72 files changed, 1111 insertions, 78 deletions

diff --git a/README b/README
index 7e9a690bf..1a7f5cea0 100644
--- a/README
+++ b/README
@@ -58,6 +58,8 @@ Firejail Authors (alphabetical order)
         - fix flameshot raw screenshots
 1dnrr (https://github.com/1dnrr)
         - add pybitmessage profile
+Adrian L. Shaw (https://github.com/adrianlshaw)
+        - add profanity profile
 Aidan Gauland (https://github.com/aidalgol)
         - added electron and riot-web profiles
 Akhil Hans Maulloo (https://github.com/kouul)
@@ -735,6 +737,9 @@ startx2017 (https://github.com/startx2017)
         - kwrite and geary profiles
 StelFux (https://github.com/StelFux)
         - Fix youtube video in totem
+the-antz (https://github.com/the-antz)
+        - Fix libx265 encoding in ffmpeg profile
+        - Profile tweaks
 thewisenerd (https://github.com/thewisenerd)
         - allow multiple private-home commands
         - use $SHELL variable if the shell is not specified
diff --git a/README.md b/README.md
index 4ae9ef519..8d012fabf 100644
--- a/README.md
+++ b/README.md
@@ -18,8 +18,41 @@ The sandbox is lightweight, the overhead is low. There are no complicated config
 no socket connections open, no daemons running in the background. All security features are
 implemented directly in Linux kernel and available on any Linux computer.
 
-[![Firejail Firefox Demo](video.png)](https://www.youtube.com/watch?v=kCnAxD144nU)
-
+<table><tr>
+
+<td>
+<a href="http://www.youtube.com/watch?feature=player_embedded&v=7RMz7tePA98
+" target="_blank"><img src="http://img.youtube.com/vi/7RMz7tePA98/0.jpg"
+alt="Firejail Intro video" width="240" height="180" border="10" /><br/>Firejail Intro</a>
+</td>
+
+<td>
+<a href="http://www.youtube.com/watch?feature=player_embedded&v=J1ZsXrpAgBU
+" target="_blank"><img src="http://img.youtube.com/vi/J1ZsXrpAgBU/0.jpg"
+alt="Firejail Intro video" width="240" height="180" border="10" /><br/>Firejail Demo</a>
+</td>
+
+<td>
+<a href="http://www.youtube.com/watch?feature=player_embedded&v=EyEz65RYfw4
+" target="_blank"><img src="http://img.youtube.com/vi/EyEz65RYfw4/0.jpg"
+alt="Firejail Intro video" width="240" height="180" border="10" /><br/>Debian Install</a>
+</td>
+
+
+</tr><tr>
+<td>
+<a href="http://www.youtube.com/watch?feature=player_embedded&v=Uy2ZTHc4s0w
+" target="_blank"><img src="http://img.youtube.com/vi/Uy2ZTHc4s0w/0.jpg"
+alt="Firejail Intro video" width="240" height="180" border="10" /><br/>Arch Linux Install</a>
+
+</td>
+<td>
+<a href="http://www.youtube.com/watch?feature=player_embedded&v=xuMxRx0zSfQ
+" target="_blank"><img src="http://img.youtube.com/vi/xuMxRx0zSfQ/0.jpg"
+alt="Firejail Intro video" width="240" height="180" border="10" /><br/>Disable Network Access</a>
+
+</td>
+</tr></table>
 
 Project webpage: https://firejail.wordpress.com/
 
@@ -112,14 +145,14 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe
 `````
 
 `````
-## Latest released version: 0.9.60
+## Latest released version: 0.9.60 - release 0.9.62 pending
+
+The development for 0.9.62 is handled on release-0.9.62 branch.
 
-## Current development version: 0.9.61
+I had to cut the release branch again as of this commit - big fixes from @smitsohu and @glitsj16.
+Also problems with the configure script as reported by @matu3ba. I am reusing the same
+name for the release branch, release-0.9.62, so if you have an old release-0.9.62 branch around,
+get rid of it and load the new one.
 
-## New profiles:
 
-gnome-sound-recorder, godot, jerry, keepassxc-cli, keepassxc-proxy, klatexformula, klatexformula_cmdl, links, newsbeuter, OpenArena,
-pandoc, qgis, rhythmbox-client, tcpdump, teams-for-linux, tshark, xlinks, zeal, mpg123, conplay, mpg123.bin, mpg123-alsa, mpg123-id3dump,
-mpg123-jack, mpg123-nas, mpg123-openal, mpg123-oss, mpg123-portaudio, mpg123-pulse, mpg123-strip, out123, pavucontrol-qt,
-gnome-characters, gnome-character-map, rsync, Whalebird, tor-browser (AUR), Zulip, tb-starter-wrapper, bzcat, kiwix-desktop, ar,
-gnome-latex, pngquant, kalgebra, kalgebramobile, signal-cli, amuled, kfind
+## Current development version: 0.9.63
diff --git a/RELNOTES b/RELNOTES
index f83aa803f..202d7a366 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -22,7 +22,9 @@ firejail (0.9.61) baseline; urgency=low
   * new profiles: tor-browser (AUR), Zulip, tb-starter-wrapper, bzcat,
   * new profiles: kiwix-desktop, bzcat, zstd, pzstd, zstdcat, zstdgrep, zstdless
   * new profiles: zstdmt, unzstd, i2p, ar, gnome-latex, pngquant, kalgebra
-  * new profiles: kalgebramobile, signal-cli, amuled, kfind
+  * new profiles: kalgebramobile, signal-cli, amuled, kfind, profanity
+  * new profiles: audio-recorder, cameramonitor, ddgtk, drawio, unf, gmpc
+  * new profiles: electron-mail, gist, gist-paste
  -- netblue30 <netblue30@yahoo.com>  Sat, 1 Jun 2019 08:00:00 -0500
 
 firejail (0.9.60) baseline; urgency=low
diff --git a/configure b/configure
index fda292896..94f719710 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for firejail 0.9.61.
+# Generated by GNU Autoconf 2.69 for firejail 0.9.63.
 #
 # Report bugs to <netblue30@yahoo.com>.
 #
@@ -580,8 +580,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='firejail'
 PACKAGE_TARNAME='firejail'
-PACKAGE_VERSION='0.9.61'
-PACKAGE_STRING='firejail 0.9.61'
+PACKAGE_VERSION='0.9.63'
+PACKAGE_STRING='firejail 0.9.63'
 PACKAGE_BUGREPORT='netblue30@yahoo.com'
 PACKAGE_URL='https://firejail.wordpress.com'
 
@@ -1276,7 +1276,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures firejail 0.9.61 to adapt to many kinds of systems.
+\`configure' configures firejail 0.9.63 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1337,7 +1337,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of firejail 0.9.61:";;
+     short | recursive ) echo "Configuration of firejail 0.9.63:";;
    esac
   cat <<\_ACEOF
 
@@ -1450,7 +1450,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-firejail configure 0.9.61
+firejail configure 0.9.63
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -1752,7 +1752,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by firejail $as_me 0.9.61, which was
+It was created by firejail $as_me 0.9.63, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -3386,8 +3386,8 @@ if test "x$enable_apparmor" = "xyes"; then :
         HAVE_APPARMOR="-DHAVE_APPARMOR"
 
 pkg_failed=no
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for libapparmor" >&5
-$as_echo_n "checking for libapparmor... " >&6; }
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for AA" >&5
+$as_echo_n "checking for AA... " >&6; }
 
 if test -n "$AA_CFLAGS"; then
     pkg_cv_AA_CFLAGS="$AA_CFLAGS"
@@ -3427,7 +3427,7 @@ fi
 
 
 if test $pkg_failed = yes; then
-        { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
 
 if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
@@ -3454,7 +3454,7 @@ Alternatively, you may set the environment variables AA_CFLAGS
 and AA_LIBS to avoid the need to call pkg-config.
 See the pkg-config man page for more details." "$LINENO" 5
 elif test $pkg_failed = untried; then
-        { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
         { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
@@ -4701,7 +4701,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by firejail $as_me 0.9.61, which was
+This file was extended by firejail $as_me 0.9.63, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -4755,7 +4755,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-firejail config.status 0.9.61
+firejail config.status 0.9.63
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
diff --git a/configure.ac b/configure.ac
index 27dcb39c5..8ee2fbadc 100644
--- a/configure.ac
+++ b/configure.ac
@@ -12,7 +12,7 @@
 #
 
 AC_PREREQ([2.68])
-AC_INIT(firejail, 0.9.61, netblue30@yahoo.com, , https://firejail.wordpress.com)
+AC_INIT(firejail, 0.9.63, netblue30@yahoo.com, , https://firejail.wordpress.com)
 AC_CONFIG_SRCDIR([src/firejail/main.c])
 
 AC_CONFIG_MACRO_DIR([m4])
diff --git a/etc/7z.profile b/etc/7z.profile
index 284aa37a2..5ff02e1c0 100644
--- a/etc/7z.profile
+++ b/etc/7z.profile
@@ -1,4 +1,5 @@
 # Firejail profile for 7z
+# Description: File archiver with high compression ratio
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations
diff --git a/etc/7za.profile b/etc/7za.profile
index 14188e1f0..9cd04cad1 100644
--- a/etc/7za.profile
+++ b/etc/7za.profile
@@ -1,4 +1,5 @@
 # Firejail profile for 7za
+# Description: File archiver with high compression ratio
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations
diff --git a/etc/7zr.profile b/etc/7zr.profile
index 2cb42fa40..bd3842900 100644
--- a/etc/7zr.profile
+++ b/etc/7zr.profile
@@ -1,4 +1,5 @@
 # Firejail profile for 7zr
+# Description: File archiver with high compression ratio
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations
diff --git a/etc/audio-recorder.profile b/etc/audio-recorder.profile
new file mode 100644
index 000000000..afd1033de
--- /dev/null
+++ b/etc/audio-recorder.profile
@@ -0,0 +1,51 @@
+# Firejail profile for audio-recorder
+# Description: Audio Recorder Application
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include audio-recorder.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist ${MUSIC}
+whitelist ${DOWNLOADS}
+whitelist /usr/share/audio-recorder
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+disable-mnt
+# private-bin audio-recorder
+private-cache
+private-etc alternatives,fonts
+private-tmp
+
+# memory-deny-write-execute - breaks on Arch
diff --git a/etc/baobab.profile b/etc/baobab.profile
index c419aa202..79d4b23f9 100644
--- a/etc/baobab.profile
+++ b/etc/baobab.profile
@@ -6,7 +6,7 @@ include baobab.local
 # Persistent global definitions
 include globals.local
 
-include disable-common.inc
+# include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
diff --git a/etc/brasero.profile b/etc/brasero.profile
index 058253308..67fc07afb 100644
--- a/etc/brasero.profile
+++ b/etc/brasero.profile
@@ -32,5 +32,3 @@ tracelog
 private-cache
 # private-dev
 # private-tmp
-
-memory-deny-write-execute
diff --git a/etc/brave-browser-beta.profile b/etc/brave-browser-beta.profile
new file mode 100644
index 000000000..528a6402d
--- /dev/null
+++ b/etc/brave-browser-beta.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for brave (beta channel)
+# This file is overwritten after every install/update
+
+# Redirect
+include brave.profile
diff --git a/etc/brave-browser-dev.profile b/etc/brave-browser-dev.profile
new file mode 100644
index 000000000..4601de119
--- /dev/null
+++ b/etc/brave-browser-dev.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for brave (development channel)
+# This file is overwritten after every install/update
+
+# Redirect
+include brave.profile
diff --git a/etc/brave-browser-nightly.profile b/etc/brave-browser-nightly.profile
new file mode 100644
index 000000000..43d3cc724
--- /dev/null
+++ b/etc/brave-browser-nightly.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for brave (nightly channel)
+# This file is overwritten after every install/update
+
+# Redirect
+include brave.profile
diff --git a/etc/brave-browser-stable.profile b/etc/brave-browser-stable.profile
new file mode 100644
index 000000000..06d33dea4
--- /dev/null
+++ b/etc/brave-browser-stable.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for brave (release channel)
+# This file is overwritten after every install/update
+
+# Redirect
+include brave.profile
diff --git a/etc/brave.profile b/etc/brave.profile
index 984fab5a8..35c59f5a3 100644
--- a/etc/brave.profile
+++ b/etc/brave.profile
@@ -1,6 +1,6 @@
 # Firejail profile for brave
-# This file is overwritten after every install/update
 # Description: Web browser that blocks ads and trackers by default.
+# This file is overwritten after every install/update
 # Persistent local customizations
 include brave.local
 # Persistent global definitions
@@ -9,16 +9,24 @@ include globals.local
 # noexec /tmp is included in chromium-common.profile and breaks Brave
 ignore noexec /tmp
 
-noblacklist ${HOME}/.config/brave
+noblacklist ${HOME}/.cache/BraveSoftware
 noblacklist ${HOME}/.config/BraveSoftware
+noblacklist ${HOME}/.config/brave
+noblacklist ${HOME}/.config/brave-flags.conf
 # brave uses gpg for built-in password manager
 noblacklist ${HOME}/.gnupg
 
-mkdir ${HOME}/.config/brave
+mkdir ${HOME}/.cache/BraveSoftware
 mkdir ${HOME}/.config/BraveSoftware
-whitelist ${HOME}/.config/brave
+mkdir ${HOME}/.config/brave
+whitelist ${HOME}/.cache/BraveSoftware
 whitelist ${HOME}/.config/BraveSoftware
+whitelist ${HOME}/.config/brave
+whitelist ${HOME}/.config/brave-flags.conf
 whitelist ${HOME}/.gnupg
 
+# Brave sandbox needs read access to /proc/config.gz
+noblacklist /proc/config.gz
+
 # Redirect
 include chromium-common.profile
diff --git a/etc/cameramonitor.profile b/etc/cameramonitor.profile
new file mode 100644
index 000000000..1d7aa0f9c
--- /dev/null
+++ b/etc/cameramonitor.profile
@@ -0,0 +1,53 @@
+# Firejail profile for cameramonitor
+# Description: A little monitor to check your webcam status
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include cameramonitor.local
+# Persistent global definitions
+include globals.local
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist /usr/share/cameramonitor
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+#nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin cameramonitor,python*
+private-cache
+private-etc alternatives,fonts
+private-tmp
+
+# memory-deny-write-execute - breaks on Arch
diff --git a/etc/ddgtk.profile b/etc/ddgtk.profile
new file mode 100644
index 000000000..ef65046e1
--- /dev/null
+++ b/etc/ddgtk.profile
@@ -0,0 +1,54 @@
+# Firejail profile for ddgtk
+# Description: A frontend GUI to dd for making bootable USB disks
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ddgtk.local
+# Persistent global definitions
+include globals.local
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist ${DOWNLOADS}
+whitelist /usr/share/ddgtk
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+disable-mnt
+private-bin bash,dd,ddgtk,grep,lsblk,python*,sed,sh,tr
+private-cache
+private-etc alternatives,fonts
+private-tmp
+
+# memory-deny-write-execute - breaks on Arch
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index b2837b443..16f231108 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -376,7 +376,10 @@ blacklist ${PATH}/crontab
 blacklist ${PATH}/evtest
 blacklist ${PATH}/expiry
 blacklist ${PATH}/fusermount
+blacklist ${PATH}/gksu
+blacklist ${PATH}/gksudo
 blacklist ${PATH}/gpasswd
+blacklist ${PATH}/kdesudo
 blacklist ${PATH}/ksu
 blacklist ${PATH}/mount
 blacklist ${PATH}/mount.ecryptfs_private
@@ -449,3 +452,6 @@ blacklist ${HOME}/Mail
 blacklist ${HOME}/mail
 blacklist ${HOME}/postponed
 blacklist ${HOME}/sent
+
+# kernel configuration
+blacklist /proc/config.gz
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index fa98825f4..b1605e757 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -132,6 +132,7 @@ blacklist ${HOME}/.config/bnox
 blacklist ${HOME}/.config/borg
 blacklist ${HOME}/.config/brasero
 blacklist ${HOME}/.config/brave
+blacklist ${HOME}/.config/brave-flags.conf
 blacklist ${HOME}/.config/caja
 blacklist ${HOME}/.config/calibre
 blacklist ${HOME}/.config/cantata
@@ -158,7 +159,9 @@ blacklist ${HOME}/.config/dkl
 blacklist ${HOME}/.config/dnox
 blacklist ${HOME}/.config/dolphinrc
 blacklist ${HOME}/.config/dragonplayerrc
+blacklist ${HOME}/.config/draw.io
 blacklist ${HOME}/.config/d-feet
+blacklist ${HOME}/.config/electron-mail
 blacklist ${HOME}/.config/emaildefaults
 blacklist ${HOME}/.config/emailidentities
 blacklist ${HOME}/.config/enchant
@@ -181,6 +184,7 @@ blacklist ${HOME}/.config/ghb
 blacklist ${HOME}/.config/ghostwriter
 blacklist ${HOME}/.config/git
 blacklist ${HOME}/.config/globaltime
+blacklist ${HOME}/.config/gmpc
 blacklist ${HOME}/.config/gnome-builder
 blacklist ${HOME}/.config/gnome-latex
 blacklist ${HOME}/.config/gnome-mplayer
@@ -260,6 +264,7 @@ blacklist ${HOME}/.config/onionshare
 blacklist ${HOME}/.config/opera
 blacklist ${HOME}/.config/opera-beta
 blacklist ${HOME}/.config/orage
+blacklist ${HOME}/.config/org.gabmus.gfeeds.json
 blacklist ${HOME}/.config/org.kde.gwenviewrc
 blacklist ${HOME}/.config/pavucontrol-qt
 blacklist ${HOME}/.config/pavucontrol.ini
@@ -271,6 +276,7 @@ blacklist ${HOME}/.config/pix
 blacklist ${HOME}/.config/pluma
 blacklist ${HOME}/.config/ppsspp
 blacklist ${HOME}/.config/pragha
+blacklist ${HOME}/.config/profanity
 blacklist ${HOME}/.config/psi+
 blacklist ${HOME}/.config/qBittorrent
 blacklist ${HOME}/.config/qBittorrentrc
@@ -360,6 +366,7 @@ blacklist ${HOME}/.freecol
 blacklist ${HOME}/.freemind
 blacklist ${HOME}/.frozen-bubble
 blacklist ${HOME}/.gimp*
+blacklist ${HOME}/.gist
 blacklist ${HOME}/.gitconfig
 blacklist ${HOME}/.gnome/gnome-schedule
 blacklist ${HOME}/.googleearth/Cache
@@ -557,6 +564,7 @@ blacklist ${HOME}/.local/share/orage
 blacklist ${HOME}/.local/share/org.kde.gwenview
 blacklist ${HOME}/.local/share/pix
 blacklist ${HOME}/.local/share/plasma_notes
+blacklist ${HOME}/.local/share/profanity
 blacklist ${HOME}/.local/share/psi+
 blacklist ${HOME}/.local/share/qpdfview
 blacklist ${HOME}/.local/share/qutebrowser
@@ -689,6 +697,7 @@ blacklist /var/lib/games/Maelstrom-Scores
 blacklist ${HOME}/.cache/0ad
 blacklist ${HOME}/.cache/8pecxstudios
 blacklist ${HOME}/.cache/Authenticator
+blacklist ${HOME}/.cache/BraveSoftware
 blacklist ${HOME}/.cache/Clementine
 blacklist ${HOME}/.cache/Enox
 blacklist ${HOME}/.cache/Enpass
@@ -701,6 +710,7 @@ blacklist ${HOME}/.cache/Zeal
 blacklist ${HOME}/.cache/akonadi*
 blacklist ${HOME}/.cache/atril
 blacklist ${HOME}/.cache/attic
+blacklist ${HOME}/.cache/babl
 blacklist ${HOME}/.cache/bnox
 blacklist ${HOME}/.cache/borg
 blacklist ${HOME}/.cache/calibre
@@ -713,6 +723,7 @@ blacklist ${HOME}/.cache/darktable
 blacklist ${HOME}/.cache/discover
 blacklist ${HOME}/.cache/dnox
 blacklist ${HOME}/.cache/dolphin
+blacklist ${HOME}/.cache/ephemeral
 blacklist ${HOME}/.cache/epiphany
 blacklist ${HOME}/.cache/evolution
 blacklist ${HOME}/.cache/falkon
@@ -721,6 +732,7 @@ blacklist ${HOME}/.cache/font-manager
 blacklist ${HOME}/.cache/fossamail
 blacklist ${HOME}/.cache/freecol
 blacklist ${HOME}/.cache/gajim
+blacklist ${HOME}/.cache/gegl-0.4
 blacklist ${HOME}/.cache/geeqie
 blacklist ${HOME}/.cache/gimp
 blacklist ${HOME}/.cache/godot
@@ -769,6 +781,7 @@ blacklist ${HOME}/.cache/netsurf
 blacklist ${HOME}/.cache/okular
 blacklist ${HOME}/.cache/opera
 blacklist ${HOME}/.cache/opera-beta
+blacklist ${HOME}/.cache/org.gabmus.gfeeds
 blacklist ${HOME}/.cache/org.gnome.Books
 blacklist ${HOME}/.cache/org.gnome.Maps
 blacklist ${HOME}/.cache/pdfmod
diff --git a/etc/drawio.profile b/etc/drawio.profile
new file mode 100644
index 000000000..d4fd735a1
--- /dev/null
+++ b/etc/drawio.profile
@@ -0,0 +1,51 @@
+# Firejail profile for drawio
+# Description: Diagram drawing application built on web technology - desktop version
+# This file is overwritten after every install/update
+# Persistent local customizations
+include drawio.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/draw.io
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/draw.io
+whitelist ${HOME}/.config/draw.io
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp !chroot
+shell none
+# tracelog - breaks on Arch
+
+private-bin drawio
+private-cache
+private-dev
+private-etc alternatives,fonts
+private-tmp
+
+# memory-deny-write-execute - breaks on Arch
diff --git a/etc/electron-mail.profile b/etc/electron-mail.profile
new file mode 100644
index 000000000..bde8978df
--- /dev/null
+++ b/etc/electron-mail.profile
@@ -0,0 +1,52 @@
+# Firejail profile for electron-mail
+# Description: Unofficial desktop app for several E2E encrypted email providers
+# This file is overwritten after every install/update
+# Persistent local customizations
+include electron-mail.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/electron-mail
+
+whitelist ${DOWNLOADS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/electron-mail
+whitelist ${HOME}/.config/electron-mail
+
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+no3d
+# nodbus - breaks tray functionality
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp !chroot
+shell none
+# tracelog - breaks on Arch
+
+private-bin electron-mail
+private-cache
+private-dev
+private-etc alternatives,fonts
+private-opt ElectronMail
+private-tmp
+
+# memory-deny-write-execute - breaks on Arch
diff --git a/etc/ephemeral.profile b/etc/ephemeral.profile
new file mode 100644
index 000000000..fa7746da5
--- /dev/null
+++ b/etc/ephemeral.profile
@@ -0,0 +1,61 @@
+# Firejail profile for ephemeral
+# Description: The always-incognito web browser
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ephemeral.local
+# Persistent global definitions
+include globals.local
+
+# enforce private-cache
+#noblacklist ${HOME}/.cache/ephemeral
+
+noblacklist ${HOME}/.pki
+noblacklist ${HOME}/.local/share/pki
+
+# noexec ${HOME} breaks DRM binaries.
+?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+# enforce private-cache
+#mkdir ${HOME}/.cache/ephemeral
+mkdir ${HOME}/.pki
+mkdir ${HOME}/.local/share/pki
+# enforce private-cache
+#whitelist ${HOME}/.cache/ephemeral
+whitelist ${HOME}/.pki
+whitelist ${HOME}/.local/share/pki
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+# machine-id breaks pulse audio; it should work fine in setups where sound is not required.
+#machine-id
+netfilter
+# nodbus breaks preferences
+#nodbus
+nodvd
+nogroups
+nonewprivs
+# noroot breaks GTK_USE_PORTAL=1 usage, see https://github.com/netblue30/firejail/issues/2506.
+noroot
+notv
+?BROWSER_DISABLE_U2F: nou2f
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-cache
+private-dev
+# private-etc below works fine on most distributions. There are some problems on CentOS.
+#private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,localtime,login.defs,machine-id,mailcap,mime.types,nsswitch.conf,os-release,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-tmp
diff --git a/etc/ffmpeg.profile b/etc/ffmpeg.profile
index 19d9a7644..67c0ed311 100644
--- a/etc/ffmpeg.profile
+++ b/etc/ffmpeg.profile
@@ -18,6 +18,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+whitelist /usr/share/devedeng
 whitelist /usr/share/ffmpeg
 whitelist /usr/share/qtchooser
 include whitelist-usr-share-common.inc
@@ -38,7 +39,8 @@ notv
 nou2f
 novideo
 protocol inet,inet6
-seccomp
+# allow set_mempolicy, which is required to encode using libx265
+seccomp !set_mempolicy
 shell none
 tracelog
 
diff --git a/etc/firefox-wayland.profile b/etc/firefox-wayland.profile
index 068da5ee3..17c9f059e 100644
--- a/etc/firefox-wayland.profile
+++ b/etc/firefox-wayland.profile
@@ -1,4 +1,4 @@
-# Firejail profile for firefox-wayland
+# Firejail profile alias for firefox-wayland
 # This file is overwritten after every install/update
 # Persistent local customizations
 include firefox-wayland.local
diff --git a/etc/firejail-default b/etc/firejail-default
index a012f5440..2987e538c 100644
--- a/etc/firejail-default
+++ b/etc/firejail-default
@@ -57,6 +57,9 @@ owner /{,var/}run/media/** w,
 # Allow access to cups printing socket.
 /{,var/}run/cups/cups.sock w,
 
+# Allow access to pcscd socket (smartcards)
+/{,var/}run/pcscd/pcscd.comm w,
+
 # Needed for firefox sandbox
 /proc/@{PID}/{uid_map,gid_map,setgroups} w,
 
@@ -148,14 +151,6 @@ capability setfcap,
 #capability mac_override,
 #capability mac_admin,
 
-##########
-# We let Firejail deal with mount/umount functionality.
-##########
-mount,
-remount,
-umount,
-pivot_root,
-
 # Site-specific additions and overrides. See local/README for details.
 #include <local/firejail-local>
 }
diff --git a/etc/gconf.profile b/etc/gconf.profile
index 2f930235c..25145c77d 100644
--- a/etc/gconf.profile
+++ b/etc/gconf.profile
@@ -52,7 +52,7 @@ private-bin gconf-editor,gconf-merge-*,gconfpkg,gconftool-2,gsettings-*-convert,
 private-cache
 private-dev
 private-etc alternatives,fonts,gconf
-private-lib libpython*,python2*
+private-lib GConf,libpython*,python2*
 private-tmp
 
 memory-deny-write-execute
diff --git a/etc/gfeeds.profile b/etc/gfeeds.profile
new file mode 100644
index 000000000..dcb33bc38
--- /dev/null
+++ b/etc/gfeeds.profile
@@ -0,0 +1,56 @@
+# Firejail profile for gfeeds
+# Description: RSS/Atom feed reader for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gfeeds.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/org.gabmus.gfeeds
+noblacklist ${HOME}/.config/org.gabmus.gfeeds.json
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/org.gabmus.gfeeds
+mkfile ${HOME}/.config/org.gabmus.gfeeds.json
+whitelist ${HOME}/.cache/org.gabmus.gfeeds
+whitelist ${HOME}/.config/org.gabmus.gfeeds.json
+whitelist /usr/share/gfeeds
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+no3d
+#nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin gfeeds,python3*
+# private-cache -- feeds are stored in ~/.cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,dbus-1,dconf,fonts,gconf,group,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,passwd,pki,protocols,resolv.conf,rpc,services,ssl,X11,xdg
+private-tmp
diff --git a/etc/gimp.profile b/etc/gimp.profile
index 81ae95645..5c0631eb2 100644
--- a/etc/gimp.profile
+++ b/etc/gimp.profile
@@ -11,6 +11,8 @@ include globals.local
 # or put 'noexec ${HOME}' in your gimp.local
 ignore noexec ${HOME}
 
+noblacklist ${HOME}/.cache/babl
+noblacklist ${HOME}/.cache/gegl-0.4
 noblacklist ${HOME}/.cache/gimp
 noblacklist ${HOME}/.config/GIMP
 noblacklist ${HOME}/.gimp*
@@ -23,8 +25,10 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+whitelist /usr/share/gegl-0.4
 whitelist /usr/share/gimp
 whitelist /usr/share/mypaint-data
+whitelist /usr/share/lensfun
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/gist-paste.profile b/etc/gist-paste.profile
new file mode 100644
index 000000000..56b3176ed
--- /dev/null
+++ b/etc/gist-paste.profile
@@ -0,0 +1,12 @@
+# Firejail profile for gist-paste
+# Description: Potentially the best command line gister
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include gist-paste.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gist.profile
diff --git a/etc/gist.profile b/etc/gist.profile
new file mode 100644
index 000000000..7413238c8
--- /dev/null
+++ b/etc/gist.profile
@@ -0,0 +1,58 @@
+# Firejail profile for gist
+# Description: Potentially the best command line gister
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include gist.local
+# Persistent global definitions
+include globals.local
+
+blacklist /tmp/.X11-unix
+
+noblacklist ${HOME}/.gist
+
+# Allow ruby (blacklisted by disable-interpreters.inc)
+include allow-ruby.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.gist
+whitelist ${HOME}/.gist
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-cache
+private-dev
+private-etc alternatives
+private-tmp
+
+memory-deny-write-execute
diff --git a/etc/gmpc.profile b/etc/gmpc.profile
new file mode 100644
index 000000000..b1546db30
--- /dev/null
+++ b/etc/gmpc.profile
@@ -0,0 +1,53 @@
+# Firejail profile for gmpc
+# Description: MPD client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gmpc.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/gmpc
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/gmpc
+whitelist ${HOME}/.config/gmpc
+whitelist ${MUSIC}
+whitelist /usr/share/gmpc
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+#nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+#private-bin gmpc
+private-cache
+private-etc alternatives,fonts
+private-tmp
+writable-run-user
+
+# memory-deny-write-execute - breaks on Arch
diff --git a/etc/gpg-agent.profile b/etc/gpg-agent.profile
index 36e50370e..c11773147 100644
--- a/etc/gpg-agent.profile
+++ b/etc/gpg-agent.profile
@@ -1,6 +1,7 @@
 # Firejail profile for gpg-agent
 # Description: GNU privacy guard - cryptographic agent
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include gpg-agent.local
 # Persistent global definitions
diff --git a/etc/gpg.profile b/etc/gpg.profile
index 1ed5e484a..5eb18a0bc 100644
--- a/etc/gpg.profile
+++ b/etc/gpg.profile
@@ -1,6 +1,7 @@
 # Firejail profile for gpg
 # Description: GNU Privacy Guard -- minimalist public key operations
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include gpg.local
 # Persistent global definitions
diff --git a/etc/gpg2.profile b/etc/gpg2.profile
new file mode 100644
index 000000000..b831b0f62
--- /dev/null
+++ b/etc/gpg2.profile
@@ -0,0 +1,13 @@
+# Firejail profile for gpg2
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include gpg2.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# private-bin gpg2
+
+# Redirect
+include gpg.profile
diff --git a/etc/gtk-update-icon-cache.profile b/etc/gtk-update-icon-cache.profile
new file mode 100644
index 000000000..fd35a563b
--- /dev/null
+++ b/etc/gtk-update-icon-cache.profile
@@ -0,0 +1,51 @@
+# Firejail profile for gtk-update-icon-cache
+# Description: Icon theme caching utility
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include gtk-update-icon-cache.local
+# Persistent global definitions
+include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+disable-mnt
+private-bin gtk-update-icon-cache
+private-cache
+private-dev
+private-etc none
+private-lib
+private-tmp
+
+memory-deny-write-execute
diff --git a/etc/gzexe.profile b/etc/gzexe.profile
new file mode 100644
index 000000000..bb570d553
--- /dev/null
+++ b/etc/gzexe.profile
@@ -0,0 +1,11 @@
+# Firejail profile for gzexe
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include gzexe.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gzip.profile
diff --git a/etc/ooffice.profile b/etc/ooffice.profile
new file mode 100644
index 000000000..8348a57fe
--- /dev/null
+++ b/etc/ooffice.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for libreoffice
+# This file is overwritten after every install/update
+
+# Redirect
+include libreoffice.profile
diff --git a/etc/ooviewdoc.profile b/etc/ooviewdoc.profile
new file mode 100644
index 000000000..8348a57fe
--- /dev/null
+++ b/etc/ooviewdoc.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for libreoffice
+# This file is overwritten after every install/update
+
+# Redirect
+include libreoffice.profile
diff --git a/etc/openoffice.org.profile b/etc/openoffice.org.profile
new file mode 100644
index 000000000..8348a57fe
--- /dev/null
+++ b/etc/openoffice.org.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for libreoffice
+# This file is overwritten after every install/update
+
+# Redirect
+include libreoffice.profile
diff --git a/etc/p7zip.profile b/etc/p7zip.profile
index 7e0069afc..652fac7bd 100644
--- a/etc/p7zip.profile
+++ b/etc/p7zip.profile
@@ -1,5 +1,5 @@
 # Firejail profile for p7zip
-# Description: 7zr file archiver with high compression ratio
+# Description: File archiver with high compression ratio
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations
diff --git a/etc/profanity.profile b/etc/profanity.profile
new file mode 100644
index 000000000..6ca9314e9
--- /dev/null
+++ b/etc/profanity.profile
@@ -0,0 +1,50 @@
+# Firejail profile for profanity
+# Description: profanity is an XMPP chat client for the terminal
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include profanity.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/profanity
+noblacklist ${HOME}/.local/share/profanity
+
+# Allow Python
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-bin profanity
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,localtime,mime.types,nsswitch.conf,pki,resolv.conf,ssl
+private-tmp
+
+memory-deny-write-execute
diff --git a/etc/seahorse-tool.profile b/etc/seahorse-tool.profile
index 4bf23c512..96ff74edf 100644
--- a/etc/seahorse-tool.profile
+++ b/etc/seahorse-tool.profile
@@ -7,9 +7,9 @@ include seahorse-tool.local
 # added by included profile
 #include globals.local
 
+# private-etc workaround for: #2877
+private-etc firejail,login.defs,passwd
 private-tmp
 
-memory-deny-write-execute
-
 # Redirect
 include seahorse.profile
diff --git a/etc/seahorse.profile b/etc/seahorse.profile
index 6acf8aa5d..5a742d05f 100644
--- a/etc/seahorse.profile
+++ b/etc/seahorse.profile
@@ -20,17 +20,19 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-mkdir ${HOME}/.gnupg
-mkdir ${HOME}/.ssh
-whitelist ${HOME}/.gnupg
-whitelist ${HOME}/.ssh
+# whitelisting in ${HOME} breaks file encryption feature of nautilus.
+# once #2882 is fixed this can be uncommented and nowhitelisted in seahorse-tool.profile
+#mkdir ${HOME}/.gnupg
+#mkdir ${HOME}/.ssh
+#whitelist ${HOME}/.gnupg
+#whitelist ${HOME}/.ssh
 whitelist /tmp/ssh-*
 whitelist /usr/share/gnupg
 whitelist /usr/share/gnupg2
 whitelist /usr/share/seahorse
 whitelist /usr/share/seahorse-nautilus
+#include whitelist-common.inc
 include whitelist-usr-share-common.inc
-include whitelist-common.inc
 include whitelist-var-common.inc
 
 apparmor
diff --git a/etc/thunderbird-wayland.profile b/etc/thunderbird-wayland.profile
index 031d331e7..9fbb80d29 100644
--- a/etc/thunderbird-wayland.profile
+++ b/etc/thunderbird-wayland.profile
@@ -1,5 +1,10 @@
 # Firejail profile alias for thunderbird-wayland
 # This file is overwritten after every install/update
+# Persistent local customizations
+include thunderbird-wayland.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
 
 # Redirect
 include thunderbird.profile
diff --git a/etc/thunderbird.profile b/etc/thunderbird.profile
index ea6e3855d..e30b57498 100644
--- a/etc/thunderbird.profile
+++ b/etc/thunderbird.profile
@@ -14,7 +14,7 @@ noblacklist ${HOME}/.gnupg
 # noblacklist ${HOME}/.icedove
 noblacklist ${HOME}/.thunderbird
 
-# Uncomment the next 4 lines or put they in your thunderbird.local to
+# Uncomment the next 4 lines or put them in your thunderbird.local to
 # allow Firefox to load your profile when clicking a link in an email
 #noblacklist ${HOME}/.cache/mozilla
 #noblacklist ${HOME}/.mozilla
@@ -39,7 +39,7 @@ whitelist ${HOME}/.thunderbird
 
 # We need the real /tmp for data exchange when xdg-open handles email attachments on KDE
 ignore private-tmp
-# machine-id breaks audio in browsers; enable it when sound is not required
+# machine-id breaks audio in browsers; enable or put it in your thunderbird.local when sound is not required
 # machine-id
 read-only ${HOME}/.config/mimeapps.list
 # writable-run-user and dbus are needed by enigmail
diff --git a/etc/uncompress.profile b/etc/uncompress.profile
new file mode 100644
index 000000000..f659d8e87
--- /dev/null
+++ b/etc/uncompress.profile
@@ -0,0 +1,11 @@
+# Firejail profile for uncompress
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include uncompress.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gzip.profile
diff --git a/etc/unf.profile b/etc/unf.profile
new file mode 100644
index 000000000..1f0b2aa32
--- /dev/null
+++ b/etc/unf.profile
@@ -0,0 +1,54 @@
+# Firejail profile for unf
+# Description: UNixize Filename -- replace annoying anti-unix characters in filenames
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include unf.local
+# Persistent global definitions
+include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+hostname unf
+ipc-namespace
+machine-id
+net none
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+disable-mnt
+private-bin unf
+private-cache
+?HAS_APPIMAGE: ignore private-dev
+private-dev
+private-etc alternatives
+private-lib libgcc_s.so.*
+private-tmp
+
+memory-deny-write-execute
diff --git a/etc/whitelist-usr-share-common.inc b/etc/whitelist-usr-share-common.inc
index f1b7bd960..322bdefe9 100644
--- a/etc/whitelist-usr-share-common.inc
+++ b/etc/whitelist-usr-share-common.inc
@@ -15,6 +15,7 @@ whitelist /usr/share/enchant
 whitelist /usr/share/enchant-2
 whitelist /usr/share/fontconfig
 whitelist /usr/share/fonts
+whitelist /usr/share/gir-1.0
 whitelist /usr/share/gjs-1.0
 whitelist /usr/share/glib-2.0
 whitelist /usr/share/glvnd
@@ -40,6 +41,7 @@ whitelist /usr/share/p11-kit
 whitelist /usr/share/pixmaps
 whitelist /usr/share/pki
 whitelist /usr/share/plasma
+whitelist /usr/share/publicsuffix
 whitelist /usr/share/qt
 whitelist /usr/share/qt4
 whitelist /usr/share/qt5
diff --git a/etc/wine.profile b/etc/wine.profile
index 29e79c3f5..67e3952e1 100644
--- a/etc/wine.profile
+++ b/etc/wine.profile
@@ -18,8 +18,9 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
-# uncomment next line if seccomp breaks a program
-# allow-debuggers
+# some applications don't need allow-debuggers, comment the next line
+# if it is not necessary (or put 'ignore allow-debuggers' in your wine.local)
+allow-debuggers
 caps.drop all
 # net none
 netfilter
diff --git a/etc/zcat.profile b/etc/zcat.profile
new file mode 100644
index 000000000..12932ea92
--- /dev/null
+++ b/etc/zcat.profile
@@ -0,0 +1,11 @@
+# Firejail profile for zcat
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include zcat.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gzip.profile
diff --git a/etc/zcmp.profile b/etc/zcmp.profile
new file mode 100644
index 000000000..795cdae2a
--- /dev/null
+++ b/etc/zcmp.profile
@@ -0,0 +1,11 @@
+# Firejail profile for zcmp
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include zcmp.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gzip.profile
diff --git a/etc/zdiff.profile b/etc/zdiff.profile
new file mode 100644
index 000000000..1e75e38fe
--- /dev/null
+++ b/etc/zdiff.profile
@@ -0,0 +1,11 @@
+# Firejail profile for zdiff
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include zdiff.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gzip.profile
diff --git a/etc/zegrep.profile b/etc/zegrep.profile
new file mode 100644
index 000000000..54dc6b2a0
--- /dev/null
+++ b/etc/zegrep.profile
@@ -0,0 +1,11 @@
+# Firejail profile for zegrep
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include zegrep.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gzip.profile
diff --git a/etc/zfgrep.profile b/etc/zfgrep.profile
new file mode 100644
index 000000000..73b22f2e8
--- /dev/null
+++ b/etc/zfgrep.profile
@@ -0,0 +1,11 @@
+# Firejail profile for zfgrep
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include zfgrep.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gzip.profile
diff --git a/etc/zforce.profile b/etc/zforce.profile
new file mode 100644
index 000000000..d62e57065
--- /dev/null
+++ b/etc/zforce.profile
@@ -0,0 +1,11 @@
+# Firejail profile for zforce
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include zforce.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gzip.profile
diff --git a/etc/zgrep.profile b/etc/zgrep.profile
new file mode 100644
index 000000000..b39a58420
--- /dev/null
+++ b/etc/zgrep.profile
@@ -0,0 +1,11 @@
+# Firejail profile for zgrep
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include zgrep.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gzip.profile
diff --git a/etc/zless.profile b/etc/zless.profile
new file mode 100644
index 000000000..0a26cda1f
--- /dev/null
+++ b/etc/zless.profile
@@ -0,0 +1,11 @@
+# Firejail profile for zless
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include zless.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gzip.profile
diff --git a/etc/zmore.profile b/etc/zmore.profile
new file mode 100644
index 000000000..3a8f63562
--- /dev/null
+++ b/etc/zmore.profile
@@ -0,0 +1,11 @@
+# Firejail profile for zmore
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include zmore.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gzip.profile
diff --git a/etc/znew.profile b/etc/znew.profile
new file mode 100644
index 000000000..a8593e58e
--- /dev/null
+++ b/etc/znew.profile
@@ -0,0 +1,11 @@
+# Firejail profile for znew
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include znew.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gzip.profile
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index e997598af..e8ec20273 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -57,6 +57,7 @@ atril-previewer
 atril-thumbnailer
 audacious
 audacity
+audio-recorder
 authenticator
 autokey-gtk
 autokey-qt
@@ -82,6 +83,10 @@ brackets
 brasero
 brave
 brave-browser
+brave-browser-beta
+brave-browser-dev
+brave-browser-nightly
+brave-browser-stable
 bunzip2
 bzcat
 bzflag
@@ -96,6 +101,7 @@ calligraplanwork
 calligrasheets
 calligrastage
 calligrawords
+cameramonitor
 cantata
 catfish
 celluloid
@@ -132,6 +138,7 @@ cvlc
 cyberfox
 darktable
 dconf-editor
+ddgtk
 deadbeef
 deluge
 devhelp
@@ -151,10 +158,12 @@ dooble
 dooble-qt4
 dosbox
 dragon
+drawio
 dropbox
 d-feet
 easystroke
 ebook-viewer
+electron-mail
 electrum
 elinks
 empathy
@@ -167,6 +176,7 @@ enox
 enpass
 eog
 eom
+ephemeral
 #epiphany
 etr
 evince
@@ -222,16 +232,20 @@ geary
 gedit
 geekbench
 geeqie
+gfeeds
 ghb
 ghostwriter
 gimp
 gimp-2.10
 gimp-2.8
+gist
+gist-paste
 gitg
 github-desktop
 gitter
 gjs
 globaltime
+gmpc
 gnome-2048
 gnome-books
 gnome-builder
@@ -445,9 +459,12 @@ odt2txt
 oggsplt
 okular
 onionshare-gui
+ooffice
+ooviewdoc
 open-invaders
 openarena
 opencity
+openoffice.org
 openshot
 openshot-qt
 openttd
@@ -482,6 +499,7 @@ pngquant
 polari
 ppsspp
 pragha
+profanity
 psi-plus
 pybitmessage
 # pycharm-community - FB note: may enable later
@@ -627,6 +645,7 @@ udiskie
 uefitool
 uget-gtk
 unbound
+unf
 unknown-horizons
 unzstd
 utox
diff --git a/src/firecfg/main.c b/src/firecfg/main.c
index 3f5921322..9a2efebd2 100644
--- a/src/firecfg/main.c
+++ b/src/firecfg/main.c
@@ -443,15 +443,33 @@ int main(int argc, char **argv) {
         // set new symlinks based on /usr/lib/firejail/firecfg.cfg
         set_links_firecfg();
 
-        // add user to firejail access database - only for root
         if (getuid() == 0) {
+                // add user to firejail access database - only for root
                 printf("\nAdding user %s to Firejail access database in %s/firejail.users\n", user, SYSCONFDIR);
                 // temporarily set the umask, access database must be world-readable
                 mode_t orig_umask = umask(022);
                 firejail_user_add(user);
                 umask(orig_umask);
+
+#ifdef HAVE_APPARMOR
+                // enable firejail apparmor profile
+                struct stat s;
+                if (stat("/sbin/apparmor_parser", &s) == 0) {
+                        char *cmd;
+
+                        // SYSCONFDIR points to /etc/firejail, we have to go on level up (..)
+                        printf("\nLoading AppArmor profile\n");
+                        if (asprintf(&cmd, "/sbin/apparmor_parser -r /etc/apparmor.d/firejail-default %s/../apparmor.d/firejail-default", SYSCONFDIR) == -1)
+                                errExit("asprintf");
+                        int rv = system(cmd);
+                        (void) rv;
+                        free(cmd);
+                }
+#endif
         }
 
+
+
         // set new symlinks based on ~/.config/firejail directory
         set_links_homedir(home);
 
diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c
index e886e81da..520960db2 100644
--- a/src/firejail/appimage.c
+++ b/src/firejail/appimage.c
@@ -113,12 +113,12 @@ void appimage_set(const char *appimage) {
         EUID_ROOT();
         if (size == 0) {
                 fmessage("Mounting appimage type 1\n");
-                if (mount(devloop, mntdir, "iso9660", flags,  mode) < 0)
+                if (mount(devloop, mntdir, "iso9660", flags, mode) < 0)
                         errExit("mounting appimage");
         }
         else {
                 fmessage("Mounting appimage type 2\n");
-                if (mount(devloop, mntdir, "squashfs", flags,  mode) < 0)
+                if (mount(devloop, mntdir, "squashfs", flags, NULL) < 0)
                         errExit("mounting appimage");
         }
 
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 1f0ccac1a..316057ec5 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -535,6 +535,14 @@ void fs_remount(const char *dir, OPERATION op, unsigned check_mnt) {
 
 void fs_remount_rec(const char *dir, OPERATION op, unsigned check_mnt) {
         assert(dir);
+        struct stat s;
+        if (stat(dir, &s) != 0)
+                return;
+        if (!S_ISDIR(s.st_mode)) {
+                // no need to search in /proc/self/mountinfo for submounts if not a directory
+                fs_remount(dir, op, check_mnt);
+                return;
+        }
         // get mount point of the directory
         int mountid = get_mount_id(dir);
         if (mountid == -1)
@@ -634,7 +642,8 @@ void fs_proc_sys_dev_boot(void) {
         // various /proc files
         disable_file(BLACKLIST_FILE, "/proc/irq");
         disable_file(BLACKLIST_FILE, "/proc/bus");
-        disable_file(BLACKLIST_FILE, "/proc/config.gz");
+        // move /proc/config.gz to disable-common.inc
+        //disable_file(BLACKLIST_FILE, "/proc/config.gz");
         disable_file(BLACKLIST_FILE, "/proc/sched_debug");
         disable_file(BLACKLIST_FILE, "/proc/timer_list");
         disable_file(BLACKLIST_FILE, "/proc/timer_stats");
@@ -1139,6 +1148,9 @@ void fs_overlayfs(void) {
 
 // this function is called from sandbox.c before blacklist/whitelist functions
 void fs_private_tmp(void) {
+        if (arg_debug)
+                printf("Generate private-tmp whitelist commands\n");
+
         // check XAUTHORITY file, KDE keeps it under /tmp
         char *xauth = getenv("XAUTHORITY");
         if (xauth) {
diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c
index eb03eb35f..082f8b4a0 100644
--- a/src/firejail/fs_etc.c
+++ b/src/firejail/fs_etc.c
@@ -189,5 +189,10 @@ void fs_private_dir_list(const char *private_dir, const char *private_run_dir, c
                 errExit("mount bind");
         fs_logger2("mount", private_dir);
 
+        // mask private_run_dir (who knows if there are writable paths, and it is mounted exec)
+        if (mount("tmpfs", private_run_dir, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME,  "mode=755,gid=0") < 0)
+                errExit("mounting tmpfs");
+        fs_logger2("tmpfs", private_run_dir);
+
         fmessage("Private %s installed in %0.2f ms\n", private_dir, timetrace_end());
 }
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
index d09f92697..cfa0af078 100644
--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -315,7 +315,7 @@ void fs_private_homedir(void) {
                         errExit("mounting /root directory");
                 fs_logger("tmpfs /root");
         }
-        if (u == 0 || strncmp(homedir, "/home/", 6) != 0) {
+        if (u == 0 && !arg_allusers) {
                 // mask /home
                 if (arg_debug)
                         printf("Mounting a new /home directory\n");
@@ -606,7 +606,7 @@ void fs_private_home_list(void) {
                         errExit("mounting /root directory");
                 fs_logger("tmpfs /root");
         }
-        if (uid == 0 || strncmp(homedir, "/home/", 6) != 0) {
+        if (uid == 0 && !arg_allusers) {
                 // mask /home
                 if (arg_debug)
                         printf("Mounting a new /home directory\n");
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 1786cfac2..179f8ddf9 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -55,7 +55,9 @@ uid_t firejail_uid = 0;
 gid_t firejail_gid = 0;
 
 #define STACK_SIZE (1024 * 1024)
-static char child_stack[STACK_SIZE] __attribute__((aligned(8)));                // space for child's stack
+#define STACK_ALIGNMENT 16
+static char child_stack[STACK_SIZE] __attribute__((aligned(STACK_ALIGNMENT)));          // space for child's stack
+
 Config cfg;                                     // configuration
 int arg_private = 0;                            // mount private /home and /tmp directoryu
 int arg_private_cache = 0;              // mount private home/.cache
@@ -143,6 +145,14 @@ int arg_nou2f = 0; // --nou2f
 int arg_deterministic_exit_code = 0;    // always exit with first child's exit status
 int login_shell = 0;
 
+//**********************************************************************************
+// work in progress!!!
+//**********************************************************************************
+//#define POSTMORTEM
+#ifdef POSTMORTEM
+#include <grp.h>
+pid_t pm_child = 0;
+#endif
 
 int parent_to_child_fds[2];
 int child_to_parent_fds[2];
@@ -176,6 +186,20 @@ static void myexit(int rv) {
 static void my_handler(int s) {
         fmessage("\nParent received signal %d, shutting down the child process...\n", s);
         logsignal(s);
+
+#ifdef POSTMORTEM
+printf("attempt to kill %d\n", pm_child);
+        if (pm_child) {
+                if (waitpid(pm_child, NULL, WNOHANG) == 0) {
+                        if (has_handler(pm_child, s)) // signals are not delivered if there is no handler yet
+                                kill(pm_child, s);
+                        else
+                                kill(pm_child, SIGKILL);
+                        waitpid(pm_child, NULL, 0);
+                }
+        }
+#endif
+
         if (waitpid(child, NULL, WNOHANG) == 0) {
                 if (has_handler(child, s)) // signals are not delivered if there is no handler yet
                         kill(child, s);
@@ -2726,6 +2750,44 @@ int main(int argc, char **argv) {
         }
         EUID_USER();
 
+
+#ifdef POSTMORTEM
+        pm_child = fork();
+        if (pm_child == -1)
+                fprintf(stderr, "Error: cannot start POSTMORTEM process\n");
+        else if (pm_child == 0) {
+                // running --join as root
+                EUID_ROOT();
+                int rv = setgroups(0, NULL);
+                rv |= setuid(0);
+                rv |= setgid(0);
+                if (rv) {
+                        fprintf(stderr, "Error: cannot start POSTMORTEM process\n");
+                        exit(1);
+                }
+
+                prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
+/*problem???*/  sleep(1); // we need to give the sandbox some time to start the namespaces
+                char *joincmd;
+                if (asprintf(&joincmd, "--join-network=%d", child) == -1)
+                        errExit("asprintf");
+
+                // we join only the network ns, the filesystem is intact so we can find tcpdump
+                char *arg[] =  {
+                        "/usr/bin/firejail",
+                        joincmd,
+                        "/usr/sbin/tcpdump",
+                        "-n",
+                        "-q",
+                        NULL
+                };
+                execvp(arg[0], arg);
+                assert(0);
+printf("**********************************\n");
+                exit(1);
+        }
+#endif
+
         int status = 0;
         //*****************************
         // following code is signal-safe
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 2a4353d8d..18d121ca9 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -1111,10 +1111,10 @@ unsigned extract_timeout(const char *str) {
 }
 
 void disable_file_or_dir(const char *fname) {
-        if (arg_debug)
-                printf("blacklist %s\n", fname);
         struct stat s;
         if (stat(fname, &s) != -1) {
+                if (arg_debug)
+                        printf("blacklist %s\n", fname);
                 if (is_dir(fname)) {
                         if (mount(RUN_RO_DIR, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
                                 errExit("disable directory");
@@ -1123,8 +1123,8 @@ void disable_file_or_dir(const char *fname) {
                         if (mount(RUN_RO_FILE, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
                                 errExit("disable file");
                 }
+                fs_logger2("blacklist", fname);
         }
-        fs_logger2("blacklist", fname);
 }
 
 void disable_file_path(const char *path, const char *file) {
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index 944c24bc7..b390ad38e 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -1248,10 +1248,10 @@ void x11_xorg(void) {
                                 disable_file_or_dir(rp);
                         free(rp);
                 }
-                // update environment variable, so our new .Xauthority file is used
-                if (setenv("XAUTHORITY", dest, 1) < 0)
-                        errExit("setenv");
         }
+        // set environment variable
+        if (setenv("XAUTHORITY", dest, 1) < 0)
+                errExit("setenv");
         free(dest);
 #endif
 }
diff --git a/src/lib/common.c b/src/lib/common.c
index 1678a4092..3a7f910e1 100644
--- a/src/lib/common.c
+++ b/src/lib/common.c
@@ -53,7 +53,7 @@ int join_namespace(pid_t pid, char *type) {
 
 errout:
         free(path);
-        fprintf(stderr, "Error: cannot join namespace %s\\n", type);
+        fprintf(stderr, "Error: cannot join namespace %s\n", type);
         return -1;
 
 }
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index cabc4f619..47f5ecbdf 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -2768,6 +2768,15 @@ Sandbox running time in hours:minutes:seconds format.
 USER
 The owner of the sandbox.
 
+.SH RESTRICTED SHELL
+To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in
+/etc/passwd file for each user that needs to be restricted. Alternatively,
+you can specify /usr/bin/firejail  in adduser command:
+
+adduser \-\-shell /usr/bin/firejail username
+
+Additional arguments passed to firejail executable upon login are declared in /etc/firejail/login.users file.
+
 .SH SECURITY PROFILES
 Several command line options can be passed to the program using
 profile files. Firejail chooses the profile file as follows:
@@ -2836,15 +2845,6 @@ Child process initialized
 
 See \fBman 5 firejail-profile\fR for profile file syntax information.
 
-.SH RESTRICTED SHELL
-To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in
-/etc/passwd file for each user that needs to be restricted. Alternatively,
-you can specify /usr/bin/firejail  in adduser command:
-
-adduser \-\-shell /usr/bin/firejail username
-
-Additional arguments passed to firejail executable upon login are declared in /etc/firejail/login.users file.
-
 .SH TRAFFIC SHAPING
 Network bandwidth is an expensive resource shared among all sandboxes running on a system.
 Traffic shaping allows the user to increase network performance by controlling
diff --git a/video.png b/video.png
deleted file mode 100644
index bbebaa040..000000000
--- a/video.png
+++ /dev/null