83 files changed, 229 insertions, 39 deletions

diff --git a/README b/README
index 8c254d313..4e9a92091 100644
--- a/README
+++ b/README
@@ -54,6 +54,9 @@ Committers
 
 Firejail Authors (alphabetical order)
 
+0x7969 (https://github.com/0x7969)
+        - fix wire-desktop.profile
+        - add ferdi.profile
 7twin (https://github.com/7twin_)
         - fix typos
         - fix flameshot raw screenshots
@@ -90,6 +93,8 @@ Alexander Gerasiov (https://github.com/gerasiov)
         - profile updates
 Alexander Stein (https://github.com/ajstein)
         - added profile for qutebrowser
+Amin Vakil (https://github.com/aminvakil)
+        - whois profile fix
 Andreas Hunkeler (https://github.com/Karneades)
         - Add profile for offical Linux Teams application
 Andrey Alekseenko (https://github.com/al42and)
@@ -107,6 +112,8 @@ Antonio Russo (https://github.com/aerusso)
         - wusc fixes
 aoand (https://github.com/aoand)
         - seccomp fix: allow numeric syscalls
+Atrate (https://github.com/Atrate)
+        - BetterDiscord support
 Austin Morton (https://github.com/apmorton)
         - deterministic-exit-code option
         - private-cwd options
@@ -160,6 +167,8 @@ BytesTuner (https://github.com/BytesTuner)
         - provided keepassxc profile
 caoliver (https://github.com/caoliver)
         - network system fixes
+Carlo Abelli (https://github.com/carloabelli)
+        - fixed udiskie profile
 Cat (https://github.com/ecat3)
         - prevent tmux connecting to an existing session
 creideiki (https://github.com/creideiki)
@@ -200,6 +209,7 @@ curiosity-seeker (https://github.com/curiosity-seeker)
         - added cantata profile
         - updated keypassxc profile
         - added syscalls.sh, which determine the necessary syscalls for a program
+        - fixed conky profile
 da2x (https://github.com/da2x)
         - matched RPM license tag
 Daan Bakker (https://github.com/dbakker)
@@ -227,6 +237,8 @@ DiGitHubCap (https://github.com/DiGitHubCap)
         - deluge profile fix
 Disconnect3d (https://github.com/disconnect3d)
         - code cleanup
+dmfreemon (https://github.com/dmfreemon)
+        - add sandbox name or name of private directory to the window title when xpra is used
 dshmgh (https://github.com/dshmgh)
         - overlayfs fix for systems with /home mounted on a separate partition
 Duncan Overbruck (https://github.com/Duncaen)
@@ -250,6 +262,7 @@ Felipe Barriga Richards (https://github.com/fbarriga)
 Florian Begusch (https://github.com/florianbegusch)
         - (la)tex profiles
         - fixed transmission-common.profile
+        - fixed standardnotes-desktop.profile
 floxo (https://github.com/floxo)
         - fixed qml disk cache issue
 Franco (nextime) Lanza (https://github.com/nextime)
@@ -357,6 +370,8 @@ haarp (https://github.com/haarp)
         - Allow sound for hexchat
 hamzadis (https://github.com/hamzadis)
         - added --overlay-named=name and --overlay-path=path
+Hans-Christoph Steiner (https://github.com/eighthave)
+        - added xournal profile
 hawkey116477 (https://github.com/hawkeye116477)
         - added Waterfox profile
         - updated Cyberfox profile
@@ -564,6 +579,8 @@ Peter Hogg (https://github.com/pigmonkey)
         - bitlbee profile fixes
         - mutt profile fixes
         - fixes for youtube-dl in mpv profile
+Peter Sanford (https://github.com/psanford)
+        - fix QtWebEngine in zoom
 Petter Reinholdtsen (pere@hungry.com)
         - Opera profile patch
 PharmaceuticalCobweb (https://github.com/PharmaceuticalCobweb)
@@ -760,6 +777,7 @@ StelFux (https://github.com/StelFux)
         - Fix youtube video in totem
 the-antz (https://github.com/the-antz)
         - Fix libx265 encoding in ffmpeg profile
+        - Fix Firefox profile
         - Profile tweaks
 thewisenerd (https://github.com/thewisenerd)
         - allow multiple private-home commands
diff --git a/README.md b/README.md
index d9707619f..720a25d31 100644
--- a/README.md
+++ b/README.md
@@ -157,18 +157,20 @@ $ make
 $ cd etc
 $ ./profstats *.profile
 Stats:
-    profiles                    925
-    include local profile       925   (include profile-name.local)
-    include globals             925   (include globals.local)
-    blacklist ~/.ssh            910   (include disable-common.inc)
-    seccomp                     868
-    capabilities                924
-    noexec                      785   (include disable-exec.inc)
-    apparmor                    426
-    private-dev                 788
-    private-tmp                 687
-    whitelist var directory     595   (include whitelist-var-common.inc)
-    net none                    274
+    profiles                    949
+    include local profile       949   (include profile-name.local)
+    include globals             949   (include globals.local)
+    blacklist ~/.ssh            934   (include disable-common.inc)
+    seccomp                     892
+    capabilities                948
+    noexec                      813   (include disable-exec.inc)
+    apparmor                    471
+    private-dev                 812
+    private-tmp                 711
+    whitelist var               621   (include whitelist-var-common.inc)
+    whitelist run/user          105   (include whitelist-runuser-common.inc)
+    whitelist usr/share         257   (include whitelist-usr-share-common.inc)
+    net none                    297
 `````
 
 Run ./profstats -h for help.
diff --git a/RELNOTES b/RELNOTES
index 584942853..b982202d6 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -3,6 +3,7 @@ firejail (0.9.63) baseline; urgency=low
   * DHCP client support
   * SELinux labeling support
   * 32-bit seccomp filter
+  * restrict ${RUNUSER} in serveral profiles
   * new condition: HAS_NOSOUND
   * new profiles: gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, muraster
   * new profiles: gnome-passwordsafe, bibtex, gummi, latex, mupdf-x11-curl
diff --git a/etc/baobab.profile b/etc/baobab.profile
index d87de9d66..a2cfa6d67 100644
--- a/etc/baobab.profile
+++ b/etc/baobab.profile
@@ -14,6 +14,8 @@ include disable-passwdmgr.inc
 # include disable-programs.inc
 # include disable-xdg.inc
 
+include whitelist-runuser-common.inc
+
 caps.drop all
 net none
 no3d
diff --git a/etc/celluloid.profile b/etc/celluloid.profile
index d099ba11e..daed19634 100644
--- a/etc/celluloid.profile
+++ b/etc/celluloid.profile
@@ -24,6 +24,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/curl.profile b/etc/curl.profile
index a720aca9b..a33d084ce 100644
--- a/etc/curl.profile
+++ b/etc/curl.profile
@@ -10,6 +10,8 @@ include globals.local
 noblacklist ${HOME}/.curlrc
 
 blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 
 include disable-common.inc
 include disable-exec.inc
diff --git a/etc/d-feet.profile b/etc/d-feet.profile
index 897bf5f5d..51df7b455 100644
--- a/etc/d-feet.profile
+++ b/etc/d-feet.profile
@@ -24,6 +24,7 @@ mkdir ${HOME}/.config/d-feet
 whitelist ${HOME}/.config/d-feet
 whitelist /usr/share/d-feet
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/dconf-editor.profile b/etc/dconf-editor.profile
index a9d25128f..e7cc66e32 100644
--- a/etc/dconf-editor.profile
+++ b/etc/dconf-editor.profile
@@ -16,6 +16,7 @@ include disable-xdg.inc
 
 whitelist ${HOME}/.local/share/glib-2.0
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/dig.profile b/etc/dig.profile
index e6b7e46d9..270a95c05 100644
--- a/etc/dig.profile
+++ b/etc/dig.profile
@@ -11,6 +11,8 @@ noblacklist ${HOME}/.digrc
 noblacklist ${PATH}/dig
 
 blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 
 include disable-common.inc
 # include disable-devel.inc
diff --git a/etc/elinks.profile b/etc/elinks.profile
index 82d1ba528..2a306d704 100644
--- a/etc/elinks.profile
+++ b/etc/elinks.profile
@@ -18,6 +18,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+include whitelist-runuser-common.inc
+
 caps.drop all
 netfilter
 no3d
diff --git a/etc/enchant.profile b/etc/enchant.profile
index fa556c7d2..69e8b1e44 100644
--- a/etc/enchant.profile
+++ b/etc/enchant.profile
@@ -21,6 +21,7 @@ include disable-xdg.inc
 mkdir ${HOME}/.config/enchant
 whitelist ${HOME}/.config/enchant
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/eo-common.profile b/etc/eo-common.profile
index 13f498c03..80c704c6b 100644
--- a/etc/eo-common.profile
+++ b/etc/eo-common.profile
@@ -18,6 +18,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/evince.profile b/etc/evince.profile
index 143a347e6..68ef5eb9a 100644
--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -21,6 +21,7 @@ whitelist /usr/share/doc
 whitelist /usr/share/evince
 whitelist /usr/share/poppler
 whitelist /usr/share/tracker
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/evolution.profile b/etc/evolution.profile
index 71a7a5600..4740bf935 100644
--- a/etc/evolution.profile
+++ b/etc/evolution.profile
@@ -23,6 +23,8 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-runuser-common.inc
+
 caps.drop all
 netfilter
 # no3d breaks under wayland
diff --git a/etc/feedreader.profile b/etc/feedreader.profile
index 5a72b60ea..7d3c7a8f4 100644
--- a/etc/feedreader.profile
+++ b/etc/feedreader.profile
@@ -23,6 +23,7 @@ whitelist ${HOME}/.cache/feedreader
 whitelist ${HOME}/.local/share/feedreader
 whitelist /usr/share/feedreader
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/file-roller.profile b/etc/file-roller.profile
index 9d84f07de..70dd030ee 100644
--- a/etc/file-roller.profile
+++ b/etc/file-roller.profile
@@ -14,6 +14,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 
 whitelist /usr/share/file-roller
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/file.profile b/etc/file.profile
index 82b161d48..854586354 100644
--- a/etc/file.profile
+++ b/etc/file.profile
@@ -8,6 +8,7 @@ include file.local
 include globals.local
 
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 
 include disable-common.inc
 include disable-exec.inc
diff --git a/etc/filezilla.profile b/etc/filezilla.profile
index d8d4c1746..6c7ab8f0d 100644
--- a/etc/filezilla.profile
+++ b/etc/filezilla.profile
@@ -17,6 +17,8 @@ include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
 include disable-programs.inc
+
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
 caps.drop all
diff --git a/etc/flameshot.profile b/etc/flameshot.profile
index 3aad9723b..9a3df98f4 100644
--- a/etc/flameshot.profile
+++ b/etc/flameshot.profile
@@ -17,6 +17,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+include whitelist-runuser-common.inc
+
 caps.drop all
 ipc-namespace
 netfilter
diff --git a/etc/gedit.profile b/etc/gedit.profile
index a4471077a..148b98c99 100644
--- a/etc/gedit.profile
+++ b/etc/gedit.profile
@@ -19,6 +19,7 @@ include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
 # apparmor - makes settings immutable
diff --git a/etc/gfeeds.profile b/etc/gfeeds.profile
index d332c1bbe..7de762e0d 100644
--- a/etc/gfeeds.profile
+++ b/etc/gfeeds.profile
@@ -29,6 +29,7 @@ whitelist ${HOME}/.cache/org.gabmus.gfeeds
 whitelist ${HOME}/.config/org.gabmus.gfeeds.json
 whitelist /usr/share/gfeeds
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/gitg.profile b/etc/gitg.profile
index 3c6f9d72f..68f38c3ce 100644
--- a/etc/gitg.profile
+++ b/etc/gitg.profile
@@ -28,6 +28,7 @@ include disable-programs.inc
 #include whitelist-common.inc
 
 whitelist /usr/share/gitg
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/gjs.profile b/etc/gjs.profile
index 85dd57f29..9c8848b8a 100644
--- a/etc/gjs.profile
+++ b/etc/gjs.profile
@@ -22,6 +22,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/gnome-builder.profile b/etc/gnome-builder.profile
index eaf48931d..7a684dd59 100644
--- a/etc/gnome-builder.profile
+++ b/etc/gnome-builder.profile
@@ -17,6 +17,8 @@ include disable-common.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-runuser-common.inc
+
 caps.drop all
 ipc-namespace
 netfilter
diff --git a/etc/gnome-calculator.profile b/etc/gnome-calculator.profile
index 6709a331e..627ae368a 100644
--- a/etc/gnome-calculator.profile
+++ b/etc/gnome-calculator.profile
@@ -16,6 +16,7 @@ include disable-programs.inc
 include disable-xdg.inc
 
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/gnome-characters.profile b/etc/gnome-characters.profile
index f02fe13f6..77b0c3c15 100644
--- a/etc/gnome-characters.profile
+++ b/etc/gnome-characters.profile
@@ -19,6 +19,7 @@ include disable-xdg.inc
 
 whitelist /usr/share/org.gnome.Characters
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/gnome-clocks.profile b/etc/gnome-clocks.profile
index 025335a23..b865423c5 100644
--- a/etc/gnome-clocks.profile
+++ b/etc/gnome-clocks.profile
@@ -17,6 +17,7 @@ include disable-xdg.inc
 whitelist /usr/share/gnome-clocks
 whitelist /usr/share/libgweather
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/gnome-contacts.profile b/etc/gnome-contacts.profile
index ac6d82451..7c1e4bb58 100644
--- a/etc/gnome-contacts.profile
+++ b/etc/gnome-contacts.profile
@@ -17,6 +17,7 @@ include disable-programs.inc
 include disable-xdg.inc
 
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
 caps.drop all
diff --git a/etc/gnome-hexgl.profile b/etc/gnome-hexgl.profile
index 386c33d7f..a06ccc9c1 100644
--- a/etc/gnome-hexgl.profile
+++ b/etc/gnome-hexgl.profile
@@ -15,9 +15,8 @@ include disable-programs.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.cache/mesa_shader_cache
-whitelist ${RUNUSER}/pulse
-whitelist ${RUNUSER}/wayland-0
 whitelist /usr/share/gnome-hexgl
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/gnome-latex.profile b/etc/gnome-latex.profile
index 1bf48c6ab..ea4151137 100644
--- a/etc/gnome-latex.profile
+++ b/etc/gnome-latex.profile
@@ -22,6 +22,7 @@ include disable-programs.inc
 whitelist /usr/share/gnome-latex
 whitelist /usr/share/perl5
 whitelist /usr/share/texlive
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 # May cause issues.
 #include whitelist-var-common.inc
diff --git a/etc/gnome-logs.profile b/etc/gnome-logs.profile
index 0c5bec144..31b7cfb4f 100644
--- a/etc/gnome-logs.profile
+++ b/etc/gnome-logs.profile
@@ -15,6 +15,7 @@ include disable-programs.inc
 include disable-xdg.inc
 
 whitelist /var/log/journal
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/gnome-maps.profile b/etc/gnome-maps.profile
index 12415a937..bf263efa9 100644
--- a/etc/gnome-maps.profile
+++ b/etc/gnome-maps.profile
@@ -35,6 +35,7 @@ whitelist ${PICTURES}
 whitelist /usr/share/gnome-maps
 whitelist /usr/share/libgweather
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/gnome-music.profile b/etc/gnome-music.profile
index 9c3131162..36b46897c 100644
--- a/etc/gnome-music.profile
+++ b/etc/gnome-music.profile
@@ -21,6 +21,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
 apparmor
diff --git a/etc/gnome-nettool.profile b/etc/gnome-nettool.profile
index d15299890..649473679 100644
--- a/etc/gnome-nettool.profile
+++ b/etc/gnome-nettool.profile
@@ -16,6 +16,7 @@ include disable-xdg.inc
 
 whitelist /usr/share/gnome-nettool
 #include whitelist-common.inc -- see #903
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/gnome-passwordsafe.profile b/etc/gnome-passwordsafe.profile
index de8f6ad7d..555a59d93 100644
--- a/etc/gnome-passwordsafe.profile
+++ b/etc/gnome-passwordsafe.profile
@@ -21,13 +21,9 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-whitelist ${RUNUSER}/bus
-# If you have a second wayland compositor, whitelist its socket here.
-whitelist ${RUNUSER}/wayland-0
-whitelist ${RUNUSER}/gdm/Xauthority
-
 whitelist /usr/share/cracklib
 whitelist /usr/share/passwordsafe
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/gnome-photos.profile b/etc/gnome-photos.profile
index c28217efb..2af406af9 100644
--- a/etc/gnome-photos.profile
+++ b/etc/gnome-photos.profile
@@ -17,6 +17,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
 apparmor
diff --git a/etc/gnome-schedule.profile b/etc/gnome-schedule.profile
index c8dd8ead7..55913a2d7 100644
--- a/etc/gnome-schedule.profile
+++ b/etc/gnome-schedule.profile
@@ -39,6 +39,7 @@ whitelist /usr/share/gnome-schedule
 whitelist /var/spool/atd
 whitelist /var/spool/cron
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/gnome-screenshot.profile b/etc/gnome-screenshot.profile
index c00aefdb7..cc5efb161 100644
--- a/etc/gnome-screenshot.profile
+++ b/etc/gnome-screenshot.profile
@@ -17,11 +17,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-whitelist ${RUNUSER}/bus
-whitelist ${RUNUSER}/pulse
-whitelist ${RUNUSER}/gdm/Xauthority
-whitelist ${RUNUSER}/wayland-0
 include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
 apparmor
diff --git a/etc/gnome-weather.profile b/etc/gnome-weather.profile
index 10db6296b..a181f1b9e 100644
--- a/etc/gnome-weather.profile
+++ b/etc/gnome-weather.profile
@@ -21,6 +21,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
 caps.drop all
diff --git a/etc/gpg-agent.profile b/etc/gpg-agent.profile
index 16bda186e..adc8957e6 100644
--- a/etc/gpg-agent.profile
+++ b/etc/gpg-agent.profile
@@ -21,9 +21,12 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.gnupg
 whitelist ${HOME}/.gnupg
+whitelist ${RUNUSER}/gnupg
+whitelist ${RUNUSER}/keyring
 whitelist /usr/share/gnupg
 whitelist /usr/share/gnupg2
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/gpg.profile b/etc/gpg.profile
index b408a0123..787f35f9e 100644
--- a/etc/gpg.profile
+++ b/etc/gpg.profile
@@ -18,9 +18,12 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+whitelist ${RUNUSER}/gnupg
+whitelist ${RUNUSER}/keyring
 whitelist /usr/share/gnupg
 whitelist /usr/share/gnupg2
 whitelist /usr/share/pacman/keyrings
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/gucharmap.profile b/etc/gucharmap.profile
index b3aa58d29..f3e3ab14d 100644
--- a/etc/gucharmap.profile
+++ b/etc/gucharmap.profile
@@ -15,6 +15,7 @@ include disable-programs.inc
 include disable-xdg.inc
 
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/highlight.profile b/etc/highlight.profile
index 036de8d99..fc8b2f65a 100644
--- a/etc/highlight.profile
+++ b/etc/highlight.profile
@@ -7,6 +7,7 @@ include highlight.local
 include globals.local
 
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/latex-common.profile b/etc/latex-common.profile
index 712ada722..84901e8ef 100644
--- a/etc/latex-common.profile
+++ b/etc/latex-common.profile
@@ -14,6 +14,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 
 whitelist /var/lib
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
 caps.drop all
diff --git a/etc/less.profile b/etc/less.profile
index 00624e0f1..27e24c852 100644
--- a/etc/less.profile
+++ b/etc/less.profile
@@ -8,6 +8,7 @@ include less.local
 include globals.local
 
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 
 noblacklist ${HOME}/.lesshst
 
diff --git a/etc/links.profile b/etc/links.profile
index a31001c87..b2f94d3cf 100644
--- a/etc/links.profile
+++ b/etc/links.profile
@@ -24,6 +24,7 @@ include disable-xdg.inc
 mkdir ${HOME}/.links
 whitelist ${HOME}/.links
 whitelist ${DOWNLOADS}
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
 caps.drop all
diff --git a/etc/lynx.profile b/etc/lynx.profile
index fb6fe94ec..dbd0a61e5 100644
--- a/etc/lynx.profile
+++ b/etc/lynx.profile
@@ -16,6 +16,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+include whitelist-runuser-common.inc
+
 caps.drop all
 netfilter
 no3d
diff --git a/etc/meld.profile b/etc/meld.profile
index 9a320c13d..be13e9643 100644
--- a/etc/meld.profile
+++ b/etc/meld.profile
@@ -36,6 +36,8 @@ include disable-passwdmgr.inc
 # Uncomment the next line (or put it into your meld.local) if you don't need to compare files in disable-programs.inc.
 #include disable-programs.inc
 
+include whitelist-runuser-common.inc
+
 # Uncomment the next lines (or put it into your meld.local) if you don't need to compare files in /usr/share.
 #whitelist /usr/share/meld
 #include whitelist-usr-share-common.inc
diff --git a/etc/mutt.profile b/etc/mutt.profile
index 1fc412955..8ff547b52 100644
--- a/etc/mutt.profile
+++ b/etc/mutt.profile
@@ -40,6 +40,8 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-runuser-common.inc
+
 caps.drop all
 netfilter
 no3d
diff --git a/etc/newsboat.profile b/etc/newsboat.profile
index e063abe53..eabd17b4b 100644
--- a/etc/newsboat.profile
+++ b/etc/newsboat.profile
@@ -19,6 +19,7 @@ include disable-xdg.inc
 mkdir ${HOME}/.newsboat
 whitelist ${HOME}/.newsboat
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
 caps.drop all
diff --git a/etc/nslookup.profile b/etc/nslookup.profile
index 40cb3b6d8..4aa1cfcbf 100644
--- a/etc/nslookup.profile
+++ b/etc/nslookup.profile
@@ -7,6 +7,10 @@ include nslookup.local
 # Persistent global definitions
 include globals.local
 
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
+
 noblacklist ${PATH}/nslookup
 
 include disable-common.inc
diff --git a/etc/pandoc.profile b/etc/pandoc.profile
index 9a8d82a96..9117b0c07 100644
--- a/etc/pandoc.profile
+++ b/etc/pandoc.profile
@@ -8,6 +8,7 @@ include pandoc.local
 include globals.local
 
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 
 noblacklist ${DOCUMENTS}
 
diff --git a/etc/patch.profile b/etc/patch.profile
index 4a3365378..95c92a3f5 100644
--- a/etc/patch.profile
+++ b/etc/patch.profile
@@ -8,6 +8,7 @@ include patch.local
 include globals.local
 
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 
 noblacklist ${DOCUMENTS}
 
diff --git a/etc/pdftotext.profile b/etc/pdftotext.profile
index 73ebf4615..a7112f1e8 100644
--- a/etc/pdftotext.profile
+++ b/etc/pdftotext.profile
@@ -7,6 +7,7 @@ include pdftotext.local
 include globals.local
 
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 
 noblacklist ${DOCUMENTS}
 
diff --git a/etc/ping.profile b/etc/ping.profile
index 75ad0ee31..3ef8ad64a 100644
--- a/etc/ping.profile
+++ b/etc/ping.profile
@@ -7,6 +7,10 @@ include ping.local
 # Persistent global definitions
 include globals.local
 
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/pitivi.profile b/etc/pitivi.profile
index 71032f2ee..c722e29b4 100644
--- a/etc/pitivi.profile
+++ b/etc/pitivi.profile
@@ -6,7 +6,6 @@ include pitivi.local
 # Persistent global definitions
 include globals.local
 
-
 noblacklist ${HOME}/.config/pitivi
 
 # Allow python (blacklisted by disable-interpreters.inc)
@@ -20,6 +19,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
 apparmor
diff --git a/etc/pngquant.profile b/etc/pngquant.profile
index f9ce43c4c..4695eee71 100644
--- a/etc/pngquant.profile
+++ b/etc/pngquant.profile
@@ -16,6 +16,8 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 apparmor
diff --git a/etc/polari.profile b/etc/polari.profile
index 939e2537e..87a53775f 100644
--- a/etc/polari.profile
+++ b/etc/polari.profile
@@ -28,6 +28,7 @@ whitelist ${HOME}/.local/share/TpLogger
 whitelist ${HOME}/.local/share/telepathy
 whitelist ${HOME}/.purple
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 
 caps.drop all
 netfilter
diff --git a/etc/remmina.profile b/etc/remmina.profile
index e85ceca13..6311c91df 100644
--- a/etc/remmina.profile
+++ b/etc/remmina.profile
@@ -19,6 +19,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
 caps.drop all
diff --git a/etc/rhythmbox.profile b/etc/rhythmbox.profile
index aff8b08e3..689fbe626 100644
--- a/etc/rhythmbox.profile
+++ b/etc/rhythmbox.profile
@@ -25,6 +25,7 @@ include disable-xdg.inc
 whitelist /usr/share/rhythmbox
 whitelist /usr/share/lua
 whitelist /usr/share/libquvi-scripts
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/rsync-download_only.profile b/etc/rsync-download_only.profile
index 84147f0a5..500656a4b 100644
--- a/etc/rsync-download_only.profile
+++ b/etc/rsync-download_only.profile
@@ -14,6 +14,7 @@ include globals.local
 
 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/seahorse.profile b/etc/seahorse.profile
index 5a742d05f..3a69086b5 100644
--- a/etc/seahorse.profile
+++ b/etc/seahorse.profile
@@ -31,7 +31,10 @@ whitelist /usr/share/gnupg
 whitelist /usr/share/gnupg2
 whitelist /usr/share/seahorse
 whitelist /usr/share/seahorse-nautilus
+whitelist ${RUNUSER}/gnupg
+whitelist ${RUNUSER}/keyring
 #include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/shellcheck.profile b/etc/shellcheck.profile
index 7b4041222..fb43c61e4 100644
--- a/etc/shellcheck.profile
+++ b/etc/shellcheck.profile
@@ -8,6 +8,7 @@ include shellcheck.local
 include globals.local
 
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 
 noblacklist ${DOCUMENTS}
 
diff --git a/etc/ssh.profile b/etc/ssh.profile
index 1551c3fb6..cbd59c6e0 100644
--- a/etc/ssh.profile
+++ b/etc/ssh.profile
@@ -18,7 +18,10 @@ include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+whitelist ${RUNUSER}/keyring/ssh
+whitelist ${RUNUSER}/gnupg/S.gpg-agent.ssh
 include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
 
 caps.drop all
 ipc-namespace
diff --git a/etc/strings.profile b/etc/strings.profile
index 7dc453b1f..7d2d035a4 100644
--- a/etc/strings.profile
+++ b/etc/strings.profile
@@ -8,6 +8,7 @@ include strings.local
 include globals.local
 
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 
 #include disable-common.inc
 include disable-devel.inc
diff --git a/etc/teams.profile b/etc/teams.profile
index 8b60a941e..0e5a42be7 100644
--- a/etc/teams.profile
+++ b/etc/teams.profile
@@ -9,6 +9,8 @@ include teams.local
 # added by included profile
 #include globals.local
 
+ignore nodbus
+
 noblacklist ${HOME}/.config/teams
 noblacklist ${HOME}/.config/Microsoft
 
@@ -30,7 +32,6 @@ tracelog
 disable-mnt
 private-cache
 private-dev
-private-tmp
 
 # Redirect
 include electron.profile
diff --git a/etc/templates/profile.template b/etc/templates/profile.template
index 0362b82af..4cb40027c 100644
--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -27,6 +27,7 @@
 #   ALLOW INCLUDES
 #   BLACKLISTS
 #   DISABLE INCLUDES
+#   NOWHITELISTS
 #   MKDIRS
 #   WHITELISTS
 #   WHITELIST INCLUDES
@@ -62,6 +63,8 @@ include globals.local
 #blacklist /tmp/.X11-unix
 # Disable Wayland
 #blacklist ${RUNUSER}/wayland-*
+# Disable RUNUSER (cli only)
+#blacklist ${RUNUSER}
 
 # It is common practice to add files/dirs containing program-specific configuration
 # (often ${HOME}/PROGRAMNAME or ${HOME}/.config/PROGRAMNAME) into disable-programs.inc
@@ -116,6 +119,7 @@ include globals.local
 ##mkfile PATH
 #whitelist PATH
 #include whitelist-common.inc
+#GTK3 only: include whitelist-runuser-common.inc
 #include whitelist-usr-share-common.inc
 #include whitelist-var-common.inc
 
diff --git a/etc/tracker.profile b/etc/tracker.profile
index d47185b1d..9030b1e01 100644
--- a/etc/tracker.profile
+++ b/etc/tracker.profile
@@ -17,6 +17,8 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-runuser-common.inc
+
 caps.drop all
 netfilter
 no3d
diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile
index 01bdeb4ef..baa970307 100644
--- a/etc/transmission-gtk.profile
+++ b/etc/transmission-gtk.profile
@@ -7,6 +7,8 @@ include transmission-gtk.local
 # Persistent global definitions
 include globals.local
 
+include whitelist-runuser-common.inc
+
 private-bin transmission-gtk
 
 ignore memory-deny-write-execute
diff --git a/etc/tshark.profile b/etc/tshark.profile
index 211f59f29..684a9491d 100644
--- a/etc/tshark.profile
+++ b/etc/tshark.profile
@@ -16,6 +16,7 @@ include disable-xdg.inc
 
 whitelist /usr/share/wireshark
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/vim.profile b/etc/vim.profile
index d27a9a633..e9a474239 100644
--- a/etc/vim.profile
+++ b/etc/vim.profile
@@ -17,6 +17,8 @@ include disable-common.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-runuser-common.inc
+
 caps.drop all
 netfilter
 nodvd
diff --git a/etc/w3m.profile b/etc/w3m.profile
index 97465baa1..5215ee6f5 100644
--- a/etc/w3m.profile
+++ b/etc/w3m.profile
@@ -20,6 +20,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+include whitelist-runuser-common.inc
+
 caps.drop all
 netfilter
 no3d
diff --git a/etc/wget.profile b/etc/wget.profile
index d402316e9..ad7a14c41 100644
--- a/etc/wget.profile
+++ b/etc/wget.profile
@@ -13,6 +13,7 @@ noblacklist ${HOME}/.wgetrc
 
 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/whitelist-runuser-common.inc b/etc/whitelist-runuser-common.inc
new file mode 100644
index 000000000..de59d03d3
--- /dev/null
+++ b/etc/whitelist-runuser-common.inc
@@ -0,0 +1,10 @@
+# Local customizations come here
+include whitelist-runuser-common.local
+
+# common ${RUNUSER} (=/run/user/$UID) whitelist for all profiles
+
+whitelist ${RUNUSER}/bus
+whitelist ${RUNUSER}/dconf
+whitelist ${RUNUSER}/gdm/Xauthority
+whitelist ${RUNUSER}/pulse/native
+whitelist ${RUNUSER}/wayland-0
diff --git a/etc/whois.profile b/etc/whois.profile
index 9af6d6843..5fea610d8 100644
--- a/etc/whois.profile
+++ b/etc/whois.profile
@@ -9,6 +9,7 @@ include globals.local
 
 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/yelp.profile b/etc/yelp.profile
index acd483209..7053f98e8 100644
--- a/etc/yelp.profile
+++ b/etc/yelp.profile
@@ -23,6 +23,7 @@ whitelist /usr/share/help
 whitelist /usr/share/yelp
 whitelist /usr/share/yelp-xsl
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/youtube-dl.profile b/etc/youtube-dl.profile
index 19effef47..6066313a3 100644
--- a/etc/youtube-dl.profile
+++ b/etc/youtube-dl.profile
@@ -22,6 +22,7 @@ include allow-python3.inc
 
 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
index bec22e5a6..dbc74bfff 100644
--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -20,7 +20,6 @@
 #include "firejail.h"
 #include <sys/mount.h>
 #include <linux/limits.h>
-#include <glob.h>
 #include <dirent.h>
 #include <errno.h>
 #include <sys/stat.h>
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c
index c5b066b12..3f3075570 100644
--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -346,6 +346,39 @@ static void whitelist_home(int topdir) {
 }
 
 
+static void globbing(const char *pattern) {
+        assert(pattern);
+
+        // globbing
+        glob_t globbuf;
+        int globerr = glob(pattern, GLOB_NOCHECK | GLOB_NOSORT | GLOB_PERIOD, NULL, &globbuf);
+        if (globerr) {
+                fprintf(stderr, "Error: failed to glob private-bin pattern %s\n", pattern);
+                exit(1);
+        }
+
+        size_t i;
+        for (i = 0; i < globbuf.gl_pathc; i++) {
+                assert(globbuf.gl_pathv[i]);
+                // testing for GLOB_NOCHECK - no pattern matched returns the original pattern
+                if (strcmp(globbuf.gl_pathv[i], pattern) == 0)
+                        continue;
+
+                // build the new profile command
+                char *newcmd;
+                if (asprintf(&newcmd, "whitelist %s", globbuf.gl_pathv[i]) == -1)
+                        errExit("asprintf");
+
+                // add the new profile command at the end of the list
+                if (arg_debug || arg_debug_whitelists)
+                        printf("Adding new profile command: %s\n", newcmd);
+                profile_add(newcmd);
+        }
+
+        globfree(&globbuf);
+}
+
+
 void fs_whitelist(void) {
         ProfileEntry *entry = cfg.profile;
         if (!entry)
@@ -444,6 +477,13 @@ void fs_whitelist(void) {
                 else
                         fname = realpath(new_name, NULL);
 
+                // if this is not a real path, let's try globbing
+                // mark this entry as EMPTY_STRING and push the new paths at the end of profile entry list
+                // the new profile entries will be processed in this loop
+                // currently there is no globbing support for nowhitelist
+                if (!fname && !nowhitelist_flag)
+                        globbing(new_name);
+
                 if (!fname) {
                         // file not found, blank the entry in the list and continue
                         if (arg_debug || arg_debug_whitelists) {
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index c98ad3620..77bfea8c6 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -208,6 +208,7 @@ static char *usage_str =
         "\twhitelist the syscalls specified by the command.\n"
         "    --seccomp.print=name|pid - print the seccomp filter for the sandbox\n"
         "\tidentified by name or PID.\n"
+        "    --seccomp.32[.drop,.keep][=syscall] - like above but for 32 bit architecture.\n"
 #endif
         "    --shell=none - run the program directly without a user shell.\n"
         "    --shell=program - set default user shell.\n"
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index 74de24b47..98ac184d9 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -1235,16 +1235,15 @@ void x11_xorg(void) {
 
         // move the temporary file in RUN_XAUTHORITY_SEC_FILE in order to have it deleted
         // automatically when the sandbox is closed (rename doesn't work)
-                                                  // root needed
-        if (copy_file(tmpfname, RUN_XAUTHORITY_SEC_FILE, getuid(), getgid(), 0600)) {
-                fprintf(stderr, "Error: cannot create the new .Xauthority file\n");
-                exit(1);
-        }
+        if (arg_debug)
+                printf("Copying the new .Xauthority file\n");
+        copy_file_from_user_to_root(tmpfname, RUN_XAUTHORITY_SEC_FILE, getuid(), getgid(), 0600);
+        
         /* coverity[toctou] */
         unlink(tmpfname);
         umount("/tmp");
 
-        // remount RUN_XAUTHORITY_SEC_FILE noexec, nodev, nosuid
+        // mount RUN_XAUTHORITY_SEC_FILE noexec, nodev, nosuid
         fs_remount(RUN_XAUTHORITY_SEC_FILE, MOUNT_NOEXEC, 0);
 
         // Ensure there is already a file in the usual location, so that bind-mount below will work.
@@ -1354,19 +1353,17 @@ void fs_x11(void) {
         if (mount("/tmp/.X11-unix", RUN_WHITELIST_X11_DIR, 0, MS_BIND|MS_REC, 0) < 0)
                 errExit("mount bind");
 
-        // This directory must be mode 1777, or Xlib will barf.
+        // This directory must be mode 1777
         if (mount("tmpfs", "/tmp/.X11-unix", "tmpfs",
                 MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME,
                 "mode=1777,uid=0,gid=0") < 0)
                 errExit("mounting tmpfs on /tmp/.X11-unix");
         fs_logger("tmpfs /tmp/.X11-unix");
 
-        // create an empty file which will have the desired socket bind-mounted over it
-        int fd = open(x11file, O_RDWR|O_CREAT|O_EXCL, x11stat.st_mode & ~S_IFMT);
+        // create an empty root-owned file which will have the desired socket bind-mounted over it
+        int fd = open(x11file, O_RDONLY|O_CREAT|O_EXCL, S_IRUSR | S_IWUSR);
         if (fd < 0)
                 errExit(x11file);
-        if (fchown(fd, x11stat.st_uid, x11stat.st_gid))
-                errExit("fchown");
         close(fd);
 
         // the mount source is under control of the user, so be careful and
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 13dcf09ee..1bed40015 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -2346,6 +2346,10 @@ the same top directory. For user home, both the link and the real file should be
 .br
 
 .br
+File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
+.br
+
+.br
 Example:
 .br
 $ firejail \-\-noprofile \-\-whitelist=~/.mozilla
@@ -2353,6 +2357,8 @@ $ firejail \-\-noprofile \-\-whitelist=~/.mozilla
 $ firejail \-\-whitelist=/tmp/.X11-unix --whitelist=/dev/null
 .br
 $ firejail "\-\-whitelist=/home/username/My Virtual Machines"
+.br
+$ firejail \-\-whitelist=~/work* \-\-whitelist=/var/backups*
 
 .TP
 \fB\-\-writable-etc
@@ -2722,7 +2728,7 @@ The globbing feature is implemented using glibc glob command. For more informati
 
 .br
 .TP
-The following command line options are supported: \-\-blacklist, \-\-private-bin, \-\-noexec, \-\-read-only, \-\-read-write, and \-\-tmpfs.
+The following command line options are supported: \-\-blacklist, \-\-private-bin, \-\-noexec, \-\-read-only, \-\-read-write, \-\-tmpfs, and \-\-whitelist.
 .br
 
 .br
diff --git a/src/profstats/main.c b/src/profstats/main.c
index 76b90f01b..f8818982f 100644
--- a/src/profstats/main.c
+++ b/src/profstats/main.c
@@ -35,6 +35,8 @@ static int cnt_noexec = 0;	// include disable-exec.inc
 static int cnt_privatedev = 0;
 static int cnt_privatetmp = 0;
 static int cnt_whitelistvar = 0;        // include whitelist-var-common.inc
+static int cnt_whitelistrunuser = 0;    // include whitelist-runuser-common.inc
+static int cnt_whitelistusrshare = 0;   // include whitelist-usr-share-common.inc
 static int cnt_ssh = 0;
 
 static int level = 0;
@@ -46,6 +48,8 @@ static int arg_noexec = 0;
 static int arg_privatedev = 0;
 static int arg_privatetmp = 0;
 static int arg_whitelistvar = 0;
+static int arg_whitelistrunuser = 0;
+static int arg_whitelistusrshare = 0;
 static int arg_ssh = 0;
 
 static char *profile = NULL;
@@ -63,6 +67,8 @@ static void usage(void) {
         printf("   --private-tmp - print profiles without private-tmp\n");
         printf("   --seccomp - print profiles without seccomp\n");
         printf("   --whitelist-var - print profiles without \"include whitelist-var-common.inc\"\n");
+        printf("   --whitelist-runuser - print profiles without \"include whitelist-runuser-common.inc\"\n");
+        printf("   --whitelist-usrshare - print profiles without \"include whitelist-usr-share-common.inc\"\n");
         printf("   --debug\n");
         printf("\n");
 }
@@ -102,6 +108,10 @@ void process_file(const char *fname) {
                         cnt_noexec++;
                 else if (strncmp(ptr, "include whitelist-var-common.inc", 32) == 0)
                         cnt_whitelistvar++;
+                else if (strncmp(ptr, "include whitelist-runuser-common.inc", 32) == 0)
+                        cnt_whitelistrunuser++;
+                else if (strncmp(ptr, "include whitelist-usr-share-common.inc", 32) == 0)
+                        cnt_whitelistusrshare++;
                 else if (strncmp(ptr, "include disable-common.inc", 26) == 0)
                         cnt_ssh++;
                 else if (strncmp(ptr, "net none", 8) == 0)
@@ -159,6 +169,10 @@ int main(int argc, char **argv) {
                         arg_privatetmp = 1;
                 else if (strcmp(argv[i], "--whitelist-var") == 0)
                         arg_whitelistvar = 1;
+                else if (strcmp(argv[i], "--whitelist-runuser") == 0)
+                        arg_whitelistrunuser = 1;
+                else if (strcmp(argv[i], "--whitelist-usrshare") == 0)
+                        arg_whitelistusrshare = 1;
                 else if (strcmp(argv[i], "--ssh") == 0)
                         arg_ssh = 1;
                 else if (*argv[i] == '-') {
@@ -188,6 +202,8 @@ int main(int argc, char **argv) {
                 int dotlocal = cnt_dotlocal;
                 int globalsdotlocal = cnt_globalsdotlocal;
                 int whitelistvar = cnt_whitelistvar;
+                int whitelistrunuser = cnt_whitelistrunuser;
+                int whitelistusrshare = cnt_whitelistusrshare;
                 int ssh = cnt_ssh;
 
                 // process file
@@ -220,6 +236,10 @@ int main(int argc, char **argv) {
                         printf("No private-tmp found in %s\n", argv[i]);
                 if (arg_whitelistvar && whitelistvar == cnt_whitelistvar)
                         printf("No include whitelist-var-common.inc found in %s\n", argv[i]);
+                if (arg_whitelistrunuser && whitelistrunuser == cnt_whitelistrunuser)
+                        printf("No include whitelist-runuser-common.inc found in %s\n", argv[i]);
+                if (arg_whitelistusrshare && whitelistusrshare == cnt_whitelistusrshare)
+                        printf("No include whitelist-usr-share-common.inc found in %s\n", argv[i]);
                 if (arg_ssh && ssh == cnt_ssh)
                         printf("No include disable-common.inc found in %s\n", argv[i]);
 
@@ -238,7 +258,9 @@ int main(int argc, char **argv) {
         printf("    apparmor\t\t\t%d\n", cnt_apparmor);
         printf("    private-dev\t\t\t%d\n", cnt_privatedev);
         printf("    private-tmp\t\t\t%d\n", cnt_privatetmp);
-        printf("    whitelist var directory\t%d   (include whitelist-var-common.inc)\n", cnt_whitelistvar);
+        printf("    whitelist var\t\t%d   (include whitelist-var-common.inc)\n", cnt_whitelistvar);
+        printf("    whitelist run/user\t\t%d   (include whitelist-runuser-common.inc)\n", cnt_whitelistrunuser);
+        printf("    whitelist usr/share\t\t%d   (include whitelist-usr-share-common.inc)\n", cnt_whitelistusrshare);
         printf("    net none\t\t\t%d\n", cnt_netnone);
         printf("\n");
         return 0;