77 files changed, 196 insertions, 27 deletions

diff --git a/RELNOTES b/RELNOTES
index 3cdea6d9d..f623517b3 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,6 +1,7 @@
 firejail (0.9.65) baseline; urgency=low
   * allow --tmpfs inside $HOME for unprivileged users
-  *  --disable-usertmpfs  compile time option
+  * --disable-usertmpfs  compile time option
+  * allow AF_BLUETOOTH via --protocol=bluetooth
   * new profiles: spectacle, chromium-browser-privacy
  -- netblue30 <netblue30@yahoo.com>  Wed, 21 Oct 2020 09:00:00 -0500
 
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index 6fec4d24f..1268b4cd2 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -147,6 +147,8 @@ blacklist ${RUNUSER}/kdesud_*
 # gnome
 # contains extensions, last used times of applications, and notifications
 blacklist ${HOME}/.local/share/gnome-shell
+# contains recently used files and serials of static/removable storage
+blacklist ${HOME}/.local/share/gvfs-metadata
 # no direct modification of dconf database
 read-only ${HOME}/.config/dconf
 blacklist ${RUNUSER}/gnome-session-leader-fifo
@@ -266,9 +268,11 @@ read-only ${HOME}/.config/fish
 read-only ${HOME}/.csh_files
 read-only ${HOME}/.cshrc
 read-only ${HOME}/.forward
+read-only ${HOME}/.kshrc
 read-only ${HOME}/.local/share/fish
 read-only ${HOME}/.login
 read-only ${HOME}/.logout
+read-only ${HOME}/.mkshrc
 read-only ${HOME}/.oh-my-zsh
 read-only ${HOME}/.pam_environment
 read-only ${HOME}/.pgpkey
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 7e3c0b657..976f988b2 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -378,6 +378,7 @@ blacklist ${HOME}/.config/spotify
 blacklist ${HOME}/.config/sqlitebrowser
 blacklist ${HOME}/.config/stellarium
 blacklist ${HOME}/.config/strawberry
+blacklist ${HOME}/.config/straw-viewer
 blacklist ${HOME}/.config/supertuxkart
 blacklist ${HOME}/.config/synfig
 blacklist ${HOME}/.config/teams
@@ -972,6 +973,7 @@ blacklist ${HOME}/.cache/smuxi
 blacklist ${HOME}/.cache/snox
 blacklist ${HOME}/.cache/spotify
 blacklist ${HOME}/.cache/strawberry
+blacklist ${HOME}/.cache/straw-viewer
 blacklist ${HOME}/.cache/supertuxkart
 blacklist ${HOME}/.cache/systemsettings
 blacklist ${HOME}/.cache/telepathy
diff --git a/etc/inc/disable-shell.inc b/etc/inc/disable-shell.inc
index fda528eb6..e66d23c9f 100644
--- a/etc/inc/disable-shell.inc
+++ b/etc/inc/disable-shell.inc
@@ -7,6 +7,7 @@ blacklist ${PATH}/csh
 blacklist ${PATH}/dash
 blacklist ${PATH}/fish
 blacklist ${PATH}/ksh
+blacklist ${PATH}/mksh
 blacklist ${PATH}/sh
 blacklist ${PATH}/tclsh
 blacklist ${PATH}/tcsh
diff --git a/etc/inc/firefox-common-addons.inc b/etc/inc/firefox-common-addons.inc
index 198941ac9..03f09fece 100644
--- a/etc/inc/firefox-common-addons.inc
+++ b/etc/inc/firefox-common-addons.inc
@@ -2,6 +2,8 @@
 # Persistent customizations should go in a .local file.
 include firefox-common-addons.local
 
+ignore include whitelist-runuser-common.inc
+
 noblacklist ${HOME}/.config/kgetrc
 noblacklist ${HOME}/.config/okularpartrc
 noblacklist ${HOME}/.config/okularrc
diff --git a/etc/inc/whitelist-runuser-common.inc b/etc/inc/whitelist-runuser-common.inc
index f2a510e9d..7d9f106ef 100644
--- a/etc/inc/whitelist-runuser-common.inc
+++ b/etc/inc/whitelist-runuser-common.inc
@@ -10,3 +10,4 @@ whitelist ${RUNUSER}/ICEauthority
 whitelist ${RUNUSER}/.mutter-Xwaylandauth.*
 whitelist ${RUNUSER}/pulse/native
 whitelist ${RUNUSER}/wayland-0
+whitelist ${RUNUSER}/xauth_*
diff --git a/etc/profile-a-l/0ad.profile b/etc/profile-a-l/0ad.profile
index 6869ea631..c4e820078 100644
--- a/etc/profile-a-l/0ad.profile
+++ b/etc/profile-a-l/0ad.profile
@@ -16,6 +16,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 
 mkdir ${HOME}/.cache/0ad
 mkdir ${HOME}/.config/0ad
@@ -40,6 +41,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/baobab.profile b/etc/profile-a-l/baobab.profile
index 3937e1966..4401c9dfd 100644
--- a/etc/profile-a-l/baobab.profile
+++ b/etc/profile-a-l/baobab.profile
@@ -30,6 +30,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/bijiben.profile b/etc/profile-a-l/bijiben.profile
index c1c338536..dbde3e4de 100644
--- a/etc/profile-a-l/bijiben.profile
+++ b/etc/profile-a-l/bijiben.profile
@@ -41,6 +41,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/celluloid.profile b/etc/profile-a-l/celluloid.profile
index 8bf086ab4..56709a466 100644
--- a/etc/profile-a-l/celluloid.profile
+++ b/etc/profile-a-l/celluloid.profile
@@ -46,6 +46,7 @@ noroot
 nou2f
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/claws-mail.profile b/etc/profile-a-l/claws-mail.profile
index 24954b2d8..69196c578 100644
--- a/etc/profile-a-l/claws-mail.profile
+++ b/etc/profile-a-l/claws-mail.profile
@@ -18,5 +18,10 @@ whitelist ${HOME}/.claws-mail
 
 whitelist /usr/share/doc/claws-mail
 
+# if you use the notification plugin you need to uncomment the below (or put them in your claws-mail.local)
+#ignore dbus-user none
+#dbus-user filter
+#dbus-user.talk org.freedesktop.Notifications
+
 # Redirect
 include email-common.profile
diff --git a/etc/profile-a-l/dconf-editor.profile b/etc/profile-a-l/dconf-editor.profile
index d6541850d..b41a73916 100644
--- a/etc/profile-a-l/dconf-editor.profile
+++ b/etc/profile-a-l/dconf-editor.profile
@@ -35,6 +35,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/dia.profile b/etc/profile-a-l/dia.profile
index 52bf1c7f8..e409eb044 100644
--- a/etc/profile-a-l/dia.profile
+++ b/etc/profile-a-l/dia.profile
@@ -9,16 +9,24 @@ include globals.local
 noblacklist ${HOME}/.dia
 noblacklist ${DOCUMENTS}
 
+include allow-python2.inc
+include allow-python3.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
-include allow-python2.inc
-include allow-python3.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+#mkdir ${HOME}/.dia
+#whitelist ${HOME}/.dia
+#whitelist ${DOCUMENTS}
+#include whitelist-common.inc
+whitelist /usr/share/dia
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 apparmor
@@ -36,6 +44,7 @@ novideo
 protocol unix
 seccomp
 shell none
+tracelog
 
 disable-mnt
 #private-bin dia
diff --git a/etc/profile-a-l/email-common.profile b/etc/profile-a-l/email-common.profile
index 3bc417557..df47f478d 100644
--- a/etc/profile-a-l/email-common.profile
+++ b/etc/profile-a-l/email-common.profile
@@ -58,6 +58,9 @@ private-cache
 private-dev
 private-tmp
 
+dbus-user none
+dbus-system none
+
 # encrypting and signing email
 writable-run-user
 
diff --git a/etc/profile-a-l/eo-common.profile b/etc/profile-a-l/eo-common.profile
index e8b49a395..e059f3b74 100644
--- a/etc/profile-a-l/eo-common.profile
+++ b/etc/profile-a-l/eo-common.profile
@@ -27,6 +27,7 @@ apparmor
 caps.drop all
 ipc-namespace
 machine-id
+net none
 no3d
 nodvd
 nogroups
@@ -38,6 +39,7 @@ nou2f
 novideo
 protocol unix,netlink
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/evince.profile b/etc/profile-a-l/evince.profile
index 77a48f0ba..c0c16e929 100644
--- a/etc/profile-a-l/evince.profile
+++ b/etc/profile-a-l/evince.profile
@@ -41,6 +41,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/ffmpeg.profile b/etc/profile-a-l/ffmpeg.profile
index fb5c9ee57..c6e9ba095 100644
--- a/etc/profile-a-l/ffmpeg.profile
+++ b/etc/profile-a-l/ffmpeg.profile
@@ -41,6 +41,7 @@ novideo
 protocol inet,inet6
 # allow set_mempolicy, which is required to encode using libx265
 seccomp !set_mempolicy
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/file-roller.profile b/etc/profile-a-l/file-roller.profile
index 745b8b8e9..2a1eb2001 100644
--- a/etc/profile-a-l/file-roller.profile
+++ b/etc/profile-a-l/file-roller.profile
@@ -34,6 +34,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/firefox-common.profile b/etc/profile-a-l/firefox-common.profile
index 7c343c26d..fe0a27828 100644
--- a/etc/profile-a-l/firefox-common.profile
+++ b/etc/profile-a-l/firefox-common.profile
@@ -27,6 +27,7 @@ whitelist ${DOWNLOADS}
 whitelist ${HOME}/.pki
 whitelist ${HOME}/.local/share/pki
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
 apparmor
diff --git a/etc/profile-a-l/flameshot.profile b/etc/profile-a-l/flameshot.profile
index 357354e70..851a7c747 100644
--- a/etc/profile-a-l/flameshot.profile
+++ b/etc/profile-a-l/flameshot.profile
@@ -45,6 +45,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/frogatto.profile b/etc/profile-a-l/frogatto.profile
index 653272499..23d259337 100644
--- a/etc/profile-a-l/frogatto.profile
+++ b/etc/profile-a-l/frogatto.profile
@@ -36,6 +36,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/gapplication.profile b/etc/profile-a-l/gapplication.profile
index 74b468020..e339f6abb 100644
--- a/etc/profile-a-l/gapplication.profile
+++ b/etc/profile-a-l/gapplication.profile
@@ -38,6 +38,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 x11 none
diff --git a/etc/profile-a-l/gedit.profile b/etc/profile-a-l/gedit.profile
index 17b7ad563..30251fbe5 100644
--- a/etc/profile-a-l/gedit.profile
+++ b/etc/profile-a-l/gedit.profile
@@ -37,6 +37,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/gfeeds.profile b/etc/profile-a-l/gfeeds.profile
index d97ab530b..b8d1b9608 100644
--- a/etc/profile-a-l/gfeeds.profile
+++ b/etc/profile-a-l/gfeeds.profile
@@ -49,6 +49,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/ghostwriter.profile b/etc/profile-a-l/ghostwriter.profile
index 5bb410278..c15174815 100644
--- a/etc/profile-a-l/ghostwriter.profile
+++ b/etc/profile-a-l/ghostwriter.profile
@@ -26,6 +26,7 @@ whitelist /usr/share/texlive
 whitelist /usr/share/pandoc*
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
 
 apparmor
 caps.drop all
@@ -41,6 +42,7 @@ nou2f
 novideo
 protocol unix,inet,inet6,netlink
 seccomp !chroot
+seccomp.block-secondary
 shell none
 #tracelog -- breaks
 
diff --git a/etc/profile-a-l/gitg.profile b/etc/profile-a-l/gitg.profile
index 71b8e9b11..3d80c1ed2 100644
--- a/etc/profile-a-l/gitg.profile
+++ b/etc/profile-a-l/gitg.profile
@@ -45,6 +45,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/gnome-calculator.profile b/etc/profile-a-l/gnome-calculator.profile
index ceb01f2a0..7780dfa65 100644
--- a/etc/profile-a-l/gnome-calculator.profile
+++ b/etc/profile-a-l/gnome-calculator.profile
@@ -38,6 +38,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/gnome-calendar.profile b/etc/profile-a-l/gnome-calendar.profile
index 3e815234c..9927fb869 100644
--- a/etc/profile-a-l/gnome-calendar.profile
+++ b/etc/profile-a-l/gnome-calendar.profile
@@ -36,6 +36,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/gnome-characters.profile b/etc/profile-a-l/gnome-characters.profile
index f4f3ae2d7..4d53a67dd 100644
--- a/etc/profile-a-l/gnome-characters.profile
+++ b/etc/profile-a-l/gnome-characters.profile
@@ -39,6 +39,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/gnome-contacts.profile b/etc/profile-a-l/gnome-contacts.profile
index 7a38bdc8a..03b89e394 100644
--- a/etc/profile-a-l/gnome-contacts.profile
+++ b/etc/profile-a-l/gnome-contacts.profile
@@ -32,6 +32,7 @@ nou2f
 novideo
 protocol unix,inet,inet6,netlink
 seccomp
+seccomp.block-secondary
 
 disable-mnt
 private-dev
diff --git a/etc/profile-a-l/gnome-hexgl.profile b/etc/profile-a-l/gnome-hexgl.profile
index 5ae7bbe01..bb5ef0eab 100644
--- a/etc/profile-a-l/gnome-hexgl.profile
+++ b/etc/profile-a-l/gnome-hexgl.profile
@@ -33,6 +33,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/gnome-keyring.profile b/etc/profile-a-l/gnome-keyring.profile
index ecbb74158..a0b9ef04e 100644
--- a/etc/profile-a-l/gnome-keyring.profile
+++ b/etc/profile-a-l/gnome-keyring.profile
@@ -9,8 +9,6 @@ include globals.local
 
 noblacklist ${HOME}/.gnupg
 
-whitelist ${HOME}/.gnupg
-whitelist ${DOWNLOADS}
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -19,9 +17,15 @@ include disable-interpreters.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+mkdir ${HOME}/.gnupg
+whitelist ${HOME}/.gnupg
+whitelist ${DOWNLOADS}
+whitelist ${RUNUSER}/gnupg
+whitelist ${RUNUSER}/keyring
 whitelist /usr/share/gnupg
 whitelist /usr/share/gnupg2
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
@@ -41,6 +45,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
@@ -52,6 +57,6 @@ private-dev
 private-tmp
 
 # dbus-user none
-# dbus-system none
+dbus-system none
 
 memory-deny-write-execute
diff --git a/etc/profile-a-l/gnome-latex.profile b/etc/profile-a-l/gnome-latex.profile
index 11d184bc6..87376da40 100644
--- a/etc/profile-a-l/gnome-latex.profile
+++ b/etc/profile-a-l/gnome-latex.profile
@@ -41,6 +41,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/gnome-maps.profile b/etc/profile-a-l/gnome-maps.profile
index eb0030dda..23629df95 100644
--- a/etc/profile-a-l/gnome-maps.profile
+++ b/etc/profile-a-l/gnome-maps.profile
@@ -54,6 +54,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/gnome-passwordsafe.profile b/etc/profile-a-l/gnome-passwordsafe.profile
index ed430b654..073de47b9 100644
--- a/etc/profile-a-l/gnome-passwordsafe.profile
+++ b/etc/profile-a-l/gnome-passwordsafe.profile
@@ -43,6 +43,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/gnome-photos.profile b/etc/profile-a-l/gnome-photos.profile
index 2af406af9..65cc23b5f 100644
--- a/etc/profile-a-l/gnome-photos.profile
+++ b/etc/profile-a-l/gnome-photos.profile
@@ -33,6 +33,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/gnome-screenshot.profile b/etc/profile-a-l/gnome-screenshot.profile
index 82fb1b658..2534eed5a 100644
--- a/etc/profile-a-l/gnome-screenshot.profile
+++ b/etc/profile-a-l/gnome-screenshot.profile
@@ -35,6 +35,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/gnome-sound-recorder.profile b/etc/profile-a-l/gnome-sound-recorder.profile
index a64ec25a9..2e063ebfe 100644
--- a/etc/profile-a-l/gnome-sound-recorder.profile
+++ b/etc/profile-a-l/gnome-sound-recorder.profile
@@ -33,6 +33,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/gnome-weather.profile b/etc/profile-a-l/gnome-weather.profile
index a181f1b9e..beed92a7d 100644
--- a/etc/profile-a-l/gnome-weather.profile
+++ b/etc/profile-a-l/gnome-weather.profile
@@ -37,6 +37,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/gnome_games-common.profile b/etc/profile-a-l/gnome_games-common.profile
index c46fbc1d9..56ed7a436 100644
--- a/etc/profile-a-l/gnome_games-common.profile
+++ b/etc/profile-a-l/gnome_games-common.profile
@@ -34,6 +34,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/gtk-straw-viewer.profile b/etc/profile-a-l/gtk-straw-viewer.profile
new file mode 100644
index 000000000..e2721360b
--- /dev/null
+++ b/etc/profile-a-l/gtk-straw-viewer.profile
@@ -0,0 +1,14 @@
+# Firejail profile for gtk-straw-viewer
+# Description: Gtk front-end to straw-viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gtk-straw-viewer.local
+# added by included profile
+#include globals.local
+
+ignore quiet
+
+include whitelist-runuser-common.inc
+
+# Redirect
+include straw-viewer.profile
diff --git a/etc/profile-a-l/gtk-youtube-viewer b/etc/profile-a-l/gtk-youtube-viewer.profile
index 023f10d3d..848979b52 100644
--- a/etc/profile-a-l/gtk-youtube-viewer
+++ b/etc/profile-a-l/gtk-youtube-viewer.profile
@@ -3,16 +3,12 @@
 # This file is overwritten after every install/update
 # Persistent local customizations
 include gtk-youtube-viewer.local
-# Persistent global definitions
-# include globals.local
+# added by included profile
+#include globals.local
 
 ignore quiet
 
-noblacklist /tmp/.X11-unix
-noblacklist ${RUNUSER}/wayland-*
-noblacklist ${RUNUSER}
-
 include whitelist-runuser-common.inc
 
 # Redirect
-include youtube-viewer.profile
\ No newline at end of file
+include youtube-viewer.profile
diff --git a/etc/profile-a-l/gtk2-youtube-viewer b/etc/profile-a-l/gtk2-youtube-viewer.profile
index 331e73218..dccadcf2e 100644
--- a/etc/profile-a-l/gtk2-youtube-viewer
+++ b/etc/profile-a-l/gtk2-youtube-viewer.profile
@@ -3,8 +3,8 @@
 # This file is overwritten after every install/update
 # Persistent local customizations
 include gtk2-youtube-viewer.local
-# Persistent global definitions
-# include globals.local
+# added by included profile
+#include globals.local
 
 ignore quiet
 
@@ -15,4 +15,4 @@ noblacklist ${RUNUSER}
 include whitelist-runuser-common.inc
 
 # Redirect
-include youtube-viewer.profile
\ No newline at end of file
+include youtube-viewer.profile
diff --git a/etc/profile-a-l/gtk3-youtube-viewer b/etc/profile-a-l/gtk3-youtube-viewer.profile
index 4c5bde55f..3d91e284d 100644
--- a/etc/profile-a-l/gtk3-youtube-viewer
+++ b/etc/profile-a-l/gtk3-youtube-viewer.profile
@@ -3,8 +3,8 @@
 # This file is overwritten after every install/update
 # Persistent local customizations
 include gtk3-youtube-viewer.local
-# Persistent global definitions
-# include globals.local
+# added by included profile
+#include globals.local
 
 ignore quiet
 
@@ -15,4 +15,4 @@ noblacklist ${RUNUSER}
 include whitelist-runuser-common.inc
 
 # Redirect
-include youtube-viewer.profile
\ No newline at end of file
+include youtube-viewer.profile
diff --git a/etc/profile-a-l/gucharmap.profile b/etc/profile-a-l/gucharmap.profile
index c0254b5ec..3df42d209 100644
--- a/etc/profile-a-l/gucharmap.profile
+++ b/etc/profile-a-l/gucharmap.profile
@@ -35,6 +35,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/keepassxc.profile b/etc/profile-a-l/keepassxc.profile
index 06447c3e6..58db056b2 100644
--- a/etc/profile-a-l/keepassxc.profile
+++ b/etc/profile-a-l/keepassxc.profile
@@ -55,6 +55,7 @@ nou2f
 novideo
 protocol unix,netlink
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/libreoffice.profile b/etc/profile-a-l/libreoffice.profile
index f9c92f6f6..031f0e19f 100644
--- a/etc/profile-a-l/libreoffice.profile
+++ b/etc/profile-a-l/libreoffice.profile
@@ -43,6 +43,8 @@ shell none
 # comment tracelog when using the ubuntu 18.04/debian 10 apparmor profile
 tracelog
 
+#private-bin libreoffice,sh,uname,dirname,grep,sed,basename,ls
+private-cache
 private-dev
 private-tmp
 
diff --git a/etc/profile-m-z/megaglest.profile b/etc/profile-m-z/megaglest.profile
index 19f9edf05..37ac9e304 100644
--- a/etc/profile-m-z/megaglest.profile
+++ b/etc/profile-m-z/megaglest.profile
@@ -14,6 +14,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.megaglest
@@ -37,6 +38,7 @@ nou2f
 novideo
 protocol unix,inet,inet6,netlink
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-m-z/meld.profile b/etc/profile-m-z/meld.profile
index 385700648..6ceeb867f 100644
--- a/etc/profile-m-z/meld.profile
+++ b/etc/profile-m-z/meld.profile
@@ -62,6 +62,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-m-z/menulibre.profile b/etc/profile-m-z/menulibre.profile
index 3468bc22d..c70090a25 100644
--- a/etc/profile-m-z/menulibre.profile
+++ b/etc/profile-m-z/menulibre.profile
@@ -44,6 +44,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-m-z/minetest.profile b/etc/profile-m-z/minetest.profile
index a22d2c2e3..5678a781c 100644
--- a/etc/profile-m-z/minetest.profile
+++ b/etc/profile-m-z/minetest.profile
@@ -47,6 +47,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-m-z/mpv.profile b/etc/profile-m-z/mpv.profile
index 389b64535..ce3bfe421 100644
--- a/etc/profile-m-z/mpv.profile
+++ b/etc/profile-m-z/mpv.profile
@@ -67,6 +67,7 @@ noroot
 nou2f
 protocol unix,inet,inet6,netlink
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-m-z/patch.profile b/etc/profile-m-z/patch.profile
index 8663fb453..6cbaa66ad 100644
--- a/etc/profile-m-z/patch.profile
+++ b/etc/profile-m-z/patch.profile
@@ -37,6 +37,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 x11 none
diff --git a/etc/profile-m-z/pdftotext.profile b/etc/profile-m-z/pdftotext.profile
index eee42424f..2a7d0cec1 100644
--- a/etc/profile-m-z/pdftotext.profile
+++ b/etc/profile-m-z/pdftotext.profile
@@ -13,6 +13,7 @@ noblacklist ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -40,6 +41,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 x11 none
diff --git a/etc/profile-m-z/peek.profile b/etc/profile-m-z/peek.profile
index 28a7da404..710a533a9 100644
--- a/etc/profile-m-z/peek.profile
+++ b/etc/profile-m-z/peek.profile
@@ -41,6 +41,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-m-z/pngquant.profile b/etc/profile-m-z/pngquant.profile
index 83905b108..3513e91cc 100644
--- a/etc/profile-m-z/pngquant.profile
+++ b/etc/profile-m-z/pngquant.profile
@@ -7,6 +7,8 @@ include pngquant.local
 # Persistent global definitions
 include globals.local
 
+noblacklist ${PICTURES}
+
 blacklist ${RUNUSER}/wayland-*
 
 include disable-common.inc
@@ -16,6 +18,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
+include disable-xdg.inc
 
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/rhythmbox.profile b/etc/profile-m-z/rhythmbox.profile
index f906ec31d..e7f379509 100644
--- a/etc/profile-m-z/rhythmbox.profile
+++ b/etc/profile-m-z/rhythmbox.profile
@@ -45,10 +45,12 @@ nou2f
 novideo
 protocol unix,inet,inet6,netlink
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
 private-bin rhythmbox,rhythmbox-client
+private-cache
 private-dev
 private-tmp
 
diff --git a/etc/profile-m-z/seahorse.profile b/etc/profile-m-z/seahorse.profile
index 85d86d646..8bb1f53a7 100644
--- a/etc/profile-m-z/seahorse.profile
+++ b/etc/profile-m-z/seahorse.profile
@@ -63,6 +63,7 @@ private-etc ca-certificates,crypto-policies,dconf,fonts,gconf,gtk-2.0,gtk-3.0,ho
 writable-run-user
 
 dbus-user filter
+dbus-user.own org.gnome.seahorse
 dbus-user.own org.gnome.seahorse.Application
 dbus-user.talk org.freedesktop.secrets
 dbus-system none
diff --git a/etc/profile-m-z/shellcheck.profile b/etc/profile-m-z/shellcheck.profile
index 6cd70c2ea..c67a88161 100644
--- a/etc/profile-m-z/shellcheck.profile
+++ b/etc/profile-m-z/shellcheck.profile
@@ -40,6 +40,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 x11 none
diff --git a/etc/profile-m-z/sqlitebrowser.profile b/etc/profile-m-z/sqlitebrowser.profile
index cdb20b4e0..110434736 100644
--- a/etc/profile-m-z/sqlitebrowser.profile
+++ b/etc/profile-m-z/sqlitebrowser.profile
@@ -18,6 +18,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
@@ -35,6 +36,7 @@ nou2f
 novideo
 protocol unix,inet,inet6,netlink
 seccomp
+seccomp.block-secondary
 shell none
 
 private-bin sqlitebrowser
diff --git a/etc/profile-m-z/straw-viewer.profile b/etc/profile-m-z/straw-viewer.profile
new file mode 100644
index 000000000..721ad38ee
--- /dev/null
+++ b/etc/profile-m-z/straw-viewer.profile
@@ -0,0 +1,58 @@
+# Firejail profile for straw-viewer
+# Description: Fork of youtube-viewer acts like an invidious frontend
+quiet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include straw-viewer.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/straw-viewer
+noblacklist ${HOME}/.config/straw-viewer
+
+include allow-lua.inc
+include allow-perl.inc
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/straw-viewer
+mkdir ${HOME}/.cache/straw-viewer
+whitelist ${HOME}/.cache/straw-viewer
+whitelist ${HOME}/.config/straw-viewer
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin bash,ffmpeg,ffprobe,gtk-straw-viewer,mpv,perl,python*,sh,smplayer,straw-viewer,stty,vlc,wget,which,youtube-dl
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,machine-id,mime.types,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl,X11,xdg
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/strings.profile b/etc/profile-m-z/strings.profile
index 426b2dc1c..09ada1e25 100644
--- a/etc/profile-m-z/strings.profile
+++ b/etc/profile-m-z/strings.profile
@@ -38,6 +38,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 x11 none
diff --git a/etc/profile-m-z/supertux2.profile b/etc/profile-m-z/supertux2.profile
index ceaae8fbf..9cc023765 100644
--- a/etc/profile-m-z/supertux2.profile
+++ b/etc/profile-m-z/supertux2.profile
@@ -36,6 +36,7 @@ nou2f
 novideo
 protocol unix,netlink
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-m-z/supertuxkart.profile b/etc/profile-m-z/supertuxkart.profile
index 40b996794..ff99c234e 100644
--- a/etc/profile-m-z/supertuxkart.profile
+++ b/etc/profile-m-z/supertuxkart.profile
@@ -43,6 +43,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-m-z/thunderbird.profile b/etc/profile-m-z/thunderbird.profile
index e3eb73730..2e7b69cec 100644
--- a/etc/profile-m-z/thunderbird.profile
+++ b/etc/profile-m-z/thunderbird.profile
@@ -6,6 +6,8 @@ include thunderbird.local
 # Persistent global definitions
 include globals.local
 
+ignore whitelist-runuser-common.inc
+
 # writable-run-user and dbus are needed by enigmail
 ignore dbus-user none
 ignore dbus-system none
diff --git a/etc/profile-m-z/transmission-common.profile b/etc/profile-m-z/transmission-common.profile
index 9d2e8e990..d601f0f15 100644
--- a/etc/profile-m-z/transmission-common.profile
+++ b/etc/profile-m-z/transmission-common.profile
@@ -39,6 +39,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-m-z/vivaldi.profile b/etc/profile-m-z/vivaldi.profile
index 541942453..cd06b7f4c 100644
--- a/etc/profile-m-z/vivaldi.profile
+++ b/etc/profile-m-z/vivaldi.profile
@@ -29,6 +29,8 @@ whitelist ${HOME}/.config/vivaldi
 whitelist ${HOME}/.config/vivaldi-snapshot
 whitelist ${HOME}/.local/lib/vivaldi
 
+#private-bin bash,cat,dirname,readlink,rm,vivaldi,vivaldi-stable,vivaldi-snapshot
+
 # breaks vivaldi sync
 ignore dbus-user none
 ignore dbus-system none
diff --git a/etc/profile-m-z/wget.profile b/etc/profile-m-z/wget.profile
index cdb8f0b93..8a64d2d73 100644
--- a/etc/profile-m-z/wget.profile
+++ b/etc/profile-m-z/wget.profile
@@ -44,6 +44,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-m-z/whois.profile b/etc/profile-m-z/whois.profile
index 2af1379e0..a9cecb18d 100644
--- a/etc/profile-m-z/whois.profile
+++ b/etc/profile-m-z/whois.profile
@@ -39,6 +39,7 @@ nou2f
 novideo
 protocol inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-m-z/xournal.profile b/etc/profile-m-z/xournal.profile
index b842b5307..0c6969e09 100644
--- a/etc/profile-m-z/xournal.profile
+++ b/etc/profile-m-z/xournal.profile
@@ -36,6 +36,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-m-z/yelp.profile b/etc/profile-m-z/yelp.profile
index fd95ceb04..e198af8b2 100644
--- a/etc/profile-m-z/yelp.profile
+++ b/etc/profile-m-z/yelp.profile
@@ -41,6 +41,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-m-z/youtube-dl.profile b/etc/profile-m-z/youtube-dl.profile
index db3535f78..d9dee6891 100644
--- a/etc/profile-m-z/youtube-dl.profile
+++ b/etc/profile-m-z/youtube-dl.profile
@@ -52,6 +52,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-m-z/youtube-viewer.profile b/etc/profile-m-z/youtube-viewer.profile
index 513cb0f6e..a3a2afa29 100644
--- a/etc/profile-m-z/youtube-viewer.profile
+++ b/etc/profile-m-z/youtube-viewer.profile
@@ -7,10 +7,6 @@ include youtube-viewer.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
-blacklist ${RUNUSER}
-
 noblacklist ${HOME}/.config/youtube-viewer
 
 include allow-perl.inc
@@ -47,11 +43,11 @@ shell none
 tracelog
 
 disable-mnt
-# private-bin ffmpeg,ffprobe,firefox,gtk-youtube-viewer,gtk2-youtube-viewer,gtk3-youtube-viewer,mpv,python*,smplayer,sh,which,vlc,youtube-dl,youtube-viewer
+private-bin ffmpeg,ffprobe,firefox,gtk-youtube-viewer,gtk2-youtube-viewer,gtk3-youtube-viewer,mpv,python*,sh,smplayer,stty,vlc,which,youtube-dl,youtube-viewer
 private-cache
 private-dev
 private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,machine-id,mime.types,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl,X11,xdg
 private-tmp
 
 dbus-user none
-dbus-system none
\ No newline at end of file
+dbus-system none
diff --git a/etc/templates/profile.template b/etc/templates/profile.template
index d57306aee..3d37fc827 100644
--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -157,6 +157,7 @@ include globals.local
 #seccomp
 ##seccomp !chroot
 ##seccomp.drop SYSCALLS (see syscalls.txt)
+#seccomp.block-secondary
 #shell none
 #tracelog
 # Prefer 'x11 none' instead of 'blacklist /tmp/.X11-unix' if 'net none' is set
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index b0a223911..8794076c6 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -334,6 +334,7 @@ gradio
 gramps
 gravity-beams-and-evaporating-stars
 gthumb
+gtk-straw-viewer
 gtk-youtube-viewer
 gtk2-youtube-viewer
 gtk3-youtube-viewer
@@ -682,6 +683,7 @@ steam-native
 steam-runtime
 stellarium
 strawberry
+straw-viewer
 strings
 studio.sh
 subdownloader
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index ef7dccbfb..9524254c1 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -412,7 +412,7 @@ There is no root account (uid 0) defined in the namespace.
 \fBprotocol protocol1,protocol2,protocol3
 Enable protocol filter. The filter is based on seccomp and  checks the
 first argument to socket system call. Recognized values: \fBunix\fR,
-\fBinet\fR, \fBinet6\fR, \fBnetlink\fR and \fBpacket\fR.
+\fBinet\fR, \fBinet6\fR, \fBnetlink\fR, \fBpacket\fR and \fBbluetooth\fR.
 .TP
 \fBseccomp
 Enable seccomp filter and blacklist the syscalls in the default list. See man 1 firejail for more details.
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 219eba10e..8c73962fb 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -2003,7 +2003,7 @@ $ firejail \-\-profile.print=browser
 .TP
 \fB\-\-protocol=protocol,protocol,protocol
 Enable protocol filter. The filter is based on seccomp and checks the first argument to socket system call.
-Recognized values: unix, inet, inet6, netlink and packet. This option is not supported for i386 architecture.
+Recognized values: unix, inet, inet6, netlink, packet and bluetooth. This option is not supported for i386 architecture.
 .br
 
 .br