32 files changed, 138 insertions, 147 deletions

diff --git a/README b/README
index c2736a7b6..eb8a8e374 100644
--- a/README
+++ b/README
@@ -827,7 +827,7 @@ soredake (https://github.com/soredake)
         - fix handling of STEAM_RUNTIME_PREFER_HOST_LIBRARIES in steam profile
         - fix keepassxc.profile
         - fix qtox.profile
-        - add ocaltime to private-etc to make qtox show correct time
+        - add localtime to private-etc to make qtox show correct time
         - fixes for the keepassxc 2.2.5 version
 SkewedZeppelin (https://github.com/SkewedZeppelin)
         - added Bless, Gnome 2048, Gnome Calculator, Gnome Contacts, JD-GUI, Lollypop, MultiMC5 profiles
diff --git a/contrib/sort.py b/contrib/sort.py
index 9e5062c3c..c7325facb 100755
--- a/contrib/sort.py
+++ b/contrib/sort.py
@@ -35,43 +35,16 @@ def sort_alphabetical(raw_items):
 
 def sort_protocol(protocols):
     """sort the given protocole into this scheme: unix,inet,inet6,netlink,packet,bluetooth"""
+
     # shortcut for common protocol lines
     if protocols in ("unix", "unix,inet,inet6"):
         return protocols
+
     fixed_protocols = ""
-    present_protocols = {
-        "unix": False,
-        "inet": False,
-        "inet6": False,
-        "netlink": False,
-        "packet": False,
-        "bluetooth": False,
-    }
-    for protocol in protocols.split(","):
-        if protocol == "unix":
-            present_protocols["unix"] = True
-        elif protocol == "inet":
-            present_protocols["inet"] = True
-        elif protocol == "inet6":
-            present_protocols["inet6"] = True
-        elif protocol == "netlink":
-            present_protocols["netlink"] = True
-        elif protocol == "packet":
-            present_protocols["packet"] = True
-        elif protocol == "bluetooth":
-            present_protocols["bluetooth"] = True
-    if present_protocols["unix"]:
-        fixed_protocols += "unix,"
-    if present_protocols["inet"]:
-        fixed_protocols += "inet,"
-    if present_protocols["inet6"]:
-        fixed_protocols += "inet6,"
-    if present_protocols["netlink"]:
-        fixed_protocols += "netlink,"
-    if present_protocols["packet"]:
-        fixed_protocols += "packet,"
-    if present_protocols["bluetooth"]:
-        fixed_protocols += "bluetooth,"
+    for protocol in ("unix", "inet", "inet6", "netlink", "packet", "bluetooth"):
+        for prefix in ("", "-", "+", "="):
+            if f",{prefix}{protocol}," in f",{protocols},":
+                fixed_protocols += f"{prefix}{protocol},"
     return fixed_protocols[:-1]
 
 
diff --git a/etc/inc/disable-passwdmgr.inc b/etc/inc/disable-passwdmgr.inc
index 316378cb8..3ed9a1b14 100644
--- a/etc/inc/disable-passwdmgr.inc
+++ b/etc/inc/disable-passwdmgr.inc
@@ -7,6 +7,7 @@ blacklist ${HOME}/.config/KeePass
 blacklist ${HOME}/.config/keepass
 blacklist ${HOME}/.config/keepassx
 blacklist ${HOME}/.config/keepassxc
+blacklist ${HOME}/.config/KeePassXCrc
 blacklist ${HOME}/.config/Sinew Software Systems
 blacklist ${HOME}/.fpm
 blacklist ${HOME}/.keepass
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index cf9ef44bf..1e1734a9e 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -138,6 +138,7 @@ blacklist ${HOME}/.config/Rambox
 blacklist ${HOME}/.config/Riot
 blacklist ${HOME}/.config/Rocket.Chat
 blacklist ${HOME}/.config/RogueLegacy
+blacklist ${HOME}/.config/RogueLegacyStorageContainer
 blacklist ${HOME}/.config/Signal
 blacklist ${HOME}/.config/Sinew Software Systems
 blacklist ${HOME}/.config/Slack
@@ -612,7 +613,8 @@ blacklist ${HOME}/.local/share/QGIS
 blacklist ${HOME}/.local/share/QMediathekView
 blacklist ${HOME}/.local/share/QuiteRss
 blacklist ${HOME}/.local/share/Ricochet
-blacklist ${HOME}/.local/share/RogueLegacy*
+blacklist ${HOME}/.local/share/RogueLegacy
+blacklist ${HOME}/.local/share/RogueLegacyStorageContainer
 blacklist ${HOME}/.local/share/Shortwave
 blacklist ${HOME}/.local/share/Steam
 blacklist ${HOME}/.local/share/SteamWorldDig
diff --git a/etc/profile-a-l/audio-recorder.profile b/etc/profile-a-l/audio-recorder.profile
index b2ed3b030..2c7fdc812 100644
--- a/etc/profile-a-l/audio-recorder.profile
+++ b/etc/profile-a-l/audio-recorder.profile
@@ -20,6 +20,7 @@ include disable-xdg.inc
 whitelist ${MUSIC}
 whitelist ${DOWNLOADS}
 whitelist /usr/share/audio-recorder
+whitelist /usr/share/gstreamer-1.0
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -44,7 +45,11 @@ tracelog
 disable-mnt
 # private-bin audio-recorder
 private-cache
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload
 private-tmp
 
+dbus-user filter
+dbus-user.talk ca.desrt.dconf
+dbus-system none
+
 # memory-deny-write-execute - breaks on Arch
diff --git a/etc/profile-a-l/digikam.profile b/etc/profile-a-l/digikam.profile
index ae4a63c62..2ca7bd400 100644
--- a/etc/profile-a-l/digikam.profile
+++ b/etc/profile-a-l/digikam.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/digikam
 noblacklist ${HOME}/.config/digikamrc
 noblacklist ${HOME}/.kde/share/apps/digikam
 noblacklist ${HOME}/.kde4/share/apps/digikam
+noblacklist ${HOME}/.local/share/kxmlgui5/digikam
 noblacklist ${PICTURES}
 
 include disable-common.inc
diff --git a/etc/profile-a-l/discord-common.profile b/etc/profile-a-l/discord-common.profile
index b583f1a1d..b83e626d9 100644
--- a/etc/profile-a-l/discord-common.profile
+++ b/etc/profile-a-l/discord-common.profile
@@ -18,6 +18,7 @@ ignore dbus-user none
 ignore dbus-system none
 
 ignore noexec ${HOME}
+ignore novideo
 
 whitelist ${HOME}/.config/BetterDiscord
 whitelist ${HOME}/.local/share/betterdiscordctl
diff --git a/etc/profile-a-l/etr.profile b/etc/profile-a-l/etr.profile
index f55d23778..6d31f3042 100644
--- a/etc/profile-a-l/etr.profile
+++ b/etc/profile-a-l/etr.profile
@@ -37,6 +37,7 @@ nou2f
 novideo
 protocol unix,netlink
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/firefox.profile b/etc/profile-a-l/firefox.profile
index cefba93d4..b22a78458 100644
--- a/etc/profile-a-l/firefox.profile
+++ b/etc/profile-a-l/firefox.profile
@@ -6,6 +6,14 @@ include firefox.local
 # Persistent global definitions
 include globals.local
 
+# NOTE: sandboxing web browsers is as important as it is complex. Users might be
+# interested in creating custom profiles depending on use case (e.g. one for
+# general browsing, another for banking, ...). Consult our FAQ/issue tracker for more
+# info. Here are a few links to get you going.
+# https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions#firefox-doesnt-open-in-a-new-sandbox-instead-it-opens-a-new-tab-in-an-existing-firefox-instance
+# https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions#how-do-i-run-two-instances-of-firefox
+# https://github.com/netblue30/firejail/issues/4206#issuecomment-824806968
+
 noblacklist ${HOME}/.cache/mozilla
 noblacklist ${HOME}/.mozilla
 
diff --git a/etc/profile-a-l/gl-117-wrapper.profie b/etc/profile-a-l/gl-117-wrapper.profie
deleted file mode 100644
index d783940f3..000000000
--- a/etc/profile-a-l/gl-117-wrapper.profie
+++ /dev/null
@@ -1,14 +0,0 @@
-# Firejail profile for gl-117-wrapper
-# This file is overwritten after every install/update
-# Persistent local customizations
-include gl-117-wrapper.local
-# Persistent global definitions
-# added by included profile
-#include globals.local
-
-include allow-opengl-game.inc
-
-private-bin gl-117-wrapper
-
-# Redirect
-include gl-117.profile
diff --git a/etc/profile-a-l/glaxium-wrapper.profie b/etc/profile-a-l/glaxium-wrapper.profie
deleted file mode 100644
index 7dc2cf65e..000000000
--- a/etc/profile-a-l/glaxium-wrapper.profie
+++ /dev/null
@@ -1,14 +0,0 @@
-# Firejail profile for glaxium-wrapper
-# This file is overwritten after every install/update
-# Persistent local customizations
-include glaxium-wrapper.local
-# Persistent global definitions
-# added by included profile
-#include globals.local
-
-include allow-opengl-game.inc
-
-private-bin glaxium-wrapper
-
-# Redirect
-include glaxium.profile
diff --git a/etc/profile-a-l/kcalc.profile b/etc/profile-a-l/kcalc.profile
index fa82e76f3..c1414472b 100644
--- a/etc/profile-a-l/kcalc.profile
+++ b/etc/profile-a-l/kcalc.profile
@@ -15,6 +15,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
+include disable-xdg.inc
 
 mkdir ${HOME}/.local/share/kxmlgui5/kcalc
 mkfile ${HOME}/.config/kcalcrc
@@ -24,7 +25,12 @@ whitelist ${HOME}/.config/kcalcrc
 whitelist ${HOME}/.kde/share/config/kcalcrc
 whitelist ${HOME}/.kde4/share/config/kcalcrc
 whitelist ${HOME}/.local/share/kxmlgui5/kcalc
+whitelist /usr/share/config.kcfg/kcalc.kcfg
+whitelist /usr/share/kcalc
+whitelist /usr/share/kconf_update/kcalcrc.upd
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 apparmor
@@ -41,13 +47,19 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
+tracelog
 
 disable-mnt
 private-bin kcalc
+private-cache
 private-dev
+private-etc alternatives,fonts,ld.so.cache,locale,locale.conf
 # private-lib - problems on Arch
 private-tmp
 
 dbus-user none
 dbus-system none
+
+#memory-deny-write-execute
diff --git a/etc/profile-a-l/keepassxc.profile b/etc/profile-a-l/keepassxc.profile
index 11c279911..3c7737063 100644
--- a/etc/profile-a-l/keepassxc.profile
+++ b/etc/profile-a-l/keepassxc.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/*.kdb
 noblacklist ${HOME}/*.kdbx
 noblacklist ${HOME}/.cache/keepassxc
 noblacklist ${HOME}/.config/keepassxc
+noblacklist ${HOME}/.config/KeePassXCrc
 noblacklist ${HOME}/.keepassxc
 noblacklist ${DOCUMENTS}
 
@@ -51,6 +52,7 @@ include disable-xdg.inc
 #mkdir ${HOME}/.config/keepassxc
 #whitelist ${HOME}/.cache/keepassxc
 #whitelist ${HOME}/.config/keepassxc
+#whitelist ${HOME}/.config/KeePassXCrc
 #include whitelist-common.inc
 
 whitelist /usr/share/keepassxc
diff --git a/etc/profile-m-z/mrrescue.profile b/etc/profile-m-z/mrrescue.profile
index f02a4f357..5b2164bae 100644
--- a/etc/profile-m-z/mrrescue.profile
+++ b/etc/profile-m-z/mrrescue.profile
@@ -8,18 +8,23 @@ include globals.local
 
 noblacklist ${HOME}/.local/share/love
 
+include allow-bin-sh.inc
+include allow-lua.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.local/share/love
 whitelist ${HOME}/.local/share/love
 whitelist /usr/share/mrrescue
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
@@ -35,6 +40,7 @@ nou2f
 novideo
 protocol unix,netlink
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-m-z/neverball-wrapper.profie b/etc/profile-m-z/neverball-wrapper.profie
deleted file mode 100644
index 534e41dd1..000000000
--- a/etc/profile-m-z/neverball-wrapper.profie
+++ /dev/null
@@ -1,14 +0,0 @@
-# Firejail profile for neverball-wrapper
-# This file is overwritten after every install/update
-# Persistent local customizations
-include neverball-wrapper.local
-# Persistent global definitions
-# added by included profile
-#include globals.local
-
-include allow-opengl-game.inc
-
-private-bin neverball-wrapper
-
-# Redirect
-include neverball.profile
diff --git a/etc/profile-m-z/neverball.profile b/etc/profile-m-z/neverball.profile
index 84c634549..2695f2f90 100644
--- a/etc/profile-m-z/neverball.profile
+++ b/etc/profile-m-z/neverball.profile
@@ -14,13 +14,19 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
 
 mkdir ${HOME}/.neverball
 whitelist ${HOME}/.neverball
+whitelist /usr/share/neverball
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
-netfilter
+net none
 nodvd
 nogroups
 nonewprivs
@@ -28,12 +34,18 @@ noroot
 notv
 nou2f
 novideo
-protocol unix,netlink
+protocol unix
 seccomp
+seccomp.block-secondary
 shell none
+tracelog
 
 disable-mnt
 private-bin neverball
+private-cache
 private-dev
+private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,machine-id
 private-tmp
 
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/neverputt-wrapper.profie b/etc/profile-m-z/neverputt-wrapper.profie
deleted file mode 100644
index dacd113cc..000000000
--- a/etc/profile-m-z/neverputt-wrapper.profie
+++ /dev/null
@@ -1,14 +0,0 @@
-# Firejail profile for neverputt-wrapper
-# This file is overwritten after every install/update
-# Persistent local customizations
-include neverputt-wrapper.local
-# Persistent global definitions
-# added by included profile
-#include globals.local
-
-include allow-opengl-game.inc
-
-private-bin neverputt-wrapper
-
-# Redirect
-include neverputt.profile
diff --git a/etc/profile-m-z/okular.profile b/etc/profile-m-z/okular.profile
index e21ac997a..3f75d4f09 100644
--- a/etc/profile-m-z/okular.profile
+++ b/etc/profile-m-z/okular.profile
@@ -28,10 +28,16 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-whitelist /usr/share/config.kcfg
+whitelist /usr/share/config.kcfg/gssettings.kcfg
+whitelist /usr/share/config.kcfg/pdfsettings.kcfg
+whitelist /usr/share/config.kcfg/okular.kcfg
+whitelist /usr/share/config.kcfg/okular_core.kcfg
+whitelist /usr/share/ghostscript
+whitelist /usr/share/kconf_update/okular.upd
 whitelist /usr/share/kxmlgui5/okular
 whitelist /usr/share/okular
 whitelist /usr/share/poppler
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/pinball-wrapper.profie b/etc/profile-m-z/pinball-wrapper.profie
deleted file mode 100644
index 2b5ed6e27..000000000
--- a/etc/profile-m-z/pinball-wrapper.profie
+++ /dev/null
@@ -1,14 +0,0 @@
-# Firejail profile for pinball-wrapper
-# This file is overwritten after every install/update
-# Persistent local customizations
-include pinball-wrapper.local
-# Persistent global definitions
-# added by included profile
-#include globals.local
-
-include allow-opengl-game.inc
-
-private-bin pinball-wrapper
-
-# Redirect
-include pinball.profile
diff --git a/etc/profile-m-z/pingus.profile b/etc/profile-m-z/pingus.profile
index ebfd236aa..e3b20e59f 100644
--- a/etc/profile-m-z/pingus.profile
+++ b/etc/profile-m-z/pingus.profile
@@ -8,12 +8,15 @@ include globals.local
 
 noblacklist ${HOME}/.pingus
 
+include allow-bin-sh.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.pingus
@@ -36,6 +39,7 @@ nou2f
 novideo
 protocol unix,netlink
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-m-z/regextester.profile b/etc/profile-m-z/regextester.profile
index 6fb0d4b5f..bab2badb5 100644
--- a/etc/profile-m-z/regextester.profile
+++ b/etc/profile-m-z/regextester.profile
@@ -16,9 +16,8 @@ include disable-shell.inc
 include disable-xdg.inc
 
 whitelist /usr/share/com.github.artemanufrij.regextester
-include whitelist-usr-share-common.inc
-
 include whitelist-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 apparmor
@@ -48,11 +47,9 @@ private-etc alternatives,fonts
 private-lib libgranite.so.*
 private-tmp
 
-# makes settings immutable
-# dbus-user none
-# dbus-system none
-
-memory-deny-write-execute
+dbus-user filter
+dbus-user.talk ca.desrt.dconf
+dbus-system none
 
 # never write anything
 read-only ${HOME}
diff --git a/etc/profile-m-z/spectacle.profile b/etc/profile-m-z/spectacle.profile
index cedff0b83..f99246ad6 100644
--- a/etc/profile-m-z/spectacle.profile
+++ b/etc/profile-m-z/spectacle.profile
@@ -26,6 +26,8 @@ include disable-xdg.inc
 mkfile  ${HOME}/.config/spectaclerc
 whitelist ${HOME}/.config/spectaclerc
 whitelist ${PICTURES}
+whitelist /usr/share/kconf_update/spectacle_newConfig.upd
+whitelist /usr/share/kconf_update/spectacle_shortcuts.upd
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/steam.profile b/etc/profile-m-z/steam.profile
index 0bcbe6da2..922823f98 100644
--- a/etc/profile-m-z/steam.profile
+++ b/etc/profile-m-z/steam.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/Epic
 noblacklist ${HOME}/.config/Loop_Hero
 noblacklist ${HOME}/.config/ModTheSpire
 noblacklist ${HOME}/.config/RogueLegacy
+noblacklist ${HOME}/.config/RogueLegacyStorageContainer
 noblacklist ${HOME}/.killingfloor
 noblacklist ${HOME}/.klei
 noblacklist ${HOME}/.local/share/3909/PapersPlease
@@ -22,7 +23,8 @@ noblacklist ${HOME}/.local/share/feral-interactive
 noblacklist ${HOME}/.local/share/IntoTheBreach
 noblacklist ${HOME}/.local/share/Paradox Interactive
 noblacklist ${HOME}/.local/share/PillarsOfEternity
-noblacklist ${HOME}/.local/share/RogueLegacy*
+noblacklist ${HOME}/.local/share/RogueLegacy
+noblacklist ${HOME}/.local/share/RogueLegacyStorageContainer
 noblacklist ${HOME}/.local/share/Steam
 noblacklist ${HOME}/.local/share/SteamWorldDig
 noblacklist ${HOME}/.local/share/SteamWorld Dig 2
@@ -69,7 +71,7 @@ mkdir ${HOME}/.local/share/feral-interactive
 mkdir ${HOME}/.local/share/IntoTheBreach
 mkdir ${HOME}/.local/share/Paradox Interactive
 mkdir ${HOME}/.local/share/PillarsOfEternity
-mkdir ${HOME}/.local/share/RogueLegacy*
+mkdir ${HOME}/.local/share/RogueLegacy
 mkdir ${HOME}/.local/share/Steam
 mkdir ${HOME}/.local/share/SteamWorldDig
 mkdir ${HOME}/.local/share/SteamWorld Dig 2
@@ -86,6 +88,7 @@ whitelist ${HOME}/.config/Epic
 whitelist ${HOME}/.config/Loop_Hero
 whitelist ${HOME}/.config/ModTheSpire
 whitelist ${HOME}/.config/RogueLegacy
+whitelist ${HOME}/.config/RogueLegacyStorageContainer
 whitelist ${HOME}/.config/unity3d
 whitelist ${HOME}/.killingfloor
 whitelist ${HOME}/.klei
@@ -99,7 +102,8 @@ whitelist ${HOME}/.local/share/feral-interactive
 whitelist ${HOME}/.local/share/IntoTheBreach
 whitelist ${HOME}/.local/share/Paradox Interactive
 whitelist ${HOME}/.local/share/PillarsOfEternity
-whitelist ${HOME}/.local/share/RogueLegacy*
+whitelist ${HOME}/.local/share/RogueLegacy
+whitelist ${HOME}/.local/share/RogueLegacyStorageContainer
 whitelist ${HOME}/.local/share/Steam
 whitelist ${HOME}/.local/share/SteamWorldDig
 whitelist ${HOME}/.local/share/SteamWorld Dig 2
@@ -115,6 +119,14 @@ whitelist ${HOME}/.steampid
 include whitelist-common.inc
 include whitelist-var-common.inc
 
+# Note: The following were intentionally left out as they are alternative
+# (i.e.: unnecessary and/or legacy) paths whose existence may potentially
+# clobber other paths (see #4225).  If you use any, either add the entry to
+# steam.local or move the contents to a path listed above (or open an issue if
+# it's missing above).
+#mkdir ${HOME}/.config/RogueLegacyStorageContainer
+#mkdir ${HOME}/.local/share/RogueLegacyStorageContainer
+
 caps.drop all
 #ipc-namespace
 netfilter
diff --git a/etc/profile-m-z/supertux2.profile b/etc/profile-m-z/supertux2.profile
index 9cc023765..d31f25c0d 100644
--- a/etc/profile-m-z/supertux2.profile
+++ b/etc/profile-m-z/supertux2.profile
@@ -14,6 +14,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.local/share/supertux2
@@ -42,6 +43,8 @@ tracelog
 
 disable-mnt
 # private-bin supertux2
+private-cache
+private-etc machine-id
 private-dev
 private-tmp
 
diff --git a/etc/profile-m-z/virtualbox.profile b/etc/profile-m-z/virtualbox.profile
index 64d787bfb..c22fb0ff9 100644
--- a/etc/profile-m-z/virtualbox.profile
+++ b/etc/profile-m-z/virtualbox.profile
@@ -44,7 +44,7 @@ shell none
 tracelog
 
 #disable-mnt
-#private-bin basename,bash,env,gawk,grep,ps,readlink,sh,virtualbox,VirtualBox,VBox*,vbox*,whoami
+#private-bin awk,basename,bash,env,gawk,grep,ps,readlink,sh,virtualbox,VirtualBox,VBox*,vbox*,whoami
 private-cache
 private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,hostname,hosts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl
 private-tmp
diff --git a/etc/profile-m-z/xfce4-mixer.profile b/etc/profile-m-z/xfce4-mixer.profile
index 78cb2862c..d9d1cd393 100644
--- a/etc/profile-m-z/xfce4-mixer.profile
+++ b/etc/profile-m-z/xfce4-mixer.profile
@@ -19,7 +19,7 @@ include disable-xdg.inc
 
 mkfile ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml
 whitelist ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml
-whitelist /usr/share/gstreamer
+whitelist /usr/share/gstreamer-*
 whitelist /usr/share/xfce4
 whitelist /usr/share/xfce4-mixer
 include whitelist-common.inc
diff --git a/src/fbuilder/build_bin.c b/src/fbuilder/build_bin.c
index 96bd351f3..431aebee6 100644
--- a/src/fbuilder/build_bin.c
+++ b/src/fbuilder/build_bin.c
@@ -121,6 +121,6 @@ void build_bin(const char *fname, FILE *fp) {
                         ptr = ptr->next;
                 }
                 fprintf(fp, "\n");
-                fprintf(fp, "# private-lib\n");
+                fprintf(fp, "#private-lib\n");
         }
 }
diff --git a/src/fbuilder/build_fs.c b/src/fbuilder/build_fs.c
index 495f71ab8..ac0cd455a 100644
--- a/src/fbuilder/build_fs.c
+++ b/src/fbuilder/build_fs.c
@@ -220,6 +220,10 @@ static void tmp_callback(char *ptr) {
         // skip strace file
         if (strncmp(ptr, "/tmp/firejail-strace", 20) == 0)
                 return;
+        if (strncmp(ptr, "/tmp/runtime-", 13) == 0)
+                return;
+        if (strcmp(ptr, "/tmp") == 0)
+                return;
 
         tmp_out = filedb_add(tmp_out, ptr);
 }
@@ -232,8 +236,7 @@ void build_tmp(const char *fname, FILE *fp) {
         if (tmp_out == NULL)
                 fprintf(fp, "private-tmp\n");
         else {
-                fprintf(fp, "\n");
-                fprintf(fp, "# private-tmp\n");
+                fprintf(fp, "#private-tmp\n");
                 fprintf(fp, "# File accessed in /tmp directory:\n");
                 fprintf(fp, "# ");
                 FileDB *ptr = tmp_out;
@@ -310,9 +313,8 @@ void build_dev(const char *fname, FILE *fp) {
         if (dev_out == NULL)
                 fprintf(fp, "private-dev\n");
         else {
-                fprintf(fp, "\n");
-                fprintf(fp, "# private-dev\n");
-                fprintf(fp, "# This is the list of devices accessed (on top of regular private-dev devices:\n");
+                fprintf(fp, "#private-dev\n");
+                fprintf(fp, "# This is the list of devices accessed on top of regular private-dev devices:\n");
                 fprintf(fp, "# ");
                 FileDB *ptr = dev_out;
                 while (ptr) {
diff --git a/src/fbuilder/build_home.c b/src/fbuilder/build_home.c
index 683009b71..d7706282a 100644
--- a/src/fbuilder/build_home.c
+++ b/src/fbuilder/build_home.c
@@ -141,7 +141,7 @@ void process_home(const char *fname, char *home, int home_len) {
                 }
 
                 // skip files and directories in whitelist-common.inc
-                if (filedb_find(db_skip, toadd)) {
+                if (strlen(toadd) == 0 || filedb_find(db_skip, toadd)) {
                         if (dir)
                                 free(dir);
                         continue;
diff --git a/src/fbuilder/build_profile.c b/src/fbuilder/build_profile.c
index 96a83954d..0c1b57384 100644
--- a/src/fbuilder/build_profile.c
+++ b/src/fbuilder/build_profile.c
@@ -150,12 +150,12 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
 
                 fprintf(fp, "### basic blacklisting\n");
                 fprintf(fp, "include disable-common.inc\n");
-                fprintf(fp, "# include disable-devel.inc\n");
-                fprintf(fp, "# include disable-exec.inc\n");
-                fprintf(fp, "# include disable-interpreters.inc\n");
+                fprintf(fp, "#include disable-devel.inc\n");
+                fprintf(fp, "#include disable-exec.inc\n");
+                fprintf(fp, "#include disable-interpreters.inc\n");
                 fprintf(fp, "include disable-passwdmgr.inc\n");
-                fprintf(fp, "# include disable-programs.inc\n");
-                fprintf(fp, "# include disable-xdg.inc\n");
+                fprintf(fp, "#include disable-programs.inc\n");
+                fprintf(fp, "#include disable-xdg.inc\n");
                 fprintf(fp, "\n");
 
                 fprintf(fp, "### home directory whitelisting\n");
@@ -163,18 +163,17 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
                 fprintf(fp, "\n");
 
                 fprintf(fp, "### filesystem\n");
-                fprintf(fp, "# /usr/share:\n");
+                fprintf(fp, "### /usr/share:\n");
                 build_share(trace_output, fp);
-                fprintf(fp, "# /var:\n");
+                fprintf(fp, "### /var:\n");
                 build_var(trace_output, fp);
-                fprintf(fp, "\n");
-                fprintf(fp, "# $PATH:\n");
+                fprintf(fp, "### /bin:\n");
                 build_bin(trace_output, fp);
-                fprintf(fp, "# /dev:\n");
+                fprintf(fp, "### /dev:\n");
                 build_dev(trace_output, fp);
-                fprintf(fp, "# /etc:\n");
+                fprintf(fp, "### /etc:\n");
                 build_etc(trace_output, fp);
-                fprintf(fp, "# /tmp:\n");
+                fprintf(fp, "### /tmp:\n");
                 build_tmp(trace_output, fp);
                 fprintf(fp, "\n");
 
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index ee685da73..2bb57cee2 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -295,7 +295,9 @@ Use the options no3d, nodvd, nosound, notv, nou2f and novideo for additional res
 Build a new /etc in a temporary
 filesystem, and copy the files and directories in the list.
 The files and directories in the list must be expressed as relative to
-the /etc directory.
+the /etc directory, and must not contain the / character
+(e.g., /etc/foo must be expressed as foo, but /etc/foo/bar --
+expressed as foo/bar -- is disallowed).
 All modifications are discarded when the sandbox is closed.
 #ifdef HAVE_PRIVATE_HOME
 .TP
@@ -319,14 +321,18 @@ This feature is still under development, see \fBman 1 firejail\fR for some examp
 Build a new /opt in a temporary
 filesystem, and copy the files and directories in the list.
 The files and directories in the list must be expressed as relative to
-the /opt directory.
+the /opt directory, and must not contain the / character
+(e.g., /opt/foo must be expressed as foo, but /opt/foo/bar --
+expressed as foo/bar -- is disallowed).
 All modifications are discarded when the sandbox is closed.
 .TP
 \fBprivate-srv file,directory
 Build a new /srv in a temporary
 filesystem, and copy the files and directories in the list.
 The files and directories in the list must be expressed as relative to
-the /srv directory.
+the /srv directory, and must not contain the / character
+(e.g., /srv/foo must be expressed as foo, but /srv/foo/bar --
+expressed as foo/bar -- is disallowed).
 All modifications are discarded when the sandbox is closed.
 .TP
 \fBprivate-tmp
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index f27379a2d..1ee7ab1f1 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1883,7 +1883,9 @@ $
 Build a new /etc in a temporary
 filesystem, and copy the files and directories in the list.
 The files and directories in the list must be expressed as relative to
-the /etc directory.
+the /etc directory, and must not contain the / character
+(e.g., /etc/foo must be expressed as foo, but /etc/foo/bar --
+expressed as foo/bar -- is disallowed).
 If no listed file is found, /etc directory will be empty.
 All modifications are discarded when the sandbox is closed.
 .br
@@ -1893,7 +1895,7 @@ Example:
 .br
 $ firejail --private-etc=group,hostname,localtime, \\
 .br
-nsswitch.conf,passwd,resolv.conf,default/motd-news
+nsswitch.conf,passwd,resolv.conf
 #ifdef HAVE_PRIVATE_HOME
 .TP
 \fB\-\-private-home=file,directory
@@ -1968,7 +1970,9 @@ $
 Build a new /opt in a temporary
 filesystem, and copy the files and directories in the list.
 The files and directories in the list must be expressed as relative to
-the /opt directory.
+the /opt directory, and must not contain the / character
+(e.g., /opt/foo must be expressed as foo, but /opt/foo/bar --
+expressed as foo/bar -- is disallowed).
 If no listed file is found, /opt directory will be empty.
 All modifications are discarded when the sandbox is closed.
 .br
@@ -1983,7 +1987,9 @@ $ firejail --private-opt=firefox /opt/firefox/firefox
 Build a new /srv in a temporary
 filesystem, and copy the files and directories in the list.
 The files and directories in the list must be expressed as relative to
-the /srv directory.
+the /srv directory, and must not contain the / character
+(e.g., /opt/srv must be expressed as foo, but /srv/foo/bar --
+expressed as srv/bar -- is disallowed).
 If no listed file is found, /srv directory will be empty.
 All modifications are discarded when the sandbox is closed.
 .br