43 files changed, 626 insertions, 83 deletions

diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
index 47e099cde..bf58e1dff 100644
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -31,9 +31,9 @@ Steps to reproduce the behavior:
 Other context about the problem like related errors to understand the problem.
 
 **Checklist**
- - [ ] The upstream profile (and redirect profile if exists) have no changes fixing it.
+ - [ ] The profile (and redirect profile if exists) hasn't already been fixed [upstream](https://github.com/netblue30/firejail/tree/master/etc).
  - [ ] The program has a profile. (If not, request one in `https://github.com/netblue30/firejail/issues/1139`)
- - [ ] A short search for duplicates was performed.
+ - [ ] I have performed a short search for similar issues (to avoid opening a duplicate).
  - [ ] If it is a AppImage, `--profile=PROFILENAME` is used to set the right profile.
  - [ ] Used `LC_ALL=en_US.UTF-8 LANG=en_US.UTF-8 PROGRAM` to get english error-messages.
  - [ ] I'm aware of `browser-allow-drm yes`/`browser-disable-u2f no` in `firejail.config` to allow DRM/U2F in browsers.
diff --git a/README b/README
index 6c86dcc5a..a271f6170 100644
--- a/README
+++ b/README
@@ -69,7 +69,7 @@ Adrian L. Shaw (https://github.com/adrianlshaw)
         - add profanity profile
         - add barrirer profile
 Aidan Gauland (https://github.com/aidalgol)
-        - added electron and riot-web profiles
+        - added electron, riot-web and npm profiles
 Akhil Hans Maulloo (https://github.com/kouul)
         - xz profile
 Alexey Kuznetsov (kuznet@ms2.inr.ac.ru)
diff --git a/README.md b/README.md
index 8d3b3c3bb..69e059bba 100644
--- a/README.md
+++ b/README.md
@@ -195,4 +195,4 @@ Stats:
 
 ### New profiles:
 
-spectacle, chromium-browser-privacy, gtk-straw-viewer, gtk-youtube-viewer, gtk2-youtube-viewer, gtk3-youtube-viewer, straw-viewer, lutris, dolphin-emu, authenticator-rs, servo
+spectacle, chromium-browser-privacy, gtk-straw-viewer, gtk-youtube-viewer, gtk2-youtube-viewer, gtk3-youtube-viewer, straw-viewer, lutris, dolphin-emu, authenticator-rs, servo, tutanota-desktop, npm, marker, yarn, lsar, unar, agetpkg, mdr, shotwell, qnapi
diff --git a/RELNOTES b/RELNOTES
index 5f5b451e1..705ef8500 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -3,9 +3,11 @@ firejail (0.9.65) baseline; urgency=low
   * --disable-usertmpfs  compile time option
   * allow AF_BLUETOOTH via --protocol=bluetooth
   * Setup guide for new users: contrib/firejail-welcome.sh
+  * implement netns in profiles
   * new profiles: spectacle, chromium-browser-privacy, gtk-straw-viewer
   * new profiles: gtk-youtube-viewer, gtk2-youtube-viewer, gtk3-youtube-viewer
   * new profiles: straw-viewer, lutris, dolphin-emu, authenticator-rs, servo
+  * new profiles: npm, marker
 
  -- netblue30 <netblue30@yahoo.com>  Wed, 21 Oct 2020 09:00:00 -0500
 
diff --git a/etc/inc/allow-common-devel.inc b/etc/inc/allow-common-devel.inc
index 7cd087b14..41643657d 100644
--- a/etc/inc/allow-common-devel.inc
+++ b/etc/inc/allow-common-devel.inc
@@ -11,6 +11,15 @@ noblacklist ${HOME}/.git-credentials
 noblacklist ${HOME}/.gradle
 noblacklist ${HOME}/.java
 
+# Node.js
+noblacklist ${HOME}/.node-gyp
+noblacklist ${HOME}/.npm
+noblacklist ${HOME}/.npmrc
+noblacklist ${HOME}/.yarn
+noblacklist ${HOME}/.yarn-config
+noblacklist ${HOME}/.yarncache
+noblacklist ${HOME}/.yarnrc
+
 # Python
 noblacklist ${HOME}/.pylint.d
 noblacklist ${HOME}/.python-history
diff --git a/etc/inc/allow-nodejs.inc b/etc/inc/allow-nodejs.inc
new file mode 100644
index 000000000..78a4bed80
--- /dev/null
+++ b/etc/inc/allow-nodejs.inc
@@ -0,0 +1,6 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include allow-nodejs.local
+
+noblacklist ${PATH}/node
+noblacklist /usr/include/node
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index d88506d90..0de539d57 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -310,6 +310,7 @@ read-only ${HOME}/.msmtprc
 read-only ${HOME}/.mutt/muttrc
 read-only ${HOME}/.muttrc
 read-only ${HOME}/.nano
+read-only ${HOME}/.npmrc
 read-only ${HOME}/.pythonrc.py
 read-only ${HOME}/.reportbugrc
 read-only ${HOME}/.tmux.conf
@@ -318,6 +319,7 @@ read-only ${HOME}/.viminfo
 read-only ${HOME}/.vimrc
 read-only ${HOME}/.xmonad
 read-only ${HOME}/.xscreensaver
+read-only ${HOME}/.yarnrc
 read-only ${HOME}/_exrc
 read-only ${HOME}/_gvimrc
 read-only ${HOME}/_vimrc
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 7ab11e620..26bcb987f 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -357,6 +357,7 @@ blacklist ${HOME}/.config/psi
 blacklist ${HOME}/.config/psi+
 blacklist ${HOME}/.config/qBittorrent
 blacklist ${HOME}/.config/qBittorrentrc
+blacklist ${HOME}/.config/qnapi.ini
 blacklist ${HOME}/.config/qpdfview
 blacklist ${HOME}/.config/qupzilla
 blacklist ${HOME}/.config/qutebrowser
@@ -395,6 +396,8 @@ blacklist ${HOME}/.config/tox
 blacklist ${HOME}/.config/transgui
 blacklist ${HOME}/.config/transmission
 blacklist ${HOME}/.config/truecraft
+blacklist ${HOME}/.config/tuta_integration
+blacklist ${HOME}/.config/tutanota-desktop
 blacklist ${HOME}/.config/tvbrowser
 blacklist ${HOME}/.config/uGet
 blacklist ${HOME}/.config/ungoogled-chromium
@@ -598,6 +601,7 @@ blacklist ${HOME}/.local/share/baloo
 blacklist ${HOME}/.local/share/barrier
 blacklist ${HOME}/.local/share/bibletime
 blacklist ${HOME}/.local/share/bijiben
+blacklist ${HOME}/.local/share/bohemiainteractive
 blacklist ${HOME}/.local/share/caja-python
 blacklist ${HOME}/.local/share/cantata
 blacklist ${HOME}/.local/share/cdprojektred
@@ -707,6 +711,7 @@ blacklist ${HOME}/.local/share/remmina
 blacklist ${HOME}/.local/share/rhythmbox
 blacklist ${HOME}/.local/share/rtv
 blacklist ${HOME}/.local/share/scribus
+blacklist ${HOME}/.local/share/shotwell
 blacklist ${HOME}/.local/share/signal-cli
 blacklist ${HOME}/.local/share/sink
 blacklist ${HOME}/.local/share/smuxi
@@ -758,6 +763,9 @@ blacklist ${HOME}/.neverball
 blacklist ${HOME}/.newsbeuter
 blacklist ${HOME}/.newsboat
 blacklist ${HOME}/.nicotine
+blacklist ${HOME}/.node-gyp
+blacklist ${HOME}/.npm
+blacklist ${HOME}/.npmrc
 blacklist ${HOME}/.nv
 blacklist ${HOME}/.nylas-mail
 blacklist ${HOME}/.openarena
@@ -844,6 +852,10 @@ blacklist ${HOME}/.xmr-stak
 blacklist ${HOME}/.xonotic
 blacklist ${HOME}/.xournalpp
 blacklist ${HOME}/.xpdfrc
+blacklist ${HOME}/.yarn
+blacklist ${HOME}/.yarn-config
+blacklist ${HOME}/.yarncache
+blacklist ${HOME}/.yarnrc
 blacklist ${HOME}/.zoom
 blacklist /tmp/akonadi-*
 blacklist /tmp/ssh-*
@@ -948,6 +960,7 @@ blacklist ${HOME}/.cache/librewolf
 blacklist ${HOME}/.cache/liferea
 blacklist ${HOME}/.cache/lutris
 blacklist ${HOME}/.cache/Mendeley Ltd.
+blacklist ${HOME}/.cache/marker
 blacklist ${HOME}/.cache/matrix-mirage
 blacklist ${HOME}/.cache/microsoft-edge-dev
 blacklist ${HOME}/.cache/midori
@@ -983,6 +996,7 @@ blacklist ${HOME}/.cache/qBittorrent
 blacklist ${HOME}/.cache/qupzilla
 blacklist ${HOME}/.cache/qutebrowser
 blacklist ${HOME}/.cache/rhythmbox
+blacklist ${HOME}/.cache/shotwell
 blacklist ${HOME}/.cache/simple-scan
 blacklist ${HOME}/.cache/slimjet
 blacklist ${HOME}/.cache/smuxi
diff --git a/etc/profile-a-l/agetpkg.profile b/etc/profile-a-l/agetpkg.profile
new file mode 100644
index 000000000..6d5dab41a
--- /dev/null
+++ b/etc/profile-a-l/agetpkg.profile
@@ -0,0 +1,60 @@
+# Firejail profile for agetpkg
+# Description: CLI tool to list/get/install packages from the Arch Linux Archive
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include agetpkg.local
+# Persistent global definitions
+include globals.local
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
+# Allow python (blacklisted by disable-interpreters.inc)
+#include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+hostname agetpkg
+ipc-namespace
+machine-id
+noautopulse
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol inet,inet6
+seccomp
+shell none
+tracelog
+
+private-bin agetpkg,python3
+private-cache
+private-dev
+private-etc ca-certificates,crypto-policies,pki,resolv.conf,ssl
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-a-l/apostrophe.profile b/etc/profile-a-l/apostrophe.profile
index 9c0b92598..4986ac63a 100644
--- a/etc/profile-a-l/apostrophe.profile
+++ b/etc/profile-a-l/apostrophe.profile
@@ -9,6 +9,9 @@ include globals.local
 noblacklist ${DOCUMENTS}
 noblacklist ${PICTURES}
 
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
+
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python3.inc
 
diff --git a/etc/profile-a-l/atom.profile b/etc/profile-a-l/atom.profile
index f21a5febf..5f237ac59 100644
--- a/etc/profile-a-l/atom.profile
+++ b/etc/profile-a-l/atom.profile
@@ -25,7 +25,6 @@ noblacklist ${HOME}/.config/Atom
 include allow-common-devel.inc
 
 # net none
-netfilter
 nosound
 
 # Redirect
diff --git a/etc/profile-a-l/balsa.profile b/etc/profile-a-l/balsa.profile
index cda6b1aa0..d755fd803 100644
--- a/etc/profile-a-l/balsa.profile
+++ b/etc/profile-a-l/balsa.profile
@@ -9,6 +9,7 @@ include globals.local
 noblacklist ${HOME}/.balsa
 noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.mozilla
+noblacklist ${HOME}/.signature
 noblacklist ${HOME}/mail
 noblacklist /var/mail
 noblacklist /var/spool/mail
@@ -24,10 +25,12 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.balsa
 mkdir ${HOME}/.gnupg
+mkfile ${HOME}/.signature
 mkdir ${HOME}/mail
 whitelist ${HOME}/.balsa
 whitelist ${HOME}/.gnupg
 whitelist ${HOME}/.mozilla/firefox/profiles.ini
+whitelist ${HOME}/.signature
 whitelist ${HOME}/mail
 whitelist ${RUNUSER}/gnupg
 whitelist /usr/share/balsa
@@ -58,9 +61,9 @@ shell none
 tracelog
 
 # disable-mnt
-# Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg
+# Add "pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg 
 # Add "ignore private-bin" for hyperlinks or have a look at the private-bins in firefox.profile and firefox-common.profile.
-private-bin balsa,balsa-ab
+private-bin balsa,balsa-ab,gpg,gpg-agent,gpg2,gpgsm
 private-cache
 private-dev
 private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,groups,gtk-2.0,gtk-3.0,hostname,hosts,mailname,passwd,pki,resolv.conf,selinux,ssl,xdg
@@ -71,8 +74,9 @@ writable-var
 dbus-user filter
 dbus-user.own org.desktop.Balsa
 dbus-user.talk ca.desrt.dconf
-dbus-user.talk org.freedesktop.secrets
 dbus-user.talk org.freedesktop.Notifications
+dbus-user.talk org.freedesktop.secrets
+dbus-user.talk org.gnome.keyring.SystemPrompter
 dbus-system none
 
-read-only ${HOME}/.mozilla/firefox/profiles.ini
+read-only ${HOME}/.mozilla/firefox/profiles.ini
\ No newline at end of file
diff --git a/etc/profile-a-l/discord-common.profile b/etc/profile-a-l/discord-common.profile
index e6edbd7eb..b583f1a1d 100644
--- a/etc/profile-a-l/discord-common.profile
+++ b/etc/profile-a-l/discord-common.profile
@@ -23,7 +23,7 @@ whitelist ${HOME}/.config/BetterDiscord
 whitelist ${HOME}/.local/share/betterdiscordctl
 
 private-bin bash,cut,echo,egrep,fish,grep,head,sed,sh,tclsh,tr,xdg-mime,xdg-open,zsh
-private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,login.defs,machine-id,password,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,login.defs,machine-id,password,pki,pulse,resolv.conf,ssl
 
 # Redirect
 include electron.profile
diff --git a/etc/profile-a-l/evince.profile b/etc/profile-a-l/evince.profile
index c0c16e929..25d5196fc 100644
--- a/etc/profile-a-l/evince.profile
+++ b/etc/profile-a-l/evince.profile
@@ -6,6 +6,10 @@ include evince.local
 # Persistent global definitions
 include globals.local
 
+# Uncomment this line and the bottom ones to use bookmarks
+# NOTE: This possibly exposes information, including file history from other programs.
+#noblacklist ${HOME}/.local/share/gvfs-metadata
+
 noblacklist ${HOME}/.config/evince
 noblacklist ${DOCUMENTS}
 
@@ -54,5 +58,8 @@ private-lib evince,gcc/*/*/libgcc_s.so.*,gcc/*/*/libstdc++.so.*,gconv,gdk-pixbuf
 private-tmp
 
 # might break two-page-view on some systems
-dbus-user none
+dbus-user filter
+# Also uncomment these two lines if you want to use bookmarks
+#dbus-user.talk org.gtk.vfs.Daemon
+#dbus-user.talk org.gtk.vfs.Metadata
 dbus-system none
diff --git a/etc/profile-a-l/fractal.profile b/etc/profile-a-l/fractal.profile
index c3af29e15..dc8d6e3ad 100644
--- a/etc/profile-a-l/fractal.profile
+++ b/etc/profile-a-l/fractal.profile
@@ -8,6 +8,9 @@ include globals.local
 
 noblacklist ${HOME}/.cache/fractal
 
+include allow-python2.inc
+include allow-python3.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -49,6 +52,6 @@ private-tmp
 dbus-user filter
 dbus-user.own org.gnome.Fractal
 dbus-user.talk ca.desrt.dconf
-dbus-user.talk org.freedesktop.secrets
 dbus-user.talk org.freedesktop.Notifications
+dbus-user.talk org.freedesktop.secrets
 dbus-system none
diff --git a/etc/profile-a-l/gajim.profile b/etc/profile-a-l/gajim.profile
index 85d9b9bd9..125ddf79c 100644
--- a/etc/profile-a-l/gajim.profile
+++ b/etc/profile-a-l/gajim.profile
@@ -6,6 +6,7 @@ include gajim.local
 # Persistent global definitions
 include globals.local
 
+noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.cache/gajim
 noblacklist ${HOME}/.config/gajim
 noblacklist ${HOME}/.local/share/gajim
@@ -20,19 +21,27 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
-# Comment the following line if you need to whitelist other folders than ~/Downloads
+# Comment the following line if you need to whitelist folders other than ~/Downloads
 include disable-xdg.inc
 
+mkdir ${HOME}/.gnupg
 mkdir ${HOME}/.cache/gajim
 mkdir ${HOME}/.config/gajim
 mkdir ${HOME}/.local/share/gajim
+whitelist ${HOME}/.gnupg
 whitelist ${HOME}/.cache/gajim
 whitelist ${HOME}/.config/gajim
 whitelist ${HOME}/.local/share/gajim
 whitelist ${DOWNLOADS}
+whitelist ${RUNUSER}/gnupg
+whitelist /usr/share/gnupg
+whitelist /usr/share/gnupg2
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 netfilter
 nodvd
@@ -47,9 +56,24 @@ shell none
 tracelog
 
 disable-mnt
-private-bin bash,gajim,gajim-history-manager,gpg,gpg2,paplay,python,python3,sh,zsh
+private-bin bash,gajim,gajim-history-manager,gpg,gpg2,paplay,python*,sh,zsh
+private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,hostname,hosts,ld.so.cache,ld.so.conf,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,hostname,hosts,ld.so.cache,ld.so.conf,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl,xdg
 private-tmp
+writable-run-user
+
+dbus-user filter
+dbus-user.own org.gajim.Gajim
+dbus-user.talk org.gnome.Mutter.IdleMonitor
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.freedesktop.Notifications
+dbus-user.talk org.freedesktop.secrets
+dbus-user.talk org.kde.kwalletd5
+dbus-user.talk org.mpris.MediaPlayer2.*
+dbus-system filter
+dbus-system.talk org.freedesktop.login1
+# Uncomment for location plugin support
+#dbus-system.talk org.freedesktop.GeoClue2
 
 join-or-start gajim
diff --git a/etc/profile-a-l/liferea.profile b/etc/profile-a-l/liferea.profile
index 7cfd4fc10..a122e9bbc 100644
--- a/etc/profile-a-l/liferea.profile
+++ b/etc/profile-a-l/liferea.profile
@@ -42,7 +42,7 @@ noroot
 # nosound
 notv
 nou2f
-# novideo
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
@@ -51,3 +51,12 @@ tracelog
 disable-mnt
 private-dev
 private-tmp
+
+dbus-user filter
+dbus-user.own net.sourceforge.liferea
+dbus-user.talk ca.desrt.dconf
+# Uncomment the below if you use the 'Popup Notifications' plugin or add 'dbus-user.talk org.freedesktop.Notifications' to your liferea.local
+#dbus-user.talk org.freedesktop.Notifications
+# Uncomment the below if you use the 'Libsecret Support' plugin or add 'dbus-user.talk org.freedesktop.secrets' to your liferea.local
+#dbus-user.talk org.freedesktop.secrets
+dbus-system none
diff --git a/etc/profile-a-l/lsar.profile b/etc/profile-a-l/lsar.profile
new file mode 100644
index 000000000..faf5bb7f9
--- /dev/null
+++ b/etc/profile-a-l/lsar.profile
@@ -0,0 +1,13 @@
+# Firejail profile for lsar
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include lsar.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+private-bin lsar
+
+# Redirect
+include ar.profile
diff --git a/etc/profile-m-z/marker.profile b/etc/profile-m-z/marker.profile
new file mode 100644
index 000000000..55865fe72
--- /dev/null
+++ b/etc/profile-m-z/marker.profile
@@ -0,0 +1,59 @@
+# Firejail profile for marker
+# Description: Marker is a markdown editor for Linux made with Gtk+-3.0
+# This file is overwritten after every install/update
+# Persistent local customizations
+include marker.local
+# Persistent global definitions
+include globals.local
+
+# Uncomment (or add to your marker.local) if you need internet access.
+#ignore net none
+#protocol unix,inet,inet6
+#private-etc ca-certificates,ssl,pki,crypto-policies,nsswitch.conf,resolv.conf
+
+noblacklist ${HOME}/.cache/marker
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist /usr/share/com.github.fabiocolacio.marker
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+private-bin marker
+private-cache
+private-dev
+private-etc alternatives,dconfgtk-3.0,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,pango,X11
+private-tmp
+
+dbus-user filter
+dbus-user.own com.github.fabiocolacio.marker
+dbus-user.talk ca.desrt.dconf
+dbus-system none
diff --git a/etc/profile-m-z/mattermost-desktop.profile b/etc/profile-m-z/mattermost-desktop.profile
index e4487c8aa..3c2bf4fa3 100644
--- a/etc/profile-m-z/mattermost-desktop.profile
+++ b/etc/profile-m-z/mattermost-desktop.profile
@@ -5,42 +5,25 @@ include mattermost-desktop.local
 # Persistent global definitions
 include globals.local
 
+# Disabled until someone reported positive feedback
+ignore apparmor
+ignore dbus-user none
+ignore dbus-system none
+
 noblacklist ${HOME}/.config/Mattermost
 
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-programs.inc
-include disable-passwdmgr.inc
 include disable-shell.inc
-include disable-xdg.inc
 
 mkdir ${HOME}/.config/Mattermost
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.config/Mattermost
-include whitelist-common.inc
-include whitelist-runuser-common.inc
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
-
-caps.keep sys_admin,sys_chroot
-netfilter
-nodvd
-nogroups
-notv
-nou2f
-novideo
-shell none
 
-disable-mnt
-private-cache
-private-dev
 private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl
-private-tmp
 
 # Not tested
 #dbus-user filter
 #dbus-user.own com.mattermost.Desktop
 #dbus-user.talk org.freedesktop.Notifications
 #dbus-system none
+
+# Redirect
+include electron.profile
diff --git a/etc/profile-m-z/mdr.profile b/etc/profile-m-z/mdr.profile
new file mode 100644
index 000000000..fb97daa27
--- /dev/null
+++ b/etc/profile-m-z/mdr.profile
@@ -0,0 +1,55 @@
+# Firejail profile for mdr
+# Description: A standalone Markdown renderer for the terminal
+# Persistent local customizations
+include mdr.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist ${DOWNLOADS}
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+hostname mdr
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+disable-mnt
+private-bin mdr
+private-cache
+private-dev
+private-etc none
+private-lib
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/nodejs-common.profile b/etc/profile-m-z/nodejs-common.profile
new file mode 100644
index 000000000..acef622c2
--- /dev/null
+++ b/etc/profile-m-z/nodejs-common.profile
@@ -0,0 +1,54 @@
+# Firejail profile for Node.js
+# Description: Common profile for npm/yarn
+# This file is overwritten after every install/update
+# Persistent local customizations
+include nodejs-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}
+
+ignore noexec ${HOME}
+
+noblacklist ${PATH}/bash
+noblacklist ${PATH}/dash
+noblacklist ${PATH}/sh
+
+include disable-common.inc
+include disable-exec.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+seccomp.block-secondary
+shell none
+
+disable-mnt
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,mime.types,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl,xdg
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/npm.profile b/etc/profile-m-z/npm.profile
new file mode 100644
index 000000000..e95e875be
--- /dev/null
+++ b/etc/profile-m-z/npm.profile
@@ -0,0 +1,29 @@
+# Firejail profile for npm
+# Description: The Node.js Package Manager
+quiet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include npm.local
+# Persistent global definitions
+include globals.local
+
+ignore read-only ${HOME}/.npm-packages
+ignore read-only ${HOME}/.npmrc
+
+noblacklist ${HOME}/.node-gyp
+noblacklist ${HOME}/.npm
+noblacklist ${HOME}/.npmrc
+
+# If you want whitelisting, change ${HOME}/Projects below to your npm projects directory
+# and uncomment the lines below.
+#mkdir ${HOME}/.node-gyp
+#mkdir ${HOME}/.npm
+#mkfile ${HOME}/.npmrc
+#whitelist ${HOME}/.node-gyp
+#whitelist ${HOME}/.npm
+#whitelist ${HOME}/.npmrc
+#whitelist ${HOME}/Projects
+#include whitelist-common.inc
+
+# Redirect
+include nodejs-common.profile
diff --git a/etc/profile-m-z/openshot.profile b/etc/profile-m-z/openshot.profile
index e1839c724..ac960345a 100644
--- a/etc/profile-m-z/openshot.profile
+++ b/etc/profile-m-z/openshot.profile
@@ -19,6 +19,10 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+whitelist /usr/share/blender
+whitelist /usr/share/inkscape
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 apparmor
@@ -32,11 +36,14 @@ notv
 nou2f
 protocol unix,inet,inet6,netlink
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
+private-bin blender,inkscape,openshot,openshot-qt,python3*
+private-cache
 private-dev
 private-tmp
 
-dbus-user none
+dbus-user filter
 dbus-system none
diff --git a/etc/profile-m-z/qnapi.profile b/etc/profile-m-z/qnapi.profile
new file mode 100644
index 000000000..0d1f9c3de
--- /dev/null
+++ b/etc/profile-m-z/qnapi.profile
@@ -0,0 +1,55 @@
+# Firejail profile for qnapi
+# Description: Qt client for downloading movie subtitles from NapiProjekt, OpenSubtitles and Napisy24
+# This file is overwritten after every install/update
+# Persistent local customizations
+include qnapi.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/qnapi.ini
+
+ignore noexec /tmp
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkfile ${HOME}/.config/qnapi.ini
+whitelist ${HOME}/.config/qnapi.ini
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+private-bin 7z,qnapi
+private-cache
+private-dev
+private-etc alternatives,fonts
+private-opt none
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/shotwell.profile b/etc/profile-m-z/shotwell.profile
new file mode 100644
index 000000000..749029530
--- /dev/null
+++ b/etc/profile-m-z/shotwell.profile
@@ -0,0 +1,60 @@
+# Firejail profile for shotwell
+# Description: A digital photo organizer designed for the GNOME desktop environment
+# This file is overwritten after every install/update
+# Persistent local customizations
+include shotwell.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/shotwell
+noblacklist ${HOME}/.local/share/shotwell
+
+noblacklist ${PICTURES}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/shotwell
+mkdir ${HOME}/.local/share/shotwell
+whitelist ${HOME}/.cache/shotwell
+whitelist ${HOME}/.local/share/shotwell
+whitelist ${PICTURES}
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin shotwell
+private-cache
+private-dev
+private-etc alternatives,fonts,machine-id
+private-opt none
+private-tmp
+
+dbus-user filter
+dbus-user.own org.gnome.Shotwell
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.gtk.vfs.UDisks2VolumeMonitor
+dbus-system none
diff --git a/etc/profile-m-z/signal-desktop.profile b/etc/profile-m-z/signal-desktop.profile
index 08e1c1f03..666a37def 100644
--- a/etc/profile-m-z/signal-desktop.profile
+++ b/etc/profile-m-z/signal-desktop.profile
@@ -21,8 +21,6 @@ noblacklist ${HOME}/.mozilla
 whitelist ${HOME}/.mozilla/firefox/profiles.ini
 read-only ${HOME}/.mozilla/firefox/profiles.ini
 
-include disable-exec.inc
-
 mkdir ${HOME}/.config/Signal
 whitelist ${HOME}/.config/Signal
 
diff --git a/etc/profile-m-z/ssh.profile b/etc/profile-m-z/ssh.profile
index d873a5672..e3e2b4541 100644
--- a/etc/profile-m-z/ssh.profile
+++ b/etc/profile-m-z/ssh.profile
@@ -19,8 +19,8 @@ include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
-whitelist ${RUNUSER}/keyring/ssh
 whitelist ${RUNUSER}/gnupg/S.gpg-agent.ssh
+whitelist ${RUNUSER}/keyring/ssh
 include whitelist-usr-share-common.inc
 include whitelist-runuser-common.inc
 
diff --git a/etc/profile-m-z/steam.profile b/etc/profile-m-z/steam.profile
index 55078d993..758b37815 100644
--- a/etc/profile-m-z/steam.profile
+++ b/etc/profile-m-z/steam.profile
@@ -9,6 +9,7 @@ include globals.local
 noblacklist ${HOME}/.killingfloor
 noblacklist ${HOME}/.local/share/3909/PapersPlease
 noblacklist ${HOME}/.local/share/aspyr-media
+noblacklist ${HOME}/.local/share/bohemiainteractive
 noblacklist ${HOME}/.local/share/cdprojektred
 noblacklist ${HOME}/.local/share/FasterThanLight
 noblacklist ${HOME}/.local/share/feral-interactive
@@ -45,6 +46,7 @@ mkdir ${HOME}/.config/unity3d
 mkdir ${HOME}/.killingfloor
 mkdir ${HOME}/.local/share/3909/PapersPlease
 mkdir ${HOME}/.local/share/aspyr-media
+mkdir ${HOME}/.local/share/bohemiainteractive
 mkdir ${HOME}/.local/share/cdprojektred
 mkdir ${HOME}/.local/share/FasterThanLight
 mkdir ${HOME}/.local/share/feral-interactive
@@ -64,6 +66,7 @@ whitelist ${HOME}/.config/unity3d
 whitelist ${HOME}/.killingfloor
 whitelist ${HOME}/.local/share/3909/PapersPlease
 whitelist ${HOME}/.local/share/aspyr-media
+whitelist ${HOME}/.local/share/bohemiainteractive
 whitelist ${HOME}/.local/share/cdprojektred
 whitelist ${HOME}/.local/share/FasterThanLight
 whitelist ${HOME}/.local/share/feral-interactive
diff --git a/etc/profile-m-z/trojita.profile b/etc/profile-m-z/trojita.profile
index a8641af85..b82aadd13 100644
--- a/etc/profile-m-z/trojita.profile
+++ b/etc/profile-m-z/trojita.profile
@@ -57,7 +57,8 @@ private-dev
 private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,pki,resolv.conf,selinux,ssl,xdg
 private-tmp
 
-dbus-user none
+dbus-user filter
+dbus-user.talk org.freedesktop.secrets
 dbus-system none
 
 read-only ${HOME}/.mozilla/firefox/profiles.ini
diff --git a/etc/profile-m-z/tutanota-desktop.profile b/etc/profile-m-z/tutanota-desktop.profile
new file mode 100644
index 000000000..d2cb0cc8a
--- /dev/null
+++ b/etc/profile-m-z/tutanota-desktop.profile
@@ -0,0 +1,31 @@
+# Firejail profile for tutanota-desktop
+# Description: Encrypted email client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tutanota-desktop.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/tuta_integration
+noblacklist ${HOME}/.config/tutanota-desktop
+
+ignore noexec /tmp
+
+include disable-shell.inc
+
+mkdir ${HOME}/.config/tuta_integration
+mkdir ${HOME}/.config/tutanota-desktop
+whitelist ${HOME}/.config/tuta_integration
+whitelist ${HOME}/.config/tutanota-desktop
+
+# These lines are needed to allow Firefox to open links
+noblacklist ${HOME}/.mozilla
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+read-only ${HOME}/.mozilla/firefox/profiles.ini
+
+?HAS_APPIMAGE: ignore private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl
+private-opt tutanota-desktop
+
+# Redirect
+include electron.profile
diff --git a/etc/profile-m-z/unar.profile b/etc/profile-m-z/unar.profile
new file mode 100644
index 000000000..0226a7de8
--- /dev/null
+++ b/etc/profile-m-z/unar.profile
@@ -0,0 +1,13 @@
+# Firejail profile for unar
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include unar.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+private-bin unar
+
+# Redirect
+include ar.profile
diff --git a/etc/profile-m-z/yarn.profile b/etc/profile-m-z/yarn.profile
new file mode 100644
index 000000000..f20225050
--- /dev/null
+++ b/etc/profile-m-z/yarn.profile
@@ -0,0 +1,29 @@
+# Firejail profile for yarn
+# Description: Fast, reliable, and secure dependency management
+quiet
+# Persistent local customizations
+include yarn.local
+# Persistent global definitions
+include globals.local
+
+ignore read-only ${HOME}/.yarnrc
+
+noblacklist ${HOME}/.yarn
+noblacklist ${HOME}/.yarn-config
+noblacklist ${HOME}/.yarncache
+noblacklist ${HOME}/.yarnrc
+
+# If you want whitelisting, change ${HOME}/Projects below to your yarn projects directory and uncomment the lines below.
+#mkdir ${HOME}/.yarn
+#mkdir ${HOME}/.yarn-config
+#mkdir ${HOME}/.yarncache
+#mkfile ${HOME}/.yarnrc
+#whitelist ${HOME}/.yarn
+#whitelist ${HOME}/.yarn-config
+#whitelist ${HOME}/.yarncache
+#whitelist ${HOME}/.yarnrc
+#whitelist ${HOME}/Projects
+#include whitelist-common.inc
+
+# Redirect
+include nodejs-common.profile
diff --git a/etc/templates/syscalls.txt b/etc/templates/syscalls.txt
index c454887dd..ebc648548 100644
--- a/etc/templates/syscalls.txt
+++ b/etc/templates/syscalls.txt
@@ -35,7 +35,7 @@ Definition of groups
 @debug=lookup_dcookie,perf_event_open,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext
 @default=@clock,@cpu-emulation,@debug,@module,@mount,@obsolete,@raw-io,@reboot,@swap,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,kcmp,add_key,request_key,mbind,migrate_pages,move_pages,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,set_mempolicyvmsplice,userfaultfd,acct,bpf,nfsservctl,setdomainname,sethostname,vhangup
 @default-nodebuggers=@default,ptrace,personality,process_vm_readv
-@default-keep=execve,prctl
+@default-keep=execveat,execve,prctl
 @file-system=access,chdir,chmod,close,creat,faccessat,fallocate,fchdir,fchmod,fchmodat,fcntl,fcntl64,fgetxattr,flistxattr,fremovexattr,fsetxattr,fstat,fstat64,fstatat64,fstatfs,fstatfs64,ftruncate,ftruncate64,futimesat,getcwd,getdents,getdents64,getxattr,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,lgetxattr,link,linkat,listxattr,llistxattr,lremovexattr,lsetxattr,lstat,lstat64,mkdir,mkdirat,mknod,mknodat,mmap,mmap2,munmap,newfstatat,oldfstat,oldlstat,oldstat,open,openat,readlink,readlinkat,removexattr,rename,renameat,renameat2,rmdir,setxattr,stat,stat64,statfs,statfs64,statx,symlink,symlinkat,truncate,truncate64,unlink,unlinkat,utime,utimensat,utimes
 @io-event=_newselect,epoll_create,epoll_create1,epoll_ctl,epoll_ctl_old,epoll_pwait,epoll_wait,epoll_wait_old,eventfd,eventfd2,poll,ppoll,pselect6,select
 @ipc=ipc,memfd_create,mq_getsetattr,mq_notify,mq_open,mq_timedreceive,mq_timedsend,mq_unlink,msgctl,msgget,msgrcv,msgsnd,pipe,pipe2,process_vm_readv,process_vm_writev,semctl,semget,semop,semtimedop,shmat,shmctl,shmdt,shmget
diff --git a/src/fbuilder/build_home.c b/src/fbuilder/build_home.c
index fca3396c4..c0f4a3407 100644
--- a/src/fbuilder/build_home.c
+++ b/src/fbuilder/build_home.c
@@ -24,7 +24,7 @@ static FileDB *db_skip = NULL;
 static FileDB *db_out = NULL;
 
 static void load_whitelist_common(void) {
-        FILE *fp = fopen("/etc/firejail/whitelist-common.inc", "r");
+        FILE *fp = fopen(SYSCONFDIR "/whitelist-common.inc", "r");
         if (!fp) {
                 fprintf(stderr, "Error: cannot open whitelist-common.inc\n");
                 exit(1);
diff --git a/src/fbuilder/build_profile.c b/src/fbuilder/build_profile.c
index adc00e67b..0517c837e 100644
--- a/src/fbuilder/build_profile.c
+++ b/src/fbuilder/build_profile.c
@@ -80,10 +80,19 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
           stroutput,
         };
 
-        // detect strace
+        // detect strace and check if Yama LSM allows us to use it
         int have_strace = 0;
-        if (access("/usr/bin/strace", X_OK) == 0)
+        int have_yama_permission = 1;
+        if (access("/usr/bin/strace", X_OK) == 0) {
                 have_strace = 1;
+                FILE *fp = fopen("/proc/sys/kernel/yama/ptrace_scope", "r");
+                if (fp) {
+                        unsigned val;
+                        if (fscanf(fp, "%u", &val) == 1)
+                                have_yama_permission = (val < 2);
+                        fclose(fp);
+                }
+        }
 
         // calculate command length
         unsigned len = (int) sizeof(cmdlist) / sizeof(char*) + argc - index + 1;
@@ -93,10 +102,11 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
         cmd[0] = cmdlist[0];    // explicit assignment to clean scan-build error
 
         // build command
+        int skip_strace = !(have_strace && have_yama_permission);
         unsigned i = 0;
         for (i = 0; i < (int) sizeof(cmdlist) / sizeof(char*); i++) {
-                // skip strace if not installed
-                if (have_strace == 0 && strcmp(cmdlist[i], "/usr/bin/strace") == 0)
+                // skip strace if not installed, or no permission to use it
+                if (skip_strace && strcmp(cmdlist[i], "/usr/bin/strace") == 0)
                         break;
                 cmd[i] = cmdlist[i];
         }
@@ -172,12 +182,14 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
                 fprintf(fp, "caps.drop all\n");
                 fprintf(fp, "nonewprivs\n");
                 fprintf(fp, "seccomp\n");
-                if (have_strace)
-                        build_seccomp(strace_output, fp);
-                else {
+                if (!have_strace) {
                         fprintf(fp, "# If you install strace on your system, Firejail will also create a\n");
                         fprintf(fp, "# whitelisted seccomp filter.\n");
                 }
+                else if (!have_yama_permission)
+                        fprintf(fp, "# Yama security module prevents creation of a whitelisted seccomp filter\n");
+                else
+                        build_seccomp(strace_output, fp);
                 fprintf(fp, "\n");
 
                 fprintf(fp, "### network\n");
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 23b1e364a..109f89f39 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -455,6 +455,7 @@ macrofusion
 magicor
 # man
 manaplus
+marker
 masterpdfeditor
 masterpdfeditor4
 masterpdfeditor5
@@ -621,6 +622,7 @@ qemu-launcher
 qgis
 qlipper
 qmmp
+qnapi
 qpdfview
 qt-faststart
 qtox
@@ -662,6 +664,7 @@ secret-tool
 shellcheck
 shortwave
 shotcut
+shotwell
 signal-cli
 signal-desktop
 silentarmy
@@ -771,6 +774,7 @@ tremulous
 trojita
 truecraft
 tshark
+tutanota-desktop
 tuxguitar
 tvbrowser
 twitch
diff --git a/src/firejail/fs_lib.c b/src/firejail/fs_lib.c
index 941d6ad82..b76999d8f 100644
--- a/src/firejail/fs_lib.c
+++ b/src/firejail/fs_lib.c
@@ -165,7 +165,7 @@ void fslib_copy_dir(const char *full_path) {
         mkdir_attr(dest, 0755, 0, 0);
 
         if (mount(full_path, dest, NULL, MS_BIND|MS_REC, NULL) < 0 ||
-                mount(NULL, dest, NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0)
+                mount(NULL, dest, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0)
                 errExit("mount bind");
         fs_logger2("clone", full_path);
         fs_logger2("mount", full_path);
diff --git a/src/firejail/join.c b/src/firejail/join.c
index d2f802add..4f0210f95 100644
--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -296,7 +296,7 @@ static void extract_umask(pid_t pid) {
                 fprintf(stderr, "Error: cannot open umask file\n");
                 exit(1);
         }
-        if (fscanf(fp, "%o", &orig_umask) != 1) {
+        if (fscanf(fp, "%3o", &orig_umask) != 1) {
                 fprintf(stderr, "Error: cannot read umask\n");
                 exit(1);
         }
@@ -335,7 +335,7 @@ bool is_ready_for_join(const pid_t pid) {
         struct stat s;
         if (fstat(fd, &s) == -1)
                 errExit("fstat");
-        if (!S_ISREG(s.st_mode) || s.st_uid != 0) {
+        if (!S_ISREG(s.st_mode) || s.st_uid != 0 || s.st_size != 1) {
                 close(fd);
                 return false;
         }
@@ -411,7 +411,7 @@ void join(pid_t pid, int argc, char **argv, int index) {
         extract_x11_display(parent);
 
         int shfd = -1;
-        if (!arg_shell_none)
+        if (!arg_shell_none && !arg_audit)
                 shfd = open_shell();
 
         EUID_ROOT();
@@ -423,6 +423,7 @@ void join(pid_t pid, int argc, char **argv, int index) {
                 extract_cgroup(pid);
                 extract_nogroups(pid);
                 extract_user_namespace(pid);
+                extract_umask(pid);
 #ifdef HAVE_APPARMOR
                 extract_apparmor(pid);
 #endif
@@ -432,9 +433,6 @@ void join(pid_t pid, int argc, char **argv, int index) {
         if (cfg.cgroup) // not available for uid 0
                 set_cgroup(cfg.cgroup);
 
-        // set umask, also uid 0
-        extract_umask(pid);
-
         // join namespaces
         if (arg_join_network) {
                 if (join_namespace(pid, "net"))
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 0b095e1be..911c8bd94 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -565,27 +565,18 @@ char *clean_pathname(const char *path) {
         if (!rv)
                 errExit("malloc");
 
-        if (len > 0) {
-                size_t i = 0, j = 0, cnt = 0;
-                for (; i < len; i++) {
-                        if (path[i] == '/')
-                                cnt++;
-                        else
-                                cnt = 0;
-
-                        if (cnt < 2) {
-                                rv[j] = path[i];
-                                j++;
-                        }
-                }
-                rv[j] = '\0';
-
-                // remove a trailing slash
-                if (j > 1 && rv[j - 1] == '/')
-                        rv[j - 1] = '\0';
+        size_t i = 0;
+        size_t j = 0;
+        while (path[i]) {
+                while (path[i] == '/' && path[i+1] == '/')
+                        i++;
+                rv[j++] = path[i++];
         }
-        else
-                *rv = '\0';
+        rv[j] = '\0';
+
+        // remove a trailing slash
+        if (j > 1 && rv[j - 1] == '/')
+                rv[j - 1] = '\0';
 
         return rv;
 }
diff --git a/src/lib/syscall.c b/src/lib/syscall.c
index 4903971ad..6823d0ae6 100644
--- a/src/lib/syscall.c
+++ b/src/lib/syscall.c
@@ -336,6 +336,7 @@ static const SyscallGroupList sysgroups[] = {
 #endif
         },
         { .name = "@default-keep", .list =
+          "execveat," // commonly used by fexecve
           "execve,"
           "prctl"
         },
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 9524254c1..030a3c95c 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -862,6 +862,11 @@ the parent interface specified by --net is not configured. An IP address and
 a default gateway address also have to be added.
 
 .TP
+\fBnetns namespace
+Run the program in a named, persistent network namespace. These can
+be created and configured using "ip netns".
+
+.TP
 \fBveth-name name
 Use this name for the interface connected to the bridge for --net=bridge_interface commands,
 instead of the default one.
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 347e2b31b..e72ef48c2 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -2273,7 +2273,7 @@ rm: cannot remove `testfile': Operation not permitted
 .TP
 \fB\-\-seccomp.keep=syscall,@group,!syscall2
 Enable seccomp filter, blacklist all syscall not listed and "syscall2".
-The system calls needed by Firejail (group @default-keep: prctl, execve)
+The system calls needed by Firejail (group @default-keep: prctl, execve, execveat)
 are handled with the preload library. On a 64 bit architecture, an
 additional filter for 32 bit system calls can be installed with
 \-\-seccomp.32.keep.