51 files changed, 334 insertions, 152 deletions

diff --git a/.github/ISSUE_TEMPLATE/build_issue.md b/.github/ISSUE_TEMPLATE/build_issue.md
new file mode 100644
index 000000000..7e0b822bb
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/build_issue.md
@@ -0,0 +1,72 @@
+---
+name: Build issue
+about: There is an issue when trying to build the project from source
+title: 'build: '
+labels: ''
+assignees: ''
+
+---
+
+<!--
+See the following links for help with formatting:
+
+https://guides.github.com/features/mastering-markdown/
+https://docs.github.com/en/github/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax
+-->
+
+### Description
+
+_Describe the bug_
+
+### Steps to Reproduce
+
+<!--
+Note: If the output is too long to embed it into the comment, you can post it
+in a gist at <https://gist.github.com/> and link it here or upload the build
+log as a file.
+
+Note: Make sure to include the exact command-line used for all commands and to
+include the full output of ./configure.
+
+Feel free to include only the errors in the make output if they are
+self-explanatory (for example, with `make >/dev/null`).
+-->
+
+_Post the commands used to reproduce the issue and their output_
+
+Example:
+
+```console
+$ ./configure --prefix=/usr --enable-apparmor
+checking for gcc... gcc
+checking whether the C compiler works... yes
+[...]
+$ make
+make -C src/lib
+gcc [...]
+[...]
+```
+
+_If ./configure fails, include the output of config.log_
+
+Example:
+
+```console
+$ cat config.log
+This file contains any messages produced by compilers while
+running configure, to aid debugging if configure makes a mistake.
+[...]
+```
+
+### Additional context
+
+_(Optional) Any other detail that may help to understand/debug the problem_
+
+### Environment
+
+- Name/version/arch of the Linux kernel (e.g. the output of `uname -srm`)
+- Name/version of the Linux distribution (e.g. "Ubuntu 20.04" or "Arch Linux")
+- Name/version of the C compiler (e.g. "gcc 14.1.1-1")
+- Name/version of the libc (e.g. "glibc 2.40-1")
+- Version of the Linux API headers (e.g. "linux-api-headers 6.10-1" on Arch Linux)
+- Version of the source code being built (e.g. the output of `git rev-parse HEAD`)
diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml
index ccc5c9bf7..775a3c947 100644
--- a/.github/workflows/build-extra.yml
+++ b/.github/workflows/build-extra.yml
@@ -44,7 +44,7 @@ jobs:
     timeout-minutes: 10
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6
+      uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c
       with:
         egress-policy: block
         allowed-endpoints: >
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index e7752f3d3..0c1317ed8 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -60,7 +60,7 @@ jobs:
     timeout-minutes: 10
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6
+      uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c
       with:
         egress-policy: block
         allowed-endpoints: >
diff --git a/.github/workflows/check-c.yml b/.github/workflows/check-c.yml
index a0b7245e5..d3c9a8abf 100644
--- a/.github/workflows/check-c.yml
+++ b/.github/workflows/check-c.yml
@@ -46,7 +46,7 @@ jobs:
     timeout-minutes: 10
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6
+      uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c
       with:
         egress-policy: block
         allowed-endpoints: >
@@ -79,7 +79,7 @@ jobs:
     timeout-minutes: 10
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6
+      uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c
       with:
         egress-policy: block
         allowed-endpoints: >
@@ -109,7 +109,7 @@ jobs:
     timeout-minutes: 10
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6
+      uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c
       with:
         egress-policy: block
         allowed-endpoints: >
@@ -143,7 +143,7 @@ jobs:
 
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6
+      uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c
       with:
         disable-sudo: true
         egress-policy: block
@@ -161,7 +161,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@b611370bb5703a7efb587f9d136a52ea24c5c38c
+      uses: github/codeql-action/init@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a
       with:
         languages: cpp
 
@@ -172,4 +172,4 @@ jobs:
       run: make -j "$(nproc)"
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@b611370bb5703a7efb587f9d136a52ea24c5c38c
+      uses: github/codeql-action/analyze@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a
diff --git a/.github/workflows/check-profiles.yml b/.github/workflows/check-profiles.yml
index 38cb1f29b..040d3ab1c 100644
--- a/.github/workflows/check-profiles.yml
+++ b/.github/workflows/check-profiles.yml
@@ -33,7 +33,7 @@ jobs:
 
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6
+      uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c
       with:
         disable-sudo: true
         egress-policy: block
diff --git a/.github/workflows/check-python.yml b/.github/workflows/check-python.yml
index 838414498..3d233bc02 100644
--- a/.github/workflows/check-python.yml
+++ b/.github/workflows/check-python.yml
@@ -31,7 +31,7 @@ jobs:
 
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6
+      uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c
       with:
         disable-sudo: true
         egress-policy: block
@@ -51,9 +51,9 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@b611370bb5703a7efb587f9d136a52ea24c5c38c
+      uses: github/codeql-action/init@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a
       with:
         languages: python
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@b611370bb5703a7efb587f9d136a52ea24c5c38c
+      uses: github/codeql-action/analyze@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a
diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml
index 6e0fe73d2..1bf714d65 100644
--- a/.github/workflows/codespell.yml
+++ b/.github/workflows/codespell.yml
@@ -24,7 +24,7 @@ jobs:
     timeout-minutes: 5
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6
+      uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c
       with:
         egress-policy: block
         allowed-endpoints: >
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index c1ee00934..0cc1eea3e 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -54,7 +54,7 @@ jobs:
       SHELL: /bin/bash
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6
+      uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c
       with:
         egress-policy: block
         allowed-endpoints: >
@@ -103,7 +103,7 @@ jobs:
       SHELL: /bin/bash
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6
+      uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c
       with:
         egress-policy: block
         allowed-endpoints: >
@@ -143,7 +143,7 @@ jobs:
       SHELL: /bin/bash
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6
+      uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c
       with:
         egress-policy: block
         allowed-endpoints: >
@@ -183,7 +183,7 @@ jobs:
       SHELL: /bin/bash
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6
+      uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c
       with:
         egress-policy: block
         allowed-endpoints: >
@@ -225,7 +225,7 @@ jobs:
       SHELL: /bin/bash
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6
+      uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c
       with:
         egress-policy: block
         allowed-endpoints: >
diff --git a/README b/README
index b55cf3ef8..d64554f9a 100644
--- a/README
+++ b/README
@@ -171,7 +171,7 @@ aoand (https://github.com/aoand)
 Arne Welzel (https://github.com/awelzel)
         - ignore SIGTTOU during flush_stdin()
 archaon616 (https://github.com/archaon616)
-        - steam.profile: Allow Factorio
+        - steam.profile: allow Factorio, Zomboid
 Atrate (https://github.com/Atrate)
         - BetterDiscord support
 Austin Morton (https://github.com/apmorton)
@@ -326,6 +326,8 @@ curiosityseeker (https://github.com/curiosityseeker - new)
         - fixed conky profile
         - thunderbird.profile: harden and enable the rules necessary to make
           Firefox open links
+D357R0Y3R (https://github.com/D357R0Y3R)
+        - added floorp to firejail.config
 da2x (https://github.com/da2x)
         - matched RPM license tag
 Daan Bakker (https://github.com/dbakker)
@@ -371,6 +373,8 @@ DiGitHubCap (https://github.com/DiGitHubCap)
         - fix qt5ct colour schemes and QSS
 Dieter Plaetinck (https://github.com/Dieterbe)
         - qutebrowser: update MPRIS name for qutebrowser-qt6
+        - fix email-common.profile
+        - fix claws-mail profile
 Disconnect3d (https://github.com/disconnect3d)
         - code cleanup
 dm9pZCAq (https://github.com/dm9pZCAq)
@@ -408,13 +412,18 @@ Fabian Würfl (https://github.com/BafDyce)
         - Liferea profile
 Felipe Barriga Richards (https://github.com/fbarriga)
         - --private-etc fix
+Felix Pehla (https://github.com/FelixPehla)
+        - fix fractal profile
 fenuks (https://github.com/fenuks)
         - fix sound in games using FMOD
         - allow /opt/tor-browser for Tor Browser profile
 fkrone (https://github.com/fkrone)
         - fix Zoom profile
 Fidel Ramos (https://github.com/haplo)
-        - Ledger Live profile
+        - added Ledger Live profile
+        - fixed geeqie profile
+        - added rawtherapee profile
+        - added electron-cache profile
 Florian Begusch (https://github.com/florianbegusch)
         - (la)tex profiles
         - fixed transmission-common.profile
@@ -567,6 +576,9 @@ Haowei Yu (https://github.com/sfc-gh-hyu)
 Icaro Perseo (https://github.com/icaroperseo)
         - Icecat profile
         - several profile fixes
+Ilya Pankratov (https://github.com/i-pankrat)
+        - profstats fix
+        - fix various memory resource leaks
 Igor Bukanov (https://github.com/ibukanov)
         - found/fiixed privilege escalation in --hosts-file option
 iiotx (https://github.com/iiotx)
@@ -739,6 +751,8 @@ Liorst4 (https://github.com/Liorst4)
         - minetest fixes
 Lockdis (https://github.com/Lockdis)
         - Added crow, nyx, and google-earth-pro profiles
+luca0N (https://github.com/luca0N)
+        - fixed crawl profile
 Lukáš Krejčí (https://github.com/lskrejci)
         - fixed parsing of --keep-var-tmp
 luzpaz (https://github.com/luzpaz)
@@ -794,6 +808,8 @@ Michael Haas (https://github.com/mhaas)
         - bugfixes
 Michael Hoffmann (https://github.com/brisad)
         - added support for subdirs in private-etc
+Michele Sorcinelli (https://github.com/michelesr)
+        - fix ssh profile
 Mike Frysinger (vapier@gentoo.org)
         - Gentoo compile patch
 minus7 (https://github.com/minus7)
@@ -855,6 +871,7 @@ nolanl (https://github.com/nolanl)
 nutta-git (https://github.com/nutta-git)
         - steam.profile: allow process_vm_readv syscall
         - lutris.profile: allow more syscalls
+        - steam.profile: update novideo comment for webcam motion trackers
 nyancat18 (https://github.com/nyancat18)
         - added ardour4, dooble, karbon, krita profiles
 nya1 (https://github.com/nya1)
@@ -949,6 +966,8 @@ pszxzsd (https://github.com/pszxzsd)
         -uGet profile
 pwnage-pineapple (https://github.com/pwnage-pineapple)
         - update Okular profile
+qdii (https://github.com/qdii)
+        - added notpm command & keep tpm devices in private-dev
 Quentin Retornaz (https://github.com/qretornaz-adapei42)
         - microsoft-edge profiles fixes
 Quentin Minster (https://github.com/laomaiweng)
@@ -1003,6 +1022,8 @@ rootalc (https://github.com/rootalc)
         - add nolocal6.net filter
 Ruan (https://github.com/ruany)
         - fixed hexchat profile
+RundownRhino (https://github.com/RundownRhino)
+        - firefox profile fix
 rusty-snake (https://github.com/rusty-snake)
         - added profiles: thunderbird-wayland, supertuxkart, ghostwriter
         - added profiles: klavaro, mypaint, mypaint-ora-thumbnailer, nano
@@ -1040,18 +1061,17 @@ Serphentas (https://github.com/Serphentas)
         - add Paradox Launcher to Steam profile
 Slava Monich (https://github.com/monich)
         - added configure option to disable man pages
-Tobias Schmidl (https://github.com/schtobia)
-        - added profile for webui-aria2
 Simon Peter (https://github.com/probonopd)
         - set $APPIMAGE and $APPDIR environment variables
         - AppImage version detection
         - Leafppad type v1 and v2 appimage packages in test/appimage
         - GitHub/Travis CI integration
+Simo Piiroinen (https://github.com/spiiroin)
+        - Jolla/SailfishOS patches
+        - fix startup race condition for /run/firejail directory
 sinkuu (https://github.com/sinkuu)
         - blacklisting kwalletd
         - fix symlink invocation for programs placing symlinks in $PATH
-Simo Piiroinen (https://github.com/spiiroin)
-        - Jolla/SailfishOS patches
 slowpeek (https://github.com/slowpeek)
         - refine appimage example in docs
         - allow resolution of .local names with avahi-daemon in the apparmor profile
@@ -1059,6 +1079,9 @@ slowpeek (https://github.com/slowpeek)
         - make appimage examples consistent with --appimage option short description
         - blacklist google-drive-ocamlfuse config
         - blacklist sendgmail config
+Shahriar Heidrich (https://github.com/smheidrich)
+        - fix manpages
+        - fix i3 profile and disable-programs.profile
 smitsohu (https://github.com/smitsohu)
         - read-only kde4 services directory
         - enhanced mediathekview profile
@@ -1187,6 +1210,8 @@ Tomasz Jan Góralczyk (https://github.com/tjg)
         - fixed Steam profile
 Tomi Leppänen (https://github.com/Tomin1)
         - Jolla/SailfishOS patches
+Tobias Schmidl (https://github.com/schtobia)
+        - added profile for webui-aria2
 Topi Miettinen (https://github.com/topimiettinen)
         - improved seccomp printing
         - improve mount handling, fix /run/user handling
@@ -1201,6 +1226,8 @@ Ted Robertson (https://github.com/tredondo)
         - various documentation fixes
         - blacklist Exodus wallet
         - blacklist monero-project directory
+tools200ms (https://github.com/tools200ms)
+        - fixed allow-ssh.inc
 Tus1688 (https://github.com/Tus1688)
         - added neovim profile
 user1024 (user1024@tut.by)
diff --git a/RELNOTES b/RELNOTES
index 2e1fbf0b5..4e55f9447 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -17,6 +17,9 @@ firejail (0.9.73) baseline; urgency=low
   * feature: add Landlock support (#5269 #6078 #6115 #6125 #6187 #6195 #6200
     #6228 #6260 #6302 #6305)
   * feature: add support for comm, coredump, and prctl procevents in firemon
+    (#6414 #6415)
+  * feature: add notpm command & keep tpm devices in private-dev (#6379 #6390)
+  * feature: fshaper.sh: support tc on NixOS (#6426 #6431)
   * modif: Stop forwarding own double-dash to the shell (#5599 #5600)
   * modif: Prevent sandbox name (--name=) and host name (--hostname=)
     from containing only digits (#5578 #5741)
@@ -31,7 +34,8 @@ firejail (0.9.73) baseline; urgency=low
   * modif: drop deprecated 'shell' option references (#5894)
   * modif: keep pipewire group unless nosound is used (#5992 #5993)
   * modif: fcopy: Use lstat when copying directory (#5957)
-  * modif: populate /run/firejail while holding flock (#6307)
+  * modif: private-dev: keep /dev/kfd unless no3d is used (#6380)
+  * modif: keep /sys/module/nvidia* if prop driver and no no3d (#6372 #6387)
   * removal: LTS and FIRETUNNEL support
   * bugfix: fix --hostname and --hosts-file commands
   * bugfix: fix examples in firejail-local AppArmor profile (#5717)
@@ -40,8 +44,10 @@ firejail (0.9.73) baseline; urgency=low
     (#5965 #5976)
   * bugfix: firejail --ls reports wrong file sizes for large files (#5982
     #6086)
+  * bugfix: fix startup race condition for /run/firejail directory (#6307)
   * bugfix: fix various resource leaks (#6367)
   * bugfix: profstats: fix restrict-namespaces max count (#6369)
+  * bugfix: remove --noautopulse from --help and zsh comp (#6401)
   * build: auto-generate syntax files (#5627)
   * build: mark all phony targets as such (#5637)
   * build: mkdeb.sh: pass all arguments to ./configure (#5654)
@@ -52,8 +58,7 @@ firejail (0.9.73) baseline; urgency=low
   * build: disable all built-in implicit make rules (#5864)
   * build: organize and standardize make vars and targets (#5866)
   * build: fix seccomp filters and man pages always being rebuilt when running
-    make
-  * build: simplify code related to man pages (#5898)
+    make (#5156 #5898)
   * build: fix hardcoded make & remove unnecessary distclean targets (#5911)
   * build: dist and asc improvements (#5916)
   * build: fix some shellcheck issues & use config.sh in more scripts (#5927)
@@ -77,6 +82,7 @@ firejail (0.9.73) baseline; urgency=low
   * build: remove clean dependency from cppcheck targets (#6343)
   * build: allow overriding common tools (#6354)
   * build: standardize install commands (#6366)
+  * build: improve reliability/portability of date command usage (#6403 #6404)
   * ci: always update the package db before installing packages (#5742)
   * ci: fix codeql unable to download its own bundle (#5783)
   * ci: split configure/build/install commands on gitlab (#5784)
@@ -104,6 +110,10 @@ firejail (0.9.73) baseline; urgency=low
   * docs: add uninstall instructions to README.md (#5812)
   * docs: add precedence info to manpage & fix noblacklist example (#6358
     #6359)
+  * docs: bug_report.md: use absolute path in 'steps to reproduce' (#6382)
+  * docs: man: format and sort some private- items (#6398)
+  * docs: man: improve blacklist/whitelist examples with spaces (#6425)
+  * docs: add build_issue.md issue template (#6423)
   * legal: selinux.c: Split Copyright notice & use same license as upstream
     (#5667)
   * profiles: qutebrowser: fix links not opening in the existing instance
diff --git a/contrib/syntax/lists/profile_commands_arg0.list b/contrib/syntax/lists/profile_commands_arg0.list
index 0ac70e5cf..13adfeddc 100644
--- a/contrib/syntax/lists/profile_commands_arg0.list
+++ b/contrib/syntax/lists/profile_commands_arg0.list
@@ -27,6 +27,7 @@ nonewprivs
 noprinters
 noroot
 nosound
+notpm
 notv
 nou2f
 novideo
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index 14f7d8cf7..faae99543 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -171,6 +171,10 @@ blacklist ${RUNUSER}/gsconnect
 blacklist ${RUNUSER}/i3/ipc-socket.*
 blacklist /tmp/i3-*/ipc-socket.*
 
+# sway IPC socket (allows arbitrary shell script execution)
+blacklist ${RUNUSER}/sway-ipc.*
+blacklist /tmp/sway-ipc.*
+
 # systemd
 blacklist ${HOME}/.config/systemd
 blacklist ${HOME}/.local/share/systemd
diff --git a/etc/profile-a-l/abrowser.profile b/etc/profile-a-l/abrowser.profile
index 8b70756ba..6217af780 100644
--- a/etc/profile-a-l/abrowser.profile
+++ b/etc/profile-a-l/abrowser.profile
@@ -14,8 +14,7 @@ whitelist ${HOME}/.cache/mozilla/abrowser
 whitelist ${HOME}/.mozilla
 whitelist /usr/share/abrowser
 
-# private-etc must first be enabled in firefox-common.profile
-#private-etc abrowser
+private-etc abrowser
 
 # Redirect
 include firefox-common.profile
diff --git a/etc/profile-a-l/basilisk.profile b/etc/profile-a-l/basilisk.profile
index 7d2fe143c..f5595274e 100644
--- a/etc/profile-a-l/basilisk.profile
+++ b/etc/profile-a-l/basilisk.profile
@@ -19,8 +19,7 @@ seccomp
 ignore seccomp
 
 #private-bin basilisk
-# private-etc must first be enabled in firefox-common.profile
-#private-etc basilisk
+private-etc basilisk
 #private-opt basilisk
 
 restrict-namespaces
diff --git a/etc/profile-a-l/bijiben.profile b/etc/profile-a-l/bijiben.profile
index e596ec9d2..7afccf5cd 100644
--- a/etc/profile-a-l/bijiben.profile
+++ b/etc/profile-a-l/bijiben.profile
@@ -59,5 +59,8 @@ dbus-user.talk ca.desrt.dconf
 dbus-user.talk org.freedesktop.Tracker1
 dbus-system none
 
-env WEBKIT_FORCE_SANDBOX=0
+# Warning: Disabling the webkit sandbox may be needed to make firejail work
+# with webkit2gtk, but this is not recommended (see #2995).
+# Add the following line to bijiben.local at your own risk:
+#env WEBKIT_DISABLE_SANDBOX_THIS_IS_DANGEROUS=1
 restrict-namespaces
diff --git a/etc/profile-a-l/bitwarden-desktop.profile b/etc/profile-a-l/bitwarden-desktop.profile
new file mode 100644
index 000000000..4c1994c50
--- /dev/null
+++ b/etc/profile-a-l/bitwarden-desktop.profile
@@ -0,0 +1,11 @@
+# Firejail profile for bitwarden-desktop
+# Description: A secure and free password manager for all of your devices
+# This file is overwritten after every install/update.
+# Persistent local customisations
+include bitwarden-desktop.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include bitwarden.profile
diff --git a/etc/profile-a-l/bitwarden.profile b/etc/profile-a-l/bitwarden.profile
index 1572ca572..9ed48b02d 100644
--- a/etc/profile-a-l/bitwarden.profile
+++ b/etc/profile-a-l/bitwarden.profile
@@ -6,13 +6,13 @@ include bitwarden.local
 # Persistent global definitions
 include globals.local
 
-# Disabled until someone reported positive feedback
-ignore include whitelist-usr-share-common.inc
-
 ignore noexec /tmp
 
 noblacklist ${HOME}/.config/Bitwarden
 
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
 include disable-shell.inc
 
 mkdir ${HOME}/.config/Bitwarden
diff --git a/etc/profile-a-l/cachy-browser.profile b/etc/profile-a-l/cachy-browser.profile
index 05e1a69f1..6218dbbe8 100644
--- a/etc/profile-a-l/cachy-browser.profile
+++ b/etc/profile-a-l/cachy-browser.profile
@@ -26,9 +26,7 @@ whitelist /usr/share/cachy-browser
 
 # Add the next line to your cachy-browser.local to enable private-bin (Arch Linux).
 #private-bin dbus-launch,dbus-send,cachy-browser,sh
-# Add the next line to your cachy-browser.local to enable private-etc.
-# Note: private-etc must first be enabled in firefox-common.local.
-#private-etc cachy-browser
+private-etc cachy-browser
 
 dbus-user filter
 dbus-user.own org.mozilla.cachybrowser.*
diff --git a/etc/profile-a-l/cliqz.profile b/etc/profile-a-l/cliqz.profile
index d0bf9797e..bded735a9 100644
--- a/etc/profile-a-l/cliqz.profile
+++ b/etc/profile-a-l/cliqz.profile
@@ -17,8 +17,7 @@ whitelist ${HOME}/.cliqz
 whitelist ${HOME}/.config/cliqz
 whitelist /usr/share/cliqz
 
-# private-etc must first be enabled in firefox-common.profile
-#private-etc cliqz
+private-etc cliqz
 
 # Redirect
 include firefox-common.profile
diff --git a/etc/profile-a-l/cyberfox.profile b/etc/profile-a-l/cyberfox.profile
index c7a42e0eb..173c5b4a5 100644
--- a/etc/profile-a-l/cyberfox.profile
+++ b/etc/profile-a-l/cyberfox.profile
@@ -16,8 +16,7 @@ whitelist /usr/share/8pecxstudios
 whitelist /usr/share/cyberfox
 
 #private-bin cyberfox,dbus-launch,dbus-send,env,sh,which
-# private-etc must first be enabled in firefox-common.profile
-#private-etc cyberfox
+private-etc cyberfox
 
 # Redirect
 include firefox-common.profile
diff --git a/etc/profile-a-l/d-feet.profile b/etc/profile-a-l/d-feet.profile
index 75338eb6d..e11134616 100644
--- a/etc/profile-a-l/d-feet.profile
+++ b/etc/profile-a-l/d-feet.profile
@@ -12,45 +12,16 @@ noblacklist ${HOME}/.config/d-feet
 include allow-python2.inc
 include allow-python3.inc
 
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-programs.inc
-include disable-shell.inc
-include disable-xdg.inc
-
 mkdir ${HOME}/.config/d-feet
 whitelist ${HOME}/.config/d-feet
 whitelist /usr/share/d-feet
-include whitelist-common.inc
-include whitelist-runuser-common.inc
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
 
-apparmor
-caps.drop all
-ipc-namespace
-#net none # breaks on Ubuntu
-no3d
-nodvd
-nogroups
-noinput
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix
-seccomp
+# breaks on Ubuntu
+ignore net none
 
-disable-mnt
 private-bin d-feet,python*
-private-cache
-private-dev
-private-etc dbus-1
-private-tmp
 
 #memory-deny-write-execute # breaks on Arch (see issue #1803)
-restrict-namespaces
+
+# Redirect
+include dbus-debug-common.profile
diff --git a/etc/profile-a-l/d-spy.profile b/etc/profile-a-l/d-spy.profile
index 9ff429ecb..2c9ef52cb 100644
--- a/etc/profile-a-l/d-spy.profile
+++ b/etc/profile-a-l/d-spy.profile
@@ -6,43 +6,7 @@ include d-spy.local
 # Persistent global definitions
 include globals.local
 
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-proc.inc
-include disable-programs.inc
-include disable-shell.inc
-include disable-xdg.inc
-
-include whitelist-common.inc
-include whitelist-runuser-common.inc
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
-
-apparmor
-caps.drop all
-ipc-namespace
-net none
-no3d
-nodvd
-nogroups
-noinput
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix
-seccomp
-
-disable-mnt
 private-bin d-spy
-private-cache
-private-dev
-private-etc dbus-1
-private-tmp
 
-read-only ${HOME}
-restrict-namespaces
+# Redirect
+include dbus-debug-common.profile
diff --git a/etc/profile-a-l/dbus-debug-common.profile b/etc/profile-a-l/dbus-debug-common.profile
new file mode 100644
index 000000000..0ef060f3a
--- /dev/null
+++ b/etc/profile-a-l/dbus-debug-common.profile
@@ -0,0 +1,49 @@
+# Firejail profile for dbus-debug-common
+# This file is overwritten after every install/update
+# Persistent local customizations
+include dbus-debug-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+tracelog
+
+disable-mnt
+private-cache
+private-dev
+private-etc dbus-1
+private-tmp
+
+read-only ${HOME}
+restrict-namespaces
diff --git a/etc/profile-a-l/default.profile b/etc/profile-a-l/default.profile
index b0ae2d49f..659d9755e 100644
--- a/etc/profile-a-l/default.profile
+++ b/etc/profile-a-l/default.profile
@@ -37,6 +37,7 @@ noinput
 nonewprivs
 noroot
 #nosound
+#notpm
 notv
 #nou2f
 novideo
diff --git a/etc/profile-a-l/dtui.profile b/etc/profile-a-l/dtui.profile
new file mode 100644
index 000000000..b85ae451b
--- /dev/null
+++ b/etc/profile-a-l/dtui.profile
@@ -0,0 +1,15 @@
+# Firejail profile for dtui
+# Description: TUI D-Bus debugger
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include dtui.local
+# Persistent global definitions
+include globals.local
+
+private-bin dtui
+
+memory-deny-write-execute
+
+# Redirect
+include dbus-debug-common.profile
diff --git a/etc/profile-a-l/element-desktop.profile b/etc/profile-a-l/element-desktop.profile
index 1af2884b6..52a439c48 100644
--- a/etc/profile-a-l/element-desktop.profile
+++ b/etc/profile-a-l/element-desktop.profile
@@ -14,6 +14,7 @@ noblacklist ${HOME}/.config/Element
 mkdir ${HOME}/.config/Element
 whitelist ${HOME}/.config/Element
 whitelist /opt/Element
+whitelist /usr/share/element
 
 dbus-user filter
 dbus-user.talk org.freedesktop.Notifications
diff --git a/etc/profile-a-l/firefox-common-addons.profile b/etc/profile-a-l/firefox-common-addons.profile
index ccc2dc7f6..5e3d0983d 100644
--- a/etc/profile-a-l/firefox-common-addons.profile
+++ b/etc/profile-a-l/firefox-common-addons.profile
@@ -92,8 +92,7 @@ include allow-python3.inc
 #private-bin keepassxc-proxy
 
 # Flash plugin
-# private-etc must first be enabled in firefox-common.profile and in profiles including it.
-#private-etc adobe
+private-etc adobe
 
 # ff2mpv
 #ignore noexec ${HOME}
diff --git a/etc/profile-a-l/icecat.profile b/etc/profile-a-l/icecat.profile
index b0a42fb77..19bda5454 100644
--- a/etc/profile-a-l/icecat.profile
+++ b/etc/profile-a-l/icecat.profile
@@ -14,8 +14,7 @@ whitelist ${HOME}/.cache/mozilla/icecat
 whitelist ${HOME}/.mozilla
 whitelist /usr/share/icecat
 
-# private-etc must first be enabled in firefox-common.profile
-#private-etc icecat
+private-etc icecat
 
 # Redirect
 include firefox-common.profile
diff --git a/etc/profile-a-l/iceweasel.profile b/etc/profile-a-l/iceweasel.profile
index badd2648a..d6a925a77 100644
--- a/etc/profile-a-l/iceweasel.profile
+++ b/etc/profile-a-l/iceweasel.profile
@@ -6,8 +6,7 @@ include iceweasel.local
 # added by included profile
 #include globals.local
 
-# private-etc must first be enabled in firefox-common.profile
-#private-etc iceweasel
+private-etc iceweasel
 
 # Redirect
 include firefox.profile
diff --git a/etc/profile-a-l/librewolf.profile b/etc/profile-a-l/librewolf.profile
index 65a4a3787..8db82d364 100644
--- a/etc/profile-a-l/librewolf.profile
+++ b/etc/profile-a-l/librewolf.profile
@@ -27,9 +27,7 @@ whitelist /usr/share/librewolf
 
 # Add the next line to your librewolf.local to enable private-bin (Arch Linux).
 #private-bin dbus-launch,dbus-send,librewolf,sh
-# Add the next line to your librewolf.local to enable private-etc.
-# Note: private-etc must first be enabled in firefox-common.local.
-#private-etc librewolf
+private-etc librewolf
 
 dbus-user filter
 dbus-user.own io.gitlab.librewolf.*
diff --git a/etc/profile-m-z/okular.profile b/etc/profile-m-z/okular.profile
index 9f4990246..645510124 100644
--- a/etc/profile-m-z/okular.profile
+++ b/etc/profile-m-z/okular.profile
@@ -58,7 +58,7 @@ protocol unix
 seccomp
 tracelog
 
-private-bin kbuildsycoca4,kdeinit4,lpr,okular,unar,unrar
+private-bin kbuildsycoca4,kdeinit4,lpr,okular,ps2pdf,unar,unrar
 private-dev
 private-etc @x11,cups
 # on KDE we need access to the real /tmp for data exchange with email clients
diff --git a/etc/profile-m-z/palemoon.profile b/etc/profile-m-z/palemoon.profile
index 8917a9bc5..8e1a5daf5 100644
--- a/etc/profile-m-z/palemoon.profile
+++ b/etc/profile-m-z/palemoon.profile
@@ -21,8 +21,7 @@ seccomp
 ignore seccomp
 
 #private-bin palemoon
-# private-etc must first be enabled in firefox-common.profile
-#private-etc palemoon
+private-etc palemoon
 
 restrict-namespaces
 ignore restrict-namespaces
diff --git a/etc/profile-m-z/ssh.profile b/etc/profile-m-z/ssh.profile
index 62efa28db..1c4d85ea0 100644
--- a/etc/profile-m-z/ssh.profile
+++ b/etc/profile-m-z/ssh.profile
@@ -19,7 +19,8 @@ include disable-exec.inc
 include disable-programs.inc
 
 whitelist ${RUNUSER}/gcr/ssh
-whitelist ${RUNUSER}/gnupg/S.gpg-agent.ssh
+whitelist ${RUNUSER}/gnupg/S.gpg-agent.ssh # default gpg homedir setup
+whitelist ${RUNUSER}/gnupg/*/S.gpg-agent.ssh # custom gpg homedir setup
 whitelist ${RUNUSER}/keyring/ssh
 include whitelist-usr-share-common.inc
 include whitelist-runuser-common.inc
diff --git a/etc/profile-m-z/sway.profile b/etc/profile-m-z/sway.profile
index f71905150..b7f90f6ad 100644
--- a/etc/profile-m-z/sway.profile
+++ b/etc/profile-m-z/sway.profile
@@ -10,6 +10,10 @@ include globals.local
 noblacklist ${HOME}/.config/sway
 # sway uses ~/.config/i3 as fallback if there is no ~/.config/sway
 noblacklist ${HOME}/.config/i3
+# allow creation of IPC socket
+noblacklist ${RUNUSER}/sway-ipc.*
+noblacklist /tmp/sway-ipc.*
+
 include disable-common.inc
 
 caps.drop all
diff --git a/etc/profile-m-z/waterfox.profile b/etc/profile-m-z/waterfox.profile
index bf6f45e41..cf2fced64 100644
--- a/etc/profile-m-z/waterfox.profile
+++ b/etc/profile-m-z/waterfox.profile
@@ -21,9 +21,7 @@ whitelist /usr/share/waterfox
 # waterfox requires a shell to launch on Arch. We can possibly remove sh though.
 # Add the next line to your waterfox.local to enable private-bin.
 #private-bin bash,dbus-launch,dbus-send,env,sh,waterfox,waterfox-classic,waterfox-current,which
-# Add the next line to your waterfox.local to enable private-etc. Note that private-etc must first be
-# enabled in your firefox-common.local.
-#private-etc waterfox
+private-etc waterfox
 
 # Redirect
 include firefox-common.profile
diff --git a/etc/profile-m-z/zoom.profile b/etc/profile-m-z/zoom.profile
index 306212f85..430934df2 100644
--- a/etc/profile-m-z/zoom.profile
+++ b/etc/profile-m-z/zoom.profile
@@ -19,6 +19,7 @@ ignore dbus-system none
 noblacklist ${HOME}/.config/zoom.conf
 noblacklist ${HOME}/.config/zoomus.conf
 noblacklist ${HOME}/.zoom
+noblacklist ${DOCUMENTS}
 
 nowhitelist ${DOWNLOADS}
 
@@ -26,10 +27,12 @@ mkdir ${HOME}/.cache/zoom
 mkfile ${HOME}/.config/zoom.conf
 mkfile ${HOME}/.config/zoomus.conf
 mkdir ${HOME}/.zoom
+mkdir ${HOME}/Documents/Zoom
 whitelist ${HOME}/.cache/zoom
 whitelist ${HOME}/.config/zoom.conf
 whitelist ${HOME}/.config/zoomus.conf
 whitelist ${HOME}/.zoom
+whitelist ${HOME}/Documents/Zoom
 
 # Disable for now, see https://github.com/netblue30/firejail/issues/3726
 #private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl
diff --git a/etc/templates/profile.template b/etc/templates/profile.template
index 459baf51a..d7c170303 100644
--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -175,6 +175,7 @@ include globals.local
 #noprinters
 #noroot
 #nosound
+#notpm
 #notv
 #nou2f
 #novideo
diff --git a/src/fbuilder/build_profile.c b/src/fbuilder/build_profile.c
index ab6eaf1dd..089dff663 100644
--- a/src/fbuilder/build_profile.c
+++ b/src/fbuilder/build_profile.c
@@ -138,6 +138,7 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
                 fprintf(fp, "#noinput\t# disable input devices\n");
                 fprintf(fp, "nonewprivs\n");
                 fprintf(fp, "noroot\n");
+                fprintf(fp, "#notpm\t# disable TPM devices\n");
                 fprintf(fp, "#notv\t# disable DVB TV devices\n");
                 fprintf(fp, "#nou2f\t# disable U2F devices\n");
                 fprintf(fp, "#novideo\t# disable video capture devices\n");
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 8d0a30521..08170bee6 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -97,10 +97,11 @@ basilisk
 bcompare
 beaker
 bibletime
-bijiben
+#bijiben # webkit2gtk-4.x requires bwrap (see #3647)
 bitcoin-qt
 bitlbee
 bitwarden
+bitwarden-desktop
 bleachbit
 blender
 blender-2.8
@@ -227,6 +228,7 @@ dragon
 drawio
 drill
 dropbox
+dtui
 easystroke
 ebook-convert
 ebook-edit
@@ -824,7 +826,7 @@ soffice
 sol
 sound-juicer
 soundconverter
-spectacle
+#spectacle # may be broken on wayland (see #5127)
 spectral
 spotify
 sqlitebrowser
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 736af018d..8683e0f77 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -368,6 +368,7 @@ extern int arg_noprofile;	// use default.profile if none other found/specified
 extern int arg_memory_deny_write_execute;       // block writable and executable memory
 extern int arg_notv;    // --notv
 extern int arg_nodvd;   // --nodvd
+extern int arg_notpm;   // --notpm
 extern int arg_nou2f;   // --nou2f
 extern int arg_noinput; // --noinput
 extern int arg_deterministic_exit_code; // always exit with first child's exit status
@@ -646,6 +647,7 @@ void fs_dev_disable_3d(void);
 void fs_dev_disable_video(void);
 void fs_dev_disable_tv(void);
 void fs_dev_disable_dvd(void);
+void fs_dev_disable_tpm(void);
 void fs_dev_disable_u2f(void);
 void fs_dev_disable_input(void);
 
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c
index e8e486f12..34a26464a 100644
--- a/src/firejail/fs_dev.c
+++ b/src/firejail/fs_dev.c
@@ -39,6 +39,7 @@ typedef enum {
         DEV_VIDEO,
         DEV_TV,
         DEV_DVD,
+        DEV_TPM,
         DEV_U2F,
         DEV_INPUT
 } DEV_TYPE;
@@ -79,6 +80,12 @@ static DevEntry dev[] = {
         {"/dev/video9", RUN_DEV_DIR "/video9", DEV_VIDEO},
         {"/dev/dvb", RUN_DEV_DIR "/dvb", DEV_TV}, // DVB (Digital Video Broadcasting) - TV device
         {"/dev/sr0", RUN_DEV_DIR "/sr0", DEV_DVD}, // for DVD and audio CD players
+        {"/dev/tpm0", RUN_DEV_DIR "/tpm0", DEV_TPM}, // TPM (Trusted Platform Module) devices
+        {"/dev/tpm1", RUN_DEV_DIR "/tpm1", DEV_TPM},
+        {"/dev/tpm2", RUN_DEV_DIR "/tpm2", DEV_TPM},
+        {"/dev/tpm3", RUN_DEV_DIR "/tpm3", DEV_TPM},
+        {"/dev/tpm4", RUN_DEV_DIR "/tpm4", DEV_TPM},
+        {"/dev/tpm5", RUN_DEV_DIR "/tpm5", DEV_TPM},
         {"/dev/hidraw0", RUN_DEV_DIR "/hidraw0", DEV_U2F},
         {"/dev/hidraw1", RUN_DEV_DIR "/hidraw1", DEV_U2F},
         {"/dev/hidraw2", RUN_DEV_DIR "/hidraw2", DEV_U2F},
@@ -105,6 +112,7 @@ static void deventry_mount(void) {
                             (dev[i].type == DEV_VIDEO && arg_novideo == 0) ||
                             (dev[i].type == DEV_TV && arg_notv == 0) ||
                             (dev[i].type == DEV_DVD && arg_nodvd == 0) ||
+                            (dev[i].type == DEV_TPM && arg_notpm == 0) ||
                             (dev[i].type == DEV_U2F && arg_nou2f == 0) ||
                             (dev[i].type == DEV_INPUT && arg_noinput == 0)) {
 
@@ -384,6 +392,15 @@ void fs_dev_disable_dvd(void) {
         }
 }
 
+void fs_dev_disable_tpm(void) {
+        int i = 0;
+        while (dev[i].dev_fname != NULL) {
+                if (dev[i].type == DEV_TPM)
+                        disable_file_or_dir(dev[i].dev_fname);
+                i++;
+        }
+}
+
 void fs_dev_disable_u2f(void) {
         int i = 0;
         while (dev[i].dev_fname != NULL) {
diff --git a/src/firejail/main.c b/src/firejail/main.c
index acbb4bf38..27ae68eb0 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -155,6 +155,7 @@ int arg_noprofile = 0; // use default.profile if none other found/specified
 int arg_memory_deny_write_execute = 0;          // block writable and executable memory
 int arg_notv = 0;       // --notv
 int arg_nodvd = 0; // --nodvd
+int arg_notpm = 0; // --notpm
 int arg_nou2f = 0; // --nou2f
 int arg_noinput = 0; // --noinput
 int arg_deterministic_exit_code = 0;    // always exit with first child's exit status
@@ -2209,6 +2210,8 @@ int main(int argc, char **argv, char **envp) {
                         arg_notv = 1;
                 else if (strcmp(argv[i], "--nodvd") == 0)
                         arg_nodvd = 1;
+                else if (strcmp(argv[i], "--notpm") == 0)
+                        arg_notpm = 1;
                 else if (strcmp(argv[i], "--nou2f") == 0)
                         arg_nou2f = 1;
                 else if (strcmp(argv[i], "--noinput") == 0)
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 4c6830250..1bb008f5f 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -618,6 +618,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 #endif
                 return 1;
         }
+        else if (strcmp(ptr, "notpm") == 0) {
+                arg_notpm = 1;
+                return 0;
+        }
         else if (strcmp(ptr, "nou2f") == 0) {
                 arg_nou2f = 1;
                 return 0;
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 9e2b10d9c..57c90d489 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -1101,6 +1101,9 @@ int sandbox(void* sandbox_arg) {
         if (arg_nodvd)
                 fs_dev_disable_dvd();
 
+        if (arg_notpm)
+                fs_dev_disable_tpm();
+
         if (arg_nou2f)
                 fs_dev_disable_u2f();
 
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 248b35853..01a7330fd 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -189,8 +189,8 @@ static const char *const usage_str =
         "    --noroot - install a user namespace with only the current user.\n"
 #endif
         "    --nosound - disable sound system.\n"
-        "    --noautopulse - disable automatic ~/.config/pulse init.\n"
         "    --novideo - disable video devices.\n"
+        "    --notpm - disable TPM devices.\n"
         "    --nou2f - disable U2F devices.\n"
         "    --nowhitelist=filename - disable whitelist for file or directory.\n"
         "    --oom=value - configure OutOfMemory killer for the sandbox\n"
diff --git a/src/firemon/procevent.c b/src/firemon/procevent.c
index 430730374..1a6f23919 100644
--- a/src/firemon/procevent.c
+++ b/src/firemon/procevent.c
@@ -396,6 +396,8 @@ static void __attribute__((noreturn)) procevent_monitor(const int sock, pid_t my
                                         sprintf(lineptr, " sid ");
                                         break;
 
+// Note: PROC_EVENT_COREDUMP only exists since Linux 3.10 (see #6414).
+#ifdef PROC_EVENT_COREDUMP
                                 case PROC_EVENT_COREDUMP:
                                         pid = proc_ev->event_data.coredump.process_tgid;
 #ifdef DEBUG_PRCTL
@@ -403,6 +405,7 @@ static void __attribute__((noreturn)) procevent_monitor(const int sock, pid_t my
 #endif
                                         sprintf(lineptr, " coredump ");
                                         break;
+#endif /* PROC_EVENT_COREDUMP */
 
                                 case PROC_EVENT_COMM:
                                         pid = proc_ev->event_data.comm.process_tgid;
diff --git a/src/fshaper/fshaper.sh b/src/fshaper/fshaper.sh
index cd2bf79bf..16a2485bf 100755
--- a/src/fshaper/fshaper.sh
+++ b/src/fshaper/fshaper.sh
@@ -3,13 +3,9 @@
 # Copyright (C) 2014-2024 Firejail Authors
 # License GPL v2
 
-TCFILE=""
-if [ -x "/usr/sbin/tc" ]; then
-        TCFILE="/usr/sbin/tc"
-elif [ -x "/sbin/tc" ]; then
-        TCFILE="/sbin/tc";
-else
-        echo "Error: traffic control utility (tc) not found";
+TCFILE="$(PATH=/usr/sbin:/sbin:/run/current-system/sw/bin command -v tc)"
+if [ -z "$TCFILE" ]; then
+        echo "Error: traffic control utility (tc) not found"
         exit 1
 fi
 
diff --git a/src/man/firejail-profile.5.in b/src/man/firejail-profile.5.in
index 8c039eb46..89784a984 100644
--- a/src/man/firejail-profile.5.in
+++ b/src/man/firejail-profile.5.in
@@ -382,9 +382,11 @@ Set working directory inside jail to the home directory, and failing that, the r
 Set working directory inside the jail. Full directory path is required. Symbolic links are not allowed.
 .TP
 \fBprivate-dev
-Create a new /dev directory. Only disc, dri, dvb, hidraw, null, full, zero, tty, pts, ptmx,
-random, snd, urandom, video, log, shm and usb devices are available.
-Use the options no3d, nodvd, nosound, notv, nou2f and novideo for additional restrictions.
+Create a new /dev directory.
+Only disc, dri, dvb, full, hidraw, log, null, ptmx, pts, random, shm, snd, tpm,
+tty, urandom, usb, video and zero devices are available.
+Use the options no3d, nodvd, nosound, notpm, notv, nou2f and novideo for
+additional restrictions.
 
 .TP
 \fBprivate-etc file,directory
@@ -817,6 +819,9 @@ Disable input devices.
 \fBnosound
 Disable sound system.
 .TP
+\fBnotpm
+Disable Trusted Platform Module (TPM) devices.
+.TP
 \fBnotv
 Disable DVB (Digital Video Broadcasting) TV devices.
 .TP
diff --git a/src/man/firejail.1.in b/src/man/firejail.1.in
index fa2329d67..4edb0902e 100644
--- a/src/man/firejail.1.in
+++ b/src/man/firejail.1.in
@@ -207,7 +207,7 @@ $ firejail \-\-blacklist=/sbin \-\-blacklist=/usr/sbin
 .br
 $ firejail \-\-blacklist=~/.mozilla
 .br
-$ firejail "\-\-blacklist=/home/username/My Virtual Machines"
+$ firejail \-\-blacklist="/home/username/My Virtual Machines"
 .br
 $ firejail \-\-blacklist=/home/username/My\\ Virtual\\ Machines
 .TP
@@ -1919,6 +1919,16 @@ Example:
 $ firejail \-\-nosound firefox
 
 .TP
+\fB\-\-notpm
+Disable Trusted Platform Module (TPM) devices.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-notpm
+
+.TP
 \fB\-\-notv
 Disable DVB (Digital Video Broadcasting) TV devices.
 .br
@@ -2108,7 +2118,7 @@ File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
 .br
 Example:
 .br
-$ firejail \-\-private-bin=bash,sed,ls,cat
+$ firejail \-\-private-bin=bash,cat,ls,sed
 .br
 Parent pid 20841, child pid 20842
 .br
@@ -2172,8 +2182,11 @@ $ pwd
 
 .TP
 \fB\-\-private-dev
-Create a new /dev directory. Only disc, dri, dvb, hidraw, null, full, zero, tty, pts, ptmx, random, snd, urandom, video, log, shm and usb devices are available.
-Use the options --no3d, --nodvd, --nosound, --notv, --nou2f and --novideo for additional restrictions.
+Create a new /dev directory.
+Only disc, dri, dvb, full, hidraw, log, null, ptmx, pts, random, shm, snd, tpm,
+tty, urandom, usb, video and zero devices are available.
+Use the options \-\-no3d, \-\-nodvd, \-\-nosound, \-\-notpm, \-\-notv,
+\-\-nou2f and \-\-novideo for additional restrictions.
 .br
 
 .br
@@ -2191,7 +2204,7 @@ cdrom  cdrw  dri  dvd  dvdrw  full  log  null  ptmx  pts  random  shm  snd  sr0
 .br
 $
 .TP
-\fB\-\-private-etc, \-\-private-etc=file,directory,@group
+\fB\-\-private-etc, \-\-private-etc=@group,file,directory
 The files installed by \-\-private-etc are copies of the original system files from /etc directory.
 By default, the command brings in a skeleton of files and directories used by most console tools:
 
@@ -3130,7 +3143,9 @@ $ firejail \-\-noprofile \-\-whitelist=~/.mozilla
 .br
 $ firejail \-\-whitelist=/tmp/.X11-unix \-\-whitelist=/dev/null
 .br
-$ firejail "\-\-whitelist=/home/username/My Virtual Machines"
+$ firejail \-\-whitelist="/home/username/My Virtual Machines"
+.br
+$ firejail \-\-whitelist=/home/username/My\\ Virtual\\ Machines
 .br
 $ firejail \-\-whitelist=~/work* \-\-whitelist=/var/backups*
 
diff --git a/src/man/mkman.sh b/src/man/mkman.sh
index 00c4ffe72..d854b6537 100755
--- a/src/man/mkman.sh
+++ b/src/man/mkman.sh
@@ -5,8 +5,15 @@
 
 set -e
 
-MONTH="$(LC_ALL=C date -u --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}" +%b)"
-YEAR="$(LC_ALL=C date -u --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}" +%Y)"
+test -z "$SOURCE_DATE_EPOCH" && SOURCE_DATE_EPOCH="$(date +%s)"
+
+format='+%b %Y'
+date="$(LC_ALL=C date -u -d "@$SOURCE_DATE_EPOCH" "$format" 2>/dev/null ||
+        LC_ALL=C date -u -r "$SOURCE_DATE_EPOCH" "$format" 2>/dev/null ||
+        LC_ALL=C date -u "$format")"
+
+MONTH="$(printf '%s\n' "$date" | cut -f 1 -d ' ')"
+YEAR="$(printf '%s\n' "$date" | cut -f 2 -d ' ')"
 
 sed \
   -e "s/VERSION/$1/g" \
diff --git a/src/zsh_completion/_firejail.in b/src/zsh_completion/_firejail.in
index 15e9a5111..ecfe2ffdf 100644
--- a/src/zsh_completion/_firejail.in
+++ b/src/zsh_completion/_firejail.in
@@ -124,7 +124,6 @@ _firejail_args=(
     # many would enjoy getting a list from -20..20
     '--nice=-[set nice value]: :(1 10 15 20)'
     '--no3d[disable 3D hardware acceleration]'
-    '--noautopulse[disable automatic ~/.config/pulse init]'
     '--noblacklist=-[disable blacklist for file or directory]: :_files'
     '--nodbus[disable D-Bus access]'
     '--nodvd[disable DVD and audio CD devices]'
@@ -134,6 +133,7 @@ _firejail_args=(
     '--nonewprivs[sets the NO_NEW_PRIVS prctl]'
     '--noprinters[disable printers]'
     '--nosound[disable sound system]'
+    '--notpm[disable TPM devices]'
     '--nou2f[disable U2F devices]'
     '--novideo[disable video devices]'
     '--private[temporary home directory]'