153 files changed, 415 insertions, 120 deletions
diff --git a/README b/README
index fcebecc31..b7687b494 100644
--- a/README
+++ b/README
@@ -117,6 +117,7 @@ bn0785ac (https://github.com/bn0785ac)
        - chromium canary (inox-family) fixes
        - allow multithreading for cin and natron
        - fix dbus access for libreoffice on KDE
+        - fix inox, add snox profile
 BogDan Vatra (https://github.com/bog-dan-ro)
        - zoom profile
 Bruno Nova (https://github.com/brunonova)
@@ -310,6 +311,10 @@ Jean Lucas (https://github.com/flacks)
        - add WebStorm profile
        - add XMind profile
        - add nvm to list of disabled interpreters
+        - fixes for tor-browser-* profiles
+        - alias for riot-desktop
+        - add gnome-mpv profile
+        - fix wire profile
 Jericho (https://github.com/attritionorg)
        - spelling
 Jesse Smith (https://github.com/slicer69)
diff --git a/README.md b/README.md
index 1c4ffc4aa..cf1384249 100644
--- a/README.md
+++ b/README.md
@@ -100,5 +100,38 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe
 `````
 # Current development version: 0.9.55
+## New commands:
+`````
+      (wireless support for --net)
+      --net=ethernet_interface|wireless_interface
+              Enable a new network namespace and connect it to this  ethernet
+              interface  using  the  standard  Linux  macvlan|ipvaln  driver.
+              Unless specified  with  option  --ip  and  --defaultgw,  an  IP
+              address and a default gateway will be assigned automatically to
+              the sandbox. The  IP  address  is  verified  using  ARP  before
+              assignment.  The  address  configured as default gateway is the
+              default gateway of the host. Up to four --net  options  can  be
+              specified.   Support  for ipvlan driver was introduced in Linux
+              kernel 3.19.
+              Example:
+              $ firejail --net=eth0 --ip=192.168.1.80 --dns=8.8.8.8 firefox
+              $ firejail --net=wlan0 firefox
+      --nou2f
+              Disable U2F devices.
+              Example:
+              $ firejail --nou2f
+      --private-cache
+               Mount an empty temporary filesystem on top of the .cache
+               directory in user home. All modifications are discarded
+               when the sandbox is closed.
+              Example:
+              $ firejail --private-cache
+`````
 ## New profiles
-Microsoft Office Online
+Microsoft Office Online, riot-desktop, gnome-mpv, snox, 
diff --git a/RELNOTES b/RELNOTES
index f1b7a6b0a..0cb390192 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,10 +1,11 @@
 firejail (0.9.55) baseline; urgency=low
  * work in progress
  * modif: removed CFG_CHROOT_DESKTOP configuration option
+  * add --private-cache to support private ~/.cache
  * support full paths in private-lib
  * globbing support in private-lib
  * new profiles: ms-excel, ms-office, ms-onenote, ms-outlook, ms-powerpoint
-  * new profiles: ms-skype, ms-word
+  * new profiles: ms-skype, ms-word, riot-desktop, gnome-mpv, snox
 -- netblue30 <netblue30@yahoo.com>  Fri, 25 May 2018 08:00:00 -0500
 firejail (0.9.54) baseline; urgency=low
diff --git a/etc/7z.profile b/etc/7z.profile
index 0330e4dbf..e3f27b93f 100644
--- a/etc/7z.profile
+++ b/etc/7z.profile
@@ -4,7 +4,8 @@ quiet
 # Persistent local customizations
 include /etc/firejail/7z.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+# added by included default.profile
+#include /etc/firejail/globals.local
 blacklist /tmp/.X11-unix
diff --git a/etc/7za.profile b/etc/7za.profile
new file mode 100644
index 000000000..e035bf4f5
--- /dev/null
+++ b/etc/7za.profile
@@ -0,0 +1,10 @@
+# Firejail profile for 7za
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/7za.local
+# Persistent global definitions
+# added by included profile
+#include /etc/firejail/globals.local
+# Redirect
+include /etc/firejail/7z.profile
diff --git a/etc/7zr.profile b/etc/7zr.profile
new file mode 100644
index 000000000..e48c5494e
--- /dev/null
+++ b/etc/7zr.profile
@@ -0,0 +1,10 @@
+# Firejail profile for 7zr
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/7zr.local
+# Persistent global definitions
+# added by included profile
+#include /etc/firejail/globals.local
+# Redirect
+include /etc/firejail/7z.profile
diff --git a/etc/Cryptocat.profile b/etc/Cryptocat.profile
index 08c2860b3..f1336be3e 100644
--- a/etc/Cryptocat.profile
+++ b/etc/Cryptocat.profile
@@ -25,5 +25,6 @@ protocol unix,inet,inet6,netlink
 seccomp
 shell none
+private-cache
 private-dev
 private-tmp
diff --git a/etc/android-studio.profile b/etc/android-studio.profile
index 5ff0b7c3a..d845bd4b9 100644
--- a/etc/android-studio.profile
+++ b/etc/android-studio.profile
@@ -32,6 +32,7 @@ protocol unix,inet,inet6
 seccomp
 shell none
+private-cache
 # private-tmp
 # noexec /tmp breaks 'Android Profiler'
diff --git a/etc/apktool.profile b/etc/apktool.profile
index d5063d79b..ded17ca58 100644
--- a/etc/apktool.profile
+++ b/etc/apktool.profile
@@ -26,6 +26,7 @@ seccomp
 shell none
 private-bin apktool,bash,java,dirname,basename,expr,sh
+private-cache
 private-dev
 noexec ${HOME}
diff --git a/etc/arch-audit.profile b/etc/arch-audit.profile
index 70e02fc7b..0987ce149 100644
--- a/etc/arch-audit.profile
+++ b/etc/arch-audit.profile
@@ -32,6 +32,7 @@ shell none
 disable-mnt
 private
+private-cache
 private-bin arch-audit
 private-dev
 private-tmp
diff --git a/etc/ardour5.profile b/etc/ardour5.profile
index df42dfaed..c2090af98 100644
--- a/etc/ardour5.profile
+++ b/etc/ardour5.profile
@@ -30,6 +30,7 @@ seccomp
 shell none
 #private-bin sh,ardour4,ardour5,ardour5-copy-mixer,ardour5-export,ardour5-fix_bbtppq,grep,sed,ldd,nm
+private-cache
 private-dev
 #private-etc pulse,X11,alternatives,ardour4,ardour5,fonts
 private-tmp
diff --git a/etc/arduino.profile b/etc/arduino.profile
index 14741c964..c8850ccb0 100644
--- a/etc/arduino.profile
+++ b/etc/arduino.profile
@@ -35,6 +35,7 @@ protocol unix,inet,inet6
 seccomp
 shell none
+private-cache
 private-tmp
 noexec ${HOME}
diff --git a/etc/ark.profile b/etc/ark.profile
index cd6e5d54f..0c7ef3dae 100644
--- a/etc/ark.profile
+++ b/etc/ark.profile
@@ -31,7 +31,7 @@ protocol unix
 seccomp
 shell none
-private-bin ark,unrar,rar,unzip,zip,zipinfo,7z,unar,lsar,lrzip,lzop,lz4
+private-bin ark,unrar,rar,unzip,zip,zipinfo,7z,p7zip,unar,lsar,lrzip,lzop,lz4,bash,dash,sh,tclsh
 #private-etc smb.conf,samba,mtab,fonts,drirc,kde5rc,passwd,group,xdg
 private-dev
diff --git a/etc/atom.profile b/etc/atom.profile
index c513c7531..f7e30aeb4 100644
--- a/etc/atom.profile
+++ b/etc/atom.profile
@@ -27,6 +27,7 @@ protocol unix,inet,inet6,netlink
 seccomp
 shell none
+private-cache
 private-dev
 private-tmp
diff --git a/etc/atool.profile b/etc/atool.profile
index 83b681437..06eace7d2 100644
--- a/etc/atool.profile
+++ b/etc/atool.profile
@@ -36,6 +36,7 @@ seccomp
 shell none
 tracelog
+private-cache
 # private-bin atool
 private-dev
 private-etc passwd,group
diff --git a/etc/bitlbee.profile b/etc/bitlbee.profile
index 1cd5d6a69..6507aeadb 100644
--- a/etc/bitlbee.profile
+++ b/etc/bitlbee.profile
@@ -27,6 +27,7 @@ seccomp
 disable-mnt
 private
+private-cache
 private-dev
 private-tmp
 read-write /var/lib/bitlbee
diff --git a/etc/bless.profile b/etc/bless.profile
index 3fd04cae6..1dd756153 100644
--- a/etc/bless.profile
+++ b/etc/bless.profile
@@ -29,6 +29,7 @@ seccomp
 shell none
 # private-bin bless,sh,bash,mono
+private-cache
 private-dev
 private-etc fonts,mono
 private-tmp
diff --git a/etc/brackets.profile b/etc/brackets.profile
index 22a8dffea..8f1068506 100644
--- a/etc/brackets.profile
+++ b/etc/brackets.profile
@@ -26,4 +26,5 @@ protocol unix,inet,inet6,netlink
 seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,iopl,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pciconfig_iobase,pciconfig_read,pciconfig_write,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,s390_mmio_read,s390_mmio_write,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplic
 shell none
+private-cache
 private-dev
diff --git a/etc/brasero.profile b/etc/brasero.profile
index 26074af22..a012d4715 100644
--- a/etc/brasero.profile
+++ b/etc/brasero.profile
@@ -27,6 +27,7 @@ shell none
 tracelog
 # private-bin brasero
+private-cache
 # private-dev
 # private-etc fonts
 # private-tmp
diff --git a/etc/cherrytree.profile b/etc/cherrytree.profile
index e33e010aa..c63cfad8d 100644
--- a/etc/cherrytree.profile
+++ b/etc/cherrytree.profile
@@ -34,6 +34,7 @@ seccomp
 shell none
 tracelog
+private-cache
 private-dev
 private-tmp
diff --git a/etc/chromium-common.profile b/etc/chromium-common.profile
index 8b25f4e60..c8132cd0f 100644
--- a/etc/chromium-common.profile
+++ b/etc/chromium-common.profile
@@ -3,7 +3,8 @@
 # Persistent local customizations
 include /etc/firejail/chromium-common.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+# already included by caller profile
+#include /etc/firejail/globals.local
 noblacklist ${HOME}/.pki
diff --git a/etc/cin.profile b/etc/cin.profile
index e2410e3a5..92baef33a 100644
--- a/etc/cin.profile
+++ b/etc/cin.profile
@@ -29,6 +29,7 @@ seccomp
 shell none
 #private-bin cin,ffmpeg
+private-cache
 private-dev
 noexec ${HOME}
diff --git a/etc/clion.profile b/etc/clion.profile
index 115df72c4..bcb18114e 100644
--- a/etc/clion.profile
+++ b/etc/clion.profile
@@ -28,6 +28,7 @@ protocol unix,inet,inet6
 seccomp
 shell none
+private-cache
 private-dev
 # private-tmp
diff --git a/etc/clipit.profile b/etc/clipit.profile
index e5660f859..3134fdc3e 100644
--- a/etc/clipit.profile
+++ b/etc/clipit.profile
@@ -29,6 +29,7 @@ seccomp
 shell none
 disable-mnt
+private-cache
 private-dev
 private-tmp
diff --git a/etc/code.profile b/etc/code.profile
index af7d379ed..ab69008f1 100644
--- a/etc/code.profile
+++ b/etc/code.profile
@@ -26,6 +26,7 @@ protocol unix,inet,inet6,netlink
 seccomp
 shell none
+private-cache
 private-dev
 private-tmp
diff --git a/etc/conky.profile b/etc/conky.profile
index fe90ac099..af275b915 100644
--- a/etc/conky.profile
+++ b/etc/conky.profile
@@ -28,6 +28,7 @@ seccomp
 shell none
 disable-mnt
+private-cache
 private-dev
 private-tmp
diff --git a/etc/curl.profile b/etc/curl.profile
index 521cd20cc..1d2515f51 100644
--- a/etc/curl.profile
+++ b/etc/curl.profile
@@ -29,6 +29,7 @@ seccomp
 shell none
 # private-bin curl
+private-cache
 private-dev
 # private-etc resolv.conf
 private-tmp
diff --git a/etc/default.profile b/etc/default.profile
index 9a2fcae64..42c1056c5 100644
--- a/etc/default.profile
+++ b/etc/default.profile
@@ -33,6 +33,7 @@ seccomp
 # disable-mnt
 # private
 # private-bin program
+# private-cache
 # private-dev
 # private-etc none
 # private-lib
diff --git a/etc/dex2jar.profile b/etc/dex2jar.profile
index 0634c0eaf..aeef46413 100644
--- a/etc/dex2jar.profile
+++ b/etc/dex2jar.profile
@@ -34,6 +34,7 @@ seccomp
 shell none
 private-bin dex2jar,java,sh,bash,expr,dirname,ls,uname,grep
+private-cache
 private-dev
 noexec ${HOME}
diff --git a/etc/dia.profile b/etc/dia.profile
index 49c6727f9..fca14236f 100644
--- a/etc/dia.profile
+++ b/etc/dia.profile
@@ -30,6 +30,7 @@ shell none
 disable-mnt
 #private-bin dia
+private-cache
 private-dev
 private-tmp
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index 71d4ad97b..56121809a 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -383,3 +383,12 @@ blacklist /vmlinuz*
 # complement noexec ${HOME} and noexec /tmp
 noexec /tmp/.X11-unix
+# flatpak
+blacklist ${HOME}/*.config/flatpak
+blacklist ${HOME}/*.var
+blacklist ${HOME}/*.local/share/flatpak
+blacklist /var/lib/flatpak
+blacklist /usr/share/flatpak
+# most of the time bwrap is SUID binary
+blacklist /usr/bin/bwrap
+\ No newline at end of file
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 7eaa1c2ba..f72b5a5c3 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -132,6 +132,7 @@ blacklist ${HOME}/.config/geeqie
 blacklist ${HOME}/.config/ghb
 blacklist ${HOME}/.config/globaltime
 blacklist ${HOME}/.config/gnome-mplayer
+blacklist ${HOME}/.config/gnome-mpv
 blacklist ${HOME}/.config/google-chrome
 blacklist ${HOME}/.config/google-chrome-beta
 blacklist ${HOME}/.config/google-chrome-unstable
diff --git a/etc/discord-common.profile b/etc/discord-common.profile
index 5cd8d6bb6..65a307681 100644
--- a/etc/discord-common.profile
+++ b/etc/discord-common.profile
@@ -3,7 +3,8 @@
 # Persistent local customizations
 include /etc/firejail/discord-common.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+# already included by caller profile
+#include /etc/firejail/globals.local
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
diff --git a/etc/dnscrypt-proxy.profile b/etc/dnscrypt-proxy.profile
index 4d0afc159..0971451c4 100644
--- a/etc/dnscrypt-proxy.profile
+++ b/etc/dnscrypt-proxy.profile
@@ -27,6 +27,7 @@ seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,i
 disable-mnt
 private
+private-cache
 private-dev
 # mdwe can break modules/plugins
diff --git a/etc/dnsmasq.profile b/etc/dnsmasq.profile
index f71f5bb02..fc1209c1e 100644
--- a/etc/dnsmasq.profile
+++ b/etc/dnsmasq.profile
@@ -28,4 +28,5 @@ seccomp
 disable-mnt
 private
+private-cache
 private-dev
diff --git a/etc/elinks.profile b/etc/elinks.profile
index 5d28ac0c8..6878c4fe0 100644
--- a/etc/elinks.profile
+++ b/etc/elinks.profile
@@ -31,6 +31,7 @@ shell none
 tracelog
 # private-bin elinks
+private-cache
 private-dev
 # private-etc none
 private-tmp
diff --git a/etc/empathy.profile b/etc/empathy.profile
index b9d682322..9d70afcb8 100644
--- a/etc/empathy.profile
+++ b/etc/empathy.profile
@@ -20,3 +20,6 @@ noroot
 notv
 protocol unix,inet,inet6
 seccomp
+private-cache
+private-tmp
diff --git a/etc/enchant.profile b/etc/enchant.profile
index 29472313d..a495122dc 100644
--- a/etc/enchant.profile
+++ b/etc/enchant.profile
@@ -30,6 +30,7 @@ shell none
 tracelog
 # private-bin enchant, enchant-*
+private-cache
 private-dev
 private-etc none
 private-tmp
diff --git a/etc/enox.profile b/etc/enox.profile
index 460143ad7..46f409346 100644
--- a/etc/enox.profile
+++ b/etc/enox.profile
@@ -8,8 +8,8 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.cache/Enox
 noblacklist ${HOME}/.config/Enox
-mkdir ${HOME}/.cache/dnox
+#mkdir ${HOME}/.cache/dnox
-mkdir ${HOME}/.config/dnox
+#mkdir ${HOME}/.config/dnox
 mkdir ${HOME}/.cache/Enox
 mkdir ${HOME}/.config/Enox
 whitelist ${HOME}/.cache/Enox
diff --git a/etc/exiftool.profile b/etc/exiftool.profile
index 2522a32a3..2666397f4 100644
--- a/etc/exiftool.profile
+++ b/etc/exiftool.profile
@@ -36,6 +36,7 @@ shell none
 tracelog
 # private-bin exiftool,perl
+private-cache
 private-dev
 private-etc none
 private-tmp
diff --git a/etc/feh.profile b/etc/feh.profile
index 657f05f3c..c79e98d1c 100644
--- a/etc/feh.profile
+++ b/etc/feh.profile
@@ -27,6 +27,7 @@ seccomp
 shell none
 private-bin feh,jpegexiforient,jpegtran
+private-cache
 private-dev
 private-etc feh
 private-tmp
diff --git a/etc/firefox-common.profile b/etc/firefox-common.profile
index b0de1f1a3..818f24e7e 100644
--- a/etc/firefox-common.profile
+++ b/etc/firefox-common.profile
@@ -3,7 +3,8 @@
 # Persistent local customizations
 include /etc/firejail/firefox-common.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+# already included by caller profile
+#include /etc/firejail/globals.local
 # uncomment the following line to allow access to common programs/addons/plugins
 #include /etc/firejail/firefox-common-addons.inc
diff --git a/etc/firejail.config b/etc/firejail.config
index 42dfaf3c6..1f47f77d0 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -56,11 +56,6 @@
 # Remove /usr/local directories from private-bin list, default disabled.
 # private-bin-no-local no
-# Mount  an empty temporary filesystem on top of the .cache
-# directory in user home. All  modifications  are  discarded  when
-# the sandbox is closed. Default enabled.
-# private-cache yes
 # Enable or disable private-home feature, default enabled
 # private-home yes
diff --git a/etc/flowblade.profile b/etc/flowblade.profile
index e06107f0f..9d399931d 100644
--- a/etc/flowblade.profile
+++ b/etc/flowblade.profile
@@ -31,6 +31,7 @@ protocol unix,inet,inet6,netlink
 seccomp
 shell none
+private-cache
 private-dev
 private-tmp
diff --git a/etc/fontforge.profile b/etc/fontforge.profile
index 088ed626b..c80588a8b 100644
--- a/etc/fontforge.profile
+++ b/etc/fontforge.profile
@@ -32,6 +32,7 @@ protocol unix
 seccomp
 shell none
+private-cache
 private-dev
 private-tmp
diff --git a/etc/freecad.profile b/etc/freecad.profile
index dc5738e01..9ea4e0f2b 100644
--- a/etc/freecad.profile
+++ b/etc/freecad.profile
@@ -29,6 +29,7 @@ seccomp
 shell none
 private-bin freecad,freecadcmd
+private-cache
 private-dev
 private-tmp
diff --git a/etc/freshclam.profile b/etc/freshclam.profile
index 08eac5595..4e224dd3e 100644
--- a/etc/freshclam.profile
+++ b/etc/freshclam.profile
@@ -24,6 +24,7 @@ tracelog
 disable-mnt
 private
+private-cache
 private-dev
 private-tmp
 writable-var
diff --git a/etc/geany.profile b/etc/geany.profile
index 35e405319..9db533e8c 100644
--- a/etc/geany.profile
+++ b/etc/geany.profile
@@ -25,5 +25,6 @@ protocol unix,inet,inet6
 seccomp
 shell none
+private-cache
 private-dev
 private-tmp
diff --git a/etc/git.profile b/etc/git.profile
index 7dac03b1b..1bf9e8e4b 100644
--- a/etc/git.profile
+++ b/etc/git.profile
@@ -34,4 +34,5 @@ protocol unix,inet,inet6
 seccomp
 shell none
+private-cache
 private-dev
diff --git a/etc/gitg.profile b/etc/gitg.profile
index 39cbdc53d..deee7c994 100644
--- a/etc/gitg.profile
+++ b/etc/gitg.profile
@@ -29,6 +29,7 @@ seccomp
 shell none
 private-bin gitg,git,ssh
+private-cache
 private-dev
 private-tmp
diff --git a/etc/globaltime.profile b/etc/globaltime.profile
index 19820ce85..0df6b5e63 100644
--- a/etc/globaltime.profile
+++ b/etc/globaltime.profile
@@ -28,6 +28,7 @@ seccomp
 shell none
 disable-mnt
+private-cache
 private-dev
 private-tmp
diff --git a/etc/gnome-builder.profile b/etc/gnome-builder.profile
index dfee1ae08..4ddfc456a 100644
--- a/etc/gnome-builder.profile
+++ b/etc/gnome-builder.profile
@@ -23,4 +23,5 @@ protocol unix,inet,inet6
 seccomp
 shell none
+private-cache
 private-dev
diff --git a/etc/gnome-documents.profile b/etc/gnome-documents.profile
index 9089d7ee8..8a67d6e5c 100644
--- a/etc/gnome-documents.profile
+++ b/etc/gnome-documents.profile
@@ -30,6 +30,7 @@ seccomp
 shell none
 tracelog
+private-cache
 private-dev
 private-tmp
diff --git a/etc/gnome-mplayer.profile b/etc/gnome-mplayer.profile
index 7cf97a79f..f54219174 100644
--- a/etc/gnome-mplayer.profile
+++ b/etc/gnome-mplayer.profile
@@ -22,6 +22,7 @@ seccomp
 shell none
 # private-bin gnome-mplayer,mplayer
+private-cache
 private-dev
 private-tmp
diff --git a/etc/gnome-mpv.profile b/etc/gnome-mpv.profile
new file mode 100644
index 000000000..e834e8ec7
--- /dev/null
+++ b/etc/gnome-mpv.profile
@@ -0,0 +1,32 @@
+# Firejail profile for gnome-mpv
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/gnome-mpv.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+noblacklist ${HOME}/.config/gnome-mpv
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/whitelist-var-common.inc
+caps.drop all
+nodbus
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+private-bin gnome-mpv
+private-dev
+private-tmp
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/gpg-agent.profile b/etc/gpg-agent.profile
index 7f50e1e8d..85020fc2e 100644
--- a/etc/gpg-agent.profile
+++ b/etc/gpg-agent.profile
@@ -31,4 +31,5 @@ shell none
 tracelog
 # private-bin gpg-agent,gpg
+private-cache
 private-dev
diff --git a/etc/gpg.profile b/etc/gpg.profile
index 7eb8a3ac8..ab43152d8 100644
--- a/etc/gpg.profile
+++ b/etc/gpg.profile
@@ -31,4 +31,5 @@ shell none
 tracelog
 # private-bin gpg,gpg-agent
+private-cache
 private-dev
diff --git a/etc/gthumb.profile b/etc/gthumb.profile
index eb0c38ec2..77ce42b36 100644
--- a/etc/gthumb.profile
+++ b/etc/gthumb.profile
@@ -29,5 +29,6 @@ shell none
 tracelog
 private-bin gthumb
+private-cache
 private-dev
 private-tmp
diff --git a/etc/gucharmap.profile b/etc/gucharmap.profile
index 16ea2047d..60a13af3a 100644
--- a/etc/gucharmap.profile
+++ b/etc/gucharmap.profile
@@ -28,6 +28,7 @@ shell none
 disable-mnt
 private
+private-cache
 private-dev
 private-tmp
diff --git a/etc/gzip.profile b/etc/gzip.profile
index 779067770..33892e5c9 100644
--- a/etc/gzip.profile
+++ b/etc/gzip.profile
@@ -4,7 +4,8 @@ quiet
 # Persistent local customizations
 include /etc/firejail/gzip.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+# added by included default.profile
+#include /etc/firejail/globals.local
 blacklist /tmp/.X11-unix
diff --git a/etc/hashcat.profile b/etc/hashcat.profile
index d61165a91..0fb8b8704 100644
--- a/etc/hashcat.profile
+++ b/etc/hashcat.profile
@@ -31,6 +31,7 @@ shell none
 disable-mnt
 private-bin hashcat
+private-cache
 private-dev
 private-tmp
diff --git a/etc/highlight.profile b/etc/highlight.profile
index a93019696..cd48df10c 100644
--- a/etc/highlight.profile
+++ b/etc/highlight.profile
@@ -30,6 +30,7 @@ shell none
 tracelog
 private-bin highlight
+private-cache
 private-dev
 # private-etc none
 private-tmp
diff --git a/etc/hugin.profile b/etc/hugin.profile
index 761c4e039..f92acac66 100644
--- a/etc/hugin.profile
+++ b/etc/hugin.profile
@@ -28,6 +28,7 @@ seccomp
 shell none
 private-bin PTBatcherGUI,calibrate_lens_gui,hugin,hugin_stitch_project,align_image_stack,autooptimiser,celeste_standalone,checkpto,cpclean,cpfind,deghosting_mask,fulla,geocpset,hugin_executor,hugin_hdrmerge,hugin_lensdb,icpfind,linefind,nona,pano_modify,pano_trafo,pto_gen,pto_lensstack,pto_mask,pto_merge,pto_move,pto_template,pto_var,tca_correct,verdandi,vig_optimize,enblend
+private-cache
 private-dev
 private-tmp
diff --git a/etc/idea.sh.profile b/etc/idea.sh.profile
index caec416e9..06328ccbf 100644
--- a/etc/idea.sh.profile
+++ b/etc/idea.sh.profile
@@ -32,6 +32,7 @@ protocol unix,inet,inet6
 seccomp
 shell none
+private-cache
 private-dev
 # private-tmp
diff --git a/etc/img2txt.profile b/etc/img2txt.profile
index 1cc8d2953..bbefd8044 100644
--- a/etc/img2txt.profile
+++ b/etc/img2txt.profile
@@ -27,6 +27,7 @@ shell none
 tracelog
 # private-bin img2txt
+private-cache
 private-dev
 # private-etc none
 private-tmp
diff --git a/etc/jd-gui.profile b/etc/jd-gui.profile
index 9a325d18b..ca23cedfa 100644
--- a/etc/jd-gui.profile
+++ b/etc/jd-gui.profile
@@ -36,6 +36,7 @@ seccomp
 shell none
 private-bin jd-gui,sh,bash
+private-cache
 private-dev
 private-tmp
diff --git a/etc/jitsi.profile b/etc/jitsi.profile
index cb2f2092a..b3b09f4b1 100644
--- a/etc/jitsi.profile
+++ b/etc/jitsi.profile
@@ -31,4 +31,5 @@ shell none
 tracelog
 disable-mnt
+private-cache
 private-tmp
diff --git a/etc/keepass.profile b/etc/keepass.profile
index 9ae6abfb2..03f27d3fa 100644
--- a/etc/keepass.profile
+++ b/etc/keepass.profile
@@ -33,6 +33,7 @@ protocol unix,inet,inet6
 seccomp
 shell none
+private-cache
 private-dev
 private-tmp
diff --git a/etc/kino.profile b/etc/kino.profile
index 054b185dd..5144ce448 100644
--- a/etc/kino.profile
+++ b/etc/kino.profile
@@ -25,6 +25,7 @@ protocol unix
 seccomp
 shell none
+private-cache
 private-dev
 private-tmp
diff --git a/etc/krita.profile b/etc/krita.profile
index 99fd235db..01f7b6ff8 100644
--- a/etc/krita.profile
+++ b/etc/krita.profile
@@ -36,6 +36,7 @@ protocol unix
 seccomp
 shell none
+private-cache
 private-dev
 private-tmp
diff --git a/etc/less.profile b/etc/less.profile
index 9b04329f2..2b5449a7b 100644
--- a/etc/less.profile
+++ b/etc/less.profile
@@ -4,7 +4,8 @@ quiet
 # Persistent local customizations
 include /etc/firejail/less.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+# added by included default.profile
+#include /etc/firejail/globals.local
 blacklist /tmp/.X11-unix
@@ -24,6 +25,7 @@ writable-var-log
 # Enable private-bin and private-lib if you are not using any filter.
 # private-bin less
 # private-lib
+private-cache
 private-dev
 memory-deny-write-execute
diff --git a/etc/luminance-hdr.profile b/etc/luminance-hdr.profile
index 8d55f5de2..8104a2886 100644
--- a/etc/luminance-hdr.profile
+++ b/etc/luminance-hdr.profile
@@ -28,6 +28,7 @@ shell none
 tracelog
 #private-bin luminance-hdr,luminance-hdr-cli,align_image_stack
+private-cache
 private-dev
 private-tmp
diff --git a/etc/lximage-qt.profile b/etc/lximage-qt.profile
index 971d969ad..e50455532 100644
--- a/etc/lximage-qt.profile
+++ b/etc/lximage-qt.profile
@@ -27,6 +27,7 @@ protocol unix
 seccomp
 shell none
+private-cache
 private-dev
 private-tmp
diff --git a/etc/lynx.profile b/etc/lynx.profile
index fec9661c6..ba5322787 100644
--- a/etc/lynx.profile
+++ b/etc/lynx.profile
@@ -29,6 +29,7 @@ shell none
 tracelog
 # private-bin lynx
+private-cache
 private-dev
 # private-etc none
 private-tmp
diff --git a/etc/macrofusion.profile b/etc/macrofusion.profile
index bbef46567..6d20d7261 100644
--- a/etc/macrofusion.profile
+++ b/etc/macrofusion.profile
@@ -35,6 +35,7 @@ seccomp
 shell none
 private-bin python*,macrofusion,env,enfuse,exiftool,align_image_stack
+private-cache
 private-dev
 private-tmp
diff --git a/etc/mediainfo.profile b/etc/mediainfo.profile
index d79a0e886..48db03c27 100644
--- a/etc/mediainfo.profile
+++ b/etc/mediainfo.profile
@@ -30,6 +30,7 @@ shell none
 tracelog
 private-bin mediainfo
+private-cache
 private-dev
 private-etc none
 private-tmp
diff --git a/etc/meld.profile b/etc/meld.profile
index 78d9e0c76..1e85343df 100644
--- a/etc/meld.profile
+++ b/etc/meld.profile
@@ -28,6 +28,7 @@ seccomp
 shell none
 private-bin meld,python*
+private-cache
 private-dev
 private-tmp
diff --git a/etc/mpd.profile b/etc/mpd.profile
index 7f3e42e08..2ad520633 100644
--- a/etc/mpd.profile
+++ b/etc/mpd.profile
@@ -28,6 +28,7 @@ seccomp
 shell none
 #private-bin mpd,bash
+private-cache
 private-dev
 private-tmp
diff --git a/etc/obs.profile b/etc/obs.profile
index 9a0fab3f8..7529dd1bb 100644
--- a/etc/obs.profile
+++ b/etc/obs.profile
@@ -25,6 +25,7 @@ shell none
 tracelog
 private-bin obs
+private-cache
 private-dev
 private-tmp
diff --git a/etc/odt2txt.profile b/etc/odt2txt.profile
index 32d51f478..aea6b79d2 100644
--- a/etc/odt2txt.profile
+++ b/etc/odt2txt.profile
@@ -30,6 +30,7 @@ shell none
 tracelog
 private-bin odt2txt
+private-cache
 private-dev
 private-etc none
 private-tmp
diff --git a/etc/orage.profile b/etc/orage.profile
index 8e218eb2d..2ac420f05 100644
--- a/etc/orage.profile
+++ b/etc/orage.profile
@@ -29,6 +29,7 @@ seccomp
 shell none
 disable-mnt
+private-cache
 private-dev
 private-tmp
diff --git a/etc/p7zip.profile b/etc/p7zip.profile
new file mode 100644
index 000000000..b813bfda5
--- /dev/null
+++ b/etc/p7zip.profile
@@ -0,0 +1,10 @@
+# Firejail profile for p7zip
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/p7zip.local
+# Persistent global definitions
+# added by included profile
+#include /etc/firejail/globals.local
+# Redirect
+include /etc/firejail/7z.profile
diff --git a/etc/parole.profile b/etc/parole.profile
index c659614e3..36ae97726 100644
--- a/etc/parole.profile
+++ b/etc/parole.profile
@@ -22,4 +22,5 @@ seccomp
 shell none
 private-bin parole,dbus-launch
+private-cache
 private-etc passwd,group,fonts
diff --git a/etc/pdfsam.profile b/etc/pdfsam.profile
index a5d9c2d65..fbd7ec179 100644
--- a/etc/pdfsam.profile
+++ b/etc/pdfsam.profile
@@ -37,6 +37,7 @@ seccomp
 shell none
 private-bin pdfsam,sh,bash,java,archlinux-java,grep,awk,dirname,uname,which,sort,find,readlink,expr,ls,java-config
+private-cache
 private-dev
 private-tmp
diff --git a/etc/pidgin.profile b/etc/pidgin.profile
index ac2597a68..e0fd270af 100644
--- a/etc/pidgin.profile
+++ b/etc/pidgin.profile
@@ -26,6 +26,7 @@ shell none
 tracelog
 private-bin pidgin
+private-cache
 private-dev
 private-tmp
diff --git a/etc/pinta.profile b/etc/pinta.profile
index 73fabb95f..010de0d3e 100644
--- a/etc/pinta.profile
+++ b/etc/pinta.profile
@@ -29,6 +29,7 @@ seccomp
 shell none
 private-dev
+private-cache
 private-tmp
 noexec ${HOME}
diff --git a/etc/pix.profile b/etc/pix.profile
index ec495269d..dfc6d780e 100644
--- a/etc/pix.profile
+++ b/etc/pix.profile
@@ -30,5 +30,6 @@ shell none
 tracelog
 private-bin pix
+private-cache
 private-dev
 private-tmp
diff --git a/etc/pycharm-community.profile b/etc/pycharm-community.profile
index bbb907577..89bb9dadf 100644
--- a/etc/pycharm-community.profile
+++ b/etc/pycharm-community.profile
@@ -32,6 +32,7 @@ tracelog
 # private-etc fonts,passwd - minimal required to run but will probably break
 # program!
+private-cache
 private-dev
 private-tmp
diff --git a/etc/qemu-launcher.profile b/etc/qemu-launcher.profile
index 20b14c0ca..263c71535 100644
--- a/etc/qemu-launcher.profile
+++ b/etc/qemu-launcher.profile
@@ -23,6 +23,7 @@ seccomp
 shell none
 tracelog
+private-cache
 private-tmp
 noexec /tmp
diff --git a/etc/qemu-system-x86_64.profile b/etc/qemu-system-x86_64.profile
index 7a60007fe..3ab25e92e 100644
--- a/etc/qemu-system-x86_64.profile
+++ b/etc/qemu-system-x86_64.profile
@@ -22,6 +22,7 @@ seccomp
 shell none
 tracelog
+private-cache
 private-tmp
 noexec /tmp
diff --git a/etc/qlipper.profile b/etc/qlipper.profile
index 237cd240b..079270909 100644
--- a/etc/qlipper.profile
+++ b/etc/qlipper.profile
@@ -28,6 +28,7 @@ seccomp
 shell none
 disable-mnt
+private-cache
 private-dev
 private-tmp
diff --git a/etc/quassel.profile b/etc/quassel.profile
index 6783d5a43..9c5bbe1d3 100644
--- a/etc/quassel.profile
+++ b/etc/quassel.profile
@@ -19,3 +19,6 @@ noroot
 notv
 protocol unix,inet,inet6
 seccomp
+private-cache
+private-tmp
diff --git a/etc/remmina.profile b/etc/remmina.profile
index 4cd93b567..50746c60e 100644
--- a/etc/remmina.profile
+++ b/etc/remmina.profile
@@ -28,6 +28,7 @@ seccomp
 # seccomp.keep access,arch_prctl,brk,chmod,clock_getres,clock_gettime,clone,close,connect,dup3,eventfd2,execve,fadvise64,fallocate,fcntl,flock,fstat,fstatfs,fsync,ftruncate,futex,getdents,getegid,geteuid,getgid,getpeername,getpid,getrandom,getresgid,getresuid,getsockname,getsockopt,gettid,getuid,inotify_add_watch,inotify_init1,inotify_rm_watch,ioctl,lseek,lstat,madvise,memfd_create,mmap,mprotect,mremap,munmap,nanosleep,open,openat,pipe,pipe2,poll,prctl,prlimit64,pwrite64,read,readlink,recvfrom,recvmsg,rename,rt_sigaction,rt_sigprocmask,sendmmsg,sendmsg,sendto,set_robust_list,setsockopt,set_tid_address,shmat,shmctl,shmdt,shmget,shutdown,socket,stat,statfs,sysinfo,tgkill,uname,utimensat,write,writev
 shell none
+private-cache
 private-dev
 private-tmp
diff --git a/etc/riot-desktop.profile b/etc/riot-desktop.profile
new file mode 100644
index 000000000..d38ab6876
--- /dev/null
+++ b/etc/riot-desktop.profile
@@ -0,0 +1,9 @@
+# Firejail profile for riot-desktop
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/riot-desktop.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+# Redirect
+include /etc/firejail/riot-web.profile
diff --git a/etc/riot-web.profile b/etc/riot-web.profile
index 06dbbe9d9..1779d0b7c 100644
--- a/etc/riot-web.profile
+++ b/etc/riot-web.profile
@@ -7,6 +7,7 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.config/Riot
+mkdir ${HOME}/.config/Riot
 whitelist ${HOME}/.config/Riot
 include /etc/firejail/whitelist-common.inc
diff --git a/etc/ristretto.profile b/etc/ristretto.profile
index 7628d386f..08c9dbf2d 100644
--- a/etc/ristretto.profile
+++ b/etc/ristretto.profile
@@ -29,6 +29,7 @@ protocol unix
 seccomp
 shell none
+private-cache
 private-dev
 private-tmp
diff --git a/etc/rtorrent.profile b/etc/rtorrent.profile
index 57e933467..b4a2921ff 100644
--- a/etc/rtorrent.profile
+++ b/etc/rtorrent.profile
@@ -26,5 +26,6 @@ seccomp
 shell none
 private-bin rtorrent
+private-cache
 private-dev
 private-tmp
diff --git a/etc/sdat2img.profile b/etc/sdat2img.profile
index a0674acbc..fbe1b2de5 100644
--- a/etc/sdat2img.profile
+++ b/etc/sdat2img.profile
@@ -34,6 +34,7 @@ seccomp
 shell none
 private-bin sdat2img,env,python*
+private-cache
 private-dev
 noexec ${HOME}
diff --git a/etc/shotcut.profile b/etc/shotcut.profile
index d76c486ea..e5a8ce4df 100644
--- a/etc/shotcut.profile
+++ b/etc/shotcut.profile
@@ -26,6 +26,7 @@ seccomp
 shell none
 #private-bin shotcut,melt,qmelt,nice
+private-cache
 private-dev
 #noexec ${HOME}
diff --git a/etc/skype.profile b/etc/skype.profile
index f08542079..04f15b454 100644
--- a/etc/skype.profile
+++ b/etc/skype.profile
@@ -26,6 +26,7 @@ shell none
 disable-mnt
 #private-bin skype,bash
+private-cache
 private-dev
 private-tmp
diff --git a/etc/skypeforlinux.profile b/etc/skypeforlinux.profile
index c2270ce39..c675f0345 100644
--- a/etc/skypeforlinux.profile
+++ b/etc/skypeforlinux.profile
@@ -25,6 +25,7 @@ seccomp
 shell none
 disable-mnt
+private-cache
 # private-dev - needs /dev/disk
 private-tmp
diff --git a/etc/snox.profile b/etc/snox.profile
new file mode 100644
index 000000000..22bb0cdb0
--- /dev/null
+++ b/etc/snox.profile
@@ -0,0 +1,19 @@
+# Firejail profile for snox
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/snox.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+noblacklist ${HOME}/.cache/snox
+noblacklist ${HOME}/.config/snox
+#mkdir ${HOME}/.cache/dnox
+#mkdir ${HOME}/.config/dnox
+mkdir ${HOME}/.cache/snox
+mkdir ${HOME}/.config/snox
+whitelist ${HOME}/.cache/snox
+whitelist ${HOME}/.config/snox
+# Redirect
+include /etc/firejail/chromium-common.profile
diff --git a/etc/soundconverter.profile b/etc/soundconverter.profile
index 3d231cf5b..b15ba266b 100644
--- a/etc/soundconverter.profile
+++ b/etc/soundconverter.profile
@@ -31,6 +31,7 @@ protocol unix
 seccomp
 shell none
+private-cache
 private-dev
 private-tmp
diff --git a/etc/sqlitebrowser.profile b/etc/sqlitebrowser.profile
index 9711276c8..7bb7080e3 100644
--- a/etc/sqlitebrowser.profile
+++ b/etc/sqlitebrowser.profile
@@ -29,6 +29,7 @@ seccomp
 shell none
 private-bin sqlitebrowser
+private-cache
 private-dev
 private-tmp
diff --git a/etc/ssh.profile b/etc/ssh.profile
index df86a276e..dfaeb9688 100644
--- a/etc/ssh.profile
+++ b/etc/ssh.profile
@@ -29,6 +29,7 @@ seccomp
 shell none
 tracelog
+private-cache
 private-dev
 # private-tmp # Breaks when exiting
diff --git a/etc/strings.profile b/etc/strings.profile
index 8995ad2a6..5bea9525f 100644
--- a/etc/strings.profile
+++ b/etc/strings.profile
@@ -4,7 +4,8 @@ quiet
 # Persistent local customizations
 include /etc/firejail/strings.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+# added by included default.profile
+#include /etc/firejail/globals.local
 blacklist /tmp/.X11-unix
diff --git a/etc/synfigstudio.profile b/etc/synfigstudio.profile
index 677920266..dcfd730ee 100644
--- a/etc/synfigstudio.profile
+++ b/etc/synfigstudio.profile
@@ -29,6 +29,7 @@ seccomp
 shell none
 #private-bin synfigstudio,synfig,ffmpeg
+private-cache
 private-dev
 private-tmp
diff --git a/etc/tar.profile b/etc/tar.profile
index 5f54bf02d..35dbb3378 100644
--- a/etc/tar.profile
+++ b/etc/tar.profile
@@ -4,7 +4,8 @@ quiet
 # Persistent local customizations
 include /etc/firejail/tar.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+# added by included default.profile
+#include /etc/firejail/globals.local
 blacklist /tmp/.X11-unix
diff --git a/etc/telegram.profile b/etc/telegram.profile
index db055a898..9ffb9f287 100644
--- a/etc/telegram.profile
+++ b/etc/telegram.profile
@@ -23,6 +23,7 @@ protocol unix,inet,inet6
 seccomp
 disable-mnt
+private-cache
 private-tmp
 noexec ${HOME}
diff --git a/etc/tilp.profile b/etc/tilp.profile
index a9cccbd7b..7d63df630 100644
--- a/etc/tilp.profile
+++ b/etc/tilp.profile
@@ -28,6 +28,7 @@ tracelog
 disable-mnt
 private-bin tilp
+private-cache
 private-etc fonts
 private-tmp
diff --git a/etc/tor-browser-ar.profile b/etc/tor-browser-ar.profile
index 36eda5704..a668a05d4 100644
--- a/etc/tor-browser-ar.profile
+++ b/etc/tor-browser-ar.profile
@@ -2,6 +2,8 @@
 # This file is overwritten after every install/update
 noblacklist ${HOME}/.tor-browser-ar
+mkdir ${HOME}/.tor-browser-ar
 whitelist ${HOME}/.tor-browser-ar
 # Redirect
diff --git a/etc/tor-browser-en-us.profile b/etc/tor-browser-en-us.profile
index f3ca8a74d..195377f0f 100644
--- a/etc/tor-browser-en-us.profile
+++ b/etc/tor-browser-en-us.profile
@@ -2,6 +2,8 @@
 # This file is overwritten after every install/update
 noblacklist ${HOME}/.tor-browser-en-us
+mkdir ${HOME}/.tor-browser-en-us
 whitelist ${HOME}/.tor-browser-en-us
 # Redirect
diff --git a/etc/tor-browser-en.profile b/etc/tor-browser-en.profile
index fb2c2f9c9..75aad1a09 100644
--- a/etc/tor-browser-en.profile
+++ b/etc/tor-browser-en.profile
@@ -2,6 +2,8 @@
 # This file is overwritten after every install/update
 noblacklist ${HOME}/.tor-browser-en
+mkdir ${HOME}/.tor-browser-en
 whitelist ${HOME}/.tor-browser-en
 # Redirect
diff --git a/etc/tor-browser-es-es.profile b/etc/tor-browser-es-es.profile
index c6c0d6e92..b6e5dedbc 100644
--- a/etc/tor-browser-es-es.profile
+++ b/etc/tor-browser-es-es.profile
@@ -1,8 +1,10 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
-noblacklist ${HOME}/.tor-browser-en-es
+noblacklist ${HOME}/.tor-browser-es-es
-whitelist ${HOME}/.tor-browser-en-es
+mkdir ${HOME}/.tor-browser-es-es
+whitelist ${HOME}/.tor-browser-es-es
 # Redirect
 include /etc/firejail/torbrowser-launcher.profile
diff --git a/etc/tor-browser-es.profile b/etc/tor-browser-es.profile
index 1fe940f72..c607c93e3 100644
--- a/etc/tor-browser-es.profile
+++ b/etc/tor-browser-es.profile
@@ -2,6 +2,8 @@
 # This file is overwritten after every install/update
 noblacklist ${HOME}/.tor-browser-es
+mkdir ${HOME}/.tor-browser-es
 whitelist ${HOME}/.tor-browser-es
 # Redirect
diff --git a/etc/tor-browser-fa.profile b/etc/tor-browser-fa.profile
index 292c82de0..3ce689c21 100644
--- a/etc/tor-browser-fa.profile
+++ b/etc/tor-browser-fa.profile
@@ -2,6 +2,8 @@
 # This file is overwritten after every install/update
 noblacklist ${HOME}/.tor-browser-fa
+mkdir ${HOME}/.tor-browser-fa
 whitelist ${HOME}/.tor-browser-fa
 # Redirect
diff --git a/etc/tor-browser-fr.profile b/etc/tor-browser-fr.profile
index b7b5a3d26..369184aba 100644
--- a/etc/tor-browser-fr.profile
+++ b/etc/tor-browser-fr.profile
@@ -2,6 +2,8 @@
 # This file is overwritten after every install/update
 noblacklist ${HOME}/.tor-browser-fr
+mkdir ${HOME}/.tor-browser-fr
 whitelist ${HOME}/.tor-browser-fr
 # Redirect
diff --git a/etc/tor-browser-it.profile b/etc/tor-browser-it.profile
index bcaff3305..e5d54617d 100644
--- a/etc/tor-browser-it.profile
+++ b/etc/tor-browser-it.profile
@@ -2,6 +2,8 @@
 # This file is overwritten after every install/update
 noblacklist ${HOME}/.tor-browser-it
+mkdir ${HOME}/.tor-browser-it
 whitelist ${HOME}/.tor-browser-it
 # Redirect
diff --git a/etc/tor-browser-ja.profile b/etc/tor-browser-ja.profile
index ffb98b874..a3cfa1987 100644
--- a/etc/tor-browser-ja.profile
+++ b/etc/tor-browser-ja.profile
@@ -2,6 +2,8 @@
 # This file is overwritten after every install/update
 noblacklist ${HOME}/.tor-browser-ja
+mkdir ${HOME}/.tor-browser-ja
 whitelist ${HOME}/.tor-browser-ja
 # Redirect
diff --git a/etc/tor-browser-ko.profile b/etc/tor-browser-ko.profile
index c1a29f84e..6a7fe905c 100644
--- a/etc/tor-browser-ko.profile
+++ b/etc/tor-browser-ko.profile
@@ -2,6 +2,8 @@
 # This file is overwritten after every install/update
 noblacklist ${HOME}/.tor-browser-ko
+mkdir ${HOME}/.tor-browser-ko
 whitelist ${HOME}/.tor-browser-ko
 # Redirect
diff --git a/etc/tor-browser-pl.profile b/etc/tor-browser-pl.profile
index d2b8ea3bc..e72d64a3e 100644
--- a/etc/tor-browser-pl.profile
+++ b/etc/tor-browser-pl.profile
@@ -2,6 +2,8 @@
 # This file is overwritten after every install/update
 noblacklist ${HOME}/.tor-browser-pl
+mkdir ${HOME}/.tor-browser-pl
 whitelist ${HOME}/.tor-browser-pl
 # Redirect
diff --git a/etc/tor-browser-pt-br.profile b/etc/tor-browser-pt-br.profile
index 55794401e..d3a5d1b79 100644
--- a/etc/tor-browser-pt-br.profile
+++ b/etc/tor-browser-pt-br.profile
@@ -2,6 +2,8 @@
 # This file is overwritten after every install/update
 noblacklist ${HOME}/.tor-browser-pt-br
+mkdir ${HOME}/.tor-browser-pt-br
 whitelist ${HOME}/.tor-browser-pt-br
 # Redirect
diff --git a/etc/tor-browser-ru.profile b/etc/tor-browser-ru.profile
index 21c6bc042..22b772b28 100644
--- a/etc/tor-browser-ru.profile
+++ b/etc/tor-browser-ru.profile
@@ -2,6 +2,8 @@
 # This file is overwritten after every install/update
 noblacklist ${HOME}/.tor-browser-ru
+mkdir ${HOME}/.tor-browser-ru
 whitelist ${HOME}/.tor-browser-ru
 # Redirect
diff --git a/etc/tor-browser-vi.profile b/etc/tor-browser-vi.profile
index b0284814c..cd1c5b0b3 100644
--- a/etc/tor-browser-vi.profile
+++ b/etc/tor-browser-vi.profile
@@ -2,6 +2,8 @@
 # This file is overwritten after every install/update
 noblacklist ${HOME}/.tor-browser-vi
+mkdir ${HOME}/.tor-browser-vi
 whitelist ${HOME}/.tor-browser-vi
 # Redirect
diff --git a/etc/tor-browser-zh-cn.profile b/etc/tor-browser-zh-cn.profile
index 330574dd3..bf1bc75d6 100644
--- a/etc/tor-browser-zh-cn.profile
+++ b/etc/tor-browser-zh-cn.profile
@@ -2,6 +2,8 @@
 # This file is overwritten after every install/update
 noblacklist ${HOME}/.tor-browser-zh-cn
+mkdir ${HOME}/.tor-browser-zh-cn
 whitelist ${HOME}/.tor-browser-zh-cn
 # Redirect
diff --git a/etc/tor.profile b/etc/tor.profile
index 5029cf9b1..e37fd232c 100644
--- a/etc/tor.profile
+++ b/etc/tor.profile
@@ -41,6 +41,7 @@ writable-var
 disable-mnt
 private
 private-bin tor,bash
+private-cache
 private-dev
 private-etc tor,passwd
 private-tmp
diff --git a/etc/torbrowser-launcher.profile b/etc/torbrowser-launcher.profile
index a33707ee4..9e3e0ef49 100644
--- a/etc/torbrowser-launcher.profile
+++ b/etc/torbrowser-launcher.profile
@@ -41,7 +41,7 @@ shell none
 tracelog
 disable-mnt
-private-bin bash,cp,dirname,env,expr,file,getconf,gpg,grep,id,ln,mkdir,python*,readlink,rm,sed,sh,tail,tclsh,test,tor-browser-en,torbrowser-launcher
+private-bin bash,cp,dirname,env,expr,file,getconf,gpg,grep,id,ln,mkdir,python*,readlink,rm,sed,sh,tail,tar,tclsh,test,tor-browser-en,torbrowser-launcher,xz
 private-dev
 private-etc fonts,hostname,hosts,resolv.conf,pki,ssl,ca-certificates,crypto-policies,alsa,asound.conf,pulse,machine-id,ld.so.cache
 private-tmp
diff --git a/etc/totem.profile b/etc/totem.profile
index fecf12a4c..0b9252d6c 100644
--- a/etc/totem.profile
+++ b/etc/totem.profile
@@ -28,6 +28,7 @@ seccomp
 shell none
 private-bin totem
+private-cache
 private-dev
 # private-etc fonts
 private-tmp
diff --git a/etc/uefitool.profile b/etc/uefitool.profile
index 2ab2d2652..70d694ac9 100644
--- a/etc/uefitool.profile
+++ b/etc/uefitool.profile
@@ -27,6 +27,7 @@ protocol unix
 seccomp
 shell none
+private-cache
 private-dev
 private-tmp
diff --git a/etc/unrar.profile b/etc/unrar.profile
index ba2a86f4c..40ee277e0 100644
--- a/etc/unrar.profile
+++ b/etc/unrar.profile
@@ -4,7 +4,8 @@ quiet
 # Persistent local customizations
 include /etc/firejail/unrar.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+# added by included default.profile
+#include /etc/firejail/globals.local
 blacklist /tmp/.X11-unix
diff --git a/etc/unzip.profile b/etc/unzip.profile
index 95c27e976..1a1142fe8 100644
--- a/etc/unzip.profile
+++ b/etc/unzip.profile
@@ -4,7 +4,8 @@ quiet
 # Persistent local customizations
 include /etc/firejail/unzip.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+# added by included default.profile
+#include /etc/firejail/globals.local
 blacklist /tmp/.X11-unix
diff --git a/etc/uudeview.profile b/etc/uudeview.profile
index b64ecaa3e..f71f0150d 100644
--- a/etc/uudeview.profile
+++ b/etc/uudeview.profile
@@ -4,7 +4,8 @@ quiet
 # Persistent local customizations
 include /etc/firejail/uudeview.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+# added by included default.profile
+#include /etc/firejail/globals.local
 hostname uudeview
 ignore noroot
@@ -18,6 +19,7 @@ shell none
 tracelog
 private-bin uudeview
+private-cache
 private-dev
 private-etc ld.so.preload
diff --git a/etc/viewnior.profile b/etc/viewnior.profile
index d867e0e05..ce4983337 100644
--- a/etc/viewnior.profile
+++ b/etc/viewnior.profile
@@ -34,6 +34,7 @@ shell none
 tracelog
 private-bin viewnior
+private-cache
 private-dev
 private-etc fonts
 private-tmp
diff --git a/etc/w3m.profile b/etc/w3m.profile
index 59544f5b5..bfc7874cf 100644
--- a/etc/w3m.profile
+++ b/etc/w3m.profile
@@ -31,6 +31,7 @@ shell none
 tracelog
 # private-bin w3m
+private-cache
 private-dev
 private-etc resolv.conf,ssl,pki,ca-certificates,crypto-policies
 private-tmp
diff --git a/etc/webstorm.profile b/etc/webstorm.profile
index 93bcb50bb..1a77fd833 100644
--- a/etc/webstorm.profile
+++ b/etc/webstorm.profile
@@ -35,5 +35,6 @@ protocol unix,inet,inet6
 seccomp
 shell none
+private-cache
 private-dev
 private-tmp
diff --git a/etc/wireshark.profile b/etc/wireshark.profile
index 5130a4e64..8ab672279 100644
--- a/etc/wireshark.profile
+++ b/etc/wireshark.profile
@@ -8,6 +8,11 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.config/wireshark
 noblacklist ${HOME}/.wireshark
+# Wireshark can use Lua for scripting
+noblacklist ${PATH}/lua*
+noblacklist /usr/lib/lua
+noblacklist /usr/include/lua*
+noblacklist /usr/share/lua
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
diff --git a/etc/xfce4-dict.profile b/etc/xfce4-dict.profile
index 0be0b56a5..fc5294d5b 100644
--- a/etc/xfce4-dict.profile
+++ b/etc/xfce4-dict.profile
@@ -28,6 +28,7 @@ seccomp
 shell none
 disable-mnt
+private-cache
 private-dev
 private-tmp
diff --git a/etc/xfce4-notes.profile b/etc/xfce4-notes.profile
index 484b66722..5749b7832 100644
--- a/etc/xfce4-notes.profile
+++ b/etc/xfce4-notes.profile
@@ -30,6 +30,7 @@ seccomp
 shell none
 disable-mnt
+private-cache
 private-dev
 private-tmp
diff --git a/etc/xzdec.profile b/etc/xzdec.profile
index 5913fd07a..93b6d5093 100644
--- a/etc/xzdec.profile
+++ b/etc/xzdec.profile
@@ -4,7 +4,8 @@ quiet
 # Persistent local customizations
 include /etc/firejail/xzdec.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+# added by included default.profile
+#include /etc/firejail/globals.local
 blacklist /tmp/.X11-unix
diff --git a/etc/zathura.profile b/etc/zathura.profile
index 028e15ef5..6cdbbe99b 100644
--- a/etc/zathura.profile
+++ b/etc/zathura.profile
@@ -29,6 +29,7 @@ seccomp
 shell none
 private-bin zathura
+private-cache
 private-dev
 private-etc fonts,machine-id
 private-tmp
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index da614ae90..718c2f973 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -15,7 +15,6 @@ Natron
 Telegram
 Viber
 VirtualBox
-Wire
 Xephyr
 XMind
 abrowser
@@ -173,6 +172,7 @@ gnome-font-viewer
 gnome-logs
 gnome-maps
 gnome-mplayer
+gnome-mpv
 gnome-music
 gnome-photos
 gnome-recipes
@@ -341,6 +341,7 @@ redeclipse
 remmina
 rhythmbox
 ricochet
+riot-desktop
 riot-web
 ristretto
 rocketchat
@@ -433,7 +434,7 @@ weechat-curses
 wesnoth
 wget
 wine
-wire
+wire-desktop
 wireshark
 wireshark-gtk
 wireshark-qt
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 6dc28b9bb..68e93e16e 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -175,15 +175,6 @@ int checkcfg(int val) {
                                else
                                        goto errout;
                        }
-                        // private-cache
-                        else if (strncmp(ptr, "private-cache ", 14) == 0) {
-                                if (strcmp(ptr + 14, "yes") == 0)
-                                        cfg_val[CFG_PRIVATE_CACHE] = 1;
-                                else if (strcmp(ptr + 14, "no") == 0)
-                                        cfg_val[CFG_PRIVATE_CACHE] = 0;
-                                else
-                                        goto errout;
-                        }
                        // seccomp
                        else if (strncmp(ptr, "seccomp ", 8) == 0) {
                                if (strcmp(ptr + 8, "yes") == 0)
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 3e05591b8..f554c8ddf 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -104,7 +104,7 @@
 // profiles
 #define DEFAULT_USER_PROFILE    "default"
 #define DEFAULT_ROOT_PROFILE    "server"
-#define MAX_INCLUDE_LEVEL 6             // include levels in profile files
+#define MAX_INCLUDE_LEVEL 16            // include levels in profile files
 #define ASSERT_PERMS(file, uid, gid, mode) \
@@ -227,7 +227,6 @@ typedef struct config_t {
        char *lib_private_keep; // keep list for private bin directory
        char *cwd;              // current working directory
        char *overlay_dir;
-        char *private_template; // template dir for tmpfs home
        // networking
        char *name;             // sandbox name
@@ -307,7 +306,7 @@ static inline int any_interface_configured(void) {
 }
 extern int arg_private;         // mount private /home
-extern int arg_private_template; // private /home template
+extern int arg_private_cache;   // private home/.cache
 extern int arg_debug;           // print debug messages
 extern int arg_debug_blacklists;        // print debug messages for blacklists
 extern int arg_debug_whitelists;        // print debug messages for whitelists
@@ -566,12 +565,8 @@ void fs_dev_disable_u2f(void);
 void fs_private(void);
 // private mode (--private=homedir)
 void fs_private_homedir(void);
-// private template (--private-template=templatedir)
-void fs_private_template(void);
 // check new private home directory (--private= option) - exit if it fails
 void fs_check_private_dir(void);
-// check new private template home directory (--private-template= option) exit if it fails
-void fs_check_private_template(void);
 void fs_private_home_list(void);
@@ -753,7 +748,6 @@ enum {
        CFG_PRIVATE_LIB,
        CFG_APPARMOR,
        CFG_DBUS,
-        CFG_PRIVATE_CACHE,
        CFG_MAX // this should always be the last entry
 };
 extern char *xephyr_screen;
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 68b09dcbd..24ff553d7 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -27,12 +27,7 @@
 #include <glob.h>
 #include <dirent.h>
 #include <errno.h>
-// on Debian 7 we are missing O_PATH definition
 #include <fcntl.h>
-#ifndef O_PATH
-#define O_PATH          010000000
-#endif
 // check noblacklist statements not matched by a proper blacklist in disable-*.inc files
 //#define TEST_NO_BLACKLIST_MATCHING
@@ -1353,8 +1348,10 @@ void fs_private_cache(void) {
                fwarning("user .cache is a symbolic link, tmpfs not mounted\n");
                return;
        }
-        if (stat(cache, &s) == -1 || !S_ISDIR(s.st_mode))
+        if (stat(cache, &s) == -1 || !S_ISDIR(s.st_mode)) {
+                fwarning("no user .cache directory found, tmpfs not mounted\n");
                return;
+        }
        if (s.st_uid != getuid()) {
                fwarning("user .cache is not owned by current user, tmpfs not mounted\n");
                return;
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c
index 9ef80e5c3..d52b3996a 100644
--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -196,7 +196,6 @@ static void whitelist_path(ProfileEntry *entry) {
        const char *fname;
        char *wfile = NULL;
-        EUID_USER();
        if (entry->home_dir) {
                if (strncmp(path, cfg.homedir, strlen(cfg.homedir)) == 0) {
                        fname = path + strlen(cfg.homedir);
@@ -204,7 +203,8 @@ static void whitelist_path(ProfileEntry *entry) {
                                goto errexit;
                }
                else
-                        fname = path;
+                        // symlink pointing outside /home, skip the mount
+                        return;
                if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_HOME_USER_DIR, fname) == -1)
                        errExit("asprintf");
@@ -236,17 +236,27 @@ static void whitelist_path(ProfileEntry *entry) {
                        errExit("asprintf");
        }
        else if (entry->var_dir) {
-                fname = path + 5; // strlen("/var/")
+                if (strncmp(path, "/var/", 5) == 0) {
-                if (*fname == '\0')
+                        fname = path + 5; // strlen("/var/")
-                        goto errexit;
+                        if (*fname == '\0')
+                                goto errexit;
+                }
+                else
+                        // symlink pointing outside /var, skip the mount
+                        return;
                if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_VAR_DIR, fname) == -1)
                        errExit("asprintf");
        }
        else if (entry->dev_dir) {
-                fname = path + 5; // strlen("/dev/")
+                if (strncmp(path, "/dev/", 5) == 0) {
-                if (*fname == '\0')
+                        fname = path + 5; // strlen("/dev/")
-                        goto errexit;
+                        if (*fname == '\0')
+                                goto errexit;
+                }
+                else
+                        // symlink pointing outside /dev, skip the mount
+                        return;
                if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_DEV_DIR, fname) == -1)
                        errExit("asprintf");
@@ -268,9 +278,14 @@ static void whitelist_path(ProfileEntry *entry) {
                        errExit("asprintf");
        }
        else if (entry->etc_dir) {
-                fname = path + 5; // strlen("/etc/")
+                if (strncmp(path, "/etc/", 5) == 0) {
-                if (*fname == '\0')
+                        fname = path + 5; // strlen("/etc/")
-                        goto errexit;
+                        if (*fname == '\0')
+                                goto errexit;
+                }
+                else
+                        // symlink pointing outside /etc, skip the mount
+                        return;
                if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_ETC_DIR, fname) == -1)
                        errExit("asprintf");
@@ -291,20 +306,22 @@ static void whitelist_path(ProfileEntry *entry) {
                if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_MODULE_DIR, fname) == -1)
                        errExit("asprintf");
        }
+        assert(wfile);
        // check if the file exists
-        assert(wfile);
+        EUID_USER();
        struct stat s;
        if (stat(wfile, &s) == 0) {
                if (arg_debug || arg_debug_whitelists)
                        printf("Whitelisting %s\n", path);
        }
        else {
+                free(wfile);
                EUID_ROOT();
                return;
        }
        EUID_ROOT();
        // create the path if necessary
        mkpath(path, s.st_mode);
        fs_logger2("whitelist", path);
@@ -329,8 +346,10 @@ static void whitelist_path(ProfileEntry *entry) {
                        SET_PERMS_STREAM(fp, s.st_uid, s.st_gid, s.st_mode);
                        fclose(fp);
                }
-                else
+                else {
+                        free(wfile);
                        return; // the file is already present
+                }
        }
        // mount
@@ -565,22 +584,25 @@ void fs_whitelist(void) {
                        entry->var_dir = 1;
                        var_dir = 1;
                        // both path and absolute path are under /var
-                        // exceptions: /var/run and /var/lock
+                        // exceptions: /var/tmp, /var/run and /var/lock
-                        if (strcmp(new_name, "/var/run")== 0)
+                        if (strcmp(new_name, "/var/run")== 0 && strcmp(fname, "/run") == 0);
-                                ;
+                        else if (strcmp(new_name, "/var/lock")== 0 && strcmp(fname, "/run/lock") == 0);
-                        else if (strcmp(new_name, "/var/lock")== 0)
+                        else if (strcmp(new_name, "/var/tmp")== 0 && strcmp(fname, "/tmp") == 0);
-                                ;
+                        else {
-                        else if (strncmp(fname, "/var/", 5) != 0) {
+                                // both path and absolute path are under /var
-                                goto errexit;
+                                if (strncmp(fname, "/var/", 5) != 0) {
+                                        goto errexit;
+                                }
                        }
                }
                else if (strncmp(new_name, "/dev/", 5) == 0) {
                        entry->dev_dir = 1;
                        dev_dir = 1;
                        // special handling for /dev/shm
                        // on some platforms (Debian wheezy, Ubuntu 14.04), it is a symlink to /run/shm
                        if (strcmp(new_name, "/dev/shm") == 0 && strcmp(fname, "/run/shm") == 0);
+                        // special handling for /dev/log, which can be a symlink to /run/systemd/journal/dev-log
+                        else if (strcmp(new_name, "/dev/log") == 0 && strcmp(fname, "/run/systemd/journal/dev-log") == 0);
                        // special processing for /proc/self/fd files
                        else if (strcmp(new_name, "/dev/fd") == 0 && strcmp(fname, "/proc/self/fd") == 0);
                        else if (strcmp(new_name, "/dev/stdin") == 0 && strcmp(fname, "/proc/self/fd/0") == 0);
@@ -897,38 +919,28 @@ void fs_whitelist(void) {
 //printf("here %d#%s#\n", __LINE__, entry->data);
                // whitelist the real file
-                if (strcmp(entry->data, "whitelist /run") == 0 &&
+                whitelist_path(entry);
-                    (strcmp(entry->link, "/var/run") == 0 || strcmp(entry->link, "/var/lock") == 0)) {
-                        int rv = symlink(entry->data + 10, entry->link);
+                // create the link if any
-                        if (rv)
+                if (entry->link) {
-                                fprintf(stderr, "Warning cannot create symbolic link %s\n", entry->link);
+                        // if the link is already there, do not bother
-                        else if (arg_debug || arg_debug_whitelists)
+                        struct stat s;
-                                printf("Created symbolic link %s -> %s\n", entry->link, entry->data + 10);
+                        if (stat(entry->link, &s) != 0) {
-                }
+                                // create the path if necessary
-                else {
+                                mkpath(entry->link, s.st_mode);
-                        whitelist_path(entry);
+                                int rv = symlink(entry->data + 10, entry->link);
-                        // create the link if any
+                                if (rv)
-                        if (entry->link) {
+                                        fprintf(stderr, "Warning cannot create symbolic link %s\n", entry->link);
-                                // if the link is already there, do not bother
+                                else if (arg_debug || arg_debug_whitelists)
-                                struct stat s;
+                                        printf("Created symbolic link %s -> %s\n", entry->link, entry->data + 10);
-                                if (stat(entry->link, &s) != 0) {
-                                        // create the path if necessary
+                                // check again for files in /tmp directory
-                                        mkpath(entry->link, s.st_mode);
+                                if (strncmp(entry->link, "/tmp/", 5) == 0) {
+                                        char *path = realpath(entry->link, NULL);
-                                        int rv = symlink(entry->data + 10, entry->link);
+                                        if (path == NULL || strncmp(path, "/tmp/", 5) != 0)
-                                        if (rv)
+                                                errLogExit("invalid whitelist symlink %s\n", entry->link);
-                                                fprintf(stderr, "Warning cannot create symbolic link %s\n", entry->link);
+                                        free(path);
-                                        else if (arg_debug || arg_debug_whitelists)
-                                                printf("Created symbolic link %s -> %s\n", entry->link, entry->data + 10);
-                                        // check again for files in /tmp directory
-                                        if (strncmp(entry->link, "/tmp/", 5) == 0) {
-                                                char *path = realpath(entry->link, NULL);
-                                                if (path == NULL || strncmp(path, "/tmp/", 5) != 0)
-                                                        errLogExit("invalid whitelist symlink %s\n", entry->link);
-                                                free(path);
-                                        }
                                }
                        }
                }
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 9babb72de..50b2da7b9 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -45,7 +45,7 @@ gid_t firejail_gid = 0;
 static char child_stack[STACK_SIZE];            // space for child's stack
 Config cfg;                                     // configuration
 int arg_private = 0;                            // mount private /home and /tmp directoryu
-int arg_private_template = 0;   // mount private /home using a template
+int arg_private_cache = 0;              // mount private home/.cache
 int arg_debug = 0;                              // print debug messages
 int arg_debug_blacklists = 0;                   // print debug messages for blacklists
 int arg_debug_whitelists = 0;                   // print debug messages for whitelists
@@ -1681,6 +1681,9 @@ int main(int argc, char **argv) {
                else if (strcmp(argv[i], "--private-tmp") == 0) {
                        arg_private_tmp = 1;
                }
+                else if (strcmp(argv[i], "--private-cache") == 0) {
+                        arg_private_cache = 1;
+                }
                //*************************************
                // hostname, etc
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 88d27f09f..22db6f5fb 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -217,6 +217,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                arg_allusers = 1;
                return 0;
        }
+        else if (strcmp(ptr, "private-cache") == 0) {
+                arg_private_cache = 1;
+                return 0;
+        }
        else if (strcmp(ptr, "private-dev") == 0) {
                arg_private_dev = 1;
                return 0;
diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c
index e39f6f50c..521f144e8 100644
--- a/src/firejail/pulseaudio.c
+++ b/src/firejail/pulseaudio.c
@@ -23,13 +23,7 @@
 #include <sys/mount.h>
 #include <dirent.h>
 #include <sys/wait.h>
-// on Debian 7 we are missing O_PATH definition
 #include <fcntl.h>
-#ifndef O_PATH
-#define O_PATH          010000000
-#endif
 // disable pulseaudio socket
 void pulseaudio_disable(void) {
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index a1400db34..7922da9b9 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -833,9 +833,14 @@ int sandbox(void* sandbox_arg) {
                }
        }
-        // private cache directory by default
+        if (arg_private_cache) {
-        if (checkcfg(CFG_PRIVATE_CACHE))
+                if (cfg.chrootdir)
-                fs_private_cache();
+                        fwarning("private-cache feature is disabled in chroot\n");
+                else if (arg_overlay)
+                        fwarning("private-cache feature is disabled in overlay\n");
+                else
+                        fs_private_cache();
+        }
        if (arg_private_tmp) {
                // private-tmp is implemented as a whitelist
diff --git a/src/firejail/util.c b/src/firejail/util.c
index f6233359a..eb59e36be 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -29,12 +29,7 @@
 #include <sys/ioctl.h>
 #include <termios.h>
 #include <sys/wait.h>
-// on Debian 7 we are missing O_PATH definition
 #include <fcntl.h>
-#ifndef O_PATH
-#define O_PATH          010000000
-#endif
 #define MAX_GROUPS 1024
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index 62a769508..df6092dff 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -514,7 +514,7 @@ void x11_start_xephyr(int argc, char **argv) {
        assert(pos < (sizeof(server_argv)/sizeof(*server_argv)));
        assert(server_argv[pos-1] == NULL);       // last element is null
-        if (arg_debug) {
+        {
                size_t i = 0;
                printf("\n*** Starting xephyr server:");
                while (server_argv[i]!=NULL) {
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index c32fdf8f4..851eb1026 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -221,6 +221,10 @@ filesystem, and copy the files and directories in the list in the
 new home. All modifications are discarded when the sandbox is
 closed.
 .TP
+\fBprivate-cache
+Mount an empty temporary filesystem on top of the .cache directory in user home. All
+modifications are discarded when the sandbox is closed.
+.TP
 \fBprivate-bin file,file
 Build a new /bin in a temporary filesystem, and copy the programs in the list.
 The same directory is also bind-mounted over /sbin, /usr/bin and /usr/sbin.
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 760249e70..d527c05d8 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1322,6 +1322,17 @@ Example:
 $ firejail \-\-private-home=.mozilla firefox
 .TP
+\fB\-\-private-cache
+Mount an empty temporary filesystem on top of the .cache directory in user home. All
+modifications are discarded when the sandbox is closed.
+.br
+.br
+Example:
+.br
+$ firejail \-\-private-cache openbox
+.TP
 \fB\-\-private-bin=file,file
 Build a new /bin in a temporary filesystem, and copy the programs in the list.
 If no listed file is found, /bin directory will be empty.