43 files changed, 405 insertions, 293 deletions

diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
index 37056a1ce..ec1b4a10f 100644
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -47,10 +47,11 @@ _Any other detail that may help to understand/debug the problem_
 
 ### Environment
 
-- Linux distribution and version (e.g. "Ubuntu 20.04" or "Arch Linux")
-- Firejail version (`firejail --version`).
+- Name/version/arch of the Linux kernel (`uname -srm`):
+- Name/version of the Linux distribution (e.g. "Ubuntu 20.04" or "Arch Linux"):
+- Version of Firejail (`firejail --version`):
 - If you use a development version of firejail, also the commit from which it
-  was compiled (`git rev-parse HEAD`).
+  was compiled (`git rev-parse HEAD`):
 
 ### Checklist
 
diff --git a/.github/ISSUE_TEMPLATE/build_issue.md b/.github/ISSUE_TEMPLATE/build_issue.md
new file mode 100644
index 000000000..e9a0b2410
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/build_issue.md
@@ -0,0 +1,73 @@
+---
+name: Build issue
+about: There is an issue when trying to build the project from source
+title: 'build: '
+labels: ''
+assignees: ''
+
+---
+
+<!--
+See the following links for help with formatting:
+
+https://guides.github.com/features/mastering-markdown/
+https://docs.github.com/en/github/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax
+-->
+
+### Description
+
+_Describe the bug_
+
+### Steps to Reproduce
+
+<!--
+Note: If the output is too long to embed it into the comment, you can post it
+in a gist at <https://gist.github.com/> and link it here or upload the build
+log as a file.
+
+Note: Make sure to include the exact command-line used for all commands and to
+include the full output of ./configure.
+
+Feel free to include only the errors in the make output if they are
+self-explanatory (for example, with `make >/dev/null`).
+-->
+
+_Post the commands used to reproduce the issue and their output_
+
+Example:
+
+```console
+$ ./configure --prefix=/usr --enable-apparmor
+checking for gcc... gcc
+checking whether the C compiler works... yes
+[...]
+$ make
+make -C src/lib
+gcc [...]
+[...]
+```
+
+_If ./configure fails, include the output of config.log_
+
+Example:
+
+```console
+$ cat config.log
+This file contains any messages produced by compilers while
+running configure, to aid debugging if configure makes a mistake.
+[...]
+```
+
+### Additional context
+
+_(Optional) Any other detail that may help to understand/debug the problem_
+
+### Environment
+
+- Name/version/arch of the Linux kernel (`uname -srm`):
+- Name/version of the Linux distribution (e.g. "Ubuntu 20.04" or "Arch Linux"):
+- Name/version of the C compiler (e.g. "gcc 14.1.1-1"):
+- Name/version of the libc (e.g. "glibc 2.40-1"):
+- Name/version of the Linux API headers (e.g. "linux-api-headers 6.10-1" on
+  Arch Linux):
+- Version of the source code being built (`git rev-parse HEAD`):
diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md
index ce1b70e39..08a5678e2 100644
--- a/.github/ISSUE_TEMPLATE/feature_request.md
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -22,3 +22,11 @@ _A clear and concise description of any alternative solutions or features you've
 ### Additional context
 
 _Add any other context or screenshots about the feature request here._
+
+### Environment
+
+- Name/version/arch of the Linux kernel (`uname -srm`):
+- Name/version of the Linux distribution (e.g. "Ubuntu 20.04" or "Arch Linux"):
+- Version of Firejail (`firejail --version`):
+- If you use a development version of firejail, also the commit from which it:
+  was compiled (`git rev-parse HEAD`):
diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml
index 775a3c947..8ad73bb45 100644
--- a/.github/workflows/build-extra.yml
+++ b/.github/workflows/build-extra.yml
@@ -44,7 +44,7 @@ jobs:
     timeout-minutes: 10
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c
+      uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
       with:
         egress-policy: block
         allowed-endpoints: >
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 0c1317ed8..e8bfd0c16 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -60,7 +60,7 @@ jobs:
     timeout-minutes: 10
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c
+      uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
       with:
         egress-policy: block
         allowed-endpoints: >
diff --git a/.github/workflows/check-c.yml b/.github/workflows/check-c.yml
index d3c9a8abf..1b35f684f 100644
--- a/.github/workflows/check-c.yml
+++ b/.github/workflows/check-c.yml
@@ -46,7 +46,7 @@ jobs:
     timeout-minutes: 10
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c
+      uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
       with:
         egress-policy: block
         allowed-endpoints: >
@@ -79,7 +79,7 @@ jobs:
     timeout-minutes: 10
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c
+      uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
       with:
         egress-policy: block
         allowed-endpoints: >
@@ -109,7 +109,7 @@ jobs:
     timeout-minutes: 10
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c
+      uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
       with:
         egress-policy: block
         allowed-endpoints: >
@@ -143,7 +143,7 @@ jobs:
 
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c
+      uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
       with:
         disable-sudo: true
         egress-policy: block
@@ -161,7 +161,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a
+      uses: github/codeql-action/init@4dd16135b69a43b6c8efb853346f8437d92d3c93
       with:
         languages: cpp
 
@@ -172,4 +172,4 @@ jobs:
       run: make -j "$(nproc)"
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a
+      uses: github/codeql-action/analyze@4dd16135b69a43b6c8efb853346f8437d92d3c93
diff --git a/.github/workflows/check-profiles.yml b/.github/workflows/check-profiles.yml
index 040d3ab1c..cb9d9ce87 100644
--- a/.github/workflows/check-profiles.yml
+++ b/.github/workflows/check-profiles.yml
@@ -33,7 +33,7 @@ jobs:
 
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c
+      uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
       with:
         disable-sudo: true
         egress-policy: block
diff --git a/.github/workflows/check-python.yml b/.github/workflows/check-python.yml
index 3d233bc02..ed317a86f 100644
--- a/.github/workflows/check-python.yml
+++ b/.github/workflows/check-python.yml
@@ -31,7 +31,7 @@ jobs:
 
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c
+      uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
       with:
         disable-sudo: true
         egress-policy: block
@@ -51,9 +51,9 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a
+      uses: github/codeql-action/init@4dd16135b69a43b6c8efb853346f8437d92d3c93
       with:
         languages: python
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a
+      uses: github/codeql-action/analyze@4dd16135b69a43b6c8efb853346f8437d92d3c93
diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml
index 1bf714d65..27c6ab125 100644
--- a/.github/workflows/codespell.yml
+++ b/.github/workflows/codespell.yml
@@ -24,7 +24,7 @@ jobs:
     timeout-minutes: 5
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c
+      uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
       with:
         egress-policy: block
         allowed-endpoints: >
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 0cc1eea3e..92eb212e4 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -54,7 +54,7 @@ jobs:
       SHELL: /bin/bash
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c
+      uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
       with:
         egress-policy: block
         allowed-endpoints: >
@@ -103,7 +103,7 @@ jobs:
       SHELL: /bin/bash
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c
+      uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
       with:
         egress-policy: block
         allowed-endpoints: >
@@ -143,7 +143,7 @@ jobs:
       SHELL: /bin/bash
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c
+      uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
       with:
         egress-policy: block
         allowed-endpoints: >
@@ -183,7 +183,7 @@ jobs:
       SHELL: /bin/bash
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c
+      uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
       with:
         egress-policy: block
         allowed-endpoints: >
@@ -225,7 +225,7 @@ jobs:
       SHELL: /bin/bash
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c
+      uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
       with:
         egress-policy: block
         allowed-endpoints: >
diff --git a/RELNOTES b/RELNOTES
index 3181f79c5..4965ae392 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -19,13 +19,13 @@ firejail (0.9.73) baseline; urgency=low
   * feature: add support for comm, coredump, and prctl procevents in firemon
     (#6414 #6415)
   * feature: add notpm command & keep tpm devices in private-dev (#6379 #6390)
+  * feature: fshaper.sh: support tc on NixOS (#6426 #6431)
   * modif: Stop forwarding own double-dash to the shell (#5599 #5600)
   * modif: Prevent sandbox name (--name=) and host name (--hostname=)
     from containing only digits (#5578 #5741)
   * modif: Escape control characters of the command line (#5613)
   * modif: Allow mostly only ASCII letters and digits for sandbox name
     (--name=) and host name (--hostname=) (#5708 #5856)
-  * modif: remove firemon --interface option (duplicating --net.print option)
   * modif: make private-lib a configure-time option, disabled by default (see
     --enable-private-lib) (#5727 #5732)
   * modif: Improve --version/--help & print version on startup (#5829 #6172)
@@ -35,7 +35,9 @@ firejail (0.9.73) baseline; urgency=low
   * modif: fcopy: Use lstat when copying directory (#5957)
   * modif: private-dev: keep /dev/kfd unless no3d is used (#6380)
   * modif: keep /sys/module/nvidia* if prop driver and no no3d (#6372 #6387)
-  * removal: LTS and FIRETUNNEL support
+  * removal: firemon: remove --interface option (it duplicates the firejail
+    --net.print= option) (0e48f9933)
+  * removal: remove support for LTS and firetunnel (db09546f2)
   * bugfix: fix --hostname and --hosts-file commands
   * bugfix: fix examples in firejail-local AppArmor profile (#5717)
   * bugfix: arp.c: ensure positive timeout on select(2) (#5806)
@@ -57,8 +59,7 @@ firejail (0.9.73) baseline; urgency=low
   * build: disable all built-in implicit make rules (#5864)
   * build: organize and standardize make vars and targets (#5866)
   * build: fix seccomp filters and man pages always being rebuilt when running
-    make
-  * build: simplify code related to man pages (#5898)
+    make (#5156 #5898)
   * build: fix hardcoded make & remove unnecessary distclean targets (#5911)
   * build: dist and asc improvements (#5916)
   * build: fix some shellcheck issues & use config.sh in more scripts (#5927)
@@ -112,6 +113,12 @@ firejail (0.9.73) baseline; urgency=low
     #6359)
   * docs: bug_report.md: use absolute path in 'steps to reproduce' (#6382)
   * docs: man: format and sort some private- items (#6398)
+  * docs: man: improve blacklist/whitelist examples with spaces (#6425)
+  * docs: add build_issue.md issue template (#6423)
+  * docs: man: sort commands (firejail.1) (#6451)
+  * docs: man: fix bold in command TPs (#6472)
+  * docs: man: fix wrong escapes (#6474)
+  * docs: github: streamline environment in issue templates (#6471)
   * legal: selinux.c: Split Copyright notice & use same license as upstream
     (#5667)
   * profiles: qutebrowser: fix links not opening in the existing instance
@@ -138,6 +145,7 @@ firejail (0.9.73) baseline; urgency=low
   * profiles: allow-ssh: allow /etc/ssh/ssh_revoked_hosts (#6308 #6309)
   * profiles: libreoffice: support signing documents with GPG (#6352 #6353)
   * profiles: blacklist i3 IPC socket & dir except for i3 itself (#6361)
+  * profiles: librewolf: add new dbus name (io.gitlab.firefox) (#6413 #6473)
   * new profiles: fix-qdf, qpdf, zlib-flate, standard-notes, url-eater
  -- netblue30 <netblue30@yahoo.com>  Mon, 17 Jan 2023 09:00:00 -0500
 
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 49ca3836f..371680b7b 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -728,6 +728,7 @@ blacklist ${HOME}/.dillo
 blacklist ${HOME}/.dooble
 blacklist ${HOME}/.dosbox
 blacklist ${HOME}/.dropbox*
+blacklist ${HOME}/.dvdcss
 blacklist ${HOME}/.easystroke
 blacklist ${HOME}/.electron-cache
 blacklist ${HOME}/.electron-cash
@@ -1261,6 +1262,7 @@ blacklist ${RUNUSER}/qutebrowser
 blacklist /etc/ssmtp
 blacklist /tmp/.wine-*
 blacklist /tmp/akonadi-*
+blacklist /tmp/evolution-*
 blacklist /tmp/i3-*
 blacklist /tmp/lwjgl_*
 blacklist /var/games/nethack
diff --git a/etc/profile-a-l/abrowser.profile b/etc/profile-a-l/abrowser.profile
index 8b70756ba..6217af780 100644
--- a/etc/profile-a-l/abrowser.profile
+++ b/etc/profile-a-l/abrowser.profile
@@ -14,8 +14,7 @@ whitelist ${HOME}/.cache/mozilla/abrowser
 whitelist ${HOME}/.mozilla
 whitelist /usr/share/abrowser
 
-# private-etc must first be enabled in firefox-common.profile
-#private-etc abrowser
+private-etc abrowser
 
 # Redirect
 include firefox-common.profile
diff --git a/etc/profile-a-l/basilisk.profile b/etc/profile-a-l/basilisk.profile
index 7d2fe143c..f5595274e 100644
--- a/etc/profile-a-l/basilisk.profile
+++ b/etc/profile-a-l/basilisk.profile
@@ -19,8 +19,7 @@ seccomp
 ignore seccomp
 
 #private-bin basilisk
-# private-etc must first be enabled in firefox-common.profile
-#private-etc basilisk
+private-etc basilisk
 #private-opt basilisk
 
 restrict-namespaces
diff --git a/etc/profile-a-l/bitwarden-desktop.profile b/etc/profile-a-l/bitwarden-desktop.profile
new file mode 100644
index 000000000..4c1994c50
--- /dev/null
+++ b/etc/profile-a-l/bitwarden-desktop.profile
@@ -0,0 +1,11 @@
+# Firejail profile for bitwarden-desktop
+# Description: A secure and free password manager for all of your devices
+# This file is overwritten after every install/update.
+# Persistent local customisations
+include bitwarden-desktop.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include bitwarden.profile
diff --git a/etc/profile-a-l/bitwarden.profile b/etc/profile-a-l/bitwarden.profile
index 1572ca572..9ed48b02d 100644
--- a/etc/profile-a-l/bitwarden.profile
+++ b/etc/profile-a-l/bitwarden.profile
@@ -6,13 +6,13 @@ include bitwarden.local
 # Persistent global definitions
 include globals.local
 
-# Disabled until someone reported positive feedback
-ignore include whitelist-usr-share-common.inc
-
 ignore noexec /tmp
 
 noblacklist ${HOME}/.config/Bitwarden
 
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
 include disable-shell.inc
 
 mkdir ${HOME}/.config/Bitwarden
diff --git a/etc/profile-a-l/cachy-browser.profile b/etc/profile-a-l/cachy-browser.profile
index 05e1a69f1..6218dbbe8 100644
--- a/etc/profile-a-l/cachy-browser.profile
+++ b/etc/profile-a-l/cachy-browser.profile
@@ -26,9 +26,7 @@ whitelist /usr/share/cachy-browser
 
 # Add the next line to your cachy-browser.local to enable private-bin (Arch Linux).
 #private-bin dbus-launch,dbus-send,cachy-browser,sh
-# Add the next line to your cachy-browser.local to enable private-etc.
-# Note: private-etc must first be enabled in firefox-common.local.
-#private-etc cachy-browser
+private-etc cachy-browser
 
 dbus-user filter
 dbus-user.own org.mozilla.cachybrowser.*
diff --git a/etc/profile-a-l/cliqz.profile b/etc/profile-a-l/cliqz.profile
index d0bf9797e..bded735a9 100644
--- a/etc/profile-a-l/cliqz.profile
+++ b/etc/profile-a-l/cliqz.profile
@@ -17,8 +17,7 @@ whitelist ${HOME}/.cliqz
 whitelist ${HOME}/.config/cliqz
 whitelist /usr/share/cliqz
 
-# private-etc must first be enabled in firefox-common.profile
-#private-etc cliqz
+private-etc cliqz
 
 # Redirect
 include firefox-common.profile
diff --git a/etc/profile-a-l/cyberfox.profile b/etc/profile-a-l/cyberfox.profile
index c7a42e0eb..173c5b4a5 100644
--- a/etc/profile-a-l/cyberfox.profile
+++ b/etc/profile-a-l/cyberfox.profile
@@ -16,8 +16,7 @@ whitelist /usr/share/8pecxstudios
 whitelist /usr/share/cyberfox
 
 #private-bin cyberfox,dbus-launch,dbus-send,env,sh,which
-# private-etc must first be enabled in firefox-common.profile
-#private-etc cyberfox
+private-etc cyberfox
 
 # Redirect
 include firefox-common.profile
diff --git a/etc/profile-a-l/evolution.profile b/etc/profile-a-l/evolution.profile
index 517bb6206..e703938eb 100644
--- a/etc/profile-a-l/evolution.profile
+++ b/etc/profile-a-l/evolution.profile
@@ -6,6 +6,7 @@ include evolution.local
 # Persistent global definitions
 include globals.local
 
+noblacklist /tmp/evolution-*
 noblacklist /var/mail
 noblacklist /var/spool/mail
 noblacklist ${HOME}/.bogofilter
@@ -41,7 +42,7 @@ protocol unix,inet,inet6
 seccomp
 
 private-dev
-private-tmp
+#private-tmp
 writable-var
 
 restrict-namespaces
diff --git a/etc/profile-a-l/ffmpeg.profile b/etc/profile-a-l/ffmpeg.profile
index af9d556db..895a7dbfb 100644
--- a/etc/profile-a-l/ffmpeg.profile
+++ b/etc/profile-a-l/ffmpeg.profile
@@ -9,6 +9,7 @@ include globals.local
 
 noblacklist ${MUSIC}
 noblacklist ${VIDEOS}
+noblacklist ${HOME}/.dvdcss
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/firefox-common-addons.profile b/etc/profile-a-l/firefox-common-addons.profile
index ccc2dc7f6..5e3d0983d 100644
--- a/etc/profile-a-l/firefox-common-addons.profile
+++ b/etc/profile-a-l/firefox-common-addons.profile
@@ -92,8 +92,7 @@ include allow-python3.inc
 #private-bin keepassxc-proxy
 
 # Flash plugin
-# private-etc must first be enabled in firefox-common.profile and in profiles including it.
-#private-etc adobe
+private-etc adobe
 
 # ff2mpv
 #ignore noexec ${HOME}
diff --git a/etc/profile-a-l/handbrake.profile b/etc/profile-a-l/handbrake.profile
index e0ef23cce..0853a8d77 100644
--- a/etc/profile-a-l/handbrake.profile
+++ b/etc/profile-a-l/handbrake.profile
@@ -7,6 +7,7 @@ include handbrake.local
 include globals.local
 
 noblacklist ${HOME}/.config/ghb
+noblacklist ${HOME}/.dvdcss
 noblacklist ${MUSIC}
 noblacklist ${VIDEOS}
 
diff --git a/etc/profile-a-l/icecat.profile b/etc/profile-a-l/icecat.profile
index b0a42fb77..19bda5454 100644
--- a/etc/profile-a-l/icecat.profile
+++ b/etc/profile-a-l/icecat.profile
@@ -14,8 +14,7 @@ whitelist ${HOME}/.cache/mozilla/icecat
 whitelist ${HOME}/.mozilla
 whitelist /usr/share/icecat
 
-# private-etc must first be enabled in firefox-common.profile
-#private-etc icecat
+private-etc icecat
 
 # Redirect
 include firefox-common.profile
diff --git a/etc/profile-a-l/iceweasel.profile b/etc/profile-a-l/iceweasel.profile
index badd2648a..d6a925a77 100644
--- a/etc/profile-a-l/iceweasel.profile
+++ b/etc/profile-a-l/iceweasel.profile
@@ -6,8 +6,7 @@ include iceweasel.local
 # added by included profile
 #include globals.local
 
-# private-etc must first be enabled in firefox-common.profile
-#private-etc iceweasel
+private-etc iceweasel
 
 # Redirect
 include firefox.profile
diff --git a/etc/profile-a-l/librewolf.profile b/etc/profile-a-l/librewolf.profile
index 65a4a3787..650048807 100644
--- a/etc/profile-a-l/librewolf.profile
+++ b/etc/profile-a-l/librewolf.profile
@@ -27,11 +27,10 @@ whitelist /usr/share/librewolf
 
 # Add the next line to your librewolf.local to enable private-bin (Arch Linux).
 #private-bin dbus-launch,dbus-send,librewolf,sh
-# Add the next line to your librewolf.local to enable private-etc.
-# Note: private-etc must first be enabled in firefox-common.local.
-#private-etc librewolf
+private-etc librewolf
 
 dbus-user filter
+dbus-user.own io.gitlab.firefox.*
 dbus-user.own io.gitlab.librewolf.*
 dbus-user.own org.mozilla.librewolf.*
 # Add the next line to your librewolf.local to enable native notifications.
diff --git a/etc/profile-m-z/QOwnNotes.profile b/etc/profile-m-z/QOwnNotes.profile
index e7dba9cd5..023071f68 100644
--- a/etc/profile-m-z/QOwnNotes.profile
+++ b/etc/profile-m-z/QOwnNotes.profile
@@ -7,9 +7,10 @@ include QOwnNotes.local
 include globals.local
 
 noblacklist ${DOCUMENTS}
-noblacklist ${HOME}/Nextcloud/Notes
 noblacklist ${HOME}/.config/PBE
 noblacklist ${HOME}/.local/share/PBE
+noblacklist ${HOME}/Nextcloud
+noblacklist ${HOME}/Nextcloud/Notes
 
 include disable-common.inc
 include disable-devel.inc
@@ -19,13 +20,13 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-mkdir ${HOME}/Nextcloud/Notes
 mkdir ${HOME}/.config/PBE
 mkdir ${HOME}/.local/share/PBE
+mkdir ${HOME}/Nextcloud/Notes
 whitelist ${DOCUMENTS}
-whitelist ${HOME}/Nextcloud/Notes
 whitelist ${HOME}/.config/PBE
 whitelist ${HOME}/.local/share/PBE
+whitelist ${HOME}/Nextcloud/Notes
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/mplayer.profile b/etc/profile-m-z/mplayer.profile
index bdb9fa51d..c4f989a77 100644
--- a/etc/profile-m-z/mplayer.profile
+++ b/etc/profile-m-z/mplayer.profile
@@ -6,6 +6,7 @@ include mplayer.local
 # Persistent global definitions
 include globals.local
 
+noblacklist ${HOME}/.dvdcss
 noblacklist ${HOME}/.mplayer
 
 include disable-common.inc
@@ -16,6 +17,7 @@ include disable-programs.inc
 
 read-only ${DESKTOP}
 mkdir ${HOME}/.mplayer
+whitelist ${HOME}/.dvdcss
 whitelist ${HOME}/.mplayer
 include whitelist-common.inc
 include whitelist-player-common.inc
diff --git a/etc/profile-m-z/mpv.profile b/etc/profile-m-z/mpv.profile
index b85002b00..1d03e894c 100644
--- a/etc/profile-m-z/mpv.profile
+++ b/etc/profile-m-z/mpv.profile
@@ -29,6 +29,7 @@ noblacklist ${HOME}/.config/mpv
 noblacklist ${HOME}/.config/youtube-dl
 noblacklist ${HOME}/.config/yt-dlp
 noblacklist ${HOME}/.config/yt-dlp.conf
+noblacklist ${HOME}/.dvdcss
 noblacklist ${HOME}/.local/state/mpv
 noblacklist ${HOME}/.netrc
 noblacklist ${HOME}/yt-dlp.conf
@@ -60,6 +61,7 @@ whitelist ${HOME}/.config/mpv
 whitelist ${HOME}/.config/youtube-dl
 whitelist ${HOME}/.config/yt-dlp
 whitelist ${HOME}/.config/yt-dlp.conf
+whitelist ${HOME}/.dvdcss
 whitelist ${HOME}/.local/state/mpv
 whitelist ${HOME}/.netrc
 whitelist ${HOME}/yt-dlp.conf
diff --git a/etc/profile-m-z/nextcloud.profile b/etc/profile-m-z/nextcloud.profile
index 960c494db..b6453f6a9 100644
--- a/etc/profile-m-z/nextcloud.profile
+++ b/etc/profile-m-z/nextcloud.profile
@@ -6,9 +6,10 @@ include nextcloud.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/Nextcloud
 noblacklist ${HOME}/.config/Nextcloud
 noblacklist ${HOME}/.local/share/Nextcloud
+noblacklist ${HOME}/Nextcloud
+noblacklist ${HOME}/Nextcloud/Notes
 # Add the next lines to your nextcloud.local to allow sync in more directories.
 #noblacklist ${DOCUMENTS}
 #noblacklist ${MUSIC}
@@ -23,12 +24,12 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-mkdir ${HOME}/Nextcloud
 mkdir ${HOME}/.config/Nextcloud
 mkdir ${HOME}/.local/share/Nextcloud
-whitelist ${HOME}/Nextcloud
+mkdir ${HOME}/Nextcloud
 whitelist ${HOME}/.config/Nextcloud
 whitelist ${HOME}/.local/share/Nextcloud
+whitelist ${HOME}/Nextcloud
 whitelist /usr/share/nextcloud
 # Add the next lines to your nextcloud.local to allow sync in more directories.
 #whitelist ${DOCUMENTS}
@@ -61,15 +62,15 @@ tracelog
 disable-mnt
 private-bin nextcloud,nextcloud-desktop
 private-cache
-private-etc @tls-ca,@x11,Nextcloud,host.conf,os-release
 private-dev
+private-etc @tls-ca,@x11,Nextcloud,host.conf,os-release
 private-tmp
 
 # IMPORTANT: create ~/.local/share/dbus-1/services/com.nextcloudgmbh.Nextcloud.service
 # referencing the firejailed /usr/local/bin/nextcloud to keep nextcloud running sandboxed
 # even when its dbus name gets activated
 # see https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions#how-do-i-sandbox-applications-started-via-systemd-or-d-bus-services
-dbus-user filter 
+dbus-user filter
 dbus-user.own com.nextcloudgmbh.Nextcloud
 dbus-user.talk org.freedesktop.secrets
 ?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
diff --git a/etc/profile-m-z/palemoon.profile b/etc/profile-m-z/palemoon.profile
index 8917a9bc5..8e1a5daf5 100644
--- a/etc/profile-m-z/palemoon.profile
+++ b/etc/profile-m-z/palemoon.profile
@@ -21,8 +21,7 @@ seccomp
 ignore seccomp
 
 #private-bin palemoon
-# private-etc must first be enabled in firefox-common.profile
-#private-etc palemoon
+private-etc palemoon
 
 restrict-namespaces
 ignore restrict-namespaces
diff --git a/etc/profile-m-z/smplayer.profile b/etc/profile-m-z/smplayer.profile
index ece191b73..d2e872c5c 100644
--- a/etc/profile-m-z/smplayer.profile
+++ b/etc/profile-m-z/smplayer.profile
@@ -8,6 +8,7 @@ include globals.local
 
 noblacklist ${HOME}/.config/smplayer
 noblacklist ${HOME}/.config/youtube-dl
+noblacklist ${HOME}/.dvdcss
 noblacklist ${HOME}/.mplayer
 
 # Allow lua (blacklisted by disable-interpreters.inc)
diff --git a/etc/profile-m-z/ssh.profile b/etc/profile-m-z/ssh.profile
index 62efa28db..018e05230 100644
--- a/etc/profile-m-z/ssh.profile
+++ b/etc/profile-m-z/ssh.profile
@@ -19,10 +19,11 @@ include disable-exec.inc
 include disable-programs.inc
 
 whitelist ${RUNUSER}/gcr/ssh
-whitelist ${RUNUSER}/gnupg/S.gpg-agent.ssh
+whitelist ${RUNUSER}/gnupg/*/S.gpg-agent.ssh # custom gpg homedir setup
+whitelist ${RUNUSER}/gnupg/S.gpg-agent.ssh # default gpg homedir setup
 whitelist ${RUNUSER}/keyring/ssh
-include whitelist-usr-share-common.inc
 include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 
 apparmor
 caps.drop all
diff --git a/etc/profile-m-z/totem.profile b/etc/profile-m-z/totem.profile
index 73d3b0b6f..4d5f4a1f0 100644
--- a/etc/profile-m-z/totem.profile
+++ b/etc/profile-m-z/totem.profile
@@ -14,6 +14,7 @@ include allow-lua.inc
 include allow-python3.inc
 
 noblacklist ${HOME}/.config/totem
+noblacklist ${HOME}/.dvdcss
 noblacklist ${HOME}/.local/share/totem
 
 include disable-common.inc
@@ -27,6 +28,7 @@ read-only ${DESKTOP}
 mkdir ${HOME}/.config/totem
 mkdir ${HOME}/.local/share/totem
 whitelist ${HOME}/.config/totem
+whitelist ${HOME}/.dvdcss
 whitelist ${HOME}/.local/share/totem
 whitelist /usr/share/totem
 include whitelist-common.inc
diff --git a/etc/profile-m-z/vlc.profile b/etc/profile-m-z/vlc.profile
index 34e580085..3fc36a625 100644
--- a/etc/profile-m-z/vlc.profile
+++ b/etc/profile-m-z/vlc.profile
@@ -9,6 +9,7 @@ include globals.local
 noblacklist ${HOME}/.cache/vlc
 noblacklist ${HOME}/.config/vlc
 noblacklist ${HOME}/.config/aacs
+noblacklist ${HOME}/.dvdcss
 noblacklist ${HOME}/.local/share/vlc
 
 include disable-common.inc
@@ -24,6 +25,7 @@ mkdir ${HOME}/.local/share/vlc
 whitelist ${HOME}/.cache/vlc
 whitelist ${HOME}/.config/vlc
 whitelist ${HOME}/.config/aacs
+whitelist ${HOME}/.dvdcss
 whitelist ${HOME}/.local/share/vlc
 include whitelist-common.inc
 include whitelist-player-common.inc
diff --git a/etc/profile-m-z/waterfox.profile b/etc/profile-m-z/waterfox.profile
index bf6f45e41..cf2fced64 100644
--- a/etc/profile-m-z/waterfox.profile
+++ b/etc/profile-m-z/waterfox.profile
@@ -21,9 +21,7 @@ whitelist /usr/share/waterfox
 # waterfox requires a shell to launch on Arch. We can possibly remove sh though.
 # Add the next line to your waterfox.local to enable private-bin.
 #private-bin bash,dbus-launch,dbus-send,env,sh,waterfox,waterfox-classic,waterfox-current,which
-# Add the next line to your waterfox.local to enable private-etc. Note that private-etc must first be
-# enabled in your firefox-common.local.
-#private-etc waterfox
+private-etc waterfox
 
 # Redirect
 include firefox-common.profile
diff --git a/etc/profile-m-z/wesnoth.profile b/etc/profile-m-z/wesnoth.profile
index b6f29cfbf..90de16bdb 100644
--- a/etc/profile-m-z/wesnoth.profile
+++ b/etc/profile-m-z/wesnoth.profile
@@ -10,6 +10,9 @@ noblacklist ${HOME}/.cache/wesnoth
 noblacklist ${HOME}/.config/wesnoth
 noblacklist ${HOME}/.local/share/wesnoth
 
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
diff --git a/etc/profile-m-z/zoom.profile b/etc/profile-m-z/zoom.profile
index 306212f85..430934df2 100644
--- a/etc/profile-m-z/zoom.profile
+++ b/etc/profile-m-z/zoom.profile
@@ -19,6 +19,7 @@ ignore dbus-system none
 noblacklist ${HOME}/.config/zoom.conf
 noblacklist ${HOME}/.config/zoomus.conf
 noblacklist ${HOME}/.zoom
+noblacklist ${DOCUMENTS}
 
 nowhitelist ${DOWNLOADS}
 
@@ -26,10 +27,12 @@ mkdir ${HOME}/.cache/zoom
 mkfile ${HOME}/.config/zoom.conf
 mkfile ${HOME}/.config/zoomus.conf
 mkdir ${HOME}/.zoom
+mkdir ${HOME}/Documents/Zoom
 whitelist ${HOME}/.cache/zoom
 whitelist ${HOME}/.config/zoom.conf
 whitelist ${HOME}/.config/zoomus.conf
 whitelist ${HOME}/.zoom
+whitelist ${HOME}/Documents/Zoom
 
 # Disable for now, see https://github.com/netblue30/firejail/issues/3726
 #private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 84bf32625..08170bee6 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -101,6 +101,7 @@ bibletime
 bitcoin-qt
 bitlbee
 bitwarden
+bitwarden-desktop
 bleachbit
 blender
 blender-2.8
diff --git a/src/fshaper/fshaper.sh b/src/fshaper/fshaper.sh
index cd2bf79bf..16a2485bf 100755
--- a/src/fshaper/fshaper.sh
+++ b/src/fshaper/fshaper.sh
@@ -3,13 +3,9 @@
 # Copyright (C) 2014-2024 Firejail Authors
 # License GPL v2
 
-TCFILE=""
-if [ -x "/usr/sbin/tc" ]; then
-        TCFILE="/usr/sbin/tc"
-elif [ -x "/sbin/tc" ]; then
-        TCFILE="/sbin/tc";
-else
-        echo "Error: traffic control utility (tc) not found";
+TCFILE="$(PATH=/usr/sbin:/sbin:/run/current-system/sw/bin command -v tc)"
+if [ -z "$TCFILE" ]; then
+        echo "Error: traffic control utility (tc) not found"
         exit 1
 fi
 
diff --git a/src/man/firecfg.1.in b/src/man/firecfg.1.in
index a50ed765e..e47014702 100644
--- a/src/man/firecfg.1.in
+++ b/src/man/firecfg.1.in
@@ -139,29 +139,6 @@ $ sudo firecfg --clean
 /usr/local/bin/vlc removed
 .br
 [...]
-.SH FILES
-.PP
-Configuration files are searched for and parsed in the following paths:
-.PP
-.RS
-1. /etc/firejail/firecfg.d/*.conf (in alphabetical order)
-.br
-2. /etc/firejail/firecfg.config
-.RE
-.PP
-The programs that are supported by default are listed in
-/etc/firejail/firecfg.config.
-It is recommended to leave it as is and put all customizations inside
-/etc/firejail/firecfg.d/.
-.PP
-Profile files are also searched in the user configuration directory:
-.PP
-.RS
-3. ~/.config/firejail/*.profile
-.RE
-.PP
-For every \fBPROGRAM.profile\fR file found, firecfg attempts to create a
-symlink for "PROGRAM", as if "PROGRAM" was listed in a configuration file.
 .SH SYNTAX
 Configuration file syntax:
 .PP
@@ -200,6 +177,29 @@ following lines can to be used to ignore both:
 .br
 !spectacle
 .RE
+.SH FILES
+.PP
+Configuration files are searched for and parsed in the following paths:
+.PP
+.RS
+1. /etc/firejail/firecfg.d/*.conf (in alphabetical order)
+.br
+2. /etc/firejail/firecfg.config
+.RE
+.PP
+The programs that are supported by default are listed in
+/etc/firejail/firecfg.config.
+It is recommended to leave it as is and put all customizations inside
+/etc/firejail/firecfg.d/.
+.PP
+Profile files are also searched in the user configuration directory:
+.PP
+.RS
+3. ~/.config/firejail/*.profile
+.RE
+.PP
+For every \fBPROGRAM.profile\fR file found, firecfg attempts to create a
+symlink for "PROGRAM", as if "PROGRAM" was listed in a configuration file.
 .SH LICENSE
 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
 .PP
diff --git a/src/man/firejail-profile.5.in b/src/man/firejail-profile.5.in
index 89784a984..a6856212e 100644
--- a/src/man/firejail-profile.5.in
+++ b/src/man/firejail-profile.5.in
@@ -243,7 +243,7 @@ host filesystem. Each line describes a file/directory that is inaccessible
 a tmpfs mounted on top of an existing directory (\fBtmpfs\fR),
 or mount-bind a directory or file on top of another directory or file (\fBbind\fR).
 Use \fBprivate\fR to set private mode.  File globbing is supported, and PATH and
-HOME directories are searched, see the \fBfirejail\f(1) \fBFILE GLOBBING\fR section
+HOME directories are searched, see the \fBfirejail\fR(1) \fBFILE GLOBBING\fR section
 for more details.
 Examples:
 .TP
@@ -511,30 +511,30 @@ Blacklist all Linux capabilities.
 Whitelist given Linux capabilities.
 #ifdef HAVE_LANDLOCK
 .TP
-\fBlandlock.enforce (experimental)
+\fBlandlock.enforce\fR (experimental)
 Enforce the Landlock ruleset.
 .PP
 Without it, the other Landlock commands have no effect.
 .TP
-\fBlandlock.fs.read path (experimental)
+\fBlandlock.fs.read path\fR (experimental)
 Create a Landlock ruleset (if it doesn't already exist) and add a read access
 rule for path.
 .TP
-\fBlandlock.fs.write path (experimental)
+\fBlandlock.fs.write path\fR (experimental)
 Create a Landlock ruleset (if it doesn't already exist) and add a write access
 rule for path.
 .TP
-\fBlandlock.fs.makeipc path (experimental)
+\fBlandlock.fs.makeipc path\fR (experimental)
 Create a Landlock ruleset (if it doesn't already exist) and add a rule that
 allows the creation of named pipes (FIFOs) and Unix domain sockets beneath
 the given path.
 .TP
-\fBlandlock.fs.makedev path (experimental)
+\fBlandlock.fs.makedev path\fR (experimental)
 Create a Landlock ruleset (if it doesn't already exist) and add a rule that
 allows the creation of block devices and character devices beneath the given
 path.
 .TP
-\fBlandlock.fs.execute path (experimental)
+\fBlandlock.fs.execute path\fR (experimental)
 Create a Landlock ruleset (if it doesn't already exist) and add an execution
 permission rule for path.
 #endif
@@ -668,20 +668,20 @@ Enable filtered access to the system DBus. Filters can be specified with the dbu
 \fBdbus-system none
 Disable access to the system DBus. Once access is disabled, it cannot be relaxed to filtering.
 .TP
+\fBdbus-system.broadcast org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
+Allow the application to receive broadcast signals from the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus.
+.TP
+\fBdbus-system.call org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
+Allow the application to call methods of the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus.
+.TP
 \fBdbus-system.own org.gnome.ghex.*
 Allow the application to own the name org.gnome.ghex and all names underneath in on the system DBus.
 .TP
-\fBdbus-system.talk org.freedesktop.Notifications
-Allow the application to talk to the name org.freedesktop.Notifications on the system DBus.
-.TP
 \fBdbus-system.see org.freedesktop.Notifications
 Allow the application to see but not talk to the name org.freedesktop.Notifications on the system DBus.
 .TP
-\fBdbus-system.call org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
-Allow the application to call methods of the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus.
-.TP
-\fBdbus-system.broadcast org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
-Allow the application to receive broadcast signals from the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus.
+\fBdbus-system.talk org.freedesktop.Notifications
+Allow the application to talk to the name org.freedesktop.Notifications on the system DBus.
 .TP
 \fBdbus-user filter
 Enable filtered access to the session DBus. Filters can be specified with the dbus-user.talk and dbus-user.own commands.
@@ -689,22 +689,22 @@ Enable filtered access to the session DBus. Filters can be specified with the db
 \fBdbus-user none
 Disable access to the session DBus. Once access is disabled, it cannot be relaxed to filtering.
 .TP
+\fBdbus-user.broadcast org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
+Allow the application to receive broadcast signals from the the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the session DBus.
+.TP
+\fBdbus-user.call org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
+Allow the application to call methods of the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the session DBus.
+.TP
 \fBdbus-user.own org.gnome.ghex.*
 Allow the application to own the name org.gnome.ghex and all names underneath in on the session DBus.
 .TP
-\fBdbus-user.talk org.freedesktop.Notifications
-Allow the application to talk to the name org.freedesktop.Notifications on the session DBus.
-.TP
 \fBdbus-user.see org.freedesktop.Notifications
 Allow the application to see but not talk to the name org.freedesktop.Notifications on the session DBus.
 .TP
-\fBdbus-user.call org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
-Allow the application to call methods of the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the session DBus.
-.TP
-\fBdbus-user.broadcast org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
-Allow the application to receive broadcast signals from the the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the session DBus.
+\fBdbus-user.talk org.freedesktop.Notifications
+Allow the application to talk to the name org.freedesktop.Notifications on the session DBus.
 .TP
-\fBnodbus \fR(deprecated)
+\fBnodbus\fR (deprecated)
 Disable D-Bus access (both system and session buses). Equivalent to dbus-system none and dbus-user none.
 .TP
 .br
@@ -804,7 +804,7 @@ name browser
 \fBno3d
 Disable 3D hardware acceleration.
 .TP
-\fBnoautopulse \fR(deprecated)
+\fBnoautopulse\fR (deprecated)
 See keep-config-pulse.
 .TP
 \fBnodvd
@@ -867,20 +867,6 @@ net eth0
 ip 10.10.20.56
 
 .TP
-\fBip none
-No IP address and no default gateway are configured for the last interface
-defined by a net command. Use this option
-in case you intend to start an external DHCP client in the sandbox.
-.br
-
-.br
-Example:
-.br
-net eth0
-.br
-ip none
-
-.TP
 \fBip dhcp
 Acquire an IP address and default gateway for the last interface defined by a
 net command, as well as set the DNS servers according to the DHCP response.
@@ -908,6 +894,20 @@ a DHCP client and releasing the lease manually in conjunction with the
 net none command.
 
 .TP
+\fBip none
+No IP address and no default gateway are configured for the last interface
+defined by a net command. Use this option
+in case you intend to start an external DHCP client in the sandbox.
+.br
+
+.br
+Example:
+.br
+net eth0
+.br
+ip none
+
+.TP
 \fBip6 address
 Assign IPv6 addresses to the last network interface defined by a net command.
 .br
diff --git a/src/man/firejail.1.in b/src/man/firejail.1.in
index 4edb0902e..47cb7ccde 100644
--- a/src/man/firejail.1.in
+++ b/src/man/firejail.1.in
@@ -611,8 +611,9 @@ Example:
 $ firejail --dbus-user=filter --dbus-user.own=org.gnome.ghex.*
 
 .TP
-\fB\-\-dbus-user.talk=name
-Allows the application to talk to the specified well-known name on the session DBus.
+\fB\-\-dbus-user.see=name
+Allows the application to see, but not talk to the specified well-known name on
+the session DBus.
 The name may have a .* suffix to match all names underneath it, including itself
 (e.g. "foo.bar.*" matches "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but
 not "foobar").
@@ -621,14 +622,13 @@ not "foobar").
 .br
 Example:
 .br
-$ firejail --dbus-user=filter --dbus-user.talk=\\
+$ firejail --dbus-user=filter --dbus-user.see=\\
 .br
 org.freedesktop.Notifications
 
 .TP
-\fB\-\-dbus-user.see=name
-Allows the application to see, but not talk to the specified well-known name on
-the session DBus.
+\fB\-\-dbus-user.talk=name
+Allows the application to talk to the specified well-known name on the session DBus.
 The name may have a .* suffix to match all names underneath it, including itself
 (e.g. "foo.bar.*" matches "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but
 not "foobar").
@@ -637,7 +637,7 @@ not "foobar").
 .br
 Example:
 .br
-$ firejail --dbus-user=filter --dbus-user.see=\\
+$ firejail --dbus-user=filter --dbus-user.talk=\\
 .br
 org.freedesktop.Notifications
 #endif
@@ -888,6 +888,32 @@ Example:
 .br
 $ firejail \-\-hosts-file=~/myhosts firefox
 
+.TP
+\fB\-\-icmptrace[=name|pid]
+Monitor ICMP traffic. The sandbox can be specified by name or pid. Only networked sandboxes
+created with \-\-net are supported. This option is only available when running the sandbox as root.
+.br
+
+.br
+Without a name/pid, Firejail will monitor the main system network namespace.
+.br
+
+.br
+Example
+.br
+$ sudo firejail --icmptrace
+.br
+20:53:54  192.168.1.60 -> 142.250.65.174 - 98 bytes - Echo request/0
+.br
+20:53:54  142.250.65.174 -> 192.168.1.60 - 98 bytes - Echo reply/0
+.br
+20:53:55  192.168.1.60 -> 142.250.65.174 - 98 bytes - Echo request/0
+.br
+20:53:55  142.250.65.174 -> 192.168.1.60 - 98 bytes - Echo reply/0
+.br
+20:53:55  192.168.1.60 -> 1.1.1.1 - 154 bytes - Destination unreachable/Port unreachable
+.br
+
 #ifdef HAVE_IDS
 .TP
 \fB\-\-ids-check
@@ -925,33 +951,7 @@ $ firejail \-\-ignore="net eth0" firefox
 #endif
 
 .TP
-\fB\-\-icmptrace[=name|pid]
-Monitor ICMP traffic. The sandbox can be specified by name or pid. Only networked sandboxes
-created with \-\-net are supported. This option is only available when running the sandbox as root.
-.br
-
-.br
-Without a name/pid, Firejail will monitor the main system network namespace.
-.br
-
-.br
-Example
-.br
-$ sudo firejail --icmptrace
-.br
-20:53:54  192.168.1.60 -> 142.250.65.174 - 98 bytes - Echo request/0
-.br
-20:53:54  142.250.65.174 -> 192.168.1.60 - 98 bytes - Echo reply/0
-.br
-20:53:55  192.168.1.60 -> 142.250.65.174 - 98 bytes - Echo request/0
-.br
-20:53:55  142.250.65.174 -> 192.168.1.60 - 98 bytes - Echo reply/0
-.br
-20:53:55  192.168.1.60 -> 1.1.1.1 - 154 bytes - Destination unreachable/Port unreachable
-.br
-
-.TP
-\fB\-\-\include=file.profile
+\fB\-\-include=file.profile
 Include a profile file before the regular profiles are used.
 .br
 
@@ -984,23 +984,6 @@ Example:
 $ firejail \-\-net=eth0 \-\-ip=10.10.20.56 firefox
 
 .TP
-\fB\-\-ip=none
-No IP address and no default gateway are configured for the last interface
-defined by a \-\-net option. Use this option
-in case you intend to start an external DHCP client in the sandbox.
-.br
-
-.br
-Example:
-.br
-$ firejail \-\-net=eth0 \-\-\ip=none
-.br
-
-.br
-If the corresponding interface doesn't have an IP address configured, this
-option is enabled by default.
-
-.TP
 \fB\-\-ip=dhcp
 Acquire an IP address and default gateway for the last interface defined by a
 \-\-net option, as well as set the DNS servers according to the DHCP response.
@@ -1026,6 +1009,23 @@ a DHCP client and releasing the lease manually in conjunction with the
 \-\-net=none option.
 
 .TP
+\fB\-\-ip=none
+No IP address and no default gateway are configured for the last interface
+defined by a \-\-net option. Use this option
+in case you intend to start an external DHCP client in the sandbox.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-net=eth0 \-\-ip=none
+.br
+
+.br
+If the corresponding interface doesn't have an IP address configured, this
+option is enabled by default.
+
+.TP
 \fB\-\-ip6=address
 Assign IPv6 addresses to the last network interface defined by a \-\-net option.
 .br
@@ -1070,7 +1070,7 @@ default gateway is assigned by default.
 .br
 Example:
 .br
-$ firejail \-\-net=eth0 \-\-\iprange=192.168.1.100,192.168.1.150
+$ firejail \-\-net=eth0 \-\-iprange=192.168.1.100,192.168.1.150
 
 .TP
 \fB\-\-ipc-namespace
@@ -1241,30 +1241,30 @@ $ firejail --keep-var-tmp
 
 #ifdef HAVE_LANDLOCK
 .TP
-\fB\-\-landlock.enforce (experimental)
+\fB\-\-landlock.enforce\fR (experimental)
 Enforce the Landlock ruleset.
 Without it, the other Landlock commands have no effect.
 See the \fBLANDLOCK\fR section for more information.
 .TP
-\fB\-\-landlock.fs.read=path (experimental)
+\fB\-\-landlock.fs.read=path\fR (experimental)
 Create a Landlock ruleset (if it doesn't already exist) and add a read access
 rule for path.
 .TP
-\fB\-\-landlock.fs.write=path (experimental)
+\fB\-\-landlock.fs.write=path\fR (experimental)
 Create a Landlock ruleset (if it doesn't already exist) and add a write access
 rule for path.
 .TP
-\fB\-\-landlock.fs.makeipc=path (experimental)
+\fB\-\-landlock.fs.makeipc=path\fR (experimental)
 Create a Landlock ruleset (if it doesn't already exist) and add a rule that
 allows the creation of named pipes (FIFOs) and Unix domain sockets beneath
 the given path.
 .TP
-\fB\-\-landlock.fs.makedev=path (experimental)
+\fB\-\-landlock.fs.makedev=path\fR (experimental)
 Create a Landlock ruleset (if it doesn't already exist) and add a rule that
 allows the creation of block devices and character devices beneath the given
 path.
 .TP
-\fB\-\-landlock.fs.execute=path (experimental)
+\fB\-\-landlock.fs.execute=path\fR (experimental)
 Create a Landlock ruleset (if it doesn't already exist) and add an execution
 permission rule for path.
 .br
@@ -1324,6 +1324,21 @@ Example:
 $ firejail \-\-machine-id
 
 .TP
+\fB\-\-memory-deny-write-execute
+Install a seccomp filter to block attempts to create memory mappings
+that are both writable and executable, to change mappings to be
+executable, or to create executable shared memory. The filter examines
+the arguments of mmap, mmap2, mprotect, pkey_mprotect, memfd_create
+and shmat system calls and returns error EPERM to the process (or
+kills it or log the attempt, see \-\-seccomp-error-action below) if necessary.
+.br
+
+.br
+Note: shmat is not implemented
+as a system call on some platforms including i386, and it cannot be
+handled by seccomp-bpf.
+
+.TP
 \fB\-\-mkdir=dirname
 Create a directory in user home. Parent directories are created as needed.
 .br
@@ -1343,20 +1358,6 @@ Example:
 .br
 $ firejail --mkfile=~/work/project/readme
 
-.TP
-\fB\-\-memory-deny-write-execute
-Install a seccomp filter to block attempts to create memory mappings
-that are both writable and executable, to change mappings to be
-executable, or to create executable shared memory. The filter examines
-the arguments of mmap, mmap2, mprotect, pkey_mprotect, memfd_create
-and shmat system calls and returns error EPERM to the process (or
-kills it or log the attempt, see \-\-seccomp-error-action below) if necessary.
-.br
-
-.br
-Note: shmat is not implemented
-as a system call on some platforms including i386, and it cannot be
-handled by seccomp-bpf.
 #ifdef HAVE_NETWORK
 .TP
 \fB\-\-mtu=number
@@ -1726,7 +1727,7 @@ Example:
 $ firejail --no3d firefox
 
 .TP
-\fB\-\-noautopulse \fR(deprecated)
+\fB\-\-noautopulse\fR (deprecated)
 See --keep-config-pulse.
 
 .TP
@@ -1772,7 +1773,7 @@ $ nc dict.org 2628
 220 pan.alephnull.com dictd 1.12.1/rf on Linux 3.14-1-amd64
 .br
 .TP
-\fB\-\-nodbus \fR(deprecated)
+\fB\-\-nodbus\fR (deprecated)
 #ifdef HAVE_DBUSPROXY
 Disable D-Bus access (both system and session buses). Equivalent to --dbus-system=none --dbus-user=none.
 .br
@@ -1792,15 +1793,6 @@ Example:
 .br
 $ firejail \-\-nodvd
 .TP
-\fB\-\-noinput
-Disable input devices.
-.br
-
-.br
-Example:
-.br
-$ firejail \-\-noinput
-.TP
 \fB\-\-noexec=dirname_or_filename
 Remount directory or file noexec, nodev and nosuid. File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
 .br
@@ -1845,6 +1837,16 @@ uid=1000(netblue) gid=1000(netblue) groups=1000(netblue)
 $
 
 .TP
+\fB\-\-noinput
+Disable input devices.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-noinput
+
+.TP
 \fB\-\-nonewprivs
 Sets the NO_NEW_PRIVS prctl.  This ensures that child processes
 cannot acquire new privileges using execve(2);  in particular,
@@ -3353,16 +3355,6 @@ $ firejail --net=eth0 --x11=xephyr --xephyr-screen=640x480 firefox
 .br
 #endif
 .\" Note: Keep this in sync with invalid_name() in src/firejail/util.c.
-.SH NAME VALIDATION
-For simplicity, the same name validation is used for multiple options.
-Rules:
-.PP
-The name must be 1-253 characters long.
-The name can only contain ASCII letters, digits and the special characters
-"-._" (that is, the name cannot contain spaces or control characters).
-The name cannot contain only digits.
-The first and last characters must be an ASCII letter or digit and the name
-may contain special characters in the middle.
 #ifdef HAVE_APPARMOR
 .SH APPARMOR
 .TP
@@ -3408,64 +3400,6 @@ To enable AppArmor confinement on top of your current Firejail security features
 $ firejail --apparmor firefox
 #endif
 
-#ifdef HAVE_LANDLOCK
-.SH LANDLOCK
-Warning: Landlock support in firejail is considered experimental and unstable.
-The contents of landlock-common.inc are likely to change and the feature is
-still being expanded upon in the Linux kernel.
-Also, note that its functionality overlaps with existing firejail features,
-such as the \fBblacklist\fR, \fBread-only\fR and \fBread-write\fR commands.
-Its filesystem access rules can currently only restrict direct access to paths;
-it is not able to make only select paths appear in the sandbox such as with the
-\fBwhitelist\fR and \fBprivate-etc\fR commands (see also unveil(2) on OpenBSD).
-Lastly, note that depending on the Linux kernel version, Landlock may not
-protect all of the relevant syscalls (see the kernel's Landlock documentation
-for details).
-Therefore, it is recommended to treat Landlock as an extra layer of protection,
-to be used together with other firejail features (rather than as a bulletproof
-mechanism by itself).
-.PP
-Landlock is a Linux security module first introduced in version 5.13 of the
-Linux kernel.
-It allows unprivileged processes to restrict their access to the filesystem.
-Once imposed, these restrictions can never be removed, and all child processes
-created by a Landlock-restricted processes inherit these restrictions.
-Firejail supports Landlock as an additional sandboxing feature.
-It can be used to ensure that a sandboxed application can only access files and
-directories that it was explicitly allowed to access.
-Firejail supports populating the ruleset with both a basic set of rules (see
-landlock-common.inc) and with a custom set of rules.
-.TP
-Important notes:
-.PP
-.RS
-- Currently only Landlock ABI version 1 is supported.
-.PP
-- If "lsm=" is used in the kernel command line, it should contain "landlock"
-(such as "lsm=apparmor,landlock"), or else it will be disabled.
-.PP
-- A process can install a Landlock ruleset only if it has either
-\fBCAP_SYS_ADMIN\fR in its effective capability set, or the "No New
-Privileges" restriction enabled.
-Because of this, enabling the Landlock feature will also cause Firejail to
-enable the "No New Privileges" restriction, regardless of the profile or the
-\fB\-\-nonewprivs\fR command line option.
-.PP
-- Access to the /etc directory is automatically allowed.
-To override this, use the \fB\-\-writable\-etc\fR command line option.
-You can also use the \fB\-\-private\-etc\fR option to restrict access to the
-/etc directory.
-.RE
-.PP
-To enable Landlock self-restriction on top of your current Firejail security
-features, pass \fB\-\-landlock.enforce\fR flag to Firejail command line.
-Without it, the other Landlock commands have no effect.
-Example:
-.PP
-$ firejail \-\-landlock.enforce \-\-landlock.fs.read=/media mc
-.PP
-To disable Landlock self-restriction, use \fB\-\-ignore=landlock.enforce\fR.
-#endif
 .SH DESKTOP INTEGRATION
 A symbolic link to /usr/bin/firejail under the name of a program, will start the program in Firejail sandbox.
 The symbolic link should be placed in the first $PATH position. On most systems, a good place
@@ -3519,37 +3453,37 @@ $ firejail --tree
       1221:netblue:/usr/lib/firefox/firefox
 .RE
 
-We provide a tool that automates all this integration, please see \&\flfirecfg\fR\|(1) for more details.
+We provide a tool that automates all this integration, please see \fBfirecfg\fR(1) for more details.
 
 .SH EXAMPLES
 .TP
-\f\firejail
+\fBfirejail
 Sandbox a regular shell session.
 .TP
-\f\firejail firefox
+\fBfirejail firefox
 Start Mozilla Firefox.
 .TP
-\f\firejail \-\-debug firefox
+\fBfirejail \-\-debug firefox
 Debug Firefox sandbox.
 .TP
-\f\firejail \-\-private firefox
+\fBfirejail \-\-private firefox
 Start Firefox with a new, empty home directory.
 .TP
-\f\firejail --net=none vlc
+\fBfirejail --net=none vlc
 Start VLC in an unconnected network namespace.
 #ifdef HAVE_NETWORK
 .TP
-\f\firejail \-\-net=eth0 firefox
+\fBfirejail \-\-net=eth0 firefox
 Start Firefox in a new network namespace. An IP address is
 assigned automatically.
 .TP
-\f\firejail \-\-net=br0 \-\-ip=10.10.20.5 \-\-net=br1 \-\-net=br2
+\fBfirejail \-\-net=br0 \-\-ip=10.10.20.5 \-\-net=br1 \-\-net=br2
 Start a shell session in a new network namespace and connect it
 to br0, br1, and br2 host bridge devices. IP addresses are assigned
 automatically for the interfaces connected to br1 and b2
 #endif
 .TP
-\f\firejail \-\-list
+\fBfirejail \-\-list
 List all sandboxed processes.
 
 .SH FILE GLOBBING
@@ -3713,6 +3647,65 @@ Currently while scanning the file system, symbolic links are not followed, and f
 The program can also be run as root (sudo firejail --ids-init/--ids-check).
 #endif
 
+#ifdef HAVE_LANDLOCK
+.SH LANDLOCK
+Warning: Landlock support in firejail is considered experimental and unstable.
+The contents of landlock-common.inc are likely to change and the feature is
+still being expanded upon in the Linux kernel.
+Also, note that its functionality overlaps with existing firejail features,
+such as the \fBblacklist\fR, \fBread-only\fR and \fBread-write\fR commands.
+Its filesystem access rules can currently only restrict direct access to paths;
+it is not able to make only select paths appear in the sandbox such as with the
+\fBwhitelist\fR and \fBprivate-etc\fR commands (see also unveil(2) on OpenBSD).
+Lastly, note that depending on the Linux kernel version, Landlock may not
+protect all of the relevant syscalls (see the kernel's Landlock documentation
+for details).
+Therefore, it is recommended to treat Landlock as an extra layer of protection,
+to be used together with other firejail features (rather than as a bulletproof
+mechanism by itself).
+.PP
+Landlock is a Linux security module first introduced in version 5.13 of the
+Linux kernel.
+It allows unprivileged processes to restrict their access to the filesystem.
+Once imposed, these restrictions can never be removed, and all child processes
+created by a Landlock-restricted processes inherit these restrictions.
+Firejail supports Landlock as an additional sandboxing feature.
+It can be used to ensure that a sandboxed application can only access files and
+directories that it was explicitly allowed to access.
+Firejail supports populating the ruleset with both a basic set of rules (see
+landlock-common.inc) and with a custom set of rules.
+.TP
+Important notes:
+.PP
+.RS
+- Currently only Landlock ABI version 1 is supported.
+.PP
+- If "lsm=" is used in the kernel command line, it should contain "landlock"
+(such as "lsm=apparmor,landlock"), or else it will be disabled.
+.PP
+- A process can install a Landlock ruleset only if it has either
+\fBCAP_SYS_ADMIN\fR in its effective capability set, or the "No New
+Privileges" restriction enabled.
+Because of this, enabling the Landlock feature will also cause Firejail to
+enable the "No New Privileges" restriction, regardless of the profile or the
+\fB\-\-nonewprivs\fR command line option.
+.PP
+- Access to the /etc directory is automatically allowed.
+To override this, use the \fB\-\-writable\-etc\fR command line option.
+You can also use the \fB\-\-private\-etc\fR option to restrict access to the
+/etc directory.
+.RE
+.PP
+To enable Landlock self-restriction on top of your current Firejail security
+features, pass \fB\-\-landlock.enforce\fR flag to Firejail command line.
+Without it, the other Landlock commands have no effect.
+Example:
+.PP
+$ firejail \-\-landlock.enforce \-\-landlock.fs.read=/media mc
+.PP
+To disable Landlock self-restriction, use \fB\-\-ignore=landlock.enforce\fR.
+#endif
+
 .SH MONITORING
 Option \-\-list prints a list of all sandboxes. The format
 for each process entry is as follows:
@@ -3770,6 +3763,17 @@ Sandbox running time in hours:minutes:seconds format.
 USER
 The owner of the sandbox.
 
+.SH NAME VALIDATION
+For simplicity, the same name validation is used for multiple options.
+Rules:
+.PP
+The name must be 1-253 characters long.
+The name can only contain ASCII letters, digits and the special characters
+"-._" (that is, the name cannot contain spaces or control characters).
+The name cannot contain only digits.
+The first and last characters must be an ASCII letter or digit and the name
+may contain special characters in the middle.
+
 .SH RESTRICTED SHELL
 To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in
 /etc/passwd file for each user that needs to be restricted. Alternatively,