40 files changed, 338 insertions, 229 deletions

diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
index 53066013d..fc74640d4 100644
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -22,7 +22,8 @@ _Describe the bug_
 
 _Steps to reproduce the behavior_
 
-1. Run in bash `LC_ALL=C firejail PROGRAM` (`LC_ALL=C` to get a consistent output in English that can be understood by everybody)
+1. Run in bash `LC_ALL=C firejail PROGRAM` (`LC_ALL=C` to get a consistent
+   output in English that can be understood by everybody)
 2. Click on '....'
 3. Scroll down to '....'
 4. See error `ERROR`
@@ -37,7 +38,8 @@ _What actually happened_
 
 ### Behavior without a profile
 
-_What changed calling `LC_ALL=C firejail --noprofile /path/to/program` in a terminal?_
+_What changed calling `LC_ALL=C firejail --noprofile /path/to/program` in a
+terminal?_
 
 ### Additional context
 
@@ -47,7 +49,8 @@ _Any other detail that may help to understand/debug the problem_
 
 - Linux distribution and version (e.g. "Ubuntu 20.04" or "Arch Linux")
 - Firejail version (`firejail --version`).
-- If you use a development version of firejail, also the commit from which it was compiled (`git rev-parse HEAD`).
+- If you use a development version of firejail, also the commit from which it
+  was compiled (`git rev-parse HEAD`).
 
 ### Checklist
 
diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md
index a723cdbde..ce1b70e39 100644
--- a/.github/ISSUE_TEMPLATE/feature_request.md
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -4,6 +4,7 @@ about: Suggest an idea for this project
 title: ''
 labels: ''
 assignees: ''
+
 ---
 
 ### Is your feature request related to a problem? Please describe.
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
index 3c256dd87..4a7998e87 100644
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -1,17 +1,21 @@
-If your PR isn't about profiles or you have no idea how to do one of these, skip the following and go ahead with this PR.
+If your PR isn't about profiles or you have no idea how to do one of these,
+skip the following and go ahead with this PR.
 
-If you submit a PR for new profiles or changing profiles, please do the following:
- - The ordering of options follow the rules described in [/usr/share/doc/firejail/profile.template](https://github.com/netblue30/firejail/blob/master/etc/templates/profile.template).
-   > Hint: The profile-template is very new. If you install firejail with your package manager, it may be missing. In order to follow the latest rules, it is recommended to use the template from the repository.
- - Order the arguments of options alphabetically. You can easily do this with [sort.py](https://github.com/netblue30/firejail/tree/master/contrib/sort.py).
- The path to it depends on your distro:
+If you submit a PR for new profiles or changing profiles, please do the
+following:
 
-   | Distro | Path |
-   | ------ | ---- |
-   | Arch/Fedora | `/usr/lib64/firejail/sort.py` |
-   | Debian/Ubuntu/Mint | `/usr/lib/x86_64-linux-gnu/firejail/sort.py` |
-   | local git clone | `contrib/sort.py` |
+- The ordering of options follow the rules described in
+  [etc/templates/profile.template](../blob/master/etc/templates/profile.template)
+  (/usr/share/doc/firejail/profile.template when installed).
+- Order the arguments of options alphabetically.  You can easily do this with
+  [sort.py](../blob/master/contrib/sort.py).
 
-   Note also that the sort.py script exists only since firejail `0.9.61`.
+  The path to it depends on your distro:
 
-See also [CONTRIBUTING.md](/CONTRIBUTING.md).
+  | Distro | Path |
+  | ------ | ---- |
+  | Arch/Fedora | `/usr/lib64/firejail/sort.py` |
+  | Debian/Ubuntu/Mint | `/usr/lib/x86_64-linux-gnu/firejail/sort.py` |
+  | local git clone | `contrib/sort.py` |
+
+See also [CONTRIBUTING.md](../blob/master/CONTRIBUTING.md).
diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml
index d31aec004..8ee48310f 100644
--- a/.github/workflows/build-extra.yml
+++ b/.github/workflows/build-extra.yml
@@ -54,7 +54,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776
+      uses: step-security/harden-runner@03bee3930647ebbf994244c21ddbc0d4933aab4f
       with:
         egress-policy: block
         allowed-endpoints: >
@@ -77,7 +77,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776
+      uses: step-security/harden-runner@03bee3930647ebbf994244c21ddbc0d4933aab4f
       with:
         egress-policy: block
         allowed-endpoints: >
@@ -96,7 +96,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776
+      uses: step-security/harden-runner@03bee3930647ebbf994244c21ddbc0d4933aab4f
       with:
         egress-policy: block
         allowed-endpoints: >
@@ -115,7 +115,7 @@ jobs:
     runs-on: ubuntu-20.04
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776
+      uses: step-security/harden-runner@03bee3930647ebbf994244c21ddbc0d4933aab4f
       with:
         egress-policy: block
         allowed-endpoints: >
@@ -132,7 +132,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776
+      uses: step-security/harden-runner@03bee3930647ebbf994244c21ddbc0d4933aab4f
       with:
         egress-policy: block
         allowed-endpoints: >
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 9008408ae..7d2652b78 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -44,7 +44,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776
+      uses: step-security/harden-runner@03bee3930647ebbf994244c21ddbc0d4933aab4f
       with:
         egress-policy: block
         allowed-endpoints: >
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index cdbf1f2bf..4f06a3f26 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -74,13 +74,14 @@ jobs:
 
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776
+      uses: step-security/harden-runner@03bee3930647ebbf994244c21ddbc0d4933aab4f
       with:
         disable-sudo: true
         egress-policy: block
         allowed-endpoints: >
           api.github.com:443
           github.com:443
+          objects.githubusercontent.com:443
           uploads.github.com:443
 
     - name: Checkout repository
@@ -88,7 +89,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@04df1262e6247151b5ac09cd2c303ac36ad3f62b
+      uses: github/codeql-action/init@d186a2a36cc67bfa1b860e6170d37fb9634742c7
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -99,7 +100,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@04df1262e6247151b5ac09cd2c303ac36ad3f62b
+      uses: github/codeql-action/autobuild@d186a2a36cc67bfa1b860e6170d37fb9634742c7
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -113,4 +114,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@04df1262e6247151b5ac09cd2c303ac36ad3f62b
+      uses: github/codeql-action/analyze@d186a2a36cc67bfa1b860e6170d37fb9634742c7
diff --git a/.github/workflows/profile-checks.yml b/.github/workflows/profile-checks.yml
index 8212c646e..54188c787 100644
--- a/.github/workflows/profile-checks.yml
+++ b/.github/workflows/profile-checks.yml
@@ -26,7 +26,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776
+      uses: step-security/harden-runner@03bee3930647ebbf994244c21ddbc0d4933aab4f
       with:
         disable-sudo: true
         egress-policy: block
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 6dcb40e67..b30dd9ee4 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -12,7 +12,7 @@ build_ubuntu_package:
         - DEBIAN_FRONTEND=noninteractive apt-get install -y -qq build-essential lintian libapparmor-dev pkg-config python3 gawk
         - ./configure && make deb && dpkg -i firejail*.deb
         - command -V firejail && firejail --version
-        - python3 contrib/sort.py etc/profile-*/*.profile etc/inc/*.inc
+        # - python3 contrib/sort.py etc/profile-*/*.profile etc/inc/*.inc
 
 build_debian_package:
     image: debian:stretch
@@ -37,7 +37,7 @@ build_fedora_package:
         - dnf install -y rpm-build gcc make
         - ./configure --prefix=/usr && make rpms && rpm -i firejail*.rpm
         - command -V firejail && firejail --version
-        - python3 contrib/sort.py etc/profile-*/*.profile etc/inc/*.inc
+        # - python3 contrib/sort.py etc/profile-*/*.profile etc/inc/*.inc
 
 build_src_package:
     image: alpine:latest
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 76d3e709b..1ae293264 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -1,38 +1,58 @@
+# Contributing
+
 Welcome to firejail, and thank you for your interest in contributing!
 
-# Opening an issue:
-We welcome issues, whether to ask a question, provide information, request a new profile or
-feature, or to report a suspected bug or problem.
+## Opening an issue
+
+We welcome issues, whether to ask a question, provide information, request a
+new profile or feature, or to report a suspected bug or problem.
+
+If you want to request a program profile that we don't already have, please add
+a comment in our dedicated issue:
 
-If you want to request a program profile that we don't already have, please add a comment in
-our [dedicated issue](https://github.com/netblue30/firejail/issues/1139).
+- [Profile requests](https://github.com/netblue30/firejail/issues/1139)
 
 When submitting a bug report, please provide the following information so that
 we can handle the report more easily:
-- firejail version. If you're not sure, open a terminal and type `firejail --version`.
+
+- firejail version.  If you're not sure, open a terminal and type `firejail
+  --version`.
 - Linux distribution (so that we can try to reproduce it, if necessary).
-- If you know that the problem did not exist in an earlier version of firejail, please mention it.
-- If you are reporting that a program does not work with firejail, please also run firejail with
-the `--noprofile` argument.
-For example, if `firejail firefox` does not work, please also run `firejail --noprofile firefox` and
-let us know if it runs correctly or not.
-- You may also try disabling various options provided in `/etc/firejail/<ProgramName.profile>` until you find out which one causes problems. It will significantly help to find solution for your issue.
-
-Please note: if you are running Debian, Ubuntu, Linux Mint, or another related
+- If you know that the problem did not exist in an earlier version of firejail,
+  please mention it.
+- If you are reporting that a program does not work with firejail, please also
+  run firejail with the `--noprofile` argument.  For example, if `firejail
+  firefox` does not work, please also run `firejail --noprofile firefox` and
+  let us know if it runs correctly or not.
+- You may also try disabling various options provided in
+  `/etc/firejail/<ProgramName.profile>` until you find out which one causes
+  problems.  It will significantly help in finding a solution for your issue.
+
+Please note: If you are running Debian, Ubuntu, Linux Mint, or another related
 distribution and you installed firejail from your distro's repositories, please
-ensure that **both** of the following were installed:
-`firejail` and `firejail-profiles`. A common source of issues is that
-firejail-profiles was not installed when installing firejail.
+ensure that **all** of the following packages were installed:
+
+- firejail
+- firejail-profiles
 
-We take security bugs very seriously. If you believe you have found one, please report it by
-emailing us at netblue30@protonmail.com
+A common source of issues is that firejail-profiles was not installed when
+installing firejail.
+
+## Security vulnerabilities
+
+See [SECURITY.md](SECURITY.md).
+
+## Opening a pull request
 
-# Opening an pull request:
 Pull requests with enhancements, bugfixes or new profiles are very welcome.
 
 If you want to write a new profile, the easiest way to do this is to use the
-[profile template](https://github.com/netblue30/firejail/blob/master/etc/templates/profile.template).
-If you have already written a profile, please make sure it follows the rules described in the template.
+profile template:
+
+- [etc/templates/profile.template](etc/templates/profile.template)
+
+If you have already written a profile, please make sure it follows the rules
+described in the template.
 
 If you add a new command, here's the checklist:
 
@@ -41,6 +61,7 @@ If you add a new command, here's the checklist:
 - [ ] Update syntax files (run `make syntax` or just `make`)
 - [ ] Update --help
 
-# Editing the wiki
+## Editing the wiki
 
-You are highly encouraged to add your own tips and tricks to the [wiki](https://github.com/netblue30/firejail/wiki).
+You are highly encouraged to add your own tips and tricks to the
+[wiki](https://github.com/netblue30/firejail/wiki).
diff --git a/README b/README
index 4647a70c4..0d402a854 100644
--- a/README
+++ b/README
@@ -1,13 +1,14 @@
-Firejail is a SUID sandbox program that reduces the risk of security
-breaches by restricting the running environment of untrusted applications
-using Linux namespaces and seccomp-bpf. It includes sandbox profiles for
-Iceweasel/Mozilla Firefox, Chromium, Midori, Opera, Evince, Transmission,
-VLC, Audacious, Clementine, Rhythmbox, Totem, Deluge, qBittorrent.
-DeaDBeeF, Dropbox, Empathy, FileZilla, IceCat, Thunderbird/Icedove,
-Pidgin, Quassel, and XChat.
+Firejail is a SUID sandbox program that reduces the risk of security breaches
+by restricting the running environment of untrusted applications using Linux
+namespaces and seccomp-bpf.
+
+It includes sandbox profiles for many programs, including Iceweasel/Mozilla
+Firefox, Chromium, Midori, Opera, Evince, Transmission, VLC, Audacious,
+Clementine, Rhythmbox, Totem, Deluge, qBittorrent, DeaDBeeF, Dropbox, Empathy,
+FileZilla, IceCat, Thunderbird/Icedove, Pidgin, Quassel, and XChat.
 
 Firejail also expands the restricted shell facility found in bash by adding
-Linux namespace support. It supports sandboxing specific users upon login.
+Linux namespace support.  It supports sandboxing specific users upon login.
 
 Download: https://sourceforge.net/projects/firejail/files/
 Build and install: ./configure && make && sudo make install
@@ -17,30 +18,33 @@ Backup Video Channel: https://www.bitchute.com/profile/JSBsA1aoQVfW/
 Development: https://github.com/netblue30/firejail
 License: GPL v2
 
-Please report all security vulnerabilities at netblue30@protonmail.com
+Please report all security vulnerabilities to:
+
+* <netblue30@protonmail.com>
 
-Compile and install mainline version from GitHub:
+Compile and install the mainline version from GitHub:
 
-$ git clone https://github.com/netblue30/firejail.git
-$ cd firejail
-$ ./configure && make && sudo make install-strip
+    git clone https://github.com/netblue30/firejail.git
+    cd firejail
+    ./configure && make && sudo make install-strip
 
-On Debian/Ubuntu you will need to install git and gcc compiler. AppArmor
-development libraries and pkg-config are required when using --enable-apparmor
+On Debian/Ubuntu you will need to install git and gcc.  AppArmor development
+libraries and pkg-config are required when using the --enable-apparmor
 ./configure option:
 
-$ sudo apt-get install git build-essential libapparmor-dev pkg-config gawk
+    sudo apt-get install git build-essential libapparmor-dev pkg-config gawk
 
 For --selinux option, add libselinux1-dev (libselinux-devel for Fedora).
 
-We build our release firejail.tar.xz and firejail.deb packages using the following command:
-$ make distclean && ./configure && make deb
+We build our release firejail.tar.xz and firejail.deb packages using the
+following commands:
 
+    make distclean && ./configure && make deb
 
 Maintainer:
 - netblue30 (netblue30@protonmail.com)
 
-Committers
+Committers:
 - chiraag-nataraj (https://github.com/chiraag-nataraj)
 - crass (https://github.com/crass)
 - ChrysoliteAzalea (https://github.com/ChrysoliteAzalea)
@@ -55,15 +59,16 @@ Committers
 - rusty-snake (https://github.com/rusty-snake)
 - smitsohu (https://github.com/smitsohu)
 - SkewedZeppelin (https://github.com/SkewedZeppelin)
-- startx2017 (https://github.com/startx2017) - LTS and *bugfixes branches maintainer)
+- startx2017 (https://github.com/startx2017) - LTS and *bugfixes branches
+  maintainer)
 - Topi Miettinen (https://github.com/topimiettinen)
 - veloute (https://github.com/veloute)
 - Vincent43 (https://github.com/Vincent43)
 - netblue30 (netblue30@protonmail.com)
 
+---
 
-
-Firejail Authors (alphabetical order)
+Firejail Authors (alphabetical order):
 
 0x7969 (https://github.com/0x7969)
         - fix wire-desktop.profile
@@ -313,7 +318,8 @@ curiosityseeker (https://github.com/curiosityseeker - new)
         - updated keypassxc profile
         - added syscalls.sh, which determine the necessary syscalls for a program
         - fixed conky profile
-        - thunderbird.profile: harden and enable the rules necessary to make Firefox open links
+        - thunderbird.profile: harden and enable the rules necessary to make
+          Firefox open links
 da2x (https://github.com/da2x)
         - matched RPM license tag
 Daan Bakker (https://github.com/dbakker)
@@ -358,7 +364,8 @@ Disconnect3d (https://github.com/disconnect3d)
 dm9pZCAq (https://github.com/dm9pZCAq)
         - fix for compilation under musl
 dmfreemon (https://github.com/dmfreemon)
-        - add sandbox name or name of private directory to the window title when xpra is used
+        - add sandbox name or name of private directory to the window title
+          when xpra is used
         - handle malloc() failures; use gnu_basename() instead of basenaem()
 Dmitriy Chestnykh (https://github.com/chestnykh)
         - add ability to disable user profiles at compile time
@@ -1030,7 +1037,8 @@ soredake (https://github.com/soredake)
         - add localtime to private-etc to make qtox show correct time
         - fixes for the keepassxc 2.2.5 version
 SkewedZeppelin (https://github.com/SkewedZeppelin)
-        - added Bless, Gnome 2048, Gnome Calculator, Gnome Contacts, JD-GUI, Lollypop, MultiMC5 profiles
+        - added Bless, Gnome 2048, Gnome Calculator, Gnome Contacts, JD-GUI,
+          Lollypop, MultiMC5 profiles
         - added PDFSam, Pithos, and Xonotic profiles
         - disabled Go, Rust, and OpenSSL in disable-devel.conf
         - added dino profile
@@ -1048,7 +1056,8 @@ SkewedZeppelin (https://github.com/SkewedZeppelin)
         - added IntelliJ IDEA and Android Studio profiles
         - added arm profile
         - lots of profile improvements/tightening
-        - added apktool, baobab, dex2jar, gitg, hashcat, obs, picard, remmina, sdat2img,
+        - added apktool, baobab, dex2jar, gitg, hashcat, obs, picard, remmina,
+          sdat2img,
         soundconverter, sqlitebrowser, and truecraft profiles
         - added gnome-twitch profile
         - Unified all 341 profiles
@@ -1085,10 +1094,12 @@ SYN-cook (https://github.com/SYN-cook)
         - gnome-calculator changes
 startx2017 (https://github.com/startx2017)
         - syscall list update
-        - updated default seccomp filters - added bpf, clock_settime, personality, process_vm_writev, query_module,
-          settimeofday, stime, umount, userfaultfd, ustat, vm86, and vm86old
+        - updated default seccomp filters - added bpf, clock_settime,
+          personality, process_vm_writev, query_module, settimeofday, stime,
+          umount, userfaultfd, ustat, vm86, and vm86old
         - enable/disable join support in /etc/firejail/firejail.config
-        - firecfg fix: create ~/.local/share/applications directory if it doesn't exist
+        - firecfg fix: create ~/.local/share/applications directory if it
+          doesn't exist
         - firejail.config cleanup
         - --quiet fixes
         - bugfixes branches maintainer
@@ -1250,10 +1261,9 @@ Zack Weinberg (https://github.com/zackw)
         - wait_for_other function rewrite
         - Xvfb X11 server support
         - Xvfb and Xephyr profiles, modified Xpra profile
-        - support for sandboxing Xpra, Xvfb and Xephyr in independent sandboxes when started
-          with firejail --x11
+        - support for sandboxing Xpra, Xvfb and Xephyr in independent sandboxes
+          when started with firejail --x11
         - support for xpra-extra-params in firejail.config
-
 zupatisc (https://github.com/zupatisc)
         - patch-util fix
 
diff --git a/README.md b/README.md
index 22e2fa291..09a3276e6 100644
--- a/README.md
+++ b/README.md
@@ -1,79 +1,91 @@
 # Firejail
-[![Build Status](https://gitlab.com/Firejail/firejail_ci/badges/master/pipeline.svg)](https://gitlab.com/Firejail/firejail_ci/pipelines/)
-[![CodeQL](https://github.com/netblue30/firejail/workflows/CodeQL/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ACodeQL)
-[![Build CI](https://github.com/netblue30/firejail/workflows/Build%20CI/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3A%22Build+CI%22)
-[![Packaging status](https://repology.org/badge/tiny-repos/firejail.svg)](https://repology.org/project/firejail/versions)
-
-Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting
-the running environment of untrusted applications using Linux namespaces, seccomp-bpf
-and Linux capabilities. It allows a process and all its descendants to have their own private
-view of the globally shared kernel resources, such as the network stack, process table, mount table.
-Firejail can work in a SELinux or AppArmor environment, and it is integrated with Linux Control Groups.
-
-Written in C with virtually no dependencies, the software runs on any Linux computer with a 3.x kernel
-version or newer. It can sandbox any type of processes: servers, graphical applications, and even
-user login sessions. The software includes sandbox profiles for a number of more common Linux programs,
+
+[![Build CI (GitLab)](https://gitlab.com/Firejail/firejail_ci/badges/master/pipeline.svg)](https://gitlab.com/Firejail/firejail_ci/pipelines)
+[![Build CI (GitHub)](https://github.com/netblue30/firejail/workflows/Build%20CI/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3A%22Build+CI%22)
+[![CodeQL CI](https://github.com/netblue30/firejail/workflows/CodeQL/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ACodeQL)
+[![Packaging status (Repology)](https://repology.org/badge/tiny-repos/firejail.svg)](https://repology.org/project/firejail/versions)
+
+Firejail is a SUID sandbox program that reduces the risk of security breaches
+by restricting the running environment of untrusted applications using Linux
+namespaces, seccomp-bpf and Linux capabilities.  It allows a process and all
+its descendants to have their own private view of the globally shared kernel
+resources, such as the network stack, process table, mount table.  Firejail can
+work in a SELinux or AppArmor environment, and it is integrated with Linux
+Control Groups.
+
+Written in C with virtually no dependencies, the software runs on any Linux
+computer with a 3.x kernel version or newer.  It can sandbox any type of
+processes: servers, graphical applications, and even user login sessions.  The
+software includes sandbox profiles for a number of more common Linux programs,
 such as Mozilla Firefox, Chromium, VLC, Transmission etc.
 
-The sandbox is lightweight, the overhead is low. There are no complicated configuration files to edit,
-no socket connections open, no daemons running in the background. All security features are
-implemented directly in Linux kernel and available on any Linux computer.
+The sandbox is lightweight, the overhead is low.  There are no complicated
+configuration files to edit, no socket connections open, no daemons running in
+the background.  All security features are implemented directly in Linux kernel
+and available on any Linux computer.
+
+## Videos
 
-<table><tr>
+<table>
+<tr>
 
 <td>
 <a href="https://odysee.com/@netblue30:9/firefox:c" target="_blank">
 <img src="https://thumbs.odycdn.com/acf4b1c66737feb97640fb1d28a7daa6.png"
-alt="Advanced Browser Security" width="240" height="142" border="10" /><br/>Advanced Browser Security</a>
+alt="Advanced Browser Security" width="240" height="142" border="10" />
+<br/>Advanced Browser Security
+</a>
 </td>
 
 <td>
 <a href="https://odysee.com/@netblue30:9/nonet:7" target="_blank">
 <img src="https://thumbs.odycdn.com/5be2964201c31689ee8f78cb9f35e89a.png"
-alt="How To Disable Network Access" width="240" height="142" border="10" /><br/>How To Disable Network Access</a>
+alt="How To Disable Network Access" width="240" height="142" border="10" />
+<br/>How To Disable Network Access
+</a>
 </td>
 
 <td>
 <a href="https://odysee.com/@netblue30:9/divested:2" target="_blank">
 <img src="https://thumbs.odycdn.com/f30ece33a6547af9ae48244f4ba73028.png"
-alt="Deep Dive" width="240" height="142" border="10" /><br/>Deep Dive</a>
+alt="Deep Dive" width="240" height="142" border="10" />
+<br/>Deep Dive
+</a>
 </td>
 
-</tr></table>
-
-Project webpage: https://firejail.wordpress.com/
-
-IRC: https://web.libera.chat/#firejail
-
-Download and Installation: https://firejail.wordpress.com/download-2/
-
-Features: https://firejail.wordpress.com/features-3/
+</tr>
+</table>
 
-Documentation: https://firejail.wordpress.com/documentation-2/
+## Links
 
-FAQ: https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions
-
-Wiki: https://github.com/netblue30/firejail/wiki
-
-GitLab-CI status: https://gitlab.com/Firejail/firejail_ci/pipelines/
-
-Video Channel: https://odysee.com/@netblue30:9?order=new
-
-Backup Video Channel: https://www.bitchute.com/profile/JSBsA1aoQVfW/
+* Project webpage: <https://firejail.wordpress.com/>
+* IRC: <https://web.libera.chat/#firejail>
+* Download and Installation: <https://firejail.wordpress.com/download-2/>
+* Features: <https://firejail.wordpress.com/features-3/>
+* Documentation: <https://firejail.wordpress.com/documentation-2/>
+* FAQ: <https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions>
+* Wiki: <https://github.com/netblue30/firejail/wiki>
+* GitHub Actions: <https://github.com/netblue30/firejail/actions>
+* GitLab CI: <https://gitlab.com/Firejail/firejail_ci/pipelines>
+* Video Channel: <https://odysee.com/@netblue30:9?order=new>
+* Backup Video Channel: <https://www.bitchute.com/profile/JSBsA1aoQVfW/>
 
 ## Security vulnerabilities
 
-We take security bugs very seriously. If you believe you have found one, please report it by emailing us at netblue30@protonmail.com
+See [SECURITY.md](SECURITY.md).
 
 ## Installing
 
 ### Debian
 
-Debian stable (bullseye): We recommend to use the [backports](https://packages.debian.org/bullseye-backports/firejail) package.
+Debian stable (bullseye): We recommend to use the
+[backports](https://packages.debian.org/bullseye-backports/firejail) package.
 
 ### Ubuntu
 
-For Ubuntu 18.04+ and derivatives (such as Linux Mint), users are **strongly advised** to use the [PPA](https://launchpad.net/~deki/+archive/ubuntu/firejail).
+For Ubuntu 18.04+ and derivatives (such as Linux Mint), users are **strongly
+advised** to use the
+[PPA](https://launchpad.net/~deki/+archive/ubuntu/firejail).
 
 How to add and install from the PPA:
 
@@ -83,140 +95,186 @@ sudo apt-get update
 sudo apt-get install firejail firejail-profiles
 ```
 
-Reason: The firejail package for Ubuntu 20.04 has been left vulnerable to CVE-2021-26910 for months after a patch for it was posted on Launchpad:
+Reason: The firejail package for Ubuntu 20.04 has been left vulnerable to
+CVE-2021-26910 for months after a patch for it was posted on Launchpad:
 
-* [firejail version in Ubuntu 20.04 LTS is vulnerable to CVE-2021-26910](https://bugs.launchpad.net/ubuntu/+source/firejail/+bug/1916767)
+* [CVE-2021-26910](https://github.com/advisories/GHSA-2q4h-h5jp-942w)
+* [firejail version in Ubuntu 20.04 LTS is vulnerable to
+  CVE-2021-26910](https://bugs.launchpad.net/ubuntu/+source/firejail/+bug/1916767)
 
 See also <https://wiki.ubuntu.com/SecurityTeam/FAQ>:
 
 > What software is supported by the Ubuntu Security team?
 >
 > Ubuntu is currently divided into four components: main, restricted, universe
-> and multiverse. All binary packages in main and restricted are supported by
+> and multiverse.  All binary packages in main and restricted are supported by
 > the Ubuntu Security team for the life of an Ubuntu release, while binary
 > packages in universe and multiverse are supported by the Ubuntu community.
 
-Additionally, the PPA version is likely to be more recent and to contain more profile fixes.
+Additionally, the PPA version is likely to be more recent and to contain more
+profile fixes.
 
 See the following discussions for details:
 
-* [Should I keep using the version of firejail available in my distro repos?](https://github.com/netblue30/firejail/discussions/4666)
-* [How to install the latest version on Ubuntu and derivatives](https://github.com/netblue30/firejail/discussions/4663)
+* [Should I keep using the version of firejail available in my distro
+  repos?](https://github.com/netblue30/firejail/discussions/4666)
+* [How to install the latest version on Ubuntu and
+  derivatives](https://github.com/netblue30/firejail/discussions/4663)
 
 ### Other
 
-Firejail is included in a large number of Linux distributions.
+Firejail is available in multiple Linux distributions:
+
+<details>
+<summary>Repology</summary>
+<p>
+
+[![Packaging status (Repology)](https://repology.org/badge/vertical-allrepos/firejail.svg)](https://repology.org/project/firejail/versions)
 
-You can also install one of the [released packages](http://sourceforge.net/projects/firejail/files/firejail), or clone Firejail’s source code from our Git repository and compile manually:
+</p>
+</details>
 
-`````
-$ git clone https://github.com/netblue30/firejail.git
-$ cd firejail
-$ ./configure && make && sudo make install-strip
-`````
-On Debian/Ubuntu you will need to install git and gcc compiler. AppArmor
-development libraries and pkg-config are required when using `--enable-apparmor`
+Other than the [aforementioned exceptions](#installing), as long as your
+distribution provides a [supported version](SECURITY.md) of firejail, it's
+generally a good idea to install it from the distribution.
+
+The version can be checked with `firejail --version` after installing.
+
+You can also install one of the [released
+packages](https://github.com/netblue30/firejail/releases).
+
+Or clone the source code from our git repository and build manually:
+
+```sh
+git clone https://github.com/netblue30/firejail.git
+cd firejail
+./configure && make && sudo make install-strip
+```
+
+On Debian/Ubuntu you will need to install git and gcc.  AppArmor development
+libraries and pkg-config are required when using the `--enable-apparmor`
 ./configure option:
-`````
-$ sudo apt-get install git build-essential libapparmor-dev pkg-config gawk
-`````
+
+```sh
+sudo apt-get install git build-essential libapparmor-dev pkg-config gawk
+```
+
 For `--selinux` option, add libselinux1-dev (libselinux-devel for Fedora).
 
-Detailed information on using firejail from git is available on the [wiki](https://github.com/netblue30/firejail/wiki/Using-firejail-from-git).
+Detailed information on using firejail from git is available on the
+[wiki](https://github.com/netblue30/firejail/wiki/Using-firejail-from-git).
 
 ## Running the sandbox
 
 To start the sandbox, prefix your command with `firejail`:
 
-`````
-$ firejail firefox            # starting Mozilla Firefox
-$ firejail transmission-gtk   # starting Transmission BitTorrent
-$ firejail vlc                # starting VideoLAN Client
-$ sudo firejail /etc/init.d/nginx start
-`````
-Run `firejail --list` in a terminal to list all active sandboxes. Example:
-`````
+```sh
+firejail firefox            # starting Mozilla Firefox
+firejail transmission-gtk   # starting Transmission BitTorrent
+firejail vlc                # starting VideoLAN Client
+sudo firejail /etc/init.d/nginx start
+```
+
+Run `firejail --list` in a terminal to list all active sandboxes.  Example:
+
+```console
 $ firejail --list
 1617:netblue:/usr/bin/firejail /usr/bin/firefox-esr
 7719:netblue:/usr/bin/firejail /usr/bin/transmission-qt
 7779:netblue:/usr/bin/firejail /usr/bin/galculator
 7874:netblue:/usr/bin/firejail /usr/bin/vlc --started-from-file file:///home/netblue/firejail-whitelist.mp4
 7916:netblue:firejail --list
-`````
+```
 
 ## Desktop integration
 
 Integrate your sandbox into your desktop by running the following two commands:
-`````
-$ firecfg --fix-sound
-$ sudo firecfg
-`````
 
-The first command solves some shared memory/PID namespace bugs in PulseAudio software prior to version 9.
-The second command integrates Firejail into your desktop. You would need to logout and login back to apply
-PulseAudio changes.
+```sh
+firecfg --fix-sound
+sudo firecfg
+```
+
+The first command solves some shared memory/PID namespace bugs in PulseAudio
+software prior to version 9.  The second command integrates Firejail into your
+desktop.  You would need to logout and login back to apply PulseAudio changes.
+
+Start your programs the way you are used to: desktop manager menus, file
+manager, desktop launchers.
 
-Start your programs the way you are used to: desktop manager menus, file manager, desktop launchers.
-The integration applies to any program supported by default by Firejail. There are about 250 default applications
-in current Firejail version, and the number goes up with every new release.
-We keep the application list in [/etc/firejail/firecfg.config](https://github.com/netblue30/firejail/blob/master/src/firecfg/firecfg.config) file.
+The integration applies to any program supported by default by Firejail.  There
+are over 900 default applications in the current Firejail version, and the
+number goes up with every new release.
+
+We keep the application list in
+[src/firecfg/firecfg.config](src/firecfg/firecfg.config)
+(/etc/firejail/firecfg.config when installed).
 
 ## Security profiles
 
-Most Firejail command line options can be passed to the sandbox using profile files.
-You can find the profiles for all supported applications in [/etc/firejail](https://github.com/netblue30/firejail/tree/master/etc) directory.
+Most Firejail command line options can be passed to the sandbox using profile
+files.
+
+You can find the profiles for all supported applications in [etc/](etc/)
+(/etc/firejail/ when installed).
+
+We also keep a list of profile fixes for previous released versions in
+[etc-fixes/](etc-fixes/).
 
-If you keep additional Firejail security profiles in a public repository, please give us a link:
+If you keep additional Firejail security profiles in a public repository,
+please give us a link:
 
-* https://github.com/chiraag-nataraj/firejail-profiles
+* <https://github.com/chiraag-nataraj/firejail-profiles>
+* <https://github.com/triceratops1/fe>
 
-* https://github.com/triceratops1/fe
+Use this issue to request new profiles:
 
-Use this issue to request new profiles: [#1139](https://github.com/netblue30/firejail/issues/1139)
+* [Profile requests](https://github.com/netblue30/firejail/issues/1139)
 
-You can also use this tool to get a list of syscalls needed by a program: [contrib/syscalls.sh](contrib/syscalls.sh).
+You can also use this tool to get a list of syscalls needed by a program:
 
-We also keep a list of profile fixes for previous released versions in [etc-fixes](https://github.com/netblue30/firejail/tree/master/etc-fixes) directory.
+* [contrib/syscalls.sh](contrib/syscalls.sh)
 
 ## Latest released version: 0.9.72
 
 ## Current development version: 0.9.73
 
 ### --keep-shell-rc
-`````
+
+```text
        --keep-shell-rc
               By default, when using a private home directory, firejail copies
               files  from the system's user home template (/etc/skel) into it,
               which overrides attempts to whitelist the original  files  (such
               as  ~/.bashrc and ~/.zshrc).  This option disables this feature,
               and enables the user to whitelist the original files.
-
-`````
+```
 
 ### private-etc rework
-`````
+
+```text
        --private-etc, --private-etc=file,directory,@group
-              The files installed by --private-etc are copies of the  original
-              system  files  from  /etc  directory.   By  default, the command
-              brings in a skeleton of files and directories used by most  con‐
-              sole tools:
+              The files installed by --private-etc are copies of the original
+              system files from /etc directory.  By default, the command
+              brings in a skeleton of files and directories used by most
+              console tools:
 
               $ firejail --private-etc dig debian.org
 
-              For  X11/GTK/QT/Gnome/KDE   programs add @x11 group as a parame‐
-              ter. Example:
+              For X11/GTK/QT/Gnome/KDE  programs add @x11 group as a
+              parameter. Example:
 
               $ firejail --private-etc=@x11,gcrypt,python* gimp
 
-              gcrypt and /etc/python* directories are not part of the  generic
+              gcrypt and /etc/python* directories are not part of the generic
               @x11 group.  File globbing is supported.
 
               For games, add @games group:
 
               $ firejail --private-etc=@games,@x11 warzone2100
 
-              Sound  and  networking  files are included automatically, unless
-              --nosound or --net=none  are  specified.   Files  for  encrypted
+              Sound and networking files are included automatically, unless
+              --nosound or --net=none are specified.  Files for encrypted
               TLS/SSL protocol are in @tls-ca group.
 
               $ firejail --private-etc=@tls-ca,wgetrc wget https://debian.org
@@ -225,22 +283,29 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe
               by your program is using strace utility:
 
               $ strace /usr/bin/transmission-qt 2>&1 | grep open | grep etc
+```
+
+We keep the list of groups in
+[src/include/etc_groups.h](src/include/etc_groups.h).
 
-`````
-We keep the list of groups in [src/include/etc_groups.h](https://github.com/netblue30/firejail/blob/master/src/include/etc_groups.h)
-Discussion: https://github.com/netblue30/firejail/discussions/5610
+Discussion:
+
+* [private-etc rework](https://github.com/netblue30/firejail/discussions/5610)
 
 ### Profile Statistics
 
-A small tool to print profile statistics. Compile and install as usual. The tool is installed in /usr/lib/firejail directory.
+A small tool to print profile statistics.  Compile and install as usual.  The
+tool is installed in the /usr/lib/firejail directory.
+
 Run it over the profiles in /etc/profiles:
-```
+
+```console
 $ /usr/lib/firejail/profstats /etc/firejail/*.profile
 No include .local found in /etc/firejail/noprofile.profile
 Warning: multiple caps in /etc/firejail/transmission-daemon.profile
 
 Stats:
-     profiles                   1209
+    profiles                    1209
     include local profile       1208   (include profile-name.local)
     include globals             1181   (include globals.local)
     blacklist ~/.ssh            1079   (include disable-common.inc)
@@ -266,5 +331,4 @@ Stats:
     dbus-user filter            141
     dbus-system none            851
     dbus-system filter          12
-
 ```
diff --git a/RELNOTES b/RELNOTES
index c0b91d7b9..ce20654f6 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -21,14 +21,16 @@ firejail (0.9.73) baseline; urgency=low
   * build: deb: enable apparmor by default & remove deb-apparmor (#5668)
   * build: Fix whitespace and add .editorconfig (#5674)
   * ci: always update the package db before installing packages (#5742)
+  * ci: fix codeql unable to download its own bundle (#5783)
   * test: split individual test groups in github workflows
   * test: add chroot, appimage and network tests in github workflows
   * docs: remove apparmor options in --help when building without apparmor
     support (#5589)
-  * docs: selinux.c: Split Copyright notice & use same license as upstream
+  * docs: markdown formatting and misc improvements (#5757)
+  * legal: selinux.c: Split Copyright notice & use same license as upstream
     (#5667)
   * new profiles: fix-qdf, qpdf, zlib-flate, standard-notes
- -- netblue30 <netblue30@yahoo.com>  Mon, 16 Jan 2023 09:00:00 -0500
+ -- netblue30 <netblue30@yahoo.com>  Mon, 17 Jan 2023 09:00:00 -0500
 
 firejail (0.9.72) baseline; urgency=low
   * feature: On failing to remount a fuse filesystem, give warning instead of
diff --git a/SECURITY.md b/SECURITY.md
index 734d04ccf..2a9cc7f6f 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -26,4 +26,8 @@
 
 ## Security vulnerabilities
 
-We take security bugs very seriously. If you believe you have found one, please report it by emailing us at netblue30@@protonmail.com
+We take security bugs very seriously.
+
+If you believe you have found one, please report it to:
+
+* <netblue30@protonmail.com>
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index 5f4233363..4277100ce 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -69,6 +69,9 @@ blacklist ${HOME}/.xsessionrc
 blacklist /etc/X11/Xsession.d
 blacklist /etc/xdg/autostart
 read-only ${HOME}/.Xauthority
+read-only ${HOME}/.config/awesome/autorun.sh
+read-only ${HOME}/.config/openbox/autostart
+read-only ${HOME}/.config/openbox/environment
 
 # Session manager
 # see #3358
@@ -123,6 +126,7 @@ read-only ${HOME}/.config/kio_httprc
 read-only ${HOME}/.config/kiorc
 read-only ${HOME}/.config/kioslaverc
 read-only ${HOME}/.config/ksslcablacklist
+read-only ${HOME}/.config/lxqt
 read-only ${HOME}/.kde/share/apps/konsole
 read-only ${HOME}/.kde/share/apps/kssl
 read-only ${HOME}/.kde/share/config/*notifyrc
@@ -329,6 +333,7 @@ read-only ${HOME}/.ssh/config.d
 # Initialization files that allow arbitrary command execution
 read-only ${HOME}/.caffrc
 read-only ${HOME}/.cargo/env
+read-only ${HOME}/.config/mpv
 read-only ${HOME}/.config/nano
 read-only ${HOME}/.config/nvim
 read-only ${HOME}/.config/pkcs11
@@ -337,6 +342,7 @@ read-only ${HOME}/.elinks
 read-only ${HOME}/.emacs
 read-only ${HOME}/.emacs.d
 read-only ${HOME}/.exrc
+read-only ${HOME}/.gnupg/gpg.conf
 read-only ${HOME}/.gvimrc
 read-only ${HOME}/.homesick
 read-only ${HOME}/.iscreenrc
@@ -345,6 +351,7 @@ read-only ${HOME}/.local/share/cool-retro-term
 read-only ${HOME}/.local/share/nvim
 read-only ${HOME}/.local/state/nvim
 read-only ${HOME}/.mailcap
+read-only ${HOME}/.mozilla/firefox/profiles.ini
 read-only ${HOME}/.msmtprc
 read-only ${HOME}/.mutt/muttrc
 read-only ${HOME}/.muttrc
@@ -366,6 +373,10 @@ read-only ${HOME}/_gvimrc
 read-only ${HOME}/_vimrc
 read-only ${HOME}/dotfiles
 
+# System package managers and AUR helpers
+blacklist ${HOME}/.config/cower
+read-only ${HOME}/.config/cower/config
+
 # Make directories commonly found in $PATH read-only
 read-only ${HOME}/.bin
 read-only ${HOME}/.cargo/bin
@@ -391,6 +402,11 @@ read-only ${HOME}/.config/user-dirs.dirs
 read-only ${HOME}/.config/user-dirs.locale
 read-only ${HOME}/.local/share/mime
 
+# Configuration files that do not allow arbitrary command execution but that
+# are intended to be modified manually (in a text editor and/or by a program
+# dedicated to managing them)
+read-only ${HOME}/.config/MangoHud
+
 # Write-protection for thumbnailer dir
 read-only ${HOME}/.local/share/thumbnailers
 
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index c7e2f2ca9..211111aaa 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -402,7 +402,6 @@ blacklist ${HOME}/.config/cmus
 blacklist ${HOME}/.config/cointop
 blacklist ${HOME}/.config/com.github.bleakgrey.tootle
 blacklist ${HOME}/.config/corebird
-blacklist ${HOME}/.config/cower
 blacklist ${HOME}/.config/coyim
 blacklist ${HOME}/.config/d-feet
 blacklist ${HOME}/.config/darktable
diff --git a/etc/inc/whitelist-common.inc b/etc/inc/whitelist-common.inc
index c9f21b2dc..cae059f89 100644
--- a/etc/inc/whitelist-common.inc
+++ b/etc/inc/whitelist-common.inc
@@ -10,16 +10,12 @@ whitelist ${HOME}/.asoundrc
 whitelist ${HOME}/.config/ibus
 whitelist ${HOME}/.config/mimeapps.list
 whitelist ${HOME}/.config/pkcs11
-read-only ${HOME}/.config/pkcs11
 whitelist ${HOME}/.config/user-dirs.dirs
-read-only ${HOME}/.config/user-dirs.dirs
 whitelist ${HOME}/.config/user-dirs.locale
-read-only ${HOME}/.config/user-dirs.locale
 whitelist ${HOME}/.drirc
 whitelist ${HOME}/.icons
 ?HAS_APPIMAGE: whitelist ${HOME}/.local/share/appimagekit
 whitelist ${HOME}/.local/share/applications
-read-only ${HOME}/.local/share/applications
 whitelist ${HOME}/.local/share/icons
 whitelist ${HOME}/.local/share/mime
 whitelist ${HOME}/.mime.types
@@ -68,6 +64,7 @@ whitelist ${HOME}/.config/kdeglobals
 whitelist ${HOME}/.config/kio_httprc
 whitelist ${HOME}/.config/kioslaverc
 whitelist ${HOME}/.config/ksslcablacklist
+whitelist ${HOME}/.config/lxqt
 whitelist ${HOME}/.config/qt5ct
 whitelist ${HOME}/.config/qt6ct
 whitelist ${HOME}/.config/qtcurve
diff --git a/etc/profile-a-l/ani-cli.profile b/etc/profile-a-l/ani-cli.profile
index 231b5bca0..f05653719 100644
--- a/etc/profile-a-l/ani-cli.profile
+++ b/etc/profile-a-l/ani-cli.profile
@@ -35,7 +35,5 @@ private-bin ani-cli,aria2c,cat,cp,curl,cut,ffmpeg,fzf,grep,head,mkdir,mv,nl,nohu
 private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg
 private-tmp
 
-read-only ${HOME}/.config/mpv
-
 # Redirect
 include mpv.profile
diff --git a/etc/profile-a-l/awesome.profile b/etc/profile-a-l/awesome.profile
index d8c073c8d..910dd8a91 100644
--- a/etc/profile-a-l/awesome.profile
+++ b/etc/profile-a-l/awesome.profile
@@ -16,5 +16,4 @@ noroot
 protocol unix,inet,inet6
 seccomp !chroot
 
-read-only ${HOME}/.config/awesome/autorun.sh
 #restrict-namespaces
diff --git a/etc/profile-a-l/cower.profile b/etc/profile-a-l/cower.profile
index e896f3537..9b05b4416 100644
--- a/etc/profile-a-l/cower.profile
+++ b/etc/profile-a-l/cower.profile
@@ -45,5 +45,4 @@ private-dev
 private-tmp
 
 memory-deny-write-execute
-read-only ${HOME}/.config/cower/config
 restrict-namespaces
diff --git a/etc/profile-a-l/electron-mail.profile b/etc/profile-a-l/electron-mail.profile
index 9f4fabd68..766fe523b 100644
--- a/etc/profile-a-l/electron-mail.profile
+++ b/etc/profile-a-l/electron-mail.profile
@@ -24,7 +24,6 @@ whitelist ${HOME}/.config/electron-mail
 # there isn't a Firefox instance running with the default profile; see #5352)
 noblacklist ${HOME}/.mozilla
 whitelist ${HOME}/.mozilla/firefox/profiles.ini
-read-only ${HOME}/.mozilla/firefox/profiles.ini
 
 machine-id
 nosound
diff --git a/etc/profile-a-l/email-common.profile b/etc/profile-a-l/email-common.profile
index 0a44a62a3..7d5c859e9 100644
--- a/etc/profile-a-l/email-common.profile
+++ b/etc/profile-a-l/email-common.profile
@@ -85,6 +85,5 @@ dbus-user.talk org.gnome.seahorse.*
 dbus-user.talk org.mozilla.*
 dbus-system none
 
-read-only ${HOME}/.mozilla/firefox/profiles.ini
 read-only ${HOME}/.signature
 restrict-namespaces
diff --git a/etc/profile-a-l/firefox.profile b/etc/profile-a-l/firefox.profile
index 0e1d30958..42d59157c 100644
--- a/etc/profile-a-l/firefox.profile
+++ b/etc/profile-a-l/firefox.profile
@@ -14,6 +14,9 @@ include globals.local
 # https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions#how-do-i-run-two-instances-of-firefox
 # https://github.com/netblue30/firejail/issues/4206#issuecomment-824806968
 
+# (Ignore entry from disable-common.inc)
+ignore read-only ${HOME}/.mozilla/firefox/profiles.ini
+
 noblacklist ${HOME}/.cache/mozilla
 noblacklist ${HOME}/.mozilla
 noblacklist ${RUNUSER}/*firefox*
diff --git a/etc/profile-a-l/geary.profile b/etc/profile-a-l/geary.profile
index a19a20ba7..ba0837780 100644
--- a/etc/profile-a-l/geary.profile
+++ b/etc/profile-a-l/geary.profile
@@ -91,5 +91,4 @@ dbus-user.talk org.gnome.evolution.dataserver.Sources5
 dbus-user.talk org.mozilla.*
 dbus-system none
 
-read-only ${HOME}/.mozilla/firefox/profiles.ini
 restrict-namespaces
diff --git a/etc/profile-a-l/kube.profile b/etc/profile-a-l/kube.profile
index 5183a9327..5cf30ed40 100644
--- a/etc/profile-a-l/kube.profile
+++ b/etc/profile-a-l/kube.profile
@@ -77,5 +77,4 @@ dbus-user.talk org.freedesktop.secrets
 dbus-user.talk org.freedesktop.Notifications
 dbus-system none
 
-read-only ${HOME}/.mozilla/firefox/profiles.ini
 restrict-namespaces
diff --git a/etc/profile-a-l/linuxqq.profile b/etc/profile-a-l/linuxqq.profile
index 9157d910b..6ca8b8103 100644
--- a/etc/profile-a-l/linuxqq.profile
+++ b/etc/profile-a-l/linuxqq.profile
@@ -37,7 +37,5 @@ dbus-user.talk org.gnome.Mutter.IdleMonitor
 dbus-user.talk org.mozilla.*
 ignore dbus-user none
 
-read-only ${HOME}/.mozilla/firefox/profiles.ini
-
 # Redirect
 include electron-common.profile
diff --git a/etc/profile-a-l/lobster.profile b/etc/profile-a-l/lobster.profile
index 01928c775..2b0fc5275 100644
--- a/etc/profile-a-l/lobster.profile
+++ b/etc/profile-a-l/lobster.profile
@@ -35,7 +35,5 @@ private-bin curl,cut,fzf,grep,head,lobster,mv,patch,rm,sed,sh,tail,tput,tr,uname
 private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg
 private-tmp
 
-read-only ${HOME}/.config/mpv
-
 # Redirect
 include mpv.profile
diff --git a/etc/profile-m-z/makepkg.profile b/etc/profile-m-z/makepkg.profile
index e9d245a6d..266d00395 100644
--- a/etc/profile-m-z/makepkg.profile
+++ b/etc/profile-m-z/makepkg.profile
@@ -19,7 +19,6 @@ blacklist ${RUNUSER}/wayland-*
 
 # Enable severely restricted access to ${HOME}/.gnupg
 noblacklist ${HOME}/.gnupg
-read-only ${HOME}/.gnupg/gpg.conf
 read-only ${HOME}/.gnupg/trustdb.gpg
 read-only ${HOME}/.gnupg/pubring.kbx
 blacklist ${HOME}/.gnupg/random_seed
diff --git a/etc/profile-m-z/mov-cli.profile b/etc/profile-m-z/mov-cli.profile
index 8ad94b949..74d630e24 100644
--- a/etc/profile-m-z/mov-cli.profile
+++ b/etc/profile-m-z/mov-cli.profile
@@ -25,7 +25,5 @@ private-bin ffmpeg,fzf,mov-cli
 private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg
 private-tmp
 
-read-only ${HOME}/.config/mpv
-
 # Redirect
 include mpv.profile
diff --git a/etc/profile-m-z/openbox.profile b/etc/profile-m-z/openbox.profile
index 2da867dec..9b566a42b 100644
--- a/etc/profile-m-z/openbox.profile
+++ b/etc/profile-m-z/openbox.profile
@@ -16,6 +16,4 @@ noroot
 protocol unix,inet,inet6
 seccomp !chroot
 
-read-only ${HOME}/.config/openbox/autostart
-read-only ${HOME}/.config/openbox/environment
 #restrict-namespaces
diff --git a/etc/profile-m-z/signal-desktop.profile b/etc/profile-m-z/signal-desktop.profile
index a26b41524..3e1899ef3 100644
--- a/etc/profile-m-z/signal-desktop.profile
+++ b/etc/profile-m-z/signal-desktop.profile
@@ -14,7 +14,6 @@ noblacklist ${HOME}/.config/Signal
 # These lines are needed to allow Firefox to open links
 noblacklist ${HOME}/.mozilla
 whitelist ${HOME}/.mozilla/firefox/profiles.ini
-read-only ${HOME}/.mozilla/firefox/profiles.ini
 
 mkdir ${HOME}/.config/Signal
 whitelist ${HOME}/.config/Signal
diff --git a/etc/profile-m-z/standardnotes-desktop.profile b/etc/profile-m-z/standardnotes-desktop.profile
index 95dc35741..3fe0963a9 100644
--- a/etc/profile-m-z/standardnotes-desktop.profile
+++ b/etc/profile-m-z/standardnotes-desktop.profile
@@ -18,6 +18,10 @@ mkdir ${HOME}/Standard Notes Backups
 mkdir ${HOME}/.config/Standard Notes
 whitelist ${HOME}/Standard Notes Backups
 whitelist ${HOME}/.config/Standard Notes
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 apparmor
diff --git a/etc/profile-m-z/steam.profile b/etc/profile-m-z/steam.profile
index a5b4d5d87..63d629a32 100644
--- a/etc/profile-m-z/steam.profile
+++ b/etc/profile-m-z/steam.profile
@@ -181,5 +181,4 @@ private-tmp
 #dbus-user none
 #dbus-system none
 
-read-only ${HOME}/.config/MangoHud
 #restrict-namespaces
diff --git a/etc/profile-m-z/thunderbird.profile b/etc/profile-m-z/thunderbird.profile
index 1ac80bc9a..5df207e25 100644
--- a/etc/profile-m-z/thunderbird.profile
+++ b/etc/profile-m-z/thunderbird.profile
@@ -24,7 +24,6 @@ writable-run-user
 # These lines are needed to allow Firefox to load your profile when clicking a link in an email
 noblacklist ${HOME}/.mozilla
 whitelist ${HOME}/.mozilla/firefox/profiles.ini
-read-only ${HOME}/.mozilla/firefox/profiles.ini
 
 noblacklist ${HOME}/.cache/thunderbird
 noblacklist ${HOME}/.gnupg
diff --git a/etc/profile-m-z/trojita.profile b/etc/profile-m-z/trojita.profile
index 378c8a1b7..ba68ccb53 100644
--- a/etc/profile-m-z/trojita.profile
+++ b/etc/profile-m-z/trojita.profile
@@ -60,5 +60,4 @@ dbus-user filter
 dbus-user.talk org.freedesktop.secrets
 dbus-system none
 
-read-only ${HOME}/.mozilla/firefox/profiles.ini
 restrict-namespaces
diff --git a/etc/profile-m-z/tutanota-desktop.profile b/etc/profile-m-z/tutanota-desktop.profile
index 4793e9dbb..55e4a4392 100644
--- a/etc/profile-m-z/tutanota-desktop.profile
+++ b/etc/profile-m-z/tutanota-desktop.profile
@@ -28,7 +28,6 @@ whitelist ${HOME}/.config/tutanota-desktop
 # there isn't a Firefox instance running with the default profile; see #5352)
 noblacklist ${HOME}/.mozilla
 whitelist ${HOME}/.mozilla/firefox/profiles.ini
-read-only ${HOME}/.mozilla/firefox/profiles.ini
 
 machine-id
 nosound
diff --git a/etc/profile-m-z/youtube-viewers-common.profile b/etc/profile-m-z/youtube-viewers-common.profile
index 9ef90eb92..d2b73ec4c 100644
--- a/etc/profile-m-z/youtube-viewers-common.profile
+++ b/etc/profile-m-z/youtube-viewers-common.profile
@@ -24,7 +24,6 @@ include allow-python3.inc
 # there isn't a Firefox instance running with the default profile; see #5352)
 noblacklist ${HOME}/.mozilla
 whitelist ${HOME}/.mozilla/firefox/profiles.ini
-read-only ${HOME}/.mozilla/firefox/profiles.ini
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/zeal.profile b/etc/profile-m-z/zeal.profile
index caf9eab63..09a1d37a3 100644
--- a/etc/profile-m-z/zeal.profile
+++ b/etc/profile-m-z/zeal.profile
@@ -23,7 +23,6 @@ include disable-xdg.inc
 # This also requires dbus-user filtering (see below).
 noblacklist ${HOME}/.mozilla
 whitelist ${HOME}/.mozilla/firefox/profiles.ini
-read-only ${HOME}/.mozilla/firefox/profiles.ini
 
 mkdir ${HOME}/.cache/Zeal
 mkdir ${HOME}/.config/Zeal
diff --git a/etc/templates/profile.template b/etc/templates/profile.template
index fd328f36c..b88566f54 100644
--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -221,6 +221,8 @@ include globals.local
 #dbus-user.talk org.freedesktop.Notifications
 #dbus-system none
 
+# Note: read-only entries should usually go in disable-common.inc (especially
+# entries for configuration files that allow arbitrary command execution).
 ##deterministic-shutdown
 ##env VAR=VALUE
 ##join-or-start NAME
diff --git a/src/firejail/env.c b/src/firejail/env.c
index ede5f812d..da3c3ac53 100644
--- a/src/firejail/env.c
+++ b/src/firejail/env.c
@@ -279,7 +279,8 @@ static void env_apply_list(const char * const *list, unsigned int num_items) {
 
         while (env) {
                 if (env->op == SETENV) {
-                        for (unsigned int i = 0; i < num_items; i++)
+                        unsigned int i;
+                        for (i = 0; i < num_items; i++)
                                 if (strcmp(env->name, list[i]) == 0) {
                                         // sanity check for whitelisted environment variables
                                         if (strlen(env->name) + strlen(env->value) >= MAX_ENV_LEN) {
diff --git a/src/firejail/util.c b/src/firejail/util.c
index b2a0c85f1..a0af3d4bf 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -56,7 +56,8 @@ long long unsigned parse_arg_size(char *str) {
         }
 
         /* checks for is value valid positive number */
-        for (int i = 0; i < len; i++) {
+        int i;
+        for (i = 0; i < len; i++) {
                 if (!isdigit(*(str+i))) {
                         return 0;
                 }