116 files changed, 856 insertions, 132 deletions

diff --git a/.gitignore b/.gitignore
index 9995da44c..661370b02 100644
--- a/.gitignore
+++ b/.gitignore
@@ -33,6 +33,7 @@ src/fsec-optimize/fsec-optimize
 src/fcopy/fcopy
 src/fldd/fldd
 src/fbuilder/fbuilder
+etc/profstats
 uids.h
 seccomp
 seccomp.debug
diff --git a/Makefile.in b/Makefile.in
index 0285d8592..f7c94aa09 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -1,6 +1,7 @@
 all: apps man filters
 MYLIBS = src/lib
-APPS = src/firejail src/firemon src/fsec-print src/fsec-optimize src/firecfg src/fnetfilter src/libtrace src/libtracelog src/ftee src/faudit src/fnet src/fseccomp src/fbuilder src/fcopy src/fldd src/libpostexecseccomp
+APPS = src/firejail src/firemon src/fsec-print src/fsec-optimize src/firecfg src/fnetfilter src/libtrace src/libtracelog src/ftee \
+src/faudit src/fnet src/fseccomp src/fbuilder src/fcopy src/fldd src/libpostexecseccomp src/profstats
 MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5
 SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx
 
diff --git a/README.md b/README.md
index bc2708041..374d6f456 100644
--- a/README.md
+++ b/README.md
@@ -149,6 +149,31 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe
 
 ## Current development version: 0.9.63
 
+### Profile Statistics
+
+A small tool to print profile statistics. Compile as usual and run:
+`````
+$ make
+$ cd etc
+$ ./profstats *.profile
+Stats:
+    profiles                    925
+    include local profile       925   (include profile-name.local)
+    include globals             925   (include globals.local)
+    blacklist ~/.ssh            910   (include disable-common.inc)
+    seccomp                     868
+    capabilities                924
+    noexec                      785   (include disable-exec.inc)
+    apparmor                    426
+    private-dev                 788
+    private-tmp                 687
+    whitelist var directory     595   (include whitelist-var-common.inc)
+    net none                    274
+`````
+
+Run ./profstats -h for help.
+
 ### New profiles:
 
-gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, gnome-passwordsafe, bibtex, gummi, latex, pdflatex, tex, wpp, wpspdf, wps, et, multimc, gnome-hexgl, com.github.johnfactotum.Foliate, desktopeditors, impressive, mupdf-gl, mupdf-x11, mupdf-x11-curl, muraster, mutool, planmaker18, planmaker18free, presentations18, presentations18free, textmaker18, textmaker18free, teams, xournal
+gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, gnome-passwordsafe, bibtex, gummi, latex, pdflatex, tex, wpp, wpspdf, wps, et, multimc, gnome-hexgl, com.github.johnfactotum.Foliate, desktopeditors, impressive, mupdf-gl, mupdf-x11, mupdf-x11-curl, muraster, mutool, planmaker18, planmaker18free, presentations18, presentations18free, textmaker18, textmaker18free, teams, xournal,
+gnome-screenshot, ripperX, sound-juicer
diff --git a/RELNOTES b/RELNOTES
index df0e3ec85..afd6bdbbd 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -2,13 +2,14 @@ firejail (0.9.63) baseline; urgency=low
   * work in progress
   * DHCP client support
   * SELinux labeling support
+  * new condition: HAS_NOSOUND
   * new profiles: gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, muraster
   * new profiles: gnome-passwordsafe, bibtex, gummi, latex, mupdf-x11-curl
   * new profiles: pdflatex, tex, wpp, wpspdf, wps, et, multimc, mupdf-x11
   * new profiles: gnome-hexgl, com.github.johnfactotum.Foliate, mupdf-gl, mutool
   * new profiles: desktopeditors, impressive, planmaker18, planmaker18free
   * new profiles: presentations18, presentations18free, textmaker18, teams
-  * new profiles: textmaker18free, xournal
+  * new profiles: textmaker18free, xournal, gnome-screenshot
 
 firejail (0.9.62) baseline; urgency=low
   * added file-copy-limit in /etc/firejail/firejail.config
diff --git a/configure b/configure
index 53ea8f19d..f587bb25e 100755
--- a/configure
+++ b/configure
@@ -683,6 +683,7 @@ infodir
 docdir
 oldincludedir
 includedir
+runstatedir
 localstatedir
 sharedstatedir
 sysconfdir
@@ -776,6 +777,7 @@ datadir='${datarootdir}'
 sysconfdir='${prefix}/etc'
 sharedstatedir='${prefix}/com'
 localstatedir='${prefix}/var'
+runstatedir='${localstatedir}/run'
 includedir='${prefix}/include'
 oldincludedir='/usr/include'
 docdir='${datarootdir}/doc/${PACKAGE_TARNAME}'
@@ -1028,6 +1030,15 @@ do
   | -silent | --silent | --silen | --sile | --sil)
     silent=yes ;;
 
+  -runstatedir | --runstatedir | --runstatedi | --runstated \
+  | --runstate | --runstat | --runsta | --runst | --runs \
+  | --run | --ru | --r)
+    ac_prev=runstatedir ;;
+  -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \
+  | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \
+  | --run=* | --ru=* | --r=*)
+    runstatedir=$ac_optarg ;;
+
   -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb)
     ac_prev=sbindir ;;
   -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \
@@ -1165,7 +1176,7 @@ fi
 for ac_var in   exec_prefix prefix bindir sbindir libexecdir datarootdir \
                 datadir sysconfdir sharedstatedir localstatedir includedir \
                 oldincludedir docdir infodir htmldir dvidir pdfdir psdir \
-                libdir localedir mandir
+                libdir localedir mandir runstatedir
 do
   eval ac_val=\$$ac_var
   # Remove trailing slashes.
@@ -1318,6 +1329,7 @@ Fine tuning of the installation directories:
   --sysconfdir=DIR        read-only single-machine data [PREFIX/etc]
   --sharedstatedir=DIR    modifiable architecture-independent data [PREFIX/com]
   --localstatedir=DIR     modifiable single-machine data [PREFIX/var]
+  --runstatedir=DIR       modifiable per-process data [LOCALSTATEDIR/run]
   --libdir=DIR            object code libraries [EPREFIX/lib]
   --includedir=DIR        C header files [PREFIX/include]
   --oldincludedir=DIR     C header files for non-gcc [/usr/include]
@@ -4174,7 +4186,7 @@ if test "$prefix" = /usr; then
         test "$sysconfdir" = '${prefix}/etc' && sysconfdir="/etc"
 fi
 
-ac_config_files="$ac_config_files Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile"
+ac_config_files="$ac_config_files Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile src/profstats/Makefile"
 
 cat >confcache <<\_ACEOF
 # This file is a shell script that caches the results of configure
@@ -4902,6 +4914,7 @@ do
     "src/fldd/Makefile") CONFIG_FILES="$CONFIG_FILES src/fldd/Makefile" ;;
     "src/libpostexecseccomp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libpostexecseccomp/Makefile" ;;
     "src/fsec-optimize/Makefile") CONFIG_FILES="$CONFIG_FILES src/fsec-optimize/Makefile" ;;
+    "src/profstats/Makefile") CONFIG_FILES="$CONFIG_FILES src/profstats/Makefile" ;;
 
   *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;;
   esac
diff --git a/configure.ac b/configure.ac
index 3c9f901cb..8cf170c80 100644
--- a/configure.ac
+++ b/configure.ac
@@ -206,7 +206,8 @@ fi
 
 AC_OUTPUT(Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile \
 src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile \
-src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile)
+src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile \
+src/profstats/Makefile)
 
 echo
 echo "Configuration options:"
diff --git a/etc/2048-qt.profile b/etc/2048-qt.profile
index 2347039a6..12268706a 100644
--- a/etc/2048-qt.profile
+++ b/etc/2048-qt.profile
@@ -23,8 +23,9 @@ whitelist ${HOME}/.config/xiaoyong
 include whitelist-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
-netfilter
+net none
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/Screenshot.profile b/etc/Screenshot.profile
new file mode 100644
index 000000000..d4b083736
--- /dev/null
+++ b/etc/Screenshot.profile
@@ -0,0 +1,6 @@
+# Firejail profile for gnome-screenshot
+# This file is overwritten after every install/update
+
+# Temporary fix for https://github.com/netblue30/firejail/issues/2624
+# Redirect
+include gnome-screenshot.profile
diff --git a/etc/Viber.profile b/etc/Viber.profile
index 925e130de..3195e39fa 100644
--- a/etc/Viber.profile
+++ b/etc/Viber.profile
@@ -6,6 +6,7 @@ include Viber.local
 include globals.local
 
 noblacklist ${HOME}/.ViberPC
+noblacklist ${PATH}/dig
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/asunder.profile b/etc/asunder.profile
index 1f3acd735..fceac7cf9 100644
--- a/etc/asunder.profile
+++ b/etc/asunder.profile
@@ -20,21 +20,25 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 apparmor
 caps.drop all
 netfilter
+no3d
 nodbus
 # nogroups
 nonewprivs
 noroot
 nou2f
+notv
 novideo
 protocol unix,inet,inet6
 seccomp
 shell none
 
+private-cache
 private-dev
 private-tmp
 
diff --git a/etc/atool.profile b/etc/atool.profile
index 0250451fc..ff3c81a80 100644
--- a/etc/atool.profile
+++ b/etc/atool.profile
@@ -25,7 +25,6 @@ hostname atool
 ipc-namespace
 machine-id
 net none
-netfilter
 no3d
 nodvd
 nodbus
diff --git a/etc/baobab.profile b/etc/baobab.profile
index 18c862a4d..d87de9d66 100644
--- a/etc/baobab.profile
+++ b/etc/baobab.profile
@@ -29,6 +29,7 @@ novideo
 protocol unix
 seccomp
 shell none
+tracelog
 
 private-bin baobab
 private-dev
diff --git a/etc/bluefish.profile b/etc/bluefish.profile
index 412088ba9..a85840d2f 100644
--- a/etc/bluefish.profile
+++ b/etc/bluefish.profile
@@ -15,6 +15,7 @@ include disable-programs.inc
 
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 net none
 no3d
diff --git a/etc/brasero.profile b/etc/brasero.profile
index 67fc07afb..417a6b3e0 100644
--- a/etc/brasero.profile
+++ b/etc/brasero.profile
@@ -15,6 +15,9 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-var-common.inc
+
+apparmor
 caps.drop all
 net none
 nogroups
diff --git a/etc/calibre.profile b/etc/calibre.profile
index ad6f0aa0d..d17cfa85f 100644
--- a/etc/calibre.profile
+++ b/etc/calibre.profile
@@ -19,6 +19,7 @@ include disable-xdg.inc
 
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 netfilter
 nodvd
diff --git a/etc/catfish.profile b/etc/catfish.profile
index c6c2d7e8a..577391c5d 100644
--- a/etc/catfish.profile
+++ b/etc/catfish.profile
@@ -24,6 +24,7 @@ include disable-passwdmgr.inc
 whitelist /var/lib/mlocate
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 net none
 no3d
diff --git a/etc/curl.profile b/etc/curl.profile
index 3f93e5f7e..a720aca9b 100644
--- a/etc/curl.profile
+++ b/etc/curl.profile
@@ -19,7 +19,9 @@ include disable-programs.inc
 #include disable-xdg.inc
 
 include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 ipc-namespace
 machine-id
diff --git a/etc/default.profile b/etc/default.profile
index 95a6e8095..7731b6e00 100644
--- a/etc/default.profile
+++ b/etc/default.profile
@@ -16,6 +16,11 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 # include disable-xdg.inc
 
+# include whitelist-common.inc
+# include whitelist-usr-share-common.inc
+# include whitelist-runuser-common.inc
+# include whitelist-var-common.inc
+
 # apparmor
 caps.drop all
 # ipc-namespace
@@ -42,8 +47,11 @@ seccomp
 # private-bin program
 # private-cache
 # private-dev
-# private-etc alternatives
+# see /usr/share/doc/firejail/profile.template for more common private-etc paths.
+# private-etc alternatives,fonts,machine-id
 # private-lib
+# private-opt none
 # private-tmp
 
 # memory-deny-write-execute
+# read-only ${HOME}
diff --git a/etc/deluge.profile b/etc/deluge.profile
index 8f4f9fbe9..17c5059f5 100644
--- a/etc/deluge.profile
+++ b/etc/deluge.profile
@@ -14,6 +14,7 @@ include allow-python3.inc
 
 include disable-common.inc
 # include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -24,6 +25,7 @@ whitelist ${HOME}/.config/deluge
 include whitelist-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 machine-id
 netfilter
diff --git a/etc/dia.profile b/etc/dia.profile
index bd79797b7..3a8651e2e 100644
--- a/etc/dia.profile
+++ b/etc/dia.profile
@@ -19,6 +19,9 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+include whitelist-var-common.inc
+
+apparmor
 caps.drop all
 net none
 no3d
diff --git a/etc/dig.profile b/etc/dig.profile
index 054e4891d..e6b7e46d9 100644
--- a/etc/dig.profile
+++ b/etc/dig.profile
@@ -8,6 +8,7 @@ include dig.local
 include globals.local
 
 noblacklist ${HOME}/.digrc
+noblacklist ${PATH}/dig
 
 blacklist /tmp/.X11-unix
 
@@ -25,6 +26,7 @@ include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 ipc-namespace
 machine-id
@@ -47,7 +49,6 @@ tracelog
 disable-mnt
 private
 private-bin bash,dig,sh
-private-cache
 private-dev
 # Uncomment the next line (or put 'private-lib' in your dig.local) on non Debian/Ubuntu OS (see issue #3038)
 #private-lib
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index bf29cd137..815e4b13d 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -444,7 +444,14 @@ blacklist /.snapshots
 
 # flatpak
 blacklist ${HOME}/.config/flatpak
-blacklist ${HOME}/.local/share/flatpak
+blacklist ${HOME}/.local/share/flatpak/app
+blacklist ${HOME}/.local/share/flatpak/appstream
+blacklist ${HOME}/.local/share/flatpak/db
+read-only ${HOME}/.local/share/flatpak/exports
+blacklist ${HOME}/.local/share/flatpak/oci
+blacklist ${HOME}/.local/share/flatpak/overrides
+blacklist ${HOME}/.local/share/flatpak/repo
+blacklist ${HOME}/.local/share/flatpak/runtime
 blacklist ${HOME}/.var
 blacklist /usr/share/flatpak
 blacklist /var/lib/flatpak
@@ -462,3 +469,16 @@ blacklist ${HOME}/sent
 
 # kernel configuration
 blacklist /proc/config.gz
+
+# prevent DNS malware attempting to communicate with the server
+# using regular DNS tools
+blacklist ${PATH}/dig
+blacklist ${PATH}/kdig
+blacklist ${PATH}/nslookup
+blacklist ${PATH}/host
+blacklist ${PATH}/dlint
+blacklist ${PATH}/dnswalk
+blacklist ${PATH}/dns2tcp
+blacklist ${PATH}/iodine
+blacklist ${PATH}/knsupdate
+blacklist ${PATH}/resolvectl
diff --git a/etc/disable-devel.inc b/etc/disable-devel.inc
index 59df9fb0f..e1ba13380 100644
--- a/etc/disable-devel.inc
+++ b/etc/disable-devel.inc
@@ -26,7 +26,6 @@ blacklist ${PATH}/*-gcc*
 blacklist ${PATH}/*-g++*
 blacklist ${PATH}/*-gcc*
 blacklist ${PATH}/*-g++*
-blacklist /usr/include
 # seems to create problems on Gentoo
 #blacklist /usr/lib/gcc
 
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index db257c1b6..b54c1cce3 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -305,6 +305,7 @@ blacklist ${HOME}/.config/slimjet
 blacklist ${HOME}/.config/smplayer
 blacklist ${HOME}/.config/smtube
 blacklist ${HOME}/.config/snox
+blacklist ${HOME}/.config/sound-juicer
 blacklist ${HOME}/.config/specialmailcollectionsrc
 blacklist ${HOME}/.config/spotify
 blacklist ${HOME}/.config/sqlitebrowser
@@ -650,6 +651,7 @@ blacklist ${HOME}/.remmina
 blacklist ${HOME}/.repo_.gitconfig.json
 blacklist ${HOME}/.repoconfig
 blacklist ${HOME}/.retroshare
+blacklist ${HOME}/.ripperXrc
 blacklist ${HOME}/.scorched3d
 blacklist ${HOME}/.scribus
 blacklist ${HOME}/.scribusrc
@@ -759,6 +761,7 @@ blacklist ${HOME}/.cache/gfeeds
 blacklist ${HOME}/.cache/gimp
 blacklist ${HOME}/.cache/gnome-builder
 blacklist ${HOME}/.cache/gnome-recipes
+blacklist ${HOME}/.cache/gnome-screenshot
 blacklist ${HOME}/.cache/gnome-twitch
 blacklist ${HOME}/.cache/godot
 blacklist ${HOME}/.cache/google-chrome
diff --git a/etc/discord-common.profile b/etc/discord-common.profile
index a6e730937..43e8d5cd7 100644
--- a/etc/discord-common.profile
+++ b/etc/discord-common.profile
@@ -6,8 +6,11 @@ include discord-common.local
 # added by caller profile
 #include globals.local
 
+ignore noexec ${HOME}
+
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
@@ -25,11 +28,9 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6,netlink
-seccomp
+seccomp !chroot
 
-private-bin bash,cut,echo,egrep,grep,head,sed,sh,tr,xdg-mime,xdg-open,zsh
+private-bin bash,cut,echo,egrep,grep,head,sed,sh,tclsh,tr,xdg-mime,xdg-open,zsh
 private-dev
 private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,login.defs,machine-id,password,pki,resolv.conf,ssl
 private-tmp
-
-noexec /tmp
diff --git a/etc/fbreader.profile b/etc/fbreader.profile
index 701f14dce..af670cee2 100644
--- a/etc/fbreader.profile
+++ b/etc/fbreader.profile
@@ -11,6 +11,7 @@ noblacklist ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -18,8 +19,9 @@ include disable-xdg.inc
 
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
-netfilter
+net none
 nodvd
 nonewprivs
 noroot
diff --git a/etc/file-roller.profile b/etc/file-roller.profile
index 253b82cfe..9d84f07de 100644
--- a/etc/file-roller.profile
+++ b/etc/file-roller.profile
@@ -36,7 +36,7 @@ seccomp
 shell none
 tracelog
 
-private-bin 7z,7za,7zr,ar,arj,brotli,bzip2,compress,cpio,dpkg-deb,file-roller,gtar,gzip,isoinfo,lha,lrzip,lsar,lz4,lzip,lzma,lzop,rar,rzip,tar,unace,unalz,unar,uncompress,unrar,unsquashfs,unstuff,unzip,xz,zip,zoo
+private-bin 7z,7za,7zr,ar,arj,bash,brotli,bzip2,compress,cpio,dpkg-deb,file-roller,gtar,gzip,isoinfo,lha,lrzip,lsar,lz4,lzip,lzma,lzop,p7zip,rar,rzip,sh,tar,unace,unalz,unar,uncompress,unrar,unsquashfs,unstuff,unzip,xz,zip,zoo
 private-cache
 private-dev
 private-etc dconf,fonts,gtk-3.0,xdg
diff --git a/etc/file.profile b/etc/file.profile
index 9b21818f8..82b161d48 100644
--- a/etc/file.profile
+++ b/etc/file.profile
@@ -38,8 +38,8 @@ x11 none
 #private-bin bzip2,file,gzip,lrzip,lz4,lzip,xz,zstd
 private-cache
 private-dev
-private-etc alternatives,localtime,magic,magic.mgc
-private-lib file,libarchive.so.*,libfakeroot,libmagic.so.*
+#private-etc alternatives,localtime,magic,magic.mgc
+#private-lib file,libarchive.so.*,libfakeroot,libmagic.so.*,libseccomp.so.*
 
 memory-deny-write-execute
 read-only ${HOME}
diff --git a/etc/firejail-default b/etc/firejail-default
index 763b838d3..e68e51c63 100644
--- a/etc/firejail-default
+++ b/etc/firejail-default
@@ -65,6 +65,8 @@ owner /proc/@{PID}/{uid_map,gid_map,setgroups} w,
 
 # Needed for electron apps
 /proc/@{PID}/comm w,
+# Needed for nslookup, dig, host
+/proc/@{PID}/task/@{PID}/comm w,
 
 # Used by chromium
 owner /proc/@{PID}/oom_score_adj w,
diff --git a/etc/freeciv.profile b/etc/freeciv.profile
index fa115d325..379c5eca9 100644
--- a/etc/freeciv.profile
+++ b/etc/freeciv.profile
@@ -21,6 +21,7 @@ whitelist ${HOME}/.freeciv
 include whitelist-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 ipc-namespace
 netfilter
diff --git a/etc/freeoffice-planmaker.profile b/etc/freeoffice-planmaker.profile
index b6ca167eb..9449e7c48 100644
--- a/etc/freeoffice-planmaker.profile
+++ b/etc/freeoffice-planmaker.profile
@@ -7,4 +7,4 @@ include freeoffice-planmaker.local
 include globals.local
 
 # Redirect
-include softmaker-common.profile
+include softmaker-common.inc
diff --git a/etc/freeoffice-presentations.profile b/etc/freeoffice-presentations.profile
index 43661028c..636868e2e 100644
--- a/etc/freeoffice-presentations.profile
+++ b/etc/freeoffice-presentations.profile
@@ -7,4 +7,4 @@ include freeoffice-presentations.local
 include globals.local
 
 # Redirect
-include softmaker-common.profile
+include softmaker-common.inc
diff --git a/etc/freeoffice-textmaker.profile b/etc/freeoffice-textmaker.profile
index f7d30eaed..5d98d1cc6 100644
--- a/etc/freeoffice-textmaker.profile
+++ b/etc/freeoffice-textmaker.profile
@@ -6,4 +6,4 @@ include freeoffice-textmaker.local
 include globals.local
 
 # Redirect
-include softmaker-common.profile
+include softmaker-common.inc
diff --git a/etc/frozen-bubble.profile b/etc/frozen-bubble.profile
index 6cef181c8..c089d2e35 100644
--- a/etc/frozen-bubble.profile
+++ b/etc/frozen-bubble.profile
@@ -13,6 +13,7 @@ include allow-perl.inc
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -22,6 +23,7 @@ whitelist ${HOME}/.frozen-bubble
 include whitelist-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 net none
 nodbus
diff --git a/etc/gitg.profile b/etc/gitg.profile
index 56f8e136f..3c6f9d72f 100644
--- a/etc/gitg.profile
+++ b/etc/gitg.profile
@@ -19,6 +19,14 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+#whitelist ${HOME}/YOUR_GIT_PROJECTS_DIRECTORY
+#whitelist ${HOME}/.config/git
+#whitelist ${HOME}/.gitconfig
+#whitelist ${HOME}/.git-credentials
+#whitelist ${HOME}/.local/share/gitg
+#whitelist ${HOME}/.ssh
+#include whitelist-common.inc
+
 whitelist /usr/share/gitg
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/gnome-maps.profile b/etc/gnome-maps.profile
index 62350b862..12415a937 100644
--- a/etc/gnome-maps.profile
+++ b/etc/gnome-maps.profile
@@ -13,7 +13,6 @@ include globals.local
 
 noblacklist ${HOME}/.cache/champlain
 noblacklist ${HOME}/.cache/org.gnome.Maps
-noblacklist ${HOME}/.local/share/flatpak
 noblacklist ${HOME}/.local/share/maps-places.json
 
 # Allow gjs (blacklisted by disable-interpreters.inc)
diff --git a/etc/gnome-screenshot.profile b/etc/gnome-screenshot.profile
new file mode 100644
index 000000000..c00aefdb7
--- /dev/null
+++ b/etc/gnome-screenshot.profile
@@ -0,0 +1,47 @@
+# Firejail profile for gnome-screenshot
+# Description: GNOME screenshot tool
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-screenshot.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${PICTURES}
+noblacklist ${HOME}/.cache/gnome-screenshot
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist ${RUNUSER}/bus
+whitelist ${RUNUSER}/pulse
+whitelist ${RUNUSER}/gdm/Xauthority
+whitelist ${RUNUSER}/wayland-0
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin gnome-screenshot
+private-dev
+private-etc dconf,fonts,gtk-3.0,localtime,machine-id
+private-tmp
diff --git a/etc/gnome-sound-recorder.profile b/etc/gnome-sound-recorder.profile
index 7f8fc8a0c..a64ec25a9 100644
--- a/etc/gnome-sound-recorder.profile
+++ b/etc/gnome-sound-recorder.profile
@@ -7,7 +7,6 @@ include gnome-sound-recorder.local
 include globals.local
 
 noblacklist ${MUSIC}
-noblacklist ${HOME}/.local/share/flatpak
 noblacklist ${HOME}/.local/share/Trash
 
 # Allow gjs (blacklisted by disable-interpreters.inc)
diff --git a/etc/handbrake.profile b/etc/handbrake.profile
index 324c629e3..add3f407c 100644
--- a/etc/handbrake.profile
+++ b/etc/handbrake.profile
@@ -22,7 +22,7 @@ include whitelist-var-common.inc
 
 apparmor
 caps.drop all
-netfilter
+net none
 nodbus
 nogroups
 nonewprivs
diff --git a/etc/host.profile b/etc/host.profile
new file mode 100644
index 000000000..51b372361
--- /dev/null
+++ b/etc/host.profile
@@ -0,0 +1,49 @@
+# Firejail profile for host
+# Description: DNS lookup utility
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include host.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${PATH}/host
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private
+private-bin bash,host,sh
+private-dev
+private-tmp
+
+memory-deny-write-execute
diff --git a/etc/kino.profile b/etc/kino.profile
index 9e8d61391..b3ade0dd9 100644
--- a/etc/kino.profile
+++ b/etc/kino.profile
@@ -16,6 +16,9 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-var-common.inc
+
+apparmor
 caps.drop all
 netfilter
 nogroups
diff --git a/etc/leafpad.profile b/etc/leafpad.profile
index 56a792c8e..c456541aa 100644
--- a/etc/leafpad.profile
+++ b/etc/leafpad.profile
@@ -17,8 +17,9 @@ include disable-programs.inc
 
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
-netfilter
+net none
 no3d
 nodvd
 nogroups
diff --git a/etc/lincity-ng.profile b/etc/lincity-ng.profile
index b55ac9a15..748d38221 100644
--- a/etc/lincity-ng.profile
+++ b/etc/lincity-ng.profile
@@ -21,6 +21,7 @@ whitelist ${HOME}/.lincity-ng
 include whitelist-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 ipc-namespace
 net none
diff --git a/etc/lrzuntar.profile b/etc/lrzuntar.profile
index 245d1c669..17215a5d7 100644
--- a/etc/lrzuntar.profile
+++ b/etc/lrzuntar.profile
@@ -7,6 +7,7 @@ include lrzuntar.local
 # Persistent global definitions
 # added by included profile
 #include globals.local
+quiet
 
 # Redirect
 include cpio.profile
diff --git a/etc/lximage-qt.profile b/etc/lximage-qt.profile
index 74adb7a67..a33ddab78 100644
--- a/etc/lximage-qt.profile
+++ b/etc/lximage-qt.profile
@@ -14,9 +14,11 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include whitelist-var-common.inc
 
+apparmor
 caps.drop all
-netfilter
+net none
 no3d
 nodvd
 nogroups
diff --git a/etc/lxmusic.profile b/etc/lxmusic.profile
index e1a37343e..9094f4377 100644
--- a/etc/lxmusic.profile
+++ b/etc/lxmusic.profile
@@ -20,6 +20,7 @@ include disable-xdg.inc
 
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 netfilter
 no3d
diff --git a/etc/lzcat.profile b/etc/lzcat.profile
index f7410b928..d9c72407f 100644
--- a/etc/lzcat.profile
+++ b/etc/lzcat.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 
 # Redirect
 include cpio.profile
diff --git a/etc/lzcmp.profile b/etc/lzcmp.profile
index f7410b928..d9c72407f 100644
--- a/etc/lzcmp.profile
+++ b/etc/lzcmp.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 
 # Redirect
 include cpio.profile
diff --git a/etc/lzegrep.profile b/etc/lzegrep.profile
index f7410b928..d9c72407f 100644
--- a/etc/lzegrep.profile
+++ b/etc/lzegrep.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 
 # Redirect
 include cpio.profile
diff --git a/etc/lzfgrep.profile b/etc/lzfgrep.profile
index f7410b928..d9c72407f 100644
--- a/etc/lzfgrep.profile
+++ b/etc/lzfgrep.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 
 # Redirect
 include cpio.profile
diff --git a/etc/lzgrep.profile b/etc/lzgrep.profile
index f7410b928..d9c72407f 100644
--- a/etc/lzgrep.profile
+++ b/etc/lzgrep.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 
 # Redirect
 include cpio.profile
diff --git a/etc/lzip.profile b/etc/lzip.profile
index f7410b928..d9c72407f 100644
--- a/etc/lzip.profile
+++ b/etc/lzip.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 
 # Redirect
 include cpio.profile
diff --git a/etc/lzless.profile b/etc/lzless.profile
index f7410b928..d9c72407f 100644
--- a/etc/lzless.profile
+++ b/etc/lzless.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 
 # Redirect
 include cpio.profile
diff --git a/etc/lzma.profile b/etc/lzma.profile
index f7410b928..d9c72407f 100644
--- a/etc/lzma.profile
+++ b/etc/lzma.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 
 # Redirect
 include cpio.profile
diff --git a/etc/lzmainfo.profile b/etc/lzmainfo.profile
index f7410b928..d9c72407f 100644
--- a/etc/lzmainfo.profile
+++ b/etc/lzmainfo.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 
 # Redirect
 include cpio.profile
diff --git a/etc/lzmore.profile b/etc/lzmore.profile
index f7410b928..d9c72407f 100644
--- a/etc/lzmore.profile
+++ b/etc/lzmore.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 
 # Redirect
 include cpio.profile
diff --git a/etc/mate-calc.profile b/etc/mate-calc.profile
index 2f6020ad3..8bd62ae0b 100644
--- a/etc/mate-calc.profile
+++ b/etc/mate-calc.profile
@@ -22,7 +22,9 @@ whitelist ${HOME}/.cache/mate-calc
 whitelist ${HOME}/.config/caja
 whitelist ${HOME}/.config/mate-menu
 include whitelist-common.inc
+include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 net none
 no3d
diff --git a/etc/mate-dictionary.profile b/etc/mate-dictionary.profile
index 49a776766..59f439c91 100644
--- a/etc/mate-dictionary.profile
+++ b/etc/mate-dictionary.profile
@@ -18,6 +18,7 @@ mkdir ${HOME}/.config/mate/mate-dictionary
 whitelist ${HOME}/.config/mate/mate-dictionary
 include whitelist-common.inc
 
+apparmor
 caps.drop all
 netfilter
 no3d
diff --git a/etc/midori.profile b/etc/midori.profile
index e11e2acaa..e15259608 100644
--- a/etc/midori.profile
+++ b/etc/midori.profile
@@ -48,7 +48,9 @@ whitelist ${HOME}/.local/share/webkitgtk
 whitelist ${HOME}/.pki
 whitelist ${HOME}/.local/share/pki
 include whitelist-common.inc
+include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 netfilter
 nodvd
@@ -60,3 +62,4 @@ seccomp
 tracelog
 
 disable-mnt
+private-tmp
diff --git a/etc/mousepad.profile b/etc/mousepad.profile
index 20370a5b5..868313c40 100644
--- a/etc/mousepad.profile
+++ b/etc/mousepad.profile
@@ -17,8 +17,9 @@ include disable-programs.inc
 
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
-netfilter
+net none
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/mplayer.profile b/etc/mplayer.profile
index 9ab4f8c7f..cd25d6c0b 100644
--- a/etc/mplayer.profile
+++ b/etc/mplayer.profile
@@ -21,7 +21,9 @@ include disable-xdg.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
+# net none - mplayer can be used for streaming.
 netfilter
 # nogroups
 nonewprivs
diff --git a/etc/mupdf.profile b/etc/mupdf.profile
index 43afbc859..592467658 100644
--- a/etc/mupdf.profile
+++ b/etc/mupdf.profile
@@ -18,6 +18,7 @@ include disable-xdg.inc
 
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 machine-id
 net none
diff --git a/etc/musescore.profile b/etc/musescore.profile
index b3693c956..679e82ae8 100644
--- a/etc/musescore.profile
+++ b/etc/musescore.profile
@@ -23,6 +23,7 @@ include disable-xdg.inc
 
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 netfilter
 no3d
diff --git a/etc/nslookup.profile b/etc/nslookup.profile
new file mode 100644
index 000000000..40cb3b6d8
--- /dev/null
+++ b/etc/nslookup.profile
@@ -0,0 +1,49 @@
+# Firejail profile for nslookup
+# Description: DNS lookup utility
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include nslookup.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${PATH}/nslookup
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private
+private-bin bash,nslookup,sh
+private-dev
+private-tmp
+
+memory-deny-write-execute
diff --git a/etc/open-invaders.profile b/etc/open-invaders.profile
index 5925ccc09..0ba9451d8 100644
--- a/etc/open-invaders.profile
+++ b/etc/open-invaders.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.openinvaders
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -17,7 +18,9 @@ include disable-programs.inc
 mkdir ${HOME}/.openinvaders
 whitelist ${HOME}/.openinvaders
 include whitelist-common.inc
+include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 net none
 nodbus
diff --git a/etc/opencity.profile b/etc/opencity.profile
index 6a27c8095..b0192c947 100644
--- a/etc/opencity.profile
+++ b/etc/opencity.profile
@@ -21,6 +21,7 @@ whitelist ${HOME}/.opencity
 include whitelist-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 ipc-namespace
 net none
diff --git a/etc/openclonk.profile b/etc/openclonk.profile
index da60006b3..20b2a9626 100644
--- a/etc/openclonk.profile
+++ b/etc/openclonk.profile
@@ -21,9 +21,11 @@ whitelist ${HOME}/.clonk
 include whitelist-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 ipc-namespace
-net none
+# net none - networked game
+netfilter
 nodbus
 nodvd
 nogroups
diff --git a/etc/openttd.profile b/etc/openttd.profile
index 5de4d325d..10f2f39c3 100644
--- a/etc/openttd.profile
+++ b/etc/openttd.profile
@@ -21,9 +21,10 @@ whitelist ${HOME}/.openttd
 include whitelist-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 ipc-namespace
-netfilter
+net none
 nodbus
 nodvd
 nogroups
diff --git a/etc/ping.profile b/etc/ping.profile
index 5f68ee011..75ad0ee31 100644
--- a/etc/ping.profile
+++ b/etc/ping.profile
@@ -19,6 +19,7 @@ include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.keep net_raw
 ipc-namespace
 #net tun0
diff --git a/etc/pingus.profile b/etc/pingus.profile
index a3adc55a2..8e77a26d0 100644
--- a/etc/pingus.profile
+++ b/etc/pingus.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.pingus
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -17,7 +18,9 @@ include disable-programs.inc
 mkdir ${HOME}/.pingus
 whitelist ${HOME}/.pingus
 include whitelist-common.inc
+include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 net none
 nodbus
diff --git a/etc/planmaker18.profile b/etc/planmaker18.profile
index 4cf1efb7f..2ba8e86c0 100644
--- a/etc/planmaker18.profile
+++ b/etc/planmaker18.profile
@@ -7,4 +7,4 @@ include planmaker18.local
 include globals.local
 
 # Redirect
-include softmaker-common.profile
+include softmaker-common.inc
diff --git a/etc/planmaker18free.profile b/etc/planmaker18free.profile
index bb85f1fc7..d0bce44f5 100644
--- a/etc/planmaker18free.profile
+++ b/etc/planmaker18free.profile
@@ -7,4 +7,4 @@ include planmaker18free.local
 include globals.local
 
 # Redirect
-include softmaker-common.profile
+include softmaker-common.inc
diff --git a/etc/ppsspp.profile b/etc/ppsspp.profile
index 970290002..0b5da661a 100644
--- a/etc/ppsspp.profile
+++ b/etc/ppsspp.profile
@@ -21,7 +21,6 @@ include whitelist-var-common.inc
 
 caps.drop all
 ipc-namespace
-netfilter
 net none
 nodbus
 nodvd
diff --git a/etc/presentations18.profile b/etc/presentations18.profile
index ac844d1af..d4f531060 100644
--- a/etc/presentations18.profile
+++ b/etc/presentations18.profile
@@ -7,4 +7,5 @@ include presentations18.local
 include globals.local
 
 # Redirect
-include softmaker-common.profile
+include softmaker-common.inc
+
diff --git a/etc/presentations18free.profile b/etc/presentations18free.profile
index 218747224..e2319f13f 100644
--- a/etc/presentations18free.profile
+++ b/etc/presentations18free.profile
@@ -7,4 +7,4 @@ include presentations18free.local
 include globals.local
 
 # Redirect
-include softmaker-common.profile
+include softmaker-common.inc
diff --git a/etc/qpdfview.profile b/etc/qpdfview.profile
index 863f57ba4..dace1634f 100644
--- a/etc/qpdfview.profile
+++ b/etc/qpdfview.profile
@@ -20,6 +20,7 @@ include disable-xdg.inc
 
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 machine-id
 # needs D-Bus when started from a file manager
diff --git a/etc/ripperx.profile b/etc/ripperx.profile
new file mode 100644
index 000000000..b572aa1b4
--- /dev/null
+++ b/etc/ripperx.profile
@@ -0,0 +1,41 @@
+# Firejail profile for mpv
+# Description: Graphical audio CD ripper and encoder
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ripperx.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.ripperXrc
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+no3d
+nodbus
+nogroups
+nonewprivs
+noroot
+nou2f
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-cache
+private-dev
+private-tmp
diff --git a/etc/scribus.profile b/etc/scribus.profile
index e20cd1b5a..e7faccea1 100644
--- a/etc/scribus.profile
+++ b/etc/scribus.profile
@@ -40,6 +40,7 @@ include disable-xdg.inc
 
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 net none
 nodbus
diff --git a/etc/slack.profile b/etc/slack.profile
index 54069f657..9a10e38fe 100644
--- a/etc/slack.profile
+++ b/etc/slack.profile
@@ -28,7 +28,7 @@ noroot
 notv
 nou2f
 protocol unix,inet,inet6,netlink
-seccomp
+seccomp !chroot
 shell none
 
 disable-mnt
diff --git a/etc/sol.profile b/etc/sol.profile
index ea1620b31..4c8fdfbb1 100644
--- a/etc/sol.profile
+++ b/etc/sol.profile
@@ -17,6 +17,7 @@ include disable-xdg.inc
 include whitelist-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 ipc-namespace
 net none
diff --git a/etc/sound-juicer.profile b/etc/sound-juicer.profile
new file mode 100644
index 000000000..ebd321573
--- /dev/null
+++ b/etc/sound-juicer.profile
@@ -0,0 +1,41 @@
+# Firejail profile for mpv
+# Description: Graphical audio CD ripper and encoder
+# This file is overwritten after every install/update
+# Persistent local customizations
+include sound-juicer.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/sound-juicer
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+no3d
+#nodbus
+nogroups
+nonewprivs
+noroot
+nosound
+nou2f
+notv
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+private-cache
+private-dev
+private-tmp
diff --git a/etc/steam.profile b/etc/steam.profile
index bc90af837..5c8ced875 100644
--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -38,14 +38,13 @@ include disable-programs.inc
 
 include whitelist-var-common.inc
 
-# allow-debuggers needed for running some games with proton
-allow-debuggers
 caps.drop all
 #ipc-namespace
 netfilter
 # nodbus disabled as it breaks appindicator support
 #nodbus
 nodvd
+# nVidia user may need to comment / ignore nogroups and noroot
 nogroups
 nonewprivs
 noroot
@@ -54,9 +53,9 @@ nou2f
 # novideo should be commented for VR
 novideo
 protocol unix,inet,inet6,netlink
-# seccomp cause sometimes issues (see #2860, #2951),
+# seccomp cause sometimes issues (see #2951, #3267),
 # comment it or add 'ignore seccomp' to steam.local if so.
-seccomp
+seccomp !kcmp,!ptrace
 shell none
 # tracelog disabled as it breaks integrated browser
 #tracelog
diff --git a/etc/supertux2.profile b/etc/supertux2.profile
index 4c64ee766..a702faa9e 100644
--- a/etc/supertux2.profile
+++ b/etc/supertux2.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.local/share/supertux2
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -19,6 +20,7 @@ whitelist ${HOME}/.local/share/supertux2
 include whitelist-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 net none
 nodbus
diff --git a/etc/tcpdump.profile b/etc/tcpdump.profile
index 3c46dfdcb..881fbf49e 100644
--- a/etc/tcpdump.profile
+++ b/etc/tcpdump.profile
@@ -19,6 +19,7 @@ include disable-xdg.inc
 
 include whitelist-common.inc
 
+apparmor
 caps.keep net_raw
 ipc-namespace
 #net tun0
diff --git a/etc/terasology.profile b/etc/terasology.profile
index 9a8426435..3324a18be 100644
--- a/etc/terasology.profile
+++ b/etc/terasology.profile
@@ -28,7 +28,6 @@ include whitelist-common.inc
 caps.drop all
 ipc-namespace
 net none
-netfilter
 nodbus
 nodvd
 nogroups
diff --git a/etc/textmaker18.profile b/etc/textmaker18.profile
index 8284df791..d28947394 100644
--- a/etc/textmaker18.profile
+++ b/etc/textmaker18.profile
@@ -7,4 +7,5 @@ include textmaker18.local
 include globals.local
 
 # Redirect
-include softmaker-common.profile
+include softmaker-common.inc
+
diff --git a/etc/textmaker18free.profile b/etc/textmaker18free.profile
index ad945ca55..7b4fd5b08 100644
--- a/etc/textmaker18free.profile
+++ b/etc/textmaker18free.profile
@@ -7,4 +7,5 @@ include textmaker18free.local
 include globals.local
 
 # Redirect
-include softmaker-common.profile
+include softmaker-common.inc
+
diff --git a/etc/tshark.profile b/etc/tshark.profile
index 22ced5d8a..211f59f29 100644
--- a/etc/tshark.profile
+++ b/etc/tshark.profile
@@ -19,6 +19,7 @@ include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
+apparmor
 #caps.keep net_raw
 caps.keep dac_override,net_admin,net_raw
 ipc-namespace
diff --git a/etc/tuxguitar.profile b/etc/tuxguitar.profile
index ae868a022..d2b13d9ee 100644
--- a/etc/tuxguitar.profile
+++ b/etc/tuxguitar.profile
@@ -15,6 +15,7 @@ include allow-java.inc
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -22,6 +23,7 @@ include disable-xdg.inc
 
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 netfilter
 no3d
diff --git a/etc/unlzma.profile b/etc/unlzma.profile
index f7410b928..d9c72407f 100644
--- a/etc/unlzma.profile
+++ b/etc/unlzma.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 
 # Redirect
 include cpio.profile
diff --git a/etc/unxz.profile b/etc/unxz.profile
index f7410b928..d9c72407f 100644
--- a/etc/unxz.profile
+++ b/etc/unxz.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 
 # Redirect
 include cpio.profile
diff --git a/etc/warzone2100.profile b/etc/warzone2100.profile
index e65e0a0c3..e33cace49 100644
--- a/etc/warzone2100.profile
+++ b/etc/warzone2100.profile
@@ -22,6 +22,7 @@ whitelist ${HOME}/.warzone2100-3.2
 include whitelist-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 netfilter
 nodvd
diff --git a/etc/wget.profile b/etc/wget.profile
index 401926e2d..d402316e9 100644
--- a/etc/wget.profile
+++ b/etc/wget.profile
@@ -26,6 +26,7 @@ include disable-programs.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 ipc-namespace
 machine-id
diff --git a/etc/whois.profile b/etc/whois.profile
index 0e60e18ab..9af6d6843 100644
--- a/etc/whois.profile
+++ b/etc/whois.profile
@@ -21,6 +21,7 @@ include disable-xdg.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 hostname whois
 ipc-namespace
diff --git a/etc/x-terminal-emulator.profile b/etc/x-terminal-emulator.profile
index e21b74030..b6424f342 100644
--- a/etc/x-terminal-emulator.profile
+++ b/etc/x-terminal-emulator.profile
@@ -8,7 +8,6 @@ include globals.local
 caps.drop all
 ipc-namespace
 net none
-netfilter
 nodbus
 nogroups
 noroot
diff --git a/etc/xcalc.profile b/etc/xcalc.profile
index 0ad423d30..a096f803c 100644
--- a/etc/xcalc.profile
+++ b/etc/xcalc.profile
@@ -17,7 +17,6 @@ include whitelist-var-common.inc
 
 caps.drop all
 net none
-netfilter
 no3d
 nodbus
 nodvd
diff --git a/etc/xfce4-dict.profile b/etc/xfce4-dict.profile
index bc499bd30..a3e0c4633 100644
--- a/etc/xfce4-dict.profile
+++ b/etc/xfce4-dict.profile
@@ -15,6 +15,9 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-var-common.inc
+
+apparmor
 caps.drop all
 netfilter
 no3d
diff --git a/etc/xfce4-notes.profile b/etc/xfce4-notes.profile
index 4dad1bf7a..c3d0930ff 100644
--- a/etc/xfce4-notes.profile
+++ b/etc/xfce4-notes.profile
@@ -17,6 +17,9 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-var-common.inc
+
+apparmor
 caps.drop all
 netfilter
 no3d
diff --git a/etc/xpdf.profile b/etc/xpdf.profile
index 8c405ba1d..cb7ac4a59 100644
--- a/etc/xpdf.profile
+++ b/etc/xpdf.profile
@@ -19,6 +19,7 @@ include disable-xdg.inc
 
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 machine-id
 net none
@@ -38,4 +39,4 @@ shell none
 
 private-dev
 private-tmp
-
+memory-deny-write-execute
diff --git a/etc/xxd.profile b/etc/xxd.profile
index 569f194d3..864e8ce9c 100644
--- a/etc/xxd.profile
+++ b/etc/xxd.profile
@@ -1,6 +1,7 @@
 # Firejail profile for xxd
 # Description: Tool to make (or reverse) a hex dump
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include xxd.local
 # Persistent global definitions
@@ -8,4 +9,4 @@ include xxd.local
 #include globals.local
 
 # Redirect
-include vim.profile
+include cpio.profile
diff --git a/etc/xz.profile b/etc/xz.profile
index f7410b928..d9c72407f 100644
--- a/etc/xz.profile
+++ b/etc/xz.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 
 # Redirect
 include cpio.profile
diff --git a/etc/xzcat.profile b/etc/xzcat.profile
index f7410b928..d9c72407f 100644
--- a/etc/xzcat.profile
+++ b/etc/xzcat.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 
 # Redirect
 include cpio.profile
diff --git a/etc/xzcmp.profile b/etc/xzcmp.profile
index f7410b928..d9c72407f 100644
--- a/etc/xzcmp.profile
+++ b/etc/xzcmp.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 
 # Redirect
 include cpio.profile
diff --git a/etc/xzdiff.profile b/etc/xzdiff.profile
index f7410b928..d9c72407f 100644
--- a/etc/xzdiff.profile
+++ b/etc/xzdiff.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 
 # Redirect
 include cpio.profile
diff --git a/etc/xzegrep.profile b/etc/xzegrep.profile
index f7410b928..d9c72407f 100644
--- a/etc/xzegrep.profile
+++ b/etc/xzegrep.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 
 # Redirect
 include cpio.profile
diff --git a/etc/xzfgrep.profile b/etc/xzfgrep.profile
index f7410b928..d9c72407f 100644
--- a/etc/xzfgrep.profile
+++ b/etc/xzfgrep.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 
 # Redirect
 include cpio.profile
diff --git a/etc/xzmore.profile b/etc/xzmore.profile
index f7410b928..d9c72407f 100644
--- a/etc/xzmore.profile
+++ b/etc/xzmore.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 
 # Redirect
 include cpio.profile
diff --git a/etc/zathura.profile b/etc/zathura.profile
index 703c8edd4..9ca5fd862 100644
--- a/etc/zathura.profile
+++ b/etc/zathura.profile
@@ -25,6 +25,7 @@ whitelist /usr/share/zathura
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 ipc-namespace
 machine-id
@@ -47,7 +48,8 @@ private-bin zathura
 private-cache
 private-dev
 private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id
-private-lib gcc/*/*/libgcc_s.so.*,gcc/*/*/libstdc++.so.*,libarchive.so.*,libdjvulibre.so.*,libgirara-gtk*,libpoppler-glib.so.*,libspectre.so.*,zathura
+# private-lib has problems on Debian 10
+#private-lib gcc/*/*/libgcc_s.so.*,gcc/*/*/libstdc++.so.*,libarchive.so.*,libdjvulibre.so.*,libgirara-gtk*,libpoppler-glib.so.*,libspectre.so.*,zathura
 private-tmp
 
 read-only ${HOME}
diff --git a/etc/zoom.profile b/etc/zoom.profile
index 6d312aff6..6eac10703 100644
--- a/etc/zoom.profile
+++ b/etc/zoom.profile
@@ -27,7 +27,7 @@ nodvd
 nonewprivs
 noroot
 notv
-protocol unix,inet,inet6
-seccomp
+protocol unix,inet,inet6,netlink
+seccomp !chroot
 
 private-tmp
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 4cd4fad6c..2798605d5 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -23,6 +23,7 @@ Natron
 PPSSPPQt
 QMediathekView
 QOwnNotes
+Screenshot
 Telegram
 Viber
 VirtualBox
@@ -148,6 +149,7 @@ desktopeditors
 devhelp
 dex2jar
 dia
+dig
 digikam
 dillo
 dino
@@ -275,6 +277,7 @@ gnome-passwordsafe
 gnome-photos
 gnome-recipes
 gnome-schedule
+gnome-screenshot
 gnome-system-log
 gnome-twitch
 gnome-weather
@@ -303,6 +306,7 @@ hashcat
 hedgewars
 hexchat
 highlight
+host
 hugin
 icecat
 icedove
@@ -466,6 +470,7 @@ nitroshare-nmh
 nitroshare-send
 nitroshare-ui
 nomacs
+nslookup
 nylas
 nyx
 obs
@@ -479,6 +484,7 @@ ooviewdoc
 open-invaders
 openarena
 opencity
+openclonk
 openoffice.org
 openshot
 openshot-qt
@@ -546,6 +552,7 @@ rhythmbox-client
 ricochet
 riot-desktop
 riot-web
+ripperx
 ristretto
 rocketchat
 rtorrent
@@ -578,6 +585,7 @@ smtube
 snox
 soffice
 sol
+sound-juicer
 soundconverter
 spotify
 sqlitebrowser
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 0e4fcea6a..7391a8994 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -395,6 +395,7 @@ typedef enum {
         MOUNT_TMPFS,
         MOUNT_NOEXEC,
         MOUNT_RDWR,
+        MOUNT_RDWR_NOCHECK, // no check of ownership
         OPERATION_MAX
 } OPERATION;
 
@@ -403,8 +404,7 @@ void fs_blacklist(void);
 // mount a writable tmpfs
 void fs_tmpfs(const char *dir, unsigned check_owner);
 // remount noexec/nodev/nosuid or read-only or read-write
-void fs_remount(const char *dir, OPERATION op, unsigned check_mnt);
-void fs_remount_rec(const char *dir, OPERATION op, unsigned check_mnt);
+void fs_remount(const char *dir, OPERATION op, int rec);
 // mount /proc and /sys directories
 void fs_proc_sys_dev_boot(void);
 // blacklist firejail configuration and runtime directories
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index c7dd91b06..b642329bf 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -28,10 +28,9 @@
 #include <dirent.h>
 #include <errno.h>
 
-
 #include <fcntl.h>
 #ifndef O_PATH
-# define O_PATH 010000000
+#define O_PATH 010000000
 #endif
 
 #define MAX_BUF 4096
@@ -43,6 +42,8 @@
 //***********************************************
 // process profile file
 //***********************************************
+static void fs_remount_rec(const char *dir, OPERATION op);
+
 static char *opstr[] = {
         [BLACKLIST_FILE] = "blacklist",
         [BLACKLIST_NOLOG] = "blacklist-nolog",
@@ -50,6 +51,7 @@ static char *opstr[] = {
         [MOUNT_TMPFS] = "tmpfs",
         [MOUNT_NOEXEC] = "noexec",
         [MOUNT_RDWR] = "read-write",
+        [MOUNT_RDWR_NOCHECK] = "read-write",
 };
 
 typedef enum {
@@ -148,7 +150,7 @@ static void disable_file(OPERATION op, const char *filename) {
                 }
         }
         else if (op == MOUNT_READONLY || op == MOUNT_RDWR || op == MOUNT_NOEXEC) {
-                fs_remount_rec(fname, op, 1);
+                fs_remount_rec(fname, op);
                 // todo: last_disable = SUCCESSFUL;
         }
         else if (op == MOUNT_TMPFS) {
@@ -425,21 +427,11 @@ void fs_blacklist(void) {
         free(noblacklist);
 }
 
-static int get_mount_flags(const char *path, unsigned long *flags) {
-        struct statvfs buf;
-
-        if (statvfs(path, &buf) < 0)
-                return -errno;
-        *flags = buf.f_flag;
-        return 0;
-}
-
 //***********************************************
 // mount namespace
-//              - functions need fully resolved paths
 //***********************************************
 
-// mount a writable tmpfs on directory
+// mount a writable tmpfs on directory; requires a resolved path
 void fs_tmpfs(const char *dir, unsigned check_owner) {
         assert(dir);
         if (arg_debug)
@@ -480,71 +472,114 @@ void fs_tmpfs(const char *dir, unsigned check_owner) {
         close(fd);
 }
 
-void fs_remount(const char *dir, OPERATION op, unsigned check_mnt) {
-        assert(dir);
-        // check directory exists
+// remount path, but preserve existing mount flags; requires a resolved path
+static void fs_remount_simple(const char *path, OPERATION op) {
+        assert(path);
+
+        // open path without following symbolic links
+        int fd = safe_fd(path, O_PATH|O_NOFOLLOW|O_CLOEXEC);
+        if (fd == -1)
+                goto out;
+        // identify file owner
         struct stat s;
-        int rv = stat(dir, &s);
-        if (rv == 0) {
-                unsigned long flags = 0;
-                if (get_mount_flags(dir, &flags) != 0) {
-                        fwarning("cannot remount %s\n", dir);
+        if (fstat(fd, &s) == -1) {
+                // fstat can fail with EACCES if path is a FUSE mount,
+                // mounted without 'allow_root' or 'allow_other'
+                if (errno != EACCES)
+                        errExit("fstat");
+                close(fd);
+                goto out;
+        }
+        // get mount flags
+        struct statvfs buf;
+        if (fstatvfs(fd, &buf) == -1)
+                errExit("fstatvfs");
+        unsigned long flags = buf.f_flag;
+
+        // read-write option
+        if (op == MOUNT_RDWR || op == MOUNT_RDWR_NOCHECK) {
+                // nothing to do if there is no read-only flag
+                if ((flags & MS_RDONLY) == 0) {
+                        close(fd);
                         return;
                 }
-                if (op == MOUNT_RDWR) {
-                        // allow only user owned directories, except the user is root
-                        if (getuid() != 0 && s.st_uid != getuid()) {
-                                fwarning("you are not allowed to change %s to read-write\n", dir);
-                                return;
-                        }
-                        if ((flags & MS_RDONLY) == 0)
-                                return;
-                        flags &= ~MS_RDONLY;
-                }
-                else if (op == MOUNT_NOEXEC) {
-                        if ((flags & (MS_NOEXEC|MS_NODEV|MS_NOSUID)) == (MS_NOEXEC|MS_NODEV|MS_NOSUID))
-                                return;
-                        flags |= MS_NOEXEC|MS_NODEV|MS_NOSUID;
+                // allow only user owned directories, except the user is root
+                if (op == MOUNT_RDWR && getuid() != 0 && s.st_uid != getuid()) {
+                        fwarning("you are not allowed to change %s to read-write\n", path);
+                        close(fd);
+                        return;
                 }
-                else if (op == MOUNT_READONLY) {
-                        if ((flags & MS_RDONLY) == MS_RDONLY)
-                                return;
-                        flags |= MS_RDONLY;
+                flags &= ~MS_RDONLY;
+        }
+        // noexec option
+        else if (op == MOUNT_NOEXEC) {
+                // nothing to do if path is mounted noexec already
+                if ((flags & (MS_NOEXEC|MS_NODEV|MS_NOSUID)) == (MS_NOEXEC|MS_NODEV|MS_NOSUID)) {
+                        close(fd);
+                        return;
                 }
-                else
-                        assert(0);
-
-                if (arg_debug)
-                        printf("Mounting %s %s\n", opstr[op], dir);
-                // mount --bind /bin /bin
-                // mount --bind -o remount,rw /bin
-                if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0 ||
-                    mount(NULL, dir, NULL, flags|MS_BIND|MS_REMOUNT, NULL) < 0)
-                        errExit("remounting");
-                // run a sanity check on /proc/self/mountinfo
-                if (check_mnt) {
-                        // confirm target of the last mount operation was dir; if there are other
-                        // mount points contained inside dir, one of those will show up as target
-                        // of the last mount operation instead
-                        MountData *mptr = get_last_mount();
-                        size_t len = strlen(dir);
-                        if ((strncmp(mptr->dir, dir, len) != 0 ||
-                           (*(mptr->dir + len) != '\0' && *(mptr->dir + len) != '/'))
-                           && strcmp(dir, "/") != 0) // support read-only=/
-                                errLogExit("invalid %s mount", opstr[op]);
+                flags |= MS_NOEXEC|MS_NODEV|MS_NOSUID;
+        }
+        // read-only option
+        else if (op == MOUNT_READONLY) {
+                // nothing to do if path is mounted read-only already
+                if ((flags & MS_RDONLY) == MS_RDONLY) {
+                        close(fd);
+                        return;
                 }
-                fs_logger2(opstr[op], dir);
+                flags |= MS_RDONLY;
         }
+        else
+                assert(0);
+
+        if (arg_debug)
+                printf("Mounting %s %s\n", opstr[op], path);
+        // mount --bind /bin /bin
+        char *proc;
+        if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
+                errExit("asprintf");
+        if (mount(proc, proc, NULL, MS_BIND|MS_REC, NULL) < 0)
+                errExit("mount");
+        free(proc);
+        close(fd);
+
+        // mount --bind -o remount,ro /bin
+        // we need to open path again
+        fd = safe_fd(path, O_PATH|O_NOFOLLOW|O_CLOEXEC);
+        if (fd == -1)
+                errExit("open");
+        if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
+                errExit("asprintf");
+        if (mount(NULL, proc, NULL, flags|MS_BIND|MS_REMOUNT, NULL) < 0)
+                errExit("mount");
+
+        // run a sanity check on /proc/self/mountinfo and confirm that target of the last
+        // mount operation was path; if there are other mount points contained inside path,
+        // one of those will show up as target of the last mount operation instead
+        MountData *mptr = get_last_mount();
+        size_t len = strlen(path);
+        if ((strncmp(mptr->dir, path, len) != 0 ||
+           (*(mptr->dir + len) != '\0' && *(mptr->dir + len) != '/'))
+           && strcmp(path, "/") != 0) // support read-only=/
+                errLogExit("invalid %s mount", opstr[op]);
+        fs_logger2(opstr[op], path);
+        free(proc);
+        close(fd);
+        return;
+
+out:
+        fwarning("not remounting %s\n", path);
 }
 
-void fs_remount_rec(const char *dir, OPERATION op, unsigned check_mnt) {
+// remount recursively; requires a resolved path
+static void fs_remount_rec(const char *dir, OPERATION op) {
         assert(dir);
         struct stat s;
         if (stat(dir, &s) != 0)
                 return;
         if (!S_ISDIR(s.st_mode)) {
                 // no need to search in /proc/self/mountinfo for submounts if not a directory
-                fs_remount(dir, op, check_mnt);
+                fs_remount_simple(dir, op);
                 return;
         }
         // get mount point of the directory
@@ -558,7 +593,7 @@ void fs_remount_rec(const char *dir, OPERATION op, unsigned check_mnt) {
                         fwarning("read-only, read-write and noexec options are not applied recursively\n");
                         mount_warning = 1;
                 }
-                fs_remount(dir, op, check_mnt);
+                fs_remount_simple(dir, op);
                 return;
         }
         // build array with all mount points that need to get remounted
@@ -567,12 +602,25 @@ void fs_remount_rec(const char *dir, OPERATION op, unsigned check_mnt) {
         // remount
         char **tmp = arr;
         while (*tmp) {
-                fs_remount(*tmp, op, check_mnt);
+                fs_remount_simple(*tmp, op);
                 free(*tmp++);
         }
         free(arr);
 }
 
+// resolve a path and remount it
+void fs_remount(const char *path, OPERATION op, int rec) {
+        assert(path);
+        char *rpath = realpath(path, NULL);
+        if (rpath) {
+                if (rec)
+                        fs_remount_rec(rpath, op);
+                else
+                        fs_remount_simple(rpath, op);
+                free(rpath);
+        }
+}
+
 // Disable /mnt, /media, /run/mount and /run/media access
 void fs_mnt(const int enforce) {
         if (enforce) {
@@ -749,22 +797,22 @@ void fs_basic_fs(void) {
         if (arg_debug)
                 printf("Basic read-only filesystem:\n");
         if (!arg_writable_etc) {
-                fs_remount("/etc", MOUNT_READONLY, 0);
+                fs_remount("/etc", MOUNT_READONLY, 1);
                 if (uid)
-                        fs_remount("/etc", MOUNT_NOEXEC, 0);
+                        fs_remount("/etc", MOUNT_NOEXEC, 1);
         }
         if (!arg_writable_var) {
-                fs_remount("/var", MOUNT_READONLY, 0);
+                fs_remount("/var", MOUNT_READONLY, 1);
                 if (uid)
-                        fs_remount("/var", MOUNT_NOEXEC, 0);
+                        fs_remount("/var", MOUNT_NOEXEC, 1);
         }
-        fs_remount("/bin", MOUNT_READONLY, 0);
-        fs_remount("/sbin", MOUNT_READONLY, 0);
-        fs_remount("/lib", MOUNT_READONLY, 0);
-        fs_remount("/lib64", MOUNT_READONLY, 0);
-        fs_remount("/lib32", MOUNT_READONLY, 0);
-        fs_remount("/libx32", MOUNT_READONLY, 0);
-        fs_remount("/usr", MOUNT_READONLY, 0);
+        fs_remount("/usr", MOUNT_READONLY, 1);
+        fs_remount("/bin", MOUNT_READONLY, 1);
+        fs_remount("/sbin", MOUNT_READONLY, 1);
+        fs_remount("/lib", MOUNT_READONLY, 1);
+        fs_remount("/lib64", MOUNT_READONLY, 1);
+        fs_remount("/lib32", MOUNT_READONLY, 1);
+        fs_remount("/libx32", MOUNT_READONLY, 1);
 
         // update /var directory in order to support multiple sandboxes running on the same root directory
         fs_var_lock();
@@ -773,7 +821,7 @@ void fs_basic_fs(void) {
         if (!arg_writable_var_log)
                 fs_var_log();
         else
-                fs_remount("/var/log", MOUNT_RDWR, 0);
+                fs_remount("/var/log", MOUNT_RDWR_NOCHECK, 0);
 
         fs_var_lib();
         fs_var_cache();
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 969209869..c7269857d 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -151,6 +151,10 @@ static int check_nodbus(void) {
         return arg_nodbus != 0;
 }
 
+static int check_nosound(void) {
+        return arg_nosound != 0;
+}
+
 static int check_x11(void) {
         return (arg_x11_block || arg_x11_xorg || getenv("FIREJAIL_X11"));
 }
@@ -167,6 +171,7 @@ Cond conditionals[] = {
         {"HAS_APPIMAGE", check_appimage},
         {"HAS_NET", check_netoptions},
         {"HAS_NODBUS", check_nodbus},
+        {"HAS_NOSOUND", check_nosound},
         {"HAS_X11", check_x11},
         {"BROWSER_DISABLE_U2F", check_disable_u2f},
         {"BROWSER_ALLOW_DRM", check_allow_drm},
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 84aed41a4..9af25bf63 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -103,7 +103,7 @@ Example: "?HAS_APPIMAGE: whitelist ${HOME}/special/appimage/dir"
 
 This example will load the whitelist profile line only if the \-\-appimage option has been specified on the command line.
 
-Currently the only conditionals supported this way are HAS_APPIMAGE, HAS_NET, HAS_NODBUS and HAS_X11. The conditionals BROWSER_DISABLE_U2F and BROWSER_ALLOW_DRM
+Currently the only conditionals supported this way are HAS_APPIMAGE, HAS_NET, HAS_NODBUS, HAS_NOSOUND and HAS_X11. The conditionals BROWSER_DISABLE_U2F and BROWSER_ALLOW_DRM
 can be enabled or disabled globally in Firejail's configuration file.
 
 The profile line may be any profile line that you would normally use in a profile \fBexcept\fR for "quiet" and "include" lines.
diff --git a/src/profstats/Makefile.in b/src/profstats/Makefile.in
new file mode 100644
index 000000000..4ada23c23
--- /dev/null
+++ b/src/profstats/Makefile.in
@@ -0,0 +1,14 @@
+all: ../../etc/profstats
+
+include ../common.mk
+
+%.o : %.c $(H_FILE_LIST)
+        $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
+
+../../etc/profstats: $(OBJS)
+        $(CC)  $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
+
+clean:; rm -fr *.o ../../etc/profstats *.gcov *.gcda *.gcno *.plist
+
+distclean: clean
+        rm -fr Makefile
diff --git a/src/profstats/main.c b/src/profstats/main.c
new file mode 100644
index 000000000..775142643
--- /dev/null
+++ b/src/profstats/main.c
@@ -0,0 +1,240 @@
+ /*
+ * Copyright (C) 2014-2020 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <assert.h>
+
+#define MAXBUF 2048
+// stats
+static int cnt_profiles = 0;
+static int cnt_apparmor = 0;
+static int cnt_seccomp = 0;
+static int cnt_caps = 0;
+static int cnt_dotlocal = 0;
+static int cnt_globalsdotlocal = 0;
+static int cnt_netnone = 0;
+static int cnt_noexec = 0;      // include disable-exec.inc
+static int cnt_privatedev = 0;
+static int cnt_privatetmp = 0;
+static int cnt_whitelistvar = 0;        // include whitelist-var-common.inc
+static int cnt_ssh = 0;
+
+static int level = 0;
+static int arg_debug = 0;
+static int arg_apparmor = 0;
+static int arg_caps = 0;
+static int arg_seccomp = 0;
+static int arg_noexec = 0;
+static int arg_privatedev = 0;
+static int arg_privatetmp = 0;
+static int arg_whitelistvar = 0;
+static int arg_ssh = 0;
+
+static void usage(void) {
+        printf("proftool - print profile statistics\n");
+        printf("Usage: proftool [options] file[s]\n");
+        printf("Options:\n");
+        printf("   --apparmor - print profiles without apparmor\n");
+        printf("   --caps - print profiles without caps\n");
+        printf("   --ssh - print profiles without \"include disable-common.inc\"\n");
+        printf("   --noexec - print profiles without \"include disable-exec.inc\"\n");
+        printf("   --private-dev - print profiles without private-dev\n");
+        printf("   --private-tmp - print profiles without private-tmp\n");
+        printf("   --seccomp - print profiles without seccomp\n");
+        printf("   --whitelist-var - print profiles without \"include whitelist-var-common.inc\"\n");
+        printf("   --debug\n");
+        printf("\n");
+}
+
+void process_file(const char *fname) {
+        assert(fname);
+
+        if (arg_debug)
+                printf("processing #%s#\n", fname);
+        level++;
+        assert(level < 32); // to do - check in firejail code
+
+        FILE *fp = fopen(fname, "r");
+        if (!fp) {
+                fprintf(stderr, "Error: cannot open %s\n", fname);
+                exit(1);
+        }
+
+        char buf[MAXBUF];
+        while (fgets(buf, MAXBUF, fp)) {
+                char *ptr = strchr(buf, '\n');
+                if (ptr)
+                        *ptr = '\0';
+                ptr = buf;
+
+                while (*ptr == ' ' || *ptr == '\t')
+                        ptr++;
+                if (*ptr == '\n' || *ptr == '#')
+                        continue;
+
+                if (strncmp(ptr, "seccomp", 7) == 0)
+                        cnt_seccomp++;
+                else if (strncmp(ptr, "caps", 4) == 0)
+                        cnt_caps++;
+                else if (strncmp(ptr, "include disable-exec.inc", 24) == 0)
+                        cnt_noexec++;
+                else if (strncmp(ptr, "include whitelist-var-common.inc", 32) == 0)
+                        cnt_whitelistvar++;
+                else if (strncmp(ptr, "include disable-common.inc", 26) == 0)
+                        cnt_ssh++;
+                else if (strncmp(ptr, "net none", 8) == 0)
+                        cnt_netnone++;
+                else if (strncmp(ptr, "apparmor", 8) == 0)
+                        cnt_apparmor++;
+                else if (strncmp(ptr, "private-dev", 11) == 0)
+                        cnt_privatedev++;
+                else if (strncmp(ptr, "private-tmp", 11) == 0)
+                        cnt_privatetmp++;
+                else if (strncmp(ptr, "include ", 8) == 0) {
+                        // not processing .local files
+                        if (strstr(ptr, ".local")) {
+//printf("dotlocal %d, level %d - #%s#, redirect #%s#\n", cnt_dotlocal, level, fname, buf + 8);
+                                if (strstr(ptr, "globals.local"))
+                                        cnt_globalsdotlocal++;
+                                else
+                                        cnt_dotlocal++;
+                                continue;
+                        }
+                        process_file(buf + 8);
+                }
+        }
+
+        fclose(fp);
+        level--;
+}
+
+int main(int argc, char **argv) {
+        if (argc <= 1) {
+                usage();
+                return 1;
+        }
+
+        int start = 1;
+        int i;
+        for (i = 1; i < argc; i++) {
+                if (strcmp(argv[i], "--help") == 0) {
+                        usage();
+                        return 0;
+                }
+                else if (strcmp(argv[i], "--debug") == 0)
+                        arg_debug = 1;
+                else if (strcmp(argv[i], "--apparmor") == 0)
+                        arg_apparmor = 1;
+                else if (strcmp(argv[i], "--caps") == 0)
+                        arg_caps = 1;
+                else if (strcmp(argv[i], "--seccomp") == 0)
+                        arg_seccomp = 1;
+                else if (strcmp(argv[i], "--noexec") == 0)
+                        arg_noexec = 1;
+                else if (strcmp(argv[i], "--private-dev") == 0)
+                        arg_privatedev = 1;
+                else if (strcmp(argv[i], "--private-tmp") == 0)
+                        arg_privatetmp = 1;
+                else if (strcmp(argv[i], "--whitelist-var") == 0)
+                        arg_whitelistvar = 1;
+                else if (strcmp(argv[i], "--ssh") == 0)
+                        arg_ssh = 1;
+                else if (*argv[i] == '-') {
+                        fprintf(stderr, "Error: invalid option %s\n", argv[i]);
+                        return 1;
+                 }
+                 else
+                        break;
+        }
+
+        start = i;
+        if (i == argc) {
+                fprintf(stderr, "Error: no porfile file specified\n");
+                return 1;
+        }
+
+        for (i = start; i < argc; i++) {
+                cnt_profiles++;
+
+                // watch seccomp
+                int seccomp = cnt_seccomp;
+                int caps = cnt_caps;
+                int apparmor = cnt_apparmor;
+                int noexec = cnt_noexec;
+                int privatetmp = cnt_privatetmp;
+                int privatedev = cnt_privatedev;
+                int dotlocal = cnt_dotlocal;
+                int globalsdotlocal = cnt_globalsdotlocal;
+                int whitelistvar = cnt_whitelistvar;
+                int ssh = cnt_ssh;
+
+                // process file
+                process_file(argv[i]);
+
+                // warnings
+                if ((caps + 2) <= cnt_caps) {
+                        printf("Warning: multiple caps in %s\n", argv[i]);
+                        cnt_caps = caps + 1;
+                }
+
+                // fix redirections
+                if (cnt_dotlocal > (dotlocal + 1))
+                        cnt_dotlocal = dotlocal + 1;
+                if (cnt_globalsdotlocal > (globalsdotlocal + 1))
+                        cnt_globalsdotlocal = globalsdotlocal + 1;
+
+                if (arg_apparmor && apparmor == cnt_apparmor)
+                        printf("No apparmor found in %s\n", argv[i]);
+                if (arg_caps && caps == cnt_caps)
+                        printf("No caps found in %s\n", argv[i]);
+                if (arg_seccomp && seccomp == cnt_seccomp)
+                        printf("No seccomp found in %s\n", argv[i]);
+                if (arg_noexec && noexec == cnt_noexec)
+                        printf("No include disable-exec.inc found in %s\n", argv[i]);
+                if (arg_privatedev && privatedev == cnt_privatedev)
+                        printf("No private-dev found in %s\n", argv[i]);
+                if (arg_privatetmp && privatetmp == cnt_privatetmp)
+                        printf("No private-tmp found in %s\n", argv[i]);
+                if (arg_whitelistvar && whitelistvar == cnt_whitelistvar)
+                        printf("No include whitelist-var-common.inc found in %s\n", argv[i]);
+                if (arg_ssh && ssh == cnt_ssh)
+                        printf("No include disable-common.inc found in %s\n", argv[i]);
+
+                assert(level == 0);
+        }
+
+        printf("\n");
+        printf("Stats:\n");
+        printf("    profiles\t\t\t%d\n", cnt_profiles);
+        printf("    include local profile\t%d   (include profile-name.local)\n", cnt_dotlocal);
+        printf("    include globals\t\t%d   (include globals.local)\n", cnt_dotlocal);
+        printf("    blacklist ~/.ssh\t\t%d   (include disable-common.inc)\n", cnt_ssh);
+        printf("    seccomp\t\t\t%d\n", cnt_seccomp);
+        printf("    capabilities\t\t%d\n", cnt_caps);
+        printf("    noexec\t\t\t%d   (include disable-exec.inc)\n", cnt_noexec);
+        printf("    apparmor\t\t\t%d\n", cnt_apparmor);
+        printf("    private-dev\t\t\t%d\n", cnt_privatedev);
+        printf("    private-tmp\t\t\t%d\n", cnt_privatetmp);
+        printf("    whitelist var directory\t%d   (include whitelist-var-common.inc)\n", cnt_whitelistvar);
+        printf("    net none\t\t\t%d\n", cnt_netnone);
+        printf("\n");
+        return 0;
+}
\ No newline at end of file