53 files changed, 423 insertions, 217 deletions

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 6a2786427..b53b69f75 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -18,5 +18,11 @@ we can handle the report more easily:
  let us know if it runs correctly or not.
  - You may also try disabling various options provided in `/etc/firejail/<ProgramName.profile>` until you find out which one causes problems. It will significantly help to find solution for your issue.
 
+Please note: if you are running Debian, Ubuntu, Linux Mint, or another related
+distribution and you installed firejail from your distro's repositories, please
+ensure that **both** of the following were installed:
+`firejail` and `firejail-profiles`. A common source of issues is that
+firejail-profiles was not installed when installing firejail.
+
 We take security bugs very seriously. If you believe you have found one, please report it by
 emailing us at netblue30@yahoo.com
diff --git a/README b/README
index 4bcbdd4b2..d41ae967a 100644
--- a/README
+++ b/README
@@ -49,6 +49,8 @@ Committers
 
 Firejail Authors (alphabetical order)
 
+7twin (https://github.com/7twin_
+        - fix typos
 1dnrr (https://github.com/1dnrr)
         - add pybitmessage profile
 Aidan Gauland (https://github.com/aidalgol)
@@ -439,6 +441,7 @@ n1trux (https://github.com/n1trux)
         - fix flashpeak-slimjet profile typos
 Nick Fox (https://github.com/njfox)
         - add a profile alias for code-oss
+        - add code-oss config directory
 NickMolloy (https://github.com/NickMolloy)
         - ARP address length fix
 Niklas Haas (https://github.com/haasn)
@@ -450,6 +453,7 @@ Ondra Nekola (https://github.com/satai)
 Lorenzo "Palinuro" Faletra (https://github.com/PalinuroSec)
         - prevent thunderbird conflicts when firefox is running
         - add join-or-start to pluma to open multiple files in tabs
+        - fixes to keepassxc, thunderbird and pluma
 Panzerfather (https://github.com/Panzerfather)
         - allow eog to access user's trash
 Patrick Toomey (https://sourceforge.net/u/ptoomey/profile/)
@@ -478,6 +482,8 @@ Petter Reinholdtsen (pere@hungry.com)
 PharmaceuticalCobweb (https://github.com/PharmaceuticalCobweb)
         - fix quiterss profile
         - added profile for gnome-ring
+pianoslum (https://github.com/pianoslum)
+        - nodbus breaking evince two-page-view warning
 pirate486743186 (https://github.com/pirate486743186)
         - KMail profile
         - mpsyt profile
@@ -536,9 +542,10 @@ rusty-snake (https://github.com/rusty-snake)
         - added profiles: thunderbird-wayland, supertuxkart, ghostwriter
         - added profiles: klavaro, mypaint, mypaint-ora-thumbnailer, nano
         - added profiles: gajim-history-manager, freemind, nomacs, kid3
-        - added profiles: kid3-qt, kid3-cli, anki, anki
+        - added profiles: kid3-qt, kid3-cli, anki
         - fixed profiles: kdenlive, bibletime, rhythmbox, gajim, seahorse
         - fixed profiles: libreoffice, gnome-maps, wget, seahorse-tool
+        - fixed profiles: gnome-logs
         - hardened profiles: disable-common.inc, disable-programs.inc
         - hardened profiles: gajim, evince, ffmpeg, feh-network.inc, qtox
         - hardened profiles: gnome-clocks, meld, minetest, youtube-dl
@@ -552,6 +559,8 @@ sarneaud (https://github.com/sarneaud)
         - various enhancements and bug fixes
 Sergey Alirzaev (https://github.com/l29ah)
         - firejail.h enum fix
+Tobias Schmidl (https://github.com/schtobia)
+        - added profile for webui-aria2
 Simon Peter (https://github.com/probonopd)
         - set $APPIMAGE and $APPDIR environment variables
         - AppImage version detection
@@ -714,6 +723,12 @@ veloute (https://github.com/veloute)
         - fixed discord profile
         - fixes for various profiles
         - removed vim and ranger from firecfg
+        - fixing keepassxc auto-type, noexec /tmp
+        - fix ipc-namespace prblem in file-roller
+        - fix exiftool, viewnior, aria2c, ffmpegthumbnailer
+        - fix pavucontrol (ipcnamespace)
+        - fix gnuchess
+        - add anki profile
 Vincent43 (https://github.com/Vincent43)
         - apparmor enhancements
 vismir2 (https://github.com/vismir2)
diff --git a/README.md b/README.md
index 29a2fadff..429f3362c 100644
--- a/README.md
+++ b/README.md
@@ -102,5 +102,4 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe
 ## Current development version: 0.9.59
 
 ## New profiles:
-crow, nyx, klavaro, mypaint, celluoid, nano, transgui, sysprof, simplescreenrecorder, geekbench, xfce4-mixer, pavucontrol, d-feet, seahorse, secret-tool, gnome-keyring, regextester, hardinfo, gnome-system-log, gnome-nettool, netactview, redshift, devhelp, assogiate, subdownloader, font-manager, exfalso, gconf-editor, dconf-editor, mpdris2, sysprof-cli, seahorse-tool, secret-tool, dconf, gsettings, code-oss, pragha, Maelstrom, ostrichriders, bzflag, freeciv, lincity-ng, megaglest, openttd, crawl, crawl-tiles, teeworlds, torcs, tremulous, warsow, lugaru, manaplus, pioneer, scorched3d, widelands, freemind, kid3, kid3-cli, kid3-qt, nomacs, freecol, opencity, openclonk, slashem, vulturesclaw, vultureseye, anki
-
+anki, assogiate, autokey-gtk, autokey-qt, autokey-run, autokey-shell, bzflag, celluoid, code-oss, crawl, crawl-tiles, crow, d-feet, dconf, dconf-editor, devhelp, exfalso, font-manager, freeciv, freecol, freemind, gconf-editor, geekbench, gnome-keyring, gnome-nettool, gnome-system-log, gsettings, kid3, kid3-cli, kid3-qt, klavaro, lincity-ng, lugaru, Maelstrom, manaplus, megaglest, mpdris2, mypaint, nano, netactview, nomacs, nyx, opencity, openclonk, openttd, ostrichriders, pavucontrol, pioneer, pragha, redshift, regextester, seahorse, seahorse-tool, scorched3d, secret-tool, simplescreenrecorder, slashem, subdownloader, sysprof, sysprof-cli, teeworlds, torcs, tremulous, transgui, vulturesclaw, vultureseye, warsow, widelands, xfce4-mixer
diff --git a/RELNOTES b/RELNOTES
index 3e5329a52..a3cf6bea0 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -12,6 +12,7 @@ firejail (0.9.59) baseline; urgency=low
   * new profiles: pioneer, scorched3d, widelands, freemind, kid3, kid3-qt
   * new profiles: kid3-cli, nomacs, freecol, opencity, openclonk, slashem
   * new profiles: vultureseye, vulturesclaw, anki
+  * new profiles: autokey-gtk, autokey-qt, autokey-run, autokey-shell
   * memory-deny-write-execute now also blocks memfd_create
   * drop support for flatpak/snap packages
 
diff --git a/etc/0ad.profile b/etc/0ad.profile
index 674fb2c6a..88c9c453b 100644
--- a/etc/0ad.profile
+++ b/etc/0ad.profile
@@ -12,6 +12,7 @@ noblacklist ${HOME}/.local/share/0ad
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -44,5 +45,3 @@ private-bin 0ad,pyrogenesis,sh,which
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/2048-qt.profile b/etc/2048-qt.profile
index 10f354f19..2347039a6 100644
--- a/etc/2048-qt.profile
+++ b/etc/2048-qt.profile
@@ -11,6 +11,7 @@ noblacklist ${HOME}/.config/xiaoyong
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -39,6 +40,3 @@ shell none
 disable-mnt
 private-dev
 private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/Builder.profile b/etc/Builder.profile
new file mode 100644
index 000000000..128e0dfe3
--- /dev/null
+++ b/etc/Builder.profile
@@ -0,0 +1,7 @@
+# Firejail profile for gnome-builder
+# This file is overwritten after every install/update
+
+
+# Temporary fix for https://github.com/netblue30/firejail/issues/2624
+# Redirect
+include gnome-builder.profile
diff --git a/etc/Documents.profile b/etc/Documents.profile
new file mode 100644
index 000000000..c965c55a8
--- /dev/null
+++ b/etc/Documents.profile
@@ -0,0 +1,7 @@
+# Firejail profile for gnome-documents
+# This file is overwritten after every install/update
+
+
+# Temporary fix for https://github.com/netblue30/firejail/issues/2624
+# Redirect
+include gnome-documents.profile
diff --git a/etc/Logs.profile b/etc/Logs.profile
new file mode 100644
index 000000000..f82722ed4
--- /dev/null
+++ b/etc/Logs.profile
@@ -0,0 +1,7 @@
+# Firejail profile for gnome-logs
+# This file is overwritten after every install/update
+
+
+# Temporary fix for https://github.com/netblue30/firejail/issues/2624
+# Redirect
+include gnome-logs.profile
diff --git a/etc/Maps.profile b/etc/Maps.profile
new file mode 100644
index 000000000..b3fc03e38
--- /dev/null
+++ b/etc/Maps.profile
@@ -0,0 +1,7 @@
+# Firejail profile for gnome-maps
+# This file is overwritten after every install/update
+
+
+# Temporary fix for https://github.com/netblue30/firejail/issues/2624
+# Redirect
+include gnome-maps.profile
diff --git a/etc/assogiate.profile b/etc/assogiate.profile
index c579cc280..6a9848e83 100644
--- a/etc/assogiate.profile
+++ b/etc/assogiate.profile
@@ -7,6 +7,7 @@ include assogiate.local
 include globals.local
 
 noblacklist ${PICTURES}
+whitelist ${PICTURES}
 
 include disable-common.inc
 include disable-devel.inc
@@ -15,9 +16,8 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
-
-whitelist ${PICTURES}
 include whitelist-common.inc
+include whitelist-var-common.inc
 
 apparmor
 caps.drop all
@@ -39,7 +39,7 @@ shell none
 tracelog
 
 disable-mnt
-private-bin assogiate,gtk-update-icon-cache
+private-bin assogiate,gtk-update-icon-cache,update-mime-database
 private-cache
 private-dev
 private-lib gnome-vfs-2.0,libattr.so.*,libacl.so.*,libfam.so.*
diff --git a/etc/atom.profile b/etc/atom.profile
index 995c5598d..1c0afb277 100644
--- a/etc/atom.profile
+++ b/etc/atom.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.atom
 noblacklist ${HOME}/.config/Atom
 noblacklist ${HOME}/.cargo/config
 noblacklist ${HOME}/.cargo/registry
+noblacklist ${HOME}/.gitconfig
 
 include disable-common.inc
 include disable-passwdmgr.inc
diff --git a/etc/autokey-common.profile b/etc/autokey-common.profile
new file mode 100644
index 000000000..44c0a3c15
--- /dev/null
+++ b/etc/autokey-common.profile
@@ -0,0 +1,47 @@
+# Firejail profile for autokey
+# Description: Desktop automation utility
+# This file is overwritten after every install/update
+# Persistent local customizations
+include autokey-common.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/autokey
+noblacklist ${HOME}/.local/share/autokey
+
+# Allow python (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python2*
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python2*
+noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
+noblacklist /usr/share/python2*
+noblacklist /usr/share/python3*
+
+include disable-common.inc
+include disable-devel.inc
+# disable-exec.inc might break scripting functionality
+#include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+no3d
+nogroups
+nonewprivs
+noroot
+nou2f
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-cache
+private-dev
+private-tmp
+
+# memory-deny-write-execute - Breaks on Arch
diff --git a/etc/autokey-gtk.profile b/etc/autokey-gtk.profile
new file mode 100644
index 000000000..86168ba0d
--- /dev/null
+++ b/etc/autokey-gtk.profile
@@ -0,0 +1,11 @@
+# Firejail profile for autokey-gtk
+# Description: Desktop automation utility (GTK version)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include autokey-gtk.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+#Redirect
+include autokey-common.profile
diff --git a/etc/autokey-qt.profile b/etc/autokey-qt.profile
new file mode 100644
index 000000000..f3877d829
--- /dev/null
+++ b/etc/autokey-qt.profile
@@ -0,0 +1,11 @@
+# Firejail profile for autokey-qt
+# Description: Desktop automation utility (Qt version)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include autokey-qt.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+#Redirect
+include autokey-common.profile
diff --git a/etc/autokey-run.profile b/etc/autokey-run.profile
new file mode 100644
index 000000000..b70239022
--- /dev/null
+++ b/etc/autokey-run.profile
@@ -0,0 +1,11 @@
+# Firejail profile for autokey-run
+# Description: Desktop automation utility (CLI version)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include autokey-run.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+#Redirect
+include autokey-common.profile
diff --git a/etc/autokey-shell.profile b/etc/autokey-shell.profile
new file mode 100644
index 000000000..5745fce77
--- /dev/null
+++ b/etc/autokey-shell.profile
@@ -0,0 +1,11 @@
+# Firejail profile for autokey-shell
+# Description: Desktop automation utility (CLI shell)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include autokey-shell.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+#Redirect
+include autokey-common.profile
diff --git a/etc/brackets.profile b/etc/brackets.profile
index cead6ec24..46870e1ad 100644
--- a/etc/brackets.profile
+++ b/etc/brackets.profile
@@ -9,8 +9,10 @@ noblacklist ${HOME}/.config/Brackets
 #noblacklist /opt/brackets/
 #noblacklist /opt/google/
 # Uncomment the the next two lines if you are developing rust.
+# or put it in your brackets.local
 #noblacklist ${HOME}/.cargo/config
 #noblacklist ${HOME}/.cargo/registry
+noblacklist ${HOME}/.gitconfig
 
 include disable-common.inc
 include disable-passwdmgr.inc
diff --git a/etc/calibre.profile b/etc/calibre.profile
index 5c7d3e1e7..363e9191d 100644
--- a/etc/calibre.profile
+++ b/etc/calibre.profile
@@ -12,6 +12,7 @@ noblacklist ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
@@ -36,6 +37,3 @@ tracelog
 
 private-dev
 private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/cherrytree.profile b/etc/cherrytree.profile
index 22bda418a..44ef12aa2 100644
--- a/etc/cherrytree.profile
+++ b/etc/cherrytree.profile
@@ -19,6 +19,7 @@ noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -44,5 +45,3 @@ private-cache
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/clocks.profile b/etc/clocks.profile
new file mode 100644
index 000000000..dd234ce44
--- /dev/null
+++ b/etc/clocks.profile
@@ -0,0 +1,7 @@
+# Firejail profile for gnome-clocks
+# This file is overwritten after every install/update
+
+
+# Temporary fix for https://github.com/netblue30/firejail/issues/2624
+# Redirect
+include gnome-clocks.profile
diff --git a/etc/eom.profile b/etc/eom.profile
index a6007f99c..745e650aa 100644
--- a/etc/eom.profile
+++ b/etc/eom.profile
@@ -13,6 +13,7 @@ noblacklist ${HOME}/.steam
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -43,5 +44,3 @@ private-lib
 private-tmp
 
 #memory-deny-write-execute - breaks on Arch
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/evince.profile b/etc/evince.profile
index c3c6d4be0..b1f984784 100644
--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -11,6 +11,7 @@ noblacklist ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -23,7 +24,8 @@ machine-id
 # net none - breaks AppArmor on Ubuntu systems
 netfilter
 no3d
-nodbus # might break two-page-view on some systems
+# nodbus might break two-page-view on some systems
+nodbus
 nodvd
 nogroups
 nonewprivs
@@ -45,5 +47,3 @@ private-lib evince,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libdjvulibre.so.*,li
 private-tmp
 
 # memory-deny-write-execute - might break application (https://github.com/netblue30/firejail/issues/1803)
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/frozen-bubble.profile b/etc/frozen-bubble.profile
index ed3b4490f..6de61840c 100644
--- a/etc/frozen-bubble.profile
+++ b/etc/frozen-bubble.profile
@@ -8,6 +8,13 @@ include globals.local
 
 noblacklist ${HOME}/.frozen-bubble
 
+# Allow perl (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/cpan*
+noblacklist ${PATH}/core_perl
+noblacklist ${PATH}/perl
+noblacklist /usr/lib/perl*
+noblacklist /usr/share/perl*
+
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
diff --git a/etc/geany.profile b/etc/geany.profile
index a21e19329..7f96449c9 100644
--- a/etc/geany.profile
+++ b/etc/geany.profile
@@ -8,6 +8,7 @@ include globals.local
 
 noblacklist ${HOME}/.config/geany
 noblacklist ${HOME}/.python-history
+noblacklist ${HOME}/.gitconfig
 
 include disable-common.inc
 include disable-passwdmgr.inc
diff --git a/etc/gnome-builder.profile b/etc/gnome-builder.profile
index 05ebea80c..d5e3cd435 100644
--- a/etc/gnome-builder.profile
+++ b/etc/gnome-builder.profile
@@ -9,6 +9,7 @@ include globals.local
 noblacklist ${HOME}/.cargo/config
 noblacklist ${HOME}/.cargo/registry
 noblacklist ${HOME}/.python-history
+noblacklist ${HOME}/.gitconfig
 
 include disable-common.inc
 include disable-passwdmgr.inc
diff --git a/etc/gnome-chess.profile b/etc/gnome-chess.profile
index dc5b62428..2f4626891 100644
--- a/etc/gnome-chess.profile
+++ b/etc/gnome-chess.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.local/share/gnome-chess
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -37,6 +38,3 @@ private-bin fairymax,gnome-chess,hoichess,gnuchess
 private-dev
 private-etc alternatives,fonts,gnome-chess
 private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/gnome-contacts.profile b/etc/gnome-contacts.profile
index 2a13b3b27..ac6d82451 100644
--- a/etc/gnome-contacts.profile
+++ b/etc/gnome-contacts.profile
@@ -10,6 +10,7 @@ noblacklist ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -35,5 +36,3 @@ disable-mnt
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/gnome-logs.profile b/etc/gnome-logs.profile
index c7cbd8388..9a12162db 100644
--- a/etc/gnome-logs.profile
+++ b/etc/gnome-logs.profile
@@ -26,6 +26,7 @@ nodbus
 nodvd
 # When using 'volatile' storage (https://www.freedesktop.org/software/systemd/man/journald.conf.html),
 # comment both 'nogroups' and 'noroot'
+# or put 'ignore nogroups' and 'ignore noroot' to your gnome-logs.local.
 nogroups
 nonewprivs
 noroot
@@ -46,7 +47,5 @@ private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.s
 private-tmp
 writable-var-log
 
-memory-deny-write-execute
-
 # comment this if you export logs to a file in your ${HOME}
 read-only ${HOME}
diff --git a/etc/hexchat.profile b/etc/hexchat.profile
index e8abf4b31..ee70e6655 100644
--- a/etc/hexchat.profile
+++ b/etc/hexchat.profile
@@ -19,6 +19,7 @@ noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -53,5 +54,3 @@ private-dev
 private-tmp
 
 # memory-deny-write-execute - breaks python
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/leafpad.profile b/etc/leafpad.profile
index 47ea5606a..56a792c8e 100644
--- a/etc/leafpad.profile
+++ b/etc/leafpad.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/leafpad
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -36,5 +37,3 @@ private-dev
 private-lib
 private-tmp
 
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/mousepad.profile b/etc/mousepad.profile
index 4500f74a5..3b9807b28 100644
--- a/etc/mousepad.profile
+++ b/etc/mousepad.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/Mousepad
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
diff --git a/etc/ping.profile b/etc/ping.profile
index bdd29c1a1..66574bab5 100644
--- a/etc/ping.profile
+++ b/etc/ping.profile
@@ -8,6 +8,7 @@ include globals.local
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -46,5 +47,3 @@ private-tmp
 
 # memory-deny-write-execute is built using seccomp; nonewprivs will kill it
 #memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/pinta.profile b/etc/pinta.profile
index 3dfe3cc1b..8151bc98f 100644
--- a/etc/pinta.profile
+++ b/etc/pinta.profile
@@ -12,6 +12,7 @@ noblacklist ${PICTURES}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -37,5 +38,3 @@ private-dev
 private-cache
 private-tmp
 
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/sol.profile b/etc/sol.profile
index c194eed05..ea1620b31 100644
--- a/etc/sol.profile
+++ b/etc/sol.profile
@@ -7,6 +7,7 @@ include globals.local
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -40,5 +41,3 @@ private-dev
 private-tmp
 
 # memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/utox.profile b/etc/utox.profile
new file mode 100644
index 000000000..9216a6a05
--- /dev/null
+++ b/etc/utox.profile
@@ -0,0 +1,47 @@
+# Firejail profile for utox
+# Description: Lightweight Tox client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include utox.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/tox
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/tox
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.config/tox
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin utox
+private-cache
+private-dev
+private-etc alternatives,fonts,resolv.conf,ld.so.cache,localtime,ca-certificates,ssl,pki,crypto-policies,machine-id,pulse,openal
+private-tmp
+
+memory-deny-write-execute
diff --git a/etc/virtualbox.profile b/etc/virtualbox.profile
index 1ef44dd5c..45f9949f3 100644
--- a/etc/virtualbox.profile
+++ b/etc/virtualbox.profile
@@ -14,6 +14,7 @@ noblacklist /usr/lib/virtualbox
 noblacklist /usr/lib64/virtualbox
 
 include disable-common.inc
+include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
diff --git a/etc/warzone2100.profile b/etc/warzone2100.profile
index 816f2236c..85cbc5e43 100644
--- a/etc/warzone2100.profile
+++ b/etc/warzone2100.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.warzone2100-3.*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
diff --git a/etc/wget.profile b/etc/wget.profile
index c0a6f0d21..a7ef32e2c 100644
--- a/etc/wget.profile
+++ b/etc/wget.profile
@@ -13,6 +13,7 @@ noblacklist ${HOME}/.wget-hsts
 noblacklist ${HOME}/.wgetrc
 
 include disable-common.inc
+include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
@@ -38,5 +39,3 @@ private-dev
 # private-etc alternatives,resolv.conf,ca-certificates,ssl,pki,crypto-policies
 # private-tmp
 
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/xcalc.profile b/etc/xcalc.profile
index 1941787b1..0ad423d30 100644
--- a/etc/xcalc.profile
+++ b/etc/xcalc.profile
@@ -7,6 +7,7 @@ include globals.local
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -38,5 +39,3 @@ private-dev
 private-lib
 private-tmp
 
-noexec ${HOME}
-noexec /tmp
diff --git a/src/firecfg/desktop_files.c b/src/firecfg/desktop_files.c
index a40b5a824..c8f684abc 100644
--- a/src/firecfg/desktop_files.c
+++ b/src/firecfg/desktop_files.c
@@ -56,8 +56,10 @@ static int have_profile(const char *filename, const char *homedir) {
         if (arg_debug)
                 printf("checking profile for %s\n", filename);
 
-        // we get strange names here, such as .org.gnom.gedit.desktop, com.uploadedlobster.peek.desktop,
+        // we get strange names here, such as .org.gnome.gedit.desktop, com.uploadedlobster.peek.desktop,
         // or io.github.Pithos.desktop; extract the word before .desktop
+        // TODO: implement proper fix for #2624 (names like org.gnome.Logs.desktop fall thru
+        // the 'last word' logic and don't get installed to ~/.local/share/applications
 
         char *tmpfname = strdup(filename);
         if (!tmpfname)
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index d5c502a67..7aec0f82a 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -4,15 +4,19 @@
 #qemu-system-x86_64
 0ad
 2048-qt
+Builder
 Cryptocat
 Cyberfox
 Discord
 DiscordCanary
+Documents
 FossaMail
 Fritzing
 Gitter
 JDownloader
+Logs
 Maelstrom
+Maps
 Mathematica
 Natron
 QMediathekView
@@ -50,6 +54,10 @@ atril-thumbnailer
 audacious
 audacity
 authenticator
+autokey-gtk
+autokey-qt
+autokey-run
+autokey-shell
 aweather
 baloo_file
 baloo_filemetadata_temp_extractor
@@ -100,6 +108,7 @@ clementine
 clion
 clipit
 cliqz
+clocks
 cmus
 code
 code-oss
@@ -557,6 +566,7 @@ uefitool
 uget-gtk
 unbound
 unknown-horizons
+utox
 uudeview
 uzbl-browser
 viewnior
diff --git a/src/firejail/Makefile.in b/src/firejail/Makefile.in
index d0f43041c..8cb994aca 100644
--- a/src/firejail/Makefile.in
+++ b/src/firejail/Makefile.in
@@ -2,7 +2,7 @@ all: firejail
 
 include ../common.mk
 
-%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/ldd_utils.h ../include/euid_common.h ../include/pid.h ../include/seccomp.h ../include/syscall.h ../include/firejail_user.h
+%.o : %.c $(H_FILE_LIST) ../include/rundefs.h ../include/common.h ../include/ldd_utils.h ../include/euid_common.h ../include/pid.h ../include/seccomp.h ../include/syscall.h ../include/firejail_user.h
         $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
 
 firejail: $(OBJS) ../lib/libnetlink.o ../lib/common.o ../lib/ldd_utils.o ../lib/firejail_user.o
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 4cb10c875..b2c18d79f 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -21,90 +21,13 @@
 #define FIREJAIL_H
 #include "../include/common.h"
 #include "../include/euid_common.h"
+#include "../include/rundefs.h"
 #include <stdarg.h>
 #include <sys/stat.h>
 
 // debug restricted shell
 //#define DEBUG_RESTRICTED_SHELL
 
-// filesystem
-#define RUN_FIREJAIL_BASEDIR    "/run"
-#define RUN_FIREJAIL_DIR        "/run/firejail"
-#define RUN_FIREJAIL_APPIMAGE_DIR       "/run/firejail/appimage"
-#define RUN_FIREJAIL_NAME_DIR   "/run/firejail/name" // also used in src/lib/pid.c - todo: move it in a common place
-#define RUN_FIREJAIL_LIB_DIR            "/run/firejail/lib"
-#define RUN_FIREJAIL_X11_DIR    "/run/firejail/x11"
-#define RUN_FIREJAIL_NETWORK_DIR        "/run/firejail/network"
-#define RUN_FIREJAIL_BANDWIDTH_DIR      "/run/firejail/bandwidth"
-#define RUN_FIREJAIL_PROFILE_DIR                "/run/firejail/profile"
-#define RUN_NETWORK_LOCK_FILE   "/run/firejail/firejail-network.lock"
-#define RUN_DIRECTORY_LOCK_FILE "/run/firejail/firejail-run.lock"
-#define RUN_RO_DIR      "/run/firejail/firejail.ro.dir"
-#define RUN_RO_FILE     "/run/firejail/firejail.ro.file"
-#define RUN_MNT_DIR     "/run/firejail/mnt"     // a tmpfs is mounted on this directory before any of the files below are created
-#define RUN_CGROUP_CFG  "/run/firejail/mnt/cgroup"
-#define RUN_CPU_CFG     "/run/firejail/mnt/cpu"
-#define RUN_GROUPS_CFG  "/run/firejail/mnt/groups"
-#define RUN_PROTOCOL_CFG        "/run/firejail/mnt/protocol"
-#define RUN_NONEWPRIVS_CFG      "/run/firejail/mnt/nonewprivs"
-#define RUN_HOME_DIR    "/run/firejail/mnt/home"
-#define RUN_ETC_DIR     "/run/firejail/mnt/etc"
-#define RUN_OPT_DIR     "/run/firejail/mnt/opt"
-#define RUN_SRV_DIR     "/run/firejail/mnt/srv"
-#define RUN_BIN_DIR     "/run/firejail/mnt/bin"
-#define RUN_PULSE_DIR   "/run/firejail/mnt/pulse"
-#define RUN_LIB_DIR     "/run/firejail/mnt/lib"
-#define RUN_LIB_FILE    "/run/firejail/mnt/libfiles"
-#define RUN_DNS_ETC     "/run/firejail/mnt/dns-etc"
-
-#define RUN_SECCOMP_DIR "/run/firejail/mnt/seccomp"
-#define RUN_SECCOMP_LIST        "/run/firejail/mnt/seccomp/seccomp.list"        // list of seccomp files installed
-#define RUN_SECCOMP_PROTOCOL    "/run/firejail/mnt/seccomp/seccomp.protocol"    // protocol filter
-#define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp/seccomp"                     // configured filter
-#define RUN_SECCOMP_32          "/run/firejail/mnt/seccomp/seccomp.32"          // 32bit arch filter installed on 64bit architectures
-#define RUN_SECCOMP_MDWX        "/run/firejail/mnt/seccomp/seccomp.mdwx"                // filter for memory-deny-write-execute
-#define RUN_SECCOMP_BLOCK_SECONDARY     "/run/firejail/mnt/seccomp/seccomp.block_secondary"     // secondary arch blocking filter
-#define RUN_SECCOMP_POSTEXEC    "/run/firejail/mnt/seccomp/seccomp.postexec"            // filter for post-exec library
-#define PATH_SECCOMP_DEFAULT (LIBDIR "/firejail/seccomp")                       // default filter built during make
-#define PATH_SECCOMP_DEFAULT_DEBUG (LIBDIR "/firejail/seccomp.debug")   // default filter built during make
-#define PATH_SECCOMP_32 (LIBDIR "/firejail/seccomp.32")                 // 32bit arch filter built during make
-#define PATH_SECCOMP_MDWX (LIBDIR "/firejail/seccomp.mdwx")             // filter for memory-deny-write-execute built during make
-#define PATH_SECCOMP_BLOCK_SECONDARY (LIBDIR "/firejail/seccomp.block_secondary")       // secondary arch blocking filter built during make
-
-
-#define RUN_DEV_DIR             "/run/firejail/mnt/dev"
-#define RUN_DEVLOG_FILE "/run/firejail/mnt/devlog"
-
-#define RUN_WHITELIST_X11_DIR   "/run/firejail/mnt/orig-x11"
-#define RUN_WHITELIST_HOME_DIR  "/run/firejail/mnt/orig-home"   // default home directory masking
-#define RUN_WHITELIST_RUN_DIR   "/run/firejail/mnt/orig-run"    // default run directory masking
-#define RUN_WHITELIST_HOME_USER_DIR     "/run/firejail/mnt/orig-home-user"      // home directory whitelisting
-#define RUN_WHITELIST_RUN_USER_DIR      "/run/firejail/mnt/orig-run-user"       // run directory whitelisting
-#define RUN_WHITELIST_TMP_DIR   "/run/firejail/mnt/orig-tmp"
-#define RUN_WHITELIST_MEDIA_DIR "/run/firejail/mnt/orig-media"
-#define RUN_WHITELIST_MNT_DIR   "/run/firejail/mnt/orig-mnt"
-#define RUN_WHITELIST_VAR_DIR   "/run/firejail/mnt/orig-var"
-#define RUN_WHITELIST_DEV_DIR   "/run/firejail/mnt/orig-dev"
-#define RUN_WHITELIST_OPT_DIR   "/run/firejail/mnt/orig-opt"
-#define RUN_WHITELIST_SRV_DIR   "/run/firejail/mnt/orig-srv"
-#define RUN_WHITELIST_ETC_DIR   "/run/firejail/mnt/orig-etc"
-#define RUN_WHITELIST_SHARE_DIR   "/run/firejail/mnt/orig-share"
-#define RUN_WHITELIST_MODULE_DIR   "/run/firejail/mnt/orig-module"
-
-#define RUN_XAUTHORITY_FILE     "/run/firejail/mnt/.Xauthority"
-#define RUN_XAUTHORITY_SEC_FILE "/run/firejail/mnt/sec.Xauthority"
-#define RUN_ASOUNDRC_FILE       "/run/firejail/mnt/.asoundrc"
-#define RUN_HOSTNAME_FILE       "/run/firejail/mnt/hostname"
-#define RUN_HOSTS_FILE  "/run/firejail/mnt/hosts"
-#define RUN_MACHINEID   "/run/firejail/mnt/machine-id"
-#define RUN_LDPRELOAD_FILE      "/run/firejail/mnt/ld.so.preload"
-#define RUN_UTMP_FILE           "/run/firejail/mnt/utmp"
-#define RUN_PASSWD_FILE         "/run/firejail/mnt/passwd"
-#define RUN_GROUP_FILE          "/run/firejail/mnt/group"
-#define RUN_FSLOGGER_FILE               "/run/firejail/mnt/fslogger"
-#define RUN_UMASK_FILE          "/run/firejail/mnt/umask"
-#define RUN_OVERLAY_ROOT        "/run/firejail/mnt/oroot"
-#define RUN_READY_FOR_JOIN      "/run/firejail/mnt/ready-for-join"
 
 
 // profiles
diff --git a/src/include/rundefs.h b/src/include/rundefs.h
new file mode 100644
index 000000000..67d7cfa4f
--- /dev/null
+++ b/src/include/rundefs.h
@@ -0,0 +1,102 @@
+/*
+ * Copyright (C) 2014-2019 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+
+#ifndef RUNDEFS_H
+#define RUNDEFS_H
+// filesystem
+#define RUN_FIREJAIL_BASEDIR    "/run"
+#define RUN_FIREJAIL_DIR        "/run/firejail"
+#define RUN_FIREJAIL_APPIMAGE_DIR       "/run/firejail/appimage"
+#define RUN_FIREJAIL_NAME_DIR   "/run/firejail/name" // also used in src/lib/pid.c - todo: move it in a common place
+#define RUN_FIREJAIL_LIB_DIR            "/run/firejail/lib"
+#define RUN_FIREJAIL_X11_DIR    "/run/firejail/x11"
+#define RUN_FIREJAIL_NETWORK_DIR        "/run/firejail/network"
+#define RUN_FIREJAIL_BANDWIDTH_DIR      "/run/firejail/bandwidth"
+#define RUN_FIREJAIL_PROFILE_DIR                "/run/firejail/profile"
+#define RUN_NETWORK_LOCK_FILE   "/run/firejail/firejail-network.lock"
+#define RUN_DIRECTORY_LOCK_FILE "/run/firejail/firejail-run.lock"
+#define RUN_RO_DIR      "/run/firejail/firejail.ro.dir"
+#define RUN_RO_FILE     "/run/firejail/firejail.ro.file"
+#define RUN_MNT_DIR     "/run/firejail/mnt"     // a tmpfs is mounted on this directory before any of the files below are created
+#define RUN_CGROUP_CFG  "/run/firejail/mnt/cgroup"
+#define RUN_CPU_CFG     "/run/firejail/mnt/cpu"
+#define RUN_GROUPS_CFG  "/run/firejail/mnt/groups"
+#define RUN_PROTOCOL_CFG        "/run/firejail/mnt/protocol"
+#define RUN_NONEWPRIVS_CFG      "/run/firejail/mnt/nonewprivs"
+#define RUN_HOME_DIR    "/run/firejail/mnt/home"
+#define RUN_ETC_DIR     "/run/firejail/mnt/etc"
+#define RUN_OPT_DIR     "/run/firejail/mnt/opt"
+#define RUN_SRV_DIR     "/run/firejail/mnt/srv"
+#define RUN_BIN_DIR     "/run/firejail/mnt/bin"
+#define RUN_PULSE_DIR   "/run/firejail/mnt/pulse"
+#define RUN_LIB_DIR     "/run/firejail/mnt/lib"
+#define RUN_LIB_FILE    "/run/firejail/mnt/libfiles"
+#define RUN_DNS_ETC     "/run/firejail/mnt/dns-etc"
+
+#define RUN_SECCOMP_DIR "/run/firejail/mnt/seccomp"
+#define RUN_SECCOMP_LIST        "/run/firejail/mnt/seccomp/seccomp.list"        // list of seccomp files installed
+#define RUN_SECCOMP_PROTOCOL    "/run/firejail/mnt/seccomp/seccomp.protocol"    // protocol filter
+#define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp/seccomp"                     // configured filter
+#define RUN_SECCOMP_32          "/run/firejail/mnt/seccomp/seccomp.32"          // 32bit arch filter installed on 64bit architectures
+#define RUN_SECCOMP_MDWX        "/run/firejail/mnt/seccomp/seccomp.mdwx"                // filter for memory-deny-write-execute
+#define RUN_SECCOMP_BLOCK_SECONDARY     "/run/firejail/mnt/seccomp/seccomp.block_secondary"     // secondary arch blocking filter
+#define RUN_SECCOMP_POSTEXEC    "/run/firejail/mnt/seccomp/seccomp.postexec"            // filter for post-exec library
+#define PATH_SECCOMP_DEFAULT (LIBDIR "/firejail/seccomp")                       // default filter built during make
+#define PATH_SECCOMP_DEFAULT_DEBUG (LIBDIR "/firejail/seccomp.debug")   // default filter built during make
+#define PATH_SECCOMP_32 (LIBDIR "/firejail/seccomp.32")                 // 32bit arch filter built during make
+#define PATH_SECCOMP_MDWX (LIBDIR "/firejail/seccomp.mdwx")             // filter for memory-deny-write-execute built during make
+#define PATH_SECCOMP_BLOCK_SECONDARY (LIBDIR "/firejail/seccomp.block_secondary")       // secondary arch blocking filter built during make
+
+
+#define RUN_DEV_DIR             "/run/firejail/mnt/dev"
+#define RUN_DEVLOG_FILE "/run/firejail/mnt/devlog"
+
+#define RUN_WHITELIST_X11_DIR   "/run/firejail/mnt/orig-x11"
+#define RUN_WHITELIST_HOME_DIR  "/run/firejail/mnt/orig-home"   // default home directory masking
+#define RUN_WHITELIST_RUN_DIR   "/run/firejail/mnt/orig-run"    // default run directory masking
+#define RUN_WHITELIST_HOME_USER_DIR     "/run/firejail/mnt/orig-home-user"      // home directory whitelisting
+#define RUN_WHITELIST_RUN_USER_DIR      "/run/firejail/mnt/orig-run-user"       // run directory whitelisting
+#define RUN_WHITELIST_TMP_DIR   "/run/firejail/mnt/orig-tmp"
+#define RUN_WHITELIST_MEDIA_DIR "/run/firejail/mnt/orig-media"
+#define RUN_WHITELIST_MNT_DIR   "/run/firejail/mnt/orig-mnt"
+#define RUN_WHITELIST_VAR_DIR   "/run/firejail/mnt/orig-var"
+#define RUN_WHITELIST_DEV_DIR   "/run/firejail/mnt/orig-dev"
+#define RUN_WHITELIST_OPT_DIR   "/run/firejail/mnt/orig-opt"
+#define RUN_WHITELIST_SRV_DIR   "/run/firejail/mnt/orig-srv"
+#define RUN_WHITELIST_ETC_DIR   "/run/firejail/mnt/orig-etc"
+#define RUN_WHITELIST_SHARE_DIR   "/run/firejail/mnt/orig-share"
+#define RUN_WHITELIST_MODULE_DIR   "/run/firejail/mnt/orig-module"
+
+#define RUN_XAUTHORITY_FILE     "/run/firejail/mnt/.Xauthority"
+#define RUN_XAUTHORITY_SEC_FILE "/run/firejail/mnt/sec.Xauthority"
+#define RUN_ASOUNDRC_FILE       "/run/firejail/mnt/.asoundrc"
+#define RUN_HOSTNAME_FILE       "/run/firejail/mnt/hostname"
+#define RUN_HOSTS_FILE  "/run/firejail/mnt/hosts"
+#define RUN_MACHINEID   "/run/firejail/mnt/machine-id"
+#define RUN_LDPRELOAD_FILE      "/run/firejail/mnt/ld.so.preload"
+#define RUN_UTMP_FILE           "/run/firejail/mnt/utmp"
+#define RUN_PASSWD_FILE         "/run/firejail/mnt/passwd"
+#define RUN_GROUP_FILE          "/run/firejail/mnt/group"
+#define RUN_FSLOGGER_FILE               "/run/firejail/mnt/fslogger"
+#define RUN_UMASK_FILE          "/run/firejail/mnt/umask"
+#define RUN_OVERLAY_ROOT        "/run/firejail/mnt/oroot"
+#define RUN_READY_FOR_JOIN      "/run/firejail/mnt/ready-for-join"
+
+#endif
diff --git a/src/libpostexecseccomp/Makefile.in b/src/libpostexecseccomp/Makefile.in
index 92803342c..8d6dde4e0 100644
--- a/src/libpostexecseccomp/Makefile.in
+++ b/src/libpostexecseccomp/Makefile.in
@@ -13,13 +13,12 @@ LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now
 
 all: libpostexecseccomp.so
 
-%.o : %.c $(H_FILE_LIST)
+%.o : %.c $(H_FILE_LIST) ../include/seccomp.h ../include/rundefs.h
         $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
 
 libpostexecseccomp.so: $(OBJS)
         $(CC) $(LDFLAGS) -shared -fPIC -z relro -o $@ $(OBJS) -ldl
 
-
 clean:; rm -f $(OBJS) libpostexecseccomp.so
 
 distclean: clean
diff --git a/src/libpostexecseccomp/libpostexecseccomp.c b/src/libpostexecseccomp/libpostexecseccomp.c
index e51445de4..3983510ec 100644
--- a/src/libpostexecseccomp/libpostexecseccomp.c
+++ b/src/libpostexecseccomp/libpostexecseccomp.c
@@ -17,19 +17,22 @@
  * with this program; if not, write to the Free Software Foundation, Inc.,
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
-#include "libpostexecseccomp.h"
 #include "../include/seccomp.h"
+#include "../include/rundefs.h"
 #include <fcntl.h>
 #include <linux/filter.h>
 #include <sys/mman.h>
 #include <sys/prctl.h>
 #include <unistd.h>
+#include <stdio.h>
 
 __attribute__((constructor))
 static void load_seccomp(void) {
         int fd = open(RUN_SECCOMP_POSTEXEC, O_RDONLY);
-        if (fd == -1)
+        if (fd == -1) {
+                fprintf(stderr, "Error: cannot open seccomp postexec filter file %s\n", RUN_SECCOMP_POSTEXEC);
                 return;
+        }
 
         off_t size = lseek(fd, 0, SEEK_END);
         if (size <= 0) {
@@ -40,11 +43,12 @@ static void load_seccomp(void) {
         struct sock_filter *filter = MAP_FAILED;
         if (size != 0)
                 filter = mmap(NULL, size, PROT_READ, MAP_PRIVATE, fd, 0);
-
         close(fd);
 
-        if (filter == MAP_FAILED)
+        if (filter == MAP_FAILED) {
+                fprintf(stderr, "Error: cannot map seccomp postexec filter data\n");
                 return;
+        }
 
         // install filter
         struct sock_fprog prog = {
diff --git a/src/libpostexecseccomp/libpostexecseccomp.h b/src/libpostexecseccomp/libpostexecseccomp.h
deleted file mode 100644
index 908364d43..000000000
--- a/src/libpostexecseccomp/libpostexecseccomp.h
+++ /dev/null
@@ -1,25 +0,0 @@
-/*
- * Copyright (C) 2014-2019 Firejail Authors
- *
- * This file is part of firejail project
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
-#ifndef LIBPOSTEXECSECCOMP_H
-#define LIBPOSTEXECSECCOMP_H
-
-#define RUN_SECCOMP_POSTEXEC    "/run/firejail/mnt/seccomp.postexec"
-
-#endif
diff --git a/src/libtracelog/Makefile.in b/src/libtracelog/Makefile.in
index 3927c762a..5c27f3cb3 100644
--- a/src/libtracelog/Makefile.in
+++ b/src/libtracelog/Makefile.in
@@ -13,7 +13,7 @@ LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now
 
 all: libtracelog.so
 
-%.o : %.c $(H_FILE_LIST)
+%.o : %.c $(H_FILE_LIST) ../include/rundefs.h
         $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
 
 libtracelog.so: $(OBJS)
diff --git a/src/libtracelog/libtracelog.c b/src/libtracelog/libtracelog.c
index 420c9370c..3641a81af 100644
--- a/src/libtracelog/libtracelog.c
+++ b/src/libtracelog/libtracelog.c
@@ -32,6 +32,7 @@
 #include <syslog.h>
 #include <dirent.h>
 #include <limits.h>
+#include "../include/rundefs.h"
 
 //#define DEBUG
 
@@ -163,7 +164,6 @@ static char *storage_find(const char *str) {
 //
 // load blacklist form /run/firejail/mnt/fslogger
 //
-#define RUN_FSLOGGER_FILE               "/run/firejail/mnt/fslogger"
 #define MAXBUF 4096
 static int blacklist_loaded = 0;
 static char *sandbox_pid_str = NULL;
diff --git a/test/filters/seccomp-debug.exp b/test/filters/seccomp-debug.exp
index 39f836ed0..dc4bf34f2 100755
--- a/test/filters/seccomp-debug.exp
+++ b/test/filters/seccomp-debug.exp
@@ -13,7 +13,7 @@ after 100
 send --  "firejail --debug sleep 1; echo done\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "seccomp entries in /run/firejail/mnt/seccomp"
+        "seccomp entries in /run/firejail/mnt/seccomp/seccomp"
 }
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
@@ -38,15 +38,15 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 6\n";exit}
-        "Installing /run/firejail/mnt/seccomp seccomp filter"
+        "Installing /run/firejail/mnt/seccomp/seccomp seccomp filter"
 }
 expect {
         timeout {puts "TESTING ERROR 7\n";exit}
-        "Installing /run/firejail/mnt/seccomp.32 seccomp filter"
+        "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter"
 }
 expect {
         timeout {puts "TESTING ERROR 8\n";exit}
-        "Installing /run/firejail/mnt/seccomp.protocol seccomp filter"
+        "Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter"
 }
 expect {
         timeout {puts "TESTING ERROR 9\n";exit}
@@ -58,15 +58,15 @@ after 100
 send --  "firejail --debug --ignore=seccomp sleep 1; echo done\r"
 expect {
         timeout {puts "TESTING ERROR 10\n";exit}
-        "Installing /run/firejail/mnt/seccomp seccomp filter" {puts "TESTING ERROR 11\n";exit}
-        "Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 12\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp seccomp filter" {puts "TESTING ERROR 11\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 12\n";exit}
         "Child process initialized"
 }
 expect {
         timeout {puts "TESTING ERROR 13\n";exit}
-        "Installing /run/firejail/mnt/seccomp seccomp filter" {puts "TESTING ERROR 14\n";exit}
-        "Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 15\n";exit}
-        "Installing /run/firejail/mnt/seccomp.protocol seccomp filter"
+        "Installing /run/firejail/mnt/seccomp/seccomp seccomp filter" {puts "TESTING ERROR 14\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 15\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter"
 }
 expect {
         timeout {puts "TESTING ERROR 16\n";exit}
@@ -78,18 +78,18 @@ after 100
 send --  "firejail --debug --ignore=protocol sleep 1; echo done\r"
 expect {
         timeout {puts "TESTING ERROR 17\n";exit}
-        "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" {puts "TESTING ERROR 18\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter" {puts "TESTING ERROR 18\n";exit}
         "Child process initialized"
 }
 expect {
         timeout {puts "TESTING ERROR 19\n";exit}
-        "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" {puts "TESTING ERROR 20\n";exit}
-        "Installing /run/firejail/mnt/seccomp seccomp filter"
+        "Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter" {puts "TESTING ERROR 20\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp seccomp filter"
 }
 expect {
         timeout {puts "TESTING ERROR 21\n";exit}
-        "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" {puts "TESTING ERROR 22\n";exit}
-        "Installing /run/firejail/mnt/seccomp.32 seccomp filter"
+        "Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter" {puts "TESTING ERROR 22\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter"
 }
 expect {
         timeout {puts "TESTING ERROR 23\n";exit}
@@ -105,7 +105,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 25\n";exit}
-        "Installing /run/firejail/mnt/seccomp.mdwx seccomp filter"
+        "Installing /run/firejail/mnt/seccomp/seccomp.mdwx seccomp filter"
 }
 expect {
         timeout {puts "TESTING ERROR 26\n";exit}
@@ -117,18 +117,18 @@ expect {
 send --  "firejail --debug --seccomp.block-secondary sleep 1; echo done\r"
 expect {
         timeout {puts "TESTING ERROR 27\n";exit}
-        "Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 28\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 28\n";exit}
         "Child process initialized"
 }
 expect {
         timeout {puts "TESTING ERROR 29\n";exit}
-        "Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 30\n";exit}
-        "Installing /run/firejail/mnt/seccomp seccomp filter"
+        "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 30\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp seccomp filter"
 }
 expect {
         timeout {puts "TESTING ERROR 31\n";exit}
-        "Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 32\n";exit}
-        "Installing /run/firejail/mnt/seccomp.protocol seccomp filter"
+        "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 32\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter"
 }
 expect {
         timeout {puts "TESTING ERROR 33\n";exit}
@@ -140,13 +140,13 @@ after 100
 send --  "firejail --debug --profile=block-secondary.profile sleep 1; echo done\r"
 expect {
         timeout {puts "TESTING ERROR 33\n";exit}
-        "Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 34\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 34\n";exit}
         "Child process initialized"
 }
 expect {
         timeout {puts "TESTING ERROR 35\n";exit}
-        "Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 35\n";exit}
-        "Installing /run/firejail/mnt/seccomp seccomp filter"
+        "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 35\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp seccomp filter"
 }
 expect {
         timeout {puts "TESTING ERROR 37\n";exit}
diff --git a/test/filters/seccomp-join.exp b/test/filters/seccomp-join.exp
index f9201f926..f1d57238b 100755
--- a/test/filters/seccomp-join.exp
+++ b/test/filters/seccomp-join.exp
@@ -20,15 +20,15 @@ set spawn_id $id1
 send --  "firejail --name=jointesting --debug\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Installing /run/firejail/mnt/seccomp seccomp filter"
+        "Installing /run/firejail/mnt/seccomp/seccomp seccomp filter"
 }
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Installing /run/firejail/mnt/seccomp.32 seccomp filter"
+        "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter"
 }
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
-        "Installing /run/firejail/mnt/seccomp.protocol seccomp filter"
+        "Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter"
 }
 sleep 1
 
@@ -37,15 +37,15 @@ set spawn_id $id2
 send --  "firejail --debug --join=jointesting\r"
 expect {
         timeout {puts "TESTING ERROR 3\n";exit}
-        "Installing /run/firejail/mnt/seccomp seccomp filter"
+        "Installing /run/firejail/mnt/seccomp/seccomp seccomp filter"
 }
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "Installing /run/firejail/mnt/seccomp.32 seccomp filter"
+        "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter"
 }
 expect {
         timeout {puts "TESTING ERROR 5\n";exit}
-        "Installing /run/firejail/mnt/seccomp.protocol seccomp filter"
+        "Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter"
 }
 sleep 1
 
@@ -64,16 +64,16 @@ set spawn_id $id1
 send --  "firejail --name=jointesting --seccomp.block-secondary --debug\r"
 expect {
         timeout {puts "TESTING ERROR 10\n";exit}
-        "Installing /run/firejail/mnt/seccomp seccomp filter"
+        "Installing /run/firejail/mnt/seccomp/seccomp seccomp filter"
 }
 expect {
         timeout {puts "TESTING ERROR 11\n";exit}
-        "Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 12\n";exit}
-        "Installing /run/firejail/mnt/seccomp.block_secondary seccomp filter"
+        "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 12\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp.block_secondary seccomp filter"
 }
 expect {
         timeout {puts "TESTING ERROR 13\n";exit}
-        "Installing /run/firejail/mnt/seccomp.protocol seccomp filter"
+        "Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter"
 }
 sleep 1
 
@@ -81,15 +81,15 @@ set spawn_id $id2
 send --  "firejail --debug --join=jointesting\r"
 expect {
         timeout {puts "TESTING ERROR 14\n";exit}
-        "Installing /run/firejail/mnt/seccomp seccomp filter"
+        "Installing /run/firejail/mnt/seccomp/seccomp seccomp filter"
 }
 expect {
         timeout {puts "TESTING ERROR 15\n";exit}
-        "Installing /run/firejail/mnt/seccomp.block_secondary seccomp filter"
+        "Installing /run/firejail/mnt/seccomp/seccomp.block_secondary seccomp filter"
 }
 expect {
         timeout {puts "TESTING ERROR 16\n";exit}
-        "Installing /run/firejail/mnt/seccomp.protocol seccomp filter"
+        "Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter"
 }
 sleep 1
 
@@ -106,7 +106,7 @@ set spawn_id $id1
 send --  "firejail --name=jointesting --noprofile --protocol=inet --debug\r"
 expect {
         timeout {puts "TESTING ERROR 22\n";exit}
-        "Installing /run/firejail/mnt/seccomp.protocol seccomp filter"
+        "Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter"
 }
 sleep 1
 
@@ -115,9 +115,9 @@ set spawn_id $id2
 send --  "firejail --debug --join=jointesting\r"
 expect {
         timeout {puts "TESTING ERROR 23\n";exit}
-        "Installing /run/firejail/mnt/seccomp seccomp filter" {puts "TESTING ERROR 24\n";exit}
-        "Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 25\n";exit}
-        "Installing /run/firejail/mnt/seccomp.protocol seccomp filter"
+        "Installing /run/firejail/mnt/seccomp/seccomp seccomp filter" {puts "TESTING ERROR 24\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 25\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter"
 }
 sleep 1
 
@@ -134,7 +134,7 @@ set spawn_id $id1
 send --  "firejail --name=jointesting --noprofile --memory-deny-write-execute --debug\r"
 expect {
         timeout {puts "TESTING ERROR 32\n";exit}
-        "Installing /run/firejail/mnt/seccomp.mdwx seccomp filter"
+        "Installing /run/firejail/mnt/seccomp/seccomp.mdwx seccomp filter"
 }
 sleep 1
 
@@ -143,10 +143,10 @@ set spawn_id $id2
 send --  "firejail --debug --join=jointesting\r"
 expect {
         timeout {puts "TESTING ERROR 33\n";exit}
-        "Installing /run/firejail/mnt/seccomp seccomp filter" {puts "TESTING ERROR 34\n";exit}
-        "Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 35\n";exit}
-        "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" {puts "TESTING ERROR 36\n";exit}
-        "Installing /run/firejail/mnt/seccomp.mdwx seccomp filter"
+        "Installing /run/firejail/mnt/seccomp/seccomp seccomp filter" {puts "TESTING ERROR 34\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 35\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter" {puts "TESTING ERROR 36\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp.mdwx seccomp filter"
 }
 sleep 1
 
diff --git a/test/filters/seccomp-run-files.exp b/test/filters/seccomp-run-files.exp
index afdd07bb0..3f4e506af 100755
--- a/test/filters/seccomp-run-files.exp
+++ b/test/filters/seccomp-run-files.exp
@@ -10,18 +10,18 @@ match_max 100000
 send --  "firejail --debug\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "/run/firejail/mnt/seccomp seccomp filter"
+        "/run/firejail/mnt/seccomp/seccomp seccomp filter"
 }
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "/run/firejail/mnt/seccomp.32 seccomp filter"
+        "/run/firejail/mnt/seccomp/seccomp.32 seccomp filter"
 }
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
-        "/run/firejail/mnt/seccomp.protocol seccomp filter"
+        "/run/firejail/mnt/seccomp/seccomp.protocol seccomp filter"
 }
 after 100
-send -- "ls -l /run/firejail/mnt | grep -c seccomp\r"
+send -- "ls -l /run/firejail/mnt/seccomp | grep -c seccomp\r"
 expect {
         timeout {puts "TESTING ERROR 3\n";exit}
         "5"
@@ -32,13 +32,13 @@ sleep 1
 send --  "firejail --ignore=seccomp --debug\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "/run/firejail/mnt/seccomp seccomp filter" {puts "TESTING ERROR 5\n";exit}
-        "/run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 6\n";exit}
-        "/run/firejail/mnt/seccomp.64 seccomp filter" {puts "TESTING ERROR 7\n";exit}
-        "Installing /run/firejail/mnt/seccomp.protocol seccomp filter"
+        "/run/firejail/mnt/seccomp/seccomp seccomp filter" {puts "TESTING ERROR 5\n";exit}
+        "/run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 6\n";exit}
+        "/run/firejail/mnt/seccomp/seccomp.64 seccomp filter" {puts "TESTING ERROR 7\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter"
 }
 after 100
-send -- "ls -l /run/firejail/mnt | grep -c seccomp\r"
+send -- "ls -l /run/firejail/mnt/seccomp | grep -c seccomp\r"
 expect {
         timeout {puts "TESTING ERROR 8\n";exit}
         "3"
@@ -49,15 +49,15 @@ sleep 1
 send --  "firejail --ignore=protocol --debug\r"
 expect {
         timeout {puts "TESTING ERROR 9\n";exit}
-        "/run/firejail/mnt/seccomp seccomp filter"
+        "/run/firejail/mnt/seccomp/seccomp seccomp filter"
 }
 expect {
         timeout {puts "TESTING ERROR 10\n";exit}
-        "/run/firejail/mnt/seccomp.32 seccomp filter"
+        "/run/firejail/mnt/seccomp/seccomp.32 seccomp filter"
 }
 expect {
         timeout {puts "TESTING ERROR 11\n";exit}
-        "/run/firejail/mnt/seccomp.protocol seccomp filter" {puts "TESTING ERROR 12\n";exit}
+        "/run/firejail/mnt/seccomp/seccomp.protocol seccomp filter" {puts "TESTING ERROR 12\n";exit}
         "monitoring"
 }
 after 100
@@ -72,22 +72,22 @@ sleep 1
 send --  "firejail --memory-deny-write-execute --debug\r"
 expect {
         timeout {puts "TESTING ERROR 14\n";exit}
-        "/run/firejail/mnt/seccomp.mdwx seccomp filter"
+        "/run/firejail/mnt/seccomp/seccomp.mdwx seccomp filter"
 }
 expect {
         timeout {puts "TESTING ERROR 15\n";exit}
-        "/run/firejail/mnt/seccomp seccomp filter"
+        "/run/firejail/mnt/seccomp/seccomp seccomp filter"
 }
 expect {
         timeout {puts "TESTING ERROR 16\n";exit}
-        "/run/firejail/mnt/seccomp.32 seccomp filter"
+        "/run/firejail/mnt/seccomp/seccomp.32 seccomp filter"
 }
 expect {
         timeout {puts "TESTING ERROR 17\n";exit}
-        "/run/firejail/mnt/seccomp.protocol seccomp filter"
+        "/run/firejail/mnt/seccomp/seccomp.protocol seccomp filter"
 }
 after 100
-send -- "ls -l /run/firejail/mnt | grep -c seccomp\r"
+send -- "ls -l /run/firejail/mnt/seccomp | grep -c seccomp\r"
 expect {
         timeout {puts "TESTING ERROR 18\n";exit}
         "6"