116 files changed, 695 insertions, 309 deletions

diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml
new file mode 100644
index 000000000..1468ef898
--- /dev/null
+++ b/.github/workflows/build-extra.yml
@@ -0,0 +1,52 @@
+name: Build-extra CI
+
+on:   
+  push:
+    branches: [ master ]
+    paths-ignore:
+      - CONTRIBUTING.md
+      - README
+      - README.md
+      - RELNOTES
+      - SECURITY.md
+      - 'etc/**'
+  pull_request:
+    branches: [ master ]
+    paths-ignore:
+      - CONTRIBUTING.md
+      - README
+      - README.md
+      - RELNOTES
+      - SECURITY.md
+      - 'etc/**'
+        
+jobs:
+  build-clang:
+    if: ${{ ! contains(github.event.commits[0].message, '[skip ci]') }}
+    runs-on: ubuntu-20.04
+    steps:
+    - uses: actions/checkout@v2
+    - name: configure
+      run: CC=clang-10 ./configure --enable-fatal-warnings
+    - name: make
+      run: make
+  scan-build:
+    if: ${{ ! contains(github.event.commits[0].message, '[skip ci]') }}
+    runs-on: ubuntu-20.04
+    steps:
+    - uses: actions/checkout@v2
+    - name: install clang-tools-10
+      run: sudo apt-get install clang-tools-10
+    - name: configure
+      run: CC=clang-10 ./configure --enable-fatal-warnings
+    - name: scan-build
+      run: NO_EXTRA_CFLAGS="yes" scan-build-10 --status-bugs make
+  cppcheck:
+    if: ${{ ! contains(github.event.commits[0].message, '[skip ci]') }}
+    runs-on: ubuntu-20.04
+    steps:
+    - uses: actions/checkout@v2
+    - name: install cppcheck
+      run: sudo apt-get install cppcheck
+    - name: cppcheck
+      run: cppcheck -q --force --error-exitcode=1 --enable=warning,performance .
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 71cb7f0b4..99b8a3be5 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -3,11 +3,24 @@ name: Build CI
 on:
   push:
     branches: [ master ]
+    paths-ignore:
+      - CONTRIBUTING.md
+      - README
+      - README.md
+      - RELNOTES
+      - SECURITY.md
   pull_request:
     branches: [ master ]
+    paths-ignore:
+      - CONTRIBUTING.md
+      - README
+      - README.md
+      - RELNOTES
+      - SECURITY.md
 
 jobs:
   build_and_test:
+    if: ${{ ! contains(github.event.commits[0].message, '[skip ci]') }}
     runs-on: ubuntu-20.04
     steps:
     - uses: actions/checkout@v2
@@ -21,35 +34,3 @@ jobs:
       run: sudo make install
     - name: run tests
       run: SHELL=/bin/bash make test-github
-  build-clang:
-    runs-on: ubuntu-20.04
-    steps:
-    - uses: actions/checkout@v2
-    - name: configure
-      run: CC=clang-10 ./configure --enable-fatal-warnings
-    - name: make
-      run: make
-  scan-build:
-    runs-on: ubuntu-20.04
-    steps:
-    - uses: actions/checkout@v2
-    - name: install clang-tools-10
-      run: sudo apt-get install clang-tools-10
-    - name: configure
-      run: CC=clang-10 ./configure --enable-fatal-warnings
-    - name: scan-build
-      run: NO_EXTRA_CFLAGS="yes" scan-build-10 --status-bugs make
-  cppcheck:
-    runs-on: ubuntu-20.04
-    steps:
-    - uses: actions/checkout@v2
-    - name: install cppcheck
-      run: sudo apt-get install cppcheck
-    - name: cppcheck
-      run: cppcheck -q --force --error-exitcode=1 --enable=warning,performance .
-  profile-sort:
-    runs-on: ubuntu-20.04
-    steps:
-    - uses: actions/checkout@v2
-    - name: check profiles
-      run: ./contrib/sort.py etc/*/{*.inc,*.net,*.profile}
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index a37bbb5c7..301c7fad2 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -8,9 +8,23 @@ name: "CodeQL"
 on:
   push:
     branches: [master]
+    paths-ignore:
+      - CONTRIBUTING.md
+      - README
+      - README.md  
+      - RELNOTES
+      - SECURITY.md
+      - 'etc/**'
   pull_request:
     # The branches below must be a subset of the branches above
     branches: [master]
+    paths-ignore:
+      - CONTRIBUTING.md
+      - README
+      - README.md  
+      - RELNOTES
+      - SECURITY.md
+      - 'etc/**'
   schedule:
     - cron: '0 7 * * 2'
 
diff --git a/.github/workflows/sort.yml b/.github/workflows/sort.yml
new file mode 100644
index 000000000..55ac065b6
--- /dev/null
+++ b/.github/workflows/sort.yml
@@ -0,0 +1,21 @@
+name: sort.py
+
+on:    
+  push: 
+    branches: [ master ]
+    paths:
+      - 'etc/**'
+  pull_request:
+    branches: [ master ]
+    paths:
+      - 'etc/**'
+
+jobs:
+  profile-sort:
+    if: ${{ ! contains(github.event.commits[0].message, '[skip ci]') }}
+    runs-on: ubuntu-20.04
+    steps:
+    - uses: actions/checkout@v2
+    - name: check profiles
+      run: ./contrib/sort.py etc/*/{*.inc,*.profile}
+
diff --git a/README.md b/README.md
index cc50df2f7..6652a1e0a 100644
--- a/README.md
+++ b/README.md
@@ -194,4 +194,4 @@ Stats:
 
 ### New profiles:
 
-spectacle, chromium-browser-privacy
+spectacle, chromium-browser-privacy, gtk-straw-viewer, gtk-youtube-viewer, gtk2-youtube-viewer, gtk3-youtube-viewer, straw-viewer, lutris, dolphin-emu, authenticator-rs
diff --git a/RELNOTES b/RELNOTES
index 3cdea6d9d..9fa72d1d4 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,7 +1,11 @@
 firejail (0.9.65) baseline; urgency=low
   * allow --tmpfs inside $HOME for unprivileged users
-  *  --disable-usertmpfs  compile time option
-  * new profiles: spectacle, chromium-browser-privacy
+  * --disable-usertmpfs  compile time option
+  * allow AF_BLUETOOTH via --protocol=bluetooth
+  * new profiles: spectacle, chromium-browser-privacy, gtk-straw-viewer
+  * new profiles: gtk-youtube-viewer, gtk2-youtube-viewer, gtk3-youtube-viewer
+  * new profiles: straw-viewer, lutris, dolphin-emu, authenticator-rs
+
  -- netblue30 <netblue30@yahoo.com>  Wed, 21 Oct 2020 09:00:00 -0500
 
 firejail (0.9.64) baseline; urgency=low
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index 1268b4cd2..bf40457a2 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -280,6 +280,7 @@ read-only ${HOME}/.plan
 read-only ${HOME}/.profile
 read-only ${HOME}/.project
 read-only ${HOME}/.tcshrc
+read-only ${HOME}/.zfunc
 read-only ${HOME}/.zlogin
 read-only ${HOME}/.zlogout
 read-only ${HOME}/.zprofile
@@ -302,6 +303,7 @@ read-only ${HOME}/.exrc
 read-only ${HOME}/.gvimrc
 read-only ${HOME}/.homesick
 read-only ${HOME}/.iscreenrc
+read-only ${HOME}/.local/lib
 read-only ${HOME}/.local/share/cool-retro-term
 read-only ${HOME}/.mailcap
 read-only ${HOME}/.msmtprc
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 7e3c0b657..976c2dab9 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -200,6 +200,7 @@ blacklist ${HOME}/.config/discord
 blacklist ${HOME}/.config/discordcanary
 blacklist ${HOME}/.config/dkl
 blacklist ${HOME}/.config/dnox
+blacklist ${HOME}/.config/dolphin-emu
 blacklist ${HOME}/.config/dolphinrc
 blacklist ${HOME}/.config/dragonplayerrc
 blacklist ${HOME}/.config/draw.io
@@ -293,6 +294,7 @@ blacklist ${HOME}/.config/libreoffice
 blacklist ${HOME}/.config/liferea
 blacklist ${HOME}/.config/linphone
 blacklist ${HOME}/.config/lugaru
+blacklist ${HOME}/.config/lutris
 blacklist ${HOME}/.config/lximage-qt
 blacklist ${HOME}/.config/mailtransports
 blacklist ${HOME}/.local/share/man
@@ -378,6 +380,7 @@ blacklist ${HOME}/.config/spotify
 blacklist ${HOME}/.config/sqlitebrowser
 blacklist ${HOME}/.config/stellarium
 blacklist ${HOME}/.config/strawberry
+blacklist ${HOME}/.config/straw-viewer
 blacklist ${HOME}/.config/supertuxkart
 blacklist ${HOME}/.config/synfig
 blacklist ${HOME}/.config/teams
@@ -584,6 +587,7 @@ blacklist ${HOME}/.local/share/agenda
 blacklist ${HOME}/.local/share/apps/korganizer
 blacklist ${HOME}/.local/share/aspyr-media
 blacklist ${HOME}/.local/share/autokey
+blacklist ${HOME}/.local/share/authenticator-rs 
 blacklist ${HOME}/.local/share/backintime
 blacklist ${HOME}/.local/share/baloo
 blacklist ${HOME}/.local/share/barrier
@@ -603,6 +607,7 @@ blacklist ${HOME}/.local/share/data/nomacs
 blacklist ${HOME}/.local/share/data/qBittorrent
 blacklist ${HOME}/.local/share/dino
 blacklist ${HOME}/.local/share/dolphin
+blacklist ${HOME}/.local/share/dolphin-emu
 blacklist ${HOME}/.local/share/emailidentities
 blacklist ${HOME}/.local/share/epiphany
 blacklist ${HOME}/.local/share/evolution
@@ -661,6 +666,7 @@ blacklist ${HOME}/.local/share/local-mail
 blacklist ${HOME}/.local/share/lollypop
 blacklist ${HOME}/.local/share/love
 blacklist ${HOME}/.local/share/lugaru
+blacklist ${HOME}/.local/share/lutris
 blacklist ${HOME}/.local/share/mana
 blacklist ${HOME}/.local/share/maps-places.json
 blacklist ${HOME}/.local/share/meld
@@ -883,6 +889,7 @@ blacklist ${HOME}/.cache/deja-dup
 blacklist ${HOME}/.cache/discover
 blacklist ${HOME}/.cache/dnox
 blacklist ${HOME}/.cache/dolphin
+blacklist ${HOME}/.cache/dolphin-emu
 blacklist ${HOME}/.cache/ephemeral
 blacklist ${HOME}/.cache/epiphany
 blacklist ${HOME}/.cache/evolution
@@ -932,6 +939,7 @@ blacklist ${HOME}/.cache/kube
 blacklist ${HOME}/.cache/kwin
 blacklist ${HOME}/.cache/libgweather
 blacklist ${HOME}/.cache/liferea
+blacklist ${HOME}/.cache/lutris
 blacklist ${HOME}/.cache/Mendeley Ltd.
 blacklist ${HOME}/.cache/midori
 blacklist ${HOME}/.cache/minetest
@@ -972,6 +980,7 @@ blacklist ${HOME}/.cache/smuxi
 blacklist ${HOME}/.cache/snox
 blacklist ${HOME}/.cache/spotify
 blacklist ${HOME}/.cache/strawberry
+blacklist ${HOME}/.cache/straw-viewer
 blacklist ${HOME}/.cache/supertuxkart
 blacklist ${HOME}/.cache/systemsettings
 blacklist ${HOME}/.cache/telepathy
@@ -986,6 +995,7 @@ blacklist ${HOME}/.cache/vmware
 blacklist ${HOME}/.cache/warsow-2.1
 blacklist ${HOME}/.cache/waterfox
 blacklist ${HOME}/.cache/wesnoth
+blacklist ${HOME}/.cache/winetricks
 blacklist ${HOME}/.cache/xmms2
 blacklist ${HOME}/.cache/xreader
 blacklist ${HOME}/.cache/yandex-browser
diff --git a/etc/inc/disable-write-mnt.inc b/etc/inc/disable-write-mnt.inc
index 3990cf760..01f57cb0f 100644
--- a/etc/inc/disable-write-mnt.inc
+++ b/etc/inc/disable-write-mnt.inc
@@ -2,7 +2,7 @@
 # Persistent customizations should go in a .local file.
 include disable-write-mnt.local
 
-read-only /mnt
 read-only /media
-read-only /run/mount
+read-only /mnt
 read-only /run/media
+read-only /run/mount
diff --git a/etc/inc/firefox-common-addons.inc b/etc/inc/firefox-common-addons.inc
index 198941ac9..03f09fece 100644
--- a/etc/inc/firefox-common-addons.inc
+++ b/etc/inc/firefox-common-addons.inc
@@ -2,6 +2,8 @@
 # Persistent customizations should go in a .local file.
 include firefox-common-addons.local
 
+ignore include whitelist-runuser-common.inc
+
 noblacklist ${HOME}/.config/kgetrc
 noblacklist ${HOME}/.config/okularpartrc
 noblacklist ${HOME}/.config/okularrc
diff --git a/etc/inc/whitelist-runuser-common.inc b/etc/inc/whitelist-runuser-common.inc
index 7d9f106ef..d08d79eef 100644
--- a/etc/inc/whitelist-runuser-common.inc
+++ b/etc/inc/whitelist-runuser-common.inc
@@ -10,4 +10,5 @@ whitelist ${RUNUSER}/ICEauthority
 whitelist ${RUNUSER}/.mutter-Xwaylandauth.*
 whitelist ${RUNUSER}/pulse/native
 whitelist ${RUNUSER}/wayland-0
+whitelist ${RUNUSER}/wayland-1
 whitelist ${RUNUSER}/xauth_*
diff --git a/etc/inc/whitelist-usr-share-common.inc b/etc/inc/whitelist-usr-share-common.inc
index de4ae2101..785a1d7d4 100644
--- a/etc/inc/whitelist-usr-share-common.inc
+++ b/etc/inc/whitelist-usr-share-common.inc
@@ -60,6 +60,8 @@ whitelist /usr/share/texlive
 whitelist /usr/share/texmf
 whitelist /usr/share/themes
 whitelist /usr/share/thumbnail.so
+whitelist /usr/share/vulkan
 whitelist /usr/share/X11
 whitelist /usr/share/xml
+whitelist /usr/share/zenity
 whitelist /usr/share/zoneinfo
diff --git a/etc/profile-a-l/0ad.profile b/etc/profile-a-l/0ad.profile
index 6869ea631..c4e820078 100644
--- a/etc/profile-a-l/0ad.profile
+++ b/etc/profile-a-l/0ad.profile
@@ -16,6 +16,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 
 mkdir ${HOME}/.cache/0ad
 mkdir ${HOME}/.config/0ad
@@ -40,6 +41,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/authenticator-rs.profile b/etc/profile-a-l/authenticator-rs.profile
new file mode 100644
index 000000000..1eb802d9b
--- /dev/null
+++ b/etc/profile-a-l/authenticator-rs.profile
@@ -0,0 +1,55 @@
+# Firejail profile for authenticator-rs
+# Description: Rust based 2FA authentication program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include authenticator-rs.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/authenticator-rs 
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.local/share/authenticator-rs
+whitelist ${HOME}/.local/share/authenticator-rs 
+whitelist ${DOWNLOADS} 
+whitelist /usr/share/uk.co.grumlimited.authenticator-rs
+include whitelist-common.inc 
+include whitelist-runuser-common.inc 
+include whitelist-usr-share-common.inc 
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin authenticator-rs
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,pki,resolv.conf,ssl,xdg
+private-tmp
+
+dbus-user filter
+dbus-user.talk ca.desrt.dconf
+dbus-system none
diff --git a/etc/profile-a-l/baobab.profile b/etc/profile-a-l/baobab.profile
index 3937e1966..4401c9dfd 100644
--- a/etc/profile-a-l/baobab.profile
+++ b/etc/profile-a-l/baobab.profile
@@ -30,6 +30,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/bijiben.profile b/etc/profile-a-l/bijiben.profile
index c1c338536..dbde3e4de 100644
--- a/etc/profile-a-l/bijiben.profile
+++ b/etc/profile-a-l/bijiben.profile
@@ -41,6 +41,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/celluloid.profile b/etc/profile-a-l/celluloid.profile
index 8bf086ab4..56709a466 100644
--- a/etc/profile-a-l/celluloid.profile
+++ b/etc/profile-a-l/celluloid.profile
@@ -46,6 +46,7 @@ noroot
 nou2f
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/cower.profile b/etc/profile-a-l/cower.profile
index 0ab5a7f78..2c6b15e02 100644
--- a/etc/profile-a-l/cower.profile
+++ b/etc/profile-a-l/cower.profile
@@ -46,5 +46,4 @@ private-dev
 private-tmp
 
 memory-deny-write-execute
-
 read-only ${HOME}/.config/cower/config
diff --git a/etc/profile-a-l/dconf-editor.profile b/etc/profile-a-l/dconf-editor.profile
index d6541850d..b41a73916 100644
--- a/etc/profile-a-l/dconf-editor.profile
+++ b/etc/profile-a-l/dconf-editor.profile
@@ -35,6 +35,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/default.profile b/etc/profile-a-l/default.profile
index 7eb7660dd..2ecf1a45d 100644
--- a/etc/profile-a-l/default.profile
+++ b/etc/profile-a-l/default.profile
@@ -5,7 +5,7 @@ include default.local
 # Persistent global definitions
 include globals.local
 
-# generic gui profile
+# generic GUI profile
 # depending on your usage, you can enable some of the commands below:
 
 include disable-common.inc
@@ -14,12 +14,13 @@ include disable-common.inc
 # include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+# include disable-shell.inc
 # include disable-write-mnt.inc
 # include disable-xdg.inc
 
 # include whitelist-common.inc
-# include whitelist-usr-share-common.inc
 # include whitelist-runuser-common.inc
+# include whitelist-usr-share-common.inc
 # include whitelist-var-common.inc
 
 # apparmor
diff --git a/etc/profile-a-l/devhelp.profile b/etc/profile-a-l/devhelp.profile
index b8b07469d..a47a71feb 100644
--- a/etc/profile-a-l/devhelp.profile
+++ b/etc/profile-a-l/devhelp.profile
@@ -50,5 +50,4 @@ private-tmp
 # dbus-system none
 
 #memory-deny-write-execute - breaks on Arch (see issue #1803)
-
 read-only ${HOME}
diff --git a/etc/profile-a-l/devilspie.profile b/etc/profile-a-l/devilspie.profile
index 1ab10a6f6..7c3ac50ad 100644
--- a/etc/profile-a-l/devilspie.profile
+++ b/etc/profile-a-l/devilspie.profile
@@ -56,5 +56,4 @@ dbus-user none
 dbus-system none
 
 memory-deny-write-execute
-
 read-only ${HOME}
diff --git a/etc/profile-a-l/dia.profile b/etc/profile-a-l/dia.profile
index 52bf1c7f8..e409eb044 100644
--- a/etc/profile-a-l/dia.profile
+++ b/etc/profile-a-l/dia.profile
@@ -9,16 +9,24 @@ include globals.local
 noblacklist ${HOME}/.dia
 noblacklist ${DOCUMENTS}
 
+include allow-python2.inc
+include allow-python3.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
-include allow-python2.inc
-include allow-python3.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+#mkdir ${HOME}/.dia
+#whitelist ${HOME}/.dia
+#whitelist ${DOCUMENTS}
+#include whitelist-common.inc
+whitelist /usr/share/dia
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 apparmor
@@ -36,6 +44,7 @@ novideo
 protocol unix
 seccomp
 shell none
+tracelog
 
 disable-mnt
 #private-bin dia
diff --git a/etc/profile-a-l/dolphin-emu.profile b/etc/profile-a-l/dolphin-emu.profile
new file mode 100644
index 000000000..13d830b55
--- /dev/null
+++ b/etc/profile-a-l/dolphin-emu.profile
@@ -0,0 +1,63 @@
+# Firejail profile for dolphin-emu
+# Description: An emulator for Gamecube and Wii games
+# This file is overwritten after every install/update
+# Persistent local customizations
+include dolphin-emu.local
+# Persistent global definitions
+include globals.local
+
+# Note: you must whitelist your games folder in a dolphin-emu.local
+
+noblacklist ${HOME}/.cache/dolphin-emu
+noblacklist ${HOME}/.config/dolphin-emu
+noblacklist ${HOME}/.local/share/dolphin-emu
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/dolphin-emu
+mkdir ${HOME}/.config/dolphin-emu
+mkdir ${HOME}/.local/share/dolphin-emu
+whitelist ${HOME}/.cache/dolphin-emu
+whitelist ${HOME}/.config/dolphin-emu
+whitelist ${HOME}/.local/share/dolphin-emu
+whitelist /usr/share/dolphin-emu
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+# uncomment the following line if you do not need NetPlay support
+# net none
+netfilter
+# uncomment the following line if you do not need disc support
+#nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink,bluetooth
+seccomp
+shell none
+tracelog
+
+private-bin bash,dolphin-emu,dolphin-emu-x11,sh
+private-cache
+# uncomment the following line if you do not need controller support
+#private-dev
+private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dconf,drirc,fonts,gconf,glvnd,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,kde4rc,kde5rc,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,nvidia,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,Trolltech.conf,X11,xdg
+private-opt none
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/element-desktop.profile b/etc/profile-a-l/element-desktop.profile
index c1aa821e3..2d56369cd 100644
--- a/etc/profile-a-l/element-desktop.profile
+++ b/etc/profile-a-l/element-desktop.profile
@@ -8,12 +8,9 @@ include element-desktop.local
 #include globals.local
 
 noblacklist ${HOME}/.config/Element
-noblacklist ${HOME}/.config/Element (Riot)
 
 mkdir ${HOME}/.config/Element
-mkdir ${HOME}/.config/Element (Riot)
 whitelist ${HOME}/.config/Element
-whitelist ${HOME}/.config/Element (Riot)
 whitelist /opt/Element
 
 private-opt Element
diff --git a/etc/profile-a-l/eo-common.profile b/etc/profile-a-l/eo-common.profile
index e8b49a395..e059f3b74 100644
--- a/etc/profile-a-l/eo-common.profile
+++ b/etc/profile-a-l/eo-common.profile
@@ -27,6 +27,7 @@ apparmor
 caps.drop all
 ipc-namespace
 machine-id
+net none
 no3d
 nodvd
 nogroups
@@ -38,6 +39,7 @@ nou2f
 novideo
 protocol unix,netlink
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/evince.profile b/etc/profile-a-l/evince.profile
index 77a48f0ba..c0c16e929 100644
--- a/etc/profile-a-l/evince.profile
+++ b/etc/profile-a-l/evince.profile
@@ -41,6 +41,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/falkon.profile b/etc/profile-a-l/falkon.profile
index 0024b6660..640b0e485 100644
--- a/etc/profile-a-l/falkon.profile
+++ b/etc/profile-a-l/falkon.profile
@@ -15,15 +15,20 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 
 mkdir ${HOME}/.cache/falkon
 mkdir ${HOME}/.config/falkon
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/falkon
 whitelist ${HOME}/.config/falkon
+whitelist /usr/share/falkon
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 netfilter
 nodvd
@@ -37,7 +42,13 @@ protocol unix,inet,inet6,netlink
 seccomp !chroot
 # tracelog
 
+disable-mnt
+# private-bin falkon
+private-cache
 private-dev
-# private-etc alternatives,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,adobe,mime.types,mailcap,asound.conf,pulse,machine-id,ca-certificates,ssl,pki,crypto-policies
-# private-tmp - interferes with the opening of downloaded files
+private-etc adobe,alternatives,asound.conf,ati,ca-certificates,crypto-policies,dconf,drirc,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg
+private-tmp
 
+# dbus-user filter
+# dbus-user.own org.kde.Falkon
+dbus-system none
diff --git a/etc/profile-a-l/ffmpeg.profile b/etc/profile-a-l/ffmpeg.profile
index fb5c9ee57..c6e9ba095 100644
--- a/etc/profile-a-l/ffmpeg.profile
+++ b/etc/profile-a-l/ffmpeg.profile
@@ -41,6 +41,7 @@ novideo
 protocol inet,inet6
 # allow set_mempolicy, which is required to encode using libx265
 seccomp !set_mempolicy
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/file-roller.profile b/etc/profile-a-l/file-roller.profile
index 745b8b8e9..2a1eb2001 100644
--- a/etc/profile-a-l/file-roller.profile
+++ b/etc/profile-a-l/file-roller.profile
@@ -34,6 +34,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/firefox-common.profile b/etc/profile-a-l/firefox-common.profile
index 7c343c26d..fe0a27828 100644
--- a/etc/profile-a-l/firefox-common.profile
+++ b/etc/profile-a-l/firefox-common.profile
@@ -27,6 +27,7 @@ whitelist ${DOWNLOADS}
 whitelist ${HOME}/.pki
 whitelist ${HOME}/.local/share/pki
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
 apparmor
diff --git a/etc/profile-a-l/firefox.profile b/etc/profile-a-l/firefox.profile
index 3472ac5c4..772aad7da 100644
--- a/etc/profile-a-l/firefox.profile
+++ b/etc/profile-a-l/firefox.profile
@@ -16,6 +16,7 @@ whitelist ${HOME}/.mozilla
 
 whitelist /usr/share/doc
 whitelist /usr/share/firefox
+whitelist /usr/share/gnome-shell/search-providers/firefox-search-provider.ini
 whitelist /usr/share/gtk-doc/html
 whitelist /usr/share/mozilla
 whitelist /usr/share/webext
@@ -29,6 +30,7 @@ include whitelist-usr-share-common.inc
 #private-etc firefox
 
 dbus-user filter
+dbus-user.own org.mozilla.Firefox.*
 dbus-user.own org.mozilla.firefox.*
 dbus-user.own org.mpris.MediaPlayer2.firefox.*
 # Uncomment or put in your firefox.local to enable native notifications.
diff --git a/etc/profile-a-l/flameshot.profile b/etc/profile-a-l/flameshot.profile
index 357354e70..851a7c747 100644
--- a/etc/profile-a-l/flameshot.profile
+++ b/etc/profile-a-l/flameshot.profile
@@ -45,6 +45,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/frogatto.profile b/etc/profile-a-l/frogatto.profile
index 653272499..23d259337 100644
--- a/etc/profile-a-l/frogatto.profile
+++ b/etc/profile-a-l/frogatto.profile
@@ -36,6 +36,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/gapplication.profile b/etc/profile-a-l/gapplication.profile
index 74b468020..e339f6abb 100644
--- a/etc/profile-a-l/gapplication.profile
+++ b/etc/profile-a-l/gapplication.profile
@@ -38,6 +38,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 x11 none
diff --git a/etc/profile-a-l/gedit.profile b/etc/profile-a-l/gedit.profile
index 17b7ad563..30251fbe5 100644
--- a/etc/profile-a-l/gedit.profile
+++ b/etc/profile-a-l/gedit.profile
@@ -37,6 +37,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/geekbench.profile b/etc/profile-a-l/geekbench.profile
index e06a9afad..77287769a 100644
--- a/etc/profile-a-l/geekbench.profile
+++ b/etc/profile-a-l/geekbench.profile
@@ -51,5 +51,4 @@ dbus-user none
 dbus-system none
 
 #memory-deny-write-execute - breaks on Arch (see issue #1803)
-
 read-only ${HOME}
diff --git a/etc/profile-a-l/gfeeds.profile b/etc/profile-a-l/gfeeds.profile
index d97ab530b..b8d1b9608 100644
--- a/etc/profile-a-l/gfeeds.profile
+++ b/etc/profile-a-l/gfeeds.profile
@@ -49,6 +49,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/ghostwriter.profile b/etc/profile-a-l/ghostwriter.profile
index 5bb410278..d56d6714e 100644
--- a/etc/profile-a-l/ghostwriter.profile
+++ b/etc/profile-a-l/ghostwriter.profile
@@ -11,6 +11,8 @@ noblacklist ${HOME}/.local/share/ghostwriter
 noblacklist ${DOCUMENTS}
 noblacklist ${PICTURES}
 
+include allow-lua.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -26,6 +28,7 @@ whitelist /usr/share/texlive
 whitelist /usr/share/pandoc*
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
 
 apparmor
 caps.drop all
@@ -41,6 +44,7 @@ nou2f
 novideo
 protocol unix,inet,inet6,netlink
 seccomp !chroot
+seccomp.block-secondary
 shell none
 #tracelog -- breaks
 
diff --git a/etc/profile-a-l/gimp.profile b/etc/profile-a-l/gimp.profile
index ed27de7f5..bc5ef966c 100644
--- a/etc/profile-a-l/gimp.profile
+++ b/etc/profile-a-l/gimp.profile
@@ -52,7 +52,7 @@ nosound
 notv
 nou2f
 protocol unix
-seccomp
+seccomp !mbind
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/gitg.profile b/etc/profile-a-l/gitg.profile
index 71b8e9b11..3d80c1ed2 100644
--- a/etc/profile-a-l/gitg.profile
+++ b/etc/profile-a-l/gitg.profile
@@ -45,6 +45,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/gnome-calculator.profile b/etc/profile-a-l/gnome-calculator.profile
index ceb01f2a0..7780dfa65 100644
--- a/etc/profile-a-l/gnome-calculator.profile
+++ b/etc/profile-a-l/gnome-calculator.profile
@@ -38,6 +38,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/gnome-calendar.profile b/etc/profile-a-l/gnome-calendar.profile
index 3e815234c..9927fb869 100644
--- a/etc/profile-a-l/gnome-calendar.profile
+++ b/etc/profile-a-l/gnome-calendar.profile
@@ -36,6 +36,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/gnome-characters.profile b/etc/profile-a-l/gnome-characters.profile
index f4f3ae2d7..4d53a67dd 100644
--- a/etc/profile-a-l/gnome-characters.profile
+++ b/etc/profile-a-l/gnome-characters.profile
@@ -39,6 +39,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/gnome-contacts.profile b/etc/profile-a-l/gnome-contacts.profile
index 7a38bdc8a..03b89e394 100644
--- a/etc/profile-a-l/gnome-contacts.profile
+++ b/etc/profile-a-l/gnome-contacts.profile
@@ -32,6 +32,7 @@ nou2f
 novideo
 protocol unix,inet,inet6,netlink
 seccomp
+seccomp.block-secondary
 
 disable-mnt
 private-dev
diff --git a/etc/profile-a-l/gnome-hexgl.profile b/etc/profile-a-l/gnome-hexgl.profile
index 5ae7bbe01..bb5ef0eab 100644
--- a/etc/profile-a-l/gnome-hexgl.profile
+++ b/etc/profile-a-l/gnome-hexgl.profile
@@ -33,6 +33,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/gnome-keyring.profile b/etc/profile-a-l/gnome-keyring.profile
index ecbb74158..a0b9ef04e 100644
--- a/etc/profile-a-l/gnome-keyring.profile
+++ b/etc/profile-a-l/gnome-keyring.profile
@@ -9,8 +9,6 @@ include globals.local
 
 noblacklist ${HOME}/.gnupg
 
-whitelist ${HOME}/.gnupg
-whitelist ${DOWNLOADS}
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -19,9 +17,15 @@ include disable-interpreters.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+mkdir ${HOME}/.gnupg
+whitelist ${HOME}/.gnupg
+whitelist ${DOWNLOADS}
+whitelist ${RUNUSER}/gnupg
+whitelist ${RUNUSER}/keyring
 whitelist /usr/share/gnupg
 whitelist /usr/share/gnupg2
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
@@ -41,6 +45,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
@@ -52,6 +57,6 @@ private-dev
 private-tmp
 
 # dbus-user none
-# dbus-system none
+dbus-system none
 
 memory-deny-write-execute
diff --git a/etc/profile-a-l/gnome-latex.profile b/etc/profile-a-l/gnome-latex.profile
index 11d184bc6..87376da40 100644
--- a/etc/profile-a-l/gnome-latex.profile
+++ b/etc/profile-a-l/gnome-latex.profile
@@ -41,6 +41,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/gnome-maps.profile b/etc/profile-a-l/gnome-maps.profile
index eb0030dda..23629df95 100644
--- a/etc/profile-a-l/gnome-maps.profile
+++ b/etc/profile-a-l/gnome-maps.profile
@@ -54,6 +54,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/gnome-passwordsafe.profile b/etc/profile-a-l/gnome-passwordsafe.profile
index ed430b654..073de47b9 100644
--- a/etc/profile-a-l/gnome-passwordsafe.profile
+++ b/etc/profile-a-l/gnome-passwordsafe.profile
@@ -43,6 +43,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/gnome-photos.profile b/etc/profile-a-l/gnome-photos.profile
index 2af406af9..65cc23b5f 100644
--- a/etc/profile-a-l/gnome-photos.profile
+++ b/etc/profile-a-l/gnome-photos.profile
@@ -33,6 +33,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/gnome-screenshot.profile b/etc/profile-a-l/gnome-screenshot.profile
index 82fb1b658..2534eed5a 100644
--- a/etc/profile-a-l/gnome-screenshot.profile
+++ b/etc/profile-a-l/gnome-screenshot.profile
@@ -35,6 +35,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/gnome-sound-recorder.profile b/etc/profile-a-l/gnome-sound-recorder.profile
index a64ec25a9..2e063ebfe 100644
--- a/etc/profile-a-l/gnome-sound-recorder.profile
+++ b/etc/profile-a-l/gnome-sound-recorder.profile
@@ -33,6 +33,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/gnome-system-log.profile b/etc/profile-a-l/gnome-system-log.profile
index 14b0f758e..9c0a26a02 100644
--- a/etc/profile-a-l/gnome-system-log.profile
+++ b/etc/profile-a-l/gnome-system-log.profile
@@ -53,7 +53,6 @@ writable-var-log
 # dbus-system none
 
 memory-deny-write-execute
-
-# comment this if you export logs to a file in your ${HOME}
+# Comment the line below if you export logs to a file in your ${HOME}
 # or put 'ignore read-only ${HOME}' in your gnome-system-log.local
 read-only ${HOME}
diff --git a/etc/profile-a-l/gnome-weather.profile b/etc/profile-a-l/gnome-weather.profile
index a181f1b9e..beed92a7d 100644
--- a/etc/profile-a-l/gnome-weather.profile
+++ b/etc/profile-a-l/gnome-weather.profile
@@ -37,6 +37,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/gnome_games-common.profile b/etc/profile-a-l/gnome_games-common.profile
index c46fbc1d9..56ed7a436 100644
--- a/etc/profile-a-l/gnome_games-common.profile
+++ b/etc/profile-a-l/gnome_games-common.profile
@@ -34,6 +34,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/godot.profile b/etc/profile-a-l/godot.profile
index 8324a4eb5..f37f345ba 100644
--- a/etc/profile-a-l/godot.profile
+++ b/etc/profile-a-l/godot.profile
@@ -38,7 +38,7 @@ tracelog
 # private-bin godot
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,machine-id,nsswitch.conf,openal,pki,pulse,resolv.conf,ssl
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,machine-id,mono,nsswitch.conf,openal,pki,pulse,resolv.conf,ssl
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/gtk-straw-viewer.profile b/etc/profile-a-l/gtk-straw-viewer.profile
new file mode 100644
index 000000000..e2721360b
--- /dev/null
+++ b/etc/profile-a-l/gtk-straw-viewer.profile
@@ -0,0 +1,14 @@
+# Firejail profile for gtk-straw-viewer
+# Description: Gtk front-end to straw-viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gtk-straw-viewer.local
+# added by included profile
+#include globals.local
+
+ignore quiet
+
+include whitelist-runuser-common.inc
+
+# Redirect
+include straw-viewer.profile
diff --git a/etc/profile-a-l/gtk-youtube-viewer b/etc/profile-a-l/gtk-youtube-viewer.profile
index 023f10d3d..848979b52 100644
--- a/etc/profile-a-l/gtk-youtube-viewer
+++ b/etc/profile-a-l/gtk-youtube-viewer.profile
@@ -3,16 +3,12 @@
 # This file is overwritten after every install/update
 # Persistent local customizations
 include gtk-youtube-viewer.local
-# Persistent global definitions
-# include globals.local
+# added by included profile
+#include globals.local
 
 ignore quiet
 
-noblacklist /tmp/.X11-unix
-noblacklist ${RUNUSER}/wayland-*
-noblacklist ${RUNUSER}
-
 include whitelist-runuser-common.inc
 
 # Redirect
-include youtube-viewer.profile
\ No newline at end of file
+include youtube-viewer.profile
diff --git a/etc/profile-a-l/gtk2-youtube-viewer b/etc/profile-a-l/gtk2-youtube-viewer.profile
index 331e73218..dccadcf2e 100644
--- a/etc/profile-a-l/gtk2-youtube-viewer
+++ b/etc/profile-a-l/gtk2-youtube-viewer.profile
@@ -3,8 +3,8 @@
 # This file is overwritten after every install/update
 # Persistent local customizations
 include gtk2-youtube-viewer.local
-# Persistent global definitions
-# include globals.local
+# added by included profile
+#include globals.local
 
 ignore quiet
 
@@ -15,4 +15,4 @@ noblacklist ${RUNUSER}
 include whitelist-runuser-common.inc
 
 # Redirect
-include youtube-viewer.profile
\ No newline at end of file
+include youtube-viewer.profile
diff --git a/etc/profile-a-l/gtk3-youtube-viewer b/etc/profile-a-l/gtk3-youtube-viewer.profile
index 4c5bde55f..3d91e284d 100644
--- a/etc/profile-a-l/gtk3-youtube-viewer
+++ b/etc/profile-a-l/gtk3-youtube-viewer.profile
@@ -3,8 +3,8 @@
 # This file is overwritten after every install/update
 # Persistent local customizations
 include gtk3-youtube-viewer.local
-# Persistent global definitions
-# include globals.local
+# added by included profile
+#include globals.local
 
 ignore quiet
 
@@ -15,4 +15,4 @@ noblacklist ${RUNUSER}
 include whitelist-runuser-common.inc
 
 # Redirect
-include youtube-viewer.profile
\ No newline at end of file
+include youtube-viewer.profile
diff --git a/etc/profile-a-l/gucharmap.profile b/etc/profile-a-l/gucharmap.profile
index c0254b5ec..3df42d209 100644
--- a/etc/profile-a-l/gucharmap.profile
+++ b/etc/profile-a-l/gucharmap.profile
@@ -35,6 +35,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/keepassxc.profile b/etc/profile-a-l/keepassxc.profile
index 06447c3e6..58db056b2 100644
--- a/etc/profile-a-l/keepassxc.profile
+++ b/etc/profile-a-l/keepassxc.profile
@@ -55,6 +55,7 @@ nou2f
 novideo
 protocol unix,netlink
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/libreoffice.profile b/etc/profile-a-l/libreoffice.profile
index f9c92f6f6..031f0e19f 100644
--- a/etc/profile-a-l/libreoffice.profile
+++ b/etc/profile-a-l/libreoffice.profile
@@ -43,6 +43,8 @@ shell none
 # comment tracelog when using the ubuntu 18.04/debian 10 apparmor profile
 tracelog
 
+#private-bin libreoffice,sh,uname,dirname,grep,sed,basename,ls
+private-cache
 private-dev
 private-tmp
 
diff --git a/etc/profile-a-l/lutris.profile b/etc/profile-a-l/lutris.profile
new file mode 100644
index 000000000..652f571bb
--- /dev/null
+++ b/etc/profile-a-l/lutris.profile
@@ -0,0 +1,74 @@
+# Firejail profile for lutris
+# Description: Multi-library game handler with special support for Wine
+# This file is overwritten after every install/update
+# Persistent local customizations
+include lutris.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${PATH}/llvm*
+noblacklist ${HOME}/Games
+noblacklist ${HOME}/.cache/lutris
+noblacklist ${HOME}/.cache/winetricks
+noblacklist ${HOME}/.config/lutris
+noblacklist ${HOME}/.local/share/lutris
+# noblacklist ${HOME}/.wine
+noblacklist /tmp/.wine-*
+
+ignore noexec ${HOME}
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/Games
+mkdir ${HOME}/.cache/lutris
+mkdir ${HOME}/.cache/winetricks
+mkdir ${HOME}/.config/lutris
+mkdir ${HOME}/.local/share/lutris
+# mkdir ${HOME}/.wine
+whitelist ${HOME}/Downloads
+whitelist ${HOME}/Games
+whitelist ${HOME}/.cache/lutris
+whitelist ${HOME}/.cache/winetricks
+whitelist ${HOME}/.config/lutris
+whitelist ${HOME}/.local/share/lutris
+# whitelist ${HOME}/.wine
+whitelist /usr/share/lutris
+whitelist /usr/share/wine
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+
+# allow-debuggers
+# apparmor
+caps.drop all
+ipc-namespace
+# net none
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+# uncomment the following line if you do not need controller support
+# private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/lyx.profile b/etc/profile-a-l/lyx.profile
index b2c0afbe7..ffde057d5 100644
--- a/etc/profile-a-l/lyx.profile
+++ b/etc/profile-a-l/lyx.profile
@@ -27,7 +27,7 @@ apparmor
 machine-id
 
 # private-bin atril,dvilualatex,env,latex,lua*,luatex,lyx,lyxclient,okular,pdf2latex,pdflatex,pdftex,perl*,python*,qpdf,qpdfview,sh,tex2lyx,texmf,xelatex
-private-etc alternatives,dconf,fonts,gtk-2.0,gtk-3.0,locale,locale.alias,locale.conf,lyx,mime.types,passwd,texmf,X11,xdg
+private-etc alternatives,dconf,fonts,gtk-2.0,gtk-3.0,locale,locale.alias,locale.conf,lyx,machine-id,mime.types,passwd,texmf,X11,xdg
 
 # Redirect
 include latex-common.profile
diff --git a/etc/profile-m-z/QMediathekView.profile b/etc/profile-m-z/QMediathekView.profile
index 589dcfeb6..5ab302218 100644
--- a/etc/profile-m-z/QMediathekView.profile
+++ b/etc/profile-m-z/QMediathekView.profile
@@ -53,7 +53,7 @@ private-cache
 private-dev
 private-tmp
 
-# dbus-user none
-# dbus-system none
+dbus-user none
+dbus-system none
 
 #memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/profile-m-z/megaglest.profile b/etc/profile-m-z/megaglest.profile
index 19f9edf05..37ac9e304 100644
--- a/etc/profile-m-z/megaglest.profile
+++ b/etc/profile-m-z/megaglest.profile
@@ -14,6 +14,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.megaglest
@@ -37,6 +38,7 @@ nou2f
 novideo
 protocol unix,inet,inet6,netlink
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-m-z/meld.profile b/etc/profile-m-z/meld.profile
index 385700648..6ceeb867f 100644
--- a/etc/profile-m-z/meld.profile
+++ b/etc/profile-m-z/meld.profile
@@ -62,6 +62,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-m-z/menulibre.profile b/etc/profile-m-z/menulibre.profile
index 3468bc22d..c70090a25 100644
--- a/etc/profile-m-z/menulibre.profile
+++ b/etc/profile-m-z/menulibre.profile
@@ -44,6 +44,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-m-z/minetest.profile b/etc/profile-m-z/minetest.profile
index a22d2c2e3..666af323d 100644
--- a/etc/profile-m-z/minetest.profile
+++ b/etc/profile-m-z/minetest.profile
@@ -47,12 +47,14 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
 disable-mnt
-private-bin minetest
-private-cache
+private-bin minetest,rm
+# cache is used for storing assets when connecting to servers
+#private-cache
 private-dev
 # private-etc needs to be updated, see #1702
 #private-etc alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl
diff --git a/etc/profile-m-z/mpv.profile b/etc/profile-m-z/mpv.profile
index 389b64535..ce3bfe421 100644
--- a/etc/profile-m-z/mpv.profile
+++ b/etc/profile-m-z/mpv.profile
@@ -67,6 +67,7 @@ noroot
 nou2f
 protocol unix,inet,inet6,netlink
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-m-z/ostrichriders.profile b/etc/profile-m-z/ostrichriders.profile
index cc44d5a48..3bfda7946 100644
--- a/etc/profile-m-z/ostrichriders.profile
+++ b/etc/profile-m-z/ostrichriders.profile
@@ -42,7 +42,7 @@ tracelog
 disable-mnt
 private-bin ostrichriders
 private-cache
-# private-dev should be commented for controllers
+# comment the following line if you need controller support
 private-dev
 private-tmp
 
diff --git a/etc/profile-m-z/patch.profile b/etc/profile-m-z/patch.profile
index 8663fb453..6cbaa66ad 100644
--- a/etc/profile-m-z/patch.profile
+++ b/etc/profile-m-z/patch.profile
@@ -37,6 +37,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 x11 none
diff --git a/etc/profile-m-z/pdftotext.profile b/etc/profile-m-z/pdftotext.profile
index eee42424f..2a7d0cec1 100644
--- a/etc/profile-m-z/pdftotext.profile
+++ b/etc/profile-m-z/pdftotext.profile
@@ -13,6 +13,7 @@ noblacklist ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -40,6 +41,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 x11 none
diff --git a/etc/profile-m-z/peek.profile b/etc/profile-m-z/peek.profile
index 28a7da404..710a533a9 100644
--- a/etc/profile-m-z/peek.profile
+++ b/etc/profile-m-z/peek.profile
@@ -41,6 +41,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-m-z/pngquant.profile b/etc/profile-m-z/pngquant.profile
index 83905b108..3513e91cc 100644
--- a/etc/profile-m-z/pngquant.profile
+++ b/etc/profile-m-z/pngquant.profile
@@ -7,6 +7,8 @@ include pngquant.local
 # Persistent global definitions
 include globals.local
 
+noblacklist ${PICTURES}
+
 blacklist ${RUNUSER}/wayland-*
 
 include disable-common.inc
@@ -16,6 +18,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
+include disable-xdg.inc
 
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/ppsspp.profile b/etc/profile-m-z/ppsspp.profile
index c62e53151..c71553bcd 100644
--- a/etc/profile-m-z/ppsspp.profile
+++ b/etc/profile-m-z/ppsspp.profile
@@ -32,7 +32,7 @@ protocol unix,netlink
 seccomp
 shell none
 
-# private-dev is disabled to allow controller support
+# uncomment the following line if you do not need controller support
 #private-dev
 private-etc alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl
 private-opt ppsspp
diff --git a/etc/profile-m-z/rhythmbox.profile b/etc/profile-m-z/rhythmbox.profile
index f906ec31d..9fb7dc713 100644
--- a/etc/profile-m-z/rhythmbox.profile
+++ b/etc/profile-m-z/rhythmbox.profile
@@ -45,10 +45,12 @@ nou2f
 novideo
 protocol unix,inet,inet6,netlink
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
 private-bin rhythmbox,rhythmbox-client
+private-cache
 private-dev
 private-tmp
 
@@ -57,6 +59,7 @@ dbus-user.own org.gnome.Rhythmbox3
 dbus-user.own org.mpris.MediaPlayer2.rhythmbox
 dbus-user.own org.gnome.UPnP.MediaServer2.Rhythmbox
 dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.gtk.vfs.*
 dbus-user.talk org.freedesktop.Notifications
 dbus-user.talk org.gnome.SettingsDaemon.MediaKeys
 dbus-system filter
diff --git a/etc/profile-m-z/shellcheck.profile b/etc/profile-m-z/shellcheck.profile
index 6cd70c2ea..c67a88161 100644
--- a/etc/profile-m-z/shellcheck.profile
+++ b/etc/profile-m-z/shellcheck.profile
@@ -40,6 +40,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 x11 none
diff --git a/etc/profile-m-z/sqlitebrowser.profile b/etc/profile-m-z/sqlitebrowser.profile
index cdb20b4e0..110434736 100644
--- a/etc/profile-m-z/sqlitebrowser.profile
+++ b/etc/profile-m-z/sqlitebrowser.profile
@@ -18,6 +18,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
@@ -35,6 +36,7 @@ nou2f
 novideo
 protocol unix,inet,inet6,netlink
 seccomp
+seccomp.block-secondary
 shell none
 
 private-bin sqlitebrowser
diff --git a/etc/profile-m-z/steam.profile b/etc/profile-m-z/steam.profile
index 7292f189c..adf9c9317 100644
--- a/etc/profile-m-z/steam.profile
+++ b/etc/profile-m-z/steam.profile
@@ -109,7 +109,7 @@ shell none
 # picture viewers are needed for viewing screenshots
 #private-bin eog,eom,gthumb,pix,viewnior,xviewer
 
-# private-dev should be commented for controllers
+# comment the following line if you need controller support
 private-dev
 # private-etc breaks a small selection of games on some systems, comment to support those
 private-etc alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,lsb-release,machine-id,mime.types,nvidia,os-release,passwd,pki,pulse,resolv.conf,services,ssl
diff --git a/etc/profile-m-z/straw-viewer.profile b/etc/profile-m-z/straw-viewer.profile
new file mode 100644
index 000000000..721ad38ee
--- /dev/null
+++ b/etc/profile-m-z/straw-viewer.profile
@@ -0,0 +1,58 @@
+# Firejail profile for straw-viewer
+# Description: Fork of youtube-viewer acts like an invidious frontend
+quiet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include straw-viewer.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/straw-viewer
+noblacklist ${HOME}/.config/straw-viewer
+
+include allow-lua.inc
+include allow-perl.inc
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/straw-viewer
+mkdir ${HOME}/.cache/straw-viewer
+whitelist ${HOME}/.cache/straw-viewer
+whitelist ${HOME}/.config/straw-viewer
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin bash,ffmpeg,ffprobe,gtk-straw-viewer,mpv,perl,python*,sh,smplayer,straw-viewer,stty,vlc,wget,which,youtube-dl
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,machine-id,mime.types,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl,X11,xdg
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/strings.profile b/etc/profile-m-z/strings.profile
index 426b2dc1c..09ada1e25 100644
--- a/etc/profile-m-z/strings.profile
+++ b/etc/profile-m-z/strings.profile
@@ -38,6 +38,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 x11 none
diff --git a/etc/profile-m-z/supertux2.profile b/etc/profile-m-z/supertux2.profile
index ceaae8fbf..9cc023765 100644
--- a/etc/profile-m-z/supertux2.profile
+++ b/etc/profile-m-z/supertux2.profile
@@ -36,6 +36,7 @@ nou2f
 novideo
 protocol unix,netlink
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-m-z/supertuxkart.profile b/etc/profile-m-z/supertuxkart.profile
index 40b996794..1b20f5d3d 100644
--- a/etc/profile-m-z/supertuxkart.profile
+++ b/etc/profile-m-z/supertuxkart.profile
@@ -41,15 +41,17 @@ noroot
 notv
 nou2f
 novideo
-protocol unix,inet,inet6
+protocol unix,inet,inet6,bluetooth
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
 disable-mnt
 private-bin supertuxkart
 private-cache
-private-dev
+# uncomment the following line if you do not need controller support
+#private-dev
 private-etc alternatives,ca-certificates,crypto-policies,drirc,hosts,machine-id,openal,pki,resolv.conf,ssl
 private-tmp
 private-opt none
diff --git a/etc/profile-m-z/thunderbird.profile b/etc/profile-m-z/thunderbird.profile
index e3eb73730..b478fbe1e 100644
--- a/etc/profile-m-z/thunderbird.profile
+++ b/etc/profile-m-z/thunderbird.profile
@@ -6,6 +6,8 @@ include thunderbird.local
 # Persistent global definitions
 include globals.local
 
+ignore include whitelist-runuser-common.inc
+
 # writable-run-user and dbus are needed by enigmail
 ignore dbus-user none
 ignore dbus-system none
diff --git a/etc/profile-m-z/transmission-common.profile b/etc/profile-m-z/transmission-common.profile
index 9d2e8e990..d601f0f15 100644
--- a/etc/profile-m-z/transmission-common.profile
+++ b/etc/profile-m-z/transmission-common.profile
@@ -39,6 +39,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-m-z/vivaldi.profile b/etc/profile-m-z/vivaldi.profile
index 541942453..fdeb0307f 100644
--- a/etc/profile-m-z/vivaldi.profile
+++ b/etc/profile-m-z/vivaldi.profile
@@ -29,9 +29,13 @@ whitelist ${HOME}/.config/vivaldi
 whitelist ${HOME}/.config/vivaldi-snapshot
 whitelist ${HOME}/.local/lib/vivaldi
 
+#private-bin bash,cat,dirname,readlink,rm,vivaldi,vivaldi-stable,vivaldi-snapshot
+
 # breaks vivaldi sync
 ignore dbus-user none
 ignore dbus-system none
 
+read-write ${HOME}/.local/lib/vivaldi
+
 # Redirect
 include chromium-common.profile
diff --git a/etc/profile-m-z/w3m.profile b/etc/profile-m-z/w3m.profile
index bd33edd6a..0e172333a 100644
--- a/etc/profile-m-z/w3m.profile
+++ b/etc/profile-m-z/w3m.profile
@@ -7,6 +7,11 @@ include w3m.local
 # Persistent global definitions
 include globals.local
 
+# Uncomment or add to your w3m.local if you want to use w3m-img on a vconsole
+#ignore nogroups
+#ignore private-dev
+#ignore private-etc
+
 noblacklist ${HOME}/.w3m
 
 blacklist /tmp/.X11-unix
diff --git a/etc/profile-m-z/wget.profile b/etc/profile-m-z/wget.profile
index cdb8f0b93..8a64d2d73 100644
--- a/etc/profile-m-z/wget.profile
+++ b/etc/profile-m-z/wget.profile
@@ -44,6 +44,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-m-z/whois.profile b/etc/profile-m-z/whois.profile
index 2af1379e0..a9cecb18d 100644
--- a/etc/profile-m-z/whois.profile
+++ b/etc/profile-m-z/whois.profile
@@ -39,6 +39,7 @@ nou2f
 novideo
 protocol inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-m-z/wine.profile b/etc/profile-m-z/wine.profile
index 901340052..6ac74b9da 100644
--- a/etc/profile-m-z/wine.profile
+++ b/etc/profile-m-z/wine.profile
@@ -6,6 +6,7 @@ include wine.local
 # Persistent global definitions
 include globals.local
 
+noblacklist ${HOME}/.cache/winetricks
 noblacklist ${HOME}/.Steam
 noblacklist ${HOME}/.local/share/Steam
 noblacklist ${HOME}/.local/share/steam
@@ -19,6 +20,8 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+# whitelist /usr/share/wine
+# include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 # some applications don't need allow-debuggers, comment the next line
diff --git a/etc/profile-m-z/xfce4-mixer.profile b/etc/profile-m-z/xfce4-mixer.profile
index 6ff4a1103..78cb2862c 100644
--- a/etc/profile-m-z/xfce4-mixer.profile
+++ b/etc/profile-m-z/xfce4-mixer.profile
@@ -19,6 +19,7 @@ include disable-xdg.inc
 
 mkfile ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml
 whitelist ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml
+whitelist /usr/share/gstreamer
 whitelist /usr/share/xfce4
 whitelist /usr/share/xfce4-mixer
 include whitelist-common.inc
@@ -48,7 +49,9 @@ private-dev
 private-etc alternatives,asound.conf,fonts,machine-id,pulse
 private-tmp
 
-# dbus-user none
-# dbus-system none
+dbus-user filter
+dbus-user.own org.xfce.xfce4-mixer
+dbus-user.talk org.xfce.Xfconf
+dbus-system none
 
-memory-deny-write-execute
+# memory-deny-write-execute - breaks on Arch
diff --git a/etc/profile-m-z/xfce4-screenshooter.profile b/etc/profile-m-z/xfce4-screenshooter.profile
index b760b44dd..c9200304c 100644
--- a/etc/profile-m-z/xfce4-screenshooter.profile
+++ b/etc/profile-m-z/xfce4-screenshooter.profile
@@ -48,4 +48,4 @@ private-tmp
 dbus-user none
 dbus-system none
 
-memory-deny-write-execute
+# memory-deny-write-execute -- see #3790
diff --git a/etc/profile-m-z/xournal.profile b/etc/profile-m-z/xournal.profile
index b842b5307..0c6969e09 100644
--- a/etc/profile-m-z/xournal.profile
+++ b/etc/profile-m-z/xournal.profile
@@ -36,6 +36,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-m-z/yelp.profile b/etc/profile-m-z/yelp.profile
index fd95ceb04..3ba1dca1a 100644
--- a/etc/profile-m-z/yelp.profile
+++ b/etc/profile-m-z/yelp.profile
@@ -20,7 +20,9 @@ include disable-xdg.inc
 mkdir ${HOME}/.config/yelp
 whitelist ${HOME}/.config/yelp
 whitelist /usr/share/doc
+whitelist /usr/share/groff
 whitelist /usr/share/help
+whitelist /usr/share/man
 whitelist /usr/share/yelp
 whitelist /usr/share/yelp-tools
 whitelist /usr/share/yelp-xsl
@@ -41,14 +43,15 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
 disable-mnt
-private-bin yelp
+private-bin groff,man,tbl,troff,yelp
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,crypto-policies,cups,dconf,drirc,fonts,gcrypt,gtk-3.0,machine-id,openal,os-release,pulse,sgml,xml
+private-etc alsa,alternatives,asound.conf,crypto-policies,cups,dconf,drirc,fonts,gcrypt,groff,gtk-3.0,machine-id,man_db.conf,openal,os-release,pulse,sgml,xml
 private-tmp
 
 dbus-system none
@@ -59,3 +62,4 @@ dbus-system none
 #  1. yelp --editor-mode
 #  2. saving the window geometry
 read-only ${HOME}
+read-write ${HOME}/.cache
diff --git a/etc/profile-m-z/youtube-dl.profile b/etc/profile-m-z/youtube-dl.profile
index db3535f78..d9dee6891 100644
--- a/etc/profile-m-z/youtube-dl.profile
+++ b/etc/profile-m-z/youtube-dl.profile
@@ -52,6 +52,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-m-z/youtube-viewer.profile b/etc/profile-m-z/youtube-viewer.profile
index 513cb0f6e..a3a2afa29 100644
--- a/etc/profile-m-z/youtube-viewer.profile
+++ b/etc/profile-m-z/youtube-viewer.profile
@@ -7,10 +7,6 @@ include youtube-viewer.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
-blacklist ${RUNUSER}
-
 noblacklist ${HOME}/.config/youtube-viewer
 
 include allow-perl.inc
@@ -47,11 +43,11 @@ shell none
 tracelog
 
 disable-mnt
-# private-bin ffmpeg,ffprobe,firefox,gtk-youtube-viewer,gtk2-youtube-viewer,gtk3-youtube-viewer,mpv,python*,smplayer,sh,which,vlc,youtube-dl,youtube-viewer
+private-bin ffmpeg,ffprobe,firefox,gtk-youtube-viewer,gtk2-youtube-viewer,gtk3-youtube-viewer,mpv,python*,sh,smplayer,stty,vlc,which,youtube-dl,youtube-viewer
 private-cache
 private-dev
 private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,machine-id,mime.types,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl,X11,xdg
 private-tmp
 
 dbus-user none
-dbus-system none
\ No newline at end of file
+dbus-system none
diff --git a/etc/profile-m-z/zathura.profile b/etc/profile-m-z/zathura.profile
index 5274e5b42..86615341f 100644
--- a/etc/profile-m-z/zathura.profile
+++ b/etc/profile-m-z/zathura.profile
@@ -28,7 +28,6 @@ include whitelist-var-common.inc
 
 apparmor
 caps.drop all
-ipc-namespace
 machine-id
 net none
 nodvd
diff --git a/etc/templates/profile.template b/etc/templates/profile.template
index d57306aee..3d37fc827 100644
--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -157,6 +157,7 @@ include globals.local
 #seccomp
 ##seccomp !chroot
 ##seccomp.drop SYSCALLS (see syscalls.txt)
+#seccomp.block-secondary
 #shell none
 #tracelog
 # Prefer 'x11 none' instead of 'blacklist /tmp/.X11-unix' if 'net none' is set
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index b0a223911..000ed5258 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -63,6 +63,7 @@ audacious
 audacity
 audio-recorder
 authenticator
+authenticator-rs
 autokey-gtk
 autokey-qt
 autokey-run
@@ -173,6 +174,7 @@ dnox
 dnscrypt-proxy
 dnsmasq
 dolphin
+dolphin-emu
 dooble
 dooble-qt4
 dosbox
@@ -197,14 +199,14 @@ enpass
 eog
 eom
 ephemeral
-#epiphany
+#epiphany - see #2995
 equalx
 et
 etr
 evince
 evince-previewer
 evince-thumbnailer
-evolution
+#evolution - see #3647
 exfalso
 exiftool
 falkon
@@ -212,7 +214,7 @@ fbreader
 feedreader
 feh
 ferdi
-ffmpeg
+#ffmpeg
 ffmpegthumbnailer
 ffplay
 ffprobe
@@ -334,6 +336,7 @@ gradio
 gramps
 gravity-beams-and-evaporating-stars
 gthumb
+gtk-straw-viewer
 gtk-youtube-viewer
 gtk2-youtube-viewer
 gtk3-youtube-viewer
@@ -682,6 +685,7 @@ steam-native
 steam-runtime
 stellarium
 strawberry
+straw-viewer
 strings
 studio.sh
 subdownloader
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 76ec102c3..0d4e496e8 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -162,6 +162,13 @@ static void disable_file(OPERATION op, const char *filename) {
         }
         else if (op == MOUNT_TMPFS) {
                 if (S_ISDIR(s.st_mode)) {
+                        if (getuid()) {
+                                if (strncmp(cfg.homedir, fname, strlen(cfg.homedir)) != 0 ||
+                                    fname[strlen(cfg.homedir)] != '/') {
+                                        fprintf(stderr, "Error: tmpfs outside $HOME is only available for root\n");
+                                        exit(1);
+                                }
+                        }
                         fs_tmpfs(fname, getuid());
                         last_disable = SUCCESSFUL;
                 }
@@ -366,14 +373,6 @@ void fs_blacklist(void) {
                 else if (strncmp(entry->data, "tmpfs ", 6) == 0) {
                         ptr = entry->data + 6;
                         op = MOUNT_TMPFS;
-                        char *resolved_path = realpath(ptr, NULL);
-                        if (!resolved_path || strncmp(cfg.homedir, resolved_path, strlen(cfg.homedir)) != 0) {
-                                if (getuid() != 0) {
-                                        fprintf(stderr, "Error: tmpfs outside $HOME is only available for root\n");
-                                        exit(1);
-                                }
-                        }
-                        free(resolved_path);
                 }
                 else if (strncmp(entry->data, "mkdir ", 6) == 0) {
                         EUID_USER();
@@ -1262,28 +1261,3 @@ void fs_private_tmp(void) {
         }
         closedir(dir);
 }
-
-// this function is called from sandbox.c before blacklist/whitelist functions
-void fs_private_cache(void) {
-        char *cache;
-        if (asprintf(&cache, "%s/.cache", cfg.homedir) == -1)
-                errExit("asprintf");
-        // check if ~/.cache is a valid destination
-        struct stat s;
-        if (lstat(cache, &s) == -1) {
-                fwarning("skipping private-cache: cannot find %s\n", cache);
-                free(cache);
-                return;
-        }
-        if (!S_ISDIR(s.st_mode)) {
-                if (S_ISLNK(s.st_mode))
-                        fwarning("skipping private-cache: %s is a symbolic link\n", cache);
-                else
-                        fwarning("skipping private-cache: %s is not a directory\n", cache);
-                free(cache);
-                return;
-        }
-        // do the mount
-        fs_tmpfs(cache, getuid()); // check ownership of ~/.cache
-        free(cache);
-}
diff --git a/src/firejail/fs_lib.c b/src/firejail/fs_lib.c
index 64444bba2..5cfd33b42 100644
--- a/src/firejail/fs_lib.c
+++ b/src/firejail/fs_lib.c
@@ -378,6 +378,9 @@ void fs_private_lib(void) {
         // bring in firejail executable libraries in case we are redirected here by a firejail symlink from /usr/local/bin/firejail
         fslib_install_list("/usr/bin/firejail,firejail"); // todo: use the installed path for the executable
 
+        // install libraries needed by fcopy
+        fslib_install_list(PATH_FCOPY);
+
         fmessage("Installed %d %s and %d %s\n", lib_cnt, (lib_cnt == 1)? "library": "libraries",
                 dir_cnt, (dir_cnt == 1)? "directory": "directories");
 
diff --git a/src/firejail/ls.c b/src/firejail/ls.c
index 1a65c9ff0..e61edf427 100644
--- a/src/firejail/ls.c
+++ b/src/firejail/ls.c
@@ -26,6 +26,7 @@
 #include <dirent.h>
 #include <pwd.h>
 #include <grp.h>
+#include <fcntl.h>
 //#include <dirent.h>
 //#include <stdio.h>
 //#include <stdlib.h>
@@ -293,6 +294,41 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) {
                 printf("file2 %s\n", fname2 ? fname2 : "(null)");
         }
 
+        // get file from sandbox and store it in the current directory
+        // implemented using --cat
+        if (op == SANDBOX_FS_GET) {
+                char *dest_fname = strrchr(fname1, '/');
+                if (!dest_fname || *(++dest_fname) == '\0') {
+                        fprintf(stderr, "Error: invalid file name %s\n", fname1);
+                        exit(1);
+                }
+                // create destination file if necessary
+                EUID_ASSERT();
+                int fd = open(dest_fname, O_WRONLY|O_CREAT|O_CLOEXEC, S_IRUSR | S_IWRITE);
+                if (fd == -1) {
+                        fprintf(stderr, "Error: cannot open %s for writing\n", dest_fname);
+                        exit(1);
+                }
+                struct stat s;
+                if (fstat(fd, &s) == -1)
+                        errExit("fstat");
+                if (!S_ISREG(s.st_mode)) {
+                        fprintf(stderr, "Error: %s is no regular file\n", dest_fname);
+                        exit(1);
+                }
+                if (ftruncate(fd, 0) == -1)
+                        errExit("ftruncate");
+                // go quiet - messages on stdout will corrupt the file
+                arg_debug = 0;
+                arg_quiet = 1;
+                // redirection
+                if (dup2(fd, STDOUT_FILENO) == -1)
+                        errExit("dup2");
+                assert(fd != STDOUT_FILENO);
+                close(fd);
+                op = SANDBOX_FS_CAT;
+        }
+
         // sandbox root directory
         char *rootdir;
         if (asprintf(&rootdir, "/proc/%d/root", pid) == -1)
@@ -317,92 +353,6 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) {
                 __gcov_flush();
 #endif
         }
-
-        // get file from sandbox and store it in the current directory
-        else if (op == SANDBOX_FS_GET) {
-                char *src_fname =fname1;
-                char *dest_fname = strrchr(fname1, '/');
-                if (!dest_fname || *(++dest_fname) == '\0') {
-                        fprintf(stderr, "Error: invalid file name %s\n", fname1);
-                        exit(1);
-                }
-
-                EUID_ROOT();
-                if (arg_debug)
-                        printf("copy %s to %s\n", src_fname, dest_fname);
-
-                // create a user-owned temporary file in /run/firejail directory
-                char tmp_fname[] = "/run/firejail/tmpget-XXXXXX";
-                int fd = mkstemp(tmp_fname);
-                if (fd == -1) {
-                        fprintf(stderr, "Error: cannot create temporary file %s\n", tmp_fname);
-                        exit(1);
-                }
-                SET_PERMS_FD(fd, getuid(), getgid(), 0600);
-                close(fd);
-
-                // copy the source file into the temporary file - we need to chroot
-                pid_t child = fork();
-                if (child < 0)
-                        errExit("fork");
-                if (child == 0) {
-                        // chroot
-                        if (chroot(rootdir) < 0)
-                                errExit("chroot");
-                        if (chdir("/") < 0)
-                                errExit("chdir");
-
-                        // drop privileges
-                        drop_privs(0);
-
-                        // copy the file
-                        if (copy_file(src_fname, tmp_fname, getuid(), getgid(), 0600)) // already a regular user
-                                _exit(1);
-#ifdef HAVE_GCOV
-                        __gcov_flush();
-#endif
-                        _exit(0);
-                }
-
-                // wait for the child to finish
-                int status = 0;
-                waitpid(child, &status, 0);
-                if (WIFEXITED(status) && WEXITSTATUS(status) == 0);
-                else {
-                        unlink(tmp_fname);
-                        exit(1);
-                }
-
-                // copy the temporary file into the destination file
-                child = fork();
-                if (child < 0)
-                        errExit("fork");
-                if (child == 0) {
-                        // drop privileges
-                        drop_privs(0);
-
-                        // copy the file
-                        if (copy_file(tmp_fname, dest_fname, getuid(), getgid(), 0600)) // already a regular user
-                                _exit(1);
-#ifdef HAVE_GCOV
-                        __gcov_flush();
-#endif
-                        _exit(0);
-                }
-
-                // wait for the child to finish
-                status = 0;
-                waitpid(child, &status, 0);
-                if (WIFEXITED(status) && WEXITSTATUS(status) == 0);
-                else {
-                        unlink(tmp_fname);
-                        exit(1);
-                }
-
-                // remove the temporary file
-                unlink(tmp_fname);
-                EUID_USER();
-        }
         // get file from host and store it in the sandbox
         else if (op == SANDBOX_FS_PUT && path2) {
                 char *src_fname =fname1;
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 676d04895..53300fe2d 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -161,7 +161,6 @@ int fullargc = 0;
 static pid_t child = 0;
 pid_t sandbox_pid;
 mode_t orig_umask = 022;
-unsigned long long start_timestamp;
 
 static void clear_atexit(void) {
         EUID_ROOT();
@@ -1026,7 +1025,7 @@ int main(int argc, char **argv, char **envp) {
         init_cfg(argc, argv);
 
         // get starting timestamp, process --quiet
-        start_timestamp = getticks();
+        timetrace_start();
         char *env_quiet = getenv("FIREJAIL_QUIET");
         if (check_arg(argc, argv, "--quiet", 1) || (env_quiet && strcmp(env_quiet, "yes") == 0))
                 arg_quiet = 1;
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 5ddf6fdbb..ff8b47102 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -1497,7 +1497,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 if (checkcfg(CFG_JOIN) || getuid() == 0) {
                         // try to join by name only
                         pid_t pid;
-                        if (!name2pid(ptr + 14, &pid)) {
+                        EUID_ROOT();
+                        int r = name2pid(ptr + 14, &pid);
+                        EUID_USER();
+                        if (!r) {
                                 if (!cfg.shell && !arg_shell_none)
                                         cfg.shell = guess_shell();
 
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 8bfe76603..5c7b5e556 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -400,19 +400,8 @@ static int monitor_application(pid_t app_pid) {
 }
 
 static void print_time(void) {
-        if (start_timestamp) {
-                unsigned long long end_timestamp = getticks();
-                // measure 1 ms
-                usleep(1000);
-                unsigned long long onems = getticks() - end_timestamp;
-                if (onems) {
-                        fmessage("Child process initialized in %.02f ms\n",
-                                (float) (end_timestamp - start_timestamp) / (float) onems);
-                        return;
-                }
-        }
-
-        fmessage("Child process initialized\n");
+        float delta = timetrace_end();
+        fmessage("Child process initialized in %.02f ms\n", delta);
 }
 
 
@@ -923,12 +912,9 @@ int sandbox(void* sandbox_arg) {
 
 #ifdef HAVE_USERTMPFS
         if (arg_private_cache) {
-                if (cfg.chrootdir)
-                        fwarning("private-cache feature is disabled in chroot\n");
-                else if (arg_overlay)
-                        fwarning("private-cache feature is disabled in overlay\n");
-                else
-                        fs_private_cache();
+                EUID_USER();
+                profile_add("tmpfs ${HOME}/.cache");
+                EUID_ROOT();
         }
 #endif
 
diff --git a/src/include/common.h b/src/include/common.h
index 2fa61cc91..5df51c5a9 100644
--- a/src/include/common.h
+++ b/src/include/common.h
@@ -118,21 +118,6 @@ static inline int mac_not_zero(const unsigned char mac[6]) {
         return 0;
 }
 
-// rtdsc timestamp on x86-64/amd64  processors
-static inline unsigned long long getticks(void) {
-#if defined(__x86_64__)
-        unsigned a, d;
-        asm volatile("rdtsc" : "=a" (a), "=d" (d));
-        return ((unsigned long long)a) | (((unsigned long long)d) << 32);
-#elif defined(__i386__)
-        unsigned long long ret;
-        __asm__ __volatile__("rdtsc" : "=A" (ret));
-        return ret;
-#else
-        return 0; // not implemented
-#endif
-}
-
 void timetrace_start(void);
 float timetrace_end(void);
 int join_namespace(pid_t pid, char *type);
diff --git a/src/lib/common.c b/src/lib/common.c
index 1fd317d4f..823442835 100644
--- a/src/lib/common.c
+++ b/src/lib/common.c
@@ -30,6 +30,7 @@
 #include <signal.h>
 #include <dirent.h>
 #include <string.h>
+#include <time.h>
 #include "../include/common.h"
 #define BUFLEN 4096
 
@@ -277,7 +278,7 @@ int pid_hidepid(void) {
                 if (strstr(buf, "proc /proc proc")) {
                         fclose(fp);
                         // check hidepid
-                        if (strstr(buf, "hidepid=2") || strstr(buf, "hidepid=1"))
+                        if (strstr(buf, "hidepid="))
                                 return 1;
                         return 0;
                 }
@@ -290,38 +291,42 @@ int pid_hidepid(void) {
 //**************************
 // time trace based on getticks function
 //**************************
-static int tt_not_implemented = 0; // not implemented for the current architecture
-static unsigned long long tt_1ms = 0;
-static unsigned long long tt = 0;       // start time
+typedef struct list_entry_t {
+        struct list_entry_t *next;
+        struct timespec ts;
+} ListEntry;
 
-void timetrace_start(void) {
-        if (tt_not_implemented)
-                return;
-        unsigned long long t1 = getticks();
-        if (t1 == 0) {
-                tt_not_implemented = 1;
-                return;
-        }
+static ListEntry *ts_list = NULL;
 
-        if (tt_1ms == 0) {
-                usleep(1000);   // sleep 1 ms
-                unsigned long long t2 = getticks();
-                tt_1ms = t2 - t1;
-                if (tt_1ms == 0) {
-                        tt_not_implemented = 1;
-                        return;
-                }
-        }
+static inline float msdelta(struct timespec *start, struct timespec *end) {
+        unsigned sec = end->tv_sec - start->tv_sec;
+        long nsec = end->tv_nsec - start->tv_nsec;
+        return (float) sec * 1000 + (float) nsec / 1000000;
+}
 
-        tt = getticks();
+void timetrace_start(void) {
+        ListEntry *t = malloc(sizeof(ListEntry));
+        if (!t)
+                errExit("malloc");
+        memset(t, 0, sizeof(ListEntry));
+        clock_gettime(CLOCK_MONOTONIC, &t->ts);
+
+        // add it to the list
+        t->next = ts_list;
+        ts_list = t;
 }
 
 float timetrace_end(void) {
-        if (tt_not_implemented)
+        if (!ts_list)
                 return 0;
 
-        unsigned long long delta = getticks() - tt;
-        assert(tt_1ms);
+        // remove start time  from the list
+        ListEntry *t = ts_list;
+        ts_list = t->next;
 
-        return (float) delta / (float) tt_1ms;
+        struct timespec end;
+        clock_gettime(CLOCK_MONOTONIC, &end);
+        float rv = msdelta(&t->ts, &end);
+        free(t);
+        return rv;
 }
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index ef7dccbfb..9524254c1 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -412,7 +412,7 @@ There is no root account (uid 0) defined in the namespace.
 \fBprotocol protocol1,protocol2,protocol3
 Enable protocol filter. The filter is based on seccomp and  checks the
 first argument to socket system call. Recognized values: \fBunix\fR,
-\fBinet\fR, \fBinet6\fR, \fBnetlink\fR and \fBpacket\fR.
+\fBinet\fR, \fBinet6\fR, \fBnetlink\fR, \fBpacket\fR and \fBbluetooth\fR.
 .TP
 \fBseccomp
 Enable seccomp filter and blacklist the syscalls in the default list. See man 1 firejail for more details.
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 219eba10e..562b3eda3 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1558,7 +1558,7 @@ Parent pid 8553, child pid 8554
 Child process initialized
 .br
 [...]
-#if HAVE_USERNS
+#ifdef HAVE_USERNS
 .TP
 \fB\-\-noroot
 Install a user namespace with a single user - the current user.
@@ -2003,7 +2003,7 @@ $ firejail \-\-profile.print=browser
 .TP
 \fB\-\-protocol=protocol,protocol,protocol
 Enable protocol filter. The filter is based on seccomp and checks the first argument to socket system call.
-Recognized values: unix, inet, inet6, netlink and packet. This option is not supported for i386 architecture.
+Recognized values: unix, inet, inet6, netlink, packet and bluetooth. This option is not supported for i386 architecture.
 .br
 
 .br
diff --git a/src/man/preproc.awk b/src/man/preproc.awk
index 20081b551..1471be3ec 100755
--- a/src/man/preproc.awk
+++ b/src/man/preproc.awk
@@ -23,7 +23,7 @@
 BEGIN {
         macros[0] = 0
         for (arg in ARGV) {
-                if (ARGV[arg] ~ /^-D[A-Z_]+$/) {
+                if (ARGV[arg] ~ /^-D[A-Z0-9_]+$/) {
                         macros[length(macros) + 1] = substr(ARGV[arg], 3)
                 }
                 ARGV[arg] = ""
@@ -31,7 +31,7 @@ BEGIN {
 
         include = 1
 }
-/^#ifdef [A-Z_]+$/ {
+/^#ifdef [A-Z0-9_]+$/ {
         macro = substr($0, 8)
         for (i in macros) {
                 if (macros[i] == macro) {
diff --git a/test/fs/fscheck-tmpfs.exp b/test/fs/fscheck-tmpfs.exp
index ebd3eeb9c..818549fe2 100755
--- a/test/fs/fscheck-tmpfs.exp
+++ b/test/fs/fscheck-tmpfs.exp
@@ -7,12 +7,49 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-# ..
-send -- "firejail --tmpfs=fscheck-dir\r"
+send -- "mkdir -p ~/fjtest-dir/fjtest-dir\r"
+after 100
+send -- "mkdir /tmp/fjtest-dir\r"
+after 100
+
+if { ! [file exists ~/fjtest-dir/fjtest-dir] } {
+        puts "TESTING ERROR 1\n"
+        exit
+}
+if { ! [file exists /tmp/fjtest-dir] } {
+        puts "TESTING ERROR 2\n"
+        exit
+}
+
+send -- "firejail --noprofile --tmpfs=~/fjtest-dir\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "Child process initialized"
+}
+after 500
+
+send -- "ls ~/fjtest-dir/fjtest-dir\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "No such file or directory"
+}
+after 500
+
+send -- "exit\r"
+after 500
+
+send -- "firejail --noprofile --tmpfs=/tmp/fjtest-dir\r"
 expect {
-        timeout {puts "TESTING ERROR 0.1\n";exit}
+        timeout {puts "TESTING ERROR 5\n";exit}
         "Error"
 }
+after 500
+
+# cleanup
+send -- "rm -fr ~/fjtest-dir\r"
 after 100
+send -- "rm -fr /tmp/fjtest-dir\r"
+after 100
+
 
 puts "\nall done\n"
diff --git a/test/fs/private-cache.exp b/test/fs/private-cache.exp
index 0597e8921..6e4c6bd1b 100755
--- a/test/fs/private-cache.exp
+++ b/test/fs/private-cache.exp
@@ -7,16 +7,17 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-if {[file exists ~/.cache]} {
-        puts "found .cache directory\n"
-} else {
-        send -- "mkdir --mode=755 ~/.cache\r"
-}
+send -- "mkdir --mode=700 ~/.cache\r"
 after 100
 
 send -- "touch ~/.cache/abcdefg\r"
 after 100
 
+if { ! [file exists ~/.cache/abcdefg] } {
+        puts "TESTING ERROR 0\n"
+        exit
+}
+
 send -- "firejail --noprofile --private-cache\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
@@ -34,23 +35,8 @@ after 100
 send -- "exit\r"
 sleep 1
 
-send -- "rm -v ~/.cache/abcdefg\r"
-expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
-        "removed"
-}
+# cleanup
+send -- "rm ~/.cache/abcdefg\r"
 after 100
 
-# redo the test with --private
-
-send -- "firejail --noprofile --private --private-cache\r"
-expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
-        "Warning"
-}
-sleep 1
-
-send -- "exit\r"
-sleep 1
-
 puts "\nall done\n"
diff --git a/test/profiles/profiles.sh b/test/profiles/profiles.sh
index 75d961eb1..2d7d2a966 100755
--- a/test/profiles/profiles.sh
+++ b/test/profiles/profiles.sh
@@ -40,7 +40,7 @@ if [ -d "/run/user/$UID" ]; then
         PROFILES=`ls /etc/firejail/*.profile`
         echo "TESTING: default profiles installed in /etc"
 else
-        PROFILES=`ls /etc/firejail/fi*.profile /etc/firejail/fl*.profile /etc/firejail/free*.profile`
+        PROFILES=`ls /etc/firejail/transmission*.profile /etc/firejail/fi*.profile /etc/firejail/fl*.profile /etc/firejail/free*.profile`
         echo "TESTING: small number of default profiles installed in /etc"
 fi