26 files changed, 454 insertions, 31 deletions

diff --git a/Makefile.in b/Makefile.in
index 65dd430b5..8cbba12e9 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -89,7 +89,7 @@ distclean: clean
         for dir in $$(dirname $(ALL_ITEMS)) $(MYDIRS); do \
                 $(MAKE) -C $$dir distclean; \
         done
-        rm -fr Makefile autom4te.cache config.log config.status config.h src/common.mk
+        rm -fr Makefile autom4te.cache config.log config.status config.h src/common.mk mkdeb.sh
 
 realinstall:
         # firejail executable
@@ -176,7 +176,9 @@ DISTFILES_TEST = "test/apps test/apps-x11 test/apps-x11-xorg test/root test/fcop
 
 dist:
         mv config.status config.status.old
+        mv mkdeb.sh mkdeb.sh.old
         make distclean
+        mv mkdeb.sh.old mkdeb.sh
         mv config.status.old config.status
         rm -fr $(NAME)-$(VERSION) $(NAME)-$(VERSION).tar.xz
         mkdir -p $(NAME)-$(VERSION)/test
@@ -269,7 +271,7 @@ test-travis: test-profiles test-fcopy test-fnetfilter test-fs test-utils test-sy
 
 ##########################################
 # Individual tests, some of them require root access
-# The tests are very intrussive, by the time you are done
+# The tests are very intrusive, by the time you are done
 # with them you will need to restart your computer.
 ##########################################
 
@@ -294,7 +296,7 @@ test-network:
 test-stress:
         cd test/stress; ./stress.sh | grep TESTING
 
-# Tesets running a root user
+# Tests running a root user
 test-root:
         cd test/root; su -c ./root.sh | grep TESTING
 
diff --git a/README.md b/README.md
index 5c07954e9..c370368d7 100644
--- a/README.md
+++ b/README.md
@@ -196,4 +196,4 @@ gnome-screenshot, ripperX, sound-juicer, iagno, com.github.dahenson.agenda, gnom
 penguin-command, x2goclient, frogatto, gnome-mines, gnome-nibbles, lightsoff, ts3client_runscript.sh, warmux, ferdi, abiword,
 four-in-a-row, gnome-mahjongg, gnome-robots, gnome-sudoku, gnome-taquin, gnome-tetravex, blobwars, gravity-beams-and-evaporating-stars,
 hyperrogue, jumpnbump-menu, jumpnbump, magicor, mindless, mirrormagic, mrrescue, scorched3d-wrapper, scorchwentbonkers,
-seahorse-adventures, wordwarvi, xbill, gnome-klotski, five-or-more, swell-foop, fdns, jitsi-meet-desktop, nicontine, steam-runtime, apostrophe, quadrapassel, dino-im, strawberry, hitori, bijiben, gnote, gnubik, ZeGrapher, gapplication, xonotic-sdl-wrapper, openarena_ded
+seahorse-adventures, wordwarvi, xbill, gnome-klotski, five-or-more, swell-foop, fdns, jitsi-meet-desktop, nicontine, steam-runtime, apostrophe, quadrapassel, dino-im, strawberry, hitori, bijiben, gnote, gnubik, ZeGrapher, gapplication, xonotic-sdl-wrapper, openarena_ded, cawbird, freetube, homebank, mattermost-desktop, newsflash, com.gitlab.newsflash, element-desktop
diff --git a/RELNOTES b/RELNOTES
index eff6de2ad..d0cf88d4d 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -37,7 +37,8 @@ firejail (0.9.63) baseline; urgency=low
   * new profiles: swell-foop, fdns, five-or-more, steam-runtime, jitsi-meet-desktop
   * new profiles: nicotine, plv, mocp, apostrophe, quadrapassel, dino-im, strawberry
   * new profiles: hitori, bijiben, gnote, gnubik, ZeGrapher, xonotic-sdl-wrapper
-  * new profiles: gapplication, openarena_ded, element-desktop
+  * new profiles: gapplication, openarena_ded, element-desktop, cawbird, freetube
+  * new profiles: homebank, mattermost-desktop, newsflash, com.gitlab.newsflash
  -- netblue30 <netblue30@yahoo.com>  Tue, 21 Apr 2020 08:00:00 -0500
 
 firejail (0.9.62) baseline; urgency=low
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 865eefb18..433699918 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -87,6 +87,7 @@ blacklist ${HOME}/.config/Enox
 blacklist ${HOME}/.config/Ferdi
 blacklist ${HOME}/.config/Franz
 blacklist ${HOME}/.config/FreeCAD
+blacklist ${HOME}/.config/FreeTube
 blacklist ${HOME}/.config/Fritzing
 blacklist ${HOME}/.config/GIMP
 blacklist ${HOME}/.config/GitHub Desktop
@@ -100,6 +101,7 @@ blacklist ${HOME}/.config/Jitsi Meet
 blacklist ${HOME}/.config/Kid3
 blacklist ${HOME}/.config/Kingsoft
 blacklist ${HOME}/.config/Luminance
+blacklist ${HOME}/.config/Mattermost
 blacklist ${HOME}/.config/Meltytech
 blacklist ${HOME}/.config/Mendeley Ltd.
 blacklist ${HOME}/.config/Min
@@ -162,6 +164,7 @@ blacklist ${HOME}/.config/caja
 blacklist ${HOME}/.config/calibre
 blacklist ${HOME}/.config/cantata
 blacklist ${HOME}/.config/catfish
+blacklist ${HOME}/.config/cawbird
 blacklist ${HOME}/.config/celluloid
 blacklist ${HOME}/.config/cherrytree
 blacklist ${HOME}/.config/chrome-beta-flags.conf
@@ -236,6 +239,7 @@ blacklist ${HOME}/.config/gthumb
 blacklist ${HOME}/.config/gummi
 blacklist ${HOME}/.config/gwenviewrc
 blacklist ${HOME}/.config/hexchat
+blacklist ${HOME}/.config/homebank
 blacklist ${HOME}/.config/i2p
 blacklist ${HOME}/.config/inkscape
 blacklist ${HOME}/.config/inox
@@ -297,6 +301,7 @@ blacklist ${HOME}/.config/nautilus
 blacklist ${HOME}/.config/nemo
 blacklist ${HOME}/.config/netsurf
 blacklist ${HOME}/.config/newsbeuter
+blacklist ${HOME}/.config/newsflash
 blacklist ${HOME}/.config/nheko
 blacklist ${HOME}/.config/NitroShare
 blacklist ${HOME}/.config/nomacs
@@ -633,6 +638,7 @@ blacklist ${HOME}/.local/share/nautilus
 blacklist ${HOME}/.local/share/nautilus-python
 blacklist ${HOME}/.local/share/nemo
 blacklist ${HOME}/.local/share/nemo-python
+blacklist ${HOME}/.local/share/news-flash
 blacklist ${HOME}/.local/share/nomacs
 blacklist ${HOME}/.local/share/notes
 blacklist ${HOME}/.local/share/ocenaudio
@@ -681,6 +687,7 @@ blacklist ${HOME}/.mcabber
 blacklist ${HOME}/.mcabberrc
 blacklist ${HOME}/.mediathek3
 blacklist ${HOME}/.megaglest
+blacklist ${HOME}/.minecraft
 blacklist ${HOME}/.minetest
 blacklist ${HOME}/.mirrormagic
 blacklist ${HOME}/.moc
@@ -805,6 +812,7 @@ blacklist ${HOME}/.cache/Ferdi
 blacklist ${HOME}/.cache/Franz
 blacklist ${HOME}/.cache/INRIA
 blacklist ${HOME}/.cache/MusicBrainz
+blacklist ${HOME}/.cache/NewsFlashGTK
 blacklist ${HOME}/.cache/QuiteRss
 blacklist ${HOME}/.cache/Shortwave
 blacklist ${HOME}/.cache/Tox
diff --git a/etc/net/nolocal.net b/etc/net/nolocal.net
index 8955f740d..0eb9f9784 100644
--- a/etc/net/nolocal.net
+++ b/etc/net/nolocal.net
@@ -32,5 +32,5 @@
 -A OUTPUT -d 172.16.0.0/12 -j DROP
 
 # drop multicast traffic
--A OUTPUT -d 244.0.0.0/4 -j DROP
+-A OUTPUT -d 224.0.0.0/4 -j DROP
 COMMIT
diff --git a/etc/profile-a-l/cawbird.profile b/etc/profile-a-l/cawbird.profile
new file mode 100644
index 000000000..3d29c3817
--- /dev/null
+++ b/etc/profile-a-l/cawbird.profile
@@ -0,0 +1,46 @@
+# Firejail profile for cawbird
+# Description: Open-source Twitter client for Linux
+# This file is overwritten after every install/update
+# Persistent local customizations
+include cawbird.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/cawbird
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin cawbird
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,pki,resolv.conf,ssl,X11,xdg
+private-tmp
+
+# dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/com.gitlab.newsflash.profile b/etc/profile-a-l/com.gitlab.newsflash.profile
new file mode 100644
index 000000000..0628d3d01
--- /dev/null
+++ b/etc/profile-a-l/com.gitlab.newsflash.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for newsflash
+# This file is overwritten after every install/update
+
+# Redirect
+include newsflash.profile
diff --git a/etc/profile-a-l/discord-common.profile b/etc/profile-a-l/discord-common.profile
index cbeef798f..35bea4aaa 100644
--- a/etc/profile-a-l/discord-common.profile
+++ b/etc/profile-a-l/discord-common.profile
@@ -32,7 +32,7 @@ novideo
 protocol unix,inet,inet6,netlink
 seccomp !chroot
 
-private-bin bash,cut,echo,egrep,grep,head,sed,sh,tclsh,tr,xdg-mime,xdg-open,zsh
+private-bin bash,cut,echo,egrep,fish,grep,head,sed,sh,tclsh,tr,xdg-mime,xdg-open,zsh
 private-dev
 private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,login.defs,machine-id,password,pki,resolv.conf,ssl
 private-tmp
diff --git a/etc/profile-a-l/freetube.profile b/etc/profile-a-l/freetube.profile
new file mode 100644
index 000000000..91f0caf87
--- /dev/null
+++ b/etc/profile-a-l/freetube.profile
@@ -0,0 +1,31 @@
+# Firejail profile for freetube
+# Description: Youtube client with local subscription feature
+# This file is overwritten after every install/update
+# Persistent local customizations
+include freetube.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/FreeTube
+
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-shell.inc 
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/FreeTube
+whitelist ${HOME}/.config/FreeTube
+
+seccomp !chroot
+shell none
+
+disable-mnt
+private-bin freetube
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg
+private-tmp
+
+# Redirect
+include electron.profile
diff --git a/etc/profile-a-l/github-desktop.profile b/etc/profile-a-l/github-desktop.profile
index b25b138ad..152396553 100644
--- a/etc/profile-a-l/github-desktop.profile
+++ b/etc/profile-a-l/github-desktop.profile
@@ -30,7 +30,7 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6,netlink
-seccomp
+seccomp !chroot
 
 # Note: On debian-based distributions the binary might be located in
 # /opt/GitHub Desktop/github-desktop, and therefore not be in PATH.
diff --git a/etc/profile-a-l/gnome-calculator.profile b/etc/profile-a-l/gnome-calculator.profile
index bc6626598..ceb01f2a0 100644
--- a/etc/profile-a-l/gnome-calculator.profile
+++ b/etc/profile-a-l/gnome-calculator.profile
@@ -25,7 +25,7 @@ apparmor
 caps.drop all
 ipc-namespace
 machine-id
-# net none
+#net none -- breaks currency conversion
 netfilter
 no3d
 nodvd
@@ -39,6 +39,7 @@ novideo
 protocol unix,inet,inet6
 seccomp
 shell none
+tracelog
 
 disable-mnt
 private-bin gnome-calculator
@@ -47,8 +48,7 @@ private-dev
 #private-lib gdk-pixbuf-2.*,gio,girepository-1.*,gvfs,libgconf-2.so.*,libgnutls.so.*,libproxy.so.*,librsvg-2.so.*,libxml2.so.*
 private-tmp
 
-# makes settings immutable
-# dbus-user none
-# dbus-system none
-
-# memory-deny-write-execute
+dbus-user filter
+dbus-user.own org.gnome.Calculator
+dbus-user.talk ca.desrt.dconf
+dbus-system none
diff --git a/etc/profile-a-l/gnome-pomodoro.profile b/etc/profile-a-l/gnome-pomodoro.profile
index 2a5d2a231..a46e47759 100644
--- a/etc/profile-a-l/gnome-pomodoro.profile
+++ b/etc/profile-a-l/gnome-pomodoro.profile
@@ -50,7 +50,9 @@ private-tmp
 dbus-user filter
 dbus-user.own org.gnome.Pomodoro
 dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.gnome.Mutter.IdleMonitor
 dbus-user.talk org.gnome.Shell
+dbus-user.talk org.freedesktop.Notifications
 dbus-system none
 
 read-only ${HOME}
diff --git a/etc/profile-a-l/homebank.profile b/etc/profile-a-l/homebank.profile
new file mode 100644
index 000000000..8e600a2d7
--- /dev/null
+++ b/etc/profile-a-l/homebank.profile
@@ -0,0 +1,59 @@
+# Firejail profile for homebank
+# Description: Personal finance manager
+# This file is overwritten after every install/update
+# Persistent local customizations
+include homebank.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/homebank
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc 
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-passwdmgr.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/homebank
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.config/homebank
+whitelist /usr/share/homebank
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+# net none
+netfilter
+nodvd
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin homebank
+private-cache
+private-dev
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11
+private-tmp
+
+dbus-user none
+dbus-system none
+
+# memory-deny-write-execute
diff --git a/etc/profile-m-z/mattermost-desktop.profile b/etc/profile-m-z/mattermost-desktop.profile
new file mode 100644
index 000000000..e4487c8aa
--- /dev/null
+++ b/etc/profile-m-z/mattermost-desktop.profile
@@ -0,0 +1,46 @@
+# Firejail profile for mattermost-desktop
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mattermost-desktop.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/Mattermost
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-passwdmgr.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/Mattermost
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.config/Mattermost
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.keep sys_admin,sys_chroot
+netfilter
+nodvd
+nogroups
+notv
+nou2f
+novideo
+shell none
+
+disable-mnt
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl
+private-tmp
+
+# Not tested
+#dbus-user filter
+#dbus-user.own com.mattermost.Desktop
+#dbus-user.talk org.freedesktop.Notifications
+#dbus-system none
diff --git a/etc/profile-m-z/meld.profile b/etc/profile-m-z/meld.profile
index 84db8b785..385700648 100644
--- a/etc/profile-m-z/meld.profile
+++ b/etc/profile-m-z/meld.profile
@@ -70,6 +70,7 @@ private-cache
 private-dev
 # Uncomment the next line (or put it into your meld.local) if you don't need to compare in /etc.
 #private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,pki,resolv.conf,ssl,subversion
+# Comment the next line (or add 'ignore private-tmp to your meld.local') if you want to use it as a difftool (#3551)
 private-tmp
 
 read-only ${HOME}/.ssh
diff --git a/etc/profile-m-z/minecraft-launcher.profile b/etc/profile-m-z/minecraft-launcher.profile
new file mode 100644
index 000000000..8c7d18c58
--- /dev/null
+++ b/etc/profile-m-z/minecraft-launcher.profile
@@ -0,0 +1,58 @@
+# Firejail profile for minecraft-launcher
+# Description: Official Minecraft launcher from Mojang
+# This file is overwritten after every install/update
+# Persistent local customizations
+include minecraft-launcher.local
+# Persistent global definitions
+include globals.local
+
+# On some distros executable may be in '/opt/minecraft-launcher/', if so, run 'firejail /opt/minecraft-launcher/minecraft-launcher' to start it.
+
+ignore noexec ${HOME}
+
+noblacklist ${HOME}/.minecraft
+
+include allow-java.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.minecraft
+whitelist ${HOME}/.minecraft
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin java,java-config,minecraft-launcher
+private-cache
+private-dev
+# If multiplayer or realms break add your own java folder from /etc or comment the line below.
+private-etc alternatives,asound.conf,ati,ca-certificates,crypto-policies,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,java-10-openjdk,java-11-openjdk,java-12-openjdk,java-13-openjdk,java-14-openjdk,java-7-openjdk,java-8-openjdk,java-9-openjdk,java-openjdk,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,login.defs,machine-id,mime.types,nvidia,passwd,pki,pulse,resolv.conf,selinux,services,ssl,timezone,X11,xdg
+private-opt minecraft-launcher
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/mpv.profile b/etc/profile-m-z/mpv.profile
index b0e493c5f..2fc027257 100644
--- a/etc/profile-m-z/mpv.profile
+++ b/etc/profile-m-z/mpv.profile
@@ -30,6 +30,8 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
+whitelist /usr/share/lua
+whitelist /usr/share/lua*
 whitelist /usr/share/vulkan
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -37,8 +39,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
-
-# Seems to cause issues with Nvidia drivers sometimes
+# nogroups seems to cause issues with Nvidia drivers sometimes
 nogroups
 nonewprivs
 noroot
@@ -49,7 +50,7 @@ shell none
 tracelog
 
 private-bin env,mpv,python*,youtube-dl
-# Causes slow OSD, see #2838
+# private-cache causes slow OSD, see #2838
 #private-cache
 private-dev
 
diff --git a/etc/profile-m-z/newsflash.profile b/etc/profile-m-z/newsflash.profile
new file mode 100644
index 000000000..d0ac83baf
--- /dev/null
+++ b/etc/profile-m-z/newsflash.profile
@@ -0,0 +1,60 @@
+# Firejail profile for newsflash
+# Description: Modern feed reader
+# This file is overwritten after every install/update
+# Persistent local customizations
+include newsflash.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/NewsFlashGTK
+noblacklist ${HOME}/.config/news-flash
+noblacklist ${HOME}/.local/share/news-flash
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/NewsFlashGTK
+mkdir ${HOME}/.config/news-flash
+mkdir ${HOME}/.local/share/news-flash
+whitelist ${HOME}/.cache/NewsFlashGTK
+whitelist ${HOME}/.config/news-flash
+whitelist ${HOME}/.local/share/news-flash
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin com.gitlab.newsflash,newsflash
+private-cache
+private-dev
+private-etc ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,nsswitch.conf,pango,pki,resolv.conf,ssl,X11
+private-tmp
+
+dbus-user none
+#dbus-user.own com.gitlab.newsflash
+#dbus-user.talk org.freedesktop.Notifications
+dbus-system none
diff --git a/etc/profile-m-z/signal-desktop.profile b/etc/profile-m-z/signal-desktop.profile
index 5d9225705..b51a86e7d 100644
--- a/etc/profile-m-z/signal-desktop.profile
+++ b/etc/profile-m-z/signal-desktop.profile
@@ -34,10 +34,12 @@ nodvd
 nogroups
 notv
 nou2f
+novideo
 shell none
 
 disable-mnt
 private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/teams.profile b/etc/profile-m-z/teams.profile
index 326b97e4b..bd7faa80a 100644
--- a/etc/profile-m-z/teams.profile
+++ b/etc/profile-m-z/teams.profile
@@ -1,14 +1,14 @@
 # Firejail profile for teams
 # Description: Official Microsoft Teams client for Linux using Electron.
 # This file is overwritten after every install/update
-# Known issues:
-#  * if Teams crashes on startup try using "ignore apparmor" in your local config
 # Persistent local customizations
 include teams.local
 # Persistent global definitions
 # added by included profile
 #include globals.local
 
+# see #3404
+ignore apparmor
 ignore dbus-user none
 ignore dbus-system none
 
diff --git a/etc/profile-m-z/telegram.profile b/etc/profile-m-z/telegram.profile
index e3af5600a..8e0741458 100644
--- a/etc/profile-m-z/telegram.profile
+++ b/etc/profile-m-z/telegram.profile
@@ -25,5 +25,5 @@ seccomp
 
 disable-mnt
 private-cache
+private-etc ca-certificates,crypto-policies,fonts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl
 private-tmp
-
diff --git a/etc/profile-m-z/virtualbox.profile b/etc/profile-m-z/virtualbox.profile
index c0dbc9116..12bef5d1f 100644
--- a/etc/profile-m-z/virtualbox.profile
+++ b/etc/profile-m-z/virtualbox.profile
@@ -14,9 +14,12 @@ noblacklist /usr/lib/virtualbox
 noblacklist /usr/lib64/virtualbox
 
 include disable-common.inc
+include disable-devel.inc
 include disable-exec.inc
+include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 
 mkdir ${HOME}/.config/VirtualBox
 mkdir ${HOME}/VirtualBox VMs
@@ -24,9 +27,23 @@ whitelist ${HOME}/.config/VirtualBox
 whitelist ${HOME}/VirtualBox VMs
 whitelist ${DOWNLOADS}
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
-caps.keep net_raw,sys_admin,sys_nice
+# For host-only network sys_admin is needed. See https://github.com/netblue30/firejail/issues/2868#issuecomment-518647630
+
+caps.keep net_raw,sys_nice
 netfilter
 nodvd
+#nogroups
 notv
+shell none
+tracelog
+
+#disable-mnt
+private-cache
+private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,hostname,hosts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/xfce4-screenshooter.profile b/etc/profile-m-z/xfce4-screenshooter.profile
new file mode 100644
index 000000000..b760b44dd
--- /dev/null
+++ b/etc/profile-m-z/xfce4-screenshooter.profile
@@ -0,0 +1,51 @@
+# Firejail profile for xfce4-screenshooter
+# Description: Xfce screenshot tool
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xfce4-screenshooter.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${PICTURES}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist /usr/share/xfce4
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin xfce4-screenshooter,xfconf-query
+private-dev
+private-etc ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,pki,resolv.conf,ssl
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/zoom.profile b/etc/profile-m-z/zoom.profile
index 6eac10703..b3125ee50 100644
--- a/etc/profile-m-z/zoom.profile
+++ b/etc/profile-m-z/zoom.profile
@@ -10,8 +10,11 @@ noblacklist ${HOME}/.zoom
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
+include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 
 mkdir ${HOME}/.cache/zoom
 mkfile ${HOME}/.config/zoomus.conf
@@ -20,14 +23,25 @@ whitelist ${HOME}/.cache/zoom
 whitelist ${HOME}/.config/zoomus.conf
 whitelist ${HOME}/.zoom
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 netfilter
 nodvd
+nogroups
 nonewprivs
 noroot
 notv
+nou2f
 protocol unix,inet,inet6,netlink
 seccomp !chroot
+shell none
+tracelog
 
+disable-mnt
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl
 private-tmp
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 4cfbb5480..e9ecab925 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -111,6 +111,7 @@ calligrawords
 cameramonitor
 cantata
 catfish
+cawbird
 celluloid
 checkbashisms
 cheese
@@ -136,6 +137,7 @@ code
 code-oss
 com.github.dahenson.agenda
 com.github.johnfactotum.Foliate
+com.gitlab.newsflash
 conkeror
 conky
 conplay
@@ -238,6 +240,7 @@ freemind
 freeoffice-planmaker
 freeoffice-presentations
 freeoffice-textmaker
+freetube
 freshclam
 frogatto
 frozen-bubble
@@ -333,6 +336,7 @@ hedgewars
 hexchat
 highlight
 hitori
+homebank
 host
 hugin
 hyperrogue
@@ -436,6 +440,7 @@ mate-calculator
 mate-color-select
 mate-dictionary
 mathematica
+mattermost-desktop
 mcabber
 mediainfo
 mediathekview
@@ -448,6 +453,7 @@ meteo-qt
 midori
 min
 mindless
+minecraft-launcher
 minetest
 mirrormagic
 mocp
@@ -502,6 +508,7 @@ neverball
 neverputt
 newsbeuter
 newsboat
+newsflash
 nheko
 nicotine
 nitroshare
@@ -536,7 +543,7 @@ orage
 ostrichriders
 out123
 palemoon
-pandoc
+#pandoc
 parole
 patch
 pavucontrol
@@ -778,6 +785,7 @@ xfburn
 xfce4-dict
 xfce4-mixer
 xfce4-notes
+xfce4-screenshooter
 xiphos
 xlinks
 xmms
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 6bfc80903..3aa0584d6 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -957,16 +957,27 @@ int remove_overlay_directory(void) {
         return 0;
 }
 
+// flush stdin if it is connected to a tty and has input
 void flush_stdin(void) {
-        if (isatty(STDIN_FILENO)) {
-                int cnt = 0;
-                int rv = ioctl(STDIN_FILENO, FIONREAD, &cnt);
-                if (rv == 0 && cnt) {
-                        fwarning("removing %d bytes from stdin\n", cnt);
-                        rv = ioctl(STDIN_FILENO, TCFLSH, TCIFLUSH);
-                        (void) rv;
-                }
-        }
+        if (!isatty(STDIN_FILENO))
+                return;
+
+        int cnt = 0;
+        int rv = ioctl(STDIN_FILENO, FIONREAD, &cnt);
+        if (rv != 0 || cnt == 0)
+                return;
+
+        fwarning("removing %d bytes from stdin\n", cnt);
+
+        // If this process is backgrounded, below ioctl() will trigger
+        // SIGTTOU and stop us. We avoid this by ignoring SIGTTOU for
+        // the duration of the ioctl.
+        sighandler_t hdlr = signal(SIGTTOU, SIG_IGN);
+        rv = ioctl(STDIN_FILENO, TCFLSH, TCIFLUSH);
+        signal(SIGTTOU, hdlr);
+
+        if (rv)
+                fwarning("Flushing stdin failed: %s\n", strerror(errno));
 }
 
 // return 1 if new directory was created, else return 0