53 files changed, 645 insertions, 81 deletions

diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml
index 40ba00db6..29f14788d 100644
--- a/.github/workflows/build-extra.yml
+++ b/.github/workflows/build-extra.yml
@@ -10,6 +10,9 @@ on:
       - RELNOTES
       - SECURITY.md
       - 'etc/**'
+      - 'src/firecfg/firecfg.config'
+      - '.github/ISSUE_TEMPLATE/*'
+      - '.github/pull_request_template.md'
   pull_request:
     branches: [ master ]
     paths-ignore:
@@ -19,6 +22,9 @@ on:
       - RELNOTES
       - SECURITY.md
       - 'etc/**'
+      - 'src/firecfg/firecfg.config'
+      - '.github/ISSUE_TEMPLATE/*'
+      - '.github/pull_request_template.md'
 
 jobs:
   build-clang:
diff --git a/README b/README
index c2736a7b6..eb8a8e374 100644
--- a/README
+++ b/README
@@ -827,7 +827,7 @@ soredake (https://github.com/soredake)
         - fix handling of STEAM_RUNTIME_PREFER_HOST_LIBRARIES in steam profile
         - fix keepassxc.profile
         - fix qtox.profile
-        - add ocaltime to private-etc to make qtox show correct time
+        - add localtime to private-etc to make qtox show correct time
         - fixes for the keepassxc 2.2.5 version
 SkewedZeppelin (https://github.com/SkewedZeppelin)
         - added Bless, Gnome 2048, Gnome Calculator, Gnome Contacts, JD-GUI, Lollypop, MultiMC5 profiles
diff --git a/README.md b/README.md
index c9711226d..4de1c2bc8 100644
--- a/README.md
+++ b/README.md
@@ -333,4 +333,6 @@ Stats:
 vmware-view, display-im6.q16, ipcalc, ipcalc-ng, ebook-convert, ebook-edit, ebook-meta, ebook-polish, lzop,
 avidemux, calligragemini, vmware-player, vmware-workstation, gget, com.github.phase1geo.minder, nextcloud-desktop,
 pcsxr, PPSSPPSDL, openmw, openmw-launcher, jami-gnome, PCSX2, bcompare, b2sum, cksum, md5sum, sha1sum, sha224sum,
-sha256sum, sha384sum, sha512sum, sum, librewold-nightly, Quodlibet, tmux, sway
+sha256sum, sha384sum, sha512sum, sum, librewold-nightly, Quodlibet, tmux, sway, alienarena, alienarena-wrapper,
+ballbuster, ballbuster-wrapper, colorful, colorful-wrapper, gl-117, gl-117-wrapper, glaxium, glaxium-wrapper,
+pinball, pinball-wrapper, etr-wrapper, neverball-wrapper, neverputt-wrapper, supertuxkart-wrapper, firedragon
diff --git a/RELNOTES b/RELNOTES
index 8dda7c01c..fb384a419 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -19,6 +19,10 @@ firejail (0.9.65) baseline; urgency=low
   * PPSSPPSDL, openmw, openmw-launcher, jami-gnome, PCSX2, sum
   * bcompare, b2sum, cksum, md5sum, sha1sum, sha224sum, sha256sum
   * sha384sum, sha512sum, librewold-nightly, Quodlibet, tmux, sway
+  * alienarena, alienarena-wrapper, ballbuster, ballbuster-wrapper,
+  * colorful, colorful-wrapper, gl-117, gl-117-wrapper, glaxium,
+  * glaxium-wrapper, pinball, pinball-wrapper, etr-wrapper, firedragon
+  * neverball-wrapper, neverputt-wrapper, supertuxkart-wrapper
  -- netblue30 <netblue30@yahoo.com>  Tue, 9 Feb 2021 09:00:00 -0500
 
 firejail (0.9.64.4) baseline; urgency=low
diff --git a/contrib/sort.py b/contrib/sort.py
index 9e5062c3c..c7325facb 100755
--- a/contrib/sort.py
+++ b/contrib/sort.py
@@ -35,43 +35,16 @@ def sort_alphabetical(raw_items):
 
 def sort_protocol(protocols):
     """sort the given protocole into this scheme: unix,inet,inet6,netlink,packet,bluetooth"""
+
     # shortcut for common protocol lines
     if protocols in ("unix", "unix,inet,inet6"):
         return protocols
+
     fixed_protocols = ""
-    present_protocols = {
-        "unix": False,
-        "inet": False,
-        "inet6": False,
-        "netlink": False,
-        "packet": False,
-        "bluetooth": False,
-    }
-    for protocol in protocols.split(","):
-        if protocol == "unix":
-            present_protocols["unix"] = True
-        elif protocol == "inet":
-            present_protocols["inet"] = True
-        elif protocol == "inet6":
-            present_protocols["inet6"] = True
-        elif protocol == "netlink":
-            present_protocols["netlink"] = True
-        elif protocol == "packet":
-            present_protocols["packet"] = True
-        elif protocol == "bluetooth":
-            present_protocols["bluetooth"] = True
-    if present_protocols["unix"]:
-        fixed_protocols += "unix,"
-    if present_protocols["inet"]:
-        fixed_protocols += "inet,"
-    if present_protocols["inet6"]:
-        fixed_protocols += "inet6,"
-    if present_protocols["netlink"]:
-        fixed_protocols += "netlink,"
-    if present_protocols["packet"]:
-        fixed_protocols += "packet,"
-    if present_protocols["bluetooth"]:
-        fixed_protocols += "bluetooth,"
+    for protocol in ("unix", "inet", "inet6", "netlink", "packet", "bluetooth"):
+        for prefix in ("", "-", "+", "="):
+            if f",{prefix}{protocol}," in f",{protocols},":
+                fixed_protocols += f"{prefix}{protocol},"
     return fixed_protocols[:-1]
 
 
diff --git a/etc/inc/allow-opengl-game.inc b/etc/inc/allow-opengl-game.inc
new file mode 100644
index 000000000..b5ff1bd50
--- /dev/null
+++ b/etc/inc/allow-opengl-game.inc
@@ -0,0 +1,3 @@
+noblacklist ${PATH}/bash
+whitelist /usr/share/opengl-games-utils/opengl-game-functions.sh
+private-bin basename,bash,cut,glxinfo,grep,head,sed,zenity
diff --git a/etc/inc/disable-passwdmgr.inc b/etc/inc/disable-passwdmgr.inc
index 316378cb8..3ed9a1b14 100644
--- a/etc/inc/disable-passwdmgr.inc
+++ b/etc/inc/disable-passwdmgr.inc
@@ -7,6 +7,7 @@ blacklist ${HOME}/.config/KeePass
 blacklist ${HOME}/.config/keepass
 blacklist ${HOME}/.config/keepassx
 blacklist ${HOME}/.config/keepassxc
+blacklist ${HOME}/.config/KeePassXCrc
 blacklist ${HOME}/.config/Sinew Software Systems
 blacklist ${HOME}/.fpm
 blacklist ${HOME}/.keepass
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 8ccbae5ca..1e1734a9e 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -52,6 +52,7 @@ blacklist ${HOME}/.atom
 blacklist ${HOME}/.attic
 blacklist ${HOME}/.audacity-data
 blacklist ${HOME}/.avidemux6
+blacklist ${HOME}/.ballbuster.hs
 blacklist ${HOME}/.balsa
 blacklist ${HOME}/.bcast5
 blacklist ${HOME}/.bibletime
@@ -137,6 +138,7 @@ blacklist ${HOME}/.config/Rambox
 blacklist ${HOME}/.config/Riot
 blacklist ${HOME}/.config/Rocket.Chat
 blacklist ${HOME}/.config/RogueLegacy
+blacklist ${HOME}/.config/RogueLegacyStorageContainer
 blacklist ${HOME}/.config/Signal
 blacklist ${HOME}/.config/Sinew Software Systems
 blacklist ${HOME}/.config/Slack
@@ -220,6 +222,7 @@ blacklist ${HOME}/.config/d-feet
 blacklist ${HOME}/.config/electron-mail
 blacklist ${HOME}/.config/emaildefaults
 blacklist ${HOME}/.config/emailidentities
+blacklist ${HOME}/.config/emilia
 blacklist ${HOME}/.config/enchant
 blacklist ${HOME}/.config/eog
 blacklist ${HOME}/.config/epiphany
@@ -479,6 +482,7 @@ blacklist ${HOME}/.equalx
 blacklist ${HOME}/.ethereum
 blacklist ${HOME}/.etr
 blacklist ${HOME}/.filezilla
+blacklist ${HOME}/.firedragon
 blacklist ${HOME}/.flowblade
 blacklist ${HOME}/.fltk
 blacklist ${HOME}/.fossamail
@@ -490,6 +494,8 @@ blacklist ${HOME}/.frozen-bubble
 blacklist ${HOME}/.gimp*
 blacklist ${HOME}/.gist
 blacklist ${HOME}/.gitconfig
+blacklist ${HOME}/.gl-117
+blacklist ${HOME}/.glaxiumrc
 blacklist ${HOME}/.gnome/gnome-schedule
 blacklist ${HOME}/.googleearth
 blacklist ${HOME}/.gradle
@@ -607,7 +613,8 @@ blacklist ${HOME}/.local/share/QGIS
 blacklist ${HOME}/.local/share/QMediathekView
 blacklist ${HOME}/.local/share/QuiteRss
 blacklist ${HOME}/.local/share/Ricochet
-blacklist ${HOME}/.local/share/RogueLegacy*
+blacklist ${HOME}/.local/share/RogueLegacy
+blacklist ${HOME}/.local/share/RogueLegacyStorageContainer
 blacklist ${HOME}/.local/share/Shortwave
 blacklist ${HOME}/.local/share/Steam
 blacklist ${HOME}/.local/share/SteamWorldDig
@@ -637,6 +644,7 @@ blacklist ${HOME}/.local/share/cdprojektred
 blacklist ${HOME}/.local/share/clipit
 blacklist ${HOME}/.local/share/com.github.johnfactotum.Foliate
 blacklist ${HOME}/.local/share/contacts
+blacklist ${HOME}/.local/share/cor-games
 blacklist ${HOME}/.local/share/data/Mendeley Ltd.
 blacklist ${HOME}/.local/share/data/Mumble
 blacklist ${HOME}/.local/share/data/MusE
@@ -844,6 +852,7 @@ blacklist ${HOME}/.steampid
 blacklist ${HOME}/.stellarium
 blacklist ${HOME}/.subversion
 blacklist ${HOME}/.surf
+blacklist ${HOME}/.suve/colorful
 blacklist ${HOME}/.swb.ini
 blacklist ${HOME}/.sword
 blacklist ${HOME}/.sylpheed-2.0
@@ -952,6 +961,7 @@ blacklist ${HOME}/.cache/epiphany
 blacklist ${HOME}/.cache/evolution
 blacklist ${HOME}/.cache/falkon
 blacklist ${HOME}/.cache/feedreader
+blacklist ${HOME}/.cache/firedragon
 blacklist ${HOME}/.cache/flaska.net/trojita
 blacklist ${HOME}/.cache/folks
 blacklist ${HOME}/.cache/font-manager
diff --git a/etc/profile-a-l/alienarena-wrapper.profile b/etc/profile-a-l/alienarena-wrapper.profile
new file mode 100644
index 000000000..b31996cd2
--- /dev/null
+++ b/etc/profile-a-l/alienarena-wrapper.profile
@@ -0,0 +1,14 @@
+# Firejail profile for alienarena-wrapper
+# This file is overwritten after every install/update
+# Persistent local customizations
+include alienarena-wrapper.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+include allow-opengl-game.inc
+
+private-bin alienarena-wrapper
+
+# Redirect
+include alienarena.profile
diff --git a/etc/profile-a-l/alienarena.profile b/etc/profile-a-l/alienarena.profile
new file mode 100644
index 000000000..4048b66f8
--- /dev/null
+++ b/etc/profile-a-l/alienarena.profile
@@ -0,0 +1,52 @@
+# Firejail profile for alienarena
+# Description: Multiplayer retro sci-fi deathmatch game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include alienarena.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/cor-games
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.local/share/cor-games
+whitelist ${HOME}/.local/share/cor-games
+whitelist /usr/share/alienarena
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin alienarena
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,drirc,fonts,glvnd,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,nsswitch.conf,nvidia,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/audio-recorder.profile b/etc/profile-a-l/audio-recorder.profile
index b2ed3b030..2c7fdc812 100644
--- a/etc/profile-a-l/audio-recorder.profile
+++ b/etc/profile-a-l/audio-recorder.profile
@@ -20,6 +20,7 @@ include disable-xdg.inc
 whitelist ${MUSIC}
 whitelist ${DOWNLOADS}
 whitelist /usr/share/audio-recorder
+whitelist /usr/share/gstreamer-1.0
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -44,7 +45,11 @@ tracelog
 disable-mnt
 # private-bin audio-recorder
 private-cache
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload
 private-tmp
 
+dbus-user filter
+dbus-user.talk ca.desrt.dconf
+dbus-system none
+
 # memory-deny-write-execute - breaks on Arch
diff --git a/etc/profile-a-l/ballbuster-wrapper.profile b/etc/profile-a-l/ballbuster-wrapper.profile
new file mode 100644
index 000000000..419dcaab5
--- /dev/null
+++ b/etc/profile-a-l/ballbuster-wrapper.profile
@@ -0,0 +1,14 @@
+# Firejail profile for ballbuster-wrapper
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ballbuster-wrapper.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+include allow-opengl-game.inc
+
+private-bin ballbuster-wrapper
+
+# Redirect
+include ballbuster.profile
diff --git a/etc/profile-a-l/ballbuster.profile b/etc/profile-a-l/ballbuster.profile
new file mode 100644
index 000000000..1c137e6ae
--- /dev/null
+++ b/etc/profile-a-l/ballbuster.profile
@@ -0,0 +1,52 @@
+# Firejail profile for ballbuster
+# Description: Move the paddle to bounce the ball and break all the bricks
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ballbuster.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.ballbuster.hs
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkfile ${HOME}/.ballbuster.hs
+whitelist ${HOME}/.ballbuster.hs
+whitelist /usr/share/ballbuster
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin ballbuster
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,pulse
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/chromium-common.profile b/etc/profile-a-l/chromium-common.profile
index e9bef8df7..134f4665c 100644
--- a/etc/profile-a-l/chromium-common.profile
+++ b/etc/profile-a-l/chromium-common.profile
@@ -12,6 +12,10 @@ include chromium-common.local
 noblacklist ${HOME}/.pki
 noblacklist ${HOME}/.local/share/pki
 
+# Add the next line to your chromium-common.local if you want Google Chrome/Chromium browser
+# to have access to Gnome extensions (extensions.gnome.org) via browser connector
+#include allow-python3.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/profile-a-l/colorful-wrapper.profile b/etc/profile-a-l/colorful-wrapper.profile
new file mode 100644
index 000000000..4b762047d
--- /dev/null
+++ b/etc/profile-a-l/colorful-wrapper.profile
@@ -0,0 +1,14 @@
+# Firejail profile for colorful-wrapper
+# This file is overwritten after every install/update
+# Persistent local customizations
+include colorful-wrapper.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+include allow-opengl-game.inc
+
+private-bin colorful-wrapper
+
+# Redirect
+include colorful.profile
diff --git a/etc/profile-a-l/colorful.profile b/etc/profile-a-l/colorful.profile
new file mode 100644
index 000000000..4b8a5e477
--- /dev/null
+++ b/etc/profile-a-l/colorful.profile
@@ -0,0 +1,52 @@
+# Firejail profile for colorful
+# Description: simple 2D sideview shooter
+# This file is overwritten after every install/update
+# Persistent local customizations
+include colorful.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.suve/colorful
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.suve/colorful
+whitelist ${HOME}/.suve/colorful
+whitelist /usr/share/suve
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin colorful
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,pulse
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/digikam.profile b/etc/profile-a-l/digikam.profile
index ae4a63c62..2ca7bd400 100644
--- a/etc/profile-a-l/digikam.profile
+++ b/etc/profile-a-l/digikam.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/digikam
 noblacklist ${HOME}/.config/digikamrc
 noblacklist ${HOME}/.kde/share/apps/digikam
 noblacklist ${HOME}/.kde4/share/apps/digikam
+noblacklist ${HOME}/.local/share/kxmlgui5/digikam
 noblacklist ${PICTURES}
 
 include disable-common.inc
diff --git a/etc/profile-a-l/discord-common.profile b/etc/profile-a-l/discord-common.profile
index b583f1a1d..b83e626d9 100644
--- a/etc/profile-a-l/discord-common.profile
+++ b/etc/profile-a-l/discord-common.profile
@@ -18,6 +18,7 @@ ignore dbus-user none
 ignore dbus-system none
 
 ignore noexec ${HOME}
+ignore novideo
 
 whitelist ${HOME}/.config/BetterDiscord
 whitelist ${HOME}/.local/share/betterdiscordctl
diff --git a/etc/profile-a-l/etr-wrapper.profile b/etc/profile-a-l/etr-wrapper.profile
new file mode 100644
index 000000000..98f949918
--- /dev/null
+++ b/etc/profile-a-l/etr-wrapper.profile
@@ -0,0 +1,14 @@
+# Firejail profile for etr-wrapper
+# This file is overwritten after every install/update
+# Persistent local customizations
+include etr-wrapper.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+include allow-opengl-game.inc
+
+private-bin etr-wrapper
+
+# Redirect
+include etr.profile
diff --git a/etc/profile-a-l/etr.profile b/etc/profile-a-l/etr.profile
index f55d23778..6d31f3042 100644
--- a/etc/profile-a-l/etr.profile
+++ b/etc/profile-a-l/etr.profile
@@ -37,6 +37,7 @@ nou2f
 novideo
 protocol unix,netlink
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/file-roller.profile b/etc/profile-a-l/file-roller.profile
index e61c3d1ff..50d2b923b 100644
--- a/etc/profile-a-l/file-roller.profile
+++ b/etc/profile-a-l/file-roller.profile
@@ -38,7 +38,7 @@ seccomp.block-secondary
 shell none
 tracelog
 
-private-bin 7z,7za,7zr,ar,arj,bash,brotli,bzip2,compress,cp,cpio,dpkg-deb,file-roller,gtar,gzip,isoinfo,lha,lrzip,lsar,lz4,lzip,lzma,lzop,mv,p7zip,rar,rm,rzip,sh,tar,unace,unalz,unar,uncompress,unrar,unsquashfs,unstuff,unzip,xz,zip,zoo,zstd
+private-bin 7z,7za,7zr,ar,arj,atool,bash,brotli,bsdtar,bzip2,compress,cp,cpio,dpkg-deb,file-roller,gtar,gzip,isoinfo,lha,lrzip,lsar,lz4,lzip,lzma,lzop,mv,p7zip,rar,rm,rzip,sh,tar,unace,unalz,unar,uncompress,unrar,unsquashfs,unstuff,unzip,unzstd,xz,xzdec,zip,zoo,zstd
 private-cache
 private-dev
 private-etc dconf,fonts,gtk-3.0,xdg
diff --git a/etc/profile-a-l/firedragon.profile b/etc/profile-a-l/firedragon.profile
new file mode 100644
index 000000000..77487161e
--- /dev/null
+++ b/etc/profile-a-l/firedragon.profile
@@ -0,0 +1,26 @@
+# Firejail profile for FireDragon
+# Description: Librewolf fork with enhanced KDE integration
+# This file is overwritten after every install/update
+# Persistent local customizations
+include firedragon.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/firedragon
+noblacklist ${HOME}/.firedragon
+
+mkdir ${HOME}/.cache/firedragon
+mkdir ${HOME}/.firedragon
+whitelist ${HOME}/.cache/firedragon
+whitelist ${HOME}/.firedragon
+
+# Add the next lines to your firedragon.local if you want to use the migration wizard.
+#noblacklist ${HOME}/.mozilla
+#whitelist ${HOME}/.mozilla
+
+# FireDragon requires a shell to launch on Arch. We can possibly remove sh though.
+# Add the next line to your firedragon.local to enable private-bin.
+#private-bin bash,dbus-launch,dbus-send,env,firedragon,python*,sh,which
+
+# Redirect
+include firefox-common.profile
diff --git a/etc/profile-a-l/firefox-common-addons.profile b/etc/profile-a-l/firefox-common-addons.profile
index 4da087f7f..d282f9a60 100644
--- a/etc/profile-a-l/firefox-common-addons.profile
+++ b/etc/profile-a-l/firefox-common-addons.profile
@@ -73,8 +73,9 @@ whitelist /usr/share/vulkan
 # GNOME Shell integration (chrome-gnome-shell) needs dbus and python
 noblacklist ${HOME}/.local/share/gnome-shell
 whitelist ${HOME}/.local/share/gnome-shell
-ignore dbus-user none
-ignore dbus-system none
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.gnome.ChromeGnomeShell
+dbus-user.talk org.gnome.Shell
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python3.inc
 
diff --git a/etc/profile-a-l/firefox.profile b/etc/profile-a-l/firefox.profile
index cefba93d4..b22a78458 100644
--- a/etc/profile-a-l/firefox.profile
+++ b/etc/profile-a-l/firefox.profile
@@ -6,6 +6,14 @@ include firefox.local
 # Persistent global definitions
 include globals.local
 
+# NOTE: sandboxing web browsers is as important as it is complex. Users might be
+# interested in creating custom profiles depending on use case (e.g. one for
+# general browsing, another for banking, ...). Consult our FAQ/issue tracker for more
+# info. Here are a few links to get you going.
+# https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions#firefox-doesnt-open-in-a-new-sandbox-instead-it-opens-a-new-tab-in-an-existing-firefox-instance
+# https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions#how-do-i-run-two-instances-of-firefox
+# https://github.com/netblue30/firejail/issues/4206#issuecomment-824806968
+
 noblacklist ${HOME}/.cache/mozilla
 noblacklist ${HOME}/.mozilla
 
diff --git a/etc/profile-a-l/gl-117-wrapper.profile b/etc/profile-a-l/gl-117-wrapper.profile
new file mode 100644
index 000000000..d783940f3
--- /dev/null
+++ b/etc/profile-a-l/gl-117-wrapper.profile
@@ -0,0 +1,14 @@
+# Firejail profile for gl-117-wrapper
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gl-117-wrapper.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+include allow-opengl-game.inc
+
+private-bin gl-117-wrapper
+
+# Redirect
+include gl-117.profile
diff --git a/etc/profile-a-l/gl-117.profile b/etc/profile-a-l/gl-117.profile
new file mode 100644
index 000000000..87194843a
--- /dev/null
+++ b/etc/profile-a-l/gl-117.profile
@@ -0,0 +1,52 @@
+# Firejail profile for gl-117
+# Description: Action flight simulator
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gl-117.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.gl-117
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.gl-117
+whitelist ${HOME}/.gl-117
+whitelist /usr/share/gl-117
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin gl-117
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,bumblebee,drirc,glvnd,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nvidia,pulse
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/glaxium-wrapper.profile b/etc/profile-a-l/glaxium-wrapper.profile
new file mode 100644
index 000000000..7dc2cf65e
--- /dev/null
+++ b/etc/profile-a-l/glaxium-wrapper.profile
@@ -0,0 +1,14 @@
+# Firejail profile for glaxium-wrapper
+# This file is overwritten after every install/update
+# Persistent local customizations
+include glaxium-wrapper.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+include allow-opengl-game.inc
+
+private-bin glaxium-wrapper
+
+# Redirect
+include glaxium.profile
diff --git a/etc/profile-a-l/glaxium.profile b/etc/profile-a-l/glaxium.profile
new file mode 100644
index 000000000..ea5211e9e
--- /dev/null
+++ b/etc/profile-a-l/glaxium.profile
@@ -0,0 +1,52 @@
+# Firejail profile for glaxium
+# Description: 3d spaceship shoot-em-up
+# This file is overwritten after every install/update
+# Persistent local customizations
+include glaxium.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.glaxiumrc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkfile ${HOME}/.glaxiumrc
+whitelist ${HOME}/.glaxiumrc
+whitelist /usr/share/glaxium
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin glaxium
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,bumblebee,drirc,glvnd,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nvidia,pulse
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/kcalc.profile b/etc/profile-a-l/kcalc.profile
index fa82e76f3..c1414472b 100644
--- a/etc/profile-a-l/kcalc.profile
+++ b/etc/profile-a-l/kcalc.profile
@@ -15,6 +15,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
+include disable-xdg.inc
 
 mkdir ${HOME}/.local/share/kxmlgui5/kcalc
 mkfile ${HOME}/.config/kcalcrc
@@ -24,7 +25,12 @@ whitelist ${HOME}/.config/kcalcrc
 whitelist ${HOME}/.kde/share/config/kcalcrc
 whitelist ${HOME}/.kde4/share/config/kcalcrc
 whitelist ${HOME}/.local/share/kxmlgui5/kcalc
+whitelist /usr/share/config.kcfg/kcalc.kcfg
+whitelist /usr/share/kcalc
+whitelist /usr/share/kconf_update/kcalcrc.upd
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 apparmor
@@ -41,13 +47,19 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
+tracelog
 
 disable-mnt
 private-bin kcalc
+private-cache
 private-dev
+private-etc alternatives,fonts,ld.so.cache,locale,locale.conf
 # private-lib - problems on Arch
 private-tmp
 
 dbus-user none
 dbus-system none
+
+#memory-deny-write-execute
diff --git a/etc/profile-a-l/keepassxc.profile b/etc/profile-a-l/keepassxc.profile
index 11c279911..3c7737063 100644
--- a/etc/profile-a-l/keepassxc.profile
+++ b/etc/profile-a-l/keepassxc.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/*.kdb
 noblacklist ${HOME}/*.kdbx
 noblacklist ${HOME}/.cache/keepassxc
 noblacklist ${HOME}/.config/keepassxc
+noblacklist ${HOME}/.config/KeePassXCrc
 noblacklist ${HOME}/.keepassxc
 noblacklist ${DOCUMENTS}
 
@@ -51,6 +52,7 @@ include disable-xdg.inc
 #mkdir ${HOME}/.config/keepassxc
 #whitelist ${HOME}/.cache/keepassxc
 #whitelist ${HOME}/.config/keepassxc
+#whitelist ${HOME}/.config/KeePassXCrc
 #include whitelist-common.inc
 
 whitelist /usr/share/keepassxc
diff --git a/etc/profile-m-z/mrrescue.profile b/etc/profile-m-z/mrrescue.profile
index f02a4f357..5b2164bae 100644
--- a/etc/profile-m-z/mrrescue.profile
+++ b/etc/profile-m-z/mrrescue.profile
@@ -8,18 +8,23 @@ include globals.local
 
 noblacklist ${HOME}/.local/share/love
 
+include allow-bin-sh.inc
+include allow-lua.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.local/share/love
 whitelist ${HOME}/.local/share/love
 whitelist /usr/share/mrrescue
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
@@ -35,6 +40,7 @@ nou2f
 novideo
 protocol unix,netlink
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-m-z/neverball-wrapper.profile b/etc/profile-m-z/neverball-wrapper.profile
new file mode 100644
index 000000000..534e41dd1
--- /dev/null
+++ b/etc/profile-m-z/neverball-wrapper.profile
@@ -0,0 +1,14 @@
+# Firejail profile for neverball-wrapper
+# This file is overwritten after every install/update
+# Persistent local customizations
+include neverball-wrapper.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+include allow-opengl-game.inc
+
+private-bin neverball-wrapper
+
+# Redirect
+include neverball.profile
diff --git a/etc/profile-m-z/neverball.profile b/etc/profile-m-z/neverball.profile
index 84c634549..2695f2f90 100644
--- a/etc/profile-m-z/neverball.profile
+++ b/etc/profile-m-z/neverball.profile
@@ -14,13 +14,19 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
 
 mkdir ${HOME}/.neverball
 whitelist ${HOME}/.neverball
+whitelist /usr/share/neverball
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
-netfilter
+net none
 nodvd
 nogroups
 nonewprivs
@@ -28,12 +34,18 @@ noroot
 notv
 nou2f
 novideo
-protocol unix,netlink
+protocol unix
 seccomp
+seccomp.block-secondary
 shell none
+tracelog
 
 disable-mnt
 private-bin neverball
+private-cache
 private-dev
+private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,machine-id
 private-tmp
 
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/neverputt-wrapper.profile b/etc/profile-m-z/neverputt-wrapper.profile
new file mode 100644
index 000000000..dacd113cc
--- /dev/null
+++ b/etc/profile-m-z/neverputt-wrapper.profile
@@ -0,0 +1,14 @@
+# Firejail profile for neverputt-wrapper
+# This file is overwritten after every install/update
+# Persistent local customizations
+include neverputt-wrapper.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+include allow-opengl-game.inc
+
+private-bin neverputt-wrapper
+
+# Redirect
+include neverputt.profile
diff --git a/etc/profile-m-z/okular.profile b/etc/profile-m-z/okular.profile
index e21ac997a..3f75d4f09 100644
--- a/etc/profile-m-z/okular.profile
+++ b/etc/profile-m-z/okular.profile
@@ -28,10 +28,16 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-whitelist /usr/share/config.kcfg
+whitelist /usr/share/config.kcfg/gssettings.kcfg
+whitelist /usr/share/config.kcfg/pdfsettings.kcfg
+whitelist /usr/share/config.kcfg/okular.kcfg
+whitelist /usr/share/config.kcfg/okular_core.kcfg
+whitelist /usr/share/ghostscript
+whitelist /usr/share/kconf_update/okular.upd
 whitelist /usr/share/kxmlgui5/okular
 whitelist /usr/share/okular
 whitelist /usr/share/poppler
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/pinball-wrapper.profile b/etc/profile-m-z/pinball-wrapper.profile
new file mode 100644
index 000000000..2b5ed6e27
--- /dev/null
+++ b/etc/profile-m-z/pinball-wrapper.profile
@@ -0,0 +1,14 @@
+# Firejail profile for pinball-wrapper
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pinball-wrapper.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+include allow-opengl-game.inc
+
+private-bin pinball-wrapper
+
+# Redirect
+include pinball.profile
diff --git a/etc/profile-m-z/pinball.profile b/etc/profile-m-z/pinball.profile
new file mode 100644
index 000000000..feeed8184
--- /dev/null
+++ b/etc/profile-m-z/pinball.profile
@@ -0,0 +1,52 @@
+# Firejail profile for pinball
+# Description: Emilia 3D Pinball Game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pinball.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/emilia
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/emilia
+whitelist ${HOME}/.config/emilia
+whitelist /usr/share/pinball
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin pinball
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,machine-id,pulse
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/pingus.profile b/etc/profile-m-z/pingus.profile
index ebfd236aa..e3b20e59f 100644
--- a/etc/profile-m-z/pingus.profile
+++ b/etc/profile-m-z/pingus.profile
@@ -8,12 +8,15 @@ include globals.local
 
 noblacklist ${HOME}/.pingus
 
+include allow-bin-sh.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.pingus
@@ -36,6 +39,7 @@ nou2f
 novideo
 protocol unix,netlink
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-m-z/regextester.profile b/etc/profile-m-z/regextester.profile
index 6fb0d4b5f..bab2badb5 100644
--- a/etc/profile-m-z/regextester.profile
+++ b/etc/profile-m-z/regextester.profile
@@ -16,9 +16,8 @@ include disable-shell.inc
 include disable-xdg.inc
 
 whitelist /usr/share/com.github.artemanufrij.regextester
-include whitelist-usr-share-common.inc
-
 include whitelist-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 apparmor
@@ -48,11 +47,9 @@ private-etc alternatives,fonts
 private-lib libgranite.so.*
 private-tmp
 
-# makes settings immutable
-# dbus-user none
-# dbus-system none
-
-memory-deny-write-execute
+dbus-user filter
+dbus-user.talk ca.desrt.dconf
+dbus-system none
 
 # never write anything
 read-only ${HOME}
diff --git a/etc/profile-m-z/scorched3d-wrapper.profile b/etc/profile-m-z/scorched3d-wrapper.profile
index 507d0827e..e76caec1d 100644
--- a/etc/profile-m-z/scorched3d-wrapper.profile
+++ b/etc/profile-m-z/scorched3d-wrapper.profile
@@ -1,10 +1,11 @@
-# Firejail profile for scorched3d
+# Firejail profile for scorched3d-wrapper
 # This file is overwritten after every install/update
 # Persistent local customizations
 include scorched3d-wrapper.local
 
-whitelist /usr/share/opengl-games-utils
-private-bin basename,bash,cut,glxinfo,grep,head,sed,zenity
+include allow-opengl-game.inc
+
+private-bin scorched3d-wrapper
 
 # Redirect
 include scorched3d.profile
diff --git a/etc/profile-m-z/scorched3d.profile b/etc/profile-m-z/scorched3d.profile
index 6a1003c33..1808018d1 100644
--- a/etc/profile-m-z/scorched3d.profile
+++ b/etc/profile-m-z/scorched3d.profile
@@ -40,7 +40,7 @@ shell none
 tracelog
 
 disable-mnt
-private-bin scorched3d,scorched3d-wrapper,scorched3dc,scorched3ds
+private-bin scorched3d,scorched3dc,scorched3ds
 private-cache
 private-dev
 private-tmp
diff --git a/etc/profile-m-z/spectacle.profile b/etc/profile-m-z/spectacle.profile
index cedff0b83..f99246ad6 100644
--- a/etc/profile-m-z/spectacle.profile
+++ b/etc/profile-m-z/spectacle.profile
@@ -26,6 +26,8 @@ include disable-xdg.inc
 mkfile  ${HOME}/.config/spectaclerc
 whitelist ${HOME}/.config/spectaclerc
 whitelist ${PICTURES}
+whitelist /usr/share/kconf_update/spectacle_newConfig.upd
+whitelist /usr/share/kconf_update/spectacle_shortcuts.upd
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/steam.profile b/etc/profile-m-z/steam.profile
index 0bcbe6da2..922823f98 100644
--- a/etc/profile-m-z/steam.profile
+++ b/etc/profile-m-z/steam.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/Epic
 noblacklist ${HOME}/.config/Loop_Hero
 noblacklist ${HOME}/.config/ModTheSpire
 noblacklist ${HOME}/.config/RogueLegacy
+noblacklist ${HOME}/.config/RogueLegacyStorageContainer
 noblacklist ${HOME}/.killingfloor
 noblacklist ${HOME}/.klei
 noblacklist ${HOME}/.local/share/3909/PapersPlease
@@ -22,7 +23,8 @@ noblacklist ${HOME}/.local/share/feral-interactive
 noblacklist ${HOME}/.local/share/IntoTheBreach
 noblacklist ${HOME}/.local/share/Paradox Interactive
 noblacklist ${HOME}/.local/share/PillarsOfEternity
-noblacklist ${HOME}/.local/share/RogueLegacy*
+noblacklist ${HOME}/.local/share/RogueLegacy
+noblacklist ${HOME}/.local/share/RogueLegacyStorageContainer
 noblacklist ${HOME}/.local/share/Steam
 noblacklist ${HOME}/.local/share/SteamWorldDig
 noblacklist ${HOME}/.local/share/SteamWorld Dig 2
@@ -69,7 +71,7 @@ mkdir ${HOME}/.local/share/feral-interactive
 mkdir ${HOME}/.local/share/IntoTheBreach
 mkdir ${HOME}/.local/share/Paradox Interactive
 mkdir ${HOME}/.local/share/PillarsOfEternity
-mkdir ${HOME}/.local/share/RogueLegacy*
+mkdir ${HOME}/.local/share/RogueLegacy
 mkdir ${HOME}/.local/share/Steam
 mkdir ${HOME}/.local/share/SteamWorldDig
 mkdir ${HOME}/.local/share/SteamWorld Dig 2
@@ -86,6 +88,7 @@ whitelist ${HOME}/.config/Epic
 whitelist ${HOME}/.config/Loop_Hero
 whitelist ${HOME}/.config/ModTheSpire
 whitelist ${HOME}/.config/RogueLegacy
+whitelist ${HOME}/.config/RogueLegacyStorageContainer
 whitelist ${HOME}/.config/unity3d
 whitelist ${HOME}/.killingfloor
 whitelist ${HOME}/.klei
@@ -99,7 +102,8 @@ whitelist ${HOME}/.local/share/feral-interactive
 whitelist ${HOME}/.local/share/IntoTheBreach
 whitelist ${HOME}/.local/share/Paradox Interactive
 whitelist ${HOME}/.local/share/PillarsOfEternity
-whitelist ${HOME}/.local/share/RogueLegacy*
+whitelist ${HOME}/.local/share/RogueLegacy
+whitelist ${HOME}/.local/share/RogueLegacyStorageContainer
 whitelist ${HOME}/.local/share/Steam
 whitelist ${HOME}/.local/share/SteamWorldDig
 whitelist ${HOME}/.local/share/SteamWorld Dig 2
@@ -115,6 +119,14 @@ whitelist ${HOME}/.steampid
 include whitelist-common.inc
 include whitelist-var-common.inc
 
+# Note: The following were intentionally left out as they are alternative
+# (i.e.: unnecessary and/or legacy) paths whose existence may potentially
+# clobber other paths (see #4225).  If you use any, either add the entry to
+# steam.local or move the contents to a path listed above (or open an issue if
+# it's missing above).
+#mkdir ${HOME}/.config/RogueLegacyStorageContainer
+#mkdir ${HOME}/.local/share/RogueLegacyStorageContainer
+
 caps.drop all
 #ipc-namespace
 netfilter
diff --git a/etc/profile-m-z/supertux2.profile b/etc/profile-m-z/supertux2.profile
index 9cc023765..d31f25c0d 100644
--- a/etc/profile-m-z/supertux2.profile
+++ b/etc/profile-m-z/supertux2.profile
@@ -14,6 +14,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.local/share/supertux2
@@ -42,6 +43,8 @@ tracelog
 
 disable-mnt
 # private-bin supertux2
+private-cache
+private-etc machine-id
 private-dev
 private-tmp
 
diff --git a/etc/profile-m-z/supertuxkart-wrapper.profile b/etc/profile-m-z/supertuxkart-wrapper.profile
new file mode 100644
index 000000000..af8d73deb
--- /dev/null
+++ b/etc/profile-m-z/supertuxkart-wrapper.profile
@@ -0,0 +1,14 @@
+# Firejail profile for supertuxkart-wrapper
+# This file is overwritten after every install/update
+# Persistent local customizations
+include supertuxkart-wrapper.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+include allow-opengl-game.inc
+
+private-bin supertuxkart-wrapper
+
+# Redirect
+include supertuxkart.profile
diff --git a/etc/profile-m-z/virtualbox.profile b/etc/profile-m-z/virtualbox.profile
index 64d787bfb..c22fb0ff9 100644
--- a/etc/profile-m-z/virtualbox.profile
+++ b/etc/profile-m-z/virtualbox.profile
@@ -44,7 +44,7 @@ shell none
 tracelog
 
 #disable-mnt
-#private-bin basename,bash,env,gawk,grep,ps,readlink,sh,virtualbox,VirtualBox,VBox*,vbox*,whoami
+#private-bin awk,basename,bash,env,gawk,grep,ps,readlink,sh,virtualbox,VirtualBox,VBox*,vbox*,whoami
 private-cache
 private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,hostname,hosts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl
 private-tmp
diff --git a/etc/profile-m-z/xfce4-mixer.profile b/etc/profile-m-z/xfce4-mixer.profile
index 78cb2862c..d9d1cd393 100644
--- a/etc/profile-m-z/xfce4-mixer.profile
+++ b/etc/profile-m-z/xfce4-mixer.profile
@@ -19,7 +19,7 @@ include disable-xdg.inc
 
 mkfile ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml
 whitelist ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml
-whitelist /usr/share/gstreamer
+whitelist /usr/share/gstreamer-*
 whitelist /usr/share/xfce4
 whitelist /usr/share/xfce4-mixer
 include whitelist-common.inc
diff --git a/etc/profile-m-z/xonotic.profile b/etc/profile-m-z/xonotic.profile
index aa8cc7d0e..df6c34fbb 100644
--- a/etc/profile-m-z/xonotic.profile
+++ b/etc/profile-m-z/xonotic.profile
@@ -8,12 +8,16 @@ include globals.local
 
 noblacklist ${HOME}/.xonotic
 
+include allow-bin-sh.inc
+include allow-opengl-game.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.xonotic
@@ -41,7 +45,7 @@ tracelog
 
 disable-mnt
 private-cache
-private-bin basename,bash,blind-id,cut,darkplaces-glx,darkplaces-sdl,dirname,glxinfo,grep,head,ldd,netstat,ps,readlink,sed,sh,uname,xonotic,xonotic-glx,xonotic-linux32-dedicated,xonotic-linux32-glx,xonotic-linux32-sdl,xonotic-linux64-dedicated,xonotic-linux64-glx,xonotic-linux64-sdl,xonotic-sdl,xonotic-sdl-wrapper,zenity
+private-bin blind-id,darkplaces-glx,darkplaces-sdl,dirname,ldd,netstat,ps,readlink,sh,uname,xonotic*
 private-dev
 private-etc alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl
 private-tmp
diff --git a/src/fbuilder/build_bin.c b/src/fbuilder/build_bin.c
index 96bd351f3..431aebee6 100644
--- a/src/fbuilder/build_bin.c
+++ b/src/fbuilder/build_bin.c
@@ -121,6 +121,6 @@ void build_bin(const char *fname, FILE *fp) {
                         ptr = ptr->next;
                 }
                 fprintf(fp, "\n");
-                fprintf(fp, "# private-lib\n");
+                fprintf(fp, "#private-lib\n");
         }
 }
diff --git a/src/fbuilder/build_fs.c b/src/fbuilder/build_fs.c
index 495f71ab8..ac0cd455a 100644
--- a/src/fbuilder/build_fs.c
+++ b/src/fbuilder/build_fs.c
@@ -220,6 +220,10 @@ static void tmp_callback(char *ptr) {
         // skip strace file
         if (strncmp(ptr, "/tmp/firejail-strace", 20) == 0)
                 return;
+        if (strncmp(ptr, "/tmp/runtime-", 13) == 0)
+                return;
+        if (strcmp(ptr, "/tmp") == 0)
+                return;
 
         tmp_out = filedb_add(tmp_out, ptr);
 }
@@ -232,8 +236,7 @@ void build_tmp(const char *fname, FILE *fp) {
         if (tmp_out == NULL)
                 fprintf(fp, "private-tmp\n");
         else {
-                fprintf(fp, "\n");
-                fprintf(fp, "# private-tmp\n");
+                fprintf(fp, "#private-tmp\n");
                 fprintf(fp, "# File accessed in /tmp directory:\n");
                 fprintf(fp, "# ");
                 FileDB *ptr = tmp_out;
@@ -310,9 +313,8 @@ void build_dev(const char *fname, FILE *fp) {
         if (dev_out == NULL)
                 fprintf(fp, "private-dev\n");
         else {
-                fprintf(fp, "\n");
-                fprintf(fp, "# private-dev\n");
-                fprintf(fp, "# This is the list of devices accessed (on top of regular private-dev devices:\n");
+                fprintf(fp, "#private-dev\n");
+                fprintf(fp, "# This is the list of devices accessed on top of regular private-dev devices:\n");
                 fprintf(fp, "# ");
                 FileDB *ptr = dev_out;
                 while (ptr) {
diff --git a/src/fbuilder/build_home.c b/src/fbuilder/build_home.c
index 683009b71..d7706282a 100644
--- a/src/fbuilder/build_home.c
+++ b/src/fbuilder/build_home.c
@@ -141,7 +141,7 @@ void process_home(const char *fname, char *home, int home_len) {
                 }
 
                 // skip files and directories in whitelist-common.inc
-                if (filedb_find(db_skip, toadd)) {
+                if (strlen(toadd) == 0 || filedb_find(db_skip, toadd)) {
                         if (dir)
                                 free(dir);
                         continue;
diff --git a/src/fbuilder/build_profile.c b/src/fbuilder/build_profile.c
index 96a83954d..0c1b57384 100644
--- a/src/fbuilder/build_profile.c
+++ b/src/fbuilder/build_profile.c
@@ -150,12 +150,12 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
 
                 fprintf(fp, "### basic blacklisting\n");
                 fprintf(fp, "include disable-common.inc\n");
-                fprintf(fp, "# include disable-devel.inc\n");
-                fprintf(fp, "# include disable-exec.inc\n");
-                fprintf(fp, "# include disable-interpreters.inc\n");
+                fprintf(fp, "#include disable-devel.inc\n");
+                fprintf(fp, "#include disable-exec.inc\n");
+                fprintf(fp, "#include disable-interpreters.inc\n");
                 fprintf(fp, "include disable-passwdmgr.inc\n");
-                fprintf(fp, "# include disable-programs.inc\n");
-                fprintf(fp, "# include disable-xdg.inc\n");
+                fprintf(fp, "#include disable-programs.inc\n");
+                fprintf(fp, "#include disable-xdg.inc\n");
                 fprintf(fp, "\n");
 
                 fprintf(fp, "### home directory whitelisting\n");
@@ -163,18 +163,17 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
                 fprintf(fp, "\n");
 
                 fprintf(fp, "### filesystem\n");
-                fprintf(fp, "# /usr/share:\n");
+                fprintf(fp, "### /usr/share:\n");
                 build_share(trace_output, fp);
-                fprintf(fp, "# /var:\n");
+                fprintf(fp, "### /var:\n");
                 build_var(trace_output, fp);
-                fprintf(fp, "\n");
-                fprintf(fp, "# $PATH:\n");
+                fprintf(fp, "### /bin:\n");
                 build_bin(trace_output, fp);
-                fprintf(fp, "# /dev:\n");
+                fprintf(fp, "### /dev:\n");
                 build_dev(trace_output, fp);
-                fprintf(fp, "# /etc:\n");
+                fprintf(fp, "### /etc:\n");
                 build_etc(trace_output, fp);
-                fprintf(fp, "# /tmp:\n");
+                fprintf(fp, "### /tmp:\n");
                 build_tmp(trace_output, fp);
                 fprintf(fp, "\n");
 
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index be50d5f44..35954cfb8 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -74,6 +74,7 @@ autokey-run
 autokey-shell
 avidemux3_qt5
 aweather
+ballbuster
 baloo_file
 baloo_filemetadata_temp_extractor
 balsa
@@ -147,6 +148,7 @@ cmus
 code
 code-oss
 cola
+colorful
 com.github.bleakgrey.tootle
 com.github.dahenson.agenda
 com.github.johnfactotum.Foliate
@@ -236,6 +238,7 @@ ffplay
 ffprobe
 file-roller
 filezilla
+firedragon
 firefox
 firefox-beta
 firefox-developer-edition
@@ -293,6 +296,8 @@ git-cola
 github-desktop
 gitter
 # gjs -- https://github.com/netblue30/firejail/issues/3333#issuecomment-612601102
+gl-117
+glaxium
 globaltime
 gmpc
 gnome-2048
@@ -615,6 +620,7 @@ penguin-command
 photoflare
 picard
 pidgin
+pinball
 #ping - disabled until we fix  #1912
 pingus
 pinta
@@ -673,7 +679,6 @@ runenpass.sh
 sayonara
 scallion
 scorched3d
-scorched3d-wrapper
 scorchwentbonkers
 scribus
 sdat2img
@@ -867,7 +872,6 @@ xmr-stak
 xonotic
 xonotic-glx
 xonotic-sdl
-xonotic-sdl-wrapper
 xournal
 xournalpp
 xpdf