249 files changed, 819 insertions, 526 deletions

diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 000000000..6b329f917
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1 @@
+/etc/inc/*.inc linguist-language=text
diff --git a/.github/workflows/profile-checks.yml b/.github/workflows/profile-checks.yml
new file mode 100644
index 000000000..951a8b8cf
--- /dev/null
+++ b/.github/workflows/profile-checks.yml
@@ -0,0 +1,31 @@
+name: Profile Checks
+
+on:
+  push:
+    branches: [ master ]
+    paths:
+      - 'etc/**'
+      - 'ci/check/profiles/**'
+      - 'src/firecfg/firecfg.config'
+      - 'contrib/sort.py'
+  pull_request:
+    branches: [ master ]
+    paths:
+      - 'etc/**'
+      - 'ci/check/profiles/**'
+      - 'src/firecfg/firecfg.config'
+      - 'contrib/sort.py'
+
+jobs:
+  profile-checks:
+    runs-on: ubuntu-20.04
+    steps:
+    - uses: actions/checkout@v2
+    - name: sort.py
+      run: ./ci/check/profiles/sort.py etc/inc/*.inc etc/{profile-a-l,profile-m-z}/*.profile
+    - name: private-etc-always-required.sh
+      run: ./ci/check/profiles/private-etc-always-required.sh etc/inc/*.inc etc/{profile-a-l,profile-m-z}/*.profile
+    - name: sort-disable-programs.sh
+      run: ./ci/check/profiles/sort-disable-programs.sh etc/inc/disable-programs.inc
+    - name: sort-firecfg.config.sh
+      run: ./ci/check/profiles/sort-firecfg.config.sh src/firecfg/firecfg.config
diff --git a/.github/workflows/sort.yml b/.github/workflows/sort.yml
deleted file mode 100644
index cfa40d2d2..000000000
--- a/.github/workflows/sort.yml
+++ /dev/null
@@ -1,21 +0,0 @@
-name: sort.py
-
-on:
-  push:
-    branches: [ master ]
-    paths:
-      - 'etc/**'
-      - 'contrib/sort.py'
-  pull_request:
-    branches: [ master ]
-    paths:
-      - 'etc/**'
-      - 'contrib/sort.py'
-
-jobs:
-  profile-sort:
-    runs-on: ubuntu-20.04
-    steps:
-    - uses: actions/checkout@v2
-    - name: check profiles
-      run: ./contrib/sort.py etc/*/{*.inc,*.profile}
diff --git a/Makefile.in b/Makefile.in
index 11193122d..ddc63c1af 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -116,7 +116,7 @@ endif
         install -m 0755 src/jailcheck/jailcheck $(DESTDIR)$(bindir)
         # libraries and plugins
         install -m 0755 -d $(DESTDIR)$(libdir)/firejail
-        install -m 0644 -t $(DESTDIR)$(libdir)/firejail $(MYLIBS) $(SECCOMP_FILTERS) src/firecfg/firecfg.config
+        install -m 0644 -t $(DESTDIR)$(libdir)/firejail $(MYLIBS) $(SECCOMP_FILTERS)
         install -m 0755 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS)
         # plugins w/o read permission (non-dumpable)
         install -m 0711 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS_NON_DUMPABLE)
@@ -135,6 +135,7 @@ endif
         install -m 0644 -t $(DESTDIR)$(DOCDIR) COPYING README RELNOTES etc/templates/*
         # profiles and settings
         install -m 0755 -d $(DESTDIR)$(sysconfdir)/firejail
+        install -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail src/firecfg/firecfg.config
         install -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail etc/profile-a-l/*.profile etc/profile-m-z/*.profile etc/inc/*.inc etc/net/*.net etc/firejail.config etc/ids.config
         sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"
 ifeq ($(BUSYBOX_WORKAROUND),yes)
diff --git a/README b/README
index 6a260a330..c6db6b6a5 100644
--- a/README
+++ b/README
@@ -467,6 +467,8 @@ hhzek0014 (https://github.com/hhzek0014)
         - updated bibletime.profile
 hlein (https://github.com/hlein)
         - strip out \r's from jail prober
+        - make env/arg sanity check failure messages more useful
+        - relocate firecfg.config to /etc/firejail/
 Holger Heinz (https://github.com/hheinz)
         - manpage work
 Haowei Yu (https://github.com/sfc-gh-hyu)
diff --git a/README.md b/README.md
index cf9d9563e..2bd3c9fb4 100644
--- a/README.md
+++ b/README.md
@@ -96,7 +96,7 @@ https://unparalleled.eu/blog/2021/20210208-rigged-race-against-firejail-for-loca
 
 Try installing Firejail from your system packages first. Firejail is included in Alpine, ALT Linux, Arch, Artix, Chakra, Debian, Deepin, Devuan, Fedora, Gentoo, Manjaro, Mint, NixOS, Parabola, Parrot, PCLinuxOS, ROSA, Solus, Slackware/SlackBuilds, Trisquel, Ubuntu, Void and possibly others.
 
-The firejail 0.9.52-LTS version is deprecated. On Ubuntu 18.04 LTS users are advised to use the [PPA](https://launchpad.net/~deki/+archive/ubuntu/firejail). On Debian buster we recommend to use the [backports](https://packages.debian.org/buster-backports/firejail) package.
+The firejail 0.9.52-LTS version is deprecated. On Ubuntu 18.04 LTS users are advised to use the [PPA](https://launchpad.net/~deki/+archive/ubuntu/firejail). On Debian stable (bullseye) we recommend to use the [backports](https://packages.debian.org/bullseye-backports/firejail) package.
 
 You can also install one of the [released packages](http://sourceforge.net/projects/firejail/files/firejail), or clone Firejail’s source code from our Git repository and compile manually:
 
@@ -150,7 +150,7 @@ PulseAudio changes.
 Start your programs the way you are used to: desktop manager menus, file manager, desktop launchers.
 The integration applies to any program supported by default by Firejail. There are about 250 default applications
 in current Firejail version, and the number goes up with every new release.
-We keep the application list in [/usr/lib/firejail/firecfg.config](https://github.com/netblue30/firejail/blob/master/src/firecfg/firecfg.config) file.
+We keep the application list in [/etc/firejail/firecfg.config](https://github.com/netblue30/firejail/blob/master/src/firecfg/firecfg.config) file.
 
 ## Security profiles
 
@@ -248,4 +248,4 @@ $ ./profstats *.profile
 ### New profiles:
 
 clion-eap, lifeograph, io.github.lainsce.Notejot, rednotebook, zim, microsoft-edge-beta, ncdu2, gallery-dl, yt-dlp, goldendict, bundle,
-cmake, make, meson, pip, codium
+cmake, make, meson, pip, codium, telnet, ftp
diff --git a/RELNOTES b/RELNOTES
index 3f92c89c7..9ff0bf5bb 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -10,7 +10,7 @@ firejail (0.9.67) baseline; urgency=low
   * new profiles: microsoft-edge-beta, clion-eap, lifeograph, zim
   * new profiles: io.github.lainsce.Notejot, rednotebook, gallery-dl
   * new profiles: yt-dlp, goldendict, goldendict, bundle, cmake
-  * new profiles: make, meson, pip, codium
+  * new profiles: make, meson, pip, codium, telnet, ftp
  -- netblue30 <netblue30@yahoo.com>  Thu, 29 Jul 2021 09:00:00 -0500
 
 firejail (0.9.66) baseline; urgency=low
diff --git a/ci/check/profiles/private-etc-always-required.sh b/ci/check/profiles/private-etc-always-required.sh
new file mode 100755
index 000000000..892b15aa4
--- /dev/null
+++ b/ci/check/profiles/private-etc-always-required.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+ALWAYS_REQUIRED=(alternatives ld.so.cache ld.so.preload)
+
+error=0
+while IFS=: read -r profile private_etc; do
+        for required in "${ALWAYS_REQUIRED[@]}"; do
+                if grep -q -v -E "( |,)$required(,|$)" <<<"$private_etc"; then
+                        printf '%s misses %s\n' "$profile" "$required" >&2
+                        error=1
+                fi
+        done
+done < <(grep "^private-etc " "$@")
+
+exit "$error"
diff --git a/ci/check/profiles/sort-disable-programs.sh b/ci/check/profiles/sort-disable-programs.sh
new file mode 100755
index 000000000..d81ee75d7
--- /dev/null
+++ b/ci/check/profiles/sort-disable-programs.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+tail -n +5 "$1" | LC_ALL=C sort -c -u
diff --git a/ci/check/profiles/sort-firecfg.config.sh b/ci/check/profiles/sort-firecfg.config.sh
new file mode 100755
index 000000000..17a595350
--- /dev/null
+++ b/ci/check/profiles/sort-firecfg.config.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+tail -n +4 "$1" | sed 's/^# /#/' | LC_ALL=C sort -c -d
diff --git a/ci/check/profiles/sort.py b/ci/check/profiles/sort.py
new file mode 120000
index 000000000..e1f3f5f16
--- /dev/null
+++ b/ci/check/profiles/sort.py
@@ -0,0 +1 @@
+../../../contrib/sort.py
\ No newline at end of file
diff --git a/etc/apparmor/firejail-base b/etc/apparmor/firejail-base
index 41e4ac2bf..6e286d4af 100644
--- a/etc/apparmor/firejail-base
+++ b/etc/apparmor/firejail-base
@@ -1,26 +1,27 @@
 #########################################
 # Firejail base abstraction drop-in
-#########################################
-
+#
 # Adds basic Firejail support to AppArmor profiles.
 # Please note: Firejail's nonewprivs and seccomp options
 # are not compatible with AppArmor profile transitions.
+# Also there is no support for Firejail chroot options.
+#########################################
 
 # Discovery of process names
-owner /{,run/firejail/mnt/oroot/}proc/@{pid}/comm r,
+owner /proc/@{pid}/comm r,
 
 ##########
 # Following paths only exist inside a Firejail sandbox
 ##########
 
 # Library preloading
-/{,run/firejail/mnt/oroot/}{,var/}run/firejail/lib/*.so mr,
+/{,var/}run/firejail/lib/*.so mr,
 
 # Supporting seccomp
-owner /{,run/firejail/mnt/oroot/}{,var/}run/firejail/mnt/seccomp/seccomp.postexec r,
+owner /{,var/}run/firejail/mnt/seccomp/seccomp.postexec r,
 
 # Supporting trace
-owner /{,run/firejail/mnt/oroot/}{,var/}run/firejail/mnt/trace w,
+owner /{,var/}run/firejail/mnt/trace w,
 
 # Supporting tracelog
-/{,run/firejail/mnt/oroot/}{,var/}run/firejail/mnt/fslogger r,
+/{,var/}run/firejail/mnt/fslogger r,
diff --git a/etc/ids.config b/etc/ids.config
index 09b0ae912..ff55416ca 100644
--- a/etc/ids.config
+++ b/etc/ids.config
@@ -37,6 +37,7 @@ include ids.config.local
 
 ### shells local ###
 # bash
+${HOME}/.bash_aliases
 ${HOME}/.bash_login
 ${HOME}/.bash_logout
 ${HOME}/.bash_profile
@@ -99,10 +100,24 @@ ${HOME}/.xsessionrc
 ### window/desktop manager ###
 ${HOME}/Desktop/*.desktop
 ${HOME}/.config/autostart
+${HOME}/.config/autostart-scripts
 ${HOME}/.config/lxsession/LXDE/autostart
+${HOME}/.config/openbox/autostart
+${HOME}/.config/openbox/environment
+${HOME}/.config/plasma-workspace/env
+${HOME}/.config/plasma-workspace/shutdown
 ${HOME}/.gnomerc
 ${HOME}/.gtkrc
+${HOME}/.kde/Autostart
+${HOME}/.kde/env
+${HOME}/.kde/share/autostart
+${HOME}/.kde/shutdown
+${HOME}/.kde4/Autostart
+${HOME}/.kde4/env
+${HOME}/.kde4/share/autostart
+${HOME}/.kde4/shutdown
 ${HOME}/.kderc
+${HOME}/.local/share/autostart
 
 ### security ###
 /etc/aide
@@ -123,6 +138,7 @@ ${HOME}/.kderc
 /etc/tripwire
 ${HOME}/.config/firejail
 ${HOME}/.gnupg
+${HOME}/.pam_environment
 
 ### network security ###
 /etc/ca-certificates*
diff --git a/etc/inc/allow-ssh.inc b/etc/inc/allow-ssh.inc
index 67c78a483..5d41e6607 100644
--- a/etc/inc/allow-ssh.inc
+++ b/etc/inc/allow-ssh.inc
@@ -5,4 +5,11 @@ include allow-ssh.local
 noblacklist ${HOME}/.ssh
 noblacklist /etc/ssh
 noblacklist /etc/ssh/ssh_config
+noblacklist ${PATH}/ssh
 noblacklist /tmp/ssh-*
+# Arch Linux and derivatives
+noblacklist /usr/lib/ssh
+# Debian/Ubuntu and derivatives
+noblacklist /usr/lib/openssh
+# Fedora and derivatives
+noblacklist /usr/libexec/openssh
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index ae84ee38a..04f4bf2d6 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -458,7 +458,7 @@ blacklist /sbin
 blacklist /usr/local/sbin
 blacklist /usr/sbin
 
-# system management
+# system management and various SUID executables
 blacklist ${PATH}/at
 blacklist ${PATH}/busybox
 blacklist ${PATH}/chage
@@ -493,6 +493,25 @@ blacklist ${PATH}/umount
 blacklist ${PATH}/unix_chkpwd
 blacklist ${PATH}/xev
 blacklist ${PATH}/xinput
+# from 0.9.67
+blacklist /usr/lib/openssh
+blacklist /usr/lib/ssh
+blacklist /usr/libexec/openssh
+blacklist ${PATH}/passwd
+blacklist /usr/lib/xorg/Xorg.wrap
+blacklist /usr/lib/policykit-1/polkit-agent-helper-1
+blacklist /usr/lib/dbus-1.0/dbus-daemon-launch-helper
+blacklist /usr/lib/eject/dmcrypt-get-device
+blacklist /usr/lib/chromium/chrome-sandbox
+blacklist /usr/lib/vmware
+blacklist ${PATH}/suexec
+blacklist /usr/lib/squid/basic_pam_auth
+blacklist ${PATH}/slock
+blacklist ${PATH}/physlock
+blacklist ${PATH}/schroot
+blacklist ${PATH}/wshowkeys
+blacklist ${PATH}/pmount
+blacklist ${PATH}/pumount
 
 # other SUID binaries
 blacklist /usr/lib/virtualbox
@@ -563,8 +582,7 @@ blacklist ${HOME}/sent
 # kernel configuration
 blacklist /proc/config.gz
 
-# prevent DNS malware attempting to communicate with the server
-# using regular DNS tools
+# prevent DNS malware attempting to communicate with the server using regular DNS tools
 blacklist ${PATH}/dig
 blacklist ${PATH}/dlint
 blacklist ${PATH}/dns2tcp
@@ -582,8 +600,14 @@ blacklist ${PATH}/nslookup
 blacklist ${PATH}/resolvectl
 blacklist ${PATH}/unbound-host
 
+# prevent an intruder to guess passwords using regular network tools
+blacklist ${PATH}/ftp
+blacklist ${PATH}/ssh
+blacklist ${PATH}/telnet
+
 # rest of ${RUNUSER}
 blacklist ${RUNUSER}/*.lock
 blacklist ${RUNUSER}/inaccessible
 blacklist ${RUNUSER}/pk-debconf-socket
 blacklist ${RUNUSER}/update-notifier.pid
+
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 6734e220a..254d05e8e 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -51,10 +51,182 @@ blacklist ${HOME}/.blobby
 blacklist ${HOME}/.bogofilter
 blacklist ${HOME}/.bundle
 blacklist ${HOME}/.bzf
+blacklist ${HOME}/.cache/0ad
+blacklist ${HOME}/.cache/8pecxstudios
+blacklist ${HOME}/.cache/Authenticator
+blacklist ${HOME}/.cache/BraveSoftware
+blacklist ${HOME}/.cache/Clementine
+blacklist ${HOME}/.cache/ENCOM/Spectral
+blacklist ${HOME}/.cache/Enox
+blacklist ${HOME}/.cache/Enpass
+blacklist ${HOME}/.cache/Ferdi
+blacklist ${HOME}/.cache/Flavio Tordini
+blacklist ${HOME}/.cache/Franz
+blacklist ${HOME}/.cache/GoldenDict
+blacklist ${HOME}/.cache/INRIA
+blacklist ${HOME}/.cache/INRIA/Natron
+blacklist ${HOME}/.cache/JetBrains/CLion*
+blacklist ${HOME}/.cache/KDE/neochat
+blacklist ${HOME}/.cache/Mendeley Ltd.
+blacklist ${HOME}/.cache/MusicBrainz
+blacklist ${HOME}/.cache/NewsFlashGTK
+blacklist ${HOME}/.cache/Otter
+blacklist ${HOME}/.cache/PawelStolowski
+blacklist ${HOME}/.cache/Psi
+blacklist ${HOME}/.cache/QuiteRss
+blacklist ${HOME}/.cache/Quotient/quaternion
+blacklist ${HOME}/.cache/Shortwave
+blacklist ${HOME}/.cache/Tox
+blacklist ${HOME}/.cache/Zeal
+blacklist ${HOME}/.cache/agenda
+blacklist ${HOME}/.cache/akonadi*
+blacklist ${HOME}/.cache/atril
+blacklist ${HOME}/.cache/attic
+blacklist ${HOME}/.cache/babl
+blacklist ${HOME}/.cache/bnox
+blacklist ${HOME}/.cache/borg
+blacklist ${HOME}/.cache/calibre
+blacklist ${HOME}/.cache/cantata
+blacklist ${HOME}/.cache/champlain
+blacklist ${HOME}/.cache/chromium
+blacklist ${HOME}/.cache/chromium-dev
+blacklist ${HOME}/.cache/cliqz
+blacklist ${HOME}/.cache/com.github.johnfactotum.Foliate
+blacklist ${HOME}/.cache/darktable
+blacklist ${HOME}/.cache/deja-dup
+blacklist ${HOME}/.cache/discover
+blacklist ${HOME}/.cache/dnox
+blacklist ${HOME}/.cache/dolphin
+blacklist ${HOME}/.cache/dolphin-emu
+blacklist ${HOME}/.cache/ephemeral
+blacklist ${HOME}/.cache/epiphany
+blacklist ${HOME}/.cache/evolution
+blacklist ${HOME}/.cache/falkon
+blacklist ${HOME}/.cache/feedreader
+blacklist ${HOME}/.cache/firedragon
+blacklist ${HOME}/.cache/flaska.net/trojita
+blacklist ${HOME}/.cache/folks
+blacklist ${HOME}/.cache/font-manager
+blacklist ${HOME}/.cache/fossamail
+blacklist ${HOME}/.cache/fractal
+blacklist ${HOME}/.cache/freecol
+blacklist ${HOME}/.cache/gajim
+blacklist ${HOME}/.cache/geary
+blacklist ${HOME}/.cache/geeqie
+blacklist ${HOME}/.cache/gegl-0.4
+blacklist ${HOME}/.cache/gfeeds
+blacklist ${HOME}/.cache/gimp
+blacklist ${HOME}/.cache/gnome-boxes
+blacklist ${HOME}/.cache/gnome-builder
+blacklist ${HOME}/.cache/gnome-control-center
+blacklist ${HOME}/.cache/gnome-recipes
+blacklist ${HOME}/.cache/gnome-screenshot
+blacklist ${HOME}/.cache/gnome-software
+blacklist ${HOME}/.cache/gnome-twitch
+blacklist ${HOME}/.cache/godot
+blacklist ${HOME}/.cache/google-chrome
+blacklist ${HOME}/.cache/google-chrome-beta
+blacklist ${HOME}/.cache/google-chrome-unstable
+blacklist ${HOME}/.cache/gradio
+blacklist ${HOME}/.cache/gummi
+blacklist ${HOME}/.cache/icedove
+blacklist ${HOME}/.cache/inkscape
+blacklist ${HOME}/.cache/inox
+blacklist ${HOME}/.cache/io.github.lainsce.Notejot
+blacklist ${HOME}/.cache/iridium
+blacklist ${HOME}/.cache/kcmshell5
+blacklist ${HOME}/.cache/kdenlive
+blacklist ${HOME}/.cache/keepassxc
+blacklist ${HOME}/.cache/kfind
+blacklist ${HOME}/.cache/kinfocenter
+blacklist ${HOME}/.cache/kmail2
+blacklist ${HOME}/.cache/krunner
+blacklist ${HOME}/.cache/krunnerbookmarkrunnerfirefoxdbfile.sqlite*
+blacklist ${HOME}/.cache/kscreenlocker_greet
+blacklist ${HOME}/.cache/ksmserver-logout-greeter
+blacklist ${HOME}/.cache/ksplashqml
+blacklist ${HOME}/.cache/kube
+blacklist ${HOME}/.cache/kwin
+blacklist ${HOME}/.cache/libgweather
+blacklist ${HOME}/.cache/librewolf
+blacklist ${HOME}/.cache/liferea
+blacklist ${HOME}/.cache/lutris
+blacklist ${HOME}/.cache/marker
+blacklist ${HOME}/.cache/matrix-mirage
+blacklist ${HOME}/.cache/microsoft-edge-beta
+blacklist ${HOME}/.cache/microsoft-edge-dev
+blacklist ${HOME}/.cache/midori
+blacklist ${HOME}/.cache/minetest
+blacklist ${HOME}/.cache/mirage
+blacklist ${HOME}/.cache/moonchild productions/basilisk
+blacklist ${HOME}/.cache/moonchild productions/pale moon
+blacklist ${HOME}/.cache/mozilla
+blacklist ${HOME}/.cache/ms-excel-online
+blacklist ${HOME}/.cache/ms-office-online
+blacklist ${HOME}/.cache/ms-onenote-online
+blacklist ${HOME}/.cache/ms-outlook-online
+blacklist ${HOME}/.cache/ms-powerpoint-online
+blacklist ${HOME}/.cache/ms-skype-online
+blacklist ${HOME}/.cache/ms-word-online
+blacklist ${HOME}/.cache/mutt
+blacklist ${HOME}/.cache/mypaint
+blacklist ${HOME}/.cache/netsurf
+blacklist ${HOME}/.cache/nheko
+blacklist ${HOME}/.cache/okular
+blacklist ${HOME}/.cache/opera
+blacklist ${HOME}/.cache/opera-beta
+blacklist ${HOME}/.cache/org.gabmus.gfeeds
+blacklist ${HOME}/.cache/org.gnome.Books
+blacklist ${HOME}/.cache/org.gnome.Maps
+blacklist ${HOME}/.cache/pdfmod
+blacklist ${HOME}/.cache/peek
+blacklist ${HOME}/.cache/pip
+blacklist ${HOME}/.cache/pipe-viewer
+blacklist ${HOME}/.cache/plasmashell
+blacklist ${HOME}/.cache/plasmashellbookmarkrunnerfirefoxdbfile.sqlite*
+blacklist ${HOME}/.cache/psi
+blacklist ${HOME}/.cache/qBittorrent
+blacklist ${HOME}/.cache/quodlibet
+blacklist ${HOME}/.cache/qupzilla
+blacklist ${HOME}/.cache/qutebrowser
+blacklist ${HOME}/.cache/rednotebook
+blacklist ${HOME}/.cache/rhythmbox
+blacklist ${HOME}/.cache/shotwell
+blacklist ${HOME}/.cache/simple-scan
+blacklist ${HOME}/.cache/slimjet
+blacklist ${HOME}/.cache/smuxi
+blacklist ${HOME}/.cache/snox
+blacklist ${HOME}/.cache/spotify
+blacklist ${HOME}/.cache/straw-viewer
+blacklist ${HOME}/.cache/strawberry
+blacklist ${HOME}/.cache/supertuxkart
+blacklist ${HOME}/.cache/systemsettings
+blacklist ${HOME}/.cache/telepathy
+blacklist ${HOME}/.cache/thunderbird
+blacklist ${HOME}/.cache/torbrowser
+blacklist ${HOME}/.cache/transmission
+blacklist ${HOME}/.cache/ungoogled-chromium
+blacklist ${HOME}/.cache/vivaldi
+blacklist ${HOME}/.cache/vivaldi-snapshot
+blacklist ${HOME}/.cache/vlc
+blacklist ${HOME}/.cache/vmware
+blacklist ${HOME}/.cache/warsow-2.1
+blacklist ${HOME}/.cache/waterfox
+blacklist ${HOME}/.cache/wesnoth
+blacklist ${HOME}/.cache/winetricks
+blacklist ${HOME}/.cache/xmms2
+blacklist ${HOME}/.cache/xournalpp
+blacklist ${HOME}/.cache/xreader
+blacklist ${HOME}/.cache/yandex-browser
+blacklist ${HOME}/.cache/yandex-browser-beta
+blacklist ${HOME}/.cache/youtube-dl
+blacklist ${HOME}/.cache/youtube-viewer
+blacklist ${HOME}/.cache/yt-dlp
+blacklist ${HOME}/.cache/zim
 blacklist ${HOME}/.cargo
 blacklist ${HOME}/.claws-mail
-blacklist ${HOME}/.cliqz
 blacklist ${HOME}/.clion*
+blacklist ${HOME}/.cliqz
 blacklist ${HOME}/.clonk
 blacklist ${HOME}/.config/0ad
 blacklist ${HOME}/.config/2048-qt
@@ -93,8 +265,8 @@ blacklist ${HOME}/.config/Google Play Music Desktop Player
 blacklist ${HOME}/.config/Gpredict
 blacklist ${HOME}/.config/INRIA
 blacklist ${HOME}/.config/InSilmaril
-blacklist ${HOME}/.config/Jitsi Meet
 blacklist ${HOME}/.config/JetBrains/CLion*
+blacklist ${HOME}/.config/Jitsi Meet
 blacklist ${HOME}/.config/KDE/neochat
 blacklist ${HOME}/.config/KeePass
 blacklist ${HOME}/.config/KeePassXCrc
@@ -948,6 +1120,7 @@ blacklist ${HOME}/TeamSpeak3-Client-linux_x86
 blacklist ${HOME}/hyperrogue.ini
 blacklist ${HOME}/i2p
 blacklist ${HOME}/mps
+blacklist ${HOME}/openstego.ini
 blacklist ${HOME}/wallet.dat
 blacklist ${HOME}/yt-dlp.conf
 blacklist ${RUNUSER}/*firefox*
@@ -958,177 +1131,3 @@ blacklist /var/games/slashem
 blacklist /var/games/vulturesclaw
 blacklist /var/games/vultureseye
 blacklist /var/lib/games/Maelstrom-Scores
-
-# ${HOME}/.cache directory
-blacklist ${HOME}/.cache/0ad
-blacklist ${HOME}/.cache/8pecxstudios
-blacklist ${HOME}/.cache/Authenticator
-blacklist ${HOME}/.cache/BraveSoftware
-blacklist ${HOME}/.cache/Clementine
-blacklist ${HOME}/.cache/ENCOM/Spectral
-blacklist ${HOME}/.cache/Enox
-blacklist ${HOME}/.cache/Enpass
-blacklist ${HOME}/.cache/Ferdi
-blacklist ${HOME}/.cache/Flavio Tordini
-blacklist ${HOME}/.cache/Franz
-blacklist ${HOME}/.cache/GoldenDict
-blacklist ${HOME}/.cache/INRIA
-blacklist ${HOME}/.cache/INRIA/Natron
-blacklist ${HOME}/.cache/KDE/neochat
-blacklist ${HOME}/.cache/Mendeley Ltd.
-blacklist ${HOME}/.cache/MusicBrainz
-blacklist ${HOME}/.cache/NewsFlashGTK
-blacklist ${HOME}/.cache/Otter
-blacklist ${HOME}/.cache/PawelStolowski
-blacklist ${HOME}/.cache/Psi
-blacklist ${HOME}/.cache/QuiteRss
-blacklist ${HOME}/.cache/Quotient/quaternion
-blacklist ${HOME}/.cache/Shortwave
-blacklist ${HOME}/.cache/Tox
-blacklist ${HOME}/.cache/Zeal
-blacklist ${HOME}/.cache/agenda
-blacklist ${HOME}/.cache/akonadi*
-blacklist ${HOME}/.cache/atril
-blacklist ${HOME}/.cache/attic
-blacklist ${HOME}/.cache/babl
-blacklist ${HOME}/.cache/bnox
-blacklist ${HOME}/.cache/borg
-blacklist ${HOME}/.cache/calibre
-blacklist ${HOME}/.cache/cantata
-blacklist ${HOME}/.cache/champlain
-blacklist ${HOME}/.cache/chromium
-blacklist ${HOME}/.cache/chromium-dev
-blacklist ${HOME}/.cache/cliqz
-blacklist ${HOME}/.cache/com.github.johnfactotum.Foliate
-blacklist ${HOME}/.cache/darktable
-blacklist ${HOME}/.cache/deja-dup
-blacklist ${HOME}/.cache/discover
-blacklist ${HOME}/.cache/dnox
-blacklist ${HOME}/.cache/dolphin
-blacklist ${HOME}/.cache/dolphin-emu
-blacklist ${HOME}/.cache/ephemeral
-blacklist ${HOME}/.cache/epiphany
-blacklist ${HOME}/.cache/evolution
-blacklist ${HOME}/.cache/falkon
-blacklist ${HOME}/.cache/feedreader
-blacklist ${HOME}/.cache/firedragon
-blacklist ${HOME}/.cache/flaska.net/trojita
-blacklist ${HOME}/.cache/folks
-blacklist ${HOME}/.cache/font-manager
-blacklist ${HOME}/.cache/fossamail
-blacklist ${HOME}/.cache/fractal
-blacklist ${HOME}/.cache/freecol
-blacklist ${HOME}/.cache/gajim
-blacklist ${HOME}/.cache/geary
-blacklist ${HOME}/.cache/geeqie
-blacklist ${HOME}/.cache/gegl-0.4
-blacklist ${HOME}/.cache/gfeeds
-blacklist ${HOME}/.cache/gimp
-blacklist ${HOME}/.cache/gnome-boxes
-blacklist ${HOME}/.cache/gnome-builder
-blacklist ${HOME}/.cache/gnome-control-center
-blacklist ${HOME}/.cache/gnome-recipes
-blacklist ${HOME}/.cache/gnome-screenshot
-blacklist ${HOME}/.cache/gnome-software
-blacklist ${HOME}/.cache/gnome-twitch
-blacklist ${HOME}/.cache/godot
-blacklist ${HOME}/.cache/google-chrome
-blacklist ${HOME}/.cache/google-chrome-beta
-blacklist ${HOME}/.cache/google-chrome-unstable
-blacklist ${HOME}/.cache/gradio
-blacklist ${HOME}/.cache/gummi
-blacklist ${HOME}/.cache/icedove
-blacklist ${HOME}/.cache/inkscape
-blacklist ${HOME}/.cache/inox
-blacklist ${HOME}/.cache/io.github.lainsce.Notejot
-blacklist ${HOME}/.cache/iridium
-blacklist ${HOME}/.cache/JetBrains/CLion*
-blacklist ${HOME}/.cache/kcmshell5
-blacklist ${HOME}/.cache/kdenlive
-blacklist ${HOME}/.cache/keepassxc
-blacklist ${HOME}/.cache/kfind
-blacklist ${HOME}/.cache/kinfocenter
-blacklist ${HOME}/.cache/kmail2
-blacklist ${HOME}/.cache/krunner
-blacklist ${HOME}/.cache/krunnerbookmarkrunnerfirefoxdbfile.sqlite*
-blacklist ${HOME}/.cache/kscreenlocker_greet
-blacklist ${HOME}/.cache/ksmserver-logout-greeter
-blacklist ${HOME}/.cache/ksplashqml
-blacklist ${HOME}/.cache/kube
-blacklist ${HOME}/.cache/kwin
-blacklist ${HOME}/.cache/libgweather
-blacklist ${HOME}/.cache/librewolf
-blacklist ${HOME}/.cache/liferea
-blacklist ${HOME}/.cache/lutris
-blacklist ${HOME}/.cache/marker
-blacklist ${HOME}/.cache/matrix-mirage
-blacklist ${HOME}/.cache/microsoft-edge-beta
-blacklist ${HOME}/.cache/microsoft-edge-dev
-blacklist ${HOME}/.cache/midori
-blacklist ${HOME}/.cache/minetest
-blacklist ${HOME}/.cache/mirage
-blacklist ${HOME}/.cache/moonchild productions/basilisk
-blacklist ${HOME}/.cache/moonchild productions/pale moon
-blacklist ${HOME}/.cache/mozilla
-blacklist ${HOME}/.cache/ms-excel-online
-blacklist ${HOME}/.cache/ms-office-online
-blacklist ${HOME}/.cache/ms-onenote-online
-blacklist ${HOME}/.cache/ms-outlook-online
-blacklist ${HOME}/.cache/ms-powerpoint-online
-blacklist ${HOME}/.cache/ms-skype-online
-blacklist ${HOME}/.cache/ms-word-online
-blacklist ${HOME}/.cache/mutt
-blacklist ${HOME}/.cache/mypaint
-blacklist ${HOME}/.cache/netsurf
-blacklist ${HOME}/.cache/nheko
-blacklist ${HOME}/.cache/okular
-blacklist ${HOME}/.cache/opera
-blacklist ${HOME}/.cache/opera-beta
-blacklist ${HOME}/.cache/org.gabmus.gfeeds
-blacklist ${HOME}/.cache/org.gnome.Books
-blacklist ${HOME}/.cache/org.gnome.Maps
-blacklist ${HOME}/.cache/pdfmod
-blacklist ${HOME}/.cache/peek
-blacklist ${HOME}/.cache/pip
-blacklist ${HOME}/.cache/pipe-viewer
-blacklist ${HOME}/.cache/plasmashell
-blacklist ${HOME}/.cache/plasmashellbookmarkrunnerfirefoxdbfile.sqlite*
-blacklist ${HOME}/.cache/psi
-blacklist ${HOME}/.cache/qBittorrent
-blacklist ${HOME}/.cache/quodlibet
-blacklist ${HOME}/.cache/qupzilla
-blacklist ${HOME}/.cache/qutebrowser
-blacklist ${HOME}/.cache/rednotebook
-blacklist ${HOME}/.cache/rhythmbox
-blacklist ${HOME}/.cache/shotwell
-blacklist ${HOME}/.cache/simple-scan
-blacklist ${HOME}/.cache/slimjet
-blacklist ${HOME}/.cache/smuxi
-blacklist ${HOME}/.cache/snox
-blacklist ${HOME}/.cache/spotify
-blacklist ${HOME}/.cache/straw-viewer
-blacklist ${HOME}/.cache/strawberry
-blacklist ${HOME}/.cache/supertuxkart
-blacklist ${HOME}/.cache/systemsettings
-blacklist ${HOME}/.cache/telepathy
-blacklist ${HOME}/.cache/thunderbird
-blacklist ${HOME}/.cache/torbrowser
-blacklist ${HOME}/.cache/transmission
-blacklist ${HOME}/.cache/ungoogled-chromium
-blacklist ${HOME}/.cache/vivaldi
-blacklist ${HOME}/.cache/vivaldi-snapshot
-blacklist ${HOME}/.cache/vlc
-blacklist ${HOME}/.cache/vmware
-blacklist ${HOME}/.cache/warsow-2.1
-blacklist ${HOME}/.cache/waterfox
-blacklist ${HOME}/.cache/wesnoth
-blacklist ${HOME}/.cache/winetricks
-blacklist ${HOME}/.cache/xmms2
-blacklist ${HOME}/.cache/xournalpp
-blacklist ${HOME}/.cache/xreader
-blacklist ${HOME}/.cache/yandex-browser
-blacklist ${HOME}/.cache/yandex-browser-beta
-blacklist ${HOME}/.cache/youtube-dl
-blacklist ${HOME}/.cache/youtube-viewer
-blacklist ${HOME}/.cache/yt-dlp
-blacklist ${HOME}/.cache/zim
diff --git a/etc/profile-a-l/abiword.profile b/etc/profile-a-l/abiword.profile
index 256e2115a..0e7126458 100644
--- a/etc/profile-a-l/abiword.profile
+++ b/etc/profile-a-l/abiword.profile
@@ -42,7 +42,7 @@ tracelog
 private-bin abiword
 private-cache
 private-dev
-private-etc fonts,gtk-3.0,ld.so.preload,passwd
+private-etc alternatives,fonts,gtk-3.0,ld.so.cache,ld.so.preload,passwd
 private-tmp
 
 # dbus-user none
diff --git a/etc/profile-a-l/agetpkg.profile b/etc/profile-a-l/agetpkg.profile
index 8652ae5f1..dd3b2e59b 100644
--- a/etc/profile-a-l/agetpkg.profile
+++ b/etc/profile-a-l/agetpkg.profile
@@ -50,7 +50,7 @@ tracelog
 private-bin agetpkg,python3
 private-cache
 private-dev
-private-etc ca-certificates,crypto-policies,ld.so.preload,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/alacarte.profile b/etc/profile-a-l/alacarte.profile
index 9b74b4d29..5a528595b 100644
--- a/etc/profile-a-l/alacarte.profile
+++ b/etc/profile-a-l/alacarte.profile
@@ -53,7 +53,7 @@ disable-mnt
 # private-bin alacarte,bash,python*,sh
 private-cache
 private-dev
-private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.preload,locale.alias,locale.conf,login.defs,mime.types,nsswitch.conf,passwd,pki,X11,xdg
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,locale.alias,locale.conf,login.defs,mime.types,nsswitch.conf,passwd,pki,X11,xdg
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/anki.profile b/etc/profile-a-l/anki.profile
index b6e931be5..f6d711b2e 100644
--- a/etc/profile-a-l/anki.profile
+++ b/etc/profile-a-l/anki.profile
@@ -50,7 +50,7 @@ disable-mnt
 private-bin anki,python*
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,fonts,gtk-2.0,hostname,hosts,ld.so.preload,machine-id,pki,resolv.conf,ssl,Trolltech.conf
+private-etc alternatives,ca-certificates,fonts,gtk-2.0,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,pki,resolv.conf,ssl,Trolltech.conf
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/aria2c.profile b/etc/profile-a-l/aria2c.profile
index e96def048..8aef75cd1 100644
--- a/etc/profile-a-l/aria2c.profile
+++ b/etc/profile-a-l/aria2c.profile
@@ -45,7 +45,7 @@ private-bin aria2c,gzip
 # Add 'private-cache' to your aria2c.local if you don't use Lutris/winetricks (see issue #2772).
 #private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,groups,ld.so.preload,login.defs,machine-id,nsswitch.conf,passwd,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,groups,ld.so.cache,ld.so.preload,login.defs,machine-id,nsswitch.conf,passwd,pki,resolv.conf,ssl
 private-lib libreadline.so.*
 private-tmp
 
diff --git a/etc/profile-a-l/arm.profile b/etc/profile-a-l/arm.profile
index 98ae01950..6676d42e9 100644
--- a/etc/profile-a-l/arm.profile
+++ b/etc/profile-a-l/arm.profile
@@ -43,6 +43,6 @@ tracelog
 disable-mnt
 private-bin arm,bash,ldconfig,lsof,ps,python*,sh,tor
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,ld.so.preload,passwd,pki,ssl,tor
+private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,passwd,pki,ssl,tor
 private-tmp
 
diff --git a/etc/profile-a-l/artha.profile b/etc/profile-a-l/artha.profile
index adf4e16ee..254f3f571 100644
--- a/etc/profile-a-l/artha.profile
+++ b/etc/profile-a-l/artha.profile
@@ -56,7 +56,7 @@ disable-mnt
 private-bin artha,enchant,notify-send
 private-cache
 private-dev
-private-etc alternatives,fonts,ld.so.preload,machine-id
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id
 private-lib libnotify.so.*
 private-tmp
 
diff --git a/etc/profile-a-l/atool.profile b/etc/profile-a-l/atool.profile
index 272f9906d..6399bc1a3 100644
--- a/etc/profile-a-l/atool.profile
+++ b/etc/profile-a-l/atool.profile
@@ -13,7 +13,7 @@ include allow-perl.inc
 noroot
 
 # without login.defs atool complains and uses UID/GID 1000 by default
-private-etc alternatives,group,ld.so.preload,login.defs,passwd
+private-etc alternatives,group,ld.so.cache,ld.so.preload,login.defs,passwd
 private-tmp
 
 # Redirect
diff --git a/etc/profile-a-l/authenticator-rs.profile b/etc/profile-a-l/authenticator-rs.profile
index 8fefc1eb7..a8af1928b 100644
--- a/etc/profile-a-l/authenticator-rs.profile
+++ b/etc/profile-a-l/authenticator-rs.profile
@@ -47,7 +47,7 @@ disable-mnt
 private-bin authenticator-rs
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.preload,pki,resolv.conf,ssl,xdg
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl,xdg
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-a-l/balsa.profile b/etc/profile-a-l/balsa.profile
index 2080aad62..be3543b08 100644
--- a/etc/profile-a-l/balsa.profile
+++ b/etc/profile-a-l/balsa.profile
@@ -66,7 +66,7 @@ tracelog
 private-bin balsa,balsa-ab,gpg,gpg-agent,gpg2,gpgsm
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,groups,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.preload,mailname,passwd,pki,resolv.conf,selinux,ssl,xdg
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,groups,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,mailname,passwd,pki,resolv.conf,selinux,ssl,xdg
 private-tmp
 writable-run-user
 writable-var
diff --git a/etc/profile-a-l/bibletime.profile b/etc/profile-a-l/bibletime.profile
index 24db11c7e..be29ce8a7 100644
--- a/etc/profile-a-l/bibletime.profile
+++ b/etc/profile-a-l/bibletime.profile
@@ -52,7 +52,7 @@ disable-mnt
 # private-bin bibletime,qt5ct
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.preload,login.defs,machine-id,passwd,pki,resolv.conf,ssl,sword,sword.conf
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,login.defs,machine-id,passwd,pki,resolv.conf,ssl,sword,sword.conf
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/bijiben.profile b/etc/profile-a-l/bijiben.profile
index 61cd792b1..b86232860 100644
--- a/etc/profile-a-l/bijiben.profile
+++ b/etc/profile-a-l/bijiben.profile
@@ -51,7 +51,7 @@ disable-mnt
 private-bin bijiben
 # private-cache -- access to .cache/tracker is required
 private-dev
-private-etc dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-a-l/bitwarden.profile b/etc/profile-a-l/bitwarden.profile
index 91ce57966..f8114c71b 100644
--- a/etc/profile-a-l/bitwarden.profile
+++ b/etc/profile-a-l/bitwarden.profile
@@ -23,7 +23,7 @@ no3d
 nosound
 
 ?HAS_APPIMAGE: ignore private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,hosts,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,hosts,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl
 private-opt Bitwarden
 
 # Redirect
diff --git a/etc/profile-a-l/bless.profile b/etc/profile-a-l/bless.profile
index 8d8787174..3e20ed133 100644
--- a/etc/profile-a-l/bless.profile
+++ b/etc/profile-a-l/bless.profile
@@ -35,7 +35,7 @@ shell none
 # private-bin bash,bless,mono,sh
 private-cache
 private-dev
-private-etc alternatives,fonts,ld.so.preload,mono
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,mono
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/blobby.profile b/etc/profile-a-l/blobby.profile
index 7179bf4a5..d7df3bc49 100644
--- a/etc/profile-a-l/blobby.profile
+++ b/etc/profile-a-l/blobby.profile
@@ -41,7 +41,7 @@ tracelog
 disable-mnt
 private-bin blobby
 private-dev
-private-etc alsa,alternatives,asound.conf,drirc,group,hosts,ld.so.preload,login.defs,machine-id,passwd,pulse
+private-etc alsa,alternatives,asound.conf,drirc,group,hosts,ld.so.cache,ld.so.preload,login.defs,machine-id,passwd,pulse
 private-lib
 private-tmp
 
diff --git a/etc/profile-a-l/blobwars.profile b/etc/profile-a-l/blobwars.profile
index 66f38b358..cc2fda3f2 100644
--- a/etc/profile-a-l/blobwars.profile
+++ b/etc/profile-a-l/blobwars.profile
@@ -43,7 +43,7 @@ disable-mnt
 private-bin blobwars
 private-cache
 private-dev
-private-etc ld.so.preload,machine-id
+private-etc alternatives,ld.so.cache,ld.so.preload,machine-id
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/bsdtar.profile b/etc/profile-a-l/bsdtar.profile
index dbfc90996..fbc7c9056 100644
--- a/etc/profile-a-l/bsdtar.profile
+++ b/etc/profile-a-l/bsdtar.profile
@@ -6,7 +6,7 @@ include bsdtar.local
 # Persistent global definitions
 include globals.local
 
-private-etc alternatives,group,ld.so.preload,localtime,passwd
+private-etc alternatives,group,ld.so.cache,ld.so.preload,localtime,passwd
 
 # Redirect
 include archiver-common.profile
diff --git a/etc/profile-a-l/cameramonitor.profile b/etc/profile-a-l/cameramonitor.profile
index d3c25d451..92c455144 100644
--- a/etc/profile-a-l/cameramonitor.profile
+++ b/etc/profile-a-l/cameramonitor.profile
@@ -46,7 +46,7 @@ tracelog
 disable-mnt
 private-bin cameramonitor,python*
 private-cache
-private-etc alternatives,fonts,ld.so.preload
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 private-tmp
 
 # dbus-user none
diff --git a/etc/profile-a-l/cawbird.profile b/etc/profile-a-l/cawbird.profile
index ceba03269..c7a98250e 100644
--- a/etc/profile-a-l/cawbird.profile
+++ b/etc/profile-a-l/cawbird.profile
@@ -39,7 +39,7 @@ disable-mnt
 private-bin cawbird
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,mime.types,nsswitch.conf,pki,resolv.conf,ssl,X11,xdg
+private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,nsswitch.conf,pki,resolv.conf,ssl,X11,xdg
 private-tmp
 
 # dbus-user none
diff --git a/etc/profile-a-l/cheese.profile b/etc/profile-a-l/cheese.profile
index 7fbc82aba..713d8a5e4 100644
--- a/etc/profile-a-l/cheese.profile
+++ b/etc/profile-a-l/cheese.profile
@@ -52,7 +52,7 @@ disable-mnt
 private-bin cheese
 private-cache
 private-dev
-private-etc alternatives,clutter-1.0,dconf,drirc,fonts,gtk-3.0,ld.so.preload
+private-etc alternatives,clutter-1.0,dconf,drirc,fonts,gtk-3.0,ld.so.cache,ld.so.preload
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-a-l/chromium-common.profile b/etc/profile-a-l/chromium-common.profile
index c42243e02..7bfb61688 100644
--- a/etc/profile-a-l/chromium-common.profile
+++ b/etc/profile-a-l/chromium-common.profile
@@ -11,6 +11,7 @@ include chromium-common.local
 
 noblacklist ${HOME}/.pki
 noblacklist ${HOME}/.local/share/pki
+noblacklist /usr/lib/chromium/chrome-sandbox
 
 # Add the next line to your chromium-common.local if you want Google Chrome/Chromium browser
 # to have access to Gnome extensions (extensions.gnome.org) via browser connector
diff --git a/etc/profile-a-l/clawsker.profile b/etc/profile-a-l/clawsker.profile
index 5eb2cb621..677d2b7eb 100644
--- a/etc/profile-a-l/clawsker.profile
+++ b/etc/profile-a-l/clawsker.profile
@@ -44,7 +44,7 @@ disable-mnt
 private-bin bash,clawsker,perl,sh,which
 private-cache
 private-dev
-private-etc alternatives,fonts,ld.so.preload
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 private-lib girepository-1.*,libdbus-glib-1.so.*,libetpan.so.*,libgirepository-1.*,libgtk-3.so.*,libgtk-x11-2.0.so.*,libstartup-notification-1.so.*,perl*
 private-tmp
 
diff --git a/etc/profile-a-l/cmus.profile b/etc/profile-a-l/cmus.profile
index e51dd6bed..7421debe0 100644
--- a/etc/profile-a-l/cmus.profile
+++ b/etc/profile-a-l/cmus.profile
@@ -27,4 +27,4 @@ seccomp
 shell none
 
 private-bin cmus
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl
diff --git a/etc/profile-a-l/com.github.bleakgrey.tootle.profile b/etc/profile-a-l/com.github.bleakgrey.tootle.profile
index 6f08bc378..27780b669 100644
--- a/etc/profile-a-l/com.github.bleakgrey.tootle.profile
+++ b/etc/profile-a-l/com.github.bleakgrey.tootle.profile
@@ -45,7 +45,7 @@ disable-mnt
 private-bin com.github.bleakgrey.tootle
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,machine-id mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,machine-id mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg
 private-tmp
 
 # Settings are immutable
diff --git a/etc/profile-a-l/com.github.dahenson.agenda.profile b/etc/profile-a-l/com.github.dahenson.agenda.profile
index d33b89e7c..0e29d90de 100644
--- a/etc/profile-a-l/com.github.dahenson.agenda.profile
+++ b/etc/profile-a-l/com.github.dahenson.agenda.profile
@@ -52,7 +52,7 @@ disable-mnt
 private-bin com.github.dahenson.agenda
 private-cache
 private-dev
-private-etc dconf,fonts,gtk-3.0,ld.so.preload
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-a-l/com.github.johnfactotum.Foliate.profile b/etc/profile-a-l/com.github.johnfactotum.Foliate.profile
index c75a09a51..24222164b 100644
--- a/etc/profile-a-l/com.github.johnfactotum.Foliate.profile
+++ b/etc/profile-a-l/com.github.johnfactotum.Foliate.profile
@@ -55,7 +55,7 @@ disable-mnt
 private-bin com.github.johnfactotum.Foliate,gjs
 private-cache
 private-dev
-private-etc dconf,fonts,gconf,gtk-3.0,ld.so.preload
+private-etc alternatives,dconf,fonts,gconf,gtk-3.0,ld.so.cache,ld.so.preload
 private-tmp
 
 read-only ${HOME}
diff --git a/etc/profile-a-l/coyim.profile b/etc/profile-a-l/coyim.profile
index 1d623fa09..099253b21 100644
--- a/etc/profile-a-l/coyim.profile
+++ b/etc/profile-a-l/coyim.profile
@@ -40,7 +40,7 @@ tracelog
 disable-mnt
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.preload,machine-id,pki,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,machine-id,pki,ssl
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/crow.profile b/etc/profile-a-l/crow.profile
index deb2c0ef8..ed1213687 100644
--- a/etc/profile-a-l/crow.profile
+++ b/etc/profile-a-l/crow.profile
@@ -39,7 +39,7 @@ shell none
 disable-mnt
 private-bin crow
 private-dev
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,ld.so.preload,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,ld.so.cache,ld.so.preload,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl
 private-opt none
 private-tmp
 private-srv none
diff --git a/etc/profile-a-l/d-feet.profile b/etc/profile-a-l/d-feet.profile
index 0e754c448..c75bc756f 100644
--- a/etc/profile-a-l/d-feet.profile
+++ b/etc/profile-a-l/d-feet.profile
@@ -50,7 +50,7 @@ disable-mnt
 private-bin d-feet,python*
 private-cache
 private-dev
-private-etc alternatives,dbus-1,fonts,ld.so.preload,machine-id
+private-etc alternatives,dbus-1,fonts,ld.so.cache,ld.so.preload,machine-id
 private-tmp
 
 #memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/profile-a-l/dbus-send.profile b/etc/profile-a-l/dbus-send.profile
index c2532ed3b..e1b96f186 100644
--- a/etc/profile-a-l/dbus-send.profile
+++ b/etc/profile-a-l/dbus-send.profile
@@ -51,7 +51,7 @@ private
 private-bin dbus-send
 private-cache
 private-dev
-private-etc alternatives,dbus-1,ld.so.preload
+private-etc alternatives,dbus-1,ld.so.cache,ld.so.preload
 private-lib libpcre*
 private-tmp
 
diff --git a/etc/profile-a-l/dconf-editor.profile b/etc/profile-a-l/dconf-editor.profile
index 2b43c5ea3..8c3c22dcf 100644
--- a/etc/profile-a-l/dconf-editor.profile
+++ b/etc/profile-a-l/dconf-editor.profile
@@ -43,7 +43,7 @@ disable-mnt
 private-bin dconf-editor
 private-cache
 private-dev
-private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.preload,machine-id
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,machine-id
 private-lib
 private-tmp
 
diff --git a/etc/profile-a-l/dconf.profile b/etc/profile-a-l/dconf.profile
index 1cbeee763..b170842c3 100644
--- a/etc/profile-a-l/dconf.profile
+++ b/etc/profile-a-l/dconf.profile
@@ -46,7 +46,7 @@ disable-mnt
 private-bin dconf,gsettings
 private-cache
 private-dev
-private-etc alternatives,dconf,ld.so.preload
+private-etc alternatives,dconf,ld.so.cache,ld.so.preload
 private-lib
 private-tmp
 
diff --git a/etc/profile-a-l/ddgtk.profile b/etc/profile-a-l/ddgtk.profile
index 0669a5a6c..e9b8f5c47 100644
--- a/etc/profile-a-l/ddgtk.profile
+++ b/etc/profile-a-l/ddgtk.profile
@@ -45,7 +45,7 @@ tracelog
 disable-mnt
 private-bin bash,dd,ddgtk,grep,lsblk,python*,sed,sh,tr
 private-cache
-private-etc alternatives,fonts,ld.so.preload
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/devilspie.profile b/etc/profile-a-l/devilspie.profile
index 19b6cffaf..a0f24c388 100644
--- a/etc/profile-a-l/devilspie.profile
+++ b/etc/profile-a-l/devilspie.profile
@@ -48,7 +48,7 @@ disable-mnt
 private-bin devilspie
 private-cache
 private-dev
-private-etc alternatives,ld.so.preload
+private-etc alternatives,ld.so.cache,ld.so.preload
 private-lib gconv
 private-tmp
 
diff --git a/etc/profile-a-l/display.profile b/etc/profile-a-l/display.profile
index 6eff39d40..8a8d816a3 100644
--- a/etc/profile-a-l/display.profile
+++ b/etc/profile-a-l/display.profile
@@ -40,7 +40,7 @@ shell none
 private-bin display,python*
 private-dev
 # On Debian-based systems, display is a symlink in /etc/alternatives
-private-etc alternatives,ld.so.preload
+private-etc alternatives,ld.so.cache,ld.so.preload
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/drawio.profile b/etc/profile-a-l/drawio.profile
index 253f5643e..df7be55de 100644
--- a/etc/profile-a-l/drawio.profile
+++ b/etc/profile-a-l/drawio.profile
@@ -45,7 +45,7 @@ shell none
 private-bin drawio
 private-cache
 private-dev
-private-etc alternatives,fonts,ld.so.preload
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/easystroke.profile b/etc/profile-a-l/easystroke.profile
index 0345f2b24..20cffae73 100644
--- a/etc/profile-a-l/easystroke.profile
+++ b/etc/profile-a-l/easystroke.profile
@@ -45,7 +45,7 @@ disable-mnt
 #private-bin bash,easystroke,sh
 private-cache
 private-dev
-private-etc alternatives,fonts,group,ld.so.preload,passwd
+private-etc alternatives,fonts,group,ld.so.cache,ld.so.preload,passwd
 # breaks custom shell command functionality
 #private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*
 private-tmp
diff --git a/etc/profile-a-l/electron-mail.profile b/etc/profile-a-l/electron-mail.profile
index e472f57b6..09d14045a 100644
--- a/etc/profile-a-l/electron-mail.profile
+++ b/etc/profile-a-l/electron-mail.profile
@@ -45,7 +45,7 @@ shell none
 private-bin electron-mail
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,ld.so.preload,nsswitch.conf,pki,resolv.conf,selinux,ssl,xdg
+private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,selinux,ssl,xdg
 private-opt ElectronMail
 private-tmp
 
diff --git a/etc/profile-a-l/electrum.profile b/etc/profile-a-l/electrum.profile
index 8cfc9f797..dfbe5cee4 100644
--- a/etc/profile-a-l/electrum.profile
+++ b/etc/profile-a-l/electrum.profile
@@ -47,7 +47,7 @@ private-bin electrum,python*
 private-cache
 ?HAS_APPIMAGE: ignore private-dev
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,ld.so.preload,machine-id,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,ld.so.cache,ld.so.preload,machine-id,pki,resolv.conf,ssl
 private-tmp
 
 # dbus-user none
diff --git a/etc/profile-a-l/email-common.profile b/etc/profile-a-l/email-common.profile
index 8673b65ca..ac73f002f 100644
--- a/etc/profile-a-l/email-common.profile
+++ b/etc/profile-a-l/email-common.profile
@@ -66,7 +66,7 @@ tracelog
 # disable-mnt
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gnupg,groups,gtk-2.0,gtk-3.0,hostname,hosts,hosts.conf,ld.so.preload,mailname,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssl,xdg
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gnupg,groups,gtk-2.0,gtk-3.0,hostname,hosts,hosts.conf,ld.so.cache,ld.so.preload,mailname,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssl,xdg
 private-tmp
 # encrypting and signing email
 writable-run-user
diff --git a/etc/profile-a-l/enchant.profile b/etc/profile-a-l/enchant.profile
index 0a2e23996..eff0f64ea 100644
--- a/etc/profile-a-l/enchant.profile
+++ b/etc/profile-a-l/enchant.profile
@@ -48,7 +48,7 @@ x11 none
 private-bin enchant,enchant-*
 private-cache
 private-dev
-private-etc alternatives,ld.so.preload
+private-etc alternatives,ld.so.cache,ld.so.preload
 private-lib
 private-tmp
 
diff --git a/etc/profile-a-l/eo-common.profile b/etc/profile-a-l/eo-common.profile
index ddc0ce0b9..31f39e210 100644
--- a/etc/profile-a-l/eo-common.profile
+++ b/etc/profile-a-l/eo-common.profile
@@ -47,6 +47,6 @@ tracelog
 
 private-cache
 private-dev
-private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.preload
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload
 private-lib eog,eom,gdk-pixbuf-2.*,gio,girepository-1.*,gvfs,libgconf-2.so.*
 private-tmp
diff --git a/etc/profile-a-l/equalx.profile b/etc/profile-a-l/equalx.profile
index fe7b912bd..0c3b790d5 100644
--- a/etc/profile-a-l/equalx.profile
+++ b/etc/profile-a-l/equalx.profile
@@ -54,7 +54,7 @@ disable-mnt
 private-bin equalx,gs,pdflatex,pdftocairo
 private-cache
 private-dev
-private-etc equalx,equalx.conf,fonts,gtk-2.0,latexmk.conf,ld.so.preload,machine-id,papersize,passwd,texlive,Trolltech.conf
+private-etc alternatives,equalx,equalx.conf,fonts,gtk-2.0,latexmk.conf,ld.so.cache,ld.so.preload,machine-id,papersize,passwd,texlive,Trolltech.conf
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/exiftool.profile b/etc/profile-a-l/exiftool.profile
index 12c22ba5b..ae550e842 100644
--- a/etc/profile-a-l/exiftool.profile
+++ b/etc/profile-a-l/exiftool.profile
@@ -48,7 +48,7 @@ x11 none
 #private-bin exiftool,perl
 private-cache
 private-dev
-private-etc alternatives,ld.so.preload
+private-etc alternatives,ld.so.cache,ld.so.preload
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/falkon.profile b/etc/profile-a-l/falkon.profile
index 03d6b30a1..321cb0145 100644
--- a/etc/profile-a-l/falkon.profile
+++ b/etc/profile-a-l/falkon.profile
@@ -47,7 +47,7 @@ disable-mnt
 # private-bin falkon
 private-cache
 private-dev
-private-etc adobe,alternatives,asound.conf,ati,ca-certificates,crypto-policies,dconf,drirc,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.preload,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg
+private-etc adobe,alternatives,asound.conf,ati,ca-certificates,crypto-policies,dconf,drirc,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg
 private-tmp
 
 # dbus-user filter
diff --git a/etc/profile-a-l/fdns.profile b/etc/profile-a-l/fdns.profile
index 25e1082ad..ee775566e 100644
--- a/etc/profile-a-l/fdns.profile
+++ b/etc/profile-a-l/fdns.profile
@@ -42,7 +42,7 @@ private
 private-bin bash,fdns,sh
 private-cache
 #private-dev
-private-etc ca-certificates,crypto-policies,fdns,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pki,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fdns,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pki,ssl
 # private-lib
 private-tmp
 
diff --git a/etc/profile-a-l/feh-network.inc.profile b/etc/profile-a-l/feh-network.inc.profile
index f9b3d58c9..7293e89a8 100644
--- a/etc/profile-a-l/feh-network.inc.profile
+++ b/etc/profile-a-l/feh-network.inc.profile
@@ -5,4 +5,4 @@ include feh-network.inc.local
 ignore net none
 netfilter
 protocol unix,inet,inet6
-private-etc ca-certificates,crypto-policies,hosts,ld.so.preload,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,hosts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl
diff --git a/etc/profile-a-l/feh.profile b/etc/profile-a-l/feh.profile
index f2770f294..4b8d41170 100644
--- a/etc/profile-a-l/feh.profile
+++ b/etc/profile-a-l/feh.profile
@@ -36,7 +36,7 @@ shell none
 private-bin feh,jpegexiforient,jpegtran
 private-cache
 private-dev
-private-etc alternatives,feh,ld.so.preload
+private-etc alternatives,feh,ld.so.cache,ld.so.preload
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/ffplay.profile b/etc/profile-a-l/ffplay.profile
index 2284ccbe4..52abb99d4 100644
--- a/etc/profile-a-l/ffplay.profile
+++ b/etc/profile-a-l/ffplay.profile
@@ -14,7 +14,7 @@ ignore nogroups
 ignore nosound
 
 private-bin ffplay
-private-etc alsa,asound.conf,group,ld.so.preload
+private-etc alsa,alternatives,asound.conf,group,ld.so.cache,ld.so.preload
 
 # Redirect
 include ffmpeg.profile
diff --git a/etc/profile-a-l/file-roller.profile b/etc/profile-a-l/file-roller.profile
index 54fa7dfa7..06a8f6170 100644
--- a/etc/profile-a-l/file-roller.profile
+++ b/etc/profile-a-l/file-roller.profile
@@ -43,7 +43,7 @@ tracelog
 private-bin 7z,7za,7zr,ar,arj,atool,bash,brotli,bsdtar,bzip2,compress,cp,cpio,dpkg-deb,file-roller,gtar,gzip,isoinfo,lha,lrzip,lsar,lz4,lzip,lzma,lzop,mv,p7zip,rar,rm,rzip,sh,tar,unace,unalz,unar,uncompress,unrar,unsquashfs,unstuff,unzip,unzstd,xz,xzdec,zip,zoo,zstd
 private-cache
 private-dev
-private-etc dconf,fonts,gtk-3.0,ld.so.preload,xdg
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,xdg
 # private-tmp
 
 dbus-system none
diff --git a/etc/profile-a-l/flameshot.profile b/etc/profile-a-l/flameshot.profile
index 862ef6ab6..f80297022 100644
--- a/etc/profile-a-l/flameshot.profile
+++ b/etc/profile-a-l/flameshot.profile
@@ -52,7 +52,7 @@ tracelog
 disable-mnt
 private-bin flameshot
 private-cache
-private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.conf,ld.so.preload,machine-id,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.preload,machine-id,pki,resolv.conf,ssl
 private-dev
 #private-tmp
 
diff --git a/etc/profile-a-l/freetube.profile b/etc/profile-a-l/freetube.profile
index aeed313c8..cb00ce11b 100644
--- a/etc/profile-a-l/freetube.profile
+++ b/etc/profile-a-l/freetube.profile
@@ -16,7 +16,7 @@ mkdir ${HOME}/.config/FreeTube
 whitelist ${HOME}/.config/FreeTube
 
 private-bin electron,electron[0-9],electron[0-9][0-9],freetube,sh
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg
 
 # Redirect
 include electron.profile
diff --git a/etc/profile-a-l/frogatto.profile b/etc/profile-a-l/frogatto.profile
index efd5246d6..8419998de 100644
--- a/etc/profile-a-l/frogatto.profile
+++ b/etc/profile-a-l/frogatto.profile
@@ -45,7 +45,7 @@ disable-mnt
 private-bin frogatto,sh
 private-cache
 private-dev
-private-etc ld.so.preload,machine-id
+private-etc alternatives,ld.so.cache,ld.so.preload,machine-id
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/ftp.profile b/etc/profile-a-l/ftp.profile
new file mode 100644
index 000000000..29470360c
--- /dev/null
+++ b/etc/profile-a-l/ftp.profile
@@ -0,0 +1,54 @@
+# Firejail profile for ftp
+# Description: standard File Access Protocol utility
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include ftp.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${PATH}/ftp
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+#include disable-shell.inc
+include disable-write-mnt.inc
+include disable-X11.inc
+include disable-xdg.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol inet,inet6
+seccomp
+shell none
+tracelog
+
+#disable-mnt
+#private-bin PROGRAMS
+private-cache
+private-dev
+#private-etc FILES
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+noexec ${HOME}
diff --git a/etc/profile-a-l/galculator.profile b/etc/profile-a-l/galculator.profile
index c6280c488..4efe41f8d 100644
--- a/etc/profile-a-l/galculator.profile
+++ b/etc/profile-a-l/galculator.profile
@@ -43,7 +43,7 @@ tracelog
 private-bin galculator
 private-cache
 private-dev
-private-etc alternatives,fonts,ld.so.preload
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 private-lib
 private-tmp
 
diff --git a/etc/profile-a-l/gallery-dl.profile b/etc/profile-a-l/gallery-dl.profile
index a31dde21c..2947873ef 100644
--- a/etc/profile-a-l/gallery-dl.profile
+++ b/etc/profile-a-l/gallery-dl.profile
@@ -12,7 +12,7 @@ noblacklist ${HOME}/.config/gallery-dl
 noblacklist ${HOME}/.gallery-dl.conf
 
 private-bin gallery-dl
-private-etc gallery-dl.conf,ld.so.preload
+private-etc alternatives,gallery-dl.conf,ld.so.cache,ld.so.preload
 
 # Redirect
 include youtube-dl.profile
diff --git a/etc/profile-a-l/gapplication.profile b/etc/profile-a-l/gapplication.profile
index 62f3659ea..ec5b733c8 100644
--- a/etc/profile-a-l/gapplication.profile
+++ b/etc/profile-a-l/gapplication.profile
@@ -49,7 +49,7 @@ private
 private-bin gapplication
 private-cache
 private-dev
-private-etc ld.so.preload
+private-etc alternatives,ld.so.cache,ld.so.preload
 private-tmp
 
 # Add the next line to your gapplication.local to filter D-Bus names.
diff --git a/etc/profile-a-l/gconf.profile b/etc/profile-a-l/gconf.profile
index 6532d85f0..a45374d4e 100644
--- a/etc/profile-a-l/gconf.profile
+++ b/etc/profile-a-l/gconf.profile
@@ -54,7 +54,7 @@ disable-mnt
 private-bin gconf-editor,gconf-merge-*,gconfpkg,gconftool-2,gsettings-*-convert,python2*
 private-cache
 private-dev
-private-etc alternatives,fonts,gconf,ld.so.preload
+private-etc alternatives,fonts,gconf,ld.so.cache,ld.so.preload
 private-lib GConf,libpython*,python2*
 private-tmp
 
diff --git a/etc/profile-a-l/geary.profile b/etc/profile-a-l/geary.profile
index b78f7e647..cececd9e9 100644
--- a/etc/profile-a-l/geary.profile
+++ b/etc/profile-a-l/geary.profile
@@ -70,7 +70,7 @@ tracelog
 private-bin geary
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.preload,pki,resolv.conf,ssl,xdg
+private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl,xdg
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-a-l/geekbench.profile b/etc/profile-a-l/geekbench.profile
index 4812e1368..243b893b9 100644
--- a/etc/profile-a-l/geekbench.profile
+++ b/etc/profile-a-l/geekbench.profile
@@ -48,7 +48,7 @@ disable-mnt
 #private-bin bash,geekbench*,sh -- #4576
 private-cache
 private-dev
-private-etc alternatives,group,ld.so.preload,lsb-release,passwd
+private-etc alternatives,group,ld.so.cache,ld.so.preload,lsb-release,passwd
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/gget.profile b/etc/profile-a-l/gget.profile
index d8ca4ae41..bc1199914 100644
--- a/etc/profile-a-l/gget.profile
+++ b/etc/profile-a-l/gget.profile
@@ -49,7 +49,7 @@ disable-mnt
 private-bin gget
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,ld.so.preload,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl
 private-lib
 private-tmp
 
diff --git a/etc/profile-a-l/gist.profile b/etc/profile-a-l/gist.profile
index 010cdae06..506ab7127 100644
--- a/etc/profile-a-l/gist.profile
+++ b/etc/profile-a-l/gist.profile
@@ -52,7 +52,7 @@ tracelog
 disable-mnt
 private-cache
 private-dev
-private-etc alternatives,ld.so.preload
+private-etc alternatives,ld.so.cache,ld.so.preload
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/git-cola.profile b/etc/profile-a-l/git-cola.profile
index c13273321..6439c8821 100644
--- a/etc/profile-a-l/git-cola.profile
+++ b/etc/profile-a-l/git-cola.profile
@@ -70,7 +70,7 @@ tracelog
 private-bin basename,bash,cola,envsubst,gettext,git,git-cola,git-dag,git-gui,gitk,gpg,gpg-agent,nano,ps,python*,sh,ssh,ssh-agent,tclsh,tr,wc,which,xed
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gitconfig,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,localtime,login.defs,machine-id,mime.types,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssh,ssl,X11,xdg
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gitconfig,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,login.defs,machine-id,mime.types,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssh,ssl,X11,xdg
 private-tmp
 writable-run-user
 
diff --git a/etc/profile-a-l/gitter.profile b/etc/profile-a-l/gitter.profile
index 36b016e02..16358d064 100644
--- a/etc/profile-a-l/gitter.profile
+++ b/etc/profile-a-l/gitter.profile
@@ -37,7 +37,7 @@ shell none
 
 disable-mnt
 private-bin bash,env,gitter
-private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.preload,pki,pulse,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,pki,pulse,resolv.conf,ssl
 private-opt Gitter
 private-dev
 private-tmp
diff --git a/etc/profile-a-l/gmpc.profile b/etc/profile-a-l/gmpc.profile
index 0a1264888..e53297c06 100644
--- a/etc/profile-a-l/gmpc.profile
+++ b/etc/profile-a-l/gmpc.profile
@@ -44,7 +44,7 @@ tracelog
 disable-mnt
 #private-bin gmpc
 private-cache
-private-etc alternatives,fonts,ld.so.preload
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 private-tmp
 writable-run-user
 
diff --git a/etc/profile-a-l/gnome-calendar.profile b/etc/profile-a-l/gnome-calendar.profile
index 2c1dee50c..f9df83e2a 100644
--- a/etc/profile-a-l/gnome-calendar.profile
+++ b/etc/profile-a-l/gnome-calendar.profile
@@ -45,7 +45,7 @@ private
 private-bin gnome-calendar
 private-cache
 private-dev
-private-etc ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,ld.so.preload,localtime,nsswitch.conf,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,pki,resolv.conf,ssl
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-a-l/gnome-chess.profile b/etc/profile-a-l/gnome-chess.profile
index 6261fcc27..dc9092a93 100644
--- a/etc/profile-a-l/gnome-chess.profile
+++ b/etc/profile-a-l/gnome-chess.profile
@@ -50,5 +50,5 @@ disable-mnt
 private-bin fairymax,gnome-chess,gnuchess,hoichess
 private-cache
 private-dev
-private-etc alternatives,dconf,fonts,gnome-chess,gtk-3.0,ld.so.preload
+private-etc alternatives,dconf,fonts,gnome-chess,gtk-3.0,ld.so.cache,ld.so.preload
 private-tmp
diff --git a/etc/profile-a-l/gnome-clocks.profile b/etc/profile-a-l/gnome-clocks.profile
index 7d33ac94e..90665add6 100644
--- a/etc/profile-a-l/gnome-clocks.profile
+++ b/etc/profile-a-l/gnome-clocks.profile
@@ -42,6 +42,6 @@ disable-mnt
 private-bin gnome-clocks,gsound-play
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,hosts,ld.so.preload,localtime,machine-id,pkcs11,pki,ssl
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,pkcs11,pki,ssl
 private-tmp
 
diff --git a/etc/profile-a-l/gnome-hexgl.profile b/etc/profile-a-l/gnome-hexgl.profile
index 28c7e3346..ab6279608 100644
--- a/etc/profile-a-l/gnome-hexgl.profile
+++ b/etc/profile-a-l/gnome-hexgl.profile
@@ -42,7 +42,7 @@ private
 private-bin gnome-hexgl
 private-cache
 private-dev
-private-etc alsa,asound.conf,ld.so.preload,machine-id,pulse
+private-etc alsa,alternatives,asound.conf,ld.so.cache,ld.so.preload,machine-id,pulse
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/gnome-latex.profile b/etc/profile-a-l/gnome-latex.profile
index 1d2366365..39a6718a6 100644
--- a/etc/profile-a-l/gnome-latex.profile
+++ b/etc/profile-a-l/gnome-latex.profile
@@ -48,6 +48,6 @@ tracelog
 private-cache
 private-dev
 # passwd,login.defs,firejail are a temporary workaround for #2877 and can be removed once it is fixed
-private-etc alternatives,dconf,fonts,gtk-3.0,latexmk.conf,ld.so.preload,login.defs,passwd,texlive
+private-etc alternatives,dconf,fonts,gtk-3.0,latexmk.conf,ld.so.cache,ld.so.preload,login.defs,passwd,texlive
 
 dbus-system none
diff --git a/etc/profile-a-l/gnome-logs.profile b/etc/profile-a-l/gnome-logs.profile
index 3d8218e99..7ee4d8b75 100644
--- a/etc/profile-a-l/gnome-logs.profile
+++ b/etc/profile-a-l/gnome-logs.profile
@@ -40,7 +40,7 @@ disable-mnt
 private-bin gnome-logs
 private-cache
 private-dev
-private-etc alternatives,fonts,ld.so.preload,localtime,machine-id
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,localtime,machine-id
 private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*
 private-tmp
 writable-var-log
diff --git a/etc/profile-a-l/gnome-music.profile b/etc/profile-a-l/gnome-music.profile
index fe8268530..7b79fa15d 100644
--- a/etc/profile-a-l/gnome-music.profile
+++ b/etc/profile-a-l/gnome-music.profile
@@ -42,6 +42,6 @@ tracelog
 # private-bin calls a file manager - whatever is installed!
 #private-bin env,gio-launch-desktop,gnome-music,python*,yelp
 private-dev
-private-etc alternatives,asound.conf,dconf,fonts,fonts,gtk-3.0,ld.so.preload,machine-id,pulse,selinux,xdg
+private-etc alternatives,asound.conf,dconf,fonts,fonts,gtk-3.0,ld.so.cache,ld.so.preload,machine-id,pulse,selinux,xdg
 private-tmp
 
diff --git a/etc/profile-a-l/gnome-passwordsafe.profile b/etc/profile-a-l/gnome-passwordsafe.profile
index bdc09b5ac..a96ec6f05 100644
--- a/etc/profile-a-l/gnome-passwordsafe.profile
+++ b/etc/profile-a-l/gnome-passwordsafe.profile
@@ -53,7 +53,7 @@ disable-mnt
 private-bin gnome-passwordsafe,python3*
 private-cache
 private-dev
-private-etc dconf,fonts,gtk-3.0,ld.so.preload,passwd
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,passwd
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-a-l/gnome-pie.profile b/etc/profile-a-l/gnome-pie.profile
index fb108ee97..6d30213cb 100644
--- a/etc/profile-a-l/gnome-pie.profile
+++ b/etc/profile-a-l/gnome-pie.profile
@@ -34,7 +34,7 @@ shell none
 disable-mnt
 private-cache
 private-dev
-private-etc alternatives,fonts,ld.so.preload,machine-id
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id
 private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*
 private-tmp
 
diff --git a/etc/profile-a-l/gnome-pomodoro.profile b/etc/profile-a-l/gnome-pomodoro.profile
index 256a0c69f..99d569a04 100644
--- a/etc/profile-a-l/gnome-pomodoro.profile
+++ b/etc/profile-a-l/gnome-pomodoro.profile
@@ -44,7 +44,7 @@ disable-mnt
 private-bin gnome-pomodoro
 private-cache
 private-dev
-private-etc dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-a-l/gnome-recipes.profile b/etc/profile-a-l/gnome-recipes.profile
index 9a5f878fc..b2ce4a92a 100644
--- a/etc/profile-a-l/gnome-recipes.profile
+++ b/etc/profile-a-l/gnome-recipes.profile
@@ -47,7 +47,7 @@ shell none
 disable-mnt
 private-bin gnome-recipes,tar
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.preload,pki,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,pki,ssl
 private-lib gdk-pixbuf-2.0,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,libgnutls.so.*,libjpeg.so.*,libp11-kit.so.*,libproxy.so.*,librsvg-2.so.*
 private-tmp
 
diff --git a/etc/profile-a-l/gnome-screenshot.profile b/etc/profile-a-l/gnome-screenshot.profile
index a4e4ae38a..36c6693a9 100644
--- a/etc/profile-a-l/gnome-screenshot.profile
+++ b/etc/profile-a-l/gnome-screenshot.profile
@@ -42,7 +42,7 @@ tracelog
 disable-mnt
 private-bin gnome-screenshot
 private-dev
-private-etc dconf,fonts,gtk-3.0,ld.so.preload,localtime,machine-id
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,localtime,machine-id
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-a-l/gnome-sound-recorder.profile b/etc/profile-a-l/gnome-sound-recorder.profile
index 859d56bd9..28a0205b9 100644
--- a/etc/profile-a-l/gnome-sound-recorder.profile
+++ b/etc/profile-a-l/gnome-sound-recorder.profile
@@ -40,5 +40,5 @@ tracelog
 disable-mnt
 private-cache
 private-dev
-private-etc alsa,asound.conf,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.preload,machine-id,openal,pango,pulse,xdg
+private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,machine-id,openal,pango,pulse,xdg
 private-tmp
diff --git a/etc/profile-a-l/gnome-system-log.profile b/etc/profile-a-l/gnome-system-log.profile
index addd76f7f..02b023855 100644
--- a/etc/profile-a-l/gnome-system-log.profile
+++ b/etc/profile-a-l/gnome-system-log.profile
@@ -43,7 +43,7 @@ disable-mnt
 private-bin gnome-system-log
 private-cache
 private-dev
-private-etc alternatives,fonts,ld.so.preload,localtime,machine-id
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,localtime,machine-id
 private-lib
 private-tmp
 writable-var-log
diff --git a/etc/profile-a-l/gnome-todo.profile b/etc/profile-a-l/gnome-todo.profile
index e7615e4f2..c6cd12250 100644
--- a/etc/profile-a-l/gnome-todo.profile
+++ b/etc/profile-a-l/gnome-todo.profile
@@ -46,7 +46,7 @@ disable-mnt
 private-bin gnome-todo
 private-cache
 private-dev
-private-etc dconf,fonts,gtk-3.0,ld.so.preload,localtime,passwd,xdg
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,localtime,passwd,xdg
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-a-l/gnome_games-common.profile b/etc/profile-a-l/gnome_games-common.profile
index a76fbbb2c..9b4f68808 100644
--- a/etc/profile-a-l/gnome_games-common.profile
+++ b/etc/profile-a-l/gnome_games-common.profile
@@ -41,7 +41,7 @@ tracelog
 disable-mnt
 private-cache
 private-dev
-private-etc dconf,fonts,gconf,gtk-2.0,gtk-3.0,ld.so.preload,machine-id,pango,passwd,X11
+private-etc alternatives,dconf,fonts,gconf,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,machine-id,pango,passwd,X11
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-a-l/gnote.profile b/etc/profile-a-l/gnote.profile
index deda06f8e..928f2c548 100644
--- a/etc/profile-a-l/gnote.profile
+++ b/etc/profile-a-l/gnote.profile
@@ -51,7 +51,7 @@ disable-mnt
 private-bin gnote
 private-cache
 private-dev
-private-etc dconf,fonts,gtk-3.0,ld.so.preload,pango,X11
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,pango,X11
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-a-l/gnubik.profile b/etc/profile-a-l/gnubik.profile
index e2e154216..c895b4ce9 100644
--- a/etc/profile-a-l/gnubik.profile
+++ b/etc/profile-a-l/gnubik.profile
@@ -43,7 +43,7 @@ private
 private-bin gnubik
 private-cache
 private-dev
-private-etc drirc,fonts,gtk-2.0,ld.so.preload
+private-etc alternatives,drirc,fonts,gtk-2.0,ld.so.cache,ld.so.preload
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/godot.profile b/etc/profile-a-l/godot.profile
index f33f63497..46b362db9 100644
--- a/etc/profile-a-l/godot.profile
+++ b/etc/profile-a-l/godot.profile
@@ -38,7 +38,7 @@ tracelog
 # private-bin godot
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,ld.so.preload,machine-id,mono,nsswitch.conf,openal,pki,pulse,resolv.conf,ssl
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,ld.so.cache,ld.so.preload,machine-id,mono,nsswitch.conf,openal,pki,pulse,resolv.conf,ssl
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/goldendict.profile b/etc/profile-a-l/goldendict.profile
index 59a572319..5251ed427 100644
--- a/etc/profile-a-l/goldendict.profile
+++ b/etc/profile-a-l/goldendict.profile
@@ -50,7 +50,7 @@ disable-mnt
 private-bin goldendict
 private-cache
 private-dev
-private-etc ca-certificates,crypto-policies,fonts,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/googler-common.profile b/etc/profile-a-l/googler-common.profile
index a37c7ad77..a35813a09 100644
--- a/etc/profile-a-l/googler-common.profile
+++ b/etc/profile-a-l/googler-common.profile
@@ -54,7 +54,7 @@ disable-mnt
 private-bin env,python3*,sh,w3m
 private-cache
 private-dev
-private-etc ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.preload,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
+private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/gpicview.profile b/etc/profile-a-l/gpicview.profile
index 436134e1b..26afe6e49 100644
--- a/etc/profile-a-l/gpicview.profile
+++ b/etc/profile-a-l/gpicview.profile
@@ -41,7 +41,7 @@ tracelog
 private-bin gpicview
 private-cache
 private-dev
-private-etc alternatives,fonts,group,ld.so.preload,passwd
+private-etc alternatives,fonts,group,ld.so.cache,ld.so.preload,passwd
 private-lib
 private-tmp
 
diff --git a/etc/profile-a-l/gpredict.profile b/etc/profile-a-l/gpredict.profile
index e421c6a0b..511be6fcc 100644
--- a/etc/profile-a-l/gpredict.profile
+++ b/etc/profile-a-l/gpredict.profile
@@ -36,6 +36,6 @@ tracelog
 
 private-bin gpredict
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.preload,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl
 private-tmp
 
diff --git a/etc/profile-a-l/gradio.profile b/etc/profile-a-l/gradio.profile
index efb6b39c6..9cc25e45c 100644
--- a/etc/profile-a-l/gradio.profile
+++ b/etc/profile-a-l/gradio.profile
@@ -45,7 +45,7 @@ disable-mnt
 private-bin gradio
 private-cache
 private-dev
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl,xdg
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl,xdg
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile b/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile
index 10d41735a..d76ca105f 100644
--- a/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile
+++ b/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile
@@ -40,7 +40,7 @@ private
 private-bin gravity-beams-and-evaporating-stars
 private-cache
 private-dev
-private-etc fonts,ld.so.preload,machine-id
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/gtk-update-icon-cache.profile b/etc/profile-a-l/gtk-update-icon-cache.profile
index e38dc5c0c..ec8a614fd 100644
--- a/etc/profile-a-l/gtk-update-icon-cache.profile
+++ b/etc/profile-a-l/gtk-update-icon-cache.profile
@@ -46,7 +46,7 @@ disable-mnt
 private-bin gtk-update-icon-cache
 private-cache
 private-dev
-private-etc ld.so.preload
+private-etc alternatives,ld.so.cache,ld.so.preload
 private-lib
 private-tmp
 
diff --git a/etc/profile-a-l/hyperrogue.profile b/etc/profile-a-l/hyperrogue.profile
index 0baebdae1..74e0faa7f 100644
--- a/etc/profile-a-l/hyperrogue.profile
+++ b/etc/profile-a-l/hyperrogue.profile
@@ -44,7 +44,7 @@ private-bin hyperrogue
 private-cache
 private-cwd ${HOME}
 private-dev
-private-etc fonts,ld.so.preload,machine-id
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/ipcalc.profile b/etc/profile-a-l/ipcalc.profile
index 3200d1850..6eefd2945 100644
--- a/etc/profile-a-l/ipcalc.profile
+++ b/etc/profile-a-l/ipcalc.profile
@@ -50,7 +50,7 @@ private-bin bash,ipcalc,ipcalc-ng,perl,sh
 # private-cache
 private-dev
 # empty etc directory
-private-etc ld.so.preload
+private-etc alternatives,ld.so.cache,ld.so.preload
 private-lib
 private-opt none
 private-tmp
diff --git a/etc/profile-a-l/jerry.profile b/etc/profile-a-l/jerry.profile
index 59260dc64..6ca977512 100644
--- a/etc/profile-a-l/jerry.profile
+++ b/etc/profile-a-l/jerry.profile
@@ -34,7 +34,7 @@ tracelog
 
 private-bin bash,jerry,sh,stockfish
 private-dev
-private-etc fonts,gtk-2.0,gtk-3.0,ld.so.preload
+private-etc alternatives,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/jumpnbump.profile b/etc/profile-a-l/jumpnbump.profile
index 8528ece7c..4a9232344 100644
--- a/etc/profile-a-l/jumpnbump.profile
+++ b/etc/profile-a-l/jumpnbump.profile
@@ -41,7 +41,7 @@ disable-mnt
 private-bin jumpnbump
 private-cache
 private-dev
-private-etc ld.so.preload
+private-etc alternatives,ld.so.cache,ld.so.preload
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/kalgebra.profile b/etc/profile-a-l/kalgebra.profile
index 5253a78b0..6ad50cf14 100644
--- a/etc/profile-a-l/kalgebra.profile
+++ b/etc/profile-a-l/kalgebra.profile
@@ -42,7 +42,7 @@ disable-mnt
 private-bin kalgebra,kalgebramobile
 private-cache
 private-dev
-private-etc fonts,ld.so.preload,machine-id
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/kazam.profile b/etc/profile-a-l/kazam.profile
index d88631005..277db1c24 100644
--- a/etc/profile-a-l/kazam.profile
+++ b/etc/profile-a-l/kazam.profile
@@ -49,7 +49,7 @@ disable-mnt
 # private-bin kazam,python*
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.preload,machine-id,pulse,selinux,X11,xdg
+private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,machine-id,pulse,selinux,X11,xdg
 private-tmp
 
 dbus-system none
diff --git a/etc/profile-a-l/keepassx.profile b/etc/profile-a-l/keepassx.profile
index 616b87d7e..5e2d6d8df 100644
--- a/etc/profile-a-l/keepassx.profile
+++ b/etc/profile-a-l/keepassx.profile
@@ -41,7 +41,7 @@ tracelog
 
 private-bin keepassx,keepassx2
 private-dev
-private-etc alternatives,fonts,ld.so.preload,machine-id
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/kid3.profile b/etc/profile-a-l/kid3.profile
index 8b35a8946..5563aa410 100644
--- a/etc/profile-a-l/kid3.profile
+++ b/etc/profile-a-l/kid3.profile
@@ -37,7 +37,7 @@ tracelog
 
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hostname,hosts,kde5rc,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hostname,hosts,kde5rc,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl
 private-tmp
 private-opt none
 private-srv none
diff --git a/etc/profile-a-l/klavaro.profile b/etc/profile-a-l/klavaro.profile
index 964175274..46164403b 100644
--- a/etc/profile-a-l/klavaro.profile
+++ b/etc/profile-a-l/klavaro.profile
@@ -45,7 +45,7 @@ disable-mnt
 private-bin bash,klavaro,sh,tclsh,tclsh*
 private-cache
 private-dev
-private-etc alternatives,fonts,ld.so.preload
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 private-tmp
 private-opt none
 private-srv none
diff --git a/etc/profile-a-l/ktouch.profile b/etc/profile-a-l/ktouch.profile
index 78eb2e8f5..44da8acca 100644
--- a/etc/profile-a-l/ktouch.profile
+++ b/etc/profile-a-l/ktouch.profile
@@ -46,7 +46,7 @@ disable-mnt
 private-bin ktouch
 private-cache
 private-dev
-private-etc alternatives,fonts,kde5rc,ld.so.preload,machine-id
+private-etc alternatives,fonts,kde5rc,ld.so.cache,ld.so.preload,machine-id
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/kube.profile b/etc/profile-a-l/kube.profile
index ad6b2f5fe..718cbbf40 100644
--- a/etc/profile-a-l/kube.profile
+++ b/etc/profile-a-l/kube.profile
@@ -68,7 +68,7 @@ tracelog
 private-bin kube,sink_synchronizer
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,gcrypt,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.preload,pki,resolv.conf,selinux,ssl,xdg
+private-etc alternatives,ca-certificates,crypto-policies,fonts,gcrypt,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,pki,resolv.conf,selinux,ssl,xdg
 private-tmp
 writable-run-user
 
diff --git a/etc/profile-a-l/links-common.profile b/etc/profile-a-l/links-common.profile
index dac3eaee3..84f5dc50d 100644
--- a/etc/profile-a-l/links-common.profile
+++ b/etc/profile-a-l/links-common.profile
@@ -51,7 +51,7 @@ disable-mnt
 private-bin sh
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl
 # Add the next line to your links-common.local to allow external media players.
 # private-etc alsa,asound.conf,machine-id,openal,pulse
 private-tmp
diff --git a/etc/profile-a-l/lollypop.profile b/etc/profile-a-l/lollypop.profile
index a590c5fb7..fde338ff0 100644
--- a/etc/profile-a-l/lollypop.profile
+++ b/etc/profile-a-l/lollypop.profile
@@ -37,6 +37,6 @@ seccomp
 shell none
 
 private-dev
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl,xdg
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl,xdg
 private-tmp
 
diff --git a/etc/profile-a-l/lyx.profile b/etc/profile-a-l/lyx.profile
index 3213f3674..ae2f2d434 100644
--- a/etc/profile-a-l/lyx.profile
+++ b/etc/profile-a-l/lyx.profile
@@ -32,7 +32,7 @@ apparmor
 machine-id
 
 # private-bin atril,dvilualatex,env,latex,lua*,luatex,lyx,lyxclient,okular,pdf2latex,pdflatex,pdftex,perl*,python*,qpdf,qpdfview,sh,tex2lyx,texmf,xelatex
-private-etc alternatives,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.preload,locale,locale.alias,locale.conf,lyx,machine-id,mime.types,passwd,texmf,X11,xdg
+private-etc alternatives,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,locale,locale.alias,locale.conf,lyx,machine-id,mime.types,passwd,texmf,X11,xdg
 
 # Redirect
 include latex-common.profile
diff --git a/etc/profile-m-z/Viber.profile b/etc/profile-m-z/Viber.profile
index ca7165a5d..89ca53af6 100644
--- a/etc/profile-m-z/Viber.profile
+++ b/etc/profile-m-z/Viber.profile
@@ -33,5 +33,5 @@ shell none
 
 disable-mnt
 private-bin awk,bash,dig,sh,Viber
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hosts,ld.so.preload,localtime,machine-id,mailcap,nsswitch.conf,pki,proxychains.conf,pulse,resolv.conf,ssl,X11
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,mailcap,nsswitch.conf,pki,proxychains.conf,pulse,resolv.conf,ssl,X11
 private-tmp
diff --git a/etc/profile-m-z/magicor.profile b/etc/profile-m-z/magicor.profile
index b7cba2421..47165dd3d 100644
--- a/etc/profile-m-z/magicor.profile
+++ b/etc/profile-m-z/magicor.profile
@@ -45,7 +45,7 @@ disable-mnt
 private-bin magicor,python2*
 private-cache
 private-dev
-private-etc ld.so.preload,machine-id
+private-etc alternatives,ld.so.cache,ld.so.preload,machine-id
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/man.profile b/etc/profile-m-z/man.profile
index b6038cc91..9c5959091 100644
--- a/etc/profile-m-z/man.profile
+++ b/etc/profile-m-z/man.profile
@@ -58,7 +58,7 @@ disable-mnt
 #private-bin apropos,bash,cat,catman,col,gpreconv,groff,grotty,gunzip,gzip,less,man,most,nroff,preconv,sed,sh,tbl,tr,troff,whatis,which,xtotroff,zcat,zsoelim
 private-cache
 private-dev
-private-etc alternatives,fonts,groff,ld.so.preload,locale,locale.alias,locale.conf,man_db.conf,manpath.config,selinux,sysless,xdg
+private-etc alternatives,fonts,groff,ld.so.cache,ld.so.preload,locale,locale.alias,locale.conf,man_db.conf,manpath.config,selinux,sysless,xdg
 #private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/masterpdfeditor.profile b/etc/profile-m-z/masterpdfeditor.profile
index dc2088a18..764d040ab 100644
--- a/etc/profile-m-z/masterpdfeditor.profile
+++ b/etc/profile-m-z/masterpdfeditor.profile
@@ -36,6 +36,6 @@ tracelog
 
 private-cache
 private-dev
-private-etc alternatives,fonts,ld.so.preload
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 private-tmp
 
diff --git a/etc/profile-m-z/mate-calc.profile b/etc/profile-m-z/mate-calc.profile
index cb14c6584..2be6b9af1 100644
--- a/etc/profile-m-z/mate-calc.profile
+++ b/etc/profile-m-z/mate-calc.profile
@@ -42,7 +42,7 @@ shell none
 
 disable-mnt
 private-bin mate-calc,mate-calculator
-private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.preload
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload
 private-dev
 private-opt none
 private-tmp
diff --git a/etc/profile-m-z/mate-color-select.profile b/etc/profile-m-z/mate-color-select.profile
index 97793abd5..e16b0fc6c 100644
--- a/etc/profile-m-z/mate-color-select.profile
+++ b/etc/profile-m-z/mate-color-select.profile
@@ -33,7 +33,7 @@ shell none
 
 disable-mnt
 private-bin mate-color-select
-private-etc alternatives,fonts,ld.so.preload
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 private-dev
 private-lib
 private-tmp
diff --git a/etc/profile-m-z/mate-dictionary.profile b/etc/profile-m-z/mate-dictionary.profile
index cb0002af6..469416304 100644
--- a/etc/profile-m-z/mate-dictionary.profile
+++ b/etc/profile-m-z/mate-dictionary.profile
@@ -37,7 +37,7 @@ shell none
 
 disable-mnt
 private-bin mate-dictionary
-private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.preload,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl
 private-opt mate-dictionary
 private-dev
 private-tmp
diff --git a/etc/profile-m-z/mcabber.profile b/etc/profile-m-z/mcabber.profile
index 87083f1e3..4c4a6aa76 100644
--- a/etc/profile-m-z/mcabber.profile
+++ b/etc/profile-m-z/mcabber.profile
@@ -31,4 +31,4 @@ shell none
 
 private-bin mcabber
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,ld.so.preload,pki,ssl
+private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,pki,ssl
diff --git a/etc/profile-m-z/mdr.profile b/etc/profile-m-z/mdr.profile
index 618a1fd3a..bcfd59cbb 100644
--- a/etc/profile-m-z/mdr.profile
+++ b/etc/profile-m-z/mdr.profile
@@ -45,7 +45,7 @@ disable-mnt
 private-bin mdr
 private-cache
 private-dev
-private-etc ld.so.preload
+private-etc alternatives,ld.so.cache,ld.so.preload
 private-lib
 private-tmp
 
diff --git a/etc/profile-m-z/mediainfo.profile b/etc/profile-m-z/mediainfo.profile
index 9403321e2..9bfbaf745 100644
--- a/etc/profile-m-z/mediainfo.profile
+++ b/etc/profile-m-z/mediainfo.profile
@@ -42,7 +42,7 @@ x11 none
 private-bin mediainfo
 private-cache
 private-dev
-private-etc alternatives,ld.so.preload
+private-etc alternatives,ld.so.cache,ld.so.preload
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/menulibre.profile b/etc/profile-m-z/menulibre.profile
index f9f7db3cb..ed0758a49 100644
--- a/etc/profile-m-z/menulibre.profile
+++ b/etc/profile-m-z/menulibre.profile
@@ -52,7 +52,7 @@ tracelog
 disable-mnt
 private-cache
 private-dev
-private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.preload,locale.alias,locale.conf,mime.types,nsswitch.conf,passwd,pki,selinux,X11,xdg
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,locale.alias,locale.conf,mime.types,nsswitch.conf,passwd,pki,selinux,X11,xdg
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/mindless.profile b/etc/profile-m-z/mindless.profile
index bcc7b232b..16ace7ce4 100644
--- a/etc/profile-m-z/mindless.profile
+++ b/etc/profile-m-z/mindless.profile
@@ -42,7 +42,7 @@ private
 private-bin mindless
 private-cache
 private-dev
-private-etc fonts,ld.so.preload
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/mirrormagic.profile b/etc/profile-m-z/mirrormagic.profile
index 133a17350..be846ce63 100644
--- a/etc/profile-m-z/mirrormagic.profile
+++ b/etc/profile-m-z/mirrormagic.profile
@@ -44,7 +44,7 @@ private
 private-bin mirrormagic
 private-cache
 private-dev
-private-etc ld.so.preload,machine-id
+private-etc alternatives,ld.so.cache,ld.so.preload,machine-id
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/mocp.profile b/etc/profile-m-z/mocp.profile
index 79f603f92..313d78030 100644
--- a/etc/profile-m-z/mocp.profile
+++ b/etc/profile-m-z/mocp.profile
@@ -42,7 +42,7 @@ tracelog
 private-bin mocp
 private-cache
 private-dev
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/mp3splt-gtk.profile b/etc/profile-m-z/mp3splt-gtk.profile
index 445691f6a..fe3c78b55 100644
--- a/etc/profile-m-z/mp3splt-gtk.profile
+++ b/etc/profile-m-z/mp3splt-gtk.profile
@@ -37,7 +37,7 @@ tracelog
 private-bin mp3splt-gtk
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-3.0,ld.so.preload,machine-id,openal,pulse
+private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,machine-id,openal,pulse
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/mp3splt.profile b/etc/profile-m-z/mp3splt.profile
index 4d6109250..c89c72ce4 100644
--- a/etc/profile-m-z/mp3splt.profile
+++ b/etc/profile-m-z/mp3splt.profile
@@ -44,7 +44,7 @@ disable-mnt
 private-bin flacsplt,mp3splt,mp3wrap,oggsplt
 private-cache
 private-dev
-private-etc alternatives,ld.so.preload
+private-etc alternatives,ld.so.cache,ld.so.preload
 private-tmp
 
 memory-deny-write-execute
diff --git a/etc/profile-m-z/mpDris2.profile b/etc/profile-m-z/mpDris2.profile
index 597390914..18a839363 100644
--- a/etc/profile-m-z/mpDris2.profile
+++ b/etc/profile-m-z/mpDris2.profile
@@ -49,7 +49,7 @@ shell none
 private-bin mpDris2,notify-send,python*
 private-cache
 private-dev
-private-etc alternatives,hosts,ld.so.preload,nsswitch.conf
+private-etc alternatives,hosts,ld.so.cache,ld.so.preload,nsswitch.conf
 private-lib libdbus-1.so.*,libdbus-glib-1.so.*,libgirepository-1.0.so.*,libnotify.so.*,libpython*,python2*,python3*
 private-tmp
 
diff --git a/etc/profile-m-z/mpv.profile b/etc/profile-m-z/mpv.profile
index 74402a8de..efb11465b 100644
--- a/etc/profile-m-z/mpv.profile
+++ b/etc/profile-m-z/mpv.profile
@@ -74,7 +74,7 @@ seccomp.block-secondary
 shell none
 tracelog
 
-private-bin env,mpv,python*,waf,youtube-dl
+private-bin env,mpv,python*,waf,youtube-dl,yt-dlp
 # private-cache causes slow OSD, see #2838
 #private-cache
 private-dev
diff --git a/etc/profile-m-z/mrrescue.profile b/etc/profile-m-z/mrrescue.profile
index 5b5902563..3fe88ec7f 100644
--- a/etc/profile-m-z/mrrescue.profile
+++ b/etc/profile-m-z/mrrescue.profile
@@ -52,7 +52,7 @@ disable-mnt
 private-bin love,mrrescue,sh
 private-cache
 private-dev
-private-etc ld.so.preload,machine-id
+private-etc alternatives,ld.so.cache,ld.so.preload,machine-id
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/ms-office.profile b/etc/profile-m-z/ms-office.profile
index 7b4a305e9..e15b14db7 100644
--- a/etc/profile-m-z/ms-office.profile
+++ b/etc/profile-m-z/ms-office.profile
@@ -35,7 +35,7 @@ tracelog
 
 disable-mnt
 private-bin bash,env,fonts,jak,ms-office,python*,sh
-private-etc alternatives,ca-certificates,crypto-policies,ld.so.preload,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl
 private-dev
 private-tmp
 
diff --git a/etc/profile-m-z/mupdf-x11-curl.profile b/etc/profile-m-z/mupdf-x11-curl.profile
index b95ab2194..006f64ba8 100644
--- a/etc/profile-m-z/mupdf-x11-curl.profile
+++ b/etc/profile-m-z/mupdf-x11-curl.profile
@@ -12,7 +12,7 @@ ignore net none
 netfilter
 protocol unix,inet,inet6
 
-private-etc ca-certificates,crypto-policies,hosts,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,hosts,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl
 
 # Redirect
 include mupdf.profile
diff --git a/etc/profile-m-z/musixmatch.profile b/etc/profile-m-z/musixmatch.profile
index aab2ac19d..796d7fbb0 100644
--- a/etc/profile-m-z/musixmatch.profile
+++ b/etc/profile-m-z/musixmatch.profile
@@ -33,5 +33,5 @@ seccomp !chroot
 
 disable-mnt
 private-dev
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,ld.so.preload,machine-id,pki,pulse,ssl
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,machine-id,pki,pulse,ssl
 
diff --git a/etc/profile-m-z/mutt.profile b/etc/profile-m-z/mutt.profile
index fb923051f..d10c55549 100644
--- a/etc/profile-m-z/mutt.profile
+++ b/etc/profile-m-z/mutt.profile
@@ -134,7 +134,7 @@ tracelog
 # disable-mnt
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,gai.conf,gcrypt,gnupg,gnutls,hostname,hosts,hosts.conf,ld.so.preload,mail,mailname,Mutt,Muttrc,Muttrc.d,nntpserver,nsswitch.conf,passwd,pki,resolv.conf,ssl,terminfo,xdg
+private-etc alternatives,ca-certificates,crypto-policies,fonts,gai.conf,gcrypt,gnupg,gnutls,hostname,hosts,hosts.conf,ld.so.cache,ld.so.preload,mail,mailname,Mutt,Muttrc,Muttrc.d,nntpserver,nsswitch.conf,passwd,pki,resolv.conf,ssl,terminfo,xdg
 private-tmp
 writable-run-user
 writable-var
diff --git a/etc/profile-m-z/mypaint.profile b/etc/profile-m-z/mypaint.profile
index bf01aaa0e..74301df06 100644
--- a/etc/profile-m-z/mypaint.profile
+++ b/etc/profile-m-z/mypaint.profile
@@ -43,7 +43,7 @@ tracelog
 
 private-cache
 private-dev
-private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.preload
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/nano.profile b/etc/profile-m-z/nano.profile
index 23a30bf97..f7c1f0ff7 100644
--- a/etc/profile-m-z/nano.profile
+++ b/etc/profile-m-z/nano.profile
@@ -49,7 +49,7 @@ private-dev
 # Add the next lines to your nano.local if you want to edit files in /etc directly.
 #ignore private-etc
 #writable-etc
-private-etc alternatives,ld.so.preload,nanorc
+private-etc alternatives,ld.so.cache,ld.so.preload,nanorc
 # Add the next line to your nano.local if you want to edit files in /var directly.
 #writable-var
 
diff --git a/etc/profile-m-z/neomutt.profile b/etc/profile-m-z/neomutt.profile
index 1e59a1490..f31cf9dcb 100644
--- a/etc/profile-m-z/neomutt.profile
+++ b/etc/profile-m-z/neomutt.profile
@@ -137,7 +137,7 @@ tracelog
 # disable-mnt
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gnupg,hostname,hosts,hosts.conf,ld.so.preload,mail,mailname,Mutt,Muttrc,Muttrc.d,neomuttrc,neomuttrc.d,nntpserver,nsswitch.conf,passwd,pki,resolv.conf,ssl,xdg
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gnupg,hostname,hosts,hosts.conf,ld.so.cache,ld.so.preload,mail,mailname,Mutt,Muttrc,Muttrc.d,neomuttrc,neomuttrc.d,nntpserver,nsswitch.conf,passwd,pki,resolv.conf,ssl,xdg
 private-tmp
 writable-run-user
 writable-var
diff --git a/etc/profile-m-z/netactview.profile b/etc/profile-m-z/netactview.profile
index 57f026a0b..d6ac8d5bc 100644
--- a/etc/profile-m-z/netactview.profile
+++ b/etc/profile-m-z/netactview.profile
@@ -45,7 +45,7 @@ disable-mnt
 private-bin netactview,netactview_polkit
 private-cache
 private-dev
-private-etc alternatives,fonts,ld.so.preload
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 private-lib
 private-tmp
 
diff --git a/etc/profile-m-z/newsboat.profile b/etc/profile-m-z/newsboat.profile
index 34c6110cf..cf72bf802 100644
--- a/etc/profile-m-z/newsboat.profile
+++ b/etc/profile-m-z/newsboat.profile
@@ -53,7 +53,7 @@ disable-mnt
 private-bin gzip,lynx,newsboat,sh,w3m
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,ld.so.preload,lynx.cfg,lynx.lss,pki,resolv.conf,ssl,terminfo
+private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,lynx.cfg,lynx.lss,pki,resolv.conf,ssl,terminfo
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/newsflash.profile b/etc/profile-m-z/newsflash.profile
index 56cedec03..9966a0e1b 100644
--- a/etc/profile-m-z/newsflash.profile
+++ b/etc/profile-m-z/newsflash.profile
@@ -51,7 +51,7 @@ disable-mnt
 private-bin com.gitlab.newsflash,newsflash
 private-cache
 private-dev
-private-etc ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,nsswitch.conf,pango,pki,resolv.conf,ssl,X11
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,nsswitch.conf,pango,pki,resolv.conf,ssl,X11
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/nomacs.profile b/etc/profile-m-z/nomacs.profile
index 0bed12b1f..7ffb09e56 100644
--- a/etc/profile-m-z/nomacs.profile
+++ b/etc/profile-m-z/nomacs.profile
@@ -41,5 +41,5 @@ tracelog
 #private-bin nomacs
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hosts,ld.so.preload,login.defs,machine-id,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hosts,ld.so.cache,ld.so.preload,login.defs,machine-id,pki,resolv.conf,ssl
 private-tmp
diff --git a/etc/profile-m-z/noprofile.profile b/etc/profile-m-z/noprofile.profile
new file mode 100644
index 000000000..560ee9db3
--- /dev/null
+++ b/etc/profile-m-z/noprofile.profile
@@ -0,0 +1,28 @@
+# This is the weakest possible firejail profile.
+# If a program still fail with this profile, it is incompatible with firejail.
+# (from https://gist.github.com/rusty-snake/bb234cb3e50e1e4e7429f29a7931cc72)
+#
+# Usage:
+#   1. download
+#   2. firejail --profile=noprofile.profile /path/to/program
+
+# Keep in mind that even with this profile some things are done
+# which can break the program.
+# - some env-vars are cleared
+# - /etc/firejail/firejail.config can contain options such as 'force-nonewprivs yes'
+# - a new private pid-namespace is created
+# - a minimal hardcoded blacklist is applied
+# - ...
+
+noblacklist /sys/fs
+noblacklist /sys/module
+
+allow-debuggers
+allusers
+keep-config-pulse
+keep-dev-shm
+keep-var-tmp
+writable-etc
+writable-run-user
+writable-var
+writable-var-log
diff --git a/etc/profile-m-z/notify-send.profile b/etc/profile-m-z/notify-send.profile
index 8e51d8e78..9f23c099d 100644
--- a/etc/profile-m-z/notify-send.profile
+++ b/etc/profile-m-z/notify-send.profile
@@ -49,7 +49,7 @@ private
 private-bin notify-send
 private-cache
 private-dev
-private-etc ld.so.preload
+private-etc alternatives,ld.so.cache,ld.so.preload
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-m-z/nuclear.profile b/etc/profile-m-z/nuclear.profile
index 9e3093ea7..9f4a6ec46 100644
--- a/etc/profile-m-z/nuclear.profile
+++ b/etc/profile-m-z/nuclear.profile
@@ -18,7 +18,7 @@ whitelist ${HOME}/.config/nuclear
 no3d
 
 # private-bin nuclear
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 private-opt nuclear
 
 # Redirect
diff --git a/etc/profile-m-z/nyx.profile b/etc/profile-m-z/nyx.profile
index 9b431d76d..653591482 100644
--- a/etc/profile-m-z/nyx.profile
+++ b/etc/profile-m-z/nyx.profile
@@ -45,7 +45,7 @@ disable-mnt
 private-bin nyx,python*
 private-cache
 private-dev
-private-etc alternatives,fonts,ld.so.preload,passwd,tor
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,passwd,tor
 private-opt none
 private-srv none
 private-tmp
diff --git a/etc/profile-m-z/odt2txt.profile b/etc/profile-m-z/odt2txt.profile
index 7d2374ccf..de62f4114 100644
--- a/etc/profile-m-z/odt2txt.profile
+++ b/etc/profile-m-z/odt2txt.profile
@@ -38,7 +38,7 @@ x11 none
 private-bin odt2txt
 private-cache
 private-dev
-private-etc alternatives,ld.so.preload
+private-etc alternatives,ld.so.cache,ld.so.preload
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/onboard.profile b/etc/profile-m-z/onboard.profile
index e70e5e81e..e05e58cad 100644
--- a/etc/profile-m-z/onboard.profile
+++ b/etc/profile-m-z/onboard.profile
@@ -50,7 +50,7 @@ disable-mnt
 private-cache
 private-bin onboard,python*,tput
 private-dev
-private-etc alternatives,dbus-1,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.preload,locale,locale.alias,locale.conf,mime.types,selinux,X11,xdg
+private-etc alternatives,dbus-1,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,locale,locale.alias,locale.conf,mime.types,selinux,X11,xdg
 private-tmp
 
 dbus-system none
diff --git a/etc/profile-m-z/openarena.profile b/etc/profile-m-z/openarena.profile
index de334defd..c3ac097a0 100644
--- a/etc/profile-m-z/openarena.profile
+++ b/etc/profile-m-z/openarena.profile
@@ -43,7 +43,7 @@ disable-mnt
 private-bin bash,cut,glxinfo,grep,head,openarena,openarena_ded,quake3,zenity
 private-cache
 private-dev
-private-etc drirc,ld.so.preload,machine-id,openal,passwd,selinux,udev,xdg
+private-etc alternatives,drirc,ld.so.cache,ld.so.preload,machine-id,openal,passwd,selinux,udev,xdg
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/openstego.profile b/etc/profile-m-z/openstego.profile
new file mode 100644
index 000000000..f6622b38d
--- /dev/null
+++ b/etc/profile-m-z/openstego.profile
@@ -0,0 +1,58 @@
+# Firejail profile for OpenStego
+# Description: Steganography application that provides data hiding and watermarking functionality
+# This file is overwritten after every install/update
+# Persistent local customizations
+include openstego.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/openstego.ini
+
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+
+mkfile ${HOME}/openstego.ini
+whitelist ${HOME}/openstego.ini
+whitelist ${HOME}/.java
+whitelist ${PICTURES}
+whitelist ${DOCUMENTS}
+whitelist ${DESKTOP}
+whitelist /usr/share/java
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+machine-id
+net none
+no3d
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin bash,dirname,openstego,readlink,sh
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/pandoc.profile b/etc/profile-m-z/pandoc.profile
index 460f60beb..c016b5103 100644
--- a/etc/profile-m-z/pandoc.profile
+++ b/etc/profile-m-z/pandoc.profile
@@ -50,7 +50,7 @@ x11 none
 disable-mnt
 private-cache
 private-dev
-private-etc alternatives,ld.so.preload,texlive,texmf
+private-etc alternatives,ld.so.cache,ld.so.preload,texlive,texmf
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/parole.profile b/etc/profile-m-z/parole.profile
index a4737d388..3d380542f 100644
--- a/etc/profile-m-z/parole.profile
+++ b/etc/profile-m-z/parole.profile
@@ -27,4 +27,4 @@ shell none
 
 private-bin dbus-launch,parole
 private-cache
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,ld.so.preload,machine-id,passwd,pki,pulse,ssl
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.preload,machine-id,passwd,pki,pulse,ssl
diff --git a/etc/profile-m-z/pavucontrol.profile b/etc/profile-m-z/pavucontrol.profile
index 76f1c9704..d64aab200 100644
--- a/etc/profile-m-z/pavucontrol.profile
+++ b/etc/profile-m-z/pavucontrol.profile
@@ -45,7 +45,7 @@ disable-mnt
 private-bin pavucontrol
 private-cache
 private-dev
-private-etc alternatives,asound.conf,avahi,fonts,ld.so.preload,machine-id,pulse
+private-etc alternatives,asound.conf,avahi,fonts,ld.so.cache,ld.so.preload,machine-id,pulse
 private-lib
 private-tmp
 
diff --git a/etc/profile-m-z/pdfchain.profile b/etc/profile-m-z/pdfchain.profile
index 400fc3d77..41ec98a39 100644
--- a/etc/profile-m-z/pdfchain.profile
+++ b/etc/profile-m-z/pdfchain.profile
@@ -34,7 +34,7 @@ shell none
 
 private-bin pdfchain,pdftk,sh
 private-dev
-private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.preload,xdg
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,xdg
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/pdftotext.profile b/etc/profile-m-z/pdftotext.profile
index b1c2dfb1c..9d2f2b95f 100644
--- a/etc/profile-m-z/pdftotext.profile
+++ b/etc/profile-m-z/pdftotext.profile
@@ -48,7 +48,7 @@ x11 none
 private-bin pdftotext
 private-cache
 private-dev
-private-etc alternatives,ld.so.preload
+private-etc alternatives,ld.so.cache,ld.so.preload
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/peek.profile b/etc/profile-m-z/peek.profile
index e216742a4..f5c295b5d 100644
--- a/etc/profile-m-z/peek.profile
+++ b/etc/profile-m-z/peek.profile
@@ -48,7 +48,7 @@ tracelog
 disable-mnt
 private-bin bash,convert,ffmpeg,firejail,fish,peek,sh,which,zsh
 private-dev
-private-etc dconf,firejail,fonts,gtk-3.0,ld.so.preload,login.defs,pango,passwd,X11
+private-etc alternatives,dconf,firejail,fonts,gtk-3.0,ld.so.cache,ld.so.preload,login.defs,pango,passwd,X11
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-m-z/photoflare.profile b/etc/profile-m-z/photoflare.profile
index c0d0ae4df..80efedec7 100644
--- a/etc/profile-m-z/photoflare.profile
+++ b/etc/profile-m-z/photoflare.profile
@@ -43,7 +43,7 @@ disable-mnt
 private-bin photoflare
 private-cache
 private-dev
-private-etc alternatives,fonts,ld.so.preload,locale,locale.alias,locale.conf,mime.types,X11
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,locale,locale.alias,locale.conf,mime.types,X11
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/pingus.profile b/etc/profile-m-z/pingus.profile
index fb50e66ca..69c78740d 100644
--- a/etc/profile-m-z/pingus.profile
+++ b/etc/profile-m-z/pingus.profile
@@ -50,7 +50,7 @@ disable-mnt
 private-bin pingus,pingus.bin,sh
 private-cache
 private-dev
-private-etc ld.so.preload,machine-id
+private-etc alternatives,ld.so.cache,ld.so.preload,machine-id
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/pkglog.profile b/etc/profile-m-z/pkglog.profile
index 23e21f347..69b954f53 100644
--- a/etc/profile-m-z/pkglog.profile
+++ b/etc/profile-m-z/pkglog.profile
@@ -44,7 +44,7 @@ private
 private-bin pkglog,python*
 private-cache
 private-dev
-private-etc alternatives,ld.so.preload
+private-etc alternatives,ld.so.cache,ld.so.preload
 private-opt none
 private-tmp
 writable-var-log
diff --git a/etc/profile-m-z/plv.profile b/etc/profile-m-z/plv.profile
index a6b0768f1..38ccf72e8 100644
--- a/etc/profile-m-z/plv.profile
+++ b/etc/profile-m-z/plv.profile
@@ -46,7 +46,7 @@ disable-mnt
 private-bin plv
 private-cache
 private-dev
-private-etc alternatives,fonts,ld.so.preload
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 private-opt none
 private-tmp
 writable-var-log
diff --git a/etc/profile-m-z/pngquant.profile b/etc/profile-m-z/pngquant.profile
index 534cc5943..6b989202f 100644
--- a/etc/profile-m-z/pngquant.profile
+++ b/etc/profile-m-z/pngquant.profile
@@ -47,7 +47,7 @@ x11 none
 private-bin pngquant
 private-cache
 private-dev
-private-etc alternatives,ld.so.preload
+private-etc alternatives,ld.so.cache,ld.so.preload
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/pragha.profile b/etc/profile-m-z/pragha.profile
index c9793433e..fd595c27a 100644
--- a/etc/profile-m-z/pragha.profile
+++ b/etc/profile-m-z/pragha.profile
@@ -33,6 +33,6 @@ seccomp
 shell none
 
 private-dev
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl,xdg
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl,xdg
 private-tmp
 
diff --git a/etc/profile-m-z/profanity.profile b/etc/profile-m-z/profanity.profile
index af0ca5d8f..25a248425 100644
--- a/etc/profile-m-z/profanity.profile
+++ b/etc/profile-m-z/profanity.profile
@@ -44,7 +44,7 @@ shell none
 private-bin profanity
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,ld.so.preload,localtime,mime.types,nsswitch.conf,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,localtime,mime.types,nsswitch.conf,pki,resolv.conf,ssl
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/qgis.profile b/etc/profile-m-z/qgis.profile
index 4ebd556d6..555e1e41b 100644
--- a/etc/profile-m-z/qgis.profile
+++ b/etc/profile-m-z/qgis.profile
@@ -52,7 +52,7 @@ tracelog
 disable-mnt
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.preload,machine-id,pki,QGIS,QGIS.conf,resolv.conf,ssl,Trolltech.conf
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,machine-id,pki,QGIS,QGIS.conf,resolv.conf,ssl,Trolltech.conf
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/qnapi.profile b/etc/profile-m-z/qnapi.profile
index 89cb5baa8..4a3ce366e 100644
--- a/etc/profile-m-z/qnapi.profile
+++ b/etc/profile-m-z/qnapi.profile
@@ -47,7 +47,7 @@ tracelog
 private-bin 7z,qnapi
 private-cache
 private-dev
-private-etc alternatives,fonts,ld.so.preload
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 private-opt none
 private-tmp
 
diff --git a/etc/profile-m-z/qrencode.profile b/etc/profile-m-z/qrencode.profile
index 2d9fefe40..dd3f24875 100644
--- a/etc/profile-m-z/qrencode.profile
+++ b/etc/profile-m-z/qrencode.profile
@@ -47,7 +47,7 @@ disable-mnt
 private-bin qrencode
 private-cache
 private-dev
-private-etc ld.so.preload
+private-etc alternatives,ld.so.cache,ld.so.preload
 private-lib libpcre*
 private-tmp
 
diff --git a/etc/profile-m-z/regextester.profile b/etc/profile-m-z/regextester.profile
index 6b9144791..f1ce313e7 100644
--- a/etc/profile-m-z/regextester.profile
+++ b/etc/profile-m-z/regextester.profile
@@ -43,7 +43,7 @@ disable-mnt
 private-bin regextester
 private-cache
 private-dev
-private-etc alternatives,fonts,ld.so.preload
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 private-lib libgranite.so.*
 private-tmp
 
diff --git a/etc/profile-m-z/rsync-download_only.profile b/etc/profile-m-z/rsync-download_only.profile
index e49f10b7b..e44e55a12 100644
--- a/etc/profile-m-z/rsync-download_only.profile
+++ b/etc/profile-m-z/rsync-download_only.profile
@@ -49,7 +49,7 @@ disable-mnt
 private-bin rsync
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.preload,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
+private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/scorchwentbonkers.profile b/etc/profile-m-z/scorchwentbonkers.profile
index d256b2efe..70b5d844a 100644
--- a/etc/profile-m-z/scorchwentbonkers.profile
+++ b/etc/profile-m-z/scorchwentbonkers.profile
@@ -43,7 +43,7 @@ disable-mnt
 private-bin scorchwentbonkers
 private-cache
 private-dev
-private-etc alsa,asound.conf,ld.so.preload,machine-id,pulse
+private-etc alsa,alternatives,asound.conf,ld.so.cache,ld.so.preload,machine-id,pulse
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/seahorse-adventures.profile b/etc/profile-m-z/seahorse-adventures.profile
index cb3378597..72d6d5cf7 100644
--- a/etc/profile-m-z/seahorse-adventures.profile
+++ b/etc/profile-m-z/seahorse-adventures.profile
@@ -48,7 +48,7 @@ private
 private-bin bash,dash,python*,seahorse-adventures,sh
 private-cache
 private-dev
-private-etc ld.so.preload,machine-id
+private-etc alternatives,ld.so.cache,ld.so.preload,machine-id
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/seahorse-tool.profile b/etc/profile-m-z/seahorse-tool.profile
index f08b852db..9ef174606 100644
--- a/etc/profile-m-z/seahorse-tool.profile
+++ b/etc/profile-m-z/seahorse-tool.profile
@@ -8,7 +8,7 @@ include seahorse-tool.local
 #include globals.local
 
 # private-etc workaround for: #2877
-private-etc firejail,ld.so.preload,login.defs,passwd
+private-etc alternatives,firejail,ld.so.cache,ld.so.preload,login.defs,passwd
 private-tmp
 
 # Redirect
diff --git a/etc/profile-m-z/seahorse.profile b/etc/profile-m-z/seahorse.profile
index 94a27da87..7382e4712 100644
--- a/etc/profile-m-z/seahorse.profile
+++ b/etc/profile-m-z/seahorse.profile
@@ -60,7 +60,7 @@ tracelog
 disable-mnt
 private-cache
 private-dev
-private-etc ca-certificates,crypto-policies,dconf,fonts,gconf,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,nsswitch.conf,pango,pki,protocols,resolv.conf,rpc,services,ssh,ssl,X11
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gconf,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,nsswitch.conf,pango,pki,protocols,resolv.conf,rpc,services,ssh,ssl,X11
 writable-run-user
 
 dbus-user filter
diff --git a/etc/profile-m-z/shotwell.profile b/etc/profile-m-z/shotwell.profile
index 304a1cda2..3b569eeaf 100644
--- a/etc/profile-m-z/shotwell.profile
+++ b/etc/profile-m-z/shotwell.profile
@@ -49,7 +49,7 @@ tracelog
 private-bin shotwell
 private-cache
 private-dev
-private-etc alternatives,fonts,ld.so.preload,machine-id
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id
 private-opt none
 private-tmp
 
diff --git a/etc/profile-m-z/softmaker-common.profile b/etc/profile-m-z/softmaker-common.profile
index 47468a531..099e6a2ad 100644
--- a/etc/profile-m-z/softmaker-common.profile
+++ b/etc/profile-m-z/softmaker-common.profile
@@ -43,7 +43,7 @@ tracelog
 private-bin freeoffice-planmaker,freeoffice-presentations,freeoffice-textmaker,planmaker18,planmaker18free,presentations18,presentations18free,sh,textmaker18,textmaker18free
 private-cache
 private-dev
-private-etc ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,SoftMaker,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,SoftMaker,ssl
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/sqlitebrowser.profile b/etc/profile-m-z/sqlitebrowser.profile
index 21a77a0d1..deaf37f52 100644
--- a/etc/profile-m-z/sqlitebrowser.profile
+++ b/etc/profile-m-z/sqlitebrowser.profile
@@ -42,7 +42,7 @@ shell none
 private-bin sqlitebrowser
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.preload,machine-id,passwd,pki,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.preload,machine-id,passwd,pki,ssl
 private-tmp
 
 # breaks proxy creation
diff --git a/etc/profile-m-z/strawberry.profile b/etc/profile-m-z/strawberry.profile
index 50ecc3432..32e43f079 100644
--- a/etc/profile-m-z/strawberry.profile
+++ b/etc/profile-m-z/strawberry.profile
@@ -43,7 +43,7 @@ disable-mnt
 private-bin strawberry,strawberry-tagreader
 private-cache
 private-dev
-private-etc ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl
 private-tmp
 
 dbus-system none
diff --git a/etc/profile-m-z/subdownloader.profile b/etc/profile-m-z/subdownloader.profile
index 65cb678d0..a9f22085b 100644
--- a/etc/profile-m-z/subdownloader.profile
+++ b/etc/profile-m-z/subdownloader.profile
@@ -44,7 +44,7 @@ tracelog
 
 private-cache
 private-dev
-private-etc alternatives,fonts,ld.so.preload
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/supertux2.profile b/etc/profile-m-z/supertux2.profile
index d48065c4b..464fa1b08 100644
--- a/etc/profile-m-z/supertux2.profile
+++ b/etc/profile-m-z/supertux2.profile
@@ -44,7 +44,7 @@ tracelog
 disable-mnt
 # private-bin supertux2
 private-cache
-private-etc ld.so.preload,machine-id
+private-etc alternatives,ld.so.cache,ld.so.preload,machine-id
 private-dev
 private-tmp
 
diff --git a/etc/profile-m-z/supertuxkart.profile b/etc/profile-m-z/supertuxkart.profile
index 5b5b4aae5..473472251 100644
--- a/etc/profile-m-z/supertuxkart.profile
+++ b/etc/profile-m-z/supertuxkart.profile
@@ -54,7 +54,7 @@ private-bin supertuxkart
 private-cache
 # Add the next line to your supertuxkart.local if you do not need controller support.
 #private-dev
-private-etc alternatives,ca-certificates,crypto-policies,drirc,hosts,ld.so.preload,machine-id,openal,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,drirc,hosts,ld.so.cache,ld.so.preload,machine-id,openal,pki,resolv.conf,ssl
 private-tmp
 private-opt none
 private-srv none
diff --git a/etc/profile-m-z/surf.profile b/etc/profile-m-z/surf.profile
index cfecb6f62..c04f00cab 100644
--- a/etc/profile-m-z/surf.profile
+++ b/etc/profile-m-z/surf.profile
@@ -34,6 +34,6 @@ tracelog
 disable-mnt
 private-bin bash,curl,dmenu,ls,printf,sed,sh,sleep,st,stterm,surf,xargs,xprop
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,group,hosts,ld.so.preload,machine-id,passwd,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,group,hosts,ld.so.cache,ld.so.preload,machine-id,passwd,pki,resolv.conf,ssl
 private-tmp
 
diff --git a/etc/profile-m-z/tar.profile b/etc/profile-m-z/tar.profile
index 388805f31..0817adda8 100644
--- a/etc/profile-m-z/tar.profile
+++ b/etc/profile-m-z/tar.profile
@@ -14,7 +14,7 @@ ignore include disable-shell.inc
 # all capabilities this is automatically read-only.
 noblacklist /var/lib/pacman
 
-private-etc alternatives,group,ld.so.preload,localtime,login.defs,passwd
+private-etc alternatives,group,ld.so.cache,ld.so.preload,localtime,login.defs,passwd
 #private-lib libfakeroot,liblzma.so.*,libreadline.so.*
 # Debian based distributions need this for 'dpkg --unpack' (incl. synaptic)
 writable-var
diff --git a/etc/profile-m-z/teams-for-linux.profile b/etc/profile-m-z/teams-for-linux.profile
index 310c440b1..ee19bcd00 100644
--- a/etc/profile-m-z/teams-for-linux.profile
+++ b/etc/profile-m-z/teams-for-linux.profile
@@ -20,7 +20,7 @@ mkdir ${HOME}/.config/teams-for-linux
 whitelist ${HOME}/.config/teams-for-linux
 
 private-bin bash,cut,echo,egrep,electron,electron[0-9],electron[0-9][0-9],grep,head,sed,sh,teams-for-linux,tr,xdg-mime,xdg-open,zsh
-private-etc ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,localtime,machine-id,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,localtime,machine-id,pki,resolv.conf,ssl
 
 # Redirect
 include electron.profile
diff --git a/etc/profile-m-z/telnet.profile b/etc/profile-m-z/telnet.profile
new file mode 100644
index 000000000..0b0510460
--- /dev/null
+++ b/etc/profile-m-z/telnet.profile
@@ -0,0 +1,54 @@
+# Firejail profile for ftp
+# Description: standard File Access Protocol utility
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include telnet.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${PATH}/telnet
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+#include disable-shell.inc
+include disable-write-mnt.inc
+include disable-X11.inc
+include disable-xdg.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol inet,inet6
+seccomp
+shell none
+tracelog
+
+#disable-mnt
+#private-bin PROGRAMS
+private-cache
+private-dev
+#private-etc FILES
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+noexec ${HOME}
diff --git a/etc/profile-m-z/tilp.profile b/etc/profile-m-z/tilp.profile
index 07212a452..d2db44b1c 100644
--- a/etc/profile-m-z/tilp.profile
+++ b/etc/profile-m-z/tilp.profile
@@ -30,6 +30,6 @@ tracelog
 disable-mnt
 private-bin tilp
 private-cache
-private-etc alternatives,fonts,ld.so.preload
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 private-tmp
 
diff --git a/etc/profile-m-z/tin.profile b/etc/profile-m-z/tin.profile
index a43e53aae..1d4ee9370 100644
--- a/etc/profile-m-z/tin.profile
+++ b/etc/profile-m-z/tin.profile
@@ -58,7 +58,7 @@ disable-mnt
 private-bin rtin,tin
 private-cache
 private-dev
-private-etc ld.so.preload,passwd,resolv.conf,terminfo,tin
+private-etc alternatives,ld.so.cache,ld.so.preload,passwd,resolv.conf,terminfo,tin
 private-lib terminfo
 private-tmp
 
diff --git a/etc/profile-m-z/tor.profile b/etc/profile-m-z/tor.profile
index 312123f59..d8cd8eb44 100644
--- a/etc/profile-m-z/tor.profile
+++ b/etc/profile-m-z/tor.profile
@@ -46,6 +46,6 @@ private
 private-bin bash,tor
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,ld.so.preload,passwd,pki,ssl,tor
+private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,passwd,pki,ssl,tor
 private-tmp
 writable-var
diff --git a/etc/profile-m-z/transgui.profile b/etc/profile-m-z/transgui.profile
index 0e23b7843..4acb8e7e8 100644
--- a/etc/profile-m-z/transgui.profile
+++ b/etc/profile-m-z/transgui.profile
@@ -45,7 +45,7 @@ tracelog
 private-bin geoiplookup,geoiplookup6,transgui
 private-cache
 private-dev
-private-etc alternatives,fonts,ld.so.preload
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 private-lib libgdk_pixbuf-2.0.so.*,libGeoIP.so*,libgthread-2.0.so.*,libgtk-x11-2.0.so.*,libX11.so.*
 private-tmp
 
diff --git a/etc/profile-m-z/transmission-cli.profile b/etc/profile-m-z/transmission-cli.profile
index b3fab083c..8a1711e97 100644
--- a/etc/profile-m-z/transmission-cli.profile
+++ b/etc/profile-m-z/transmission-cli.profile
@@ -8,7 +8,7 @@ include transmission-cli.local
 include globals.local
 
 private-bin transmission-cli
-private-etc alternatives,ca-certificates,crypto-policies,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl
 
 # Redirect
 include transmission-common.profile
diff --git a/etc/profile-m-z/transmission-daemon.profile b/etc/profile-m-z/transmission-daemon.profile
index 9d91b8b81..5d28f2f10 100644
--- a/etc/profile-m-z/transmission-daemon.profile
+++ b/etc/profile-m-z/transmission-daemon.profile
@@ -17,7 +17,7 @@ caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot
 protocol packet
 
 private-bin transmission-daemon
-private-etc alternatives,ca-certificates,crypto-policies,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl
 
 read-write /var/lib/transmission
 writable-var-log
diff --git a/etc/profile-m-z/transmission-remote-gtk.profile b/etc/profile-m-z/transmission-remote-gtk.profile
index 20d54500f..6a0f1bde3 100644
--- a/etc/profile-m-z/transmission-remote-gtk.profile
+++ b/etc/profile-m-z/transmission-remote-gtk.profile
@@ -12,7 +12,7 @@ noblacklist ${HOME}/.config/transmission-remote-gtk
 mkdir ${HOME}/.config/transmission-remote-gtk
 whitelist ${HOME}/.config/transmission-remote-gtk
 
-private-etc fonts,hostname,hosts,ld.so.preload,resolv.conf
+private-etc alternatives,fonts,hostname,hosts,ld.so.cache,ld.so.preload,resolv.conf
 # Problems with private-lib (see issue #2889)
 ignore private-lib
 
diff --git a/etc/profile-m-z/transmission-remote.profile b/etc/profile-m-z/transmission-remote.profile
index ad4ad2172..565433d99 100644
--- a/etc/profile-m-z/transmission-remote.profile
+++ b/etc/profile-m-z/transmission-remote.profile
@@ -8,7 +8,7 @@ include transmission-remote.local
 include globals.local
 
 private-bin transmission-remote
-private-etc alternatives,hosts,ld.so.preload,nsswitch.conf
+private-etc alternatives,hosts,ld.so.cache,ld.so.preload,nsswitch.conf
 
 # Redirect
 include transmission-common.profile
diff --git a/etc/profile-m-z/transmission-show.profile b/etc/profile-m-z/transmission-show.profile
index 822a368da..0a5826ec4 100644
--- a/etc/profile-m-z/transmission-show.profile
+++ b/etc/profile-m-z/transmission-show.profile
@@ -8,7 +8,7 @@ include transmission-show.local
 include globals.local
 
 private-bin transmission-show
-private-etc alternatives,hosts,ld.so.preload,nsswitch.conf
+private-etc alternatives,hosts,ld.so.cache,ld.so.preload,nsswitch.conf
 
 # Redirect
 include transmission-common.profile
diff --git a/etc/profile-m-z/trojita.profile b/etc/profile-m-z/trojita.profile
index 1959aee1e..60a192ac1 100644
--- a/etc/profile-m-z/trojita.profile
+++ b/etc/profile-m-z/trojita.profile
@@ -54,7 +54,7 @@ tracelog
 private-bin trojita
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.preload,pki,resolv.conf,selinux,ssl,xdg
+private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,ld.so.preload,pki,resolv.conf,selinux,ssl,xdg
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-m-z/twitch.profile b/etc/profile-m-z/twitch.profile
index bd2f1bcf9..987a2b719 100644
--- a/etc/profile-m-z/twitch.profile
+++ b/etc/profile-m-z/twitch.profile
@@ -18,7 +18,7 @@ mkdir ${HOME}/.config/Twitch
 whitelist ${HOME}/.config/Twitch
 
 private-bin electron,electron[0-9],electron[0-9][0-9],twitch
-private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 private-opt Twitch
 
 # Redirect
diff --git a/etc/profile-m-z/unf.profile b/etc/profile-m-z/unf.profile
index 685e74e25..1b82ad881 100644
--- a/etc/profile-m-z/unf.profile
+++ b/etc/profile-m-z/unf.profile
@@ -49,7 +49,7 @@ private-bin unf
 private-cache
 ?HAS_APPIMAGE: ignore private-dev
 private-dev
-private-etc alternatives,ld.so.preload
+private-etc alternatives,ld.so.cache,ld.so.preload
 private-lib gcc/*/*/libgcc_s.so.*
 private-tmp
 
diff --git a/etc/profile-m-z/unrar.profile b/etc/profile-m-z/unrar.profile
index 761ee91c5..443d1f415 100644
--- a/etc/profile-m-z/unrar.profile
+++ b/etc/profile-m-z/unrar.profile
@@ -8,7 +8,7 @@ include unrar.local
 include globals.local
 
 private-bin unrar
-private-etc alternatives,group,ld.so.preload,localtime,passwd
+private-etc alternatives,group,ld.so.cache,ld.so.preload,localtime,passwd
 private-tmp
 
 # Redirect
diff --git a/etc/profile-m-z/unzip.profile b/etc/profile-m-z/unzip.profile
index 981826b16..97df693ba 100644
--- a/etc/profile-m-z/unzip.profile
+++ b/etc/profile-m-z/unzip.profile
@@ -10,7 +10,7 @@ include globals.local
 # GNOME Shell integration (chrome-gnome-shell)
 noblacklist ${HOME}/.local/share/gnome-shell
 
-private-etc alternatives,group,ld.so.preload,localtime,passwd
+private-etc alternatives,group,ld.so.cache,ld.so.preload,localtime,passwd
 
 # Redirect
 include archiver-common.profile
diff --git a/etc/profile-m-z/uudeview.profile b/etc/profile-m-z/uudeview.profile
index 3b38f16e0..426766e17 100644
--- a/etc/profile-m-z/uudeview.profile
+++ b/etc/profile-m-z/uudeview.profile
@@ -41,7 +41,7 @@ x11 none
 private-bin uudeview
 private-cache
 private-dev
-private-etc alternatives,ld.so.preload
+private-etc alternatives,ld.so.cache,ld.so.preload
 
 dbus-user none
 dbus-system none
diff --git a/etc/profile-m-z/viewnior.profile b/etc/profile-m-z/viewnior.profile
index ed2f0103b..585a8eddb 100644
--- a/etc/profile-m-z/viewnior.profile
+++ b/etc/profile-m-z/viewnior.profile
@@ -43,7 +43,7 @@ tracelog
 private-bin viewnior
 private-cache
 private-dev
-private-etc alternatives,fonts,ld.so.preload,machine-id
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/virtualbox.profile b/etc/profile-m-z/virtualbox.profile
index a6d3eaafd..227ad83cc 100644
--- a/etc/profile-m-z/virtualbox.profile
+++ b/etc/profile-m-z/virtualbox.profile
@@ -45,7 +45,7 @@ tracelog
 #disable-mnt
 #private-bin awk,basename,bash,env,gawk,grep,ps,readlink,sh,virtualbox,VirtualBox,VBox*,vbox*,whoami
 private-cache
-private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,pki,pulse,resolv.conf,ssl
+private-etc alsa,alternatives,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,pki,pulse,resolv.conf,ssl
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/vmware-view.profile b/etc/profile-m-z/vmware-view.profile
index b2b019ff4..278a66149 100644
--- a/etc/profile-m-z/vmware-view.profile
+++ b/etc/profile-m-z/vmware-view.profile
@@ -7,6 +7,7 @@ include vmware-view.local
 include globals.local
 
 noblacklist ${HOME}/.vmware
+noblacklist /usr/lib/vmware
 
 noblacklist /sbin
 noblacklist /usr/sbin
diff --git a/etc/profile-m-z/vmware.profile b/etc/profile-m-z/vmware.profile
index 8e25daee0..57fbbae96 100644
--- a/etc/profile-m-z/vmware.profile
+++ b/etc/profile-m-z/vmware.profile
@@ -8,6 +8,7 @@ include globals.local
 
 noblacklist ${HOME}/.cache/vmware
 noblacklist ${HOME}/.vmware
+noblacklist /usr/lib/vmware
 
 include disable-common.inc
 include disable-devel.inc
@@ -38,6 +39,6 @@ tracelog
 #disable-mnt
 # Add the next line to your vmware.local to enable private-bin.
 #private-bin env,bash,sh,ovftool,vmafossexec,vmaf_*,vmnet-*,vmplayer,vmrest,vmrun,vmss2core,vmstat,vmware,vmware-*
-private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl,vmware,vmware-installer,vmware-vix
+private-etc alsa,alternatives,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl,vmware,vmware-installer,vmware-vix
 dbus-user none
 dbus-system none
diff --git a/etc/profile-m-z/w3m.profile b/etc/profile-m-z/w3m.profile
index d2e30e824..c9e209142 100644
--- a/etc/profile-m-z/w3m.profile
+++ b/etc/profile-m-z/w3m.profile
@@ -62,7 +62,7 @@ disable-mnt
 private-bin perl,sh,w3m
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,ld.so.preload,mailcap,nsswitch.conf,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,mailcap,nsswitch.conf,pki,resolv.conf,ssl
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/warmux.profile b/etc/profile-m-z/warmux.profile
index fc59b7239..0a6f19b1e 100644
--- a/etc/profile-m-z/warmux.profile
+++ b/etc/profile-m-z/warmux.profile
@@ -49,7 +49,7 @@ disable-mnt
 private-bin warmux
 private-cache
 private-dev
-private-etc ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.preload,machine-id,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
+private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/whalebird.profile b/etc/profile-m-z/whalebird.profile
index ae3944561..92ebebdae 100644
--- a/etc/profile-m-z/whalebird.profile
+++ b/etc/profile-m-z/whalebird.profile
@@ -21,7 +21,7 @@ whitelist ${HOME}/.config/Whalebird
 no3d
 
 private-bin electron,electron[0-9],electron[0-9][0-9],whalebird
-private-etc fonts,ld.so.preload,machine-id
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id
 
 # Redirect
 include electron.profile
diff --git a/etc/profile-m-z/whois.profile b/etc/profile-m-z/whois.profile
index 0650e41ad..afff6f587 100644
--- a/etc/profile-m-z/whois.profile
+++ b/etc/profile-m-z/whois.profile
@@ -47,7 +47,7 @@ private
 private-bin bash,sh,whois
 private-cache
 private-dev
-private-etc alternatives,hosts,jwhois.conf,ld.so.preload,resolv.conf,services,whois.conf
+private-etc alternatives,hosts,jwhois.conf,ld.so.cache,ld.so.preload,resolv.conf,services,whois.conf
 private-lib gconv
 private-tmp
 
diff --git a/etc/profile-m-z/wire-desktop.profile b/etc/profile-m-z/wire-desktop.profile
index eebad4a19..d8742cd71 100644
--- a/etc/profile-m-z/wire-desktop.profile
+++ b/etc/profile-m-z/wire-desktop.profile
@@ -26,7 +26,7 @@ mkdir ${HOME}/.config/Wire
 whitelist ${HOME}/.config/Wire
 
 private-bin bash,electron,electron[0-9],electron[0-9][0-9],env,sh,wire-desktop
-private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.preload,machine-id,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,machine-id,pki,resolv.conf,ssl
 
 # Redirect
 include electron.profile
diff --git a/etc/profile-m-z/wordwarvi.profile b/etc/profile-m-z/wordwarvi.profile
index 374290ed0..3147c2ac3 100644
--- a/etc/profile-m-z/wordwarvi.profile
+++ b/etc/profile-m-z/wordwarvi.profile
@@ -45,7 +45,7 @@ private
 private-bin wordwarvi
 private-cache
 private-dev
-private-etc alsa,asound.conf,ld.so.preload,machine-id,pulse
+private-etc alsa,alternatives,asound.conf,ld.so.cache,ld.so.preload,machine-id,pulse
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/xbill.profile b/etc/profile-m-z/xbill.profile
index 8382e4d76..bb119996c 100644
--- a/etc/profile-m-z/xbill.profile
+++ b/etc/profile-m-z/xbill.profile
@@ -44,7 +44,7 @@ private
 private-bin xbill
 private-cache
 private-dev
-private-etc ld.so.preload
+private-etc alternatives,ld.so.cache,ld.so.preload
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/xfce4-mixer.profile b/etc/profile-m-z/xfce4-mixer.profile
index 21857dbe6..386ef2bd6 100644
--- a/etc/profile-m-z/xfce4-mixer.profile
+++ b/etc/profile-m-z/xfce4-mixer.profile
@@ -46,7 +46,7 @@ disable-mnt
 private-bin xfce4-mixer,xfconf-query
 private-cache
 private-dev
-private-etc alternatives,asound.conf,fonts,ld.so.preload,machine-id,pulse
+private-etc alternatives,asound.conf,fonts,ld.so.cache,ld.so.preload,machine-id,pulse
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-m-z/xfce4-screenshooter.profile b/etc/profile-m-z/xfce4-screenshooter.profile
index ad3058ce2..d74ed5754 100644
--- a/etc/profile-m-z/xfce4-screenshooter.profile
+++ b/etc/profile-m-z/xfce4-screenshooter.profile
@@ -42,7 +42,7 @@ tracelog
 disable-mnt
 private-bin xfce4-screenshooter,xfconf-query
 private-dev
-private-etc ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,ld.so.preload,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/xiphos.profile b/etc/profile-m-z/xiphos.profile
index 9b7a006d2..c7fd0799b 100644
--- a/etc/profile-m-z/xiphos.profile
+++ b/etc/profile-m-z/xiphos.profile
@@ -47,5 +47,5 @@ disable-mnt
 private-bin xiphos
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.preload,pki,resolv.conf,ssli,sword,sword.conf
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssli,sword,sword.conf
 private-tmp
diff --git a/etc/profile-m-z/xlinks.profile b/etc/profile-m-z/xlinks.profile
index 1c9310986..404baf607 100644
--- a/etc/profile-m-z/xlinks.profile
+++ b/etc/profile-m-z/xlinks.profile
@@ -14,7 +14,7 @@ include whitelist-common.inc
 # if you want to use user-configured programs add 'private-bin PROGRAM1,PROGRAM2'
 # to your xlinks.local or append 'PROGRAM1,PROGRAM2' to this private-bin line
 private-bin xlinks
-private-etc fonts,ld.so.preload
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 
 # Redirect
 include links.profile
diff --git a/etc/profile-m-z/xlinks2 b/etc/profile-m-z/xlinks2
index bbf660e29..d7edd3543 100644
--- a/etc/profile-m-z/xlinks2
+++ b/etc/profile-m-z/xlinks2
@@ -14,7 +14,7 @@ include whitelist-common.inc
 # if you want to use user-configured programs add 'private-bin PROGRAM1,PROGRAM2'
 # to your xlinks.local or append 'PROGRAM1,PROGRAM2' to this private-bin line
 private-bin xlinks2
-private-etc fonts,ld.so.preload
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 
 # Redirect
 include links2.profile
diff --git a/etc/profile-m-z/xmr-stak.profile b/etc/profile-m-z/xmr-stak.profile
index 2a9fbf171..e541436a4 100644
--- a/etc/profile-m-z/xmr-stak.profile
+++ b/etc/profile-m-z/xmr-stak.profile
@@ -38,7 +38,7 @@ disable-mnt
 private ${HOME}/.xmr-stak
 private-bin xmr-stak
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl
 #private-lib libxmrstak_opencl_backend,libxmrstak_cuda_backend
 private-opt cuda
 private-tmp
diff --git a/etc/profile-m-z/xournal.profile b/etc/profile-m-z/xournal.profile
index fe7395078..a0e77b4e7 100644
--- a/etc/profile-m-z/xournal.profile
+++ b/etc/profile-m-z/xournal.profile
@@ -43,7 +43,7 @@ tracelog
 private-bin xournal
 private-cache
 private-dev
-private-etc alternatives,fonts,group,ld.so.preload,machine-id,passwd
+private-etc alternatives,fonts,group,ld.so.cache,ld.so.preload,machine-id,passwd
 # TODO should use private-lib
 private-tmp
 
diff --git a/etc/profile-m-z/yelp.profile b/etc/profile-m-z/yelp.profile
index c5e44c6b4..31a51b2c4 100644
--- a/etc/profile-m-z/yelp.profile
+++ b/etc/profile-m-z/yelp.profile
@@ -56,7 +56,7 @@ disable-mnt
 private-bin groff,man,tbl,troff,yelp
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,crypto-policies,cups,dconf,drirc,fonts,gcrypt,groff,gtk-3.0,ld.so.preload,machine-id,man_db.conf,openal,os-release,pulse,sgml,xml
+private-etc alsa,alternatives,asound.conf,crypto-policies,cups,dconf,drirc,fonts,gcrypt,groff,gtk-3.0,ld.so.cache,ld.so.preload,machine-id,man_db.conf,openal,os-release,pulse,sgml,xml
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-m-z/youtube-viewers-common.profile b/etc/profile-m-z/youtube-viewers-common.profile
index 3224f8fc6..80d551038 100644
--- a/etc/profile-m-z/youtube-viewers-common.profile
+++ b/etc/profile-m-z/youtube-viewers-common.profile
@@ -53,7 +53,7 @@ disable-mnt
 private-bin bash,ffmpeg,ffprobe,firefox,mpv,perl,python*,sh,smplayer,stty,wget,which,xterm,youtube-dl,yt-dlp
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,machine-id,mime.types,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl,X11,xdg
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,mime.types,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl,X11,xdg
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/youtube.profile b/etc/profile-m-z/youtube.profile
index c7dbec968..5c4d697da 100644
--- a/etc/profile-m-z/youtube.profile
+++ b/etc/profile-m-z/youtube.profile
@@ -17,7 +17,7 @@ mkdir ${HOME}/.config/Youtube
 whitelist ${HOME}/.config/Youtube
 
 private-bin electron,electron[0-9],electron[0-9][0-9],youtube
-private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 private-opt Youtube
 
 # Redirect
diff --git a/etc/profile-m-z/youtubemusic-nativefier.profile b/etc/profile-m-z/youtubemusic-nativefier.profile
index 35ecf059d..2b5ffeaaf 100644
--- a/etc/profile-m-z/youtubemusic-nativefier.profile
+++ b/etc/profile-m-z/youtubemusic-nativefier.profile
@@ -14,7 +14,7 @@ mkdir ${HOME}/.config/youtubemusic-nativefier-040164
 whitelist ${HOME}/.config/youtubemusic-nativefier-040164
 
 private-bin electron,electron[0-9],electron[0-9][0-9],youtubemusic-nativefier
-private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 private-opt youtubemusic-nativefier
 
 # Redirect
diff --git a/etc/profile-m-z/yt-dlp.profile b/etc/profile-m-z/yt-dlp.profile
index bfb24b488..32e873aa5 100644
--- a/etc/profile-m-z/yt-dlp.profile
+++ b/etc/profile-m-z/yt-dlp.profile
@@ -12,8 +12,8 @@ noblacklist ${HOME}/.cache/yt-dlp
 noblacklist ${HOME}/.config/yt-dlp
 noblacklist ${HOME}/yt-dlp.conf
 
-private-bin yt-dlp
-private-etc ld.so.preload,yt-dlp.conf
+private-bin ffprobe,yt-dlp
+private-etc alternatives,ld.so.cache,ld.so.preload,yt-dlp.conf
 
 # Redirect
 include youtube-dl.profile
diff --git a/etc/profile-m-z/ytmdesktop.profile b/etc/profile-m-z/ytmdesktop.profile
index 84f2f3cb2..59b6e2543 100644
--- a/etc/profile-m-z/ytmdesktop.profile
+++ b/etc/profile-m-z/ytmdesktop.profile
@@ -14,7 +14,7 @@ mkdir ${HOME}/.config/youtube-music-desktop-app
 whitelist ${HOME}/.config/youtube-music-desktop-app
 
 # private-bin env,ytmdesktop
-private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 # private-opt
 
 # Redirect
diff --git a/etc/profile-m-z/zulip.profile b/etc/profile-m-z/zulip.profile
index c1c94d74f..8acfdd651 100644
--- a/etc/profile-m-z/zulip.profile
+++ b/etc/profile-m-z/zulip.profile
@@ -44,5 +44,5 @@ disable-mnt
 private-bin locale,zulip
 private-cache
 private-dev
-private-etc asound.conf,fonts,ld.so.preload,machine-id
+private-etc alternatives,asound.conf,fonts,ld.so.cache,ld.so.preload,machine-id
 private-tmp
diff --git a/gcov.sh b/gcov.sh
index 9bb2596f6..61f4b2483 100755
--- a/gcov.sh
+++ b/gcov.sh
@@ -4,7 +4,7 @@
 # License GPL v2
 
 gcov_init() {
-        USER=`whoami`
+        USER="$(whoami)"
         firejail --help > /dev/null
         firemon --help > /dev/null
         /usr/lib/firejail/fnet --help > /dev/null
@@ -20,7 +20,7 @@ gcov_init() {
         /usr/lib/firejail/faudit --help > /dev/null
         /usr/lib/firejail/fbuilder --help > /dev/null
 
-        sudo chown $USER:$USER `find .`
+        find . -exec sudo chown "$USER:$USER" '{}' +
 }
 
 generate() {
@@ -28,7 +28,7 @@ generate() {
         lcov --add-tracefile gcov-file-old --add-tracefile gcov-file-new --output-file gcov-file
         rm -fr gcov-dir
         genhtml -q gcov-file --output-directory gcov-dir
-        sudo rm `find . -name *.gcda`
+        find . -name '*.gcda' -exec sudo rm '{}' +
         cp gcov-file gcov-file-old
         gcov_init
 }
diff --git a/linecnt.sh b/linecnt.sh
index 86bccbc07..c30e175ba 100755
--- a/linecnt.sh
+++ b/linecnt.sh
@@ -4,7 +4,7 @@
 # License GPL v2
 
 gcov_init() {
-        USER=`whoami`
+        USER="$(whoami)"
         firejail --help > /dev/null
         firemon --help > /dev/null
         /usr/lib/firejail/fnet --help > /dev/null
@@ -20,7 +20,7 @@ gcov_init() {
         /usr/lib/firejail/faudit --help > /dev/null
         /usr/lib/firejail/fbuilder --help > /dev/null
 
-        sudo chown $USER:$USER `find .`
+        find . -exec sudo chown "$USER:$USER" '{}' +
 }
 
 rm -fr gcov-dir
diff --git a/mkasc.sh b/mkasc.sh
index 31c3f4ffd..b41585460 100755
--- a/mkasc.sh
+++ b/mkasc.sh
@@ -5,9 +5,9 @@
 
 echo "Calculating SHA256 for all files in /transfer - firejail version $1"
 
-cd /transfer
-sha256sum * > firejail-$1-unsigned
-gpg --clearsign --digest-algo SHA256 < firejail-$1-unsigned > firejail-$1.asc
-gpg --verify firejail-$1.asc
-gpg --detach-sign --armor firejail-$1.tar.xz
-rm firejail-$1-unsigned
+cd /transfer || exit 1
+sha256sum ./* > "firejail-$1-unsigned"
+gpg --clearsign --digest-algo SHA256 < "firejail-$1-unsigned" > "firejail-$1.asc"
+gpg --verify "firejail-$1.asc"
+gpg --detach-sign --armor "firejail-$1.tar.xz"
+rm "firejail-$1-unsigned"
diff --git a/mkdeb.sh.in b/mkdeb.sh.in
index e45acf8eb..ddd6ca1ee 100755
--- a/mkdeb.sh.in
+++ b/mkdeb.sh.in
@@ -22,7 +22,7 @@ if [ -n "$HAVE_SELINUX" ]; then
     CONFIG_ARGS="$CONFIG_ARGS --enable-selinux"
 fi
 
-TOP=`pwd`
+TOP="$PWD"
 CODE_ARCHIVE="$NAME-$VERSION.tar.xz"
 CODE_DIR="$NAME-$VERSION"
 INSTALL_DIR="${INSTALL_DIR}${CODE_DIR}/debian"
@@ -35,9 +35,9 @@ echo "install directory: $INSTALL_DIR"
 echo "debian control directory: $DEBIAN_CTRL_DIR"
 echo "*****************************************"
 
-tar -xJvf $CODE_ARCHIVE
-#mkdir -p $INSTALL_DIR
-cd $CODE_DIR
+tar -xJvf "$CODE_ARCHIVE"
+#mkdir -p "$INSTALL_DIR"
+cd "$CODE_DIR"
 ./configure $CONFIG_ARGS
 make -j2
 mkdir debian
@@ -45,26 +45,26 @@ DESTDIR=debian make install-strip
 
 cd ..
 echo "*****************************************"
-SIZE=`du -s $INSTALL_DIR`
+SIZE="$(du -s "$INSTALL_DIR")"
 echo "install size $SIZE"
 echo "*****************************************"
 
-mv $INSTALL_DIR/usr/share/doc/firejail/RELNOTES $INSTALL_DIR/usr/share/doc/firejail/changelog.Debian
-gzip -9 -n $INSTALL_DIR/usr/share/doc/firejail/changelog.Debian
-rm $INSTALL_DIR/usr/share/doc/firejail/COPYING
-install -m644 $CODE_DIR/platform/debian/copyright $INSTALL_DIR/usr/share/doc/firejail/.
-mkdir -p $DEBIAN_CTRL_DIR
-sed "s/FIREJAILVER/$VERSION/g"  $CODE_DIR/platform/debian/control.$(dpkg-architecture -qDEB_HOST_ARCH) > $DEBIAN_CTRL_DIR/control
+mv "$INSTALL_DIR/usr/share/doc/firejail/RELNOTES" "$INSTALL_DIR/usr/share/doc/firejail/changelog.Debian"
+gzip -9 -n "$INSTALL_DIR/usr/share/doc/firejail/changelog.Debian"
+rm "$INSTALL_DIR/usr/share/doc/firejail/COPYING"
+install -m644 "$CODE_DIR/platform/debian/copyright" "$INSTALL_DIR/usr/share/doc/firejail/."
+mkdir -p "$DEBIAN_CTRL_DIR"
+sed "s/FIREJAILVER/$VERSION/g" "$CODE_DIR/platform/debian/control.$(dpkg-architecture -qDEB_HOST_ARCH)" > "$DEBIAN_CTRL_DIR/control"
 
-mkdir -p $INSTALL_DIR/usr/share/lintian/overrides/
-install -m644 $CODE_DIR/platform/debian/firejail.lintian-overrides $INSTALL_DIR/usr/share/lintian/overrides/firejail
+mkdir -p "$INSTALL_DIR/usr/share/lintian/overrides/"
+install -m644 "$CODE_DIR/platform/debian/firejail.lintian-overrides" "$INSTALL_DIR/usr/share/lintian/overrides/firejail"
 
-find $INSTALL_DIR/etc -type f | sed "s,^$INSTALL_DIR,," | LC_ALL=C sort > $DEBIAN_CTRL_DIR/conffiles
-chmod 644 $DEBIAN_CTRL_DIR/conffiles
-find $INSTALL_DIR  -type d | xargs chmod 755
-cd $CODE_DIR
+find "$INSTALL_DIR/etc" -type f | sed "s,^$INSTALL_DIR,," | LC_ALL=C sort > "$DEBIAN_CTRL_DIR/conffiles"
+chmod 644 "$DEBIAN_CTRL_DIR/conffiles"
+find "$INSTALL_DIR" -type d -exec chmod 755 '{}' +
+cd "$CODE_DIR"
 fakeroot dpkg-deb --build debian
 lintian --no-tag-display-limit debian.deb
-mv debian.deb ../firejail_${VERSION}${EXTRA_VERSION}_1_$(dpkg-architecture -qDEB_HOST_ARCH).deb
+mv debian.deb "../firejail_${VERSION}${EXTRA_VERSION}_1_$(dpkg-architecture -qDEB_HOST_ARCH).deb"
 cd ..
-rm -fr $CODE_DIR
+rm -fr "$CODE_DIR"
diff --git a/mkman.sh b/mkman.sh
index 8767972d1..c9606c1e7 100755
--- a/mkman.sh
+++ b/mkman.sh
@@ -5,8 +5,8 @@
 
 set -e
 
-sed "s/VERSION/$1/g" $2 > $3
-MONTH=`LC_ALL=C date -u --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}" +%b`
-sed -i "s/MONTH/$MONTH/g" $3
-YEAR=`LC_ALL=C date -u --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}" +%Y`
-sed -i "s/YEAR/$YEAR/g" $3
+sed "s/VERSION/$1/g" "$2" > "$3"
+MONTH="$(LC_ALL=C date -u --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}" +%b)"
+sed -i "s/MONTH/$MONTH/g" "$3"
+YEAR="$(LC_ALL=C date -u --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}" +%Y)"
+sed -i "s/YEAR/$YEAR/g" "$3"
diff --git a/mkuid.sh b/mkuid.sh
index 0264628cc..47aa42acd 100755
--- a/mkuid.sh
+++ b/mkuid.sh
@@ -9,8 +9,8 @@ echo "#define FIREJAIL_UIDS_H" >> uids.h
 
 if [ -r /etc/login.defs ]
 then
-        UID_MIN=`awk '/^\s*UID_MIN\s*([0-9]*).*?$/ {print $2}' /etc/login.defs`
-        GID_MIN=`awk '/^\s*GID_MIN\s*([0-9]*).*?$/ {print $2}' /etc/login.defs`
+        UID_MIN="$(awk '/^\s*UID_MIN\s*([0-9]*).*?$/ {print $2}' /etc/login.defs)"
+        GID_MIN="$(awk '/^\s*GID_MIN\s*([0-9]*).*?$/ {print $2}' /etc/login.defs)"
 fi
 
 # use default values if not found
diff --git a/src/fids/main.c b/src/fids/main.c
index c899b55e1..8f9bc1ea0 100644
--- a/src/fids/main.c
+++ b/src/fids/main.c
@@ -210,22 +210,29 @@ static void process_config(const char *fname) {
                 exit(1);
         }
 
-        // make sure the file is owned by root
-        struct stat s;
-        if (stat(fname, &s)) {
+        fprintf(stderr, "Opening config file %s\n", fname);
+        int fd = open(fname, O_RDONLY|O_CLOEXEC);
+        if (fd < 0) {
                 if (include_level == 1) {
-                        fprintf(stderr, "Error ids: config file not found\n");
+                        fprintf(stderr, "Error ids: cannot open config file %s\n", fname);
                         exit(1);
                 }
                 return;
         }
+
+        // make sure the file is owned by root
+        struct stat s;
+        if (fstat(fd, &s)) {
+                fprintf(stderr, "Error ids: cannot stat config file %s\n", fname);
+                exit(1);
+        }
         if (s.st_uid || s.st_gid) {
                 fprintf(stderr, "Error ids: config file not owned by root\n");
                 exit(1);
         }
 
-        fprintf(stderr, "Loading %s config file\n", fname);
-        FILE *fp = fopen(fname, "r");
+        fprintf(stderr, "Loading config file %s\n", fname);
+        FILE *fp = fdopen(fd, "r");
         if (!fp) {
                 fprintf(stderr, "Error fids: cannot open config file %s\n", fname);
                 exit(1);
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 1982afdee..117c6f6ae 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -1,7 +1,6 @@
-# /usr/lib/firejail/firecfg.config - firecfg utility configuration file
+# /etc/firejail/firecfg.config - firecfg utility configuration file
 # This is the list of programs in alphabetical order handled by firecfg utility
 #
-#qemu-system-x86_64
 0ad
 2048-qt
 Books
@@ -139,8 +138,8 @@ clamdscan
 clamdtop
 clamscan
 clamtk
-claws-mail
 clawsker
+claws-mail
 clementine
 clion
 clion-eap
@@ -170,7 +169,6 @@ crow
 cryptocat
 cvlc
 cyberfox
-d-feet
 darktable
 dconf-editor
 ddgr
@@ -180,6 +178,7 @@ deluge
 desktopeditors
 devhelp
 dex2jar
+d-feet
 dia
 dig
 digikam
@@ -256,8 +255,8 @@ flacsplt
 flameshot
 flashpeak-slimjet
 flowblade
-font-manager
 fontforge
+font-manager
 fossamail
 four-in-a-row
 fractal
@@ -276,6 +275,7 @@ freetube
 freshclam
 frogatto
 frozen-bubble
+ftp
 funnyboat
 gajim
 gajim-history-manager
@@ -366,11 +366,11 @@ gradio
 gramps
 gravity-beams-and-evaporating-stars
 gthumb
+gtk2-youtube-viewer
+gtk3-youtube-viewer
 gtk-pipe-viewer
 gtk-straw-viewer
 gtk-youtube-viewer
-gtk2-youtube-viewer
-gtk3-youtube-viewer
 guayadeque
 gucharmap
 gummi
@@ -391,8 +391,8 @@ icecat
 icedove
 iceweasel
 idea
-idea.sh
 ideaIC
+idea.sh
 imagej
 img2txt
 impressive
@@ -533,6 +533,7 @@ mp3wrap
 mpDris2
 mpg123
 mpg123-alsa
+mpg123.bin
 mpg123-id3dump
 mpg123-jack
 mpg123-nas
@@ -541,7 +542,6 @@ mpg123-oss
 mpg123-portaudio
 mpg123-pulse
 mpg123-strip
-mpg123.bin
 mplayer
 mpsyt
 mpv
@@ -606,16 +606,17 @@ onboard
 onionshare-gui
 ooffice
 ooviewdoc
-open-invaders
 openarena
 openarena_ded
 opencity
 openclonk
+open-invaders
 openmw
 openmw-launcher
 openoffice.org
 openshot
 openshot-qt
+openstego
 openttd
 opera
 opera-beta
@@ -669,6 +670,7 @@ pybitmessage
 qbittorrent
 qcomicbook
 qemu-launcher
+#qemu-system-x86_64
 qgis
 qlipper
 qmmp
@@ -732,8 +734,8 @@ smuxi-frontend-gnome
 snox
 soffice
 sol
-sound-juicer
 soundconverter
+sound-juicer
 spectacle
 spectral
 spotify
@@ -746,8 +748,8 @@ steam
 steam-native
 steam-runtime
 stellarium
-straw-viewer
 strawberry
+straw-viewer
 strings
 studio.sh
 subdownloader
@@ -767,6 +769,7 @@ teamspeak3
 teeworlds
 telegram
 telegram-desktop
+telnet
 terasology
 textmaker18
 textmaker18free
@@ -775,6 +778,7 @@ thunderbird-beta
 thunderbird-wayland
 tilp
 tor-browser
+torbrowser
 tor-browser-ar
 tor-browser-ca
 tor-browser-cs
@@ -796,6 +800,7 @@ tor-browser-it
 tor-browser-ja
 tor-browser-ka
 tor-browser-ko
+torbrowser-launcher
 tor-browser-nb
 tor-browser-nl
 tor-browser-pl
@@ -806,8 +811,6 @@ tor-browser-tr
 tor-browser-vi
 tor-browser-zh-cn
 tor-browser-zh-tw
-torbrowser
-torbrowser-launcher
 torcs
 totem
 tracker
@@ -913,8 +916,8 @@ yelp
 youtube
 youtube-dl
 youtube-dl-gui
-youtube-viewer
 youtubemusic-nativefier
+youtube-viewer
 yt-dlp
 ytmdesktop
 zaproxy
diff --git a/src/firecfg/main.c b/src/firecfg/main.c
index 363000e15..fafa0e635 100644
--- a/src/firecfg/main.c
+++ b/src/firecfg/main.c
@@ -171,17 +171,17 @@ static void set_file(const char *name, const char *firejail_exec) {
         free(fname);
 }
 
-// parse /usr/lib/firejail/firecfg.cfg file
+// parse /etc/firejail/firecfg.config file
 static void set_links_firecfg(void) {
         char *cfgfile;
-        if (asprintf(&cfgfile, "%s/firejail/firecfg.config", LIBDIR) == -1)
+        if (asprintf(&cfgfile, "%s/firecfg.config", SYSCONFDIR) == -1)
                 errExit("asprintf");
 
         char *firejail_exec;
         if (asprintf(&firejail_exec, "%s/bin/firejail", PREFIX) == -1)
                 errExit("asprintf");
 
-        // parse /usr/lib/firejail/firecfg.cfg file
+        // parse /etc/firejail/firecfg.config file
         FILE *fp = fopen(cfgfile, "r");
         if (!fp) {
                 perror("fopen");
@@ -440,7 +440,7 @@ int main(int argc, char **argv) {
         // clear all symlinks
         clean();
 
-        // set new symlinks based on /usr/lib/firejail/firecfg.cfg
+        // set new symlinks based on /etc/firejail/firecfg.config
         set_links_firecfg();
 
         if (getuid() == 0) {
diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c
index 2266fa499..bb5b29d79 100644
--- a/src/firejail/appimage.c
+++ b/src/firejail/appimage.c
@@ -45,10 +45,10 @@ int appimage_find_profile(const char *archive) {
         assert(archive);
         assert(strlen(archive));
 
-        // try to match the name of the archive with the list of programs in /usr/lib/firejail/firecfg.config
-        FILE *fp = fopen(LIBDIR "/firejail/firecfg.config", "r");
+        // try to match the name of the archive with the list of programs in /etc/firejail/firecfg.config
+        FILE *fp = fopen(SYSCONFDIR "/firecfg.config", "r");
         if (!fp) {
-                fprintf(stderr, "Error: cannot find %s, firejail is not correctly installed\n", LIBDIR "/firejail/firecfg.config");
+                fprintf(stderr, "Error: cannot find %s, firejail is not correctly installed\n", SYSCONFDIR "/firecfg.config");
                 exit(1);
         }
         char buf[MAXBUF];
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 9c1b889ed..f62e6404e 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -94,16 +94,7 @@ static void disable_file(OPERATION op, const char *filename) {
                 return;
         }
 
-        // if the file is not present, do nothing
         assert(fname);
-        struct stat s;
-        if (stat(fname, &s) < 0) {
-                if (arg_debug)
-                        printf("Warning (blacklisting): cannot access %s: %s\n", fname, strerror(errno));
-                free(fname);
-                return;
-        }
-
         // check for firejail executable
         // we might have a file found in ${PATH} pointing to /usr/bin/firejail
         // blacklisting it here will end up breaking situations like user clicks on a link in Thunderbird
@@ -113,6 +104,24 @@ static void disable_file(OPERATION op, const char *filename) {
                 return;
         }
 
+        // if the file is not present, do nothing
+        int fd = open(fname, O_PATH|O_CLOEXEC);
+        if (fd < 0) {
+                if (arg_debug)
+                        printf("Warning (blacklisting): cannot open %s: %s\n", fname, strerror(errno));
+                free(fname);
+                return;
+        }
+
+        struct stat s;
+        if (fstat(fd, &s) < 0) {
+                if (arg_debug)
+                        printf("Warning (blacklisting): cannot stat %s: %s\n", fname, strerror(errno));
+                free(fname);
+                close(fd);
+                return;
+        }
+
         // modify the file
         if (op == BLACKLIST_FILE || op == BLACKLIST_NOLOG) {
                 // some distros put all executables under /usr/bin and make /bin a symbolic link
@@ -136,13 +145,6 @@ static void disable_file(OPERATION op, const char *filename) {
                                         printf(" - no logging\n");
                         }
 
-                        int fd = open(fname, O_PATH|O_CLOEXEC);
-                        if (fd < 0) {
-                                if (arg_debug)
-                                        printf("Warning (blacklisting): cannot open %s: %s\n", fname, strerror(errno));
-                                free(fname);
-                                return;
-                        }
                         EUID_ROOT();
                         if (S_ISDIR(s.st_mode)) {
                                 if (bind_mount_path_to_fd(RUN_RO_DIR, fd) < 0)
@@ -153,7 +155,6 @@ static void disable_file(OPERATION op, const char *filename) {
                                         errExit("disable file");
                         }
                         EUID_USER();
-                        close(fd);
 
                         if (op == BLACKLIST_FILE)
                                 fs_logger2("blacklist", fname);
@@ -180,8 +181,7 @@ static void disable_file(OPERATION op, const char *filename) {
         else if (op == MOUNT_TMPFS) {
                 if (!S_ISDIR(s.st_mode)) {
                         fwarning("%s is not a directory; cannot mount a tmpfs on top of it.\n", fname);
-                        free(fname);
-                        return;
+                        goto out;
                 }
 
                 uid_t uid = getuid();
@@ -191,8 +191,7 @@ static void disable_file(OPERATION op, const char *filename) {
                             strncmp(cfg.homedir, fname, strlen(cfg.homedir)) != 0 ||
                             fname[strlen(cfg.homedir)] != '/') {
                                 fwarning("you are not allowed to mount a tmpfs on %s\n", fname);
-                                free(fname);
-                                return;
+                                goto out;
                         }
                 }
 
@@ -202,6 +201,8 @@ static void disable_file(OPERATION op, const char *filename) {
         else
                 assert(0);
 
+out:
+        close(fd);
         free(fname);
 }
 
diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c
index a4c1ff822..4c9dac0c2 100644
--- a/src/firejail/fs_bin.c
+++ b/src/firejail/fs_bin.c
@@ -285,24 +285,25 @@ void fs_private_bin_list(void) {
         while ((ptr = strtok(NULL, ",")) != NULL)
                 globbing(ptr);
         free(dlist);
-        fs_logger_print();
 
         // mount-bind
+        EUID_ROOT();
         int i = 0;
         while (paths[i]) {
                 struct stat s;
                 if (stat(paths[i], &s) == 0) {
                         if (arg_debug)
                                 printf("Mount-bind %s on top of %s\n", RUN_BIN_DIR, paths[i]);
-                        EUID_ROOT();
                         if (mount(RUN_BIN_DIR, paths[i], NULL, MS_BIND|MS_REC, NULL) < 0)
                                 errExit("mount bind");
-                        EUID_USER();
                         fs_logger2("tmpfs", paths[i]);
                         fs_logger2("mount", paths[i]);
                 }
                 i++;
         }
+        fs_logger_print();
+        EUID_USER();
+
         selinux_relabel_path(RUN_BIN_DIR, "/bin");
         fmessage("%d %s installed in %0.2f ms\n", prog_cnt, (prog_cnt == 1)? "program": "programs", timetrace_end());
 }
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
index 8d8530d81..230e9186c 100644
--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -380,12 +380,14 @@ void fs_private(void) {
                 selinux_relabel_path("/home", "/home");
                 fs_logger("tmpfs /home");
         }
+        EUID_USER();
 
         if (u != 0) {
                 if (!arg_allusers && strncmp(homedir, "/home/", 6) == 0) {
                         // create new empty /home/user directory
                         if (arg_debug)
                                 printf("Create a new user directory\n");
+                        EUID_ROOT();
                         if (mkdir(homedir, S_IRWXU) == -1) {
                                 if (mkpath_as_root(homedir) == -1)
                                         errExit("mkpath");
@@ -394,20 +396,17 @@ void fs_private(void) {
                         }
                         if (chown(homedir, u, g) < 0)
                                 errExit("chown");
+                        EUID_USER();
                         fs_logger2("mkdir", homedir);
                         fs_logger2("tmpfs", homedir);
                 }
-                else {
+                else
                         // mask user home directory
                         // the directory should be owned by the current user
-                        EUID_USER();
                         fs_tmpfs(homedir, 1);
-                        EUID_ROOT();
-                }
 
                 selinux_relabel_path(homedir, homedir);
         }
-        EUID_USER();
 
         skel(homedir);
         if (xflag)
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 4bcf98035..dd36ac4b7 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -872,7 +872,7 @@ char *guess_shell(void) {
         if (shell) {
                 invalid_filename(shell, 0); // no globbing
                 if (access(shell, X_OK) == 0 && !is_dir(shell) && strstr(shell, "..") == NULL &&
-                    strcmp(shell, PATH_FIREJAIL) != 0)
+                    strcmp(gnu_basename(shell), "firejail") != 0)
                         goto found;
         }
 
@@ -936,6 +936,8 @@ static void run_builder(int argc, char **argv) {
         if (setresuid(-1, getuid(), getuid()) != 0)
                 errExit("setresuid");
 
+        if (env_get("LD_PRELOAD") != NULL)
+                fprintf(stderr, "run_builder: LD_PRELOAD is: '%s'\n", env_get("LD_PRELOAD"));
         assert(env_get("LD_PRELOAD") == NULL);
         assert(getenv("LD_PRELOAD") == NULL);
         umask(orig_umask);
@@ -1004,18 +1006,18 @@ int main(int argc, char **argv, char **envp) {
                 fprintf(stderr, "Error: argv is invalid\n");
                 exit(1);
         } else if (argc >= MAX_ARGS) {
-                fprintf(stderr, "Error: too many arguments\n");
+                fprintf(stderr, "Error: too many arguments: argc (%d) >= MAX_ARGS (%d)\n", argc, MAX_ARGS);
                 exit(1);
         }
 
         // sanity check for arguments
         for (i = 0; i < argc; i++) {
                 if (*argv[i] == 0) {
-                        fprintf(stderr, "Error: too short arguments\n");
+                        fprintf(stderr, "Error: too short arguments: argv[%d] is empty\n", i);
                         exit(1);
                 }
                 if (strlen(argv[i]) >= MAX_ARG_LEN) {
-                        fprintf(stderr, "Error: too long arguments\n");
+                        fprintf(stderr, "Error: too long arguments: argv[%d] len (%zu) >= MAX_ARG_LEN (%d)\n", i, strlen(argv[i]), MAX_ARG_LEN);
                         exit(1);
                 }
         }
@@ -1026,7 +1028,7 @@ int main(int argc, char **argv, char **envp) {
 
         // sanity check for environment variables
         if (i >= MAX_ENVS) {
-                fprintf(stderr, "Error: too many environment variables\n");
+                fprintf(stderr, "Error: too many environment variables: >= MAX_ENVS (%d)\n", MAX_ENVS);
                 exit(1);
         }
 
diff --git a/src/firejail/run_symlink.c b/src/firejail/run_symlink.c
index 6397418d1..14667d9eb 100644
--- a/src/firejail/run_symlink.c
+++ b/src/firejail/run_symlink.c
@@ -76,6 +76,8 @@ void run_symlink(int argc, char **argv, int run_as_is) {
                 a[i + 2] = argv[i + 1];
         }
         a[i + 2] = NULL;
+        if (env_get("LD_PRELOAD") != NULL)
+                fprintf(stderr, "run_symlink: LD_PRELOAD is: '%s'\n", env_get("LD_PRELOAD"));
         assert(env_get("LD_PRELOAD") == NULL);
         assert(getenv("LD_PRELOAD") == NULL);
         execvp(a[0], a);
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index 3d9bf9082..e02be29f1 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -435,11 +435,11 @@ void seccomp_print_filter(pid_t pid) {
         if (asprintf(&fname, "/proc/%d/root%s", pid, RUN_SECCOMP_LIST) == -1)
                 errExit("asprintf");
 
-        struct stat s;
-        if (stat(fname, &s) == -1)
+        int fd = open(fname, O_RDONLY|O_CLOEXEC);
+        if (fd < 0)
                 goto errexit;
 
-        FILE *fp = fopen(fname, "re");
+        FILE *fp = fdopen(fd, "r");
         if (!fp)
                 goto errexit;
         free(fname);
diff --git a/src/man/firecfg.txt b/src/man/firecfg.txt
index 7e0a57f92..189e9cc8d 100644
--- a/src/man/firecfg.txt
+++ b/src/man/firecfg.txt
@@ -27,7 +27,7 @@ desktop managers are supported in this moment
 To set it up, run "sudo firecfg" after installing Firejail software.
 The same command should also be run after
 installing new programs. If the program is supported by Firejail, the symbolic link in /usr/local/bin
-will be created. For a full list of programs supported by default run "cat /usr/lib/firejail/firecfg.config".
+will be created. For a full list of programs supported by default run "cat /etc/firejail/firecfg.config".
 
 For user-driven manual integration, see \fBDESKTOP INTEGRATION\fR section in \fBman 1 firejail\fR.
 .SH DEFAULT ACTIONS