372 files changed, 3192 insertions, 1432 deletions

diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml
index 0a9628d31..6c2905e43 100644
--- a/.github/workflows/build-extra.yml
+++ b/.github/workflows/build-extra.yml
@@ -1,50 +1,39 @@
-name: Build-extra CI
+# Builds the project with alternative tools.
+
+name: Build-extra
 
 on:
+  workflow_dispatch:
   push:
-    paths-ignore:
-      - '.github/ISSUE_TEMPLATE/*'
-      - 'contrib/syntax/**'
-      - 'contrib/vim/**'
-      - 'etc/**'
-      - 'src/man/*.txt'
-      - .git-blame-ignore-revs
-      - .github/dependabot.yml
-      - .github/pull_request_template.md
-      - .github/workflows/build.yml
-      - .github/workflows/codeql-analysis.yml
-      - .github/workflows/profile-checks.yml
-      - .gitignore
-      - .gitlab-ci.yml
-      - CONTRIBUTING.md
-      - COPYING
-      - README
-      - README.md
-      - RELNOTES
-      - SECURITY.md
-      - src/firecfg/firecfg.config
+    branches-ignore:
+      - 'dependabot/**'
+    paths:
+      - 'm4/**'
+      - 'src/**.c'
+      - 'src/**.h'
+      - 'src/**.mk'
+      - 'src/**Makefile'
+      - .github/workflows/build-extra.yml
+      - Makefile
+      - ci/printenv.sh
+      - config.mk.in
+      - config.sh.in
+      - configure
+      - configure.ac
   pull_request:
-    paths-ignore:
-      - '.github/ISSUE_TEMPLATE/*'
-      - 'contrib/syntax/**'
-      - 'contrib/vim/**'
-      - 'etc/**'
-      - 'src/man/*.txt'
-      - .git-blame-ignore-revs
-      - .github/dependabot.yml
-      - .github/pull_request_template.md
-      - .github/workflows/build.yml
-      - .github/workflows/codeql-analysis.yml
-      - .github/workflows/profile-checks.yml
-      - .gitignore
-      - .gitlab-ci.yml
-      - CONTRIBUTING.md
-      - COPYING
-      - README
-      - README.md
-      - RELNOTES
-      - SECURITY.md
-      - src/firecfg/firecfg.config
+    paths:
+      - 'm4/**'
+      - 'src/**.c'
+      - 'src/**.h'
+      - 'src/**.mk'
+      - 'src/**Makefile'
+      - .github/workflows/build-extra.yml
+      - Makefile
+      - ci/printenv.sh
+      - config.mk.in
+      - config.sh.in
+      - configure
+      - configure.ac
 
 permissions:  # added using https://github.com/step-security/secure-workflows
   contents: read
@@ -54,13 +43,17 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604
+      uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
       with:
         egress-policy: block
         allowed-endpoints: >
+          archive.ubuntu.com:80
           azure.archive.ubuntu.com:80
           github.com:443
-    - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+          packages.microsoft.com:443
+          ppa.launchpadcontent.net:443
+          security.ubuntu.com:80
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
     - name: update package information
       run: sudo apt-get update -qy
     - name: install dependencies
@@ -80,87 +73,3 @@ jobs:
       run: sudo make install
     - name: print version
       run: command -V firejail && firejail --version
-  scan-build:
-    runs-on: ubuntu-22.04
-    steps:
-    - name: Harden Runner
-      uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604
-      with:
-        egress-policy: block
-        allowed-endpoints: >
-          azure.archive.ubuntu.com:80
-          github.com:443
-    - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
-    - name: update package information
-      run: sudo apt-get update -qy
-    - name: install clang-tools-14 and dependencies
-      run: >
-        sudo apt-get install -qy
-        clang-tools-14 libapparmor-dev libselinux1-dev
-    - name: print env
-      run: ./ci/printenv.sh
-    - name: configure
-      run: >
-        CC=clang-14 ./configure --enable-fatal-warnings --enable-apparmor
-        --enable-selinux
-        || (cat config.log; exit 1)
-    - name: scan-build
-      run: scan-build-14 --status-bugs make
-  cppcheck:
-    runs-on: ubuntu-22.04
-    steps:
-    - name: Harden Runner
-      uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604
-      with:
-        egress-policy: block
-        allowed-endpoints: >
-          azure.archive.ubuntu.com:80
-          github.com:443
-    - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
-    - name: update package information
-      run: sudo apt-get update -qy
-    - name: install cppcheck
-      run: sudo apt-get install -qy cppcheck
-    - run: cppcheck --version
-    - name: cppcheck
-      run: >
-        cppcheck -q --force --error-exitcode=1 --enable=warning,performance
-        -i src/firejail/checkcfg.c -i src/firejail/main.c .
-  # new cppcheck version currently chokes on checkcfg.c and main.c, therefore
-  # scan all files also with older cppcheck version from ubuntu 20.04.
-  cppcheck_old:
-    runs-on: ubuntu-20.04
-    steps:
-    - name: Harden Runner
-      uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604
-      with:
-        egress-policy: block
-        allowed-endpoints: >
-          azure.archive.ubuntu.com:80
-          github.com:443
-    - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
-    - name: update package information
-      run: sudo apt-get update -qy
-    - name: install cppcheck
-      run: sudo apt-get install -qy cppcheck
-    - run: cppcheck --version
-    - name: cppcheck
-      run: cppcheck -q --force --error-exitcode=1 --enable=warning,performance .
-  codespell:
-    runs-on: ubuntu-22.04
-    steps:
-    - name: Harden Runner
-      uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604
-      with:
-        egress-policy: block
-        allowed-endpoints: >
-          azure.archive.ubuntu.com:80
-          github.com:443
-    - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
-    - name: update package information
-      run: sudo apt-get update -qy
-    - name: install dependencies
-      run: sudo apt-get install -qy codespell
-    - run: codespell --version
-    - name: codespell
-      run: make codespell
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index a53260e64..ae1aef039 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,67 +1,73 @@
-name: Build CI
+# Checks that `make dist` works and builds the project with the default
+# configuration.
 
+name: Build
+
+# Note: Keep this list in sync with DISTFILES in ../../Makefile.
 on:
+  workflow_dispatch:
   push:
-    paths-ignore:
-      - '.github/ISSUE_TEMPLATE/*'
-      - .git-blame-ignore-revs
-      - .github/dependabot.yml
-      - .github/pull_request_template.md
-      - .github/workflows/build-extra.yml
-      - .github/workflows/codeql-analysis.yml
-      - .github/workflows/profile-checks.yml
-      - .gitignore
-      - .gitlab-ci.yml
-      - CONTRIBUTING.md
+    branches-ignore:
+      - 'dependabot/**'
+    paths:
+      - 'contrib/**'
+      - 'etc/**'
+      - 'm4/**'
+      - 'platform/**'
+      - 'src/**'
+      - 'test/**'
+      - .github/workflows/build.yml
       - COPYING
+      - Makefile
       - README
-      - README.md
       - RELNOTES
-      - SECURITY.md
+      - ci/printenv.sh
+      - config.mk.in
+      - config.sh.in
+      - configure
+      - configure.ac
+      - install.sh
+      - mkdeb.sh
+      - mketc.sh
   pull_request:
-    paths-ignore:
-      - '.github/ISSUE_TEMPLATE/*'
-      - .git-blame-ignore-revs
-      - .github/dependabot.yml
-      - .github/pull_request_template.md
-      - .github/workflows/build-extra.yml
-      - .github/workflows/codeql-analysis.yml
-      - .github/workflows/profile-checks.yml
-      - .gitignore
-      - .gitlab-ci.yml
-      - CONTRIBUTING.md
+    paths:
+      - 'contrib/**'
+      - 'etc/**'
+      - 'm4/**'
+      - 'platform/**'
+      - 'src/**'
+      - 'test/**'
+      - .github/workflows/build.yml
       - COPYING
+      - Makefile
       - README
-      - README.md
       - RELNOTES
-      - SECURITY.md
+      - ci/printenv.sh
+      - config.mk.in
+      - config.sh.in
+      - configure
+      - configure.ac
+      - install.sh
+      - mkdeb.sh
+      - mketc.sh
 
 permissions:  # added using https://github.com/step-security/secure-workflows
   contents: read
 
 jobs:
-  build_and_test:
+  build:
     runs-on: ubuntu-22.04
-    env:
-      SHELL: /bin/bash
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604
+      uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
       with:
         egress-policy: block
         allowed-endpoints: >
-          1.1.1.1:1025
           azure.archive.ubuntu.com:80
-          debian.org:80
-          dns.quad9.net:53
           github.com:443
           packages.microsoft.com:443
           ppa.launchpadcontent.net:443
-          whois.pir.org:43
-          www.debian.org:443
-          www.debian.org:80
-          yahoo.com:1025
-    - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
     - name: update package information
       run: sudo apt-get update -qy
     - name: install dependencies
@@ -82,19 +88,3 @@ jobs:
       run: sudo make install
     - name: print firejail version
       run: command -V firejail && firejail --version
-    - run: make lab-setup
-    - run: make test-seccomp-extra
-    - run: make test-firecfg
-    - run: make test-capabilities
-    - run: make test-apparmor
-    - run: make test-appimage
-    - run: make test-chroot
-    - run: make test-sysutils
-    - run: make test-private-etc
-    - run: make test-profiles
-    - run: make test-fcopy
-    - run: make test-fnetfilter
-    - run: make test-fs
-    - run: make test-utils
-    - run: make test-environment
-    - run: make test-network
diff --git a/.github/workflows/check-c.yml b/.github/workflows/check-c.yml
new file mode 100644
index 000000000..3324906f7
--- /dev/null
+++ b/.github/workflows/check-c.yml
@@ -0,0 +1,164 @@
+# Checks for potential issues in the source code.
+
+name: Check-C
+
+on:
+  workflow_dispatch:
+  push:
+    branches-ignore:
+      - 'dependabot/**'
+    paths:
+      - 'm4/**'
+      - 'src/**.c'
+      - 'src/**.h'
+      - 'src/**.mk'
+      - 'src/**Makefile'
+      - .github/workflows/check-c.yml
+      - Makefile
+      - ci/printenv.sh
+      - config.mk.in
+      - config.sh.in
+      - configure
+      - configure.ac
+  pull_request:
+    paths:
+      - 'm4/**'
+      - 'src/**.c'
+      - 'src/**.h'
+      - 'src/**.mk'
+      - 'src/**Makefile'
+      - .github/workflows/check-c.yml
+      - Makefile
+      - ci/printenv.sh
+      - config.mk.in
+      - config.sh.in
+      - configure
+      - configure.ac
+  schedule:
+    - cron: '0 7 * * 2'
+
+permissions:  # added using https://github.com/step-security/secure-workflows
+  contents: read
+
+jobs:
+  scan-build:
+    runs-on: ubuntu-22.04
+    steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
+      with:
+        egress-policy: block
+        allowed-endpoints: >
+          archive.ubuntu.com:80
+          azure.archive.ubuntu.com:80
+          github.com:443
+          packages.microsoft.com:443
+          ppa.launchpadcontent.net:443
+          security.ubuntu.com:80
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+    - name: update package information
+      run: sudo apt-get update -qy
+    - name: install clang-tools-14 and dependencies
+      run: >
+        sudo apt-get install -qy
+        clang-tools-14 libapparmor-dev libselinux1-dev
+    - name: print env
+      run: ./ci/printenv.sh
+    - name: configure
+      run: >
+        CC=clang-14 ./configure --enable-fatal-warnings --enable-apparmor
+        --enable-selinux
+        || (cat config.log; exit 1)
+    - name: scan-build
+      run: scan-build-14 --status-bugs make
+
+  cppcheck:
+    runs-on: ubuntu-22.04
+    steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
+      with:
+        egress-policy: block
+        allowed-endpoints: >
+          archive.ubuntu.com:80
+          azure.archive.ubuntu.com:80
+          github.com:443
+          packages.microsoft.com:443
+          ppa.launchpadcontent.net:443
+          security.ubuntu.com:80
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+    - name: update package information
+      run: sudo apt-get update -qy
+    - name: install cppcheck
+      run: sudo apt-get install -qy cppcheck
+    - run: cppcheck --version
+    - name: cppcheck
+      run: >
+        cppcheck -q --force --error-exitcode=1 --enable=warning,performance
+        -i src/firejail/checkcfg.c -i src/firejail/main.c .
+
+  # new cppcheck version currently chokes on checkcfg.c and main.c, therefore
+  # scan all files also with older cppcheck version from ubuntu 20.04.
+  cppcheck_old:
+    runs-on: ubuntu-20.04
+    steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
+      with:
+        egress-policy: block
+        allowed-endpoints: >
+          archive.ubuntu.com:80
+          azure.archive.ubuntu.com:80
+          github.com:443
+          packages.microsoft.com:443
+          ppa.launchpad.net:80
+          ppa.launchpadcontent.net:443
+          security.ubuntu.com:80
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+    - name: update package information
+      run: sudo apt-get update -qy
+    - name: install cppcheck
+      run: sudo apt-get install -qy cppcheck
+    - run: cppcheck --version
+    - name: cppcheck
+      run: cppcheck -q --force --error-exitcode=1 --enable=warning,performance .
+
+  codeql-cpp:
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
+      with:
+        disable-sudo: true
+        egress-policy: block
+        allowed-endpoints: >
+          api.github.com:443
+          github.com:443
+          objects.githubusercontent.com:443
+          uploads.github.com:443
+
+    - name: Checkout repository
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+
+    - name: print env
+      run: ./ci/printenv.sh
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@407ffafae6a767df3e0230c3df91b6443ae8df75
+      with:
+        languages: cpp
+
+    - name: configure
+      run: ./configure
+
+    - name: make
+      run: make -j "$(nproc)"
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@407ffafae6a767df3e0230c3df91b6443ae8df75
diff --git a/.github/workflows/profile-checks.yml b/.github/workflows/check-profiles.yml
index 8d4e5ba28..b5490c944 100644
--- a/.github/workflows/profile-checks.yml
+++ b/.github/workflows/check-profiles.yml
@@ -1,18 +1,25 @@
-name: Profile Checks
+# Lints and checks for potential issues in the profiles.
+
+name: Check-Profiles
 
 on:
+  workflow_dispatch:
   push:
+    branches-ignore:
+      - 'dependabot/**'
     paths:
       - 'ci/check/profiles/**'
       - 'etc/**'
-      - .github/workflows/profile-checks.yml
+      - .github/workflows/check-profiles.yml
+      - ci/printenv.sh
       - contrib/sort.py
       - src/firecfg/firecfg.config
   pull_request:
     paths:
       - 'ci/check/profiles/**'
       - 'etc/**'
-      - .github/workflows/profile-checks.yml
+      - .github/workflows/check-profiles.yml
+      - ci/printenv.sh
       - contrib/sort.py
       - src/firecfg/firecfg.config
 
@@ -24,14 +31,14 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604
+      uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
       with:
         disable-sudo: true
         egress-policy: block
         allowed-endpoints: >
           github.com:443
 
-    - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
     - name: print env
       run: ./ci/printenv.sh
     - run: python3 --version
diff --git a/.github/workflows/check-python.yml b/.github/workflows/check-python.yml
new file mode 100644
index 000000000..4425af2b7
--- /dev/null
+++ b/.github/workflows/check-python.yml
@@ -0,0 +1,58 @@
+# Lints and checks for potential issues in Python files.
+
+name: Check-Python
+
+on:
+  workflow_dispatch:
+  push:
+    branches-ignore:
+      - 'dependabot/**'
+    paths:
+      - '**.py'
+      - .github/workflows/check-python.yml
+  pull_request:
+    paths:
+      - '**.py'
+      - .github/workflows/check-python.yml
+  schedule:
+    - cron: '0 7 * * 2'
+
+permissions:  # added using https://github.com/step-security/secure-workflows
+  contents: read
+
+jobs:
+  codeql-python:
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
+      with:
+        disable-sudo: true
+        egress-policy: block
+        allowed-endpoints: >
+          api.github.com:443
+          files.pythonhosted.org:443
+          github.com:443
+          objects.githubusercontent.com:443
+          pypi.org:443
+          uploads.github.com:443
+
+    - name: Checkout repository
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+
+    - name: print env
+      run: ./ci/printenv.sh
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@407ffafae6a767df3e0230c3df91b6443ae8df75
+      with:
+        languages: python
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@407ffafae6a767df3e0230c3df91b6443ae8df75
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
deleted file mode 100644
index 4b9aaa7d6..000000000
--- a/.github/workflows/codeql-analysis.yml
+++ /dev/null
@@ -1,121 +0,0 @@
-# For most projects, this workflow file will not need changing; you simply need
-# to commit it to your repository.
-#
-# You may wish to alter this file to override the set of languages analyzed,
-# or to provide custom queries or build logic.
-name: "CodeQL"
-
-on:
-  push:
-    paths-ignore:
-      - '.github/ISSUE_TEMPLATE/*'
-      - 'contrib/syntax/**'
-      - 'contrib/vim/**'
-      - 'etc/**'
-      - 'src/man/*.txt'
-      - .git-blame-ignore-revs
-      - .github/dependabot.yml
-      - .github/pull_request_template.md
-      - .github/workflows/build-extra.yml
-      - .github/workflows/build.yml
-      - .github/workflows/profile-checks.yml
-      - .gitignore
-      - .gitlab-ci.yml
-      - CONTRIBUTING.md
-      - COPYING
-      - README
-      - README.md
-      - RELNOTES
-      - SECURITY.md
-      - src/firecfg/firecfg.config
-  pull_request:
-    paths-ignore:
-      - '.github/ISSUE_TEMPLATE/*'
-      - 'contrib/syntax/**'
-      - 'contrib/vim/**'
-      - 'etc/**'
-      - 'src/man/*.txt'
-      - .git-blame-ignore-revs
-      - .github/dependabot.yml
-      - .github/pull_request_template.md
-      - .github/workflows/build-extra.yml
-      - .github/workflows/build.yml
-      - .github/workflows/profile-checks.yml
-      - .gitignore
-      - .gitlab-ci.yml
-      - CONTRIBUTING.md
-      - COPYING
-      - README
-      - README.md
-      - RELNOTES
-      - SECURITY.md
-      - src/firecfg/firecfg.config
-  schedule:
-    - cron: '0 7 * * 2'
-
-permissions:  # added using https://github.com/step-security/secure-workflows
-  contents: read
-
-jobs:
-  analyze:
-    permissions:
-      actions: read  # for github/codeql-action/init to get workflow details
-      contents: read  # for actions/checkout to fetch code
-      security-events: write  # for github/codeql-action/autobuild to send a status report
-    name: Analyze
-    runs-on: ubuntu-latest
-
-    strategy:
-      fail-fast: false
-      matrix:
-        language: [ 'cpp', 'python' ]
-        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ]
-        # Learn more:
-        # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed
-
-    steps:
-    - name: Harden Runner
-      uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604
-      with:
-        disable-sudo: true
-        egress-policy: block
-        allowed-endpoints: >
-          api.github.com:443
-          github.com:443
-          objects.githubusercontent.com:443
-          uploads.github.com:443
-
-    - name: Checkout repository
-      uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
-
-    - name: print env
-      run: ./ci/printenv.sh
-
-    # Initializes the CodeQL tools for scanning.
-    - name: Initialize CodeQL
-      uses: github/codeql-action/init@0ba4244466797eb048eb91a6cd43d5c03ca8bd05
-      with:
-        languages: ${{ matrix.language }}
-        # If you wish to specify custom queries, you can do so here or in a config file.
-        # By default, queries listed here will override any specified in a config file.
-        # Prefix the list here with "+" to use these queries and those in the config file.
-        # queries: ./path/to/local/query, your-org/your-repo/queries@main
-
-    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
-    # If this step fails, then you should remove it and run the build manually (see below)
-    - name: Autobuild
-      uses: github/codeql-action/autobuild@0ba4244466797eb048eb91a6cd43d5c03ca8bd05
-
-    # ℹ️ Command-line programs to run using the OS shell.
-    # 📚 https://git.io/JvXDl
-
-    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
-    #    and modify them (or add more) to build your code if your project
-    #    uses a compiled language
-
-    #- run: |
-    #   make bootstrap
-    #   make release
-
-    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@0ba4244466797eb048eb91a6cd43d5c03ca8bd05
diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml
new file mode 100644
index 000000000..f3c512c3e
--- /dev/null
+++ b/.github/workflows/codespell.yml
@@ -0,0 +1,47 @@
+# Checks the spelling on all non-third-party files.
+
+name: Codespell
+
+on:
+  workflow_dispatch:
+  push:
+    branches-ignore:
+      - 'dependabot/**'
+    paths-ignore:
+      - 'm4/**'
+      - COPYING
+  pull_request:
+    paths-ignore:
+      - 'm4/**'
+      - COPYING
+
+permissions:  # added using https://github.com/step-security/secure-workflows
+  contents: read
+
+jobs:
+  codespell:
+    runs-on: ubuntu-22.04
+    steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
+      with:
+        egress-policy: block
+        allowed-endpoints: >
+          archive.ubuntu.com:80
+          azure.archive.ubuntu.com:80
+          github.com:443
+          packages.microsoft.com:443
+          ppa.launchpadcontent.net:443
+          security.ubuntu.com:80
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+    - name: update package information
+      run: sudo apt-get update -qy
+    - name: install dependencies
+      run: sudo apt-get install -qy codespell
+    - name: print env
+      run: ./ci/printenv.sh
+    - name: configure
+      run: ./configure || (cat config.log; exit 1)
+    - run: codespell --version
+    - name: codespell
+      run: make codespell
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
new file mode 100644
index 000000000..0a6069a5c
--- /dev/null
+++ b/.github/workflows/test.yml
@@ -0,0 +1,258 @@
+# Checks that the tests are passing.
+
+name: Test
+
+on:
+  workflow_dispatch:
+  push:
+    branches-ignore:
+      - 'dependabot/**'
+    paths:
+      - 'm4/**'
+      - 'src/**.c'
+      - 'src/**.h'
+      - 'src/**.mk'
+      - 'src/**Makefile'
+      - 'test/**'
+      - .github/workflows/test.yml
+      - Makefile
+      - config.mk.in
+      - config.sh.in
+      - configure
+      - configure.ac
+      - etc/profile-a-l/default.profile
+      - src/firecfg/firecfg.config
+  pull_request:
+    paths:
+      - 'm4/**'
+      - 'src/**.c'
+      - 'src/**.h'
+      - 'src/**.mk'
+      - 'src/**Makefile'
+      - 'test/**'
+      - .github/workflows/test.yml
+      - Makefile
+      - config.mk.in
+      - config.sh.in
+      - configure
+      - configure.ac
+      - etc/profile-a-l/default.profile
+      - src/firecfg/firecfg.config
+
+permissions:  # added using https://github.com/step-security/secure-workflows
+  contents: read
+
+#
+# Faster tests
+#
+
+jobs:
+  test-main:
+    runs-on: ubuntu-22.04
+    env:
+      SHELL: /bin/bash
+    steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
+      with:
+        egress-policy: block
+        allowed-endpoints: >
+          azure.archive.ubuntu.com:80
+          github.com:443
+          packages.microsoft.com:443
+          ppa.launchpadcontent.net:443
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+    - name: update package information
+      run: sudo apt-get update -qy
+    - name: install dependencies
+      run: >
+        sudo apt-get install -qy
+        gcc-12 libapparmor-dev libselinux1-dev expect xzdec bridge-utils
+    - name: print env
+      run: ./ci/printenv.sh
+    - name: configure
+      run: >
+        CC=gcc-12 ./configure --prefix=/usr --enable-fatal-warnings
+        --enable-analyzer --enable-apparmor --enable-selinux
+        || (cat config.log; exit 1)
+    - name: make
+      run: make -j "$(nproc)"
+    - name: make install
+      run: sudo make install
+    - name: print firejail version
+      run: command -V firejail && firejail --version
+    - run: make lab-setup
+    - run: make test-seccomp-extra
+    - run: make test-firecfg
+    - run: make test-capabilities
+    - run: make test-apparmor
+    - run: make test-appimage
+    - run: make test-chroot
+    - run: make test-fcopy
+
+#
+# Slower tests
+#
+
+  test-fs:
+    runs-on: ubuntu-22.04
+    env:
+      SHELL: /bin/bash
+    steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
+      with:
+        egress-policy: block
+        allowed-endpoints: >
+          azure.archive.ubuntu.com:80
+          github.com:443
+          packages.microsoft.com:443
+          ppa.launchpadcontent.net:443
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+    - name: update package information
+      run: sudo apt-get update -qy
+    - name: install dependencies
+      run: >
+        sudo apt-get install -qy
+        gcc-12 libapparmor-dev libselinux1-dev expect xzdec bridge-utils
+    - name: print env
+      run: ./ci/printenv.sh
+    - name: configure
+      run: >
+        CC=gcc-12 ./configure --prefix=/usr --enable-fatal-warnings
+        --enable-analyzer --enable-apparmor --enable-selinux
+        || (cat config.log; exit 1)
+    - name: make
+      run: make -j "$(nproc)"
+    - name: make install
+      run: sudo make install
+    - name: print firejail version
+      run: command -V firejail && firejail --version
+    - run: make lab-setup
+    - run: make test-private-etc
+    - run: make test-fs
+
+  test-environment:
+    runs-on: ubuntu-22.04
+    env:
+      SHELL: /bin/bash
+    steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
+      with:
+        egress-policy: block
+        allowed-endpoints: >
+          azure.archive.ubuntu.com:80
+          github.com:443
+          packages.microsoft.com:443
+          ppa.launchpadcontent.net:443
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+    - name: update package information
+      run: sudo apt-get update -qy
+    - name: install dependencies
+      run: >
+        sudo apt-get install -qy
+        gcc-12 libapparmor-dev libselinux1-dev expect xzdec bridge-utils
+    - name: print env
+      run: ./ci/printenv.sh
+    - name: configure
+      run: >
+        CC=gcc-12 ./configure --prefix=/usr --enable-fatal-warnings
+        --enable-analyzer --enable-apparmor --enable-selinux
+        || (cat config.log; exit 1)
+    - name: make
+      run: make -j "$(nproc)"
+    - name: make install
+      run: sudo make install
+    - name: print firejail version
+      run: command -V firejail && firejail --version
+    - run: make lab-setup
+    - run: make test-environment
+    - run: make test-profiles
+
+  test-utils:
+    runs-on: ubuntu-22.04
+    env:
+      SHELL: /bin/bash
+    steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
+      with:
+        egress-policy: block
+        allowed-endpoints: >
+          azure.archive.ubuntu.com:80
+          debian.org:80
+          github.com:443
+          packages.microsoft.com:443
+          ppa.launchpadcontent.net:443
+          www.debian.org:443
+          www.debian.org:80
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+    - name: update package information
+      run: sudo apt-get update -qy
+    - name: install dependencies
+      run: >
+        sudo apt-get install -qy
+        gcc-12 libapparmor-dev libselinux1-dev expect xzdec bridge-utils
+    - name: print env
+      run: ./ci/printenv.sh
+    - name: configure
+      run: >
+        CC=gcc-12 ./configure --prefix=/usr --enable-fatal-warnings
+        --enable-analyzer --enable-apparmor --enable-selinux
+        || (cat config.log; exit 1)
+    - name: make
+      run: make -j "$(nproc)"
+    - name: make install
+      run: sudo make install
+    - name: print firejail version
+      run: command -V firejail && firejail --version
+    - run: make lab-setup
+    - run: make test-utils
+
+  test-network:
+    runs-on: ubuntu-22.04
+    env:
+      SHELL: /bin/bash
+    steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
+      with:
+        egress-policy: block
+        allowed-endpoints: >
+          1.1.1.1:1025
+          azure.archive.ubuntu.com:80
+          debian.org:80
+          dns.quad9.net:53
+          github.com:443
+          packages.microsoft.com:443
+          ppa.launchpadcontent.net:443
+          whois.pir.org:43
+          www.debian.org:443
+          www.debian.org:80
+          yahoo.com:1025
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+    - name: update package information
+      run: sudo apt-get update -qy
+    - name: install dependencies
+      run: >
+        sudo apt-get install -qy
+        gcc-12 libapparmor-dev libselinux1-dev expect xzdec whois
+        bridge-utils
+    - name: print env
+      run: ./ci/printenv.sh
+    - name: configure
+      run: >
+        CC=gcc-12 ./configure --prefix=/usr --enable-fatal-warnings
+        --enable-analyzer --enable-apparmor --enable-selinux
+        || (cat config.log; exit 1)
+    - name: make
+      run: make -j "$(nproc)"
+    - name: make install
+      run: sudo make install
+    - name: print firejail version
+      run: command -V firejail && firejail --version
+    - run: make lab-setup
+    - run: make test-fnetfilter
+    - run: make test-sysutils
+    - run: make test-network
diff --git a/Makefile b/Makefile
index c25e9f501..5b9335127 100644
--- a/Makefile
+++ b/Makefile
@@ -64,31 +64,31 @@ $(MYDIRS):
 
 .PHONY: filters
 filters: $(SECCOMP_FILTERS)
-seccomp: src/fseccomp/fseccomp src/fsec-optimize/fsec-optimize
+seccomp: src/fseccomp/fseccomp src/fsec-optimize/fsec-optimize Makefile
         src/fseccomp/fseccomp default seccomp
         src/fsec-optimize/fsec-optimize seccomp
 
-seccomp.debug: src/fseccomp/fseccomp src/fsec-optimize/fsec-optimize
+seccomp.debug: src/fseccomp/fseccomp src/fsec-optimize/fsec-optimize Makefile
         src/fseccomp/fseccomp default seccomp.debug allow-debuggers
         src/fsec-optimize/fsec-optimize seccomp.debug
 
-seccomp.32: src/fseccomp/fseccomp src/fsec-optimize/fsec-optimize
+seccomp.32: src/fseccomp/fseccomp src/fsec-optimize/fsec-optimize Makefile
         src/fseccomp/fseccomp secondary 32 seccomp.32
         src/fsec-optimize/fsec-optimize seccomp.32
 
-seccomp.block_secondary: src/fseccomp/fseccomp
+seccomp.block_secondary: src/fseccomp/fseccomp Makefile
         src/fseccomp/fseccomp secondary block seccomp.block_secondary
 
-seccomp.mdwx: src/fseccomp/fseccomp
+seccomp.mdwx: src/fseccomp/fseccomp Makefile
         src/fseccomp/fseccomp memory-deny-write-execute seccomp.mdwx
 
-seccomp.mdwx.32: src/fseccomp/fseccomp
+seccomp.mdwx.32: src/fseccomp/fseccomp Makefile
         src/fseccomp/fseccomp memory-deny-write-execute.32 seccomp.mdwx.32
 
-seccomp.namespaces: src/fseccomp/fseccomp
+seccomp.namespaces: src/fseccomp/fseccomp Makefile
         src/fseccomp/fseccomp restrict-namespaces seccomp.namespaces cgroup,ipc,net,mnt,pid,time,user,uts
 
-seccomp.namespaces.32: src/fseccomp/fseccomp
+seccomp.namespaces.32: src/fseccomp/fseccomp Makefile
         src/fseccomp/fseccomp restrict-namespaces seccomp.namespaces.32 cgroup,ipc,net,mnt,pid,time,user,uts
 
 .PHONY: man
@@ -103,58 +103,65 @@ contrib: syntax
 syntax: $(SYNTAX_FILES)
 
 # TODO: include/rlimit are false positives
-contrib/syntax/lists/profile_commands_arg0.list: src/firejail/profile.c
+contrib/syntax/lists/profile_commands_arg0.list: src/firejail/profile.c Makefile
+        @printf 'Generating %s from %s\n' $@ $<
         @sed -En 's/.*strn?cmp\(ptr, "([^ "]*[^ ])".*/\1/p' $< | \
-        grep -Ev '^(include|rlimit)$$' | sed 's/\./\\./' | LC_ALL=C sort -u >$@
+        grep -Ev '^(include|rlimit)$$' | LC_ALL=C sort -u >$@
 
 # TODO: private-lib is special-cased in the code and doesn't match the regex
-contrib/syntax/lists/profile_commands_arg1.list: src/firejail/profile.c
-        @{ sed -En 's/.*strn?cmp\(ptr, "([^"]+) ".*/\1/p' $<; echo private-lib; } | \
-        LC_ALL=C sort -u >$@
+contrib/syntax/lists/profile_commands_arg1.list: src/firejail/profile.c Makefile
+        @printf 'Generating %s from %s\n' $@ $<
+        @{ sed -En 's/.*strn?cmp\(ptr, "([^"]+) .*/\1/p' $<; \
+           echo private-lib; } | LC_ALL=C sort -u >$@
 
-contrib/syntax/lists/profile_conditionals.list: src/firejail/profile.c
+contrib/syntax/lists/profile_conditionals.list: src/firejail/profile.c Makefile
+        @printf 'Generating %s from %s\n' $@ $<
         @awk -- 'BEGIN {process=0;} /^Cond conditionals\[\] = \{$$/ {process=1;} \
                 /\t*\{"[^"]+".*/ \
                 { if (process) {print gensub(/^\t*\{"([^"]+)".*$$/, "\\1", 1);} } \
                 /^\t\{ NULL, NULL \}$$/ {process=0;}' \
                 $< | LC_ALL=C sort -u >$@
 
-contrib/syntax/lists/profile_macros.list: src/firejail/macros.c
+contrib/syntax/lists/profile_macros.list: src/firejail/macros.c Makefile
+        @printf 'Generating %s from %s\n' $@ $<
         @sed -En 's/.*\$$\{([^}]+)\}.*/\1/p' $< | LC_ALL=C sort -u >$@
 
-contrib/syntax/lists/syscall_groups.list: src/lib/syscall.c
+contrib/syntax/lists/syscall_groups.list: src/lib/syscall.c Makefile
+        @printf 'Generating %s from %s\n' $@ $<
         @sed -En 's/.*"@([^",]+).*/\1/p' $< | LC_ALL=C sort -u >$@
 
-contrib/syntax/lists/syscalls.list: $(SYSCALL_HEADERS)
+contrib/syntax/lists/syscalls.list: $(SYSCALL_HEADERS) Makefile
+        @printf 'Generating %s\n' $@
         @sed -n 's/{\s\+"\([^"]\+\)",.*},/\1/p' $(SYSCALL_HEADERS) | \
         LC_ALL=C sort -u >$@
 
-contrib/syntax/lists/system_errnos.list: src/lib/errno.c
+contrib/syntax/lists/system_errnos.list: src/lib/errno.c Makefile
+        @printf 'Generating %s from %s\n' $@ $<
         @sed -En 's/.*"(E[^"]+).*/\1/p' $< | LC_ALL=C sort -u >$@
 
-pipe_fromlf = { tr '\n' '|' | sed 's/|$$//'; }
-space_fromlf = { tr '\n' ' ' | sed 's/ $$//'; }
+regex_fromlf = { tr '\n' '|' | sed -e 's/|$$//' -e 's/\./\\\\./g'; }
+space_fromlf = { tr '\n' ' ' | sed -e 's/ $$//'; }
 edit_syntax_file = sed \
         -e "s/@make_input@/$$(basename $@).  Generated from $$(basename $<) by make./" \
-        -e "s/@FJ_PROFILE_COMMANDS_ARG0@/$$($(pipe_fromlf) <contrib/syntax/lists/profile_commands_arg0.list)/" \
-        -e "s/@FJ_PROFILE_COMMANDS_ARG1@/$$($(pipe_fromlf) <contrib/syntax/lists/profile_commands_arg1.list)/" \
-        -e "s/@FJ_PROFILE_CONDITIONALS@/$$($(pipe_fromlf) <contrib/syntax/lists/profile_conditionals.list)/" \
-        -e "s/@FJ_PROFILE_MACROS@/$$($(pipe_fromlf) <contrib/syntax/lists/profile_macros.list)/" \
+        -e "s/@FJ_PROFILE_COMMANDS_ARG0@/$$($(regex_fromlf) <contrib/syntax/lists/profile_commands_arg0.list)/" \
+        -e "s/@FJ_PROFILE_COMMANDS_ARG1@/$$($(regex_fromlf) <contrib/syntax/lists/profile_commands_arg1.list)/" \
+        -e "s/@FJ_PROFILE_CONDITIONALS@/$$($(regex_fromlf) <contrib/syntax/lists/profile_conditionals.list)/" \
+        -e "s/@FJ_PROFILE_MACROS@/$$($(regex_fromlf) <contrib/syntax/lists/profile_macros.list)/" \
         -e "s/@FJ_SYSCALLS@/$$($(space_fromlf) <contrib/syntax/lists/syscalls.list)/" \
-        -e "s/@FJ_SYSCALL_GROUPS@/$$($(pipe_fromlf) <contrib/syntax/lists/syscall_groups.list)/" \
-        -e "s/@FJ_SYSTEM_ERRNOS@/$$($(pipe_fromlf) <contrib/syntax/lists/system_errnos.list)/"
+        -e "s/@FJ_SYSCALL_GROUPS@/$$($(regex_fromlf) <contrib/syntax/lists/syscall_groups.list)/" \
+        -e "s/@FJ_SYSTEM_ERRNOS@/$$($(regex_fromlf) <contrib/syntax/lists/system_errnos.list)/"
 
-contrib/syntax/files/example: contrib/syntax/files/example.in $(SYNTAX_LISTS)
+contrib/syntax/files/example: contrib/syntax/files/example.in $(SYNTAX_LISTS) Makefile
         @printf 'Generating %s from %s\n' $@ $<
         @$(edit_syntax_file) $< >$@
 
 # gtksourceview language-specs
-contrib/syntax/files/%.lang: contrib/syntax/files/%.lang.in $(SYNTAX_LISTS)
+contrib/syntax/files/%.lang: contrib/syntax/files/%.lang.in $(SYNTAX_LISTS) Makefile
         @printf 'Generating %s from %s\n' $@ $<
         @$(edit_syntax_file) $< >$@
 
 # vim syntax files
-contrib/syntax/files/%.vim: contrib/syntax/files/%.vim.in $(SYNTAX_LISTS)
+contrib/syntax/files/%.vim: contrib/syntax/files/%.vim.in $(SYNTAX_LISTS) Makefile
         @printf 'Generating %s from %s\n' $@ $<
         @$(edit_syntax_file) $< >$@
 
@@ -293,6 +300,7 @@ uninstall: config.mk
         rm -f $(DESTDIR)$(datarootdir)/gtksourceview-5/language-specs/firejail-profile.lang
         @echo "If you want to install a different version of firejail, you might also need to run 'rm -fr $(DESTDIR)$(sysconfdir)/firejail', see #2038."
 
+# Note: Keep this list in sync with `paths` in .github/workflows/build.yml.
 DISTFILES = \
         COPYING \
         Makefile \
@@ -367,9 +375,16 @@ cppcheck: clean
 scan-build: clean
         scan-build $(MAKE)
 
+# TODO: Old codespell versions (such as v2.1.0 in CI) have issues with
+# contrib/syscalls.sh
 .PHONY: codespell
-codespell: clean
-        codespell --ignore-regex "UE|creat|doas|shotcut|ether" src test
+codespell:
+        @printf 'Running %s...\n' $@
+        @codespell --ignore-regex 'UE|als|chage|creat|doas|ether|isplay|readby|[Ss]hotcut' \
+          -S *.gz,*.o,*.so \
+          -S COPYING,m4 \
+          -S ./contrib/syscalls.sh \
+          .
 
 .PHONY: print-env
 print-env:
diff --git a/README b/README
index 174530cc6..607ce1bee 100644
--- a/README
+++ b/README
@@ -125,6 +125,7 @@ Aleksey Manevich (https://github.com/manevich)
 Alexander Gerasiov (https://github.com/gerasiov)
         - read-only ~/.ssh/authorized_keys
         - profile updates
+        - fcopy: Use lstat when copy directory
 Alexander Stein (https://github.com/ajstein)
         - added profile for qutebrowser
 alkim0 (https://github.com/alkim0)
@@ -169,6 +170,8 @@ aoand (https://github.com/aoand)
         - seccomp fix: allow numeric syscalls
 Arne Welzel (https://github.com/awelzel)
         - ignore SIGTTOU during flush_stdin()
+archaon616 (https://github.com/archaon616)
+        - steam.profile: Allow Factorio
 Atrate (https://github.com/Atrate)
         - BetterDiscord support
 Austin Morton (https://github.com/apmorton)
@@ -283,6 +286,8 @@ Christian Stadelmann (https://github.com/genodeftest)
         - evolution profile fix
 Clayton Williams (https://github.com/gosre)
         - addition of RLIMIT_AS
+CodeWithMa (https://github.com/CodeWithMa)
+        - mpv.profile: add new XDG_STATE_HOME path
 corecontingency (https://https://github.com/corecontingency)
         - tighten private-bin and etc for torbrowser-launcher.profile
         - added i2prouter profile
@@ -349,6 +354,10 @@ David Hyrule (https://github.com/Svaag)
         - remove nou2f in ssh profile
 Deelvesh Bunjun (https://github.com/DeelveshBunjun)
         - added xpdf profile
+DefaultUser (https://github.com/DefaultUser)
+        - neochat: Allow netlink
+Denis Subbotin (https://github.com/mr-tron)
+        - telegram.profile: allow ~/.local/share/telegram-desktop
 Denys Havrysh (https://github.com/vutny)
         - update SkypeForLinux profile for latest version
         - removed outdated Skype profile
@@ -371,6 +380,7 @@ dmfreemon (https://github.com/dmfreemon)
         - handle malloc() failures; use gnu_basename() instead of basenaem()
 Dmitriy Chestnykh (https://github.com/chestnykh)
         - add ability to disable user profiles at compile time
+        - lookup xauth in PATH
 Dpeta (https://github.com/Dpeta)
         - add Chatterino profile
 dshmgh (https://github.com/dshmgh)
@@ -465,6 +475,9 @@ Fred-Barclay (https://github.com/Fred-Barclay)
         - added Catfish profile
 Frederik Olesen (https://github.com/Freso)
         - added many vim profiles
+Frostbyte4664 (https://github.com/Frostbyte4664)
+        - steam.profile: Allow Baba Is You
+        - blender-3.6 redirect
 g3ngr33n (https://github.com/g3ngr33n)
         - fix musl compilation
 G4JC (https://sourceforge.net/u/gaming4jc/profile/)
@@ -497,6 +510,8 @@ glitsj16 (https://github.com/glitsj16)
         - new profiles: lzip, artha, nitroshare, nitroshare-cli, nitroshare-nmh
         - new profiles: nirtoshare-send, nitroshare-ui, mencoder, gnome-pie
         - new profiles: masterpdfeditor
+glu8716 (https://github.com/glu8716)
+        - nicotine: support Fcitx and dconf via dbus-user filter
 gm10 (https://github.com/gm10)
         - get_user() do not use the unreliable getlogin()
 GovanifY (https://github.com/GovanifY)
@@ -514,6 +529,7 @@ GSI (https://github.com/GSI)
         - added Uzbl browser profile
 haarp (https://github.com/haarp)
         - Allow sound for hexchat
+        - discord-common.profile: harden & allow notifications 
 hamzadis (https://github.com/hamzadis)
         - added --overlay-named=name and --overlay-path=path
 Hans-Christoph Steiner (https://github.com/eighthave)
@@ -642,6 +658,8 @@ jrabe (https://github.com/jrabe)
         - Polari profile
         - qTox profile
         - X11 fixes
+jtrv (https://github.com/jtrv)
+        - tidal-hifi profile
 juan (https://github.com/nyancat18)
         - fixed Kdenlive, Shotcut profiles
         - new profiles for Cinelerra, Cliqz, Bluefish
@@ -690,6 +708,8 @@ kuesji koesnu (https://github.com/kuesji)
         - better parser for size strings
 Kunal Mehta (https://github.com/legoktm)
         - converted all links to https in manpages
+kzsa (https://github.com/kzsa)
+        - wusc: add /usr/share/locale-langpack (LC_MESSAGES)
 laniakea64 (https://github.com/laniakea64)
         - added fj-mkdeb.py script to build deb packages
 Lari Rauno (https://github.com/tuutti)
@@ -705,6 +725,8 @@ layderv (https://github.com/layderv)
 lecso7 (https://github.com/lecso7)
         - added goldendict profile
         - allow evince to read .cbz file format
+leukimi (https://github.com/leukimi)
+        - 0ad.profile: fix libmozjs error on OpenSUSE Tumbleweed
 Loïc Damien (https://github.com/dzamlo)
         - small fixes
 Liorst4 (https://github.com/Liorst4)
@@ -729,12 +751,15 @@ Madura A (https://github.com/manushanga)
 mahdi1234 (https://github.com/mahdi1234)
         - cherrytree profile
         - Seamonkey profiles
+mammo0 (https://github.com/mammo0)
+        - remove 'text/plain' from firejail-profile.lang.in
 Manuel Dipolt (https://github.com/xeniter)
         - stack alignment for the ARM Architecture
 Marek Küthe (https://github.com/marek22k)
         - allow loading plugins in gajim
         - allow bsfilter in email-common.profile
         - email-common.profile: allow clamav plugin for claws-mail
+        - VSCodium: Fix developing Arduino
 Martin Carpenter (https://github.com/mcarpenter)
         - security audit and bug fixes
         - Centos 6.x support
@@ -823,6 +848,9 @@ Nikos Chantziaras (https://github.com/realnc)
         - fix audio support for Discord
 nolanl (https://github.com/nolanl)
         - added localtime to signal-desktop's profile
+nutta-git (https://github.com/nutta-git)
+        - steam.profile: allow process_vm_readv syscall
+        - lutris.profile: allow more syscalls
 nyancat18 (https://github.com/nyancat18)
         - added ardour4, dooble, karbon, krita profiles
 nya1 (https://github.com/nya1)
@@ -1193,6 +1221,9 @@ Vadim A. Misbakh-Soloviov (https://github.com/msva)
 ValdikSS (https://github.com/ValdikSS)
         - Psi+, Corebird, Konversation profiles
         - various profile fixes
+Varun Sharma (https://github.com/varunsh-coder)
+        - update allowed endpoints
+        - build(deps): bump step-security/harden-runner from 2.5.0 to 2.5.1 
 Vasya Novikov (https://github.com/vn971)
         - Wesnoth profile
         - Hedegewars profile
diff --git a/README.md b/README.md
index 781304451..c51137808 100644
--- a/README.md
+++ b/README.md
@@ -1,8 +1,13 @@
 # Firejail
 
-[![Build CI (GitLab)](https://gitlab.com/Firejail/firejail_ci/badges/master/pipeline.svg)](https://gitlab.com/Firejail/firejail_ci/pipelines)
-[![Build CI (GitHub)](https://github.com/netblue30/firejail/workflows/Build%20CI/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3A%22Build+CI%22)
-[![CodeQL CI](https://github.com/netblue30/firejail/workflows/CodeQL/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ACodeQL)
+[![Build (GitLab)](https://gitlab.com/Firejail/firejail_ci/badges/master/pipeline.svg)](https://gitlab.com/Firejail/firejail_ci/pipelines)
+[![Build (GitHub)](https://github.com/netblue30/firejail/workflows/Build/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ABuild)
+[![Build-extra](https://github.com/netblue30/firejail/workflows/Build-extra/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ABuild-extra)
+[![Test](https://github.com/netblue30/firejail/workflows/Test/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ATest)
+[![Check-C](https://github.com/netblue30/firejail/workflows/Check-C/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ACheck-C)
+[![Check-Profiles](https://github.com/netblue30/firejail/workflows/Check-Profiles/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ACheck-Profiles)
+[![Check-Python](https://github.com/netblue30/firejail/workflows/Check-Python/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ACheck-Python)
+[![Codespell](https://github.com/netblue30/firejail/workflows/Codespell/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ACodespell)
 [![Packaging status (Repology)](https://repology.org/badge/tiny-repos/firejail.svg)](https://repology.org/project/firejail/versions)
 
 Firejail is a SUID sandbox program that reduces the risk of security breaches
diff --git a/RELNOTES b/RELNOTES
index d6ffdc3b2..02d9259a9 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -21,10 +21,16 @@ firejail (0.9.73) baseline; urgency=low
   * modif: Improve --version/--help & print version on startup (#5829)
   * modif: improve errExit error messages (#5871)
   * modif: drop deprecated 'shell' option references (#5894)
+  * modif: keep pipewire group unless nosound is used (#5992 #5993)
+  * modif: Lookup xauth in PATH (#6006 #6087)
   * bugfix: qutebrowser: links will not open in the existing instance (#5601
     #5618)
   * bugfix: fix --hostname and --hosts-file commands
   * bugfix: arp.c: ensure positive timeout on select(2) (#5806)
+  * bugfix: Wrong syscall names for s390_pci_mmio_read and s390_pci_mmio_write
+    (#5965 #5976)
+  * bugfix: firejail --ls reports wrong file sizes for large files (#5982
+    #6086)
   * build: auto-generate syntax files (#5627)
   * build: mark all phony targets as such (#5637)
   * build: mkdeb.sh: pass all arguments to ./configure (#5654)
@@ -40,6 +46,10 @@ firejail (0.9.73) baseline; urgency=low
   * build: fix hardcoded make & remove unnecessary distclean targets (#5911)
   * build: dist and asc improvements (#5916)
   * build: fix some shellcheck issues & use config.sh in more scripts (#5927)
+  * build: firecfg.config sorting improvements (#5942)
+  * build: codespell improvements (#5955)
+  * build: add missing makefile dep & syntax improvements (#5956)
+  * build: sort.py: use case-sensitive sorting (#6070)
   * ci: always update the package db before installing packages (#5742)
   * ci: fix codeql unable to download its own bundle (#5783)
   * ci: split configure/build/install commands on gitlab (#5784)
@@ -48,6 +58,11 @@ firejail (0.9.73) baseline; urgency=low
   * ci: run for every branch instead of just master (#5815)
   * ci: upgrade debian:stretch to debian:buster (#5818)
   * ci: standardize apt-get update/install & misc improvements (#5857)
+  * ci: whitelist paths, reorganize workflows & speed-up tests (#5960)
+  * ci: fix dependabot duplicated workflow runs (#5984)
+  * ci: allow running workflows manually (#6026)
+  * contrib/syntax: remove 'text/plain' from firejail-profile.lang.in (#6057
+    #6059)
   * contrib/vim: match profile files more broadly (#5850)
   * test: split individual test groups in github workflows
   * test: add chroot, appimage and network tests in github workflows
@@ -58,6 +73,9 @@ firejail (0.9.73) baseline; urgency=low
   * docs: add uninstall instructions to README.md (#5812)
   * legal: selinux.c: Split Copyright notice & use same license as upstream
     (#5667)
+  * profiles: standardize commented code and eol comments (#5987)
+  * profiles: replace private-opt with whitelist & document private-opt issues
+    (#6021)
   * new profiles: fix-qdf, qpdf, zlib-flate, standard-notes, url-eater
  -- netblue30 <netblue30@yahoo.com>  Mon, 17 Jan 2023 09:00:00 -0500
 
@@ -363,7 +381,7 @@ firejail (0.9.62) baseline; urgency=low
   * whitelisting /usr/share in a large number of profiles
   * new scripts in contrib: gdb-firejail.sh and sort.py
   * enhancement: whitelist /usr/share in some profiles
-  * added signal mediation ot apparmor profile
+  * added signal mediation to apparmor profile
   * new conditions: HAS_X11, HAS_NET
   * new profiles: qgis, klatexformula, klatexformula_cmdl, links, xlinks
   * new profiles: pandoc, teams-for-linux, OpenArena, gnome-sound-recorder
@@ -758,7 +776,7 @@ firejail (0.9.44.4) baseline; urgency=low
 
 firejail (0.9.44.2) baseline; urgency=low
   * security: overwrite /etc/resolv.conf found by Martin Carpenter (CVE-2016-10118)
-  * secuirty: TOCTOU exploit for --get and --put found by Daniel Hodson
+  * security: TOCTOU exploit for --get and --put found by Daniel Hodson
   * security: invalid environment exploit found by Martin Carpenter (CVE-2016-10122)
   * security: several security enhancements
   * bugfix: crashing VLC by pressing Ctrl-O
diff --git a/ci/check/profiles/sort-firecfg.config.sh b/ci/check/profiles/sort-firecfg.config.sh
index 17a595350..dbfbf24f5 100755
--- a/ci/check/profiles/sort-firecfg.config.sh
+++ b/ci/check/profiles/sort-firecfg.config.sh
@@ -1,2 +1,5 @@
 #!/bin/sh
-tail -n +4 "$1" | sed 's/^# /#/' | LC_ALL=C sort -c -d
+# See ../../../src/firecfg/firecfg.config
+
+sed -E -e '/^#$/d' -e '/^# /d' -e 's/^#([^ ])/\1/' "$1" |
+LC_ALL=C sort -c -u
diff --git a/contrib/jail_prober.py b/contrib/jail_prober.py
index fcfe90eb7..070079e09 100755
--- a/contrib/jail_prober.py
+++ b/contrib/jail_prober.py
@@ -151,8 +151,8 @@ def run_firejail(program, all_args):
         if arg:
             myargs.insert(-1, arg)
         subprocess.call(myargs)
-        ans = input('Did %s run correctly? [y]/n ' % program)
-        if ans in ['n', 'N']:
+        answer = input('Did %s run correctly? [y]/n ' % program)
+        if answer in ['n', 'N']:
             bad_args.append(arg)
         elif arg:
             good_args.insert(-1, arg)
diff --git a/contrib/sort.py b/contrib/sort.py
index cdeecf99b..a827e20ba 100755
--- a/contrib/sort.py
+++ b/contrib/sort.py
@@ -15,8 +15,8 @@ Usage: {path.basename(argv[0])} [/path/to/profile ...]
 
 The following commands are supported:
 
-    private-bin, private-etc, private-lib, caps.drop, caps.keep, seccomp.drop,
-    seccomp.drop, protocol
+    private-bin, private-etc, private-lib, caps.drop, caps.keep, seccomp,
+    seccomp.drop, seccomp.keep, protocol
 
 Note that this is only applicable to commands that support multiple arguments.
 
@@ -38,7 +38,7 @@ Exit Codes:
 
 def sort_alphabetical(original_items):
     items = original_items.split(",")
-    items.sort(key=str.casefold)
+    items.sort()
     return ",".join(items)
 
 
diff --git a/contrib/syntax/files/firejail-profile.lang.in b/contrib/syntax/files/firejail-profile.lang.in
index acd5c86ce..a5deceb2c 100644
--- a/contrib/syntax/files/firejail-profile.lang.in
+++ b/contrib/syntax/files/firejail-profile.lang.in
@@ -7,7 +7,7 @@
 -->
 <language id="firejail-profile" name="Firejail Profile" version="2.0" _section="Other">
   <metadata>
-    <property name="mimetypes">text/plain;text/x-firejail-profile</property>
+    <property name="mimetypes">text/x-firejail-profile</property>
     <property name="globs">*.profile;*.local;*.inc</property>
     <property name="line-comment-start">#</property>
   </metadata>
diff --git a/contrib/syntax/lists/profile_commands_arg0.list b/contrib/syntax/lists/profile_commands_arg0.list
index fd1bdb401..e7fecef4b 100644
--- a/contrib/syntax/lists/profile_commands_arg0.list
+++ b/contrib/syntax/lists/profile_commands_arg0.list
@@ -41,7 +41,7 @@ private-tmp
 quiet
 restrict-namespaces
 seccomp
-seccomp\.block-secondary
+seccomp.block-secondary
 tab
 tracelog
 writable-etc
diff --git a/contrib/syntax/lists/profile_commands_arg1.list b/contrib/syntax/lists/profile_commands_arg1.list
index 28913542f..5862f16ac 100644
--- a/contrib/syntax/lists/profile_commands_arg1.list
+++ b/contrib/syntax/lists/profile_commands_arg1.list
@@ -5,11 +5,13 @@ blacklist-nolog
 caps.drop
 caps.keep
 cpu
+dbus-system
 dbus-system.broadcast
 dbus-system.call
 dbus-system.own
 dbus-system.see
 dbus-system.talk
+dbus-user
 dbus-user.broadcast
 dbus-user.call
 dbus-user.own
@@ -74,4 +76,5 @@ tmpfs
 veth-name
 whitelist
 whitelist-ro
+x11
 xephyr-screen
diff --git a/etc-fixes/0.9.38/firefox.profile b/etc-fixes/0.9.38/firefox.profile
index 00244aaa4..3b8264e75 100644
--- a/etc-fixes/0.9.38/firefox.profile
+++ b/etc-fixes/0.9.38/firefox.profile
@@ -7,7 +7,7 @@ include /etc/firejail/disable-devel.inc
 caps.drop all
 
 #seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
-seccomp.drop adjtimex,clock_adjtime,clock_settime,settimeofday,stime,modify_ldt,subpage_prot,switch_endian,vm86,vm86old,lookup_dcookie,perf_event_open,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext,delete_module,finit_module,init_module,_sysctl,afs_syscall,bdflush,break,create_module,ftime,get_kernel_syms,getpmsg,gtty,lock,mpx,prof,profil,putpmsg,query_module,security,sgetmask,ssetmask,stty,sysfs,tuxcall,ulimit,uselib,ustat,vserver,ioperm,iopl,pciconfig_iobase,pciconfig_read,pciconfig_write,s390_mmio_read,s390_mmio_write,kexec_load,kexec_file_load,reboot,set_mempolicy,migrate_pages,move_pages,mbind,swapon,swapoff,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp.drop adjtimex,clock_adjtime,clock_settime,settimeofday,stime,modify_ldt,subpage_prot,switch_endian,vm86,vm86old,lookup_dcookie,perf_event_open,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext,delete_module,finit_module,init_module,_sysctl,afs_syscall,bdflush,break,create_module,ftime,get_kernel_syms,getpmsg,gtty,lock,mpx,prof,profil,putpmsg,query_module,security,sgetmask,ssetmask,stty,sysfs,tuxcall,ulimit,uselib,ustat,vserver,ioperm,iopl,pciconfig_iobase,pciconfig_read,pciconfig_write,s390_pci_mmio_read,s390_pci_mmio_write,kexec_load,kexec_file_load,reboot,set_mempolicy,migrate_pages,move_pages,mbind,swapon,swapoff,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
 
 protocol unix,inet,inet6,netlink
 netfilter
diff --git a/etc/inc/allow-common-devel.inc b/etc/inc/allow-common-devel.inc
index 9576239f3..8083ef1a8 100644
--- a/etc/inc/allow-common-devel.inc
+++ b/etc/inc/allow-common-devel.inc
@@ -2,6 +2,10 @@
 # Persistent customizations should go in a .local file.
 include allow-common-devel.local
 
+# Arduino
+noblacklist ${HOME}/.arduino15
+noblacklist ${HOME}/Arduino
+
 # Git
 noblacklist ${HOME}/.config/git
 noblacklist ${HOME}/.gitconfig
@@ -26,6 +30,9 @@ noblacklist ${HOME}/.yarn-config
 noblacklist ${HOME}/.yarncache
 noblacklist ${HOME}/.yarnrc
 
+# PlatformIO
+noblacklist ${HOME}/.platformio
+
 # Python
 noblacklist ${HOME}/.pylint.d
 noblacklist ${HOME}/.python-history
@@ -37,3 +44,4 @@ noblacklist ${HOME}/.bundle
 
 # Rust
 noblacklist ${HOME}/.cargo
+noblacklist ${HOME}/.rustup
diff --git a/etc/inc/allow-ssh.inc b/etc/inc/allow-ssh.inc
index 024d87be7..6b2c5846e 100644
--- a/etc/inc/allow-ssh.inc
+++ b/etc/inc/allow-ssh.inc
@@ -6,7 +6,7 @@ noblacklist ${HOME}/.ssh
 noblacklist /etc/ssh
 noblacklist /etc/ssh/ssh_config
 noblacklist /etc/ssh/ssh_config.d
-noblacklist ${PATH}/ssh
+noblacklist ${PATH}/ssh*
 noblacklist /tmp/ssh-*
 # Arch Linux and derivatives
 noblacklist /usr/lib/ssh
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index ce4f08958..55aabbc73 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -33,7 +33,8 @@ blacklist-nolog ${HOME}/.viminfo
 blacklist-nolog /tmp/clipmenu*
 
 # X11 session autostart
-# blacklist ${HOME}/.xpra - this will kill --x11=xpra cmdline option for all programs
+# this will kill --x11=xpra cmdline option for all programs
+#blacklist ${HOME}/.xpra
 blacklist ${HOME}/.Xsession
 blacklist ${HOME}/.blackbox
 blacklist ${HOME}/.config/autostart
@@ -170,7 +171,7 @@ blacklist ${RUNUSER}/gsconnect
 blacklist ${HOME}/.config/systemd
 blacklist ${HOME}/.local/share/systemd
 blacklist ${PATH}/systemctl
-blacklist ${PATH}/systemd-run
+blacklist ${PATH}/systemd*
 blacklist ${RUNUSER}/systemd
 blacklist /etc/credstore*
 blacklist /etc/systemd/network
@@ -191,6 +192,7 @@ blacklist ${HOME}/.VirtualBox
 blacklist ${HOME}/VirtualBox VMs
 
 # GNOME Boxes
+blacklist ${HOME}/.cache/gnome-boxes
 blacklist ${HOME}/.config/gnome-boxes
 blacklist ${HOME}/.local/share/gnome-boxes
 
@@ -241,8 +243,9 @@ blacklist /var/lib/mysql/mysql.sock
 blacklist /var/lib/mysqld/mysql.sock
 blacklist /var/lib/pacman
 blacklist /var/lib/upower
-# blacklist /var/log - a virtual /var/log directory (mostly empty) is build up by default for
-# every sandbox, unless --writable-var-log switch is activated
+# a virtual /var/log directory (mostly empty) is build up by default for every
+# sandbox, unless --writable-var-log switch is activated
+#blacklist /var/log
 blacklist /var/mail
 blacklist /var/opt
 blacklist /var/run/acpid.socket
@@ -319,7 +322,7 @@ read-only ${HOME}/.zshenv
 read-only ${HOME}/.zshrc
 read-only ${HOME}/.zshrc.local
 
-# Remote access
+# Remote access (used only by sshd; should always be blacklisted)
 blacklist ${HOME}/.rhosts
 blacklist ${HOME}/.shosts
 blacklist ${HOME}/.ssh/authorized_keys
@@ -327,13 +330,12 @@ blacklist ${HOME}/.ssh/authorized_keys2
 blacklist ${HOME}/.ssh/environment
 blacklist ${HOME}/.ssh/rc
 blacklist /etc/hosts.equiv
-read-only ${HOME}/.ssh/config
-read-only ${HOME}/.ssh/config.d
 
 # Initialization files that allow arbitrary command execution
 read-only ${HOME}/.caffrc
 read-only ${HOME}/.cargo/env
 read-only ${HOME}/.config/mpv
+read-only ${HOME}/.config/msmtp
 read-only ${HOME}/.config/nano
 read-only ${HOME}/.config/nvim
 read-only ${HOME}/.config/pkcs11
@@ -360,6 +362,8 @@ read-only ${HOME}/.nanorc
 read-only ${HOME}/.npmrc
 read-only ${HOME}/.pythonrc.py
 read-only ${HOME}/.reportbugrc
+read-only ${HOME}/.ssh/config
+read-only ${HOME}/.ssh/config.d
 read-only ${HOME}/.tmux.conf
 read-only ${HOME}/.vim
 read-only ${HOME}/.viminfo
@@ -422,6 +426,7 @@ blacklist /etc/group-
 blacklist /etc/gshadow
 blacklist /etc/gshadow+
 blacklist /etc/gshadow-
+blacklist /etc/msmtprc
 blacklist /etc/passwd+
 blacklist /etc/passwd-
 blacklist /etc/shadow
@@ -444,6 +449,7 @@ blacklist ${HOME}/.cargo/credentials.toml
 blacklist ${HOME}/.cert
 blacklist ${HOME}/.config/hub
 blacklist ${HOME}/.config/keybase
+blacklist ${HOME}/.config/msmtp
 blacklist ${HOME}/.davfs2/secrets
 blacklist ${HOME}/.ecryptfs
 blacklist ${HOME}/.fetchmailrc
@@ -502,6 +508,7 @@ blacklist /usr/sbin
 
 # system management and various SUID executables
 blacklist ${PATH}/at
+blacklist ${PATH}/bmon
 blacklist ${PATH}/busybox
 blacklist ${PATH}/chage
 blacklist ${PATH}/chfn
@@ -510,69 +517,96 @@ blacklist ${PATH}/crontab
 blacklist ${PATH}/doas
 blacklist ${PATH}/evtest
 blacklist ${PATH}/expiry
-blacklist ${PATH}/fusermount
+blacklist ${PATH}/fping
+blacklist ${PATH}/fping6
+blacklist ${PATH}/fusermount*
 blacklist ${PATH}/gksu
 blacklist ${PATH}/gksudo
 blacklist ${PATH}/gpasswd
+blacklist ${PATH}/groupmems
+blacklist ${PATH}/hostname
+#blacklist ${PATH}/ip # breaks --ip=dhcp
 blacklist ${PATH}/kdesudo
 blacklist ${PATH}/ksu
 blacklist ${PATH}/mount
-blacklist ${PATH}/mount.ecryptfs_private
+blacklist ${PATH}/mount.*
+blacklist ${PATH}/mountpoint
+blacklist ${PATH}/mtr
+blacklist ${PATH}/mtr-packet
 blacklist ${PATH}/nc
+blacklist ${PATH}/nc.openbsd
+blacklist ${PATH}/nc.traditional
 blacklist ${PATH}/ncat
-blacklist ${PATH}/nmap
+blacklist ${PATH}/netstat
+blacklist ${PATH}/networkctl
 blacklist ${PATH}/newgidmap
 blacklist ${PATH}/newgrp
 blacklist ${PATH}/newuidmap
+blacklist ${PATH}/nm-online
+blacklist ${PATH}/nmap
+blacklist ${PATH}/nmcli
+blacklist ${PATH}/nmtui
+blacklist ${PATH}/nmtui-connect
+blacklist ${PATH}/nmtui-edit
+blacklist ${PATH}/nmtui-hostname
 blacklist ${PATH}/ntfs-3g
+blacklist ${PATH}/passwd
+blacklist ${PATH}/physlock
 blacklist ${PATH}/pkexec
+blacklist ${PATH}/plocate
+blacklist ${PATH}/pmount
 blacklist ${PATH}/procmail
+blacklist ${PATH}/pumount
+blacklist ${PATH}/schroot
 blacklist ${PATH}/sg
+blacklist ${PATH}/slock
+blacklist ${PATH}/ss
+blacklist ${PATH}/ssmtp
 blacklist ${PATH}/strace
 blacklist ${PATH}/su
 blacklist ${PATH}/sudo
+blacklist ${PATH}/suexec
 blacklist ${PATH}/tcpdump
+blacklist ${PATH}/traceroute
 blacklist ${PATH}/umount
 blacklist ${PATH}/unix_chkpwd
+blacklist ${PATH}/wall
+blacklist ${PATH}/write
+blacklist ${PATH}/wshowkeys
 blacklist ${PATH}/xev
 blacklist ${PATH}/xinput
-# from 0.9.67
-blacklist /usr/lib/openssh
-blacklist /usr/lib/ssh
-blacklist /usr/libexec/openssh
-blacklist ${PATH}/passwd
-blacklist /usr/lib/xorg/Xorg.wrap
-blacklist /usr/lib/policykit-1/polkit-agent-helper-1
+blacklist /usr/lib/chromium/chrome-sandbox
 blacklist /usr/lib/dbus-1.0/dbus-daemon-launch-helper
 blacklist /usr/lib/eject/dmcrypt-get-device
-blacklist /usr/lib/chromium/chrome-sandbox
+blacklist /usr/lib/openssh
 blacklist /usr/lib/opera/opera_sandbox
-blacklist /usr/lib/vmware
-blacklist ${PATH}/suexec
+blacklist /usr/lib/policykit-1/polkit-agent-helper-1
 blacklist /usr/lib/squid/basic_pam_auth
-blacklist ${PATH}/slock
-blacklist ${PATH}/physlock
-blacklist ${PATH}/schroot
-blacklist ${PATH}/wshowkeys
-blacklist ${PATH}/pmount
-blacklist ${PATH}/pumount
-blacklist ${PATH}/bmon
-blacklist ${PATH}/fping
-blacklist ${PATH}/fping6
-blacklist ${PATH}/hostname
-# blacklist ${PATH}/ip - breaks --ip=dhcp
-blacklist ${PATH}/mtr
-blacklist ${PATH}/mtr-packet
-blacklist ${PATH}/netstat
-blacklist ${PATH}/nm-online
-blacklist ${PATH}/nmcli
-blacklist ${PATH}/nmtui
-blacklist ${PATH}/nmtui-connect
-blacklist ${PATH}/nmtui-edit
-blacklist ${PATH}/nmtui-hostname
-blacklist ${PATH}/networkctl
-blacklist ${PATH}/ss
-blacklist ${PATH}/traceroute
+blacklist /usr/lib/ssh
+blacklist /usr/lib/vmware
+blacklist /usr/lib/xorg/Xorg.wrap
+blacklist /usr/libexec/openssh
+# since firejail version 0.9.73
+blacklist ${PATH}/dpkg*
+blacklist ${PATH}/apt*
+blacklist ${PATH}/dumpcap
+blacklist ${PATH}/efibootdump
+blacklist ${PATH}/efibootmgr
+blacklist ${PATH}/passmass
+blacklist ${PATH}/proxy
+blacklist ${PATH}/aa-*
+blacklist ${PATH}/airscan-discover
+blacklist ${PATH}/avahi*
+blacklist ${PATH}/dbus-*
+blacklist ${PATH}/debconf*
+blacklist ${PATH}/grub-*
+blacklist ${PATH}/kernel-install  # from systemd package
+
+# binaries installed by firejail
+blacklist ${PATH}/firemon
+blacklist ${PATH}/firecfg
+blacklist ${PATH}/jailcheck
+blacklist ${PATH}/firetools
 
 # other SUID binaries
 blacklist /opt/microsoft/msedge*/msedge-sandbox
@@ -585,11 +619,13 @@ blacklist /tmp/.lxterminal-socket*
 blacklist /tmp/tmux-*
 
 # disable terminals running as server resulting in sandbox escape
+blacklist ${PATH}/foot
+blacklist ${PATH}/footserver
 blacklist ${PATH}/gnome-terminal
 blacklist ${PATH}/gnome-terminal.wrapper
 blacklist ${PATH}/kgx
-# blacklist ${PATH}/konsole
 # konsole doesn't seem to have this problem - last tested on Ubuntu 16.04
+#blacklist ${PATH}/konsole
 blacklist ${PATH}/lilyterm
 blacklist ${PATH}/lxterminal
 blacklist ${PATH}/mate-terminal
@@ -653,10 +689,13 @@ blacklist ${HOME}/sent
 blacklist /proc/config.gz
 
 # prevent DNS malware attempting to communicate with the server using regular DNS tools
+blacklist ${PATH}/delv
 blacklist ${PATH}/dig
 blacklist ${PATH}/dlint
 blacklist ${PATH}/dns2tcp
 blacklist ${PATH}/dnssec-*
+blacklist ${PATH}/dnstap-read
+blacklist ${PATH}/mdig
 blacklist ${PATH}/dnswalk
 blacklist ${PATH}/drill
 blacklist ${PATH}/host
@@ -667,12 +706,14 @@ blacklist ${PATH}/knsupdate
 blacklist ${PATH}/ldns-*
 blacklist ${PATH}/ldnsd
 blacklist ${PATH}/nslookup
+blacklist ${PATH}/nsupdate
+blacklist ${PATH}/nstat
 blacklist ${PATH}/resolvectl
 blacklist ${PATH}/unbound-host
 
 # prevent an intruder to guess passwords using regular network tools
 blacklist ${PATH}/ftp
-blacklist ${PATH}/ssh
+blacklist ${PATH}/ssh*
 blacklist ${PATH}/telnet
 
 # rest of ${RUNUSER}
diff --git a/etc/inc/disable-devel.inc b/etc/inc/disable-devel.inc
index 360077936..ae64f456e 100644
--- a/etc/inc/disable-devel.inc
+++ b/etc/inc/disable-devel.inc
@@ -4,32 +4,72 @@ include disable-devel.local
 
 # development tools
 
+# autoconf/automake
+blacklist ${PATH}/aclocal*
+blacklist ${PATH}/autoconf
+blacklist ${PATH}/autoheader
+blacklist ${PATH}/autom4te
+blacklist ${PATH}/automake*
+blacklist ${PATH}/autoreconf
+blacklist ${PATH}/autoscan
+blacklist ${PATH}/autoupdate
+blacklist ${PATH}/ifnames
+blacklist ${PATH}/m4
+
+# patch
+blacklist ${PATH}/elfedit
+blacklist ${PATH}/espdiff
+blacklist ${PATH}/patch
+blacklist ${PATH}/patchview
+
+# packaging
+blacklist ${PATH}/dh_*
+blacklist ${PATH}/fakeroot*
+blacklist ${PATH}/lintian
+
+# expect
+blacklist ${PATH}/autoexpect
+blacklist ${PATH}/expect*
+
 # clang/llvm
+blacklist ${PATH}/analyze-build*
+blacklist ${PATH}/asan_symbolize*
+blacklist ${PATH}/bugpoint*
+blacklist ${PATH}/c-index-test*
 blacklist ${PATH}/clang*
+blacklist ${PATH}/llc*
 blacklist ${PATH}/lldb*
+blacklist ${PATH}/lli*
 blacklist ${PATH}/llvm*
+blacklist ${PATH}/scan-build
 # see issue #2106 - it disables hardware acceleration in Firefox on Radeon GPU
-# blacklist /usr/lib/llvm*
+#blacklist /usr/lib/llvm*
 
 # GCC
+blacklist ${PATH}/*-g++*
+blacklist ${PATH}/*-g++*
+blacklist ${PATH}/*-gcc*
+blacklist ${PATH}/*-gcc*
 blacklist ${PATH}/as
-blacklist ${PATH}/cc
 blacklist ${PATH}/c++*
 blacklist ${PATH}/c8*
 blacklist ${PATH}/c9*
+blacklist ${PATH}/cc
 blacklist ${PATH}/cpp*
+blacklist ${PATH}/elfedit
 blacklist ${PATH}/g++*
 blacklist ${PATH}/gcc*
+blacklist ${PATH}/gcov*
 blacklist ${PATH}/gdb
+blacklist ${PATH}/gmake
 blacklist ${PATH}/ld
-blacklist ${PATH}/*-gcc*
-blacklist ${PATH}/*-g++*
-blacklist ${PATH}/*-gcc*
-blacklist ${PATH}/*-g++*
+blacklist ${PATH}/make
+blacklist ${PATH}/make-first-existing-target
+blacklist ${PATH}/x86_64-linux-gnu-*
 # seems to create problems on Gentoo
 #blacklist /usr/lib/gcc
 
-#Go
+# Go
 blacklist ${PATH}/gccgo
 blacklist ${PATH}/go
 blacklist ${PATH}/gofmt
@@ -48,15 +88,14 @@ blacklist ${PATH}/scala3-compiler
 blacklist ${PATH}/scala3-repl
 blacklist ${PATH}/scalac
 
-#OpenSSL
+# OpenSSL
 blacklist ${PATH}/openssl
 blacklist ${PATH}/openssl-1.0
 
-#Rust
+# Rust
 blacklist ${PATH}/rust-gdb
 blacklist ${PATH}/rust-lldb
 blacklist ${PATH}/rustc
-blacklist ${HOME}/.rustup
 
 # tcc - Tiny C Compiler
 blacklist ${PATH}/tcc
@@ -68,7 +107,7 @@ blacklist ${PATH}/valgrind*
 blacklist /usr/lib/valgrind
 
 # Source-Code
-blacklist /usr/src
-blacklist /usr/local/src
 blacklist /usr/include
 blacklist /usr/local/include
+blacklist /usr/local/src
+blacklist /usr/src
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index d2ae55867..13b4b2078 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -22,7 +22,6 @@ blacklist ${HOME}/.Steampid
 blacklist ${HOME}/.TelegramDesktop
 blacklist ${HOME}/.VSCodium
 blacklist ${HOME}/.ViberPC
-blacklist ${HOME}/.VirtualBox
 blacklist ${HOME}/.WebStorm*
 blacklist ${HOME}/.Wolfram Research
 blacklist ${HOME}/.ZAP
@@ -112,6 +111,7 @@ blacklist ${HOME}/.cache/falkon
 blacklist ${HOME}/.cache/feedreader
 blacklist ${HOME}/.cache/firedragon
 blacklist ${HOME}/.cache/flaska.net/trojita
+blacklist ${HOME}/.cache/floorp
 blacklist ${HOME}/.cache/folks
 blacklist ${HOME}/.cache/font-manager
 blacklist ${HOME}/.cache/fossamail
@@ -124,7 +124,6 @@ blacklist ${HOME}/.cache/geeqie
 blacklist ${HOME}/.cache/gegl-0.4
 blacklist ${HOME}/.cache/gfeeds
 blacklist ${HOME}/.cache/gimp
-blacklist ${HOME}/.cache/gnome-boxes
 blacklist ${HOME}/.cache/gnome-builder
 blacklist ${HOME}/.cache/gnome-control-center
 blacklist ${HOME}/.cache/gnome-recipes
@@ -142,6 +141,7 @@ blacklist ${HOME}/.cache/inkscape
 blacklist ${HOME}/.cache/inox
 blacklist ${HOME}/.cache/io.github.lainsce.Notejot
 blacklist ${HOME}/.cache/iridium
+blacklist ${HOME}/.cache/journal-viewer
 blacklist ${HOME}/.cache/kcmshell5
 blacklist ${HOME}/.cache/kdenlive
 blacklist ${HOME}/.cache/keepassxc
@@ -156,6 +156,7 @@ blacklist ${HOME}/.cache/ksplashqml
 blacklist ${HOME}/.cache/kube
 blacklist ${HOME}/.cache/kwin
 blacklist ${HOME}/.cache/lbry-viewer
+blacklist ${HOME}/.cache/lettura
 blacklist ${HOME}/.cache/libgweather
 blacklist ${HOME}/.cache/librewolf
 blacklist ${HOME}/.cache/liferea
@@ -171,6 +172,7 @@ blacklist ${HOME}/.cache/mirage
 blacklist ${HOME}/.cache/moonchild productions/basilisk
 blacklist ${HOME}/.cache/moonchild productions/pale moon
 blacklist ${HOME}/.cache/mozilla
+blacklist ${HOME}/.cache/mpv
 blacklist ${HOME}/.cache/ms-excel-online
 blacklist ${HOME}/.cache/ms-office-online
 blacklist ${HOME}/.cache/ms-onenote-online
@@ -219,6 +221,7 @@ blacklist ${HOME}/.cache/supertuxkart
 blacklist ${HOME}/.cache/systemsettings
 blacklist ${HOME}/.cache/telepathy
 blacklist ${HOME}/.cache/thunderbird
+blacklist ${HOME}/.cache/tiny-rdm
 blacklist ${HOME}/.cache/torbrowser
 blacklist ${HOME}/.cache/transmission
 blacklist ${HOME}/.cache/ueberzugpp
@@ -343,10 +346,10 @@ blacklist ${HOME}/.config/Slack
 blacklist ${HOME}/.config/Standard Notes
 blacklist ${HOME}/.config/SubDownloader
 blacklist ${HOME}/.config/Thunar
+blacklist ${HOME}/.config/TinyRDM
 blacklist ${HOME}/.config/Twitch
 blacklist ${HOME}/.config/Unknown Organization
 blacklist ${HOME}/.config/VSCodium
-blacklist ${HOME}/.config/VirtualBox
 blacklist ${HOME}/.config/Whalebird
 blacklist ${HOME}/.config/Wire
 blacklist ${HOME}/.config/Youtube
@@ -383,6 +386,7 @@ blacklist ${HOME}/.config/borg
 blacklist ${HOME}/.config/brasero
 blacklist ${HOME}/.config/brave
 blacklist ${HOME}/.config/brave-flags.conf
+blacklist ${HOME}/.config/breezy
 blacklist ${HOME}/.config/caja
 blacklist ${HOME}/.config/calibre
 blacklist ${HOME}/.config/cantata
@@ -404,6 +408,7 @@ blacklist ${HOME}/.config/cliqz
 blacklist ${HOME}/.config/cmus
 blacklist ${HOME}/.config/cointop
 blacklist ${HOME}/.config/com.github.bleakgrey.tootle
+blacklist ${HOME}/.config/com.lettura.dev
 blacklist ${HOME}/.config/corebird
 blacklist ${HOME}/.config/coyim
 blacklist ${HOME}/.config/d-feet
@@ -713,8 +718,10 @@ blacklist ${HOME}/.emacs.d
 blacklist ${HOME}/.equalx
 blacklist ${HOME}/.ethereum
 blacklist ${HOME}/.etr
+blacklist ${HOME}/.factorio
 blacklist ${HOME}/.filezilla
 blacklist ${HOME}/.firedragon
+blacklist ${HOME}/.floorp
 blacklist ${HOME}/.flowblade
 blacklist ${HOME}/.fltk
 blacklist ${HOME}/.fossamail
@@ -830,6 +837,7 @@ blacklist ${HOME}/.klatexformula
 blacklist ${HOME}/.klei
 blacklist ${HOME}/.kodi
 blacklist ${HOME}/.lastpass
+blacklist ${HOME}/.lettura
 blacklist ${HOME}/.librewolf
 blacklist ${HOME}/.lincity-ng
 blacklist ${HOME}/.links
@@ -841,6 +849,7 @@ blacklist ${HOME}/.local/lib/vivaldi
 blacklist ${HOME}/.local/share/0ad
 blacklist ${HOME}/.local/share/3909/PapersPlease
 blacklist ${HOME}/.local/share/Anki2
+blacklist ${HOME}/.local/share/Baba_Is_You
 blacklist ${HOME}/.local/share/Colossal Order
 blacklist ${HOME}/.local/share/Dredmor
 blacklist ${HOME}/.local/share/Empathy
@@ -900,6 +909,8 @@ blacklist ${HOME}/.local/share/cdprojektred
 blacklist ${HOME}/.local/share/chatterino
 blacklist ${HOME}/.local/share/clipit
 blacklist ${HOME}/.local/share/com.github.johnfactotum.Foliate
+blacklist ${HOME}/.local/share/com.lettura.dev
+blacklist ${HOME}/.local/share/com.vmingueza.journal-viewer
 blacklist ${HOME}/.local/share/contacts
 blacklist ${HOME}/.local/share/cor-games
 blacklist ${HOME}/.local/share/data/Mendeley Ltd.
@@ -917,6 +928,7 @@ blacklist ${HOME}/.local/share/evolution
 blacklist ${HOME}/.local/share/feedreader
 blacklist ${HOME}/.local/share/feral-interactive
 blacklist ${HOME}/.local/share/five-or-more
+blacklist ${HOME}/.local/share/fluffychat
 blacklist ${HOME}/.local/share/freecol
 blacklist ${HOME}/.local/share/gajim
 blacklist ${HOME}/.local/share/gdfuse
@@ -925,7 +937,6 @@ blacklist ${HOME}/.local/share/geeqie
 blacklist ${HOME}/.local/share/ghostwriter
 blacklist ${HOME}/.local/share/gitg
 blacklist ${HOME}/.local/share/gnome-2048
-blacklist ${HOME}/.local/share/gnome-boxes
 blacklist ${HOME}/.local/share/gnome-builder
 blacklist ${HOME}/.local/share/gnome-chess
 blacklist ${HOME}/.local/share/gnome-klotski
@@ -1005,6 +1016,7 @@ blacklist ${HOME}/.local/share/orage
 blacklist ${HOME}/.local/share/org.kde.gwenview
 blacklist ${HOME}/.local/share/pix
 blacklist ${HOME}/.local/share/plasma_notes
+blacklist ${HOME}/.local/share/pnpm
 blacklist ${HOME}/.local/share/profanity
 blacklist ${HOME}/.local/share/psi
 blacklist ${HOME}/.local/share/psi+
@@ -1027,6 +1039,7 @@ blacklist ${HOME}/.local/share/strawberry
 blacklist ${HOME}/.local/share/supertux2
 blacklist ${HOME}/.local/share/supertuxkart
 blacklist ${HOME}/.local/share/swell-foop
+blacklist ${HOME}/.local/share/telegram-desktop
 blacklist ${HOME}/.local/share/telepathy
 blacklist ${HOME}/.local/share/terasology
 blacklist ${HOME}/.local/share/torbrowser
@@ -1069,7 +1082,6 @@ blacklist ${HOME}/.mp3splt-gtk
 blacklist ${HOME}/.mpd
 blacklist ${HOME}/.mpdconf
 blacklist ${HOME}/.mplayer
-blacklist ${HOME}/.msmtprc
 blacklist ${HOME}/.mullvad/mullvadbrowser
 blacklist ${HOME}/.multimc5
 blacklist ${HOME}/.nanorc
@@ -1112,6 +1124,7 @@ blacklist ${HOME}/.pinerc
 blacklist ${HOME}/.pinercex
 blacklist ${HOME}/.pingus
 blacklist ${HOME}/.pioneer
+blacklist ${HOME}/.platformio
 blacklist ${HOME}/.prey
 blacklist ${HOME}/.purple
 blacklist ${HOME}/.pylint.d
@@ -1126,6 +1139,7 @@ blacklist ${HOME}/.repo_.gitconfig.json
 blacklist ${HOME}/.repoconfig
 blacklist ${HOME}/.retroshare
 blacklist ${HOME}/.ripperXrc
+blacklist ${HOME}/.rustup
 blacklist ${HOME}/.sbt
 blacklist ${HOME}/.scorched3d
 blacklist ${HOME}/.scribus
diff --git a/etc/inc/whitelist-usr-share-common.inc b/etc/inc/whitelist-usr-share-common.inc
index dcf941004..03653cc16 100644
--- a/etc/inc/whitelist-usr-share-common.inc
+++ b/etc/inc/whitelist-usr-share-common.inc
@@ -40,6 +40,7 @@ whitelist /usr/share/kxmlgui5
 whitelist /usr/share/libdrm
 whitelist /usr/share/libthai
 whitelist /usr/share/locale
+whitelist /usr/share/locale-langpack
 whitelist /usr/share/mime
 whitelist /usr/share/misc
 whitelist /usr/share/Modules
diff --git a/etc/profile-a-l/0ad.profile b/etc/profile-a-l/0ad.profile
index 48a2afdf2..9ec2f2ad1 100644
--- a/etc/profile-a-l/0ad.profile
+++ b/etc/profile-a-l/0ad.profile
@@ -10,6 +10,9 @@ noblacklist ${HOME}/.cache/0ad
 noblacklist ${HOME}/.config/0ad
 noblacklist ${HOME}/.local/share/0ad
 
+# Allow gjs (blacklisted by disable-interpreters.inc)
+include allow-gjs.inc
+
 blacklist /usr/libexec
 
 include disable-common.inc
diff --git a/etc/profile-a-l/abiword.profile b/etc/profile-a-l/abiword.profile
index a0eed24ca..dcd1259cf 100644
--- a/etc/profile-a-l/abiword.profile
+++ b/etc/profile-a-l/abiword.profile
@@ -44,7 +44,7 @@ private-dev
 private-etc @x11
 private-tmp
 
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
 restrict-namespaces
diff --git a/etc/profile-a-l/akonadi_control.profile b/etc/profile-a-l/akonadi_control.profile
index 184036f24..275ff41ef 100644
--- a/etc/profile-a-l/akonadi_control.profile
+++ b/etc/profile-a-l/akonadi_control.profile
@@ -34,7 +34,7 @@ include whitelist-var-common.inc
 # disabled options below are not compatible with the apparmor profile for mysqld-akonadi.
 # this affects ubuntu and debian currently
 
-# apparmor
+#apparmor
 caps.drop all
 ipc-namespace
 netfilter
@@ -42,17 +42,17 @@ no3d
 nodvd
 nogroups
 noinput
-# nonewprivs
+#nonewprivs
 noroot
 nosound
 notv
 nou2f
 novideo
-# protocol unix,inet,inet6,netlink
-# seccomp !io_destroy,!io_getevents,!io_setup,!io_submit,!ioprio_set
+#protocol unix,inet,inet6,netlink
+#seccomp !io_destroy,!io_getevents,!io_setup,!io_submit,!ioprio_set
 tracelog
 
 private-dev
-# private-tmp - breaks programs that depend on akonadi
+#private-tmp # breaks programs that depend on akonadi
 
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-a-l/akregator.profile b/etc/profile-a-l/akregator.profile
index d88a1fcad..9de992a76 100644
--- a/etc/profile-a-l/akregator.profile
+++ b/etc/profile-a-l/akregator.profile
@@ -49,4 +49,4 @@ private-dev
 private-tmp
 
 deterministic-shutdown
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-a-l/alacarte.profile b/etc/profile-a-l/alacarte.profile
index 22a303cdd..14c425cc6 100644
--- a/etc/profile-a-l/alacarte.profile
+++ b/etc/profile-a-l/alacarte.profile
@@ -49,7 +49,7 @@ seccomp.block-secondary
 tracelog
 
 disable-mnt
-# private-bin alacarte,bash,python*,sh
+#private-bin alacarte,bash,python*,sh
 private-cache
 private-dev
 private-etc @tls-ca,@x11,mime.types
diff --git a/etc/profile-a-l/amarok.profile b/etc/profile-a-l/amarok.profile
index 389aae602..0c78ab20d 100644
--- a/etc/profile-a-l/amarok.profile
+++ b/etc/profile-a-l/amarok.profile
@@ -26,11 +26,11 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6
-# seccomp
+#seccomp
 
-# private-bin amarok
+#private-bin amarok
 private-dev
-# private-etc alternatives,asound.conf,ca-certificates,crypto-policies,machine-id,pki,pulse,resolv.conf,ssl
+#private-etc alternatives,asound.conf,ca-certificates,crypto-policies,machine-id,pki,pulse,resolv.conf,ssl
 private-tmp
 
 dbus-user filter
@@ -45,4 +45,4 @@ dbus-user.talk org.freedesktop.Notifications
 #dbus-user.talk org.kde.knotify
 dbus-system none
 
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-a-l/android-studio.profile b/etc/profile-a-l/android-studio.profile
index 3dfa0f95a..09289ace1 100644
--- a/etc/profile-a-l/android-studio.profile
+++ b/etc/profile-a-l/android-studio.profile
@@ -36,7 +36,7 @@ protocol unix,inet,inet6
 seccomp
 
 private-cache
-# private-tmp
+#private-tmp
 
 # noexec /tmp breaks 'Android Profiler'
 #noexec /tmp
diff --git a/etc/profile-a-l/ani-cli.profile b/etc/profile-a-l/ani-cli.profile
index 613f74ce5..76db2986d 100644
--- a/etc/profile-a-l/ani-cli.profile
+++ b/etc/profile-a-l/ani-cli.profile
@@ -10,6 +10,7 @@ include ani-cli.local
 
 noblacklist ${HOME}/.cache/ani-cli
 noblacklist ${HOME}/.local/state/ani-cli
+noblacklist ${PATH}/patch
 
 # Allow /bin/sh (blacklisted by disable-shell.inc)
 include allow-bin-sh.inc
@@ -30,9 +31,9 @@ noprinters
 notv
 
 disable-mnt
-private-bin ani-cli,aria2c,cat,cp,curl,cut,ffmpeg,fzf,grep,head,mkdir,mv,nl,nohup,patch,printf,rm,rofi,sed,sh,sort,tail,tput,tr,uname,wc
+private-bin ani-cli,aria2c,cat,cp,curl,cut,ffmpeg,fzf,grep,head,mkdir,mktemp,mv,nl,nohup,patch,printf,rm,rofi,sed,sh,sort,tail,tput,tr,uname,wc
 #private-cache
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg
+private-etc X11,alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,xdg
 private-tmp
 
 # Redirect
diff --git a/etc/profile-a-l/anki.profile b/etc/profile-a-l/anki.profile
index 2d0bfcb6c..acf52509c 100644
--- a/etc/profile-a-l/anki.profile
+++ b/etc/profile-a-l/anki.profile
@@ -55,4 +55,4 @@ private-tmp
 dbus-user none
 dbus-system none
 
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-a-l/arduino.profile b/etc/profile-a-l/arduino.profile
index 85ea76939..a925e223f 100644
--- a/etc/profile-a-l/arduino.profile
+++ b/etc/profile-a-l/arduino.profile
@@ -21,7 +21,7 @@ caps.drop all
 netfilter
 no3d
 nodvd
-# nogroups
+#nogroups
 nonewprivs
 noroot
 nosound
diff --git a/etc/profile-a-l/aria2c.profile b/etc/profile-a-l/aria2c.profile
index 7f9463c4f..65ffdfa1b 100644
--- a/etc/profile-a-l/aria2c.profile
+++ b/etc/profile-a-l/aria2c.profile
@@ -39,7 +39,7 @@ novideo
 protocol unix,inet,inet6,netlink
 seccomp
 
-# disable-mnt
+#disable-mnt
 # Add your custom event hook commands to 'private-bin' in your aria2c.local.
 private-bin aria2c,gzip
 # Add 'private-cache' to your aria2c.local if you don't use Lutris/winetricks (see issue #2772).
diff --git a/etc/profile-a-l/ark.profile b/etc/profile-a-l/ark.profile
index 272e06219..65e965248 100644
--- a/etc/profile-a-l/ark.profile
+++ b/etc/profile-a-l/ark.profile
@@ -22,7 +22,7 @@ include whitelist-var-common.inc
 
 apparmor
 caps.drop all
-# net none
+#net none
 netfilter
 nodvd
 nogroups
@@ -42,7 +42,7 @@ private-bin 7z,ark,bash,lrzip,lsar,lz4,lzop,p7zip,rar,sh,tclsh,unar,unrar,unzip,
 private-dev
 private-tmp
 
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
 restrict-namespaces
diff --git a/etc/profile-a-l/artha.profile b/etc/profile-a-l/artha.profile
index 897140857..f6369eb86 100644
--- a/etc/profile-a-l/artha.profile
+++ b/etc/profile-a-l/artha.profile
@@ -35,7 +35,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 ipc-namespace
-# net none - breaks on Ubuntu
+#net none # breaks on Ubuntu
 no3d
 nodvd
 nogroups
diff --git a/etc/profile-a-l/asunder.profile b/etc/profile-a-l/asunder.profile
index c09ad7936..601ef5c13 100644
--- a/etc/profile-a-l/asunder.profile
+++ b/etc/profile-a-l/asunder.profile
@@ -26,7 +26,7 @@ apparmor
 caps.drop all
 netfilter
 no3d
-# nogroups
+#nogroups
 noinput
 nonewprivs
 noroot
@@ -44,5 +44,5 @@ dbus-user none
 dbus-system none
 
 # mdwe is disabled due to breaking hardware accelerated decoding
-# memory-deny-write-execute
+#memory-deny-write-execute
 restrict-namespaces
diff --git a/etc/profile-a-l/atom.profile b/etc/profile-a-l/atom.profile
index 8e8f8515f..f21a8c34a 100644
--- a/etc/profile-a-l/atom.profile
+++ b/etc/profile-a-l/atom.profile
@@ -26,7 +26,7 @@ noblacklist ${HOME}/.config/Atom
 # Allows files commonly used by IDEs
 include allow-common-devel.inc
 
-# net none
+#net none
 nosound
 
 # Redirect
diff --git a/etc/profile-a-l/atril.profile b/etc/profile-a-l/atril.profile
index d0513d2a7..26b978158 100644
--- a/etc/profile-a-l/atril.profile
+++ b/etc/profile-a-l/atril.profile
@@ -22,7 +22,7 @@ include disable-xdg.inc
 
 include whitelist-var-common.inc
 
-# apparmor
+#apparmor
 caps.drop all
 machine-id
 no3d
@@ -44,7 +44,7 @@ private-dev
 private-etc
 # atril uses webkit gtk to display epub files
 # waiting for globbing support in private-lib; for now hardcoding it to webkit2gtk-4.0
-#private-lib webkit2gtk-4.0 - problems on Arch with the new version of WebKit
+#private-lib webkit2gtk-4.0 # problems on Arch with the new version of WebKit
 private-tmp
 
 # webkit gtk killed by memory-deny-write-execute
diff --git a/etc/profile-a-l/audacious.profile b/etc/profile-a-l/audacious.profile
index 6abd87c92..6d1a07e2d 100644
--- a/etc/profile-a-l/audacious.profile
+++ b/etc/profile-a-l/audacious.profile
@@ -36,7 +36,7 @@ protocol unix,inet,inet6
 seccomp
 tracelog
 
-# private-bin audacious
+#private-bin audacious
 private-cache
 private-dev
 private-tmp
diff --git a/etc/profile-a-l/audacity.profile b/etc/profile-a-l/audacity.profile
index c2a482b61..e70215891 100644
--- a/etc/profile-a-l/audacity.profile
+++ b/etc/profile-a-l/audacity.profile
@@ -54,7 +54,7 @@ private-etc @x11
 private-tmp
 
 # problems on Fedora 27
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
 restrict-namespaces
diff --git a/etc/profile-a-l/audio-recorder.profile b/etc/profile-a-l/audio-recorder.profile
index deba11a47..816852a71 100644
--- a/etc/profile-a-l/audio-recorder.profile
+++ b/etc/profile-a-l/audio-recorder.profile
@@ -41,7 +41,7 @@ seccomp
 tracelog
 
 disable-mnt
-# private-bin audio-recorder
+#private-bin audio-recorder
 private-cache
 private-etc
 private-tmp
@@ -50,5 +50,5 @@ dbus-user filter
 dbus-user.talk ca.desrt.dconf
 dbus-system none
 
-# memory-deny-write-execute - breaks on Arch
+#memory-deny-write-execute # breaks on Arch
 restrict-namespaces
diff --git a/etc/profile-a-l/authenticator.profile b/etc/profile-a-l/authenticator.profile
index 96c70a838..cbd97449d 100644
--- a/etc/profile-a-l/authenticator.profile
+++ b/etc/profile-a-l/authenticator.profile
@@ -19,7 +19,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
 
-# apparmor
+#apparmor
 caps.drop all
 netfilter
 no3d
@@ -31,19 +31,19 @@ noroot
 nosound
 notv
 nou2f
-# novideo
+#novideo
 protocol unix,inet,inet6
 seccomp
 
 disable-mnt
-# private-bin authenticator,python*
+#private-bin authenticator,python*
 private-dev
 private-etc @tls-ca
 private-tmp
 
 # makes settings immutable
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 restrict-namespaces
diff --git a/etc/profile-a-l/autokey-common.profile b/etc/profile-a-l/autokey-common.profile
index 834eac11a..bc47b26a9 100644
--- a/etc/profile-a-l/autokey-common.profile
+++ b/etc/profile-a-l/autokey-common.profile
@@ -38,5 +38,5 @@ private-cache
 private-dev
 private-tmp
 
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 restrict-namespaces
diff --git a/etc/profile-a-l/baloo_file.profile b/etc/profile-a-l/baloo_file.profile
index 084b7c702..de4004724 100644
--- a/etc/profile-a-l/baloo_file.profile
+++ b/etc/profile-a-l/baloo_file.profile
@@ -7,10 +7,10 @@ include globals.local
 
 # Make home directory read-only and allow writing only to ${HOME}/.local/share/baloo
 # Note: Baloo will not be able to update the "first run" key in its configuration files.
-# mkdir ${HOME}/.local/share/baloo
-# read-only ${HOME}
-# read-write ${HOME}/.local/share/baloo
-# ignore read-write
+#mkdir ${HOME}/.local/share/baloo
+#read-only ${HOME}
+#read-write ${HOME}/.local/share/baloo
+#ignore read-write
 
 noblacklist ${HOME}/.config/baloofilerc
 noblacklist ${HOME}/.kde/share/config/baloofilerc
@@ -31,7 +31,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 machine-id
-# net none
+#net none
 netfilter
 no3d
 nodvd
@@ -46,7 +46,7 @@ novideo
 protocol unix
 # blacklisting of ioprio_set system calls breaks baloo_file
 seccomp !ioprio_set
-# x11 xorg
+#x11 xorg
 
 private-bin baloo_file,baloo_file_extractor,baloo_filemetadata_temp_extractor,kbuildsycoca4
 private-cache
diff --git a/etc/profile-a-l/baobab.profile b/etc/profile-a-l/baobab.profile
index 31ef66a58..942d82941 100644
--- a/etc/profile-a-l/baobab.profile
+++ b/etc/profile-a-l/baobab.profile
@@ -6,13 +6,13 @@ include baobab.local
 # Persistent global definitions
 include globals.local
 
-# include disable-common.inc
+#include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-# include disable-programs.inc
+#include disable-programs.inc
 include disable-shell.inc
-# include disable-xdg.inc
+#include disable-xdg.inc
 
 include whitelist-runuser-common.inc
 
@@ -37,8 +37,8 @@ private-bin baobab
 private-dev
 private-tmp
 
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
 read-only ${HOME}
 restrict-namespaces
diff --git a/etc/profile-a-l/bcompare.profile b/etc/profile-a-l/bcompare.profile
index d566b94e8..c0e024445 100644
--- a/etc/profile-a-l/bcompare.profile
+++ b/etc/profile-a-l/bcompare.profile
@@ -19,7 +19,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 # Add the next line to your bcompare.local if you don't need to compare files in disable-programs.inc.
 #include disable-programs.inc
-#include disable-shell.inc - breaks launch
+#include disable-shell.inc # breaks launch
 include disable-write-mnt.inc
 
 apparmor
diff --git a/etc/profile-a-l/bibletime.profile b/etc/profile-a-l/bibletime.profile
index 3fb2a82c3..dcef2bff1 100644
--- a/etc/profile-a-l/bibletime.profile
+++ b/etc/profile-a-l/bibletime.profile
@@ -48,7 +48,7 @@ protocol unix,inet,inet6,netlink
 seccomp !chroot
 
 disable-mnt
-# private-bin bibletime
+#private-bin bibletime
 private-cache
 private-dev
 private-etc @tls-ca,sword,sword.conf
@@ -57,4 +57,4 @@ private-tmp
 dbus-user none
 dbus-system none
 
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-a-l/bijiben.profile b/etc/profile-a-l/bijiben.profile
index 53d212e34..e596ec9d2 100644
--- a/etc/profile-a-l/bijiben.profile
+++ b/etc/profile-a-l/bijiben.profile
@@ -48,7 +48,7 @@ tracelog
 
 disable-mnt
 private-bin bijiben
-# private-cache -- access to .cache/tracker is required
+#private-cache # access to .cache/tracker is required
 private-dev
 private-etc @x11
 private-tmp
diff --git a/etc/profile-a-l/bitlbee.profile b/etc/profile-a-l/bitlbee.profile
index 988a1479e..0f10c7ce0 100644
--- a/etc/profile-a-l/bitlbee.profile
+++ b/etc/profile-a-l/bitlbee.profile
@@ -10,7 +10,7 @@ ignore noexec ${HOME}
 
 noblacklist /sbin
 noblacklist /usr/sbin
-# noblacklist /var/log
+#noblacklist /var/log
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/bitwarden.profile b/etc/profile-a-l/bitwarden.profile
index 56bb871e7..1572ca572 100644
--- a/etc/profile-a-l/bitwarden.profile
+++ b/etc/profile-a-l/bitwarden.profile
@@ -17,6 +17,7 @@ include disable-shell.inc
 
 mkdir ${HOME}/.config/Bitwarden
 whitelist ${HOME}/.config/Bitwarden
+whitelist /opt/Bitwarden
 
 machine-id
 no3d
@@ -24,7 +25,6 @@ nosound
 
 ?HAS_APPIMAGE: ignore private-dev
 private-etc @tls-ca
-private-opt Bitwarden
 
 # Redirect
 include electron-common.profile
diff --git a/etc/profile-a-l/bleachbit.profile b/etc/profile-a-l/bleachbit.profile
index 52d970d89..cd1b059b4 100644
--- a/etc/profile-a-l/bleachbit.profile
+++ b/etc/profile-a-l/bleachbit.profile
@@ -18,7 +18,7 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-# include disable-programs.inc
+#include disable-programs.inc
 
 caps.drop all
 net none
@@ -36,11 +36,11 @@ protocol unix
 seccomp
 
 private-dev
-# private-tmp
+#private-tmp
 
 dbus-user none
 dbus-system none
 
 # memory-deny-write-execute breaks some systems, see issue #1850
-# memory-deny-write-execute
+#memory-deny-write-execute
 restrict-namespaces
diff --git a/etc/profile-a-l/blender-3.6.profile b/etc/profile-a-l/blender-3.6.profile
new file mode 100644
index 000000000..4e32c1f6d
--- /dev/null
+++ b/etc/profile-a-l/blender-3.6.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for blender
+# This file is overwritten after every install/update
+# Persistent local customizations
+include blender-3.6.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include blender.profile
diff --git a/etc/profile-a-l/bless.profile b/etc/profile-a-l/bless.profile
index 6dd540943..85f232751 100644
--- a/etc/profile-a-l/bless.profile
+++ b/etc/profile-a-l/bless.profile
@@ -31,7 +31,7 @@ novideo
 protocol unix
 seccomp
 
-# private-bin bash,bless,mono,sh
+#private-bin bash,bless,mono,sh
 private-cache
 private-dev
 private-etc mono
diff --git a/etc/profile-a-l/brackets.profile b/etc/profile-a-l/brackets.profile
index a483c2b0a..684504937 100644
--- a/etc/profile-a-l/brackets.profile
+++ b/etc/profile-a-l/brackets.profile
@@ -32,4 +32,4 @@ seccomp !chroot,!ioperm
 private-cache
 private-dev
 
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-a-l/brasero.profile b/etc/profile-a-l/brasero.profile
index 12d7062ab..92184ef18 100644
--- a/etc/profile-a-l/brasero.profile
+++ b/etc/profile-a-l/brasero.profile
@@ -29,9 +29,9 @@ protocol unix
 seccomp
 tracelog
 
-# private-bin brasero
+#private-bin brasero
 private-cache
-# private-dev
-# private-tmp
+#private-dev
+#private-tmp
 
 restrict-namespaces
diff --git a/etc/profile-a-l/brz.profile b/etc/profile-a-l/brz.profile
new file mode 100644
index 000000000..dcc7af54b
--- /dev/null
+++ b/etc/profile-a-l/brz.profile
@@ -0,0 +1,14 @@
+# Firejail profile for brz
+# Description: Distributed VCS with support for Bazaar and Git file formats
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include brz.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.config/breezy
+
+# Redirect
+include git.profile
diff --git a/etc/profile-a-l/build-systems-common.profile b/etc/profile-a-l/build-systems-common.profile
index cf5f462ae..8616996d2 100644
--- a/etc/profile-a-l/build-systems-common.profile
+++ b/etc/profile-a-l/build-systems-common.profile
@@ -39,7 +39,7 @@ include whitelist-var-common.inc
 caps.drop all
 ipc-namespace
 machine-id
-# net none
+#net none
 netfilter
 no3d
 nodvd
diff --git a/etc/profile-a-l/bzr.profile b/etc/profile-a-l/bzr.profile
new file mode 100644
index 000000000..61c1aae38
--- /dev/null
+++ b/etc/profile-a-l/bzr.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for bzr
+# This file is overwritten after every install/update
+# Persistent local customizations
+include bzr.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include brz.profile
diff --git a/etc/profile-a-l/calibre.profile b/etc/profile-a-l/calibre.profile
index b347941d7..cb9c92ffb 100644
--- a/etc/profile-a-l/calibre.profile
+++ b/etc/profile-a-l/calibre.profile
@@ -36,4 +36,4 @@ seccomp !chroot
 private-dev
 private-tmp
 
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-a-l/calligra.profile b/etc/profile-a-l/calligra.profile
index c2972f902..ffb83b2ed 100644
--- a/etc/profile-a-l/calligra.profile
+++ b/etc/profile-a-l/calligra.profile
@@ -15,7 +15,7 @@ include disable-programs.inc
 
 caps.drop all
 ipc-namespace
-# net none
+#net none
 netfilter
 nodvd
 nogroups
@@ -32,9 +32,9 @@ seccomp.block-secondary
 private-bin calligra,calligraauthor,calligraconverter,calligraflow,calligragemini,calligraplan,calligraplanwork,calligrasheets,calligrastage,calligrawords,dbus-launch,kbuildsycoca4,kdeinit4
 private-dev
 
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
-# noexec ${HOME}
+#noexec ${HOME}
 noexec /tmp
 restrict-namespaces
diff --git a/etc/profile-a-l/cameramonitor.profile b/etc/profile-a-l/cameramonitor.profile
index df94ac859..4f8fd7187 100644
--- a/etc/profile-a-l/cameramonitor.profile
+++ b/etc/profile-a-l/cameramonitor.profile
@@ -48,8 +48,8 @@ private-cache
 private-etc
 private-tmp
 
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
-# memory-deny-write-execute - breaks on Arch
+#memory-deny-write-execute # breaks on Arch
 restrict-namespaces
diff --git a/etc/profile-a-l/cantata.profile b/etc/profile-a-l/cantata.profile
index 7cb56efee..36c7c1091 100644
--- a/etc/profile-a-l/cantata.profile
+++ b/etc/profile-a-l/cantata.profile
@@ -22,7 +22,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-# apparmor
+#apparmor
 caps.drop all
 ipc-namespace
 netfilter
@@ -34,7 +34,7 @@ novideo
 protocol unix,inet,inet6,netlink
 seccomp
 
-# private-etc alternatives,drirc,fonts,gcrypt,hosts,kde5rc,mpd.conf,passwd,samba,ssl,xdg
+#private-etc alternatives,drirc,fonts,gcrypt,hosts,kde5rc,mpd.conf,passwd,samba,ssl,xdg
 private-bin cantata,mpd,perl
 private-dev
 
diff --git a/etc/profile-a-l/catfish.profile b/etc/profile-a-l/catfish.profile
index e2df341e9..037f6ee40 100644
--- a/etc/profile-a-l/catfish.profile
+++ b/etc/profile-a-l/catfish.profile
@@ -15,10 +15,10 @@ noblacklist ${HOME}/.config/catfish
 include allow-python2.inc
 include allow-python3.inc
 
-# include disable-common.inc
-# include disable-devel.inc
+#include disable-common.inc
+#include disable-devel.inc
 include disable-interpreters.inc
-# include disable-programs.inc
+#include disable-programs.inc
 
 whitelist /var/lib/mlocate
 include whitelist-var-common.inc
@@ -40,9 +40,9 @@ tracelog
 
 # These options work but are disabled in case
 # a users wants to search in these directories.
-# private-bin bash,catfish,env,locate,ls,mlocate,python*
-# private-dev
-# private-tmp
+#private-bin bash,catfish,env,locate,ls,mlocate,python*
+#private-dev
+#private-tmp
 
 dbus-user none
 dbus-system none
diff --git a/etc/profile-a-l/cawbird.profile b/etc/profile-a-l/cawbird.profile
index 17887b6cc..7fdbc3881 100644
--- a/etc/profile-a-l/cawbird.profile
+++ b/etc/profile-a-l/cawbird.profile
@@ -41,7 +41,7 @@ private-dev
 private-etc @tls-ca,@x11,host.conf,mime.types
 private-tmp
 
-# dbus-user none
+#dbus-user none
 dbus-system none
 
 restrict-namespaces
diff --git a/etc/profile-a-l/chatterino.profile b/etc/profile-a-l/chatterino.profile
index 2df03b10b..2a77b6fd6 100644
--- a/etc/profile-a-l/chatterino.profile
+++ b/etc/profile-a-l/chatterino.profile
@@ -12,11 +12,13 @@ include globals.local
 #whitelist ${MUSIC}
 
 # Also allow access to mpv/vlc, they're usable via streamlink.
+noblacklist ${HOME}/.cache/mpv
 noblacklist ${HOME}/.config/mpv
 noblacklist ${HOME}/.config/pulse
 noblacklist ${HOME}/.config/vlc
 noblacklist ${HOME}/.local/share/chatterino
 noblacklist ${HOME}/.local/share/vlc
+noblacklist ${HOME}/.local/state/mpv
 
 # Allow Lua for mpv (blacklisted by disable-interpreters.inc)
 include allow-lua.inc
diff --git a/etc/profile-a-l/chromium-browser-privacy.profile b/etc/profile-a-l/chromium-browser-privacy.profile
index 8803a4d9d..67a3a43af 100644
--- a/etc/profile-a-l/chromium-browser-privacy.profile
+++ b/etc/profile-a-l/chromium-browser-privacy.profile
@@ -13,7 +13,7 @@ mkdir ${HOME}/.config/ungoogled-chromium
 whitelist ${HOME}/.cache/ungoogled-chromium
 whitelist ${HOME}/.config/ungoogled-chromium
 
-# private-bin basename,bash,cat,chromium-browser-privacy,dirname,mkdir,readlink,sed,touch,which,xdg-settings
+#private-bin basename,bash,cat,chromium-browser-privacy,dirname,mkdir,readlink,sed,touch,which,xdg-settings
 
 # Redirect
 include chromium.profile
diff --git a/etc/profile-a-l/chromium-common.profile b/etc/profile-a-l/chromium-common.profile
index 878e0fe1d..37bfa0bfe 100644
--- a/etc/profile-a-l/chromium-common.profile
+++ b/etc/profile-a-l/chromium-common.profile
@@ -33,13 +33,15 @@ include whitelist-run-common.inc
 ?BROWSER_DISABLE_U2F: nou2f
 
 ?BROWSER_DISABLE_U2F: private-dev
-#private-tmp - issues when using multiple browser sessions
+#private-tmp # issues when using multiple browser sessions
 
 blacklist ${PATH}/curl
 blacklist ${PATH}/wget
 blacklist ${PATH}/wget2
 
-#dbus-user none - prevents access to passwords saved in GNOME Keyring and KWallet, also breaks Gnome connector.
+# This prevents access to passwords saved in GNOME Keyring and KWallet, also
+# breaks Gnome connector.
+#dbus-user none
 
 # The file dialog needs to work without d-bus.
 ?HAS_NODBUS: env NO_CHROME_KDE_FILE_DIALOG=1
diff --git a/etc/profile-a-l/chromium.profile b/etc/profile-a-l/chromium.profile
index 14f1bbe64..8c43aac9c 100644
--- a/etc/profile-a-l/chromium.profile
+++ b/etc/profile-a-l/chromium.profile
@@ -17,7 +17,7 @@ whitelist ${HOME}/.config/chromium
 whitelist ${HOME}/.config/chromium-flags.conf
 whitelist /usr/share/chromium
 
-# private-bin chromium,chromium-browser,chromedriver
+#private-bin chromium,chromium-browser,chromedriver
 
 # Redirect
 include chromium-common.profile
diff --git a/etc/profile-a-l/clac.profile b/etc/profile-a-l/clac.profile
new file mode 100644
index 000000000..cd2b2522d
--- /dev/null
+++ b/etc/profile-a-l/clac.profile
@@ -0,0 +1,63 @@
+# Firejail profile for clac
+# Description: Simple command-line calculator
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include clac.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-shell.inc
+#include disable-X11.inc # x11 none
+include disable-xdg.inc
+
+#include whitelist-common.inc # see #903
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noprinters
+noroot
+nosound
+notv
+nou2f
+novideo
+# block socket syscall to simulate empty protocol option (see #639)
+seccomp socket
+seccomp.block-secondary
+tracelog
+x11 none
+
+disable-mnt
+private
+private-bin clac
+#private-cache
+private-dev
+private-etc
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+read-only ${HOME}
+restrict-namespaces
diff --git a/etc/profile-a-l/clamtk.profile b/etc/profile-a-l/clamtk.profile
index 9fc73ee55..7651c5d32 100644
--- a/etc/profile-a-l/clamtk.profile
+++ b/etc/profile-a-l/clamtk.profile
@@ -1,4 +1,5 @@
 # Firejail profile for clamtk
+# Description: Easy to use, light-weight, on-demand virus scanner for Linux systems
 # This file is overwritten after every install/update
 # Persistent local customizations
 include clamtk.local
@@ -7,15 +8,22 @@ include globals.local
 
 include disable-exec.inc
 
+# Add the below lines to your clamtk.local if you update signatures databases per-user:
+#ignore net none
+#netfilter
+#protocol inet,inet6
+
 caps.drop all
 ipc-namespace
 net none
 no3d
 nodvd
-nogroups
+# nogroups breaks scanning
+#nogroups
 noinput
 nonewprivs
-noroot
+# noroot breaks scanning
+#noroot
 nosound
 notv
 nou2f
@@ -25,7 +33,9 @@ seccomp
 
 private-dev
 
-dbus-user none
+dbus-user filter
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.gtk.vfs.UDisks2VolumeMonitor
 dbus-system none
 
 restrict-namespaces
diff --git a/etc/profile-a-l/claws-mail.profile b/etc/profile-a-l/claws-mail.profile
index 7fefc68b1..53db480a4 100644
--- a/etc/profile-a-l/claws-mail.profile
+++ b/etc/profile-a-l/claws-mail.profile
@@ -18,7 +18,7 @@ whitelist ${HOME}/.claws-mail
 
 whitelist /usr/share/doc/claws-mail
 
-# private-bin claws-mail,curl,gpg,gpg2,gpg-agent,gpgsm,gpgme-config,pinentry,pinentry-gtk-2
+#private-bin claws-mail,curl,gpg,gpg2,gpg-agent,gpgsm,gpgme-config,pinentry,pinentry-gtk-2
 
 # Redirect
 include email-common.profile
diff --git a/etc/profile-a-l/clawsker.profile b/etc/profile-a-l/clawsker.profile
index 3b8eb7bbd..37d9e9e3a 100644
--- a/etc/profile-a-l/clawsker.profile
+++ b/etc/profile-a-l/clawsker.profile
@@ -50,5 +50,5 @@ private-tmp
 dbus-user none
 dbus-system none
 
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 restrict-namespaces
diff --git a/etc/profile-a-l/clementine.profile b/etc/profile-a-l/clementine.profile
index ee01fa653..3e9363bb4 100644
--- a/etc/profile-a-l/clementine.profile
+++ b/etc/profile-a-l/clementine.profile
@@ -37,6 +37,6 @@ private-dev
 private-tmp
 
 dbus-system none
-# dbus-user none
+#dbus-user none
 
 restrict-namespaces
diff --git a/etc/profile-a-l/clion.profile b/etc/profile-a-l/clion.profile
index 652809f1b..0cea1c7d4 100644
--- a/etc/profile-a-l/clion.profile
+++ b/etc/profile-a-l/clion.profile
@@ -37,7 +37,7 @@ seccomp
 
 private-cache
 private-dev
-# private-tmp
+#private-tmp
 
 noexec /tmp
 restrict-namespaces
diff --git a/etc/profile-a-l/clipgrab.profile b/etc/profile-a-l/clipgrab.profile
index 3f3748e1a..2657876b8 100644
--- a/etc/profile-a-l/clipgrab.profile
+++ b/etc/profile-a-l/clipgrab.profile
@@ -46,7 +46,7 @@ private-dev
 private-tmp
 
 # 'dbus-user none' breaks tray menu - add 'dbus-user none' to your clipgrab.local if you don't need it.
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-a-l/code.profile b/etc/profile-a-l/code.profile
index 19862bc92..1b69effc3 100644
--- a/etc/profile-a-l/code.profile
+++ b/etc/profile-a-l/code.profile
@@ -35,7 +35,7 @@ nosound
 # Disabling noexec ${HOME} for now since it will
 # probably interfere with running some programmes
 # in VS Code
-# noexec ${HOME}
+#noexec ${HOME}
 noexec /tmp
 
 # Redirect
diff --git a/etc/profile-a-l/com.github.bleakgrey.tootle.profile b/etc/profile-a-l/com.github.bleakgrey.tootle.profile
index 180282869..b1275e96b 100644
--- a/etc/profile-a-l/com.github.bleakgrey.tootle.profile
+++ b/etc/profile-a-l/com.github.bleakgrey.tootle.profile
@@ -48,9 +48,9 @@ private-etc @tls-ca,@x11,host.conf,mime.types
 private-tmp
 
 # Settings are immutable
-# dbus-user filter
-# dbus-user.own com.github.bleakgrey.tootle
-# dbus-user.talk ca.desrt.dconf
+#dbus-user filter
+#dbus-user.own com.github.bleakgrey.tootle
+#dbus-user.talk ca.desrt.dconf
 dbus-system none
 
 restrict-namespaces
diff --git a/etc/profile-a-l/cower.profile b/etc/profile-a-l/cower.profile
index 9b05b4416..c280cf22a 100644
--- a/etc/profile-a-l/cower.profile
+++ b/etc/profile-a-l/cower.profile
@@ -19,8 +19,8 @@ include disable-shell.inc
 include disable-xdg.inc
 
 # This profile could be significantly strengthened by adding the following to cower.local
-# whitelist ${HOME}/<Your Build Folder>
-# whitelist ${HOME}/.config/cower
+#whitelist ${HOME}/<Your Build Folder>
+#whitelist ${HOME}/.config/cower
 
 caps.drop all
 ipc-namespace
diff --git a/etc/profile-a-l/curl.profile b/etc/profile-a-l/curl.profile
index bfe8764d5..42ade7ce9 100644
--- a/etc/profile-a-l/curl.profile
+++ b/etc/profile-a-l/curl.profile
@@ -50,10 +50,10 @@ protocol inet,inet6
 seccomp
 tracelog
 
-# private-bin curl
+#private-bin curl
 private-cache
 private-dev
-# private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl
+#private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl
 private-etc @tls-ca
 private-tmp
 
diff --git a/etc/profile-a-l/cyberfox.profile b/etc/profile-a-l/cyberfox.profile
index a303c5979..c7a42e0eb 100644
--- a/etc/profile-a-l/cyberfox.profile
+++ b/etc/profile-a-l/cyberfox.profile
@@ -15,7 +15,7 @@ whitelist ${HOME}/.cache/8pecxstudios
 whitelist /usr/share/8pecxstudios
 whitelist /usr/share/cyberfox
 
-# private-bin cyberfox,dbus-launch,dbus-send,env,sh,which
+#private-bin cyberfox,dbus-launch,dbus-send,env,sh,which
 # private-etc must first be enabled in firefox-common.profile
 #private-etc cyberfox
 
diff --git a/etc/profile-a-l/d-feet.profile b/etc/profile-a-l/d-feet.profile
index 7dd5ca260..75338eb6d 100644
--- a/etc/profile-a-l/d-feet.profile
+++ b/etc/profile-a-l/d-feet.profile
@@ -31,7 +31,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 ipc-namespace
-# net none - breaks on Ubuntu
+#net none # breaks on Ubuntu
 no3d
 nodvd
 nogroups
@@ -52,5 +52,5 @@ private-dev
 private-etc dbus-1
 private-tmp
 
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 restrict-namespaces
diff --git a/etc/profile-a-l/daisy.profile b/etc/profile-a-l/daisy.profile
index 4f1c80f23..40b29a1f5 100644
--- a/etc/profile-a-l/daisy.profile
+++ b/etc/profile-a-l/daisy.profile
@@ -15,7 +15,7 @@ include disable-interpreters.inc
 include disable-proc.inc
 include disable-programs.inc
 include disable-shell.inc
-#include disable-X11.inc - x11 none
+#include disable-X11.inc # x11 none
 include disable-xdg.inc
 
 include whitelist-common.inc
@@ -47,7 +47,6 @@ tracelog
 x11 none
 
 disable-mnt
-private
 private-bin daisy
 private-cache
 private-dev
diff --git a/etc/profile-a-l/dbus-send.profile b/etc/profile-a-l/dbus-send.profile
index 80790bb0c..70bd7370d 100644
--- a/etc/profile-a-l/dbus-send.profile
+++ b/etc/profile-a-l/dbus-send.profile
@@ -19,7 +19,7 @@ include disable-shell.inc
 include disable-write-mnt.inc
 include disable-xdg.inc
 
-include whitelist-common.inc
+#include whitelist-common.inc # see #903
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -28,8 +28,7 @@ apparmor
 caps.drop all
 ipc-namespace
 machine-id
-# Breaks abstract sockets
-#net none
+#net none # breaks abstract sockets
 netfilter
 no3d
 nodvd
diff --git a/etc/profile-a-l/dconf-editor.profile b/etc/profile-a-l/dconf-editor.profile
index e2e2492bc..e8acd60b7 100644
--- a/etc/profile-a-l/dconf-editor.profile
+++ b/etc/profile-a-l/dconf-editor.profile
@@ -22,7 +22,7 @@ include whitelist-var-common.inc
 
 apparmor
 caps.drop all
-# net none - breaks application on older versions
+#net none # breaks application on older versions
 no3d
 nodvd
 nogroups
diff --git a/etc/profile-a-l/ddgtk.profile b/etc/profile-a-l/ddgtk.profile
index 9811c90d6..0fa88f232 100644
--- a/etc/profile-a-l/ddgtk.profile
+++ b/etc/profile-a-l/ddgtk.profile
@@ -50,5 +50,5 @@ private-tmp
 dbus-user none
 dbus-system none
 
-# memory-deny-write-execute - breaks on Arch
+#memory-deny-write-execute # breaks on Arch
 restrict-namespaces
diff --git a/etc/profile-a-l/default.profile b/etc/profile-a-l/default.profile
index 41794d173..c071da4b7 100644
--- a/etc/profile-a-l/default.profile
+++ b/etc/profile-a-l/default.profile
@@ -9,54 +9,54 @@ include globals.local
 # depending on your usage, you can enable some of the commands below:
 
 include disable-common.inc
-# include disable-devel.inc
-# include disable-exec.inc
-# include disable-interpreters.inc
+#include disable-devel.inc
+#include disable-exec.inc
+#include disable-interpreters.inc
 include disable-programs.inc
-# include disable-shell.inc
-# include disable-write-mnt.inc
-# include disable-xdg.inc
+#include disable-shell.inc
+#include disable-write-mnt.inc
+#include disable-xdg.inc
 
-# include whitelist-common.inc
-# include whitelist-runuser-common.inc
-# include whitelist-usr-share-common.inc
-# include whitelist-var-common.inc
+#include whitelist-common.inc
+#include whitelist-runuser-common.inc
+#include whitelist-usr-share-common.inc
+#include whitelist-var-common.inc
 
-# apparmor
+#apparmor
 caps.drop all
-# ipc-namespace
-# machine-id
-# net none
+#ipc-namespace
+#machine-id
+#net none
 netfilter
-# no3d
-# nodvd
-# nogroups
+#no3d
+#nodvd
+#nogroups
 noinput
 nonewprivs
 noroot
-# nosound
+#nosound
 notv
-# nou2f
+#nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
-# tracelog
+#tracelog
 
-# disable-mnt
-# private
-# private-bin program
-# private-cache
-# private-dev
+#disable-mnt
+#private
+#private-bin program
+#private-cache
+private-dev
 # see /usr/share/doc/firejail/profile.template for more common private-etc paths.
-# private-etc alternatives,fonts,machine-id
-# private-lib
-# private-opt none
-# private-tmp
+#private-etc alternatives,fonts,machine-id
+#private-lib
+#private-opt none
+private-tmp
 
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
-# deterministic-shutdown
-# memory-deny-write-execute
-# read-only ${HOME}
+#deterministic-shutdown
+#memory-deny-write-execute
+#read-only ${HOME}
 restrict-namespaces
diff --git a/etc/profile-a-l/deluge.profile b/etc/profile-a-l/deluge.profile
index ebc751e1a..b257f9a4c 100644
--- a/etc/profile-a-l/deluge.profile
+++ b/etc/profile-a-l/deluge.profile
@@ -13,7 +13,7 @@ include allow-python2.inc
 include allow-python3.inc
 
 include disable-common.inc
-# include disable-devel.inc
+#include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
diff --git a/etc/profile-a-l/devhelp.profile b/etc/profile-a-l/devhelp.profile
index 066cdc8b0..7b5e692a0 100644
--- a/etc/profile-a-l/devhelp.profile
+++ b/etc/profile-a-l/devhelp.profile
@@ -23,7 +23,7 @@ include whitelist-usr-share-common.inc
 
 apparmor
 caps.drop all
-# net none - makes settings immutable
+#net none # makes settings immutable
 nodvd
 nogroups
 noinput
@@ -45,9 +45,9 @@ private-etc @tls-ca,@x11
 private-tmp
 
 # makes settings immutable
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 read-only ${HOME}
 restrict-namespaces
diff --git a/etc/profile-a-l/dig.profile b/etc/profile-a-l/dig.profile
index 7c0fee9c3..781dfdcbc 100644
--- a/etc/profile-a-l/dig.profile
+++ b/etc/profile-a-l/dig.profile
@@ -14,13 +14,13 @@ blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}
 
 include disable-common.inc
-# include disable-devel.inc
+#include disable-devel.inc
 include disable-exec.inc
-# include disable-interpreters.inc
+#include disable-interpreters.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-#mkfile ${HOME}/.digrc - see #903
+#mkfile ${HOME}/.digrc # see #903
 whitelist ${HOME}/.digrc
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/digikam.profile b/etc/profile-a-l/digikam.profile
index 05f0dfba8..34d4081d4 100644
--- a/etc/profile-a-l/digikam.profile
+++ b/etc/profile-a-l/digikam.profile
@@ -37,11 +37,13 @@ protocol unix,inet,inet6,netlink
 # QtWebengine needs chroot to set up its own sandbox
 seccomp !chroot
 
-# private-dev - prevents libdc1394 loading; this lib is used to connect to a camera device
-# private-etc alternatives,ca-certificates,crypto-policies,pki,ssl
+# private-dev prevents libdc1394 from loading; this lib is used to connect to a
+# camera device
+#private-dev
+#private-etc alternatives,ca-certificates,crypto-policies,pki,ssl
 private-tmp
 
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-a-l/dino.profile b/etc/profile-a-l/dino.profile
index fe2b59a1e..44a3f0846 100644
--- a/etc/profile-a-l/dino.profile
+++ b/etc/profile-a-l/dino.profile
@@ -40,7 +40,8 @@ tracelog
 disable-mnt
 private-bin dino
 private-dev
-# private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl -- breaks server connection
+# breaks server connection
+#private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-a-l/discord-canary.profile b/etc/profile-a-l/discord-canary.profile
index 245b07b8d..acf0281d9 100644
--- a/etc/profile-a-l/discord-canary.profile
+++ b/etc/profile-a-l/discord-canary.profile
@@ -9,9 +9,10 @@ noblacklist ${HOME}/.config/discordcanary
 
 mkdir ${HOME}/.config/discordcanary
 whitelist ${HOME}/.config/discordcanary
+whitelist /opt/DiscordCanary
+whitelist /opt/discord-canary
 
-private-bin discord-canary,DiscordCanary
-private-opt discord-canary,DiscordCanary
+private-bin DiscordCanary,discord-canary
 
 # Redirect
 include discord-common.profile
diff --git a/etc/profile-a-l/discord-common.profile b/etc/profile-a-l/discord-common.profile
index 83fca8772..b7744a83c 100644
--- a/etc/profile-a-l/discord-common.profile
+++ b/etc/profile-a-l/discord-common.profile
@@ -7,15 +7,7 @@ include discord-common.local
 #include globals.local
 
 # Disabled until someone reported positive feedback
-ignore include disable-interpreters.inc
-ignore include disable-xdg.inc
-ignore include whitelist-runuser-common.inc
-ignore include whitelist-usr-share-common.inc
 ignore apparmor
-ignore disable-mnt
-ignore private-cache
-ignore dbus-user none
-ignore dbus-system none
 
 ignore noexec ${HOME}
 ignore novideo
@@ -26,6 +18,11 @@ whitelist ${HOME}/.local/share/betterdiscordctl
 private-bin awk,bash,cut,echo,egrep,electron,electron[0-9],electron[0-9][0-9],fish,grep,head,sed,sh,tclsh,tr,which,xdg-mime,xdg-open,zsh
 private-etc @tls-ca
 
+# allow D-Bus notifications
+dbus-user filter
+dbus-user.talk org.freedesktop.Notifications
+ignore dbus-user none
+
 join-or-start discord
 
 # Redirect
diff --git a/etc/profile-a-l/discord-ptb.profile b/etc/profile-a-l/discord-ptb.profile
index 265bf5615..82b33174c 100644
--- a/etc/profile-a-l/discord-ptb.profile
+++ b/etc/profile-a-l/discord-ptb.profile
@@ -9,9 +9,10 @@ noblacklist ${HOME}/.config/discordptb
 
 mkdir ${HOME}/.config/discordptb
 whitelist ${HOME}/.config/discordptb
+whitelist /opt/DiscordPTB
+whitelist /opt/discord
 
-private-bin discord-ptb,DiscordPTB
-private-opt discord-ptb,DiscordPTB
+private-bin DiscordPTB,discord-ptb
 
 # Redirect
 include discord-common.profile
diff --git a/etc/profile-a-l/discord.profile b/etc/profile-a-l/discord.profile
index 02d1c65cd..9776b41d5 100644
--- a/etc/profile-a-l/discord.profile
+++ b/etc/profile-a-l/discord.profile
@@ -9,9 +9,11 @@ noblacklist ${HOME}/.config/discord
 
 mkdir ${HOME}/.config/discord
 whitelist ${HOME}/.config/discord
+whitelist /opt/Discord
+whitelist /opt/discord
+whitelist /usr/share/discord
 
-private-bin discord,Discord
-private-opt discord,Discord
+private-bin Discord,discord
 
 # Redirect
 include discord-common.profile
diff --git a/etc/profile-a-l/display.profile b/etc/profile-a-l/display.profile
index bf77828be..53ed90e9c 100644
--- a/etc/profile-a-l/display.profile
+++ b/etc/profile-a-l/display.profile
@@ -34,13 +34,13 @@ notv
 nou2f
 protocol unix
 seccomp
-# x11 xorg - problems on kubuntu 17.04
+#x11 xorg # problems on kubuntu 17.04
 
 private-bin display,python*
 private-dev
 # On Debian-based systems, display is a symlink in /etc/alternatives
 private-etc ImageMagick-6,ImageMagick-7
-private-lib gcc/*/*/libgcc_s.so.*,gcc/*/*/libgomp.so.*,ImageMagick*,libfreetype.so.*,libltdl.so.*,libMagickWand-*.so.*,libXext.so.*
+private-lib ImageMagick*,gcc/*/*/libgcc_s.so.*,gcc/*/*/libgomp.so.*,libMagickWand-*.so.*,libXext.so.*,libfreetype.so.*,libltdl.so.*
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/dolphin-emu.profile b/etc/profile-a-l/dolphin-emu.profile
index 9743ebfbd..0ae09ce7e 100644
--- a/etc/profile-a-l/dolphin-emu.profile
+++ b/etc/profile-a-l/dolphin-emu.profile
@@ -36,7 +36,7 @@ apparmor
 caps.drop all
 ipc-namespace
 # Add the next line to your dolphin-emu.local if you do not need NetPlay support.
-# net none
+#net none
 netfilter
 # Add the next line to your dolphin-emu.local if you do not need disc support.
 #nodvd
diff --git a/etc/profile-a-l/drawio.profile b/etc/profile-a-l/drawio.profile
index 79366b8ee..c9daa939a 100644
--- a/etc/profile-a-l/drawio.profile
+++ b/etc/profile-a-l/drawio.profile
@@ -39,7 +39,7 @@ nou2f
 novideo
 protocol unix
 seccomp !chroot
-# tracelog - breaks on Arch
+#tracelog # breaks on Arch
 
 private-bin drawio
 private-cache
@@ -50,5 +50,5 @@ private-tmp
 dbus-user none
 dbus-system none
 
-# memory-deny-write-execute - breaks on Arch
-# restrict-namespaces
+#memory-deny-write-execute # breaks on Arch
+#restrict-namespaces
diff --git a/etc/profile-a-l/drill.profile b/etc/profile-a-l/drill.profile
index bd6fb6dcc..63dfd6c0d 100644
--- a/etc/profile-a-l/drill.profile
+++ b/etc/profile-a-l/drill.profile
@@ -13,13 +13,13 @@ blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}
 
 include disable-common.inc
-# include disable-devel.inc
+#include disable-devel.inc
 include disable-exec.inc
-# include disable-interpreters.inc
+#include disable-interpreters.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-include whitelist-common.inc
+#include whitelist-common.inc # see #903
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/easystroke.profile b/etc/profile-a-l/easystroke.profile
index 40fd8be7c..3fd5578e6 100644
--- a/etc/profile-a-l/easystroke.profile
+++ b/etc/profile-a-l/easystroke.profile
@@ -49,8 +49,8 @@ private-etc
 #private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*
 private-tmp
 
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
 memory-deny-write-execute
 restrict-namespaces
diff --git a/etc/profile-a-l/electron-mail.profile b/etc/profile-a-l/electron-mail.profile
index 766fe523b..544756877 100644
--- a/etc/profile-a-l/electron-mail.profile
+++ b/etc/profile-a-l/electron-mail.profile
@@ -18,6 +18,7 @@ include disable-shell.inc
 
 mkdir ${HOME}/.config/electron-mail
 whitelist ${HOME}/.config/electron-mail
+whitelist /opt/ElectronMail
 
 # The lines below are needed to find the default Firefox profile name, to allow
 # opening links in an existing instance of Firefox (note that it still fails if
@@ -29,7 +30,6 @@ machine-id
 nosound
 
 private-etc @tls-ca,@x11
-private-opt ElectronMail
 
 dbus-user filter
 dbus-user.talk org.freedesktop.Notifications
diff --git a/etc/profile-a-l/electrum.profile b/etc/profile-a-l/electrum.profile
index 48ce0aa22..d73ed9092 100644
--- a/etc/profile-a-l/electrum.profile
+++ b/etc/profile-a-l/electrum.profile
@@ -49,7 +49,7 @@ private-dev
 private-etc @tls-ca,@x11
 private-tmp
 
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
 restrict-namespaces
diff --git a/etc/profile-a-l/element-desktop.profile b/etc/profile-a-l/element-desktop.profile
index 7b4994a85..1af2884b6 100644
--- a/etc/profile-a-l/element-desktop.profile
+++ b/etc/profile-a-l/element-desktop.profile
@@ -15,8 +15,6 @@ mkdir ${HOME}/.config/Element
 whitelist ${HOME}/.config/Element
 whitelist /opt/Element
 
-private-opt Element
-
 dbus-user filter
 dbus-user.talk org.freedesktop.Notifications
 dbus-user.talk org.freedesktop.secrets
diff --git a/etc/profile-a-l/email-common.profile b/etc/profile-a-l/email-common.profile
index 8eee662ad..cffa85fd5 100644
--- a/etc/profile-a-l/email-common.profile
+++ b/etc/profile-a-l/email-common.profile
@@ -75,7 +75,7 @@ seccomp
 seccomp.block-secondary
 tracelog
 
-# disable-mnt
+#disable-mnt
 private-cache
 private-dev
 private-etc @tls-ca,@x11,bogofilter,bogofilter.cf,gnupg,hosts.conf,mailname,timezone
diff --git a/etc/profile-a-l/engrampa.profile b/etc/profile-a-l/engrampa.profile
index e1d107dc7..24e4f8a0e 100644
--- a/etc/profile-a-l/engrampa.profile
+++ b/etc/profile-a-l/engrampa.profile
@@ -35,9 +35,9 @@ seccomp
 seccomp.block-secondary
 tracelog
 
-# private-bin engrampa
+#private-bin engrampa
 private-dev
-# private-tmp
+#private-tmp
 
 dbus-user filter
 dbus-user.talk ca.desrt.dconf
diff --git a/etc/profile-a-l/enpass.profile b/etc/profile-a-l/enpass.profile
index 45a1125b4..62e9d42ac 100644
--- a/etc/profile-a-l/enpass.profile
+++ b/etc/profile-a-l/enpass.profile
@@ -52,11 +52,11 @@ protocol unix,inet,inet6,netlink
 seccomp
 tracelog
 
-private-bin dirname,Enpass,importer_enpass,readlink,sh
+private-bin Enpass,dirname,importer_enpass,readlink,sh
 ?HAS_APPIMAGE: ignore private-dev
 private-dev
 private-opt Enpass
 private-tmp
 
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 restrict-namespaces
diff --git a/etc/profile-a-l/ephemeral.profile b/etc/profile-a-l/ephemeral.profile
index 8b32d08b1..795128418 100644
--- a/etc/profile-a-l/ephemeral.profile
+++ b/etc/profile-a-l/ephemeral.profile
@@ -59,7 +59,7 @@ private-cache
 private-tmp
 
 # breaks preferences
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
 restrict-namespaces
diff --git a/etc/profile-a-l/etr.profile b/etc/profile-a-l/etr.profile
index 5b9892af3..4789afee6 100644
--- a/etc/profile-a-l/etr.profile
+++ b/etc/profile-a-l/etr.profile
@@ -48,7 +48,7 @@ disable-mnt
 private-bin etr
 private-cache
 private-dev
-# private-etc alternatives,drirc,machine-id,openal,passwd
+#private-etc alternatives,drirc,machine-id,openal,passwd
 private-etc @games,@x11
 private-tmp
 
diff --git a/etc/profile-a-l/evince.profile b/etc/profile-a-l/evince.profile
index 75a3958ad..06a4a64b1 100644
--- a/etc/profile-a-l/evince.profile
+++ b/etc/profile-a-l/evince.profile
@@ -34,7 +34,7 @@ include whitelist-var-common.inc
 
 caps.drop all
 machine-id
-# net none - breaks AppArmor on Ubuntu systems
+#net none # breaks AppArmor on Ubuntu systems
 netfilter
 no3d
 nodvd
diff --git a/etc/profile-a-l/falkon.profile b/etc/profile-a-l/falkon.profile
index d805766eb..2a30d2e23 100644
--- a/etc/profile-a-l/falkon.profile
+++ b/etc/profile-a-l/falkon.profile
@@ -41,17 +41,17 @@ nou2f
 protocol unix,inet,inet6,netlink
 # blacklisting of chroot system calls breaks falkon
 seccomp !chroot
-# tracelog
+#tracelog
 
 disable-mnt
-# private-bin falkon
+#private-bin falkon
 private-cache
 private-dev
 private-etc @tls-ca,@x11,adobe,mailcap,mime.types
 private-tmp
 
-# dbus-user filter
-# dbus-user.own org.kde.Falkon
+#dbus-user filter
+#dbus-user.own org.kde.Falkon
 dbus-system none
 
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-a-l/fbreader.profile b/etc/profile-a-l/fbreader.profile
index 434371aee..5906085de 100644
--- a/etc/profile-a-l/fbreader.profile
+++ b/etc/profile-a-l/fbreader.profile
@@ -33,7 +33,7 @@ novideo
 protocol unix,inet,inet6
 seccomp
 
-private-bin fbreader,FBReader
+private-bin FBReader,fbreader
 private-dev
 private-tmp
 
diff --git a/etc/profile-a-l/fdns.profile b/etc/profile-a-l/fdns.profile
index fe7f88a75..e9d5709ec 100644
--- a/etc/profile-a-l/fdns.profile
+++ b/etc/profile-a-l/fdns.profile
@@ -24,7 +24,7 @@ include disable-xdg.inc
 apparmor /usr/bin/fdns
 caps.keep kill,net_bind_service,setgid,setuid,sys_admin,sys_chroot
 ipc-namespace
-# netfilter /etc/firejail/webserver.net
+#netfilter /etc/firejail/webserver.net
 no3d
 nodvd
 nogroups
@@ -43,7 +43,7 @@ private-bin bash,fdns,sh
 private-cache
 #private-dev
 private-etc @tls-ca,fdns
-# private-lib
+#private-lib
 private-tmp
 
 memory-deny-write-execute
diff --git a/etc/profile-a-l/feedreader.profile b/etc/profile-a-l/feedreader.profile
index 6aa24cc86..7b205a917 100644
--- a/etc/profile-a-l/feedreader.profile
+++ b/etc/profile-a-l/feedreader.profile
@@ -29,13 +29,13 @@ include whitelist-var-common.inc
 
 caps.drop all
 netfilter
-# no3d
+#no3d
 nodvd
 nogroups
 noinput
 nonewprivs
 noroot
-# nosound
+#nosound
 notv
 nou2f
 novideo
diff --git a/etc/profile-a-l/ferdi.profile b/etc/profile-a-l/ferdi.profile
index 3a044542f..27920620a 100644
--- a/etc/profile-a-l/ferdi.profile
+++ b/etc/profile-a-l/ferdi.profile
@@ -45,4 +45,4 @@ disable-mnt
 private-dev
 private-tmp
 
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-a-l/ffmpeg.profile b/etc/profile-a-l/ffmpeg.profile
index b7d54f05d..af9d556db 100644
--- a/etc/profile-a-l/ffmpeg.profile
+++ b/etc/profile-a-l/ffmpeg.profile
@@ -53,5 +53,5 @@ private-tmp
 dbus-user none
 dbus-system none
 
-# memory-deny-write-execute - it breaks old versions of ffmpeg
+#memory-deny-write-execute # it breaks old versions of ffmpeg
 restrict-namespaces
diff --git a/etc/profile-a-l/file-roller.profile b/etc/profile-a-l/file-roller.profile
index 78e2751b3..cc1a290ef 100644
--- a/etc/profile-a-l/file-roller.profile
+++ b/etc/profile-a-l/file-roller.profile
@@ -6,6 +6,8 @@ include file-roller.local
 # Persistent global definitions
 include globals.local
 
+noblacklist ${PATH}/dpkg*
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -22,7 +24,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 machine-id
-# net none - breaks on older Ubuntu versions
+#net none # breaks on older Ubuntu versions
 netfilter
 no3d
 nodvd
@@ -40,11 +42,11 @@ seccomp
 seccomp.block-secondary
 tracelog
 
-private-bin 7z,7za,7zr,ar,arj,atool,bash,brotli,bsdtar,bzip2,compress,cp,cpio,dpkg-deb,file-roller,gtar,gzip,isoinfo,lha,lrzip,lsar,lz4,lzip,lzma,lzop,mv,p7zip,rar,rm,rzip,sh,tar,unace,unalz,unar,uncompress,unrar,unsquashfs,unstuff,unzip,unzstd,xz,xzdec,zip,zoo,zstd
+private-bin 7z,7za,7zr,ar,arj,atool,bash,brotli,bsdtar,bzip2,compress,cp,cpio,dpkg*,file-roller,gtar,gzip,isoinfo,lha,lrzip,lsar,lz4,lzip,lzma,lzop,mv,p7zip,rar,rm,rzip,sh,tar,unace,unalz,unar,uncompress,unrar,unsquashfs,unstuff,unzip,unzstd,xz,xzdec,zip,zoo,zstd
 private-cache
 private-dev
 private-etc @x11
-# private-tmp
+#private-tmp
 
 dbus-user filter
 dbus-user.own org.gnome.ArchiveManager1
diff --git a/etc/profile-a-l/firefox-common-addons.profile b/etc/profile-a-l/firefox-common-addons.profile
index f12750fda..566e88bf8 100644
--- a/etc/profile-a-l/firefox-common-addons.profile
+++ b/etc/profile-a-l/firefox-common-addons.profile
@@ -11,6 +11,7 @@ ignore include whitelist-runuser-common.inc
 
 ignore private-cache
 
+noblacklist ${HOME}/.cache/mpv
 noblacklist ${HOME}/.cache/youtube-dl
 noblacklist ${HOME}/.config/kgetrc
 noblacklist ${HOME}/.config/mpv
@@ -32,9 +33,11 @@ noblacklist ${HOME}/.local/share/kget
 noblacklist ${HOME}/.local/share/kxmlgui5/okular
 noblacklist ${HOME}/.local/share/okular
 noblacklist ${HOME}/.local/share/qpdfview
+noblacklist ${HOME}/.local/state/mpv
 noblacklist ${HOME}/.netrc
 
 whitelist ${HOME}/.cache/gnome-mplayer/plugin
+whitelist ${HOME}/.cache/mpv
 whitelist ${HOME}/.cache/youtube-dl/youtube-sigfuncs
 whitelist ${HOME}/.config/gnome-mplayer
 whitelist ${HOME}/.config/kgetrc
@@ -62,6 +65,7 @@ whitelist ${HOME}/.local/share/kxmlgui5/okular
 whitelist ${HOME}/.local/share/okular
 whitelist ${HOME}/.local/share/qpdfview
 whitelist ${HOME}/.local/share/tridactyl
+whitelist ${HOME}/.local/state/mpv
 whitelist ${HOME}/.netrc
 whitelist ${HOME}/.pentadactyl
 whitelist ${HOME}/.pentadactylrc
diff --git a/etc/profile-a-l/floorp.profile b/etc/profile-a-l/floorp.profile
new file mode 100644
index 000000000..49caed107
--- /dev/null
+++ b/etc/profile-a-l/floorp.profile
@@ -0,0 +1,45 @@
+# Firejail profile for floorp
+# Description: A customisable Firefox fork with excellent privacy protection
+# This file is overwritten after every install/update
+# Persistent local customizations
+include floorp.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/floorp
+noblacklist ${HOME}/.floorp
+
+mkdir ${HOME}/.cache/floorp
+mkdir ${HOME}/.floorp
+whitelist ${HOME}/.cache/floorp
+whitelist ${HOME}/.floorp
+
+# Add the next lines to your floorp.local if you want to use the migration wizard.
+#noblacklist ${HOME}/.mozilla
+#whitelist ${HOME}/.mozilla
+
+# To enable KeePassXC Plugin add one of the following lines to your floorp.local.
+# Note: Start KeePassXC before floorp and keep it open to allow communication between them.
+#whitelist ${RUNUSER}/kpxc_server
+#whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer
+
+dbus-user filter
+dbus-user.own org.mozilla.floorp.*
+# Add the next line to your floorp.local to enable native notifications.
+#dbus-user.talk org.freedesktop.Notifications
+# Add the next line to your floorp.local to allow inhibiting screensavers.
+#dbus-user.talk org.freedesktop.ScreenSaver
+# Add the next lines to your floorp.local for plasma browser integration.
+#dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration
+#dbus-user.talk org.kde.JobViewServer
+#dbus-user.talk org.kde.kuiserver
+# Add the next line to your floorp.local to allow screensharing under Wayland.
+#dbus-user.talk org.freedesktop.portal.Desktop
+# Also add the next line to your floorp.local if screensharing does not work with
+# the above lines (depends on the portal implementation).
+#ignore noroot
+ignore apparmor
+ignore dbus-user none
+
+# Redirect
+include firefox-common.profile
diff --git a/etc/profile-a-l/fluffychat.profile b/etc/profile-a-l/fluffychat.profile
new file mode 100644
index 000000000..1c5db09e9
--- /dev/null
+++ b/etc/profile-a-l/fluffychat.profile
@@ -0,0 +1,73 @@
+# Firejail profile for fluffychat
+# Description: Easy to use matrix messenger
+# This file is overwritten after every install/update
+# Persistent local customizations
+include fluffychat.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/fluffychat
+
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+# The lines below are needed to find the default Firefox profile name, to allow
+# opening links in an existing instance of Firefox (note that it still fails if
+# there isn't a Firefox instance running with the default profile; see #5352)
+noblacklist ${HOME}/.mozilla
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+read-only ${HOME}/.mozilla/firefox/profiles.ini
+
+mkdir ${HOME}/.local/share/fluffychat
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.local/share/fluffychat
+whitelist /opt/fluffychat
+whitelist /usr/share/fluffychat
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noprinters
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+tracelog
+
+disable-mnt
+private-bin firefox,fluffychat,sh,which,zenity
+private-cache
+private-dev
+private-etc X11,alsa,alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gconf,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,xdg
+private-tmp
+
+dbus-user filter
+dbus-user.talk org.freedesktop.secrets
+# allow D-Bus communication with firefox for opening links
+dbus-user.talk org.mozilla.*
+dbus-system filter
+dbus-system.talk org.freedesktop.NetworkManager
+
+restrict-namespaces
diff --git a/etc/profile-a-l/font-manager.profile b/etc/profile-a-l/font-manager.profile
index 88ae56c82..5b9603243 100644
--- a/etc/profile-a-l/font-manager.profile
+++ b/etc/profile-a-l/font-manager.profile
@@ -33,7 +33,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 machine-id
-# net none - issues on older versions
+#net none # issues on older versions
 no3d
 nodvd
 nogroups
@@ -53,5 +53,5 @@ private-bin font-manager,python*,yelp
 private-dev
 private-tmp
 
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 restrict-namespaces
diff --git a/etc/profile-a-l/franz.profile b/etc/profile-a-l/franz.profile
index e21789d73..664773b77 100644
--- a/etc/profile-a-l/franz.profile
+++ b/etc/profile-a-l/franz.profile
@@ -45,4 +45,4 @@ disable-mnt
 private-dev
 private-tmp
 
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-a-l/freemind.profile b/etc/profile-a-l/freemind.profile
index 9bf5a14be..80958d305 100644
--- a/etc/profile-a-l/freemind.profile
+++ b/etc/profile-a-l/freemind.profile
@@ -9,6 +9,8 @@ include globals.local
 noblacklist ${DOCUMENTS}
 noblacklist ${HOME}/.freemind
 
+noblacklist ${PATH}/dpkg*
+
 # Allow java (blacklisted by disable-devel.inc)
 include allow-java.inc
 
@@ -40,7 +42,7 @@ seccomp
 tracelog
 
 disable-mnt
-private-bin bash,cp,dirname,dpkg,echo,freemind,grep,java,lsb_release,mkdir,readlink,rpm,sed,sh,uname,which
+private-bin bash,cp,dirname,dpkg*,echo,freemind,grep,java,lsb_release,mkdir,readlink,rpm,sed,sh,uname,which
 private-cache
 private-dev
 #private-etc alternatives,fonts,java*
diff --git a/etc/profile-a-l/freshclam.profile b/etc/profile-a-l/freshclam.profile
index 133d66f0d..f59094567 100644
--- a/etc/profile-a-l/freshclam.profile
+++ b/etc/profile-a-l/freshclam.profile
@@ -2,7 +2,7 @@
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations
-include clamav.local
+include freshclam.local
 # Persistent global definitions
 include globals.local
 
diff --git a/etc/profile-a-l/frozen-bubble.profile b/etc/profile-a-l/frozen-bubble.profile
index f162a4a31..98f473654 100644
--- a/etc/profile-a-l/frozen-bubble.profile
+++ b/etc/profile-a-l/frozen-bubble.profile
@@ -41,7 +41,7 @@ seccomp
 tracelog
 
 disable-mnt
-# private-bin frozen-bubble
+#private-bin frozen-bubble
 private-dev
 private-etc @games,@x11
 private-tmp
diff --git a/etc/profile-a-l/funnyboat.profile b/etc/profile-a-l/funnyboat.profile
index 8ca349d1c..bd790cab4 100644
--- a/etc/profile-a-l/funnyboat.profile
+++ b/etc/profile-a-l/funnyboat.profile
@@ -16,7 +16,7 @@ include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
-# include disable-shell.inc
+#include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.funnyboat
@@ -41,7 +41,7 @@ notv
 novideo
 protocol unix,inet,inet6
 seccomp
-# tracelog
+#tracelog
 
 disable-mnt
 private-cache
diff --git a/etc/profile-a-l/galculator.profile b/etc/profile-a-l/galculator.profile
index 44d62cc86..aa1b96c41 100644
--- a/etc/profile-a-l/galculator.profile
+++ b/etc/profile-a-l/galculator.profile
@@ -48,5 +48,5 @@ private-tmp
 dbus-user none
 dbus-system none
 
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 restrict-namespaces
diff --git a/etc/profile-a-l/gapplication.profile b/etc/profile-a-l/gapplication.profile
index baf8f614e..2d0511cf6 100644
--- a/etc/profile-a-l/gapplication.profile
+++ b/etc/profile-a-l/gapplication.profile
@@ -17,7 +17,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-include whitelist-common.inc
+#include whitelist-common.inc # see #903
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/geary.profile b/etc/profile-a-l/geary.profile
index ba0837780..da240c36a 100644
--- a/etc/profile-a-l/geary.profile
+++ b/etc/profile-a-l/geary.profile
@@ -53,7 +53,7 @@ include whitelist-var-common.inc
 
 apparmor
 caps.drop all
-#ipc-namespace - may cause issues with X11
+#ipc-namespace # may cause issues with X11
 #machine-id
 netfilter
 no3d
@@ -71,7 +71,7 @@ seccomp
 seccomp.block-secondary
 tracelog
 
-# disable-mnt
+#disable-mnt
 #private-bin geary,sh
 private-cache
 private-dev
diff --git a/etc/profile-a-l/gedit.profile b/etc/profile-a-l/gedit.profile
index dbb3ab971..bc265a509 100644
--- a/etc/profile-a-l/gedit.profile
+++ b/etc/profile-a-l/gedit.profile
@@ -13,18 +13,18 @@ noblacklist ${HOME}/.config/gedit
 include allow-common-devel.inc
 
 include disable-common.inc
-# include disable-devel.inc
+#include disable-devel.inc
 include disable-exec.inc
-# include disable-interpreters.inc
+#include disable-interpreters.inc
 include disable-programs.inc
 
 include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
-# apparmor - makes settings immutable
+#apparmor # makes settings immutable
 caps.drop all
 machine-id
-# net none - makes settings immutable
+#net none # makes settings immutable
 no3d
 nodvd
 nogroups
@@ -40,14 +40,14 @@ seccomp
 seccomp.block-secondary
 tracelog
 
-# private-bin gedit
+#private-bin gedit
 private-dev
 # private-lib breaks python plugins - add the next line to your gedit.local if you don't use them.
 #private-lib aspell,gconv,gedit,libgspell-1.so.*,libgtksourceview-*,libpeas-gtk-1.0.so.*,libreadline.so.*,libtinfo.so.*
 private-tmp
 
 # makes settings immutable
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
 restrict-namespaces
diff --git a/etc/profile-a-l/geekbench.profile b/etc/profile-a-l/geekbench.profile
index e8d4c013f..387ec615f 100644
--- a/etc/profile-a-l/geekbench.profile
+++ b/etc/profile-a-l/geekbench.profile
@@ -43,7 +43,7 @@ seccomp
 tracelog
 
 disable-mnt
-#private-bin bash,geekbench*,sh -- #4576
+#private-bin bash,geekbench*,sh # #4576
 private-cache
 private-dev
 private-etc lsb-release
diff --git a/etc/profile-a-l/geeqie.profile b/etc/profile-a-l/geeqie.profile
index f81a49e4f..6cd28f25d 100644
--- a/etc/profile-a-l/geeqie.profile
+++ b/etc/profile-a-l/geeqie.profile
@@ -32,7 +32,7 @@ novideo
 protocol unix,inet,inet6
 seccomp
 
-# private-bin geeqie
+#private-bin geeqie
 private-dev
 
 restrict-namespaces
diff --git a/etc/profile-a-l/gfeeds.profile b/etc/profile-a-l/gfeeds.profile
index 1c97ad21c..007658138 100644
--- a/etc/profile-a-l/gfeeds.profile
+++ b/etc/profile-a-l/gfeeds.profile
@@ -58,7 +58,7 @@ tracelog
 
 disable-mnt
 private-bin gfeeds,python3*
-# private-cache -- feeds are stored in ~/.cache
+#private-cache # feeds are stored in ~/.cache
 private-dev
 private-etc @tls-ca,@x11,dbus-1,gconf,host.conf,mime.types,rpc,services
 private-tmp
diff --git a/etc/profile-a-l/ghostwriter.profile b/etc/profile-a-l/ghostwriter.profile
index dabf0dd7f..2023ca9f0 100644
--- a/etc/profile-a-l/ghostwriter.profile
+++ b/etc/profile-a-l/ghostwriter.profile
@@ -45,7 +45,7 @@ novideo
 protocol unix,inet,inet6,netlink
 seccomp !chroot
 seccomp.block-secondary
-#tracelog -- breaks
+#tracelog # breaks
 
 private-bin context,gettext,ghostwriter,latex,mktexfmt,pandoc,pdflatex,pdfroff,prince,weasyprint,wkhtmltopdf
 private-cache
diff --git a/etc/profile-a-l/github-desktop.profile b/etc/profile-a-l/github-desktop.profile
index ced1aa190..88134b363 100644
--- a/etc/profile-a-l/github-desktop.profile
+++ b/etc/profile-a-l/github-desktop.profile
@@ -29,14 +29,14 @@ noblacklist ${HOME}/.config/git
 noblacklist ${HOME}/.gitconfig
 noblacklist ${HOME}/.git-credentials
 
-# no3d
+#no3d
 nosound
 
-# private-bin github-desktop
+#private-bin github-desktop
 ?HAS_APPIMAGE: ignore private-dev
-# private-lib
+#private-lib
 
-# memory-deny-write-execute
+#memory-deny-write-execute
 
 # Redirect
 include electron-common.profile
diff --git a/etc/profile-a-l/gitter.profile b/etc/profile-a-l/gitter.profile
index e3cf87c87..54f2923ba 100644
--- a/etc/profile-a-l/gitter.profile
+++ b/etc/profile-a-l/gitter.profile
@@ -18,6 +18,7 @@ mkdir ${HOME}/.config/Gitter
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.config/autostart
 whitelist ${HOME}/.config/Gitter
+whitelist /opt/Gitter
 include whitelist-var-common.inc
 
 caps.drop all
@@ -37,7 +38,6 @@ seccomp
 disable-mnt
 private-bin bash,env,gitter
 private-etc @tls-ca
-private-opt Gitter
 private-dev
 private-tmp
 
diff --git a/etc/profile-a-l/gjs.profile b/etc/profile-a-l/gjs.profile
index bd332a6d5..cad261365 100644
--- a/etc/profile-a-l/gjs.profile
+++ b/etc/profile-a-l/gjs.profile
@@ -38,9 +38,9 @@ protocol unix,inet,inet6
 seccomp
 tracelog
 
-# private-bin gjs,gnome-books,gnome-documents,gnome-maps,gnome-photos,gnome-weather
+#private-bin gjs,gnome-books,gnome-documents,gnome-maps,gnome-photos,gnome-weather
 private-dev
-# private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl
+#private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl
 private-tmp
 
 restrict-namespaces
diff --git a/etc/profile-a-l/gmpc.profile b/etc/profile-a-l/gmpc.profile
index f3e045000..4d4a0d50e 100644
--- a/etc/profile-a-l/gmpc.profile
+++ b/etc/profile-a-l/gmpc.profile
@@ -47,8 +47,9 @@ private-etc
 private-tmp
 writable-run-user
 
-# dbus-user none
-# dbus-system none
+dbus-user filter
+dbus-user.talk org.mpris.MediaPlayer2.mpd
+dbus-system none
 
-# memory-deny-write-execute - breaks on Arch
+#memory-deny-write-execute # breaks on Arch
 restrict-namespaces
diff --git a/etc/profile-a-l/gnome-books.profile b/etc/profile-a-l/gnome-books.profile
index 812923b2d..962b8b30f 100644
--- a/etc/profile-a-l/gnome-books.profile
+++ b/etc/profile-a-l/gnome-books.profile
@@ -39,7 +39,7 @@ protocol unix
 seccomp
 tracelog
 
-# private-bin gjs,gnome-books
+#private-bin gjs,gnome-books
 private-dev
 private-tmp
 
diff --git a/etc/profile-a-l/gnome-calculator.profile b/etc/profile-a-l/gnome-calculator.profile
index e5c6022e8..40f799693 100644
--- a/etc/profile-a-l/gnome-calculator.profile
+++ b/etc/profile-a-l/gnome-calculator.profile
@@ -24,7 +24,7 @@ apparmor
 caps.drop all
 ipc-namespace
 machine-id
-#net none -- breaks currency conversion
+#net none # breaks currency conversion
 netfilter
 no3d
 nodvd
diff --git a/etc/profile-a-l/gnome-calendar.profile b/etc/profile-a-l/gnome-calendar.profile
index ddfe57879..e6fe27774 100644
--- a/etc/profile-a-l/gnome-calendar.profile
+++ b/etc/profile-a-l/gnome-calendar.profile
@@ -15,7 +15,7 @@ include disable-shell.inc
 include disable-xdg.inc
 
 whitelist /usr/share/libgweather
-include whitelist-common.inc
+#include whitelist-common.inc # see #903
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/gnome-characters.profile b/etc/profile-a-l/gnome-characters.profile
index 9e9730e53..9f592722c 100644
--- a/etc/profile-a-l/gnome-characters.profile
+++ b/etc/profile-a-l/gnome-characters.profile
@@ -52,8 +52,8 @@ private-etc @x11,gconf,mime.types
 private-tmp
 
 # Add the next lines to your gnome-characters.local if you don't need access to recently used chars.
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
 read-only ${HOME}
 restrict-namespaces
diff --git a/etc/profile-a-l/gnome-contacts.profile b/etc/profile-a-l/gnome-contacts.profile
index 2326115c3..25a906c69 100644
--- a/etc/profile-a-l/gnome-contacts.profile
+++ b/etc/profile-a-l/gnome-contacts.profile
@@ -21,7 +21,7 @@ include whitelist-var-common.inc
 
 caps.drop all
 netfilter
-#no3d - breaks on Arch
+#no3d # breaks on Arch
 nodvd
 noinput
 nonewprivs
diff --git a/etc/profile-a-l/gnome-keyring.profile b/etc/profile-a-l/gnome-keyring.profile
index 45b6fd880..aa0a7f4cc 100644
--- a/etc/profile-a-l/gnome-keyring.profile
+++ b/etc/profile-a-l/gnome-keyring.profile
@@ -55,7 +55,7 @@ private-dev
 #private-lib alternatives,gnome-keyring,libsecret-1.so.*,pkcs11,security
 private-tmp
 
-# dbus-user none
+#dbus-user none
 dbus-system none
 
 memory-deny-write-execute
diff --git a/etc/profile-a-l/gnome-logs.profile b/etc/profile-a-l/gnome-logs.profile
index 61f4f4107..4d2681fbc 100644
--- a/etc/profile-a-l/gnome-logs.profile
+++ b/etc/profile-a-l/gnome-logs.profile
@@ -6,49 +6,15 @@ include gnome-logs.local
 # Persistent global definitions
 include globals.local
 
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-programs.inc
-include disable-shell.inc
-include disable-xdg.inc
+whitelist /usr/share/gnome-logs
 
-whitelist /var/log/journal
-include whitelist-runuser-common.inc
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
-
-apparmor
-caps.drop all
-ipc-namespace
-net none
-no3d
-nodvd
-noinput
-nonewprivs
-nosound
-notv
-nou2f
-novideo
-protocol unix
-seccomp
-tracelog
-
-disable-mnt
 private-bin gnome-logs
-private-cache
-private-dev
-private-etc
 private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*
-private-tmp
-writable-var-log
 
 dbus-user filter
 dbus-user.own org.gnome.Logs
 dbus-user.talk ca.desrt.dconf
-dbus-system none
+ignore dbus-user none
 
-# Add 'ignore read-only ${HOME}' to your gnome-logs.local if you export logs to a file under your ${HOME}.
-read-only ${HOME}
-restrict-namespaces
+# Redirect
+include system-log-common.profile
diff --git a/etc/profile-a-l/gnome-maps.profile b/etc/profile-a-l/gnome-maps.profile
index 17f52e588..40c264c86 100644
--- a/etc/profile-a-l/gnome-maps.profile
+++ b/etc/profile-a-l/gnome-maps.profile
@@ -61,7 +61,7 @@ tracelog
 
 disable-mnt
 private-bin gjs,gnome-maps
-# private-cache -- gnome-maps cache all maps/satelite-images
+#private-cache # gnome-maps cache all maps/satelite-images
 private-dev
 private-etc @tls-ca,@x11,clutter-1.0,gconf,host.conf,mime.types,pkcs11,rpc,services
 private-tmp
diff --git a/etc/profile-a-l/gnome-mplayer.profile b/etc/profile-a-l/gnome-mplayer.profile
index 052e9ba9c..5315cbec6 100644
--- a/etc/profile-a-l/gnome-mplayer.profile
+++ b/etc/profile-a-l/gnome-mplayer.profile
@@ -26,7 +26,7 @@ nou2f
 protocol unix,inet,inet6
 seccomp
 
-# private-bin gnome-mplayer,mplayer
+#private-bin gnome-mplayer,mplayer
 private-cache
 private-dev
 private-tmp
diff --git a/etc/profile-a-l/gnome-nettool.profile b/etc/profile-a-l/gnome-nettool.profile
index 7a9a0e336..7a8338cd7 100644
--- a/etc/profile-a-l/gnome-nettool.profile
+++ b/etc/profile-a-l/gnome-nettool.profile
@@ -14,7 +14,7 @@ include disable-programs.inc
 include disable-xdg.inc
 
 whitelist /usr/share/gnome-nettool
-#include whitelist-common.inc -- see #903
+#include whitelist-common.inc # see #903
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/gnome-photos.profile b/etc/profile-a-l/gnome-photos.profile
index 1d0291aa2..4d2a3913f 100644
--- a/etc/profile-a-l/gnome-photos.profile
+++ b/etc/profile-a-l/gnome-photos.profile
@@ -36,7 +36,7 @@ seccomp
 seccomp.block-secondary
 tracelog
 
-# private-bin gjs,gnome-photos
+#private-bin gjs,gnome-photos
 private-dev
 private-tmp
 
diff --git a/etc/profile-a-l/gnome-pie.profile b/etc/profile-a-l/gnome-pie.profile
index ac0fb555d..dff6032d1 100644
--- a/etc/profile-a-l/gnome-pie.profile
+++ b/etc/profile-a-l/gnome-pie.profile
@@ -16,7 +16,7 @@ include disable-exec.inc
 
 caps.drop all
 ipc-namespace
-# net none - breaks dbus
+#net none # breaks dbus
 no3d
 nodvd
 nogroups
diff --git a/etc/profile-a-l/gnome-ring.profile b/etc/profile-a-l/gnome-ring.profile
index 8f2ab7fd6..898cdf1f8 100644
--- a/etc/profile-a-l/gnome-ring.profile
+++ b/etc/profile-a-l/gnome-ring.profile
@@ -27,7 +27,7 @@ protocol unix,inet,inet6,netlink
 seccomp
 
 disable-mnt
-# private-dev
+#private-dev
 private-tmp
 
 restrict-namespaces
diff --git a/etc/profile-a-l/gnome-schedule.profile b/etc/profile-a-l/gnome-schedule.profile
index b71d77621..33f22136e 100644
--- a/etc/profile-a-l/gnome-schedule.profile
+++ b/etc/profile-a-l/gnome-schedule.profile
@@ -46,7 +46,7 @@ apparmor
 caps.keep chown,dac_override,setgid,setuid
 ipc-namespace
 machine-id
-#net none - breaks on Ubuntu
+#net none # breaks on Ubuntu
 no3d
 nodvd
 nogroups
diff --git a/etc/profile-a-l/gnome-system-log.profile b/etc/profile-a-l/gnome-system-log.profile
index f4e985342..0d6116f4f 100644
--- a/etc/profile-a-l/gnome-system-log.profile
+++ b/etc/profile-a-l/gnome-system-log.profile
@@ -6,51 +6,13 @@ include gnome-system-log.local
 # Persistent global definitions
 include globals.local
 
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-programs.inc
-include disable-shell.inc
-include disable-xdg.inc
+# 'net none' breaks dbus
+ignore net none
 
-whitelist /var/log
-include whitelist-common.inc
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
-
-apparmor
-caps.drop all
-ipc-namespace
-# net none - breaks dbus
-no3d
-nodvd
-# When using 'volatile' storage (https://www.freedesktop.org/software/systemd/man/journald.conf.html),
-# put 'ignore nogroups' and 'ignore noroot' in your gnome-system-log.local.
-nogroups
-noinput
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix
-seccomp
-
-disable-mnt
 private-bin gnome-system-log
-private-cache
-private-dev
-private-etc
 private-lib
-private-tmp
-writable-var-log
-
-# dbus-user none
-# dbus-system none
 
 memory-deny-write-execute
-# Add 'ignore read-only ${HOME}' to your gnome-system-log.local if you export logs to a file under your ${HOME}.
-read-only ${HOME}
-restrict-namespaces
+
+# Redirect
+include system-log-common.profile
diff --git a/etc/profile-a-l/gnome-weather.profile b/etc/profile-a-l/gnome-weather.profile
index 147b84a19..8637f5019 100644
--- a/etc/profile-a-l/gnome-weather.profile
+++ b/etc/profile-a-l/gnome-weather.profile
@@ -41,9 +41,9 @@ seccomp.block-secondary
 tracelog
 
 disable-mnt
-# private-bin gjs,gnome-weather
+#private-bin gjs,gnome-weather
 private-dev
-# private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl
+#private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl
 private-tmp
 
 restrict-namespaces
diff --git a/etc/profile-a-l/gnubik.profile b/etc/profile-a-l/gnubik.profile
index 025cb74b6..0c4ca35ac 100644
--- a/etc/profile-a-l/gnubik.profile
+++ b/etc/profile-a-l/gnubik.profile
@@ -15,7 +15,7 @@ include disable-shell.inc
 include disable-xdg.inc
 
 whitelist /usr/share/gnubik
-include whitelist-common.inc
+#include whitelist-common.inc # see #903
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/godot.profile b/etc/profile-a-l/godot.profile
index 5e41384ab..96bbffc41 100644
--- a/etc/profile-a-l/godot.profile
+++ b/etc/profile-a-l/godot.profile
@@ -34,7 +34,7 @@ seccomp
 tracelog
 
 
-# private-bin godot
+#private-bin godot
 private-cache
 private-dev
 private-etc @games,@tls-ca,@x11,mono
diff --git a/etc/profile-a-l/goobox.profile b/etc/profile-a-l/goobox.profile
index 8807a239d..96b72230d 100644
--- a/etc/profile-a-l/goobox.profile
+++ b/etc/profile-a-l/goobox.profile
@@ -28,9 +28,9 @@ protocol unix,inet,inet6
 seccomp
 tracelog
 
-# private-bin goobox
+#private-bin goobox
 private-dev
-# private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,machine-id,pki,pulse,ssl
-# private-tmp
+#private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,machine-id,pki,pulse,ssl
+#private-tmp
 
 restrict-namespaces
diff --git a/etc/profile-a-l/google-earth.profile b/etc/profile-a-l/google-earth.profile
index 4af6ce36b..1087b3d6e 100644
--- a/etc/profile-a-l/google-earth.profile
+++ b/etc/profile-a-l/google-earth.profile
@@ -18,6 +18,7 @@ mkdir ${HOME}/.config/Google
 mkdir ${HOME}/.googleearth
 whitelist ${HOME}/.config/Google
 whitelist ${HOME}/.googleearth
+whitelist /opt/google
 include whitelist-common.inc
 
 caps.drop all
@@ -37,6 +38,5 @@ seccomp
 disable-mnt
 private-bin bash,dirname,google-earth,grep,ls,sed,sh
 private-dev
-private-opt google
 
 restrict-namespaces
diff --git a/etc/profile-a-l/google-play-music-desktop-player.profile b/etc/profile-a-l/google-play-music-desktop-player.profile
index c2a7d89fd..1218631d8 100644
--- a/etc/profile-a-l/google-play-music-desktop-player.profile
+++ b/etc/profile-a-l/google-play-music-desktop-player.profile
@@ -17,8 +17,8 @@ include disable-interpreters.inc
 include disable-programs.inc
 
 mkdir ${HOME}/.config/Google Play Music Desktop Player
-# whitelist ${HOME}/.config/pulse
-# whitelist ${HOME}/.pulse
+#whitelist ${HOME}/.config/pulse
+#whitelist ${HOME}/.pulse
 whitelist ${HOME}/.config/Google Play Music Desktop Player
 include whitelist-common.inc
 
diff --git a/etc/profile-a-l/gpa.profile b/etc/profile-a-l/gpa.profile
index e05cdf424..25498d89e 100644
--- a/etc/profile-a-l/gpa.profile
+++ b/etc/profile-a-l/gpa.profile
@@ -28,7 +28,7 @@ protocol unix,inet,inet6
 seccomp
 tracelog
 
-# private-bin gpa,gpg
+#private-bin gpa,gpg
 private-dev
 
 restrict-namespaces
diff --git a/etc/profile-a-l/gpg-agent.profile b/etc/profile-a-l/gpg-agent.profile
index f4cd85e3a..3b623a338 100644
--- a/etc/profile-a-l/gpg-agent.profile
+++ b/etc/profile-a-l/gpg-agent.profile
@@ -46,7 +46,7 @@ protocol unix,inet,inet6
 seccomp
 tracelog
 
-# private-bin gpg-agent
+#private-bin gpg-agent
 private-cache
 private-dev
 
diff --git a/etc/profile-a-l/gpg.profile b/etc/profile-a-l/gpg.profile
index 60690852a..bf4a1c60b 100644
--- a/etc/profile-a-l/gpg.profile
+++ b/etc/profile-a-l/gpg.profile
@@ -42,7 +42,7 @@ protocol unix,inet,inet6
 seccomp
 tracelog
 
-# private-bin gpg
+#private-bin gpg
 private-cache
 private-dev
 
diff --git a/etc/profile-a-l/gpg2.profile b/etc/profile-a-l/gpg2.profile
index b831b0f62..a9d928f17 100644
--- a/etc/profile-a-l/gpg2.profile
+++ b/etc/profile-a-l/gpg2.profile
@@ -7,7 +7,7 @@ include gpg2.local
 # added by included profile
 #include globals.local
 
-# private-bin gpg2
+#private-bin gpg2
 
 # Redirect
 include gpg.profile
diff --git a/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile b/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile
index 19af7c0b9..5ccce8447 100644
--- a/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile
+++ b/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile
@@ -15,7 +15,7 @@ include disable-shell.inc
 include disable-xdg.inc
 
 whitelist /usr/share/gravity-beams-and-evaporating-stars
-include whitelist-common.inc
+#include whitelist-common.inc # see #903
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/gucharmap.profile b/etc/profile-a-l/gucharmap.profile
index ef4aad4da..93db304da 100644
--- a/etc/profile-a-l/gucharmap.profile
+++ b/etc/profile-a-l/gucharmap.profile
@@ -22,7 +22,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 machine-id
-#net none - breaks dbus
+#net none # breaks dbus
 no3d
 nodvd
 nogroups
@@ -47,8 +47,8 @@ private-lib
 private-tmp
 
 # breaks state saving
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
 read-only ${HOME}
 restrict-namespaces
diff --git a/etc/profile-a-l/gwenview.profile b/etc/profile-a-l/gwenview.profile
index 4be71f6d3..bc4084a38 100644
--- a/etc/profile-a-l/gwenview.profile
+++ b/etc/profile-a-l/gwenview.profile
@@ -14,6 +14,7 @@ noblacklist ${HOME}/.kde/share/apps/gwenview
 noblacklist ${HOME}/.kde/share/config/gwenviewrc
 noblacklist ${HOME}/.kde4/share/apps/gwenview
 noblacklist ${HOME}/.kde4/share/config/gwenviewrc
+noblacklist ${HOME}/.local/share/Trash
 noblacklist ${HOME}/.local/share/gwenview
 noblacklist ${HOME}/.local/share/kxmlgui5/gwenview
 noblacklist ${HOME}/.local/share/org.kde.gwenview
@@ -30,7 +31,7 @@ include whitelist-var-common.inc
 
 apparmor
 caps.drop all
-# net none
+#net none
 netfilter
 nodvd
 nogroups
@@ -42,14 +43,14 @@ nou2f
 novideo
 protocol unix
 seccomp
-# tracelog
+#tracelog
 
 private-bin gimp*,gwenview,kbuildsycoca4,kdeinit4
 private-dev
 private-etc @x11,gimp
 
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
-# memory-deny-write-execute
+#memory-deny-write-execute
 restrict-namespaces
diff --git a/etc/profile-a-l/hexchat.profile b/etc/profile-a-l/hexchat.profile
index df7f8f3a3..def7bf25f 100644
--- a/etc/profile-a-l/hexchat.profile
+++ b/etc/profile-a-l/hexchat.profile
@@ -32,7 +32,7 @@ include whitelist-common.inc
 include whitelist-var-common.inc
 
 caps.drop all
-#machine-id -- breaks sound
+#machine-id # breaks sound
 netfilter
 no3d
 nodvd
@@ -51,8 +51,8 @@ disable-mnt
 # debug note: private-bin requires perl, python, etc on some systems
 private-bin hexchat,python*,sh
 private-dev
-#private-lib - python problems
+#private-lib # python problems
 private-tmp
 
-# memory-deny-write-execute - breaks python
+#memory-deny-write-execute # breaks python
 restrict-namespaces
diff --git a/etc/profile-a-l/homebank.profile b/etc/profile-a-l/homebank.profile
index ccbb66333..d36cf0f46 100644
--- a/etc/profile-a-l/homebank.profile
+++ b/etc/profile-a-l/homebank.profile
@@ -28,7 +28,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 machine-id
-# net none
+#net none
 netfilter
 nodvd
 no3d
@@ -55,5 +55,5 @@ private-tmp
 dbus-user none
 dbus-system none
 
-# memory-deny-write-execute
+#memory-deny-write-execute
 restrict-namespaces
diff --git a/etc/profile-a-l/hugin.profile b/etc/profile-a-l/hugin.profile
index c4085cf9c..683e1b5f7 100644
--- a/etc/profile-a-l/hugin.profile
+++ b/etc/profile-a-l/hugin.profile
@@ -38,7 +38,7 @@ novideo
 protocol unix
 seccomp
 
-private-bin align_image_stack,autooptimiser,calibrate_lens_gui,celeste_standalone,checkpto,cpclean,cpfind,deghosting_mask,enblend,exiftool,fulla,geocpset,hugin,hugin_executor,hugin_hdrmerge,hugin_lensdb,hugin_stitch_project,icpfind,linefind,nona,pano_modify,pano_trafo,perl,PTBatcherGUI,pto_gen,pto_lensstack,pto_mask,pto_merge,pto_move,pto_template,pto_var,sh,tca_correct,uname,verdandi,vig_optimize
+private-bin PTBatcherGUI,align_image_stack,autooptimiser,calibrate_lens_gui,celeste_standalone,checkpto,cpclean,cpfind,deghosting_mask,enblend,exiftool,fulla,geocpset,hugin,hugin_executor,hugin_hdrmerge,hugin_lensdb,hugin_stitch_project,icpfind,linefind,nona,pano_modify,pano_trafo,perl,pto_gen,pto_lensstack,pto_mask,pto_merge,pto_move,pto_template,pto_var,sh,tca_correct,uname,verdandi,vig_optimize
 private-cache
 private-dev
 private-tmp
diff --git a/etc/profile-a-l/iagno.profile b/etc/profile-a-l/iagno.profile
index 82cba7887..47c341333 100644
--- a/etc/profile-a-l/iagno.profile
+++ b/etc/profile-a-l/iagno.profile
@@ -43,7 +43,7 @@ private-dev
 private-etc @x11,gconf
 private-tmp
 
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
 restrict-namespaces
diff --git a/etc/profile-a-l/idea.sh.profile b/etc/profile-a-l/idea.sh.profile
index 31f65962f..2b4c68a4d 100644
--- a/etc/profile-a-l/idea.sh.profile
+++ b/etc/profile-a-l/idea.sh.profile
@@ -36,7 +36,7 @@ seccomp
 
 private-cache
 private-dev
-# private-tmp
+#private-tmp
 
 noexec /tmp
 restrict-namespaces
diff --git a/etc/profile-a-l/img2txt.profile b/etc/profile-a-l/img2txt.profile
index ee341423a..8091a4c9e 100644
--- a/etc/profile-a-l/img2txt.profile
+++ b/etc/profile-a-l/img2txt.profile
@@ -41,7 +41,7 @@ seccomp
 tracelog
 x11 none
 
-# private-bin img2txt
+#private-bin img2txt
 private-cache
 private-dev
 private-tmp
diff --git a/etc/profile-a-l/inkscape.profile b/etc/profile-a-l/inkscape.profile
index c4fc16c87..ced7a285f 100644
--- a/etc/profile-a-l/inkscape.profile
+++ b/etc/profile-a-l/inkscape.profile
@@ -61,7 +61,7 @@ protocol unix
 seccomp
 tracelog
 
-# private-bin inkscape,potrace,python* - problems on Debian stretch
+#private-bin inkscape,potrace,python* # problems on Debian stretch
 private-cache
 private-dev
 private-etc @x11,ImageMagick*,python*
diff --git a/etc/profile-a-l/ipcalc.profile b/etc/profile-a-l/ipcalc.profile
index 7eabbca84..369519947 100644
--- a/etc/profile-a-l/ipcalc.profile
+++ b/etc/profile-a-l/ipcalc.profile
@@ -14,11 +14,11 @@ include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
-# include disable-shell.inc
+#include disable-shell.inc
 include disable-write-mnt.inc
 include disable-xdg.inc
 
-# include whitelist-common.inc
+#include whitelist-common.inc # see #903
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -26,7 +26,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 ipc-namespace
-# machine-id
+#machine-id
 net none
 netfilter
 no3d
@@ -39,14 +39,14 @@ nosound
 notv
 nou2f
 novideo
-# protocol unix
+#protocol unix
 seccomp
-# tracelog
+#tracelog
 
 disable-mnt
 private
 private-bin bash,ipcalc,ipcalc-ng,perl,sh
-# private-cache
+#private-cache
 private-dev
 # empty etc directory
 private-etc
@@ -57,6 +57,6 @@ private-tmp
 dbus-user none
 dbus-system none
 
-# memory-deny-write-execute
-# read-only ${HOME}
+#memory-deny-write-execute
+#read-only ${HOME}
 restrict-namespaces
diff --git a/etc/profile-a-l/journal-viewer.profile b/etc/profile-a-l/journal-viewer.profile
new file mode 100644
index 000000000..eb007b765
--- /dev/null
+++ b/etc/profile-a-l/journal-viewer.profile
@@ -0,0 +1,24 @@
+# Firejail profile for journal-viewer
+# Description: Visualize systemd logs
+# This file is overwritten after every install/update
+# Persistent local customizations
+include journal-viewer.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/journal-viewer
+noblacklist ${HOME}/.local/share/com.vmingueza.journal-viewer
+
+mkdir ${HOME}/.cache/journal-viewer
+mkdir ${HOME}/.local/share/com.vmingueza.journal-viewer
+whitelist ${HOME}/.cache/journal-viewer
+whitelist ${HOME}/.local/share/com.vmingueza.journal-viewer
+
+private-bin journal-viewer
+private-lib webkit2gtk-*
+
+read-write ${HOME}/.cache/journal-viewer
+read-write ${HOME}/.local/share/com.vmingueza.journal-viewer
+
+# Redirect
+include system-log-common.profile
diff --git a/etc/profile-a-l/k3b.profile b/etc/profile-a-l/k3b.profile
index 81d4f3458..9fb609151 100644
--- a/etc/profile-a-l/k3b.profile
+++ b/etc/profile-a-l/k3b.profile
@@ -21,19 +21,19 @@ include disable-xdg.inc
 include whitelist-var-common.inc
 
 caps.keep chown,dac_override,ipc_lock,net_bind_service,sys_admin,sys_nice,sys_rawio,sys_resource
-# net none
+#net none
 netfilter
 no3d
-# nonewprivs - breaks privileged helpers
+#nonewprivs # breaks privileged helpers
 noinput
-# noroot - breaks privileged helpers
+#noroot # breaks privileged helpers
 nosound
 notv
 novideo
-# protocol unix - breaks privileged helpers
-# seccomp - breaks privileged helpers
+#protocol unix # breaks privileged helpers
+#seccomp # breaks privileged helpers
 
 private-dev
-# private-tmp
+#private-tmp
 
-# restrict-namespaces - breaks privileged helpers
+#restrict-namespaces # breaks privileged helpers
diff --git a/etc/profile-a-l/kaffeine.profile b/etc/profile-a-l/kaffeine.profile
index 73417bf11..b84d144bd 100644
--- a/etc/profile-a-l/kaffeine.profile
+++ b/etc/profile-a-l/kaffeine.profile
@@ -36,7 +36,7 @@ novideo
 protocol unix,inet,inet6
 seccomp
 
-# private-bin kaffeine
+#private-bin kaffeine
 private-dev
 private-tmp
 
diff --git a/etc/profile-a-l/kalgebra.profile b/etc/profile-a-l/kalgebra.profile
index a4e67cf6b..359c02b38 100644
--- a/etc/profile-a-l/kalgebra.profile
+++ b/etc/profile-a-l/kalgebra.profile
@@ -35,7 +35,7 @@ nou2f
 novideo
 protocol unix,netlink
 seccomp !chroot
-# tracelog
+#tracelog
 
 disable-mnt
 private-bin kalgebra,kalgebramobile
@@ -47,4 +47,4 @@ private-tmp
 dbus-user none
 dbus-system none
 
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-a-l/kate.profile b/etc/profile-a-l/kate.profile
index 152f73d5d..f141a25e1 100644
--- a/etc/profile-a-l/kate.profile
+++ b/etc/profile-a-l/kate.profile
@@ -28,17 +28,17 @@ noblacklist ${HOME}/.local/share/kxmlgui5/katesearch
 include allow-common-devel.inc
 
 include disable-common.inc
-# include disable-devel.inc
+#include disable-devel.inc
 include disable-exec.inc
-# include disable-interpreters.inc
+#include disable-interpreters.inc
 include disable-programs.inc
 
 include whitelist-run-common.inc
 include whitelist-var-common.inc
 
-# apparmor
+#apparmor
 caps.drop all
-# net none
+#net none
 netfilter
 nodvd
 nogroups
@@ -52,13 +52,13 @@ novideo
 protocol unix
 seccomp
 
-# private-bin kate,kbuildsycoca4,kdeinit4
+#private-bin kate,kbuildsycoca4,kdeinit4
 private-dev
-# private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,xdg
+#private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,xdg
 private-tmp
 
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
 restrict-namespaces
 join-or-start kate
diff --git a/etc/profile-a-l/kazam.profile b/etc/profile-a-l/kazam.profile
index 70414eeea..5a19d2f50 100644
--- a/etc/profile-a-l/kazam.profile
+++ b/etc/profile-a-l/kazam.profile
@@ -45,7 +45,7 @@ seccomp
 tracelog
 
 disable-mnt
-# private-bin kazam,python*
+#private-bin kazam,python*
 private-cache
 private-dev
 private-etc @x11
diff --git a/etc/profile-a-l/kcalc.profile b/etc/profile-a-l/kcalc.profile
index cfb756c43..9f10039df 100644
--- a/etc/profile-a-l/kcalc.profile
+++ b/etc/profile-a-l/kcalc.profile
@@ -60,7 +60,7 @@ private-bin kcalc
 private-cache
 private-dev
 private-etc
-# private-lib - problems on Arch
+#private-lib # problems on Arch
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/kdeinit4.profile b/etc/profile-a-l/kdeinit4.profile
index 2f426e191..dce189c59 100644
--- a/etc/profile-a-l/kdeinit4.profile
+++ b/etc/profile-a-l/kdeinit4.profile
@@ -22,7 +22,7 @@ no3d
 nogroups
 noinput
 nonewprivs
-# nosound - disabled for knotify
+#nosound # disabled for knotify
 noroot
 nou2f
 novideo
diff --git a/etc/profile-a-l/kdenlive.profile b/etc/profile-a-l/kdenlive.profile
index d4933d816..717bfa8d6 100644
--- a/etc/profile-a-l/kdenlive.profile
+++ b/etc/profile-a-l/kdenlive.profile
@@ -21,7 +21,7 @@ include disable-programs.inc
 
 apparmor
 caps.drop all
-# net none
+#net none
 nodvd
 nogroups
 noinput
@@ -34,9 +34,9 @@ seccomp
 
 private-bin dbus-launch,dvdauthor,ffmpeg,ffplay,ffprobe,genisoimage,kdeinit4,kdeinit4_shutdown,kdeinit4_wrapper,kdeinit5,kdeinit5_shutdown,kdeinit5_wrapper,kdenlive,kdenlive_render,kshell4,kshell5,melt,mlt-melt,vlc,xine
 private-dev
-# private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,pulse,X11,xdg
+#private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,pulse,X11,xdg
 
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
 restrict-namespaces
diff --git a/etc/profile-a-l/kfind.profile b/etc/profile-a-l/kfind.profile
index c70030a38..115f785eb 100644
--- a/etc/profile-a-l/kfind.profile
+++ b/etc/profile-a-l/kfind.profile
@@ -9,21 +9,21 @@ include globals.local
 # searching in blacklisted or masked paths fails silently
 # adjust filesystem restrictions as necessary
 
-# noblacklist ${HOME}/.cache/kfind - disable-programs.inc is disabled, see below
-# noblacklist ${HOME}/.config/kfindrc
-# noblacklist ${HOME}/.kde/share/config/kfindrc
-# noblacklist ${HOME}/.kde4/share/config/kfindrc
+#noblacklist ${HOME}/.cache/kfind # disable-programs.inc is disabled, see below
+#noblacklist ${HOME}/.config/kfindrc
+#noblacklist ${HOME}/.kde/share/config/kfindrc
+#noblacklist ${HOME}/.kde4/share/config/kfindrc
 
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-# include disable-programs.inc
+#include disable-programs.inc
 
 apparmor
 caps.drop all
 machine-id
-# net none
+#net none
 netfilter
 no3d
 nodvd
@@ -38,11 +38,11 @@ novideo
 protocol unix
 seccomp
 
-# private-bin kbuildsycoca4,kdeinit4,kfind
+#private-bin kbuildsycoca4,kdeinit4,kfind
 private-dev
 private-tmp
 
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
 restrict-namespaces
diff --git a/etc/profile-a-l/kget.profile b/etc/profile-a-l/kget.profile
index dd45c1889..892577117 100644
--- a/etc/profile-a-l/kget.profile
+++ b/etc/profile-a-l/kget.profile
@@ -40,5 +40,5 @@ seccomp
 private-dev
 private-tmp
 
-# memory-deny-write-execute
+#memory-deny-write-execute
 restrict-namespaces
diff --git a/etc/profile-a-l/kiwix-desktop.profile b/etc/profile-a-l/kiwix-desktop.profile
index 2e369b945..9f41f41db 100644
--- a/etc/profile-a-l/kiwix-desktop.profile
+++ b/etc/profile-a-l/kiwix-desktop.profile
@@ -27,13 +27,13 @@ apparmor
 caps.drop all
 ipc-namespace
 netfilter
-# no3d
+#no3d
 nodvd
 nogroups
 noinput
 nonewprivs
 noroot
-# nosound
+#nosound
 notv
 nou2f
 novideo
@@ -49,4 +49,4 @@ private-tmp
 dbus-user none
 dbus-system none
 
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-a-l/kmail.profile b/etc/profile-a-l/kmail.profile
index 9724f4963..20d2c01d6 100644
--- a/etc/profile-a-l/kmail.profile
+++ b/etc/profile-a-l/kmail.profile
@@ -41,7 +41,7 @@ include disable-programs.inc
 include whitelist-run-common.inc
 include whitelist-var-common.inc
 
-# apparmor
+#apparmor
 caps.drop all
 netfilter
 nodvd
@@ -56,11 +56,11 @@ novideo
 protocol unix,inet,inet6,netlink
 # we need to allow chroot, io_getevents, ioprio_set, io_setup, io_submit system calls
 seccomp !chroot,!io_getevents,!io_setup,!io_submit,!ioprio_set
-# tracelog
+#tracelog
 
 private-dev
-# private-tmp - interrupts connection to akonadi, breaks opening of email attachments
+#private-tmp # interrupts connection to akonadi, breaks opening of email attachments
 # writable-run-user is needed for signing and encrypting emails
 writable-run-user
 
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-a-l/kmplayer.profile b/etc/profile-a-l/kmplayer.profile
index 992b312ee..7615f00c4 100644
--- a/etc/profile-a-l/kmplayer.profile
+++ b/etc/profile-a-l/kmplayer.profile
@@ -33,7 +33,7 @@ nou2f
 protocol unix,inet,inet6,netlink
 seccomp
 
-# private-bin kmplayer,mplayer
+#private-bin kmplayer,mplayer
 private-cache
 private-dev
 private-tmp
diff --git a/etc/profile-a-l/konversation.profile b/etc/profile-a-l/konversation.profile
index e4781fea3..10a823c89 100644
--- a/etc/profile-a-l/konversation.profile
+++ b/etc/profile-a-l/konversation.profile
@@ -42,5 +42,5 @@ private-cache
 private-dev
 private-tmp
 
-# memory-deny-write-execute
+#memory-deny-write-execute
 restrict-namespaces
diff --git a/etc/profile-a-l/krita.profile b/etc/profile-a-l/krita.profile
index a04376430..f61bf36a8 100644
--- a/etc/profile-a-l/krita.profile
+++ b/etc/profile-a-l/krita.profile
@@ -28,7 +28,7 @@ include disable-xdg.inc
 apparmor
 caps.drop all
 ipc-namespace
-# net none
+#net none
 netfilter
 nodvd
 nogroups
@@ -46,7 +46,7 @@ private-cache
 private-dev
 private-tmp
 
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
 restrict-namespaces
diff --git a/etc/profile-a-l/krunner.profile b/etc/profile-a-l/krunner.profile
index a0244ef47..8af3657d1 100644
--- a/etc/profile-a-l/krunner.profile
+++ b/etc/profile-a-l/krunner.profile
@@ -10,19 +10,19 @@ include globals.local
 # When a file is opened in krunner, the file viewer runs in its own sandbox
 # with its own profile, if it is sandboxed automatically.
 
-# noblacklist ${HOME}/.cache/krunner
-# noblacklist ${HOME}/.cache/krunnerbookmarkrunnerfirefoxdbfile.sqlite*
-# noblacklist ${HOME}/.config/chromium
+#noblacklist ${HOME}/.cache/krunner
+#noblacklist ${HOME}/.cache/krunnerbookmarkrunnerfirefoxdbfile.sqlite*
+#noblacklist ${HOME}/.config/chromium
 noblacklist ${HOME}/.config/krunnerrc
 noblacklist ${HOME}/.kde/share/config/krunnerrc
 noblacklist ${HOME}/.kde4/share/config/krunnerrc
-# noblacklist ${HOME}/.local/share/baloo
-# noblacklist ${HOME}/.mozilla
+#noblacklist ${HOME}/.local/share/baloo
+#noblacklist ${HOME}/.mozilla
 
 include disable-common.inc
-# include disable-devel.inc
-# include disable-interpreters.inc
-# include disable-programs.inc
+#include disable-devel.inc
+#include disable-interpreters.inc
+#include disable-programs.inc
 
 include whitelist-var-common.inc
 
@@ -34,6 +34,6 @@ noroot
 protocol unix,inet,inet6
 seccomp
 
-# private-cache
+#private-cache
 
 restrict-namespaces
diff --git a/etc/profile-a-l/ktorrent.profile b/etc/profile-a-l/ktorrent.profile
index da267b962..63bdc0b83 100644
--- a/etc/profile-a-l/ktorrent.profile
+++ b/etc/profile-a-l/ktorrent.profile
@@ -62,9 +62,9 @@ seccomp
 
 private-bin kbuildsycoca4,kdeinit4,ktmagnetdownloader,ktorrent,ktupnptest
 private-dev
-# private-lib - problems on Arch
+#private-lib # problems on Arch
 private-tmp
 
 deterministic-shutdown
-# memory-deny-write-execute
+#memory-deny-write-execute
 restrict-namespaces
diff --git a/etc/profile-a-l/kube.profile b/etc/profile-a-l/kube.profile
index 82336969d..1f8757edb 100644
--- a/etc/profile-a-l/kube.profile
+++ b/etc/profile-a-l/kube.profile
@@ -65,7 +65,7 @@ protocol unix,inet,inet6
 seccomp
 tracelog
 
-# disable-mnt
+#disable-mnt
 # Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg
 private-bin kube,sink_synchronizer
 private-cache
diff --git a/etc/profile-a-l/kwin_x11.profile b/etc/profile-a-l/kwin_x11.profile
index 589811643..da430377e 100644
--- a/etc/profile-a-l/kwin_x11.profile
+++ b/etc/profile-a-l/kwin_x11.profile
@@ -5,7 +5,7 @@ include kwin_x11.local
 # Persistent global definitions
 include globals.local
 
-# fix automatical kwin_x11 sandboxing:
+# fix automatic kwin_x11 sandboxing:
 # echo KDEWM=kwin_x11 >> ~/.pam_environment
 
 noblacklist ${HOME}/.cache/kwin
diff --git a/etc/profile-a-l/kwrite.profile b/etc/profile-a-l/kwrite.profile
index 34fe2ace6..efc6b7c56 100644
--- a/etc/profile-a-l/kwrite.profile
+++ b/etc/profile-a-l/kwrite.profile
@@ -29,14 +29,14 @@ include whitelist-var-common.inc
 
 apparmor
 caps.drop all
-# net none
+#net none
 netfilter
 nodvd
 nogroups
 noinput
 nonewprivs
 noroot
-# nosound - KWrite is using ALSA!
+#nosound # KWrite is using ALSA!
 notv
 nou2f
 novideo
@@ -49,8 +49,8 @@ private-dev
 private-etc @x11
 private-tmp
 
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
 restrict-namespaces
 join-or-start kwrite
diff --git a/etc/profile-a-l/less.profile b/etc/profile-a-l/less.profile
index 6efe23ade..661c0594a 100644
--- a/etc/profile-a-l/less.profile
+++ b/etc/profile-a-l/less.profile
@@ -36,8 +36,8 @@ x11 none
 
 # The user can have a custom coloring script configured in ${HOME}/.lessfilter.
 # Enable private-bin and private-lib if you are not using any filter.
-# private-bin less
-# private-lib
+#private-bin less
+#private-lib
 private-cache
 private-dev
 writable-var-log
diff --git a/etc/profile-a-l/lettura.profile b/etc/profile-a-l/lettura.profile
new file mode 100644
index 000000000..94a455355
--- /dev/null
+++ b/etc/profile-a-l/lettura.profile
@@ -0,0 +1,76 @@
+# Firejail profile for lettura
+# Description: Another free and open-source feed reader
+# This file is overwritten after every install/update
+# Persistent local customizations
+include lettura.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/lettura
+noblacklist ${HOME}/.config/com.lettura.dev
+noblacklist ${HOME}/.lettura
+noblacklist ${HOME}/.local/share/com.lettura.dev
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/lettura
+mkdir ${HOME}/.config/com.lettura.dev
+mkdir ${HOME}/.lettura
+mkdir ${HOME}/.local/share/com.lettura.dev
+whitelist ${HOME}/.cache/lettura
+whitelist ${HOME}/.config/com.lettura.dev
+whitelist ${HOME}/.lettura
+whitelist ${HOME}/.local/share/com.lettura.dev
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+# The lines below are needed to find the default Firefox profile name, to allow
+# opening links in an existing instance of Firefox (note that it still fails if
+# there isn't a Firefox instance running with the default profile; see #5352)
+noblacklist ${HOME}/.mozilla
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noprinters
+noroot
+#nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+tracelog
+
+disable-mnt
+private-bin lettura
+private-cache
+private-dev
+private-etc @network,@sound,@tls-ca,@x11,mime.types
+private-tmp
+
+dbus-user filter
+dbus-user.talk org.freedesktop.Notifications
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
+# allow D-Bus communication with firefox for opening links
+dbus-user.talk org.mozilla.*
+dbus-system none
+
+restrict-namespaces
diff --git a/etc/profile-a-l/liferea.profile b/etc/profile-a-l/liferea.profile
index b0e9015ee..739d2cc1e 100644
--- a/etc/profile-a-l/liferea.profile
+++ b/etc/profile-a-l/liferea.profile
@@ -33,13 +33,13 @@ include whitelist-var-common.inc
 
 caps.drop all
 netfilter
-# no3d
+#no3d
 nodvd
 nogroups
 noinput
 nonewprivs
 noroot
-# nosound
+#nosound
 notv
 nou2f
 novideo
diff --git a/etc/profile-a-l/links-common.profile b/etc/profile-a-l/links-common.profile
index 838d619b7..636560789 100644
--- a/etc/profile-a-l/links-common.profile
+++ b/etc/profile-a-l/links-common.profile
@@ -52,7 +52,7 @@ private-cache
 private-dev
 private-etc @tls-ca
 # Add the next line to your links-common.local to allow external media players.
-# private-etc alsa,asound.conf,machine-id,openal,pulse
+#private-etc alsa,asound.conf,machine-id,openal,pulse
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/linuxqq.profile b/etc/profile-a-l/linuxqq.profile
index 6ca8b8103..e900c0914 100644
--- a/etc/profile-a-l/linuxqq.profile
+++ b/etc/profile-a-l/linuxqq.profile
@@ -17,6 +17,7 @@ mkdir ${HOME}/.config/QQ
 whitelist ${HOME}/.config/QQ
 whitelist ${HOME}/.mozilla/firefox/profiles.ini
 whitelist ${DESKTOP}
+whitelist /opt/QQ
 
 ignore apparmor
 noprinters
@@ -24,7 +25,6 @@ noprinters
 # If you don't need/want to save anything to disk you can add `private` to your linuxqq.local.
 #private
 private-etc @tls-ca,@x11,host.conf,os-release
-private-opt QQ
 
 dbus-user filter
 dbus-user.talk org.freedesktop.Notifications
diff --git a/etc/profile-a-l/lobster.profile b/etc/profile-a-l/lobster.profile
index 4daa1d010..367f69743 100644
--- a/etc/profile-a-l/lobster.profile
+++ b/etc/profile-a-l/lobster.profile
@@ -17,6 +17,7 @@ noblacklist ${HOME}/.config/ueberzugpp
 noblacklist ${HOME}/.local/share/applications/lobster
 noblacklist ${HOME}/.local/share/lobster
 noblacklist ${PATH}/openssl
+noblacklist ${PATH}/patch
 
 # Allow /bin/sh (blacklisted by disable-shell.inc)
 include allow-bin-sh.inc
@@ -43,7 +44,7 @@ notv
 disable-mnt
 private-bin base64,bash,cat,command,curl,cut,date,dirname,echo,ffmpeg,ffprobe,find,fzf,grep,head,hxunent,ln,lobster,ls,mkdir,mkfifo,nano,nohup,openssl,patch,pgrep,ps,rm,rofi,sed,sh,sleep,socat,tail,tee,tput,tr,ueberzugpp,uname,uuidgen,vim,wc
 #private-cache
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg
+private-etc X11,alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,xdg
 private-tmp
 
 # Redirect
diff --git a/etc/profile-a-l/lutris.profile b/etc/profile-a-l/lutris.profile
index 2658c5373..226bc8dde 100644
--- a/etc/profile-a-l/lutris.profile
+++ b/etc/profile-a-l/lutris.profile
@@ -13,7 +13,7 @@ noblacklist ${HOME}/.cache/wine
 noblacklist ${HOME}/.cache/winetricks
 noblacklist ${HOME}/.config/lutris
 noblacklist ${HOME}/.local/share/lutris
-# noblacklist ${HOME}/.wine
+#noblacklist ${HOME}/.wine
 noblacklist /tmp/.wine-*
 # Don't block access to /sbin and /usr/sbin to allow using ldconfig. Otherwise
 # Lutris won't even start.
@@ -39,7 +39,7 @@ mkdir ${HOME}/.cache/wine
 mkdir ${HOME}/.cache/winetricks
 mkdir ${HOME}/.config/lutris
 mkdir ${HOME}/.local/share/lutris
-# mkdir ${HOME}/.wine
+#mkdir ${HOME}/.wine
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/Games
 whitelist ${HOME}/.cache/lutris
@@ -47,7 +47,7 @@ whitelist ${HOME}/.cache/wine
 whitelist ${HOME}/.cache/winetricks
 whitelist ${HOME}/.config/lutris
 whitelist ${HOME}/.local/share/lutris
-# whitelist ${HOME}/.wine
+#whitelist ${HOME}/.wine
 whitelist /usr/share/lutris
 whitelist /usr/share/wine
 include whitelist-common.inc
@@ -55,11 +55,11 @@ include whitelist-usr-share-common.inc
 include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
-# allow-debuggers
-# apparmor
+#allow-debuggers
+#apparmor
 caps.drop all
 ipc-namespace
-# net none
+#net none
 netfilter
 nodvd
 nogroups
@@ -69,7 +69,7 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6,netlink
-seccomp !modify_ldt
+seccomp !clone3,!modify_ldt,!process_vm_readv,!ptrace
 seccomp.32 !modify_ldt
 
 # Add the next line to your lutris.local if you do not need controller support.
diff --git a/etc/profile-a-l/lynx.profile b/etc/profile-a-l/lynx.profile
index caf8de104..248061b3f 100644
--- a/etc/profile-a-l/lynx.profile
+++ b/etc/profile-a-l/lynx.profile
@@ -34,10 +34,10 @@ protocol unix,inet,inet6
 seccomp
 tracelog
 
-# private-bin lynx
+#private-bin lynx
 private-cache
 private-dev
-# private-etc alternatives,ca-certificates,crypto-policies,pki,ssl
+#private-etc alternatives,ca-certificates,crypto-policies,pki,ssl
 private-tmp
 
 restrict-namespaces
diff --git a/etc/profile-a-l/lyx.profile b/etc/profile-a-l/lyx.profile
index c3366acef..d210333c3 100644
--- a/etc/profile-a-l/lyx.profile
+++ b/etc/profile-a-l/lyx.profile
@@ -31,7 +31,7 @@ include whitelist-usr-share-common.inc
 apparmor
 machine-id
 
-# private-bin atril,dvilualatex,env,latex,lua*,luatex,lyx,lyxclient,okular,pdf2latex,pdflatex,pdftex,perl*,python*,qpdf,qpdfview,sh,tex2lyx,texmf,xelatex
+#private-bin atril,dvilualatex,env,latex,lua*,luatex,lyx,lyxclient,okular,pdf2latex,pdflatex,pdftex,perl*,python*,qpdf,qpdfview,sh,tex2lyx,texmf,xelatex
 private-etc @x11,lyx,mime.types,texmf
 
 # Redirect
diff --git a/etc/profile-m-z/PCSX2.profile b/etc/profile-m-z/PCSX2.profile
index e75de80ac..a6a9ba6bc 100644
--- a/etc/profile-m-z/PCSX2.profile
+++ b/etc/profile-m-z/PCSX2.profile
@@ -40,8 +40,8 @@ notv
 nou2f
 novideo
 protocol unix,netlink
-#seccomp - breaks loading with no logs
-#tracelog - 32/64 bit incompatibility
+#seccomp # breaks loading with no logs
+#tracelog # 32/64 bit incompatibility
 
 private-bin PCSX2
 private-cache
diff --git a/etc/profile-m-z/QMediathekView.profile b/etc/profile-m-z/QMediathekView.profile
index f8b5cec13..853b6ae52 100644
--- a/etc/profile-m-z/QMediathekView.profile
+++ b/etc/profile-m-z/QMediathekView.profile
@@ -9,6 +9,7 @@ include globals.local
 noblacklist ${HOME}/.config/QMediathekView
 noblacklist ${HOME}/.local/share/QMediathekView
 
+noblacklist ${HOME}/.cache/mpv
 noblacklist ${HOME}/.config/mpv
 noblacklist ${HOME}/.config/smplayer
 noblacklist ${HOME}/.config/totem
@@ -16,6 +17,7 @@ noblacklist ${HOME}/.config/vlc
 noblacklist ${HOME}/.config/xplayer
 noblacklist ${HOME}/.local/share/totem
 noblacklist ${HOME}/.local/share/xplayer
+noblacklist ${HOME}/.local/state/mpv
 noblacklist ${HOME}/.mplayer
 noblacklist ${VIDEOS}
 
@@ -35,6 +37,7 @@ whitelist ${HOME}/.local/share/QMediathekView
 whitelist ${DOWNLOADS}
 whitelist ${VIDEOS}
 
+whitelist ${HOME}/.cache/mpv
 whitelist ${HOME}/.config/mpv
 whitelist ${HOME}/.config/smplayer
 whitelist ${HOME}/.config/totem
@@ -42,6 +45,7 @@ whitelist ${HOME}/.config/vlc
 whitelist ${HOME}/.config/xplayer
 whitelist ${HOME}/.local/share/totem
 whitelist ${HOME}/.local/share/xplayer
+whitelist ${HOME}/.local/state/mpv
 whitelist ${HOME}/.mplayer
 whitelist /usr/share/qtchooser
 include whitelist-common.inc
@@ -53,7 +57,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
-# no3d
+#no3d
 nodvd
 nogroups
 noinput
@@ -68,7 +72,7 @@ seccomp
 tracelog
 
 disable-mnt
-private-bin mplayer,mpv,QMediathekView,smplayer,totem,vlc,xplayer
+private-bin QMediathekView,mplayer,mpv,smplayer,totem,vlc,xplayer
 private-cache
 private-dev
 private-etc @tls-ca
@@ -77,5 +81,5 @@ private-tmp
 dbus-user none
 dbus-system none
 
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 restrict-namespaces
diff --git a/etc/profile-m-z/QOwnNotes.profile b/etc/profile-m-z/QOwnNotes.profile
index eed839041..e7dba9cd5 100644
--- a/etc/profile-m-z/QOwnNotes.profile
+++ b/etc/profile-m-z/QOwnNotes.profile
@@ -47,7 +47,7 @@ seccomp
 tracelog
 
 disable-mnt
-private-bin gio,QOwnNotes
+private-bin QOwnNotes,gio
 private-dev
 private-etc @tls-ca,host.conf
 private-tmp
diff --git a/etc/profile-m-z/Viber.profile b/etc/profile-m-z/Viber.profile
index 34d500bb1..ea7d8bfa7 100644
--- a/etc/profile-m-z/Viber.profile
+++ b/etc/profile-m-z/Viber.profile
@@ -31,8 +31,8 @@ protocol unix,inet,inet6
 seccomp !chroot
 
 disable-mnt
-private-bin awk,bash,dig,sh,Viber
+private-bin Viber,awk,bash,dig,sh
 private-etc @tls-ca,@x11,mailcap,proxychains.conf
 private-tmp
 
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-m-z/XMind.profile b/etc/profile-m-z/XMind.profile
index 97b9d2898..5b8747825 100644
--- a/etc/profile-m-z/XMind.profile
+++ b/etc/profile-m-z/XMind.profile
@@ -31,7 +31,7 @@ protocol unix,inet,inet6
 seccomp
 
 disable-mnt
-private-bin cp,sh,XMind
+private-bin XMind,cp,sh
 private-tmp
 private-dev
 
diff --git a/etc/profile-m-z/Xephyr.profile b/etc/profile-m-z/Xephyr.profile
index 2fc1d1b8a..aae1808dd 100644
--- a/etc/profile-m-z/Xephyr.profile
+++ b/etc/profile-m-z/Xephyr.profile
@@ -16,7 +16,7 @@ include globals.local
 #
 
 whitelist /var/lib/xkb
-include whitelist-common.inc
+#include whitelist-common.inc # see #903
 
 caps.drop all
 # Xephyr needs to be allowed access to the abstract Unix socket namespace.
@@ -25,7 +25,7 @@ nogroups
 noinput
 nonewprivs
 # In noroot mode, Xephyr cannot create a socket in the real /tmp/.X11-unix.
-# noroot
+#noroot
 nosound
 notv
 nou2f
@@ -35,10 +35,10 @@ seccomp
 disable-mnt
 # using a private home directory
 private
-# private-bin sh,Xephyr,xkbcomp
-# private-bin bash,cat,ls,sh,strace,Xephyr,xkbcomp
+#private-bin sh,Xephyr,xkbcomp
+#private-bin bash,cat,ls,sh,strace,Xephyr,xkbcomp
 private-dev
-# private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,nsswitch.conf,resolv.conf
+#private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,nsswitch.conf,resolv.conf
 #private-tmp
 
 restrict-namespaces
diff --git a/etc/profile-m-z/Xvfb.profile b/etc/profile-m-z/Xvfb.profile
index ee19fa3b0..052ea520d 100644
--- a/etc/profile-m-z/Xvfb.profile
+++ b/etc/profile-m-z/Xvfb.profile
@@ -19,7 +19,7 @@ include globals.local
 #
 
 whitelist /var/lib/xkb
-include whitelist-common.inc
+#include whitelist-common.inc # see #903
 
 caps.drop all
 # Xvfb needs to be allowed access to the abstract Unix socket namespace.
@@ -39,8 +39,8 @@ seccomp
 disable-mnt
 # using a private home directory
 private
-# private-bin sh,xkbcomp,Xvfb
-# private-bin bash,cat,ls,sh,strace,xkbcomp,Xvfb
+#private-bin sh,xkbcomp,Xvfb
+#private-bin bash,cat,ls,sh,strace,xkbcomp,Xvfb
 private-dev
 private-etc gai.conf,host.conf
 private-tmp
diff --git a/etc/profile-m-z/makepkg.profile b/etc/profile-m-z/makepkg.profile
index 266d00395..b6afbad59 100644
--- a/etc/profile-m-z/makepkg.profile
+++ b/etc/profile-m-z/makepkg.profile
@@ -14,8 +14,8 @@ blacklist ${RUNUSER}/wayland-*
 # for potential issues and their solutions when Firejailing makepkg
 
 # This profile could be significantly strengthened by adding the following to makepkg.local
-# whitelist ${HOME}/<Your Build Folder>
-# whitelist ${HOME}/.gnupg
+#whitelist ${HOME}/<Your Build Folder>
+#whitelist ${HOME}/.gnupg
 
 # Enable severely restricted access to ${HOME}/.gnupg
 noblacklist ${HOME}/.gnupg
diff --git a/etc/profile-m-z/mediathekview.profile b/etc/profile-m-z/mediathekview.profile
index 19ce6fcd1..ef0c8bcc9 100644
--- a/etc/profile-m-z/mediathekview.profile
+++ b/etc/profile-m-z/mediathekview.profile
@@ -6,6 +6,7 @@ include mediathekview.local
 # Persistent global definitions
 include globals.local
 
+noblacklist ${HOME}/.cache/mpv
 noblacklist ${HOME}/.config/mpv
 noblacklist ${HOME}/.config/smplayer
 noblacklist ${HOME}/.config/totem
@@ -13,6 +14,7 @@ noblacklist ${HOME}/.config/vlc
 noblacklist ${HOME}/.config/xplayer
 noblacklist ${HOME}/.local/share/totem
 noblacklist ${HOME}/.local/share/xplayer
+noblacklist ${HOME}/.local/state/mpv
 noblacklist ${HOME}/.mediathek3
 noblacklist ${HOME}/.mplayer
 noblacklist ${VIDEOS}
diff --git a/etc/profile-m-z/microsoft-edge-beta.profile b/etc/profile-m-z/microsoft-edge-beta.profile
index 6843c11c7..e07bbe6e5 100644
--- a/etc/profile-m-z/microsoft-edge-beta.profile
+++ b/etc/profile-m-z/microsoft-edge-beta.profile
@@ -14,10 +14,7 @@ mkdir ${HOME}/.cache/microsoft-edge-beta
 mkdir ${HOME}/.config/microsoft-edge-beta
 whitelist ${HOME}/.cache/microsoft-edge-beta
 whitelist ${HOME}/.config/microsoft-edge-beta
-
 whitelist /opt/microsoft/msedge-beta
-# private-opt might break the file-copy-limit, see #5307
-#private-opt microsoft
 
 # Redirect
 include chromium-common.profile
diff --git a/etc/profile-m-z/midori.profile b/etc/profile-m-z/midori.profile
index d1655fabb..fcc4845df 100644
--- a/etc/profile-m-z/midori.profile
+++ b/etc/profile-m-z/midori.profile
@@ -13,8 +13,8 @@ noblacklist ${HOME}/.cache/midori
 noblacklist ${HOME}/.config/midori
 noblacklist ${HOME}/.local/share/midori
 noblacklist ${HOME}/.local/share/pki
-# noblacklist ${HOME}/.local/share/webkit
-# noblacklist ${HOME}/.local/share/webkitgtk
+#noblacklist ${HOME}/.local/share/webkit
+#noblacklist ${HOME}/.local/share/webkitgtk
 noblacklist ${HOME}/.pki
 
 noblacklist ${HOME}/.cache/gnome-mplayer
@@ -54,7 +54,7 @@ caps.drop all
 netfilter
 nodvd
 nonewprivs
-# noroot - problems on Ubuntu 14.04
+#noroot # problems on Ubuntu 14.04
 notv
 protocol unix,inet,inet6,netlink
 seccomp
diff --git a/etc/profile-m-z/mirrormagic.profile b/etc/profile-m-z/mirrormagic.profile
index 4943a80af..a8c6e3533 100644
--- a/etc/profile-m-z/mirrormagic.profile
+++ b/etc/profile-m-z/mirrormagic.profile
@@ -39,7 +39,6 @@ seccomp
 tracelog
 
 disable-mnt
-private
 private-bin mirrormagic
 private-cache
 private-dev
diff --git a/etc/profile-m-z/mocp.profile b/etc/profile-m-z/mocp.profile
index 2ba03ec97..0a5e4255a 100644
--- a/etc/profile-m-z/mocp.profile
+++ b/etc/profile-m-z/mocp.profile
@@ -10,15 +10,24 @@ include globals.local
 noblacklist ${HOME}/.moc
 noblacklist ${MUSIC}
 
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
+include disable-proc.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-include whitelist-usr-share-common.inc
+mkdir ${HOME}/.moc
+whitelist ${HOME}/.moc
+whitelist ${MUSIC}
+include whitelist-common.inc
+include whitelist-run-common.inc
 include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 apparmor
@@ -30,18 +39,20 @@ nodvd
 nogroups
 noinput
 nonewprivs
+noprinters
 noroot
 notv
 nou2f
 novideo
-protocol unix,inet,inet6,netlink
+protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 tracelog
 
 private-bin mocp
 private-cache
 private-dev
-private-etc @tls-ca
+private-etc @network,@tls-ca
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/mov-cli.profile b/etc/profile-m-z/mov-cli.profile
index 8007b887a..1efd1e8f9 100644
--- a/etc/profile-m-z/mov-cli.profile
+++ b/etc/profile-m-z/mov-cli.profile
@@ -26,7 +26,7 @@ notv
 disable-mnt
 private-bin ffmpeg,fzf,mov-cli
 #private-cache
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,magic,magic.mgc,mime.types,nsswitch.conf,pango,passwd,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg
+private-etc X11,alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,magic,magic.mgc,mime.types,nsswitch.conf,pango,passwd,pki,protocols,pulse,resolv.conf,rpc,services,ssl,xdg
 private-tmp
 
 # Redirect
diff --git a/etc/profile-m-z/mpDris2.profile b/etc/profile-m-z/mpDris2.profile
index a9631733c..ab1c93eaf 100644
--- a/etc/profile-m-z/mpDris2.profile
+++ b/etc/profile-m-z/mpDris2.profile
@@ -52,7 +52,11 @@ private-etc
 private-lib libdbus-1.so.*,libdbus-glib-1.so.*,libgirepository-1.0.so.*,libnotify.so.*,libpython*,python2*,python3*
 private-tmp
 
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+dbus-user filter
+dbus-user.own org.mpris.MediaPlayer2.mpd
+dbus-system none
+
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 
 read-only ${HOME}
 restrict-namespaces
diff --git a/etc/profile-m-z/mpd.profile b/etc/profile-m-z/mpd.profile
index d1c4bd24f..6bf881faf 100644
--- a/etc/profile-m-z/mpd.profile
+++ b/etc/profile-m-z/mpd.profile
@@ -41,4 +41,8 @@ private-cache
 private-dev
 private-tmp
 
+dbus-user filter
+dbus-user.talk org.mpris.MediaPlayer2.mpd
+dbus-system none
+
 restrict-namespaces
diff --git a/etc/profile-m-z/mplayer.profile b/etc/profile-m-z/mplayer.profile
index 7d9ff39ad..bdb9fa51d 100644
--- a/etc/profile-m-z/mplayer.profile
+++ b/etc/profile-m-z/mplayer.profile
@@ -24,9 +24,9 @@ include whitelist-var-common.inc
 
 apparmor
 caps.drop all
-# net none - mplayer can be used for streaming.
+#net none # mplayer can be used for streaming.
 netfilter
-# nogroups
+#nogroups
 noinput
 nonewprivs
 noroot
diff --git a/etc/profile-m-z/mpsyt.profile b/etc/profile-m-z/mpsyt.profile
index e73e3142c..e4f76855e 100644
--- a/etc/profile-m-z/mpsyt.profile
+++ b/etc/profile-m-z/mpsyt.profile
@@ -6,9 +6,11 @@ include mpsyt.local
 # Persistent global definitions
 include globals.local
 
+noblacklist ${HOME}/.cache/mpv
 noblacklist ${HOME}/.config/mps-youtube
 noblacklist ${HOME}/.config/mpv
 noblacklist ${HOME}/.config/youtube-dl
+noblacklist ${HOME}/.local/state/mpv
 noblacklist ${HOME}/.mplayer
 noblacklist ${HOME}/.netrc
 noblacklist ${HOME}/mps
@@ -32,13 +34,13 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/mps-youtube
-mkdir ${HOME}/.config/mpv
-mkdir ${HOME}/.config/youtube-dl
 mkdir ${HOME}/.mplayer
 mkdir ${HOME}/mps
+whitelist ${HOME}/.cache/mpv
 whitelist ${HOME}/.config/mps-youtube
 whitelist ${HOME}/.config/mpv
 whitelist ${HOME}/.config/youtube-dl
+whitelist ${HOME}/.local/state/mpv
 whitelist ${HOME}/.mplayer
 whitelist ${HOME}/.netrc
 whitelist ${HOME}/mps
diff --git a/etc/profile-m-z/mpv.profile b/etc/profile-m-z/mpv.profile
index d1bbdd167..af8f00c0c 100644
--- a/etc/profile-m-z/mpv.profile
+++ b/etc/profile-m-z/mpv.profile
@@ -24,6 +24,7 @@ include globals.local
 #include allow-bin-sh.inc
 #private-bin sh
 
+noblacklist ${HOME}/.cache/mpv
 noblacklist ${HOME}/.config/mpv
 noblacklist ${HOME}/.config/youtube-dl
 noblacklist ${HOME}/.config/yt-dlp
@@ -50,9 +51,11 @@ include disable-programs.inc
 include disable-shell.inc
 
 read-only ${DESKTOP}
+mkdir ${HOME}/.cache/mpv
 mkdir ${HOME}/.config/mpv
 mkdir ${HOME}/.local/state/mpv
 mkfile ${HOME}/.netrc
+whitelist ${HOME}/.cache/mpv
 whitelist ${HOME}/.config/mpv
 whitelist ${HOME}/.config/youtube-dl
 whitelist ${HOME}/.config/yt-dlp
diff --git a/etc/profile-m-z/mullvad-browser.profile b/etc/profile-m-z/mullvad-browser.profile
index b9eb57743..6706386aa 100644
--- a/etc/profile-m-z/mullvad-browser.profile
+++ b/etc/profile-m-z/mullvad-browser.profile
@@ -73,13 +73,12 @@ novideo
 protocol unix,inet,inet6
 seccomp !chroot
 seccomp.block-secondary
-#tracelog - may cause issues, see #1930
+#tracelog # may cause issues, see #1930
 
 disable-mnt
 private-bin bash,cat,cp,cut,dirname,env,expr,file,gpg,grep,gxmessage,id,kdialog,ln,mkdir,mullvad-browser,mv,python*,rm,sed,sh,tail,tar,tclsh,test,update-desktop-database,xmessage,xz,zenity
 private-dev
 private-etc @tls-ca
-#private-opt mullvad-browser - can cause slow startup
 private-tmp
 
 blacklist ${PATH}/curl
diff --git a/etc/profile-m-z/multimc5.profile b/etc/profile-m-z/multimc5.profile
index 73107680c..41f82bd07 100644
--- a/etc/profile-m-z/multimc5.profile
+++ b/etc/profile-m-z/multimc5.profile
@@ -41,12 +41,12 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6
-# seccomp
+#seccomp
 
 disable-mnt
 # private-bin works, but causes weirdness
-# private-bin apt-file,awk,bash,chmod,dirname,dnf,grep,java,kdialog,ldd,mkdir,multimc5,pfl,pkgfile,readlink,sort,valgrind,which,yum,zenity,zypper
+#private-bin apt-file,awk,bash,chmod,dirname,dnf,grep,java,kdialog,ldd,mkdir,multimc5,pfl,pkgfile,readlink,sort,valgrind,which,yum,zenity,zypper
 private-dev
 private-tmp
 
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-m-z/mumble.profile b/etc/profile-m-z/mumble.profile
index ef09e6fca..52dc46800 100644
--- a/etc/profile-m-z/mumble.profile
+++ b/etc/profile-m-z/mumble.profile
@@ -41,5 +41,5 @@ disable-mnt
 private-bin mumble
 private-tmp
 
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 restrict-namespaces
diff --git a/etc/profile-m-z/musescore.profile b/etc/profile-m-z/musescore.profile
index ca951f70c..b62674ad6 100644
--- a/etc/profile-m-z/musescore.profile
+++ b/etc/profile-m-z/musescore.profile
@@ -37,7 +37,7 @@ protocol unix,inet,inet6
 seccomp !chroot
 tracelog
 
-# private-bin musescore,mscore
+#private-bin musescore,mscore
 private-tmp
 
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-m-z/musixmatch.profile b/etc/profile-m-z/musixmatch.profile
index 7ce7fbd19..d67cd24bd 100644
--- a/etc/profile-m-z/musixmatch.profile
+++ b/etc/profile-m-z/musixmatch.profile
@@ -35,4 +35,4 @@ disable-mnt
 private-dev
 private-etc @tls-ca
 
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-m-z/mutt.profile b/etc/profile-m-z/mutt.profile
index 288ffedf1..097ce6e83 100644
--- a/etc/profile-m-z/mutt.profile
+++ b/etc/profile-m-z/mutt.profile
@@ -13,6 +13,7 @@ noblacklist ${DOCUMENTS}
 noblacklist ${HOME}/.Mail
 noblacklist ${HOME}/.bogofilter
 noblacklist ${HOME}/.cache/mutt
+noblacklist ${HOME}/.config/msmtp
 noblacklist ${HOME}/.config/mutt
 noblacklist ${HOME}/.config/nano
 noblacklist ${HOME}/.elinks
@@ -35,6 +36,7 @@ noblacklist ${HOME}/Mail
 noblacklist ${HOME}/mail
 noblacklist ${HOME}/postponed
 noblacklist ${HOME}/sent
+noblacklist /etc/msmtprc
 
 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
@@ -69,6 +71,7 @@ whitelist ${DOWNLOADS}
 whitelist ${HOME}/.Mail
 whitelist ${HOME}/.bogofilter
 whitelist ${HOME}/.cache/mutt
+whitelist ${HOME}/.config/msmtp
 whitelist ${HOME}/.config/mutt
 whitelist ${HOME}/.config/nano
 whitelist ${HOME}/.elinks
@@ -121,10 +124,10 @@ seccomp
 seccomp.block-secondary
 tracelog
 
-# disable-mnt
+#disable-mnt
 private-cache
 private-dev
-private-etc @tls-ca,@x11,Mutt,Muttrc,Muttrc.d,gai.conf,gnupg,gnutls,hosts.conf,mail,mailname,nntpserver,terminfo
+private-etc @tls-ca,@x11,Mutt,Muttrc,Muttrc.d,gai.conf,gnupg,gnutls,hosts.conf,mail,mailname,msmtprc,nntpserver,terminfo
 private-tmp
 writable-run-user
 writable-var
diff --git a/etc/profile-m-z/nano.profile b/etc/profile-m-z/nano.profile
index 6b4074dfb..ba63b2067 100644
--- a/etc/profile-m-z/nano.profile
+++ b/etc/profile-m-z/nano.profile
@@ -41,7 +41,7 @@ seccomp
 tracelog
 x11 none
 
-# disable-mnt
+#disable-mnt
 private-bin nano,rnano
 private-cache
 private-dev
diff --git a/etc/profile-m-z/natron.profile b/etc/profile-m-z/natron.profile
index b979e1aee..30dd164b6 100644
--- a/etc/profile-m-z/natron.profile
+++ b/etc/profile-m-z/natron.profile
@@ -30,7 +30,7 @@ nou2f
 protocol unix
 seccomp
 
-private-bin natron,Natron,NatronRenderer
+private-bin Natron,NatronRenderer,natron
 
 dbus-user none
 dbus-system none
diff --git a/etc/profile-m-z/ncdu.profile b/etc/profile-m-z/ncdu.profile
index 09687199b..5cfd8290a 100644
--- a/etc/profile-m-z/ncdu.profile
+++ b/etc/profile-m-z/ncdu.profile
@@ -29,7 +29,7 @@ seccomp
 x11 none
 
 private-dev
-# private-tmp
+#private-tmp
 
 dbus-user none
 dbus-system none
diff --git a/etc/profile-m-z/neochat.profile b/etc/profile-m-z/neochat.profile
index 80e28a5e5..d1a36e079 100644
--- a/etc/profile-m-z/neochat.profile
+++ b/etc/profile-m-z/neochat.profile
@@ -45,7 +45,7 @@ nosound
 notv
 nou2f
 novideo
-protocol unix,inet,inet6
+protocol unix,inet,inet6,netlink
 seccomp
 seccomp.block-secondary
 tracelog
diff --git a/etc/profile-m-z/neomutt.profile b/etc/profile-m-z/neomutt.profile
index 5bd1e7cba..51e2e43bf 100644
--- a/etc/profile-m-z/neomutt.profile
+++ b/etc/profile-m-z/neomutt.profile
@@ -10,6 +10,7 @@ include globals.local
 noblacklist ${DOCUMENTS}
 noblacklist ${HOME}/.Mail
 noblacklist ${HOME}/.bogofilter
+noblacklist ${HOME}/.config/msmtp
 noblacklist ${HOME}/.config/mutt
 noblacklist ${HOME}/.config/nano
 noblacklist ${HOME}/.config/neomutt
@@ -34,6 +35,7 @@ noblacklist ${HOME}/Mail
 noblacklist ${HOME}/mail
 noblacklist ${HOME}/postponed
 noblacklist ${HOME}/sent
+noblacklist /etc/msmtprc
 noblacklist /var/mail
 noblacklist /var/spool/mail
 
@@ -59,6 +61,7 @@ whitelist ${DOCUMENTS}
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.Mail
 whitelist ${HOME}/.bogofilter
+whitelist ${HOME}/.config/msmtp
 whitelist ${HOME}/.config/mutt
 whitelist ${HOME}/.config/nano
 whitelist ${HOME}/.config/neomutt
@@ -113,10 +116,10 @@ seccomp
 seccomp.block-secondary
 tracelog
 
-# disable-mnt
+#disable-mnt
 private-cache
 private-dev
-private-etc @tls-ca,@x11,Mutt,Muttrc,Muttrc.d,gnupg,hosts.conf,mail,mailname,neomuttrc,neomuttrc.d,nntpserver
+private-etc @tls-ca,@x11,Mutt,Muttrc,Muttrc.d,gnupg,hosts.conf,mail,mailname,msmtprc,neomuttrc,neomuttrc.d,nntpserver
 private-tmp
 writable-run-user
 writable-var
diff --git a/etc/profile-m-z/nicotine.profile b/etc/profile-m-z/nicotine.profile
index 568899eea..d1680e666 100644
--- a/etc/profile-m-z/nicotine.profile
+++ b/etc/profile-m-z/nicotine.profile
@@ -43,7 +43,6 @@ noinput
 nonewprivs
 noprinters
 noroot
-nosound
 notv
 nou2f
 novideo
@@ -57,7 +56,9 @@ private-cache
 private-dev
 private-tmp
 
-dbus-user none
+dbus-user filter
+dbus-user.own org.nicotine_plus.Nicotine
+dbus-user.talk ca.desrt.dconf
 dbus-system none
 
 restrict-namespaces
diff --git a/etc/profile-m-z/nitroshare.profile b/etc/profile-m-z/nitroshare.profile
index 7a97ca825..254eb789a 100644
--- a/etc/profile-m-z/nitroshare.profile
+++ b/etc/profile-m-z/nitroshare.profile
@@ -42,11 +42,11 @@ private-bin awk,grep,nitroshare,nitroshare-cli,nitroshare-nmh,nitroshare-send,ni
 private-cache
 private-dev
 private-etc @tls-ca,@x11
-# private-lib libnitroshare.so.*,libqhttpengine.so.*,libqmdnsengine.so.*,nitroshare
+#private-lib libnitroshare.so.*,libqhttpengine.so.*,libqmdnsengine.so.*,nitroshare
 private-tmp
 
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
-# memory-deny-write-execute
+#memory-deny-write-execute
 restrict-namespaces
diff --git a/etc/profile-m-z/nodejs-common.profile b/etc/profile-m-z/nodejs-common.profile
index 4c463521c..f301196c6 100644
--- a/etc/profile-m-z/nodejs-common.profile
+++ b/etc/profile-m-z/nodejs-common.profile
@@ -7,7 +7,7 @@ include nodejs-common.local
 # added by caller profile
 #include globals.local
 
-# Note: gulp, node-gyp, npm, npx, semver and yarn are all node scripts
+# Note: gulp, node-gyp, npm, npx, pnpm, pnpx, semver and yarn are all node scripts
 # using the `#!/usr/bin/env node` shebang. By sandboxing node the full
 # node.js stack will be firejailed. The only exception is nvm, which is implemented
 # as a sourced shell function, not an executable binary. Hence it is not
@@ -22,6 +22,7 @@ ignore read-only ${HOME}/.npmrc
 ignore read-only ${HOME}/.nvm
 ignore read-only ${HOME}/.yarnrc
 
+noblacklist ${HOME}/.local/share/pnpm
 noblacklist ${HOME}/.node-gyp
 noblacklist ${HOME}/.npm
 noblacklist ${HOME}/.npmrc
@@ -43,6 +44,7 @@ include disable-xdg.inc
 
 # If you want whitelisting, change ${HOME}/Projects below to your node projects directory
 # and add the next lines to your nodejs-common.local.
+#mkdir ${HOME}/.local/share/pnpm
 #mkdir ${HOME}/.node-gyp
 #mkdir ${HOME}/.npm
 #mkdir ${HOME}/.npm-packages
@@ -52,6 +54,7 @@ include disable-xdg.inc
 #mkdir ${HOME}/.yarn-config
 #mkdir ${HOME}/.yarncache
 #mkfile ${HOME}/.yarnrc
+#whitelist ${HOME}/.local/share/pnpm
 #whitelist ${HOME}/.node-gyp
 #whitelist ${HOME}/.npm
 #whitelist ${HOME}/.npm-packages
diff --git a/etc/profile-m-z/notable.profile b/etc/profile-m-z/notable.profile
index 9fbbf94c0..4bd3d45ac 100644
--- a/etc/profile-m-z/notable.profile
+++ b/etc/profile-m-z/notable.profile
@@ -14,11 +14,12 @@ include globals.local
 noblacklist ${HOME}/.config/Notable
 noblacklist ${HOME}/.notable
 
+whitelist /opt/Notable
+
 net none
 nosound
 
 ?HAS_APPIMAGE: ignore private-dev
-private-opt Notable
 
 dbus-user filter
 dbus-user.talk ca.desrt.dconf
diff --git a/etc/profile-m-z/notify-send.profile b/etc/profile-m-z/notify-send.profile
index f0f2cca2e..5ec81c2ac 100644
--- a/etc/profile-m-z/notify-send.profile
+++ b/etc/profile-m-z/notify-send.profile
@@ -18,7 +18,7 @@ include disable-shell.inc
 include disable-write-mnt.inc
 include disable-xdg.inc
 
-include whitelist-common.inc
+#include whitelist-common.inc # see #903
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/nuclear.profile b/etc/profile-m-z/nuclear.profile
index dec48c827..6d1e3cd8a 100644
--- a/etc/profile-m-z/nuclear.profile
+++ b/etc/profile-m-z/nuclear.profile
@@ -14,12 +14,12 @@ include disable-shell.inc
 
 mkdir ${HOME}/.config/nuclear
 whitelist ${HOME}/.config/nuclear
+whitelist /opt/nuclear
 
 no3d
 
-# private-bin nuclear
+#private-bin nuclear
 private-etc @tls-ca,@x11,host.conf,mime.types
-private-opt nuclear
 
 # Redirect
 include electron-common.profile
diff --git a/etc/profile-m-z/ocenaudio.profile b/etc/profile-m-z/ocenaudio.profile
index 830483bd4..3fe5a4712 100644
--- a/etc/profile-m-z/ocenaudio.profile
+++ b/etc/profile-m-z/ocenaudio.profile
@@ -25,6 +25,7 @@ whitelist ${HOME}/.cache/ocenaudio
 whitelist ${HOME}/.local/share/ocenaudio
 whitelist ${DOWNLOADS}
 whitelist ${MUSIC}
+whitelist /opt/ocenaudio
 include whitelist-common.inc
 include whitelist-run-common.inc
 include whitelist-runuser-common.inc
@@ -54,7 +55,6 @@ private-bin ocenaudio,ocenvst
 private-cache
 private-dev
 private-etc @tls-ca,@x11,mime.types
-private-opt ocenaudio
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/okular.profile b/etc/profile-m-z/okular.profile
index 8e0758c37..ac573dc47 100644
--- a/etc/profile-m-z/okular.profile
+++ b/etc/profile-m-z/okular.profile
@@ -44,7 +44,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 machine-id
-# net none
+#net none
 netfilter
 nodvd
 nogroups
@@ -62,12 +62,13 @@ tracelog
 private-bin kbuildsycoca4,kdeinit4,lpr,okular,unar,unrar
 private-dev
 private-etc @x11,cups
-# private-tmp - on KDE we need access to the real /tmp for data exchange with email clients
+# on KDE we need access to the real /tmp for data exchange with email clients
+#private-tmp
 
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
-# memory-deny-write-execute
+#memory-deny-write-execute
 
 restrict-namespaces
 join-or-start okular
diff --git a/etc/profile-m-z/onionshare-gui.profile b/etc/profile-m-z/onionshare-gui.profile
index 47ac9fc05..3338cadf5 100644
--- a/etc/profile-m-z/onionshare-gui.profile
+++ b/etc/profile-m-z/onionshare-gui.profile
@@ -50,7 +50,7 @@ novideo
 protocol unix,inet,inet6
 seccomp
 seccomp.block-secondary
-#tracelog - may cause issues, see #1930
+#tracelog # may cause issues, see #1930
 
 disable-mnt
 private-bin onionshare,onionshare-cli,onionshare-gui,python*,tor*
diff --git a/etc/profile-m-z/openclonk.profile b/etc/profile-m-z/openclonk.profile
index 3449ac686..e10f6011b 100644
--- a/etc/profile-m-z/openclonk.profile
+++ b/etc/profile-m-z/openclonk.profile
@@ -24,7 +24,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 ipc-namespace
-# net none - networked game
+#net none # networked game
 netfilter
 nodvd
 nogroups
diff --git a/etc/profile-m-z/orage.profile b/etc/profile-m-z/orage.profile
index fa16c05e2..c4849b958 100644
--- a/etc/profile-m-z/orage.profile
+++ b/etc/profile-m-z/orage.profile
@@ -24,7 +24,7 @@ nogroups
 noinput
 nonewprivs
 noroot
-# nosound - calendar application, It must be able to play sound to wake you up.
+#nosound # calendar application, It must be able to play sound to wake you up.
 notv
 nou2f
 novideo
diff --git a/etc/profile-m-z/otter-browser.profile b/etc/profile-m-z/otter-browser.profile
index a1c0462ba..76d4a2c52 100644
--- a/etc/profile-m-z/otter-browser.profile
+++ b/etc/profile-m-z/otter-browser.profile
@@ -57,4 +57,4 @@ private-tmp
 
 dbus-system none
 
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-m-z/palemoon.profile b/etc/profile-m-z/palemoon.profile
index ab4e24595..8917a9bc5 100644
--- a/etc/profile-m-z/palemoon.profile
+++ b/etc/profile-m-z/palemoon.profile
@@ -12,6 +12,7 @@ mkdir ${HOME}/.cache/moonchild productions/pale moon
 mkdir ${HOME}/.moonchild productions
 whitelist ${HOME}/.cache/moonchild productions/pale moon
 whitelist ${HOME}/.moonchild productions
+whitelist /opt/palemoon
 whitelist /usr/share/moonchild productions
 whitelist /usr/share/palemoon
 
@@ -22,7 +23,6 @@ ignore seccomp
 #private-bin palemoon
 # private-etc must first be enabled in firefox-common.profile
 #private-etc palemoon
-#private-opt palemoon
 
 restrict-namespaces
 ignore restrict-namespaces
diff --git a/etc/profile-m-z/patch.profile b/etc/profile-m-z/patch.profile
index 5a0f69f79..23e734b43 100644
--- a/etc/profile-m-z/patch.profile
+++ b/etc/profile-m-z/patch.profile
@@ -10,6 +10,7 @@ include globals.local
 blacklist ${RUNUSER}
 
 noblacklist ${DOCUMENTS}
+noblacklist ${PATH}/patch
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/pavucontrol-qt.profile b/etc/profile-m-z/pavucontrol-qt.profile
index f96ba14d2..79ed8777d 100644
--- a/etc/profile-m-z/pavucontrol-qt.profile
+++ b/etc/profile-m-z/pavucontrol-qt.profile
@@ -9,8 +9,9 @@ include pavucontrol-qt.local
 
 noblacklist ${HOME}/.config/pavucontrol-qt
 
-mkdir ${HOME}/.config/pavucontrol-qt
-whitelist ${HOME}/.config/pavucontrol-qt
+# whitelisting in ${HOME} is broken, see #3112
+#mkdir ${HOME}/.config/pavucontrol-qt
+#whitelist ${HOME}/.config/pavucontrol-qt
 
 private-bin pavucontrol-qt
 ignore private-lib
diff --git a/etc/profile-m-z/pidgin.profile b/etc/profile-m-z/pidgin.profile
index a852a2a18..5bc0bd700 100644
--- a/etc/profile-m-z/pidgin.profile
+++ b/etc/profile-m-z/pidgin.profile
@@ -40,7 +40,7 @@ protocol unix,inet,inet6,netlink
 seccomp
 tracelog
 
-# private-bin pidgin
+#private-bin pidgin
 private-cache
 private-dev
 private-tmp
diff --git a/etc/profile-m-z/ping.profile b/etc/profile-m-z/ping.profile
index 4520ac2fa..c3aa0a501 100644
--- a/etc/profile-m-z/ping.profile
+++ b/etc/profile-m-z/ping.profile
@@ -18,7 +18,7 @@ include disable-programs.inc
 include disable-X11.inc
 include disable-xdg.inc
 
-include whitelist-common.inc
+#include whitelist-common.inc # see #903
 include whitelist-run-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
@@ -55,7 +55,7 @@ tracelog
 
 disable-mnt
 private
-#private-bin ping - has mammoth problems with execvp: "No such file or directory"
+#private-bin ping # has mammoth problems with execvp: "No such file or directory"
 private-cache
 private-dev
 private-etc @tls-ca
diff --git a/etc/profile-m-z/pluma.profile b/etc/profile-m-z/pluma.profile
index efcdaa661..6e56208d5 100644
--- a/etc/profile-m-z/pluma.profile
+++ b/etc/profile-m-z/pluma.profile
@@ -21,10 +21,10 @@ include disable-shell.inc
 
 include whitelist-var-common.inc
 
-# apparmor - makes settings immutable
+#apparmor # makes settings immutable
 caps.drop all
 machine-id
-# net none - makes settings immutable
+#net none # makes settings immutable
 no3d
 nodvd
 nogroups
@@ -45,8 +45,8 @@ private-lib aspell,gconv,libgspell-1.so.*,libreadline.so.*,libtinfo.so.*,pluma
 private-tmp
 
 # makes settings immutable
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
 restrict-namespaces
 join-or-start pluma
diff --git a/etc/profile-m-z/plv.profile b/etc/profile-m-z/plv.profile
index 34e18cbd7..38fa01553 100644
--- a/etc/profile-m-z/plv.profile
+++ b/etc/profile-m-z/plv.profile
@@ -53,7 +53,7 @@ writable-var-log
 dbus-user none
 dbus-system none
 
-#memory-deny-write-execute - breaks opening file-chooser
+#memory-deny-write-execute # breaks opening file-chooser
 read-only ${HOME}
 read-write ${HOME}/.config/PacmanLogViewer
 read-only /var/log/pacman.log
diff --git a/etc/profile-m-z/pnpm.profile b/etc/profile-m-z/pnpm.profile
new file mode 100644
index 000000000..08f88be43
--- /dev/null
+++ b/etc/profile-m-z/pnpm.profile
@@ -0,0 +1,11 @@
+# Firejail profile for pnpm
+# Description: Fast, disk space efficient package manager
+quiet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pnpm.local
+# Persistent global definitions
+include globals.local
+
+# Redirect
+include nodejs-common.profile
diff --git a/etc/profile-m-z/pnpx.profile b/etc/profile-m-z/pnpx.profile
new file mode 100644
index 000000000..a99d1232a
--- /dev/null
+++ b/etc/profile-m-z/pnpx.profile
@@ -0,0 +1,11 @@
+# Firejail profile for pnpx
+# Description: Part of the Node.js stack
+quiet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pnpx.local
+# Persistent global definitions
+include globals.local
+
+# Redirect
+include nodejs-common.profile
diff --git a/etc/profile-m-z/postman.profile b/etc/profile-m-z/postman.profile
index c8f00584d..a74b72695 100644
--- a/etc/profile-m-z/postman.profile
+++ b/etc/profile-m-z/postman.profile
@@ -17,7 +17,7 @@ include whitelist-run-common.inc
 
 protocol unix,inet,inet6,netlink
 
-private-bin electron,electron[0-9],electron[0-9][0-9],locale,node,Postman,postman,sh
+private-bin Postman,electron,electron[0-9],electron[0-9][0-9],locale,node,postman,sh
 private-etc alternatives,ca-certificates,crypto-policies,fonts,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,nsswitch.conf,pki,resolv.conf,ssl
 # private-opt breaks file-copy-limit, use a whitelist instead of draining RAM
 # https://github.com/netblue30/firejail/discussions/5307
diff --git a/etc/profile-m-z/ppsspp.profile b/etc/profile-m-z/ppsspp.profile
index da16ae912..5ae6ccf04 100644
--- a/etc/profile-m-z/ppsspp.profile
+++ b/etc/profile-m-z/ppsspp.profile
@@ -39,7 +39,7 @@ novideo
 protocol unix,netlink
 seccomp
 
-private-bin ppsspp,PPSSPP,PPSSPPQt,PPSSPPSDL
+private-bin PPSSPP,PPSSPPQt,PPSSPPSDL,ppsspp
 # Add the next line to your ppsspp.local if you do not need controller support.
 #private-dev
 private-etc @tls-ca,@x11,host.conf
diff --git a/etc/profile-m-z/psi-plus.profile b/etc/profile-m-z/psi-plus.profile
index af117c3b5..7a735bba7 100644
--- a/etc/profile-m-z/psi-plus.profile
+++ b/etc/profile-m-z/psi-plus.profile
@@ -43,4 +43,4 @@ disable-mnt
 private-dev
 private-tmp
 
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-m-z/psi.profile b/etc/profile-m-z/psi.profile
index a1a0606b9..1417a87c9 100644
--- a/etc/profile-m-z/psi.profile
+++ b/etc/profile-m-z/psi.profile
@@ -62,7 +62,7 @@ novideo
 nou2f
 protocol unix,inet,inet6,netlink
 seccomp !chroot
-#tracelog - breaks on Arch
+#tracelog # breaks on Arch
 
 disable-mnt
 # Add the next line to your psi.local to enable GPG support.
diff --git a/etc/profile-m-z/pycharm-community.profile b/etc/profile-m-z/pycharm-community.profile
index 875b83e8e..fa307fc88 100644
--- a/etc/profile-m-z/pycharm-community.profile
+++ b/etc/profile-m-z/pycharm-community.profile
@@ -34,8 +34,8 @@ nou2f
 novideo
 tracelog
 
-# private-etc alternatives,fonts,passwd - minimal required to run but will probably break
-# program!
+# minimum required to run but will probably break the program!
+#private-etc alternatives,fonts,passwd
 private-dev
 private-tmp
 
diff --git a/etc/profile-m-z/qbittorrent.profile b/etc/profile-m-z/qbittorrent.profile
index 9605da3ac..ae0a2cdf1 100644
--- a/etc/profile-m-z/qbittorrent.profile
+++ b/etc/profile-m-z/qbittorrent.profile
@@ -55,12 +55,12 @@ seccomp
 
 private-bin python*,qbittorrent
 private-dev
-# private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,resolv.conf,ssl,X11,xdg
+#private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,resolv.conf,ssl,X11,xdg
 private-tmp
 
 # See https://github.com/netblue30/firejail/issues/3707 for tray-icon
 dbus-user none
 dbus-system none
 
-# memory-deny-write-execute - problems on Arch, see #1690 on GitHub repo
+#memory-deny-write-execute # problems on Arch, see #1690 on GitHub repo
 restrict-namespaces
diff --git a/etc/profile-m-z/qmmp.profile b/etc/profile-m-z/qmmp.profile
index ecd62a7d1..66c8f3238 100644
--- a/etc/profile-m-z/qmmp.profile
+++ b/etc/profile-m-z/qmmp.profile
@@ -18,7 +18,7 @@ include disable-xdg.inc
 
 caps.drop all
 netfilter
-# no3d
+#no3d
 nogroups
 noinput
 nonewprivs
diff --git a/etc/profile-m-z/qpdfview.profile b/etc/profile-m-z/qpdfview.profile
index 4caa0917f..784d2fafd 100644
--- a/etc/profile-m-z/qpdfview.profile
+++ b/etc/profile-m-z/qpdfview.profile
@@ -41,7 +41,7 @@ private-dev
 private-tmp
 
 # needs D-Bus when started from a file manager
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
 restrict-namespaces
diff --git a/etc/profile-m-z/qtox.profile b/etc/profile-m-z/qtox.profile
index ab0f9425a..20c84c5a8 100644
--- a/etc/profile-m-z/qtox.profile
+++ b/etc/profile-m-z/qtox.profile
@@ -48,5 +48,5 @@ private-tmp
 dbus-user none
 dbus-system none
 
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 restrict-namespaces
diff --git a/etc/profile-m-z/quassel.profile b/etc/profile-m-z/quassel.profile
index 4589c9e4a..4ec990e95 100644
--- a/etc/profile-m-z/quassel.profile
+++ b/etc/profile-m-z/quassel.profile
@@ -25,4 +25,4 @@ seccomp !chroot
 private-cache
 private-tmp
 
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-m-z/quiterss.profile b/etc/profile-m-z/quiterss.profile
index a59f01f85..4102b1ea0 100644
--- a/etc/profile-m-z/quiterss.profile
+++ b/etc/profile-m-z/quiterss.profile
@@ -50,6 +50,6 @@ tracelog
 disable-mnt
 private-bin quiterss
 private-dev
-# private-etc alternatives,ca-certificates,crypto-policies,pki,ssl,X11
+#private-etc alternatives,ca-certificates,crypto-policies,pki,ssl,X11
 
 restrict-namespaces
diff --git a/etc/profile-m-z/reader.profile b/etc/profile-m-z/reader.profile
index 050c46d53..31c45fe84 100644
--- a/etc/profile-m-z/reader.profile
+++ b/etc/profile-m-z/reader.profile
@@ -17,7 +17,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-include whitelist-common.inc
+#include whitelist-common.inc # see #903
 include whitelist-run-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/rpcs3.profile b/etc/profile-m-z/rpcs3.profile
index 405ab818d..603ec8ff4 100644
--- a/etc/profile-m-z/rpcs3.profile
+++ b/etc/profile-m-z/rpcs3.profile
@@ -54,7 +54,8 @@ tracelog
 
 disable-mnt
 #private-cache
-#private-etc alternatives,ca-certificates,crypto-policies,machine-id,pki,resolv.conf,ssl # seems to need awk
+# seems to need awk
+#private-etc alternatives,ca-certificates,crypto-policies,machine-id,pki,resolv.conf,ssl
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/rssguard.profile b/etc/profile-m-z/rssguard.profile
index 81381c205..ce455baba 100644
--- a/etc/profile-m-z/rssguard.profile
+++ b/etc/profile-m-z/rssguard.profile
@@ -31,13 +31,13 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
-# no3d
+#no3d
 nodvd
 nogroups
 noinput
 nonewprivs
 noroot
-# nosound
+#nosound
 notv
 nou2f
 novideo
diff --git a/etc/profile-m-z/rtv-addons.profile b/etc/profile-m-z/rtv-addons.profile
index cc6db5043..3098cf0a0 100644
--- a/etc/profile-m-z/rtv-addons.profile
+++ b/etc/profile-m-z/rtv-addons.profile
@@ -11,13 +11,17 @@ ignore nosound
 ignore private-bin
 ignore dbus-user none
 
+noblacklist ${HOME}/.cache/mpv
 noblacklist ${HOME}/.config/mpv
+noblacklist ${HOME}/.local/state/mpv
 noblacklist ${HOME}/.mailcap
 noblacklist ${HOME}/.netrc
 noblacklist ${HOME}/.w3m
 
+whitelist ${HOME}/.cache/mpv
 whitelist ${HOME}/.cache/youtube-dl/youtube-sigfuncs
 whitelist ${HOME}/.config/mpv
+whitelist ${HOME}/.local/state/mpv
 whitelist ${HOME}/.mailcap
 whitelist ${HOME}/.netrc
 whitelist ${HOME}/.w3m
diff --git a/etc/profile-m-z/scribus.profile b/etc/profile-m-z/scribus.profile
index 34cf783fe..8e25375b0 100644
--- a/etc/profile-m-z/scribus.profile
+++ b/etc/profile-m-z/scribus.profile
@@ -55,7 +55,7 @@ protocol unix
 seccomp
 tracelog
 
-# private-bin gimp*,gs,scribus
+#private-bin gimp*,gs,scribus
 private-dev
 private-tmp
 
diff --git a/etc/profile-m-z/seahorse-adventures.profile b/etc/profile-m-z/seahorse-adventures.profile
index 5985e0da3..49d98d9f5 100644
--- a/etc/profile-m-z/seahorse-adventures.profile
+++ b/etc/profile-m-z/seahorse-adventures.profile
@@ -23,7 +23,7 @@ include disable-xdg.inc
 
 whitelist /usr/share/seahorse-adventures
 whitelist /usr/share/games/seahorse-adventures
-include whitelist-common.inc
+#include whitelist-common.inc # see #903
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/seamonkey.profile b/etc/profile-m-z/seamonkey.profile
index c2dbbc2c6..1171a52f0 100644
--- a/etc/profile-m-z/seamonkey.profile
+++ b/etc/profile-m-z/seamonkey.profile
@@ -55,7 +55,7 @@ seccomp
 tracelog
 
 disable-mnt
-# private-etc adobe,alternatives,asound.conf,ca-certificates,crypto-policies,firefox,fonts,group,gtk-2.0,hostname,hosts,iceweasel,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,ssl
+#private-etc adobe,alternatives,asound.conf,ca-certificates,crypto-policies,firefox,fonts,group,gtk-2.0,hostname,hosts,iceweasel,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,ssl
 writable-run-user
 
 restrict-namespaces
diff --git a/etc/profile-m-z/server.profile b/etc/profile-m-z/server.profile
index 667f9c557..74587c992 100644
--- a/etc/profile-m-z/server.profile
+++ b/etc/profile-m-z/server.profile
@@ -34,36 +34,36 @@ include globals.local
 noblacklist /sbin
 noblacklist /usr/sbin
 noblacklist /etc/init.d
-# noblacklist /var/opt
+#noblacklist /var/opt
 
 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
 
 include disable-common.inc
-# include disable-devel.inc
-# include disable-exec.inc
-# include disable-interpreters.inc
+#include disable-devel.inc
+#include disable-exec.inc
+#include disable-interpreters.inc
 include disable-programs.inc
 include disable-write-mnt.inc
 include disable-xdg.inc
 
-# include whitelist-runuser-common.inc
-# include whitelist-usr-share-common.inc
-# include whitelist-var-common.inc
+#include whitelist-runuser-common.inc
+#include whitelist-usr-share-common.inc
+#include whitelist-var-common.inc
 
 # people use to install servers all over the place!
 # apparmor runs executable only from default system locations
-# apparmor
+#apparmor
 caps
-# ipc-namespace
+#ipc-namespace
 machine-id
-# netfilter /etc/firejail/webserver.net
+#netfilter /etc/firejail/webserver.net
 no3d
 nodvd
-# nogroups
+#nogroups
 noinput
 nonewprivs
-# noroot
+#noroot
 nosound
 notv
 nou2f
@@ -74,22 +74,22 @@ tab # allow tab completion
 
 disable-mnt
 private
-# private-bin program
-# private-cache
+#private-bin program
+#private-cache
 private-dev
 # see /usr/share/doc/firejail/profile.template for more common private-etc paths.
-# private-etc alternatives
-# private-lib
-# private-opt none
+#private-etc alternatives
+#private-lib
+#private-opt none
 private-tmp
-# writable-run-user
-# writable-var
-# writable-var-log
+#writable-run-user
+#writable-var
+#writable-var-log
 
 dbus-user none
-# dbus-system none
+#dbus-system none
 
-# deterministic-shutdown
-# memory-deny-write-execute
-# read-only ${HOME}
-# restrict-namespaces
+#deterministic-shutdown
+#memory-deny-write-execute
+#read-only ${HOME}
+#restrict-namespaces
diff --git a/etc/profile-m-z/silentarmy.profile b/etc/profile-m-z/silentarmy.profile
index 96e4cf283..154e29ccf 100644
--- a/etc/profile-m-z/silentarmy.profile
+++ b/etc/profile-m-z/silentarmy.profile
@@ -7,7 +7,7 @@ include globals.local
 
 
 include disable-common.inc
-# include disable-devel.inc
+#include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
diff --git a/etc/profile-m-z/simple-scan.profile b/etc/profile-m-z/simple-scan.profile
index 14846cf58..f8bcd3c6e 100644
--- a/etc/profile-m-z/simple-scan.profile
+++ b/etc/profile-m-z/simple-scan.profile
@@ -28,15 +28,15 @@ nonewprivs
 noroot
 nosound
 notv
-# novideo
+#novideo
 protocol unix,inet,inet6,netlink
 # blacklisting of ioperm system calls breaks simple-scan
 seccomp !ioperm
 tracelog
 
-# private-bin simple-scan
-# private-dev
-# private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl
-# private-tmp
+#private-bin simple-scan
+#private-dev
+#private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl
+#private-tmp
 
 restrict-namespaces
diff --git a/etc/profile-m-z/simutrans.profile b/etc/profile-m-z/simutrans.profile
index f88ae65c8..995b59538 100644
--- a/etc/profile-m-z/simutrans.profile
+++ b/etc/profile-m-z/simutrans.profile
@@ -33,7 +33,7 @@ novideo
 protocol unix
 seccomp
 
-# private-bin simutrans
+#private-bin simutrans
 private-dev
 private-etc @games,@x11
 private-tmp
diff --git a/etc/profile-m-z/skanlite.profile b/etc/profile-m-z/skanlite.profile
index 6b73b2289..3b78f7fd2 100644
--- a/etc/profile-m-z/skanlite.profile
+++ b/etc/profile-m-z/skanlite.profile
@@ -22,16 +22,16 @@ nonewprivs
 noroot
 nosound
 notv
-# novideo
+#novideo
 protocol unix,inet,inet6,netlink
 # blacklisting of ioperm system calls breaks skanlite
 seccomp !ioperm
 
-# private-bin kbuildsycoca4,kdeinit4,skanlite
-# private-dev
-# private-tmp
+#private-bin kbuildsycoca4,kdeinit4,skanlite
+#private-dev
+#private-tmp
 
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
 restrict-namespaces
diff --git a/etc/profile-m-z/smplayer.profile b/etc/profile-m-z/smplayer.profile
index 9dd41fd27..ece191b73 100644
--- a/etc/profile-m-z/smplayer.profile
+++ b/etc/profile-m-z/smplayer.profile
@@ -36,7 +36,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
-# nogroups
+#nogroups
 noinput
 nonewprivs
 noroot
@@ -49,7 +49,7 @@ private-dev
 private-tmp
 
 # problems with KDE
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
 restrict-namespaces
diff --git a/etc/profile-m-z/smtube.profile b/etc/profile-m-z/smtube.profile
index b617444af..7debd4057 100644
--- a/etc/profile-m-z/smtube.profile
+++ b/etc/profile-m-z/smtube.profile
@@ -6,12 +6,14 @@ include smtube.local
 # Persistent global definitions
 include globals.local
 
+noblacklist ${HOME}/.cache/mpv
+noblacklist ${HOME}/.config/mpv
 noblacklist ${HOME}/.config/smplayer
 noblacklist ${HOME}/.config/smtube
-noblacklist ${HOME}/.config/mpv
-noblacklist ${HOME}/.mplayer
 noblacklist ${HOME}/.config/vlc
 noblacklist ${HOME}/.local/share/vlc
+noblacklist ${HOME}/.local/state/mpv
+noblacklist ${HOME}/.mplayer
 noblacklist ${MUSIC}
 noblacklist ${VIDEOS}
 
diff --git a/etc/profile-m-z/sniffnet.profile b/etc/profile-m-z/sniffnet.profile
index eb18c1f01..940c35b2e 100644
--- a/etc/profile-m-z/sniffnet.profile
+++ b/etc/profile-m-z/sniffnet.profile
@@ -29,8 +29,8 @@ netfilter
 nodvd
 nogroups
 noinput
-# nonewprivs - breaks network traffic capture for unprivileged users
-# noroot
+#nonewprivs # breaks network traffic capture for unprivileged users
+#noroot
 notv
 nou2f
 novideo
diff --git a/etc/profile-m-z/softmaker-common.profile b/etc/profile-m-z/softmaker-common.profile
index 7ce6748d1..3a3a9062e 100644
--- a/etc/profile-m-z/softmaker-common.profile
+++ b/etc/profile-m-z/softmaker-common.profile
@@ -42,7 +42,7 @@ tracelog
 private-bin freeoffice-planmaker,freeoffice-presentations,freeoffice-textmaker,planmaker18,planmaker18free,presentations18,presentations18free,sh,textmaker18,textmaker18free
 private-cache
 private-dev
-private-etc @tls-ca,fstab,SoftMaker
+private-etc @tls-ca,SoftMaker,fstab
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/sol.profile b/etc/profile-m-z/sol.profile
index e2be4e9e0..07f9b0094 100644
--- a/etc/profile-m-z/sol.profile
+++ b/etc/profile-m-z/sol.profile
@@ -21,13 +21,13 @@ apparmor
 caps.drop all
 ipc-namespace
 net none
-# no3d
+#no3d
 nodvd
 nogroups
 noinput
 nonewprivs
 noroot
-# nosound
+#nosound
 notv
 nou2f
 novideo
@@ -43,5 +43,5 @@ private-tmp
 dbus-user none
 dbus-system none
 
-# memory-deny-write-execute
+#memory-deny-write-execute
 restrict-namespaces
diff --git a/etc/profile-m-z/sound-juicer.profile b/etc/profile-m-z/sound-juicer.profile
index f5ac6c739..5c5763538 100644
--- a/etc/profile-m-z/sound-juicer.profile
+++ b/etc/profile-m-z/sound-juicer.profile
@@ -38,7 +38,7 @@ private-cache
 private-dev
 private-tmp
 
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
 restrict-namespaces
diff --git a/etc/profile-m-z/spotify.profile b/etc/profile-m-z/spotify.profile
index c893a92fb..63c2c5086 100644
--- a/etc/profile-m-z/spotify.profile
+++ b/etc/profile-m-z/spotify.profile
@@ -26,6 +26,7 @@ whitelist ${HOME}/.cache/spotify
 whitelist ${HOME}/.config/spotify
 whitelist ${HOME}/.config/spotify-adblock
 whitelist ${HOME}/.local/share/spotify
+whitelist /opt/spotify
 include whitelist-common.inc
 include whitelist-var-common.inc
 
@@ -48,7 +49,6 @@ private-bin bash,cat,dirname,find,grep,head,rm,sh,spotify,tclsh,touch,zenity
 private-dev
 # If you want to see album covers or want to use the radio, add 'ignore private-etc' to your spotify.local.
 private-etc @tls-ca,host.conf,spotify-adblock
-private-opt spotify
 private-srv none
 private-tmp
 
diff --git a/etc/profile-m-z/sqlitebrowser.profile b/etc/profile-m-z/sqlitebrowser.profile
index ce356367f..013c7ac13 100644
--- a/etc/profile-m-z/sqlitebrowser.profile
+++ b/etc/profile-m-z/sqlitebrowser.profile
@@ -46,8 +46,8 @@ private-etc @tls-ca
 private-tmp
 
 # breaks proxy creation
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 restrict-namespaces
diff --git a/etc/profile-m-z/ssh.profile b/etc/profile-m-z/ssh.profile
index a7956a76e..fde85be64 100644
--- a/etc/profile-m-z/ssh.profile
+++ b/etc/profile-m-z/ssh.profile
@@ -32,10 +32,10 @@ nodvd
 nogroups
 noinput
 nonewprivs
-# noroot - see issue #1543
+#noroot # see issue #1543
 nosound
 notv
-# nou2f - OpenSSH >= 8.2 supports U2F
+#nou2f # OpenSSH >= 8.2 supports U2F
 novideo
 protocol unix,inet,inet6
 seccomp
@@ -43,7 +43,7 @@ tracelog
 
 private-cache
 private-dev
-# private-tmp # Breaks when exiting
+#private-tmp # Breaks when exiting
 writable-run-user
 
 dbus-user none
diff --git a/etc/profile-m-z/ssmtp.profile b/etc/profile-m-z/ssmtp.profile
index 1a224e7b0..b87f514f9 100644
--- a/etc/profile-m-z/ssmtp.profile
+++ b/etc/profile-m-z/ssmtp.profile
@@ -16,6 +16,7 @@ noblacklist /sbin
 noblacklist /usr/sbin
 
 noblacklist ${DOCUMENTS}
+noblacklist ${PATH}/ssmtp
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/profile-m-z/standardnotes-desktop.profile b/etc/profile-m-z/standardnotes-desktop.profile
index 3fe0963a9..fe4e4b6d7 100644
--- a/etc/profile-m-z/standardnotes-desktop.profile
+++ b/etc/profile-m-z/standardnotes-desktop.profile
@@ -47,4 +47,4 @@ private-etc @tls-ca,@x11,host.conf
 dbus-user none
 dbus-system none
 
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-m-z/steam.profile b/etc/profile-m-z/steam.profile
index 99317c9dc..41de746dd 100644
--- a/etc/profile-m-z/steam.profile
+++ b/etc/profile-m-z/steam.profile
@@ -12,10 +12,12 @@ noblacklist ${HOME}/.config/MangoHud
 noblacklist ${HOME}/.config/ModTheSpire
 noblacklist ${HOME}/.config/RogueLegacy
 noblacklist ${HOME}/.config/RogueLegacyStorageContainer
+noblacklist ${HOME}/.factorio
 noblacklist ${HOME}/.killingfloor
 noblacklist ${HOME}/.klei
 noblacklist ${HOME}/.local/share/3909/PapersPlease
 noblacklist ${HOME}/.local/share/aspyr-media
+noblacklist ${HOME}/.local/share/Baba_Is_You
 noblacklist ${HOME}/.local/share/bohemiainteractive
 noblacklist ${HOME}/.local/share/cdprojektred
 noblacklist ${HOME}/.local/share/Colossal Order
@@ -64,10 +66,12 @@ mkdir ${HOME}/.config/MangoHud
 mkdir ${HOME}/.config/ModTheSpire
 mkdir ${HOME}/.config/RogueLegacy
 mkdir ${HOME}/.config/unity3d
+mkdir ${HOME}/.factorio
 mkdir ${HOME}/.killingfloor
 mkdir ${HOME}/.klei
 mkdir ${HOME}/.local/share/3909/PapersPlease
 mkdir ${HOME}/.local/share/aspyr-media
+mkdir ${HOME}/.local/share/Baba_Is_You
 mkdir ${HOME}/.local/share/bohemiainteractive
 mkdir ${HOME}/.local/share/cdprojektred
 mkdir ${HOME}/.local/share/Colossal Order
@@ -100,10 +104,12 @@ whitelist ${HOME}/.config/ModTheSpire
 whitelist ${HOME}/.config/RogueLegacy
 whitelist ${HOME}/.config/RogueLegacyStorageContainer
 whitelist ${HOME}/.config/unity3d
+whitelist ${HOME}/.factorio
 whitelist ${HOME}/.killingfloor
 whitelist ${HOME}/.klei
 whitelist ${HOME}/.local/share/3909/PapersPlease
 whitelist ${HOME}/.local/share/aspyr-media
+whitelist ${HOME}/.local/share/Baba_Is_You
 whitelist ${HOME}/.local/share/bohemiainteractive
 whitelist ${HOME}/.local/share/cdprojektred
 whitelist ${HOME}/.local/share/Colossal Order
@@ -157,7 +163,7 @@ protocol unix,inet,inet6,netlink
 # Add 'ignore seccomp' to your steam.local if you experience this.
 # mount, name_to_handle_at, pivot_root and umount2 are used by Proton >= 5.13
 # (see #4366).
-seccomp !chroot,!mount,!name_to_handle_at,!pivot_root,!ptrace,!umount2
+seccomp !chroot,!mount,!name_to_handle_at,!pivot_root,!process_vm_readv,!ptrace,!umount2
 # process_vm_readv is used by GE-Proton7-18 (see #5185).
 seccomp.32 !process_vm_readv
 # tracelog breaks integrated browser
diff --git a/etc/profile-m-z/subdownloader.profile b/etc/profile-m-z/subdownloader.profile
index 6de288c46..8b5d7e253 100644
--- a/etc/profile-m-z/subdownloader.profile
+++ b/etc/profile-m-z/subdownloader.profile
@@ -49,5 +49,5 @@ private-tmp
 dbus-user none
 dbus-system none
 
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 restrict-namespaces
diff --git a/etc/profile-m-z/supertux2.profile b/etc/profile-m-z/supertux2.profile
index 2ad107f1a..65aea6667 100644
--- a/etc/profile-m-z/supertux2.profile
+++ b/etc/profile-m-z/supertux2.profile
@@ -41,7 +41,7 @@ seccomp.block-secondary
 tracelog
 
 disable-mnt
-# private-bin supertux2
+#private-bin supertux2
 private-cache
 private-etc
 private-dev
diff --git a/etc/profile-m-z/sushi.profile b/etc/profile-m-z/sushi.profile
index 7b6a87b31..728db012e 100644
--- a/etc/profile-m-z/sushi.profile
+++ b/etc/profile-m-z/sushi.profile
@@ -13,7 +13,7 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-# include disable-programs.inc
+#include disable-programs.inc
 include disable-shell.inc
 
 include whitelist-runuser-common.inc
diff --git a/etc/profile-m-z/sylpheed.profile b/etc/profile-m-z/sylpheed.profile
index 5fb35aa04..7cef394c2 100644
--- a/etc/profile-m-z/sylpheed.profile
+++ b/etc/profile-m-z/sylpheed.profile
@@ -13,7 +13,7 @@ whitelist ${HOME}/.sylpheed-2.0
 
 whitelist /usr/share/sylpheed
 
-# private-bin curl,gpg,gpg2,gpg-agent,gpgsm,pinentry,pinentry-gtk-2,sylpheed
+#private-bin curl,gpg,gpg2,gpg-agent,gpgsm,pinentry,pinentry-gtk-2,sylpheed
 
 # Redirect
 include email-common.profile
diff --git a/etc/profile-m-z/sysprof.profile b/etc/profile-m-z/sysprof.profile
index 726baf336..b0a80fc27 100644
--- a/etc/profile-m-z/sysprof.profile
+++ b/etc/profile-m-z/sysprof.profile
@@ -59,11 +59,11 @@ seccomp
 tracelog
 
 disable-mnt
-#private-bin sysprof - breaks help menu
+#private-bin sysprof # breaks help menu
 private-cache
 private-dev
 private-etc @tls-ca
-# private-lib - breaks help menu
+#private-lib # breaks help menu
 #private-lib gdk-pixbuf-2.*,gio,gtk3,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*,libsysprof-2.so,libsysprof-ui-2.so
 private-tmp
 
@@ -73,5 +73,5 @@ dbus-user.own org.gnome.Yelp
 dbus-user.own org.gnome.Sysprof3
 dbus-user.talk ca.desrt.dconf
 
-# memory-deny-write-execute - breaks on Arch
+#memory-deny-write-execute # breaks on Arch
 restrict-namespaces
diff --git a/etc/profile-m-z/system-log-common.profile b/etc/profile-m-z/system-log-common.profile
new file mode 100644
index 000000000..dda8bdc47
--- /dev/null
+++ b/etc/profile-m-z/system-log-common.profile
@@ -0,0 +1,60 @@
+# Firejail profile for system-log-common
+# Description: Common profile for GUI system log viewers
+# This file is overwritten after every install/update
+# Persistent local customizations
+include system-log-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist /run/log/journal
+whitelist /var/log/journal
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+net none
+no3d
+nodvd
+#nogroups
+noinput
+nonewprivs
+noprinters
+#noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+tracelog
+
+disable-mnt
+private-cache
+private-dev
+private-etc machine-id
+private-tmp
+
+dbus-user none
+dbus-system none
+
+restrict-namespaces
+# Add 'ignore read-only ${HOME}' to your system-log-common.local
+# if you export logs to a file under your ${HOME}.
+read-only ${HOME}
+writable-var-log
diff --git a/etc/profile-m-z/teamspeak3.profile b/etc/profile-m-z/teamspeak3.profile
index 41da4ee13..06b547b3d 100644
--- a/etc/profile-m-z/teamspeak3.profile
+++ b/etc/profile-m-z/teamspeak3.profile
@@ -39,4 +39,4 @@ disable-mnt
 private-dev
 private-tmp
 
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-m-z/telegram.profile b/etc/profile-m-z/telegram.profile
index ba915c2d4..7ed3d98d4 100644
--- a/etc/profile-m-z/telegram.profile
+++ b/etc/profile-m-z/telegram.profile
@@ -7,6 +7,7 @@ include globals.local
 
 noblacklist ${HOME}/.TelegramDesktop
 noblacklist ${HOME}/.local/share/TelegramDesktop
+noblacklist ${HOME}/.local/share/telegram-desktop
 
 # Allow opening hyperlinks
 include allow-bin-sh.inc
@@ -21,8 +22,10 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.TelegramDesktop
 mkdir ${HOME}/.local/share/TelegramDesktop
+mkdir ${HOME}/.local/share/telegram-desktop
 whitelist ${HOME}/.TelegramDesktop
 whitelist ${HOME}/.local/share/TelegramDesktop
+whitelist ${HOME}/.local/share/telegram-desktop
 whitelist ${DOWNLOADS}
 whitelist /usr/share/TelegramDesktop
 include whitelist-common.inc
@@ -43,7 +46,7 @@ seccomp
 seccomp.block-secondary
 
 disable-mnt
-private-bin bash,sh,telegram,Telegram,telegram-desktop,xdg-open
+private-bin Telegram,bash,sh,telegram,telegram-desktop,xdg-open
 private-cache
 private-dev
 private-etc @tls-ca,@x11,os-release
diff --git a/etc/profile-m-z/termshark.profile b/etc/profile-m-z/termshark.profile
new file mode 100644
index 000000000..630d5dda6
--- /dev/null
+++ b/etc/profile-m-z/termshark.profile
@@ -0,0 +1,15 @@
+# Firejail profile for termshark
+# Description: Terminal UI for tshark, inspired by Wireshark
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include termshark.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}
+
+# Redirect
+include wireshark.profile
diff --git a/etc/profile-m-z/tesseract.profile b/etc/profile-m-z/tesseract.profile
index 5babfb8d2..c0293406d 100644
--- a/etc/profile-m-z/tesseract.profile
+++ b/etc/profile-m-z/tesseract.profile
@@ -26,6 +26,7 @@ include whitelist-common.inc
 include whitelist-run-common.inc
 include whitelist-runuser-common.inc
 whitelist /usr/share/tessdata
+whitelist /usr/share/tesseract-ocr
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/thunderbird-beta.profile b/etc/profile-m-z/thunderbird-beta.profile
index 46a1e57c8..e01a9d2d8 100644
--- a/etc/profile-m-z/thunderbird-beta.profile
+++ b/etc/profile-m-z/thunderbird-beta.profile
@@ -6,7 +6,7 @@ include thunderbird-beta.local
 # added by included profile
 #include globals.local
 
-private-opt thunderbird-beta
+whitelist /opt/thunderbird-beta
 
 # Redirect
 include thunderbird.profile
diff --git a/etc/profile-m-z/thunderbird.profile b/etc/profile-m-z/thunderbird.profile
index 17e2f0856..979971ac2 100644
--- a/etc/profile-m-z/thunderbird.profile
+++ b/etc/profile-m-z/thunderbird.profile
@@ -35,7 +35,7 @@ whitelist ${HOME}/.mozilla/firefox/profiles.ini
 
 noblacklist ${HOME}/.cache/thunderbird
 noblacklist ${HOME}/.gnupg
-# noblacklist ${HOME}/.icedove
+#noblacklist ${HOME}/.icedove
 noblacklist ${HOME}/.thunderbird
 
 include disable-xdg.inc
@@ -46,11 +46,11 @@ include disable-xdg.inc
 # See https://github.com/netblue30/firejail/issues/2357
 mkdir ${HOME}/.cache/thunderbird
 mkdir ${HOME}/.gnupg
-# mkdir ${HOME}/.icedove
+#mkdir ${HOME}/.icedove
 mkdir ${HOME}/.thunderbird
 whitelist ${HOME}/.cache/thunderbird
 whitelist ${HOME}/.gnupg
-# whitelist ${HOME}/.icedove
+#whitelist ${HOME}/.icedove
 whitelist ${HOME}/.thunderbird
 
 whitelist /usr/share/gnupg
diff --git a/etc/profile-m-z/tidal-hifi.profile b/etc/profile-m-z/tidal-hifi.profile
new file mode 100644
index 000000000..d2e23239e
--- /dev/null
+++ b/etc/profile-m-z/tidal-hifi.profile
@@ -0,0 +1,39 @@
+# Firejail profile for tidal-hifi
+# Description: The web version of Tidal running in electron with hifi support thanks to widevine.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tidal-hifi.local
+# Persistent global definitions
+include globals.local
+
+ignore noexec ${HOME}
+
+noblacklist ${HOME}/.config/tidal-hifi
+
+include disable-proc.inc
+include disable-shell.inc
+
+whitelist ${HOME}/.config/tidal-hifi
+
+caps.drop all
+no3d
+nonewprivs
+noprinters
+noroot
+protocol unix,inet,inet6
+seccomp !chroot
+seccomp.block-secondary
+tracelog
+
+private-bin chrome-sandbox,tidal-hifi
+private-etc @network,@sound,@tls-ca,@xdg
+private-opt tidal-hifi
+
+ignore dbus-user none
+dbus-user filter
+dbus-user.own org.mpris.MediaPlayer2.tidal-hifi
+dbus-user.talk org.freedesktop.Notifications
+
+join-or-start tidal-hifi
+
+include electron-common.profile
diff --git a/etc/profile-m-z/tiny-rdm.profile b/etc/profile-m-z/tiny-rdm.profile
new file mode 100644
index 000000000..4134d666c
--- /dev/null
+++ b/etc/profile-m-z/tiny-rdm.profile
@@ -0,0 +1,61 @@
+# Firejail profile for tiny-rdm
+# Description: A Modern Redis GUI Client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tiny-rdm.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/tiny-rdm
+noblacklist ${HOME}/.config/TinyRDM
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-proc.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/tiny-rdm
+mkdir ${HOME}/.config/TinyRDM
+whitelist ${HOME}/.cache/tiny-rdm
+whitelist ${HOME}/.config/TinyRDM
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noprinters
+noroot
+notv
+nou2f
+novideo
+nosound
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+tracelog
+
+disable-mnt
+private-bin tiny-rdm
+private-cache
+private-dev
+private-etc @network,@tls-ca,@x11
+private-tmp
+
+dbus-user none
+dbus-system none
+
+restrict-namespaces
diff --git a/etc/profile-m-z/tmux.profile b/etc/profile-m-z/tmux.profile
index a855ff839..ddd2aa85f 100644
--- a/etc/profile-m-z/tmux.profile
+++ b/etc/profile-m-z/tmux.profile
@@ -12,10 +12,10 @@ blacklist ${RUNUSER}
 
 noblacklist /tmp/tmux-*
 
-# include disable-common.inc
-# include disable-devel.inc
-# include disable-exec.inc
-# include disable-programs.inc
+#include disable-common.inc
+#include disable-devel.inc
+#include disable-exec.inc
+#include disable-programs.inc
 
 caps.drop all
 ipc-namespace
@@ -36,9 +36,9 @@ seccomp
 seccomp.block-secondary
 tracelog
 
-# private-cache
+#private-cache
 private-dev
-# private-tmp
+#private-tmp
 
 dbus-user none
 dbus-system none
diff --git a/etc/profile-m-z/torbrowser-launcher.profile b/etc/profile-m-z/torbrowser-launcher.profile
index 86746c7f1..b9fdcf92c 100644
--- a/etc/profile-m-z/torbrowser-launcher.profile
+++ b/etc/profile-m-z/torbrowser-launcher.profile
@@ -56,13 +56,12 @@ novideo
 protocol unix,inet,inet6
 seccomp !chroot
 seccomp.block-secondary
-#tracelog - may cause issues, see #1930
+#tracelog # may cause issues, see #1930
 
 disable-mnt
 private-bin bash,cat,cp,cut,dirname,env,expr,file,gpg,grep,gxmessage,id,kdialog,ln,mkdir,mv,python*,rm,sed,sh,tail,tar,tclsh,test,tor-browser,tor-browser-en,torbrowser-launcher,update-desktop-database,xmessage,xz,zenity
 private-dev
 private-etc @tls-ca
-#private-opt tor-browser - can cause slow startup
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/totem.profile b/etc/profile-m-z/totem.profile
index a4cb49171..73d3b0b6f 100644
--- a/etc/profile-m-z/totem.profile
+++ b/etc/profile-m-z/totem.profile
@@ -35,7 +35,7 @@ include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
-# apparmor - makes settings immutable
+#apparmor # makes settings immutable
 caps.drop all
 netfilter
 nogroups
@@ -55,7 +55,7 @@ private-etc @tls-ca,@x11,python*
 private-tmp
 
 # makes settings immutable
-# dbus-user none
+#dbus-user none
 dbus-system none
 
 restrict-namespaces
diff --git a/etc/profile-m-z/tracker.profile b/etc/profile-m-z/tracker.profile
index f30b0aef6..c46b00fc9 100644
--- a/etc/profile-m-z/tracker.profile
+++ b/etc/profile-m-z/tracker.profile
@@ -33,8 +33,8 @@ protocol unix
 seccomp
 tracelog
 
-# private-bin tracker
-# private-dev
-# private-tmp
+#private-bin tracker
+#private-dev
+#private-tmp
 
 restrict-namespaces
diff --git a/etc/profile-m-z/transgui.profile b/etc/profile-m-z/transgui.profile
index 645c55c3b..bac48805c 100644
--- a/etc/profile-m-z/transgui.profile
+++ b/etc/profile-m-z/transgui.profile
@@ -12,6 +12,7 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
+include disable-proc.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -19,7 +20,10 @@ include disable-xdg.inc
 mkdir ${HOME}/.config/transgui
 whitelist ${HOME}/.config/transgui
 whitelist ${DOWNLOADS}
+whitelist /usr/share/transgui
 include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
@@ -44,8 +48,8 @@ tracelog
 private-bin geoiplookup,geoiplookup6,transgui
 private-cache
 private-dev
-private-etc
-private-lib libgdk_pixbuf-2.0.so.*,libGeoIP.so*,libgthread-2.0.so.*,libgtk-x11-2.0.so.*,libX11.so.*
+private-etc @network,@tls-ca,@x11
+private-lib libGeoIP.so*,libX11.so.*,libgdk_pixbuf-2.0.so.*,libgthread-2.0.so.*,libgtk-x11-2.0.so.*
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/trojita.profile b/etc/profile-m-z/trojita.profile
index 2578eb0be..5e9e7f127 100644
--- a/etc/profile-m-z/trojita.profile
+++ b/etc/profile-m-z/trojita.profile
@@ -52,7 +52,7 @@ protocol unix,inet,inet6,netlink
 seccomp
 tracelog
 
-# disable-mnt
+#disable-mnt
 private-bin trojita
 private-cache
 private-dev
diff --git a/etc/profile-m-z/tshark.profile b/etc/profile-m-z/tshark.profile
index 3f5a9647e..f2273e6a7 100644
--- a/etc/profile-m-z/tshark.profile
+++ b/etc/profile-m-z/tshark.profile
@@ -7,5 +7,8 @@ include tshark.local
 # added by included profile
 #include globals.local
 
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}
+
 # Redirect
 include wireshark.profile
diff --git a/etc/profile-m-z/tutanota-desktop.profile b/etc/profile-m-z/tutanota-desktop.profile
index 55e4a4392..f0a0cacaf 100644
--- a/etc/profile-m-z/tutanota-desktop.profile
+++ b/etc/profile-m-z/tutanota-desktop.profile
@@ -22,6 +22,7 @@ mkdir ${HOME}/.config/tuta_integration
 mkdir ${HOME}/.config/tutanota-desktop
 whitelist ${HOME}/.config/tuta_integration
 whitelist ${HOME}/.config/tutanota-desktop
+whitelist /opt/tutanota-desktop
 
 # The lines below are needed to find the default Firefox profile name, to allow
 # opening links in an existing instance of Firefox (note that it still fails if
@@ -34,7 +35,6 @@ nosound
 
 ?HAS_APPIMAGE: ignore private-dev
 private-etc @tls-ca
-private-opt tutanota-desktop
 
 dbus-user filter
 dbus-user.talk org.freedesktop.Notifications
diff --git a/etc/profile-m-z/tvbrowser.profile b/etc/profile-m-z/tvbrowser.profile
index 518dc95c7..16162f989 100644
--- a/etc/profile-m-z/tvbrowser.profile
+++ b/etc/profile-m-z/tvbrowser.profile
@@ -1,5 +1,5 @@
 # Firejail profile for tvbrowser
-# Description: java tv programm form tvbrowser.org
+# Description: java tv program form tvbrowser.org
 # This file is overwritten after every install/update
 # Persistent local customizations
 include tvbrowser.local
diff --git a/etc/profile-m-z/twitch.profile b/etc/profile-m-z/twitch.profile
index d53acdaf7..55106d622 100644
--- a/etc/profile-m-z/twitch.profile
+++ b/etc/profile-m-z/twitch.profile
@@ -1,5 +1,5 @@
 # Firejail profile for twitch
-# Description: Unofficial electron based desktop warpper for Twitch
+# Description: Unofficial electron based desktop wrapper for Twitch
 # This file is overwritten after every install/update
 # Persistent local customizations
 include twitch.local
@@ -16,10 +16,10 @@ include disable-shell.inc
 
 mkdir ${HOME}/.config/Twitch
 whitelist ${HOME}/.config/Twitch
+whitelist /opt/Twitch
 
 private-bin electron,electron[0-9],electron[0-9][0-9],twitch
 private-etc @tls-ca,@x11,bumblebee,host.conf,mime.types
-private-opt Twitch
 
 # Redirect
 include electron-common.profile
diff --git a/etc/profile-m-z/udiskie.profile b/etc/profile-m-z/udiskie.profile
index c182326bb..175ae4591 100644
--- a/etc/profile-m-z/udiskie.profile
+++ b/etc/profile-m-z/udiskie.profile
@@ -36,8 +36,8 @@ tracelog
 
 private-bin awk,cut,dbus-send,egrep,file,grep,head,python*,readlink,sed,sh,udiskie,uname,which,xdg-mime,xdg-open,xprop
 # add your configured file browser in udiskie.local, e. g.
-# private-bin nautilus
-# private-bin thunar
+#private-bin nautilus
+#private-bin thunar
 private-cache
 private-dev
 private-etc @x11,mime.types
diff --git a/etc/profile-m-z/unknown-horizons.profile b/etc/profile-m-z/unknown-horizons.profile
index 3e2b28dec..4e7dc3705 100644
--- a/etc/profile-m-z/unknown-horizons.profile
+++ b/etc/profile-m-z/unknown-horizons.profile
@@ -34,11 +34,11 @@ protocol unix,inet,inet6,netlink
 seccomp
 
 disable-mnt
-# private-bin unknown-horizons
+#private-bin unknown-horizons
 private-dev
-# private-etc alternatives,ca-certificates,crypto-policies,pki,ssl
+#private-etc alternatives,ca-certificates,crypto-policies,pki,ssl
 private-tmp
 
 # doesn't work - maybe all Tcl/Tk programs have this problem
-# memory-deny-write-execute
+#memory-deny-write-execute
 restrict-namespaces
diff --git a/etc/profile-m-z/viewnior.profile b/etc/profile-m-z/viewnior.profile
index aa8199442..8c6efaa1c 100644
--- a/etc/profile-m-z/viewnior.profile
+++ b/etc/profile-m-z/viewnior.profile
@@ -49,5 +49,5 @@ private-tmp
 dbus-user none
 dbus-system none
 
-#memory-deny-write-execute - breaks on Arch (see issues #1803 and #1808)
+#memory-deny-write-execute # breaks on Arch (see issues #1803 and #1808)
 restrict-namespaces
diff --git a/etc/profile-m-z/virtualbox.profile b/etc/profile-m-z/virtualbox.profile
index ae8afbbf1..b768a635a 100644
--- a/etc/profile-m-z/virtualbox.profile
+++ b/etc/profile-m-z/virtualbox.profile
@@ -9,7 +9,7 @@ include globals.local
 noblacklist ${HOME}/.VirtualBox
 noblacklist ${HOME}/.config/VirtualBox
 noblacklist ${HOME}/VirtualBox VMs
-# noblacklist /usr/bin/virtualbox
+#noblacklist /usr/bin/virtualbox
 noblacklist /usr/lib/virtualbox
 noblacklist /usr/lib64/virtualbox
 
diff --git a/etc/profile-m-z/warzone2100.profile b/etc/profile-m-z/warzone2100.profile
index 79ba41d44..a7b0f5f1d 100644
--- a/etc/profile-m-z/warzone2100.profile
+++ b/etc/profile-m-z/warzone2100.profile
@@ -15,7 +15,7 @@ include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
-#include disable-shell.inc - problems on Debian 11
+#include disable-shell.inc # problems on Debian 11
 
 mkdir ${HOME}/.local/share/warzone2100
 mkdir ${HOME}/.local/share/warzone2100-3.3.0
diff --git a/etc/profile-m-z/wine.profile b/etc/profile-m-z/wine.profile
index 1e2b164b9..33f404464 100644
--- a/etc/profile-m-z/wine.profile
+++ b/etc/profile-m-z/wine.profile
@@ -20,23 +20,23 @@ include disable-devel.inc
 include disable-interpreters.inc
 include disable-programs.inc
 
-# whitelist /usr/share/wine
-# include whitelist-usr-share-common.inc
+#whitelist /usr/share/wine
+#include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 # Some applications don't need allow-debuggers. Add 'ignore allow-debuggers' to your wine.local if you want to override this.
 allow-debuggers
 caps.drop all
-# net none
+#net none
 netfilter
 nodvd
 nogroups
 noinput
 nonewprivs
 noroot
-# nosound
+#nosound
 notv
-# novideo
+#novideo
 seccomp
 
 private-dev
diff --git a/etc/profile-m-z/wireshark.profile b/etc/profile-m-z/wireshark.profile
index d1b757a25..55c4e6ac7 100644
--- a/etc/profile-m-z/wireshark.profile
+++ b/etc/profile-m-z/wireshark.profile
@@ -9,6 +9,7 @@ include globals.local
 noblacklist ${HOME}/.config/wireshark
 noblacklist ${HOME}/.wireshark
 noblacklist ${DOCUMENTS}
+noblacklist ${PATH}/dumpcap
 
 # Allow lua (blacklisted by disable-interpreters.inc)
 include allow-lua.inc
@@ -25,29 +26,30 @@ include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 apparmor
-# caps.drop all
+#caps.drop all
 caps.keep dac_override,dac_read_search,net_admin,net_raw
 netfilter
 no3d
-# nogroups - breaks network traffic capture for unprivileged users
+#nogroups # breaks network traffic capture for unprivileged users
 noinput
-# nonewprivs - breaks network traffic capture for unprivileged users
-# noroot
+#nonewprivs # breaks network traffic capture for unprivileged users
+#noroot
 nodvd
 nosound
 notv
 nou2f
 novideo
-# protocol unix,inet,inet6,netlink,packet,bluetooth - commented out in case they bring in new protocols
+# commented out in case they bring in new protocols
+#protocol unix,inet,inet6,netlink,packet,bluetooth
 #seccomp
 tracelog
 
-# private-bin wireshark
+#private-bin wireshark
 private-cache
 # private-dev prevents (some) interfaces from being shown.
 # Add the below line to your wirehsark.local if you only want to inspect pcap files.
 #private-dev
-# private-etc alternatives,ca-certificates,crypto-policies,fonts,group,hosts,machine-id,passwd,pki,resolv.conf,ssl
+#private-etc alternatives,ca-certificates,crypto-policies,fonts,group,hosts,machine-id,passwd,pki,resolv.conf,ssl
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/wordwarvi.profile b/etc/profile-m-z/wordwarvi.profile
index 310e8b470..970063f93 100644
--- a/etc/profile-m-z/wordwarvi.profile
+++ b/etc/profile-m-z/wordwarvi.profile
@@ -40,7 +40,6 @@ seccomp
 tracelog
 
 disable-mnt
-private
 private-bin wordwarvi
 private-cache
 private-dev
diff --git a/etc/profile-m-z/xbill.profile b/etc/profile-m-z/xbill.profile
index e85bb9f18..46e3e81bc 100644
--- a/etc/profile-m-z/xbill.profile
+++ b/etc/profile-m-z/xbill.profile
@@ -16,7 +16,7 @@ include disable-xdg.inc
 
 whitelist /usr/share/xbill
 whitelist /var/games/xbill/scores
-include whitelist-common.inc
+#include whitelist-common.inc # see #903
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/xed.profile b/etc/profile-m-z/xed.profile
index dda803bd5..b47437e2d 100644
--- a/etc/profile-m-z/xed.profile
+++ b/etc/profile-m-z/xed.profile
@@ -23,10 +23,10 @@ include disable-shell.inc
 
 include whitelist-var-common.inc
 
-# apparmor - makes settings immutable
+#apparmor # makes settings immutable
 caps.drop all
 machine-id
-# net none - makes settings immutable
+#net none # makes settings immutable
 no3d
 nodvd
 nogroups
@@ -46,9 +46,9 @@ private-dev
 private-tmp
 
 # makes settings immutable
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
 # xed uses python plugins, memory-deny-write-execute breaks python
-# memory-deny-write-execute
+#memory-deny-write-execute
 restrict-namespaces
diff --git a/etc/profile-m-z/xfburn.profile b/etc/profile-m-z/xfburn.profile
index 141fda909..96edc15ab 100644
--- a/etc/profile-m-z/xfburn.profile
+++ b/etc/profile-m-z/xfburn.profile
@@ -25,8 +25,8 @@ protocol unix
 seccomp
 tracelog
 
-# private-bin xfburn
-# private-dev
-# private-tmp
+#private-bin xfburn
+#private-dev
+#private-tmp
 
 restrict-namespaces
diff --git a/etc/profile-m-z/xfce4-mixer.profile b/etc/profile-m-z/xfce4-mixer.profile
index 9c4fa8293..6c3a5812b 100644
--- a/etc/profile-m-z/xfce4-mixer.profile
+++ b/etc/profile-m-z/xfce4-mixer.profile
@@ -53,5 +53,5 @@ dbus-user.own org.xfce.xfce4-mixer
 dbus-user.talk org.xfce.Xfconf
 dbus-system none
 
-# memory-deny-write-execute - breaks on Arch
+#memory-deny-write-execute # breaks on Arch
 restrict-namespaces
diff --git a/etc/profile-m-z/xfce4-screenshooter.profile b/etc/profile-m-z/xfce4-screenshooter.profile
index 4d841b35c..9094a7872 100644
--- a/etc/profile-m-z/xfce4-screenshooter.profile
+++ b/etc/profile-m-z/xfce4-screenshooter.profile
@@ -47,5 +47,5 @@ private-tmp
 dbus-user none
 dbus-system none
 
-# memory-deny-write-execute -- see #3790
+#memory-deny-write-execute # see #3790
 restrict-namespaces
diff --git a/etc/profile-m-z/xmr-stak.profile b/etc/profile-m-z/xmr-stak.profile
index b8bf0ae96..06f0b5833 100644
--- a/etc/profile-m-z/xmr-stak.profile
+++ b/etc/profile-m-z/xmr-stak.profile
@@ -16,6 +16,7 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.xmr-stak
+whitelist /opt/cuda
 include whitelist-var-common.inc
 
 caps.drop all
@@ -39,7 +40,6 @@ private-bin xmr-stak
 private-dev
 private-etc @tls-ca
 #private-lib libxmrstak_opencl_backend,libxmrstak_cuda_backend
-private-opt cuda
 private-tmp
 
 memory-deny-write-execute
diff --git a/etc/profile-m-z/xplayer.profile b/etc/profile-m-z/xplayer.profile
index a673d6aa3..9741888f0 100644
--- a/etc/profile-m-z/xplayer.profile
+++ b/etc/profile-m-z/xplayer.profile
@@ -27,7 +27,7 @@ include whitelist-common.inc
 include whitelist-player-common.inc
 include whitelist-var-common.inc
 
-# apparmor - makes settings immutable
+#apparmor # makes settings immutable
 caps.drop all
 netfilter
 nogroups
@@ -41,11 +41,11 @@ tracelog
 
 private-bin xplayer,xplayer-audio-preview,xplayer-video-thumbnailer
 private-dev
-# private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,machine-id,pki,pulse,ssl
+#private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,machine-id,pki,pulse,ssl
 private-tmp
 
 # makes settings immutable
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
 restrict-namespaces
diff --git a/etc/profile-m-z/xpra.profile b/etc/profile-m-z/xpra.profile
index 05c12b9a2..b00307394 100644
--- a/etc/profile-m-z/xpra.profile
+++ b/etc/profile-m-z/xpra.profile
@@ -45,11 +45,11 @@ seccomp
 
 disable-mnt
 # private home directory doesn't work on some distros, so we go for a regular home
-# private
+#private
 # older Xpra versions also use Xvfb
-# private-bin bash,cat,dbus-launch,ldconfig,ls,pactl,python*,sh,strace,which,xauth,xkbcomp,Xorg,xpra,Xvfb
+#private-bin bash,cat,dbus-launch,ldconfig,ls,pactl,python*,sh,strace,which,xauth,xkbcomp,Xorg,xpra,Xvfb
 private-dev
-# private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,machine-id,nsswitch.conf,resolv.conf,X11,xpra
+#private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,machine-id,nsswitch.conf,resolv.conf,X11,xpra
 private-tmp
 
 restrict-namespaces
diff --git a/etc/profile-m-z/xreader.profile b/etc/profile-m-z/xreader.profile
index 6edbf9357..cad836fdc 100644
--- a/etc/profile-m-z/xreader.profile
+++ b/etc/profile-m-z/xreader.profile
@@ -18,9 +18,9 @@ include disable-programs.inc
 include disable-xdg.inc
 
 # Breaks xreader on Mint 18.3
-# include whitelist-var-common.inc
+#include whitelist-var-common.inc
 
-# apparmor
+#apparmor
 caps.drop all
 no3d
 nodvd
diff --git a/etc/profile-m-z/xviewer.profile b/etc/profile-m-z/xviewer.profile
index 6c31df4a9..575c1bf68 100644
--- a/etc/profile-m-z/xviewer.profile
+++ b/etc/profile-m-z/xviewer.profile
@@ -19,9 +19,9 @@ include disable-shell.inc
 
 include whitelist-var-common.inc
 
-# apparmor - makes settings immutable
+#apparmor # makes settings immutable
 caps.drop all
-# net none - makes settings immutable
+#net none # makes settings immutable
 no3d
 nodvd
 nogroups
@@ -42,8 +42,8 @@ private-lib
 private-tmp
 
 # makes settings immutable
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
 memory-deny-write-execute
 restrict-namespaces
diff --git a/etc/profile-m-z/yelp.profile b/etc/profile-m-z/yelp.profile
index f5dd0c309..f957954dd 100644
--- a/etc/profile-m-z/yelp.profile
+++ b/etc/profile-m-z/yelp.profile
@@ -33,16 +33,14 @@ include whitelist-var-common.inc
 
 apparmor
 caps.drop all
-# machine-id breaks sound - add the next line to your yelp.local if you don't need sound support.
-#machine-id
+#machine-id # add this to your yelp.local if you don't need sound support.
 net none
 nodvd
 nogroups
 noinput
 nonewprivs
 noroot
-# nosound - add the next line to your yelp.local if you don't need sound support.
-#nosound
+#nosound # add this to your yelp.local if you don't need sound support.
 notv
 nou2f
 novideo
diff --git a/etc/profile-m-z/youtube-viewers-common.profile b/etc/profile-m-z/youtube-viewers-common.profile
index c9d2ea53b..5950c3639 100644
--- a/etc/profile-m-z/youtube-viewers-common.profile
+++ b/etc/profile-m-z/youtube-viewers-common.profile
@@ -7,8 +7,10 @@ include youtube-viewers-common.local
 # added by caller profile
 #include globals.local
 
+noblacklist ${HOME}/.cache/mpv
 noblacklist ${HOME}/.cache/youtube-dl
 noblacklist ${HOME}/.config/mpv
+noblacklist ${HOME}/.local/state/mpv
 
 # Allow lua (blacklisted by disable-interpreters.inc)
 include allow-lua.inc
diff --git a/etc/profile-m-z/youtube.profile b/etc/profile-m-z/youtube.profile
index 4d1e9a063..0fb87f747 100644
--- a/etc/profile-m-z/youtube.profile
+++ b/etc/profile-m-z/youtube.profile
@@ -1,5 +1,5 @@
 # Firejail profile for youtube
-# Description: Unofficial electron based desktop warpper for YouTube
+# Description: Unofficial electron based desktop wrapper for YouTube
 # This file is overwritten after every install/update
 # Persistent local customizations
 include youtube.local
@@ -15,10 +15,10 @@ include disable-shell.inc
 
 mkdir ${HOME}/.config/Youtube
 whitelist ${HOME}/.config/Youtube
+whitelist /opt/Youtube
 
 private-bin electron,electron[0-9],electron[0-9][0-9],youtube
 private-etc @tls-ca,@x11,bumblebee,host.conf,mime.types
-private-opt Youtube
 
 # Redirect
 include electron-common.profile
diff --git a/etc/profile-m-z/youtubemusic-nativefier.profile b/etc/profile-m-z/youtubemusic-nativefier.profile
index cfee8c426..e5ece41bc 100644
--- a/etc/profile-m-z/youtubemusic-nativefier.profile
+++ b/etc/profile-m-z/youtubemusic-nativefier.profile
@@ -1,8 +1,8 @@
 # Firejail profile for youtubemusic-nativefier
-# Description: Unofficial electron based desktop warpper for YouTube Music
+# Description: Unofficial electron based desktop wrapper for YouTube Music
 # This file is overwritten after every install/update
 # Persistent local customizations
-include youtube.local
+include youtubemusic-nativefier.local
 # Persistent global definitions
 include globals.local
 
@@ -12,10 +12,10 @@ include disable-shell.inc
 
 mkdir ${HOME}/.config/youtubemusic-nativefier-040164
 whitelist ${HOME}/.config/youtubemusic-nativefier-040164
+whitelist /opt/youtubemusic-nativefier
 
 private-bin electron,electron[0-9],electron[0-9][0-9],youtubemusic-nativefier
 private-etc @tls-ca,@x11,bumblebee,host.conf,mime.types
-private-opt youtubemusic-nativefier
 
 # Redirect
 include electron-common.profile
diff --git a/etc/profile-m-z/ytmdesktop.profile b/etc/profile-m-z/ytmdesktop.profile
index de07e3ddf..ccf5f1e63 100644
--- a/etc/profile-m-z/ytmdesktop.profile
+++ b/etc/profile-m-z/ytmdesktop.profile
@@ -13,9 +13,9 @@ noblacklist ${HOME}/.config/youtube-music-desktop-app
 mkdir ${HOME}/.config/youtube-music-desktop-app
 whitelist ${HOME}/.config/youtube-music-desktop-app
 
-# private-bin env,ytmdesktop
+#private-bin env,ytmdesktop
 private-etc @tls-ca,@x11,bumblebee,host.conf,mime.types
-# private-opt
+#private-opt
 
 # Redirect
 include electron-common.profile
diff --git a/etc/profile-m-z/zeal.profile b/etc/profile-m-z/zeal.profile
index 09a1d37a3..d576dbefd 100644
--- a/etc/profile-m-z/zeal.profile
+++ b/etc/profile-m-z/zeal.profile
@@ -67,5 +67,5 @@ dbus-user.talk org.mozilla.*
 ?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
 dbus-system none
 
-# memory-deny-write-execute - breaks on Arch
+#memory-deny-write-execute # breaks on Arch
 restrict-namespaces
diff --git a/etc/templates/profile.template b/etc/templates/profile.template
index 9329fe297..6299d42cd 100644
--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -196,6 +196,13 @@ include globals.local
 #    Extra: gai.conf,proxychains.conf
 #  Qt: Trolltech.conf
 ##private-lib LIBS
+## Note: private-opt copies the entire path(s) to RAM, which may break
+## file-copy-limit in firejail.config (see firejail(1)).
+## For sizeable apps (if in doubt, do this):
+##  - never use 'private-opt NAME'
+##  - place 'whitelist /opt/NAME' in the whitelist section above
+## For acceptable apps:
+##  - use 'private-opt NAME'
 ##private-opt NAME
 #private-tmp
 ##writable-etc
diff --git a/etc/templates/syscalls.txt b/etc/templates/syscalls.txt
index c33e6d602..569509534 100644
--- a/etc/templates/syscalls.txt
+++ b/etc/templates/syscalls.txt
@@ -47,7 +47,7 @@ Definition of groups
 @obsolete=_sysctl,afs_syscall,bdflush,break,create_module,ftime,get_kernel_syms,getpmsg,gtty,idle,lock,mpx,prof,profil,putpmsg,query_module,security,sgetmask,ssetmask,stty,sysfs,tuxcall,ulimit,uselib,ustat,vserver
 @privileged=@chown,@clock,@module,@raw-io,@reboot,@swap,_sysctl,acct,bpf,capset,chroot,fanotify_init,mount,nfsservctl,open_by_handle_at,pivot_root,quotactl,setdomainname,setfsuid,setfsuid32,setgroups,setgroups32,sethostname,setresuid,setresuid32,setreuid,setreuid32,setuid,setuid32,umount2,vhangup
 @process=arch_prctl,capget,clone,clone3,execveat,fork,getrusage,kill,pidfd_open,pidfd_send_signal,prctl,rt_sigqueueinfo,rt_tgsigqueueinfo,setns,swapcontext,tgkill,times,tkill,unshare,vfork,wait4,waitid,waitpid
-@raw-io=ioperm,iopl,pciconfig_iobase,pciconfig_read,pciconfig_write,s390_mmio_read,s390_mmio_write
+@raw-io=ioperm,iopl,pciconfig_iobase,pciconfig_read,pciconfig_write,s390_pci_mmio_read,s390_pci_mmio_write
 @reboot=kexec_load,kexec_file_load,reboot
 @resources=ioprio_set,mbind,migrate_pages,move_pages,nice,sched_setaffinity,sched_setattr,sched_setparam,sched_setscheduler,set_mempolicy
 @setuid=setgid,setgid32,setgroups,setgroups32,setregid,setregid32,setresgid,setresgid32,setresuid,setresuid32,setreuid,setreuid32,setuid,setuid32
diff --git a/src/fcopy/main.c b/src/fcopy/main.c
index a56e8a91b..84fe44d73 100644
--- a/src/fcopy/main.c
+++ b/src/fcopy/main.c
@@ -277,7 +277,7 @@ static int fs_copydir(const char *infname, const struct stat *st, int ftype, str
 
         // don't copy it if we already have the file
         struct stat s;
-        if (stat(outfname, &s) == 0) {
+        if (lstat(outfname, &s) == 0) {
                 if (first)
                         first = 0;
                 else if (!arg_quiet)
@@ -286,7 +286,7 @@ static int fs_copydir(const char *infname, const struct stat *st, int ftype, str
         }
 
         // extract mode and ownership
-        if (stat(infname, &s) != 0)
+        if (lstat(infname, &s) != 0)
                 goto out;
 
         uid_t uid = s.st_uid;
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index a89add9d0..558fe51ed 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -1,6 +1,8 @@
 # /etc/firejail/firecfg.config - firecfg utility configuration file
 # This is the list of programs in alphabetical order handled by firecfg utility
 #
+# Note: Normal comment lines should start with `# ` and commented code lines
+# should start with just `#` (no spaces).
 0ad
 1password
 2048-qt
@@ -51,7 +53,7 @@ ani-cli
 anydesk
 apktool
 apostrophe
-# ar - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+#ar # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
 arch-audit
 archaudit-report
 ardour4
@@ -63,9 +65,9 @@ arm
 artha
 assogiate
 asunder
-# atom
-# atom-beta
-# atool - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+#atom
+#atom-beta
+#atool # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
 atril
 atril-previewer
 atril-thumbnailer
@@ -99,6 +101,7 @@ bitwarden
 bleachbit
 blender
 blender-2.8
+blender-3.6
 bless
 blobby
 blobwars
@@ -112,10 +115,10 @@ brave-browser-beta
 brave-browser-dev
 brave-browser-nightly
 brave-browser-stable
-# bunzip2 - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
-# bzcat - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+#bunzip2 # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+#bzcat # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
 bzflag
-# bzip2 - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+#bzip2 # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
 cachy-browser
 calibre
 calligra
@@ -145,12 +148,13 @@ chromium-freeworld
 cin
 cinelerra
 cinelerra-gg
+clac
 clamdscan
 clamdtop
 clamscan
 clamtk
-clawsker
 claws-mail
+clawsker
 clementine
 clion
 clion-eap
@@ -182,6 +186,7 @@ crow
 cryptocat
 cvlc
 cyberfox
+d-feet
 daisy
 darktable
 dconf-editor
@@ -192,7 +197,6 @@ deluge
 desktopeditors
 devhelp
 dex2jar
-d-feet
 dia
 dig
 digikam
@@ -236,14 +240,14 @@ enpass
 eog
 eom
 ephemeral
-#epiphany - see #2995
+#epiphany # see #2995
 equalx
 et
 etr
 evince
 evince-previewer
 evince-thumbnailer
-#evolution - see #3647
+#evolution # see #3647
 exfalso
 exiftool
 falkon
@@ -271,8 +275,9 @@ flacsplt
 flameshot
 flashpeak-slimjet
 flowblade
-fontforge
+fluffychat
 font-manager
+fontforge
 fossamail
 four-in-a-row
 fractal
@@ -319,7 +324,7 @@ git-cola
 gitg
 github-desktop
 gitter
-# gjs -- https://github.com/netblue30/firejail/issues/3333#issuecomment-612601102
+#gjs # https://github.com/netblue30/firejail/issues/3333#issuecomment-612601102
 gl-117
 glaxium
 globaltime
@@ -384,12 +389,12 @@ gradio
 gramps
 gravity-beams-and-evaporating-stars
 gthumb
-gtk2-youtube-viewer
-gtk3-youtube-viewer
 gtk-lbry-viewer
 gtk-pipe-viewer
 gtk-straw-viewer
 gtk-youtube-viewer
+gtk2-youtube-viewer
+gtk3-youtube-viewer
 guayadeque
 gucharmap
 gummi
@@ -410,8 +415,8 @@ icecat
 icedove
 iceweasel
 idea
-ideaIC
 idea.sh
+ideaIC
 imagej
 img2txt
 impressive
@@ -430,6 +435,7 @@ jdownloader
 jerry
 jitsi
 jitsi-meet-desktop
+journal-viewer
 jumpnbump
 jumpnbump-menu
 k3b
@@ -440,7 +446,7 @@ karbon
 kate
 kazam
 kcalc
-# kdeinit4
+#kdeinit4
 kdenlive
 kdiff3
 keepass
@@ -450,7 +456,7 @@ keepassx2
 keepassxc
 keepassxc-cli
 keepassxc-proxy
-# kfind
+#kfind
 kget
 kid3
 kid3-cli
@@ -467,15 +473,16 @@ kodi
 konversation
 kopete
 krita
-# krunner
+#krunner
 ktorrent
 ktouch
 kube
-# kwin_x11
+#kwin_x11
 kwrite
 lbry-viewer
 leafpad
-# less - breaks man
+#less # breaks man
+lettura
 librecad
 libreoffice
 librewolf
@@ -500,12 +507,12 @@ lollypop
 lomath
 loweb
 lowriter
-# lrunzip - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
-# lrz - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
-# lrzcat - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
-# lrzip - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
-# lrztar - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
-# lrzuntar - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+#lrunzip # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+#lrz # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+#lrzcat # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+#lrzip # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+#lrztar # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+#lrzuntar # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
 luminance-hdr
 lximage-qt
 lxmusic
@@ -559,7 +566,6 @@ mp3wrap
 mpDris2
 mpg123
 mpg123-alsa
-mpg123.bin
 mpg123-id3dump
 mpg123-jack
 mpg123-nas
@@ -568,6 +574,7 @@ mpg123-oss
 mpg123-portaudio
 mpg123-pulse
 mpg123-strip
+mpg123.bin
 mplayer
 mpsyt
 mpv
@@ -636,11 +643,11 @@ onionshare-cli
 onionshare-gui
 ooffice
 ooviewdoc
+open-invaders
 openarena
 openarena_ded
 opencity
 openclonk
-open-invaders
 openmw
 openmw-launcher
 openoffice.org
@@ -697,9 +704,9 @@ profanity
 psi
 psi-plus
 pybitmessage
-# pycharm-community - FB note: may enable later
-# pycharm-professional
-# pzstd - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+#pycharm-community # FB note: may enable later
+#pycharm-professional
+#pzstd # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
 qbittorrent
 qcomicbook
 qemu-launcher
@@ -780,22 +787,22 @@ sniffnet
 snox
 soffice
 sol
-soundconverter
 sound-juicer
+soundconverter
 spectacle
 spectral
 spotify
 sqlitebrowser
 ssh
-# ssh-agent - problems on Arch with Fish shell (#1568)
+#ssh-agent # problems on Arch with Fish shell (#1568)
 standardnotes-desktop
 start-tor-browser
 steam
 steam-native
 steam-runtime
 stellarium
-strawberry
 straw-viewer
+strawberry
 strings
 studio.sh
 subdownloader
@@ -818,15 +825,17 @@ telegram
 telegram-desktop
 telnet
 terasology
+termshark
 tesseract
 textmaker18
 textmaker18free
 thunderbird
 thunderbird-beta
 thunderbird-wayland
+tidal-hifi
 tilp
+tiny-rdm
 tor-browser
-torbrowser
 tor-browser-ar
 tor-browser-ca
 tor-browser-cs
@@ -848,7 +857,6 @@ tor-browser-it
 tor-browser-ja
 tor-browser-ka
 tor-browser-ko
-torbrowser-launcher
 tor-browser-nb
 tor-browser-nl
 tor-browser-pl
@@ -859,6 +867,8 @@ tor-browser-tr
 tor-browser-vi
 tor-browser-zh-cn
 tor-browser-zh-tw
+torbrowser
+torbrowser-launcher
 torcs
 totem
 tracker
@@ -888,7 +898,7 @@ uget-gtk
 unbound
 unf
 unknown-horizons
-# unzstd - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+#unzstd # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
 url-eater
 utox
 uudeview
@@ -901,10 +911,10 @@ vivaldi-beta
 vivaldi-snapshot
 vivaldi-stable
 vlc
-#vmplayer - unable to install kernel modules (see #5861)
-#vmware - unable to install kernel modules (see #5861)
-#vmware-player - unable to install kernel modules (see #5861)
-#vmware-workstation - unable to install kernel modules (see #5861)
+#vmplayer # unable to install kernel modules (see #5861)
+#vmware # unable to install kernel modules (see #5861)
+#vmware-player # unable to install kernel modules (see #5861)
+#vmware-workstation # unable to install kernel modules (see #5861)
 vscodium
 vulturesclaw
 vultureseye
@@ -968,8 +978,8 @@ yelp
 youtube
 youtube-dl
 youtube-dl-gui
-youtubemusic-nativefier
 youtube-viewer
+youtubemusic-nativefier
 yt-dlp
 ytmdesktop
 zaproxy
@@ -979,10 +989,10 @@ zeal
 zim
 zlib-flate
 zoom
-# zpaq - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
-# zstd - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
-# zstdcat - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
-# zstdgrep - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
-# zstdless - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
-# zstdmt - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+#zpaq # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+#zstd # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+#zstdcat # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+#zstdgrep # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+#zstdless # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+#zstdmt # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
 zulip
diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c
index a4f727c0a..bb20a0da6 100644
--- a/src/firejail/appimage.c
+++ b/src/firejail/appimage.c
@@ -43,6 +43,16 @@ int appimage_find_profile(const char *archive) {
         assert(archive);
         assert(strlen(archive));
 
+        // extract the name of the appimage from a full path
+        // example: archive = /opt/kdenlive-20.12.2-x86_64.appimage
+        const char *arc = strrchr(archive, '/');
+        if (arc)
+                arc++;
+        else
+                arc = archive;
+        if (arg_debug)
+                printf("Looking for a %s profile\n", arc);
+
         // try to match the name of the archive with the list of programs in /etc/firejail/firecfg.config
         FILE *fp = fopen(SYSCONFDIR "/firecfg.config", "r");
         if (!fp) {
@@ -56,7 +66,8 @@ int appimage_find_profile(const char *archive) {
                 char *ptr = strchr(buf, '\n');
                 if (ptr)
                         *ptr = '\0';
-                if (strcasestr(archive, buf)) {
+                char *found = strcasestr(arc, buf);
+                if (found == arc) {
                         fclose(fp);
                         return profile_find_firejail(buf, 1);
                 }
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 182f26e53..28fecfb98 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -281,6 +281,8 @@ void fs_blacklist(void) {
         if (!entry)
                 return;
 
+        timetrace_start();
+
         size_t noblacklist_c = 0;
         size_t noblacklist_m = 32;
         char **noblacklist = calloc(noblacklist_m, sizeof(*noblacklist));
@@ -463,6 +465,8 @@ void fs_blacklist(void) {
         for (i = 0; i < noblacklist_c; i++)
                 free(noblacklist[i]);
         free(noblacklist);
+
+        fmessage("Base filesystem installed in %0.2f ms\n", timetrace_end());
 }
 
 //***********************************************
diff --git a/src/firejail/fs_lib2.c b/src/firejail/fs_lib2.c
index 583888e0e..b43c36c1a 100644
--- a/src/firejail/fs_lib2.c
+++ b/src/firejail/fs_lib2.c
@@ -166,8 +166,12 @@ void fslib_install_firejail(void) {
                 fslib_mount_libs(RUN_MNT_DIR "/dhclient", 1); // parse as user
 
         // bring in xauth libraries
+
+        char *xauth_bin = find_in_path("xauth");
         if (arg_x11_xorg)
-                fslib_mount_libs("/usr/bin/xauth", 1); // parse as user
+                fslib_mount_libs(xauth_bin, 1); // parse as user
+
+        free(xauth_bin);
 
         fmessage("Firejail libraries installed in %0.2f ms\n", timetrace_end());
 }
diff --git a/src/firejail/ls.c b/src/firejail/ls.c
index f2ab1c188..6dc4904fc 100644
--- a/src/firejail/ls.c
+++ b/src/firejail/ls.c
@@ -154,7 +154,7 @@ static void print_file_or_dir(const char *path, const char *fname) {
 
         // file size
         char *sz;
-        if (asprintf(&sz, "%d", (int) s.st_size) == -1)
+        if (asprintf(&sz, "%jd", (intmax_t) s.st_size) == -1)
                 errExit("asprintf");
 
         // file name
diff --git a/src/firejail/main.c b/src/firejail/main.c
index b0d5dac17..0c9c80137 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -420,7 +420,6 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                         exit_err_feature("x11");
         }
 #endif
-#ifdef HAVE_NETWORK
         else if (strcmp(argv[i], "--nettrace") == 0) {
                 if (checkcfg(CFG_NETWORK)) {
                         if (getuid() != 0) {
@@ -524,8 +523,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                 exit(0);
         }
 
-
-
+#ifdef HAVE_NETWORK
         else if (strncmp(argv[i], "--bandwidth=", 12) == 0) {
                 if (checkcfg(CFG_NETWORK)) {
                         logargs(argc, argv);
@@ -3217,13 +3215,18 @@ int main(int argc, char **argv, char **envp) {
 
                 gid_t g;
                 if (!arg_nogroups || !check_can_drop_all_groups()) {
-                        // add audio group
+                        // add audio groups
                         if (!arg_nosound) {
                                 g = get_group_id("audio");
                                 if (g) {
                                         sprintf(ptr, "%d %d 1\n", g, g);
                                         ptr += strlen(ptr);
                                 }
+                                g = get_group_id("pipewire");
+                                if (g) {
+                                        sprintf(ptr, "%d %d 1\n", g, g);
+                                        ptr += strlen(ptr);
+                                }
                         }
 
                         // add video group
diff --git a/src/firejail/paths.c b/src/firejail/paths.c
index 6bc6230f0..fea842d93 100644
--- a/src/firejail/paths.c
+++ b/src/firejail/paths.c
@@ -47,6 +47,16 @@ static void init_paths(void) {
                 errExit("calloc");
         memset(paths, 0, path_cnt * sizeof(char *)); // get rid of false positive error from GCC static analyzer
 
+        // lots of distros set /bin as a symlink to /usr/bin;
+        // we remove /bin form the path to speed up path-based operations such as blacklist
+        int bin_symlink = 0;
+        p = realpath("/bin", NULL);
+        if (p) {
+                if (strcmp(p, "/usr/bin") == 0)
+                        bin_symlink = 1;
+        }
+        free(p);
+
         // fill in 'paths' with pointers to elements of 'path'
         unsigned int i = 0, j;
         unsigned int len;
@@ -62,6 +72,14 @@ static void init_paths(void) {
                 if (len == 0)
                         goto skip;
 
+                //deal with /bin - /usr/bin symlink
+                if (bin_symlink > 0) {
+                        if (strcmp(elt, "/bin") == 0 || strcmp(elt, "/usr/bin") == 0)
+                                bin_symlink++;
+                        if (bin_symlink == 3)
+                                goto skip;
+                }
+
                 // filter out duplicate entries
                 for (j = 0; j < i; j++)
                         if (strcmp(elt, paths[j]) == 0)
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index bdaaed433..8cc5c1166 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -484,7 +484,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 #endif
                 return 0;
         }
-        else if (strncmp("dbus-user ", ptr, 10) == 0) {
+        else if (strncmp(ptr, "dbus-user ", 10) == 0) {
 #ifdef HAVE_DBUSPROXY
                 ptr += 10;
                 if (strcmp("filter", ptr) == 0) {
@@ -551,7 +551,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 #endif
                 return 1;
         }
-        else if (strncmp("dbus-system ", ptr, 12) == 0) {
+        else if (strncmp(ptr, "dbus-system ", 12) == 0) {
 #ifdef HAVE_DBUSPROXY
                 ptr += 12;
                 if (strcmp("filter", ptr) == 0) {
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 538f5be67..827be5d85 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -878,7 +878,8 @@ int sandbox(void* sandbox_arg) {
         //****************************
         // appimage
         //****************************
-        appimage_mount();
+        if (arg_appimage)
+                appimage_mount();
 
         //****************************
         // private mode
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 87b771867..bd32181b5 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -207,6 +207,8 @@ static void clean_supplementary_groups(gid_t gid) {
         if (!arg_nosound) {
                 copy_group_ifcont("audio", groups, ngroups,
                                   new_groups, &new_ngroups, MAX_GROUPS);
+                copy_group_ifcont("pipewire", groups, ngroups,
+                                  new_groups, &new_ngroups, MAX_GROUPS);
         }
 
         if (!arg_novideo) {
@@ -1474,7 +1476,7 @@ int ascii_isxdigit(unsigned char c) {
         return ret;
 }
 
-// Note: Keep this in sync with NAME VALIDATION in src/man/firejail.txt.
+// Note: Keep this in sync with NAME VALIDATION in src/man/firejail.1.in.
 //
 // Allow only ASCII letters, digits and a few special characters; names with
 // only numbers are rejected; spaces and control characters are rejected.
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index 2eaa9bde5..3721a2c2c 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -1164,7 +1164,6 @@ void x11_start(int argc, char **argv) {
 }
 #endif
 
-
 void x11_xorg(void) {
 #ifdef HAVE_X11
 
@@ -1175,31 +1174,38 @@ void x11_xorg(void) {
                 exit(1);
         }
 
+        char *xauth_bin = find_in_path("xauth");
+
         // check xauth utility is present in the system
-        struct stat s;
-        if (stat("/usr/bin/xauth", &s) == -1) {
-                fprintf(stderr, "Error: xauth utility not found in /usr/bin. Please install it:\n");
+        if (!xauth_bin) {
+                fprintf(stderr, "Error: xauth utility not found in PATH. Please install it:\n");
                 fprintf(stderr, "   Debian/Ubuntu/Mint: sudo apt-get install xauth\n");
                 fprintf(stderr, "   Arch: sudo pacman -S xorg-xauth\n");
                 fprintf(stderr, "   Fedora: sudo dnf install xorg-x11-xauth\n");
                 exit(1);
         }
+
+        struct stat s;
+        if (stat(xauth_bin, &s) == -1) {
+                fprintf(stderr, "Error: %s: %s\n", xauth_bin, strerror(errno));
+                exit(1);
+        }
         if ((s.st_uid != 0 && s.st_gid != 0) || (s.st_mode & S_IWOTH)) {
-                fprintf(stderr, "Error: invalid /usr/bin/xauth executable\n");
+                fprintf(stderr, "Error: invalid %s executable\n", xauth_bin);
                 exit(1);
         }
         if (s.st_size > 1024 * 1024) {
-                fprintf(stderr, "Error: /usr/bin/xauth executable is too large\n");
+                fprintf(stderr, "Error: %s executable is too large\n", xauth_bin);
                 exit(1);
         }
-        // copy /usr/bin/xauth in the sandbox and set mode to 0711
+        // copy xauth in the sandbox and set mode to 0711
         // users are not able to trace the running xauth this way
         if (arg_debug)
-                printf("Copying /usr/bin/xauth to %s\n", RUN_XAUTH_FILE);
-        if (copy_file("/usr/bin/xauth", RUN_XAUTH_FILE, 0, 0, 0711)) {
-                fprintf(stderr, "Error: cannot copy /usr/bin/xauth executable\n");
-                exit(1);
-        }
+                printf("Copying %s to %s\n", xauth_bin, RUN_XAUTH_FILE);
+
+        copy_file_from_user_to_root(xauth_bin, RUN_XAUTH_FILE, 0, 0, 0711);
+
+        free(xauth_bin);
 
         fmessage("Generating a new .Xauthority file\n");
         mkdir_attr(RUN_XAUTHORITY_SEC_DIR, 0700, getuid(), getgid());
diff --git a/src/firemon/procevent.c b/src/firemon/procevent.c
index 77739c1f3..63d69d1cd 100644
--- a/src/firemon/procevent.c
+++ b/src/firemon/procevent.c
@@ -185,7 +185,7 @@ static int procevent_netlink_setup(void) {
                 if (getsockopt(sock, SOL_SOCKET, SO_RCVBUF, &bsize, &blen) == -1)
                         fprintf(stderr, "Error: cannot read rx buffer size\n");
                 else
-                        printf("rx buffer size %d\n", bsize / 2); // the value returned is duble the real one, see man 7 socket
+                        printf("rx buffer size %d\n", bsize / 2); // the value returned is double the real one, see man 7 socket
         }
 
         // send monitoring message
diff --git a/src/fnettrace-dns/main.c b/src/fnettrace-dns/main.c
index 6324a17db..38222fe2e 100644
--- a/src/fnettrace-dns/main.c
+++ b/src/fnettrace-dns/main.c
@@ -66,7 +66,7 @@ void print_dns(uint32_t ip_src, unsigned char *pkt) {
 
         // filter output
         char tmp[sizeof(last)];
-        snprintf(tmp, sizeof(last), "%02d:%02d:%02d  %-15s  %s (type %u)%s",
+        snprintf(tmp, sizeof(last), "%02d:%02d:%02d  %-15s  DNS %s (type %u)%s",
                 t->tm_hour, t->tm_min, t->tm_sec, ip, pkt + 12 + 1,
                 type, (nxdomain)? " NXDOMAIN": "");
         if (strcmp(tmp, last)) {
diff --git a/src/fnettrace-sni/main.c b/src/fnettrace-sni/main.c
index d4fbf703a..d0a4f115a 100644
--- a/src/fnettrace-sni/main.c
+++ b/src/fnettrace-sni/main.c
@@ -32,16 +32,15 @@ static char last[512] = {'\0'};
 static void print_tls(uint32_t ip_dest, unsigned char *pkt, unsigned len) {
         assert(pkt);
 
+        // expecting a handshake packet and client hello
+        if (pkt[0] != 0x16 || pkt[5] != 0x01)
+                return;
+
         char ip[30];
         sprintf(ip, "%d.%d.%d.%d", PRINT_IP(ip_dest));
         time_t seconds = time(NULL);
         struct tm *t = localtime(&seconds);
 
-        // expecting a handshake packet and client hello
-        if (pkt[0] != 0x16 || pkt[5] != 0x01)
-                goto errout;
-
-
         // look for server name indication
         unsigned char *ptr = pkt;
         unsigned int i = 0;
@@ -74,7 +73,7 @@ static void print_tls(uint32_t ip_dest, unsigned char *pkt, unsigned len) {
         if (name) {
                 // filter output
                 char tmp[sizeof(last)];
-                snprintf(tmp, sizeof(last), "%02d:%02d:%02d  %-15s  %s", t->tm_hour, t->tm_min, t->tm_sec, ip, name);
+                snprintf(tmp, sizeof(last), "%02d:%02d:%02d  %-15s  SNI %s", t->tm_hour, t->tm_min, t->tm_sec, ip, name);
                 if (strcmp(tmp, last)) {
                         printf("%s\n", tmp);
                         fflush(0);
@@ -85,11 +84,6 @@ static void print_tls(uint32_t ip_dest, unsigned char *pkt, unsigned len) {
                 goto nosni;
         return;
 
-errout:
-        printf("%02d:%02d:%02d  %-15s  Error: invalid TLS packet\n", t->tm_hour, t->tm_min, t->tm_sec, ip);
-        fflush(0);
-        return;
-
 nosni:
         printf("%02d:%02d:%02d  %-15s  no SNI\n", t->tm_hour, t->tm_min, t->tm_sec, ip);
         return;
diff --git a/src/fnettrace/event.c b/src/fnettrace/event.c
new file mode 100644
index 000000000..f4ccf5360
--- /dev/null
+++ b/src/fnettrace/event.c
@@ -0,0 +1,105 @@
+/*
+ * Copyright (C) 2014-2023 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "fnettrace.h"
+
+typedef struct event_t {
+        struct event_t *next;
+        char *record;
+} Event;
+
+static Event *event = NULL;
+static Event *last_event = NULL;
+int ev_cnt = 0;
+
+void ev_clear(void) {
+        ev_cnt = 0;
+        Event *ev = event;
+        while (ev) {
+                Event *next = ev->next;
+                free(ev->record);
+                free(ev);
+                ev = next;
+        }
+        event = NULL;
+}
+
+void ev_add(char *record) {
+        assert(record);
+
+        // braking recursivity
+        if (*record == '\0')
+                return;
+
+        char *ptr = strchr(record, '\n');
+        if (ptr)
+                *ptr = '\0';
+
+        // filter out duplicates
+        if (event && strcmp(event->record, record) == 0)
+                return;
+
+        Event *ev = malloc(sizeof(Event));
+        if (!ev)
+                errExit("malloc");
+        memset(ev, 0, sizeof(Event));
+
+        ev->record = strdup(record);
+        if (!ev->record)
+                errExit("strdup");
+
+        if (event == NULL) {
+                event = ev;
+                last_event = ev;
+        }
+        else {
+                last_event->next = ev;
+                last_event = ev;
+        }
+        ev_cnt++;
+
+        // recursivity
+        if (ptr)
+                ev_add(++ptr);
+}
+
+void ev_print(FILE *fp) {
+        assert(fp);
+
+        Event *ev = event;
+        while (ev) {
+                fprintf(fp, "   ");
+                if (strstr(ev->record, "NXDOMAIN")) {
+                        if (fp == stdout)
+                                ansi_red(ev->record);
+                        else
+                                fprintf(fp, "%s", ev->record);
+                }
+                else if (strstr(ev->record, "SSH connection")) {
+                        if (fp == stdout)
+                                ansi_red(ev->record);
+                        else
+                                fprintf(fp, "%s", ev->record);
+                }
+                else
+                        fprintf(fp, "%s", ev->record);
+                fprintf(fp, "\n");
+                ev = ev->next;
+        }
+}
diff --git a/src/fnettrace/fnettrace.h b/src/fnettrace/fnettrace.h
index b4a8f26c7..9b4973235 100644
--- a/src/fnettrace/fnettrace.h
+++ b/src/fnettrace/fnettrace.h
@@ -53,6 +53,27 @@ static inline void ansi_clrscr(void) {
         fflush(0);
 }
 
+static inline void ansi_bold(const char *str) {
+        char str1[] = {0x1b, '[', '1', 'm', '\0'};
+        char str2[] = {0x1b, '[', '0', 'm', '\0'};
+        printf("%s%s%s", str1, str, str2);
+        fflush(0);
+}
+
+static inline void ansi_faint(const char *str) {
+        char str1[] = {0x1b, '[', '2', 'm', '\0'};
+        char str2[] = {0x1b, '[', '0', 'm', '\0'};
+        printf("%s%s%s", str1, str, str2);
+        fflush(0);
+}
+
+static inline void ansi_red(const char *str) {
+        char str1[] = {0x1b, '[', '9', '1', 'm', '\0'};
+        char str2[] = {0x1b, '[', '0', 'm', '\0'};
+        printf("%s%s%s", str1, str, str2);
+        fflush(0);
+}
+
 static inline uint8_t hash(uint32_t ip) {
         uint8_t *ptr = (uint8_t *) &ip;
         // simple byte xor
@@ -78,4 +99,11 @@ void terminal_restore(void);
 // runprog.c
 int runprog(const char *program);
 
+// event.c
+extern int ev_cnt;
+void ev_clear(void);
+void ev_add(char *record);
+void ev_print(FILE *fp);
+
+
 #endif
diff --git a/src/fnettrace/main.c b/src/fnettrace/main.c
index 3bafd9090..4db8e7478 100644
--- a/src/fnettrace/main.c
+++ b/src/fnettrace/main.c
@@ -27,6 +27,12 @@
 
 static char *arg_log = NULL;
 
+// only 0 or negative values; positive values as defined in RFC
+#define PROTOCOL_ICMP 0
+#define PROTOCOL_SSH -1
+
+
+
 //*****************************************************************
 // packet stats
 //*****************************************************************
@@ -42,41 +48,18 @@ uint32_t stats_tor = 0;
 uint32_t stats_http = 0;
 uint32_t stats_ssh = 0;
 
-//*****************************************************************
-// sni/dns log storage
-//*****************************************************************
-typedef struct lognode_t {
-#define LOG_RECORD_LEN 255
-        char record[LOG_RECORD_LEN + 1];
-} LogNode;
-// circular list of SNI log records
-#define SNIMAX 64
-LogNode sni_table[SNIMAX] = {0};
-int sni_index = 0;
-
-// circular list of SNI log records
-#define DNSMAX 64
-LogNode dns_table[SNIMAX] = {0};
-int dns_index = 0;
-
-static void print_sni(void) {
-        int i;
-        for (i = sni_index; i < SNIMAX; i++)
-                if (*sni_table[i].record)
-                        printf("   %s", sni_table[i].record);
-        for (i = 0; i < sni_index; i++)
-                if (*sni_table[i].record)
-                        printf("   %s", sni_table[i].record);
-}
-
-static void print_dns(void) {
-        int i;
-        for (i = dns_index; i < DNSMAX; i++)
-                if (*dns_table[i].record)
-                        printf("   %s", dns_table[i].record);
-        for (i = 0; i < dns_index; i++)
-                if (*dns_table[i].record)
-                        printf("   %s", dns_table[i].record);
+static void clear_stats(void) {
+        stats_pkts = 0;
+        stats_icmp_echo = 0;
+        stats_dns = 0;
+        stats_dns_dot = 0;
+        stats_dns_doh = 0;
+        stats_dns_doq = 0;
+        stats_tls = 0;
+        stats_quic = 0;
+        stats_tor = 0;
+        stats_http = 0;
+        stats_ssh = 0;
 }
 
 //*****************************************************************
@@ -92,7 +75,7 @@ typedef struct hnode_t {
         uint32_t  bytes;        // number of bytes received in the last display interval
         uint32_t pkts;  // number of packets received in the last display interval
         uint16_t port_src;
-        uint8_t protocol;
+        int protocol;
 
         // the firewall is build based on source address, and in the linked list
         // we could have elements with the same address but different ports
@@ -135,7 +118,7 @@ void hfree(HNode *ptr) {
 }
 
 // using protocol 0 and port 0 for ICMP
-static void hnode_add(uint32_t ip_src, uint8_t protocol, uint16_t port_src, uint32_t bytes) {
+static void hnode_add(uint32_t ip_src, int protocol, uint16_t port_src, uint32_t bytes) {
         uint8_t h = hash(ip_src);
 
         // find
@@ -325,6 +308,8 @@ static inline const char *common_port(uint16_t port) {
                         return "Tor";
                 else if (port == 9030)
                         return "Tor";
+                else if (port == 9040)
+                        return "Tor";
                 else if (port == 9050)
                         return "Tor";
                 else if (port == 9051)
@@ -383,7 +368,9 @@ static void hnode_print(unsigned bw) {
         else
                 sprintf(stats, "%u KB/s ", bw / (1024 * DISPLAY_INTERVAL));
 //      int len = snprintf(line, LINE_MAX, "%32s geoip %d, IP database %d\n", stats, geoip_calls, radix_nodes);
-        int len = snprintf(line, LINE_MAX, "%32s address:port (protocol) network\n", stats);
+        char faint1[] = {0x1b, '[', '2', 'm', '\0'};
+        char faint2[] = {0x1b, '[', '0', 'm', '\0'};
+        int len = snprintf(line, LINE_MAX, "%32s %saddress:port (protocol) network%s\n", stats, faint1, faint2);
         adjust_line(line, len, cols);
         printf("%s", line);
 
@@ -461,10 +448,14 @@ static void hnode_print(unsigned bw) {
                                 protocol = "UDP";
                         else if (ptr->protocol == 0x06)
                                 protocol = "TCP";
+                        else if (ptr->protocol == PROTOCOL_SSH) {
+                                protocol = "SSH";
+                                stats_ssh += ptr->pkts;
+                        }
 
                         if (protocol == NULL)
                                 protocol = "";
-                        if (ptr->port_src == 0)
+                        if (ptr->port_src == PROTOCOL_ICMP)
                                 len = snprintf(line, LINE_MAX, "%10s %s %d.%d.%d.%d (ICMP) %s\n",
                                                bytes, bwline, PRINT_IP(ptr->ip_src), ptr->rnode->name);
                         else
@@ -490,7 +481,7 @@ static void hnode_print(unsigned bw) {
 
                 ptr = next;
         }
-        printf("press any key to access stats\n");
+        ansi_faint("(D)isplay, (S)ave, (C)lear, e(X)it\n");
 
 #ifdef DEBUG
         {
@@ -505,10 +496,34 @@ static void hnode_print(unsigned bw) {
 #endif
 }
 
+static void print_stats(FILE *fp) {
+        assert(fp);
+
+        fprintf(fp, "Stats: %u packets\n", stats_pkts);
+        fprintf(fp, "   encrypted: TLS %u, QUIC %u, Tor %u\n",
+                stats_tls, stats_quic, stats_tor);
+        fprintf(fp, "   unencrypted: HTTP %u\n", stats_http);
+        fprintf(fp, "   C&C backchannel: SSH %u, PING %u, DNS %u, DoH %u, DoT %u, DoQ %u\n",
+                stats_ssh, stats_icmp_echo, stats_dns, stats_dns_doh, stats_dns_dot, stats_dns_doq);
+
+        fprintf(fp, "\n\nIP map");
+        if (fp == stdout)
+                ansi_faint("  - network (packets)\n");
+        else
+                fprintf(fp, "  - network (packets)\n");
+        radix_print(fp, 1);
+
+        fprintf(fp, "\n\nEvents %d", ev_cnt);
+        if (fp == stdout)
+                ansi_faint(" - time address data\n");
+        else
+                fprintf(fp, " - time address data\n");
+        ev_print(fp);
 
-void print_stats(void) {
 }
 
+
+
 // trace rx traffic coming in
 static void run_trace(void) {
         // trace only rx ipv4 tcp and upd
@@ -523,7 +538,7 @@ static void run_trace(void) {
         if (p1 != -1)
                 printf("loading snitrace...");
 
-        int p2 = runprog(LIBDIR "/firejail/fnettrace-dns --nolocal");
+        int p2 = runprog(LIBDIR "/firejail/fnettrace-dns");
         if (p2 != -1)
                 printf("loading dnstrace...");
         unsigned last_print_traces = 0;
@@ -575,40 +590,67 @@ static void run_trace(void) {
                 int icmp = 0;
 
                 if (FD_ISSET(0, &rfds)) {
-                        getchar();
-                        printf("\n\nStats: %u packets\n", stats_pkts);
-                        printf("   encrypted: TLS %u, QUIC %u, SSH %u, Tor %u\n",
-                                stats_tls, stats_quic, stats_ssh, stats_tor);
-                        printf("   unencrypted: HTTP %u\n", stats_http);
-                        printf("   C&C backchannel: PING %u, DNS %u, DoH %u, DoT %u, DoQ %u\n",
-                                stats_icmp_echo, stats_dns, stats_dns_doh, stats_dns_dot, stats_dns_doq);
-                        printf("press any key to continue...");
-                        fflush(0);
-
-                        getchar();
-                        printf("\n\nSNI log - time server-address SNI\n");
-                        print_sni();
-                        printf("press any key to continue...");
-                        fflush(0);
-
-                        getchar();
-                        printf("\n\nDNS log - time server-address domain\n");
-                        print_dns();
-                        printf("press any key to continue...");
-                        fflush(0);
-
-                        getchar();
-                        printf("\n\nIP table: %d addresses - server-address network (packets)\n", radix_nodes);
-                        radix_print(1);
-                        printf("press any key to continue...");
-                        fflush(0);
-
-                        getchar();
+                        int c = getchar();
+                        if (c == 'c' || c == 'C') {
+                                clear_stats();
+                                ev_clear();
+                                radix_clear_data();
+                                continue;
+                        }
+                        else if (c == 'd' || c == 'D') {
+                                printf("\n\n");
+                                ansi_bold("__________________________________________________________________________\n");
+                                print_stats(stdout);
+                                ansi_bold("__________________________________________________________________________\n");
+                                ansi_faint("press any key to continue...");
+                                fflush(0);
+
+                                getchar();
+                                continue;
+                        }
+                        if (c == 's' || c == 'S') {
+                                printf("The file is saved in /tmp directory. Please enter the file name: ");
+                                fflush(0);
+
+                                char buf[LINE_MAX + 5]; // eave some room to add /tmp/
+                                strcpy(buf, "/tmp/");
+                                terminal_restore();
+                                if (fgets(buf + 5, LINE_MAX, stdin) == NULL)
+                                        errExit("fgets");
+                                terminal_set();
+
+                                // remove '\n' and open the file
+                                char *ptr = strchr(buf, '\n');
+                                if (!ptr) { // we should have a '\n'
+                                        printf("Error: invalid file name\n");
+                                        sleep(5);
+                                        continue;
+                                }
+                                *ptr = '\0';
+
+                                FILE *fp = fopen(buf, "w");
+                                if (!fp) {
+                                        printf("Error: cannot open file %s\n", buf);
+                                        perror("fopen");
+                                        sleep(5);
+                                        continue;
+                                }
+
+                                printf("Saving stats in %s file...\n", buf);
+                                print_stats(fp);
+                                fclose(fp);
+                                int rv = chmod(buf, 0600);
+                                (void) rv;
+                                sleep(1);
+                                continue;
+                        }
+                        else if (c == 'x' || c == 'X')
+                                break;
                         continue;
                 }
                 else if (FD_ISSET(p1, &rfds)) {
-                        char buf[1024];
-                        ssize_t sz = read(p1, buf, 1024 - 1);
+                        char buf[LINE_MAX];
+                        ssize_t sz = read(p1, buf, LINE_MAX - 1);
                         if (sz == -1)
                                 errExit("error reading snitrace");
                         if (sz == 0) {
@@ -618,19 +660,13 @@ static void run_trace(void) {
                         if (strncmp(buf, "SNI trace", 9) == 0)
                                 continue;
 
-                        if (sz > LOG_RECORD_LEN)
-                                sz = LOG_RECORD_LEN;
                         buf[sz] = '\0';
-                        strcpy(sni_table[sni_index].record, buf);
-                        if (++sni_index >= SNIMAX) {
-                                sni_index = 0;
-                                *sni_table[sni_index].record = '\0';
-                        }
+                        ev_add(buf);
                         continue;
                 }
                 else if (FD_ISSET(p2, &rfds)) {
-                        char buf[1024];
-                        ssize_t sz = read(p2, buf, 1024 - 1);
+                        char buf[LINE_MAX];
+                        ssize_t sz = read(p2, buf, LINE_MAX - 1);
                         if (sz == -1)
                                 errExit("error reading dnstrace");
                         if (sz == 0) {
@@ -640,16 +676,11 @@ static void run_trace(void) {
                         if (strncmp(buf, "DNS trace", 9) == 0)
                                 continue;
 
-                        if (sz > LOG_RECORD_LEN)
-                                sz = LOG_RECORD_LEN;
                         buf[sz] = '\0';
-                        strcpy(dns_table[dns_index].record, buf);
-                        if (++dns_index >= DNSMAX) {
-                                dns_index = 0;
-                                *dns_table[dns_index].record = '\0';
-                        }
+                        ev_add(buf);
                         continue;
                 }
+                // by default we assume TCP
                 else if (FD_ISSET(s2, &rfds))
                         sock = s2;
                 else if (FD_ISSET(s3, &rfds)) {
@@ -658,7 +689,7 @@ static void run_trace(void) {
                 }
 
                 unsigned bytes = recvfrom(sock, buf, MAX_BUF_SIZE, 0, NULL, NULL);
-                if (bytes >= 20) { // size of IP header
+                if (bytes >= 20) { // minimum size of IP packet
 #ifdef DEBUG
                         {
                                 uint32_t ip_src;
@@ -682,12 +713,30 @@ static void run_trace(void) {
                                 uint8_t hlen = (buf[0] & 0x0f) * 4;
                                 uint16_t port_src = 0;
                                 if (icmp)
-                                        hnode_add(ip_src, 0, 0, bytes + 14);
-                                else {
+                                        hnode_add(ip_src, PROTOCOL_ICMP, 0, bytes + 14);
+                                else { // itcp or udp
                                         memcpy(&port_src, buf + hlen, 2);
                                         port_src = ntohs(port_src);
-
-                                        uint8_t protocol = buf[9];
+                                        int protocol = (int) buf[9];
+
+                                        // detect ssh on a standard or not so standard port (22)
+                                        if (protocol == 6) { // tcp
+                                                uint8_t dataoffset = *(buf + hlen + 12);
+                                                uint8_t tcphlen = (dataoffset >> 2);
+                                                if (memcmp(buf + hlen + tcphlen, "SSH-", 4) == 0) {
+                                                        time_t seconds = time(NULL);
+                                                        struct tm *t = localtime(&seconds);
+                                                        char ip[30];
+                                                        sprintf(ip, "%d.%d.%d.%d", PRINT_IP(ip_src));
+                                                        char *msg;
+                                                        if (asprintf(&msg, "%02d:%02d:%02d  %-15s  SSH connection",
+                                                                t->tm_hour, t->tm_min, t->tm_sec, ip) == -1)
+                                                                errExit("asprintf");
+                                                        ev_add(msg);
+                                                        free(msg);
+                                                        protocol = PROTOCOL_SSH;
+                                                }
+                                        }
                                         hnode_add(ip_src, protocol, port_src, bytes + 14);
                                 }
 
@@ -705,7 +754,10 @@ static void run_trace(void) {
         close(s1);
         close(s2);
         close(s3);
-        print_stats();
+        if (p1 != -1)
+                close(p1);
+        if (p2 != -1)
+                close(p2);
 }
 
 
@@ -765,7 +817,7 @@ int main(int argc, char **argv) {
                 else if (strcmp(argv[i], "--print-map") == 0) {
                         char *fname = "static-ip-map.txt";
                         load_hostnames(fname);
-                        radix_print(0);
+                        radix_print(stdout, 0);
                         return 0;
                 }
                 else if (strncmp(argv[i], "--squash-map=", 13) == 0) {
@@ -787,7 +839,7 @@ int main(int argc, char **argv) {
                         printf("# License GPLv2\n");
                         printf("#\n");
 
-                        radix_print(0);
+                        radix_print(stdout, 0);
                         printf("\n#\n#\n# input %d, output %d\n#\n#\n", in, radix_nodes);
                         fprintf(stderr, "static ip map: input %d, output %d\n", in, radix_nodes);
                         return 0;
diff --git a/src/fnettrace/radix.c b/src/fnettrace/radix.c
index 322ee2643..9dfa725a2 100644
--- a/src/fnettrace/radix.c
+++ b/src/fnettrace/radix.c
@@ -151,21 +151,22 @@ RNode *radix_longest_prefix_match(uint32_t ip) {
 }
 
 static uint32_t sum;
-static void print(RNode *ptr, int level, int pkts) {
+static void print(FILE *fp, RNode *ptr, int level, int pkts) {
+        assert(fp);
         if (!ptr)
                 return;
         if (ptr->name) {
                 if (pkts) {
                         if (ptr->pkts) {
-                                printf("   %d.%d.%d.%d/%d ", PRINT_IP(sum << (32 - level)), level);
-                                printf("%s", ptr->name);
-                                printf(" (%u)\n", ptr->pkts);
+                                fprintf(fp, "   %d.%d.%d.%d/%d ", PRINT_IP(sum << (32 - level)), level);
+                                fprintf(fp, "%s", ptr->name);
+                                fprintf(fp, " (%u)\n", ptr->pkts);
                         }
                 }
                 else {
-                        printf("%d.%d.%d.%d/%d ", PRINT_IP(sum << (32 - level)), level);
-                        printf("%s", ptr->name);
-                        printf("\n");
+                        fprintf(fp, "%d.%d.%d.%d/%d ", PRINT_IP(sum << (32 - level)), level);
+                        fprintf(fp, "%s", ptr->name);
+                        fprintf(fp, "\n");
                 }
         }
 
@@ -174,21 +175,21 @@ static void print(RNode *ptr, int level, int pkts) {
 
         level++;
         sum <<= 1;
-        print(ptr->zero, level, pkts);
+        print(fp, ptr->zero, level, pkts);
         sum++;
-        print(ptr->one, level, pkts);
+        print(fp, ptr->one, level, pkts);
         sum--;
         sum >>= 1;
 }
 
-void radix_print(int pkts) {
+void radix_print(FILE *fp, int pkts) {
         if (!head)
                 return;
         sum = 0;
-        print(head->zero, 1, pkts);
+        print(fp, head->zero, 1, pkts);
         assert(sum == 0);
         sum = 1;
-        print(head->one, 1, pkts);
+        print(fp, head->one, 1, pkts);
         assert(sum == 1);
 }
 
@@ -241,3 +242,18 @@ void radix_squash(void) {
         assert(sum == 1);
 
 }
+
+static void clear_data(RNode *ptr) {
+        if (!ptr)
+                return;
+        ptr->pkts = 0;
+        clear_data(ptr->zero);
+        clear_data(ptr->one);
+}
+
+void radix_clear_data(void) {
+        if (!head)
+                return;
+        clear_data(head->zero);
+        clear_data(head->one);
+}
diff --git a/src/fnettrace/radix.h b/src/fnettrace/radix.h
index 358524723..686d60ace 100644
--- a/src/fnettrace/radix.h
+++ b/src/fnettrace/radix.h
@@ -30,7 +30,8 @@ typedef struct rnode_t {
 extern int radix_nodes;
 RNode *radix_longest_prefix_match(uint32_t ip);
 RNode*radix_add(uint32_t ip, uint32_t mask, char *name);
-void radix_print(int pkts);
+void radix_print(FILE *fp, int pkts);
 void radix_squash(void);
+void radix_clear_data(void);
 
 #endif
diff --git a/src/fnettrace/static-ip-map.txt b/src/fnettrace/static-ip-map.txt
index eb66df73f..830df058f 100644
--- a/src/fnettrace/static-ip-map.txt
+++ b/src/fnettrace/static-ip-map.txt
@@ -92,7 +92,7 @@
 8.8.4.0/24 Google DNS
 8.8.8.0/24 Google DNS
 8.20.247.20/32 Comodo DNS
-8.26.56.26/32 Comodo DNS
+8.26.56.0/24 Comodo DNS
 9.9.9.0/24 Quad9 DNS
 45.90.28.0/22 NextDNS
 45.11.45.0/24 DNS-SB
@@ -103,8 +103,7 @@
 76.76.10.0/24 ControlD DNS
 76.76.19.0/24 Alternate DNS
 76.223.122.150/32 Alternate DNS
-77.88.8.8/32 Yandex DNS
-77.88.8.1/32 Yandex DNS
+77.88.8.0/24 Yandex DNS
 80.80.80.0/24 Freenom DNS Cloud
 80.80.81.0/24 Freenom DNS Cloud
 84.200.69.80/32 DSN Watch
@@ -123,8 +122,7 @@
 205.171.3.66/32 CentyrLink DNS
 205.171.202.166/32 CentyrLink DNS
 208.67.216.0/21 OpenDNS
-216.146.35.35/32 Dyn DNS
-216.146.36.36/32 Dyn DNS
+216.146.32.0/20 Dyn DNS
 
 # whois
 45.88.202.0/24 Anonymize Inc WHOIS Privacy Service
@@ -167,12 +165,9 @@
 66.211.176.0/20 eBay
 66.218.64.0/19 Yahoo
 66.220.144.0/20 Facebook
-69.30.200.200/29 BitChute
 69.53.224.0/19 Netflix
 69.171.224.0/19 Facebook
-69.197.182.184/29 BitChute
 74.6.0.0/16 Yahoo
-74.91.29.208/29 BitChute
 87.250.254.0/24 Yandex
 91.105.192.0/23 Telegram
 91.108.4.0/22 Telegram
@@ -185,22 +180,16 @@
 91.189.94.0/24 Ubuntu One
 95.161.64.0/20 Telegram
 99.181.64.0/18 Twitch
-69.197.138.24/29 BitChute
 103.10.124.0/23 Steam
 103.28.54.0/24 Steam
 103.53.48.0/23 Twitch
 104.244.40.0/21 Twitter
-107.150.32.0/19 BitChute
-107.150.35.192/29 BitChute
-107.150.45.120/29 BitChute
 108.160.160.0/20 Dropbox
 108.175.32.0/20 Netflix
+129.144.0.0/12 Oracle
 129.134.0.0/16 Facebook
 140.82.112.0/20 GitHub
-142.54.180.104/29 BitChute
-142.54.181.184/29 BitChute
-142.54.189.192/29 BitChute
-143.55.64.0/20 Github
+143.55.64.0/20 GitHub
 146.66.152.0/24 Steam
 146.66.155.0/24 Steam
 149.154.160.0/20 Telegram
@@ -219,10 +208,6 @@
 162.213.32.0/22 Ubuntu One
 162.254.192.0/21 Steam
 172.98.56.0/22 Rumble
-173.208.154.8/29 BitChute
-173.208.154.160/29 BitChute
-173.208.185.200/29 BitChute
-173.208.219.112/29 BitChute
 178.154.131.0/24 Yandex
 185.2.220.0/22 Netflix
 185.9.188.0/22 Netflix
@@ -235,7 +220,6 @@
 185.125.188.0/22 Ubuntu One
 185.199.108.0/22 GitHub
 185.205.69.0/24 Tutanota
-185.238.113.0/24 Bitchute
 188.64.224.0/21 Twitter
 190.217.33.0/24 Steam
 192.0.64.0/18 Wordpress
@@ -243,24 +227,15 @@
 192.30.252.0/22 GitHub
 192.69.96.0/22 Steam
 192.108.239.0/24 Twitch
-192.151.158.136/29 BitChute
 192.173.64.0/18 Netflix
-192.187.97.88/29 BitChute
-192.187.114.96/29 BitChute
-192.187.123.112/29 BitChute
-192.187.126.0/29 BitChute
 192.189.200.0/23 Dropbox
 194.169.254.0/24 Ubuntu One
 198.38.96.0/19 Netflix
 198.45.48.0/20 Netflix
-198.204.226.120/29 BitChute
-198.204.245.88/29 BitChute
 198.252.206.0/24 Stack Exchange
 199.9.248.0/21 Twitch
 199.16.156.0/22 Twitter
 199.59.148.0/22 Twitter
-199.168.96.24/29 BitChute
-204.12.194.176/29 BitChute
 205.185.194.0/24 Steam
 205.196.6.0/24 Steam
 207.45.72.0/22 Netflix
@@ -270,9 +245,77 @@
 208.75.76.0/22 Netflix
 208.78.164.0/22 Steam
 208.80.152.0/22 Wikipedia
-208.110.68.56/29 BitChute
 209.140.128.0/18 eBay
 
+# BitChute
+63.141.247.168/29 BitChute
+63.141.247.240/29 BitChute
+69.30.200.200/29 BitChute
+69.30.230.64/29 BitChute
+69.30.241.40/29 BitChute
+69.30.241.48/29 BitChute
+69.30.243.168/29 BitChute
+69.30.245.232/29 BitChute
+69.30.253.16/29 BitChute
+69.197.182.184/29 BitChute
+74.91.28.208/29 BitChute
+74.91.29.208/29 BitChute
+69.197.138.24/29 BitChute
+107.150.32.0/19 BitChute
+107.150.35.192/29 BitChute
+107.150.45.120/29 BitChute
+142.54.180.104/29 BitChute
+142.54.181.184/29 BitChute
+142.54.188.112/29 BitChute
+142.54.189.192/29 BitChute
+173.208.154.8/29 BitChute
+173.208.154.160/29 BitChute
+173.208.176.128/29 BitChute
+173.208.185.200/29 BitChute
+173.208.203.224/29 BitChute
+173.208.203.248/29 BitChute
+173.208.211.224/29 BitChute
+173.208.216.40/29 BitChute
+173.208.219.112/29 BitChute
+173.208.246.160/29 BitChute
+185.238.113.0/24 BitChute
+192.151.147.16/29 BitChute
+192.151.158.136/29 BitChute
+192.187.97.88/29 BitChute
+192.187.114.16/29 BitChute
+192.187.114.96/29 BitChute
+192.187.118.168/29 BitChute
+192.187.121.208/29 BitChute
+192.187.122.72/29 BitChute
+192.187.123.112/29 BitChute
+192.187.126.0/29 BitChute
+198.204.226.120/29 BitChute
+198.204.228.48/29 BitChute
+198.204.235.88/29 BitChute
+198.204.235.216/29 BitChute
+198.204.245.32/29 BitChute
+198.204.245.88/29 BitChute
+198.204.250.208/29 BitChute
+198.204.253.64/29 BitChute
+198.204.253.184/29 BitChute
+199.168.96.24/29 BitChute
+199.168.96.64/29 BitChute
+204.12.220.136/29 BitChute
+204.12.194.176/29 BitChute
+204.12.194.248/29 BitChute
+204.12.220.232/29 BitChute
+208.110.68.56/29 BitChute
+
+# WholeSale Internet
+69.30.192.0/18 WholeSale Internet
+69.197.128.0/18 WholeSale Internet
+142.54.160.0/19 WholeSale Internet
+173.208.128.0/17 WholeSale Internet
+204.12.192.0/18 WholeSale Internet
+208.67.0.0/21 WholeSale Internet
+208.110.64.0/19 WholeSale Internet
+208.110.91.0/24 WholeSale Internet
+
 # Imperva
 199.83.128.0/21 Imperva
 198.143.32.0/19 Imperva
@@ -297,6 +340,7 @@
 66.243.0.0/17 Level 3
 66.243.128.0/18 Level 3
 66.251.192.0/19 Level 3
+74.202.0.0/15 Level 3
 205.128.0.0/14 Level 3
 205.180.0.0/14 Level 3
 205.184.0.0/19 Level 3
@@ -325,6 +369,7 @@
 69.16.173.0/24 StackPath
 69.16.174.0/23 StackPath
 69.16.176.0/20 StackPath
+74.209.128.0/20 StackPath
 151.139.0.0/16 StackPath
 205.185.194.0/23 StackPath
 205.185.196.0/23 StackPath
@@ -354,6 +399,7 @@
 45.79.0.0/16 Linode
 50.116.0.0/18 Linode
 66.175.208.0/20 Linode
+74.207.224.0/19 Linode
 103.29.68.0/22 Linode
 104.200.16.0/21 Linode
 104.200.24.0/22 Linode
@@ -461,6 +507,8 @@
 23.72.0.0/13 Akamai
 23.192.0.0/11 Akamai
 72.246.0.0/15 Akamai
+74.121.124.0/22 Akamai
+92.122.160.0/20 Akamai
 96.6.0.0/15 Akamai
 96.16.0.0/15 Akamai
 104.64.0.0/10 Akamai
@@ -533,6 +581,7 @@
 20.48.0.0/12 Microsoft
 20.128.0.0/16 Microsoft
 20.192.0.0/10 Microsoft
+23.96.0.0/13 Microsoft
 40.76.0.0/14 Microsoft
 40.96.0.0/12 Microsoft
 40.112.0.0/13 Microsoft
@@ -541,11 +590,38 @@
 40.80.0.0/12 Microsoft
 40.120.0.0/14 Microsoft
 40.125.0.0/17 Microsoft
+51.4.0.0/15 Microsoft
+51.8.0.0/16 Microsoft
+51.10.0.0/14 Microsoft
+51.51.0.0/16 Microsoft
+51.53.0.0/16 Microsoft
+51.103.0.0/16 Microsoft
+51.107.0.0/16 Microsoft
+51.116.0.0/16 Microsoft
+51.120.0.0/16 Microsoft
+51.124.0.0/16 Microsoft
+51.132.0.0/16 Microsoft
+51.136.0.0/16 Microsoft
+51.140.0.0/15 Microsoft
+52.96.0.0/12 Microsoft
+52.112.0.0/14 Microsoft
+52.120.0.0/14 Microsoft
+52.125.0.0/16 Microsoft
+52.126.0.0/15 Microsoft
+52.132.0.0/14 Microsoft
+52.136.0.0/13 Microsoft
 52.145.0.0/16 Microsoft
+52.146.0.0/15 Microsoft
 52.148.0.0/14 Microsoft
 52.152.0.0/13 Microsoft
-52.146.0.0/15 Microsoft
 52.160.0.0/11 Microsoft
+52.224.0.0/11 Microsoft
+74.160.0.0/14 Microsoft
+74.176.0.0/14 Microsoft
+74.224.0.0/14 Microsoft
+74.234.0.0/15 Microsoft
+74.240.0.0/14 Microsoft
+74.248.0.0/15 Microsoft
 168.61.0.0/16 Microsoft
 168.62.0.0/15 Microsoft
 
@@ -561,6 +637,7 @@
 206.190.32.0/19 Yahoo
 209.73.160.0/19 Yahoo
 209.191.64.0/18 Yahoo
+212.82.100.0/22 Yahoo
 216.115.96.0/20 Yahoo
 
 # Google
@@ -570,6 +647,18 @@
 8.35.192.0/20 Google
 23.236.48.0/20 Google
 23.251.128.0/19 Google
+34.4.16.0/20 Google
+34.4.64.0/18 Google
+34.4.6.0/23 Google
+34.16.0.0/12 Google
+34.32.0.0/11 Google
+34.4.128.0/17 Google
+34.8.0.0/13 Google
+34.4.8.0/21 Google
+34.5.0.0/16 Google
+34.6.0.0/15 Google
+34.4.32.0/19 Google
+34.4.5.0/24 Google
 34.64.0.0/10 Google
 34.128.0.0/10 Google
 35.184.0.0/13 Google
@@ -1820,6 +1909,7 @@
 34.192.0.0/12 Amazon
 34.208.0.0/12 Amazon
 34.224.0.0/12 Amazon
+34.225.127.72/10 Amazon
 34.240.0.0/13 Amazon
 34.248.0.0/13 Amazon
 35.71.64.0/22 Amazon
@@ -3368,7 +3458,7 @@
 54.93.0.0/16 Amazon
 54.94.0.0/16 Amazon
 54.95.0.0/16 Amazon
-54.144.0.0/14 Amazon
+54.144.0.0/12 Amazon
 54.148.0.0/15 Amazon
 54.150.0.0/16 Amazon
 54.151.0.0/17 Amazon
@@ -3379,7 +3469,7 @@
 54.154.0.0/16 Amazon
 54.155.0.0/16 Amazon
 54.156.0.0/14 Amazon
-54.160.0.0/13 Amazon
+54.160.0.0/11 Amazon
 54.168.0.0/16 Amazon
 54.169.0.0/16 Amazon
 54.170.0.0/15 Amazon
@@ -3392,7 +3482,7 @@
 54.182.0.0/16 Amazon
 54.183.0.0/16 Amazon
 54.184.0.0/13 Amazon
-54.192.0.0/16 Amazon
+54.192.0.0/12 Amazon
 54.193.0.0/16 Amazon
 54.194.0.0/15 Amazon
 54.196.0.0/15 Amazon
@@ -3403,12 +3493,12 @@
 54.204.0.0/15 Amazon
 54.206.0.0/16 Amazon
 54.207.0.0/16 Amazon
-54.208.0.0/15 Amazon
+54.208.0.0/13 Amazon
 54.210.0.0/15 Amazon
 54.212.0.0/15 Amazon
 54.214.0.0/16 Amazon
 54.215.0.0/16 Amazon
-54.216.0.0/15 Amazon
+54.216.0.0/14 Amazon
 54.218.0.0/16 Amazon
 54.219.0.0/16 Amazon
 54.220.0.0/16 Amazon
@@ -3668,6 +3758,10 @@
 72.21.192.0/19 Amazon
 72.41.0.0/20 Amazon
 72.44.32.0/19 Amazon
+74.127.0.0/18 Amazon
+74.190.0.0/16 Amazon
+74.230.0.0/16 Amazon
+74.250.0.0/16 Amazon
 75.2.0.0/17 Amazon
 75.101.128.0/17 Amazon
 76.223.0.0/17 Amazon
@@ -5649,3 +5743,374 @@
 64.120.69.0/24 Leaseweb
 69.147.236.0/24 Leaseweb
 70.32.34.0/24 Leaseweb
+
+
+
+# GoDaddy
+103.1.172.0/22 GoDaddy
+103.1.172.0/24 GoDaddy
+103.1.174.0/24 GoDaddy
+103.1.175.0/24 GoDaddy
+104.238.64.0/18 GoDaddy
+104.238.64.0/19 GoDaddy
+104.238.64.0/22 GoDaddy
+104.238.64.0/24 GoDaddy
+107.180.0.0/17 GoDaddy
+107.180.0.0/18 GoDaddy
+107.180.100.0/22 GoDaddy
+107.180.104.0/22 GoDaddy
+107.180.108.0/22 GoDaddy
+107.180.120.0/22 GoDaddy
+107.180.64.0/19 GoDaddy
+118.139.160.0/19 GoDaddy
+118.139.160.0/21 GoDaddy
+132.148.0.0/16 GoDaddy
+132.148.16.0/20 GoDaddy
+132.148.16.0/22 GoDaddy
+132.148.164.0/22 GoDaddy
+132.148.184.0/21 GoDaddy
+132.148.192.0/20 GoDaddy
+132.148.20.0/22 GoDaddy
+132.148.24.0/22 GoDaddy
+132.148.32.0/21 GoDaddy
+148.66.128.0/19 GoDaddy
+148.66.128.0/22 GoDaddy
+148.66.136.0/22 GoDaddy
+148.66.140.0/22 GoDaddy
+148.66.144.0/21 GoDaddy
+148.72.0.0/17 GoDaddy
+148.72.16.0/22 GoDaddy
+148.72.204.0/22 GoDaddy
+148.72.204.0/24 GoDaddy
+148.72.206.0/23 GoDaddy
+148.72.208.0/21 GoDaddy
+148.72.220.0/22 GoDaddy
+148.72.224.0/19 GoDaddy
+148.72.224.0/20 GoDaddy
+148.72.240.0/22 GoDaddy
+148.72.244.0/22 GoDaddy
+148.72.32.0/21 GoDaddy
+148.72.32.0/23 GoDaddy
+148.72.34.0/24 GoDaddy
+148.72.36.0/24 GoDaddy
+148.72.4.0/22 GoDaddy
+148.72.44.0/22 GoDaddy
+148.72.88.0/22 GoDaddy
+160.153.32.0/19 GoDaddy
+160.153.64.0/18 GoDaddy
+160.153.64.0/19 GoDaddy
+160.153.96.0/19 GoDaddy
+166.62.0.0/19 GoDaddy
+166.62.0.0/22 GoDaddy
+166.62.0.0/24 GoDaddy
+166.62.100.0/22 GoDaddy
+166.62.10.0/23 GoDaddy
+166.62.1.0/24 GoDaddy
+166.62.112.0/20 GoDaddy
+166.62.116.0/22 GoDaddy
+166.62.120.0/22 GoDaddy
+166.62.12.0/22 GoDaddy
+166.62.12.0/24 GoDaddy
+166.62.13.0/24 GoDaddy
+166.62.15.0/24 GoDaddy
+166.62.16.0/22 GoDaddy
+166.62.17.0/24 GoDaddy
+166.62.20.0/22 GoDaddy
+166.62.2.0/24 GoDaddy
+166.62.23.0/24 GoDaddy
+166.62.24.0/22 GoDaddy
+166.62.24.0/24 GoDaddy
+166.62.25.0/24 GoDaddy
+166.62.26.0/23 GoDaddy
+166.62.28.0/22 GoDaddy
+166.62.3.0/24 GoDaddy
+166.62.32.0/19 GoDaddy
+166.62.32.0/22 GoDaddy
+166.62.36.0/22 GoDaddy
+166.62.40.0/22 GoDaddy
+166.62.4.0/22 GoDaddy
+166.62.4.0/24 GoDaddy
+166.62.44.0/22 GoDaddy
+166.62.5.0/24 GoDaddy
+166.62.52.0/22 GoDaddy
+166.62.56.0/22 GoDaddy
+166.62.60.0/22 GoDaddy
+166.62.6.0/23 GoDaddy
+166.62.64.0/18 GoDaddy
+166.62.64.0/19 GoDaddy
+166.62.80.0/22 GoDaddy
+166.62.8.0/22 GoDaddy
+166.62.8.0/24 GoDaddy
+166.62.84.0/22 GoDaddy
+166.62.88.0/22 GoDaddy
+166.62.9.0/24 GoDaddy
+
+# IBM cloud service
+# https://cloud.ibm.com/docs/cloud-infrastructure?topic=cloud-infrastructure-ibm-cloud-ip-ranges
+# last update Aug 2023
+159.8.198.0/23 IBM
+169.38.118.0/23 IBM
+173.192.118.0/23 IBM
+192.255.18.0/24 IBM
+198.23.118.0/23 IBM
+169.46.118.0/23 IBM
+169.47.118.0/23 IBM
+169.48.118.0/24 IBM
+159.122.118.0/23 IBM
+161.156.118.0/24 IBM
+149.81.118.0/23 IBM
+5.10.118.0/23 IBM
+158.175.127.0/24 IBM
+141.125.118.0/23 IBM
+158.176.118.0/23 IBM
+159.122.138.0/23 IBM
+169.54.118.0/23 IBM
+163.68.118.0/24 IBM
+163.69.118.0/24 IBM
+163.73.118.0/24 IBM
+159.8.118.0/23 IBM
+169.57.138.0/23 IBM
+50.23.118.0/23 IBM
+169.45.118.0/23 IBM
+169.62.118.0/24 IBM
+174.133.118.0/23 IBM
+168.1.18.0/23 IBM
+130.198.118.0/23 IBM
+135.90.118.0/23 IBM
+161.202.118.0/23 IBM
+128.168.118.0/23 IBM
+165.192.118.0/23 IBM
+158.85.118.0/23 IBM
+163.74.118.0/23 IBM
+163.75.118.0/23 IBM
+208.43.118.0/23 IBM
+192.255.38.0/24 IBM
+169.55.118.0/23 IBM
+169.60.118.0/23 IBM
+169.61.118.0/23 IBM
+159.8.197.0/24 IBM
+169.38.117.0/24 IBM
+50.23.203.0/24 IBM
+108.168.157.0/24 IBM
+173.192.117.0/24 IBM
+192.155.205.0/24 IBM
+169.46.187.0/24 IBM
+198.23.117.0/24 IBM
+169.46.117.0/24 IBM
+169.47.117.0/24 IBM
+169.48.117.0/24 IBM
+159.122.117.0/24 IBM
+161.156.117.0/24 IBM
+149.81.117.0/24 IBM
+5.10.117.0/24 IBM
+158.175.117.0/24 IBM
+141.125.117.0/24 IBM
+158.176.117.0/24 IBM
+159.122.137.0/24 IBM
+169.54.117.0/24 IBM
+159.8.117.0/24 IBM
+169.57.137.0/24 IBM
+50.23.117.0/24 IBM
+169.45.117.0/24 IBM
+174.133.117.0/24 IBM
+168.1.17.0/24 IBM
+130.198.117.0/24 IBM
+135.90.117.0/24 IBM
+161.202.117.0/24 IBM
+128.168.117.0/24 IBM
+165.192.117.0/24 IBM
+158.85.117.0/24 IBM
+50.22.248.0/25 IBM
+169.54.27.0/24 IBM
+198.11.250.0/24 IBM
+208.43.117.0/24 IBM
+169.55.117.0/24 IBM
+169.60.117.0/24 IBM
+169.61.117.0/24 IBM
+12.96.160.0/24 IBM
+66.98.240.192/26 IBM
+67.18.139.0/24 IBM
+67.19.0.0/24 IBM
+70.84.160.0/24 IBM
+70.85.125.0/24 IBM
+75.125.126.8/32 IBM
+209.85.4.0/26 IBM
+216.12.193.9/32 IBM
+216.40.193.0/24 IBM
+216.234.234.0/24 IBM
+
+# Hetzner
+116.202.0.0/16 Hetzner
+116.203.0.0/16 Hetzner
+128.140.0.0/17 Hetzner
+135.181.0.0/16 Hetzner
+142.132.128.0/17 Hetzner
+157.90.0.0/16 Hetzner
+159.69.0.0/16 Hetzner
+162.55.0.0/16 Hetzner
+167.233.0.0/16 Hetzner
+167.235.0.0/16 Hetzner
+168.119.0.0/16 Hetzner
+176.9.0.0/16 Hetzner
+178.63.0.0/16 Hetzner
+188.34.128.0/17 Hetzner
+188.40.0.0/16 Hetzner
+195.201.0.0/16 Hetzner
+213.239.192.0/18 Hetzner
+23.88.0.0/17 Hetzner
+37.27.0.0/16 Hetzner
+46.4.0.0/16 Hetzner
+49.12.0.0/16 Hetzner
+49.13.0.0/16 Hetzner
+5.75.128.0/17 Hetzner
+5.9.0.0/16 Hetzner
+65.108.0.0/16 Hetzner
+65.109.0.0/16 Hetzner
+65.21.0.0/16 Hetzner
+78.46.0.0/15 Hetzner
+85.10.192.0/18 Hetzner
+88.198.0.0/16 Hetzner
+88.99.0.0/16 Hetzner
+91.107.128.0/17 Hetzner
+94.130.0.0/16 Hetzner
+95.216.0.0/16 Hetzner
+95.217.0.0/16 Hetzner
+
+# Liquid Web
+159.135.48.0/20 Liquid Web
+162.212.134.0/24 Liquid Web
+162.252.104.0/22 Liquid Web
+172.255.59.0/24 Liquid Web
+173.199.128.0/18 Liquid Web
+184.106.55.0/24 Liquid Web
+192.126.88.0/22 Liquid Web
+192.133.82.0/24 Liquid Web
+192.138.16.0/21 Liquid Web
+192.190.220.0/22 Liquid Web
+192.251.32.0/24 Liquid Web
+199.189.224.0/22 Liquid Web
+199.195.118.0/24 Liquid Web
+205.174.24.0/22 Liquid Web
+207.246.248.0/21 Liquid Web
+208.75.148.0/22 Liquid Web
+208.79.232.0/21 Liquid Web
+208.86.152.0/21 Liquid Web
+209.124.89.0/24 Liquid Web
+209.188.80.0/20 Liquid Web
+209.59.128.0/18 Liquid Web
+50.28.0.0/18 Liquid Web
+50.28.5.0/24 Liquid Web
+50.28.64.0/19 Liquid Web
+50.57.240.0/20 Liquid Web
+64.50.144.0/20 Liquid Web
+64.50.144.0/23 Liquid Web
+64.50.148.0/22 Liquid Web
+64.50.152.0/21 Liquid Web
+64.91.224.0/19 Liquid Web
+67.225.128.0/17 Liquid Web
+67.227.128.0/17 Liquid Web
+67.43.0.0/20 Liquid Web
+68.66.211.0/24 Liquid Web
+69.160.56.0/24 Liquid Web
+69.16.192.0/18 Liquid Web
+69.16.222.0/23 Liquid Web
+69.167.128.0/18 Liquid Web
+72.52.128.0/17 Liquid Web
+96.30.0.0/18 Liquid Web
+
+# OVH
+107.189.64.0/18 OVH
+135.125.0.0/17 OVH
+135.125.128.0/17 OVH
+135.148.0.0/17 OVH
+135.148.128.0/17 OVH
+137.74.0.0/16 OVH
+139.99.0.0/17 OVH
+139.99.128.0/17 OVH
+141.94.0.0/16 OVH
+141.95.0.0/17 OVH
+141.95.128.0/17 OVH
+142.4.192.0/19 OVH
+142.44.128.0/17 OVH
+144.217.0.0/16 OVH
+145.239.0.0/16 OVH
+146.59.0.0/16 OVH
+146.59.0.0/17 OVH
+147.135.0.0/17 OVH
+147.135.128.0/17 OVH
+148.113.0.0/18 OVH
+148.113.128.0/17 OVH
+149.202.0.0/16 OVH
+149.56.0.0/16 OVH
+151.80.0.0/16 OVH
+15.204.0.0/17 OVH
+15.204.128.0/17 OVH
+152.228.128.0/17 OVH
+15.235.0.0/17 OVH
+15.235.128.0/17 OVH
+158.69.0.0/16 OVH
+162.19.0.0/17 OVH
+162.19.128.0/17 OVH
+164.132.0.0/16 OVH
+167.114.0.0/17 OVH
+167.114.128.0/18 OVH
+167.114.192.0/19 OVH
+176.31.0.0/16 OVH
+178.32.0.0/15 OVH
+185.15.68.0/22 OVH
+185.45.160.0/22 OVH
+188.165.0.0/16 OVH
+192.240.152.0/21 OVH
+192.95.0.0/18 OVH
+192.99.0.0/16 OVH
+193.70.0.0/17 OVH
+198.100.144.0/20 OVH
+198.244.128.0/17 OVH
+198.245.48.0/20 OVH
+198.27.64.0/18 OVH
+198.27.92.0/24 OVH
+198.50.128.0/17 OVH
+213.186.32.0/19 OVH
+213.251.128.0/18 OVH
+213.32.0.0/17 OVH
+217.182.0.0/16 OVH
+23.92.224.0/19 OVH
+37.187.0.0/16 OVH
+37.59.0.0/16 OVH
+40.160.0.0/17 OVH
+46.105.0.0/16 OVH
+46.105.198.0/24 OVH
+46.105.199.0/24 OVH
+46.105.200.0/24 OVH
+46.105.201.0/24 OVH
+46.105.202.0/24 OVH
+46.105.203.0/24 OVH
+46.105.204.0/24 OVH
+46.105.206.0/24 OVH
+46.105.207.0/24 OVH
+46.244.32.0/20 OVH
+51.161.0.0/17 OVH
+51.161.128.0/17 OVH
+
+# Ionos
+74.208.0.0/16 Ionos
+
+# WPEngine
+141.193.213.0/24 WPEngine
+
+# Dreamhost
+208.113.128.0/17 Dreamhost
+
+# Shopify
+23.227.32.0/19 Shopify
+
+# Sucuri
+66.248.200.0/22 Sucuri
+185.93.228.0/22 Sucuri
+192.88.134.0/23 Sucuri
+192.124.249.0/24 Sucuri
+192.161.0.0/24 Sucuri
+
+# HostGator
+# Bluehost
+# Squarespace
diff --git a/src/lib/syscall.c b/src/lib/syscall.c
index ca7c61c8e..602f7218c 100644
--- a/src/lib/syscall.c
+++ b/src/lib/syscall.c
@@ -1104,13 +1104,13 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_pciconfig_write
           "pciconfig_write,"
 #endif
-#ifdef SYS_s390_mmio_read
-          "s390_mmio_read,"
+#ifdef SYS_s390_pci_mmio_read
+          "s390_pci_mmio_read,"
 #endif
-#ifdef SYS_s390_mmio_write
-          "s390_mmio_write"
+#ifdef SYS_s390_pci_mmio_write
+          "s390_pci_mmio_write"
 #endif
-#if !defined(SYS_ioperm) && !defined(SYS_iopl) && !defined(SYS_pciconfig_iobase) && !defined(SYS_pciconfig_read) && !defined(SYS_pciconfig_write) && !defined(SYS_s390_mmio_read) && !defined(SYS_s390_mmio_write)
+#if !defined(SYS_ioperm) && !defined(SYS_iopl) && !defined(SYS_pciconfig_iobase) && !defined(SYS_pciconfig_read) && !defined(SYS_pciconfig_write) && !defined(SYS_s390_pci_mmio_read) && !defined(SYS_s390_pci_mmio_write)
           "__dummy_syscall__" // workaround for s390x which doesn't have any of above defined and empty syscall lists are not allowed
 #endif
         },
diff --git a/src/man/firejail.1.in b/src/man/firejail.1.in
index 19fc94ebd..06969e851 100644
--- a/src/man/firejail.1.in
+++ b/src/man/firejail.1.in
@@ -788,7 +788,6 @@ $ firejail \-\-list
 .br
 $ firejail \-\-dns.print=3272
 
-#ifdef HAVE_NETWORK
 .TP
 \fB\-\-dnstrace[=name|pid]
 Monitor DNS queries. The sandbox can be specified by name or pid. Only networked sandboxes
@@ -828,7 +827,6 @@ $ sudo firejail --dnstrace
 .br
 11:32:08  9.9.9.9        www.youtube.com (type 1)
 .br
-#endif
 
 .TP
 \fB\-\-env=name=value
@@ -930,7 +928,6 @@ $ firejail --ignore=seccomp --ignore=caps firefox
 $ firejail \-\-ignore="net eth0" firefox
 #endif
 
-#ifdef HAVE_NETWORK
 .TP
 \fB\-\-icmptrace[=name|pid]
 Monitor ICMP traffic. The sandbox can be specified by name or pid. Only networked sandboxes
@@ -956,7 +953,6 @@ $ sudo firejail --icmptrace
 .br
 20:53:55  192.168.1.60 -> 1.1.1.1 - 154 bytes - Destination unreachable/Port unreachable
 .br
-#endif
 
 .TP
 \fB\-\-\include=file.profile
@@ -1643,6 +1639,7 @@ PID  User    RX(KB/s) TX(KB/s) Command
 1294 netblue 53.355   1.473    firejail \-\-net=eth0 firefox
 .br
 7383 netblue 9.045    0.112    firejail \-\-net=eth0 transmission
+#endif
 .TP
 \fB\-\-nettrace[=name|pid]
 Monitor received TCP. UDP, and ICMP traffic. The sandbox can be specified by name or pid. Only networked sandboxes
@@ -1658,17 +1655,15 @@ Example:
 .br
 $ sudo firejail --nettrace
 .br
-                        95 KB/s  geoip 457, IP database 4436
-.br
-   52 KB/s ***********           64.222.84.207:443 United States
+                       93 KB/s  address:port (protocol) network
 .br
-   33 KB/s *******               89.147.74.105:63930 Hungary
+  14 B/s  **                    104.24.8.4:443(QUIC) Cloudflare
 .br
-    0 B/s                        45.90.28.0:443 NextDNS
+  80 KB/s *****************     192.187.97.90:443(TLS) BitChute
 .br
-    0 B/s                        94.70.122.176:52309(UDP) Greece
+   1 B/s                        149.56.228.45:443(DoH) Canada
 .br
-  339 B/s                        104.26.7.35:443 Cloudflare
+(D)isplay, (S)ave, (C)lear, e(X)it
 .br
 
 .br
@@ -1677,7 +1672,6 @@ the country the traffic originates from is added to the trace.
 We also use the static IP map in /usr/lib/firejail/static-ip-map
 to print the domain names for some of the more common websites and cloud platforms.
 No external services are contacted for reverse IP lookup.
-#endif
 .TP
 \fB\-\-nice=value
 Set nice value for all processes running inside the sandbox.
@@ -2263,6 +2257,18 @@ All modifications are discarded when the sandbox is closed.
 Example:
 .br
 $ firejail --private-opt=firefox /opt/firefox/firefox
+.br
+
+.br
+Note: Program installations in /opt tend to be relatively large and private-opt
+copies the entire path(s) into RAM, which may significantly increase RAM usage
+and break \fBfile-copy-limit\fR in firejail.config.
+Therefore, in general it is recommended to use "whitelist /opt/PATH" instead of
+"private-opt PATH".
+For details, see
+.UR https://github.com/netblue30/firejail/discussions/5307
+#5307
+.UE
 
 .TP
 \fB\-\-private-srv=file,directory
@@ -2850,7 +2856,6 @@ $ firejail \-\-list
 .br
 $ firejail \-\-shutdown=3272
 
-#ifdef HAVE_NETWORK
 .TP
 \fB\-\-snitrace[=name|pid]
 Monitor Server Name Indication (TLS/SNI). The sandbox can be specified by name or pid. Only networked sandboxes
@@ -2892,7 +2897,6 @@ $ sudo firejail --snitrace
 .br
 07:53:11  192.0.73.2       1.gravatar.com
 .br
-#endif
 
 .TP
 \fB\-\-tab
diff --git a/test/compile/compile.sh b/test/compile/compile.sh
index 0e3425f8d..b7a3b39d8 100755
--- a/test/compile/compile.sh
+++ b/test/compile/compile.sh
@@ -52,7 +52,7 @@ print_title() {
         echo "**************************************************"
 }
 
-DIST="$(TARNAME)-$(VERSION)"
+DIST="$TARNAME-$VERSION"
 while [[ $# -gt 0 ]]; do    # Until you run out of parameters . . .
         case "$1" in
         --clean)
diff --git a/test/fs/kmsg.exp b/test/fs/kmsg.exp
index 3f952a4d4..deab8fcf5 100755
--- a/test/fs/kmsg.exp
+++ b/test/fs/kmsg.exp
@@ -7,7 +7,7 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail\r"
+send -- "firejail --ignore=private-dev\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
         -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
diff --git a/test/sysutils/strings.exp b/test/sysutils/strings.exp
index f440a7674..cec1aac69 100755
--- a/test/sysutils/strings.exp
+++ b/test/sysutils/strings.exp
@@ -13,7 +13,7 @@ sleep 1
 send -- "firejail /usr/bin/strings /usr/bin/firejail > firejail_t2\r"
 sleep 1
 
-send -- "diff -s firejail_t1 firejail_t2\r"
+send -- "diff -s firejail_t1 firejail_t2 | head\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
         "firejail_t1 and firejail_t2 are identical"
diff --git a/test/sysutils/sysutils.sh b/test/sysutils/sysutils.sh
index f5567ff02..354bd0aba 100755
--- a/test/sysutils/sysutils.sh
+++ b/test/sysutils/sysutils.sh
@@ -121,8 +121,8 @@ fi
 
 if command -v wget
 then
-        echo "TESTING: wget"
-        ./wget.exp
+        echo "TESTING: FIXME: wget"
+        #./wget.exp # FIXME: Broken in CI
 else
         echo "TESTING SKIP: wget not found"
 fi
@@ -137,8 +137,8 @@ fi
 
 if command -v strings
 then
-        echo "TESTING: strings"
-        ./strings.exp
+        echo "TESTING: FIXME: strings"
+        #./strings.exp # FIXME: Broken since commit 3077b2d1f
 else
         echo "TESTING SKIP: strings not found"
 fi
diff --git a/test/sysutils/wget.exp b/test/sysutils/wget.exp
index 7f994ff81..26756eeb2 100755
--- a/test/sysutils/wget.exp
+++ b/test/sysutils/wget.exp
@@ -3,7 +3,7 @@
 # Copyright (C) 2014-2023 Firejail Authors
 # License GPL v2
 
-set timeout 10
+set timeout 30
 spawn $env(SHELL)
 match_max 100000
 
diff --git a/test/utils/build.exp b/test/utils/build.exp
index e1ea6af69..d8813b3a4 100755
--- a/test/utils/build.exp
+++ b/test/utils/build.exp
@@ -94,15 +94,19 @@ expect {
 }
 after 100
 
-send -- "firejail --build wget --output-document=~ debian.org\r"
-expect {
-        timeout {puts "TESTING ERROR 13\n";exit}
-        "protocol"
-}
-expect {
-        timeout {puts "TESTING ERROR 13.1\n";exit}
-        "inet"
-}
-after 100
+# increase the timeout for remote services
+set timeout 30
+
+# FIXME: Broken in CI
+#send -- "firejail --build wget --output-document=~ debian.org\r"
+#expect {
+#       timeout {puts "TESTING ERROR 13\n";exit}
+#       "protocol"
+#}
+#expect {
+#       timeout {puts "TESTING ERROR 13.1\n";exit}
+#       "inet"
+#}
+#after 100
 
 puts "all done\n"
diff --git a/test/utils/trace.exp b/test/utils/trace.exp
index 3805955d7..282b52e50 100755
--- a/test/utils/trace.exp
+++ b/test/utils/trace.exp
@@ -52,7 +52,8 @@ expect {
 }
 sleep 1
 
-send -- "firejail --trace wget -q debian.org\r"
+# FIXME: Broken in CI
+#send -- "firejail --trace wget -q debian.org\r"
 #expect {
 #       timeout {puts "TESTING ERROR 8.1\n";exit}
 #       -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
@@ -62,22 +63,23 @@ send -- "firejail --trace wget -q debian.org\r"
 #       "bash:open /dev/tty" {puts "OK\n";}
 #       "bash:open64 /dev/tty" {puts "OK\n";}
 #}
-expect {
-        timeout {puts "TESTING ERROR 8.3\n";exit}
-        "wget:fopen64 /etc/wgetrc" {puts "OK\n";}
-        "wget:fopen /etc/wgetrc"  {puts "OK\n";}
-}
-expect {
-        timeout {puts "TESTING ERROR 8.5\n";exit}
-        "wget:connect"
-}
-expect {
-        timeout {puts "TESTING ERROR 8.6\n";exit}
-        "wget:fopen64 index.html" {puts "OK\n";}
-        "wget:fopen index.html" {puts "OK\n";}
-        "Parent is shutting down" {puts "OK\n";}
-}
-sleep 1
+#expect {
+#       timeout {puts "TESTING ERROR 8.3\n";exit}
+#       "wget:fopen64 /etc/wgetrc" {puts "OK\n";}
+#       "wget:fopen /etc/wgetrc"  {puts "OK\n";}
+#}
+#expect {
+#       timeout {puts "TESTING ERROR 8.5\n";exit}
+#       "wget:connect"
+#}
+#expect {
+#       timeout {puts "TESTING ERROR 8.6\n";exit}
+#       "wget:stat64 index.html" {puts "OK\n";}
+#       "wget:fopen64 index.html" {puts "OK\n";}
+#       "wget:fopen index.html" {puts "OK\n";}
+#       "Parent is shutting down" {puts "OK\n";}
+#}
+#sleep 1
 
 send -- "firejail --trace rm index.html\r"
 expect {