56 files changed, 395 insertions, 178 deletions
diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml
index 7fb51e92f..6c2905e43 100644
--- a/.github/workflows/build-extra.yml
+++ b/.github/workflows/build-extra.yml
@@ -43,7 +43,7 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
    - name: Harden Runner
-      uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423
+      uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
      with:
        egress-policy: block
        allowed-endpoints: >
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 5eb84a843..ae1aef039 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -59,7 +59,7 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
    - name: Harden Runner
-      uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423
+      uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
      with:
        egress-policy: block
        allowed-endpoints: >
diff --git a/.github/workflows/check-c.yml b/.github/workflows/check-c.yml
index 2658ce1d1..3324906f7 100644
--- a/.github/workflows/check-c.yml
+++ b/.github/workflows/check-c.yml
@@ -45,7 +45,7 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
    - name: Harden Runner
-      uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423
+      uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
      with:
        egress-policy: block
        allowed-endpoints: >
@@ -76,7 +76,7 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
    - name: Harden Runner
-      uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423
+      uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
      with:
        egress-policy: block
        allowed-endpoints: >
@@ -103,7 +103,7 @@ jobs:
    runs-on: ubuntu-20.04
    steps:
    - name: Harden Runner
-      uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423
+      uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
      with:
        egress-policy: block
        allowed-endpoints: >
@@ -132,7 +132,7 @@ jobs:
    steps:
    - name: Harden Runner
-      uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423
+      uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
      with:
        disable-sudo: true
        egress-policy: block
@@ -150,7 +150,7 @@ jobs:
    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
-      uses: github/codeql-action/init@49abf0ba24d0b7953cb586944e918a0b92074c80
+      uses: github/codeql-action/init@407ffafae6a767df3e0230c3df91b6443ae8df75
      with:
        languages: cpp
@@ -161,4 +161,4 @@ jobs:
      run: make -j "$(nproc)"
    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@49abf0ba24d0b7953cb586944e918a0b92074c80
+      uses: github/codeql-action/analyze@407ffafae6a767df3e0230c3df91b6443ae8df75
diff --git a/.github/workflows/check-profiles.yml b/.github/workflows/check-profiles.yml
index f1b69ec47..0185376a4 100644
--- a/.github/workflows/check-profiles.yml
+++ b/.github/workflows/check-profiles.yml
@@ -31,7 +31,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
    - name: Harden Runner
-      uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423
+      uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
      with:
        disable-sudo: true
        egress-policy: block
@@ -43,10 +43,10 @@ jobs:
      run: ./ci/printenv.sh
    - run: python3 --version
-#   - name: sort.py
+    - name: sort.py
-#     run: >
+      run: >
-#       ./ci/check/profiles/sort.py
+        ./ci/check/profiles/sort.py
-#       etc/inc/*.inc etc/{profile-a-l,profile-m-z}/*.profile
+        etc/inc/*.inc etc/{profile-a-l,profile-m-z}/*.profile
 # Currently broken (see #5610)
 #   - name: private-etc-always-required.sh
 #     run: >
diff --git a/.github/workflows/check-python.yml b/.github/workflows/check-python.yml
index 0581da320..4425af2b7 100644
--- a/.github/workflows/check-python.yml
+++ b/.github/workflows/check-python.yml
@@ -30,7 +30,7 @@ jobs:
    steps:
    - name: Harden Runner
-      uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423
+      uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
      with:
        disable-sudo: true
        egress-policy: block
@@ -50,9 +50,9 @@ jobs:
    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
-      uses: github/codeql-action/init@49abf0ba24d0b7953cb586944e918a0b92074c80
+      uses: github/codeql-action/init@407ffafae6a767df3e0230c3df91b6443ae8df75
      with:
        languages: python
    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@49abf0ba24d0b7953cb586944e918a0b92074c80
+      uses: github/codeql-action/analyze@407ffafae6a767df3e0230c3df91b6443ae8df75
diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml
index 3da4411cc..f3c512c3e 100644
--- a/.github/workflows/codespell.yml
+++ b/.github/workflows/codespell.yml
@@ -23,7 +23,7 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
    - name: Harden Runner
-      uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423
+      uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
      with:
        egress-policy: block
        allowed-endpoints: >
@@ -38,6 +38,8 @@ jobs:
      run: sudo apt-get update -qy
    - name: install dependencies
      run: sudo apt-get install -qy codespell
+    - name: print env
+      run: ./ci/printenv.sh
    - name: configure
      run: ./configure || (cat config.log; exit 1)
    - run: codespell --version
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index a63abafcb..0a6069a5c 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -53,7 +53,7 @@ jobs:
      SHELL: /bin/bash
    steps:
    - name: Harden Runner
-      uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423
+      uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
      with:
        egress-policy: block
        allowed-endpoints: >
@@ -100,7 +100,7 @@ jobs:
      SHELL: /bin/bash
    steps:
    - name: Harden Runner
-      uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423
+      uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
      with:
        egress-policy: block
        allowed-endpoints: >
@@ -138,7 +138,7 @@ jobs:
      SHELL: /bin/bash
    steps:
    - name: Harden Runner
-      uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423
+      uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
      with:
        egress-policy: block
        allowed-endpoints: >
@@ -176,7 +176,7 @@ jobs:
      SHELL: /bin/bash
    steps:
    - name: Harden Runner
-      uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423
+      uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
      with:
        egress-policy: block
        allowed-endpoints: >
@@ -216,7 +216,7 @@ jobs:
      SHELL: /bin/bash
    steps:
    - name: Harden Runner
-      uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423
+      uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
      with:
        egress-policy: block
        allowed-endpoints: >
diff --git a/Makefile b/Makefile
index d5ec11ea6..5b9335127 100644
--- a/Makefile
+++ b/Makefile
@@ -235,6 +235,7 @@ endif
        install -m 0644 -t $(DESTDIR)$(docdir) COPYING README RELNOTES etc/templates/*
        # profiles and settings
        install -m 0755 -d $(DESTDIR)$(sysconfdir)/firejail
+        install -m 0755 -d $(DESTDIR)$(sysconfdir)/firejail/firecfg.d
        install -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail src/firecfg/firecfg.config
        install -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail etc/profile-a-l/*.profile etc/profile-m-z/*.profile etc/inc/*.inc etc/net/*.net etc/firejail.config
        sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"
diff --git a/README b/README
index 2514cdeeb..c9d44d9ed 100644
--- a/README
+++ b/README
@@ -125,6 +125,7 @@ Aleksey Manevich (https://github.com/manevich)
 Alexander Gerasiov (https://github.com/gerasiov)
        - read-only ~/.ssh/authorized_keys
        - profile updates
+        - fcopy: Use lstat when copy directory
 Alexander Stein (https://github.com/ajstein)
        - added profile for qutebrowser
 alkim0 (https://github.com/alkim0)
@@ -169,6 +170,8 @@ aoand (https://github.com/aoand)
        - seccomp fix: allow numeric syscalls
 Arne Welzel (https://github.com/awelzel)
        - ignore SIGTTOU during flush_stdin()
+archaon616 (https://github.com/archaon616)
+        - steam.profile: Allow Factorio
 Atrate (https://github.com/Atrate)
        - BetterDiscord support
 Austin Morton (https://github.com/apmorton)
@@ -284,6 +287,8 @@ Christian Stadelmann (https://github.com/genodeftest)
        - evolution profile fix
 Clayton Williams (https://github.com/gosre)
        - addition of RLIMIT_AS
+CodeWithMa (https://github.com/CodeWithMa)
+        - mpv.profile: add new XDG_STATE_HOME path
 corecontingency (https://https://github.com/corecontingency)
        - tighten private-bin and etc for torbrowser-launcher.profile
        - added i2prouter profile
@@ -350,6 +355,10 @@ David Hyrule (https://github.com/Svaag)
        - remove nou2f in ssh profile
 Deelvesh Bunjun (https://github.com/DeelveshBunjun)
        - added xpdf profile
+DefaultUser (https://github.com/DefaultUser)
+        - neochat: Allow netlink
+Denis Subbotin (https://github.com/mr-tron)
+        - telegram.profile: allow ~/.local/share/telegram-desktop
 Denys Havrysh (https://github.com/vutny)
        - update SkypeForLinux profile for latest version
        - removed outdated Skype profile
@@ -372,6 +381,7 @@ dmfreemon (https://github.com/dmfreemon)
        - handle malloc() failures; use gnu_basename() instead of basenaem()
 Dmitriy Chestnykh (https://github.com/chestnykh)
        - add ability to disable user profiles at compile time
+        - lookup xauth in PATH
 Dpeta (https://github.com/Dpeta)
        - add Chatterino profile
 dshmgh (https://github.com/dshmgh)
@@ -466,6 +476,9 @@ Fred-Barclay (https://github.com/Fred-Barclay)
        - added Catfish profile
 Frederik Olesen (https://github.com/Freso)
        - added many vim profiles
+Frostbyte4664 (https://github.com/Frostbyte4664)
+        - steam.profile: Allow Baba Is You
+        - blender-3.6 redirect
 g3ngr33n (https://github.com/g3ngr33n)
        - fix musl compilation
 G4JC (https://sourceforge.net/u/gaming4jc/profile/)
@@ -498,6 +511,8 @@ glitsj16 (https://github.com/glitsj16)
        - new profiles: lzip, artha, nitroshare, nitroshare-cli, nitroshare-nmh
        - new profiles: nirtoshare-send, nitroshare-ui, mencoder, gnome-pie
        - new profiles: masterpdfeditor
+glu8716 (https://github.com/glu8716)
+        - nicotine: support Fcitx and dconf via dbus-user filter
 gm10 (https://github.com/gm10)
        - get_user() do not use the unreliable getlogin()
 GovanifY (https://github.com/GovanifY)
@@ -515,6 +530,7 @@ GSI (https://github.com/GSI)
        - added Uzbl browser profile
 haarp (https://github.com/haarp)
        - Allow sound for hexchat
+        - discord-common.profile: harden & allow notifications 
 hamzadis (https://github.com/hamzadis)
        - added --overlay-named=name and --overlay-path=path
 Hans-Christoph Steiner (https://github.com/eighthave)
@@ -643,6 +659,8 @@ jrabe (https://github.com/jrabe)
        - Polari profile
        - qTox profile
        - X11 fixes
+jtrv (https://github.com/jtrv)
+        - tidal-hifi profile
 juan (https://github.com/nyancat18)
        - fixed Kdenlive, Shotcut profiles
        - new profiles for Cinelerra, Cliqz, Bluefish
@@ -691,6 +709,8 @@ kuesji koesnu (https://github.com/kuesji)
        - better parser for size strings
 Kunal Mehta (https://github.com/legoktm)
        - converted all links to https in manpages
+kzsa (https://github.com/kzsa)
+        - wusc: add /usr/share/locale-langpack (LC_MESSAGES)
 laniakea64 (https://github.com/laniakea64)
        - added fj-mkdeb.py script to build deb packages
 Lari Rauno (https://github.com/tuutti)
@@ -706,6 +726,8 @@ layderv (https://github.com/layderv)
 lecso7 (https://github.com/lecso7)
        - added goldendict profile
        - allow evince to read .cbz file format
+leukimi (https://github.com/leukimi)
+        - 0ad.profile: fix libmozjs error on OpenSUSE Tumbleweed
 Loïc Damien (https://github.com/dzamlo)
        - small fixes
 Liorst4 (https://github.com/Liorst4)
@@ -730,12 +752,15 @@ Madura A (https://github.com/manushanga)
 mahdi1234 (https://github.com/mahdi1234)
        - cherrytree profile
        - Seamonkey profiles
+mammo0 (https://github.com/mammo0)
+        - remove 'text/plain' from firejail-profile.lang.in
 Manuel Dipolt (https://github.com/xeniter)
        - stack alignment for the ARM Architecture
 Marek Küthe (https://github.com/marek22k)
        - allow loading plugins in gajim
        - allow bsfilter in email-common.profile
        - email-common.profile: allow clamav plugin for claws-mail
+        - VSCodium: Fix developing Arduino
 Martin Carpenter (https://github.com/mcarpenter)
        - security audit and bug fixes
        - Centos 6.x support
@@ -824,6 +849,9 @@ Nikos Chantziaras (https://github.com/realnc)
        - fix audio support for Discord
 nolanl (https://github.com/nolanl)
        - added localtime to signal-desktop's profile
+nutta-git (https://github.com/nutta-git)
+        - steam.profile: allow process_vm_readv syscall
+        - lutris.profile: allow more syscalls
 nyancat18 (https://github.com/nyancat18)
        - added ardour4, dooble, karbon, krita profiles
 nya1 (https://github.com/nya1)
@@ -1194,6 +1222,9 @@ Vadim A. Misbakh-Soloviov (https://github.com/msva)
 ValdikSS (https://github.com/ValdikSS)
        - Psi+, Corebird, Konversation profiles
        - various profile fixes
+Varun Sharma (https://github.com/varunsh-coder)
+        - update allowed endpoints
+        - build(deps): bump step-security/harden-runner from 2.5.0 to 2.5.1 
 Vasya Novikov (https://github.com/vn971)
        - Wesnoth profile
        - Hedegewars profile
diff --git a/RELNOTES b/RELNOTES
index b81ae74c4..02d9259a9 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -22,12 +22,15 @@ firejail (0.9.73) baseline; urgency=low
  * modif: improve errExit error messages (#5871)
  * modif: drop deprecated 'shell' option references (#5894)
  * modif: keep pipewire group unless nosound is used (#5992 #5993)
+  * modif: Lookup xauth in PATH (#6006 #6087)
  * bugfix: qutebrowser: links will not open in the existing instance (#5601
    #5618)
  * bugfix: fix --hostname and --hosts-file commands
  * bugfix: arp.c: ensure positive timeout on select(2) (#5806)
  * bugfix: Wrong syscall names for s390_pci_mmio_read and s390_pci_mmio_write
    (#5965 #5976)
+  * bugfix: firejail --ls reports wrong file sizes for large files (#5982
+    #6086)
  * build: auto-generate syntax files (#5627)
  * build: mark all phony targets as such (#5637)
  * build: mkdeb.sh: pass all arguments to ./configure (#5654)
@@ -46,6 +49,7 @@ firejail (0.9.73) baseline; urgency=low
  * build: firecfg.config sorting improvements (#5942)
  * build: codespell improvements (#5955)
  * build: add missing makefile dep & syntax improvements (#5956)
+  * build: sort.py: use case-sensitive sorting (#6070)
  * ci: always update the package db before installing packages (#5742)
  * ci: fix codeql unable to download its own bundle (#5783)
  * ci: split configure/build/install commands on gitlab (#5784)
@@ -57,6 +61,8 @@ firejail (0.9.73) baseline; urgency=low
  * ci: whitelist paths, reorganize workflows & speed-up tests (#5960)
  * ci: fix dependabot duplicated workflow runs (#5984)
  * ci: allow running workflows manually (#6026)
+  * contrib/syntax: remove 'text/plain' from firejail-profile.lang.in (#6057
+    #6059)
  * contrib/vim: match profile files more broadly (#5850)
  * test: split individual test groups in github workflows
  * test: add chroot, appimage and network tests in github workflows
diff --git a/contrib/sort.py b/contrib/sort.py
index cdeecf99b..a827e20ba 100755
--- a/contrib/sort.py
+++ b/contrib/sort.py
@@ -15,8 +15,8 @@ Usage: {path.basename(argv[0])} [/path/to/profile ...]
 The following commands are supported:
-    private-bin, private-etc, private-lib, caps.drop, caps.keep, seccomp.drop,
+    private-bin, private-etc, private-lib, caps.drop, caps.keep, seccomp,
-    seccomp.drop, protocol
+    seccomp.drop, seccomp.keep, protocol
 Note that this is only applicable to commands that support multiple arguments.
@@ -38,7 +38,7 @@ Exit Codes:
 def sort_alphabetical(original_items):
    items = original_items.split(",")
-    items.sort(key=str.casefold)
+    items.sort()
    return ",".join(items)
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index 264fc29b2..55aabbc73 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -192,6 +192,7 @@ blacklist ${HOME}/.VirtualBox
 blacklist ${HOME}/VirtualBox VMs
 # GNOME Boxes
+blacklist ${HOME}/.cache/gnome-boxes
 blacklist ${HOME}/.config/gnome-boxes
 blacklist ${HOME}/.local/share/gnome-boxes
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index e013872df..13b4b2078 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -22,7 +22,6 @@ blacklist ${HOME}/.Steampid
 blacklist ${HOME}/.TelegramDesktop
 blacklist ${HOME}/.VSCodium
 blacklist ${HOME}/.ViberPC
-blacklist ${HOME}/.VirtualBox
 blacklist ${HOME}/.WebStorm*
 blacklist ${HOME}/.Wolfram Research
 blacklist ${HOME}/.ZAP
@@ -125,7 +124,6 @@ blacklist ${HOME}/.cache/geeqie
 blacklist ${HOME}/.cache/gegl-0.4
 blacklist ${HOME}/.cache/gfeeds
 blacklist ${HOME}/.cache/gimp
-blacklist ${HOME}/.cache/gnome-boxes
 blacklist ${HOME}/.cache/gnome-builder
 blacklist ${HOME}/.cache/gnome-control-center
 blacklist ${HOME}/.cache/gnome-recipes
@@ -223,6 +221,7 @@ blacklist ${HOME}/.cache/supertuxkart
 blacklist ${HOME}/.cache/systemsettings
 blacklist ${HOME}/.cache/telepathy
 blacklist ${HOME}/.cache/thunderbird
+blacklist ${HOME}/.cache/tiny-rdm
 blacklist ${HOME}/.cache/torbrowser
 blacklist ${HOME}/.cache/transmission
 blacklist ${HOME}/.cache/ueberzugpp
@@ -347,10 +346,10 @@ blacklist ${HOME}/.config/Slack
 blacklist ${HOME}/.config/Standard Notes
 blacklist ${HOME}/.config/SubDownloader
 blacklist ${HOME}/.config/Thunar
+blacklist ${HOME}/.config/TinyRDM
 blacklist ${HOME}/.config/Twitch
 blacklist ${HOME}/.config/Unknown Organization
 blacklist ${HOME}/.config/VSCodium
-blacklist ${HOME}/.config/VirtualBox
 blacklist ${HOME}/.config/Whalebird
 blacklist ${HOME}/.config/Wire
 blacklist ${HOME}/.config/Youtube
@@ -559,7 +558,6 @@ blacklist ${HOME}/.config/mpDris2
 blacklist ${HOME}/.config/mpd
 blacklist ${HOME}/.config/mps-youtube
 blacklist ${HOME}/.config/mpv
-blacklist ${HOME}/.config/msmtp
 blacklist ${HOME}/.config/mullvad-browser-flags.conf
 blacklist ${HOME}/.config/mupen64plus
 blacklist ${HOME}/.config/mutt
@@ -939,7 +937,6 @@ blacklist ${HOME}/.local/share/geeqie
 blacklist ${HOME}/.local/share/ghostwriter
 blacklist ${HOME}/.local/share/gitg
 blacklist ${HOME}/.local/share/gnome-2048
-blacklist ${HOME}/.local/share/gnome-boxes
 blacklist ${HOME}/.local/share/gnome-builder
 blacklist ${HOME}/.local/share/gnome-chess
 blacklist ${HOME}/.local/share/gnome-klotski
@@ -1019,6 +1016,7 @@ blacklist ${HOME}/.local/share/orage
 blacklist ${HOME}/.local/share/org.kde.gwenview
 blacklist ${HOME}/.local/share/pix
 blacklist ${HOME}/.local/share/plasma_notes
+blacklist ${HOME}/.local/share/pnpm
 blacklist ${HOME}/.local/share/profanity
 blacklist ${HOME}/.local/share/psi
 blacklist ${HOME}/.local/share/psi+
@@ -1084,7 +1082,6 @@ blacklist ${HOME}/.mp3splt-gtk
 blacklist ${HOME}/.mpd
 blacklist ${HOME}/.mpdconf
 blacklist ${HOME}/.mplayer
-blacklist ${HOME}/.msmtprc
 blacklist ${HOME}/.mullvad/mullvadbrowser
 blacklist ${HOME}/.multimc5
 blacklist ${HOME}/.nanorc
@@ -1233,7 +1230,6 @@ blacklist ${RUNUSER}/*firefox*
 blacklist ${RUNUSER}/akonadi
 blacklist ${RUNUSER}/psd/*firefox*
 blacklist ${RUNUSER}/qutebrowser
-blacklist /etc/msmtprc
 blacklist /etc/ssmtp
 blacklist /tmp/.wine-*
 blacklist /tmp/akonadi-*
diff --git a/etc/profile-a-l/ani-cli.profile b/etc/profile-a-l/ani-cli.profile
index afd76282c..76db2986d 100644
--- a/etc/profile-a-l/ani-cli.profile
+++ b/etc/profile-a-l/ani-cli.profile
@@ -33,7 +33,7 @@ notv
 disable-mnt
 private-bin ani-cli,aria2c,cat,cp,curl,cut,ffmpeg,fzf,grep,head,mkdir,mktemp,mv,nl,nohup,patch,printf,rm,rofi,sed,sh,sort,tail,tput,tr,uname,wc
 #private-cache
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg
+private-etc X11,alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,xdg
 private-tmp
 # Redirect
diff --git a/etc/profile-a-l/clamtk.profile b/etc/profile-a-l/clamtk.profile
index 9fc73ee55..7651c5d32 100644
--- a/etc/profile-a-l/clamtk.profile
+++ b/etc/profile-a-l/clamtk.profile
@@ -1,4 +1,5 @@
 # Firejail profile for clamtk
+# Description: Easy to use, light-weight, on-demand virus scanner for Linux systems
 # This file is overwritten after every install/update
 # Persistent local customizations
 include clamtk.local
@@ -7,15 +8,22 @@ include globals.local
 include disable-exec.inc
+# Add the below lines to your clamtk.local if you update signatures databases per-user:
+#ignore net none
+#netfilter
+#protocol inet,inet6
 caps.drop all
 ipc-namespace
 net none
 no3d
 nodvd
-nogroups
+# nogroups breaks scanning
+#nogroups
 noinput
 nonewprivs
-noroot
+# noroot breaks scanning
+#noroot
 nosound
 notv
 nou2f
@@ -25,7 +33,9 @@ seccomp
 private-dev
-dbus-user none
+dbus-user filter
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.gtk.vfs.UDisks2VolumeMonitor
 dbus-system none
 restrict-namespaces
diff --git a/etc/profile-a-l/discord-canary.profile b/etc/profile-a-l/discord-canary.profile
index b67729301..acf0281d9 100644
--- a/etc/profile-a-l/discord-canary.profile
+++ b/etc/profile-a-l/discord-canary.profile
@@ -12,7 +12,7 @@ whitelist ${HOME}/.config/discordcanary
 whitelist /opt/DiscordCanary
 whitelist /opt/discord-canary
-private-bin discord-canary,DiscordCanary
+private-bin DiscordCanary,discord-canary
 # Redirect
 include discord-common.profile
diff --git a/etc/profile-a-l/discord-ptb.profile b/etc/profile-a-l/discord-ptb.profile
index a657c52b5..82b33174c 100644
--- a/etc/profile-a-l/discord-ptb.profile
+++ b/etc/profile-a-l/discord-ptb.profile
@@ -12,7 +12,7 @@ whitelist ${HOME}/.config/discordptb
 whitelist /opt/DiscordPTB
 whitelist /opt/discord
-private-bin discord-ptb,DiscordPTB
+private-bin DiscordPTB,discord-ptb
 # Redirect
 include discord-common.profile
diff --git a/etc/profile-a-l/discord.profile b/etc/profile-a-l/discord.profile
index a4fcae5b8..9776b41d5 100644
--- a/etc/profile-a-l/discord.profile
+++ b/etc/profile-a-l/discord.profile
@@ -11,8 +11,9 @@ mkdir ${HOME}/.config/discord
 whitelist ${HOME}/.config/discord
 whitelist /opt/Discord
 whitelist /opt/discord
+whitelist /usr/share/discord
-private-bin discord,Discord
+private-bin Discord,discord
 # Redirect
 include discord-common.profile
diff --git a/etc/profile-a-l/display.profile b/etc/profile-a-l/display.profile
index 40e19dfc3..53ed90e9c 100644
--- a/etc/profile-a-l/display.profile
+++ b/etc/profile-a-l/display.profile
@@ -40,7 +40,7 @@ private-bin display,python*
 private-dev
 # On Debian-based systems, display is a symlink in /etc/alternatives
 private-etc ImageMagick-6,ImageMagick-7
-private-lib gcc/*/*/libgcc_s.so.*,gcc/*/*/libgomp.so.*,ImageMagick*,libfreetype.so.*,libltdl.so.*,libMagickWand-*.so.*,libXext.so.*
+private-lib ImageMagick*,gcc/*/*/libgcc_s.so.*,gcc/*/*/libgomp.so.*,libMagickWand-*.so.*,libXext.so.*,libfreetype.so.*,libltdl.so.*
 private-tmp
 dbus-user none
diff --git a/etc/profile-a-l/enpass.profile b/etc/profile-a-l/enpass.profile
index 93929c6ea..62e9d42ac 100644
--- a/etc/profile-a-l/enpass.profile
+++ b/etc/profile-a-l/enpass.profile
@@ -52,7 +52,7 @@ protocol unix,inet,inet6,netlink
 seccomp
 tracelog
-private-bin dirname,Enpass,importer_enpass,readlink,sh
+private-bin Enpass,dirname,importer_enpass,readlink,sh
 ?HAS_APPIMAGE: ignore private-dev
 private-dev
 private-opt Enpass
diff --git a/etc/profile-a-l/fbreader.profile b/etc/profile-a-l/fbreader.profile
index 434371aee..5906085de 100644
--- a/etc/profile-a-l/fbreader.profile
+++ b/etc/profile-a-l/fbreader.profile
@@ -33,7 +33,7 @@ novideo
 protocol unix,inet,inet6
 seccomp
-private-bin fbreader,FBReader
+private-bin FBReader,fbreader
 private-dev
 private-tmp
diff --git a/etc/profile-a-l/fluffychat.profile b/etc/profile-a-l/fluffychat.profile
index abc5979da..1c5db09e9 100644
--- a/etc/profile-a-l/fluffychat.profile
+++ b/etc/profile-a-l/fluffychat.profile
@@ -60,7 +60,7 @@ disable-mnt
 private-bin firefox,fluffychat,sh,which,zenity
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gconf,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg
+private-etc X11,alsa,alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gconf,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,xdg
 private-tmp
 dbus-user filter
diff --git a/etc/profile-a-l/freshclam.profile b/etc/profile-a-l/freshclam.profile
index 133d66f0d..f59094567 100644
--- a/etc/profile-a-l/freshclam.profile
+++ b/etc/profile-a-l/freshclam.profile
@@ -2,7 +2,7 @@
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations
-include clamav.local
+include freshclam.local
 # Persistent global definitions
 include globals.local
diff --git a/etc/profile-a-l/hugin.profile b/etc/profile-a-l/hugin.profile
index c4085cf9c..683e1b5f7 100644
--- a/etc/profile-a-l/hugin.profile
+++ b/etc/profile-a-l/hugin.profile
@@ -38,7 +38,7 @@ novideo
 protocol unix
 seccomp
-private-bin align_image_stack,autooptimiser,calibrate_lens_gui,celeste_standalone,checkpto,cpclean,cpfind,deghosting_mask,enblend,exiftool,fulla,geocpset,hugin,hugin_executor,hugin_hdrmerge,hugin_lensdb,hugin_stitch_project,icpfind,linefind,nona,pano_modify,pano_trafo,perl,PTBatcherGUI,pto_gen,pto_lensstack,pto_mask,pto_merge,pto_move,pto_template,pto_var,sh,tca_correct,uname,verdandi,vig_optimize
+private-bin PTBatcherGUI,align_image_stack,autooptimiser,calibrate_lens_gui,celeste_standalone,checkpto,cpclean,cpfind,deghosting_mask,enblend,exiftool,fulla,geocpset,hugin,hugin_executor,hugin_hdrmerge,hugin_lensdb,hugin_stitch_project,icpfind,linefind,nona,pano_modify,pano_trafo,perl,pto_gen,pto_lensstack,pto_mask,pto_merge,pto_move,pto_template,pto_var,sh,tca_correct,uname,verdandi,vig_optimize
 private-cache
 private-dev
 private-tmp
diff --git a/etc/profile-a-l/lobster.profile b/etc/profile-a-l/lobster.profile
index f9dc4f60c..367f69743 100644
--- a/etc/profile-a-l/lobster.profile
+++ b/etc/profile-a-l/lobster.profile
@@ -44,7 +44,7 @@ notv
 disable-mnt
 private-bin base64,bash,cat,command,curl,cut,date,dirname,echo,ffmpeg,ffprobe,find,fzf,grep,head,hxunent,ln,lobster,ls,mkdir,mkfifo,nano,nohup,openssl,patch,pgrep,ps,rm,rofi,sed,sh,sleep,socat,tail,tee,tput,tr,ueberzugpp,uname,uuidgen,vim,wc
 #private-cache
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg
+private-etc X11,alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,xdg
 private-tmp
 # Redirect
diff --git a/etc/profile-a-l/lutris.profile b/etc/profile-a-l/lutris.profile
index c3497c3bd..0462cb503 100644
--- a/etc/profile-a-l/lutris.profile
+++ b/etc/profile-a-l/lutris.profile
@@ -11,6 +11,7 @@ noblacklist ${HOME}/Games
 noblacklist ${HOME}/.cache/lutris
 noblacklist ${HOME}/.cache/wine
 noblacklist ${HOME}/.cache/winetricks
+noblacklist ${HOME}/.config/MangoHud
 noblacklist ${HOME}/.config/lutris
 noblacklist ${HOME}/.local/share/lutris
 #noblacklist ${HOME}/.wine
@@ -45,6 +46,7 @@ whitelist ${HOME}/Games
 whitelist ${HOME}/.cache/lutris
 whitelist ${HOME}/.cache/wine
 whitelist ${HOME}/.cache/winetricks
+whitelist ${HOME}/.config/MangoHud
 whitelist ${HOME}/.config/lutris
 whitelist ${HOME}/.local/share/lutris
 #whitelist ${HOME}/.wine
@@ -69,7 +71,7 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6,netlink
-seccomp !modify_ldt
+seccomp !clone3,!modify_ldt,!process_vm_readv,!ptrace
 seccomp.32 !modify_ldt
 # Add the next line to your lutris.local if you do not need controller support.
diff --git a/etc/profile-m-z/QMediathekView.profile b/etc/profile-m-z/QMediathekView.profile
index dd5639268..853b6ae52 100644
--- a/etc/profile-m-z/QMediathekView.profile
+++ b/etc/profile-m-z/QMediathekView.profile
@@ -72,7 +72,7 @@ seccomp
 tracelog
 disable-mnt
-private-bin mplayer,mpv,QMediathekView,smplayer,totem,vlc,xplayer
+private-bin QMediathekView,mplayer,mpv,smplayer,totem,vlc,xplayer
 private-cache
 private-dev
 private-etc @tls-ca
diff --git a/etc/profile-m-z/QOwnNotes.profile b/etc/profile-m-z/QOwnNotes.profile
index eed839041..e7dba9cd5 100644
--- a/etc/profile-m-z/QOwnNotes.profile
+++ b/etc/profile-m-z/QOwnNotes.profile
@@ -47,7 +47,7 @@ seccomp
 tracelog
 disable-mnt
-private-bin gio,QOwnNotes
+private-bin QOwnNotes,gio
 private-dev
 private-etc @tls-ca,host.conf
 private-tmp
diff --git a/etc/profile-m-z/Viber.profile b/etc/profile-m-z/Viber.profile
index fe1f9b877..ea7d8bfa7 100644
--- a/etc/profile-m-z/Viber.profile
+++ b/etc/profile-m-z/Viber.profile
@@ -31,7 +31,7 @@ protocol unix,inet,inet6
 seccomp !chroot
 disable-mnt
-private-bin awk,bash,dig,sh,Viber
+private-bin Viber,awk,bash,dig,sh
 private-etc @tls-ca,@x11,mailcap,proxychains.conf
 private-tmp
diff --git a/etc/profile-m-z/XMind.profile b/etc/profile-m-z/XMind.profile
index 97b9d2898..5b8747825 100644
--- a/etc/profile-m-z/XMind.profile
+++ b/etc/profile-m-z/XMind.profile
@@ -31,7 +31,7 @@ protocol unix,inet,inet6
 seccomp
 disable-mnt
-private-bin cp,sh,XMind
+private-bin XMind,cp,sh
 private-tmp
 private-dev
diff --git a/etc/profile-m-z/mov-cli.profile b/etc/profile-m-z/mov-cli.profile
index 8007b887a..1efd1e8f9 100644
--- a/etc/profile-m-z/mov-cli.profile
+++ b/etc/profile-m-z/mov-cli.profile
@@ -26,7 +26,7 @@ notv
 disable-mnt
 private-bin ffmpeg,fzf,mov-cli
 #private-cache
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,magic,magic.mgc,mime.types,nsswitch.conf,pango,passwd,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg
+private-etc X11,alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,magic,magic.mgc,mime.types,nsswitch.conf,pango,passwd,pki,protocols,pulse,resolv.conf,rpc,services,ssl,xdg
 private-tmp
 # Redirect
diff --git a/etc/profile-m-z/mutt.profile b/etc/profile-m-z/mutt.profile
index ab1e0ab02..097ce6e83 100644
--- a/etc/profile-m-z/mutt.profile
+++ b/etc/profile-m-z/mutt.profile
@@ -127,7 +127,7 @@ tracelog
 #disable-mnt
 private-cache
 private-dev
-private-etc @tls-ca,@x11,msmtprc,Mutt,Muttrc,Muttrc.d,gai.conf,gnupg,gnutls,hosts.conf,mail,mailname,nntpserver,terminfo
+private-etc @tls-ca,@x11,Mutt,Muttrc,Muttrc.d,gai.conf,gnupg,gnutls,hosts.conf,mail,mailname,msmtprc,nntpserver,terminfo
 private-tmp
 writable-run-user
 writable-var
diff --git a/etc/profile-m-z/natron.profile b/etc/profile-m-z/natron.profile
index b979e1aee..30dd164b6 100644
--- a/etc/profile-m-z/natron.profile
+++ b/etc/profile-m-z/natron.profile
@@ -30,7 +30,7 @@ nou2f
 protocol unix
 seccomp
-private-bin natron,Natron,NatronRenderer
+private-bin Natron,NatronRenderer,natron
 dbus-user none
 dbus-system none
diff --git a/etc/profile-m-z/neomutt.profile b/etc/profile-m-z/neomutt.profile
index b15e98424..51e2e43bf 100644
--- a/etc/profile-m-z/neomutt.profile
+++ b/etc/profile-m-z/neomutt.profile
@@ -119,7 +119,7 @@ tracelog
 #disable-mnt
 private-cache
 private-dev
-private-etc @tls-ca,@x11,msmtprc,Mutt,Muttrc,Muttrc.d,gnupg,hosts.conf,mail,mailname,neomuttrc,neomuttrc.d,nntpserver
+private-etc @tls-ca,@x11,Mutt,Muttrc,Muttrc.d,gnupg,hosts.conf,mail,mailname,msmtprc,neomuttrc,neomuttrc.d,nntpserver
 private-tmp
 writable-run-user
 writable-var
diff --git a/etc/profile-m-z/nodejs-common.profile b/etc/profile-m-z/nodejs-common.profile
index 4c463521c..f301196c6 100644
--- a/etc/profile-m-z/nodejs-common.profile
+++ b/etc/profile-m-z/nodejs-common.profile
@@ -7,7 +7,7 @@ include nodejs-common.local
 # added by caller profile
 #include globals.local
-# Note: gulp, node-gyp, npm, npx, semver and yarn are all node scripts
+# Note: gulp, node-gyp, npm, npx, pnpm, pnpx, semver and yarn are all node scripts
 # using the `#!/usr/bin/env node` shebang. By sandboxing node the full
 # node.js stack will be firejailed. The only exception is nvm, which is implemented
 # as a sourced shell function, not an executable binary. Hence it is not
@@ -22,6 +22,7 @@ ignore read-only ${HOME}/.npmrc
 ignore read-only ${HOME}/.nvm
 ignore read-only ${HOME}/.yarnrc
+noblacklist ${HOME}/.local/share/pnpm
 noblacklist ${HOME}/.node-gyp
 noblacklist ${HOME}/.npm
 noblacklist ${HOME}/.npmrc
@@ -43,6 +44,7 @@ include disable-xdg.inc
 # If you want whitelisting, change ${HOME}/Projects below to your node projects directory
 # and add the next lines to your nodejs-common.local.
+#mkdir ${HOME}/.local/share/pnpm
 #mkdir ${HOME}/.node-gyp
 #mkdir ${HOME}/.npm
 #mkdir ${HOME}/.npm-packages
@@ -52,6 +54,7 @@ include disable-xdg.inc
 #mkdir ${HOME}/.yarn-config
 #mkdir ${HOME}/.yarncache
 #mkfile ${HOME}/.yarnrc
+#whitelist ${HOME}/.local/share/pnpm
 #whitelist ${HOME}/.node-gyp
 #whitelist ${HOME}/.npm
 #whitelist ${HOME}/.npm-packages
diff --git a/etc/profile-m-z/pnpm.profile b/etc/profile-m-z/pnpm.profile
new file mode 100644
index 000000000..08f88be43
--- /dev/null
+++ b/etc/profile-m-z/pnpm.profile
@@ -0,0 +1,11 @@
+# Firejail profile for pnpm
+# Description: Fast, disk space efficient package manager
+quiet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pnpm.local
+# Persistent global definitions
+include globals.local
+# Redirect
+include nodejs-common.profile
diff --git a/etc/profile-m-z/pnpx.profile b/etc/profile-m-z/pnpx.profile
new file mode 100644
index 000000000..a99d1232a
--- /dev/null
+++ b/etc/profile-m-z/pnpx.profile
@@ -0,0 +1,11 @@
+# Firejail profile for pnpx
+# Description: Part of the Node.js stack
+quiet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pnpx.local
+# Persistent global definitions
+include globals.local
+# Redirect
+include nodejs-common.profile
diff --git a/etc/profile-m-z/postman.profile b/etc/profile-m-z/postman.profile
index c8f00584d..a74b72695 100644
--- a/etc/profile-m-z/postman.profile
+++ b/etc/profile-m-z/postman.profile
@@ -17,7 +17,7 @@ include whitelist-run-common.inc
 protocol unix,inet,inet6,netlink
-private-bin electron,electron[0-9],electron[0-9][0-9],locale,node,Postman,postman,sh
+private-bin Postman,electron,electron[0-9],electron[0-9][0-9],locale,node,postman,sh
 private-etc alternatives,ca-certificates,crypto-policies,fonts,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,nsswitch.conf,pki,resolv.conf,ssl
 # private-opt breaks file-copy-limit, use a whitelist instead of draining RAM
 # https://github.com/netblue30/firejail/discussions/5307
diff --git a/etc/profile-m-z/ppsspp.profile b/etc/profile-m-z/ppsspp.profile
index da16ae912..5ae6ccf04 100644
--- a/etc/profile-m-z/ppsspp.profile
+++ b/etc/profile-m-z/ppsspp.profile
@@ -39,7 +39,7 @@ novideo
 protocol unix,netlink
 seccomp
-private-bin ppsspp,PPSSPP,PPSSPPQt,PPSSPPSDL
+private-bin PPSSPP,PPSSPPQt,PPSSPPSDL,ppsspp
 # Add the next line to your ppsspp.local if you do not need controller support.
 #private-dev
 private-etc @tls-ca,@x11,host.conf
diff --git a/etc/profile-m-z/softmaker-common.profile b/etc/profile-m-z/softmaker-common.profile
index 7ce6748d1..3a3a9062e 100644
--- a/etc/profile-m-z/softmaker-common.profile
+++ b/etc/profile-m-z/softmaker-common.profile
@@ -42,7 +42,7 @@ tracelog
 private-bin freeoffice-planmaker,freeoffice-presentations,freeoffice-textmaker,planmaker18,planmaker18free,presentations18,presentations18free,sh,textmaker18,textmaker18free
 private-cache
 private-dev
-private-etc @tls-ca,fstab,SoftMaker
+private-etc @tls-ca,SoftMaker,fstab
 private-tmp
 dbus-user none
diff --git a/etc/profile-m-z/steam.profile b/etc/profile-m-z/steam.profile
index 34cb3631a..41de746dd 100644
--- a/etc/profile-m-z/steam.profile
+++ b/etc/profile-m-z/steam.profile
@@ -163,7 +163,7 @@ protocol unix,inet,inet6,netlink
 # Add 'ignore seccomp' to your steam.local if you experience this.
 # mount, name_to_handle_at, pivot_root and umount2 are used by Proton >= 5.13
 # (see #4366).
-seccomp !chroot,!mount,!name_to_handle_at,!pivot_root,!ptrace,!umount2
+seccomp !chroot,!mount,!name_to_handle_at,!pivot_root,!process_vm_readv,!ptrace,!umount2
 # process_vm_readv is used by GE-Proton7-18 (see #5185).
 seccomp.32 !process_vm_readv
 # tracelog breaks integrated browser
diff --git a/etc/profile-m-z/telegram.profile b/etc/profile-m-z/telegram.profile
index fa992ad1a..7ed3d98d4 100644
--- a/etc/profile-m-z/telegram.profile
+++ b/etc/profile-m-z/telegram.profile
@@ -46,7 +46,7 @@ seccomp
 seccomp.block-secondary
 disable-mnt
-private-bin bash,sh,telegram,Telegram,telegram-desktop,xdg-open
+private-bin Telegram,bash,sh,telegram,telegram-desktop,xdg-open
 private-cache
 private-dev
 private-etc @tls-ca,@x11,os-release
diff --git a/etc/profile-m-z/tesseract.profile b/etc/profile-m-z/tesseract.profile
index 5babfb8d2..c0293406d 100644
--- a/etc/profile-m-z/tesseract.profile
+++ b/etc/profile-m-z/tesseract.profile
@@ -26,6 +26,7 @@ include whitelist-common.inc
 include whitelist-run-common.inc
 include whitelist-runuser-common.inc
 whitelist /usr/share/tessdata
+whitelist /usr/share/tesseract-ocr
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/tiny-rdm.profile b/etc/profile-m-z/tiny-rdm.profile
new file mode 100644
index 000000000..4134d666c
--- /dev/null
+++ b/etc/profile-m-z/tiny-rdm.profile
@@ -0,0 +1,61 @@
+# Firejail profile for tiny-rdm
+# Description: A Modern Redis GUI Client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tiny-rdm.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.cache/tiny-rdm
+noblacklist ${HOME}/.config/TinyRDM
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-proc.inc
+include disable-shell.inc
+include disable-xdg.inc
+mkdir ${HOME}/.cache/tiny-rdm
+mkdir ${HOME}/.config/TinyRDM
+whitelist ${HOME}/.cache/tiny-rdm
+whitelist ${HOME}/.config/TinyRDM
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noprinters
+noroot
+notv
+nou2f
+novideo
+nosound
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+tracelog
+disable-mnt
+private-bin tiny-rdm
+private-cache
+private-dev
+private-etc @network,@tls-ca,@x11
+private-tmp
+dbus-user none
+dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/transgui.profile b/etc/profile-m-z/transgui.profile
index 9f1f1c241..bac48805c 100644
--- a/etc/profile-m-z/transgui.profile
+++ b/etc/profile-m-z/transgui.profile
@@ -49,7 +49,7 @@ private-bin geoiplookup,geoiplookup6,transgui
 private-cache
 private-dev
 private-etc @network,@tls-ca,@x11
-private-lib libgdk_pixbuf-2.0.so.*,libGeoIP.so*,libgthread-2.0.so.*,libgtk-x11-2.0.so.*,libX11.so.*
+private-lib libGeoIP.so*,libX11.so.*,libgdk_pixbuf-2.0.so.*,libgthread-2.0.so.*,libgtk-x11-2.0.so.*
 private-tmp
 dbus-user none
diff --git a/src/fcopy/main.c b/src/fcopy/main.c
index a56e8a91b..84fe44d73 100644
--- a/src/fcopy/main.c
+++ b/src/fcopy/main.c
@@ -277,7 +277,7 @@ static int fs_copydir(const char *infname, const struct stat *st, int ftype, str
        // don't copy it if we already have the file
        struct stat s;
-        if (stat(outfname, &s) == 0) {
+        if (lstat(outfname, &s) == 0) {
                if (first)
                        first = 0;
                else if (!arg_quiet)
@@ -286,7 +286,7 @@ static int fs_copydir(const char *infname, const struct stat *st, int ftype, str
        }
        // extract mode and ownership
-        if (stat(infname, &s) != 0)
+        if (lstat(infname, &s) != 0)
                goto out;
        uid_t uid = s.st_uid;
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 19c3166fa..558fe51ed 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -834,6 +834,7 @@ thunderbird-beta
 thunderbird-wayland
 tidal-hifi
 tilp
+tiny-rdm
 tor-browser
 tor-browser-ar
 tor-browser-ca
diff --git a/src/firecfg/firecfg.h b/src/firecfg/firecfg.h
index 8f74a1198..11e3ebc67 100644
--- a/src/firecfg/firecfg.h
+++ b/src/firecfg/firecfg.h
@@ -37,6 +37,16 @@
 #include "../include/common.h"
 #define MAX_BUF 4096
+// config files
+#define FIRECFG_CFGFILE SYSCONFDIR "/firecfg.config"
+#define FIRECFG_CONF_GLOB SYSCONFDIR "/firecfg.d/*.conf"
+// programs
+#define FIREJAIL_EXEC PREFIX "/bin/firejail"
+#define FIREJAIL_WELCOME_SH LIBDIR "/firejail/firejail-welcome.sh"
+#define FZENITY_EXEC        LIBDIR "/firejail/fzenity"
+#define ZENITY_EXEC "/usr/bin/zenity"
+#define SUDO_EXEC "sudo"
 // main.c
 extern int arg_debug;
diff --git a/src/firecfg/main.c b/src/firecfg/main.c
index 4ec81c5b3..604b12633 100644
--- a/src/firecfg/main.c
+++ b/src/firecfg/main.c
@@ -20,6 +20,8 @@
 #include "firecfg.h"
 #include "../include/firejail_user.h"
+#include <glob.h>
 int arg_debug = 0;
 char *arg_bindir = "/usr/local/bin";
 int arg_guide = 0;
@@ -76,10 +78,6 @@ static void list(void) {
                exit(1);
        }
-        char *firejail_exec;
-        if (asprintf(&firejail_exec, "%s/bin/firejail", PREFIX) == -1)
-                errExit("asprintf");
        struct dirent *entry;
        while ((entry = readdir(dir)) != NULL) {
                if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0)
@@ -92,7 +90,7 @@ static void list(void) {
                if (is_link(fullname)) {
                        char* fname = realpath(fullname, NULL);
                        if (fname) {
-                                if (strcmp(fname, firejail_exec) == 0)
+                                if (strcmp(fname, FIREJAIL_EXEC) == 0)
                                        printf("%s\n", fullname);
                                free(fname);
                        }
@@ -101,7 +99,6 @@ static void list(void) {
        }
        closedir(dir);
-        free(firejail_exec);
 }
 static void clean(void) {
@@ -114,10 +111,6 @@ static void clean(void) {
                exit(1);
        }
-        char *firejail_exec;
-        if (asprintf(&firejail_exec, "%s/bin/firejail", PREFIX) == -1)
-                errExit("asprintf");
        struct dirent *entry;
        while ((entry = readdir(dir)) != NULL) {
                if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0)
@@ -130,7 +123,7 @@ static void clean(void) {
                if (is_link(fullname)) {
                        char* fname = realpath(fullname, NULL);
                        if (fname) {
-                                if (strcmp(fname, firejail_exec) == 0) {
+                                if (strcmp(fname, FIREJAIL_EXEC) == 0) {
                                        char *ptr = strrchr(fullname, '/');
                                        assert(ptr);
                                        ptr++;
@@ -147,10 +140,43 @@ static void clean(void) {
        }
        closedir(dir);
-        free(firejail_exec);
        printf("\n");
 }
+#define ignorelist_maxlen 2048
+static const char *ignorelist[ignorelist_maxlen];
+static int ignorelist_len = 0;
+static int append_ignorelist(const char *const str) {
+        assert(str);
+        if (ignorelist_len >= ignorelist_maxlen) {
+                fprintf(stderr, "Warning: Ignore list is full (%d/%d), skipping %s\n",
+                        ignorelist_len, ignorelist_maxlen, str);
+                return 0;
+        }
+        printf("   ignoring '%s'\n", str);
+        const char *const dup = strdup(str);
+        if (!dup)
+                errExit("strdup");
+        ignorelist[ignorelist_len] = dup;
+        ignorelist_len++;
+        return 1;
+}
+static int in_ignorelist(const char *const str) {
+        assert(str);
+        int i;
+        for (i = 0; i < ignorelist_len; i++) {
+                if (strcmp(str, ignorelist[i]) == 0)
+                        return 1;
+        }
+        return 0;
+}
 static void set_file(const char *name, const char *firejail_exec) {
        if (which(name) == 0)
                return;
@@ -165,35 +191,26 @@ static void set_file(const char *name, const char *firejail_exec) {
                if (rv) {
                        fprintf(stderr, "Error: cannot create %s symbolic link\n", fname);
                        perror("symlink");
-                }
+                } else {
-                else
                        printf("   %s created\n", name);
-        }
+                }
-        else {
+        } else {
-          fprintf(stderr, "Warning: cannot create %s - already exists! Skipping...\n", fname);
+                fprintf(stderr, "Warning: cannot create %s - already exists! Skipping...\n", fname);
        }
        free(fname);
 }
-// parse /etc/firejail/firecfg.config file
+// parse a single config file
-static void set_links_firecfg(void) {
+static void set_links_firecfg(const char *cfgfile) {
-        char *cfgfile;
+        printf("Configuring symlinks in %s based on %s\n", arg_bindir, cfgfile);
-        if (asprintf(&cfgfile, "%s/firecfg.config", SYSCONFDIR) == -1)
-                errExit("asprintf");
-        char *firejail_exec;
-        if (asprintf(&firejail_exec, "%s/bin/firejail", PREFIX) == -1)
-                errExit("asprintf");
-        // parse /etc/firejail/firecfg.config file
        FILE *fp = fopen(cfgfile, "r");
        if (!fp) {
                perror("fopen");
                fprintf(stderr, "Error: cannot open %s\n", cfgfile);
                exit(1);
        }
-        printf("Configuring symlinks in %s based on firecfg.config\n", arg_bindir);
        char buf[MAX_BUF];
        int lineno = 0;
@@ -223,13 +240,43 @@ static void set_links_firecfg(void) {
                if (*start == '\0')
                        continue;
+                // handle ignore command
+                if (*start == '!') {
+                        append_ignorelist(start + 1);
+                        continue;
+                }
                // set link
-                set_file(start, firejail_exec);
+                if (!in_ignorelist(start))
+                        set_file(start, FIREJAIL_EXEC);
+                else
+                        printf("   %s ignored\n", start);
        }
        fclose(fp);
-        free(cfgfile);
+        printf("\n");
-        free(firejail_exec);
+}
+// parse all config files matching pattern
+static void set_links_firecfg_glob(const char *pattern) {
+        printf("Looking for config files in %s\n", pattern);
+        glob_t globbuf;
+        int globerr = glob(pattern, 0, NULL, &globbuf);
+        if (globerr == GLOB_NOMATCH) {
+                fprintf(stderr, "No matches for glob pattern %s\n", pattern);
+                goto out;
+        } else if (globerr != 0) {
+                fprintf(stderr, "Warning: Failed to match glob pattern %s: %s\n",
+                        pattern, strerror(errno));
+                goto out;
+        }
+        size_t i;
+        for (i = 0; i < globbuf.gl_pathc; i++)
+                set_links_firecfg(globbuf.gl_pathv[i]);
+out:
+        globfree(&globbuf);
 }
 // parse ~/.config/firejail/ directory
@@ -246,10 +293,6 @@ static void set_links_homedir(const char *homedir) {
                return;
        }
-        char *firejail_exec;
-        if (asprintf(&firejail_exec, "%s/bin/firejail", PREFIX) == -1)
-                errExit("asprintf");
        // parse ~/.config/firejail/ directory
        printf("\nConfiguring symlinks in %s based on local firejail config directory\n", arg_bindir);
@@ -260,6 +303,7 @@ static void set_links_homedir(const char *homedir) {
                free(dirname);
                return;
        }
+        free(dirname);
        struct dirent *entry;
        while ((entry = readdir(dir))) {
@@ -280,12 +324,10 @@ static void set_links_homedir(const char *homedir) {
                }
                *ptr = '\0';
-                set_file(exec, firejail_exec);
+                set_file(exec, FIREJAIL_EXEC);
                free(exec);
        }
        closedir(dir);
-        free(firejail_exec);
 }
 static const char *get_sudo_user(void) {
@@ -449,18 +491,20 @@ int main(int argc, char **argv) {
        }
        if (arg_guide) {
+                const char *zenity_exec;
+                if (arg_debug)
+                        zenity_exec = FZENITY_EXEC;
+                else
+                        zenity_exec = ZENITY_EXEC;
                char *cmd;
-if (arg_debug) {
+                if (asprintf(&cmd, "%s %s %s %s %s",
-                if (asprintf(&cmd, "sudo %s/firejail/firejail-welcome.sh /usr/lib/firejail/fzenity %s %s", LIBDIR, SYSCONFDIR, user) == -1)
+                             SUDO_EXEC, FIREJAIL_WELCOME_SH, zenity_exec, SYSCONFDIR, user) == -1)
                        errExit("asprintf");
-}
-else {
-                if (asprintf(&cmd, "sudo %s/firejail/firejail-welcome.sh /usr/bin/zenity %s %s", LIBDIR, SYSCONFDIR, user) == -1)
-                        errExit("asprintf");
-}
                int status = system(cmd);
                if (status == -1) {
-                        fprintf(stderr, "Error: cannot run firejail-welcome.sh\n");
+                        fprintf(stderr, "Error: cannot run %s\n", FIREJAIL_WELCOME_SH);
                        exit(1);
                }
                free(cmd);
@@ -474,12 +518,15 @@ else {
        // clear all symlinks
        clean();
-        // set new symlinks based on /etc/firejail/firecfg.config
+        // set new symlinks based on .conf files
-        set_links_firecfg();
+        set_links_firecfg_glob(FIRECFG_CONF_GLOB);
+        // set new symlinks based on firecfg.config
+        set_links_firecfg(FIRECFG_CFGFILE);
        if (getuid() == 0) {
                // add user to firejail access database - only for root
-                printf("\nAdding user %s to Firejail access database in %s/firejail.users\n", user, SYSCONFDIR);
+                printf("Adding user %s to Firejail access database in %s/firejail.users\n", user, SYSCONFDIR);
                // temporarily set the umask, access database must be world-readable
                mode_t orig_umask = umask(022);
                firejail_user_add(user);
diff --git a/src/firejail/fs_lib2.c b/src/firejail/fs_lib2.c
index 583888e0e..b43c36c1a 100644
--- a/src/firejail/fs_lib2.c
+++ b/src/firejail/fs_lib2.c
@@ -166,8 +166,12 @@ void fslib_install_firejail(void) {
                fslib_mount_libs(RUN_MNT_DIR "/dhclient", 1); // parse as user
        // bring in xauth libraries
+        char *xauth_bin = find_in_path("xauth");
        if (arg_x11_xorg)
-                fslib_mount_libs("/usr/bin/xauth", 1); // parse as user
+                fslib_mount_libs(xauth_bin, 1); // parse as user
+        free(xauth_bin);
        fmessage("Firejail libraries installed in %0.2f ms\n", timetrace_end());
 }
diff --git a/src/firejail/ls.c b/src/firejail/ls.c
index f2ab1c188..6dc4904fc 100644
--- a/src/firejail/ls.c
+++ b/src/firejail/ls.c
@@ -154,7 +154,7 @@ static void print_file_or_dir(const char *path, const char *fname) {
        // file size
        char *sz;
-        if (asprintf(&sz, "%d", (int) s.st_size) == -1)
+        if (asprintf(&sz, "%jd", (intmax_t) s.st_size) == -1)
                errExit("asprintf");
        // file name
diff --git a/src/firejail/main.c b/src/firejail/main.c
index b39693af7..5bcc3a0e5 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1600,7 +1600,7 @@ int main(int argc, char **argv, char **envp) {
                        arg_trace = 1;
                else if (strncmp(argv[i], "--trace=", 8) == 0) {
                        arg_trace = 1;
-                        arg_tracefile = argv[i] + 8;
+                        arg_tracefile = expand_macros(argv[i] + 8);
                        if (*arg_tracefile == '\0') {
                                fprintf(stderr, "Error: invalid trace option\n");
                                exit(1);
@@ -1610,13 +1610,6 @@ int main(int argc, char **argv, char **envp) {
                                fprintf(stderr, "Error: invalid file name %s\n", arg_tracefile);
                                exit(1);
                        }
-                        // if the filename starts with ~, expand the home directory
-                        if (*arg_tracefile == '~') {
-                                char *tmp;
-                                if (asprintf(&tmp, "%s%s", cfg.homedir, arg_tracefile + 1) == -1)
-                                        errExit("asprintf");
-                                arg_tracefile = tmp;
-                        }
                }
                else if (strcmp(argv[i], "--tracelog") == 0) {
                        if (checkcfg(CFG_TRACELOG))
@@ -1981,20 +1974,13 @@ int main(int argc, char **argv, char **envp) {
                                }
                                // extract chroot dirname
-                                cfg.chrootdir = argv[i] + 9;
+                                cfg.chrootdir = expand_macros(argv[i] + 9);
                                if (*cfg.chrootdir == '\0') {
                                        fprintf(stderr, "Error: invalid chroot option\n");
                                        exit(1);
                                }
                                invalid_filename(cfg.chrootdir, 0); // no globbing
-                                // if the directory starts with ~, expand the home directory
-                                if (*cfg.chrootdir == '~') {
-                                        char *tmp;
-                                        if (asprintf(&tmp, "%s%s", cfg.homedir, cfg.chrootdir + 1) == -1)
-                                                errExit("asprintf");
-                                        cfg.chrootdir = tmp;
-                                }
                                // check chroot directory
                                fs_check_chroot_dir();
                        }
@@ -2776,16 +2762,7 @@ int main(int argc, char **argv, char **envp) {
                else if (strncmp(argv[i], "--netfilter=", 12) == 0) {
                        if (checkcfg(CFG_NETWORK)) {
                                arg_netfilter = 1;
-                                arg_netfilter_file = argv[i] + 12;
+                                arg_netfilter_file = expand_macros(argv[i] + 12);
-                                // expand tilde
-                                if (*arg_netfilter_file == '~') {
-                                        char *tmp;
-                                        if (asprintf(&tmp, "%s%s", cfg.homedir, arg_netfilter_file + 1) == -1)
-                                                errExit("asprintf");
-                                        arg_netfilter_file = tmp;
-                                }
                                check_netfilter_file(arg_netfilter_file);
                        }
                        else
@@ -2795,16 +2772,7 @@ int main(int argc, char **argv, char **envp) {
                else if (strncmp(argv[i], "--netfilter6=", 13) == 0) {
                        if (checkcfg(CFG_NETWORK)) {
                                arg_netfilter6 = 1;
-                                arg_netfilter6_file = argv[i] + 13;
+                                arg_netfilter6_file = expand_macros(argv[i] + 13);
-                                // expand tilde
-                                if (*arg_netfilter6_file == '~') {
-                                        char *tmp;
-                                        if (asprintf(&tmp, "%s%s", cfg.homedir, arg_netfilter6_file + 1) == -1)
-                                                errExit("asprintf");
-                                        arg_netfilter6_file = tmp;
-                                }
                                check_netfilter_file(arg_netfilter6_file);
                        }
                        else
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index e3554eb12..62d3c78e7 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -635,9 +635,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 #ifdef HAVE_NETWORK
                if (checkcfg(CFG_NETWORK)) {
                        arg_netfilter = 1;
-                        arg_netfilter_file = strdup(ptr + 10);
+                        arg_netfilter_file = expand_macros(ptr + 10);
-                        if (!arg_netfilter_file)
-                                errExit("strdup");
                        check_netfilter_file(arg_netfilter_file);
                }
                else
@@ -649,9 +647,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 #ifdef HAVE_NETWORK
                if (checkcfg(CFG_NETWORK)) {
                        arg_netfilter6 = 1;
-                        arg_netfilter6_file = strdup(ptr + 11);
+                        arg_netfilter6_file = expand_macros(ptr + 11);
-                        if (!arg_netfilter6_file)
-                                errExit("strdup");
                        check_netfilter_file(arg_netfilter6_file);
                }
                else
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index 2eaa9bde5..3721a2c2c 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -1164,7 +1164,6 @@ void x11_start(int argc, char **argv) {
 }
 #endif
 void x11_xorg(void) {
 #ifdef HAVE_X11
@@ -1175,31 +1174,38 @@ void x11_xorg(void) {
                exit(1);
        }
+        char *xauth_bin = find_in_path("xauth");
        // check xauth utility is present in the system
-        struct stat s;
+        if (!xauth_bin) {
-        if (stat("/usr/bin/xauth", &s) == -1) {
+                fprintf(stderr, "Error: xauth utility not found in PATH. Please install it:\n");
-                fprintf(stderr, "Error: xauth utility not found in /usr/bin. Please install it:\n");
                fprintf(stderr, "   Debian/Ubuntu/Mint: sudo apt-get install xauth\n");
                fprintf(stderr, "   Arch: sudo pacman -S xorg-xauth\n");
                fprintf(stderr, "   Fedora: sudo dnf install xorg-x11-xauth\n");
                exit(1);
        }
+        struct stat s;
+        if (stat(xauth_bin, &s) == -1) {
+                fprintf(stderr, "Error: %s: %s\n", xauth_bin, strerror(errno));
+                exit(1);
+        }
        if ((s.st_uid != 0 && s.st_gid != 0) || (s.st_mode & S_IWOTH)) {
-                fprintf(stderr, "Error: invalid /usr/bin/xauth executable\n");
+                fprintf(stderr, "Error: invalid %s executable\n", xauth_bin);
                exit(1);
        }
        if (s.st_size > 1024 * 1024) {
-                fprintf(stderr, "Error: /usr/bin/xauth executable is too large\n");
+                fprintf(stderr, "Error: %s executable is too large\n", xauth_bin);
                exit(1);
        }
-        // copy /usr/bin/xauth in the sandbox and set mode to 0711
+        // copy xauth in the sandbox and set mode to 0711
        // users are not able to trace the running xauth this way
        if (arg_debug)
-                printf("Copying /usr/bin/xauth to %s\n", RUN_XAUTH_FILE);
+                printf("Copying %s to %s\n", xauth_bin, RUN_XAUTH_FILE);
-        if (copy_file("/usr/bin/xauth", RUN_XAUTH_FILE, 0, 0, 0711)) {
-                fprintf(stderr, "Error: cannot copy /usr/bin/xauth executable\n");
+        copy_file_from_user_to_root(xauth_bin, RUN_XAUTH_FILE, 0, 0, 0711);
-                exit(1);
-        }
+        free(xauth_bin);
        fmessage("Generating a new .Xauthority file\n");
        mkdir_attr(RUN_XAUTHORITY_SEC_DIR, 0700, getuid(), getgid());
diff --git a/src/fnettrace/static-ip-map.txt b/src/fnettrace/static-ip-map.txt
index aeac58c6a..830df058f 100644
--- a/src/fnettrace/static-ip-map.txt
+++ b/src/fnettrace/static-ip-map.txt
@@ -92,7 +92,7 @@
 8.8.4.0/24 Google DNS
 8.8.8.0/24 Google DNS
 8.20.247.20/32 Comodo DNS
-8.26.56.26/32 Comodo DNS
+8.26.56.0/24 Comodo DNS
 9.9.9.0/24 Quad9 DNS
 45.90.28.0/22 NextDNS
 45.11.45.0/24 DNS-SB
@@ -103,8 +103,7 @@
 76.76.10.0/24 ControlD DNS
 76.76.19.0/24 Alternate DNS
 76.223.122.150/32 Alternate DNS
-77.88.8.8/32 Yandex DNS
+77.88.8.0/24 Yandex DNS
-77.88.8.1/32 Yandex DNS
 80.80.80.0/24 Freenom DNS Cloud
 80.80.81.0/24 Freenom DNS Cloud
 84.200.69.80/32 DSN Watch
@@ -123,8 +122,7 @@
 205.171.3.66/32 CentyrLink DNS
 205.171.202.166/32 CentyrLink DNS
 208.67.216.0/21 OpenDNS
-216.146.35.35/32 Dyn DNS
+216.146.32.0/20 Dyn DNS
-216.146.36.36/32 Dyn DNS
 # whois
 45.88.202.0/24 Anonymize Inc WHOIS Privacy Service
@@ -288,6 +286,7 @@
 192.187.114.96/29 BitChute
 192.187.118.168/29 BitChute
 192.187.121.208/29 BitChute
+192.187.122.72/29 BitChute
 192.187.123.112/29 BitChute
 192.187.126.0/29 BitChute
 198.204.226.120/29 BitChute
diff --git a/src/man/firecfg.1.in b/src/man/firecfg.1.in
index a85fbc5da..e43a573de 100644
--- a/src/man/firecfg.1.in
+++ b/src/man/firecfg.1.in
@@ -29,9 +29,13 @@ Note: The examples use \fBsudo\fR, but \fBdoas\fR is also supported.
 To set it up, run "sudo firecfg" after installing Firejail software.
 The same command should also be run after
 installing new programs. If the program is supported by Firejail, the symbolic link in /usr/local/bin
-will be created. For a full list of programs supported by default run "cat /etc/firejail/firecfg.config".
+will be created.
+.PP
-For user-driven manual integration, see \fBDESKTOP INTEGRATION\fR section in \fBman 1 firejail\fR.
+To configure the list of programs used by firecfg when creating symlinks, see
+\fBFILES\fR and \fBSYNTAX\fR.
+.PP
+For user-driven manual integration, see \fBDESKTOP INTEGRATION\fR section in
+\fBman 1 firejail\fR.
 .SH DEFAULT ACTIONS
 The following actions are implemented by default by running sudo firecfg:
@@ -135,8 +139,53 @@ $ sudo firecfg --clean
 /usr/local/bin/vlc removed
 .br
 [...]
+.SH FILES
+.PP
+Configuration files are searched for and parsed in the following paths:
+.PP
+.RS
+1. /etc/firejail/firecfg.d/*.conf (in alphabetical order)
+.br
+2. /etc/firejail/firecfg.config
+.RE
+.PP
+The programs that are supported by default are listed in
+/etc/firejail/firecfg.config.
+It is recommended to leave it as is and put all customizations inside
+/etc/firejail/firecfg.d/.
+.PP
+Profile files are also searched in the user configuration directory:
+.PP
+.RS
+3. ~/.config/firejail/*.profile
+.RE
+.PP
+For every \fBPROGRAM.profile\fR file found, firecfg attempts to create a
+symlink for "PROGRAM", as if "PROGRAM" was listed in a configuration file.
+.SH SYNTAX
+Configuration file syntax:
+.PP
+A line that starts with \fB#\fR is considered a comment.
+.br
+A line that starts with \fB!PROGRAM\fR means to ignore "PROGRAM" when creating
+symlinks.
+.br
+A line that starts with anything else is considered to be the name of an
+executable and firecfg will attempt to create a symlink for it.
+.PP
+For example, to prevent firecfg from creating symlinks for "firefox" and
+"patch" while attempting to create a symlink for "myprog", the following lines
+could be added to /etc/firejail/firecfg.d/10-my.conf:
+.PP
+.RS
+!firefox
+.br
+!patch
+.br
+.br
+myprog
+.RE
 .SH LICENSE
 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
 .PP