36 files changed, 163 insertions, 71 deletions

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 19dd2b320..cc3614c99 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -20,12 +20,12 @@ build_debian_package:
         - apt-get install -y -qq build-essential lintian pkg-config
         - ./configure --prefix=/usr && make deb && dpkg -i firejail*.deb
 
-build_redhat_package:
-    image: centos:latest
-    script:
-        - yum update -y
-        - yum install -y rpm-build gcc make
-        - ./configure --prefix=/usr && make rpms && yum install -y firejail*.rpm
+#build_redhat_package:
+#    image: centos:latest
+#    script:
+#        - yum update -y
+#        - yum install -y rpm-build gcc make
+#        - ./configure --prefix=/usr && make rpms && yum install -y firejail*.rpm
 
 build_fedora_package:
     image: fedora:latest
@@ -74,6 +74,7 @@ debian_ci:
         - git config user.email "$GITLAB_USER_NAME" && git config user.name "$GITLAB_USER_EMAIL"
         - cd $CI_PROJECT_DIR/.. && (apt-get source --download-only -t experimental firejail || apt-get source --download-only firejail)
         - cd $CI_PROJECT_DIR && tar xf ../firejail_*.debian.tar.*
+        - rm -rf debian/patches/
         - VERSION=$(grep ^PACKAGE_VERSION= configure | cut -d"'" -f2) && dch -v ${VERSION}-0.1~ci "Non-maintainer upload." && git archive -o ../firejail_${VERSION}.orig.tar.gz HEAD && pristine-tar commit ../firejail_${VERSION}.orig.tar.gz ci_build && git branch -m pristine-tar origin/pristine-tar
         - git add debian && git commit -m "add debian/"
         - export CI_COMMIT_SHA=$(git rev-parse HEAD)
diff --git a/Makefile.in b/Makefile.in
index e065741f5..0285d8592 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -195,7 +195,7 @@ uninstall:
         rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firecfg
         @echo "If you want to install a different version of firejail, you might also need to run 'rm -fr $(DESTDIR)/$(sysconfdir)/firejail', see #2038."
 
-DISTFILES = "src etc platform contrib configure configure.ac dummy.c Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh mkdeb-apparmor.sh COPYING README RELNOTES"
+DISTFILES = "src etc m4 platform contrib configure configure.ac dummy.c Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh mkdeb-apparmor.sh COPYING README RELNOTES"
 DISTFILES_TEST = "test/apps test/apps-x11 test/apps-x11-xorg test/root test/fcopy test/environment test/profiles test/utils test/compile test/filters test/network test/arguments test/fs test/sysutils test/chroot"
 
 dist:
diff --git a/README b/README
index 1a7f5cea0..0fe479a8c 100644
--- a/README
+++ b/README
@@ -53,7 +53,7 @@ Committers
 
 Firejail Authors (alphabetical order)
 
-7twin (https://github.com/7twin_
+7twin (https://github.com/7twin_)
         - fix typos
         - fix flameshot raw screenshots
 1dnrr (https://github.com/1dnrr)
@@ -565,6 +565,8 @@ PizzaDude (https://github.com/pizzadude)
         - added profile for torbrowser-launcher
         - added profile for sayonara and qmmp
         - remove tracelog from Firefox profile
+polyzen (https://github.com/polyzen)
+        - fixed wusc issue with mpv/Vulkan
 probonopd (https://github.com/probonopd)
         - automatic build on Travis CI
 pshpsh (https://github.com/pshpsh)
diff --git a/etc/allow-ruby.inc b/etc/allow-ruby.inc
new file mode 100644
index 000000000..3165a981a
--- /dev/null
+++ b/etc/allow-ruby.inc
@@ -0,0 +1,2 @@
+noblacklist ${PATH}/ruby
+noblacklist /usr/lib/ruby
diff --git a/etc/aria2c.profile b/etc/aria2c.profile
index 72e577d56..2fb6dd25f 100644
--- a/etc/aria2c.profile
+++ b/etc/aria2c.profile
@@ -8,6 +8,8 @@ include globals.local
 
 noblacklist ${HOME}/.aria2
 
+blacklist /tmp/.X11-unix
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -39,7 +41,7 @@ private-bin aria2c,gzip
 # Uncomment the next line (or put 'private-cache' in your aria2c.local) if you don't use Lutris/winetricks (see issue #2772)
 #private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,groups,login.defs,machine-id,nsswitch.conf,passwd,pki,resolv.conf,ssl
 private-lib libreadline.so.*
 private-tmp
 
diff --git a/etc/artha.profile b/etc/artha.profile
index f1d30a415..31f8887c4 100644
--- a/etc/artha.profile
+++ b/etc/artha.profile
@@ -7,22 +7,28 @@ include artha.local
 include globals.local
 
 noblacklist ${HOME}/.config/artha.conf
+noblacklist ${HOME}/.config/artha.log
 noblacklist ${HOME}/.config/enchant
 
+blacklist /tmp/.X11-unix
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 
-mkdir ${HOME}/.config/artha.conf
-mkdir ${HOME}/.config/enchant
-whitelist ${HOME}/.config/artha.conf
-whitelist ${HOME}/.config/enchant
+# whitelisting in ${HOME} makes settings immutable, see #3112
+#mkfile ${HOME}/.config/artha.conf
+#mkdir ${HOME}/.config/enchant
+#whitelist ${HOME}/.config/artha.conf
+#whitelist ${HOME}/.config/artha.log
+#whitelist ${HOME}/.config/enchant
 whitelist /usr/share/artha
 whitelist /usr/share/wordnet
-include whitelist-common.inc
+#include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
@@ -43,6 +49,7 @@ novideo
 protocol unix
 seccomp
 shell none
+tracelog
 
 disable-mnt
 private-bin artha,enchant,notify-send
diff --git a/etc/baobab.profile b/etc/baobab.profile
index 79d4b23f9..e8287b448 100644
--- a/etc/baobab.profile
+++ b/etc/baobab.profile
@@ -16,7 +16,7 @@ include disable-passwdmgr.inc
 caps.drop all
 net none
 no3d
-nodbus
+#nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/barrier.profile b/etc/barrier.profile
new file mode 100644
index 000000000..a35bb1e09
--- /dev/null
+++ b/etc/barrier.profile
@@ -0,0 +1,45 @@
+# Firejail profile for barrier
+# Description: Keyboard and mouse sharing application
+# This file is overwritten after every install/update
+# Persistent local customizations
+include barrier.local
+# Persistent global definitions
+include globals.local 
+
+noblacklist ${HOME}/.config/Debauchee/Barrier.conf
+noblacklist ${HOME}/.local/share/barrier
+noblacklist ${PATH}/openssl
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-dev
+private-cache
+private-tmp
+
+memory-deny-write-execute
diff --git a/etc/celluloid.profile b/etc/celluloid.profile
index 6b7db6b44..ab68c7f13 100644
--- a/etc/celluloid.profile
+++ b/etc/celluloid.profile
@@ -29,7 +29,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
-nodbus
+# nodbus -- uses dconf
 nogroups
 nonewprivs
 noroot
@@ -41,7 +41,7 @@ tracelog
 
 private-bin celluloid,env,gnome-mpv,python*,youtube-dl
 private-cache
-private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hosts,libva.conf,localtime,machine-id,pkcs11,pki,resolv.conf,selinux,ssl,xdg
+private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hosts,ld.so.cache,libva.conf,localtime,machine-id,pkcs11,pki,resolv.conf,selinux,ssl,xdg
 private-dev
 private-tmp
 
diff --git a/etc/claws-mail.profile b/etc/claws-mail.profile
index 33c0a3369..f07e2039b 100644
--- a/etc/claws-mail.profile
+++ b/etc/claws-mail.profile
@@ -9,6 +9,9 @@ include globals.local
 noblacklist ${HOME}/.claws-mail
 noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.signature
+# when storing mail outside the default ${HOME}/Mail path, 'noblacklist' the custom path in your claws-mail.local
+# and 'blacklist' it in your disable-common.local too so it is  kept hidden from other applications
+noblacklist ${HOME}/Mail
 
 include disable-common.inc
 include disable-devel.inc
@@ -16,7 +19,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
-whitelist /usr/share/doc
+whitelist /usr/share/doc/claws-mail
 whitelist /usr/share/gnupg
 whitelist /usr/share/gnupg2
 include whitelist-usr-share-common.inc
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index 16f231108..f50e10a00 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -230,6 +230,7 @@ read-only ${HOME}/.bash_login
 read-only ${HOME}/.bash_logout
 read-only ${HOME}/.bash_profile
 read-only ${HOME}/.bashrc
+read-only ${HOME}/.config/environment.d
 read-only ${HOME}/.config/fish
 read-only ${HOME}/.csh_files
 read-only ${HOME}/.cshrc
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index b1605e757..1c97ed8d6 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -71,6 +71,7 @@ blacklist ${HOME}/.config/Code
 blacklist ${HOME}/.config/Code - OSS
 blacklist ${HOME}/.config/Code Industry
 blacklist ${HOME}/.config/Cryptocat
+blacklist ${HOME}/.config/Debauchee/Barrier.conf
 blacklist ${HOME}/.config/Enox
 blacklist ${HOME}/.config/Franz
 blacklist ${HOME}/.config/FreeCAD
@@ -119,6 +120,7 @@ blacklist ${HOME}/.config/ardour4
 blacklist ${HOME}/.config/ardour5
 blacklist ${HOME}/.config/arkrc
 blacklist ${HOME}/.config/artha.conf
+blacklist ${HOME}/.config/artha.log
 blacklist ${HOME}/.config/asunder
 blacklist ${HOME}/.config/atril
 blacklist ${HOME}/.config/audacious
@@ -487,6 +489,7 @@ blacklist ${HOME}/.local/share/apps/korganizer
 blacklist ${HOME}/.local/share/aspyr-media
 blacklist ${HOME}/.local/share/autokey
 blacklist ${HOME}/.local/share/baloo
+blacklist ${HOME}/.local/share/barrier
 blacklist ${HOME}/.local/share/bibletime
 blacklist ${HOME}/.local/share/caja-python
 blacklist ${HOME}/.local/share/cantata
diff --git a/etc/evince.profile b/etc/evince.profile
index 0ace1dc3e..570d7d63d 100644
--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -46,7 +46,7 @@ tracelog
 private-bin evince,evince-previewer,evince-thumbnailer
 private-cache
 private-dev
-private-etc alternatives,fonts,group,machine-id,passwd
+private-etc alternatives,fonts,group,ld.so.cache,machine-id,passwd
 # private-lib might break two-page-view on some systems
-private-lib evince,gconv,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libdjvulibre.so.*,libgconf-2.so.*,libgraphite2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,libspectre.so.*
+private-lib evince,gcc/*/*/libgcc_s.so.*,gcc/*/*/libstdc++.so.*,gconv,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libdjvulibre.so.*,libgconf-2.so.*,libgraphite2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,libspectre.so.*
 private-tmp
diff --git a/etc/exiftool.profile b/etc/exiftool.profile
index e455d32c7..e9c7d290a 100644
--- a/etc/exiftool.profile
+++ b/etc/exiftool.profile
@@ -17,6 +17,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 
 whitelist /usr/share/perl5
+whitelist /usr/share/perl-image-exiftool
 include whitelist-usr-share-common.inc
 
 apparmor
diff --git a/etc/gedit.profile b/etc/gedit.profile
index 837396654..7dd6f270e 100644
--- a/etc/gedit.profile
+++ b/etc/gedit.profile
@@ -42,6 +42,6 @@ tracelog
 
 # private-bin gedit
 private-dev
-private-lib aspell,gconv,gedit,libgspell-1.so.*,libreadline.so.*,libtinfo.so.*
+private-lib aspell,gconv,gedit,libgspell-1.so.*,libgtksourceview-*,libpeas-gtk-1.0.so.*,libreadline.so.*,libtinfo.so.*
 private-tmp
 
diff --git a/etc/gnome-builder.profile b/etc/gnome-builder.profile
index 726a74089..eaf48931d 100644
--- a/etc/gnome-builder.profile
+++ b/etc/gnome-builder.profile
@@ -31,5 +31,4 @@ protocol unix,inet,inet6
 seccomp
 shell none
 
-private-cache
 private-dev
diff --git a/etc/gnome-maps.profile b/etc/gnome-maps.profile
index a625db948..78f5ddc3a 100644
--- a/etc/gnome-maps.profile
+++ b/etc/gnome-maps.profile
@@ -28,6 +28,7 @@ whitelist ${HOME}/.local/share/maps-places.json
 whitelist ${DOWNLOADS}
 whitelist ${PICTURES}
 whitelist /usr/share/gnome-maps
+whitelist /usr/share/libgweather
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -55,4 +56,3 @@ private-bin gjs,gnome-maps
 private-dev
 private-etc alternatives,ca-certificates,clutter-1.0,crypto-policies,dconf,drirc,fonts,gconf,gcrypt,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,nsswitch.conf,pango,pkcs11,pki,protocols,resolv.conf,rpc,services,ssl,X11,xdg
 private-tmp
-
diff --git a/etc/hexchat.profile b/etc/hexchat.profile
index d032c93e6..7723cbd6b 100644
--- a/etc/hexchat.profile
+++ b/etc/hexchat.profile
@@ -19,6 +19,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 
 mkdir ${HOME}/.config/hexchat
 whitelist ${HOME}/.config/hexchat
@@ -26,14 +27,13 @@ include whitelist-common.inc
 include whitelist-var-common.inc
 
 caps.drop all
-machine-id
+#machine-id -- breaks sound
 netfilter
 no3d
 nodvd
 nogroups
 nonewprivs
 noroot
-nosound
 notv
 nou2f
 novideo
diff --git a/etc/mpv.profile b/etc/mpv.profile
index 6e587fc6a..56cd66199 100644
--- a/etc/mpv.profile
+++ b/etc/mpv.profile
@@ -27,6 +27,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+whitelist /usr/share/vulkan
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/mupdf.profile b/etc/mupdf.profile
index 673c9fd0b..99945bdc9 100644
--- a/etc/mupdf.profile
+++ b/etc/mupdf.profile
@@ -32,14 +32,13 @@ nou2f
 novideo
 protocol unix
 seccomp
-# seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,mremap,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev
 shell none
 tracelog
 
 # private-bin mupdf,rm,sh,tempfile
 private-dev
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload
 private-tmp
 
-memory-deny-write-execute
+# memory-deny-write-execute
 read-only ${HOME}
diff --git a/etc/neverputt.profile b/etc/neverputt.profile
index 93fb14e07..d370d1218 100644
--- a/etc/neverputt.profile
+++ b/etc/neverputt.profile
@@ -5,5 +5,7 @@ include neverputt.local
 # added by included profile
 #include globals.local
 
+private-bin neverputt
+
 # Redirect
 include neverball.profile
diff --git a/etc/openshot.profile b/etc/openshot.profile
index 0222243ed..116cb56e4 100644
--- a/etc/openshot.profile
+++ b/etc/openshot.profile
@@ -24,7 +24,7 @@ include whitelist-var-common.inc
 
 apparmor
 caps.drop all
-netfilter
+net none
 nodbus
 nodvd
 nogroups
@@ -32,9 +32,10 @@ nonewprivs
 noroot
 notv
 nou2f
-protocol unix,inet,inet6,netlink
+protocol unix,netlink
 seccomp
 shell none
+tracelog
 
 private-dev
 private-tmp
diff --git a/etc/pavucontrol.profile b/etc/pavucontrol.profile
index 5bbe1386f..0ae9f08af 100644
--- a/etc/pavucontrol.profile
+++ b/etc/pavucontrol.profile
@@ -16,11 +16,12 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-mkfile ${HOME}/.config/pavucontrol.ini
-whitelist ${HOME}/.config/pavucontrol.ini
+# whitelisting in ${HOME} is broken, see #3112
+#mkfile ${HOME}/.config/pavucontrol.ini
+#whitelist ${HOME}/.config/pavucontrol.ini
 whitelist /usr/share/pavucontrol
 whitelist /usr/share/pavucontrol-qt
-include whitelist-common.inc
+#include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
@@ -39,6 +40,7 @@ novideo
 protocol unix,inet,inet6
 seccomp
 shell none
+tracelog
 
 disable-mnt
 private-bin pavucontrol
@@ -48,4 +50,5 @@ private-etc alternatives,asound.conf,avahi,fonts,machine-id,pulse
 private-lib
 private-tmp
 
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+# mdwe is broken under Wayland, but works under Xorg.
+#memory-deny-write-execute
diff --git a/etc/qutebrowser.profile b/etc/qutebrowser.profile
index 95c189458..fc910b589 100644
--- a/etc/qutebrowser.profile
+++ b/etc/qutebrowser.profile
@@ -36,5 +36,5 @@ noroot
 notv
 protocol unix,inet,inet6,netlink
 # blacklisting of chroot system calls breaks qt webengine
-seccomp !chroot
+seccomp !chroot,!name_to_handle_at
 # tracelog
diff --git a/etc/sylpheed.profile b/etc/sylpheed.profile
index 64de64eb4..8e99fe1d6 100644
--- a/etc/sylpheed.profile
+++ b/etc/sylpheed.profile
@@ -4,29 +4,17 @@
 # Persistent local customizations
 include sylpheed.local
 # Persistent global definitions
-include globals.local
+# added by included profile
+#include globals.local
 
 noblacklist ${HOME}/.sylpheed-2.0
+# when storing mail outside the default ${HOME}/Mail path, 'noblacklist' the custom path in your sylpheed.local
+# and 'blacklist' it in your disable-common.local too so it is  kept hidden from other applications
 
-include disable-common.inc
-include disable-devel.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
+blacklist ${HOME}/.claws-mail
 
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
+nowhitelist /usr/share/doc/claws-mail
+whitelist /usr/share/sylpheed
 
-private-dev
-private-tmp
+# Redirect
+include claws-mail.profile
diff --git a/etc/templates/profile.template b/etc/templates/profile.template
index dcf6dd201..7bfc3cf0d 100644
--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -87,6 +87,9 @@ include globals.local
 # Allow lua (blacklisted by disable-interpreters.inc)
 #include allow-lua.inc
 
+# Allow ruby (blacklisted by disable-interpreters.inc)
+#include allow-ruby.inc
+
 # Allows files commonly used by IDEs
 #include allow-common-devel.inc
 
diff --git a/etc/torbrowser-launcher.profile b/etc/torbrowser-launcher.profile
index 1183cd2f7..be03afdb5 100644
--- a/etc/torbrowser-launcher.profile
+++ b/etc/torbrowser-launcher.profile
@@ -48,7 +48,7 @@ shell none
 #tracelog
 
 disable-mnt
-private-bin bash,cat,cp,cut,dirname,env,expr,file,gpg,grep,gxmessage,kdialog,ln,mkdir,mv,python*,rm,sed,sh,tail,tar,tclsh,test,tor-browser,tor-browser-en,torbrowser-launcher,update-desktop-database,xmessage,xz,zenity
+private-bin bash,cat,cp,cut,dirname,env,expr,file,gpg,grep,gxmessage,id,kdialog,ln,mkdir,mv,python*,rm,sed,sh,tail,tar,tclsh,test,tor-browser,tor-browser-en,torbrowser-launcher,update-desktop-database,xmessage,xz,zenity
 private-dev
 private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,ld.so.cache,machine-id,pki,pulse,resolv.conf,ssl
 private-tmp
diff --git a/etc/weechat.profile b/etc/weechat.profile
index a94275c2c..cc340124d 100644
--- a/etc/weechat.profile
+++ b/etc/weechat.profile
@@ -11,6 +11,7 @@ noblacklist ${HOME}/.weechat
 include disable-common.inc
 include disable-programs.inc
 
+whitelist /usr/share/perl5
 include whitelist-usr-share-common.inc
 
 caps.drop all
diff --git a/etc/wget.profile b/etc/wget.profile
index 4bf354652..c1f7dfc3f 100644
--- a/etc/wget.profile
+++ b/etc/wget.profile
@@ -7,18 +7,28 @@ include wget.local
 # Persistent global definitions
 include globals.local
 
+noblacklist ${HOME}/.netrc
 noblacklist ${HOME}/.wget-hsts
 noblacklist ${HOME}/.wgetrc
 
+blacklist /tmp/.X11-unix
+
 include disable-common.inc
+include disable-devel.inc
 include disable-exec.inc
+include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+# depending on workflow you can uncomment the below or put 'include disable-xdg.inc' in your wget.local
+#include disable-xdg.inc
 
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 caps.drop all
+ipc-namespace
+machine-id
+nodbus
 netfilter
 no3d
 nodvd
@@ -32,9 +42,13 @@ novideo
 protocol unix,inet,inet6
 seccomp
 shell none
+tracelog
 
-# private-bin wget
+private-bin wget
+private-cache
 private-dev
-# private-etc alternatives,ca-certificates,crypto-policie,pki,resolv.conf,ssl
-# private-tmp
+# depending on workflow you can uncomment the below or put this private-etc in your wget.local
+#private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl,wgetrc
+#private-tmp
 
+memory-deny-write-execute
diff --git a/etc/whois.profile b/etc/whois.profile
index fed3709e5..bd0870bea 100644
--- a/etc/whois.profile
+++ b/etc/whois.profile
@@ -7,19 +7,23 @@ include whois.local
 # Persistent global definitions
 include globals.local
 
+blacklist /tmp/.X11-unix
+
 include disable-common.inc
-# include disable-devel.inc
+include disable-devel.inc
 include disable-exec.inc
-# include disable-interpreters.inc
+include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
-#include disable-xdg.inc
+include disable-xdg.inc
 
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 caps.drop all
-# ipc-namespace
+hostname whois
+ipc-namespace
+machine-id
 netfilter
 no3d
 nodbus
@@ -34,13 +38,14 @@ novideo
 protocol inet,inet6
 seccomp
 shell none
+tracelog
 
 disable-mnt
 private
 private-bin bash,sh,whois
 private-cache
 private-dev
-# private-etc alternatives,hosts,services,whois.conf
+private-etc alternatives,hosts,jwhois.conf,services,whois.conf
 private-lib
 private-tmp
 
diff --git a/etc/youtube-dl.profile b/etc/youtube-dl.profile
index 74c07d96b..5fa72c9dc 100644
--- a/etc/youtube-dl.profile
+++ b/etc/youtube-dl.profile
@@ -56,7 +56,7 @@ tracelog
 private-bin env,ffmpeg,python*,youtube-dl
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,hostname,hosts,mime.types,pki,resolv.conf,ssl,youtube-dl.conf
+private-etc alternatives,ca-certificates,crypto-policies,hostname,hosts,ld.so.cache,mime.types,pki,resolv.conf,ssl,youtube-dl.conf
 private-tmp
 
 #memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 96a755904..011d6c7e1 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -67,6 +67,7 @@ aweather
 baloo_file
 baloo_filemetadata_temp_extractor
 baobab
+barrier
 basilisk
 beaker
 bibletime
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 47f5ecbdf..32ac07d72 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1772,7 +1772,7 @@ system call groups are defined: @aio, @basic-io, @chown, @clock,
 @file-system, @io-event, @ipc, @keyring, @memlock, @module, @mount,
 @network-io, @obsolete, @privileged, @process, @raw-io, @reboot,
 @resources, @setuid, @swap, @sync, @system-service and @timer.
-More informations about groups can be found in /usr/share/doc/firejail/syscalls.txt
+More information about groups can be found in /usr/share/doc/firejail/syscalls.txt
 
 In addition, a system call can be specified by its number instead of
 name with prefix $, so for example $165 would be equal to mount on i386.
diff --git a/test/fs/whitelist-dev.exp b/test/fs/whitelist-dev.exp
index 1df8c361c..09448e03a 100755
--- a/test/fs/whitelist-dev.exp
+++ b/test/fs/whitelist-dev.exp
@@ -23,17 +23,17 @@ after 100
 send -- "exit\r"
 sleep 1
 
-send -- "firejail --whitelist=/dev/null --whitelist=/dev/shm --whitelist=/dev/random\r"
+send -- "firejail --whitelist=/dev/null --whitelist=/dev/random\r"
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
         "Child process initialized"
 }
 sleep 1
 
-send -- "find /dev | wc -l\r"
+send -- "ls /dev | wc -l\r"
 expect {
         timeout {puts "TESTING ERROR 3\n";exit}
-        "1"
+        "2"
 }
 after 100
 send -- "exit\r"
diff --git a/test/utils/audit.exp b/test/utils/audit.exp
index 49d08d22d..15400da31 100755
--- a/test/utils/audit.exp
+++ b/test/utils/audit.exp
@@ -32,6 +32,10 @@ expect {
         timeout {puts "TESTING ERROR 5\n";exit}
         "dev directory seems to be fully populated"
 }
+expect {
+        timeout {puts "TESTING ERROR 5.1\n";exit}
+        "Parent is shutting down, bye..."
+}
 after 100
 
 
@@ -60,6 +64,10 @@ expect {
         timeout {puts "TESTING ERROR 11\n";exit}
         "dev directory seems to be fully populated"
 }
+expect {
+        timeout {puts "TESTING ERROR 11.1\n";exit}
+        "Parent is shutting down, bye..."
+}
 after 100
 
 send -- "firejail --audit=blablabla\r"
diff --git a/test/utils/shutdown.exp b/test/utils/shutdown.exp
index eb691bbf8..0d5ec5d63 100755
--- a/test/utils/shutdown.exp
+++ b/test/utils/shutdown.exp
@@ -41,7 +41,7 @@ expect {
 }
 after 100
 
-send --  "firejail --shutdown=10\r"
+send --  "firejail --shutdown=1\r"
 expect {
         timeout {puts "TESTING ERROR 5\n";exit}
         "this is not a firejail sandbox"