184 files changed, 1744 insertions, 1299 deletions

diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
index 562d6b9e1..47e099cde 100644
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -33,10 +33,10 @@ Other context about the problem like related errors to understand the problem.
 **Checklist**
  - [ ] The upstream profile (and redirect profile if exists) have no changes fixing it.
  - [ ] The program has a profile. (If not, request one in `https://github.com/netblue30/firejail/issues/1139`)
- - [ ] Programs needed for interaction are listed in the profile.
  - [ ] A short search for duplicates was performed.
  - [ ] If it is a AppImage, `--profile=PROFILENAME` is used to set the right profile.
  - [ ] Used `LC_ALL=en_US.UTF-8 LANG=en_US.UTF-8 PROGRAM` to get english error-messages.
+ - [ ] I'm aware of `browser-allow-drm yes`/`browser-disable-u2f no` in `firejail.config` to allow DRM/U2F in browsers.
 
 
 <details><summary> debug output </summary>
diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml
new file mode 100644
index 000000000..1468ef898
--- /dev/null
+++ b/.github/workflows/build-extra.yml
@@ -0,0 +1,52 @@
+name: Build-extra CI
+
+on:   
+  push:
+    branches: [ master ]
+    paths-ignore:
+      - CONTRIBUTING.md
+      - README
+      - README.md
+      - RELNOTES
+      - SECURITY.md
+      - 'etc/**'
+  pull_request:
+    branches: [ master ]
+    paths-ignore:
+      - CONTRIBUTING.md
+      - README
+      - README.md
+      - RELNOTES
+      - SECURITY.md
+      - 'etc/**'
+        
+jobs:
+  build-clang:
+    if: ${{ ! contains(github.event.commits[0].message, '[skip ci]') }}
+    runs-on: ubuntu-20.04
+    steps:
+    - uses: actions/checkout@v2
+    - name: configure
+      run: CC=clang-10 ./configure --enable-fatal-warnings
+    - name: make
+      run: make
+  scan-build:
+    if: ${{ ! contains(github.event.commits[0].message, '[skip ci]') }}
+    runs-on: ubuntu-20.04
+    steps:
+    - uses: actions/checkout@v2
+    - name: install clang-tools-10
+      run: sudo apt-get install clang-tools-10
+    - name: configure
+      run: CC=clang-10 ./configure --enable-fatal-warnings
+    - name: scan-build
+      run: NO_EXTRA_CFLAGS="yes" scan-build-10 --status-bugs make
+  cppcheck:
+    if: ${{ ! contains(github.event.commits[0].message, '[skip ci]') }}
+    runs-on: ubuntu-20.04
+    steps:
+    - uses: actions/checkout@v2
+    - name: install cppcheck
+      run: sudo apt-get install cppcheck
+    - name: cppcheck
+      run: cppcheck -q --force --error-exitcode=1 --enable=warning,performance .
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 71cb7f0b4..99b8a3be5 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -3,11 +3,24 @@ name: Build CI
 on:
   push:
     branches: [ master ]
+    paths-ignore:
+      - CONTRIBUTING.md
+      - README
+      - README.md
+      - RELNOTES
+      - SECURITY.md
   pull_request:
     branches: [ master ]
+    paths-ignore:
+      - CONTRIBUTING.md
+      - README
+      - README.md
+      - RELNOTES
+      - SECURITY.md
 
 jobs:
   build_and_test:
+    if: ${{ ! contains(github.event.commits[0].message, '[skip ci]') }}
     runs-on: ubuntu-20.04
     steps:
     - uses: actions/checkout@v2
@@ -21,35 +34,3 @@ jobs:
       run: sudo make install
     - name: run tests
       run: SHELL=/bin/bash make test-github
-  build-clang:
-    runs-on: ubuntu-20.04
-    steps:
-    - uses: actions/checkout@v2
-    - name: configure
-      run: CC=clang-10 ./configure --enable-fatal-warnings
-    - name: make
-      run: make
-  scan-build:
-    runs-on: ubuntu-20.04
-    steps:
-    - uses: actions/checkout@v2
-    - name: install clang-tools-10
-      run: sudo apt-get install clang-tools-10
-    - name: configure
-      run: CC=clang-10 ./configure --enable-fatal-warnings
-    - name: scan-build
-      run: NO_EXTRA_CFLAGS="yes" scan-build-10 --status-bugs make
-  cppcheck:
-    runs-on: ubuntu-20.04
-    steps:
-    - uses: actions/checkout@v2
-    - name: install cppcheck
-      run: sudo apt-get install cppcheck
-    - name: cppcheck
-      run: cppcheck -q --force --error-exitcode=1 --enable=warning,performance .
-  profile-sort:
-    runs-on: ubuntu-20.04
-    steps:
-    - uses: actions/checkout@v2
-    - name: check profiles
-      run: ./contrib/sort.py etc/*/{*.inc,*.net,*.profile}
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index a37bbb5c7..301c7fad2 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -8,9 +8,23 @@ name: "CodeQL"
 on:
   push:
     branches: [master]
+    paths-ignore:
+      - CONTRIBUTING.md
+      - README
+      - README.md  
+      - RELNOTES
+      - SECURITY.md
+      - 'etc/**'
   pull_request:
     # The branches below must be a subset of the branches above
     branches: [master]
+    paths-ignore:
+      - CONTRIBUTING.md
+      - README
+      - README.md  
+      - RELNOTES
+      - SECURITY.md
+      - 'etc/**'
   schedule:
     - cron: '0 7 * * 2'
 
diff --git a/.github/workflows/sort.yml b/.github/workflows/sort.yml
new file mode 100644
index 000000000..55ac065b6
--- /dev/null
+++ b/.github/workflows/sort.yml
@@ -0,0 +1,21 @@
+name: sort.py
+
+on:    
+  push: 
+    branches: [ master ]
+    paths:
+      - 'etc/**'
+  pull_request:
+    branches: [ master ]
+    paths:
+      - 'etc/**'
+
+jobs:
+  profile-sort:
+    if: ${{ ! contains(github.event.commits[0].message, '[skip ci]') }}
+    runs-on: ubuntu-20.04
+    steps:
+    - uses: actions/checkout@v2
+    - name: check profiles
+      run: ./contrib/sort.py etc/*/{*.inc,*.profile}
+
diff --git a/README b/README
index 81f5fd5e8..6c86dcc5a 100644
--- a/README
+++ b/README
@@ -252,12 +252,14 @@ Danil Semelenov (https://github.com/sgtpep)
 Dara Adib (https://github.com/daradib)
         - ssh profile fix
         - evince profile fix
+        - linphone profile fix
 Dario Pellegrini (https://github.com/dpellegr)
         - allowing links in netns
 David Thole (https://github.com/TheDarkTrumpet)
         - added profile for teams-for-linux
 Davide Beatrici (https://github.com/davidebeatrici)
         - steam.profile: correctly blacklist unneeded directories in user's home
+        - minetest fixes
 David Hyrule (https://github.com/Svaag)
         - remove nou2f in ssh profile
 Deelvesh Bunjun (https://github.com/DeelveshBunjun)
@@ -515,6 +517,8 @@ KellerFuchs (https://github.com/KellerFuchs)
         - added support for .local profile files in /etc/firejail
         - fixed Cryptocat profile
         - make ~/.local read-only
+Kelvin (https://github.com/kmk3)
+        - disable ldns utilities
 Kishore96in (https://github.com/Kishore96in)
         - added falkon profile
         - kxmlgui fixes
@@ -546,6 +550,7 @@ Liorst4 (https://github.com/Liorst4)
         - Preserve CFLAGS given to configure in common.mk.in
         - fix emacs config to load as read-write
         - disable browser drm by default
+        - minetest fixes
 Lockdis (https://github.com/Lockdis)
         - Added crow, nyx, and google-earth-pro profiles
 Lukáš Krejčí (https://github.com/lskrejci)
@@ -604,6 +609,7 @@ Neo00001 (https://github.com/Neo00001)
         - add vmware profile
         - update virtualbox profile
         - update telegram profile
+        - add spectacle profile
 Nick Fox (https://github.com/njfox)
         - add a profile alias for code-oss
         - add code-oss config directory
@@ -701,6 +707,8 @@ Rahiel Kasim (https://github.com/rahiel)
         - added telegram-desktop profile
 Rahul Golam (https://github.com/technoLord)
         - strings profile
+RandomVoid (https://github.com/RandomVoid)
+        - fix building C# projects in Godot
 Raphaël Droz (https://github.com/drzraf)
         - zoom profile fixes
 Reiner Herrmann (https://github.com/reinerh)
@@ -953,6 +961,8 @@ Vladimir Schowalter (https://github.com/VladimirSchowalter20)
         read-only kde5 services directory
 xee5ch (https://github.com/xee5ch)
         - skypeforlinux profile
+Ypnose (https://github.com/Ypnose)
+        - disable-shell.inc: add mksh shell
 yumkam (https://github.com/yumkam)
         - add compile-time option to restrict --net= to root only
         - man page fixes
diff --git a/README.md b/README.md
index cc50df2f7..8d3b3c3bb 100644
--- a/README.md
+++ b/README.md
@@ -163,7 +163,7 @@ Release discussion: https://github.com/netblue30/firejail/issues/3696
 ### Profile Statistics
 
 A small tool to print profile statistics. Compile as usual and run in /etc/profiles:
-`````
+```
 $ sudo cp src/profstats/profstats /etc/firejail/.
 $ cd /etc/firejail
 $ ./profstats *.profile
@@ -191,7 +191,8 @@ Stats:
     net none                    333
     dbus-user none              523
     dbus-system none            632
+```
 
 ### New profiles:
 
-spectacle, chromium-browser-privacy
+spectacle, chromium-browser-privacy, gtk-straw-viewer, gtk-youtube-viewer, gtk2-youtube-viewer, gtk3-youtube-viewer, straw-viewer, lutris, dolphin-emu, authenticator-rs, servo
diff --git a/RELNOTES b/RELNOTES
index f623517b3..5f5b451e1 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -2,7 +2,11 @@ firejail (0.9.65) baseline; urgency=low
   * allow --tmpfs inside $HOME for unprivileged users
   * --disable-usertmpfs  compile time option
   * allow AF_BLUETOOTH via --protocol=bluetooth
-  * new profiles: spectacle, chromium-browser-privacy
+  * Setup guide for new users: contrib/firejail-welcome.sh
+  * new profiles: spectacle, chromium-browser-privacy, gtk-straw-viewer
+  * new profiles: gtk-youtube-viewer, gtk2-youtube-viewer, gtk3-youtube-viewer
+  * new profiles: straw-viewer, lutris, dolphin-emu, authenticator-rs, servo
+
  -- netblue30 <netblue30@yahoo.com>  Wed, 21 Oct 2020 09:00:00 -0500
 
 firejail (0.9.64) baseline; urgency=low
diff --git a/contrib/firejail-welcome.sh b/contrib/firejail-welcome.sh
new file mode 100755
index 000000000..2943983e5
--- /dev/null
+++ b/contrib/firejail-welcome.sh
@@ -0,0 +1,128 @@
+#!/bin/bash
+
+# This file is part of Firejail project
+# Copyright (C) 2020 Firejail Authors
+# License GPL v2
+
+if ! command -v zenity >/dev/null; then
+        echo "Please install zenity."
+        exit 1
+fi
+if ! command -v sudo >/dev/null; then
+        echo "Please install sudo."
+        exit 1
+fi
+
+export LANG=en_US.UTF8
+
+zenity --title=firejail-welcome.sh --text-info --width=750 --height=500 <<EOM
+Welcome to firejail!
+
+This is a quick setup guide for newbies.
+
+Profiles for programs can be found in /etc/firejail. Own customizations should go in a file named
+<profile-name>.local in ~/.config/firejal.
+
+Firejail's own configuration can be found at /etc/firejail/firejail.config.
+
+Please note that running this script a second time can set new options, but does not unset options
+set in a previous run.
+
+Website: https://firejail.wordpress.com
+Bug-Tracker: https://github.com/netblue30/firejail/issues
+Documentation:
+- https://github.com/netblue30/firejail/wiki
+- https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions
+- https://firejail.wordpress.com/documentation-2
+- man:firejail(1) and man:firejail-profile(5)
+
+PS: If you have any improvements for this script, open an issue or pull request.
+EOM
+[[ $? -eq 1 ]] && exit 0
+
+sed_scripts=()
+
+read -r -d $'\0' MSG_Q_BROWSER_DISABLE_U2F <<EOM
+<big><b>Should browsers be allowed to access u2f hardware?</b></big>
+EOM
+
+read -r -d $'\0' MSG_Q_BROWSER_ALLOW_DRM <<EOM
+<big><b>Should browsers be able to play DRM content?</b></big>
+
+\$HOME is noexec,nodev,nosuid by default for the most sandboxes. This means that executing programs which are located in \$HOME,
+is forbidden, the setuid attribute on files is ignored and device files inside \$HOME don't work. Browsers install proprietary
+DRM plug-ins such as Widevine under \$HOME by default. In order to use them, \$HOME must be mounted exec inside the sandbox to
+allow their execution. Clearly, this may help an attacker to start malicious code.
+
+NOTE: Other software written in an interpreter language such as bash, python or java can always be started from \$HOME.
+
+HINT: If <tt>/home</tt> has its own partition, you can mount it <tt>nodev,nosuid</tt> for all programs.
+EOM
+
+read -r -d $'\0' MSG_L_ADVANCED_OPTIONS <<EOM
+You maybe want to set some of these advanced options.
+EOM
+
+read -r -d $'\0' MSG_Q_RUN_FIRECFG <<EOM
+<big><b>Should most programs be started in firejail by default?</b></big>
+EOM
+
+read -r -d $'\0' MSG_I_ROOT_REQUIRED <<EOM
+In order to apply these changes, root privileges are required.
+You will now be asked to enter your password.
+EOM
+
+read -r -d $'\0' MSG_I_FINISH <<EOM
+🥳
+EOM
+
+if zenity --title=firejail-welcome.sh --question --ellipsize --text="$MSG_Q_BROWSER_DISABLE_U2F"; then
+        sed_scripts+=("-e s/# browser-disable-u2f yes/browser-disable-u2f no/")
+fi
+
+if zenity --title=firejail-welcome.sh --question --ellipsize --text="$MSG_Q_BROWSER_ALLOW_DRM"; then
+        sed_scripts+=("-e s/# browser-allow-drm no/browser-allow-drm yes/")
+fi
+
+advanced_options=$(zenity --title=firejail-welcome.sh --list --width=800 --height=200 \
+        --text="$MSG_L_ADVANCED_OPTIONS" --multiple --checklist --separator=" " \
+        --column="" --column=Option --column=Description <<EOM
+
+force-nonewprivs
+Always set nonewprivs, this is a strong mitigation against exploits in firejail. However some programs like chromium or wireshark maybe don't work anymore.
+
+restricted-network
+Restrict all network related commands except 'net none' to root only.
+
+seccomp-error-action=kill
+Kill programs which violate seccomp rules (default: return a error).
+EOM
+)
+
+if [[ $advanced_options == *force-nonewprivs* ]]; then
+        sed_scripts+=("-e s/# force-nonewprivs no/force-nonewprivs yes/")
+fi
+if [[ $advanced_options == *restricted-network* ]]; then
+        sed_scripts+=("-e s/# restricted-network no/restricted-network yes/")
+fi
+if [[ $advanced_options == *seccomp-error-action=kill* ]]; then
+        sed_scripts+=("-e s/# seccomp-error-action EPERM/seccomp-error-action kill/")
+fi
+
+if zenity --title=firejail-welcome.sh --question --ellipsize --text="$MSG_Q_RUN_FIRECFG"; then
+        run_firecfg=true
+fi
+
+zenity --title=firejail-welcome.sh --info --ellipsize --text="$MSG_I_ROOT_REQUIRED"
+
+passwd=$(zenity --title=firejail-welcome.sh --password --cancel-label=OK)
+if [[ -n "${sed_scripts[*]}" ]]; then
+        sudo -S -p "" -- sed -i "${sed_scripts[@]}" /etc/firejail/firejail.config <<<"$passwd" || { zenity --title=firejail-welcome.sh --error; exit 1; };
+fi
+if [[ "$run_firecfg" == "true" ]]; then
+        sudo -S -p "" -- firecfg <<<"$passwd" || { zenity --title=firejail-welcome.sh --error; exit 1; };
+fi
+sudo -k
+unset passwd
+
+zenity --title=firejail-welcome.sh --info --icon-name=security-medium-symbolic --text="$MSG_I_FINISH"
diff --git a/etc/inc/archiver-common.inc b/etc/inc/archiver-common.inc
new file mode 100644
index 000000000..9812e3ebb
--- /dev/null
+++ b/etc/inc/archiver-common.inc
@@ -0,0 +1,53 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include archiver-common.local
+
+# common profile for archiver/compression tools
+
+blacklist ${RUNUSER}
+
+# WARNING:
+# Users can (un)restrict file access for **all** archivers by commenting/uncommenting the needed
+# include file(s) here or by putting those into archiver-common.local.
+# Another option is to do this **per archiver** in the relevant <archiver>.local.
+# Just beware that things tend to break when overtightening profiles. For example, because you only
+# need to (un)compress files in ${DOWNLOADS}, other applications may need access to ${HOME}/.local/share.
+
+# Uncomment the next line (or put it into your archiver-common.local) if you don't need to compress files in disable-common.inc.
+#include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+# Uncomment the next line (or put it into your archiver-common.local) if you don't need to compress files in disable-programs.inc.
+#include disable-programs.inc
+include disable-shell.inc
+
+apparmor
+caps.drop all
+hostname archiver
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+#noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+private-cache
+private-dev
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index 1268b4cd2..d88506d90 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -280,6 +280,7 @@ read-only ${HOME}/.plan
 read-only ${HOME}/.profile
 read-only ${HOME}/.project
 read-only ${HOME}/.tcshrc
+read-only ${HOME}/.zfunc
 read-only ${HOME}/.zlogin
 read-only ${HOME}/.zlogout
 read-only ${HOME}/.zprofile
@@ -302,6 +303,7 @@ read-only ${HOME}/.exrc
 read-only ${HOME}/.gvimrc
 read-only ${HOME}/.homesick
 read-only ${HOME}/.iscreenrc
+read-only ${HOME}/.local/lib
 read-only ${HOME}/.local/share/cool-retro-term
 read-only ${HOME}/.mailcap
 read-only ${HOME}/.msmtprc
@@ -513,18 +515,24 @@ blacklist /proc/config.gz
 # prevent DNS malware attempting to communicate with the server
 # using regular DNS tools
 blacklist ${PATH}/dig
-blacklist ${PATH}/kdig
-blacklist ${PATH}/nslookup
-blacklist ${PATH}/host
 blacklist ${PATH}/dlint
-blacklist ${PATH}/dnswalk
 blacklist ${PATH}/dns2tcp
+blacklist ${PATH}/dnssec-*
+blacklist ${PATH}/dnswalk
+blacklist ${PATH}/drill
+blacklist ${PATH}/host
 blacklist ${PATH}/iodine
+blacklist ${PATH}/kdig
+blacklist ${PATH}/khost
 blacklist ${PATH}/knsupdate
+blacklist ${PATH}/ldns-*
+blacklist ${PATH}/ldnsd
+blacklist ${PATH}/nslookup
 blacklist ${PATH}/resolvectl
+blacklist ${PATH}/unbound-host
 
 # rest of ${RUNUSER}
 blacklist ${RUNUSER}/*.lock
 blacklist ${RUNUSER}/inaccessible
-blacklist ${RUNUSER}/update-notifier.pid
 blacklist ${RUNUSER}/pk-debconf-socket
+blacklist ${RUNUSER}/update-notifier.pid
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 7e3c0b657..7ab11e620 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -188,6 +188,7 @@ blacklist ${HOME}/.config/chromium-flags.conf
 blacklist ${HOME}/.config/clipit
 blacklist ${HOME}/.config/cliqz
 blacklist ${HOME}/.config/cmus
+blacklist ${HOME}/.config/com.github.bleakgrey.tootle
 blacklist ${HOME}/.config/corebird
 blacklist ${HOME}/.config/cower
 blacklist ${HOME}/.config/darktable
@@ -200,6 +201,7 @@ blacklist ${HOME}/.config/discord
 blacklist ${HOME}/.config/discordcanary
 blacklist ${HOME}/.config/dkl
 blacklist ${HOME}/.config/dnox
+blacklist ${HOME}/.config/dolphin-emu
 blacklist ${HOME}/.config/dolphinrc
 blacklist ${HOME}/.config/dragonplayerrc
 blacklist ${HOME}/.config/draw.io
@@ -293,6 +295,7 @@ blacklist ${HOME}/.config/libreoffice
 blacklist ${HOME}/.config/liferea
 blacklist ${HOME}/.config/linphone
 blacklist ${HOME}/.config/lugaru
+blacklist ${HOME}/.config/lutris
 blacklist ${HOME}/.config/lximage-qt
 blacklist ${HOME}/.config/mailtransports
 blacklist ${HOME}/.local/share/man
@@ -300,11 +303,13 @@ blacklist ${HOME}/.config/mana
 blacklist ${HOME}/.config/mate-calc
 blacklist ${HOME}/.config/mate/eom
 blacklist ${HOME}/.config/mate/mate-dictionary
+blacklist ${HOME}/.config/matrix-mirage
 blacklist ${HOME}/.config/meld
 blacklist ${HOME}/.config/meteo-qt
 blacklist ${HOME}/.config/menulibre.cfg
 blacklist ${HOME}/.config/mfusion
 blacklist ${HOME}/.config/Microsoft
+blacklist ${HOME}/.config/microsoft-edge-dev
 blacklist ${HOME}/.config/midori
 blacklist ${HOME}/.config/mirage
 blacklist ${HOME}/.config/mono
@@ -378,6 +383,7 @@ blacklist ${HOME}/.config/spotify
 blacklist ${HOME}/.config/sqlitebrowser
 blacklist ${HOME}/.config/stellarium
 blacklist ${HOME}/.config/strawberry
+blacklist ${HOME}/.config/straw-viewer
 blacklist ${HOME}/.config/supertuxkart
 blacklist ${HOME}/.config/synfig
 blacklist ${HOME}/.config/teams
@@ -427,6 +433,7 @@ blacklist ${HOME}/.config/Zulip
 blacklist ${HOME}/.conkeror.mozdev.org
 blacklist ${HOME}/.crawl
 blacklist ${HOME}/.cups
+blacklist ${HOME}/.curl-hsts
 blacklist ${HOME}/.curlrc
 blacklist ${HOME}/.dashcore
 blacklist ${HOME}/.devilspie
@@ -549,6 +556,7 @@ blacklist ${HOME}/.kino-history
 blacklist ${HOME}/.kinorc
 blacklist ${HOME}/.klatexformula
 blacklist ${HOME}/.kodi
+blacklist ${HOME}/.librewolf
 blacklist ${HOME}/.lincity-ng
 blacklist ${HOME}/.links
 blacklist ${HOME}/.linphone-history.db
@@ -584,6 +592,7 @@ blacklist ${HOME}/.local/share/agenda
 blacklist ${HOME}/.local/share/apps/korganizer
 blacklist ${HOME}/.local/share/aspyr-media
 blacklist ${HOME}/.local/share/autokey
+blacklist ${HOME}/.local/share/authenticator-rs
 blacklist ${HOME}/.local/share/backintime
 blacklist ${HOME}/.local/share/baloo
 blacklist ${HOME}/.local/share/barrier
@@ -603,6 +612,7 @@ blacklist ${HOME}/.local/share/data/nomacs
 blacklist ${HOME}/.local/share/data/qBittorrent
 blacklist ${HOME}/.local/share/dino
 blacklist ${HOME}/.local/share/dolphin
+blacklist ${HOME}/.local/share/dolphin-emu
 blacklist ${HOME}/.local/share/emailidentities
 blacklist ${HOME}/.local/share/epiphany
 blacklist ${HOME}/.local/share/evolution
@@ -661,8 +671,10 @@ blacklist ${HOME}/.local/share/local-mail
 blacklist ${HOME}/.local/share/lollypop
 blacklist ${HOME}/.local/share/love
 blacklist ${HOME}/.local/share/lugaru
+blacklist ${HOME}/.local/share/lutris
 blacklist ${HOME}/.local/share/mana
 blacklist ${HOME}/.local/share/maps-places.json
+blacklist ${HOME}/.local/share/matrix-mirage
 blacklist ${HOME}/.local/share/meld
 blacklist ${HOME}/.local/share/midori
 blacklist ${HOME}/.local/share/mirage
@@ -793,7 +805,7 @@ blacklist ${HOME}/.synfig
 blacklist ${HOME}/.tb
 blacklist ${HOME}/.tconn
 blacklist ${HOME}/.teeworlds
-blacklist ${HOME}/.texlive2018
+blacklist ${HOME}/.texlive20*
 blacklist ${HOME}/.thunderbird
 blacklist ${HOME}/.tilp
 blacklist ${HOME}/.tooling
@@ -883,6 +895,7 @@ blacklist ${HOME}/.cache/deja-dup
 blacklist ${HOME}/.cache/discover
 blacklist ${HOME}/.cache/dnox
 blacklist ${HOME}/.cache/dolphin
+blacklist ${HOME}/.cache/dolphin-emu
 blacklist ${HOME}/.cache/ephemeral
 blacklist ${HOME}/.cache/epiphany
 blacklist ${HOME}/.cache/evolution
@@ -931,8 +944,12 @@ blacklist ${HOME}/.cache/ksplashqml
 blacklist ${HOME}/.cache/kube
 blacklist ${HOME}/.cache/kwin
 blacklist ${HOME}/.cache/libgweather
+blacklist ${HOME}/.cache/librewolf
 blacklist ${HOME}/.cache/liferea
+blacklist ${HOME}/.cache/lutris
 blacklist ${HOME}/.cache/Mendeley Ltd.
+blacklist ${HOME}/.cache/matrix-mirage
+blacklist ${HOME}/.cache/microsoft-edge-dev
 blacklist ${HOME}/.cache/midori
 blacklist ${HOME}/.cache/minetest
 blacklist ${HOME}/.cache/mirage
@@ -948,7 +965,7 @@ blacklist ${HOME}/.cache/ms-skype-online
 blacklist ${HOME}/.cache/ms-word-online
 blacklist ${HOME}/.cache/mutt
 blacklist ${HOME}/.cache/mypaint
-blacklist ${HOME}/.cache/nheko/nheko
+blacklist ${HOME}/.cache/nheko
 blacklist ${HOME}/.cache/netsurf
 blacklist ${HOME}/.cache/okular
 blacklist ${HOME}/.cache/opera
@@ -972,6 +989,7 @@ blacklist ${HOME}/.cache/smuxi
 blacklist ${HOME}/.cache/snox
 blacklist ${HOME}/.cache/spotify
 blacklist ${HOME}/.cache/strawberry
+blacklist ${HOME}/.cache/straw-viewer
 blacklist ${HOME}/.cache/supertuxkart
 blacklist ${HOME}/.cache/systemsettings
 blacklist ${HOME}/.cache/telepathy
@@ -986,6 +1004,7 @@ blacklist ${HOME}/.cache/vmware
 blacklist ${HOME}/.cache/warsow-2.1
 blacklist ${HOME}/.cache/waterfox
 blacklist ${HOME}/.cache/wesnoth
+blacklist ${HOME}/.cache/winetricks
 blacklist ${HOME}/.cache/xmms2
 blacklist ${HOME}/.cache/xreader
 blacklist ${HOME}/.cache/yandex-browser
diff --git a/etc/inc/disable-shell.inc b/etc/inc/disable-shell.inc
index e66d23c9f..8274b0215 100644
--- a/etc/inc/disable-shell.inc
+++ b/etc/inc/disable-shell.inc
@@ -8,6 +8,7 @@ blacklist ${PATH}/dash
 blacklist ${PATH}/fish
 blacklist ${PATH}/ksh
 blacklist ${PATH}/mksh
+blacklist ${PATH}/oksh
 blacklist ${PATH}/sh
 blacklist ${PATH}/tclsh
 blacklist ${PATH}/tcsh
diff --git a/etc/inc/disable-write-mnt.inc b/etc/inc/disable-write-mnt.inc
index 3990cf760..01f57cb0f 100644
--- a/etc/inc/disable-write-mnt.inc
+++ b/etc/inc/disable-write-mnt.inc
@@ -2,7 +2,7 @@
 # Persistent customizations should go in a .local file.
 include disable-write-mnt.local
 
-read-only /mnt
 read-only /media
-read-only /run/mount
+read-only /mnt
 read-only /run/media
+read-only /run/mount
diff --git a/etc/inc/whitelist-common.inc b/etc/inc/whitelist-common.inc
index 7ea692607..1d3728521 100644
--- a/etc/inc/whitelist-common.inc
+++ b/etc/inc/whitelist-common.inc
@@ -1,4 +1,5 @@
-# Local customizations come here
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
 include whitelist-common.local
 
 # common whitelist for all profiles
diff --git a/etc/inc/whitelist-players.inc b/etc/inc/whitelist-player-common.inc
index 0e473768b..e5bf36804 100644
--- a/etc/inc/whitelist-players.inc
+++ b/etc/inc/whitelist-player-common.inc
@@ -1,5 +1,6 @@
-# Local customizations come here
-include whitelist-players.local
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include whitelist-player-common.local
 
 # common whitelist for all media players
 
diff --git a/etc/inc/whitelist-runuser-common.inc b/etc/inc/whitelist-runuser-common.inc
index 7d9f106ef..0a1030b34 100644
--- a/etc/inc/whitelist-runuser-common.inc
+++ b/etc/inc/whitelist-runuser-common.inc
@@ -1,4 +1,5 @@
-# Local customizations come here
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
 include whitelist-runuser-common.local
 
 # common ${RUNUSER} (=/run/user/$UID) whitelist for all profiles
@@ -10,4 +11,5 @@ whitelist ${RUNUSER}/ICEauthority
 whitelist ${RUNUSER}/.mutter-Xwaylandauth.*
 whitelist ${RUNUSER}/pulse/native
 whitelist ${RUNUSER}/wayland-0
+whitelist ${RUNUSER}/wayland-1
 whitelist ${RUNUSER}/xauth_*
diff --git a/etc/inc/whitelist-usr-share-common.inc b/etc/inc/whitelist-usr-share-common.inc
index de4ae2101..45e988602 100644
--- a/etc/inc/whitelist-usr-share-common.inc
+++ b/etc/inc/whitelist-usr-share-common.inc
@@ -1,4 +1,5 @@
-# Local customizations come here
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
 include whitelist-usr-share-common.local
 
 # common /usr/share whitelist for all profiles
@@ -60,6 +61,8 @@ whitelist /usr/share/texlive
 whitelist /usr/share/texmf
 whitelist /usr/share/themes
 whitelist /usr/share/thumbnail.so
+whitelist /usr/share/vulkan
 whitelist /usr/share/X11
 whitelist /usr/share/xml
+whitelist /usr/share/zenity
 whitelist /usr/share/zoneinfo
diff --git a/etc/inc/whitelist-var-common.inc b/etc/inc/whitelist-var-common.inc
index 08bd23d6a..1c077b232 100644
--- a/etc/inc/whitelist-var-common.inc
+++ b/etc/inc/whitelist-var-common.inc
@@ -1,4 +1,5 @@
-# Local customizations come here
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
 include whitelist-var-common.local
 
 # common /var whitelist for all profiles
diff --git a/etc/profile-a-l/7z.profile b/etc/profile-a-l/7z.profile
index 02a2e7ea0..5e1c17b28 100644
--- a/etc/profile-a-l/7z.profile
+++ b/etc/profile-a-l/7z.profile
@@ -7,41 +7,6 @@ include 7z.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
-
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-
-apparmor
-caps.drop all
-hostname 7z
-ipc-namespace
-machine-id
-net none
-no3d
-nodvd
-#nogroups
-nonewprivs
-#noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-x11 none
-
-#private-bin 7z,7z*,p7zip
-private-cache
-private-dev
-
-dbus-user none
-dbus-system none
-
-memory-deny-write-execute
+noblacklist ${PATH}/bash
+noblacklist ${PATH}/sh
+include archiver-common.inc
diff --git a/etc/profile-a-l/alacarte.profile b/etc/profile-a-l/alacarte.profile
new file mode 100644
index 000000000..98188d2a7
--- /dev/null
+++ b/etc/profile-a-l/alacarte.profile
@@ -0,0 +1,64 @@
+# Firejail profile for alacarte
+# Description: Create desktop and menu launchers easily
+# This file is overwritten after every install/update
+# Persistent local customizations
+include alacarte.local
+# Persistent global definitions
+include globals.local
+
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-passwdmgr.inc
+include disable-xdg.inc
+
+# Whitelist your system icon directory,varies by distro
+whitelist /usr/share/alacarte
+whitelist /usr/share/app-info
+whitelist /usr/share/desktop-directories
+whitelist /usr/share/icons
+whitelist /var/lib/app-info/icons
+whitelist /var/lib/flatpak/exports/share/applications
+whitelist /var/lib/flatpak/exports/share/icons
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+no3d
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+# private-bin alacarte,bash,python*,sh
+private-cache
+private-dev
+private-etc alternatives,dconf,fonts,gtk-3.0,locale.alias,locale.conf,login.defs,mime.types,nsswitch.conf,passwd,pki,X11,xdg
+private-tmp
+
+dbus-user none
+dbus-system none
+
+read-write ${HOME}/.config/menus
+read-write ${HOME}/.gnome/apps
+read-write ${HOME}/.local/share/applications
+read-write ${HOME}/.local/share/flatpak/exports
diff --git a/etc/profile-a-l/ar.profile b/etc/profile-a-l/ar.profile
index 183587ff8..c2b215807 100644
--- a/etc/profile-a-l/ar.profile
+++ b/etc/profile-a-l/ar.profile
@@ -7,42 +7,4 @@ include ar.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
-
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-include disable-shell.inc
-
-apparmor
-caps.drop all
-hostname ar
-ipc-namespace
-machine-id
-net none
-no3d
-nodvd
-nogroups
-nonewprivs
-#noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-x11 none
-
-private-bin ar
-private-cache
-private-dev
-
-dbus-user none
-dbus-system none
-
-memory-deny-write-execute
+include archiver-common.inc
diff --git a/etc/profile-a-l/atom.profile b/etc/profile-a-l/atom.profile
index cf0a5a42b..f21a5febf 100644
--- a/etc/profile-a-l/atom.profile
+++ b/etc/profile-a-l/atom.profile
@@ -6,31 +6,27 @@ include atom.local
 # Persistent global definitions
 include globals.local
 
+# Disabled until someone reported positive feedback
+ignore include disable-devel.inc
+ignore include disable-interpreters.inc
+ignore include disable-xdg.inc
+ignore whitelist ${DOWNLOADS}
+ignore include whitelist-common.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+ignore include whitelist-var-common.inc
+ignore apparmor
+ignore disable-mnt
+
 noblacklist ${HOME}/.atom
 noblacklist ${HOME}/.config/Atom
 
 # Allows files commonly used by IDEs
 include allow-common-devel.inc
 
-include disable-common.inc
-include disable-exec.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-
-caps.keep sys_admin,sys_chroot
 # net none
 netfilter
-nodvd
-nogroups
 nosound
-notv
-nou2f
-novideo
-shell none
-
-private-cache
-private-dev
-private-tmp
 
-dbus-user none
-dbus-system none
+# Redirect
+include electron.profile
diff --git a/etc/profile-a-l/atool.profile b/etc/profile-a-l/atool.profile
index e501e956c..34af47df2 100644
--- a/etc/profile-a-l/atool.profile
+++ b/etc/profile-a-l/atool.profile
@@ -7,47 +7,12 @@ include atool.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
-
 # Allow perl (blacklisted by disable-interpreters.inc)
 include allow-perl.inc
+include archiver-common.inc
 
-include disable-common.inc
-# include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-
-apparmor
-caps.drop all
-hostname atool
-ipc-namespace
-machine-id
-net none
-no3d
-nodvd
-nogroups
-nonewprivs
 noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-x11 none
 
-# private-bin atool,perl
-private-cache
-private-dev
 # without login.defs atool complains and uses UID/GID 1000 by default
 private-etc alternatives,group,login.defs,passwd
 private-tmp
-
-dbus-user none
-dbus-system none
-
-memory-deny-write-execute
diff --git a/etc/profile-a-l/authenticator-rs.profile b/etc/profile-a-l/authenticator-rs.profile
new file mode 100644
index 000000000..fb12018f5
--- /dev/null
+++ b/etc/profile-a-l/authenticator-rs.profile
@@ -0,0 +1,55 @@
+# Firejail profile for authenticator-rs
+# Description: Rust based 2FA authentication program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include authenticator-rs.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/authenticator-rs
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.local/share/authenticator-rs
+whitelist ${HOME}/.local/share/authenticator-rs
+whitelist ${DOWNLOADS}
+whitelist /usr/share/uk.co.grumlimited.authenticator-rs
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin authenticator-rs
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,pki,resolv.conf,ssl,xdg
+private-tmp
+
+dbus-user filter
+dbus-user.talk ca.desrt.dconf
+dbus-system none
diff --git a/etc/profile-a-l/balsa.profile b/etc/profile-a-l/balsa.profile
index a401ac592..cda6b1aa0 100644
--- a/etc/profile-a-l/balsa.profile
+++ b/etc/profile-a-l/balsa.profile
@@ -58,7 +58,7 @@ shell none
 tracelog
 
 # disable-mnt
-# Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg 
+# Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg
 # Add "ignore private-bin" for hyperlinks or have a look at the private-bins in firefox.profile and firefox-common.profile.
 private-bin balsa,balsa-ab
 private-cache
diff --git a/etc/profile-a-l/beaker.profile b/etc/profile-a-l/beaker.profile
index cc1886a49..f3a9568bd 100644
--- a/etc/profile-a-l/beaker.profile
+++ b/etc/profile-a-l/beaker.profile
@@ -3,17 +3,26 @@
 # Persistent local customizations
 include beaker.local
 # Persistent global definitions
-# added by included profile
-#include globals.local
+include globals.local
 
-noblacklist ${HOME}/.config/Beaker Browser
+# Disabled until someone reported positive feedback
+ignore include disable-exec.inc
+ignore include disable-xdg.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+ignore include whitelist-var-common.inc
+ignore nou2f
+ignore novideo
+ignore shell none
+ignore disable-mnt
+ignore private-cache
+ignore private-dev
+ignore private-tmp
 
-include disable-devel.inc
-include disable-interpreters.inc
+noblacklist ${HOME}/.config/Beaker Browser
 
 mkdir ${HOME}/.config/Beaker Browser
 whitelist ${HOME}/.config/Beaker Browser
-include whitelist-common.inc
 
 # Redirect
 include electron.profile
diff --git a/etc/profile-a-l/brave.profile b/etc/profile-a-l/brave.profile
index 904d3e94f..5a5e9eacd 100644
--- a/etc/profile-a-l/brave.profile
+++ b/etc/profile-a-l/brave.profile
@@ -10,10 +10,6 @@ include globals.local
 ignore noexec /tmp
 # TOR is installed in ${HOME}
 ignore noexec ${HOME}
-# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
-ignore whitelist /usr/share/chromium
-ignore include whitelist-runuser-common.inc
-ignore include whitelist-usr-share-common.inc
 
 noblacklist ${HOME}/.cache/BraveSoftware
 noblacklist ${HOME}/.config/BraveSoftware
diff --git a/etc/profile-a-l/bsdtar.profile b/etc/profile-a-l/bsdtar.profile
index 08e51f3c1..c37f4071e 100644
--- a/etc/profile-a-l/bsdtar.profile
+++ b/etc/profile-a-l/bsdtar.profile
@@ -6,43 +6,6 @@ include bsdtar.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
+include archiver-common.inc
 
-include disable-common.inc
-# include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-
-apparmor
-caps.drop all
-hostname bsdtar
-ipc-namespace
-machine-id
-net none
-no3d
-nodvd
-nogroups
-nonewprivs
-# noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-x11 none
-
-# support compressed archives
-private-bin bash,bsdcat,bsdcpio,bsdtar,bzip2,compress,gtar,gzip,lbzip2,libarchive,lz4,lzip,lzma,lzop,sh,xz
-private-cache
-private-dev
 private-etc alternatives,group,localtime,passwd
-
-dbus-user none
-dbus-system none
-
-memory-deny-write-execute
diff --git a/etc/profile-a-l/celluloid.profile b/etc/profile-a-l/celluloid.profile
index 56709a466..d379651c7 100644
--- a/etc/profile-a-l/celluloid.profile
+++ b/etc/profile-a-l/celluloid.profile
@@ -32,7 +32,7 @@ whitelist ${HOME}/.config/celluloid
 whitelist ${HOME}/.config/gnome-mpv
 whitelist ${HOME}/.config/youtube-dl
 include whitelist-common.inc
-include whitelist-players.inc
+include whitelist-player-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/chromium-common.profile b/etc/profile-a-l/chromium-common.profile
index 6a9cf99b0..ce9c652c6 100644
--- a/etc/profile-a-l/chromium-common.profile
+++ b/etc/profile-a-l/chromium-common.profile
@@ -25,7 +25,6 @@ mkdir ${HOME}/.local/share/pki
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.pki
 whitelist ${HOME}/.local/share/pki
-whitelist /usr/share/chromium
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/chromium.profile b/etc/profile-a-l/chromium.profile
index dab9ce449..14f1bbe64 100644
--- a/etc/profile-a-l/chromium.profile
+++ b/etc/profile-a-l/chromium.profile
@@ -15,6 +15,7 @@ mkdir ${HOME}/.config/chromium
 whitelist ${HOME}/.cache/chromium
 whitelist ${HOME}/.config/chromium
 whitelist ${HOME}/.config/chromium-flags.conf
+whitelist /usr/share/chromium
 
 # private-bin chromium,chromium-browser,chromedriver
 
diff --git a/etc/profile-a-l/com.github.bleakgrey.tootle.profile b/etc/profile-a-l/com.github.bleakgrey.tootle.profile
new file mode 100644
index 000000000..4de7eb497
--- /dev/null
+++ b/etc/profile-a-l/com.github.bleakgrey.tootle.profile
@@ -0,0 +1,55 @@
+# Firejail profile for com.github.bleakgrey.tootle
+# Description: Gtk Mastodon client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include com.github.bleakgrey.tootle.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/com.github.bleakgrey.tootle
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/com.github.bleakgrey.tootle
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.config/com.github.bleakgrey.tootle
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin com.github.bleakgrey.tootle
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,machine-id mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg
+private-tmp
+
+# Settings are immutable
+# dbus-user filter
+# dbus-user.own com.github.bleakgrey.tootle
+# dbus-user.talk ca.desrt.dconf
+dbus-system none
diff --git a/etc/profile-a-l/cower.profile b/etc/profile-a-l/cower.profile
index 0ab5a7f78..2c6b15e02 100644
--- a/etc/profile-a-l/cower.profile
+++ b/etc/profile-a-l/cower.profile
@@ -46,5 +46,4 @@ private-dev
 private-tmp
 
 memory-deny-write-execute
-
 read-only ${HOME}/.config/cower/config
diff --git a/etc/profile-a-l/cpio.profile b/etc/profile-a-l/cpio.profile
index 087a5b2bb..785308ffd 100644
--- a/etc/profile-a-l/cpio.profile
+++ b/etc/profile-a-l/cpio.profile
@@ -7,40 +7,7 @@ include cpio.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
-
 noblacklist /sbin
 noblacklist /usr/sbin
 
-include disable-common.inc
-# include disable-devel.inc
-include disable-exec.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-
-apparmor
-caps.drop all
-hostname cpio
-ipc-namespace
-machine-id
-net none
-no3d
-nodvd
-nogroups
-nonewprivs
-nosound
-notv
-nou2f
-novideo
-seccomp
-shell none
-tracelog
-x11 none
-
-private-cache
-private-dev
-
-dbus-user none
-dbus-system none
-
-memory-deny-write-execute
+include archiver-common.inc
diff --git a/etc/profile-a-l/curl.profile b/etc/profile-a-l/curl.profile
index 996ff51d3..f8b194044 100644
--- a/etc/profile-a-l/curl.profile
+++ b/etc/profile-a-l/curl.profile
@@ -7,10 +7,15 @@ include curl.local
 # Persistent global definitions
 include globals.local
 
+# curl 7.74.0 introduces experimental support for HSTS cache
+# https://daniel.haxx.se/blog/2020/11/03/hsts-your-curl/
+# technically this file can be anywhere but let's assume users have it in ${HOME}/.curl-hsts
+# if your setup diverts, add 'blacklist /path/to/curl/hsts/file' to your disable-programs.local
+# and 'noblacklist /path/to/curl/hsts/file' to curl.local to keep the sandbox logic intact
+noblacklist ${HOME}/.curl-hsts
 noblacklist ${HOME}/.curlrc
 
 blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
 blacklist ${RUNUSER}
 
 include disable-common.inc
diff --git a/etc/profile-a-l/default.profile b/etc/profile-a-l/default.profile
index 7eb7660dd..2ecf1a45d 100644
--- a/etc/profile-a-l/default.profile
+++ b/etc/profile-a-l/default.profile
@@ -5,7 +5,7 @@ include default.local
 # Persistent global definitions
 include globals.local
 
-# generic gui profile
+# generic GUI profile
 # depending on your usage, you can enable some of the commands below:
 
 include disable-common.inc
@@ -14,12 +14,13 @@ include disable-common.inc
 # include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+# include disable-shell.inc
 # include disable-write-mnt.inc
 # include disable-xdg.inc
 
 # include whitelist-common.inc
-# include whitelist-usr-share-common.inc
 # include whitelist-runuser-common.inc
+# include whitelist-usr-share-common.inc
 # include whitelist-var-common.inc
 
 # apparmor
diff --git a/etc/profile-a-l/devhelp.profile b/etc/profile-a-l/devhelp.profile
index b8b07469d..a47a71feb 100644
--- a/etc/profile-a-l/devhelp.profile
+++ b/etc/profile-a-l/devhelp.profile
@@ -50,5 +50,4 @@ private-tmp
 # dbus-system none
 
 #memory-deny-write-execute - breaks on Arch (see issue #1803)
-
 read-only ${HOME}
diff --git a/etc/profile-a-l/devilspie.profile b/etc/profile-a-l/devilspie.profile
index 1ab10a6f6..7c3ac50ad 100644
--- a/etc/profile-a-l/devilspie.profile
+++ b/etc/profile-a-l/devilspie.profile
@@ -56,5 +56,4 @@ dbus-user none
 dbus-system none
 
 memory-deny-write-execute
-
 read-only ${HOME}
diff --git a/etc/profile-a-l/dig.profile b/etc/profile-a-l/dig.profile
index 152dfd980..80d97a31f 100644
--- a/etc/profile-a-l/dig.profile
+++ b/etc/profile-a-l/dig.profile
@@ -11,7 +11,6 @@ noblacklist ${HOME}/.digrc
 noblacklist ${PATH}/dig
 
 blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
 blacklist ${RUNUSER}
 
 include disable-common.inc
diff --git a/etc/profile-a-l/discord-common.profile b/etc/profile-a-l/discord-common.profile
index 35bea4aaa..e6edbd7eb 100644
--- a/etc/profile-a-l/discord-common.profile
+++ b/etc/profile-a-l/discord-common.profile
@@ -6,33 +6,24 @@ include discord-common.local
 # added by caller profile
 #include globals.local
 
-ignore noexec ${HOME}
+# Disabled until someone reported positive feedback
+ignore include disable-interpreters.inc
+ignore include disable-xdg.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+ignore apparmor
+ignore disable-mnt
+ignore private-cache
+ignore dbus-user none
+ignore dbus-system none
 
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
+ignore noexec ${HOME}
 
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.config/BetterDiscord
 whitelist ${HOME}/.local/share/betterdiscordctl
-include whitelist-common.inc
-include whitelist-var-common.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-nou2f
-novideo
-protocol unix,inet,inet6,netlink
-seccomp !chroot
 
 private-bin bash,cut,echo,egrep,fish,grep,head,sed,sh,tclsh,tr,xdg-mime,xdg-open,zsh
-private-dev
 private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,login.defs,machine-id,password,pki,resolv.conf,ssl
-private-tmp
+
+# Redirect
+include electron.profile
diff --git a/etc/profile-a-l/dolphin-emu.profile b/etc/profile-a-l/dolphin-emu.profile
new file mode 100644
index 000000000..13d830b55
--- /dev/null
+++ b/etc/profile-a-l/dolphin-emu.profile
@@ -0,0 +1,63 @@
+# Firejail profile for dolphin-emu
+# Description: An emulator for Gamecube and Wii games
+# This file is overwritten after every install/update
+# Persistent local customizations
+include dolphin-emu.local
+# Persistent global definitions
+include globals.local
+
+# Note: you must whitelist your games folder in a dolphin-emu.local
+
+noblacklist ${HOME}/.cache/dolphin-emu
+noblacklist ${HOME}/.config/dolphin-emu
+noblacklist ${HOME}/.local/share/dolphin-emu
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/dolphin-emu
+mkdir ${HOME}/.config/dolphin-emu
+mkdir ${HOME}/.local/share/dolphin-emu
+whitelist ${HOME}/.cache/dolphin-emu
+whitelist ${HOME}/.config/dolphin-emu
+whitelist ${HOME}/.local/share/dolphin-emu
+whitelist /usr/share/dolphin-emu
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+# uncomment the following line if you do not need NetPlay support
+# net none
+netfilter
+# uncomment the following line if you do not need disc support
+#nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink,bluetooth
+seccomp
+shell none
+tracelog
+
+private-bin bash,dolphin-emu,dolphin-emu-x11,sh
+private-cache
+# uncomment the following line if you do not need controller support
+#private-dev
+private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dconf,drirc,fonts,gconf,glvnd,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,kde4rc,kde5rc,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,nvidia,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,Trolltech.conf,X11,xdg
+private-opt none
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/drill.profile b/etc/profile-a-l/drill.profile
new file mode 100644
index 000000000..07f47be5d
--- /dev/null
+++ b/etc/profile-a-l/drill.profile
@@ -0,0 +1,55 @@
+# Firejail profile for drill
+# Description: DNS lookup utility
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include drill.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${PATH}/drill
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}
+
+include disable-common.inc
+# include disable-devel.inc
+include disable-exec.inc
+# include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private
+private-bin bash,drill,sh
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-a-l/electron.profile b/etc/profile-a-l/electron.profile
index 9b99c7ffb..d3be07c9d 100644
--- a/etc/profile-a-l/electron.profile
+++ b/etc/profile-a-l/electron.profile
@@ -3,25 +3,39 @@
 # This file is overwritten after every install/update
 # Persistent local customizations
 include electron.local
-# Persistent global definitions
-include globals.local
 
 include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 
 whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+# Uncomment the next line (or add it to your chromium-common.local)
+# if your kernel allows unprivileged userns clone.
+#include chromium-common-hardened.inc
 
 apparmor
-caps.drop all
+caps.keep sys_admin,sys_chroot
 netfilter
 nodvd
 nogroups
-nonewprivs
-noroot
 notv
-protocol unix,inet,inet6,netlink
-seccomp
+nou2f
+novideo
+shell none
+
+disable-mnt
+private-cache
+private-dev
+private-tmp
 
 dbus-user none
 dbus-system none
diff --git a/etc/profile-a-l/element-desktop.profile b/etc/profile-a-l/element-desktop.profile
index c1aa821e3..48a826f2e 100644
--- a/etc/profile-a-l/element-desktop.profile
+++ b/etc/profile-a-l/element-desktop.profile
@@ -7,16 +7,18 @@ include element-desktop.local
 # added by included profile
 #include globals.local
 
+ignore dbus-user none
+
 noblacklist ${HOME}/.config/Element
-noblacklist ${HOME}/.config/Element (Riot)
 
 mkdir ${HOME}/.config/Element
-mkdir ${HOME}/.config/Element (Riot)
 whitelist ${HOME}/.config/Element
-whitelist ${HOME}/.config/Element (Riot)
 whitelist /opt/Element
 
 private-opt Element
 
+dbus-user filter
+dbus-user.talk org.freedesktop.secrets
+
 # Redirect
 include riot-desktop.profile
diff --git a/etc/profile-a-l/falkon.profile b/etc/profile-a-l/falkon.profile
index 0024b6660..640b0e485 100644
--- a/etc/profile-a-l/falkon.profile
+++ b/etc/profile-a-l/falkon.profile
@@ -15,15 +15,20 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 
 mkdir ${HOME}/.cache/falkon
 mkdir ${HOME}/.config/falkon
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/falkon
 whitelist ${HOME}/.config/falkon
+whitelist /usr/share/falkon
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 netfilter
 nodvd
@@ -37,7 +42,13 @@ protocol unix,inet,inet6,netlink
 seccomp !chroot
 # tracelog
 
+disable-mnt
+# private-bin falkon
+private-cache
 private-dev
-# private-etc alternatives,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,adobe,mime.types,mailcap,asound.conf,pulse,machine-id,ca-certificates,ssl,pki,crypto-policies
-# private-tmp - interferes with the opening of downloaded files
+private-etc adobe,alternatives,asound.conf,ati,ca-certificates,crypto-policies,dconf,drirc,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg
+private-tmp
 
+# dbus-user filter
+# dbus-user.own org.kde.Falkon
+dbus-system none
diff --git a/etc/profile-a-l/feh.profile b/etc/profile-a-l/feh.profile
index 3ee07e559..8ac7755de 100644
--- a/etc/profile-a-l/feh.profile
+++ b/etc/profile-a-l/feh.profile
@@ -1,6 +1,7 @@
 # Firejail profile for feh
 # Description: imlib2 based image viewer
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include feh.local
 # Persistent global definitions
diff --git a/etc/profile-a-l/file.profile b/etc/profile-a-l/file.profile
index 74620d4cd..c02f9e3de 100644
--- a/etc/profile-a-l/file.profile
+++ b/etc/profile-a-l/file.profile
@@ -7,7 +7,6 @@ include file.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
 blacklist ${RUNUSER}
 
 include disable-common.inc
diff --git a/etc/profile-a-l/firefox.profile b/etc/profile-a-l/firefox.profile
index 3472ac5c4..772aad7da 100644
--- a/etc/profile-a-l/firefox.profile
+++ b/etc/profile-a-l/firefox.profile
@@ -16,6 +16,7 @@ whitelist ${HOME}/.mozilla
 
 whitelist /usr/share/doc
 whitelist /usr/share/firefox
+whitelist /usr/share/gnome-shell/search-providers/firefox-search-provider.ini
 whitelist /usr/share/gtk-doc/html
 whitelist /usr/share/mozilla
 whitelist /usr/share/webext
@@ -29,6 +30,7 @@ include whitelist-usr-share-common.inc
 #private-etc firefox
 
 dbus-user filter
+dbus-user.own org.mozilla.Firefox.*
 dbus-user.own org.mozilla.firefox.*
 dbus-user.own org.mpris.MediaPlayer2.firefox.*
 # Uncomment or put in your firefox.local to enable native notifications.
diff --git a/etc/profile-a-l/fractal.profile b/etc/profile-a-l/fractal.profile
index ab907eb0d..c3af29e15 100644
--- a/etc/profile-a-l/fractal.profile
+++ b/etc/profile-a-l/fractal.profile
@@ -1,5 +1,5 @@
 # Firejail profile for fractal
-# Description: Desktop client for Matrix 
+# Description: Desktop client for Matrix
 # This file is overwritten after every install/update
 # Persistent local customizations
 include fractal.local
@@ -21,7 +21,7 @@ mkdir ${HOME}/.cache/fractal
 whitelist ${HOME}/.cache/fractal
 whitelist ${DOWNLOADS}
 include whitelist-common.inc
-include whitelist-runuser-common.inc 
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/freeoffice-planmaker.profile b/etc/profile-a-l/freeoffice-planmaker.profile
index 9449e7c48..b6ca167eb 100644
--- a/etc/profile-a-l/freeoffice-planmaker.profile
+++ b/etc/profile-a-l/freeoffice-planmaker.profile
@@ -7,4 +7,4 @@ include freeoffice-planmaker.local
 include globals.local
 
 # Redirect
-include softmaker-common.inc
+include softmaker-common.profile
diff --git a/etc/profile-a-l/freeoffice-presentations.profile b/etc/profile-a-l/freeoffice-presentations.profile
index 636868e2e..43661028c 100644
--- a/etc/profile-a-l/freeoffice-presentations.profile
+++ b/etc/profile-a-l/freeoffice-presentations.profile
@@ -7,4 +7,4 @@ include freeoffice-presentations.local
 include globals.local
 
 # Redirect
-include softmaker-common.inc
+include softmaker-common.profile
diff --git a/etc/profile-a-l/freeoffice-textmaker.profile b/etc/profile-a-l/freeoffice-textmaker.profile
index 5d98d1cc6..f7d30eaed 100644
--- a/etc/profile-a-l/freeoffice-textmaker.profile
+++ b/etc/profile-a-l/freeoffice-textmaker.profile
@@ -6,4 +6,4 @@ include freeoffice-textmaker.local
 include globals.local
 
 # Redirect
-include softmaker-common.inc
+include softmaker-common.profile
diff --git a/etc/profile-a-l/freetube.profile b/etc/profile-a-l/freetube.profile
index 91f0caf87..e6aff533d 100644
--- a/etc/profile-a-l/freetube.profile
+++ b/etc/profile-a-l/freetube.profile
@@ -8,24 +8,13 @@ include globals.local
 
 noblacklist ${HOME}/.config/FreeTube
 
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-shell.inc 
-include disable-xdg.inc
+include disable-shell.inc
 
 mkdir ${HOME}/.config/FreeTube
 whitelist ${HOME}/.config/FreeTube
 
-seccomp !chroot
-shell none
-
-disable-mnt
 private-bin freetube
-private-cache
-private-dev
 private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg
-private-tmp
 
 # Redirect
 include electron.profile
diff --git a/etc/profile-a-l/geekbench.profile b/etc/profile-a-l/geekbench.profile
index e06a9afad..77287769a 100644
--- a/etc/profile-a-l/geekbench.profile
+++ b/etc/profile-a-l/geekbench.profile
@@ -51,5 +51,4 @@ dbus-user none
 dbus-system none
 
 #memory-deny-write-execute - breaks on Arch (see issue #1803)
-
 read-only ${HOME}
diff --git a/etc/profile-a-l/ghostwriter.profile b/etc/profile-a-l/ghostwriter.profile
index c15174815..d56d6714e 100644
--- a/etc/profile-a-l/ghostwriter.profile
+++ b/etc/profile-a-l/ghostwriter.profile
@@ -11,6 +11,8 @@ noblacklist ${HOME}/.local/share/ghostwriter
 noblacklist ${DOCUMENTS}
 noblacklist ${PICTURES}
 
+include allow-lua.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/profile-a-l/gimp.profile b/etc/profile-a-l/gimp.profile
index ed27de7f5..bc5ef966c 100644
--- a/etc/profile-a-l/gimp.profile
+++ b/etc/profile-a-l/gimp.profile
@@ -52,7 +52,7 @@ nosound
 notv
 nou2f
 protocol unix
-seccomp
+seccomp !mbind
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/github-desktop.profile b/etc/profile-a-l/github-desktop.profile
index 152396553..325c54ced 100644
--- a/etc/profile-a-l/github-desktop.profile
+++ b/etc/profile-a-l/github-desktop.profile
@@ -6,43 +6,35 @@ include github-desktop.local
 # Persistent global definitions
 include globals.local
 
+# Note: On debian-based distributions the binary might be located in
+# /opt/GitHub Desktop/github-desktop, and therefore not be in PATH.
+# If that's the case you can start GitHub Desktop with firejail via
+# `firejail "/opt/GitHub Desktop/github-desktop"`.
+
+# Disabled until someone reported positive feedback
+ignore include disable-xdg.inc
+ignore whitelist ${DOWNLOADS}
+ignore include whitelist-common.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+ignore include whitelist-var-common.inc
+ignore apparmor
+ignore dbus-user none
+ignore dbus-system none
+
 noblacklist ${HOME}/.config/GitHub Desktop
 noblacklist ${HOME}/.config/git
 noblacklist ${HOME}/.gitconfig
 noblacklist ${HOME}/.git-credentials
 
-include disable-common.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-
-caps.drop all
-netfilter
 # no3d
-nodvd
-nogroups
-nonewprivs
-noroot
 nosound
-notv
-nou2f
-novideo
-protocol unix,inet,inet6,netlink
-seccomp !chroot
 
-# Note: On debian-based distributions the binary might be located in
-# /opt/GitHub Desktop/github-desktop, and therefore not be in PATH.
-# If that's the case you can start GitHub Desktop with firejail via
-# `firejail "/opt/GitHub Desktop/github-desktop"`.
-
-disable-mnt
 # private-bin github-desktop
-private-cache
 ?HAS_APPIMAGE: ignore private-dev
-private-dev
 # private-lib
-private-tmp
 
 # memory-deny-write-execute
+
+# Redirect
+include electron.profile
diff --git a/etc/profile-a-l/gnome-system-log.profile b/etc/profile-a-l/gnome-system-log.profile
index 14b0f758e..9c0a26a02 100644
--- a/etc/profile-a-l/gnome-system-log.profile
+++ b/etc/profile-a-l/gnome-system-log.profile
@@ -53,7 +53,6 @@ writable-var-log
 # dbus-system none
 
 memory-deny-write-execute
-
-# comment this if you export logs to a file in your ${HOME}
+# Comment the line below if you export logs to a file in your ${HOME}
 # or put 'ignore read-only ${HOME}' in your gnome-system-log.local
 read-only ${HOME}
diff --git a/etc/profile-a-l/godot.profile b/etc/profile-a-l/godot.profile
index 8324a4eb5..f37f345ba 100644
--- a/etc/profile-a-l/godot.profile
+++ b/etc/profile-a-l/godot.profile
@@ -38,7 +38,7 @@ tracelog
 # private-bin godot
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,machine-id,nsswitch.conf,openal,pki,pulse,resolv.conf,ssl
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,machine-id,mono,nsswitch.conf,openal,pki,pulse,resolv.conf,ssl
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/gtk-straw-viewer.profile b/etc/profile-a-l/gtk-straw-viewer.profile
new file mode 100644
index 000000000..e2721360b
--- /dev/null
+++ b/etc/profile-a-l/gtk-straw-viewer.profile
@@ -0,0 +1,14 @@
+# Firejail profile for gtk-straw-viewer
+# Description: Gtk front-end to straw-viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gtk-straw-viewer.local
+# added by included profile
+#include globals.local
+
+ignore quiet
+
+include whitelist-runuser-common.inc
+
+# Redirect
+include straw-viewer.profile
diff --git a/etc/profile-a-l/gtk-youtube-viewer b/etc/profile-a-l/gtk-youtube-viewer.profile
index 023f10d3d..848979b52 100644
--- a/etc/profile-a-l/gtk-youtube-viewer
+++ b/etc/profile-a-l/gtk-youtube-viewer.profile
@@ -3,16 +3,12 @@
 # This file is overwritten after every install/update
 # Persistent local customizations
 include gtk-youtube-viewer.local
-# Persistent global definitions
-# include globals.local
+# added by included profile
+#include globals.local
 
 ignore quiet
 
-noblacklist /tmp/.X11-unix
-noblacklist ${RUNUSER}/wayland-*
-noblacklist ${RUNUSER}
-
 include whitelist-runuser-common.inc
 
 # Redirect
-include youtube-viewer.profile
\ No newline at end of file
+include youtube-viewer.profile
diff --git a/etc/profile-a-l/gtk2-youtube-viewer b/etc/profile-a-l/gtk2-youtube-viewer.profile
index 331e73218..787c7bd90 100644
--- a/etc/profile-a-l/gtk2-youtube-viewer
+++ b/etc/profile-a-l/gtk2-youtube-viewer.profile
@@ -3,16 +3,15 @@
 # This file is overwritten after every install/update
 # Persistent local customizations
 include gtk2-youtube-viewer.local
-# Persistent global definitions
-# include globals.local
+# added by included profile
+#include globals.local
 
 ignore quiet
 
 noblacklist /tmp/.X11-unix
-noblacklist ${RUNUSER}/wayland-*
 noblacklist ${RUNUSER}
 
 include whitelist-runuser-common.inc
 
 # Redirect
-include youtube-viewer.profile
\ No newline at end of file
+include youtube-viewer.profile
diff --git a/etc/profile-a-l/gtk3-youtube-viewer b/etc/profile-a-l/gtk3-youtube-viewer.profile
index 4c5bde55f..988882622 100644
--- a/etc/profile-a-l/gtk3-youtube-viewer
+++ b/etc/profile-a-l/gtk3-youtube-viewer.profile
@@ -3,16 +3,15 @@
 # This file is overwritten after every install/update
 # Persistent local customizations
 include gtk3-youtube-viewer.local
-# Persistent global definitions
-# include globals.local
+# added by included profile
+#include globals.local
 
 ignore quiet
 
 noblacklist /tmp/.X11-unix
-noblacklist ${RUNUSER}/wayland-*
 noblacklist ${RUNUSER}
 
 include whitelist-runuser-common.inc
 
 # Redirect
-include youtube-viewer.profile
\ No newline at end of file
+include youtube-viewer.profile
diff --git a/etc/profile-a-l/gzip.profile b/etc/profile-a-l/gzip.profile
index 8ec39d8ca..9b59e57e7 100644
--- a/etc/profile-a-l/gzip.profile
+++ b/etc/profile-a-l/gzip.profile
@@ -7,43 +7,7 @@ include gzip.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
-
 # Arch Linux (based distributions) need access to /var/lib/pacman. As we drop all capabilities this is automatically read-only.
 noblacklist /var/lib/pacman
 
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-
-apparmor
-caps.drop all
-hostname gzip
-ipc-namespace
-machine-id
-net none
-no3d
-nodvd
-nogroups
-nonewprivs
-#noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-x11 none
-
-private-cache
-private-dev
-
-dbus-user none
-dbus-system none
-
-memory-deny-write-execute
+include archiver-common.inc
diff --git a/etc/profile-a-l/highlight.profile b/etc/profile-a-l/highlight.profile
index 0761aa2fc..c2812d7f5 100644
--- a/etc/profile-a-l/highlight.profile
+++ b/etc/profile-a-l/highlight.profile
@@ -6,7 +6,6 @@ include highlight.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
 blacklist ${RUNUSER}
 
 include disable-common.inc
diff --git a/etc/profile-a-l/homebank.profile b/etc/profile-a-l/homebank.profile
index 8e600a2d7..da32de640 100644
--- a/etc/profile-a-l/homebank.profile
+++ b/etc/profile-a-l/homebank.profile
@@ -10,7 +10,7 @@ noblacklist ${HOME}/.config/homebank
 
 include disable-common.inc
 include disable-devel.inc
-include disable-exec.inc 
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
 include disable-passwdmgr.inc
diff --git a/etc/profile-a-l/jitsi-meet-desktop.profile b/etc/profile-a-l/jitsi-meet-desktop.profile
index c4121d835..e5beb741a 100644
--- a/etc/profile-a-l/jitsi-meet-desktop.profile
+++ b/etc/profile-a-l/jitsi-meet-desktop.profile
@@ -6,34 +6,22 @@ include jitsi-meet-desktop.local
 # Persistent global definitions
 include globals.local
 
+# Disabled until someone reported positive feedback
+ignore nou2f
+ignore novideo
+ignore shell none
+
 ignore noexec /tmp
 
 noblacklist ${HOME}/.config/Jitsi Meet
 
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-xdg.inc
-
 nowhitelist ${DOWNLOADS}
 
 mkdir ${HOME}/.config/Jitsi Meet
-
 whitelist ${HOME}/.config/Jitsi Meet
 
-include whitelist-common.inc
-include whitelist-usr-share-common.inc
-include whitelist-runuser-common.inc
-include whitelist-var-common.inc
-
-seccomp !chroot
-
-disable-mnt
 private-bin bash,jitsi-meet-desktop
-private-cache
-private-dev
 private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,drirc,fonts,glvnd,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,nvidia,pango,passwd,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg
-private-tmp
 
 # Redirect
 include electron.profile
diff --git a/etc/profile-a-l/kazam.profile b/etc/profile-a-l/kazam.profile
index 9899ff195..9c095e106 100644
--- a/etc/profile-a-l/kazam.profile
+++ b/etc/profile-a-l/kazam.profile
@@ -12,12 +12,12 @@ noblacklist ${PICTURES}
 noblacklist ${VIDEOS}
 noblacklist ${HOME}/.config/kazam
 
-include allow-python2.inc 
-include allow-python3.inc 
+include allow-python2.inc
+include allow-python3.inc
 
 include disable-common.inc
 include disable-devel.inc
-include disable-exec.inc 
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
 include disable-passwdmgr.inc
@@ -25,7 +25,7 @@ include disable-shell.inc
 include disable-xdg.inc
 
 whitelist /usr/share/kazam
-include whitelist-runuser-common.inc 
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/keepassxc.profile b/etc/profile-a-l/keepassxc.profile
index 6a3b29c9d..a3a1b500a 100644
--- a/etc/profile-a-l/keepassxc.profile
+++ b/etc/profile-a-l/keepassxc.profile
@@ -73,12 +73,11 @@ dbus-user.talk org.freedesktop.login1.Session
 dbus-user.talk org.gnome.ScreenSaver
 dbus-user.talk org.gnome.SessionManager
 dbus-user.talk org.gnome.SessionManager.Presence
-# Uncomment or add to your keepassxc.local to allow Notifications/Tray.
+# Uncomment or add to your keepassxc.local to allow Notifications.
 #dbus-user.talk org.freedesktop.Notifications
+# Uncomment or add to your keepassxc.local to allow Tray.
 #dbus-user.talk org.kde.StatusNotifierWatcher
-# These numbers seems to be not stable, see #3713. Play around with them.
-#dbus-user.own org.kde.StatusNotifierItem-2-2
-#dbus-user.own org.kde.StatusNotifierItem-10-2
+#dbus-user.own org.kde.*
 dbus-system none
 
 # Mutex is stored in /tmp by default, which is broken by private-tmp
diff --git a/etc/profile-a-l/kube.profile b/etc/profile-a-l/kube.profile
index cf3a69fd7..e0cfb9f24 100644
--- a/etc/profile-a-l/kube.profile
+++ b/etc/profile-a-l/kube.profile
@@ -63,7 +63,7 @@ shell none
 tracelog
 
 # disable-mnt
-# Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg 
+# Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg
 # Add "ignore private-bin" for hyperlinks or have a look at the private-bins in firefox.profile and firefox-common.profile.
 private-bin kube,sink_synchronizer
 private-cache
diff --git a/etc/profile-a-l/less.profile b/etc/profile-a-l/less.profile
index de6fa67d1..e1f0bc290 100644
--- a/etc/profile-a-l/less.profile
+++ b/etc/profile-a-l/less.profile
@@ -7,7 +7,6 @@ include less.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
 blacklist ${RUNUSER}
 
 noblacklist ${HOME}/.lesshst
diff --git a/etc/profile-a-l/librewolf.profile b/etc/profile-a-l/librewolf.profile
new file mode 100644
index 000000000..5208cb979
--- /dev/null
+++ b/etc/profile-a-l/librewolf.profile
@@ -0,0 +1,28 @@
+# Firejail profile for Librewolf
+# Description: Firefox fork based on privacy
+# This file is overwritten after every install/update
+# Persistent local customizations
+include librewolf.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/librewolf
+noblacklist ${HOME}/.librewolf
+
+mkdir ${HOME}/.cache/librewolf
+mkdir ${HOME}/.librewolf
+whitelist ${HOME}/.cache/librewolf
+whitelist ${HOME}/.librewolf
+
+# Uncomment (or add to librewolf.local) the following lines if you want to
+# use the migration wizard.
+#noblacklist ${HOME}/.mozilla
+#whitelist ${HOME}/.mozilla
+
+# librewolf requires a shell to launch on Arch. We can possibly remove sh though.
+#private-bin bash,dbus-launch,dbus-send,env,librewolf,python*,sh,which
+# private-etc must first be enabled in firefox-common.profile
+#private-etc librewolf
+
+# Redirect
+include firefox-common.profile
diff --git a/etc/profile-a-l/links.profile b/etc/profile-a-l/links.profile
index b2f94d3cf..ccc77f274 100644
--- a/etc/profile-a-l/links.profile
+++ b/etc/profile-a-l/links.profile
@@ -1,6 +1,7 @@
 # Firejail profile for links
 # Description: Text WWW browser
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include links.local
 # Persistent global definitions
diff --git a/etc/profile-a-l/lutris.profile b/etc/profile-a-l/lutris.profile
new file mode 100644
index 000000000..652f571bb
--- /dev/null
+++ b/etc/profile-a-l/lutris.profile
@@ -0,0 +1,74 @@
+# Firejail profile for lutris
+# Description: Multi-library game handler with special support for Wine
+# This file is overwritten after every install/update
+# Persistent local customizations
+include lutris.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${PATH}/llvm*
+noblacklist ${HOME}/Games
+noblacklist ${HOME}/.cache/lutris
+noblacklist ${HOME}/.cache/winetricks
+noblacklist ${HOME}/.config/lutris
+noblacklist ${HOME}/.local/share/lutris
+# noblacklist ${HOME}/.wine
+noblacklist /tmp/.wine-*
+
+ignore noexec ${HOME}
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/Games
+mkdir ${HOME}/.cache/lutris
+mkdir ${HOME}/.cache/winetricks
+mkdir ${HOME}/.config/lutris
+mkdir ${HOME}/.local/share/lutris
+# mkdir ${HOME}/.wine
+whitelist ${HOME}/Downloads
+whitelist ${HOME}/Games
+whitelist ${HOME}/.cache/lutris
+whitelist ${HOME}/.cache/winetricks
+whitelist ${HOME}/.config/lutris
+whitelist ${HOME}/.local/share/lutris
+# whitelist ${HOME}/.wine
+whitelist /usr/share/lutris
+whitelist /usr/share/wine
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+
+# allow-debuggers
+# apparmor
+caps.drop all
+ipc-namespace
+# net none
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+# uncomment the following line if you do not need controller support
+# private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/lynx.profile b/etc/profile-a-l/lynx.profile
index dbd0a61e5..76a0e7ed0 100644
--- a/etc/profile-a-l/lynx.profile
+++ b/etc/profile-a-l/lynx.profile
@@ -1,6 +1,7 @@
 # Firejail profile for lynx
 # Description: Classic non-graphical (text-mode) web browser
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include lynx.local
 # Persistent global definitions
diff --git a/etc/profile-a-l/lyx.profile b/etc/profile-a-l/lyx.profile
index b2c0afbe7..ffde057d5 100644
--- a/etc/profile-a-l/lyx.profile
+++ b/etc/profile-a-l/lyx.profile
@@ -27,7 +27,7 @@ apparmor
 machine-id
 
 # private-bin atril,dvilualatex,env,latex,lua*,luatex,lyx,lyxclient,okular,pdf2latex,pdflatex,pdftex,perl*,python*,qpdf,qpdfview,sh,tex2lyx,texmf,xelatex
-private-etc alternatives,dconf,fonts,gtk-2.0,gtk-3.0,locale,locale.alias,locale.conf,lyx,mime.types,passwd,texmf,X11,xdg
+private-etc alternatives,dconf,fonts,gtk-2.0,gtk-3.0,locale,locale.alias,locale.conf,lyx,machine-id,mime.types,passwd,texmf,X11,xdg
 
 # Redirect
 include latex-common.profile
diff --git a/etc/profile-m-z/QMediathekView.profile b/etc/profile-m-z/QMediathekView.profile
index 589dcfeb6..5ab302218 100644
--- a/etc/profile-m-z/QMediathekView.profile
+++ b/etc/profile-m-z/QMediathekView.profile
@@ -53,7 +53,7 @@ private-cache
 private-dev
 private-tmp
 
-# dbus-user none
-# dbus-system none
+dbus-user none
+dbus-system none
 
 #memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/profile-m-z/matrix-mirage.profile b/etc/profile-m-z/matrix-mirage.profile
new file mode 100644
index 000000000..b3080df88
--- /dev/null
+++ b/etc/profile-m-z/matrix-mirage.profile
@@ -0,0 +1,24 @@
+# Firejail profile for matrix-mirage
+# Description: Debian name for mirage binary/package
+# This file is overwritten after every install/update
+# Persistent local customizations
+include matrix-mirage.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.cache/matrix-mirage
+noblacklist ${HOME}/.config/matrix-mirage
+noblacklist ${HOME}/.local/share/matrix-mirage
+
+mkdir ${HOME}/.cache/matrix-mirage
+mkdir ${HOME}/.config/matrix-mirage
+mkdir ${HOME}/.local/share/matrix-mirage
+whitelist ${HOME}/.cache/matrix-mirage
+whitelist ${HOME}/.config/matrix-mirage
+whitelist ${HOME}/.local/share/matrix-mirage
+
+private-bin matrix-mirage
+
+# Redirect
+include mirage.profile
diff --git a/etc/profile-m-z/menulibre.profile b/etc/profile-m-z/menulibre.profile
index c70090a25..8a98209a2 100644
--- a/etc/profile-m-z/menulibre.profile
+++ b/etc/profile-m-z/menulibre.profile
@@ -11,7 +11,7 @@ include allow-python3.inc
 
 include disable-common.inc
 include disable-devel.inc
-include disable-exec.inc 
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
 include disable-passwdmgr.inc
@@ -25,7 +25,7 @@ whitelist /usr/share/menulibre
 whitelist /var/lib/app-info/icons
 whitelist /var/lib/flatpak/exports/share/applications
 whitelist /var/lib/flatpak/exports/share/icons
-include whitelist-runuser-common.inc 
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/microsoft-edge-dev.profile b/etc/profile-m-z/microsoft-edge-dev.profile
new file mode 100644
index 000000000..039cd36a8
--- /dev/null
+++ b/etc/profile-m-z/microsoft-edge-dev.profile
@@ -0,0 +1,20 @@
+# Firejail profile for Microsoft Edge Dev
+# Description: Web browser from Microsoft,dev channel
+# This file is overwritten after every install/update
+# Persistent local customizations
+include microsoft-edge-dev.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/microsoft-edge-dev
+noblacklist ${HOME}/.config/microsoft-edge-dev
+
+mkdir ${HOME}/.cache/microsoft-edge-dev
+mkdir ${HOME}/.config/microsoft-edge-dev
+whitelist ${HOME}/.cache/microsoft-edge-dev
+whitelist ${HOME}/.config/microsoft-edge-dev
+
+private-opt microsoft
+
+# Redirect
+include chromium-common.profile
diff --git a/etc/profile-m-z/microsoft-edge.profile b/etc/profile-m-z/microsoft-edge.profile
new file mode 100644
index 000000000..f427507d1
--- /dev/null
+++ b/etc/profile-m-z/microsoft-edge.profile
@@ -0,0 +1,11 @@
+# Firejail profile for Microsoft Edge
+# Description: Web browser from Microsoft
+# This file is overwritten after every install/update
+# Persistent local customizations
+include microsoft-edge.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include microsoft-edge-dev.profile
diff --git a/etc/profile-m-z/min.profile b/etc/profile-m-z/min.profile
index be85fdbc4..7f3aeab44 100644
--- a/etc/profile-m-z/min.profile
+++ b/etc/profile-m-z/min.profile
@@ -6,8 +6,6 @@ include min.local
 # Persistent global definitions
 include globals.local
 
-nowhitelist /usr/share/chromium
-
 noblacklist ${HOME}/.config/Min
 
 mkdir ${HOME}/.config/Min
diff --git a/etc/profile-m-z/minetest.profile b/etc/profile-m-z/minetest.profile
index 5678a781c..666af323d 100644
--- a/etc/profile-m-z/minetest.profile
+++ b/etc/profile-m-z/minetest.profile
@@ -52,8 +52,9 @@ shell none
 tracelog
 
 disable-mnt
-private-bin minetest
-private-cache
+private-bin minetest,rm
+# cache is used for storing assets when connecting to servers
+#private-cache
 private-dev
 # private-etc needs to be updated, see #1702
 #private-etc alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl
diff --git a/etc/profile-m-z/minitube.profile b/etc/profile-m-z/minitube.profile
index 39ecc7127..78ef5e398 100644
--- a/etc/profile-m-z/minitube.profile
+++ b/etc/profile-m-z/minitube.profile
@@ -19,7 +19,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
-include disable-shell.inc 
+include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.cache/Flavio Tordini
@@ -30,8 +30,8 @@ whitelist ${HOME}/.cache/Flavio Tordini
 whitelist ${HOME}/.config/Flavio Tordini
 whitelist ${HOME}/.local/share/Flavio Tordini
 whitelist /usr/share/minitube
-include whitelist-common.inc 
-include whitelist-runuser-common.inc 
+include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/mirage.profile b/etc/profile-m-z/mirage.profile
index 4a5f12aec..7130267e8 100644
--- a/etc/profile-m-z/mirage.profile
+++ b/etc/profile-m-z/mirage.profile
@@ -1,5 +1,5 @@
 # Firejail profile for mirage
-# Description: Desktop client for Matrix 
+# Description: Desktop client for Matrix
 # This file is overwritten after every install/update
 # Persistent local customizations
 include mirage.local
@@ -9,6 +9,7 @@ include globals.local
 noblacklist ${HOME}/.cache/mirage
 noblacklist ${HOME}/.config/mirage
 noblacklist ${HOME}/.local/share/mirage
+noblacklist /sbin
 
 include allow-python2.inc
 include allow-python3.inc
@@ -30,7 +31,7 @@ whitelist ${HOME}/.config/mirage
 whitelist ${HOME}/.local/share/mirage
 whitelist ${DOWNLOADS}
 include whitelist-common.inc
-include whitelist-runuser-common.inc 
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
@@ -49,7 +50,7 @@ shell none
 tracelog
 
 disable-mnt
-private-bin mirage
+private-bin ldconfig,mirage
 private-cache
 private-dev
 private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
diff --git a/etc/profile-m-z/mplayer.profile b/etc/profile-m-z/mplayer.profile
index 31a6caa9a..58384e33c 100644
--- a/etc/profile-m-z/mplayer.profile
+++ b/etc/profile-m-z/mplayer.profile
@@ -19,7 +19,7 @@ read-only ${DESKTOP}
 mkdir ${HOME}/.mplayer
 whitelist ${HOME}/.mplayer
 include whitelist-common.inc
-include whitelist-players.inc
+include whitelist-player-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/mpsyt.profile b/etc/profile-m-z/mpsyt.profile
index 414eaf312..bdf50421b 100644
--- a/etc/profile-m-z/mpsyt.profile
+++ b/etc/profile-m-z/mpsyt.profile
@@ -44,7 +44,7 @@ whitelist ${HOME}/.mplayer
 whitelist ${HOME}/.netrc
 whitelist ${HOME}/mps
 include whitelist-common.inc
-include whitelist-players.inc
+include whitelist-player-common.inc
 include whitelist-var-common.inc
 
 apparmor
diff --git a/etc/profile-m-z/mpv.profile b/etc/profile-m-z/mpv.profile
index ce3bfe421..1d87eeb48 100644
--- a/etc/profile-m-z/mpv.profile
+++ b/etc/profile-m-z/mpv.profile
@@ -50,7 +50,7 @@ whitelist ${HOME}/.config/mpv
 whitelist ${HOME}/.config/youtube-dl
 whitelist ${HOME}/.netrc
 include whitelist-common.inc
-include whitelist-players.inc
+include whitelist-player-common.inc
 whitelist /usr/share/lua
 whitelist /usr/share/lua*
 whitelist /usr/share/vulkan
diff --git a/etc/profile-m-z/mtpaint.profile b/etc/profile-m-z/mtpaint.profile
index cfd00e8ae..9f1f0f53d 100644
--- a/etc/profile-m-z/mtpaint.profile
+++ b/etc/profile-m-z/mtpaint.profile
@@ -10,14 +10,14 @@ noblacklist ${PICTURES}
 
 include disable-common.inc
 include disable-devel.inc
-include disable-exec.inc 
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-include whitelist-runuser-common.inc 
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/musictube.profile b/etc/profile-m-z/musictube.profile
index 955df698d..dbfd12619 100644
--- a/etc/profile-m-z/musictube.profile
+++ b/etc/profile-m-z/musictube.profile
@@ -1,5 +1,5 @@
 # Firejail profile for musictube
-# Description: Stream music 
+# Description: Stream music
 # This file is overwritten after every install/update
 # Persistent local customizations
 include musictube.local
@@ -16,7 +16,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
-include disable-shell.inc 
+include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.cache/Flavio Tordini
@@ -26,8 +26,8 @@ whitelist ${HOME}/.cache/Flavio Tordini
 whitelist ${HOME}/.config/Flavio Tordini
 whitelist ${HOME}/.local/share/Flavio Tordini
 whitelist /usr/share/musictube
-include whitelist-common.inc 
-include whitelist-runuser-common.inc 
+include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/nheko.profile b/etc/profile-m-z/nheko.profile
index 701098f4b..42e7e92fc 100644
--- a/etc/profile-m-z/nheko.profile
+++ b/etc/profile-m-z/nheko.profile
@@ -7,7 +7,7 @@ include nheko.local
 include globals.local
 
 noblacklist ${HOME}/.config/nheko
-noblacklist ${HOME}/.cache/nheko/nheko
+noblacklist ${HOME}/.cache/nheko
 
 include disable-common.inc
 include disable-devel.inc
@@ -16,14 +16,19 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
+include disable-xdg.inc
 
 mkdir ${HOME}/.config/nheko
 mkdir ${HOME}/.cache/nheko/nheko
 whitelist ${HOME}/.config/nheko
-whitelist ${HOME}/.cache/nheko/nheko
+whitelist ${HOME}/.cache/nheko
 whitelist ${DOWNLOADS}
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 netfilter
 nodvd
@@ -38,5 +43,14 @@ tracelog
 
 disable-mnt
 private-bin nheko
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 private-tmp
 
+dbus-user none
+# Comment the above line and uncomment below lines for notification popups
+# dbus-user filter
+# dbus-user.talk org.freedesktop.Notifications
+# dbus-user.talk org.kde.StatusNotifierWatcher
+dbus-system none
diff --git a/etc/profile-m-z/nslookup.profile b/etc/profile-m-z/nslookup.profile
index a8e0ddd89..17798a6fb 100644
--- a/etc/profile-m-z/nslookup.profile
+++ b/etc/profile-m-z/nslookup.profile
@@ -8,7 +8,6 @@ include nslookup.local
 include globals.local
 
 blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
 blacklist ${RUNUSER}
 
 noblacklist ${PATH}/nslookup
diff --git a/etc/profile-m-z/nuclear.profile b/etc/profile-m-z/nuclear.profile
index 1b97eda9b..886403b9e 100644
--- a/etc/profile-m-z/nuclear.profile
+++ b/etc/profile-m-z/nuclear.profile
@@ -10,31 +10,16 @@ ignore dbus-user
 
 noblacklist ${HOME}/.config/nuclear
 
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-shell.inc 
-include disable-xdg.inc
+include disable-shell.inc
 
 mkdir ${HOME}/.config/nuclear
 whitelist ${HOME}/.config/nuclear
-include whitelist-common.inc 
-include whitelist-runuser-common.inc 
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
 
 no3d
-nou2f
-novideo
-shell none
 
-disable-mnt
 # private-bin nuclear
-private-cache
-private-dev
 private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 private-opt nuclear
-private-tmp
 
 # Redirect
 include electron.profile
diff --git a/etc/profile-m-z/onboard.profile b/etc/profile-m-z/onboard.profile
index 3a235a677..f7cb8790b 100644
--- a/etc/profile-m-z/onboard.profile
+++ b/etc/profile-m-z/onboard.profile
@@ -13,7 +13,7 @@ include allow-python3.inc
 
 include disable-common.inc
 include disable-devel.inc
-include disable-exec.inc 
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
 include disable-passwdmgr.inc
@@ -23,9 +23,9 @@ include disable-xdg.inc
 mkdir ${HOME}/.config/onboard
 whitelist ${HOME}/.config/onboard
 whitelist /usr/share/onboard
-include whitelist-common.inc 
+include whitelist-common.inc
 include whitelist-usr-share-common.inc
-include whitelist-runuser-common.inc 
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
 apparmor
diff --git a/etc/profile-m-z/ostrichriders.profile b/etc/profile-m-z/ostrichriders.profile
index cc44d5a48..3bfda7946 100644
--- a/etc/profile-m-z/ostrichriders.profile
+++ b/etc/profile-m-z/ostrichriders.profile
@@ -42,7 +42,7 @@ tracelog
 disable-mnt
 private-bin ostrichriders
 private-cache
-# private-dev should be commented for controllers
+# comment the following line if you need controller support
 private-dev
 private-tmp
 
diff --git a/etc/profile-m-z/otter-browser.profile b/etc/profile-m-z/otter-browser.profile
index 652b6b7cb..aa26ddd4e 100644
--- a/etc/profile-m-z/otter-browser.profile
+++ b/etc/profile-m-z/otter-browser.profile
@@ -1,5 +1,5 @@
 # Firejail profile for otter-browser
-# Description: Lightweight web browser based on Qt5 
+# Description: Lightweight web browser based on Qt5
 # This file is overwritten after every install/update
 # Persistent local customizations
 include otter-browser.local
@@ -32,7 +32,7 @@ whitelist ${HOME}/.pki
 whitelist ${HOME}/.local/share/pki
 whitelist /usr/share/otter-browser
 include whitelist-common.inc
-include whitelist-runuser-common.inc 
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
@@ -54,6 +54,6 @@ private-bin bash,otter-browser,sh,which
 private-cache
 ?BROWSER_DISABLE_U2F: private-dev
 private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
-private-tmp 
+private-tmp
 
 dbus-system none
diff --git a/etc/profile-m-z/pandoc.profile b/etc/profile-m-z/pandoc.profile
index 9ee7e75b4..d2dcef0d0 100644
--- a/etc/profile-m-z/pandoc.profile
+++ b/etc/profile-m-z/pandoc.profile
@@ -7,7 +7,6 @@ include pandoc.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
 blacklist ${RUNUSER}
 
 noblacklist ${DOCUMENTS}
diff --git a/etc/profile-m-z/patch.profile b/etc/profile-m-z/patch.profile
index 6cbaa66ad..46a84372c 100644
--- a/etc/profile-m-z/patch.profile
+++ b/etc/profile-m-z/patch.profile
@@ -7,7 +7,6 @@ include patch.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
 blacklist ${RUNUSER}
 
 noblacklist ${DOCUMENTS}
diff --git a/etc/profile-m-z/pdftotext.profile b/etc/profile-m-z/pdftotext.profile
index 2a7d0cec1..6bbd30b22 100644
--- a/etc/profile-m-z/pdftotext.profile
+++ b/etc/profile-m-z/pdftotext.profile
@@ -6,7 +6,6 @@ include pdftotext.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
 blacklist ${RUNUSER}
 
 noblacklist ${DOCUMENTS}
diff --git a/etc/profile-m-z/photoflare.profile b/etc/profile-m-z/photoflare.profile
new file mode 100644
index 000000000..9e6b4a87d
--- /dev/null
+++ b/etc/profile-m-z/photoflare.profile
@@ -0,0 +1,50 @@
+# Firejail profile for photoflare
+# Description: Simple painting and editing program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include photoflare.local
+# Persistent global definitions
+include photoflare.local
+
+noblacklist ${PICTURES}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+no3d
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin photoflare
+private-cache
+private-dev
+private-etc alternatives,fonts,locale,locale.alias,locale.conf,mime.types,X11
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/ping.profile b/etc/profile-m-z/ping.profile
index bd95cb1de..03b548ffa 100644
--- a/etc/profile-m-z/ping.profile
+++ b/etc/profile-m-z/ping.profile
@@ -8,7 +8,6 @@ include ping.local
 include globals.local
 
 blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
 blacklist ${RUNUSER}
 
 include disable-common.inc
diff --git a/etc/profile-m-z/planmaker18.profile b/etc/profile-m-z/planmaker18.profile
index 2ba8e86c0..4cf1efb7f 100644
--- a/etc/profile-m-z/planmaker18.profile
+++ b/etc/profile-m-z/planmaker18.profile
@@ -7,4 +7,4 @@ include planmaker18.local
 include globals.local
 
 # Redirect
-include softmaker-common.inc
+include softmaker-common.profile
diff --git a/etc/profile-m-z/planmaker18free.profile b/etc/profile-m-z/planmaker18free.profile
index d0bce44f5..bb85f1fc7 100644
--- a/etc/profile-m-z/planmaker18free.profile
+++ b/etc/profile-m-z/planmaker18free.profile
@@ -7,4 +7,4 @@ include planmaker18free.local
 include globals.local
 
 # Redirect
-include softmaker-common.inc
+include softmaker-common.profile
diff --git a/etc/profile-m-z/playonlinux.profile b/etc/profile-m-z/playonlinux.profile
index 03091af6d..0ebef226a 100644
--- a/etc/profile-m-z/playonlinux.profile
+++ b/etc/profile-m-z/playonlinux.profile
@@ -4,34 +4,17 @@
 # Persistent local customizations
 include playonlinux.local
 # Persistent global definitions
-include globals.local
+# added by included profile
+#include globals.local
 
-noblacklist ${HOME}/.Steam
-noblacklist ${HOME}/.local/share/Steam
-noblacklist ${HOME}/.local/share/steam
-noblacklist ${HOME}/.steam
 noblacklist ${HOME}/.PlayOnLinux
 
 # nc is needed to run playonlinux
 noblacklist ${PATH}/nc
 
-# Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
 include allow-python3.inc
-
-# Allow perl (blacklisted by disable-interpreters.inc)
 include allow-perl.inc
 
-include disable-common.inc
-include disable-devel.inc
-include disable-interpreters.inc
-include disable-programs.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-seccomp
+# Redirect
+include wine.profile
diff --git a/etc/profile-m-z/ppsspp.profile b/etc/profile-m-z/ppsspp.profile
index c62e53151..c71553bcd 100644
--- a/etc/profile-m-z/ppsspp.profile
+++ b/etc/profile-m-z/ppsspp.profile
@@ -32,7 +32,7 @@ protocol unix,netlink
 seccomp
 shell none
 
-# private-dev is disabled to allow controller support
+# uncomment the following line if you do not need controller support
 #private-dev
 private-etc alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl
 private-opt ppsspp
diff --git a/etc/profile-m-z/presentations18.profile b/etc/profile-m-z/presentations18.profile
index d4f531060..65d684c40 100644
--- a/etc/profile-m-z/presentations18.profile
+++ b/etc/profile-m-z/presentations18.profile
@@ -7,5 +7,5 @@ include presentations18.local
 include globals.local
 
 # Redirect
-include softmaker-common.inc
+include softmaker-common.profile
 
diff --git a/etc/profile-m-z/presentations18free.profile b/etc/profile-m-z/presentations18free.profile
index e2319f13f..218747224 100644
--- a/etc/profile-m-z/presentations18free.profile
+++ b/etc/profile-m-z/presentations18free.profile
@@ -7,4 +7,4 @@ include presentations18free.local
 include globals.local
 
 # Redirect
-include softmaker-common.inc
+include softmaker-common.profile
diff --git a/etc/profile-m-z/qrencode.profile b/etc/profile-m-z/qrencode.profile
index 5e49a342a..952e9f5f3 100644
--- a/etc/profile-m-z/qrencode.profile
+++ b/etc/profile-m-z/qrencode.profile
@@ -7,7 +7,6 @@ include qrencode.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
 blacklist ${RUNUSER}
 
 include disable-common.inc
diff --git a/etc/profile-m-z/quaternion.profile b/etc/profile-m-z/quaternion.profile
index 2133c74d3..3041860b3 100644
--- a/etc/profile-m-z/quaternion.profile
+++ b/etc/profile-m-z/quaternion.profile
@@ -1,5 +1,5 @@
 # Firejail profile for quaternion
-# Description: Desktop client for Matrix 
+# Description: Desktop client for Matrix
 # This file is overwritten after every install/update
 # Persistent local customizations
 include quaternion.local
@@ -25,7 +25,7 @@ whitelist ${HOME}/.config/Quotient
 whitelist ${DOWNLOADS}
 whitelist /usr/share/Quotient/quaternion
 include whitelist-common.inc
-include whitelist-runuser-common.inc 
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/rhythmbox.profile b/etc/profile-m-z/rhythmbox.profile
index e7f379509..9fb7dc713 100644
--- a/etc/profile-m-z/rhythmbox.profile
+++ b/etc/profile-m-z/rhythmbox.profile
@@ -59,6 +59,7 @@ dbus-user.own org.gnome.Rhythmbox3
 dbus-user.own org.mpris.MediaPlayer2.rhythmbox
 dbus-user.own org.gnome.UPnP.MediaServer2.Rhythmbox
 dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.gtk.vfs.*
 dbus-user.talk org.freedesktop.Notifications
 dbus-user.talk org.gnome.SettingsDaemon.MediaKeys
 dbus-system filter
diff --git a/etc/profile-m-z/riot-desktop.profile b/etc/profile-m-z/riot-desktop.profile
index 4372fabe1..e91d25196 100644
--- a/etc/profile-m-z/riot-desktop.profile
+++ b/etc/profile-m-z/riot-desktop.profile
@@ -7,7 +7,5 @@ include riot-desktop.local
 # added by included profile
 #include globals.local
 
-seccomp !chroot
-
 # Redirect
 include riot-web.profile
diff --git a/etc/profile-m-z/riot-web.profile b/etc/profile-m-z/riot-web.profile
index b930adf2b..687c943b0 100644
--- a/etc/profile-m-z/riot-web.profile
+++ b/etc/profile-m-z/riot-web.profile
@@ -4,14 +4,15 @@
 # Persistent local customizations
 include riot-web.local
 # Persistent global definitions
-# added by included profile
-#include globals.local
+include globals.local
+
+ignore noexec /tmp
 
 noblacklist ${HOME}/.config/Riot
 
 mkdir ${HOME}/.config/Riot
 whitelist ${HOME}/.config/Riot
-include whitelist-common.inc
+whitelist /usr/share/webapps/element
 
 # Redirect
 include electron.profile
diff --git a/etc/profile-m-z/rocketchat.profile b/etc/profile-m-z/rocketchat.profile
index a574e4e8b..8d3607c75 100644
--- a/etc/profile-m-z/rocketchat.profile
+++ b/etc/profile-m-z/rocketchat.profile
@@ -3,14 +3,28 @@
 # Persistent local customizations
 include rocketchat.local
 # Persistent global definitions
-# added by included profile
-#include globals.local
+include globals.local
+
+# Disabled until someone reported positive feedback
+ignore include disable-devel.inc
+ignore include disable-exec.inc
+ignore include disable-interpreters.inc
+ignore include disable-xdg.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+ignore include whitelist-var-common.inc
+ignore nou2f
+ignore novideo
+ignore shell none
+ignore disable-mnt
+ignore private-cache
+ignore private-dev
+ignore private-tmp
 
 noblacklist ${HOME}/.config/Rocket.Chat
 
 mkdir ${HOME}/.config/Rocket.Chat
 whitelist ${HOME}/.config/Rocket.Chat
-include whitelist-common.inc
 
 # Redirect
 include electron.profile
diff --git a/etc/profile-m-z/rsync-download_only.profile b/etc/profile-m-z/rsync-download_only.profile
index 95deed119..78159527a 100644
--- a/etc/profile-m-z/rsync-download_only.profile
+++ b/etc/profile-m-z/rsync-download_only.profile
@@ -13,7 +13,6 @@ include globals.local
 # Usage: firejail --profile=rsync-download_only rsync
 
 blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
 blacklist ${RUNUSER}
 
 include disable-common.inc
diff --git a/etc/profile-m-z/server.profile b/etc/profile-m-z/server.profile
index 5bc4735ae..d47f1289a 100644
--- a/etc/profile-m-z/server.profile
+++ b/etc/profile-m-z/server.profile
@@ -45,10 +45,17 @@ include disable-common.inc
 # include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
-# include disable-xdg.inc
+include disable-write-mnt.inc
+include disable-xdg.inc
 
+# include whitelist-runuser-common.inc
+# include whitelist-usr-share-common.inc
+# include whitelist-var-common.inc
+
+apparmor
 caps
 # ipc-namespace
+machine-id
 # netfilter /etc/firejail/webserver.net
 no3d
 nodvd
@@ -59,19 +66,26 @@ nosound
 notv
 nou2f
 novideo
+# protocol unix,inet,inet6,netlink
 seccomp
 # shell none
 
-# disable-mnt
+disable-mnt
 private
 # private-bin program
 # private-cache
 private-dev
+# see /usr/share/doc/firejail/profile.template for more common private-etc paths.
 # private-etc alternatives
 # private-lib
+# private-opt none
 private-tmp
 
-# dbus-user none
+dbus-user none
 # dbus-system none
 
 # memory-deny-write-execute
+# read-only ${HOME}
+# writable-run-user
+# writable-var
+# writable-var-log
diff --git a/etc/profile-m-z/servo.profile b/etc/profile-m-z/servo.profile
new file mode 100644
index 000000000..65da5d0de
--- /dev/null
+++ b/etc/profile-m-z/servo.profile
@@ -0,0 +1,48 @@
+# Firejail profile for servo
+# Description: The Servo Browser Engine
+# This file is overwritten after every install/update
+# Persistent local customizations
+include servo.local
+# Persistent global definitions
+include globals.local
+
+# Servo is usually installed inside $HOME
+ignore noexec ${HOME}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+# Add a whitelist for the directory where servo is installed and uncomment the lines below.
+#whitelist ${DOWNLOADS}
+#include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin servo,sh
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/shellcheck.profile b/etc/profile-m-z/shellcheck.profile
index c67a88161..2ae298142 100644
--- a/etc/profile-m-z/shellcheck.profile
+++ b/etc/profile-m-z/shellcheck.profile
@@ -7,7 +7,6 @@ include shellcheck.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
 blacklist ${RUNUSER}
 
 noblacklist ${DOCUMENTS}
diff --git a/etc/profile-m-z/signal-desktop.profile b/etc/profile-m-z/signal-desktop.profile
index c28571270..08e1c1f03 100644
--- a/etc/profile-m-z/signal-desktop.profile
+++ b/etc/profile-m-z/signal-desktop.profile
@@ -5,6 +5,13 @@ include signal-desktop.local
 # Persistent global definitions
 include globals.local
 
+# Disabled until someone reported positive feedback
+ignore include-xdg.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+ignore private-cache
+ignore novideo
+
 ignore noexec /tmp
 
 noblacklist ${HOME}/.config/Signal
@@ -14,32 +21,12 @@ noblacklist ${HOME}/.mozilla
 whitelist ${HOME}/.mozilla/firefox/profiles.ini
 read-only ${HOME}/.mozilla/firefox/profiles.ini
 
-include disable-common.inc
-include disable-devel.inc
 include disable-exec.inc
-include disable-interpreters.inc
-include disable-programs.inc
-include disable-passwdmgr.inc
 
 mkdir ${HOME}/.config/Signal
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.config/Signal
-include whitelist-common.inc
-include whitelist-var-common.inc
-
-apparmor
-caps.keep sys_admin,sys_chroot
-netfilter
-nodvd
-nogroups
-notv
-nou2f
-shell none
-
-disable-mnt
-private-dev
+
 private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl
-private-tmp
 
-dbus-user none
-dbus-system none
+# Redirect
+include electron.profile
diff --git a/etc/profile-m-z/skypeforlinux.profile b/etc/profile-m-z/skypeforlinux.profile
index 341c25a95..b39763981 100644
--- a/etc/profile-m-z/skypeforlinux.profile
+++ b/etc/profile-m-z/skypeforlinux.profile
@@ -5,27 +5,24 @@ include skypeforlinux.local
 # Persistent global definitions
 include globals.local
 
+# Disabled until someone reported positive feedback
+ignore whitelist ${DOWNLOADS}
+ignore include whitelist-common.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+ignore include whitelist-var-common.inc
+ignore nou2f
+ignore novideo
+ignore private-dev
+ignore dbus-user none
+ignore dbus-system none
+
 # breaks Skype
 ignore noexec /tmp
 
 noblacklist ${HOME}/.config/skypeforlinux
 
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-include disable-xdg.inc
-
-caps.keep sys_admin,sys_chroot
-netfilter
-nodvd
-nogroups
-notv
-shell none
-
-disable-mnt
-private-cache
 # private-dev - needs /dev/disk
-private-tmp
+
+# Redirect
+include electron.profile
diff --git a/etc/profile-m-z/slack.profile b/etc/profile-m-z/slack.profile
index 8ab3edd63..9ad772cd5 100644
--- a/etc/profile-m-z/slack.profile
+++ b/etc/profile-m-z/slack.profile
@@ -5,31 +5,26 @@ include slack.local
 # Persistent global definitions
 include globals.local
 
+# Disabled until someone reported positive feedback
+ignore include disable-exec.inc
+ignore include disable-xdg.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+ignore apparmor
+ignore novideo
+ignore private-tmp
+ignore dbus-user none
+ignore dbus-system none
+
 noblacklist ${HOME}/.config/Slack
 
-include disable-common.inc
-include disable-devel.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
 include disable-shell.inc
 
 mkdir ${HOME}/.config/Slack
 whitelist ${HOME}/.config/Slack
-whitelist ${DOWNLOADS}
-include whitelist-common.inc
-include whitelist-var-common.inc
-
-caps.keep sys_admin,sys_chroot
-netfilter
-nodvd
-nogroups
-notv
-nou2f
-shell none
 
-disable-mnt
 private-bin locale,slack
-private-cache
-private-dev
 private-etc alternatives,asound.conf,ca-certificates,crypto-policies,debian_version,fedora-release,fonts,group,ld.so.cache,ld.so.conf,localtime,machine-id,os-release,passwd,pki,pulse,redhat-release,resolv.conf,ssl,system-release,system-release-cpe
+
+# Redirect
+include electron.profile
diff --git a/etc/inc/softmaker-common.inc b/etc/profile-m-z/softmaker-common.profile
index a8ec5848c..a8ec5848c 100644
--- a/etc/inc/softmaker-common.inc
+++ b/etc/profile-m-z/softmaker-common.profile
diff --git a/etc/profile-m-z/spectral.profile b/etc/profile-m-z/spectral.profile
index d7f94e144..093661d8c 100644
--- a/etc/profile-m-z/spectral.profile
+++ b/etc/profile-m-z/spectral.profile
@@ -1,5 +1,5 @@
 # Firejail profile for spectral
-# Description: Desktop client for Matrix 
+# Description: Desktop client for Matrix
 # This file is overwritten after every install/update
 # Persistent local customizations
 include spectral.local
@@ -24,7 +24,7 @@ whitelist ${HOME}/.cache/ENCOM/Spectral
 whitelist ${HOME}/.config/ENCOM
 whitelist ${DOWNLOADS}
 include whitelist-common.inc
-include whitelist-runuser-common.inc 
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
@@ -50,4 +50,8 @@ private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,
 private-tmp
 
 dbus-user none
+# Comment the above line and uncomment below lines for notification popups
+# dbus-user filter
+# dbus-user.talk org.freedesktop.Notifications
+# dbus-user.talk org.kde.StatusNotifierWatcher
 dbus-system none
diff --git a/etc/profile-m-z/ssh.profile b/etc/profile-m-z/ssh.profile
index 78b12c2cb..d873a5672 100644
--- a/etc/profile-m-z/ssh.profile
+++ b/etc/profile-m-z/ssh.profile
@@ -34,7 +34,7 @@ nonewprivs
 # noroot - see issue #1543
 nosound
 notv
-# nou2f - OpenSSH >= 8.2 supports U2F 
+# nou2f - OpenSSH >= 8.2 supports U2F
 novideo
 protocol unix,inet,inet6
 seccomp
diff --git a/etc/profile-m-z/steam.profile b/etc/profile-m-z/steam.profile
index 7292f189c..55078d993 100644
--- a/etc/profile-m-z/steam.profile
+++ b/etc/profile-m-z/steam.profile
@@ -109,10 +109,10 @@ shell none
 # picture viewers are needed for viewing screenshots
 #private-bin eog,eom,gthumb,pix,viewnior,xviewer
 
-# private-dev should be commented for controllers
+# comment the following line if you need controller support
 private-dev
 # private-etc breaks a small selection of games on some systems, comment to support those
-private-etc alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,lsb-release,machine-id,mime.types,nvidia,os-release,passwd,pki,pulse,resolv.conf,services,ssl
+private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,lsb-release,machine-id,mime.types,nvidia,os-release,passwd,pki,pulse,resolv.conf,services,ssl
 private-tmp
 
 # breaks appindicator support
diff --git a/etc/profile-m-z/straw-viewer.profile b/etc/profile-m-z/straw-viewer.profile
new file mode 100644
index 000000000..721ad38ee
--- /dev/null
+++ b/etc/profile-m-z/straw-viewer.profile
@@ -0,0 +1,58 @@
+# Firejail profile for straw-viewer
+# Description: Fork of youtube-viewer acts like an invidious frontend
+quiet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include straw-viewer.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/straw-viewer
+noblacklist ${HOME}/.config/straw-viewer
+
+include allow-lua.inc
+include allow-perl.inc
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/straw-viewer
+mkdir ${HOME}/.cache/straw-viewer
+whitelist ${HOME}/.cache/straw-viewer
+whitelist ${HOME}/.config/straw-viewer
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin bash,ffmpeg,ffprobe,gtk-straw-viewer,mpv,perl,python*,sh,smplayer,straw-viewer,stty,vlc,wget,which,youtube-dl
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,machine-id,mime.types,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl,X11,xdg
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/strawberry.profile b/etc/profile-m-z/strawberry.profile
index cd36c0d41..0801add28 100644
--- a/etc/profile-m-z/strawberry.profile
+++ b/etc/profile-m-z/strawberry.profile
@@ -21,7 +21,7 @@ include disable-xdg.inc
 
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
-include whitelist-var-common.inc 
+include whitelist-var-common.inc
 
 apparmor
 caps.drop all
diff --git a/etc/profile-m-z/strings.profile b/etc/profile-m-z/strings.profile
index 09ada1e25..6a582532d 100644
--- a/etc/profile-m-z/strings.profile
+++ b/etc/profile-m-z/strings.profile
@@ -7,7 +7,6 @@ include strings.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
 blacklist ${RUNUSER}
 
 #include disable-common.inc
diff --git a/etc/profile-m-z/supertuxkart.profile b/etc/profile-m-z/supertuxkart.profile
index ff99c234e..1b20f5d3d 100644
--- a/etc/profile-m-z/supertuxkart.profile
+++ b/etc/profile-m-z/supertuxkart.profile
@@ -41,7 +41,7 @@ noroot
 notv
 nou2f
 novideo
-protocol unix,inet,inet6
+protocol unix,inet,inet6,bluetooth
 seccomp
 seccomp.block-secondary
 shell none
@@ -50,7 +50,8 @@ tracelog
 disable-mnt
 private-bin supertuxkart
 private-cache
-private-dev
+# uncomment the following line if you do not need controller support
+#private-dev
 private-etc alternatives,ca-certificates,crypto-policies,drirc,hosts,machine-id,openal,pki,resolv.conf,ssl
 private-tmp
 private-opt none
diff --git a/etc/profile-m-z/sysprof.profile b/etc/profile-m-z/sysprof.profile
index ad3346285..9e9d2a448 100644
--- a/etc/profile-m-z/sysprof.profile
+++ b/etc/profile-m-z/sysprof.profile
@@ -6,6 +6,7 @@ include sysprof.local
 # Persistent global definitions
 include globals.local
 
+noblacklist ${DOCUMENTS}
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -14,6 +15,19 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+# help menu functionality (yelp) - comment or add this block prepended with 'ignore'
+# to your sysprof.local if you don't need the help functionality
+noblacklist ${HOME}/.config/yelp
+mkdir ${HOME}/.config/yelp
+whitelist ${HOME}/.config/yelp
+whitelist /usr/share/help/C/sysprof
+whitelist /usr/share/yelp
+whitelist /usr/share/yelp-tools
+whitelist /usr/share/yelp-xsl
+
+whitelist ${DOCUMENTS}
+include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
@@ -26,27 +40,30 @@ no3d
 nodvd
 nogroups
 nonewprivs
-# Ubuntu 16.04 version needs root privileges - uncomment or put in sysprof.local if you don't use that
-#noroot
+# Ubuntu 16.04 version needs root privileges - comment or put 'ignore noroot' in sysprof.local if you run Xenial
+noroot
 nosound
 notv
 nou2f
 novideo
 protocol unix,netlink
+seccomp
 shell none
 tracelog
 
 disable-mnt
-#private-bin sysprof - breaks GUI help menu
+#private-bin sysprof - breaks help menu
 private-cache
 private-dev
 private-etc alternatives,fonts,ld.so.cache,machine-id,ssl
-# private-lib breaks GUI help menu
+# private-lib breaks help menu
 #private-lib gdk-pixbuf-2.*,gio,gtk3,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*,libsysprof-2.so,libsysprof-ui-2.so
 private-tmp
 
-# makes settings immutable
-# dbus-user none
-# dbus-system none
+dbus-user filter
+dbus-user.own org.gnome.Shell
+dbus-user.own org.gnome.Yelp
+dbus-user.own org.gnome.Sysprof3
+dbus-user.talk ca.desrt.dconf
 
-# memory-deny-write-execute - Breaks GUI on Arch
+# memory-deny-write-execute - breaks on Arch
diff --git a/etc/profile-m-z/tar.profile b/etc/profile-m-z/tar.profile
index 3a7405305..f6efb0feb 100644
--- a/etc/profile-m-z/tar.profile
+++ b/etc/profile-m-z/tar.profile
@@ -7,49 +7,13 @@ include tar.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
-
 # Arch Linux (based distributions) need access to /var/lib/pacman. As we drop all capabilities this is automatically read-only.
 noblacklist /var/lib/pacman
 
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-
-apparmor
-caps.drop all
-hostname tar
-ipc-namespace
-machine-id
-net none
-no3d
-nodvd
-nogroups
-nonewprivs
-#noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-x11 none
+ignore include disable-shell.inc
+include archiver-common.inc
 
-# support compressed archives
-private-bin awk,bash,bzip2,compress,firejail,grep,gtar,gzip,lbzip2,lzip,lzma,lzop,sh,tar,xz
-private-cache
-private-dev
 private-etc alternatives,group,localtime,login.defs,passwd
-private-lib libfakeroot
+#private-lib libfakeroot,liblzma.so.*,libreadline.so.*
 # Debian based distributions need this for 'dpkg --unpack' (incl. synaptic)
 writable-var
-
-dbus-user none
-dbus-system none
-
-memory-deny-write-execute
diff --git a/etc/profile-m-z/teams-for-linux.profile b/etc/profile-m-z/teams-for-linux.profile
index a13c92bc3..eee083332 100644
--- a/etc/profile-m-z/teams-for-linux.profile
+++ b/etc/profile-m-z/teams-for-linux.profile
@@ -4,33 +4,23 @@
 # Persistent local customizations
 include teams-for-linux.local
 # Persistent global definitions
-# added by included profile
-#include globals.local
+include globals.local
+
+# Disabled until someone reported positive feedback
+ignore include disable-xdg.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
 
 ignore dbus-user none
 ignore dbus-system none
 
 noblacklist ${HOME}/.config/teams-for-linux
 
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-
 mkdir ${HOME}/.config/teams-for-linux
 whitelist ${HOME}/.config/teams-for-linux
-include whitelist-common.inc
-include whitelist-var-common.inc
-
-nou2f
-novideo
-shell none
 
-disable-mnt
 private-bin bash,cut,echo,egrep,grep,head,sed,sh,teams-for-linux,tr,xdg-mime,xdg-open,zsh
-private-cache
-private-dev
 private-etc ca-certificates,crypto-policies,fonts,ld.so.cache,localtime,machine-id,pki,resolv.conf,ssl
-private-tmp
 
 # Redirect
 include electron.profile
diff --git a/etc/profile-m-z/teams.profile b/etc/profile-m-z/teams.profile
index bd7faa80a..c8d98cbaa 100644
--- a/etc/profile-m-z/teams.profile
+++ b/etc/profile-m-z/teams.profile
@@ -4,8 +4,14 @@
 # Persistent local customizations
 include teams.local
 # Persistent global definitions
-# added by included profile
-#include globals.local
+include globals.local
+
+# Disabled until someone reported positive feedback
+ignore include disable-xdg.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+ignore novideo
+ignore private-tmp
 
 # see #3404
 ignore apparmor
@@ -15,24 +21,10 @@ ignore dbus-system none
 noblacklist ${HOME}/.config/teams
 noblacklist ${HOME}/.config/Microsoft
 
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-
 mkdir ${HOME}/.config/teams
 mkdir ${HOME}/.config/Microsoft
 whitelist ${HOME}/.config/teams
 whitelist ${HOME}/.config/Microsoft
-include whitelist-common.inc
-include whitelist-var-common.inc
-
-nou2f
-shell none
-tracelog
-
-disable-mnt
-private-cache
-private-dev
 
 # Redirect
 include electron.profile
diff --git a/etc/profile-m-z/telegram.profile b/etc/profile-m-z/telegram.profile
index 5be834fb0..0e7413fc9 100644
--- a/etc/profile-m-z/telegram.profile
+++ b/etc/profile-m-z/telegram.profile
@@ -25,5 +25,5 @@ seccomp
 
 disable-mnt
 private-cache
-private-etc alsa,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl
+private-etc alsa,alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,machine-id,os-release,pki,pulse,resolv.conf,ssl,xdg
 private-tmp
diff --git a/etc/profile-m-z/textmaker18.profile b/etc/profile-m-z/textmaker18.profile
index d28947394..e5a4b6454 100644
--- a/etc/profile-m-z/textmaker18.profile
+++ b/etc/profile-m-z/textmaker18.profile
@@ -7,5 +7,5 @@ include textmaker18.local
 include globals.local
 
 # Redirect
-include softmaker-common.inc
+include softmaker-common.profile
 
diff --git a/etc/profile-m-z/textmaker18free.profile b/etc/profile-m-z/textmaker18free.profile
index 7b4fd5b08..0e918bf0a 100644
--- a/etc/profile-m-z/textmaker18free.profile
+++ b/etc/profile-m-z/textmaker18free.profile
@@ -7,5 +7,5 @@ include textmaker18free.local
 include globals.local
 
 # Redirect
-include softmaker-common.inc
+include softmaker-common.profile
 
diff --git a/etc/profile-m-z/thunderbird.profile b/etc/profile-m-z/thunderbird.profile
index 2e7b69cec..b478fbe1e 100644
--- a/etc/profile-m-z/thunderbird.profile
+++ b/etc/profile-m-z/thunderbird.profile
@@ -6,7 +6,7 @@ include thunderbird.local
 # Persistent global definitions
 include globals.local
 
-ignore whitelist-runuser-common.inc
+ignore include whitelist-runuser-common.inc
 
 # writable-run-user and dbus are needed by enigmail
 ignore dbus-user none
diff --git a/etc/profile-m-z/totem.profile b/etc/profile-m-z/totem.profile
index 7bb2f3e2d..36495064e 100644
--- a/etc/profile-m-z/totem.profile
+++ b/etc/profile-m-z/totem.profile
@@ -30,7 +30,7 @@ whitelist ${HOME}/.config/totem
 whitelist ${HOME}/.local/share/totem
 whitelist /usr/share/totem
 include whitelist-common.inc
-include whitelist-players.inc
+include whitelist-player-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/twitch.profile b/etc/profile-m-z/twitch.profile
index 3c50344f1..2f573c872 100644
--- a/etc/profile-m-z/twitch.profile
+++ b/etc/profile-m-z/twitch.profile
@@ -6,31 +6,20 @@ include twitch.local
 # Persistent global definitions
 include globals.local
 
+# Disabled until someone reported positive feedback
+ignore nou2f
+ignore novideo
+
 noblacklist ${HOME}/.config/Twitch
 
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-shell.inc 
-include disable-xdg.inc
+include disable-shell.inc
 
 mkdir ${HOME}/.config/Twitch
 whitelist ${HOME}/.config/Twitch
-include whitelist-common.inc 
-include whitelist-runuser-common.inc 
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
-
-seccomp !chroot
-shell none
 
-disable-mnt
 private-bin twitch
-private-cache
-private-dev
 private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 private-opt Twitch
-private-tmp
 
 # Redirect
 include electron.profile
diff --git a/etc/profile-m-z/unrar.profile b/etc/profile-m-z/unrar.profile
index e07a6fc93..9487f8e68 100644
--- a/etc/profile-m-z/unrar.profile
+++ b/etc/profile-m-z/unrar.profile
@@ -7,40 +7,8 @@ include unrar.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
-
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-include disable-shell.inc
-
-caps.drop all
-hostname unrar
-ipc-namespace
-machine-id
-net none
-no3d
-nodvd
-#nogroups
-nonewprivs
-#noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-x11 none
+include archiver-common.inc
 
 private-bin unrar
-private-dev
 private-etc alternatives,group,localtime,passwd
 private-tmp
-
-dbus-user none
-dbus-system none
diff --git a/etc/profile-m-z/unzip.profile b/etc/profile-m-z/unzip.profile
index e08511c12..8da9ea820 100644
--- a/etc/profile-m-z/unzip.profile
+++ b/etc/profile-m-z/unzip.profile
@@ -7,42 +7,9 @@ include unzip.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
-
 # GNOME Shell integration (chrome-gnome-shell)
 noblacklist ${HOME}/.local/share/gnome-shell
 
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-include disable-shell.inc
-
-caps.drop all
-hostname unzip
-ipc-namespace
-machine-id
-net none
-no3d
-nodvd
-#nogroups
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-x11 none
+include archiver-common.inc
 
-private-bin unzip
-private-dev
 private-etc alternatives,group,localtime,passwd
-
-dbus-user none
-dbus-system none
diff --git a/etc/profile-m-z/vivaldi.profile b/etc/profile-m-z/vivaldi.profile
index cd06b7f4c..fdeb0307f 100644
--- a/etc/profile-m-z/vivaldi.profile
+++ b/etc/profile-m-z/vivaldi.profile
@@ -35,5 +35,7 @@ whitelist ${HOME}/.local/lib/vivaldi
 ignore dbus-user none
 ignore dbus-system none
 
+read-write ${HOME}/.local/lib/vivaldi
+
 # Redirect
 include chromium-common.profile
diff --git a/etc/profile-m-z/vlc.profile b/etc/profile-m-z/vlc.profile
index fc8efe089..9a12686cd 100644
--- a/etc/profile-m-z/vlc.profile
+++ b/etc/profile-m-z/vlc.profile
@@ -27,7 +27,7 @@ whitelist ${HOME}/.config/vlc
 whitelist ${HOME}/.config/aacs
 whitelist ${HOME}/.local/share/vlc
 include whitelist-common.inc
-include whitelist-players.inc
+include whitelist-player-common.inc
 include whitelist-var-common.inc
 
 #apparmor - on Ubuntu 18.04 it refuses to start without dbus access
diff --git a/etc/profile-m-z/w3m.profile b/etc/profile-m-z/w3m.profile
index bd33edd6a..0e172333a 100644
--- a/etc/profile-m-z/w3m.profile
+++ b/etc/profile-m-z/w3m.profile
@@ -7,6 +7,11 @@ include w3m.local
 # Persistent global definitions
 include globals.local
 
+# Uncomment or add to your w3m.local if you want to use w3m-img on a vconsole
+#ignore nogroups
+#ignore private-dev
+#ignore private-etc
+
 noblacklist ${HOME}/.w3m
 
 blacklist /tmp/.X11-unix
diff --git a/etc/profile-m-z/wget.profile b/etc/profile-m-z/wget.profile
index 8a64d2d73..f67d28618 100644
--- a/etc/profile-m-z/wget.profile
+++ b/etc/profile-m-z/wget.profile
@@ -12,7 +12,6 @@ noblacklist ${HOME}/.wget-hsts
 noblacklist ${HOME}/.wgetrc
 
 blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
 blacklist ${RUNUSER}
 
 include disable-common.inc
diff --git a/etc/profile-m-z/whalebird.profile b/etc/profile-m-z/whalebird.profile
index 187c49ed8..22a84274d 100644
--- a/etc/profile-m-z/whalebird.profile
+++ b/etc/profile-m-z/whalebird.profile
@@ -4,36 +4,24 @@
 # Persistent local customizations
 include whalebird.local
 # Persistent global definitions
-# added by included profile
-#include globals.local
+include globals.local
+
+# Disabled until someone reported positive feedback
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
 
 ignore dbus-user none
 ignore dbus-system none
 
 noblacklist ${HOME}/.config/Whalebird
 
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-xdg.inc
-
 mkdir ${HOME}/.config/Whalebird
 whitelist ${HOME}/.config/Whalebird
-include whitelist-common.inc
-include whitelist-var-common.inc
 
 no3d
-nou2f
-novideo
-protocol unix,inet,inet6
-shell none
 
-disable-mnt
 private-bin whalebird
-private-cache
-private-dev
 private-etc fonts,machine-id
-private-tmp
 
 # Redirect
 include electron.profile
diff --git a/etc/profile-m-z/whois.profile b/etc/profile-m-z/whois.profile
index a9cecb18d..fa7a16093 100644
--- a/etc/profile-m-z/whois.profile
+++ b/etc/profile-m-z/whois.profile
@@ -8,7 +8,6 @@ include whois.local
 include globals.local
 
 blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
 blacklist ${RUNUSER}
 
 include disable-common.inc
diff --git a/etc/profile-m-z/wine.profile b/etc/profile-m-z/wine.profile
index 901340052..6ac74b9da 100644
--- a/etc/profile-m-z/wine.profile
+++ b/etc/profile-m-z/wine.profile
@@ -6,6 +6,7 @@ include wine.local
 # Persistent global definitions
 include globals.local
 
+noblacklist ${HOME}/.cache/winetricks
 noblacklist ${HOME}/.Steam
 noblacklist ${HOME}/.local/share/Steam
 noblacklist ${HOME}/.local/share/steam
@@ -19,6 +20,8 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+# whitelist /usr/share/wine
+# include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 # some applications don't need allow-debuggers, comment the next line
diff --git a/etc/profile-m-z/wire-desktop.profile b/etc/profile-m-z/wire-desktop.profile
index d265c6bae..151cd2adb 100644
--- a/etc/profile-m-z/wire-desktop.profile
+++ b/etc/profile-m-z/wire-desktop.profile
@@ -4,33 +4,29 @@
 # Persistent local customizations
 include wire-desktop.local
 # Persistent global definitions
-# added by included profile
-#include globals.local
+include globals.local
 
 # Debian/Ubuntu use /opt/Wire. As that is not in PATH by default, run `firejail /opt/Wire/wire-desktop` to start it.
 
+# Disabled until someone reported positive feedback
+ignore include disable-exec.inc
+ignore include disable-xdg.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+ignore include whitelist-var-common.inc
+ignore novideo
+ignore private-cache
+
 ignore dbus-user none
 ignore dbus-system none
 
 noblacklist ${HOME}/.config/Wire
 
-include disable-devel.inc
-include disable-interpreters.inc
-
 mkdir ${HOME}/.config/Wire
 whitelist ${HOME}/.config/Wire
-include whitelist-common.inc
-
-nou2f
-ignore seccomp
-seccomp !chroot
-shell none
 
-disable-mnt
 private-bin bash,electron,electron[0-9],electron[0-9][0-9],env,sh,wire-desktop
-private-dev
 private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,resolv.conf,ssl
-private-tmp
 
 # Redirect
 include electron.profile
diff --git a/etc/profile-m-z/xfce4-mixer.profile b/etc/profile-m-z/xfce4-mixer.profile
index 6ff4a1103..78cb2862c 100644
--- a/etc/profile-m-z/xfce4-mixer.profile
+++ b/etc/profile-m-z/xfce4-mixer.profile
@@ -19,6 +19,7 @@ include disable-xdg.inc
 
 mkfile ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml
 whitelist ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml
+whitelist /usr/share/gstreamer
 whitelist /usr/share/xfce4
 whitelist /usr/share/xfce4-mixer
 include whitelist-common.inc
@@ -48,7 +49,9 @@ private-dev
 private-etc alternatives,asound.conf,fonts,machine-id,pulse
 private-tmp
 
-# dbus-user none
-# dbus-system none
+dbus-user filter
+dbus-user.own org.xfce.xfce4-mixer
+dbus-user.talk org.xfce.Xfconf
+dbus-system none
 
-memory-deny-write-execute
+# memory-deny-write-execute - breaks on Arch
diff --git a/etc/profile-m-z/xfce4-screenshooter.profile b/etc/profile-m-z/xfce4-screenshooter.profile
index b760b44dd..c9200304c 100644
--- a/etc/profile-m-z/xfce4-screenshooter.profile
+++ b/etc/profile-m-z/xfce4-screenshooter.profile
@@ -48,4 +48,4 @@ private-tmp
 dbus-user none
 dbus-system none
 
-memory-deny-write-execute
+# memory-deny-write-execute -- see #3790
diff --git a/etc/profile-m-z/xournalpp.profile b/etc/profile-m-z/xournalpp.profile
index a52858870..988b878b9 100644
--- a/etc/profile-m-z/xournalpp.profile
+++ b/etc/profile-m-z/xournalpp.profile
@@ -18,7 +18,7 @@ include whitelist-runuser-common.inc
 
 #mkdir ${HOME}/.xournalpp
 #whitelist ${HOME}/.xournalpp
-#whitelist ${HOME}/.texlive2019
+#whitelist ${HOME}/.texlive20*
 #whitelist ${DOCUMENTS}
 #include whitelist-common.inc
 
diff --git a/etc/profile-m-z/xplayer.profile b/etc/profile-m-z/xplayer.profile
index d22d04818..f0290f461 100644
--- a/etc/profile-m-z/xplayer.profile
+++ b/etc/profile-m-z/xplayer.profile
@@ -25,7 +25,7 @@ mkdir ${HOME}/.local/share/xplayer
 whitelist ${HOME}/.config/xplayer
 whitelist ${HOME}/.local/share/xplayer
 include whitelist-common.inc
-include whitelist-players.inc
+include whitelist-player-common.inc
 include whitelist-var-common.inc
 
 # apparmor - makes settings immutable
diff --git a/etc/profile-m-z/xzdec.profile b/etc/profile-m-z/xzdec.profile
index 542363b57..082392a08 100644
--- a/etc/profile-m-z/xzdec.profile
+++ b/etc/profile-m-z/xzdec.profile
@@ -7,35 +7,4 @@ include xzdec.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
-
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-
-caps.drop all
-ipc-namespace
-machine-id
-net none
-no3d
-nodvd
-#nogroups
-nonewprivs
-#noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-x11 none
-
-private-dev
-
-dbus-user none
-dbus-system none
+include archiver-common.inc
diff --git a/etc/profile-m-z/yelp.profile b/etc/profile-m-z/yelp.profile
index e198af8b2..479582b2a 100644
--- a/etc/profile-m-z/yelp.profile
+++ b/etc/profile-m-z/yelp.profile
@@ -20,7 +20,9 @@ include disable-xdg.inc
 mkdir ${HOME}/.config/yelp
 whitelist ${HOME}/.config/yelp
 whitelist /usr/share/doc
+whitelist /usr/share/groff
 whitelist /usr/share/help
+whitelist /usr/share/man
 whitelist /usr/share/yelp
 whitelist /usr/share/yelp-tools
 whitelist /usr/share/yelp-xsl
@@ -31,11 +33,15 @@ include whitelist-var-common.inc
 
 apparmor
 caps.drop all
+# machine-id breaks sound - uncomment here or put it in your yelp.local if you don't need it
+#machine-id
 net none
 nodvd
 nogroups
 nonewprivs
 noroot
+# nosound - uncomment here or put it in your yelp.local if you don't need it
+#nosound
 notv
 nou2f
 novideo
@@ -46,17 +52,25 @@ shell none
 tracelog
 
 disable-mnt
-private-bin yelp
+private-bin groff,man,tbl,troff,yelp
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,crypto-policies,cups,dconf,drirc,fonts,gcrypt,gtk-3.0,machine-id,openal,os-release,pulse,sgml,xml
+private-etc alsa,alternatives,asound.conf,crypto-policies,cups,dconf,drirc,fonts,gcrypt,groff,gtk-3.0,machine-id,man_db.conf,openal,os-release,pulse,sgml,xml
 private-tmp
 
+dbus-user filter
+dbus-user.own org.gnome.Yelp
+dbus-user.talk ca.desrt.dconf
 dbus-system none
 
-# read-only ${HOME} breaks some not necesarry featrues, comment it if
-# you need them or put 'ignore read-only ${HOME}' into your yelp.local.
-# broken features:
+# read-only ${HOME} breaks some features:
 #  1. yelp --editor-mode
 #  2. saving the window geometry
+# comment the line below or put 'ignore read-only ${HOME}' into your yelp.local if you need these features
 read-only ${HOME}
+read-write ${HOME}/.cache
+#  3. printing to PDF in ${DOCUMENTS}
+# additionally uncomment the lines below or put 'noblacklist ${DOCUMENTS}' and
+# 'whitelist ${DOCUMENTS}' into your yelp.local if you need printing to PDF support
+#noblacklist ${DOCUMENTS}
+#whitelist ${DOCUMENTS}
diff --git a/etc/profile-m-z/youtube-dl.profile b/etc/profile-m-z/youtube-dl.profile
index d9dee6891..6ce632682 100644
--- a/etc/profile-m-z/youtube-dl.profile
+++ b/etc/profile-m-z/youtube-dl.profile
@@ -21,7 +21,6 @@ include allow-python2.inc
 include allow-python3.inc
 
 blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
 blacklist ${RUNUSER}
 
 include disable-common.inc
diff --git a/etc/profile-m-z/youtube-viewer.profile b/etc/profile-m-z/youtube-viewer.profile
index 513cb0f6e..a3a2afa29 100644
--- a/etc/profile-m-z/youtube-viewer.profile
+++ b/etc/profile-m-z/youtube-viewer.profile
@@ -7,10 +7,6 @@ include youtube-viewer.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
-blacklist ${RUNUSER}
-
 noblacklist ${HOME}/.config/youtube-viewer
 
 include allow-perl.inc
@@ -47,11 +43,11 @@ shell none
 tracelog
 
 disable-mnt
-# private-bin ffmpeg,ffprobe,firefox,gtk-youtube-viewer,gtk2-youtube-viewer,gtk3-youtube-viewer,mpv,python*,smplayer,sh,which,vlc,youtube-dl,youtube-viewer
+private-bin ffmpeg,ffprobe,firefox,gtk-youtube-viewer,gtk2-youtube-viewer,gtk3-youtube-viewer,mpv,python*,sh,smplayer,stty,vlc,which,youtube-dl,youtube-viewer
 private-cache
 private-dev
 private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,machine-id,mime.types,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl,X11,xdg
 private-tmp
 
 dbus-user none
-dbus-system none
\ No newline at end of file
+dbus-system none
diff --git a/etc/profile-m-z/youtube.profile b/etc/profile-m-z/youtube.profile
index a6c7750a9..ad7ceaee4 100644
--- a/etc/profile-m-z/youtube.profile
+++ b/etc/profile-m-z/youtube.profile
@@ -6,32 +6,19 @@ include youtube.local
 # Persistent global definitions
 include globals.local
 
+# Disabled until someone reported positive feedback
+ignore nou2f
+
 noblacklist ${HOME}/.config/Youtube
 
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-shell.inc 
-include disable-xdg.inc
+include disable-shell.inc
 
 mkdir ${HOME}/.config/Youtube
 whitelist ${HOME}/.config/Youtube
-include whitelist-common.inc 
-include whitelist-runuser-common.inc 
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
-
-novideo
-seccomp !chroot
-shell none
 
-disable-mnt
 private-bin youtube
-private-cache
-private-dev
 private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 private-opt Youtube
-private-tmp
 
 # Redirect
 include electron.profile
diff --git a/etc/profile-m-z/youtubemusic-nativefier.profile b/etc/profile-m-z/youtubemusic-nativefier.profile
index 3a94a5707..74b0e38b9 100644
--- a/etc/profile-m-z/youtubemusic-nativefier.profile
+++ b/etc/profile-m-z/youtubemusic-nativefier.profile
@@ -8,31 +8,14 @@ include globals.local
 
 noblacklist ${HOME}/.config/youtubemusic-nativefier-040164
 
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-shell.inc 
-include disable-xdg.inc
+include disable-shell.inc
 
 mkdir ${HOME}/.config/youtubemusic-nativefier-040164
 whitelist ${HOME}/.config/youtubemusic-nativefier-040164
-include whitelist-common.inc 
-include whitelist-runuser-common.inc 
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
 
-nou2f
-novideo
-seccomp !chroot
-shell none
-
-disable-mnt
 private-bin youtubemusic-nativefier
-private-cache
-private-dev
 private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 private-opt youtubemusic-nativefier
-private-tmp
 
 # Redirect
 include electron.profile
diff --git a/etc/profile-m-z/ytmdesktop.profile b/etc/profile-m-z/ytmdesktop.profile
index 5c37b838b..ab46fccc2 100644
--- a/etc/profile-m-z/ytmdesktop.profile
+++ b/etc/profile-m-z/ytmdesktop.profile
@@ -10,30 +10,12 @@ ignore dbus-user none
 
 noblacklist ${HOME}/.config/youtube-music-desktop-app
 
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-xdg.inc
-
 mkdir ${HOME}/.config/youtube-music-desktop-app
 whitelist ${HOME}/.config/youtube-music-desktop-app
-include whitelist-common.inc 
-include whitelist-runuser-common.inc 
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
-
-nou2f
-novideo
-seccomp !chroot
-shell none
 
-disable-mnt
 # private-bin env,ytmdesktop
-private-cache
-private-dev
 private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
-# private-opt 
-private-tmp
+# private-opt
 
 # Redirect
 include electron.profile
diff --git a/etc/profile-m-z/zathura.profile b/etc/profile-m-z/zathura.profile
index 5274e5b42..86615341f 100644
--- a/etc/profile-m-z/zathura.profile
+++ b/etc/profile-m-z/zathura.profile
@@ -28,7 +28,6 @@ include whitelist-var-common.inc
 
 apparmor
 caps.drop all
-ipc-namespace
 machine-id
 net none
 nodvd
diff --git a/etc/profile-m-z/zoom.profile b/etc/profile-m-z/zoom.profile
index f175e5e21..e8cd64c93 100644
--- a/etc/profile-m-z/zoom.profile
+++ b/etc/profile-m-z/zoom.profile
@@ -6,16 +6,20 @@ include zoom.local
 # Persistent global definitions
 include globals.local
 
+# Disabled until someone reported positive feedback
+ignore apparmor
+ignore novideo
+ignore dbus-user none
+ignore dbus-system none
+
+# nogroups breaks webcam access on non-systemd systems (see #3711).
+# If you use such a system uncomment the line below or put 'ignore nogroups' in your zoom.local
+#ignore nogroups
+
 noblacklist ${HOME}/.config/zoomus.conf
 noblacklist ${HOME}/.zoom
 
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-include disable-xdg.inc
+nowhitelist ${DOWNLOADS}
 
 mkdir ${HOME}/.cache/zoom
 mkfile ${HOME}/.config/zoomus.conf
@@ -23,27 +27,9 @@ mkdir ${HOME}/.zoom
 whitelist ${HOME}/.cache/zoom
 whitelist ${HOME}/.config/zoomus.conf
 whitelist ${HOME}/.zoom
-include whitelist-common.inc
-include whitelist-runuser-common.inc
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
 
-caps.drop all
-netfilter
-nodvd
-#nogroups - breaks webcam access (see #3711)
-nonewprivs
-noroot
-notv
-nou2f
-protocol unix,inet,inet6,netlink
-seccomp !chroot
-shell none
-tracelog
-
-disable-mnt
-private-cache
-private-dev
 # Disable for now, see https://github.com/netblue30/firejail/issues/3726
 #private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl
-private-tmp
+
+# Redirect
+include electron.profile
diff --git a/etc/profile-m-z/zstd.profile b/etc/profile-m-z/zstd.profile
index be27c10e1..42749ba6d 100644
--- a/etc/profile-m-z/zstd.profile
+++ b/etc/profile-m-z/zstd.profile
@@ -7,37 +7,4 @@ include zstd.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
-
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-
-apparmor
-caps.drop all
-hostname zstd
-ipc-namespace
-machine-id
-net none
-no3d
-nodvd
-nogroups
-nonewprivs
-#noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-x11 none
-
-private-cache
-private-dev
-
-memory-deny-write-execute
+include archiver-common.inc
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index b0a223911..23b1e364a 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -34,6 +34,7 @@ abiword
 abrowser
 akonadi_control
 akregator
+alacarte
 amarok
 amule
 amuled
@@ -63,6 +64,7 @@ audacious
 audacity
 audio-recorder
 authenticator
+authenticator-rs
 autokey-gtk
 autokey-qt
 autokey-run
@@ -139,6 +141,7 @@ cmus
 code
 code-oss
 cola
+com.github.bleakgrey.tootle
 com.github.dahenson.agenda
 com.github.johnfactotum.Foliate
 com.gitlab.newsflash
@@ -173,11 +176,13 @@ dnox
 dnscrypt-proxy
 dnsmasq
 dolphin
+dolphin-emu
 dooble
 dooble-qt4
 dosbox
 dragon
 drawio
+drill
 dropbox
 d-feet
 easystroke
@@ -197,14 +202,14 @@ enpass
 eog
 eom
 ephemeral
-#epiphany
+#epiphany - see #2995
 equalx
 et
 etr
 evince
 evince-previewer
 evince-thumbnailer
-evolution
+#evolution - see #3647
 exfalso
 exiftool
 falkon
@@ -212,7 +217,7 @@ fbreader
 feedreader
 feh
 ferdi
-ffmpeg
+#ffmpeg
 ffmpegthumbnailer
 ffplay
 ffprobe
@@ -334,6 +339,7 @@ gradio
 gramps
 gravity-beams-and-evaporating-stars
 gthumb
+gtk-straw-viewer
 gtk-youtube-viewer
 gtk2-youtube-viewer
 gtk3-youtube-viewer
@@ -417,6 +423,7 @@ kwrite
 leafpad
 # less - breaks man
 libreoffice
+librewolf
 liferea
 lightsoff
 lincity-ng
@@ -456,6 +463,7 @@ mate-calculator
 mate-color-select
 mate-dictionary
 mathematica
+matrix-mirage
 mattermost-desktop
 mcabber
 mediainfo
@@ -467,6 +475,8 @@ mencoder
 mendeleydesktop
 menulibre
 meteo-qt
+microsoft-edge
+microsoft-edge-dev
 midori
 min
 mindless
@@ -578,6 +588,7 @@ pdfsam
 pdftotext
 peek
 penguin-command
+photoflare
 picard
 pidgin
 #ping - disabled until we fix  #1912
@@ -682,6 +693,7 @@ steam-native
 steam-runtime
 stellarium
 strawberry
+straw-viewer
 strings
 studio.sh
 subdownloader
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 6c0ebcd43..80987e494 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -372,7 +372,7 @@ char *guess_shell(void);
 // sandbox.c
 #define SANDBOX_DONE '1'
 int sandbox(void* sandbox_arg);
-void start_application(int no_sandbox, char *set_sandbox_status) __attribute__((noreturn));
+void start_application(int no_sandbox, int fd, char *set_sandbox_status) __attribute__((noreturn));
 void set_apparmor(void);
 
 // network_main.c
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 76ec102c3..0d4e496e8 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -162,6 +162,13 @@ static void disable_file(OPERATION op, const char *filename) {
         }
         else if (op == MOUNT_TMPFS) {
                 if (S_ISDIR(s.st_mode)) {
+                        if (getuid()) {
+                                if (strncmp(cfg.homedir, fname, strlen(cfg.homedir)) != 0 ||
+                                    fname[strlen(cfg.homedir)] != '/') {
+                                        fprintf(stderr, "Error: tmpfs outside $HOME is only available for root\n");
+                                        exit(1);
+                                }
+                        }
                         fs_tmpfs(fname, getuid());
                         last_disable = SUCCESSFUL;
                 }
@@ -366,14 +373,6 @@ void fs_blacklist(void) {
                 else if (strncmp(entry->data, "tmpfs ", 6) == 0) {
                         ptr = entry->data + 6;
                         op = MOUNT_TMPFS;
-                        char *resolved_path = realpath(ptr, NULL);
-                        if (!resolved_path || strncmp(cfg.homedir, resolved_path, strlen(cfg.homedir)) != 0) {
-                                if (getuid() != 0) {
-                                        fprintf(stderr, "Error: tmpfs outside $HOME is only available for root\n");
-                                        exit(1);
-                                }
-                        }
-                        free(resolved_path);
                 }
                 else if (strncmp(entry->data, "mkdir ", 6) == 0) {
                         EUID_USER();
@@ -1262,28 +1261,3 @@ void fs_private_tmp(void) {
         }
         closedir(dir);
 }
-
-// this function is called from sandbox.c before blacklist/whitelist functions
-void fs_private_cache(void) {
-        char *cache;
-        if (asprintf(&cache, "%s/.cache", cfg.homedir) == -1)
-                errExit("asprintf");
-        // check if ~/.cache is a valid destination
-        struct stat s;
-        if (lstat(cache, &s) == -1) {
-                fwarning("skipping private-cache: cannot find %s\n", cache);
-                free(cache);
-                return;
-        }
-        if (!S_ISDIR(s.st_mode)) {
-                if (S_ISLNK(s.st_mode))
-                        fwarning("skipping private-cache: %s is a symbolic link\n", cache);
-                else
-                        fwarning("skipping private-cache: %s is not a directory\n", cache);
-                free(cache);
-                return;
-        }
-        // do the mount
-        fs_tmpfs(cache, getuid()); // check ownership of ~/.cache
-        free(cache);
-}
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
index af891d61f..8c7c19203 100644
--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -360,43 +360,38 @@ void fs_private(void) {
         selinux_relabel_path("/root", "/root");
         fs_logger("tmpfs /root");
 
-        if (arg_allusers) {
-                if (u != 0)
-                        // mask user home directory
-                        // the directory should be owned by the current user
-                        fs_tmpfs(homedir, 1);
-        }
-        else { // mask /home
+        // mask /home
+        if (!arg_allusers) {
                 if (arg_debug)
                         printf("Mounting a new /home directory\n");
                 if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME,  "mode=755,gid=0") < 0)
                         errExit("mounting /home directory");
                 selinux_relabel_path("/home", "/home");
                 fs_logger("tmpfs /home");
+        }
 
-                if (u != 0) {
-                        if (strncmp(homedir, "/home/", 6) == 0) {
-                                // create /home/user
-                                if (arg_debug)
-                                        printf("Create a new user directory\n");
-                                if (mkdir(homedir, S_IRWXU) == -1) {
-                                        if (mkpath_as_root(homedir) == -1)
-                                                errExit("mkpath");
-                                        if (mkdir(homedir, S_IRWXU) == -1 && errno != EEXIST)
-                                                errExit("mkdir");
-                                }
-                                if (chown(homedir, u, g) < 0)
-                                        errExit("chown");
-
-                                selinux_relabel_path(homedir, homedir);
-                                fs_logger2("mkdir", homedir);
-                                fs_logger2("tmpfs", homedir);
+        if (u != 0) {
+                if (!arg_allusers && strncmp(homedir, "/home/", 6) == 0) {
+                        // create new empty /home/user directory
+                        if (arg_debug)
+                                printf("Create a new user directory\n");
+                        if (mkdir(homedir, S_IRWXU) == -1) {
+                                if (mkpath_as_root(homedir) == -1)
+                                        errExit("mkpath");
+                                if (mkdir(homedir, S_IRWXU) == -1)
+                                        errExit("mkdir");
                         }
-                        else
-                                // mask user home directory
-                                // the directory should be owned by the current user
-                                fs_tmpfs(homedir, 1);
+                        if (chown(homedir, u, g) < 0)
+                                errExit("chown");
+
+                        selinux_relabel_path(homedir, homedir);
+                        fs_logger2("mkdir", homedir);
+                        fs_logger2("tmpfs", homedir);
                 }
+                else
+                        // mask user home directory
+                        // the directory should be owned by the current user
+                        fs_tmpfs(homedir, 1);
         }
 
         skel(homedir, u, g);
diff --git a/src/firejail/fs_lib.c b/src/firejail/fs_lib.c
index 64444bba2..5cfd33b42 100644
--- a/src/firejail/fs_lib.c
+++ b/src/firejail/fs_lib.c
@@ -378,6 +378,9 @@ void fs_private_lib(void) {
         // bring in firejail executable libraries in case we are redirected here by a firejail symlink from /usr/local/bin/firejail
         fslib_install_list("/usr/bin/firejail,firejail"); // todo: use the installed path for the executable
 
+        // install libraries needed by fcopy
+        fslib_install_list(PATH_FCOPY);
+
         fmessage("Installed %d %s and %d %s\n", lib_cnt, (lib_cnt == 1)? "library": "libraries",
                 dir_cnt, (dir_cnt == 1)? "directory": "directories");
 
diff --git a/src/firejail/join.c b/src/firejail/join.c
index ca8b8c4bf..d2f802add 100644
--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -20,10 +20,14 @@
 #include "firejail.h"
 #include <sys/stat.h>
 #include <sys/wait.h>
-#include <fcntl.h>
 #include <unistd.h>
 #include <errno.h>
 
+#include <fcntl.h>
+#ifndef O_PATH
+#define O_PATH 010000000
+#endif
+
 #include <sys/prctl.h>
 #ifndef PR_SET_NO_NEW_PRIVS
 #define PR_SET_NO_NEW_PRIVS 38
@@ -299,6 +303,21 @@ static void extract_umask(pid_t pid) {
         fclose(fp);
 }
 
+static int open_shell(void) {
+        EUID_ASSERT();
+        assert(cfg.shell);
+
+        if (arg_debug)
+                printf("Opening shell %s\n", cfg.shell);
+        // file descriptor will leak if not opened with O_CLOEXEC !!
+        int fd = open(cfg.shell, O_PATH|O_CLOEXEC);
+        if (fd == -1) {
+                fprintf(stderr, "Error: cannot open shell %s\n", cfg.shell);
+                exit(1);
+        }
+        return fd;
+}
+
 // return false if the sandbox identified by pid is not fully set up yet or if
 // it is no firejail sandbox at all, return true if the sandbox is complete
 bool is_ready_for_join(const pid_t pid) {
@@ -391,6 +410,10 @@ void join(pid_t pid, int argc, char **argv, int index) {
 
         extract_x11_display(parent);
 
+        int shfd = -1;
+        if (!arg_shell_none)
+                shfd = open_shell();
+
         EUID_ROOT();
         // in user mode set caps seccomp, cpu, cgroup, etc
         if (getuid() != 0) {
@@ -522,10 +545,9 @@ void join(pid_t pid, int argc, char **argv, int index) {
                 extract_command(argc, argv, index);
                 if (cfg.command_line == NULL) {
                         assert(cfg.shell);
-                        cfg.command_line = cfg.shell;
                         cfg.window_title = cfg.shell;
                 }
-                if (arg_debug)
+                else if (arg_debug)
                         printf("Extracted command #%s#\n", cfg.command_line);
 
                 // set cpu affinity
@@ -554,11 +576,13 @@ void join(pid_t pid, int argc, char **argv, int index) {
                         dbus_set_system_bus_env();
 #endif
 
-                start_application(0, NULL);
+                start_application(0, shfd, NULL);
 
                 __builtin_unreachable();
         }
         EUID_USER();
+        if (shfd != -1)
+                close(shfd);
 
         int status = 0;
         //*****************************
diff --git a/src/firejail/ls.c b/src/firejail/ls.c
index 1a65c9ff0..e61edf427 100644
--- a/src/firejail/ls.c
+++ b/src/firejail/ls.c
@@ -26,6 +26,7 @@
 #include <dirent.h>
 #include <pwd.h>
 #include <grp.h>
+#include <fcntl.h>
 //#include <dirent.h>
 //#include <stdio.h>
 //#include <stdlib.h>
@@ -293,6 +294,41 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) {
                 printf("file2 %s\n", fname2 ? fname2 : "(null)");
         }
 
+        // get file from sandbox and store it in the current directory
+        // implemented using --cat
+        if (op == SANDBOX_FS_GET) {
+                char *dest_fname = strrchr(fname1, '/');
+                if (!dest_fname || *(++dest_fname) == '\0') {
+                        fprintf(stderr, "Error: invalid file name %s\n", fname1);
+                        exit(1);
+                }
+                // create destination file if necessary
+                EUID_ASSERT();
+                int fd = open(dest_fname, O_WRONLY|O_CREAT|O_CLOEXEC, S_IRUSR | S_IWRITE);
+                if (fd == -1) {
+                        fprintf(stderr, "Error: cannot open %s for writing\n", dest_fname);
+                        exit(1);
+                }
+                struct stat s;
+                if (fstat(fd, &s) == -1)
+                        errExit("fstat");
+                if (!S_ISREG(s.st_mode)) {
+                        fprintf(stderr, "Error: %s is no regular file\n", dest_fname);
+                        exit(1);
+                }
+                if (ftruncate(fd, 0) == -1)
+                        errExit("ftruncate");
+                // go quiet - messages on stdout will corrupt the file
+                arg_debug = 0;
+                arg_quiet = 1;
+                // redirection
+                if (dup2(fd, STDOUT_FILENO) == -1)
+                        errExit("dup2");
+                assert(fd != STDOUT_FILENO);
+                close(fd);
+                op = SANDBOX_FS_CAT;
+        }
+
         // sandbox root directory
         char *rootdir;
         if (asprintf(&rootdir, "/proc/%d/root", pid) == -1)
@@ -317,92 +353,6 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) {
                 __gcov_flush();
 #endif
         }
-
-        // get file from sandbox and store it in the current directory
-        else if (op == SANDBOX_FS_GET) {
-                char *src_fname =fname1;
-                char *dest_fname = strrchr(fname1, '/');
-                if (!dest_fname || *(++dest_fname) == '\0') {
-                        fprintf(stderr, "Error: invalid file name %s\n", fname1);
-                        exit(1);
-                }
-
-                EUID_ROOT();
-                if (arg_debug)
-                        printf("copy %s to %s\n", src_fname, dest_fname);
-
-                // create a user-owned temporary file in /run/firejail directory
-                char tmp_fname[] = "/run/firejail/tmpget-XXXXXX";
-                int fd = mkstemp(tmp_fname);
-                if (fd == -1) {
-                        fprintf(stderr, "Error: cannot create temporary file %s\n", tmp_fname);
-                        exit(1);
-                }
-                SET_PERMS_FD(fd, getuid(), getgid(), 0600);
-                close(fd);
-
-                // copy the source file into the temporary file - we need to chroot
-                pid_t child = fork();
-                if (child < 0)
-                        errExit("fork");
-                if (child == 0) {
-                        // chroot
-                        if (chroot(rootdir) < 0)
-                                errExit("chroot");
-                        if (chdir("/") < 0)
-                                errExit("chdir");
-
-                        // drop privileges
-                        drop_privs(0);
-
-                        // copy the file
-                        if (copy_file(src_fname, tmp_fname, getuid(), getgid(), 0600)) // already a regular user
-                                _exit(1);
-#ifdef HAVE_GCOV
-                        __gcov_flush();
-#endif
-                        _exit(0);
-                }
-
-                // wait for the child to finish
-                int status = 0;
-                waitpid(child, &status, 0);
-                if (WIFEXITED(status) && WEXITSTATUS(status) == 0);
-                else {
-                        unlink(tmp_fname);
-                        exit(1);
-                }
-
-                // copy the temporary file into the destination file
-                child = fork();
-                if (child < 0)
-                        errExit("fork");
-                if (child == 0) {
-                        // drop privileges
-                        drop_privs(0);
-
-                        // copy the file
-                        if (copy_file(tmp_fname, dest_fname, getuid(), getgid(), 0600)) // already a regular user
-                                _exit(1);
-#ifdef HAVE_GCOV
-                        __gcov_flush();
-#endif
-                        _exit(0);
-                }
-
-                // wait for the child to finish
-                status = 0;
-                waitpid(child, &status, 0);
-                if (WIFEXITED(status) && WEXITSTATUS(status) == 0);
-                else {
-                        unlink(tmp_fname);
-                        exit(1);
-                }
-
-                // remove the temporary file
-                unlink(tmp_fname);
-                EUID_USER();
-        }
         // get file from host and store it in the sandbox
         else if (op == SANDBOX_FS_PUT && path2) {
                 char *src_fname =fname1;
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 676d04895..e5d8a4720 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -161,7 +161,6 @@ int fullargc = 0;
 static pid_t child = 0;
 pid_t sandbox_pid;
 mode_t orig_umask = 022;
-unsigned long long start_timestamp;
 
 static void clear_atexit(void) {
         EUID_ROOT();
@@ -868,7 +867,8 @@ char *guess_shell(void) {
         shell = getenv("SHELL");
         if (shell) {
                 invalid_filename(shell, 0); // no globbing
-                if (!is_dir(shell) && strstr(shell, "..") == NULL && stat(shell, &s) == 0 && access(shell, X_OK) == 0)
+                if (!is_dir(shell) && strstr(shell, "..") == NULL && stat(shell, &s) == 0 && access(shell, X_OK) == 0 &&
+                    strcmp(shell, PATH_FIREJAIL) != 0)
                         return shell;
         }
 
@@ -1026,7 +1026,7 @@ int main(int argc, char **argv, char **envp) {
         init_cfg(argc, argv);
 
         // get starting timestamp, process --quiet
-        start_timestamp = getticks();
+        timetrace_start();
         char *env_quiet = getenv("FIREJAIL_QUIET");
         if (check_arg(argc, argv, "--quiet", 1) || (env_quiet && strcmp(env_quiet, "yes") == 0))
                 arg_quiet = 1;
@@ -2398,6 +2398,13 @@ int main(int argc, char **argv, char **envp) {
                                         fprintf(stderr, "Error: invalid MAC address\n");
                                         exit(1);
                                 }
+
+                                // check multicast address
+                                if (br->macsandbox[0] & 1) {
+                                        fprintf(stderr, "Error: invalid MAC address (multicast)\n");
+                                        exit(1);
+                                }
+
                         }
                         else
                                 exit_err_feature("networking");
@@ -2780,7 +2787,7 @@ int main(int argc, char **argv, char **envp) {
 
         // build the sandbox command
         if (prog_index == -1 && cfg.shell) {
-                cfg.command_line = cfg.shell;
+                assert(cfg.command_line == NULL); // runs cfg.shell
                 cfg.window_title = cfg.shell;
                 cfg.command_name = cfg.shell;
         }
@@ -3023,8 +3030,15 @@ int main(int argc, char **argv, char **envp) {
                 ptr += strlen(ptr);
 
                 if (!arg_nogroups) {
+                        //  add firejail group
+                        gid_t g = get_group_id("firejail");
+                        if (g) {
+                                sprintf(ptr, "%d %d 1\n", g, g);
+                                ptr += strlen(ptr);
+                        }
+
                         //  add tty group
-                        gid_t g = get_group_id("tty");
+                        g = get_group_id("tty");
                         if (g) {
                                 sprintf(ptr, "%d %d 1\n", g, g);
                                 ptr += strlen(ptr);
diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c
index 01df77ee6..6c7803602 100644
--- a/src/firejail/no_sandbox.c
+++ b/src/firejail/no_sandbox.c
@@ -204,14 +204,15 @@ void run_no_sandbox(int argc, char **argv) {
                         break;
                 }
         }
-        // if shell is /usr/bin/firejail, replace it with /bin/bash
-        if (strcmp(cfg.shell, PATH_FIREJAIL) == 0) {
-                cfg.shell = "/bin/bash";
-                prog_index = 0;
-        }
+
+// if shell is /usr/bin/firejail, replace it with /bin/bash
+//      if (strcmp(cfg.shell, PATH_FIREJAIL) == 0) {
+//              cfg.shell = "/bin/bash";
+//              prog_index = 0;
+//      }
 
         if (prog_index == 0) {
-                cfg.command_line = cfg.shell;
+                assert(cfg.command_line == NULL); // runs cfg.shell
                 cfg.window_title = cfg.shell;
         } else {
                 build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index);
@@ -230,5 +231,5 @@ void run_no_sandbox(int argc, char **argv) {
 
         arg_quiet = 1;
 
-        start_application(1, NULL);
+        start_application(1, -1, NULL);
 }
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 5ddf6fdbb..1ee8cdfcb 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -619,6 +619,17 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 #endif
                 return 0;
         }
+        else if (strncmp(ptr, "netns  ", 6) == 0) {
+#ifdef HAVE_NETWORK
+                if (checkcfg(CFG_NETWORK)) {
+                        arg_netns = ptr + 6;
+                        check_netns(arg_netns);
+                }
+                else
+                        warning_feature_disabled("networking");
+#endif
+                return 0;
+        }
         else if (strcmp(ptr, "net none") == 0) {
                 arg_nonetwork  = 1;
                 cfg.bridge0.configured = 0;
@@ -745,6 +756,12 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                                 fprintf(stderr, "Error: invalid MAC address\n");
                                 exit(1);
                         }
+
+                        // check multicast address
+                        if (br->macsandbox[0] & 1) {
+                                fprintf(stderr, "Error: invalid MAC address (multicast)\n");
+                                exit(1);
+                        }
                 }
                 else
                         warning_feature_disabled("networking");
@@ -1497,7 +1514,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 if (checkcfg(CFG_JOIN) || getuid() == 0) {
                         // try to join by name only
                         pid_t pid;
-                        if (!name2pid(ptr + 14, &pid)) {
+                        EUID_ROOT();
+                        int r = name2pid(ptr + 14, &pid);
+                        EUID_USER();
+                        if (!r) {
                                 if (!cfg.shell && !arg_shell_none)
                                         cfg.shell = guess_shell();
 
diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c
index 84cbb1977..a5c924a70 100644
--- a/src/firejail/pulseaudio.c
+++ b/src/firejail/pulseaudio.c
@@ -31,6 +31,8 @@
 #define O_PATH 010000000
 #endif
 
+#define PULSE_CLIENT_SYSCONF "/etc/pulse/client.conf"
+
 // disable pulseaudio socket
 void pulseaudio_disable(void) {
         if (arg_debug)
@@ -73,8 +75,8 @@ void pulseaudio_disable(void) {
         closedir(dir);
 }
 
-static void pulseaudio_set_environment(const char *path) {
-        assert(path);
+static void pulseaudio_fallback(const char *path) {
+        fmessage("Cannot mount tmpfs on %s/.config/pulse\n", cfg.homedir);
         if (setenv("PULSE_CLIENTCONFIG", path, 1) < 0)
                 errExit("setenv");
 }
@@ -84,9 +86,9 @@ void pulseaudio_init(void) {
         struct stat s;
 
         // do we have pulseaudio in the system?
-        if (stat("/etc/pulse/client.conf", &s) == -1) {
+        if (stat(PULSE_CLIENT_SYSCONF, &s) == -1) {
                 if (arg_debug)
-                        printf("/etc/pulse/client.conf not found\n");
+                        printf("%s not found\n", PULSE_CLIENT_SYSCONF);
                 return;
         }
 
@@ -101,7 +103,7 @@ void pulseaudio_init(void) {
         char *pulsecfg = NULL;
         if (asprintf(&pulsecfg, "%s/client.conf", RUN_PULSE_DIR) == -1)
                 errExit("asprintf");
-        if (copy_file("/etc/pulse/client.conf", pulsecfg, -1, -1, 0644)) // root needed
+        if (copy_file(PULSE_CLIENT_SYSCONF, pulsecfg, -1, -1, 0644)) // root needed
                 errExit("copy_file");
         FILE *fp = fopen(pulsecfg, "a");
         if (!fp)
@@ -126,11 +128,11 @@ void pulseaudio_init(void) {
         if (create_empty_dir_as_user(homeusercfg, 0700))
                 fs_logger2("create", homeusercfg);
 
-        // if ~/.config/pulse now exists and there are no symbolic links, mount the new directory
+        // if ~/.config/pulse exists and there are no symbolic links, mount the new directory
         // else set environment variable
         int fd = safe_fd(homeusercfg, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
         if (fd == -1) {
-                pulseaudio_set_environment(pulsecfg);
+                pulseaudio_fallback(pulsecfg);
                 goto out;
         }
         // confirm the actual mount destination is owned by the user
@@ -138,12 +140,12 @@ void pulseaudio_init(void) {
                 if (errno != EACCES)
                         errExit("fstat");
                 close(fd);
-                pulseaudio_set_environment(pulsecfg);
+                pulseaudio_fallback(pulsecfg);
                 goto out;
         }
         if (s.st_uid != getuid()) {
                 close(fd);
-                pulseaudio_set_environment(pulsecfg);
+                pulseaudio_fallback(pulsecfg);
                 goto out;
         }
         // preserve a read-only mount
@@ -171,8 +173,9 @@ void pulseaudio_init(void) {
         char *p;
         if (asprintf(&p, "%s/client.conf", homeusercfg) == -1)
                 errExit("asprintf");
+        if (setenv("PULSE_CLIENTCONFIG", p, 1) < 0)
+                errExit("setenv");
         fs_logger2("create", p);
-        pulseaudio_set_environment(p);
         free(p);
 
         // RUN_PULSE_DIR not needed anymore, mask it
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 8bfe76603..d811fe45a 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -141,7 +141,7 @@ void set_apparmor(void) {
 }
 #endif
 
-void seccomp_debug(void) {
+static void seccomp_debug(void) {
         if (arg_debug == 0)
                 return;
 
@@ -400,19 +400,8 @@ static int monitor_application(pid_t app_pid) {
 }
 
 static void print_time(void) {
-        if (start_timestamp) {
-                unsigned long long end_timestamp = getticks();
-                // measure 1 ms
-                usleep(1000);
-                unsigned long long onems = getticks() - end_timestamp;
-                if (onems) {
-                        fmessage("Child process initialized in %.02f ms\n",
-                                (float) (end_timestamp - start_timestamp) / (float) onems);
-                        return;
-                }
-        }
-
-        fmessage("Child process initialized\n");
+        float delta = timetrace_end();
+        fmessage("Child process initialized in %.02f ms\n", delta);
 }
 
 
@@ -472,7 +461,7 @@ static int ok_to_run(const char *program) {
         return 0;
 }
 
-void start_application(int no_sandbox, char *set_sandbox_status) {
+void start_application(int no_sandbox, int fd, char *set_sandbox_status) {
         // set environment
         if (no_sandbox == 0) {
                 env_defaults();
@@ -482,7 +471,7 @@ void start_application(int no_sandbox, char *set_sandbox_status) {
         umask(orig_umask);
 
         if (arg_debug) {
-                printf("starting application\n");
+                printf("Starting application\n");
                 printf("LD_PRELOAD=%s\n", getenv("LD_PRELOAD"));
         }
 
@@ -499,9 +488,6 @@ void start_application(int no_sandbox, char *set_sandbox_status) {
                 if (set_sandbox_status)
                         *set_sandbox_status = SANDBOX_DONE;
                 execl(arg_audit_prog, arg_audit_prog, NULL);
-
-                perror("execl");
-                exit(1);
         }
         //****************************************
         // start the program without using a shell
@@ -543,35 +529,37 @@ void start_application(int no_sandbox, char *set_sandbox_status) {
         //****************************************
         else {
                 assert(cfg.shell);
-                assert(cfg.command_line);
 
                 char *arg[5];
                 int index = 0;
                 arg[index++] = cfg.shell;
-                if (login_shell) {
-                        arg[index++] = "-l";
-                        if (arg_debug)
-                                printf("Starting %s login shell\n", cfg.shell);
-                } else {
-                        arg[index++] = "-c";
+                if (cfg.command_line) {
                         if (arg_debug)
                                 printf("Running %s command through %s\n", cfg.command_line, cfg.shell);
+                        arg[index++] = "-c";
                         if (arg_doubledash)
                                 arg[index++] = "--";
                         arg[index++] = cfg.command_line;
                 }
-                arg[index] = NULL;
+                else if (login_shell) {
+                        if (arg_debug)
+                                printf("Starting %s login shell\n", cfg.shell);
+                        arg[index++] = "-l";
+                }
+                else if (arg_debug)
+                        printf("Starting %s shell\n", cfg.shell);
+
                 assert(index < 5);
+                arg[index] = NULL;
 
                 if (arg_debug) {
                         char *msg;
-                        if (asprintf(&msg, "sandbox %d, execvp into %s", sandbox_pid, cfg.command_line) == -1)
+                        if (asprintf(&msg, "sandbox %d, execvp into %s",
+                                sandbox_pid, cfg.command_line ? cfg.command_line : cfg.shell) == -1)
                                 errExit("asprintf");
                         logmsg(msg);
                         free(msg);
-                }
 
-                if (arg_debug) {
                         int i;
                         for (i = 0; i < 5; i++) {
                                 if (arg[i] == NULL)
@@ -591,10 +579,14 @@ void start_application(int no_sandbox, char *set_sandbox_status) {
                 if (set_sandbox_status)
                         *set_sandbox_status = SANDBOX_DONE;
                 execvp(arg[0], arg);
+
+                // join sandbox without shell in the mount namespace
+                if (fd > -1)
+                        fexecve(fd, arg, environ);
         }
 
-        perror("execvp");
-        exit(1); // it should never get here!!!
+        perror("Cannot start application");
+        exit(1);
 }
 
 static void enforce_filters(void) {
@@ -923,12 +915,9 @@ int sandbox(void* sandbox_arg) {
 
 #ifdef HAVE_USERTMPFS
         if (arg_private_cache) {
-                if (cfg.chrootdir)
-                        fwarning("private-cache feature is disabled in chroot\n");
-                else if (arg_overlay)
-                        fwarning("private-cache feature is disabled in overlay\n");
-                else
-                        fs_private_cache();
+                EUID_USER();
+                profile_add("tmpfs ${HOME}/.cache");
+                EUID_ROOT();
         }
 #endif
 
@@ -1237,7 +1226,7 @@ int sandbox(void* sandbox_arg) {
                         set_nice(cfg.nice);
                 set_rlimits();
 
-                start_application(0, set_sandbox_status);
+                start_application(0, -1, set_sandbox_status);
         }
 
         munmap(set_sandbox_status, 1);
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 02befdc12..a3927cc88 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -36,6 +36,11 @@
 #define O_PATH 010000000
 #endif
 
+#include <sys/syscall.h>
+#ifdef __NR_openat2
+#include <linux/openat2.h>
+#endif
+
 #define MAX_GROUPS 1024
 #define MAXBUF 4098
 #define EMPTY_STRING ("")
@@ -70,10 +75,11 @@ static void clean_supplementary_groups(gid_t gid) {
                 goto clean_all;
 
         // clean supplementary group list
-        // allow only tty, audio, video, games
+        // allow only firejail, tty, audio, video, games
         gid_t new_groups[MAX_GROUPS];
         int new_ngroups = 0;
         char *allowed[] = {
+                "firejail",
                 "tty",
                 "audio",
                 "video",
@@ -1007,12 +1013,8 @@ int create_empty_dir_as_user(const char *dir, mode_t mode) {
                                 if (chmod(dir, mode) == -1)
                                         {;} // do nothing
                         }
-                        else if (arg_debug) {
-                                char *str;
-                                if (asprintf(&str, "Directory %s not created", dir) == -1)
-                                        errExit("asprintf");
-                                perror(str);
-                        }
+                        else if (arg_debug)
+                                printf("Directory %s not created: %s\n", dir, strerror(errno));
 #ifdef HAVE_GCOV
                         __gcov_flush();
 #endif
@@ -1157,46 +1159,57 @@ void disable_file_path(const char *path, const char *file) {
         free(fname);
 }
 
-// open file without following any symbolic link
-// returns a file descriptor on success, or -1 if a symlink is found
+// open an existing file without following any symbolic link
 int safe_fd(const char *path, int flags) {
+        flags |= O_NOFOLLOW;
         assert(path);
-        if (*path != '/')
-                goto errexit;
-        if (strstr(path, ".."))
-                goto errexit;
-
-        int parentfd = open("/", O_PATH|O_DIRECTORY|O_CLOEXEC);
-        if (parentfd == -1)
-                errExit("open");
+        if (*path != '/' || strstr(path, "..")) {
+                fprintf(stderr, "Error: invalid path %s\n", path);
+                exit(1);
+        }
         int fd = -1;
 
-        char *last_tok = EMPTY_STRING;
+#ifdef __NR_openat2 // kernel 5.6 or better
+        struct open_how oh;
+        memset(&oh, 0, sizeof(oh));
+        oh.flags = flags;
+        oh.resolve = RESOLVE_NO_SYMLINKS;
+        fd = syscall(__NR_openat2, -1, path, &oh, sizeof(struct open_how));
+        if (fd != -1 || errno != ENOSYS)
+                return fd;
+#endif
+
+        // openat2 syscall is not available, traverse path and
+        // check each component if it is a symbolic link or not
         char *dup = strdup(path);
         if (!dup)
                 errExit("strdup");
         char *tok = strtok(dup, "/");
         if (!tok) { // root directory
                 free(dup);
-                return parentfd;
+                return open("/", flags);
         }
+        char *last_tok = EMPTY_STRING;
+        int parentfd = open("/", O_PATH|O_CLOEXEC);
+        if (parentfd == -1)
+                errExit("open");
 
         while(1) {
-                // open the element, assuming it is a directory; this fails with ENOTDIR if it is a symbolic link
+                // open path component, assuming it is a directory; this fails with ENOTDIR if it is a symbolic link
                 // if token is a single dot, the previous directory is reopened
                 fd = openat(parentfd, tok, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
                 if (fd == -1) {
-                        // if the following token is NULL, the current token is the final path element
+                        // if the following token is NULL, the current token is the final path component
                         // try again to open it, this time using the passed flags, and return -1 or the descriptor
                         last_tok = tok;
                         tok = strtok(NULL, "/");
                         if (!tok)
-                                fd = openat(parentfd, last_tok, flags|O_NOFOLLOW);
+                                fd = openat(parentfd, last_tok, flags);
                         close(parentfd);
                         free(dup);
-                        return fd; // -1 if open failed
+                        return fd;
                 }
-                // move on to next path segment
+                // move on to next path component
                 last_tok = tok;
                 tok = strtok(NULL, "/");
                 if (!tok)
@@ -1204,18 +1217,13 @@ int safe_fd(const char *path, int flags) {
                 close(parentfd);
                 parentfd = fd;
         }
-
-        // we are here because the last path element exists and is of file type directory
+        // getting here when the last path component exists and is of file type directory
         // reopen it using the passed flags
         close(fd);
-        fd = openat(parentfd, last_tok, flags|O_NOFOLLOW);
+        fd = openat(parentfd, last_tok, flags);
         close(parentfd);
         free(dup);
-        return fd; // -1 if open failed
-
-errexit:
-        fprintf(stderr, "Error: cannot open \"%s\": invalid path\n", path);
-        exit(1);
+        return fd;
 }
 
 int has_handler(pid_t pid, int signal) {
@@ -1321,7 +1329,7 @@ static int has_link(const char *dir) {
         assert(dir);
         int fd = safe_fd(dir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
         if (fd == -1) {
-                if (errno == ENOTDIR && is_dir(dir))
+                if ((errno == ELOOP || errno == ENOTDIR) && is_dir(dir))
                         return 1;
         }
         else
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index e10abad4e..4872a5207 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -1368,7 +1368,7 @@ void fs_x11(void) {
 void x11_block(void) {
 #ifdef HAVE_X11
         // check abstract socket presence and network namespace options
-        if ((!arg_nonetwork && !cfg.bridge0.configured && !cfg.interface0.configured)
+        if ((!arg_nonetwork && !arg_netns && !cfg.bridge0.configured && !cfg.interface0.configured)
         && x11_abstract_sockets_present()) {
                 fprintf(stderr, "ERROR: --x11=none specified, but abstract X11 socket still accessible.\n"
                         "Additional setup required. To block abstract X11 socket you can either:\n"
diff --git a/src/include/common.h b/src/include/common.h
index 2fa61cc91..5df51c5a9 100644
--- a/src/include/common.h
+++ b/src/include/common.h
@@ -118,21 +118,6 @@ static inline int mac_not_zero(const unsigned char mac[6]) {
         return 0;
 }
 
-// rtdsc timestamp on x86-64/amd64  processors
-static inline unsigned long long getticks(void) {
-#if defined(__x86_64__)
-        unsigned a, d;
-        asm volatile("rdtsc" : "=a" (a), "=d" (d));
-        return ((unsigned long long)a) | (((unsigned long long)d) << 32);
-#elif defined(__i386__)
-        unsigned long long ret;
-        __asm__ __volatile__("rdtsc" : "=A" (ret));
-        return ret;
-#else
-        return 0; // not implemented
-#endif
-}
-
 void timetrace_start(void);
 float timetrace_end(void);
 int join_namespace(pid_t pid, char *type);
diff --git a/src/lib/common.c b/src/lib/common.c
index 1fd317d4f..823442835 100644
--- a/src/lib/common.c
+++ b/src/lib/common.c
@@ -30,6 +30,7 @@
 #include <signal.h>
 #include <dirent.h>
 #include <string.h>
+#include <time.h>
 #include "../include/common.h"
 #define BUFLEN 4096
 
@@ -277,7 +278,7 @@ int pid_hidepid(void) {
                 if (strstr(buf, "proc /proc proc")) {
                         fclose(fp);
                         // check hidepid
-                        if (strstr(buf, "hidepid=2") || strstr(buf, "hidepid=1"))
+                        if (strstr(buf, "hidepid="))
                                 return 1;
                         return 0;
                 }
@@ -290,38 +291,42 @@ int pid_hidepid(void) {
 //**************************
 // time trace based on getticks function
 //**************************
-static int tt_not_implemented = 0; // not implemented for the current architecture
-static unsigned long long tt_1ms = 0;
-static unsigned long long tt = 0;       // start time
+typedef struct list_entry_t {
+        struct list_entry_t *next;
+        struct timespec ts;
+} ListEntry;
 
-void timetrace_start(void) {
-        if (tt_not_implemented)
-                return;
-        unsigned long long t1 = getticks();
-        if (t1 == 0) {
-                tt_not_implemented = 1;
-                return;
-        }
+static ListEntry *ts_list = NULL;
 
-        if (tt_1ms == 0) {
-                usleep(1000);   // sleep 1 ms
-                unsigned long long t2 = getticks();
-                tt_1ms = t2 - t1;
-                if (tt_1ms == 0) {
-                        tt_not_implemented = 1;
-                        return;
-                }
-        }
+static inline float msdelta(struct timespec *start, struct timespec *end) {
+        unsigned sec = end->tv_sec - start->tv_sec;
+        long nsec = end->tv_nsec - start->tv_nsec;
+        return (float) sec * 1000 + (float) nsec / 1000000;
+}
 
-        tt = getticks();
+void timetrace_start(void) {
+        ListEntry *t = malloc(sizeof(ListEntry));
+        if (!t)
+                errExit("malloc");
+        memset(t, 0, sizeof(ListEntry));
+        clock_gettime(CLOCK_MONOTONIC, &t->ts);
+
+        // add it to the list
+        t->next = ts_list;
+        ts_list = t;
 }
 
 float timetrace_end(void) {
-        if (tt_not_implemented)
+        if (!ts_list)
                 return 0;
 
-        unsigned long long delta = getticks() - tt;
-        assert(tt_1ms);
+        // remove start time  from the list
+        ListEntry *t = ts_list;
+        ts_list = t->next;
 
-        return (float) delta / (float) tt_1ms;
+        struct timespec end;
+        clock_gettime(CLOCK_MONOTONIC, &end);
+        float rv = msdelta(&t->ts, &end);
+        free(t);
+        return rv;
 }
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 8c73962fb..347e2b31b 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -76,10 +76,10 @@ If an appropriate profile is not found, Firejail will use a default profile.
 The default profile is quite restrictive. In case the application doesn't work, use --noprofile option
 to disable it. For more information, please see \fBSECURITY PROFILES\fR section below.
 .PP
-If a program argument is not specified, Firejail starts /bin/bash shell.
+If a program argument is not specified, Firejail starts the user's preferred shell.
 Examples:
 .PP
-$ firejail [OPTIONS]                # starting a /bin/bash shell
+$ firejail [OPTIONS]                # starting the program specified in $SHELL, usually /bin/bash
 .PP
 $ firejail [OPTIONS] firefox        # starting Mozilla Firefox
 .PP
@@ -1558,7 +1558,7 @@ Parent pid 8553, child pid 8554
 Child process initialized
 .br
 [...]
-#if HAVE_USERNS
+#ifdef HAVE_USERNS
 .TP
 \fB\-\-noroot
 Install a user namespace with a single user - the current user.
@@ -2476,7 +2476,7 @@ $ firejail \-\-shell=none script.sh
 \fB\-\-shell=program
 Set default user shell. Use this shell to run the application using \-c shell option.
 For example "firejail \-\-shell=/bin/dash firefox" will start Mozilla Firefox as "/bin/dash \-c firefox".
-By default Bash shell (/bin/bash) is used.
+By default the user's preferred shell is used.
 .br
 
 .br
@@ -3023,7 +3023,7 @@ We provide a tool that automates all this integration, please see \&\flfirecfg\f
 .SH EXAMPLES
 .TP
 \f\firejail
-Sandbox a regular /bin/bash session.
+Sandbox a regular shell session.
 .TP
 \f\firejail firefox
 Start Mozilla Firefox.
@@ -3043,7 +3043,7 @@ Start Firefox in a new network namespace. An IP address is
 assigned automatically.
 .TP
 \f\firejail \-\-net=br0 \-\-ip=10.10.20.5 \-\-net=br1 \-\-net=br2
-Start a /bin/bash session in a new network namespace and connect it
+Start a shell session in a new network namespace and connect it
 to br0, br1, and br2 host bridge devices. IP addresses are assigned
 automatically for the interfaces connected to br1 and b2
 #endif
diff --git a/src/man/preproc.awk b/src/man/preproc.awk
index 20081b551..1471be3ec 100755
--- a/src/man/preproc.awk
+++ b/src/man/preproc.awk
@@ -23,7 +23,7 @@
 BEGIN {
         macros[0] = 0
         for (arg in ARGV) {
-                if (ARGV[arg] ~ /^-D[A-Z_]+$/) {
+                if (ARGV[arg] ~ /^-D[A-Z0-9_]+$/) {
                         macros[length(macros) + 1] = substr(ARGV[arg], 3)
                 }
                 ARGV[arg] = ""
@@ -31,7 +31,7 @@ BEGIN {
 
         include = 1
 }
-/^#ifdef [A-Z_]+$/ {
+/^#ifdef [A-Z0-9_]+$/ {
         macro = substr($0, 8)
         for (i in macros) {
                 if (macros[i] == macro) {
diff --git a/test/fs/fscheck-tmpfs.exp b/test/fs/fscheck-tmpfs.exp
index ebd3eeb9c..818549fe2 100755
--- a/test/fs/fscheck-tmpfs.exp
+++ b/test/fs/fscheck-tmpfs.exp
@@ -7,12 +7,49 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-# ..
-send -- "firejail --tmpfs=fscheck-dir\r"
+send -- "mkdir -p ~/fjtest-dir/fjtest-dir\r"
+after 100
+send -- "mkdir /tmp/fjtest-dir\r"
+after 100
+
+if { ! [file exists ~/fjtest-dir/fjtest-dir] } {
+        puts "TESTING ERROR 1\n"
+        exit
+}
+if { ! [file exists /tmp/fjtest-dir] } {
+        puts "TESTING ERROR 2\n"
+        exit
+}
+
+send -- "firejail --noprofile --tmpfs=~/fjtest-dir\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "Child process initialized"
+}
+after 500
+
+send -- "ls ~/fjtest-dir/fjtest-dir\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "No such file or directory"
+}
+after 500
+
+send -- "exit\r"
+after 500
+
+send -- "firejail --noprofile --tmpfs=/tmp/fjtest-dir\r"
 expect {
-        timeout {puts "TESTING ERROR 0.1\n";exit}
+        timeout {puts "TESTING ERROR 5\n";exit}
         "Error"
 }
+after 500
+
+# cleanup
+send -- "rm -fr ~/fjtest-dir\r"
 after 100
+send -- "rm -fr /tmp/fjtest-dir\r"
+after 100
+
 
 puts "\nall done\n"
diff --git a/test/fs/private-cache.exp b/test/fs/private-cache.exp
index 0597e8921..6e4c6bd1b 100755
--- a/test/fs/private-cache.exp
+++ b/test/fs/private-cache.exp
@@ -7,16 +7,17 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-if {[file exists ~/.cache]} {
-        puts "found .cache directory\n"
-} else {
-        send -- "mkdir --mode=755 ~/.cache\r"
-}
+send -- "mkdir --mode=700 ~/.cache\r"
 after 100
 
 send -- "touch ~/.cache/abcdefg\r"
 after 100
 
+if { ! [file exists ~/.cache/abcdefg] } {
+        puts "TESTING ERROR 0\n"
+        exit
+}
+
 send -- "firejail --noprofile --private-cache\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
@@ -34,23 +35,8 @@ after 100
 send -- "exit\r"
 sleep 1
 
-send -- "rm -v ~/.cache/abcdefg\r"
-expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
-        "removed"
-}
+# cleanup
+send -- "rm ~/.cache/abcdefg\r"
 after 100
 
-# redo the test with --private
-
-send -- "firejail --noprofile --private --private-cache\r"
-expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
-        "Warning"
-}
-sleep 1
-
-send -- "exit\r"
-sleep 1
-
 puts "\nall done\n"
diff --git a/test/profiles/profiles.sh b/test/profiles/profiles.sh
index 75d961eb1..2d7d2a966 100755
--- a/test/profiles/profiles.sh
+++ b/test/profiles/profiles.sh
@@ -40,7 +40,7 @@ if [ -d "/run/user/$UID" ]; then
         PROFILES=`ls /etc/firejail/*.profile`
         echo "TESTING: default profiles installed in /etc"
 else
-        PROFILES=`ls /etc/firejail/fi*.profile /etc/firejail/fl*.profile /etc/firejail/free*.profile`
+        PROFILES=`ls /etc/firejail/transmission*.profile /etc/firejail/fi*.profile /etc/firejail/fl*.profile /etc/firejail/free*.profile`
         echo "TESTING: small number of default profiles installed in /etc"
 fi