7 files changed, 21 insertions, 10 deletions
diff --git a/.github/workflows/sort.yml b/.github/workflows/sort.yml
index 3e717f162..f3ded0f22 100644
--- a/.github/workflows/sort.yml
+++ b/.github/workflows/sort.yml
@@ -5,10 +5,12 @@ on:
    branches: [ master ]
    paths:
      - 'etc/**'
+      - 'contrib/sort.py'
  pull_request:
    branches: [ master ]
    paths:
      - 'etc/**'
+      - 'contrib/sort.py'
 jobs:
  profile-sort:
diff --git a/contrib/sort.py b/contrib/sort.py
index 5df353549..9e5062c3c 100755
--- a/contrib/sort.py
+++ b/contrib/sort.py
@@ -80,7 +80,7 @@ def fix_profile(filename):
        lines = profile.read().split("\n")
        was_fixed = False
        fixed_profile = []
-        for line in lines:
+        for lineno, line in enumerate(lines):
            if line[:12] in ("private-bin ", "private-etc ", "private-lib "):
                fixed_line = f"{line[:12]}{sort_alphabetical(line[12:])}"
            elif line[:13] in ("seccomp.drop ", "seccomp.keep "):
@@ -95,6 +95,10 @@ def fix_profile(filename):
                fixed_line = line
            if fixed_line != line:
                was_fixed = True
+                print(
+                    f"{filename}:{lineno + 1}:-{line}\n"
+                    f"{filename}:{lineno + 1}:+{fixed_line}"
+                )
            fixed_profile.append(fixed_line)
        if was_fixed:
            profile.seek(0)
@@ -108,6 +112,7 @@ def fix_profile(filename):
 def main(args):
    exit_code = 0
+    print(f"sort.py: checking {len(args)} {'profiles' if len(args) != 1 else 'profile'}...")
    for filename in args:
        try:
            if exit_code not in (1, 101):
@@ -120,8 +125,8 @@ def main(args):
        except PermissionError:
            print(f"[ Error ] Can't read/write `{filename}'")
            exit_code = 1
-        except:
+        except Exception as err:
-            print(f"[ Error ] An error occurred while processing `{filename}'")
+            print(f"[ Error ] An error occurred while processing `{filename}': {err}")
            exit_code = 1
    return exit_code
diff --git a/etc/apparmor/firejail-local b/etc/apparmor/firejail-local
index f086653f8..893a1ce46 100644
--- a/etc/apparmor/firejail-local
+++ b/etc/apparmor/firejail-local
@@ -1,2 +1,5 @@
 # Site-specific additions and overrides for 'firejail-default'.
 # For more details, please see /etc/apparmor.d/local/README.
+# Uncomment to opt-in to apparmor for torbrowser-launcher
+#owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/** ix,
diff --git a/etc/profile-a-l/jitsi-meet-desktop.profile b/etc/profile-a-l/jitsi-meet-desktop.profile
index e5beb741a..edb7ed840 100644
--- a/etc/profile-a-l/jitsi-meet-desktop.profile
+++ b/etc/profile-a-l/jitsi-meet-desktop.profile
@@ -20,7 +20,7 @@ nowhitelist ${DOWNLOADS}
 mkdir ${HOME}/.config/Jitsi Meet
 whitelist ${HOME}/.config/Jitsi Meet
-private-bin bash,jitsi-meet-desktop
+private-bin bash,electron,electron[0-9],electron[0-9][0-9],jitsi-meet-desktop,sh
 private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,drirc,fonts,glvnd,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,nvidia,pango,passwd,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg
 # Redirect
diff --git a/etc/profile-m-z/start-tor-browser.desktop.profile b/etc/profile-m-z/start-tor-browser.desktop.profile
index 7367d906e..2f73c9fee 100644
--- a/etc/profile-m-z/start-tor-browser.desktop.profile
+++ b/etc/profile-m-z/start-tor-browser.desktop.profile
@@ -4,7 +4,7 @@
 include start-tor-browser.desktop.local
 # Persistent global definitions
 # added by included profile
-include globals.local
+#include globals.local
 noblacklist ${HOME}/.tor-browser*
@@ -72,8 +72,5 @@ whitelist ${HOME}/.tor-browser_vi
 whitelist ${HOME}/.tor-browser_zh-CN
 whitelist ${HOME}/.tor-browser_zh-TW
-# Ignoring apparmor, tor browser is installed in user home directory using the binary archive distributed by Tor Foundation
-ignore apparmor
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/start-tor-browser.profile b/etc/profile-m-z/start-tor-browser.profile
index b5c4d211e..17ceedee7 100644
--- a/etc/profile-m-z/start-tor-browser.profile
+++ b/etc/profile-m-z/start-tor-browser.profile
@@ -3,7 +3,8 @@
 # Persistent local customizations
 include start-tor-browser.local
 # Persistent global definitions
-include globals.local
+# added by included profile
+#include globals.local
 # Redirect
 include start-tor-browser.desktop.profile
diff --git a/etc/profile-m-z/torbrowser-launcher.profile b/etc/profile-m-z/torbrowser-launcher.profile
index eb90f0030..1045fa02a 100644
--- a/etc/profile-m-z/torbrowser-launcher.profile
+++ b/etc/profile-m-z/torbrowser-launcher.profile
@@ -31,7 +31,10 @@ whitelist ${HOME}/.local/share/torbrowser
 include whitelist-common.inc
 include whitelist-var-common.inc
-apparmor
+# Uncomment the line below or put 'apparmor' in your torbrowser-launcher.local.
+# IMPORTANT: the relevant rule in /etc/apparmor.d/local/firejail-default will need
+# to be uncommented too for this to work as expected.
+#apparmor
 caps.drop all
 netfilter
 nodvd