78 files changed, 527 insertions, 494 deletions
diff --git a/README.md b/README.md
index c92d5bf30..8d3b3c3bb 100644
--- a/README.md
+++ b/README.md
@@ -195,4 +195,4 @@ Stats:
 ### New profiles:
-spectacle, chromium-browser-privacy, gtk-straw-viewer, gtk-youtube-viewer, gtk2-youtube-viewer, gtk3-youtube-viewer, straw-viewer, lutris, dolphin-emu, authenticator-rs
+spectacle, chromium-browser-privacy, gtk-straw-viewer, gtk-youtube-viewer, gtk2-youtube-viewer, gtk3-youtube-viewer, straw-viewer, lutris, dolphin-emu, authenticator-rs, servo
diff --git a/RELNOTES b/RELNOTES
index 4eda50bc8..5f5b451e1 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -5,7 +5,7 @@ firejail (0.9.65) baseline; urgency=low
  * Setup guide for new users: contrib/firejail-welcome.sh
  * new profiles: spectacle, chromium-browser-privacy, gtk-straw-viewer
  * new profiles: gtk-youtube-viewer, gtk2-youtube-viewer, gtk3-youtube-viewer
-  * new profiles: straw-viewer, lutris, dolphin-emu, authenticator-rs
+  * new profiles: straw-viewer, lutris, dolphin-emu, authenticator-rs, servo
 -- netblue30 <netblue30@yahoo.com>  Wed, 21 Oct 2020 09:00:00 -0500
diff --git a/etc/inc/archiver-common.inc b/etc/inc/archiver-common.inc
index 2c5e4d8bf..9812e3ebb 100644
--- a/etc/inc/archiver-common.inc
+++ b/etc/inc/archiver-common.inc
@@ -6,12 +6,21 @@ include archiver-common.local
 blacklist ${RUNUSER}
-include disable-common.inc
+# WARNING:
+# Users can (un)restrict file access for **all** archivers by commenting/uncommenting the needed
+# include file(s) here or by putting those into archiver-common.local.
+# Another option is to do this **per archiver** in the relevant <archiver>.local.
+# Just beware that things tend to break when overtightening profiles. For example, because you only
+# need to (un)compress files in ${DOWNLOADS}, other applications may need access to ${HOME}/.local/share.
+# Uncomment the next line (or put it into your archiver-common.local) if you don't need to compress files in disable-common.inc.
+#include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
-include disable-programs.inc
+# Uncomment the next line (or put it into your archiver-common.local) if you don't need to compress files in disable-programs.inc.
+#include disable-programs.inc
 include disable-shell.inc
 apparmor
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index 2b56bb5be..d88506d90 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -517,16 +517,19 @@ blacklist /proc/config.gz
 blacklist ${PATH}/dig
 blacklist ${PATH}/dlint
 blacklist ${PATH}/dns2tcp
+blacklist ${PATH}/dnssec-*
 blacklist ${PATH}/dnswalk
 blacklist ${PATH}/drill
 blacklist ${PATH}/host
 blacklist ${PATH}/iodine
 blacklist ${PATH}/kdig
+blacklist ${PATH}/khost
 blacklist ${PATH}/knsupdate
 blacklist ${PATH}/ldns-*
 blacklist ${PATH}/ldnsd
 blacklist ${PATH}/nslookup
 blacklist ${PATH}/resolvectl
+blacklist ${PATH}/unbound-host
 # rest of ${RUNUSER}
 blacklist ${RUNUSER}/*.lock
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 59bd28f95..7ab11e620 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -303,11 +303,13 @@ blacklist ${HOME}/.config/mana
 blacklist ${HOME}/.config/mate-calc
 blacklist ${HOME}/.config/mate/eom
 blacklist ${HOME}/.config/mate/mate-dictionary
+blacklist ${HOME}/.config/matrix-mirage
 blacklist ${HOME}/.config/meld
 blacklist ${HOME}/.config/meteo-qt
 blacklist ${HOME}/.config/menulibre.cfg
 blacklist ${HOME}/.config/mfusion
 blacklist ${HOME}/.config/Microsoft
+blacklist ${HOME}/.config/microsoft-edge-dev
 blacklist ${HOME}/.config/midori
 blacklist ${HOME}/.config/mirage
 blacklist ${HOME}/.config/mono
@@ -554,6 +556,7 @@ blacklist ${HOME}/.kino-history
 blacklist ${HOME}/.kinorc
 blacklist ${HOME}/.klatexformula
 blacklist ${HOME}/.kodi
+blacklist ${HOME}/.librewolf
 blacklist ${HOME}/.lincity-ng
 blacklist ${HOME}/.links
 blacklist ${HOME}/.linphone-history.db
@@ -589,7 +592,7 @@ blacklist ${HOME}/.local/share/agenda
 blacklist ${HOME}/.local/share/apps/korganizer
 blacklist ${HOME}/.local/share/aspyr-media
 blacklist ${HOME}/.local/share/autokey
-blacklist ${HOME}/.local/share/authenticator-rs 
+blacklist ${HOME}/.local/share/authenticator-rs
 blacklist ${HOME}/.local/share/backintime
 blacklist ${HOME}/.local/share/baloo
 blacklist ${HOME}/.local/share/barrier
@@ -671,6 +674,7 @@ blacklist ${HOME}/.local/share/lugaru
 blacklist ${HOME}/.local/share/lutris
 blacklist ${HOME}/.local/share/mana
 blacklist ${HOME}/.local/share/maps-places.json
+blacklist ${HOME}/.local/share/matrix-mirage
 blacklist ${HOME}/.local/share/meld
 blacklist ${HOME}/.local/share/midori
 blacklist ${HOME}/.local/share/mirage
@@ -940,9 +944,12 @@ blacklist ${HOME}/.cache/ksplashqml
 blacklist ${HOME}/.cache/kube
 blacklist ${HOME}/.cache/kwin
 blacklist ${HOME}/.cache/libgweather
+blacklist ${HOME}/.cache/librewolf
 blacklist ${HOME}/.cache/liferea
 blacklist ${HOME}/.cache/lutris
 blacklist ${HOME}/.cache/Mendeley Ltd.
+blacklist ${HOME}/.cache/matrix-mirage
+blacklist ${HOME}/.cache/microsoft-edge-dev
 blacklist ${HOME}/.cache/midori
 blacklist ${HOME}/.cache/minetest
 blacklist ${HOME}/.cache/mirage
@@ -958,7 +965,7 @@ blacklist ${HOME}/.cache/ms-skype-online
 blacklist ${HOME}/.cache/ms-word-online
 blacklist ${HOME}/.cache/mutt
 blacklist ${HOME}/.cache/mypaint
-blacklist ${HOME}/.cache/nheko/nheko
+blacklist ${HOME}/.cache/nheko
 blacklist ${HOME}/.cache/netsurf
 blacklist ${HOME}/.cache/okular
 blacklist ${HOME}/.cache/opera
diff --git a/etc/inc/disable-shell.inc b/etc/inc/disable-shell.inc
index e66d23c9f..8274b0215 100644
--- a/etc/inc/disable-shell.inc
+++ b/etc/inc/disable-shell.inc
@@ -8,6 +8,7 @@ blacklist ${PATH}/dash
 blacklist ${PATH}/fish
 blacklist ${PATH}/ksh
 blacklist ${PATH}/mksh
+blacklist ${PATH}/oksh
 blacklist ${PATH}/sh
 blacklist ${PATH}/tclsh
 blacklist ${PATH}/tcsh
diff --git a/etc/profile-a-l/7z.profile b/etc/profile-a-l/7z.profile
index 4f9e72a79..5e1c17b28 100644
--- a/etc/profile-a-l/7z.profile
+++ b/etc/profile-a-l/7z.profile
@@ -10,5 +10,3 @@ include globals.local
 noblacklist ${PATH}/bash
 noblacklist ${PATH}/sh
 include archiver-common.inc
-private-bin 7z,7z*,bash,p7zip,sh
diff --git a/etc/profile-a-l/alacarte.profile b/etc/profile-a-l/alacarte.profile
index 5fabf8283..98188d2a7 100644
--- a/etc/profile-a-l/alacarte.profile
+++ b/etc/profile-a-l/alacarte.profile
@@ -11,7 +11,7 @@ include allow-python3.inc
 include disable-common.inc
 include disable-devel.inc
-include disable-exec.inc 
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
 include disable-passwdmgr.inc
@@ -25,7 +25,7 @@ whitelist /usr/share/icons
 whitelist /var/lib/app-info/icons
 whitelist /var/lib/flatpak/exports/share/applications
 whitelist /var/lib/flatpak/exports/share/icons
-include whitelist-runuser-common.inc 
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -49,7 +49,7 @@ shell none
 tracelog
 disable-mnt
-private-bin alacarte,bash,python*,sh
+# private-bin alacarte,bash,python*,sh
 private-cache
 private-dev
 private-etc alternatives,dconf,fonts,gtk-3.0,locale.alias,locale.conf,login.defs,mime.types,nsswitch.conf,passwd,pki,X11,xdg
diff --git a/etc/profile-a-l/ar.profile b/etc/profile-a-l/ar.profile
index a600eddef..c2b215807 100644
--- a/etc/profile-a-l/ar.profile
+++ b/etc/profile-a-l/ar.profile
@@ -8,5 +8,3 @@ include ar.local
 include globals.local
 include archiver-common.inc
-private-bin ar
diff --git a/etc/profile-a-l/atom.profile b/etc/profile-a-l/atom.profile
index cf0a5a42b..f21a5febf 100644
--- a/etc/profile-a-l/atom.profile
+++ b/etc/profile-a-l/atom.profile
@@ -6,31 +6,27 @@ include atom.local
 # Persistent global definitions
 include globals.local
+# Disabled until someone reported positive feedback
+ignore include disable-devel.inc
+ignore include disable-interpreters.inc
+ignore include disable-xdg.inc
+ignore whitelist ${DOWNLOADS}
+ignore include whitelist-common.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+ignore include whitelist-var-common.inc
+ignore apparmor
+ignore disable-mnt
 noblacklist ${HOME}/.atom
 noblacklist ${HOME}/.config/Atom
 # Allows files commonly used by IDEs
 include allow-common-devel.inc
-include disable-common.inc
-include disable-exec.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-caps.keep sys_admin,sys_chroot
 # net none
 netfilter
-nodvd
-nogroups
 nosound
-notv
-nou2f
-novideo
-shell none
-private-cache
-private-dev
-private-tmp
-dbus-user none
+# Redirect
-dbus-system none
+include electron.profile
diff --git a/etc/profile-a-l/authenticator-rs.profile b/etc/profile-a-l/authenticator-rs.profile
index 1eb802d9b..fb12018f5 100644
--- a/etc/profile-a-l/authenticator-rs.profile
+++ b/etc/profile-a-l/authenticator-rs.profile
@@ -6,7 +6,7 @@ include authenticator-rs.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.local/share/authenticator-rs 
+noblacklist ${HOME}/.local/share/authenticator-rs
 include disable-common.inc
 include disable-devel.inc
@@ -18,12 +18,12 @@ include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.local/share/authenticator-rs
-whitelist ${HOME}/.local/share/authenticator-rs 
+whitelist ${HOME}/.local/share/authenticator-rs
-whitelist ${DOWNLOADS} 
+whitelist ${DOWNLOADS}
 whitelist /usr/share/uk.co.grumlimited.authenticator-rs
-include whitelist-common.inc 
+include whitelist-common.inc
-include whitelist-runuser-common.inc 
+include whitelist-runuser-common.inc
-include whitelist-usr-share-common.inc 
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 apparmor
diff --git a/etc/profile-a-l/balsa.profile b/etc/profile-a-l/balsa.profile
index a401ac592..cda6b1aa0 100644
--- a/etc/profile-a-l/balsa.profile
+++ b/etc/profile-a-l/balsa.profile
@@ -58,7 +58,7 @@ shell none
 tracelog
 # disable-mnt
-# Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg 
+# Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg
 # Add "ignore private-bin" for hyperlinks or have a look at the private-bins in firefox.profile and firefox-common.profile.
 private-bin balsa,balsa-ab
 private-cache
diff --git a/etc/profile-a-l/beaker.profile b/etc/profile-a-l/beaker.profile
index cc1886a49..f3a9568bd 100644
--- a/etc/profile-a-l/beaker.profile
+++ b/etc/profile-a-l/beaker.profile
@@ -3,17 +3,26 @@
 # Persistent local customizations
 include beaker.local
 # Persistent global definitions
-# added by included profile
+include globals.local
-#include globals.local
-noblacklist ${HOME}/.config/Beaker Browser
+# Disabled until someone reported positive feedback
+ignore include disable-exec.inc
+ignore include disable-xdg.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+ignore include whitelist-var-common.inc
+ignore nou2f
+ignore novideo
+ignore shell none
+ignore disable-mnt
+ignore private-cache
+ignore private-dev
+ignore private-tmp
-include disable-devel.inc
+noblacklist ${HOME}/.config/Beaker Browser
-include disable-interpreters.inc
 mkdir ${HOME}/.config/Beaker Browser
 whitelist ${HOME}/.config/Beaker Browser
-include whitelist-common.inc
 # Redirect
 include electron.profile
diff --git a/etc/profile-a-l/brave.profile b/etc/profile-a-l/brave.profile
index 904d3e94f..5a5e9eacd 100644
--- a/etc/profile-a-l/brave.profile
+++ b/etc/profile-a-l/brave.profile
@@ -10,10 +10,6 @@ include globals.local
 ignore noexec /tmp
 # TOR is installed in ${HOME}
 ignore noexec ${HOME}
-# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
-ignore whitelist /usr/share/chromium
-ignore include whitelist-runuser-common.inc
-ignore include whitelist-usr-share-common.inc
 noblacklist ${HOME}/.cache/BraveSoftware
 noblacklist ${HOME}/.config/BraveSoftware
diff --git a/etc/profile-a-l/bsdtar.profile b/etc/profile-a-l/bsdtar.profile
index f2116f4ab..c37f4071e 100644
--- a/etc/profile-a-l/bsdtar.profile
+++ b/etc/profile-a-l/bsdtar.profile
@@ -8,6 +8,4 @@ include globals.local
 include archiver-common.inc
-# support compressed archives
-private-bin bash,bsdcat,bsdcpio,bsdtar,bzip2,compress,gtar,gzip,lbzip2,libarchive,lz4,lzip,lzma,lzop,sh,xz
 private-etc alternatives,group,localtime,passwd
diff --git a/etc/profile-a-l/chromium-common.profile b/etc/profile-a-l/chromium-common.profile
index 6a9cf99b0..ce9c652c6 100644
--- a/etc/profile-a-l/chromium-common.profile
+++ b/etc/profile-a-l/chromium-common.profile
@@ -25,7 +25,6 @@ mkdir ${HOME}/.local/share/pki
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.pki
 whitelist ${HOME}/.local/share/pki
-whitelist /usr/share/chromium
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/chromium.profile b/etc/profile-a-l/chromium.profile
index dab9ce449..14f1bbe64 100644
--- a/etc/profile-a-l/chromium.profile
+++ b/etc/profile-a-l/chromium.profile
@@ -15,6 +15,7 @@ mkdir ${HOME}/.config/chromium
 whitelist ${HOME}/.cache/chromium
 whitelist ${HOME}/.config/chromium
 whitelist ${HOME}/.config/chromium-flags.conf
+whitelist /usr/share/chromium
 # private-bin chromium,chromium-browser,chromedriver
diff --git a/etc/profile-a-l/discord-common.profile b/etc/profile-a-l/discord-common.profile
index 35bea4aaa..e6edbd7eb 100644
--- a/etc/profile-a-l/discord-common.profile
+++ b/etc/profile-a-l/discord-common.profile
@@ -6,33 +6,24 @@ include discord-common.local
 # added by caller profile
 #include globals.local
-ignore noexec ${HOME}
+# Disabled until someone reported positive feedback
+ignore include disable-interpreters.inc
+ignore include disable-xdg.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+ignore apparmor
+ignore disable-mnt
+ignore private-cache
+ignore dbus-user none
+ignore dbus-system none
-include disable-common.inc
+ignore noexec ${HOME}
-include disable-devel.inc
-include disable-exec.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.config/BetterDiscord
 whitelist ${HOME}/.local/share/betterdiscordctl
-include whitelist-common.inc
-include whitelist-var-common.inc
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-nou2f
-novideo
-protocol unix,inet,inet6,netlink
-seccomp !chroot
 private-bin bash,cut,echo,egrep,fish,grep,head,sed,sh,tclsh,tr,xdg-mime,xdg-open,zsh
-private-dev
 private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,login.defs,machine-id,password,pki,resolv.conf,ssl
-private-tmp
+# Redirect
+include electron.profile
diff --git a/etc/profile-a-l/electron.profile b/etc/profile-a-l/electron.profile
index 9b99c7ffb..d3be07c9d 100644
--- a/etc/profile-a-l/electron.profile
+++ b/etc/profile-a-l/electron.profile
@@ -3,25 +3,39 @@
 # This file is overwritten after every install/update
 # Persistent local customizations
 include electron.local
-# Persistent global definitions
-include globals.local
 include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+# Uncomment the next line (or add it to your chromium-common.local)
+# if your kernel allows unprivileged userns clone.
+#include chromium-common-hardened.inc
 apparmor
-caps.drop all
+caps.keep sys_admin,sys_chroot
 netfilter
 nodvd
 nogroups
-nonewprivs
-noroot
 notv
-protocol unix,inet,inet6,netlink
+nou2f
-seccomp
+novideo
+shell none
+disable-mnt
+private-cache
+private-dev
+private-tmp
 dbus-user none
 dbus-system none
diff --git a/etc/profile-a-l/element-desktop.profile b/etc/profile-a-l/element-desktop.profile
index 2d56369cd..48a826f2e 100644
--- a/etc/profile-a-l/element-desktop.profile
+++ b/etc/profile-a-l/element-desktop.profile
@@ -7,6 +7,8 @@ include element-desktop.local
 # added by included profile
 #include globals.local
+ignore dbus-user none
 noblacklist ${HOME}/.config/Element
 mkdir ${HOME}/.config/Element
@@ -15,5 +17,8 @@ whitelist /opt/Element
 private-opt Element
+dbus-user filter
+dbus-user.talk org.freedesktop.secrets
 # Redirect
 include riot-desktop.profile
diff --git a/etc/profile-a-l/feh.profile b/etc/profile-a-l/feh.profile
index 3ee07e559..8ac7755de 100644
--- a/etc/profile-a-l/feh.profile
+++ b/etc/profile-a-l/feh.profile
@@ -1,6 +1,7 @@
 # Firejail profile for feh
 # Description: imlib2 based image viewer
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include feh.local
 # Persistent global definitions
diff --git a/etc/profile-a-l/fractal.profile b/etc/profile-a-l/fractal.profile
index ab907eb0d..c3af29e15 100644
--- a/etc/profile-a-l/fractal.profile
+++ b/etc/profile-a-l/fractal.profile
@@ -1,5 +1,5 @@
 # Firejail profile for fractal
-# Description: Desktop client for Matrix 
+# Description: Desktop client for Matrix
 # This file is overwritten after every install/update
 # Persistent local customizations
 include fractal.local
@@ -21,7 +21,7 @@ mkdir ${HOME}/.cache/fractal
 whitelist ${HOME}/.cache/fractal
 whitelist ${DOWNLOADS}
 include whitelist-common.inc
-include whitelist-runuser-common.inc 
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/freetube.profile b/etc/profile-a-l/freetube.profile
index 91f0caf87..e6aff533d 100644
--- a/etc/profile-a-l/freetube.profile
+++ b/etc/profile-a-l/freetube.profile
@@ -8,24 +8,13 @@ include globals.local
 noblacklist ${HOME}/.config/FreeTube
-include disable-devel.inc
+include disable-shell.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-shell.inc 
-include disable-xdg.inc
 mkdir ${HOME}/.config/FreeTube
 whitelist ${HOME}/.config/FreeTube
-seccomp !chroot
-shell none
-disable-mnt
 private-bin freetube
-private-cache
-private-dev
 private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg
-private-tmp
 # Redirect
 include electron.profile
diff --git a/etc/profile-a-l/github-desktop.profile b/etc/profile-a-l/github-desktop.profile
index 152396553..325c54ced 100644
--- a/etc/profile-a-l/github-desktop.profile
+++ b/etc/profile-a-l/github-desktop.profile
@@ -6,43 +6,35 @@ include github-desktop.local
 # Persistent global definitions
 include globals.local
+# Note: On debian-based distributions the binary might be located in
+# /opt/GitHub Desktop/github-desktop, and therefore not be in PATH.
+# If that's the case you can start GitHub Desktop with firejail via
+# `firejail "/opt/GitHub Desktop/github-desktop"`.
+# Disabled until someone reported positive feedback
+ignore include disable-xdg.inc
+ignore whitelist ${DOWNLOADS}
+ignore include whitelist-common.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+ignore include whitelist-var-common.inc
+ignore apparmor
+ignore dbus-user none
+ignore dbus-system none
 noblacklist ${HOME}/.config/GitHub Desktop
 noblacklist ${HOME}/.config/git
 noblacklist ${HOME}/.gitconfig
 noblacklist ${HOME}/.git-credentials
-include disable-common.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-caps.drop all
-netfilter
 # no3d
-nodvd
-nogroups
-nonewprivs
-noroot
 nosound
-notv
-nou2f
-novideo
-protocol unix,inet,inet6,netlink
-seccomp !chroot
-# Note: On debian-based distributions the binary might be located in
-# /opt/GitHub Desktop/github-desktop, and therefore not be in PATH.
-# If that's the case you can start GitHub Desktop with firejail via
-# `firejail "/opt/GitHub Desktop/github-desktop"`.
-disable-mnt
 # private-bin github-desktop
-private-cache
 ?HAS_APPIMAGE: ignore private-dev
-private-dev
 # private-lib
-private-tmp
 # memory-deny-write-execute
+# Redirect
+include electron.profile
diff --git a/etc/profile-a-l/homebank.profile b/etc/profile-a-l/homebank.profile
index 8e600a2d7..da32de640 100644
--- a/etc/profile-a-l/homebank.profile
+++ b/etc/profile-a-l/homebank.profile
@@ -10,7 +10,7 @@ noblacklist ${HOME}/.config/homebank
 include disable-common.inc
 include disable-devel.inc
-include disable-exec.inc 
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
 include disable-passwdmgr.inc
diff --git a/etc/profile-a-l/jitsi-meet-desktop.profile b/etc/profile-a-l/jitsi-meet-desktop.profile
index c4121d835..e5beb741a 100644
--- a/etc/profile-a-l/jitsi-meet-desktop.profile
+++ b/etc/profile-a-l/jitsi-meet-desktop.profile
@@ -6,34 +6,22 @@ include jitsi-meet-desktop.local
 # Persistent global definitions
 include globals.local
+# Disabled until someone reported positive feedback
+ignore nou2f
+ignore novideo
+ignore shell none
 ignore noexec /tmp
 noblacklist ${HOME}/.config/Jitsi Meet
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-xdg.inc
 nowhitelist ${DOWNLOADS}
 mkdir ${HOME}/.config/Jitsi Meet
 whitelist ${HOME}/.config/Jitsi Meet
-include whitelist-common.inc
-include whitelist-usr-share-common.inc
-include whitelist-runuser-common.inc
-include whitelist-var-common.inc
-seccomp !chroot
-disable-mnt
 private-bin bash,jitsi-meet-desktop
-private-cache
-private-dev
 private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,drirc,fonts,glvnd,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,nvidia,pango,passwd,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg
-private-tmp
 # Redirect
 include electron.profile
diff --git a/etc/profile-a-l/kazam.profile b/etc/profile-a-l/kazam.profile
index 9899ff195..9c095e106 100644
--- a/etc/profile-a-l/kazam.profile
+++ b/etc/profile-a-l/kazam.profile
@@ -12,12 +12,12 @@ noblacklist ${PICTURES}
 noblacklist ${VIDEOS}
 noblacklist ${HOME}/.config/kazam
-include allow-python2.inc 
+include allow-python2.inc
-include allow-python3.inc 
+include allow-python3.inc
 include disable-common.inc
 include disable-devel.inc
-include disable-exec.inc 
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
 include disable-passwdmgr.inc
@@ -25,7 +25,7 @@ include disable-shell.inc
 include disable-xdg.inc
 whitelist /usr/share/kazam
-include whitelist-runuser-common.inc 
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/keepassxc.profile b/etc/profile-a-l/keepassxc.profile
index 58db056b2..456f1820d 100644
--- a/etc/profile-a-l/keepassxc.profile
+++ b/etc/profile-a-l/keepassxc.profile
@@ -73,12 +73,11 @@ dbus-user.talk org.freedesktop.login1.Session
 dbus-user.talk org.gnome.ScreenSaver
 dbus-user.talk org.gnome.SessionManager
 dbus-user.talk org.gnome.SessionManager.Presence
-# Uncomment or add to your keepassxc.local to allow Notifications/Tray.
+# Uncomment or add to your keepassxc.local to allow Notifications.
 #dbus-user.talk org.freedesktop.Notifications
+# Uncomment or add to your keepassxc.local to allow Tray.
 #dbus-user.talk org.kde.StatusNotifierWatcher
-# These numbers seems to be not stable, see #3713. Play around with them.
+#dbus-user.own org.kde.*
-#dbus-user.own org.kde.StatusNotifierItem-2-2
-#dbus-user.own org.kde.StatusNotifierItem-10-2
 dbus-system none
 # Mutex is stored in /tmp by default, which is broken by private-tmp
diff --git a/etc/profile-a-l/kube.profile b/etc/profile-a-l/kube.profile
index cf3a69fd7..e0cfb9f24 100644
--- a/etc/profile-a-l/kube.profile
+++ b/etc/profile-a-l/kube.profile
@@ -63,7 +63,7 @@ shell none
 tracelog
 # disable-mnt
-# Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg 
+# Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg
 # Add "ignore private-bin" for hyperlinks or have a look at the private-bins in firefox.profile and firefox-common.profile.
 private-bin kube,sink_synchronizer
 private-cache
diff --git a/etc/profile-a-l/librewolf.profile b/etc/profile-a-l/librewolf.profile
new file mode 100644
index 000000000..5208cb979
--- /dev/null
+++ b/etc/profile-a-l/librewolf.profile
@@ -0,0 +1,28 @@
+# Firejail profile for Librewolf
+# Description: Firefox fork based on privacy
+# This file is overwritten after every install/update
+# Persistent local customizations
+include librewolf.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.cache/librewolf
+noblacklist ${HOME}/.librewolf
+mkdir ${HOME}/.cache/librewolf
+mkdir ${HOME}/.librewolf
+whitelist ${HOME}/.cache/librewolf
+whitelist ${HOME}/.librewolf
+# Uncomment (or add to librewolf.local) the following lines if you want to
+# use the migration wizard.
+#noblacklist ${HOME}/.mozilla
+#whitelist ${HOME}/.mozilla
+# librewolf requires a shell to launch on Arch. We can possibly remove sh though.
+#private-bin bash,dbus-launch,dbus-send,env,librewolf,python*,sh,which
+# private-etc must first be enabled in firefox-common.profile
+#private-etc librewolf
+# Redirect
+include firefox-common.profile
diff --git a/etc/profile-a-l/links.profile b/etc/profile-a-l/links.profile
index b2f94d3cf..ccc77f274 100644
--- a/etc/profile-a-l/links.profile
+++ b/etc/profile-a-l/links.profile
@@ -1,6 +1,7 @@
 # Firejail profile for links
 # Description: Text WWW browser
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include links.local
 # Persistent global definitions
diff --git a/etc/profile-a-l/lynx.profile b/etc/profile-a-l/lynx.profile
index dbd0a61e5..76a0e7ed0 100644
--- a/etc/profile-a-l/lynx.profile
+++ b/etc/profile-a-l/lynx.profile
@@ -1,6 +1,7 @@
 # Firejail profile for lynx
 # Description: Classic non-graphical (text-mode) web browser
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include lynx.local
 # Persistent global definitions
diff --git a/etc/profile-m-z/matrix-mirage.profile b/etc/profile-m-z/matrix-mirage.profile
new file mode 100644
index 000000000..b3080df88
--- /dev/null
+++ b/etc/profile-m-z/matrix-mirage.profile
@@ -0,0 +1,24 @@
+# Firejail profile for matrix-mirage
+# Description: Debian name for mirage binary/package
+# This file is overwritten after every install/update
+# Persistent local customizations
+include matrix-mirage.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+noblacklist ${HOME}/.cache/matrix-mirage
+noblacklist ${HOME}/.config/matrix-mirage
+noblacklist ${HOME}/.local/share/matrix-mirage
+mkdir ${HOME}/.cache/matrix-mirage
+mkdir ${HOME}/.config/matrix-mirage
+mkdir ${HOME}/.local/share/matrix-mirage
+whitelist ${HOME}/.cache/matrix-mirage
+whitelist ${HOME}/.config/matrix-mirage
+whitelist ${HOME}/.local/share/matrix-mirage
+private-bin matrix-mirage
+# Redirect
+include mirage.profile
diff --git a/etc/profile-m-z/menulibre.profile b/etc/profile-m-z/menulibre.profile
index c70090a25..8a98209a2 100644
--- a/etc/profile-m-z/menulibre.profile
+++ b/etc/profile-m-z/menulibre.profile
@@ -11,7 +11,7 @@ include allow-python3.inc
 include disable-common.inc
 include disable-devel.inc
-include disable-exec.inc 
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
 include disable-passwdmgr.inc
@@ -25,7 +25,7 @@ whitelist /usr/share/menulibre
 whitelist /var/lib/app-info/icons
 whitelist /var/lib/flatpak/exports/share/applications
 whitelist /var/lib/flatpak/exports/share/icons
-include whitelist-runuser-common.inc 
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/microsoft-edge-dev.profile b/etc/profile-m-z/microsoft-edge-dev.profile
new file mode 100644
index 000000000..039cd36a8
--- /dev/null
+++ b/etc/profile-m-z/microsoft-edge-dev.profile
@@ -0,0 +1,20 @@
+# Firejail profile for Microsoft Edge Dev
+# Description: Web browser from Microsoft,dev channel
+# This file is overwritten after every install/update
+# Persistent local customizations
+include microsoft-edge-dev.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.cache/microsoft-edge-dev
+noblacklist ${HOME}/.config/microsoft-edge-dev
+mkdir ${HOME}/.cache/microsoft-edge-dev
+mkdir ${HOME}/.config/microsoft-edge-dev
+whitelist ${HOME}/.cache/microsoft-edge-dev
+whitelist ${HOME}/.config/microsoft-edge-dev
+private-opt microsoft
+# Redirect
+include chromium-common.profile
diff --git a/etc/profile-m-z/microsoft-edge.profile b/etc/profile-m-z/microsoft-edge.profile
new file mode 100644
index 000000000..f427507d1
--- /dev/null
+++ b/etc/profile-m-z/microsoft-edge.profile
@@ -0,0 +1,11 @@
+# Firejail profile for Microsoft Edge
+# Description: Web browser from Microsoft
+# This file is overwritten after every install/update
+# Persistent local customizations
+include microsoft-edge.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include microsoft-edge-dev.profile
diff --git a/etc/profile-m-z/min.profile b/etc/profile-m-z/min.profile
index be85fdbc4..7f3aeab44 100644
--- a/etc/profile-m-z/min.profile
+++ b/etc/profile-m-z/min.profile
@@ -6,8 +6,6 @@ include min.local
 # Persistent global definitions
 include globals.local
-nowhitelist /usr/share/chromium
 noblacklist ${HOME}/.config/Min
 mkdir ${HOME}/.config/Min
diff --git a/etc/profile-m-z/minitube.profile b/etc/profile-m-z/minitube.profile
index 39ecc7127..78ef5e398 100644
--- a/etc/profile-m-z/minitube.profile
+++ b/etc/profile-m-z/minitube.profile
@@ -19,7 +19,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
-include disable-shell.inc 
+include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.cache/Flavio Tordini
@@ -30,8 +30,8 @@ whitelist ${HOME}/.cache/Flavio Tordini
 whitelist ${HOME}/.config/Flavio Tordini
 whitelist ${HOME}/.local/share/Flavio Tordini
 whitelist /usr/share/minitube
-include whitelist-common.inc 
+include whitelist-common.inc
-include whitelist-runuser-common.inc 
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/mirage.profile b/etc/profile-m-z/mirage.profile
index 4a5f12aec..7130267e8 100644
--- a/etc/profile-m-z/mirage.profile
+++ b/etc/profile-m-z/mirage.profile
@@ -1,5 +1,5 @@
 # Firejail profile for mirage
-# Description: Desktop client for Matrix 
+# Description: Desktop client for Matrix
 # This file is overwritten after every install/update
 # Persistent local customizations
 include mirage.local
@@ -9,6 +9,7 @@ include globals.local
 noblacklist ${HOME}/.cache/mirage
 noblacklist ${HOME}/.config/mirage
 noblacklist ${HOME}/.local/share/mirage
+noblacklist /sbin
 include allow-python2.inc
 include allow-python3.inc
@@ -30,7 +31,7 @@ whitelist ${HOME}/.config/mirage
 whitelist ${HOME}/.local/share/mirage
 whitelist ${DOWNLOADS}
 include whitelist-common.inc
-include whitelist-runuser-common.inc 
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -49,7 +50,7 @@ shell none
 tracelog
 disable-mnt
-private-bin mirage
+private-bin ldconfig,mirage
 private-cache
 private-dev
 private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
diff --git a/etc/profile-m-z/mtpaint.profile b/etc/profile-m-z/mtpaint.profile
index cfd00e8ae..9f1f0f53d 100644
--- a/etc/profile-m-z/mtpaint.profile
+++ b/etc/profile-m-z/mtpaint.profile
@@ -10,14 +10,14 @@ noblacklist ${PICTURES}
 include disable-common.inc
 include disable-devel.inc
-include disable-exec.inc 
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
-include whitelist-runuser-common.inc 
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/musictube.profile b/etc/profile-m-z/musictube.profile
index 955df698d..dbfd12619 100644
--- a/etc/profile-m-z/musictube.profile
+++ b/etc/profile-m-z/musictube.profile
@@ -1,5 +1,5 @@
 # Firejail profile for musictube
-# Description: Stream music 
+# Description: Stream music
 # This file is overwritten after every install/update
 # Persistent local customizations
 include musictube.local
@@ -16,7 +16,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
-include disable-shell.inc 
+include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.cache/Flavio Tordini
@@ -26,8 +26,8 @@ whitelist ${HOME}/.cache/Flavio Tordini
 whitelist ${HOME}/.config/Flavio Tordini
 whitelist ${HOME}/.local/share/Flavio Tordini
 whitelist /usr/share/musictube
-include whitelist-common.inc 
+include whitelist-common.inc
-include whitelist-runuser-common.inc 
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/nheko.profile b/etc/profile-m-z/nheko.profile
index 701098f4b..42e7e92fc 100644
--- a/etc/profile-m-z/nheko.profile
+++ b/etc/profile-m-z/nheko.profile
@@ -7,7 +7,7 @@ include nheko.local
 include globals.local
 noblacklist ${HOME}/.config/nheko
-noblacklist ${HOME}/.cache/nheko/nheko
+noblacklist ${HOME}/.cache/nheko
 include disable-common.inc
 include disable-devel.inc
@@ -16,14 +16,19 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
+include disable-xdg.inc
 mkdir ${HOME}/.config/nheko
 mkdir ${HOME}/.cache/nheko/nheko
 whitelist ${HOME}/.config/nheko
-whitelist ${HOME}/.cache/nheko/nheko
+whitelist ${HOME}/.cache/nheko
 whitelist ${DOWNLOADS}
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
 caps.drop all
 netfilter
 nodvd
@@ -38,5 +43,14 @@ tracelog
 disable-mnt
 private-bin nheko
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 private-tmp
+dbus-user none
+# Comment the above line and uncomment below lines for notification popups
+# dbus-user filter
+# dbus-user.talk org.freedesktop.Notifications
+# dbus-user.talk org.kde.StatusNotifierWatcher
+dbus-system none
diff --git a/etc/profile-m-z/nuclear.profile b/etc/profile-m-z/nuclear.profile
index 1b97eda9b..886403b9e 100644
--- a/etc/profile-m-z/nuclear.profile
+++ b/etc/profile-m-z/nuclear.profile
@@ -10,31 +10,16 @@ ignore dbus-user
 noblacklist ${HOME}/.config/nuclear
-include disable-devel.inc
+include disable-shell.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-shell.inc 
-include disable-xdg.inc
 mkdir ${HOME}/.config/nuclear
 whitelist ${HOME}/.config/nuclear
-include whitelist-common.inc 
-include whitelist-runuser-common.inc 
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
 no3d
-nou2f
-novideo
-shell none
-disable-mnt
 # private-bin nuclear
-private-cache
-private-dev
 private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 private-opt nuclear
-private-tmp
 # Redirect
 include electron.profile
diff --git a/etc/profile-m-z/onboard.profile b/etc/profile-m-z/onboard.profile
index 3a235a677..f7cb8790b 100644
--- a/etc/profile-m-z/onboard.profile
+++ b/etc/profile-m-z/onboard.profile
@@ -13,7 +13,7 @@ include allow-python3.inc
 include disable-common.inc
 include disable-devel.inc
-include disable-exec.inc 
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
 include disable-passwdmgr.inc
@@ -23,9 +23,9 @@ include disable-xdg.inc
 mkdir ${HOME}/.config/onboard
 whitelist ${HOME}/.config/onboard
 whitelist /usr/share/onboard
-include whitelist-common.inc 
+include whitelist-common.inc
 include whitelist-usr-share-common.inc
-include whitelist-runuser-common.inc 
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 apparmor
diff --git a/etc/profile-m-z/otter-browser.profile b/etc/profile-m-z/otter-browser.profile
index 652b6b7cb..aa26ddd4e 100644
--- a/etc/profile-m-z/otter-browser.profile
+++ b/etc/profile-m-z/otter-browser.profile
@@ -1,5 +1,5 @@
 # Firejail profile for otter-browser
-# Description: Lightweight web browser based on Qt5 
+# Description: Lightweight web browser based on Qt5
 # This file is overwritten after every install/update
 # Persistent local customizations
 include otter-browser.local
@@ -32,7 +32,7 @@ whitelist ${HOME}/.pki
 whitelist ${HOME}/.local/share/pki
 whitelist /usr/share/otter-browser
 include whitelist-common.inc
-include whitelist-runuser-common.inc 
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -54,6 +54,6 @@ private-bin bash,otter-browser,sh,which
 private-cache
 ?BROWSER_DISABLE_U2F: private-dev
 private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
-private-tmp 
+private-tmp
 dbus-system none
diff --git a/etc/profile-m-z/photoflare.profile b/etc/profile-m-z/photoflare.profile
index d9df3e3b3..9e6b4a87d 100644
--- a/etc/profile-m-z/photoflare.profile
+++ b/etc/profile-m-z/photoflare.profile
@@ -10,14 +10,14 @@ noblacklist ${PICTURES}
 include disable-common.inc
 include disable-devel.inc
-include disable-exec.inc 
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
-include whitelist-runuser-common.inc 
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/quaternion.profile b/etc/profile-m-z/quaternion.profile
index 2133c74d3..3041860b3 100644
--- a/etc/profile-m-z/quaternion.profile
+++ b/etc/profile-m-z/quaternion.profile
@@ -1,5 +1,5 @@
 # Firejail profile for quaternion
-# Description: Desktop client for Matrix 
+# Description: Desktop client for Matrix
 # This file is overwritten after every install/update
 # Persistent local customizations
 include quaternion.local
@@ -25,7 +25,7 @@ whitelist ${HOME}/.config/Quotient
 whitelist ${DOWNLOADS}
 whitelist /usr/share/Quotient/quaternion
 include whitelist-common.inc
-include whitelist-runuser-common.inc 
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/riot-desktop.profile b/etc/profile-m-z/riot-desktop.profile
index 4372fabe1..e91d25196 100644
--- a/etc/profile-m-z/riot-desktop.profile
+++ b/etc/profile-m-z/riot-desktop.profile
@@ -7,7 +7,5 @@ include riot-desktop.local
 # added by included profile
 #include globals.local
-seccomp !chroot
 # Redirect
 include riot-web.profile
diff --git a/etc/profile-m-z/riot-web.profile b/etc/profile-m-z/riot-web.profile
index b930adf2b..687c943b0 100644
--- a/etc/profile-m-z/riot-web.profile
+++ b/etc/profile-m-z/riot-web.profile
@@ -4,14 +4,15 @@
 # Persistent local customizations
 include riot-web.local
 # Persistent global definitions
-# added by included profile
+include globals.local
-#include globals.local
+ignore noexec /tmp
 noblacklist ${HOME}/.config/Riot
 mkdir ${HOME}/.config/Riot
 whitelist ${HOME}/.config/Riot
-include whitelist-common.inc
+whitelist /usr/share/webapps/element
 # Redirect
 include electron.profile
diff --git a/etc/profile-m-z/rocketchat.profile b/etc/profile-m-z/rocketchat.profile
index a574e4e8b..8d3607c75 100644
--- a/etc/profile-m-z/rocketchat.profile
+++ b/etc/profile-m-z/rocketchat.profile
@@ -3,14 +3,28 @@
 # Persistent local customizations
 include rocketchat.local
 # Persistent global definitions
-# added by included profile
+include globals.local
-#include globals.local
+# Disabled until someone reported positive feedback
+ignore include disable-devel.inc
+ignore include disable-exec.inc
+ignore include disable-interpreters.inc
+ignore include disable-xdg.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+ignore include whitelist-var-common.inc
+ignore nou2f
+ignore novideo
+ignore shell none
+ignore disable-mnt
+ignore private-cache
+ignore private-dev
+ignore private-tmp
 noblacklist ${HOME}/.config/Rocket.Chat
 mkdir ${HOME}/.config/Rocket.Chat
 whitelist ${HOME}/.config/Rocket.Chat
-include whitelist-common.inc
 # Redirect
 include electron.profile
diff --git a/etc/profile-m-z/servo.profile b/etc/profile-m-z/servo.profile
new file mode 100644
index 000000000..65da5d0de
--- /dev/null
+++ b/etc/profile-m-z/servo.profile
@@ -0,0 +1,48 @@
+# Firejail profile for servo
+# Description: The Servo Browser Engine
+# This file is overwritten after every install/update
+# Persistent local customizations
+include servo.local
+# Persistent global definitions
+include globals.local
+# Servo is usually installed inside $HOME
+ignore noexec ${HOME}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+# Add a whitelist for the directory where servo is installed and uncomment the lines below.
+#whitelist ${DOWNLOADS}
+#include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin servo,sh
+private-cache
+private-dev
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/signal-desktop.profile b/etc/profile-m-z/signal-desktop.profile
index c28571270..08e1c1f03 100644
--- a/etc/profile-m-z/signal-desktop.profile
+++ b/etc/profile-m-z/signal-desktop.profile
@@ -5,6 +5,13 @@ include signal-desktop.local
 # Persistent global definitions
 include globals.local
+# Disabled until someone reported positive feedback
+ignore include-xdg.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+ignore private-cache
+ignore novideo
 ignore noexec /tmp
 noblacklist ${HOME}/.config/Signal
@@ -14,32 +21,12 @@ noblacklist ${HOME}/.mozilla
 whitelist ${HOME}/.mozilla/firefox/profiles.ini
 read-only ${HOME}/.mozilla/firefox/profiles.ini
-include disable-common.inc
-include disable-devel.inc
 include disable-exec.inc
-include disable-interpreters.inc
-include disable-programs.inc
-include disable-passwdmgr.inc
 mkdir ${HOME}/.config/Signal
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.config/Signal
-include whitelist-common.inc
-include whitelist-var-common.inc
-apparmor
-caps.keep sys_admin,sys_chroot
-netfilter
-nodvd
-nogroups
-notv
-nou2f
-shell none
-disable-mnt
-private-dev
 private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl
-private-tmp
-dbus-user none
+# Redirect
-dbus-system none
+include electron.profile
diff --git a/etc/profile-m-z/skypeforlinux.profile b/etc/profile-m-z/skypeforlinux.profile
index 341c25a95..b39763981 100644
--- a/etc/profile-m-z/skypeforlinux.profile
+++ b/etc/profile-m-z/skypeforlinux.profile
@@ -5,27 +5,24 @@ include skypeforlinux.local
 # Persistent global definitions
 include globals.local
+# Disabled until someone reported positive feedback
+ignore whitelist ${DOWNLOADS}
+ignore include whitelist-common.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+ignore include whitelist-var-common.inc
+ignore nou2f
+ignore novideo
+ignore private-dev
+ignore dbus-user none
+ignore dbus-system none
 # breaks Skype
 ignore noexec /tmp
 noblacklist ${HOME}/.config/skypeforlinux
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-include disable-xdg.inc
-caps.keep sys_admin,sys_chroot
-netfilter
-nodvd
-nogroups
-notv
-shell none
-disable-mnt
-private-cache
 # private-dev - needs /dev/disk
-private-tmp
+# Redirect
+include electron.profile
diff --git a/etc/profile-m-z/slack.profile b/etc/profile-m-z/slack.profile
index 8ab3edd63..9ad772cd5 100644
--- a/etc/profile-m-z/slack.profile
+++ b/etc/profile-m-z/slack.profile
@@ -5,31 +5,26 @@ include slack.local
 # Persistent global definitions
 include globals.local
+# Disabled until someone reported positive feedback
+ignore include disable-exec.inc
+ignore include disable-xdg.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+ignore apparmor
+ignore novideo
+ignore private-tmp
+ignore dbus-user none
+ignore dbus-system none
 noblacklist ${HOME}/.config/Slack
-include disable-common.inc
-include disable-devel.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
 include disable-shell.inc
 mkdir ${HOME}/.config/Slack
 whitelist ${HOME}/.config/Slack
-whitelist ${DOWNLOADS}
-include whitelist-common.inc
-include whitelist-var-common.inc
-caps.keep sys_admin,sys_chroot
-netfilter
-nodvd
-nogroups
-notv
-nou2f
-shell none
-disable-mnt
 private-bin locale,slack
-private-cache
-private-dev
 private-etc alternatives,asound.conf,ca-certificates,crypto-policies,debian_version,fedora-release,fonts,group,ld.so.cache,ld.so.conf,localtime,machine-id,os-release,passwd,pki,pulse,redhat-release,resolv.conf,ssl,system-release,system-release-cpe
+# Redirect
+include electron.profile
diff --git a/etc/profile-m-z/spectral.profile b/etc/profile-m-z/spectral.profile
index d7f94e144..093661d8c 100644
--- a/etc/profile-m-z/spectral.profile
+++ b/etc/profile-m-z/spectral.profile
@@ -1,5 +1,5 @@
 # Firejail profile for spectral
-# Description: Desktop client for Matrix 
+# Description: Desktop client for Matrix
 # This file is overwritten after every install/update
 # Persistent local customizations
 include spectral.local
@@ -24,7 +24,7 @@ whitelist ${HOME}/.cache/ENCOM/Spectral
 whitelist ${HOME}/.config/ENCOM
 whitelist ${DOWNLOADS}
 include whitelist-common.inc
-include whitelist-runuser-common.inc 
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -50,4 +50,8 @@ private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,
 private-tmp
 dbus-user none
+# Comment the above line and uncomment below lines for notification popups
+# dbus-user filter
+# dbus-user.talk org.freedesktop.Notifications
+# dbus-user.talk org.kde.StatusNotifierWatcher
 dbus-system none
diff --git a/etc/profile-m-z/ssh.profile b/etc/profile-m-z/ssh.profile
index 78b12c2cb..d873a5672 100644
--- a/etc/profile-m-z/ssh.profile
+++ b/etc/profile-m-z/ssh.profile
@@ -34,7 +34,7 @@ nonewprivs
 # noroot - see issue #1543
 nosound
 notv
-# nou2f - OpenSSH >= 8.2 supports U2F 
+# nou2f - OpenSSH >= 8.2 supports U2F
 novideo
 protocol unix,inet,inet6
 seccomp
diff --git a/etc/profile-m-z/strawberry.profile b/etc/profile-m-z/strawberry.profile
index cd36c0d41..0801add28 100644
--- a/etc/profile-m-z/strawberry.profile
+++ b/etc/profile-m-z/strawberry.profile
@@ -21,7 +21,7 @@ include disable-xdg.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
-include whitelist-var-common.inc 
+include whitelist-var-common.inc
 apparmor
 caps.drop all
diff --git a/etc/profile-m-z/tar.profile b/etc/profile-m-z/tar.profile
index 5233f5e4e..f6efb0feb 100644
--- a/etc/profile-m-z/tar.profile
+++ b/etc/profile-m-z/tar.profile
@@ -13,9 +13,7 @@ noblacklist /var/lib/pacman
 ignore include disable-shell.inc
 include archiver-common.inc
-# support compressed archives
-private-bin awk,bash,bzip2,compress,firejail,grep,gtar,gzip,lbzip2,lzip,lzma,lzop,sh,tar,xz
 private-etc alternatives,group,localtime,login.defs,passwd
-private-lib libfakeroot,liblzma.so.*,libreadline.so.*
+#private-lib libfakeroot,liblzma.so.*,libreadline.so.*
 # Debian based distributions need this for 'dpkg --unpack' (incl. synaptic)
 writable-var
diff --git a/etc/profile-m-z/teams-for-linux.profile b/etc/profile-m-z/teams-for-linux.profile
index a13c92bc3..eee083332 100644
--- a/etc/profile-m-z/teams-for-linux.profile
+++ b/etc/profile-m-z/teams-for-linux.profile
@@ -4,33 +4,23 @@
 # Persistent local customizations
 include teams-for-linux.local
 # Persistent global definitions
-# added by included profile
+include globals.local
-#include globals.local
+# Disabled until someone reported positive feedback
+ignore include disable-xdg.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
 ignore dbus-user none
 ignore dbus-system none
 noblacklist ${HOME}/.config/teams-for-linux
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
 mkdir ${HOME}/.config/teams-for-linux
 whitelist ${HOME}/.config/teams-for-linux
-include whitelist-common.inc
-include whitelist-var-common.inc
-nou2f
-novideo
-shell none
-disable-mnt
 private-bin bash,cut,echo,egrep,grep,head,sed,sh,teams-for-linux,tr,xdg-mime,xdg-open,zsh
-private-cache
-private-dev
 private-etc ca-certificates,crypto-policies,fonts,ld.so.cache,localtime,machine-id,pki,resolv.conf,ssl
-private-tmp
 # Redirect
 include electron.profile
diff --git a/etc/profile-m-z/teams.profile b/etc/profile-m-z/teams.profile
index af1365571..c8d98cbaa 100644
--- a/etc/profile-m-z/teams.profile
+++ b/etc/profile-m-z/teams.profile
@@ -4,8 +4,14 @@
 # Persistent local customizations
 include teams.local
 # Persistent global definitions
-# added by included profile
+include globals.local
-#include globals.local
+# Disabled until someone reported positive feedback
+ignore include disable-xdg.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+ignore novideo
+ignore private-tmp
 # see #3404
 ignore apparmor
@@ -15,24 +21,10 @@ ignore dbus-system none
 noblacklist ${HOME}/.config/teams
 noblacklist ${HOME}/.config/Microsoft
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
 mkdir ${HOME}/.config/teams
 mkdir ${HOME}/.config/Microsoft
 whitelist ${HOME}/.config/teams
 whitelist ${HOME}/.config/Microsoft
-include whitelist-common.inc
-include whitelist-var-common.inc
-nou2f
-seccomp !chroot
-shell none
-disable-mnt
-private-cache
-private-dev
 # Redirect
 include electron.profile
diff --git a/etc/profile-m-z/twitch.profile b/etc/profile-m-z/twitch.profile
index 3c50344f1..2f573c872 100644
--- a/etc/profile-m-z/twitch.profile
+++ b/etc/profile-m-z/twitch.profile
@@ -6,31 +6,20 @@ include twitch.local
 # Persistent global definitions
 include globals.local
+# Disabled until someone reported positive feedback
+ignore nou2f
+ignore novideo
 noblacklist ${HOME}/.config/Twitch
-include disable-devel.inc
+include disable-shell.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-shell.inc 
-include disable-xdg.inc
 mkdir ${HOME}/.config/Twitch
 whitelist ${HOME}/.config/Twitch
-include whitelist-common.inc 
-include whitelist-runuser-common.inc 
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
-seccomp !chroot
-shell none
-disable-mnt
 private-bin twitch
-private-cache
-private-dev
 private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 private-opt Twitch
-private-tmp
 # Redirect
 include electron.profile
diff --git a/etc/profile-m-z/unzip.profile b/etc/profile-m-z/unzip.profile
index be480923e..8da9ea820 100644
--- a/etc/profile-m-z/unzip.profile
+++ b/etc/profile-m-z/unzip.profile
@@ -10,8 +10,6 @@ include globals.local
 # GNOME Shell integration (chrome-gnome-shell)
 noblacklist ${HOME}/.local/share/gnome-shell
-noroot
 include archiver-common.inc
-private-bin unzip
 private-etc alternatives,group,localtime,passwd
diff --git a/etc/profile-m-z/whalebird.profile b/etc/profile-m-z/whalebird.profile
index 187c49ed8..22a84274d 100644
--- a/etc/profile-m-z/whalebird.profile
+++ b/etc/profile-m-z/whalebird.profile
@@ -4,36 +4,24 @@
 # Persistent local customizations
 include whalebird.local
 # Persistent global definitions
-# added by included profile
+include globals.local
-#include globals.local
+# Disabled until someone reported positive feedback
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
 ignore dbus-user none
 ignore dbus-system none
 noblacklist ${HOME}/.config/Whalebird
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-xdg.inc
 mkdir ${HOME}/.config/Whalebird
 whitelist ${HOME}/.config/Whalebird
-include whitelist-common.inc
-include whitelist-var-common.inc
 no3d
-nou2f
-novideo
-protocol unix,inet,inet6
-shell none
-disable-mnt
 private-bin whalebird
-private-cache
-private-dev
 private-etc fonts,machine-id
-private-tmp
 # Redirect
 include electron.profile
diff --git a/etc/profile-m-z/wire-desktop.profile b/etc/profile-m-z/wire-desktop.profile
index d265c6bae..151cd2adb 100644
--- a/etc/profile-m-z/wire-desktop.profile
+++ b/etc/profile-m-z/wire-desktop.profile
@@ -4,33 +4,29 @@
 # Persistent local customizations
 include wire-desktop.local
 # Persistent global definitions
-# added by included profile
+include globals.local
-#include globals.local
 # Debian/Ubuntu use /opt/Wire. As that is not in PATH by default, run `firejail /opt/Wire/wire-desktop` to start it.
+# Disabled until someone reported positive feedback
+ignore include disable-exec.inc
+ignore include disable-xdg.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+ignore include whitelist-var-common.inc
+ignore novideo
+ignore private-cache
 ignore dbus-user none
 ignore dbus-system none
 noblacklist ${HOME}/.config/Wire
-include disable-devel.inc
-include disable-interpreters.inc
 mkdir ${HOME}/.config/Wire
 whitelist ${HOME}/.config/Wire
-include whitelist-common.inc
-nou2f
-ignore seccomp
-seccomp !chroot
-shell none
-disable-mnt
 private-bin bash,electron,electron[0-9],electron[0-9][0-9],env,sh,wire-desktop
-private-dev
 private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,resolv.conf,ssl
-private-tmp
 # Redirect
 include electron.profile
diff --git a/etc/profile-m-z/youtube.profile b/etc/profile-m-z/youtube.profile
index a6c7750a9..ad7ceaee4 100644
--- a/etc/profile-m-z/youtube.profile
+++ b/etc/profile-m-z/youtube.profile
@@ -6,32 +6,19 @@ include youtube.local
 # Persistent global definitions
 include globals.local
+# Disabled until someone reported positive feedback
+ignore nou2f
 noblacklist ${HOME}/.config/Youtube
-include disable-devel.inc
+include disable-shell.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-shell.inc 
-include disable-xdg.inc
 mkdir ${HOME}/.config/Youtube
 whitelist ${HOME}/.config/Youtube
-include whitelist-common.inc 
-include whitelist-runuser-common.inc 
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
-novideo
-seccomp !chroot
-shell none
-disable-mnt
 private-bin youtube
-private-cache
-private-dev
 private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 private-opt Youtube
-private-tmp
 # Redirect
 include electron.profile
diff --git a/etc/profile-m-z/youtubemusic-nativefier.profile b/etc/profile-m-z/youtubemusic-nativefier.profile
index 3a94a5707..74b0e38b9 100644
--- a/etc/profile-m-z/youtubemusic-nativefier.profile
+++ b/etc/profile-m-z/youtubemusic-nativefier.profile
@@ -8,31 +8,14 @@ include globals.local
 noblacklist ${HOME}/.config/youtubemusic-nativefier-040164
-include disable-devel.inc
+include disable-shell.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-shell.inc 
-include disable-xdg.inc
 mkdir ${HOME}/.config/youtubemusic-nativefier-040164
 whitelist ${HOME}/.config/youtubemusic-nativefier-040164
-include whitelist-common.inc 
-include whitelist-runuser-common.inc 
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
-nou2f
-novideo
-seccomp !chroot
-shell none
-disable-mnt
 private-bin youtubemusic-nativefier
-private-cache
-private-dev
 private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 private-opt youtubemusic-nativefier
-private-tmp
 # Redirect
 include electron.profile
diff --git a/etc/profile-m-z/ytmdesktop.profile b/etc/profile-m-z/ytmdesktop.profile
index 5c37b838b..ab46fccc2 100644
--- a/etc/profile-m-z/ytmdesktop.profile
+++ b/etc/profile-m-z/ytmdesktop.profile
@@ -10,30 +10,12 @@ ignore dbus-user none
 noblacklist ${HOME}/.config/youtube-music-desktop-app
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-xdg.inc
 mkdir ${HOME}/.config/youtube-music-desktop-app
 whitelist ${HOME}/.config/youtube-music-desktop-app
-include whitelist-common.inc 
-include whitelist-runuser-common.inc 
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
-nou2f
-novideo
-seccomp !chroot
-shell none
-disable-mnt
 # private-bin env,ytmdesktop
-private-cache
-private-dev
 private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
-# private-opt 
+# private-opt
-private-tmp
 # Redirect
 include electron.profile
diff --git a/etc/profile-m-z/zoom.profile b/etc/profile-m-z/zoom.profile
index 889e8c02e..e8cd64c93 100644
--- a/etc/profile-m-z/zoom.profile
+++ b/etc/profile-m-z/zoom.profile
@@ -6,16 +6,20 @@ include zoom.local
 # Persistent global definitions
 include globals.local
+# Disabled until someone reported positive feedback
+ignore apparmor
+ignore novideo
+ignore dbus-user none
+ignore dbus-system none
+# nogroups breaks webcam access on non-systemd systems (see #3711).
+# If you use such a system uncomment the line below or put 'ignore nogroups' in your zoom.local
+#ignore nogroups
 noblacklist ${HOME}/.config/zoomus.conf
 noblacklist ${HOME}/.zoom
-include disable-common.inc
+nowhitelist ${DOWNLOADS}
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-include disable-xdg.inc
 mkdir ${HOME}/.cache/zoom
 mkfile ${HOME}/.config/zoomus.conf
@@ -23,29 +27,9 @@ mkdir ${HOME}/.zoom
 whitelist ${HOME}/.cache/zoom
 whitelist ${HOME}/.config/zoomus.conf
 whitelist ${HOME}/.zoom
-include whitelist-common.inc
-include whitelist-runuser-common.inc
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
-caps.drop all
-netfilter
-nodvd
-# nogroups breaks webcam access on non-systemd systems (see #3711).
-# If you use such a system comment the line below or put 'ignore nogroups' in your zoom.local
-nogroups
-nonewprivs
-noroot
-notv
-nou2f
-protocol unix,inet,inet6,netlink
-seccomp !chroot
-shell none
-tracelog
-disable-mnt
-private-cache
-private-dev
 # Disable for now, see https://github.com/netblue30/firejail/issues/3726
 #private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl
-private-tmp
+# Redirect
+include electron.profile
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 3f1591cbd..23b1e364a 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -423,6 +423,7 @@ kwrite
 leafpad
 # less - breaks man
 libreoffice
+librewolf
 liferea
 lightsoff
 lincity-ng
@@ -462,6 +463,7 @@ mate-calculator
 mate-color-select
 mate-dictionary
 mathematica
+matrix-mirage
 mattermost-desktop
 mcabber
 mediainfo
@@ -473,6 +475,8 @@ mencoder
 mendeleydesktop
 menulibre
 meteo-qt
+microsoft-edge
+microsoft-edge-dev
 midori
 min
 mindless
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
index af891d61f..8c7c19203 100644
--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -360,43 +360,38 @@ void fs_private(void) {
        selinux_relabel_path("/root", "/root");
        fs_logger("tmpfs /root");
-        if (arg_allusers) {
+        // mask /home
-                if (u != 0)
+        if (!arg_allusers) {
-                        // mask user home directory
-                        // the directory should be owned by the current user
-                        fs_tmpfs(homedir, 1);
-        }
-        else { // mask /home
                if (arg_debug)
                        printf("Mounting a new /home directory\n");
                if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME,  "mode=755,gid=0") < 0)
                        errExit("mounting /home directory");
                selinux_relabel_path("/home", "/home");
                fs_logger("tmpfs /home");
+        }
-                if (u != 0) {
+        if (u != 0) {
-                        if (strncmp(homedir, "/home/", 6) == 0) {
+                if (!arg_allusers && strncmp(homedir, "/home/", 6) == 0) {
-                                // create /home/user
+                        // create new empty /home/user directory
-                                if (arg_debug)
+                        if (arg_debug)
-                                        printf("Create a new user directory\n");
+                                printf("Create a new user directory\n");
-                                if (mkdir(homedir, S_IRWXU) == -1) {
+                        if (mkdir(homedir, S_IRWXU) == -1) {
-                                        if (mkpath_as_root(homedir) == -1)
+                                if (mkpath_as_root(homedir) == -1)
-                                                errExit("mkpath");
+                                        errExit("mkpath");
-                                        if (mkdir(homedir, S_IRWXU) == -1 && errno != EEXIST)
+                                if (mkdir(homedir, S_IRWXU) == -1)
-                                                errExit("mkdir");
+                                        errExit("mkdir");
-                                }
-                                if (chown(homedir, u, g) < 0)
-                                        errExit("chown");
-                                selinux_relabel_path(homedir, homedir);
-                                fs_logger2("mkdir", homedir);
-                                fs_logger2("tmpfs", homedir);
                        }
-                        else
+                        if (chown(homedir, u, g) < 0)
-                                // mask user home directory
+                                errExit("chown");
-                                // the directory should be owned by the current user
-                                fs_tmpfs(homedir, 1);
+                        selinux_relabel_path(homedir, homedir);
+                        fs_logger2("mkdir", homedir);
+                        fs_logger2("tmpfs", homedir);
                }
+                else
+                        // mask user home directory
+                        // the directory should be owned by the current user
+                        fs_tmpfs(homedir, 1);
        }
        skel(homedir, u, g);
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 213d5c014..e5d8a4720 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -867,7 +867,8 @@ char *guess_shell(void) {
        shell = getenv("SHELL");
        if (shell) {
                invalid_filename(shell, 0); // no globbing
-                if (!is_dir(shell) && strstr(shell, "..") == NULL && stat(shell, &s) == 0 && access(shell, X_OK) == 0)
+                if (!is_dir(shell) && strstr(shell, "..") == NULL && stat(shell, &s) == 0 && access(shell, X_OK) == 0 &&
+                    strcmp(shell, PATH_FIREJAIL) != 0)
                        return shell;
        }
@@ -3029,8 +3030,15 @@ int main(int argc, char **argv, char **envp) {
                ptr += strlen(ptr);
                if (!arg_nogroups) {
+                        //  add firejail group
+                        gid_t g = get_group_id("firejail");
+                        if (g) {
+                                sprintf(ptr, "%d %d 1\n", g, g);
+                                ptr += strlen(ptr);
+                        }
                        //  add tty group
-                        gid_t g = get_group_id("tty");
+                        g = get_group_id("tty");
                        if (g) {
                                sprintf(ptr, "%d %d 1\n", g, g);
                                ptr += strlen(ptr);
diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c
index 22f36ef07..6c7803602 100644
--- a/src/firejail/no_sandbox.c
+++ b/src/firejail/no_sandbox.c
@@ -204,11 +204,12 @@ void run_no_sandbox(int argc, char **argv) {
                        break;
                }
        }
-        // if shell is /usr/bin/firejail, replace it with /bin/bash
-        if (strcmp(cfg.shell, PATH_FIREJAIL) == 0) {
+// if shell is /usr/bin/firejail, replace it with /bin/bash
-                cfg.shell = "/bin/bash";
+//      if (strcmp(cfg.shell, PATH_FIREJAIL) == 0) {
-                prog_index = 0;
+//              cfg.shell = "/bin/bash";
-        }
+//              prog_index = 0;
+//      }
        if (prog_index == 0) {
                assert(cfg.command_line == NULL); // runs cfg.shell
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index ff8b47102..1ee8cdfcb 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -619,6 +619,17 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 #endif
                return 0;
        }
+        else if (strncmp(ptr, "netns  ", 6) == 0) {
+#ifdef HAVE_NETWORK
+                if (checkcfg(CFG_NETWORK)) {
+                        arg_netns = ptr + 6;
+                        check_netns(arg_netns);
+                }
+                else
+                        warning_feature_disabled("networking");
+#endif
+                return 0;
+        }
        else if (strcmp(ptr, "net none") == 0) {
                arg_nonetwork  = 1;
                cfg.bridge0.configured = 0;
@@ -745,6 +756,12 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                                fprintf(stderr, "Error: invalid MAC address\n");
                                exit(1);
                        }
+                        // check multicast address
+                        if (br->macsandbox[0] & 1) {
+                                fprintf(stderr, "Error: invalid MAC address (multicast)\n");
+                                exit(1);
+                        }
                }
                else
                        warning_feature_disabled("networking");
diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c
index 84cbb1977..a5c924a70 100644
--- a/src/firejail/pulseaudio.c
+++ b/src/firejail/pulseaudio.c
@@ -31,6 +31,8 @@
 #define O_PATH 010000000
 #endif
+#define PULSE_CLIENT_SYSCONF "/etc/pulse/client.conf"
 // disable pulseaudio socket
 void pulseaudio_disable(void) {
        if (arg_debug)
@@ -73,8 +75,8 @@ void pulseaudio_disable(void) {
        closedir(dir);
 }
-static void pulseaudio_set_environment(const char *path) {
+static void pulseaudio_fallback(const char *path) {
-        assert(path);
+        fmessage("Cannot mount tmpfs on %s/.config/pulse\n", cfg.homedir);
        if (setenv("PULSE_CLIENTCONFIG", path, 1) < 0)
                errExit("setenv");
 }
@@ -84,9 +86,9 @@ void pulseaudio_init(void) {
        struct stat s;
        // do we have pulseaudio in the system?
-        if (stat("/etc/pulse/client.conf", &s) == -1) {
+        if (stat(PULSE_CLIENT_SYSCONF, &s) == -1) {
                if (arg_debug)
-                        printf("/etc/pulse/client.conf not found\n");
+                        printf("%s not found\n", PULSE_CLIENT_SYSCONF);
                return;
        }
@@ -101,7 +103,7 @@ void pulseaudio_init(void) {
        char *pulsecfg = NULL;
        if (asprintf(&pulsecfg, "%s/client.conf", RUN_PULSE_DIR) == -1)
                errExit("asprintf");
-        if (copy_file("/etc/pulse/client.conf", pulsecfg, -1, -1, 0644)) // root needed
+        if (copy_file(PULSE_CLIENT_SYSCONF, pulsecfg, -1, -1, 0644)) // root needed
                errExit("copy_file");
        FILE *fp = fopen(pulsecfg, "a");
        if (!fp)
@@ -126,11 +128,11 @@ void pulseaudio_init(void) {
        if (create_empty_dir_as_user(homeusercfg, 0700))
                fs_logger2("create", homeusercfg);
-        // if ~/.config/pulse now exists and there are no symbolic links, mount the new directory
+        // if ~/.config/pulse exists and there are no symbolic links, mount the new directory
        // else set environment variable
        int fd = safe_fd(homeusercfg, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
        if (fd == -1) {
-                pulseaudio_set_environment(pulsecfg);
+                pulseaudio_fallback(pulsecfg);
                goto out;
        }
        // confirm the actual mount destination is owned by the user
@@ -138,12 +140,12 @@ void pulseaudio_init(void) {
                if (errno != EACCES)
                        errExit("fstat");
                close(fd);
-                pulseaudio_set_environment(pulsecfg);
+                pulseaudio_fallback(pulsecfg);
                goto out;
        }
        if (s.st_uid != getuid()) {
                close(fd);
-                pulseaudio_set_environment(pulsecfg);
+                pulseaudio_fallback(pulsecfg);
                goto out;
        }
        // preserve a read-only mount
@@ -171,8 +173,9 @@ void pulseaudio_init(void) {
        char *p;
        if (asprintf(&p, "%s/client.conf", homeusercfg) == -1)
                errExit("asprintf");
+        if (setenv("PULSE_CLIENTCONFIG", p, 1) < 0)
+                errExit("setenv");
        fs_logger2("create", p);
-        pulseaudio_set_environment(p);
        free(p);
        // RUN_PULSE_DIR not needed anymore, mask it
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 991e5b2f2..d811fe45a 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -141,7 +141,7 @@ void set_apparmor(void) {
 }
 #endif
-void seccomp_debug(void) {
+static void seccomp_debug(void) {
        if (arg_debug == 0)
                return;
diff --git a/src/firejail/util.c b/src/firejail/util.c
index e8b35a64b..a3927cc88 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -29,7 +29,6 @@
 #include <sys/ioctl.h>
 #include <termios.h>
 #include <sys/wait.h>
-#include <sys/syscall.h>
 #include <limits.h>
 #include <fcntl.h>
@@ -37,6 +36,7 @@
 #define O_PATH 010000000
 #endif
+#include <sys/syscall.h>
 #ifdef __NR_openat2
 #include <linux/openat2.h>
 #endif
@@ -75,10 +75,11 @@ static void clean_supplementary_groups(gid_t gid) {
                goto clean_all;
        // clean supplementary group list
-        // allow only tty, audio, video, games
+        // allow only firejail, tty, audio, video, games
        gid_t new_groups[MAX_GROUPS];
        int new_ngroups = 0;
        char *allowed[] = {
+                "firejail",
                "tty",
                "audio",
                "video",
@@ -1012,12 +1013,8 @@ int create_empty_dir_as_user(const char *dir, mode_t mode) {
                                if (chmod(dir, mode) == -1)
                                        {;} // do nothing
                        }
-                        else if (arg_debug) {
+                        else if (arg_debug)
-                                char *str;
+                                printf("Directory %s not created: %s\n", dir, strerror(errno));
-                                if (asprintf(&str, "Directory %s not created", dir) == -1)
-                                        errExit("asprintf");
-                                perror(str);
-                        }
 #ifdef HAVE_GCOV
                        __gcov_flush();
 #endif
@@ -1164,12 +1161,12 @@ void disable_file_path(const char *path, const char *file) {
 // open an existing file without following any symbolic link
 int safe_fd(const char *path, int flags) {
+        flags |= O_NOFOLLOW;
        assert(path);
        if (*path != '/' || strstr(path, "..")) {
                fprintf(stderr, "Error: invalid path %s\n", path);
                exit(1);
        }
-        flags |= O_NOFOLLOW;
        int fd = -1;
 #ifdef __NR_openat2 // kernel 5.6 or better
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index e10abad4e..4872a5207 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -1368,7 +1368,7 @@ void fs_x11(void) {
 void x11_block(void) {
 #ifdef HAVE_X11
        // check abstract socket presence and network namespace options
-        if ((!arg_nonetwork && !cfg.bridge0.configured && !cfg.interface0.configured)
+        if ((!arg_nonetwork && !arg_netns && !cfg.bridge0.configured && !cfg.interface0.configured)
        && x11_abstract_sockets_present()) {
                fprintf(stderr, "ERROR: --x11=none specified, but abstract X11 socket still accessible.\n"
                        "Additional setup required. To block abstract X11 socket you can either:\n"
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 562b3eda3..347e2b31b 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -76,10 +76,10 @@ If an appropriate profile is not found, Firejail will use a default profile.
 The default profile is quite restrictive. In case the application doesn't work, use --noprofile option
 to disable it. For more information, please see \fBSECURITY PROFILES\fR section below.
 .PP
-If a program argument is not specified, Firejail starts /bin/bash shell.
+If a program argument is not specified, Firejail starts the user's preferred shell.
 Examples:
 .PP
-$ firejail [OPTIONS]                # starting a /bin/bash shell
+$ firejail [OPTIONS]                # starting the program specified in $SHELL, usually /bin/bash
 .PP
 $ firejail [OPTIONS] firefox        # starting Mozilla Firefox
 .PP
@@ -2476,7 +2476,7 @@ $ firejail \-\-shell=none script.sh
 \fB\-\-shell=program
 Set default user shell. Use this shell to run the application using \-c shell option.
 For example "firejail \-\-shell=/bin/dash firefox" will start Mozilla Firefox as "/bin/dash \-c firefox".
-By default Bash shell (/bin/bash) is used.
+By default the user's preferred shell is used.
 .br
 .br
@@ -3023,7 +3023,7 @@ We provide a tool that automates all this integration, please see \&\flfirecfg\f
 .SH EXAMPLES
 .TP
 \f\firejail
-Sandbox a regular /bin/bash session.
+Sandbox a regular shell session.
 .TP
 \f\firejail firefox
 Start Mozilla Firefox.
@@ -3043,7 +3043,7 @@ Start Firefox in a new network namespace. An IP address is
 assigned automatically.
 .TP
 \f\firejail \-\-net=br0 \-\-ip=10.10.20.5 \-\-net=br1 \-\-net=br2
-Start a /bin/bash session in a new network namespace and connect it
+Start a shell session in a new network namespace and connect it
 to br0, br1, and br2 host bridge devices. IP addresses are assigned
 automatically for the interfaces connected to br1 and b2
 #endif