaddrs *ptr = ifa->ifa_next;
+                                while (ptr) {
+                                        if (ptr->ifa_addr->sa_family == AF_INET6 && strcmp(ifa->ifa_name, ptr->ifa_name) == 0) {
+                                                struct sockaddr_in6 *s6 = (struct sockaddr_in6 *)ptr->ifa_addr;
+                                                struct in6_addr *in_addr = &s6->sin6_addr;
+                                                char buf[64];
+                                                if(inet_ntop(ptr->ifa_addr->sa_family, in_addr, buf, sizeof(buf))) {
+                                                        fmessage("%-35.35s %s\n", " ", buf);
+                                                        break;
+                                                }
+                                        }
+                                        ptr = ptr->ifa_next;
+                                }
+                        }
+
                         // network scanning
                         if (!scan)                              // scanning disabled
                                 continue;
diff --git a/src/fnet/main.c b/src/fnet/main.c
index fc36ae977..d1c8170ca 100644
--- a/src/fnet/main.c
+++ b/src/fnet/main.c
@@ -35,19 +35,21 @@ void fmessage(char* fmt, ...) { // TODO: this function is duplicated in src/fire
         fflush(0);
 }
 
+static const char *const usage_str =
+        "Usage:\n"
+        "\tfnet create veth dev1 dev2 bridge child\n"
+        "\tfnet create macvlan dev parent child\n"
+        "\tfnet moveif dev proc\n"
+        "\tfnet printif\n"
+        "\tfnet printif scan\n"
+        "\tfnet config interface dev ip mask mtu\n"
+        "\tfnet config mac addr\n"
+        "\tfnet config ipv6 dev ip\n"
+        "\tfnet ifup dev\n"
+        "\tfnet waitll dev\n";
 
 static void usage(void) {
-        printf("Usage:\n");
-        printf("\tfnet create veth dev1 dev2 bridge child\n");
-        printf("\tfnet create macvlan dev parent child\n");
-        printf("\tfnet moveif dev proc\n");
-        printf("\tfnet printif\n");
-        printf("\tfnet printif scan\n");
-        printf("\tfnet config interface dev ip mask mtu\n");
-        printf("\tfnet config mac addr\n");
-        printf("\tfnet config ipv6 dev ip\n");
-        printf("\tfnet ifup dev\n");
-        printf("\tfnet waitll dev\n");
+        puts(usage_str);
 }
 
 int main(int argc, char **argv) {
diff --git a/src/fnetfilter/main.c b/src/fnetfilter/main.c
index 8c0f6c297..1b0335d68 100644
--- a/src/fnetfilter/main.c
+++ b/src/fnetfilter/main.c
@@ -45,9 +45,12 @@ static char *default_filter =
 "-A OUTPUT -p tcp --dport 3479 -j DROP\n"
 "COMMIT\n";
 
+static const char *const usage_str =
+        "Usage:\n"
+        "\tfnetfilter netfilter-command destination-file\n";
+
 static void usage(void) {
-        printf("Usage:\n");
-        printf("\tfnetfilter netfilter-command destination-file\n");
+        puts(usage_str);
 }
 
 static void err_exit_cannot_open_file(const char *fname) {
diff --git a/src/fnettrace-dns/main.c b/src/fnettrace-dns/main.c
index 64feec5fe..1cde1942c 100644
--- a/src/fnettrace-dns/main.c
+++ b/src/fnettrace-dns/main.c
@@ -167,13 +167,13 @@ static void run_trace(void) {
 
         close(s);
 }
-
+static const char *const usage_str =
+        "Usage: fnettrace-dns [OPTIONS]\n"
+        "Options:\n"
+        "   --help, -? - this help screen\n";
 
 static void usage(void) {
-        printf("Usage: fnettrace-dns [OPTIONS]\n");
-        printf("Options:\n");
-        printf("   --help, -? - this help screen\n");
-        printf("\n");
+        puts(usage_str);
 }
 
 int main(int argc, char **argv) {
diff --git a/src/fnettrace-icmp/main.c b/src/fnettrace-icmp/main.c
index 714917547..516a9fc5b 100644
--- a/src/fnettrace-icmp/main.c
+++ b/src/fnettrace-icmp/main.c
@@ -201,11 +201,13 @@ static void run_trace(void) {
         close(s);
 }
 
+static const char *const usage_str =
+        "Usage: fnettrace-icmp [OPTIONS]\n"
+        "Options:\n"
+        "   --help, -? - this help screen\n";
+
 static void usage(void) {
-        printf("Usage: fnettrace-icmp [OPTIONS]\n");
-        printf("Options:\n");
-        printf("   --help, -? - this help screen\n");
-        printf("\n");
+        puts(usage_str);
 }
 
 int main(int argc, char **argv) {
diff --git a/src/fnettrace-sni/main.c b/src/fnettrace-sni/main.c
index b8490b4f7..e7782d656 100644
--- a/src/fnettrace-sni/main.c
+++ b/src/fnettrace-sni/main.c
@@ -204,12 +204,13 @@ static void run_trace(void) {
         close(s);
 }
 
+static const char *const usage_str =
+        "Usage: fnettrace-sni [OPTIONS]\n"
+        "Options:\n"
+        "   --help, -? - this help screen\n";
 
 static void usage(void) {
-        printf("Usage: fnettrace-sni [OPTIONS]\n");
-        printf("Options:\n");
-        printf("   --help, -? - this help screen\n");
-        printf("\n");
+        puts(usage_str);
 }
 
 int main(int argc, char **argv) {
diff --git a/src/fnettrace/main.c b/src/fnettrace/main.c
index 2f421562e..178ac3631 100644
--- a/src/fnettrace/main.c
+++ b/src/fnettrace/main.c
@@ -668,18 +668,20 @@ void logprintf(char *fmt, ...) {
         va_end(args);
 }
 
+static const char *const usage_str =
+        "Usage: fnettrace [OPTIONS]\n"
+        "Options:\n"
+        "   --help, -? - this help screen\n"
+        "   --log=filename - netlocker logfile\n"
+        "   --netfilter - build the firewall rules and commit them.\n"
+        "   --tail - \"tail -f\" functionality\n"
+        "Examples:\n"
+        "   # fnettrace                              - traffic trace\n"
+        "   # fnettrace --netfilter --log=logfile    - netlocker, dump output in logfile\n"
+        "   # fnettrace --tail --log=logifile        - similar to \"tail -f logfile\"\n";
+
 static void usage(void) {
-        printf("Usage: fnettrace [OPTIONS]\n");
-        printf("Options:\n");
-        printf("   --help, -? - this help screen\n");
-        printf("   --log=filename - netlocker logfile\n");
-        printf("   --netfilter - build the firewall rules and commit them.\n");
-        printf("   --tail - \"tail -f\" functionality\n");
-        printf("Examples:\n");
-        printf("   # fnettrace                              - traffic trace\n");
-        printf("   # fnettrace --netfilter --log=logfile    - netlocker, dump output in logfile\n");
-        printf("   # fnettrace --tail --log=logifile        - similar to \"tail -f logfile\"\n");
-        printf("\n");
+        puts(usage_str);
 }
 
 int main(int argc, char **argv) {
diff --git a/src/fsec-optimize/main.c b/src/fsec-optimize/main.c
index 0bc521c0d..38ba7c697 100644
--- a/src/fsec-optimize/main.c
+++ b/src/fsec-optimize/main.c
@@ -22,9 +22,12 @@
 
 int arg_seccomp_error_action = SECCOMP_RET_ERRNO | EPERM; // error action: errno, log or kill
 
+static const char *const usage_str =
+        "Usage:\n"
+        "\tfsec-optimize file - optimize seccomp filter\n";
+
 static void usage(void) {
-        printf("Usage:\n");
-        printf("\tfsec-optimize file - optimize seccomp filter\n");
+        puts(usage_str);
 }
 
 int main(int argc, char **argv) {
diff --git a/src/fsec-print/main.c b/src/fsec-print/main.c
index 696c6bc0c..4d3e38648 100644
--- a/src/fsec-print/main.c
+++ b/src/fsec-print/main.c
@@ -19,9 +19,12 @@
 */
 #include "fsec_print.h"
 
+static const char *const usage_str =
+        "Usage:\n"
+        "\tfsec-print file - disassemble seccomp filter\n";
+
 static void usage(void) {
-        printf("Usage:\n");
-        printf("\tfsec-print file - disassemble seccomp filter\n");
+        puts(usage_str);
 }
 
 int arg_quiet = 0;
diff --git a/src/fseccomp/main.c b/src/fseccomp/main.c
index 57a5a6d67..e7823d3c5 100644
--- a/src/fseccomp/main.c
+++ b/src/fseccomp/main.c
@@ -22,34 +22,37 @@
 int arg_quiet = 0;
 int arg_seccomp_error_action = SECCOMP_RET_ERRNO | EPERM; // error action: errno, log or kill
 
+static const char *const usage_str =
+        "Usage:\n"
+        "\tfseccomp debug-syscalls\n"
+        "\tfseccomp debug-syscalls32\n"
+        "\tfseccomp debug-errnos\n"
+        "\tfseccomp debug-protocols\n"
+        "\tfseccomp protocol build list file\n"
+        "\tfseccomp secondary 64 file\n"
+        "\tfseccomp secondary 32 file\n"
+        "\tfseccomp secondary block file\n"
+        "\tfseccomp default file\n"
+        "\tfseccomp default file allow-debuggers\n"
+        "\tfseccomp default32 file\n"
+        "\tfseccomp default32 file allow-debuggers\n"
+        "\tfseccomp drop file1 file2 list\n"
+        "\tfseccomp drop file1 file2 list allow-debuggers\n"
+        "\tfseccomp drop32 file1 file2 list\n"
+        "\tfseccomp drop32 file1 file2 list allow-debuggers\n"
+        "\tfseccomp default drop file1 file2 list\n"
+        "\tfseccomp default drop file1 file2 list allow-debuggers\n"
+        "\tfseccomp default32 drop file1 file2 list\n"
+        "\tfseccomp default32 drop file1 file2 list allow-debuggers\n"
+        "\tfseccomp keep file1 file2 list\n"
+        "\tfseccomp keep32 file1 file2 list\n"
+        "\tfseccomp memory-deny-write-execute file\n"
+        "\tfseccomp memory-deny-write-execute.32 file\n"
+        "\tfseccomp restrict-namespaces file list\n"
+        "\tfseccomp restrict-namespaces.32 file list\n";
+
 static void usage(void) {
-        printf("Usage:\n");
-        printf("\tfseccomp debug-syscalls\n");
-        printf("\tfseccomp debug-syscalls32\n");
-        printf("\tfseccomp debug-errnos\n");
-        printf("\tfseccomp debug-protocols\n");
-        printf("\tfseccomp protocol build list file\n");
-        printf("\tfseccomp secondary 64 file\n");
-        printf("\tfseccomp secondary 32 file\n");
-        printf("\tfseccomp secondary block file\n");
-        printf("\tfseccomp default file\n");
-        printf("\tfseccomp default file allow-debuggers\n");
-        printf("\tfseccomp default32 file\n");
-        printf("\tfseccomp default32 file allow-debuggers\n");
-        printf("\tfseccomp drop file1 file2 list\n");
-        printf("\tfseccomp drop file1 file2 list allow-debuggers\n");
-        printf("\tfseccomp drop32 file1 file2 list\n");
-        printf("\tfseccomp drop32 file1 file2 list allow-debuggers\n");
-        printf("\tfseccomp default drop file1 file2 list\n");
-        printf("\tfseccomp default drop file1 file2 list allow-debuggers\n");
-        printf("\tfseccomp default32 drop file1 file2 list\n");
-        printf("\tfseccomp default32 drop file1 file2 list allow-debuggers\n");
-        printf("\tfseccomp keep file1 file2 list\n");
-        printf("\tfseccomp keep32 file1 file2 list\n");
-        printf("\tfseccomp memory-deny-write-execute file\n");
-        printf("\tfseccomp memory-deny-write-execute.32 file\n");
-        printf("\tfseccomp restrict-namespaces file list\n");
-        printf("\tfseccomp restrict-namespaces.32 file list\n");
+        puts(usage_str);
 }
 
 int main(int argc, char **argv) {
diff --git a/src/ftee/main.c b/src/ftee/main.c
index 0a492b41e..a34a76b26 100644
--- a/src/ftee/main.c
+++ b/src/ftee/main.c
@@ -180,8 +180,11 @@ static int is_link(const char *fname) {
         return 0;
 }
 
+static const char *const usage_str =
+        "Usage: ftee filename\n";
+
 static void usage(void) {
-        printf("Usage: ftee filename\n");
+        puts(usage_str);
 }
 
 int main(int argc, char **argv) {
diff --git a/src/jailcheck/main.c b/src/jailcheck/main.c
index 8e0aaa860..27da309ea 100644
--- a/src/jailcheck/main.c
+++ b/src/jailcheck/main.c
@@ -29,16 +29,19 @@ char *user_home_dir = NULL;
 char *user_run_dir = NULL;
 int arg_debug = 0;
 
-static char *usage_str =
+static const char *const usage_str =
         "Usage: jailcheck [options] directory [directory]\n\n"
         "Options:\n"
         "   --debug - print debug messages.\n"
         "   --help, -? - this help screen.\n"
         "   --version - print program version and exit.\n";
 
+static void print_version(void) {
+        printf("jailcheck version %s\n\n", VERSION);
+}
 
 static void usage(void) {
-        printf("firetest - version %s\n\n", VERSION);
+        print_version();
         puts(usage_str);
 }
 
@@ -62,7 +65,7 @@ int main(int argc, char **argv) {
                         return 0;
                 }
                 else if (strcmp(argv[i], "--version") == 0) {
-                        printf("firetest version %s\n\n", VERSION);
+                        print_version();
                         return 0;
                 }
                 else if (strncmp(argv[i], "--hello=", 8) == 0) { // used by noexec test
diff --git a/src/lib/ldd_utils.c b/src/lib/ldd_utils.c
index 39a548887..80e3b92d7 100644
--- a/src/lib/ldd_utils.c
+++ b/src/lib/ldd_utils.c
@@ -23,6 +23,7 @@
 #include <sys/stat.h>
 #include <fcntl.h>
 
+#ifdef HAVE_PRIVATE_LIB
 // todo: resolve overlap with masked_lib_dirs[] array from fs_lib.c
 const char * const default_lib_paths[] = {
         "/usr/lib/x86_64-linux-gnu",    // Debian & friends
@@ -63,3 +64,4 @@ doexit:
         close(fd);
         return retval;
 }
+#endif
\ No newline at end of file
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 3fa07d1ee..fa294d888 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -407,12 +407,14 @@ the current user's home directory.
 All modifications are discarded when the sandbox is
 closed.
 #endif
+#ifdef HAVE_PRIVATE_LIB
 .TP
 \fBprivate-lib file,directory
 Build a new /lib directory and bring in the libraries required by the application to run.
 The files and directories in the list must be expressed as relative to
 the /lib directory.
 This feature is still under development, see \fBman 1 firejail\fR for some examples.
+#endif
 .TP
 \fBprivate-opt file,directory
 Build a new /opt in a temporary
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 6068c9ff4..586ef9852 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -684,9 +684,11 @@ Print all recognized error numbers in the current Firejail software build and ex
 Example:
 .br
 $ firejail \-\-debug-errnos
+#ifdef HAVE_PRIVATE_LIB
 .TP
 \fB\-\-debug-private-lib
 Debug messages for --private-lib option.
+#endif
 .TP
 \fB\-\-debug-protocols
 Print all recognized protocols in the current Firejail software build and exit.
@@ -2179,6 +2181,7 @@ Example:
 .br
 $ firejail \-\-private-home=.mozilla firefox
 #endif
+#ifdef HAVE_PRIVATE_LIB
 .TP
 \fB\-\-private-lib=file,directory
 This feature is currently under heavy development. Only amd64 platforms are supported at this moment.
@@ -2234,6 +2237,7 @@ $
 .br
 Note: Support for this command is controlled in firejail.config with the
 \fBprivate-lib\fR option.
+#endif
 .TP
 \fB\-\-private-opt=file,directory
 Build a new /opt in a temporary
diff --git a/src/man/firemon.txt b/src/man/firemon.txt
index 9d0785a4a..fb0cf1175 100644
--- a/src/man/firemon.txt
+++ b/src/man/firemon.txt
@@ -30,9 +30,6 @@ Print debug messages
 \fB\-?\fR, \fB\-\-help\fR
 Print options end exit.
 .TP
-\fB\-\-interface
-Print network interface information for each sandbox.
-.TP
 \fB\-\-list
 List all sandboxes.
 .TP
diff --git a/src/profstats/main.c b/src/profstats/main.c
index d5e57e7cc..49ed1637a 100644
--- a/src/profstats/main.c
+++ b/src/profstats/main.c
@@ -74,32 +74,34 @@ static int arg_restrict_namespaces = 0;
 
 static char *profile = NULL;
 
+static const char *const usage_str =
+        "profstats - print profile statistics\n"
+        "Usage: profstats [options] file[s]\n"
+        "Options:\n"
+        "   --apparmor - print profiles without apparmor\n"
+        "   --caps - print profiles without caps\n"
+        "   --dbus-system-none - print profiles without \"dbus-system none\"\n"
+        "   --dbus-user-none - print profiles without \"dbus-user none\"\n"
+        "   --ssh - print profiles without \"include disable-common.inc\"\n"
+        "   --noexec - print profiles without \"include disable-exec.inc\"\n"
+        "   --noroot - print profiles without \"noroot\"\n"
+        "   --private-bin - print profiles without private-bin\n"
+        "   --private-dev - print profiles without private-dev\n"
+        "   --private-etc - print profiles without private-etc\n"
+        "   --private-tmp - print profiles without private-tmp\n"
+        "   --print-blacklist - print all --blacklist for a profile\n"
+        "   --print-whitelist - print all --private and --whitelist for a profile\n"
+        "   --seccomp - print profiles without seccomp\n"
+        "   --memory-deny-write-execute - print profiles without \"memory-deny-write-execute\"\n"
+        "   --restrict-namespaces - print profiles without \"restrict-namespaces\"\n"
+        "   --whitelist-home - print profiles whitelisting home directory\n"
+        "   --whitelist-var - print profiles without \"include whitelist-var-common.inc\"\n"
+        "   --whitelist-runuser - print profiles without \"include whitelist-runuser-common.inc\" or \"blacklist ${RUNUSER}\"\n"
+        "   --whitelist-usrshare - print profiles without \"include whitelist-usr-share-common.inc\"\n"
+        "   --debug\n";
+
 static void usage(void) {
-        printf("profstats - print profile statistics\n");
-        printf("Usage: profstats [options] file[s]\n");
-        printf("Options:\n");
-        printf("   --apparmor - print profiles without apparmor\n");
-        printf("   --caps - print profiles without caps\n");
-        printf("   --dbus-system-none - print profiles without \"dbus-system none\"\n");
-        printf("   --dbus-user-none - print profiles without \"dbus-user none\"\n");
-        printf("   --ssh - print profiles without \"include disable-common.inc\"\n");
-        printf("   --noexec - print profiles without \"include disable-exec.inc\"\n");
-        printf("   --noroot - print profiles without \"noroot\"\n");
-        printf("   --private-bin - print profiles without private-bin\n");
-        printf("   --private-dev - print profiles without private-dev\n");
-        printf("   --private-etc - print profiles without private-etc\n");
-        printf("   --private-tmp - print profiles without private-tmp\n");
-        printf("   --print-blacklist - print all --blacklist for a profile\n");
-        printf("   --print-whitelist - print all --private and --whitelist for a profile\n");
-        printf("   --seccomp - print profiles without seccomp\n");
-        printf("   --memory-deny-write-execute - print profiles without \"memory-deny-write-execute\"\n");
-        printf("   --restrict-namespaces - print profiles without \"restrict-namespaces\"\n");
-        printf("   --whitelist-home - print profiles whitelisting home directory\n");
-        printf("   --whitelist-var - print profiles without \"include whitelist-var-common.inc\"\n");
-        printf("   --whitelist-runuser - print profiles without \"include whitelist-runuser-common.inc\" or \"blacklist ${RUNUSER}\"\n");
-        printf("   --whitelist-usrshare - print profiles without \"include whitelist-usr-share-common.inc\"\n");
-        printf("   --debug\n");
-        printf("\n");
+        puts(usage_str);
 }
 
 static void process_file(char *fname) {
diff --git a/test/capabilities/capabilities.sh b/test/capabilities/capabilities.sh
new file mode 100755
index 000000000..2d345025a
--- /dev/null
+++ b/test/capabilities/capabilities.sh
@@ -0,0 +1,26 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2023 Firejail Authors
+# License GPL v2
+
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+export LC_ALL=C
+
+
+#if grep -q "^CapBnd:\\s0000003fffffffff" /proc/self/status; then
+        echo "TESTING: capabilities (test/filters/caps.exp)"
+        ./caps.exp
+#else
+#       echo "TESTING SKIP: other capabilities than expected (test/filters/caps.exp)"
+#fi
+
+echo "TESTING: capabilities print (test/filters/caps-print.exp)"
+./caps-print.exp
+
+echo "TESTING: capabilities join (test/filters/caps-join.exp)"
+./caps-join.exp
+
+echo "TESTING: firemon caps (test/utils/firemon-caps.exp)"
+./firemon-caps.exp
+
diff --git a/test/filters/caps-join.exp b/test/capabilities/caps-join.exp
index 1830143fb..ecb43d943 100755
--- a/test/filters/caps-join.exp
+++ b/test/capabilities/caps-join.exp
@@ -35,7 +35,7 @@ sleep 1
 
 set spawn_id $id1
 send -- "exit\r"
-after 100
+sleep 1
 
 #
 # no caps
@@ -67,7 +67,7 @@ sleep 1
 
 set spawn_id $id1
 send -- "exit\r"
-after 100
+after 500
 
 #
 # no caps
@@ -91,6 +91,6 @@ sleep 1
 
 set spawn_id $id1
 send -- "exit\r"
-after 100
+after 500
 
 puts "all done\n"
diff --git a/test/filters/caps-print.exp b/test/capabilities/caps-print.exp
index b403f9ffe..66a7e093b 100755
--- a/test/filters/caps-print.exp
+++ b/test/capabilities/caps-print.exp
@@ -68,7 +68,7 @@ expect {
         timeout {puts "TESTING ERROR 13\n";exit}
         "syslog              - disabled"
 }
-after 100
+after 500
 
 send -- "firejail --debug-caps\r"
 expect {
@@ -87,7 +87,7 @@ expect {
         timeout {puts "TESTING ERROR 9\n";exit}
         "24     - sys_resource"
 }
-after 100
+after 500
 
 send -- "firejail --caps.keep=\"bla bla bla\"\r"
 expect {
@@ -99,5 +99,5 @@ expect {
         "not found"
 }
 
-after 100
+after 500
 puts "\nall done\n"
diff --git a/test/filters/caps.exp b/test/capabilities/caps.exp
index dbd63efda..bd7ab04eb 100755
--- a/test/filters/caps.exp
+++ b/test/capabilities/caps.exp
@@ -7,14 +7,11 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail --caps.keep=chown,fowner --noprofile\r"
+send -- "firejail --caps.keep=chown,fowner --noprofile cat /proc/self/status\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
         -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
-after 100
-
-send -- "cat /proc/self/status\r"
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
         "CapBnd:        0000000000000009"
@@ -23,17 +20,13 @@ expect {
         timeout {puts "TESTING ERROR 3\n";exit}
         "Seccomp:"
 }
-send -- "exit\r"
-sleep 1
+after 500
 
-send -- "firejail --caps.drop=all --noprofile\r"
+send -- "firejail --caps.drop=all --noprofile cat /proc/self/status\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
         -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
-after 100
-
-send -- "cat /proc/self/status\r"
 expect {
         timeout {puts "TESTING ERROR 5\n";exit}
         "CapBnd:        0000000000000000"
@@ -42,17 +35,13 @@ expect {
         timeout {puts "TESTING ERROR 6\n";exit}
         "Seccomp:"
 }
-send -- "exit\r"
-sleep 1
+after 500
 
-send -- "firejail --caps.drop=chown,dac_override,dac_read_search,fowner --noprofile\r"
+send -- "firejail --caps.drop=chown,dac_override,dac_read_search,fowner --noprofile cat /proc/self/status\r"
 expect {
         timeout {puts "TESTING ERROR 7\n";exit}
         -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
-after 100
-
-send -- "cat /proc/self/status\r"
 expect {
         timeout {puts "TESTING ERROR 8\n";exit}
         "CapBnd:"
@@ -65,11 +54,9 @@ expect {
         timeout {puts "TESTING ERROR 10\n";exit}
         "Seccomp:"
 }
-send -- "exit\r"
-sleep 1
+after 500
 
-
-send -- "firejail --profile=caps1.profile --debug\r"
+send -- "firejail --profile=caps1.profile --debug ls\r"
 expect {
         timeout {puts "TESTING ERROR 11\n";exit}
         "Drop CAP_SYS_MODULE"
@@ -83,10 +70,7 @@ expect {
         "Drop CAP_" {puts "TESTING ERROR 14\n";exit}
         -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
-after 100
-send -- "exit\r"
-sleep 1
-
+after 500
 
 ## tofix: possible problem with caps.keep in profile files
 ##send -- "firejail --caps.keep=chown,fowner --noprofile\r"
@@ -110,14 +94,11 @@ sleep 1
 #sleep 1
 
 #send -- "firejail --caps.drop=chown,dac_override,dac_read_search,fowner --noprofile\r"
-send -- "firejail --profile=caps3.profile\r"
+send -- "firejail --profile=caps3.profile cat /proc/self/status\r"
 expect {
         timeout {puts "TESTING ERROR 18\n";exit}
         -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
-after 100
-
-send -- "cat /proc/self/status\r"
 expect {
         timeout {puts "TESTING ERROR 19\n";exit}
         "CapBnd:"
@@ -130,10 +111,5 @@ expect {
         timeout {puts "TESTING ERROR 21\n";exit}
         "Seccomp:"
 }
-send -- "exit\r"
-sleep 1
-
-
-
-after 100
+after 500
 puts "\nall done\n"
diff --git a/test/filters/caps1.profile b/test/capabilities/caps1.profile
index 8b0c3b340..8b0c3b340 100644
--- a/test/filters/caps1.profile
+++ b/test/capabilities/caps1.profile
diff --git a/test/filters/caps2.profile b/test/capabilities/caps2.profile
index ad49719f1..ad49719f1 100644
--- a/test/filters/caps2.profile
+++ b/test/capabilities/caps2.profile
diff --git a/test/filters/caps3.profile b/test/capabilities/caps3.profile
index ad49719f1..ad49719f1 100644
--- a/test/filters/caps3.profile
+++ b/test/capabilities/caps3.profile
diff --git a/test/capabilities/firemon-caps.exp b/test/capabilities/firemon-caps.exp
new file mode 100755
index 000000000..905c8cba9
--- /dev/null
+++ b/test/capabilities/firemon-caps.exp
@@ -0,0 +1,47 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2023 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send --  "firejail --name=bingo1 --noprofile --caps\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+sleep 1
+
+spawn $env(SHELL)
+send --  "firejail --name=bingo2 --noprofile\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+sleep 1
+
+spawn $env(SHELL)
+send -- "firemon --caps\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "need to be root" {puts "TESTING SKIP: /proc mounted as hidepid\n"; exit}
+        "bingo1"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "31cffff"
+}
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "bingo2"
+}
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "fffffff"
+}
+
+after 500
+
+puts "all done\n"
diff --git a/test/chroot/fs_chroot.exp b/test/chroot/fs_chroot.exp
index eb1349112..8bdaa507c 100755
--- a/test/chroot/fs_chroot.exp
+++ b/test/chroot/fs_chroot.exp
@@ -60,11 +60,12 @@ expect {
         timeout {puts "TESTING ERROR 8\n";exit}
         "No such file or directory"
 }
-after 100
-send -- "/bin/ping 1.1.1.1\r"
-expect {
-        timeout {puts "TESTING ERROR 9\n";exit}
-        "Operation not permitted"
-}
+# FIXME: Sometimes ping works normally
+#after 100
+#send -- "/bin/ping 1.1.1.1\r"
+#expect {
+#       timeout {puts "TESTING ERROR 9\n";exit}
+#       "Operation not permitted"
+#}
 
 puts "all done\n"
diff --git a/test/filters/filters.sh b/test/filters/filters.sh
index 2d115db1b..56c97482e 100755
--- a/test/filters/filters.sh
+++ b/test/filters/filters.sh
@@ -53,22 +53,19 @@ fi
 echo "TESTING: seccomp postexec (test/filters/seccomp-postexec.exp)"
 ./seccomp-postexec.exp
 
-echo "TESTING: noroot (test/filters/noroot.exp)"
-./noroot.exp
 
-
-if grep -q "^CapBnd:\\s0000003fffffffff" /proc/self/status; then
-        echo "TESTING: capabilities (test/filters/caps.exp)"
-        ./caps.exp
-else
-        echo "TESTING SKIP: other capabilities than expected (test/filters/caps.exp)"
-fi
-
-echo "TESTING: capabilities print (test/filters/caps-print.exp)"
-./caps-print.exp
-
-echo "TESTING: capabilities join (test/filters/caps-join.exp)"
-./caps-join.exp
+#if grep -q "^CapBnd:\\s0000003fffffffff" /proc/self/status; then
+#       echo "TESTING: capabilities (test/filters/caps.exp)"
+#       ./caps.exp
+#else
+#       echo "TESTING SKIP: other capabilities than expected (test/filters/caps.exp)"
+#fi
+#
+#echo "TESTING: capabilities print (test/filters/caps-print.exp)"
+#./caps-print.exp
+#
+#echo "TESTING: capabilities join (test/filters/caps-join.exp)"
+#./caps-join.exp
 
 rm -f seccomp-test-file
 if [[ $(uname -m) == "x86_64" ]]; then
diff --git a/test/filters/seccomp-debug.exp b/test/filters/seccomp-debug.exp
index dc6befcfe..33a992a93 100755
--- a/test/filters/seccomp-debug.exp
+++ b/test/filters/seccomp-debug.exp
@@ -97,61 +97,4 @@ expect {
 }
 after 100
 
-# memory-deny-write-execute
-send --  "firejail --debug --memory-deny-write-execute sleep 1; echo done\r"
-expect {
-        timeout {puts "TESTING ERROR 24\n";exit}
-        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
-}
-expect {
-        timeout {puts "TESTING ERROR 25\n";exit}
-        "Installing /run/firejail/mnt/seccomp/seccomp.mdwx seccomp filter"
-}
-expect {
-        timeout {puts "TESTING ERROR 26\n";exit}
-        "done"
-}
-
-
-# 64 bit architecture - seccomp.block-secondary
-send --  "firejail --debug --seccomp.block-secondary sleep 1; echo done\r"
-expect {
-        timeout {puts "TESTING ERROR 27\n";exit}
-        "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 28\n";exit}
-        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
-}
-expect {
-        timeout {puts "TESTING ERROR 29\n";exit}
-        "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 30\n";exit}
-        "Installing /run/firejail/mnt/seccomp/seccomp seccomp filter"
-}
-expect {
-        timeout {puts "TESTING ERROR 31\n";exit}
-        "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 32\n";exit}
-        "Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter"
-}
-expect {
-        timeout {puts "TESTING ERROR 33\n";exit}
-        "done"
-}
-after 100
-
-# 64 bit architecture - seccomp.block-secondary, profile
-send --  "firejail --debug --profile=block-secondary.profile sleep 1; echo done\r"
-expect {
-        timeout {puts "TESTING ERROR 33\n";exit}
-        "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 34\n";exit}
-        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
-}
-expect {
-        timeout {puts "TESTING ERROR 35\n";exit}
-        "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 35\n";exit}
-        "Installing /run/firejail/mnt/seccomp/seccomp seccomp filter"
-}
-expect {
-        timeout {puts "TESTING ERROR 37\n";exit}
-        "done"
-}
-after 100
-
 puts "all done\n"
diff --git a/test/firecfg/firecfg.exp b/test/firecfg/firecfg.exp
index 0249fb7fa..755eea3a1 100755
--- a/test/firecfg/firecfg.exp
+++ b/test/firecfg/firecfg.exp
@@ -12,7 +12,20 @@ expect {
         timeout {puts "TESTING ERROR 0\n";exit}
         "ping: symbolic link to /usr/bin/firejail"
 }
+after 100
 
+send --  "file /tmp/ttt/ping\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "ping: symbolic link to /usr/bin/firejail"
+}
+after 100
+
+send -- "firecfg --list\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "/usr/local/bin/ping"
+}
 after 100
 
 puts "\nall done\n"
diff --git a/test/firecfg/firecfg.sh b/test/firecfg/firecfg.sh
index 6b03cc841..6f2bb5244 100755
--- a/test/firecfg/firecfg.sh
+++ b/test/firecfg/firecfg.sh
@@ -7,6 +7,11 @@ export MALLOC_CHECK_=3
 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
 export LC_ALL=C
 
+sudo mkdir /tmp/ttt
 sudo firecfg
+sudo firecfg --bindir=/tmp/ttt
+
 echo "TESTING: firecfg (test/firecfg/firecfg.exp)"
 ./firecfg.exp
+
+sudo rm -fr /tmp/ttt
diff --git a/test/utils/caps-print.exp b/test/network/firemon-arp.exp
index 381f27574..87f0ddf4e 100755
--- a/test/utils/caps-print.exp
+++ b/test/network/firemon-arp.exp
@@ -7,26 +7,22 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail --name=test\r"
+send -- "firejail --name=test --net=br0 --ip=10.10.20.50\r"
 expect {
-        timeout {puts "TESTING ERROR 0\n";exit}
+        timeout {puts "TESTING ERROR 1\n";exit}
         -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
 
 spawn $env(SHELL)
-send -- "firejail --caps.print=test\r"
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "setgid              - disabled"
-}
+send -- "firemon --arp\r"
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
-        "setuid              - disabled"
+        "firejail --name=test --net=br0 --ip=10.10.20.50"
 }
 expect {
         timeout {puts "TESTING ERROR 3\n";exit}
-        "net_raw             - disabled"
+        "ARP Table:"
 }
-after 100
+after 500
 puts "\nall done\n"
diff --git a/test/network/firemon-route.exp b/test/network/firemon-route.exp
new file mode 100755
index 000000000..2ca6f2fca
--- /dev/null
+++ b/test/network/firemon-route.exp
@@ -0,0 +1,40 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2023 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --name=test --net=br0 --ip=10.10.20.50\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --route\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "firejail --name=test --net=br0 --ip=10.10.20.50"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "Route table:"
+}
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "0.0.0.0/0 via 10.10.20.1"
+}
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "10.10.20.0/24, dev eth0"
+}
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "src 10.10.20.50"
+}
+after 500
+puts "\nall done\n"
diff --git a/test/utils/protocol-print.exp b/test/network/ip6_netfilter.exp
index f24afc703..6c478d9e7 100755
--- a/test/utils/protocol-print.exp
+++ b/test/network/ip6_netfilter.exp
@@ -7,18 +7,25 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail --name=test\r"
+# check default netfilter on br0
+send -- "firejail --name=test --net=br0 --netfilter6=ip6_netfilter.profile\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
         -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 sleep 2
-
 spawn $env(SHELL)
-send -- "firejail --protocol.print=test\r"
+
+# check default netfilter no new network
+send -- "firejail --netfilter6.print=test\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "unix,inet,inet6"
+        "DROP"
 }
-after 100
-puts "\nall done\n"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "2001:db8:1f0a:3ec::2"
+}
+
+after 500
+puts "all done\n"
diff --git a/test/network/ip6_netfilter.profile b/test/network/ip6_netfilter.profile
new file mode 100644
index 000000000..cc8f22943
--- /dev/null
+++ b/test/network/ip6_netfilter.profile
@@ -0,0 +1,8 @@
+# Generated by ip6tables-save v1.4.14 on Wed Jan 13 10:53:40 2016
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -s 2001:db8:1f0a:3ec::2/128 -j DROP
+COMMIT
+# Completed on Wed Jan 13 10:53:40 2016
diff --git a/test/network/net_bandwidth.exp b/test/network/net_bandwidth.exp
new file mode 100755
index 000000000..0ec3b59ef
--- /dev/null
+++ b/test/network/net_bandwidth.exp
@@ -0,0 +1,51 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2023 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --name=test --net=br0\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firejail --bandwidth=test set br0 10 20\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "Download speed  80kbps"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "Upload speed  160kbps"
+}
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "configuring tc ingress"
+}
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "configuring tc egress"
+}
+after 500
+
+send -- "firejail --bandwidth=test status\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "rate 160Kbit burst 10Kb"
+}
+after 500
+
+send -- "firejail --bandwidth=test clear br0\r"
+expect {
+        timeout {puts "TESTING ERROR 7\n";exit}
+        "Removing bandwidth limits"
+}
+sleep 1
+
+puts "\nall done\n"
diff --git a/test/network/net_ip.exp b/test/network/net_ip.exp
index 251b55362..0cccf93a0 100755
--- a/test/network/net_ip.exp
+++ b/test/network/net_ip.exp
@@ -130,4 +130,44 @@ expect {
 }
 
 after 500
+
+send -- "firejail --profile=net_ip.profile ip addr show\r"
+expect {
+        timeout {puts "TESTING ERROR 26\n";exit}
+        "eth0"
+}
+expect {
+        timeout {puts "TESTING ERROR 27\n";exit}
+        "00:11:22:33:44:55"
+}
+expect {
+        timeout {puts "TESTING ERROR 28\n";exit}
+        "10.10.20.55"
+}
+expect {
+        timeout {puts "TESTING ERROR 29\n";exit}
+        "Default gateway 10.10.20.9"
+}
+expect {
+        timeout {puts "TESTING ERROR 30\n";exit}
+        "00:11:22:33:44:55"
+}
+expect {
+        timeout {puts "TESTING ERROR 31\n";exit}
+        "10.10.20.55"
+}
+after 500
+
+send -- "firejail --profile=net_ip.profile ip route  show\r"
+expect {
+        timeout {puts "TESTING ERROR 32\n";exit}
+        "default via 10.10.20.9"
+}
+expect {
+        timeout {puts "TESTING ERROR 33\n";exit}
+        "10.10.20.0/24 dev eth0 proto kernel scope link src 10.10.20.55"
+}
+after 500
+
+
 puts "\nall done\n"
diff --git a/test/network/net_ip.profile b/test/network/net_ip.profile
new file mode 100644
index 000000000..72910d77e
--- /dev/null
+++ b/test/network/net_ip.profile
@@ -0,0 +1,6 @@
+net br0
+ip 10.10.20.55
+defaultgw 10.10.20.9
+mac 00:11:22:33:44:55
+mtu 1000
+
diff --git a/test/network/net_netfilter.exp b/test/network/net_netfilter.exp
index 56480251e..ac144e19d 100755
--- a/test/network/net_netfilter.exp
+++ b/test/network/net_netfilter.exp
@@ -20,7 +20,27 @@ spawn $env(SHELL)
 send -- "firejail --netfilter.print=test\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED"
+        "ACCEPT"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "lo"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "ACCEPT"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "state RELATED,ESTABLISHED"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "ACCEPT"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "icmptype 8"
 }
 
 after 500
diff --git a/test/network/netfilter-template.exp b/test/network/netfilter-template.exp
new file mode 100755
index 000000000..2dc50cef7
--- /dev/null
+++ b/test/network/netfilter-template.exp
@@ -0,0 +1,41 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2023 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+
+send -- "firejail --net=br0 --ip=10.10.30.10 --name=test1 --netfilter=/etc/firejail/blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "invalid network filter file"
+}
+after 500
+
+send -- "firejail --net=br0 --ip=10.10.20.10 --name=test1 --netfilter=/etc/firejail/tcpserver.net,5678\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firejail --netfilter.print=test1\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "Chain INPUT"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "ACCEPT"
+}
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "tcp dpt:5678 state NEW,ESTABLISHED"
+}
+sleep 1
+
+puts "\nall done\n"
diff --git a/test/network/netstats.exp b/test/network/netstats.exp
new file mode 100755
index 000000000..d9da9cb75
--- /dev/null
+++ b/test/network/netstats.exp
@@ -0,0 +1,30 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2023 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --name=test --net=br0\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+sleep 4
+
+spawn $env(SHELL)
+send -- "firejail --netstats\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "statistics only for sandboxes using a new network namespace"
+}
+sleep 4
+
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "firejail --name=test --net=br0"
+}
+after 500
+puts "\nall done\n"
diff --git a/test/network/network.sh b/test/network/network.sh
index 877f16156..6d26e967f 100755
--- a/test/network/network.sh
+++ b/test/network/network.sh
@@ -33,8 +33,32 @@ echo "TESTING: print network (net-print.exp)"
 echo "TESTING: print dns (dns-print.exp)"
 ./dns-print.exp
 
+echo "TESTING: bandwidth (net_bandwidth.exp)"
+./net_bandwidth.exp
+
 echo "TESTING: ipv6 (ip6.exp)"
 ./ip6.exp
 
+echo "TESTING: ipv6 netfilter (ip6_netfilter.exp)"
+./ip6_netfilter.exp
+
+# this test will fail on github!
+USER=`whoami`
+if [[ $USER == "runner" ]]; then
+        echo "TESTING: skip over netstats test"
+else
+        echo "TESTING: netstats (netstats.exp)"
+        ./netstats.exp
+fi
+
+echo "TESTING: firemon arp (firemon-arp.exp)"
+./firemon-arp.exp
+
+echo "TESTING: firemon route (firemon-route.exp)"
+./firemon-route.exp
+
+echo "TESTING: netfilter-template (netfilter-template.exp)"
+./netfilter-template.exp
+
 sudo ip link set br0 down
 sudo brctl delbr br0
diff --git a/test/seccomp-extra/block-secondary.exp b/test/seccomp-extra/block-secondary.exp
new file mode 100755
index 000000000..1db512126
--- /dev/null
+++ b/test/seccomp-extra/block-secondary.exp
@@ -0,0 +1,43 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2023 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+
+# 64 bit architecture - seccomp.block-secondary
+send --  "firejail --debug --seccomp.block-secondary pwd\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 2\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 4\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp seccomp filter"
+}
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 6\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter"
+}
+after 500
+
+# 64 bit architecture - seccomp.block-secondary, profile
+send --  "firejail --debug --profile=block-secondary.profile pwd\r"
+expect {
+        timeout {puts "TESTING ERROR 7\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 8\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 10\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp seccomp filter"
+}
+after 500
+puts "all done\n"
diff --git a/test/filters/block-secondary.profile b/test/seccomp-extra/block-secondary.profile
index e32056c3d..e32056c3d 100644
--- a/test/filters/block-secondary.profile
+++ b/test/seccomp-extra/block-secondary.profile
diff --git a/test/filters/memwrexe b/test/seccomp-extra/memwrexe
index 1173cdc07..82ea7631f 100755
--- a/test/filters/memwrexe
+++ b/test/seccomp-extra/memwrexe
diff --git a/test/filters/memwrexe.c b/test/seccomp-extra/memwrexe.c
index 548320df9..548320df9 100644
--- a/test/filters/memwrexe.c
+++ b/test/seccomp-extra/memwrexe.c
diff --git a/test/seccomp-extra/mrwx.exp b/test/seccomp-extra/mrwx.exp
new file mode 100755
index 000000000..403bc852f
--- /dev/null
+++ b/test/seccomp-extra/mrwx.exp
@@ -0,0 +1,37 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2023 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+
+
+# memory-deny-write-execute
+send --  "firejail --debug --memory-deny-write-execute pwd\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp.mdwx seccomp filter"
+}
+after 500
+
+send --  "firejail --debug --profile=mrwx.profile pwd\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp.mdwx seccomp filter"
+}
+after 500
+
+
+after 500
+puts "all done\n"
diff --git a/test/seccomp-extra/mrwx.profile b/test/seccomp-extra/mrwx.profile
new file mode 100644
index 000000000..46d6cedee
--- /dev/null
+++ b/test/seccomp-extra/mrwx.profile
@@ -0,0 +1 @@
+memory-deny-write-execute
diff --git a/test/filters/memwrexe.exp b/test/seccomp-extra/mrwx2.exp
index e51b3372e..4703a4014 100755
--- a/test/filters/memwrexe.exp
+++ b/test/seccomp-extra/mrwx2.exp
@@ -17,7 +17,7 @@ expect {
         "mmap successful" {puts "TESTING ERROR 2\n";exit}
         "Parent is shutting down"
 }
-after 100
+after 500
 
 send --  "firejail --memory-deny-write-execute ./memwrexe mprotect\r"
 expect {
@@ -29,7 +29,7 @@ expect {
         "mprotect successful" {puts "TESTING ERROR 12\n";exit}
         "Parent is shutting down"
 }
-after 100
+after 500
 
 send --  "firejail --memory-deny-write-execute ./memwrexe memfd_create\r"
 expect {
@@ -42,5 +42,5 @@ expect {
         "Parent is shutting down"
 }
 
-after 100
+after 500
 puts "\nall done\n"
diff --git a/test/filters/noroot.exp b/test/seccomp-extra/noroot.exp
index 8a8842cd9..eeb82833e 100755
--- a/test/filters/noroot.exp
+++ b/test/seccomp-extra/noroot.exp
@@ -132,5 +132,5 @@ expect {
 puts "\n"
 
 
-after 100
+after 500
 puts "\nall done\n"
diff --git a/test/seccomp-extra/protocol-print.exp b/test/seccomp-extra/protocol-print.exp
new file mode 100755
index 000000000..7e76e6ff6
--- /dev/null
+++ b/test/seccomp-extra/protocol-print.exp
@@ -0,0 +1,59 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2023 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --name=test0\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+sleep 2
+
+
+spawn $env(SHELL)
+send -- "firejail --name=test1 --profile=protocol1.profile\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firejail --name=test2 --profile=protocol2.profile\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firejail --protocol.print=test0\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "packet" {puts "TESTING ERROR 4\n";exit}
+        "unix,inet,inet6"
+}
+after 500
+
+send -- "firejail --protocol.print=test1\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "inet" {puts "TESTING ERROR 6\n";exit}
+        "unix"
+}
+after 500
+
+send -- "firejail --protocol.print=test2\r"
+expect {
+        timeout {puts "TESTING ERROR 7\n";exit}
+        "unix" {puts "TESTING ERROR 8\n";exit}
+        "inet6,packet"
+}
+after 500
+
+puts "\nall done\n"
diff --git a/test/filters/protocol.exp b/test/seccomp-extra/protocol.exp
index 5320dde6f..5844e1de3 100755
--- a/test/filters/protocol.exp
+++ b/test/seccomp-extra/protocol.exp
@@ -7,7 +7,7 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail --noprofile --protocol=unix --debug\r"
+send -- "firejail --noprofile --protocol=unix --debug pwd\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
         "0009: 20 00 00 00000000"
@@ -29,11 +29,9 @@ expect {
         "0012: 06 00 00 0005005f"
 }
 
-after 100
-send -- "exit\r"
-sleep 1
+after 500
 
-send -- "firejail --noprofile --protocol=bluetooth --debug\r"
+send -- "firejail --noprofile --protocol=bluetooth --debug pwd\r"
 expect {
         timeout {puts "TESTING ERROR 11\n";exit}
         "0009: 20 00 00 00000000"
@@ -54,12 +52,9 @@ expect {
         timeout {puts "TESTING ERROR1 5\n";exit}
         "0012: 06 00 00 0005005f"
 }
+after 500
 
-after 100
-send -- "exit\r"
-sleep 1
-
-send -- "firejail --noprofile --protocol=inet,inet6 --debug\r"
+send -- "firejail --noprofile --protocol=inet,inet6 --debug pwd\r"
 expect {
         timeout {puts "TESTING ERROR 31\n";exit}
         "0009: 20 00 00 00000000"
@@ -88,10 +83,5 @@ expect {
         timeout {puts "TESTING ERROR 37\n";exit}
         "0014: 06 00 00 0005005f"
 }
-
-after 100
-send -- "exit\r"
-
-
-after 100
+after 500
 puts "\nall done\n"
diff --git a/test/filters/protocol1.profile b/test/seccomp-extra/protocol1.profile
index 3e1ea2a29..3e1ea2a29 100644
--- a/test/filters/protocol1.profile
+++ b/test/seccomp-extra/protocol1.profile
diff --git a/test/filters/protocol2.profile b/test/seccomp-extra/protocol2.profile
index b7eb4ab91..b7eb4ab91 100644
--- a/test/filters/protocol2.profile
+++ b/test/seccomp-extra/protocol2.profile
diff --git a/test/seccomp-extra/seccomp-extra.sh b/test/seccomp-extra/seccomp-extra.sh
new file mode 100755
index 000000000..50852f7e0
--- /dev/null
+++ b/test/seccomp-extra/seccomp-extra.sh
@@ -0,0 +1,26 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2023 Firejail Authors
+# License GPL v2
+
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+export LC_ALL=C
+
+echo "TESTING: protocol (test/seccomp-extras/protocol-print.exp)"
+./protocol.exp
+
+echo "TESTING: protocol.print (test/seccomp-extras/protocol-print.exp)"
+./protocol-print.exp
+
+echo "TESTING: noroot (test/seccomp-extras/noroot.exp)"
+./noroot.exp
+
+echo "TESTING: mrwx (test/seccomp-extras/mrwx.exp)"
+./mrwx.exp
+
+echo "TESTING: mrwx2 (test/seccomp-extras/mrwx.exp)"
+./mrwx2.exp
+
+echo "TESTING: block-secondary (test/seccomp-extras/block-secondary.exp)"
+./block-secondary.exp
diff --git a/test/utils/caps1.profile b/test/utils/caps1.profile
deleted file mode 100644
index 78c18fc64..000000000
--- a/test/utils/caps1.profile
+++ /dev/null
@@ -1 +0,0 @@
-caps.drop chown,kill
diff --git a/test/utils/caps2.profile b/test/utils/caps2.profile
deleted file mode 100644
index e760d4cb5..000000000
--- a/test/utils/caps2.profile
+++ /dev/null
@@ -1 +0,0 @@
-caps.keep chown,kill
diff --git a/test/utils/firemon-caps.exp b/test/utils/firemon-caps.exp
deleted file mode 100755
index 621447d45..000000000
--- a/test/utils/firemon-caps.exp
+++ /dev/null
@@ -1,129 +0,0 @@
-#!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2023 Firejail Authors
-# License GPL v2
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send --  "firejail --name=bingo1 --noprofile --caps\r"
-expect {
-        timeout {puts "TESTING ERROR 0\n";exit}
-        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
-}
-sleep 1
-
-spawn $env(SHELL)
-send --  "firejail --name=bingo2 --noprofile\r"
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
-}
-sleep 1
-
-spawn $env(SHELL)
-send --  "firejail --name=bingo3 --noprofile --caps.drop=all\r"
-expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
-        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
-}
-sleep 1
-
-spawn $env(SHELL)
-send --  "firejail --noprofile --name=bingo4 --caps.drop=chown,kill\r"
-expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
-        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
-}
-sleep 1
-
-spawn $env(SHELL)
-send --  "firejail --noprofile --name=bingo5 --caps.keep=chown,kill\r"
-expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
-        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
-}
-sleep 1
-
-spawn $env(SHELL)
-send --  "firejail --name=bingo6 --profile=caps1.profile\r"
-expect {
-        timeout {puts "TESTING ERROR 5\n";exit}
-        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
-}
-sleep 1
-
-spawn $env(SHELL)
-send --  "firejail --name=bingo7 --profile=caps2.profile\r"
-expect {
-        timeout {puts "TESTING ERROR 0\n";exit}
-        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
-}
-sleep 1
-
-spawn $env(SHELL)
-send -- "firemon --caps\r"
-expect {
-        timeout {puts "TESTING ERROR 8.1\n";exit}
-        "need to be root" {puts "TESTING SKIP: /proc mounted as hidepid\n"; exit}
-        "bingo1"
-}
-expect {
-        timeout {puts "TESTING ERROR 8.2\n";exit}
-        "31cffff"
-}
-expect {
-        timeout {puts "TESTING ERROR 8.3\n";exit}
-        "bingo2"
-}
-expect {
-        timeout {puts "TESTING ERROR 8.4\n";exit}
-        "fffffff"
-}
-expect {
-        timeout {puts "TESTING ERROR 8.5\n";exit}
-        "bingo3"
-}
-expect {
-        timeout {puts "TESTING ERROR 8.6\n";exit}
-        "000000000000"
-}
-
-expect {
-        timeout {puts "TESTING ERROR 8.7\n";exit}
-        "bingo4"
-}
-expect {
-        timeout {puts "TESTING ERROR 8.8\n";exit}
-        "ffffffde"
-}
-expect {
-        timeout {puts "TESTING ERROR 8.9\n";exit}
-        "bingo5"
-}
-expect {
-        timeout {puts "TESTING ERROR 8.10\n";exit}
-        "0000000000000021"
-}
-
-expect {
-        timeout {puts "TESTING ERROR 8.11\n";exit}
-        "bingo6"
-}
-expect {
-        timeout {puts "TESTING ERROR 8.12\n";exit}
-        "ffffffde"
-}
-expect {
-        timeout {puts "TESTING ERROR 8.13\n";exit}
-        "bingo7"
-}
-expect {
-        timeout {puts "TESTING ERROR 8.14\n";exit}
-        "0000000000000021"
-}
-
-after 100
-
-puts "all done\n"
diff --git a/test/utils/firemon-interface.exp b/test/utils/firemon-interface.exp
deleted file mode 100755
index fc1ea9ef6..000000000
--- a/test/utils/firemon-interface.exp
+++ /dev/null
@@ -1,17 +0,0 @@
-#!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2023 Firejail Authors
-# License GPL v2
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send --  "firemon --interface\r"
-expect {
-        timeout {puts "TESTING ERROR 0\n";exit}
-        "you need to be root"
-}
-after 100
-
-puts "\nall done\n"
diff --git a/test/utils/utils.sh b/test/utils/utils.sh
index 9f04c2625..9ff4048ef 100755
--- a/test/utils/utils.sh
+++ b/test/utils/utils.sh
@@ -61,15 +61,9 @@ echo "TESTING: fs.print (test/utils/fs-print.exp)"
 echo "TESTING: dns.print (test/utils/dns-print.exp)"
 ./dns-print.exp
 
-echo "TESTING: caps.print (test/utils/caps-print.exp)"
-./caps-print.exp
-
 echo "TESTING: seccomp.print (test/utils/seccomp-print.exp)"
 ./seccomp-print.exp
 
-echo "TESTING: protocol.print (test/utils/protocol-print.exp)"
-./protocol-print.exp
-
 echo "TESTING: shutdown (test/utils/shutdown.exp)"
 ./shutdown.exp
 
@@ -112,21 +106,11 @@ else
         echo "TESTING SKIP: seccomp already active (test/utils/firemon-seccomp.exp)"
 fi
 
-if grep -q "^CapBnd:\\s0000003fffffffff" /proc/self/status; then
-        echo "TESTING: firemon caps (test/utils/firemon-caps.exp)"
-        ./firemon-caps.exp
-else
-        echo "TESTING SKIP: other capabilities than expected (test/utils/firemon-caps.exp)"
-fi
-
 echo "TESTING: firemon cpu (test/utils/firemon-cpu.exp)"
 ./firemon-cpu.exp
 
 echo "TESTING: firemon version (test/utils/firemon-version.exp)"
 ./firemon-version.exp
 
-echo "TESTING: firemon interface (test/utils/firemon-interface.exp)"
-./firemon-interface.exp
-
 echo "TESTING: firemon name (test/utils/firemon-name.exp)"
 ./firemon-name.exp