207 files changed, 2094 insertions, 589 deletions
diff --git a/.gitignore b/.gitignore
index 7f5913727..cad656506 100644
--- a/.gitignore
+++ b/.gitignore
@@ -6,6 +6,7 @@
 *.rpm
 *.gcda
 *.gcno
+.directory
 Makefile
 autom4te.cache/
 config.log
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 737003874..07a9eef04 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -33,3 +33,7 @@ Pull requests with enhancements, bugfixes or new profiles are very welcome.
 If you want to write a new profile, the easiest way to do this is to use the
 [profile template](https://github.com/netblue30/firejail/blob/master/etc/templates/profile.template).
 If you have already written a profile, please make sure it follows the rules described in the template.
+# Editing the wiki
+You are highly encouraged to add your own tips and tricks to the [wiki](https://github.com/netblue30/firejail/wiki).
diff --git a/Makefile.in b/Makefile.in
index c6bacff31..44137c0bc 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -116,6 +116,7 @@ ifeq ($(HAVE_CONTRIB_INSTALL),yes)
        install -c -m 0755 contrib/fjresize.py $(DESTDIR)/$(libdir)/firejail/.
        install -c -m 0755 contrib/fj-mkdeb.py $(DESTDIR)/$(libdir)/firejail/.
        install -c -m 0755 contrib/sort.py $(DESTDIR)/$(libdir)/firejail/.
+        install -c -m 0755 contrib/syscalls.sh $(DESTDIR)/$(libdir)/firejail/.
 endif
        # documents
        install -m 0755 -d $(DESTDIR)/$(DOCDIR)
@@ -192,6 +193,7 @@ uninstall:
        rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firejail
        rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firemon
        rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firecfg
+        @echo "If you want to install a different version of firejail, you might also need to run 'rm -fr $(DESTDIR)/$(sysconfdir)/firejail', see #2038."
 DISTFILES = "src etc platform contrib configure configure.ac dummy.c Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh mkdeb-apparmor.sh COPYING README RELNOTES"
 DISTFILES_TEST = "test/apps test/apps-x11 test/apps-x11-xorg test/root test/fcopy test/environment test/profiles test/utils test/compile test/filters test/network test/arguments test/fs test/sysutils test/chroot"
diff --git a/README b/README
index ca6119c81..d34bebb2a 100644
--- a/README
+++ b/README
@@ -99,6 +99,8 @@ announ (https://github.com/announ)
 Antonio Russo (https://github.com/aerusso)
        - enumerate root directories in apparmor profile
        - fix join-or-start
+aoand (https://github.com/aoand)
+        - seccomp fix: allow numeric syscalls
 Austin Morton (https://github.com/apmorton)
        - deterministic-exit-code option
        - private-cwd options
@@ -165,6 +167,9 @@ Christian Stadelmann (https://github.com/genodeftest)
        - evolution profile fix
 Clayton Williams (https://github.com/gosre)
        - addition of RLIMIT_AS
+corecontingency (https://https://github.com/corecontingency)
+        - tighten private-bin and etc for torbrowser-launcher.profile
+        - added i2prouter profile
 crass (https://github.com/crass)
        - extract_command_name fixes
        - update appimage size calculation to newest code from libappimage
@@ -232,6 +237,8 @@ floxo (https://github.com/floxo)
        - fixed qml disk cache issue
 Franco (nextime) Lanza (https://github.com/nextime)
        - added --private-template/--private-home
+František Polášek (https://github.com/fandaa)
+        - fix QOwnNotes profile
 fuelflo (https://github.com/fuelflo)
    - added rambox profile
 Fred-Barclay (https://github.com/Fred-Barclay)
@@ -314,6 +321,8 @@ glitsj16 (https://github.com/glitsj16)
        - new profiles: lzip, artha, nitroshare, nitroshare-cli, nitroshare-nmh
        - new profiles: nirtoshare-send, nitroshare-ui, mencoder, gnome-pie
        - new profiles: masterpdfeditor
+gm10 (https://github.com/gm10)
+        - get_user() do not use the unreliable getlogin()
 graywolf (https://github.com/graywolf)
        - spelling fix
 greigdp (https://github.com/greigdp)
@@ -365,11 +374,14 @@ Jean Lucas (https://github.com/flacks)
        - add AnyDesk profile
        - add WebStorm profile
        - add XMind profile
+        - add Whalebird profile
+        - add zulip profile
        - add nvm to list of disabled interpreters
        - fixes for tor-browser-* profiles
        - alias for riot-desktop
        - add gnome-mpv profile
        - fix wire profile
+        - fix itch profile
        - add Beaker profile
        - fixes for gnome-music
        - allow reading of system-wide Flatpak locale in gajim profile
@@ -497,6 +509,8 @@ Lorenzo "Palinuro" Faletra (https://github.com/PalinuroSec)
        - fixes to keepassxc, thunderbird and pluma
 Panzerfather (https://github.com/Panzerfather)
        - allow eog to access user's trash
+Patrick Schleizer (https://github.com/adrelanos)
+        - fix tb-starter-wrapper profile
 Patrick Toomey (https://sourceforge.net/u/ptoomey/profile/)
        - user namespace implementation
 Paul Moore <pmoore@redhat.com>
diff --git a/README.md b/README.md
index dbba09b43..b97d73e67 100644
--- a/README.md
+++ b/README.md
@@ -35,6 +35,8 @@ Wiki: https://github.com/netblue30/firejail/wiki
 Travis-CI status: https://travis-ci.org/netblue30/firejail
+GitLab-CI status: https://gitlab.com/Firejail/firejail_ci/pipelines/
 ## Security vulnerabilities
@@ -116,4 +118,4 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe
 ## New profiles:
-gnome-sound-recorder, godot, jerry, keepassxc-cli, keepassxc-proxy, klatexformula, klatexformula_cmdl, links, newsbeuter, OpenArena, pandoc, qgis, rhythmbox-client, tcpdump, teams-for-linux, tshark, xlinks, zeal, mpg123, conplay, mpg123.bin, mpg123-alsa, mpg123-id3dump, mpg123-jack, mpg123-nas, mpg123-openal, mpg123-oss, mpg123-portaudio, mpg123-pulse, mpg123-strip, out123, pavucontrol-qt, gnome-characters, gnome-character-map
+gnome-sound-recorder, godot, jerry, keepassxc-cli, keepassxc-proxy, klatexformula, klatexformula_cmdl, links, newsbeuter, OpenArena, pandoc, qgis, rhythmbox-client, tcpdump, teams-for-linux, tshark, xlinks, zeal, mpg123, conplay, mpg123.bin, mpg123-alsa, mpg123-id3dump, mpg123-jack, mpg123-nas, mpg123-openal, mpg123-oss, mpg123-portaudio, mpg123-pulse, mpg123-strip, out123, pavucontrol-qt, gnome-characters, gnome-character-map, rsync, Whalebird, tor-browser (AUR), Zulip, tb-starter-wrapper, bzcat, kiwix-desktop
diff --git a/RELNOTES b/RELNOTES
index fa8094f5b..5c50195e0 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,8 +1,10 @@
 firejail (0.9.61) baseline; urgency=low
  * work in progress
  * added file-copy-limit in /etc/firejail/firejail.config
-  * profile templates
+  * profile templates (/usr/share/doc/firejail)
  * allow-debuggers support in profiles
+  * several seccomp enhancements
+  * compiler flags autodetection
  * new scripts in conrib: gdb-firejail.sh and sort.py
  * new profiles: qgis, klatexformula, klatexformula_cmdl, links, xlinks
  * new profiles: pandoc, teams-for-linux, OpenArena, gnome-sound-recorder
@@ -11,7 +13,10 @@ firejail (0.9.61) baseline; urgency=low
  * new profiles: conplay, mpg123.bin, mpg123-alsa, mpg123-id3dump, out123
  * new profiles: mpg123-jack, mpg123-nas, mpg123-openal, mpg123-oss
  * new profiles: mpg123-portaudio, mpg123-pulse, mpg123-strip, pavucontrol-qt
-  * new profiles: gnome-characters, gnome-character-map
+  * new profiles: gnome-characters, gnome-character-map, rsync, Whalebird,
+  * new profiles: tor-browser (AUR), Zulip, tb-starter-wrapper, bzcat,
+  * new profiles: kiwix-desktop, bzcat, zstd, pzstd, zstdcat, zstdgrep, zstdless
+  * new profiles: zstdmt, unzstd, i2p
 -- netblue30 <netblue30@yahoo.com>  Sat, 1 Jun 2019 08:00:00 -0500
 firejail (0.9.60) baseline; urgency=low
diff --git a/contrib/fjclip.py b/contrib/fjclip.py
index 30323b1d5..e374479a1 100755
--- a/contrib/fjclip.py
+++ b/contrib/fjclip.py
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
 import sys
 import subprocess
diff --git a/contrib/fjdisplay.py b/contrib/fjdisplay.py
index 7b2db549a..e6c1476f6 100755
--- a/contrib/fjdisplay.py
+++ b/contrib/fjdisplay.py
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
 import re
 import sys
diff --git a/contrib/fjresize.py b/contrib/fjresize.py
index 95b76259d..b29b170ef 100755
--- a/contrib/fjresize.py
+++ b/contrib/fjresize.py
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
 import sys
 import fjdisplay
diff --git a/contrib/sort.py b/contrib/sort.py
index d0fcabac2..97315fba8 100755
--- a/contrib/sort.py
+++ b/contrib/sort.py
@@ -78,6 +78,8 @@ def fix_profile(filename):
                fixed_line = f"{line[:10]}{sort_alphabetical(line[10:])}"
            elif line[:8] == "protocol":
                fixed_line = f"protocol {sort_protocol(line[9:])}"
+            elif line[:8] == "seccomp ":
+                fixed_line = f"{line[:8]}{sort_alphabetical(line[8:])}"
            else:
                fixed_line = line
            if fixed_line != line:
diff --git a/etc/0ad.profile b/etc/0ad.profile
index 88c9c453b..565d42567 100644
--- a/etc/0ad.profile
+++ b/etc/0ad.profile
@@ -24,6 +24,7 @@ whitelist ${HOME}/.cache/0ad
 whitelist ${HOME}/.config/0ad
 whitelist ${HOME}/.local/share/0ad
 include whitelist-common.inc
+include whitelist-var-common.inc
 caps.drop all
 netfilter
diff --git a/etc/7z.profile b/etc/7z.profile
index 15e99e936..284aa37a2 100644
--- a/etc/7z.profile
+++ b/etc/7z.profile
@@ -13,7 +13,9 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+apparmor
 caps.drop all
+hostname 7z
 ipc-namespace
 machine-id
 net none
@@ -33,4 +35,8 @@ shell none
 tracelog
 x11 none
+#private-bin 7z,7z*,p7zip
+private-cache
 private-dev
+memory-deny-write-execute
diff --git a/etc/7za.profile b/etc/7za.profile
index 28e483a8c..14188e1f0 100644
--- a/etc/7za.profile
+++ b/etc/7za.profile
@@ -1,5 +1,6 @@
 # Firejail profile for 7za
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include 7za.local
 # Persistent global definitions
diff --git a/etc/7zr.profile b/etc/7zr.profile
index 1b85badbc..2cb42fa40 100644
--- a/etc/7zr.profile
+++ b/etc/7zr.profile
@@ -1,5 +1,6 @@
 # Firejail profile for 7zr
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include 7zr.local
 # Persistent global definitions
diff --git a/etc/QMediathekView.profile b/etc/QMediathekView.profile
index ece681c35..eb21349a9 100644
--- a/etc/QMediathekView.profile
+++ b/etc/QMediathekView.profile
@@ -39,6 +39,7 @@ nonewprivs
 noroot
 notv
 nou2f
+novideo
 protocol unix,inet,inet6,netlink
 seccomp
 shell none
diff --git a/etc/QOwnNotes.profile b/etc/QOwnNotes.profile
index c774f3a60..af7c10448 100644
--- a/etc/QOwnNotes.profile
+++ b/etc/QOwnNotes.profile
@@ -20,7 +20,7 @@ include disable-programs.inc
 include disable-xdg.inc
 mkdir ${HOME}/Nextcloud/Notes
-mkdir ${HOME}.config/PBE
+mkdir ${HOME}/.config/PBE
 mkdir ${HOME}/.local/share/PBE
 whitelist ${DOCUMENTS}
 whitelist ${HOME}/Nextcloud/Notes
diff --git a/etc/Viber.profile b/etc/Viber.profile
index ecc500769..925e130de 100644
--- a/etc/Viber.profile
+++ b/etc/Viber.profile
@@ -28,12 +28,10 @@ nonewprivs
 noroot
 notv
 protocol unix,inet,inet6
-seccomp
+seccomp !chroot
 shell none
 disable-mnt
 private-bin awk,bash,dig,sh,Viber
 private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hosts,localtime,machine-id,mailcap,nsswitch.conf,pki,proxychains.conf,pulse,resolv.conf,ssl,X11
 private-tmp
-env QTWEBENGINE_DISABLE_SANDBOX=1
diff --git a/etc/Xephyr.profile b/etc/Xephyr.profile
index 5ef75022b..ab5fdf942 100644
--- a/etc/Xephyr.profile
+++ b/etc/Xephyr.profile
@@ -1,6 +1,7 @@
 # Firejail profile for Xephyr
 # This file is overwritten after every install/update
 # Persistent local customizations
+quiet
 include Xephyr.local
 # Persistent global definitions
 include globals.local
diff --git a/etc/Xvfb.profile b/etc/Xvfb.profile
index 3ecda698e..937d02d60 100644
--- a/etc/Xvfb.profile
+++ b/etc/Xvfb.profile
@@ -1,6 +1,7 @@
 # Firejail profile for Xvfb
 # Description: Virtual Framebuffer 'fake' X server
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include Xvfb.local
 # Persistent global definitions
@@ -30,6 +31,7 @@ nonewprivs
 nosound
 notv
 nou2f
+novideo
 protocol unix
 seccomp
 shell none
diff --git a/etc/acat.profile b/etc/acat.profile
index f35adf3dc..522d8db4e 100644
--- a/etc/acat.profile
+++ b/etc/acat.profile
@@ -1,5 +1,6 @@
 # Firejail profile for acat
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include acat.local
 # Persistent global definitions
diff --git a/etc/adiff.profile b/etc/adiff.profile
index f22a27e79..a80886d56 100644
--- a/etc/adiff.profile
+++ b/etc/adiff.profile
@@ -1,5 +1,6 @@
 # Firejail profile for adiff
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include adiff.local
 # Persistent global definitions
diff --git a/etc/akonadi_control.profile b/etc/akonadi_control.profile
index 1c16f940e..ffc613f1e 100644
--- a/etc/akonadi_control.profile
+++ b/etc/akonadi_control.profile
@@ -17,6 +17,7 @@ noblacklist ${HOME}/.local/share/apps/korganizer
 noblacklist ${HOME}/.local/share/contacts
 noblacklist ${HOME}/.local/share/local-mail
 noblacklist ${HOME}/.local/share/notes
+noblacklist /sbin
 noblacklist /tmp/akonadi-*
 noblacklist /usr/sbin
@@ -45,8 +46,8 @@ nosound
 notv
 nou2f
 novideo
-# protocol unix,inet,inet6
+# protocol unix,inet,inet6,netlink
-# seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice
+# seccomp !io_getevents,!io_setup,!io_submit,!ioprio_set
 tracelog
 private-dev
diff --git a/etc/akregator.profile b/etc/akregator.profile
index 466eff22d..34933f283 100644
--- a/etc/akregator.profile
+++ b/etc/akregator.profile
@@ -36,7 +36,7 @@ nou2f
 novideo
 protocol unix,inet,inet6,netlink
 # chroot syscalls are needed for setting up the built-in sandbox
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 shell none
 disable-mnt
diff --git a/etc/allow-common-devel.inc b/etc/allow-common-devel.inc
new file mode 100644
index 000000000..1d794462c
--- /dev/null
+++ b/etc/allow-common-devel.inc
@@ -0,0 +1,17 @@
+# Rust
+noblacklist ${HOME}/.cargo/config
+noblacklist ${HOME}/.cargo/registry
+# Git
+noblacklist ${HOME}/.config/git
+noblacklist ${HOME}/.gitconfig
+noblacklist ${HOME}/.git-credentials
+# Python
+noblacklist ${HOME}/.python-history
+noblacklist ${HOME}/.python_history
+noblacklist ${HOME}/.pythonhist
+# Java
+noblacklist ${HOME}/.gradle
+noblacklist ${HOME}/.java
diff --git a/etc/als.profile b/etc/als.profile
index aa7f29337..5eae228b6 100644
--- a/etc/als.profile
+++ b/etc/als.profile
@@ -1,5 +1,6 @@
 # Firejail profile for als
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include als.local
 # Persistent global definitions
diff --git a/etc/android-studio.profile b/etc/android-studio.profile
index ff7fb6711..2e4e564dd 100644
--- a/etc/android-studio.profile
+++ b/etc/android-studio.profile
@@ -7,17 +7,15 @@ include globals.local
 noblacklist ${HOME}/.AndroidStudio*
 noblacklist ${HOME}/.android
-noblacklist ${HOME}/.config/git
-noblacklist ${HOME}/.gitconfig
-noblacklist ${HOME}/.git-credentials
-noblacklist ${HOME}/.gradle
 noblacklist ${HOME}/.jack-server
 noblacklist ${HOME}/.jack-settings
-noblacklist ${HOME}/.java
 noblacklist ${HOME}/.local/share/JetBrains
 noblacklist ${HOME}/.ssh
 noblacklist ${HOME}/.tooling
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
 include disable-common.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
diff --git a/etc/aosp.profile b/etc/aosp.profile
index 701bf4733..a5b1ba9f1 100644
--- a/etc/aosp.profile
+++ b/etc/aosp.profile
@@ -7,18 +7,16 @@ include globals.local
 noblacklist ${HOME}/.android
 noblacklist ${HOME}/.bash_history
-noblacklist ${HOME}/.config/git
-noblacklist ${HOME}/.gitconfig
-noblacklist ${HOME}/.git-credentials
-noblacklist ${HOME}/.gradle
 noblacklist ${HOME}/.jack-server
 noblacklist ${HOME}/.jack-settings
-noblacklist ${HOME}/.java
 noblacklist ${HOME}/.repo_.gitconfig.json
 noblacklist ${HOME}/.repoconfig
 noblacklist ${HOME}/.ssh
 noblacklist ${HOME}/.tooling
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
 include disable-common.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
diff --git a/etc/apack.profile b/etc/apack.profile
index b09d3d718..9fef911af 100644
--- a/etc/apack.profile
+++ b/etc/apack.profile
@@ -1,5 +1,6 @@
 # Firejail profile for apack
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include apack.local
 # Persistent global definitions
diff --git a/etc/arepack.profile b/etc/arepack.profile
index d23fc21db..012f2f049 100644
--- a/etc/arepack.profile
+++ b/etc/arepack.profile
@@ -1,5 +1,6 @@
 # Firejail profile for arepack
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include arepack.local
 # Persistent global definitions
diff --git a/etc/asunder.profile b/etc/asunder.profile
index fc10739aa..1f3acd735 100644
--- a/etc/asunder.profile
+++ b/etc/asunder.profile
@@ -30,6 +30,7 @@ nodbus
 nonewprivs
 noroot
 nou2f
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
diff --git a/etc/atom.profile b/etc/atom.profile
index 8928baf5d..b9cb49d08 100644
--- a/etc/atom.profile
+++ b/etc/atom.profile
@@ -8,18 +8,9 @@ include globals.local
 noblacklist ${HOME}/.atom
 noblacklist ${HOME}/.config/Atom
-# allow rust
-noblacklist ${HOME}/.cargo/config
+# Allows files commonly used by IDEs
-noblacklist ${HOME}/.cargo/registry
+include allow-common-devel.inc
-# allow git config files
-noblacklist ${HOME}/.config/git
-noblacklist ${HOME}/.gitconfig
-noblacklist ${HOME}/.git-credentials
-# allow python dev files
-noblacklist ${HOME}/.python-history
-noblacklist ${HOME}/.python_history
-noblacklist ${HOME}/.pythonhist
-noblacklist ${HOME}/.pythonrc.py
 include disable-common.inc
 include disable-exec.inc
diff --git a/etc/atool.profile b/etc/atool.profile
index c9d950259..fb75c8408 100644
--- a/etc/atool.profile
+++ b/etc/atool.profile
@@ -1,7 +1,7 @@
 # Firejail profile for atool
 # Description: Tool for managing file archives of various types
-quiet
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include atool.local
 # Persistent global definitions
diff --git a/etc/aunpack.profile b/etc/aunpack.profile
index c119ed9ad..6ce4aa491 100644
--- a/etc/aunpack.profile
+++ b/etc/aunpack.profile
@@ -1,5 +1,6 @@
 # Firejail profile for aunpack
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include aunpack.local
 # Persistent global definitions
diff --git a/etc/baloo_file.profile b/etc/baloo_file.profile
index f46987cc7..6f7638fa3 100644
--- a/etc/baloo_file.profile
+++ b/etc/baloo_file.profile
@@ -39,7 +39,7 @@ nou2f
 novideo
 protocol unix
 # blacklisting of ioprio_set system calls breaks baloo_file
-seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice
+seccomp !ioprio_set
 shell none
 # x11 xorg
diff --git a/etc/baobab.profile b/etc/baobab.profile
index d2980f75c..c419aa202 100644
--- a/etc/baobab.profile
+++ b/etc/baobab.profile
@@ -32,5 +32,3 @@ shell none
 private-bin baobab
 private-dev
 private-tmp
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/basilisk.profile b/etc/basilisk.profile
index 5bc91dc74..8dc3847a0 100644
--- a/etc/basilisk.profile
+++ b/etc/basilisk.profile
@@ -14,8 +14,8 @@ whitelist ${HOME}/.cache/moonchild productions/basilisk
 whitelist ${HOME}/.moonchild productions
 # Basilisk can use the full firejail seccomp filter (unlike firefox >= 60)
-ignore seccomp.drop
 seccomp
+ignore seccomp
 #private-bin basilisk
 # private-etc must first be enabled in firefox-common.profile
diff --git a/etc/bibletime.profile b/etc/bibletime.profile
index 4f1b05c88..0de3bc480 100644
--- a/etc/bibletime.profile
+++ b/etc/bibletime.profile
@@ -42,7 +42,7 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6,netlink
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 shell none
 disable-mnt
diff --git a/etc/brackets.profile b/etc/brackets.profile
index 3e157d841..13a3bef79 100644
--- a/etc/brackets.profile
+++ b/etc/brackets.profile
@@ -8,13 +8,9 @@ include globals.local
 noblacklist ${HOME}/.config/Brackets
 #noblacklist /opt/brackets/
 #noblacklist /opt/google/
-# Uncomment the next two lines if you are developing rust.
-# or put it in your brackets.local
+# Allows files commonly used by IDEs
-#noblacklist ${HOME}/.cargo/config
+include allow-common-devel.inc
-#noblacklist ${HOME}/.cargo/registry
-noblacklist ${HOME}/.config/git
-noblacklist ${HOME}/.gitconfig
-noblacklist ${HOME}/.git-credentials
 include disable-common.inc
 include disable-passwdmgr.inc
@@ -31,7 +27,7 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6,netlink
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,iopl,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pciconfig_iobase,pciconfig_read,pciconfig_write,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,s390_mmio_read,s390_mmio_write,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot,!ioperm
 shell none
 private-cache
diff --git a/etc/bsdtar.profile b/etc/bsdtar.profile
index 1411ce7bd..17c67ed26 100644
--- a/etc/bsdtar.profile
+++ b/etc/bsdtar.profile
@@ -20,8 +20,8 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodvd
 nodbus
+nodvd
 nogroups
 nonewprivs
 # noroot
diff --git a/etc/bunzip2.profile b/etc/bunzip2.profile
index ff86cbdfc..37b47c2ce 100644
--- a/etc/bunzip2.profile
+++ b/etc/bunzip2.profile
@@ -1,6 +1,7 @@
 # Firejail profile for bunzip2
 # Description: A high-quality data compression program
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include bunzip2.local
 # Persistent global definitions
diff --git a/etc/bzcat.profile b/etc/bzcat.profile
new file mode 100644
index 000000000..edefb6bb8
--- /dev/null
+++ b/etc/bzcat.profile
@@ -0,0 +1,15 @@
+# Firejail profile for bzcat
+# Description: A high-quality data compression program
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include bzcat.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+ignore read-write
+read-only ${HOME}
+# Redirect
+include gzip.profile
diff --git a/etc/bzip2.profile b/etc/bzip2.profile
index 0f2fdd35a..0756e0537 100644
--- a/etc/bzip2.profile
+++ b/etc/bzip2.profile
@@ -1,6 +1,7 @@
 # Firejail profile for bzip2
 # Description: A high-quality data compression program
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include bzip2.local
 # Persistent global definitions
diff --git a/etc/checkbashisms.profile b/etc/checkbashisms.profile
index fe3202cea..7b2d344e5 100644
--- a/etc/checkbashisms.profile
+++ b/etc/checkbashisms.profile
@@ -44,7 +44,7 @@ x11 none
 private-cache
 private-dev
-private-lib perl*
+private-lib libfreebl3.so,perl*
 private-tmp
 memory-deny-write-execute
diff --git a/etc/clementine.profile b/etc/clementine.profile
index 147b0de4b..4d92157d0 100644
--- a/etc/clementine.profile
+++ b/etc/clementine.profile
@@ -27,7 +27,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 # blacklisting of ioprio_set system calls breaks clementine
-seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice
+seccomp !ioprio_set
 private-dev
 private-tmp
diff --git a/etc/code.profile b/etc/code.profile
index 6faf429e1..7ac4e1619 100644
--- a/etc/code.profile
+++ b/etc/code.profile
@@ -5,20 +5,14 @@ include code.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.cargo/config
-noblacklist ${HOME}/.cargo/registry
 noblacklist ${HOME}/.config/Code
 noblacklist ${HOME}/.config/Code - OSS
-noblacklist ${HOME}/.config/git
-noblacklist ${HOME}/.gitconfig
-noblacklist ${HOME}/.git-credentials
-noblacklist ${HOME}/.python-history
-noblacklist ${HOME}/.python_history
-noblacklist ${HOME}/.pythonhist
-noblacklist ${HOME}/.pythonrc.py
 noblacklist ${HOME}/.vscode
 noblacklist ${HOME}/.vscode-oss
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
 include disable-common.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
diff --git a/etc/conplay.profile b/etc/conplay.profile
index 101ce2f17..d0ad7c753 100644
--- a/etc/conplay.profile
+++ b/etc/conplay.profile
@@ -1,4 +1,6 @@
 # Firejail profile for conplay
+# Description: MPEG audio player/decoder
+# This file is overwritten after every install/update
 # Persistent local customizations
 include conplay.local
 # Persistent global definitions
diff --git a/etc/dconf-editor.profile b/etc/dconf-editor.profile
index 7cd39ca6a..29f676535 100644
--- a/etc/dconf-editor.profile
+++ b/etc/dconf-editor.profile
@@ -41,5 +41,3 @@ private-dev
 private-etc alternatives,dconf,fonts,gtk-3.0,machine-id
 private-lib
 private-tmp
-# memory-deny-write-execute
diff --git a/etc/devhelp.profile b/etc/devhelp.profile
index 60bebb0c9..02b752b5f 100644
--- a/etc/devhelp.profile
+++ b/etc/devhelp.profile
@@ -41,6 +41,6 @@ private-dev
 private-etc alternatives,dconf,fonts,ld.so.cache,machine-id,ssl
 private-tmp
-#memory-deny-write-execute - breaks on Arch (see issue 1803)
+#memory-deny-write-execute - breaks on Arch (see issue #1803)
 read-only ${HOME}
diff --git a/etc/dig.profile b/etc/dig.profile
index 6f2c1f755..611cbf026 100644
--- a/etc/dig.profile
+++ b/etc/dig.profile
@@ -1,7 +1,7 @@
 # Firejail profile for dig
 # Description: DNS lookup utility
-quiet
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include dig.local
 # Persistent global definitions
diff --git a/etc/dino.profile b/etc/dino.profile
index f7b220936..82ddf2819 100644
--- a/etc/dino.profile
+++ b/etc/dino.profile
@@ -1,4 +1,5 @@
 # Firejail profile for dino
+# Description: Modern XMPP Chat Client using GTK+/Vala
 # This file is overwritten after every install/update
 # Persistent local customizations
 include dino.local
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index 7ca5a6b89..fe49ce2f4 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -67,6 +67,7 @@ blacklist ${HOME}/.config/khotkeysrc
 blacklist ${HOME}/.config/krunnerrc
 blacklist ${HOME}/.config/kscreenlockerrc
 blacklist ${HOME}/.config/ksslcertificatemanager
+blacklist ${HOME}/.config/kwalletrc
 blacklist ${HOME}/.config/kwinrc
 blacklist ${HOME}/.config/kwinrulesrc
 blacklist ${HOME}/.config/plasma-org.kde.plasma.desktop-appletsrc
@@ -79,6 +80,7 @@ blacklist ${HOME}/.kde/share/config/khotkeysrc
 blacklist ${HOME}/.kde/share/config/krunnerrc
 blacklist ${HOME}/.kde/share/config/kscreensaverrc
 blacklist ${HOME}/.kde/share/config/ksslcertificatemanager
+blacklist ${HOME}/.kde/share/config/kwalletrc
 blacklist ${HOME}/.kde/share/config/kwinrc
 blacklist ${HOME}/.kde/share/config/kwinrulesrc
 blacklist ${HOME}/.kde/share/config/plasma-desktop-appletsrc
@@ -89,6 +91,7 @@ blacklist ${HOME}/.kde4/share/config/khotkeysrc
 blacklist ${HOME}/.kde4/share/config/krunnerrc
 blacklist ${HOME}/.kde4/share/config/kscreensaverrc
 blacklist ${HOME}/.kde4/share/config/ksslcertificatemanager
+blacklist ${HOME}/.kde4/share/config/kwalletrc
 blacklist ${HOME}/.kde4/share/config/kwinrc
 blacklist ${HOME}/.kde4/share/config/kwinrulesrc
 blacklist ${HOME}/.kde4/share/config/plasma-desktop-appletsrc
@@ -281,8 +284,7 @@ read-only ${HOME}/bin
 read-only ${HOME}/.bin
 read-only ${HOME}/.local/bin
 read-only ${HOME}/.cargo/bin
-blacklist ${HOME}/.cargo/registry
+read-only ${HOME}/.cargo/env
-blacklist ${HOME}/.cargo/config
 # Write-protection for desktop entries
 read-only ${HOME}/.config/menus
@@ -297,11 +299,14 @@ blacklist ${HOME}/*.kdbx
 blacklist ${HOME}/*.key
 blacklist ${HOME}/.Private
 blacklist ${HOME}/.caff
+blacklist ${HOME}/.cargo/credentials
 blacklist ${HOME}/.cert
 blacklist ${HOME}/.config/keybase
 blacklist ${HOME}/.davfs2/secrets
 blacklist ${HOME}/.ecryptfs
 blacklist ${HOME}/.fetchmailrc
+blacklist ${HOME}/.git-credential-cache
+blacklist ${HOME}/.git-credentials
 blacklist ${HOME}/.gnome2/keyrings
 blacklist ${HOME}/.gnupg
 blacklist ${HOME}/.config/hub
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index cc6877693..e54b651a6 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -3,6 +3,7 @@
 include disable-programs.local
 blacklist ${HOME}/Arduino
+blacklist ${HOME}/i2p
 blacklist ${HOME}/Monero/wallets
 blacklist ${HOME}/Nextcloud/Notes
 blacklist ${HOME}/SoftMaker
@@ -28,9 +29,9 @@ blacklist ${HOME}/.Steam
 blacklist ${HOME}/.Steampath
 blacklist ${HOME}/.Steampid
 blacklist ${HOME}/.TelegramDesktop
+blacklist ${HOME}/.VSCodium
 blacklist ${HOME}/.ViberPC
 blacklist ${HOME}/.VirtualBox
-blacklist ${HOME}/.VSCodium
 blacklist ${HOME}/.WebStorm*
 blacklist ${HOME}/.Wolfram Research
 blacklist ${HOME}/.ZAP
@@ -51,6 +52,8 @@ blacklist ${HOME}/.bibletime
 blacklist ${HOME}/.bitcoin
 blacklist ${HOME}/.bogofilter
 blacklist ${HOME}/.bzf
+blacklist ${HOME}/.cargo/registry
+blacklist ${HOME}/.cargo/config
 blacklist ${HOME}/.claws-mail
 blacklist ${HOME}/.cliqz
 blacklist ${HOME}/.clonk
@@ -94,9 +97,9 @@ blacklist ${HOME}/.config/MusicBrainz
 blacklist ${HOME}/.config/Nathan Osman
 blacklist ${HOME}/.config/Nylas Mail
 blacklist ${HOME}/.config/PBE
-blacklist ${HOME}/.config/Qlipper
 blacklist ${HOME}/.config/QGIS
 blacklist ${HOME}/.config/QMediathekView
+blacklist ${HOME}/.config/Qlipper
 blacklist ${HOME}/.config/QuiteRss
 blacklist ${HOME}/.config/QuiteRssrc
 blacklist ${HOME}/.config/Rambox
@@ -179,10 +182,11 @@ blacklist ${HOME}/.config/ghb
 blacklist ${HOME}/.config/ghostwriter
 blacklist ${HOME}/.config/git
 blacklist ${HOME}/.config/globaltime
+blacklist ${HOME}/.config/gnome-builder
 blacklist ${HOME}/.config/gnome-mplayer
 blacklist ${HOME}/.config/gnome-mpv
-blacklist ${HOME}/.config/godot
 blacklist ${HOME}/.config/gnome-pie
+blacklist ${HOME}/.config/godot
 blacklist ${HOME}/.config/google-chrome
 blacklist ${HOME}/.config/google-chrome-beta
 blacklist ${HOME}/.config/google-chrome-unstable
@@ -190,6 +194,7 @@ blacklist ${HOME}/.config/gpicview
 blacklist ${HOME}/.config/gthumb
 blacklist ${HOME}/.config/gwenviewrc
 blacklist ${HOME}/.config/hexchat
+blacklist ${HOME}/.config/i2p
 blacklist ${HOME}/.config/inkscape
 blacklist ${HOME}/.config/inox
 blacklist ${HOME}/.config/iridium
@@ -231,8 +236,8 @@ blacklist ${HOME}/.config/meteo-qt
 blacklist ${HOME}/.config/mfusion
 blacklist ${HOME}/.config/midori
 blacklist ${HOME}/.config/mono
-blacklist ${HOME}/.config/mpd
 blacklist ${HOME}/.config/mpDris2
+blacklist ${HOME}/.config/mpd
 blacklist ${HOME}/.config/mps-youtube
 blacklist ${HOME}/.config/mpv
 blacklist ${HOME}/.config/mupen64plus
@@ -253,8 +258,8 @@ blacklist ${HOME}/.config/opera
 blacklist ${HOME}/.config/opera-beta
 blacklist ${HOME}/.config/orage
 blacklist ${HOME}/.config/org.kde.gwenviewrc
-blacklist ${HOME}/.config/pavucontrol.ini
 blacklist ${HOME}/.config/pavucontrol-qt
+blacklist ${HOME}/.config/pavucontrol.ini
 blacklist ${HOME}/.config/pcmanfm
 blacklist ${HOME}/.config/pdfmod
 blacklist ${HOME}/.config/Pinta
@@ -302,6 +307,7 @@ blacklist ${HOME}/.config/vivaldi
 blacklist ${HOME}/.config/vivaldi-snapshot
 blacklist ${HOME}/.config/vlc
 blacklist ${HOME}/.config/wesnoth
+blacklist ${HOME}/.config/Whalebird
 blacklist ${HOME}/.config/wireshark
 blacklist ${HOME}/.config/xchat
 blacklist ${HOME}/.config/xed
@@ -322,6 +328,7 @@ blacklist ${HOME}/.config/yelp
 blacklist ${HOME}/.config/youtube-dl
 blacklist ${HOME}/.config/zathura
 blacklist ${HOME}/.config/zoomus.conf
+blacklist ${HOME}/.config/Zulip
 blacklist ${HOME}/.conkeror.mozdev.org
 blacklist ${HOME}/.crawl
 blacklist ${HOME}/.curlrc
@@ -350,8 +357,6 @@ blacklist ${HOME}/.freecol
 blacklist ${HOME}/.freemind
 blacklist ${HOME}/.frozen-bubble
 blacklist ${HOME}/.gimp*
-blacklist ${HOME}/.git-credentials
-blacklist ${HOME}/.git-credential-cache
 blacklist ${HOME}/.gitconfig
 blacklist ${HOME}/.gnome/gnome-schedule
 blacklist ${HOME}/.googleearth/Cache/
@@ -364,9 +369,11 @@ blacklist ${HOME}/.guayadeque
 blacklist ${HOME}/.hashcat
 blacklist ${HOME}/.hedgewars
 blacklist ${HOME}/.hugin
+blacklist ${HOME}/.i2p
 blacklist ${HOME}/.icedove
 blacklist ${HOME}/.imagej
 blacklist ${HOME}/.inkscape
+blacklist ${HOME}/.itch
 blacklist ${HOME}/.jack-server
 blacklist ${HOME}/.jack-settings
 blacklist ${HOME}/.jak
@@ -409,13 +416,13 @@ blacklist ${HOME}/.kde4/share/apps/kaffeine
 blacklist ${HOME}/.kde4/share/apps/kcookiejar
 blacklist ${HOME}/.kde4/share/apps/kget
 blacklist ${HOME}/.kde4/share/apps/khtml
-blacklist ${HOME}/.kde4/share/apps/konqueror
 blacklist ${HOME}/.kde4/share/apps/konqsidebartng
+blacklist ${HOME}/.kde4/share/apps/konqueror
 blacklist ${HOME}/.kde4/share/apps/kopete
 blacklist ${HOME}/.kde4/share/apps/ktorrent
 blacklist ${HOME}/.kde4/share/apps/okular
-blacklist ${HOME}/.kde4/share/config/baloorc
 blacklist ${HOME}/.kde4/share/config/baloofilerc
+blacklist ${HOME}/.kde4/share/config/baloorc
 blacklist ${HOME}/.kde4/share/config/digikam
 blacklist ${HOME}/.kde4/share/config/gwenviewrc
 blacklist ${HOME}/.kde4/share/config/k3brc
@@ -438,9 +445,9 @@ blacklist ${HOME}/.kinorc
 blacklist ${HOME}/.klatexformula
 blacklist ${HOME}/.kodi
 blacklist ${HOME}/.lincity-ng
+blacklist ${HOME}/.links
 blacklist ${HOME}/.linphone-history.db
 blacklist ${HOME}/.linphonerc
-blacklist ${HOME}/.links
 blacklist ${HOME}/.lmmsrc.xml
 blacklist ${HOME}/.local/lib/vivaldi
 blacklist ${HOME}/.local/share/0ad
@@ -494,6 +501,7 @@ blacklist ${HOME}/.local/share/geeqie
 blacklist ${HOME}/.local/share/gitg
 blacklist ${HOME}/.local/share/gnome-2048
 blacklist ${HOME}/.local/share/gnome-chess
+blacklist ${HOME}/.local/share/gnome-builder
 blacklist ${HOME}/.local/share/gnome-music
 blacklist ${HOME}/.local/share/gnome-photos
 blacklist ${HOME}/.local/share/gnome-recipes
@@ -502,10 +510,13 @@ blacklist ${HOME}/.local/share/gnome-twitch
 blacklist ${HOME}/.local/share/godot
 blacklist ${HOME}/.local/share/gradio
 blacklist ${HOME}/.local/share/gwenview
+blacklist ${HOME}/.local/share/i2p
 blacklist ${HOME}/.local/share/kaffeine
 blacklist ${HOME}/.local/share/kate
 blacklist ${HOME}/.local/share/kdenlive
 blacklist ${HOME}/.local/share/kget
+blacklist ${HOME}/.local/share/kiwix
+blacklist ${HOME}/.local/share/kiwix-desktop
 blacklist ${HOME}/.local/share/klavaro
 blacklist ${HOME}/.local/share/kmail2
 blacklist ${HOME}/.local/share/knotes
@@ -626,8 +637,7 @@ blacklist ${HOME}/.teeworlds
 blacklist ${HOME}/.thunderbird
 blacklist ${HOME}/.tilp
 blacklist ${HOME}/.tooling
-blacklist ${HOME}/.tor-browser-*
+blacklist ${HOME}/.tor-browser*
-blacklist ${HOME}/.tor-browser_*
 blacklist ${HOME}/.torcs
 blacklist ${HOME}/.tremulous
 blacklist ${HOME}/.ts3client
@@ -635,6 +645,8 @@ blacklist ${HOME}/.tuxguitar*
 blacklist ${HOME}/.unknown-horizons
 blacklist ${HOME}/.viking
 blacklist ${HOME}/.viking-maps
+blacklist ${HOME}/.vim
+blacklist ${HOME}/.vimrc
 blacklist ${HOME}/.vscode
 blacklist ${HOME}/.vscode-oss
 blacklist ${HOME}/.vst
@@ -704,6 +716,7 @@ blacklist ${HOME}/.cache/godot
 blacklist ${HOME}/.cache/google-chrome
 blacklist ${HOME}/.cache/google-chrome-beta
 blacklist ${HOME}/.cache/google-chrome-unstable
+blacklist ${HOME}/.cache/gnome-builder
 blacklist ${HOME}/.cache/gnome-recipes
 blacklist ${HOME}/.cache/gnome-twitch
 blacklist ${HOME}/.cache/gradio
@@ -726,6 +739,7 @@ blacklist ${HOME}/.cache/libgweather
 blacklist ${HOME}/.cache/liferea
 blacklist ${HOME}/.cache/Mendeley Ltd.
 blacklist ${HOME}/.cache/midori
+blacklist ${HOME}/.cache/minetest
 blacklist ${HOME}/.cache/moonchild productions/basilisk
 blacklist ${HOME}/.cache/moonchild productions/pale moon
 blacklist ${HOME}/.cache/mozilla
diff --git a/etc/dnscrypt-proxy.profile b/etc/dnscrypt-proxy.profile
index c04451373..bba94e3cb 100644
--- a/etc/dnscrypt-proxy.profile
+++ b/etc/dnscrypt-proxy.profile
@@ -1,6 +1,7 @@
 # Firejail profile for dnscrypt-proxy
 # Description: Tool for securing communications between a client and a DNS resolver
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include dnscrypt-proxy.local
 # Persistent global definitions
diff --git a/etc/dnsmasq.profile b/etc/dnsmasq.profile
index daf4795c3..dfb1b61c1 100644
--- a/etc/dnsmasq.profile
+++ b/etc/dnsmasq.profile
@@ -1,6 +1,7 @@
 # Firejail profile for dnsmasq
 # Description: Small caching DNS proxy and DHCP/TFTP server
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include dnsmasq.local
 # Persistent global definitions
diff --git a/etc/emacs.profile b/etc/emacs.profile
index f8b451f02..ab378105e 100644
--- a/etc/emacs.profile
+++ b/etc/emacs.profile
@@ -11,10 +11,9 @@ noblacklist ${HOME}/.emacs.d
 # if you need gpg uncomment the following line
 # or put it into your emacs.local
 #noblacklist ${HOME}/.gnupg
-noblacklist ${HOME}/.python-history
-noblacklist ${HOME}/.python_history
+# Allows files commonly used by IDEs
-noblacklist ${HOME}/.pythonhist
+include allow-common-devel.inc
-noblacklist ${HOME}/.pythonrc.py
 include disable-common.inc
 include disable-passwdmgr.inc
@@ -27,5 +26,6 @@ nogroups
 nonewprivs
 noroot
 notv
+novideo
 protocol unix,inet,inet6
 seccomp
diff --git a/etc/eo-common.profile b/etc/eo-common.profile
index f4b263f50..c4ad8ced4 100644
--- a/etc/eo-common.profile
+++ b/etc/eo-common.profile
@@ -43,5 +43,3 @@ private-dev
 private-etc alternatives,dconf,fonts,gtk-3.0
 private-lib eog,eom,gdk-pixbuf-2.*,gio,girepository-1.*,gvfs,libgconf-2.so.*
 private-tmp
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/etr.profile b/etc/etr.profile
index d93d3de63..97a43bb59 100644
--- a/etc/etr.profile
+++ b/etc/etr.profile
@@ -1,4 +1,5 @@
 # Firejail profile for etr
+# Description: High speed arctic racing game
 # This file is overwritten after every install/update
 # Persistent local customizations
 include etr.local
@@ -29,6 +30,7 @@ nonewprivs
 noroot
 notv
 nou2f
+novideo
 protocol unix,netlink
 seccomp
 shell none
diff --git a/etc/falkon.profile b/etc/falkon.profile
index cabf5aeba..0024b6660 100644
--- a/etc/falkon.profile
+++ b/etc/falkon.profile
@@ -34,9 +34,10 @@ notv
 nou2f
 protocol unix,inet,inet6,netlink
 # blacklisting of chroot system calls breaks falkon
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 # tracelog
 private-dev
+# private-etc alternatives,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,adobe,mime.types,mailcap,asound.conf,pulse,machine-id,ca-certificates,ssl,pki,crypto-policies
 # private-tmp - interferes with the opening of downloaded files
diff --git a/etc/feedreader.profile b/etc/feedreader.profile
index e453cc611..e381b12d6 100644
--- a/etc/feedreader.profile
+++ b/etc/feedreader.profile
@@ -15,6 +15,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 mkdir ${HOME}/.cache/feedreader
 mkdir ${HOME}/.local/share/feedreader
diff --git a/etc/ffmpegthumbnailer.profile b/etc/ffmpegthumbnailer.profile
index 3681c40f1..6d72c3b99 100644
--- a/etc/ffmpegthumbnailer.profile
+++ b/etc/ffmpegthumbnailer.profile
@@ -1,6 +1,7 @@
 # Firejail profile for ffmpegthumbnailer
 # Description: FFmpeg-based video thumbnailer
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include ffmpegthumbnailer.local
 # Persistent global definitions
diff --git a/etc/ffplay.profile b/etc/ffplay.profile
index b42cc29bc..71187a5b5 100644
--- a/etc/ffplay.profile
+++ b/etc/ffplay.profile
@@ -1,6 +1,7 @@
 # Firejail profile for ffplay
 # Description: FFmpeg-based media player
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include ffplay.local
 # Persistent global definitions
diff --git a/etc/ffprobe.profile b/etc/ffprobe.profile
index bd8643206..cb24a7d05 100644
--- a/etc/ffprobe.profile
+++ b/etc/ffprobe.profile
@@ -1,6 +1,7 @@
 # Firejail profile for ffprobe
 # Description: FFmpeg-based media prober
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include ffprobe.local
 # Persistent global definitions
diff --git a/etc/file-roller.profile b/etc/file-roller.profile
index db1426f36..496152540 100644
--- a/etc/file-roller.profile
+++ b/etc/file-roller.profile
@@ -37,5 +37,3 @@ tracelog
 # private-bin file-roller
 private-dev
 # private-tmp
-# memory-deny-write-execute
diff --git a/etc/file.profile b/etc/file.profile
index 69fa7d8cd..37c7ee9e7 100644
--- a/etc/file.profile
+++ b/etc/file.profile
@@ -33,10 +33,11 @@ shell none
 tracelog
 x11 none
-#private-bin file
+#private-bin bzip2,file,gzip,lrzip,lz4,lzip,xz,zstd
 private-cache
 private-dev
 private-etc alternatives,localtime,magic,magic.mgc
-private-lib libarchive.so.*,libfakeroot,libmagic.so.*
+private-lib file,libarchive.so.*,libfakeroot,libmagic.so.*
 memory-deny-write-execute
+read-only ${HOME}
diff --git a/etc/firefox-common.profile b/etc/firefox-common.profile
index 6ad4a9bc2..02d6199a0 100644
--- a/etc/firefox-common.profile
+++ b/etc/firefox-common.profile
@@ -46,7 +46,7 @@ notv
 ?BROWSER_DISABLE_U2F: nou2f
 protocol unix,inet,inet6,netlink
 # The below seccomp configuration still permits chroot syscall. See https://github.com/netblue30/firejail/issues/2506 for possible workarounds.
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 shell none
 # Disable tracelog, it breaks or causes major issues with many firefox based browsers, see https://github.com/netblue30/firejail/issues/1930.
 #tracelog
diff --git a/etc/firefox.profile b/etc/firefox.profile
index 84c647cb9..8d90a0917 100644
--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -16,6 +16,8 @@ whitelist ${HOME}/.mozilla
 # firefox requires a shell to launch on Arch.
 #private-bin bash,dbus-launch,dbus-send,env,firefox,sh,which
+# Fedora use shell scripts to launch firefox, at least this is required
+#private-bin awk,basename,bash,cat,dbus-launch,dbus-send,dirname,env,expr,false,firefox,firefox-wayland,ln,mkdir,pidof,rm,rmdir,sed,sh,tclsh,true,uname,which
 # private-etc must first be enabled in firefox-common.profile
 #private-etc firefox
diff --git a/etc/firejail.config b/etc/firejail.config
index 1f80cedee..565796d5a 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -2,9 +2,6 @@
 # keyword-argument pairs, one per line. Most features are enabled by default.
 # Use 'yes' or 'no' as configuration values.
-# Resolve symbolic links in path of user home directories, default disabled.
-# homedir-symlink no
 # Enable AppArmor functionality, default enabled.
 # apparmor yes
diff --git a/etc/frozen-bubble.profile b/etc/frozen-bubble.profile
index 3931aa64a..6cef181c8 100644
--- a/etc/frozen-bubble.profile
+++ b/etc/frozen-bubble.profile
@@ -31,6 +31,7 @@ nonewprivs
 noroot
 notv
 nou2f
+novideo
 protocol unix,netlink
 seccomp
 shell none
diff --git a/etc/geany.profile b/etc/geany.profile
index 2cffb8777..31599e32a 100644
--- a/etc/geany.profile
+++ b/etc/geany.profile
@@ -7,13 +7,9 @@ include geany.local
 include globals.local
 noblacklist ${HOME}/.config/geany
-noblacklist ${HOME}/.config/git
-noblacklist ${HOME}/.gitconfig
+# Allows files commonly used by IDEs
-noblacklist ${HOME}/.git-credentials
+include allow-common-devel.inc
-noblacklist ${HOME}/.python-history
-noblacklist ${HOME}/.python_history
-noblacklist ${HOME}/.pythonhist
-noblacklist ${HOME}/.pythonrc.py
 include disable-common.inc
 include disable-passwdmgr.inc
diff --git a/etc/gedit.profile b/etc/gedit.profile
index ed6efc3b6..837396654 100644
--- a/etc/gedit.profile
+++ b/etc/gedit.profile
@@ -8,13 +8,9 @@ include globals.local
 noblacklist ${HOME}/.config/enchant
 noblacklist ${HOME}/.config/gedit
-noblacklist ${HOME}/.config/git
-noblacklist ${HOME}/.gitconfig
+# Allows files commonly used by IDEs
-noblacklist ${HOME}/.git-credentials
+include allow-common-devel.inc
-noblacklist ${HOME}/.python-history
-noblacklist ${HOME}/.python_history
-noblacklist ${HOME}/.pythonhist
-noblacklist ${HOME}/.pythonrc.py
 include disable-common.inc
 # include disable-devel.inc
diff --git a/etc/ghostwriter.profile b/etc/ghostwriter.profile
index 1fb2d8f58..2479ec16d 100644
--- a/etc/ghostwriter.profile
+++ b/etc/ghostwriter.profile
@@ -35,9 +35,9 @@ protocol unix,inet,inet6,netlink
 shell none
 #tracelog -- breaks
-# Breaks Translation
+private-bin gettext,ghostwriter,pandoc
-#private-bin ghostwriter,pandoc
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dbus-1,dconf,fonts,gconf,groups,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,machine-id,mime.types,nsswitch.conf,pango,passwd,pki,protocols,resolv.conf,rpc,services,ssl,Trolltech.conf,X11,xdg
+# passwd,login.defs,firejail are a temporary workaround for #2877 and can be removed once it is fixed
+private-etc alternatives,ca-certificates,crypto-policies,dbus-1,dconf,firejail,fonts,gconf,groups,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,machine-id,mime.types,nsswitch.conf,pango,passwd,pki,protocols,resolv.conf,rpc,services,ssl,Trolltech.conf,X11,xdg
 private-tmp
diff --git a/etc/gimp.profile b/etc/gimp.profile
index 762e743c8..fab7fa123 100644
--- a/etc/gimp.profile
+++ b/etc/gimp.profile
@@ -8,7 +8,7 @@ include globals.local
 # gimp plugins are installed by the user in ${HOME}/.gimp-2.8/plug-ins/ directory
 # if you are not using external plugins, you can comment 'ignore noexec' statement below
-# or put 'ignore ignore noexec ${HOME}' in your gimp.local
+# or put 'noexec ${HOME}' in your gimp.local
 ignore noexec ${HOME}
 noblacklist ${HOME}/.config/GIMP
diff --git a/etc/git.profile b/etc/git.profile
index f7c812e65..8b1c81ca4 100644
--- a/etc/git.profile
+++ b/etc/git.profile
@@ -15,7 +15,6 @@ noblacklist ${HOME}/.gitconfig
 noblacklist ${HOME}/.git-credentials
 noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.nanorc
-noblacklist ${HOME}/.oh-my-zsh
 noblacklist ${HOME}/.ssh
 noblacklist ${HOME}/.vim
 noblacklist ${HOME}/.viminfo
diff --git a/etc/gitg.profile b/etc/gitg.profile
index f6f51ef6f..08c1c94b6 100644
--- a/etc/gitg.profile
+++ b/etc/gitg.profile
@@ -22,6 +22,7 @@ include disable-programs.inc
 include whitelist-var-common.inc
 caps.drop all
+netfilter
 no3d
 nodvd
 nogroups
@@ -39,6 +40,3 @@ private-bin git,gitg,ssh
 private-cache
 private-dev
 private-tmp
-# mdwe breaks diff in older versions
-#memory-deny-write-execute
diff --git a/etc/gnome-builder.profile b/etc/gnome-builder.profile
index dfa1a5da8..726a74089 100644
--- a/etc/gnome-builder.profile
+++ b/etc/gnome-builder.profile
@@ -6,15 +6,12 @@ include gnome-builder.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.cargo/config
+noblacklist ${HOME}/.cache/gnome-builder
-noblacklist ${HOME}/.cargo/registry
+noblacklist ${HOME}/.config/gnome-builder
-noblacklist ${HOME}/.config/git
+noblacklist ${HOME}/.local/share/gnome-builder
-noblacklist ${HOME}/.gitconfig
-noblacklist ${HOME}/.git-credentials
+# Allows files commonly used by IDEs
-noblacklist ${HOME}/.python-history
+include allow-common-devel.inc
-noblacklist ${HOME}/.python_history
-noblacklist ${HOME}/.pythonhist
-noblacklist ${HOME}/.pythonrc.py
 include disable-common.inc
 include disable-passwdmgr.inc
diff --git a/etc/gnome-character-map.profile b/etc/gnome-character-map.profile
index 35db448f2..27804fdd0 100644
--- a/etc/gnome-character-map.profile
+++ b/etc/gnome-character-map.profile
@@ -6,4 +6,5 @@ include gnome-character-map.local
 # added by included profile
 #include globals.local
+# Redirect
 include gucharmap.profile
diff --git a/etc/gnome-photos.profile b/etc/gnome-photos.profile
index 3bbad67bb..aa0b7dbe3 100644
--- a/etc/gnome-photos.profile
+++ b/etc/gnome-photos.profile
@@ -28,6 +28,7 @@ noroot
 nosound
 notv
 nou2f
+novideo
 protocol unix
 seccomp
 shell none
diff --git a/etc/gnome-schedule.profile b/etc/gnome-schedule.profile
index 6c9c83e5f..cbeb82465 100644
--- a/etc/gnome-schedule.profile
+++ b/etc/gnome-schedule.profile
@@ -13,15 +13,9 @@ noblacklist ${PATH}/at
 noblacklist ${PATH}/crontab
 # Needs access to these files/dirs
-noblacklist /etc/at.allow
-noblacklist /etc/at.deny
 noblacklist /etc/cron.allow
 noblacklist /etc/cron.deny
-noblacklist /etc/fonts
-noblacklist /etc/ld.so.preload
-noblacklist /etc/pam.d
 noblacklist /etc/shadow
-noblacklist /var/spool/at
 noblacklist /var/spool/cron
 # cron job testing needs a terminal, resulting in sandbox escape (see disable-common.inc)
@@ -41,14 +35,6 @@ include disable-xdg.inc
 mkfile ${HOME}/.gnome/gnome-schedule
 whitelist ${HOME}/.gnome/gnome-schedule
-whitelist /etc/at.allow
-whitelist /etc/at.deny
-whitelist /etc/cron.allow
-whitelist /etc/cron.deny
-whitelist /etc/fonts
-whitelist /etc/pam.d
-whitelist /etc/ld.so.preload
-whitelist /etc/shadow
 whitelist /var/spool/atd
 whitelist /var/spool/cron
 include whitelist-common.inc
@@ -72,5 +58,6 @@ tracelog
 disable-mnt
 private-cache
 private-dev
+private-etc at.allow,at.deny,cron.allow,cron.deny,fonts,ld.so.preload,pam.d,shadow
 writable-var
diff --git a/etc/gnome-system-log.profile b/etc/gnome-system-log.profile
index f1347a8dc..b2907b32c 100644
--- a/etc/gnome-system-log.profile
+++ b/etc/gnome-system-log.profile
@@ -6,8 +6,6 @@ include gnome-system-log.local
 # Persistent global definitions
 include globals.local
-noblacklist /var/log
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/gunzip.profile b/etc/gunzip.profile
index aff990ec0..6e97c6b78 100644
--- a/etc/gunzip.profile
+++ b/etc/gunzip.profile
@@ -1,5 +1,6 @@
 # Firejail profile for gunzip
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include gunzip.local
 # Persistent global definitions
diff --git a/etc/gwenview.profile b/etc/gwenview.profile
index 489be3931..5a5d81378 100644
--- a/etc/gwenview.profile
+++ b/etc/gwenview.profile
@@ -45,6 +45,6 @@ shell none
 private-bin gimp*,gwenview,kbuildsycoca4,kdeinit4
 private-dev
-private-etc alternatives,fonts,gimp,gtk-2.0,kde4rc,kde5rc,ld.so.cache,machine-id,pulse,xdg
+private-etc alternatives,fonts,gimp,gtk-2.0,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,pulse,xdg
 # memory-deny-write-execute
diff --git a/etc/hedgewars.profile b/etc/hedgewars.profile
index 1e9f898e0..898a07a5f 100644
--- a/etc/hedgewars.profile
+++ b/etc/hedgewars.profile
@@ -26,6 +26,7 @@ nonewprivs
 noroot
 notv
 nou2f
+novideo
 seccomp
 tracelog
diff --git a/etc/i2prouter.profile b/etc/i2prouter.profile
new file mode 100644
index 000000000..e46fb3317
--- /dev/null
+++ b/etc/i2prouter.profile
@@ -0,0 +1,71 @@
+# Firejail profile for I2P
+# Description: A distributed anonymous network
+# This file is overwritten after every install/update
+# Persistent local customizations
+include i2prouter.local
+# Persistent global definitions
+include globals.local
+# Notice: default browser will not be able to automatically open, due to sandbox.
+# Auto-opening default browser can be disabled in the I2P router console.
+# This profile will not currently work with any Arch User Repository i2p packages,
+# use the distro-independent official java installer instead
+# Only needed if i2prouter binary is in home directory, java installer does this
+ignore noexec ${HOME}
+noblacklist ${HOME}/.config/i2p
+noblacklist ${HOME}/.i2p
+noblacklist ${HOME}/.local/share/i2p
+noblacklist ${HOME}/i2p
+# Only needed if wrapper is placed in /usr/sbin/, ubuntu official ppa package does this
+noblacklist /usr/sbin
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.config/i2p
+mkdir ${HOME}/.i2p
+mkdir ${HOME}/.local/share/i2p
+mkdir ${HOME}/i2p
+whitelist ${HOME}/.config/i2p
+whitelist ${HOME}/.i2p
+whitelist ${HOME}/.local/share/i2p
+whitelist ${HOME}/i2p
+# Only needed if wrapper is placed in /usr/sbin/, ubuntu official ppa package does this
+whitelist /usr/sbin/wrapper*
+include whitelist-common.inc
+# May break I2P if wrapper is placed in the home directory
+# If using ubuntu official ppa, this should be fine to uncomment, as it puts wrapper in /usr/sbin/
+#apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+disable-mnt
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,i2p,java-8-openjdk,pki,ssl
+private-tmp
diff --git a/etc/idea.sh.profile b/etc/idea.sh.profile
index 4f3047e08..a7d0d531f 100644
--- a/etc/idea.sh.profile
+++ b/etc/idea.sh.profile
@@ -7,17 +7,15 @@ include globals.local
 noblacklist ${HOME}/.IdeaIC*
 noblacklist ${HOME}/.android
-noblacklist ${HOME}/.config/git
-noblacklist ${HOME}/.gitconfig
-noblacklist ${HOME}/.git-credentials
-noblacklist ${HOME}/.gradle
 noblacklist ${HOME}/.jack-server
 noblacklist ${HOME}/.jack-settings
-noblacklist ${HOME}/.java
 noblacklist ${HOME}/.local/share/JetBrains
 noblacklist ${HOME}/.ssh
 noblacklist ${HOME}/.tooling
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
 include disable-common.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
diff --git a/etc/itch.profile b/etc/itch.profile
index c0b4fe6ce..b3c78c810 100644
--- a/etc/itch.profile
+++ b/etc/itch.profile
@@ -8,6 +8,7 @@ include globals.local
 # itch.io has native firejail/sandboxing support bundled in
 # See https://itch.io/docs/itch/using/sandbox/linux.html
+noblacklist ${HOME}/.itch
 noblacklist ${HOME}/.config/itch
 include disable-common.inc
@@ -16,7 +17,9 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+mkdir ${HOME}/.itch
 mkdir ${HOME}/.config/itch
+whitelist ${HOME}/.itch
 whitelist ${HOME}/.config/itch
 include whitelist-common.inc
diff --git a/etc/kiwix-desktop.profile b/etc/kiwix-desktop.profile
new file mode 100644
index 000000000..8b7b12882
--- /dev/null
+++ b/etc/kiwix-desktop.profile
@@ -0,0 +1,49 @@
+# Firejail profile for kiwix-desktop
+# Description: view/manage ZIM files
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kiwix-desktop.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.local/share/kiwix
+noblacklist ${HOME}/.local/share/kiwix-desktop
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.local/share/kiwix
+mkdir ${HOME}/.local/share/kiwix-desktop
+whitelist ${HOME}/.local/share/kiwix
+whitelist ${HOME}/.local/share/kiwix-desktop
+include whitelist-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+# no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+# nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp !chroot
+shell none
+disable-mnt
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,machine-id,pki,pulse,resolv.conf,ssl
+private-tmp
diff --git a/etc/kmail.profile b/etc/kmail.profile
index 0b602c79a..198b05a11 100644
--- a/etc/kmail.profile
+++ b/etc/kmail.profile
@@ -51,7 +51,7 @@ nou2f
 novideo
 protocol unix,inet,inet6,netlink
 # we need to allow chroot, io_getevents, ioprio_set, io_setup, io_submit system calls
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot,!io_getevents,!io_setup,!io_submit,!ioprio_set
 # tracelog
 private-dev
diff --git a/etc/kwin_x11.profile b/etc/kwin_x11.profile
index ee07636d3..d512dd100 100644
--- a/etc/kwin_x11.profile
+++ b/etc/kwin_x11.profile
@@ -5,6 +5,9 @@ include kwin_x11.local
 # Persistent global definitions
 include globals.local
+# fix automatical kwin_x11 sandboxing:
+# echo KDEWM=kwin_x11 >> ~/.pam_environment
 noblacklist ${HOME}/.cache/kwin
 noblacklist ${HOME}/.config/kwinrc
 noblacklist ${HOME}/.config/kwinrulesrc
diff --git a/etc/less.profile b/etc/less.profile
index 0f31d344b..282b033a6 100644
--- a/etc/less.profile
+++ b/etc/less.profile
@@ -8,8 +8,6 @@ include less.local
 include globals.local
 noblacklist ${HOME}/.lesshst
-read-only ${HOME}
-read-write ${HOME}/.lesshst
 include disable-devel.inc
 include disable-exec.inc
@@ -45,3 +43,5 @@ private-dev
 writable-var-log
 memory-deny-write-execute
+read-only ${HOME}
+read-write ${HOME}/.lesshst
diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile
index b8a6201b2..aa113883e 100644
--- a/etc/libreoffice.profile
+++ b/etc/libreoffice.profile
@@ -34,6 +34,7 @@ nonewprivs
 noroot
 notv
 nou2f
+novideo
 # comment the protocol line when using the ubuntu 18.04/debian 10 apparmor profile
 protocol unix,inet,inet6
 # comment seccomp when using the ubuntu 18.04/debian 10 apparmor profile
diff --git a/etc/lrunzip.profile b/etc/lrunzip.profile
index 72abec8bb..c010cbd96 100644
--- a/etc/lrunzip.profile
+++ b/etc/lrunzip.profile
@@ -1,6 +1,7 @@
 # Firejail profile for lrunzip
 # Description: Multi-threaded compression with rzip/lzma, lzo and zpaq
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include lrunzip.local
 # Persistent global definitions
diff --git a/etc/lrz.profile b/etc/lrz.profile
index c1f928bde..8077be945 100644
--- a/etc/lrz.profile
+++ b/etc/lrz.profile
@@ -1,6 +1,7 @@
 # Firejail profile for lrz
 # Description: Multi-threaded compression with rzip/lzma, lzo and zpaq
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include lrz.local
 # Persistent global definitions
diff --git a/etc/lrzcat.profile b/etc/lrzcat.profile
index edcd7f8cd..d05ee7aae 100644
--- a/etc/lrzcat.profile
+++ b/etc/lrzcat.profile
@@ -1,6 +1,7 @@
 # Firejail profile for lrzcat
 # Description: Multi-threaded compression with rzip/lzma, lzo and zpaq
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include lrzcat.local
 # Persistent global definitions
diff --git a/etc/lrzip.profile b/etc/lrzip.profile
index a69096e28..3767767f6 100644
--- a/etc/lrzip.profile
+++ b/etc/lrzip.profile
@@ -1,6 +1,7 @@
 # Firejail profile for lrzip
 # Description: Multi-threaded compression with rzip/lzma, lzo and zpaq
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include lrzip.local
 # Persistent global definitions
diff --git a/etc/lrztar.profile b/etc/lrztar.profile
index 54b04b4ec..673e9f62e 100644
--- a/etc/lrztar.profile
+++ b/etc/lrztar.profile
@@ -1,6 +1,7 @@
 # Firejail profile for lrztar
 # Description: Multi-threaded compression with rzip/lzma, lzo and zpaq
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include lrztar.local
 # Persistent global definitions
diff --git a/etc/lrzuntar.profile b/etc/lrzuntar.profile
index f21169b24..245d1c669 100644
--- a/etc/lrzuntar.profile
+++ b/etc/lrzuntar.profile
@@ -1,6 +1,7 @@
 # Firejail profile for lrzuntar
 # Description: Multi-threaded compression with rzip/lzma, lzo and zpaq
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include lrzuntar.local
 # Persistent global definitions
diff --git a/etc/mencoder.profile b/etc/mencoder.profile
index 136412d11..aac394a59 100644
--- a/etc/mencoder.profile
+++ b/etc/mencoder.profile
@@ -25,4 +25,5 @@ shell none
 private-bin mencoder
+# Redirect
 include mplayer.profile
diff --git a/etc/mousepad.profile b/etc/mousepad.profile
index 3b9807b28..20370a5b5 100644
--- a/etc/mousepad.profile
+++ b/etc/mousepad.profile
@@ -26,6 +26,7 @@ noroot
 nosound
 notv
 nou2f
+novideo
 protocol unix
 seccomp
 shell none
diff --git a/etc/mpd.profile b/etc/mpd.profile
index 0b5ebf705..6c5963793 100644
--- a/etc/mpd.profile
+++ b/etc/mpd.profile
@@ -31,7 +31,7 @@ novideo
 protocol unix,inet,inet6
 # blacklisting of ioprio_set system calls breaks auto-updating of
 # MPD's database when files in music_directory are changed
-seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice
+seccomp !ioprio_set
 shell none
 #private-bin bash,mpd
diff --git a/etc/mpsyt.profile b/etc/mpsyt.profile
index 878a5f654..546755ecb 100644
--- a/etc/mpsyt.profile
+++ b/etc/mpsyt.profile
@@ -48,16 +48,22 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
+nodbus
+nodvd
 # Seems to cause issues with Nvidia drivers sometimes
 nogroups
 nonewprivs
 noroot
+notv
+nou2f
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
 tracelog
 private-bin env,ffmpeg,mplayer,mpsyt,mpv,python*,youtube-dl
+#private-cache
 private-dev
 private-tmp
diff --git a/etc/mpv.profile b/etc/mpv.profile
index d8163d20a..289a3cd5d 100644
--- a/etc/mpv.profile
+++ b/etc/mpv.profile
@@ -16,6 +16,7 @@ include allow-python2.inc
 include allow-python3.inc
 noblacklist ${MUSIC}
+noblacklist ${PICTURES}
 noblacklist ${VIDEOS}
 include disable-common.inc
diff --git a/etc/mutt.profile b/etc/mutt.profile
index c424dbb85..92babd50f 100644
--- a/etc/mutt.profile
+++ b/etc/mutt.profile
@@ -17,7 +17,6 @@ noblacklist ${HOME}/.emacs
 noblacklist ${HOME}/.emacs.d
 noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.mail
-noblacklist ${HOME}/.mailcap
 noblacklist ${HOME}/.msmtprc
 noblacklist ${HOME}/.mutt
 noblacklist ${HOME}/.muttrc
diff --git a/etc/nano.profile b/etc/nano.profile
index 30a6e03e7..9965d8a6b 100644
--- a/etc/nano.profile
+++ b/etc/nano.profile
@@ -1,6 +1,7 @@
 # Firejail profile for nano
 # Description: nano is an easy text editor for the terminal
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include nano.local
 # Persistent global definitions
diff --git a/etc/nethack-vultures.profile b/etc/nethack-vultures.profile
index e1294153b..079f44ee7 100644
--- a/etc/nethack-vultures.profile
+++ b/etc/nethack-vultures.profile
@@ -7,7 +7,6 @@ include nethack.local
 include globals.local
 noblacklist ${HOME}/.vultures
-noblacklist /var/log
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/okular.profile b/etc/okular.profile
index 99357934d..56fd21fc8 100644
--- a/etc/okular.profile
+++ b/etc/okular.profile
@@ -49,7 +49,7 @@ tracelog
 private-bin kbuildsycoca4,kdeinit4,lpr,okular
 private-dev
-private-etc alternatives,cups,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,xdg
+private-etc alternatives,cups,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,xdg
 # private-tmp - on KDE we need access to the real /tmp for data exchange with email clients
 # memory-deny-write-execute
diff --git a/etc/open-invaders.profile b/etc/open-invaders.profile
index d80b3d351..5925ccc09 100644
--- a/etc/open-invaders.profile
+++ b/etc/open-invaders.profile
@@ -27,6 +27,7 @@ nonewprivs
 noroot
 notv
 nou2f
+novideo
 protocol unix,netlink
 seccomp
 shell none
diff --git a/etc/p7zip.profile b/etc/p7zip.profile
index 644292f2b..7e0069afc 100644
--- a/etc/p7zip.profile
+++ b/etc/p7zip.profile
@@ -1,6 +1,7 @@
 # Firejail profile for p7zip
 # Description: 7zr file archiver with high compression ratio
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include p7zip.local
 # Persistent global definitions
diff --git a/etc/palemoon.profile b/etc/palemoon.profile
index 11464e6cf..acb2ce176 100644
--- a/etc/palemoon.profile
+++ b/etc/palemoon.profile
@@ -14,8 +14,8 @@ whitelist ${HOME}/.cache/moonchild productions/pale moon
 whitelist ${HOME}/.moonchild productions
 # Palemoon can use the full firejail seccomp filter (unlike firefox >= 60)
-ignore seccomp.drop
 seccomp
+ignore seccomp
 #private-bin palemoon
 # private-etc must first be enabled in firefox-common.profile
diff --git a/etc/pdftotext.profile b/etc/pdftotext.profile
index c5016201d..f1a5741d0 100644
--- a/etc/pdftotext.profile
+++ b/etc/pdftotext.profile
@@ -1,4 +1,5 @@
 # Firejail profile for pdftotext
+# Description: Portable Document Format (PDF) to text converter
 # This file is overwritten after every install/update
 # Persistent local customizations
 include pdftotext.local
diff --git a/etc/ping.profile b/etc/ping.profile
index 00ac45c5a..4ff5250d7 100644
--- a/etc/ping.profile
+++ b/etc/ping.profile
@@ -1,4 +1,5 @@
 # Firejail profile for ping
+# Description: send ICMP ECHO_REQUEST to network hosts
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations
diff --git a/etc/pingus.profile b/etc/pingus.profile
index 782ee200d..a3adc55a2 100644
--- a/etc/pingus.profile
+++ b/etc/pingus.profile
@@ -27,6 +27,7 @@ nonewprivs
 noroot
 notv
 nou2f
+novideo
 protocol unix,netlink
 seccomp
 shell none
diff --git a/etc/pluma.profile b/etc/pluma.profile
index 81b2b1481..dadfcc44e 100644
--- a/etc/pluma.profile
+++ b/etc/pluma.profile
@@ -6,11 +6,11 @@ include pluma.local
 # Persistent global definitions
 include globals.local
+noblacklist ${HOME}/.config/enchant
 noblacklist ${HOME}/.config/pluma
-noblacklist ${HOME}/.python-history
-noblacklist ${HOME}/.python_history
+# Allows files commonly used by IDEs
-noblacklist ${HOME}/.pythonhist
+include allow-common-devel.inc
-noblacklist ${HOME}/.pythonrc.py
 include disable-common.inc
 include disable-devel.inc
@@ -42,7 +42,7 @@ tracelog
 private-bin pluma
 private-dev
-private-lib pluma
+private-lib aspell,gconv,libgspell-1.so.*,libreadline.so.*,libtinfo.so.*,pluma
 private-tmp
 memory-deny-write-execute
diff --git a/etc/ppsspp.profile b/etc/ppsspp.profile
index 116698312..970290002 100644
--- a/etc/ppsspp.profile
+++ b/etc/ppsspp.profile
@@ -8,8 +8,6 @@ include globals.local
 noblacklist ${HOME}/.config/ppsspp
 noblacklist ${DOCUMENTS}
-# with >=llvm-4 mesa drivers need llvm stuff
-noblacklist /usr/lib/llvm*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/pycharm-community.profile b/etc/pycharm-community.profile
index 17218adee..9ee426a95 100644
--- a/etc/pycharm-community.profile
+++ b/etc/pycharm-community.profile
@@ -6,14 +6,13 @@ include pycharm-community.local
 include globals.local
 noblacklist ${HOME}/.PyCharmCE*
-noblacklist ${HOME}/.python-history
-noblacklist ${HOME}/.python_history
-noblacklist ${HOME}/.pythonhist
-noblacklist ${HOME}/.pythonrc.py
 # Allow java (blacklisted by disable-devel.inc)
 include allow-java.inc
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
 include disable-common.inc
 include disable-devel.inc
 include disable-passwdmgr.inc
diff --git a/etc/pzstd.profile b/etc/pzstd.profile
new file mode 100644
index 000000000..ce9af3286
--- /dev/null
+++ b/etc/pzstd.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for zstd
+# This file is overwritten after every install/update
+# Redirect
+include zstd.profile
diff --git a/etc/qemu-system-x86_64.profile b/etc/qemu-system-x86_64.profile
index 1399328d3..47b9d6a9a 100644
--- a/etc/qemu-system-x86_64.profile
+++ b/etc/qemu-system-x86_64.profile
@@ -1,4 +1,5 @@
 # Firejail profile for qemu-system-x86_64
+# Description: QEMU system emulator for x86_64
 # This file is overwritten after every install/update
 # Persistent local customizations
 include qemu-system-x86_64.local
diff --git a/etc/qgis.profile b/etc/qgis.profile
index 80a10efce..88ed0cd81 100644
--- a/etc/qgis.profile
+++ b/etc/qgis.profile
@@ -45,7 +45,7 @@ notv
 nou2f
 novideo
 # blacklisting of mbind system calls breaks old version
-seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,migrate_pages,mincore,move_pages,name_to_handle_at,ni_syscall,open_by_handle_at,remap_file_pages,request_key,set_mempolicy,syslog,umount,userfaultfd,vmsplice
+seccomp !mbind
 protocol unix,inet,inet6,netlink
 shell none
 tracelog
diff --git a/etc/qt-faststart.profile b/etc/qt-faststart.profile
index cf459472a..2cdff33a6 100644
--- a/etc/qt-faststart.profile
+++ b/etc/qt-faststart.profile
@@ -1,6 +1,7 @@
 # Firejail profile for qt-faststart
 # Description: FFmpeg-based media utility
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include qt-faststart.local
 # Persistent global definitions
diff --git a/etc/qupzilla.profile b/etc/qupzilla.profile
index 954b1a3b4..3f3270dd6 100644
--- a/etc/qupzilla.profile
+++ b/etc/qupzilla.profile
@@ -3,7 +3,8 @@
 # Persistent local customizations
 include qupzilla.local
 # Persistent global definitions
-include globals.local
+# added by included profile
+#include globals.local
 noblacklist ${HOME}/.cache/qupzilla
 noblacklist ${HOME}/.config/qupzilla
@@ -17,26 +18,10 @@ include disable-programs.inc
 mkdir ${HOME}/.cache/qupzilla
 mkdir ${HOME}/.config/qupzilla
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/qupzilla
 whitelist ${HOME}/.config/qupzilla
-include whitelist-common.inc
-include whitelist-var-common.inc
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-nou2f
-protocol unix,inet,inet6,netlink
-# blacklisting of chroot system calls breaks qupzilla
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
-# tracelog
-private-dev
-# private-etc alternatives,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,adobe,mime.types,mailcap,asound.conf,pulse,machine-id,ca-certificates,ssl,pki,crypto-policies
 # private-tmp - interferes with the opening of downloaded files
+# Redirect
+include falkon.profile
diff --git a/etc/qutebrowser.profile b/etc/qutebrowser.profile
index e556ecf1f..95c189458 100644
--- a/etc/qutebrowser.profile
+++ b/etc/qutebrowser.profile
@@ -9,8 +9,6 @@ include globals.local
 noblacklist ${HOME}/.cache/qutebrowser
 noblacklist ${HOME}/.config/qutebrowser
 noblacklist ${HOME}/.local/share/qutebrowser
-# with >=llvm-4 mesa drivers need llvm stuff
-noblacklist /usr/lib/llvm*
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
@@ -38,5 +36,5 @@ noroot
 notv
 protocol unix,inet,inet6,netlink
 # blacklisting of chroot system calls breaks qt webengine
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 # tracelog
diff --git a/etc/riot-desktop.profile b/etc/riot-desktop.profile
index e6af4c2cb..4372fabe1 100644
--- a/etc/riot-desktop.profile
+++ b/etc/riot-desktop.profile
@@ -7,8 +7,7 @@ include riot-desktop.local
 # added by included profile
 #include globals.local
-ignore seccomp
+seccomp !chroot
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mincore,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pivot_root,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
 # Redirect
 include riot-web.profile
diff --git a/etc/rnano.profile b/etc/rnano.profile
index 565c957e0..d9048982a 100644
--- a/etc/rnano.profile
+++ b/etc/rnano.profile
@@ -1,6 +1,7 @@
 # Firejail profile for rnano
 # Description: A restricted nano
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include rnano.local
 # Persistent global definitions
diff --git a/etc/rsync-download_only.profile b/etc/rsync-download_only.profile
new file mode 100644
index 000000000..bda3bca92
--- /dev/null
+++ b/etc/rsync-download_only.profile
@@ -0,0 +1,55 @@
+# Firejail profile for rsync
+# Description: a fast, versatile, remote (and local) file-copying tool
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include rsync.local
+# Persistent global definitions
+include globals.local
+# Warning: This profile is writte to use rsync as an client for downloading,
+# it is not writen to use rsync as an daemon (rsync --daemon) or to create backups.
+# Usage: firejail --profile=rsync-download_only rsync
+blacklist /tmp/.X11-unix
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+# Uncomment or add to rsync.local to enable extra hardening
+#whitelist ${DOWNLOADS}
+include whitelist-var-common.inc
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin rsync
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
+private-tmp
+memory-deny-write-execute
diff --git a/etc/scallion.profile b/etc/scallion.profile
index 232ec4346..dee9e1f40 100644
--- a/etc/scallion.profile
+++ b/etc/scallion.profile
@@ -7,7 +7,6 @@ include scallion.local
 include globals.local
 noblacklist ${PATH}/llvm*
-noblacklist /usr/lib/llvm*
 noblacklist ${PATH}/openssl
 noblacklist ${PATH}/openssl-1.0
 noblacklist ${DOCUMENTS}
diff --git a/etc/scp.profile b/etc/scp.profile
index ca902061c..287b8029a 100644
--- a/etc/scp.profile
+++ b/etc/scp.profile
@@ -1,6 +1,7 @@
 # Firejail profile for scp
 # Description: Secure shell copy
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include scp.local
 # Persistent global definitions
diff --git a/etc/seahorse-daemon.profile b/etc/seahorse-daemon.profile
index 7c0e59c74..6410da4d8 100644
--- a/etc/seahorse-daemon.profile
+++ b/etc/seahorse-daemon.profile
@@ -1,6 +1,7 @@
 # Firejail profile for seahorse-daemon
 # Description: PGP encryption and signing
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include seahorse-daemon.local
 # Persistent global definitions
diff --git a/etc/seahorse-tool.profile b/etc/seahorse-tool.profile
index 96f365a4b..4bf23c512 100644
--- a/etc/seahorse-tool.profile
+++ b/etc/seahorse-tool.profile
@@ -7,8 +7,6 @@ include seahorse-tool.local
 # added by included profile
 #include globals.local
-noblacklist ${DOWNLOADS}
 private-tmp
 memory-deny-write-execute
diff --git a/etc/seahorse.profile b/etc/seahorse.profile
index 0c824e95b..b9a0fd149 100644
--- a/etc/seahorse.profile
+++ b/etc/seahorse.profile
@@ -8,7 +8,6 @@ include globals.local
 blacklist /tmp/.X11-unix
-noblacklist ${HOME}/.config/dconf
 noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.ssh
 noblacklist /tmp/ssh-*
diff --git a/etc/sftp.profile b/etc/sftp.profile
index c980e1751..66dc2a57b 100644
--- a/etc/sftp.profile
+++ b/etc/sftp.profile
@@ -1,6 +1,7 @@
 # Firejail profile for sftp
 # Description: Secure file transport protocol
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include sftp.local
 # Persistent global definitions
diff --git a/etc/shotcut.profile b/etc/shotcut.profile
index e6c48561f..5b3c5439d 100644
--- a/etc/shotcut.profile
+++ b/etc/shotcut.profile
@@ -1,4 +1,5 @@
 # Firejail profile for shotcut
+# Description: A free, open source, cross-platform video editor
 # This file is overwritten after every install/update
 # Persistent local customizations
 include shotcut.local
diff --git a/etc/simple-scan.profile b/etc/simple-scan.profile
index 64441483d..a0c9e8303 100644
--- a/etc/simple-scan.profile
+++ b/etc/simple-scan.profile
@@ -27,7 +27,7 @@ notv
 # novideo
 protocol unix,inet,inet6,netlink
 # blacklisting of ioperm system calls breaks simple-scan
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@reboot,@resources,@swap,acct,add_key,bpf,chroot,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,iopl,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pciconfig_iobase,pciconfig_read,pciconfig_write,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,s390_mmio_read,s390_mmio_write,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !ioperm
 shell none
 tracelog
diff --git a/etc/simutrans.profile b/etc/simutrans.profile
index 7febcde46..c6f5f70b0 100644
--- a/etc/simutrans.profile
+++ b/etc/simutrans.profile
@@ -27,6 +27,7 @@ nonewprivs
 noroot
 notv
 nou2f
+novideo
 protocol unix
 seccomp
 shell none
diff --git a/etc/skanlite.profile b/etc/skanlite.profile
index c10be717b..6f9bfd201 100644
--- a/etc/skanlite.profile
+++ b/etc/skanlite.profile
@@ -27,7 +27,7 @@ notv
 # novideo
 protocol unix,inet,inet6,netlink
 # blacklisting of ioperm system calls breaks skanlite
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@reboot,@resources,@swap,acct,add_key,bpf,chroot,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,iopl,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pciconfig_iobase,pciconfig_read,pciconfig_write,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,s390_mmio_read,s390_mmio_write,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !ioperm
 shell none
 # private-bin kbuildsycoca4,kdeinit4,skanlite
diff --git a/etc/skypeforlinux.profile b/etc/skypeforlinux.profile
index eae7dada0..fe9ededa4 100644
--- a/etc/skypeforlinux.profile
+++ b/etc/skypeforlinux.profile
@@ -25,7 +25,7 @@ nonewprivs
 noroot
 notv
 protocol unix,inet,inet6,netlink
-seccomp
+seccomp !chroot
 shell none
 disable-mnt
diff --git a/etc/slack.profile b/etc/slack.profile
index 5c10ef0ba..8b5338fa7 100644
--- a/etc/slack.profile
+++ b/etc/slack.profile
@@ -20,7 +20,6 @@ include whitelist-common.inc
 include whitelist-var-common.inc
 caps.drop all
-name slack
 netfilter
 nodvd
 nogroups
@@ -35,5 +34,5 @@ shell none
 disable-mnt
 private-bin locale,slack
 private-dev
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.conf,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,debian_version,fedora-release,fonts,group,ld.so.cache,ld.so.conf,localtime,machine-id,os-release,passwd,pki,pulse,redhat-release,resolv.conf,ssl,system-release,system-release-cpe
 private-tmp
diff --git a/etc/sqlitebrowser.profile b/etc/sqlitebrowser.profile
index 9cba69a77..d423bb65c 100644
--- a/etc/sqlitebrowser.profile
+++ b/etc/sqlitebrowser.profile
@@ -42,4 +42,4 @@ private-dev
 private-etc alternatives,ca-certificates,crypto-policies,fonts,group,machine-id,passwd,pki,ssl
 private-tmp
-#memory-deny-write-execute - breaks on Arch
+#memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/ssh-agent.profile b/etc/ssh-agent.profile
index 15e2de9b0..9934e92b0 100644
--- a/etc/ssh-agent.profile
+++ b/etc/ssh-agent.profile
@@ -24,6 +24,7 @@ nodvd
 nonewprivs
 noroot
 notv
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
diff --git a/etc/ssh.profile b/etc/ssh.profile
index 7a9bb5abe..6949299af 100644
--- a/etc/ssh.profile
+++ b/etc/ssh.profile
@@ -30,6 +30,7 @@ nonewprivs
 nosound
 notv
 nou2f
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
diff --git a/etc/standardnotes-desktop.profile b/etc/standardnotes-desktop.profile
index 5703f932a..aa6902854 100644
--- a/etc/standardnotes-desktop.profile
+++ b/etc/standardnotes-desktop.profile
@@ -34,7 +34,7 @@ nosound
 notv
 nou2f
 protocol unix,inet,inet6,netlink
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mincore,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pivot_root,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 disable-mnt
 private-dev
diff --git a/etc/start-tor-browser.desktop.profile b/etc/start-tor-browser.desktop.profile
index 9c3175ad7..2f73c9fee 100644
--- a/etc/start-tor-browser.desktop.profile
+++ b/etc/start-tor-browser.desktop.profile
@@ -6,8 +6,7 @@ include start-tor-browser.desktop.local
 # added by included profile
 #include globals.local
-noblacklist ${HOME}/.tor-browser-*
+noblacklist ${HOME}/.tor-browser*
-noblacklist ${HOME}/.tor-browser_*
 whitelist ${HOME}/.tor-browser-ar
 whitelist ${HOME}/.tor-browser-ca
diff --git a/etc/start-tor-browser.profile b/etc/start-tor-browser.profile
index 1c2a2cd10..a8b5d109e 100644
--- a/etc/start-tor-browser.profile
+++ b/etc/start-tor-browser.profile
@@ -28,7 +28,7 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 shell none
 # tracelog may cause issues, see github issue #1930
 #tracelog
diff --git a/etc/steam.profile b/etc/steam.profile
index 569f281a0..654ea825e 100644
--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -19,8 +19,6 @@ noblacklist ${HOME}/.local/share/vulkan
 noblacklist ${HOME}/.steam
 noblacklist ${HOME}/.steampath
 noblacklist ${HOME}/.steampid
-# with >=llvm-4 mesa drivers need llvm stuff
-noblacklist /usr/lib/llvm*
 # needed for STEAM_RUNTIME_PREFER_HOST_LIBRARIES=1 to work
 noblacklist /sbin
 noblacklist /usr/sbin
diff --git a/etc/strings.profile b/etc/strings.profile
index 621e8e177..0817d7331 100644
--- a/etc/strings.profile
+++ b/etc/strings.profile
@@ -1,4 +1,5 @@
 # Firejail profile for strings
+# Description: print the strings of printable characters in files
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations
@@ -43,3 +44,4 @@ private-lib libfakeroot
 private-tmp
 memory-deny-write-execute
+read-only ${HOME}
diff --git a/etc/subdownloader.profile b/etc/subdownloader.profile
index d0176a657..6de408740 100644
--- a/etc/subdownloader.profile
+++ b/etc/subdownloader.profile
@@ -31,6 +31,7 @@ nonewprivs
 noroot
 notv
 nou2f
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
diff --git a/etc/supertux2.profile b/etc/supertux2.profile
index 287a078b3..4c64ee766 100644
--- a/etc/supertux2.profile
+++ b/etc/supertux2.profile
@@ -1,4 +1,5 @@
 # Firejail profile for supertux2
+# Description: Jump'n run like game
 # This file is overwritten after every install/update
 # Persistent local customizations
 include supertux2.local
@@ -27,6 +28,7 @@ nonewprivs
 noroot
 notv
 nou2f
+novideo
 protocol unix,netlink
 seccomp
 shell none
diff --git a/etc/supertuxkart.profile b/etc/supertuxkart.profile
index 2cd5ec3ad..8a48eeac8 100644
--- a/etc/supertuxkart.profile
+++ b/etc/supertuxkart.profile
@@ -47,7 +47,7 @@ disable-mnt
 private-bin supertuxkart
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,drirc,hosts,machine-id,openal,pki,resolv.conf,selinux,ssl,system-fips,xdg
+private-etc alternatives,ca-certificates,crypto-policies,drirc,hosts,machine-id,openal,pki,resolv.conf,ssl
 private-tmp
 private-opt none
 private-srv none
diff --git a/etc/tb-starter-wrapper.profile b/etc/tb-starter-wrapper.profile
index 8a7d45449..ffe9605b6 100644
--- a/etc/tb-starter-wrapper.profile
+++ b/etc/tb-starter-wrapper.profile
@@ -13,7 +13,7 @@ noblacklist ${HOME}/.tb
 mkdir ${HOME}/.tb
 whitelist ${HOME}/.tb
-x11 xorg
+private-bin tb-starter-wrapper
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/teamspeak3.profile b/etc/teamspeak3.profile
index 8d5917148..c1c666f58 100644
--- a/etc/teamspeak3.profile
+++ b/etc/teamspeak3.profile
@@ -33,7 +33,7 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6,netlink
-seccomp
+seccomp !chroot
 shell none
 disable-mnt
diff --git a/etc/templates/profile.template b/etc/templates/profile.template
index 2fc5c3ef1..0d67e222f 100644
--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -87,6 +87,9 @@ include globals.local
 # Allow lua (blacklisted by disable-interpreters.inc)
 #include allow-lua.inc
+# Allows files commonly used by IDEs
+#include allow-common-devel.inc
 #include disable-common.inc
 #include disable-devel.inc
 #include disable-exec.inc
diff --git a/etc/templates/syscalls.txt b/etc/templates/syscalls.txt
index 30ad6feea..bc45d9f9d 100644
--- a/etc/templates/syscalls.txt
+++ b/etc/templates/syscalls.txt
@@ -1,6 +1,9 @@
 Hints for writing seccomp.drop lines
 ====================================
+Definition of groups
+--------------------
 @clock=adjtimex,clock_adjtime,clock_settime,settimeofday,stime
 @module=delete_module,finit_module,init_module
 @raw-io=ioperm,iopl,pciconfig_iobase,pciconfig_read,pciconfig_write,s390_mmio_read,s390_mmio_write
@@ -20,6 +23,8 @@ Hints for writing seccomp.drop lines
 @default-keep=execve,prctl
+Inheritance of groups
+---------------------
 +---------+----------------+---------------+
 | @clock  | @cpu-emulation | @default-keep |
@@ -41,7 +46,28 @@ Hints for writing seccomp.drop lines
 | @default-nodebuggers |
 +----------------------+
+common used seccomp.drop lines
+------------------------------
 @default without chroot: @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pivot_root,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
 @default-nodebuggers without chroot: @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+Building a seccomp.drop line if seccomp breaks a programm
+---------------------------------------------------------
+```
+$ journalctl --grep=syscall --follow
+<...> audit[…]: SECCOMP <...> syscall=161 <...>
+$ firejail --debug-syscalls | grep 161
+161     - chroot
+```
+TODO: write a short explanation
+TODO: suggest to use `allow-debuggers` instead of `seccomp.drop` if possible
+see also
+--------
+ - contrib/syscalls.sh
+ - https://firejail.wordpress.com/documentation-2/seccomp-guide/
diff --git a/etc/tor-browser.profile b/etc/tor-browser.profile
new file mode 100644
index 000000000..0cd84abf5
--- /dev/null
+++ b/etc/tor-browser.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+noblacklist ${HOME}/.tor-browser
+mkdir ${HOME}/.tor-browser
+whitelist ${HOME}/.tor-browser
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/torbrowser-launcher.profile b/etc/torbrowser-launcher.profile
index 75bcb04b4..1183cd2f7 100644
--- a/etc/torbrowser-launcher.profile
+++ b/etc/torbrowser-launcher.profile
@@ -42,13 +42,13 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 shell none
 # tracelog may cause issues, see github issue #1930
 #tracelog
 disable-mnt
-private-bin bash,cat,cp,cut,dirname,env,expr,file,getconf,gpg,grep,gxmessage,id,kdialog,ln,mkdir,pwd,python*,readlink,realpath,rm,sed,sh,tail,tar,tclsh,test,tor-browser-en,torbrowser-launcher,update-desktop-database,xmessage,xz,zenity
+private-bin bash,cat,cp,cut,dirname,env,expr,file,gpg,grep,gxmessage,kdialog,ln,mkdir,mv,python*,rm,sed,sh,tail,tar,tclsh,test,tor-browser,tor-browser-en,torbrowser-launcher,update-desktop-database,xmessage,xz,zenity
 private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,machine-id,pki,pulse,resolv.conf,ssl
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,ld.so.cache,machine-id,pki,pulse,resolv.conf,ssl
 private-tmp
diff --git a/etc/transmission-cli.profile b/etc/transmission-cli.profile
index 60732bcf2..486be5fe6 100644
--- a/etc/transmission-cli.profile
+++ b/etc/transmission-cli.profile
@@ -7,37 +7,8 @@ include transmission-cli.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.cache/transmission
+private-bin transmission-cli
-noblacklist ${HOME}/.config/transmission
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-apparmor
-caps.drop all
-machine-id
-netfilter
-nodbus
-nodvd
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol inet,inet6
-seccomp
-shell none
-tracelog
-# private-bin transmission-cli
-private-dev
 private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
-private-lib
-private-tmp
-memory-deny-write-execute
+# Redirect
+include transmission-common.profile
diff --git a/etc/transmission-common.profile b/etc/transmission-common.profile
new file mode 100644
index 000000000..1b1fc4af7
--- /dev/null
+++ b/etc/transmission-common.profile
@@ -0,0 +1,46 @@
+# Firejail profile for transmission-common
+# Description: Fast, easy and free BitTorrent client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include transmission-common.local
+noblacklist ${HOME}/.cache/transmission
+noblacklist ${HOME}/.config/transmission
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+mkdir ${HOME}/.cache/transmission
+mkdir ${HOME}/.config/transmission
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.cache/transmission
+whitelist ${HOME}/.config/transmission
+include whitelist-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+machine-id
+netfilter
+nodbus
+nodvd
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+private-dev
+private-lib
+private-tmp
+memory-deny-write-execute
diff --git a/etc/transmission-create.profile b/etc/transmission-create.profile
index 9b84bc33a..8220b7887 100644
--- a/etc/transmission-create.profile
+++ b/etc/transmission-create.profile
@@ -1,11 +1,13 @@
 # Firejail profile for transmission-create
 # Description: CLI utility to create BitTorrent .torrent files
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include transmission-create.local
 # Persistent global definitions
-# added by included profile
+include globals.local
-#include globals.local
+private-bin transmission-create
 # Redirect
-include transmission-cli.profile
+include transmission-common.profile
diff --git a/etc/transmission-daemon.profile b/etc/transmission-daemon.profile
index 9a6052ada..f1e7fcb17 100644
--- a/etc/transmission-daemon.profile
+++ b/etc/transmission-daemon.profile
@@ -7,38 +7,16 @@ include transmission-daemon.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.cache/transmission
+whitelist /var/lib/transmission
-noblacklist ${HOME}/.config/transmission
-include disable-common.inc
+caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-apparmor
+private-bin transmission-daemon
-caps.drop all
-machine-id
-netfilter
-nodbus
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol inet,inet6
-seccomp
-shell none
-tracelog
-# private-bin transmission-daemon
-private-dev
 private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
-private-lib
-private-tmp
-memory-deny-write-execute
+read-write /var/lib/transmission
+writable-var-log
+writable-run-user
+# Redirect
+include transmission-common.profile
diff --git a/etc/transmission-edit.profile b/etc/transmission-edit.profile
index 07990aa15..df381b5cd 100644
--- a/etc/transmission-edit.profile
+++ b/etc/transmission-edit.profile
@@ -1,11 +1,13 @@
 # Firejail profile for transmission-edit
 # Description: CLI utility to modify BitTorrent .torrent files' announce URLs
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include transmission-edit.local
 # Persistent global definitions
-# added by included profile
+include globals.local
-#include globals.local
+private-bin transmission-edit
 # Redirect
-include transmission-cli.profile
+include transmission-common.profile
diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile
index 29df63573..01bdeb4ef 100644
--- a/etc/transmission-gtk.profile
+++ b/etc/transmission-gtk.profile
@@ -1,50 +1,15 @@
 # Firejail profile for transmission-gtk
 # Description: Fast, easy and free BitTorrent client (GTK GUI)
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include transmission-gtk.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.cache/transmission
-noblacklist ${HOME}/.config/transmission
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-mkdir ${HOME}/.cache/transmission
-mkdir ${HOME}/.config/transmission
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.cache/transmission
-whitelist ${HOME}/.config/transmission
-include whitelist-common.inc
-include whitelist-var-common.inc
-apparmor
-caps.drop all
-machine-id
-netfilter
-nodbus
-nodvd
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-tracelog
 private-bin transmission-gtk
-private-dev
-private-lib
-private-tmp
-# Causes freeze during opening file dialog in Archlinux, see issue #1855
+ignore memory-deny-write-execute
-# memory-deny-write-execute
+# Redirect
+include transmission-common.profile
diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile
index 9fda5245f..94f3c3a20 100644
--- a/etc/transmission-qt.profile
+++ b/etc/transmission-qt.profile
@@ -1,49 +1,18 @@
 # Firejail profile for transmission-qt
 # Description: Fast, easy and free BitTorrent client (Qt GUI)
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include transmission-qt.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.cache/transmission
+private-bin transmission-qt
-noblacklist ${HOME}/.config/transmission
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-mkdir ${HOME}/.cache/transmission
-mkdir ${HOME}/.config/transmission
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.cache/transmission
-whitelist ${HOME}/.config/transmission
-include whitelist-common.inc
-include whitelist-var-common.inc
-apparmor
+# private-lib - breaks on Arch
-caps.drop all
+ignore private-lib
-machine-id
-netfilter
-nodbus
-nodvd
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-tracelog
-private-bin transmission-qt
+ignore memory-deny-write-execute
-private-dev
-# private-lib - problems on Arch
-private-tmp
-# memory-deny-write-execute - problems on Qt 5.10.0, KDE Frameworks 5.41.0
+# Redirect
+include transmission-common.profile
diff --git a/etc/transmission-remote-cli.profile b/etc/transmission-remote-cli.profile
index 98b875fc5..8b3a966c1 100644
--- a/etc/transmission-remote-cli.profile
+++ b/etc/transmission-remote-cli.profile
@@ -1,25 +1,17 @@
 # Firejail profile for transmission-remote-cli
 # Description: A remote control utility for transmission-daemon (CLI)
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include transmission-remote-cli.local
 # Persistent global definitions
-# added by included profile
+include globals.local
-#include globals.local
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
 include allow-python3.inc
-mkdir ${HOME}/.cache/transmission
+private-bin python*,transmission-remote-cli
-mkdir ${HOME}/.config/transmission
-whitelist ${HOME}/.cache/transmission
-whitelist ${HOME}/.config/transmission
-include whitelist-common.inc
-include whitelist-var-common.inc
-# private-bin python*
-private-etc fonts
 # Redirect
-include transmission-remote.profile
+include transmission-common.profile
diff --git a/etc/transmission-remote-gtk.profile b/etc/transmission-remote-gtk.profile
index b7173def5..a6400e2c0 100644
--- a/etc/transmission-remote-gtk.profile
+++ b/etc/transmission-remote-gtk.profile
@@ -1,20 +1,22 @@
 # Firejail profile for transmission-remote-gtk
 # Description: A remote control utility for transmission-daemon (GTK GUI)
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include transmission-remote-gtk.local
 # Persistent global definitions
-# added by included profile
+include globals.local
-#include globals.local
-mkdir ${HOME}/.cache/transmission
+noblacklist ${HOME}/.config/transmission-remote-gtk
-mkdir ${HOME}/.config/transmission
-whitelist ${HOME}/.cache/transmission
-whitelist ${HOME}/.config/transmission
-include whitelist-common.inc
-include whitelist-var-common.inc
-private-etc fonts
+mkdir ${HOME}/.config/transmission-remote-gtk
+whitelist ${HOME}/.config/transmission-remote-gtk
+private-etc fonts,hostname,hosts,resolv.conf
+# Problems with private-lib (see issue #2889)
+ignore private-lib
+ignore memory-deny-write-execute
 # Redirect
-include transmission-remote.profile
+include transmission-common.profile
diff --git a/etc/transmission-remote.profile b/etc/transmission-remote.profile
index ddeb9adf9..fee4999e6 100644
--- a/etc/transmission-remote.profile
+++ b/etc/transmission-remote.profile
@@ -7,37 +7,8 @@ include transmission-remote.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.cache/transmission
+private-bin transmission-remote
-noblacklist ${HOME}/.config/transmission
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-apparmor
-caps.drop all
-machine-id
-netfilter
-nodbus
-nodvd
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol inet,inet6
-seccomp
-shell none
-tracelog
-# private-bin transmission-remote
-private-dev
 private-etc alternatives,hosts,nsswitch.conf
-private-lib
-private-tmp
-memory-deny-write-execute
+# Redirect
+include transmission-common.profile
diff --git a/etc/transmission-show.profile b/etc/transmission-show.profile
index 779606f04..5a3c83f58 100644
--- a/etc/transmission-show.profile
+++ b/etc/transmission-show.profile
@@ -1,41 +1,14 @@
 # Firejail profile for transmission-show
 # Description: CLI utility to show BitTorrent .torrent file metadata
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include transmission-show.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.cache/transmission
+private-bin transmission-show
-noblacklist ${HOME}/.config/transmission
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-apparmor
-caps.drop all
-machine-id
-netfilter
-nodbus
-nodvd
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol inet,inet6
-seccomp
-shell none
-tracelog
-private-dev
 private-etc alternatives,hosts,nsswitch.conf
-private-lib
-private-tmp
-memory-deny-write-execute
+# Redirect
+include transmission-common.profile
diff --git a/etc/unknown-horizons.profile b/etc/unknown-horizons.profile
index b62d3111d..7223ea2e1 100644
--- a/etc/unknown-horizons.profile
+++ b/etc/unknown-horizons.profile
@@ -23,6 +23,7 @@ nonewprivs
 noroot
 notv
 nou2f
+novideo
 protocol unix,inet,inet6,netlink
 seccomp
 shell none
diff --git a/etc/unzstd.profile b/etc/unzstd.profile
new file mode 100644
index 000000000..ce9af3286
--- /dev/null
+++ b/etc/unzstd.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for zstd
+# This file is overwritten after every install/update
+# Redirect
+include zstd.profile
diff --git a/etc/vim.profile b/etc/vim.profile
index 49abb0d44..d27a9a633 100644
--- a/etc/vim.profile
+++ b/etc/vim.profile
@@ -6,14 +6,13 @@ include vim.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.python-history
-noblacklist ${HOME}/.python_history
-noblacklist ${HOME}/.pythonhist
-noblacklist ${HOME}/.pythonrc.py
 noblacklist ${HOME}/.vim
 noblacklist ${HOME}/.viminfo
 noblacklist ${HOME}/.vimrc
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
 include disable-common.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
diff --git a/etc/virtualbox.profile b/etc/virtualbox.profile
index 45f9949f3..c0dbc9116 100644
--- a/etc/virtualbox.profile
+++ b/etc/virtualbox.profile
@@ -26,7 +26,7 @@ whitelist ${DOWNLOADS}
 include whitelist-common.inc
 include whitelist-var-common.inc
-caps.drop all
+caps.keep net_raw,sys_admin,sys_nice
 netfilter
 nodvd
 notv
diff --git a/etc/warzone2100.profile b/etc/warzone2100.profile
index 85cbc5e43..e65e0a0c3 100644
--- a/etc/warzone2100.profile
+++ b/etc/warzone2100.profile
@@ -30,6 +30,7 @@ nonewprivs
 noroot
 notv
 nou2f
+novideo
 protocol unix,inet,inet6,netlink
 seccomp
 shell none
diff --git a/etc/webstorm.profile b/etc/webstorm.profile
index e820bae00..fc4e8e571 100644
--- a/etc/webstorm.profile
+++ b/etc/webstorm.profile
@@ -7,14 +7,13 @@ include globals.local
 noblacklist ${HOME}/.WebStorm*
 noblacklist ${HOME}/.android
-noblacklist ${HOME}/.config/git
-noblacklist ${HOME}/.gitconfig
-noblacklist ${HOME}/.git-credentials
-noblacklist ${HOME}/.gradle
 noblacklist ${HOME}/.local/share/JetBrains
 noblacklist ${HOME}/.ssh
 noblacklist ${HOME}/.tooling
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
 noblacklist ${PATH}/node
 noblacklist ${HOME}/.nvm
diff --git a/etc/wesnoth.profile b/etc/wesnoth.profile
index a67d3a1b8..934edfce9 100644
--- a/etc/wesnoth.profile
+++ b/etc/wesnoth.profile
@@ -30,6 +30,7 @@ nonewprivs
 noroot
 notv
 nou2f
+novideo
 protocol unix,inet,inet6
 seccomp
diff --git a/etc/whalebird.profile b/etc/whalebird.profile
new file mode 100644
index 000000000..26932b6b3
--- /dev/null
+++ b/etc/whalebird.profile
@@ -0,0 +1,45 @@
+# Firejail profile for whalebird
+# Description: Electron-based Mastodon/Pleroma client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include whalebird.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/Whalebird
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.config/Whalebird
+whitelist ${HOME}/.config/Whalebird
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+disable-mnt
+private-bin whalebird
+private-cache
+private-dev
+private-etc fonts,machine-id
+private-tmp
diff --git a/etc/whois.profile b/etc/whois.profile
index f101ee637..859542533 100644
--- a/etc/whois.profile
+++ b/etc/whois.profile
@@ -1,7 +1,7 @@
 # Firejail profile for whois
 # Description: Intelligent WHOIS client
-quiet
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include whois.local
 # Persistent global definitions
diff --git a/etc/wine.profile b/etc/wine.profile
index 34c695cf1..192c375cd 100644
--- a/etc/wine.profile
+++ b/etc/wine.profile
@@ -11,8 +11,6 @@ noblacklist ${HOME}/.local/share/Steam
 noblacklist ${HOME}/.local/share/steam
 noblacklist ${HOME}/.steam
 noblacklist ${HOME}/.wine
-# with >=llvm-4 mesa drivers need llvm stuff
-noblacklist /usr/lib/llvm*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/xed.profile b/etc/xed.profile
index a02f1ef51..a67230e51 100644
--- a/etc/xed.profile
+++ b/etc/xed.profile
@@ -9,7 +9,6 @@ noblacklist ${HOME}/.config/xed
 noblacklist ${HOME}/.python-history
 noblacklist ${HOME}/.python_history
 noblacklist ${HOME}/.pythonhist
-noblacklist ${HOME}/.pythonrc.py
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/xmr-stak.profile b/etc/xmr-stak.profile
index 3fbdf66ab..c6ba9bd9d 100644
--- a/etc/xmr-stak.profile
+++ b/etc/xmr-stak.profile
@@ -6,7 +6,6 @@ include xmr-stak.local
 include globals.local
 noblacklist ${HOME}/.xmr-stak
-noblacklist /usr/lib/llvm*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/xpra.profile b/etc/xpra.profile
index 6f66b9300..1033a7471 100644
--- a/etc/xpra.profile
+++ b/etc/xpra.profile
@@ -1,6 +1,7 @@
 # Firejail profile for xpra
 # Description: Tool to detach/reattach running X programs
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include xpra.local
 # Persistent global definitions
diff --git a/etc/youtube-dl.profile b/etc/youtube-dl.profile
index 6fc519bee..d87d29ee8 100644
--- a/etc/youtube-dl.profile
+++ b/etc/youtube-dl.profile
@@ -19,6 +19,8 @@ noblacklist ${VIDEOS}
 include allow-python2.inc
 include allow-python3.inc
+blacklist /tmp/.X11-unix
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/zathura.profile b/etc/zathura.profile
index 922284353..db03076be 100644
--- a/etc/zathura.profile
+++ b/etc/zathura.profile
@@ -28,6 +28,7 @@ noroot
 nosound
 notv
 nou2f
+novideo
 protocol unix
 seccomp
 shell none
diff --git a/etc/zpaq.profile b/etc/zpaq.profile
index 6bf3605eb..80329ecfd 100644
--- a/etc/zpaq.profile
+++ b/etc/zpaq.profile
@@ -1,6 +1,7 @@
 # Firejail profile for zpaq
 # Description: Programmable file compressor, library and utilities. Based on the PAQ compression algorithm.
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include zpaq.local
 # Persistent global definitions
diff --git a/etc/zstd.profile b/etc/zstd.profile
new file mode 100644
index 000000000..ea7bbfb0d
--- /dev/null
+++ b/etc/zstd.profile
@@ -0,0 +1,42 @@
+# Firejail profile for zstd
+# Description: Zstandard - Fast real-time compression algorithm
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include zstd.local
+# Persistent global definitions
+include globals.local
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+apparmor
+caps.drop all
+hostname zstd
+ipc-namespace
+machine-id
+net none
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+#noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+private-cache
+private-dev
+memory-deny-write-execute
diff --git a/etc/zstdcat.profile b/etc/zstdcat.profile
new file mode 100644
index 000000000..ce9af3286
--- /dev/null
+++ b/etc/zstdcat.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for zstd
+# This file is overwritten after every install/update
+# Redirect
+include zstd.profile
diff --git a/etc/zstdgrep.profile b/etc/zstdgrep.profile
new file mode 100644
index 000000000..ce9af3286
--- /dev/null
+++ b/etc/zstdgrep.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for zstd
+# This file is overwritten after every install/update
+# Redirect
+include zstd.profile
diff --git a/etc/zstdless.profile b/etc/zstdless.profile
new file mode 100644
index 000000000..ce9af3286
--- /dev/null
+++ b/etc/zstdless.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for zstd
+# This file is overwritten after every install/update
+# Redirect
+include zstd.profile
diff --git a/etc/zstdmt.profile b/etc/zstdmt.profile
new file mode 100644
index 000000000..ce9af3286
--- /dev/null
+++ b/etc/zstdmt.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for zstd
+# This file is overwritten after every install/update
+# Redirect
+include zstd.profile
diff --git a/etc/zulip.profile b/etc/zulip.profile
new file mode 100644
index 000000000..999c2f77a
--- /dev/null
+++ b/etc/zulip.profile
@@ -0,0 +1,47 @@
+# Firejail profile for zulip
+# Description: Real-time team chat based on the email threading model
+# This file is overwritten after every install/update
+# Persistent local customizations
+include zulip.local
+# Persistent global definitions
+include globals.local
+ignore noexec /tmp
+noblacklist ${HOME}/.config/Zulip
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.config/Zulip
+whitelist ${HOME}/.config/Zulip
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+disable-mnt
+private-bin locale,zulip
+private-cache
+private-dev
+private-etc asound.conf,fonts,machine-id
+private-tmp
diff --git a/platform/rpm/mkrpm.sh b/platform/rpm/mkrpm.sh
index b63340e43..351b92beb 100755
--- a/platform/rpm/mkrpm.sh
+++ b/platform/rpm/mkrpm.sh
@@ -33,7 +33,7 @@ sed -e "s/__NAME__/${name}/g" -e "s/__VERSION__/${version}/g" platform/rpm/${nam
 # FIXME: We could parse RELNOTES and create a %changelog section here
 # Copy the source to build into a tarball
-tar czf ${tmpdir}/SOURCES/${name}-${version}.tar.gz . --transform "s/^./${name}-${version}/" --exclude='./.git*' --exclude='./test*'
+tar --exclude='./.git*' --exclude='./test' --transform "s/^./${name}-${version}/" -czf ${tmpdir}/SOURCES/${name}-${version}.tar.gz .
 # Build the files (rpm, debug rpm and source rpm)
 rpmbuild --quiet --define "_topdir ${tmpdir}" -ba ${tmp_spec_file}
diff --git a/src/fcopy/main.c b/src/fcopy/main.c
index 3f507a361..a08cc66b3 100644
--- a/src/fcopy/main.c
+++ b/src/fcopy/main.c
@@ -28,11 +28,10 @@ int arg_quiet = 0;
 int arg_debug = 0;
 static int arg_follow_link = 0;
-static int copy_limit = 500 * 1024 *1024; // 500 MB
+static unsigned long long copy_limit = 500 * 1024 * 1024; // 500 MB
-#define COPY_LIMIT (
+static unsigned long long size_cnt = 0;
 static int size_limit_reached = 0;
 static unsigned file_cnt = 0;
-static unsigned size_cnt = 0;
 static char *outpath = NULL;
 static char *inpath = NULL;
@@ -187,7 +186,7 @@ static int fs_copydir(const char *infname, const struct stat *st, int ftype, str
        // recalculate size
        if ((s.st_size + size_cnt) > copy_limit) {
-                fprintf(stderr, "Error fcopy: size limit of %dMB reached\n", (copy_limit / 1024) / 1024);
+                fprintf(stderr, "Error fcopy: size limit of %lluMB reached\n", (copy_limit / 1024) / 1024);
                size_limit_reached = 1;
                free(outfname);
                return 0;
@@ -392,9 +391,9 @@ int main(int argc, char **argv) {
        // extract copy limit size from env variable, if any
        char *cl = getenv("FIREJAIL_FILE_COPY_LIMIT");
        if (cl) {
-                copy_limit = atoi(cl) * 1024 * 1024;
+                copy_limit = strtoul(cl, NULL, 10) * 1024 * 1024;
                if (arg_debug)
-                        printf("file copy limit %d bytes\n", copy_limit);
+                        printf("file copy limit %llu bytes\n", copy_limit);
        }
        // copy files
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 9645215ef..6b2a92ad5 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -81,6 +81,7 @@ brasero
 brave
 brave-browser
 bunzip2
+bzcat
 bzflag
 bzip2
 calibre
@@ -277,6 +278,7 @@ hedgewars
 hexchat
 highlight
 hugin
+i2prouter
 icecat
 icedove
 iceweasel
@@ -313,6 +315,7 @@ kid3
 kid3-cli
 kid3-qt
 kino
+kiwix-desktop
 klatexformula
 klatexformula_cmdl
 klavaro
@@ -476,6 +479,7 @@ psi-plus
 pybitmessage
 # pycharm-community - FB note: may enable later
 # pycharm-professional
+pzstd
 qbittorrent
 qemu-launcher
 qgis
@@ -561,6 +565,7 @@ thunderbird
 thunderbird-beta
 thunderbird-wayland
 tilp
+tor-browser
 tor-browser-ar
 tor-browser-ca
 tor-browser-cs
@@ -616,6 +621,7 @@ uefitool
 uget-gtk
 unbound
 unknown-horizons
+unzstd
 utox
 uudeview
 uzbl-browser
@@ -640,6 +646,7 @@ weechat
 weechat-curses
 wesnoth
 wget
+whalebird
 whois
 widelands
 wine
@@ -679,3 +686,9 @@ zathura
 zeal
 zoom
 zpaq
+zstd
+zstdcat
+zstdgrep
+zstdless
+zstdmt
+zulip
diff --git a/src/firecfg/main.c b/src/firecfg/main.c
index ff66dea08..3f5921322 100644
--- a/src/firecfg/main.c
+++ b/src/firecfg/main.c
@@ -284,9 +284,9 @@ static void set_links_homedir(const char *homedir) {
 }
 static char *get_user(void) {
-        char *user = getlogin();
+        char *user = getenv("SUDO_USER");
        if (!user) {
-                user = getenv("SUDO_USER");
+                user = getpwuid(getuid())->pw_name;
                if (!user) {
                        fprintf(stderr, "Error: cannot detect login user\n");
                        exit(1);
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 84054fe76..f94b95d60 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -50,7 +50,6 @@ int checkcfg(int val) {
                cfg_val[CFG_DISABLE_MNT] = 0;
                cfg_val[CFG_ARP_PROBES] = DEFAULT_ARP_PROBES;
                cfg_val[CFG_XPRA_ATTACH] = 0;
-                cfg_val[CFG_HOMEDIR_SYMLINK] = 0;
                // open configuration file
                const char *fname = SYSCONFDIR "/firejail.config";
@@ -86,7 +85,6 @@ int checkcfg(int val) {
                        ptr = line_remove_spaces(buf);
                        if (!ptr)
                                continue;
-                        PARSE_YESNO(CFG_HOMEDIR_SYMLINK, "homedir-symlink")
                        PARSE_YESNO(CFG_FILE_TRANSFER, "file-transfer")
                        PARSE_YESNO(CFG_DBUS, "dbus")
                        PARSE_YESNO(CFG_JOIN, "join")
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index d547f9840..14cad4190 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -722,7 +722,6 @@ enum {
        CFG_PRIVATE_CACHE,
        CFG_CGROUP,
        CFG_NAME_CHANGE,
-        CFG_HOMEDIR_SYMLINK,
        // CFG_FILE_COPY_LIMIT - file copy limit handled using setenv/getenv
        CFG_MAX // this should always be the last entry
 };
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
index 86e6b0949..25c167af1 100644
--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -110,17 +110,12 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
 }
 static int store_xauthority(void) {
+        if (arg_x11_block)
+                return 0;
        // put a copy of .Xauthority in XAUTHORITY_FILE
-        char *src;
        char *dest = RUN_XAUTHORITY_FILE;
-        // create an empty file as root, and change ownership to user
+        char *src;
-        FILE *fp = fopen(dest, "w");
-        if (fp) {
-                fprintf(fp, "\n");
-                SET_PERMS_STREAM(fp, getuid(), getgid(), 0600);
-                fclose(fp);
-        }
        if (asprintf(&src, "%s/.Xauthority", cfg.homedir) == -1)
                errExit("asprintf");
@@ -128,29 +123,37 @@ static int store_xauthority(void) {
        if (stat(src, &s) == 0) {
                if (is_link(src)) {
                        fwarning("invalid .Xauthority file\n");
+                        free(src);
                        return 0;
                }
+                // create an empty file as root, and change ownership to user
+                FILE *fp = fopen(dest, "w");
+                if (fp) {
+                        fprintf(fp, "\n");
+                        SET_PERMS_STREAM(fp, getuid(), getgid(), 0600);
+                        fclose(fp);
+                }
+                else
+                        errExit("fopen");
                copy_file_as_user(src, dest, getuid(), getgid(), 0600); // regular user
                fs_logger2("clone", dest);
+                free(src);
                return 1; // file copied
        }
+        free(src);
        return 0;
 }
 static int store_asoundrc(void) {
-        // put a copy of .Xauthority in XAUTHORITY_FILE
+        if (arg_nosound)
-        char *src;
+                return 0;
-        char *dest = RUN_ASOUNDRC_FILE;
-        // create an empty file as root, and change ownership to user
-        FILE *fp = fopen(dest, "w");
-        if (fp) {
-                fprintf(fp, "\n");
-                SET_PERMS_STREAM(fp, getuid(), getgid(), 0644);
-                fclose(fp);
-        }
+        // put a copy of .asoundrc in ASOUNDRC_FILE
+        char *dest = RUN_ASOUNDRC_FILE;
+        char *src;
        if (asprintf(&src, "%s/.asoundrc", cfg.homedir) == -1)
                errExit("asprintf");
@@ -164,18 +167,30 @@ static int store_asoundrc(void) {
                                fprintf(stderr, "Error: Cannot access %s\n", src);
                                exit(1);
                        }
-                        if (strncmp(rp, cfg.homedir, strlen(cfg.homedir)) != 0) {
+                        if (strncmp(rp, cfg.homedir, strlen(cfg.homedir)) != 0 || rp[strlen(cfg.homedir)] != '/') {
                                fprintf(stderr, "Error: .asoundrc is a symbolic link pointing to a file outside home directory\n");
                                exit(1);
                        }
                        free(rp);
                }
+                // create an empty file as root, and change ownership to user
+                FILE *fp = fopen(dest, "w");
+                if (fp) {
+                        fprintf(fp, "\n");
+                        SET_PERMS_STREAM(fp, getuid(), getgid(), 0644);
+                        fclose(fp);
+                }
+                else
+                        errExit("fopen");
                copy_file_as_user(src, dest, getuid(), getgid(), 0644); // regular user
                fs_logger2("clone", dest);
+                free(src);
                return 1; // file copied
        }
+        free(src);
        return 0;
 }
@@ -194,13 +209,14 @@ static void copy_xauthority(void) {
        copy_file_as_user(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR); // regular user
        fs_logger2("clone", dest);
+        free(dest);
        // delete the temporary file
        unlink(src);
 }
 static void copy_asoundrc(void) {
-        // copy XAUTHORITY_FILE in the new home directory
+        // copy ASOUNDRC_FILE in the new home directory
        char *src = RUN_ASOUNDRC_FILE ;
        char *dest;
        if (asprintf(&dest, "%s/.asoundrc", cfg.homedir) == -1)
@@ -214,6 +230,7 @@ static void copy_asoundrc(void) {
        copy_file_as_user(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR); // regular user
        fs_logger2("clone", dest);
+        free(dest);
        // delete the temporary file
        unlink(src);
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c
index 122c100f8..fa93751cc 100644
--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -743,9 +743,9 @@ void fs_whitelist(void) {
                                        errExit("asprintf");
                                if (strcmp(env, pamtmpdir) == 0) {
                                        // create empty user-owned /tmp/user/$uid directory
-                                        mkdir_attr("/tmp/user", 0755, 0, 0);
+                                        mkdir_attr("/tmp/user", 0711, 0, 0);
                                        fs_logger("mkdir /tmp/user");
-                                        mkdir_attr(pamtmpdir, 0700, getuid(), getgid());
+                                        mkdir_attr(pamtmpdir, 0700, getuid(), 0);
                                        fs_logger2("mkdir", pamtmpdir);
                                }
                                free(pamtmpdir);
diff --git a/src/firejail/main.c b/src/firejail/main.c
index f5785ff50..9f44c6281 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -259,25 +259,17 @@ static int has_link(const char *dir) {
        return 0;
 }
-static void build_cfg_homedir(const char *dir) {
+static void check_homedir(void) {
-        EUID_ASSERT();
+        assert(cfg.homedir);
-        assert(dir);
+        if (cfg.homedir[0] != '/' || cfg.homedir[1] == '\0') { // system users sometimes have root directory as home
-        if (dir[0] != '/' || dir[1] == '\0') { // system users sometimes have root directory as home
+                fprintf(stderr, "Error: invalid user directory \"%s\"\n", cfg.homedir);
-                fprintf(stderr, "Error: invalid user directory \"%s\"\n", dir);
                exit(1);
        }
-        // symlinks are rejected in many places, offer a solution for home directories
+        // symlinks are rejected in many places
-        if (checkcfg(CFG_HOMEDIR_SYMLINK)) {
+        if (has_link(cfg.homedir)) {
-                cfg.homedir = realpath(dir, NULL);
+                fprintf(stderr, "No full support for symbolic links in path of user directory.\n"
-                if (cfg.homedir)
+                        "Please provide resolved path in password database (/etc/passwd).\n\n");
-                        return;
        }
-        else if (has_link(dir)) {
-                fwarning("no full support for symbolic links in path of user directory.\n"
-                        "Please provide resolved path in password database (/etc/passwd)\n"
-                        "or enable symbolic link resolution in Firejail configuration file.\n\n");
-        }
-        cfg.homedir = clean_pathname(dir);
 }
 // init configuration
@@ -323,8 +315,8 @@ static void init_cfg(int argc, char **argv) {
                fprintf(stderr, "Error: user %s doesn't have a user directory assigned\n", cfg.username);
                exit(1);
        }
-        build_cfg_homedir(pw->pw_dir);
+        cfg.homedir = clean_pathname(pw->pw_dir);
-        assert(cfg.homedir);
+        check_homedir();
        // initialize random number generator
        sandbox_pid = getpid();
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index 81ab18aa1..609ebb7be 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -48,10 +48,11 @@ char *seccomp_check_list(const char *str) {
        const char *ptr1 = str;
        char *ptr2 = rv;
        while (*ptr1 != '\0') {
-                if (isalnum(*ptr1) || *ptr1 == '_' || *ptr1 == ',' || *ptr1 == ':' || *ptr1 == '@' || *ptr1 == '-')
+        if (isalnum(*ptr1) || *ptr1 == '_' || *ptr1 == ',' || *ptr1 == ':'
+                                   || *ptr1 == '@' || *ptr1 == '-' || *ptr1 == '$' || *ptr1 == '!')
                        *ptr2++ = *ptr1++;
                else {
-                        fprintf(stderr, "Error: invalid syscall list\n");
+                        fprintf(stderr, "Error: invalid syscall list entry %s\n", str);
                        exit(1);
                }
        }
diff --git a/src/fseccomp/fseccomp.h b/src/fseccomp/fseccomp.h
index 593963e76..e1579d098 100644
--- a/src/fseccomp/fseccomp.h
+++ b/src/fseccomp/fseccomp.h
@@ -52,7 +52,9 @@ void seccomp_secondary_block(const char *fname);
 void write_to_file(int fd, const void *data, int size);
 void filter_init(int fd);
 void filter_add_whitelist(int fd, int syscall, int arg, void *ptrarg);
+void filter_add_whitelist_for_excluded(int fd, int syscall, int arg, void *ptrarg);
 void filter_add_blacklist(int fd, int syscall, int arg, void *ptrarg);
+void filter_add_blacklist_for_excluded(int fd, int syscall, int arg, void *ptrarg);
 void filter_add_errno(int fd, int syscall, int arg, void *ptrarg);
 void filter_end_blacklist(int fd);
 void filter_end_whitelist(int fd);
diff --git a/src/fseccomp/seccomp.c b/src/fseccomp/seccomp.c
index 2a719725e..95c20d388 100644
--- a/src/fseccomp/seccomp.c
+++ b/src/fseccomp/seccomp.c
@@ -80,6 +80,10 @@ void seccomp_drop(const char *fname1, const char *fname2, char *list, int allow_
        // build pre-exec filter: don't blacklist any syscalls in @default-keep
        filter_init(fd);
+        // allow exceptions in form of !syscall
+        syscall_check_list(list, filter_add_whitelist_for_excluded, fd, 0, NULL);
        char *prelist, *postlist;
        syscalls_in_list(list, "@default-keep", fd, &prelist, &postlist);
        if (prelist)
@@ -128,6 +132,10 @@ void seccomp_default_drop(const char *fname1, const char *fname2, char *list, in
        // build pre-exec filter: blacklist @default, don't blacklist
        // any listed syscalls in @default-keep
        filter_init(fd);
+        // allow exceptions in form of !syscall
+        syscall_check_list(list, filter_add_whitelist_for_excluded, fd, 0, NULL);
        add_default_list(fd, allow_debuggers);
        char *prelist, *postlist;
        syscalls_in_list(list, "@default-keep", fd, &prelist, &postlist);
@@ -175,6 +183,10 @@ void seccomp_keep(const char *fname1, const char *fname2, char *list) {
        // build pre-exec filter: whitelist also @default-keep
        filter_init(fd);
+        // allow exceptions in form of !syscall
+        syscall_check_list(list, filter_add_blacklist_for_excluded, fd, 0, NULL);
        // these syscalls are used by firejail after the seccomp filter is initialized
        int r;
        r = syscall_check_list("@default-keep", filter_add_whitelist, fd, 0, NULL);
diff --git a/src/fseccomp/seccomp_file.c b/src/fseccomp/seccomp_file.c
index 2e1f317ed..266ef0c55 100644
--- a/src/fseccomp/seccomp_file.c
+++ b/src/fseccomp/seccomp_file.c
@@ -60,26 +60,58 @@ void filter_init(int fd) {
        write_to_file(fd, filter, sizeof(filter));
 }
-void filter_add_whitelist(int fd, int syscall, int arg, void *ptrarg) {
+static void write_whitelist(int fd, int syscall) {
-        (void) arg;
-        (void) ptrarg;
        struct sock_filter filter[] = {
                WHITELIST(syscall)
        };
        write_to_file(fd, filter, sizeof(filter));
 }
-void filter_add_blacklist(int fd, int syscall, int arg, void *ptrarg) {
+static void write_blacklist(int fd, int syscall) {
-        (void) arg;
-        (void) ptrarg;
        struct sock_filter filter[] = {
                BLACKLIST(syscall)
        };
        write_to_file(fd, filter, sizeof(filter));
 }
+void filter_add_whitelist(int fd, int syscall, int arg, void *ptrarg) {
+        (void) arg;
+        (void) ptrarg;
+        if (syscall >= 0) {
+                write_whitelist(fd, syscall);
+        }
+}
+// handle seccomp list exceptions (seccomp x,y,!z)
+void filter_add_whitelist_for_excluded(int fd, int syscall, int arg, void *ptrarg) {
+        (void) arg;
+        (void) ptrarg;
+        if (syscall < 0) {
+                write_whitelist(fd, -syscall);
+        }
+}
+void filter_add_blacklist(int fd, int syscall, int arg, void *ptrarg) {
+        (void) arg;
+        (void) ptrarg;
+        if (syscall >= 0) {
+                write_blacklist(fd, syscall);
+        }
+}
+// handle seccomp list exceptions (seccomp x,y,!z)
+void filter_add_blacklist_for_excluded(int fd, int syscall, int arg, void *ptrarg) {
+        (void) arg;
+        (void) ptrarg;
+        if (syscall < 0) {
+                write_blacklist(fd, -syscall);
+        }
+}
 void filter_add_errno(int fd, int syscall, int arg, void *ptrarg) {
        (void) ptrarg;
        struct sock_filter filter[] = {
diff --git a/src/fseccomp/syscall.c b/src/fseccomp/syscall.c
index 3b698d2dd..1683d3140 100644
--- a/src/fseccomp/syscall.c
+++ b/src/fseccomp/syscall.c
@@ -50,6 +50,99 @@ static const SyscallEntry syslist[] = {
 }; // end of syslist
 static const SyscallGroupList sysgroups[] = {
+        { .name = "@aio", .list =
+#ifdef SYS_io_cancel
+          "io_cancel,"
+#endif
+#ifdef SYS_io_destroy
+          "io_destroy,"
+#endif
+#ifdef SYS_io_getevents
+          "io_getevents,"
+#endif
+#ifdef SYS_io_pgetevents
+          "io_pgetevents,"
+#endif
+#ifdef SYS_io_setup
+          "io_setup,"
+#endif
+#ifdef SYS_io_submit
+          "io_submit"
+#endif
+        },
+        { .name = "@basic-io", .list =
+#ifdef SYS__llseek
+          "_llseek,"
+#endif
+#ifdef SYS_close
+          "close,"
+#endif
+#ifdef SYS_dup
+          "dup,"
+#endif
+#ifdef SYS_dup2
+          "dup2,"
+#endif
+#ifdef SYS_dup3
+          "dup3,"
+#endif
+#ifdef SYS_lseek
+          "lseek,"
+#endif
+#ifdef SYS_pread64
+          "pread64,"
+#endif
+#ifdef SYS_preadv
+          "preadv,"
+#endif
+#ifdef SYS_preadv2
+          "preadv2,"
+#endif
+#ifdef SYS_pwrite64
+          "pwrite64,"
+#endif
+#ifdef SYS_pwritev
+          "pwritev,"
+#endif
+#ifdef SYS_pwritev2
+          "pwritev2,"
+#endif
+#ifdef SYS_read
+          "read,"
+#endif
+#ifdef SYS_readv
+          "readv,"
+#endif
+#ifdef SYS_write
+          "write,"
+#endif
+#ifdef SYS_writev
+          "writev"
+#endif
+        },
+        { .name = "@chown", .list =
+#ifdef SYS_chown
+          "chown,"
+#endif
+#ifdef SYS_chown32
+          "chown32,"
+#endif
+#ifdef SYS_fchown
+          "fchown,"
+#endif
+#ifdef SYS_fchown32
+          "fchown32,"
+#endif
+#ifdef SYS_fchownat
+          "fchownat,"
+#endif
+#ifdef SYS_lchown
+          "lchown,"
+#endif
+#ifdef SYS_lchown32
+          "lchown32"
+#endif
+        },
        { .name = "@clock", .list =
 #ifdef SYS_adjtimex
          "adjtimex,"
@@ -108,11 +201,14 @@ static const SyscallGroupList sysgroups[] = {
 #endif
        },
        { .name = "@default", .list =
+          "@clock,"
          "@cpu-emulation,"
          "@debug,"
+          "@module,"
          "@obsolete,"
-          "@privileged,"
+          "@raw-io,"
-          "@resources,"
+          "@reboot,"
+          "@swap,"
 #ifdef SYS_open_by_handle_at
          "open_by_handle_at,"
 #endif
@@ -140,6 +236,15 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_request_key
          "request_key,"
 #endif
+#ifdef SYS_mbind
+          "mbind,"
+#endif
+#ifdef SYS_migrate_pages
+          "migrate_pages,"
+#endif
+#ifdef SYS_move_pages
+          "move_pages,"
+#endif
 #ifdef SYS_keyctl
          "keyctl,"
 #endif
@@ -161,6 +266,9 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_remap_file_pages
          "remap_file_pages,"
 #endif
+#ifdef SYS_set_mempolicy
+          "set_mempolicy"
+#endif
 #ifdef SYS_vmsplice
          "vmsplice,"
 #endif
@@ -170,6 +278,36 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_userfaultfd
          "userfaultfd,"
 #endif
+#ifdef SYS_acct
+          "acct,"
+#endif
+#ifdef SYS_bpf
+          "bpf,"
+#endif
+#ifdef SYS_chroot
+          "chroot,"
+#endif
+#ifdef SYS_mount
+          "mount,"
+#endif
+#ifdef SYS_nfsservctl
+          "nfsservctl,"
+#endif
+#ifdef SYS_pivot_root
+          "pivot_root,"
+#endif
+#ifdef SYS_setdomainname
+          "setdomainname,"
+#endif
+#ifdef SYS_sethostname
+          "sethostname,"
+#endif
+#ifdef SYS_umount2
+          "umount2,"
+#endif
+#ifdef SYS_vhangup
+          "vhangup"
+#endif
 //#ifdef SYS_mincore    // 0.9.57 - problem fixed in Linux kernel 5.0; on 4.x it will break kodi, mpv, totem
 //        "mincore"
 //#endif
@@ -190,6 +328,382 @@ static const SyscallGroupList sysgroups[] = {
          "execve,"
          "prctl"
        },
+        { .name = "@file-system", .list =
+#ifdef SYS_access
+          "access,"
+#endif
+#ifdef SYS_chdir
+          "chdir,"
+#endif
+#ifdef SYS_chmod
+          "chmod,"
+#endif
+#ifdef SYS_close
+          "close,"
+#endif
+#ifdef SYS_creat
+          "creat,"
+#endif
+#ifdef SYS_faccessat
+          "faccessat,"
+#endif
+#ifdef SYS_fallocate
+          "fallocate,"
+#endif
+#ifdef SYS_fchdir
+          "fchdir,"
+#endif
+#ifdef SYS_fchmod
+          "fchmod,"
+#endif
+#ifdef SYS_fchmodat
+          "fchmodat,"
+#endif
+#ifdef SYS_fcntl
+          "fcntl,"
+#endif
+#ifdef SYS_fcntl64
+          "fcntl64,"
+#endif
+#ifdef SYS_fgetxattr
+          "fgetxattr,"
+#endif
+#ifdef SYS_flistxattr
+          "flistxattr,"
+#endif
+#ifdef SYS_fremovexattr
+          "fremovexattr,"
+#endif
+#ifdef SYS_fsetxattr
+          "fsetxattr,"
+#endif
+#ifdef SYS_fstat
+          "fstat,"
+#endif
+#ifdef SYS_fstat64
+          "fstat64,"
+#endif
+#ifdef SYS_fstatat64
+          "fstatat64,"
+#endif
+#ifdef SYS_fstatfs
+          "fstatfs,"
+#endif
+#ifdef SYS_fstatfs64
+          "fstatfs64,"
+#endif
+#ifdef SYS_ftruncate
+          "ftruncate,"
+#endif
+#ifdef SYS_ftruncate64
+          "ftruncate64,"
+#endif
+#ifdef SYS_futimesat
+          "futimesat,"
+#endif
+#ifdef SYS_getcwd
+          "getcwd,"
+#endif
+#ifdef SYS_getdents
+          "getdents,"
+#endif
+#ifdef SYS_getdents64
+          "getdents64,"
+#endif
+#ifdef SYS_getxattr
+          "getxattr,"
+#endif
+#ifdef SYS_inotify_add_watch
+          "inotify_add_watch,"
+#endif
+#ifdef SYS_inotify_init
+          "inotify_init,"
+#endif
+#ifdef SYS_inotify_init1
+          "inotify_init1,"
+#endif
+#ifdef SYS_inotify_rm_watch
+          "inotify_rm_watch,"
+#endif
+#ifdef SYS_lgetxattr
+          "lgetxattr,"
+#endif
+#ifdef SYS_link
+          "link,"
+#endif
+#ifdef SYS_linkat
+          "linkat,"
+#endif
+#ifdef SYS_listxattr
+          "listxattr,"
+#endif
+#ifdef SYS_llistxattr
+          "llistxattr,"
+#endif
+#ifdef SYS_lremovexattr
+          "lremovexattr,"
+#endif
+#ifdef SYS_lsetxattr
+          "lsetxattr,"
+#endif
+#ifdef SYS_lstat
+          "lstat,"
+#endif
+#ifdef SYS_lstat64
+          "lstat64,"
+#endif
+#ifdef SYS_mkdir
+          "mkdir,"
+#endif
+#ifdef SYS_mkdirat
+          "mkdirat,"
+#endif
+#ifdef SYS_mknod
+          "mknod,"
+#endif
+#ifdef SYS_mknodat
+          "mknodat,"
+#endif
+#ifdef SYS_mmap
+          "mmap,"
+#endif
+#ifdef SYS_mmap2
+          "mmap2,"
+#endif
+#ifdef SYS_munmap
+          "munmap,"
+#endif
+#ifdef SYS_newfstatat
+          "newfstatat,"
+#endif
+#ifdef SYS_oldfstat
+          "oldfstat,"
+#endif
+#ifdef SYS_oldlstat
+          "oldlstat,"
+#endif
+#ifdef SYS_oldstat
+          "oldstat,"
+#endif
+#ifdef SYS_open
+          "open,"
+#endif
+#ifdef SYS_openat
+          "openat,"
+#endif
+#ifdef SYS_readlink
+          "readlink,"
+#endif
+#ifdef SYS_readlinkat
+          "readlinkat,"
+#endif
+#ifdef SYS_removexattr
+          "removexattr,"
+#endif
+#ifdef SYS_rename
+          "rename,"
+#endif
+#ifdef SYS_renameat
+          "renameat,"
+#endif
+#ifdef SYS_renameat2
+          "renameat2,"
+#endif
+#ifdef SYS_rmdir
+          "rmdir,"
+#endif
+#ifdef SYS_setxattr
+          "setxattr,"
+#endif
+#ifdef SYS_stat
+          "stat,"
+#endif
+#ifdef SYS_stat64
+          "stat64,"
+#endif
+#ifdef SYS_statfs
+          "statfs,"
+#endif
+#ifdef SYS_statfs64
+          "statfs64,"
+#endif
+#ifdef SYS_statx
+          "statx,"
+#endif
+#ifdef SYS_symlink
+          "symlink,"
+#endif
+#ifdef SYS_symlinkat
+          "symlinkat,"
+#endif
+#ifdef SYS_truncate
+          "truncate,"
+#endif
+#ifdef SYS_truncate64
+          "truncate64,"
+#endif
+#ifdef SYS_unlink
+          "unlink,"
+#endif
+#ifdef SYS_unlinkat
+          "unlinkat,"
+#endif
+#ifdef SYS_utime
+          "utime,"
+#endif
+#ifdef SYS_utimensat
+          "utimensat,"
+#endif
+#ifdef SYS_utimes
+          "utimes"
+#endif
+        },
+        { .name = "@io-event", .list =
+#ifdef SYS__newselect
+          "_newselect,"
+#endif
+#ifdef SYS_epoll_create
+          "epoll_create,"
+#endif
+#ifdef SYS_epoll_create1
+          "epoll_create1,"
+#endif
+#ifdef SYS_epoll_ctl
+          "epoll_ctl,"
+#endif
+#ifdef SYS_epoll_ctl_old
+          "epoll_ctl_old,"
+#endif
+#ifdef SYS_epoll_pwait
+          "epoll_pwait,"
+#endif
+#ifdef SYS_epoll_wait
+          "epoll_wait,"
+#endif
+#ifdef SYS_epoll_wait_old
+          "epoll_wait_old,"
+#endif
+#ifdef SYS_eventfd
+          "eventfd,"
+#endif
+#ifdef SYS_eventfd2
+          "eventfd2,"
+#endif
+#ifdef SYS_poll
+          "poll,"
+#endif
+#ifdef SYS_ppoll
+          "ppoll,"
+#endif
+#ifdef SYS_pselect6
+          "pselect6,"
+#endif
+#ifdef SYS_select
+          "select"
+#endif
+        },
+        { .name = "@ipc", .list =
+#ifdef SYS_ipc
+          "ipc,"
+#endif
+#ifdef SYS_memfd_create
+          "memfd_create,"
+#endif
+#ifdef SYS_mq_getsetattr
+          "mq_getsetattr,"
+#endif
+#ifdef SYS_mq_notify
+          "mq_notify,"
+#endif
+#ifdef SYS_mq_open
+          "mq_open,"
+#endif
+#ifdef SYS_mq_timedreceive
+          "mq_timedreceive,"
+#endif
+#ifdef SYS_mq_timedsend
+          "mq_timedsend,"
+#endif
+#ifdef SYS_mq_unlink
+          "mq_unlink,"
+#endif
+#ifdef SYS_msgctl
+          "msgctl,"
+#endif
+#ifdef SYS_msgget
+          "msgget,"
+#endif
+#ifdef SYS_msgrcv
+          "msgrcv,"
+#endif
+#ifdef SYS_msgsnd
+          "msgsnd,"
+#endif
+#ifdef SYS_pipe
+          "pipe,"
+#endif
+#ifdef SYS_pipe2
+          "pipe2,"
+#endif
+#ifdef SYS_process_vm_readv
+          "process_vm_readv,"
+#endif
+#ifdef SYS_process_vm_writev
+          "process_vm_writev,"
+#endif
+#ifdef SYS_semctl
+          "semctl,"
+#endif
+#ifdef SYS_semget
+          "semget,"
+#endif
+#ifdef SYS_semop
+          "semop,"
+#endif
+#ifdef SYS_semtimedop
+          "semtimedop,"
+#endif
+#ifdef SYS_shmat
+          "shmat,"
+#endif
+#ifdef SYS_shmctl
+          "shmctl,"
+#endif
+#ifdef SYS_shmdt
+          "shmdt,"
+#endif
+#ifdef SYS_shmget
+          "shmget"
+#endif
+        },
+        { .name = "@keyring", .list =
+#ifdef SYS_add_key
+          "add_key,"
+#endif
+#ifdef SYS_keyctl
+          "keyctl,"
+#endif
+#ifdef SYS_request_key
+          "request_key"
+#endif
+        },
+        { .name = "@memlock", .list =
+#ifdef SYS_mlock
+          "mlock,"
+#endif
+#ifdef SYS_mlock2
+          "mlock2,"
+#endif
+#ifdef SYS_mlockall
+          "mlockall,"
+#endif
+#ifdef SYS_munlock
+          "munlock,"
+#endif
+#ifdef SYS_munlockall
+          "munlockall"
+#endif
+        },
        { .name = "@module", .list =
 #ifdef SYS_delete_module
          "delete_module,"
@@ -201,6 +715,88 @@ static const SyscallGroupList sysgroups[] = {
          "init_module"
 #endif
        },
+        { .name = "@mount", .list =
+#ifdef SYS_chroot
+          "chroot,"
+#endif
+#ifdef SYS_mount
+          "mount,"
+#endif
+#ifdef SYS_pivot_root
+          "pivot_root,"
+#endif
+#ifdef SYS_umount
+          "umount,"
+#endif
+#ifdef SYS_umount2
+          "umount2"
+#endif
+        },
+        { .name = "@network-io", .list =
+#ifdef SYS_accept
+          "accept,"
+#endif
+#ifdef SYS_accept4
+          "accept4,"
+#endif
+#ifdef SYS_bind
+          "bind,"
+#endif
+#ifdef SYS_connect
+          "connect,"
+#endif
+#ifdef SYS_getpeername
+          "getpeername,"
+#endif
+#ifdef SYS_getsockname
+          "getsockname,"
+#endif
+#ifdef SYS_getsockopt
+          "getsockopt,"
+#endif
+#ifdef SYS_listen
+          "listen,"
+#endif
+#ifdef SYS_recv
+          "recv,"
+#endif
+#ifdef SYS_recvfrom
+          "recvfrom,"
+#endif
+#ifdef SYS_recvmmsg
+          "recvmmsg,"
+#endif
+#ifdef SYS_recvmsg
+          "recvmsg,"
+#endif
+#ifdef SYS_send
+          "send,"
+#endif
+#ifdef SYS_sendmmsg
+          "sendmmsg,"
+#endif
+#ifdef SYS_sendmsg
+          "sendmsg,"
+#endif
+#ifdef SYS_sendto
+          "sendto,"
+#endif
+#ifdef SYS_setsockopt
+          "setsockopt,"
+#endif
+#ifdef SYS_shutdown
+          "shutdown,"
+#endif
+#ifdef SYS_socket
+          "socket,"
+#endif
+#ifdef SYS_socketcall
+          "socketcall,"
+#endif
+#ifdef SYS_socketpair
+          "socketpair"
+#endif
+        },
        { .name = "@obsolete", .list =
 #ifdef SYS__sysctl
          "_sysctl,"
@@ -229,6 +825,9 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_gtty
          "gtty,"
 #endif
+#ifdef SYS_idle
+          "idle,"
+#endif
 #ifdef SYS_lock
          "lock,"
 #endif
@@ -282,35 +881,81 @@ static const SyscallGroupList sysgroups[] = {
 #endif
        },
        { .name = "@privileged", .list =
+          "@chown,"
          "@clock,"
          "@module,"
          "@raw-io,"
          "@reboot,"
          "@swap,"
+#ifdef SYS__sysctl
+          "_sysctl,"
+#endif
 #ifdef SYS_acct
          "acct,"
 #endif
 #ifdef SYS_bpf
          "bpf,"
 #endif
+#ifdef SYS_capset
+          "capset,"
+#endif
 #ifdef SYS_chroot
          "chroot,"
 #endif
+#ifdef SYS_fanotify_init
+          "fanotify_init,"
+#endif
 #ifdef SYS_mount
          "mount,"
 #endif
 #ifdef SYS_nfsservctl
          "nfsservctl,"
 #endif
+#ifdef SYS_open_by_handle_at
+          "open_by_handle_at,"
+#endif
 #ifdef SYS_pivot_root
          "pivot_root,"
 #endif
+#ifdef SYS_quotactl
+          "quotactl,"
+#endif
 #ifdef SYS_setdomainname
          "setdomainname,"
 #endif
+#ifdef SYS_setfsuid
+          "setfsuid,"
+#endif
+#ifdef SYS_setfsuid32
+          "setfsuid32,"
+#endif
+#ifdef SYS_setgroups
+          "setgroups,"
+#endif
+#ifdef SYS_setgroups32
+          "setgroups32,"
+#endif
 #ifdef SYS_sethostname
          "sethostname,"
 #endif
+#ifdef SYS_setresuid
+          "setresuid,"
+#endif
+#ifdef SYS_setresuid32
+          "setresuid32,"
+#endif
+#ifdef SYS_setreuid
+          "setreuid,"
+#endif
+#ifdef SYS_setreuid32
+          "setreuid32,"
+#endif
+#ifdef SYS_setuid
+          "setuid,"
+#endif
+#ifdef SYS_setuid32
+          "setuid32,"
+#endif
 #ifdef SYS_umount2
          "umount2,"
 #endif
@@ -318,6 +963,71 @@ static const SyscallGroupList sysgroups[] = {
          "vhangup"
 #endif
        },
+        { .name = "@process", .list =
+#ifdef SYS_arch_prctl
+          "arch_prctl,"
+#endif
+#ifdef SYS_capget
+          "capget,"
+#endif
+#ifdef SYS_clone
+          "clone,"
+#endif
+#ifdef SYS_execveat
+          "execveat,"
+#endif
+#ifdef SYS_fork
+          "fork,"
+#endif
+#ifdef SYS_getrusage
+          "getrusage,"
+#endif
+#ifdef SYS_kill
+          "kill,"
+#endif
+#ifdef SYS_pidfd_send_signal
+          "pidfd_send_signal,"
+#endif
+#ifdef SYS_prctl
+          "prctl,"
+#endif
+#ifdef SYS_rt_sigqueueinfo
+          "rt_sigqueueinfo,"
+#endif
+#ifdef SYS_rt_tgsigqueueinfo
+          "rt_tgsigqueueinfo,"
+#endif
+#ifdef SYS_setns
+          "setns,"
+#endif
+#ifdef SYS_swapcontext
+          "swapcontext,"
+#endif
+#ifdef SYS_tgkill
+          "tgkill,"
+#endif
+#ifdef SYS_times
+          "times,"
+#endif
+#ifdef SYS_tkill
+          "tkill,"
+#endif
+#ifdef SYS_unshare
+          "unshare,"
+#endif
+#ifdef SYS_vfork
+          "vfork,"
+#endif
+#ifdef SYS_wait4
+          "wait4,"
+#endif
+#ifdef SYS_waitid
+          "waitid,"
+#endif
+#ifdef SYS_waitpid
+          "waitpid"
+#endif
+        },
        { .name = "@raw-io", .list =
 #ifdef SYS_ioperm
          "ioperm,"
@@ -356,8 +1066,11 @@ static const SyscallGroupList sysgroups[] = {
 #endif
        },
        { .name = "@resources", .list =
-#ifdef SYS_set_mempolicy
+#ifdef SYS_ioprio_set
-          "set_mempolicy,"
+          "ioprio_set,"
+#endif
+#ifdef SYS_mbind
+          "mbind,"
 #endif
 #ifdef SYS_migrate_pages
          "migrate_pages,"
@@ -365,8 +1078,108 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_move_pages
          "move_pages,"
 #endif
-#ifdef SYS_mbind
+#ifdef SYS_nice
-          "mbind"
+          "nice,"
+#endif
+#ifdef SYS_sched_setaffinity
+          "sched_setaffinity,"
+#endif
+#ifdef SYS_sched_setattr
+          "sched_setattr,"
+#endif
+#ifdef SYS_sched_setparam
+          "sched_setparam,"
+#endif
+#ifdef SYS_sched_setscheduler
+          "sched_setscheduler,"
+#endif
+#ifdef SYS_set_mempolicy
+          "set_mempolicy"
+#endif
+        },
+        { .name = "@setuid", .list =
+#ifdef SYS_setgid
+          "setgid,"
+#endif
+#ifdef SYS_setgid32
+          "setgid32,"
+#endif
+#ifdef SYS_setgroups
+          "setgroups,"
+#endif
+#ifdef SYS_setgroups32
+          "setgroups32,"
+#endif
+#ifdef SYS_setregid
+          "setregid,"
+#endif
+#ifdef SYS_setregid32
+          "setregid32,"
+#endif
+#ifdef SYS_setresgid
+          "setresgid,"
+#endif
+#ifdef SYS_setresgid32
+          "setresgid32,"
+#endif
+#ifdef SYS_setresuid
+          "setresuid,"
+#endif
+#ifdef SYS_setresuid32
+          "setresuid32,"
+#endif
+#ifdef SYS_setreuid
+          "setreuid,"
+#endif
+#ifdef SYS_setreuid32
+          "setreuid32,"
+#endif
+#ifdef SYS_setuid
+          "setuid,"
+#endif
+#ifdef SYS_setuid32
+          "setuid32"
+#endif
+        },
+        { .name = "@signal", .list =
+#ifdef SYS_rt_sigaction
+          "rt_sigaction,"
+#endif
+#ifdef SYS_rt_sigpending
+          "rt_sigpending,"
+#endif
+#ifdef SYS_rt_sigprocmask
+          "rt_sigprocmask,"
+#endif
+#ifdef SYS_rt_sigsuspend
+          "rt_sigsuspend,"
+#endif
+#ifdef SYS_rt_sigtimedwait
+          "rt_sigtimedwait,"
+#endif
+#ifdef SYS_sigaction
+          "sigaction,"
+#endif
+#ifdef SYS_sigaltstack
+          "sigaltstack,"
+#endif
+#ifdef SYS_signal
+          "signal,"
+#endif
+#ifdef SYS_signalfd
+          "signalfd,"
+#endif
+#ifdef SYS_signalfd4
+          "signalfd4,"
+#endif
+#ifdef SYS_sigpending
+          "sigpending,"
+#endif
+#ifdef SYS_sigprocmask
+          "sigprocmask,"
+#endif
+#ifdef SYS_sigsuspend
+          "sigsuspend"
 #endif
        },
        { .name = "@swap", .list =
@@ -376,6 +1189,226 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_swapoff
          "swapoff"
 #endif
+        },
+        { .name = "@sync", .list =
+#ifdef SYS_fdatasync
+          "fdatasync,"
+#endif
+#ifdef SYS_fsync
+          "fsync,"
+#endif
+#ifdef SYS_msync
+          "msync,"
+#endif
+#ifdef SYS_sync
+          "sync,"
+#endif
+#ifdef SYS_sync_file_range
+          "sync_file_range,"
+#endif
+#ifdef SYS_sync_file_range2
+          "sync_file_range2,"
+#endif
+#ifdef SYS_syncfs
+          "syncfs"
+#endif
+        },
+        { .name = "@system-service", .list =
+          "@aio,"
+          "@basic-io,"
+          "@chown,"
+          "@default,"
+          "@file-system,"
+          "@io-event,"
+          "@ipc,"
+          "@keyring,"
+          "@memlock,"
+          "@network-io,"
+          "@process,"
+          "@resources,"
+          "@setuid,"
+          "@signal,"
+          "@sync,"
+          "@timer,"
+#ifdef SYS_brk
+          "brk,"
+#endif
+#ifdef SYS_capget
+          "capget,"
+#endif
+#ifdef SYS_capset
+          "capset,"
+#endif
+#ifdef SYS_copy_file_range
+          "copy_file_range,"
+#endif
+#ifdef SYS_fadvise64
+          "fadvise64,"
+#endif
+#ifdef SYS_fadvise64_64
+          "fadvise64_64,"
+#endif
+#ifdef SYS_flock
+          "flock,"
+#endif
+#ifdef SYS_get_mempolicy
+          "get_mempolicy,"
+#endif
+#ifdef SYS_getcpu
+          "getcpu,"
+#endif
+#ifdef SYS_getpriority
+          "getpriority,"
+#endif
+#ifdef SYS_getrandom
+          "getrandom,"
+#endif
+#ifdef SYS_ioctl
+          "ioctl,"
+#endif
+#ifdef SYS_ioprio_get
+          "ioprio_get,"
+#endif
+#ifdef SYS_kcmp
+          "kcmp,"
+#endif
+#ifdef SYS_madvise
+          "madvise,"
+#endif
+#ifdef SYS_mprotect
+          "mprotect,"
+#endif
+#ifdef SYS_mremap
+          "mremap,"
+#endif
+#ifdef SYS_name_to_handle_at
+          "name_to_handle_at,"
+#endif
+#ifdef SYS_oldolduname
+          "oldolduname,"
+#endif
+#ifdef SYS_olduname
+          "olduname,"
+#endif
+#ifdef SYS_personality
+          "personality,"
+#endif
+#ifdef SYS_readahead
+          "readahead,"
+#endif
+#ifdef SYS_readdir
+          "readdir,"
+#endif
+#ifdef SYS_remap_file_pages
+          "remap_file_pages,"
+#endif
+#ifdef SYS_sched_get_priority_max
+          "sched_get_priority_max,"
+#endif
+#ifdef SYS_sched_get_priority_min
+          "sched_get_priority_min,"
+#endif
+#ifdef SYS_sched_getaffinity
+          "sched_getaffinity,"
+#endif
+#ifdef SYS_sched_getattr
+          "sched_getattr,"
+#endif
+#ifdef SYS_sched_getparam
+          "sched_getparam,"
+#endif
+#ifdef SYS_sched_getscheduler
+          "sched_getscheduler,"
+#endif
+#ifdef SYS_sched_rr_get_interval
+          "sched_rr_get_interval,"
+#endif
+#ifdef SYS_sched_yield
+          "sched_yield,"
+#endif
+#ifdef SYS_sendfile
+          "sendfile,"
+#endif
+#ifdef SYS_sendfile64
+          "sendfile64,"
+#endif
+#ifdef SYS_setfsgid
+          "setfsgid,"
+#endif
+#ifdef SYS_setfsgid32
+          "setfsgid32,"
+#endif
+#ifdef SYS_setfsuid
+          "setfsuid,"
+#endif
+#ifdef SYS_setfsuid32
+          "setfsuid32,"
+#endif
+#ifdef SYS_setpgid
+          "setpgid,"
+#endif
+#ifdef SYS_setsid
+          "setsid,"
+#endif
+#ifdef SYS_splice
+          "splice,"
+#endif
+#ifdef SYS_sysinfo
+          "sysinfo,"
+#endif
+#ifdef SYS_tee
+          "tee,"
+#endif
+#ifdef SYS_umask
+          "umask,"
+#endif
+#ifdef SYS_uname
+          "uname,"
+#endif
+#ifdef SYS_userfaultfd
+          "userfaultfd,"
+#endif
+#ifdef SYS_vmsplice
+          "vmsplice"
+#endif
+        },
+        { .name = "@timer", .list =
+#ifdef SYS_alarm
+          "alarm,"
+#endif
+#ifdef SYS_getitimer
+          "getitimer,"
+#endif
+#ifdef SYS_setitimer
+          "setitimer,"
+#endif
+#ifdef SYS_timer_create
+          "timer_create,"
+#endif
+#ifdef SYS_timer_delete
+          "timer_delete,"
+#endif
+#ifdef SYS_timer_getoverrun
+          "timer_getoverrun,"
+#endif
+#ifdef SYS_timer_gettime
+          "timer_gettime,"
+#endif
+#ifdef SYS_timer_settime
+          "timer_settime,"
+#endif
+#ifdef SYS_timerfd_create
+          "timerfd_create,"
+#endif
+#ifdef SYS_timerfd_gettime
+          "timerfd_gettime,"
+#endif
+#ifdef SYS_timerfd_settime
+          "timerfd_settime,"
+#endif
+#ifdef SYS_times
+          "times"
+#endif
        }
 };
@@ -497,9 +1530,17 @@ int syscall_check_list(const char *slist, void (*callback)(int fd, int syscall,
                        syscall_check_list(new_list, callback, fd, arg, ptrarg);
                }
                else {
+                        bool negate = false;
+                        if (*ptr == '!') {
+                                negate = true;
+                                ptr++;
+                        }
                        syscall_process_name(ptr, &syscall_nr, &error_nr);
                        if (syscall_nr == -1) {;}
                        else if (callback != NULL) {
+                                if (negate) {
+                                        syscall_nr = -syscall_nr;
+                                }
                                if (error_nr != -1 && fd != 0) {
                                        filter_add_errno(fd, syscall_nr, error_nr, ptrarg);
                                }
@@ -522,7 +1563,7 @@ static void find_syscall(int fd, int syscall, int arg, void *ptrarg) {
        (void)fd;
        (void) arg;
        SyscallCheckList *ptr = ptrarg;
-        if (syscall == ptr->syscall)
+        if (abs(syscall) == ptr->syscall)
                ptr->found = true;
 }
diff --git a/src/libtrace/libtrace.c b/src/libtrace/libtrace.c
index 60fdb5470..745dd2260 100644
--- a/src/libtrace/libtrace.c
+++ b/src/libtrace/libtrace.c
@@ -34,6 +34,13 @@
 #include <dirent.h>
 #include <limits.h>
+#define tprintf(fp, args...) \
+    do { \
+        if (!fp)\
+            init(); \
+        fprintf(fp, args); \
+    } while(0)
 // break recursivity on fopen call
 typedef FILE *(*orig_fopen_t)(const char *pathname, const char *mode);
 static orig_fopen_t orig_fopen = NULL;
@@ -43,6 +50,10 @@ static orig_fopen64_t orig_fopen64 = NULL;
 //
 // library constructor/destructor
 //
+// Replacing printf with fprintf to /dev/tty in order to fix #561
+// If you really want to turn it off, comment the following line, but its a
+// really bad idea.
+#define PRINTF_DEVTTY
 static FILE *ftty = NULL;
 static pid_t mypid = 0;
 #define MAXNAME 16
@@ -50,10 +61,18 @@ static char myname[MAXNAME] = {'\0', };
 static void init(void) __attribute__((constructor));
 void init(void) {
+        if (ftty)
+                return;
        orig_fopen = (orig_fopen_t)dlsym(RTLD_NEXT, "fopen");
        // tty
+#ifdef PRINTF_DEVTTY
        ftty = orig_fopen("/dev/tty", "w");
+#else
+        ftty = stderr;
+#endif
+        tprintf(ftty, "=== tracelib init() === \n");
        // pid
        mypid = getpid();
@@ -226,23 +245,23 @@ static char *translate(XTable *table, int val) {
 static void print_sockaddr(int sockfd, const char *call, const struct sockaddr *addr, int rv) {
        if (addr->sa_family == AF_INET) {
                struct sockaddr_in *a = (struct sockaddr_in *) addr;
-                fprintf(ftty, "%u:%s:%s %d %s port %u:%d\n", mypid, myname, call, sockfd, inet_ntoa(a->sin_addr), ntohs(a->sin_port), rv);
+                tprintf(ftty, "%u:%s:%s %d %s port %u:%d\n", mypid, myname, call, sockfd, inet_ntoa(a->sin_addr), ntohs(a->sin_port), rv);
        }
        else if (addr->sa_family == AF_INET6) {
                struct sockaddr_in6 *a = (struct sockaddr_in6 *) addr;
                char str[INET6_ADDRSTRLEN];
                inet_ntop(AF_INET6, &(a->sin6_addr), str, INET6_ADDRSTRLEN);
-                fprintf(ftty, "%u:%s:%s %d %s:%d\n", mypid, myname, call, sockfd, str, rv);
+                tprintf(ftty, "%u:%s:%s %d %s:%d\n", mypid, myname, call, sockfd, str, rv);
        }
        else if (addr->sa_family == AF_UNIX) {
                struct sockaddr_un *a = (struct sockaddr_un *) addr;
                if (a->sun_path[0])
-                        fprintf(ftty, "%u:%s:%s %d %s:%d\n", mypid, myname, call, sockfd, a->sun_path, rv);
+                        tprintf(ftty, "%u:%s:%s %d %s:%d\n", mypid, myname, call, sockfd, a->sun_path, rv);
                else
-                        fprintf(ftty, "%u:%s:%s %d @%s:%d\n", mypid, myname, call, sockfd, a->sun_path + 1, rv);
+                        tprintf(ftty, "%u:%s:%s %d @%s:%d\n", mypid, myname, call, sockfd, a->sun_path + 1, rv);
        }
        else {
-                fprintf(ftty, "%u:%s:%s %d family %d:%d\n", mypid, myname, call, sockfd, addr->sa_family, rv);
+                tprintf(ftty, "%u:%s:%s %d family %d:%d\n", mypid, myname, call, sockfd, addr->sa_family, rv);
        }
 }
@@ -258,7 +277,7 @@ int open(const char *pathname, int flags, mode_t mode) {
                orig_open = (orig_open_t)dlsym(RTLD_NEXT, "open");
        int rv = orig_open(pathname, flags, mode);
-        fprintf(ftty, "%u:%s:open %s:%d\n", mypid, myname, pathname, rv);
+        tprintf(ftty, "%u:%s:open %s:%d\n", mypid, myname, pathname, rv);
        return rv;
 }
@@ -269,7 +288,7 @@ int open64(const char *pathname, int flags, mode_t mode) {
                orig_open64 = (orig_open64_t)dlsym(RTLD_NEXT, "open64");
        int rv = orig_open64(pathname, flags, mode);
-        fprintf(ftty, "%u:%s:open64 %s:%d\n", mypid, myname, pathname, rv);
+        tprintf(ftty, "%u:%s:open64 %s:%d\n", mypid, myname, pathname, rv);
        return rv;
 }
@@ -281,7 +300,7 @@ int openat(int dirfd, const char *pathname, int flags, mode_t mode) {
                orig_openat = (orig_openat_t)dlsym(RTLD_NEXT, "openat");
        int rv = orig_openat(dirfd, pathname, flags, mode);
-        fprintf(ftty, "%u:%s:openat %s:%d\n", mypid, myname, pathname, rv);
+        tprintf(ftty, "%u:%s:openat %s:%d\n", mypid, myname, pathname, rv);
        return rv;
 }
@@ -292,7 +311,7 @@ int openat64(int dirfd, const char *pathname, int flags, mode_t mode) {
                orig_openat64 = (orig_openat64_t)dlsym(RTLD_NEXT, "openat64");
        int rv = orig_openat64(dirfd, pathname, flags, mode);
-        fprintf(ftty, "%u:%s:openat64 %s:%d\n", mypid, myname, pathname, rv);
+        tprintf(ftty, "%u:%s:openat64 %s:%d\n", mypid, myname, pathname, rv);
        return rv;
 }
@@ -303,7 +322,7 @@ FILE *fopen(const char *pathname, const char *mode) {
                orig_fopen = (orig_fopen_t)dlsym(RTLD_NEXT, "fopen");
        FILE *rv = orig_fopen(pathname, mode);
-        fprintf(ftty, "%u:%s:fopen %s:%p\n", mypid, myname, pathname, rv);
+        tprintf(ftty, "%u:%s:fopen %s:%p\n", mypid, myname, pathname, rv);
        return rv;
 }
@@ -313,7 +332,7 @@ FILE *fopen64(const char *pathname, const char *mode) {
                orig_fopen64 = (orig_fopen_t)dlsym(RTLD_NEXT, "fopen64");
        FILE *rv = orig_fopen64(pathname, mode);
-        fprintf(ftty, "%u:%s:fopen64 %s:%p\n", mypid, myname, pathname, rv);
+        tprintf(ftty, "%u:%s:fopen64 %s:%p\n", mypid, myname, pathname, rv);
        return rv;
 }
 #endif /* __GLIBC__ */
@@ -327,7 +346,7 @@ FILE *freopen(const char *pathname, const char *mode, FILE *stream) {
                orig_freopen = (orig_freopen_t)dlsym(RTLD_NEXT, "freopen");
        FILE *rv = orig_freopen(pathname, mode, stream);
-        fprintf(ftty, "%u:%s:freopen %s:%p\n", mypid, myname, pathname, rv);
+        tprintf(ftty, "%u:%s:freopen %s:%p\n", mypid, myname, pathname, rv);
        return rv;
 }
@@ -339,7 +358,7 @@ FILE *freopen64(const char *pathname, const char *mode, FILE *stream) {
                orig_freopen64 = (orig_freopen64_t)dlsym(RTLD_NEXT, "freopen64");
        FILE *rv = orig_freopen64(pathname, mode, stream);
-        fprintf(ftty, "%u:%s:freopen64 %s:%p\n", mypid, myname, pathname, rv);
+        tprintf(ftty, "%u:%s:freopen64 %s:%p\n", mypid, myname, pathname, rv);
        return rv;
 }
 #endif /* __GLIBC__ */
@@ -352,7 +371,7 @@ int unlink(const char *pathname) {
                orig_unlink = (orig_unlink_t)dlsym(RTLD_NEXT, "unlink");
        int rv = orig_unlink(pathname);
-        fprintf(ftty, "%u:%s:unlink %s:%d\n", mypid, myname, pathname, rv);
+        tprintf(ftty, "%u:%s:unlink %s:%d\n", mypid, myname, pathname, rv);
        return rv;
 }
@@ -363,7 +382,7 @@ int unlinkat(int dirfd, const char *pathname, int flags) {
                orig_unlinkat = (orig_unlinkat_t)dlsym(RTLD_NEXT, "unlinkat");
        int rv = orig_unlinkat(dirfd, pathname, flags);
-        fprintf(ftty, "%u:%s:unlinkat %s:%d\n", mypid, myname, pathname, rv);
+        tprintf(ftty, "%u:%s:unlinkat %s:%d\n", mypid, myname, pathname, rv);
        return rv;
 }
@@ -375,7 +394,7 @@ int mkdir(const char *pathname, mode_t mode) {
                orig_mkdir = (orig_mkdir_t)dlsym(RTLD_NEXT, "mkdir");
        int rv = orig_mkdir(pathname, mode);
-        fprintf(ftty, "%u:%s:mkdir %s:%d\n", mypid, myname, pathname, rv);
+        tprintf(ftty, "%u:%s:mkdir %s:%d\n", mypid, myname, pathname, rv);
        return rv;
 }
@@ -386,7 +405,7 @@ int mkdirat(int dirfd, const char *pathname, mode_t mode) {
                orig_mkdirat = (orig_mkdirat_t)dlsym(RTLD_NEXT, "mkdirat");
        int rv = orig_mkdirat(dirfd, pathname, mode);
-        fprintf(ftty, "%u:%s:mkdirat %s:%d\n", mypid, myname, pathname, rv);
+        tprintf(ftty, "%u:%s:mkdirat %s:%d\n", mypid, myname, pathname, rv);
        return rv;
 }
@@ -397,7 +416,7 @@ int rmdir(const char *pathname) {
                orig_rmdir = (orig_rmdir_t)dlsym(RTLD_NEXT, "rmdir");
        int rv = orig_rmdir(pathname);
-        fprintf(ftty, "%u:%s:rmdir %s:%d\n", mypid, myname, pathname, rv);
+        tprintf(ftty, "%u:%s:rmdir %s:%d\n", mypid, myname, pathname, rv);
        return rv;
 }
@@ -409,7 +428,7 @@ int stat(const char *pathname, struct stat *statbuf) {
                orig_stat = (orig_stat_t)dlsym(RTLD_NEXT, "stat");
        int rv = orig_stat(pathname, statbuf);
-        fprintf(ftty, "%u:%s:stat %s:%d\n", mypid, myname, pathname, rv);
+        tprintf(ftty, "%u:%s:stat %s:%d\n", mypid, myname, pathname, rv);
        return rv;
 }
@@ -421,7 +440,7 @@ int stat64(const char *pathname, struct stat64 *statbuf) {
                orig_stat64 = (orig_stat64_t)dlsym(RTLD_NEXT, "stat64");
        int rv = orig_stat64(pathname, statbuf);
-        fprintf(ftty, "%u:%s:stat64 %s:%d\n", mypid, myname, pathname, rv);
+        tprintf(ftty, "%u:%s:stat64 %s:%d\n", mypid, myname, pathname, rv);
        return rv;
 }
 #endif /* __GLIBC__ */
@@ -434,7 +453,7 @@ int lstat(const char *pathname, struct stat *statbuf) {
                orig_lstat = (orig_lstat_t)dlsym(RTLD_NEXT, "lstat");
        int rv = orig_lstat(pathname, statbuf);
-        fprintf(ftty, "%u:%s:lstat %s:%d\n", mypid, myname, pathname, rv);
+        tprintf(ftty, "%u:%s:lstat %s:%d\n", mypid, myname, pathname, rv);
        return rv;
 }
@@ -446,7 +465,7 @@ int lstat64(const char *pathname, struct stat64 *statbuf) {
                orig_lstat64 = (orig_lstat64_t)dlsym(RTLD_NEXT, "lstat64");
        int rv = orig_lstat64(pathname, statbuf);
-        fprintf(ftty, "%u:%s:lstat64 %s:%d\n", mypid, myname, pathname, rv);
+        tprintf(ftty, "%u:%s:lstat64 %s:%d\n", mypid, myname, pathname, rv);
        return rv;
 }
 #endif /* __GLIBC__ */
@@ -459,7 +478,7 @@ DIR *opendir(const char *pathname) {
                orig_opendir = (orig_opendir_t)dlsym(RTLD_NEXT, "opendir");
        DIR *rv = orig_opendir(pathname);
-        fprintf(ftty, "%u:%s:opendir %s:%p\n", mypid, myname, pathname, rv);
+        tprintf(ftty, "%u:%s:opendir %s:%p\n", mypid, myname, pathname, rv);
        return rv;
 }
@@ -471,7 +490,7 @@ int access(const char *pathname, int mode) {
                orig_access = (orig_access_t)dlsym(RTLD_NEXT, "access");
        int rv = orig_access(pathname, mode);
-        fprintf(ftty, "%u:%s:access %s:%d\n", mypid, myname, pathname, rv);
+        tprintf(ftty, "%u:%s:access %s:%d\n", mypid, myname, pathname, rv);
        return rv;
 }
@@ -529,7 +548,7 @@ int socket(int domain, int type, int protocol) {
                        sprintf(ptr, "%s", str);
        }
-        fprintf(ftty, "%s:%d\n", socketbuf, rv);
+        tprintf(ftty, "%s:%d\n", socketbuf, rv);
        return rv;
 }
@@ -567,7 +586,7 @@ int system(const char *command) {
                orig_system = (orig_system_t)dlsym(RTLD_NEXT, "system");
        int rv = orig_system(command);
-        fprintf(ftty, "%u:%s:system %s:%d\n", mypid, myname, command, rv);
+        tprintf(ftty, "%u:%s:system %s:%d\n", mypid, myname, command, rv);
        return rv;
 }
@@ -579,7 +598,7 @@ int setuid(uid_t uid) {
                orig_setuid = (orig_setuid_t)dlsym(RTLD_NEXT, "setuid");
        int rv = orig_setuid(uid);
-        fprintf(ftty, "%u:%s:setuid %d:%d\n", mypid, myname, uid, rv);
+        tprintf(ftty, "%u:%s:setuid %d:%d\n", mypid, myname, uid, rv);
        return rv;
 }
@@ -591,7 +610,7 @@ int setgid(gid_t gid) {
                orig_setgid = (orig_setgid_t)dlsym(RTLD_NEXT, "setgid");
        int rv = orig_setgid(gid);
-        fprintf(ftty, "%u:%s:setgid %d:%d\n", mypid, myname, gid, rv);
+        tprintf(ftty, "%u:%s:setgid %d:%d\n", mypid, myname, gid, rv);
        return rv;
 }
@@ -603,7 +622,7 @@ int setfsuid(uid_t uid) {
                orig_setfsuid = (orig_setfsuid_t)dlsym(RTLD_NEXT, "setfsuid");
        int rv = orig_setfsuid(uid);
-        fprintf(ftty, "%u:%s:setfsuid %d:%d\n", mypid, myname, uid, rv);
+        tprintf(ftty, "%u:%s:setfsuid %d:%d\n", mypid, myname, uid, rv);
        return rv;
 }
@@ -615,7 +634,7 @@ int setfsgid(gid_t gid) {
                orig_setfsgid = (orig_setfsgid_t)dlsym(RTLD_NEXT, "setfsgid");
        int rv = orig_setfsgid(gid);
-        fprintf(ftty, "%u:%s:setfsgid %d:%d\n", mypid, myname, gid, rv);
+        tprintf(ftty, "%u:%s:setfsgid %d:%d\n", mypid, myname, gid, rv);
        return rv;
 }
@@ -627,7 +646,7 @@ int setreuid(uid_t ruid, uid_t euid) {
                orig_setreuid = (orig_setreuid_t)dlsym(RTLD_NEXT, "setreuid");
        int rv = orig_setreuid(ruid, euid);
-        fprintf(ftty, "%u:%s:setreuid %d %d:%d\n", mypid, myname, ruid, euid, rv);
+        tprintf(ftty, "%u:%s:setreuid %d %d:%d\n", mypid, myname, ruid, euid, rv);
        return rv;
 }
@@ -639,7 +658,7 @@ int setregid(gid_t rgid, gid_t egid) {
                orig_setregid = (orig_setregid_t)dlsym(RTLD_NEXT, "setregid");
        int rv = orig_setregid(rgid, egid);
-        fprintf(ftty, "%u:%s:setregid %d %d:%d\n", mypid, myname, rgid, egid, rv);
+        tprintf(ftty, "%u:%s:setregid %d %d:%d\n", mypid, myname, rgid, egid, rv);
        return rv;
 }
@@ -651,7 +670,7 @@ int setresuid(uid_t ruid, uid_t euid, uid_t suid) {
                orig_setresuid = (orig_setresuid_t)dlsym(RTLD_NEXT, "setresuid");
        int rv = orig_setresuid(ruid, euid, suid);
-        fprintf(ftty, "%u:%s:setresuid %d %d %d:%d\n", mypid, myname, ruid, euid, suid, rv);
+        tprintf(ftty, "%u:%s:setresuid %d %d %d:%d\n", mypid, myname, ruid, euid, suid, rv);
        return rv;
 }
@@ -663,7 +682,7 @@ int setresgid(gid_t rgid, gid_t egid, gid_t sgid) {
                orig_setresgid = (orig_setresgid_t)dlsym(RTLD_NEXT, "setresgid");
        int rv = orig_setresgid(rgid, egid, sgid);
-        fprintf(ftty, "%u:%s:setresgid %d %d %d:%d\n", mypid, myname, rgid, egid, sgid, rv);
+        tprintf(ftty, "%u:%s:setresgid %d %d %d:%d\n", mypid, myname, rgid, egid, sgid, rv);
        return rv;
 }
@@ -678,6 +697,6 @@ static void log_exec(int argc, char** argv) {
        int rv = readlink("/proc/self/exe", buf, PATH_MAX);
        if (rv != -1) {
                buf[rv] = '\0'; // readlink does not add a '\0' at the end
-                fprintf(ftty, "%u:%s:exec %s:0\n", mypid, myname, buf);
+                tprintf(ftty, "%u:%s:exec %s:0\n", mypid, myname, buf);
        }
 }
diff --git a/src/man/firecfg.txt b/src/man/firecfg.txt
index b418faa15..2887a6c53 100644
--- a/src/man/firecfg.txt
+++ b/src/man/firecfg.txt
@@ -42,7 +42,7 @@ The following actions are implemented by default by running sudo firecfg:
 .br
 .br
-fix desktop files in $HOME/.local/share/applications/ (firecfg --fix).
+- fix desktop files in $HOME/.local/share/applications/ (firecfg --fix).
 .RE
 .SH OPTIONS
diff --git a/src/man/firejail-login.txt b/src/man/firejail-login.txt
index c2fa63dc4..430e86cc8 100644
--- a/src/man/firejail-login.txt
+++ b/src/man/firejail-login.txt
@@ -11,7 +11,7 @@ a user name followed by the arguments passed to firejail. The format is as follo
 Example:
-        netblue:--net=none --protocol=unix
+        netblue: --net=none --protocol=unix
 Wildcard patterns are accepted in the user name field:
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 74f99b538..3db8c782d 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -75,7 +75,13 @@ Child process initialized
 .RE
 .SH Templates
-Templates for writing own profiles can be found in /usr/share/doc/firejail.
+In /usr/share/doc/firejail there are two templates to write new profiles.
+.RS
+profile.template - for regular profiles
+.br
+redirect_alias-profile.template - for aliasing/redirecting profiles
+.RE
 .SH Scripting
 Scripting commands:
@@ -144,7 +150,7 @@ Ignore command.
 Example: "ignore seccomp"
 .br
-Example: "ignore net ehh0"
+Example: "ignore net eth0"
 .TP
 \fBquiet
@@ -154,10 +160,10 @@ Example: "quiet"
 .SH Filesystem
 These profile entries define a chroot filesystem built on top of the existing
-host filesystem. Each line describes a file element that is removed from
+host filesystem. Each line describes a file/directory that is inaccessible
-the filesystem (\fBblacklist\fR), a read-only file or directory (\fBread-only\fR),
+(\fBblacklist\fR), a read-only file or directory (\fBread-only\fR),
 a tmpfs mounted on top of an existing directory (\fBtmpfs\fR),
-or mount-bind a directory  or file on top of another directory or file (\fBbind\fR).
+or mount-bind a directory or file on top of another directory or file (\fBbind\fR).
 Use \fBprivate\fR to set private mode.
 File globbing is supported, and PATH and HOME directories are searched.
 Examples:
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 951618669..500850413 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -71,10 +71,10 @@ If an appropriate profile is not found, Firejail will use a default profile.
 The default profile is quite restrictive. In case the application doesn't work, use --noprofile option
 to disable it. For more information, please see \fBSECURITY PROFILES\fR section below.
 .PP
-If a program argument is not specified, Firejail starts /bin/bash shell.
+If a program argument is not specified, Firejail starts the default shell from the current user.
 Examples:
 .PP
-$ firejail [OPTIONS]                # starting a /bin/bash shell
+$ firejail [OPTIONS]                # starting the user default shell (normally /bin/bash)
 .PP
 $ firejail [OPTIONS] firefox        # starting Mozilla Firefox
 .PP
@@ -1776,11 +1776,14 @@ vm86, vm86old, vmsplice and vserver.
 .br
 To help creating useful seccomp filters more easily, the following
-system call groups are defined: @clock, @cpu-emulation, @debug,
+system call groups are defined: @aio, @basic-io, @chown, @clock,
-@default, @default-nodebuggers, @default-keep, @module, @obsolete,
+@cpu-emulation, @debug, @default, @default-nodebuggers, @default-keep,
-@privileged, @raw-io, @reboot, @resources and @swap. In addition, a
+@file-system, @io-event, @ipc, @keyring, @memlock, @module, @mount,
+@network-io, @obsolete, @privileged, @process, @raw-io, @reboot,
+@resources, @setuid, @swap, @sync, @system-service and @timer. In addition, a
 system call can be specified by its number instead of name with prefix
-$, so for example $165 would be equal to mount on i386.
+$, so for example $165 would be equal to mount on i386. Exceptions
+can be allowed with prefix !.
 .br
 System architecture is strictly imposed only if flag
@@ -1798,8 +1801,10 @@ Example:
 .br
 $ firejail \-\-seccomp
 .TP
-\fB\-\-seccomp=syscall,@group
+\fB\-\-seccomp=syscall,@group,!syscall2
-Enable seccomp filter, blacklist the default list (@default) and the syscalls or syscall groups specified by the command.
+Enable seccomp filter, whitelist "syscall2", but blacklist the default
+list (@default) and the syscalls or syscall groups specified by the
+command.
 .br
 .br
@@ -1863,8 +1868,9 @@ domain with personality(2) system call.
 .br
 .TP
-\fB\-\-seccomp.drop=syscall,@group
+\fB\-\-seccomp.drop=syscall,@group,!syscall2
-Enable seccomp filter, and blacklist the syscalls or the syscall groups specified by the command.
+Enable seccomp filter, whitelist "syscall2" but blacklist the
+syscalls or the syscall groups specified by the command.
 .br
 .br
@@ -1899,10 +1905,11 @@ rm: cannot remove `testfile': Operation not permitted
 .TP
-\fB\-\-seccomp.keep=syscall,syscall,syscall
+\fB\-\-seccomp.keep=syscall,@group,!syscall2
-Enable seccomp filter, and whitelist the syscalls specified by the
+Enable seccomp filter, blacklist "syscall2" but whitelist the
-command. The system calls needed by Firejail (group @default-keep:
+syscalls or the syscall groups specified by the command. The system
-prctl, execve) are handled with the preload library.
+calls needed by Firejail (group @default-keep: prctl, execve) are
+handled with the preload library.
 .br
 .br
diff --git a/test/filters/filters.sh b/test/filters/filters.sh
index 114978f65..10e50539b 100755
--- a/test/filters/filters.sh
+++ b/test/filters/filters.sh
@@ -110,6 +110,9 @@ echo "TESTING: seccomp chmod profile - seccomp lists (test/filters/seccomp-chmod
 echo "TESTING: seccomp empty (test/filters/seccomp-empty.exp)"
 ./seccomp-empty.exp
+echo "TESTING: seccomp numeric (test/filters/seccomp-numeric.exp)"
+./seccomp-numeric.exp
 if [ "$(uname -m)" = "x86_64" ]; then
        echo "TESTING: seccomp dual filter (test/filters/seccomp-dualfilter.exp)"
        ./seccomp-dualfilter.exp
diff --git a/test/filters/seccomp-numeric.exp b/test/filters/seccomp-numeric.exp
new file mode 100755
index 000000000..77f6d60b0
--- /dev/null
+++ b/test/filters/seccomp-numeric.exp
@@ -0,0 +1,44 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2019 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "touch seccomp-test-file\r"
+after 100
+send --  "firejail --seccomp=unlinkat:ENOENT,mkdir:ENOENT rm seccomp-test-file\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "No such file or directory"
+}
+after 100
+send --  "firejail --seccomp=\\\$263:ENOENT,mkdir:ENOENT rm seccomp-test-file\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "No such file or directory"
+}
+after 100
+send --  "firejail --seccomp=unlinkat:ENOENT,mkdir:ENOENT mkdir seccomp-test-dir\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "No such file or directory"
+}
+after 100
+send --  "firejail --seccomp=unlinkat:ENOENT,\\\$83:ENOENT mkdir seccomp-test-dir\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "No such file or directory"
+}
+after 100
+send -- "rm seccomp-test-file\r"
+#send -- "rm -fr seccomp-test-dir\r"
+after 100
+puts "all done\n"
diff --git a/test/fs/whitelist-dev.exp b/test/fs/whitelist-dev.exp
index d2cb72edd..1df8c361c 100755
--- a/test/fs/whitelist-dev.exp
+++ b/test/fs/whitelist-dev.exp
@@ -14,10 +14,10 @@ expect {
 }
 sleep 1
-send -- "find /dev | wc -l\r"
+send -- "ls /dev | wc -l\r"
 expect {
        timeout {puts "TESTING ERROR 1\n";exit}
-        "2"
+        "1"
 }
 after 100
 send -- "exit\r"
@@ -33,7 +33,7 @@ sleep 1
 send -- "find /dev | wc -l\r"
 expect {
        timeout {puts "TESTING ERROR 3\n";exit}
-        "4"
+        "1"
 }
 after 100
 send -- "exit\r"
@@ -46,7 +46,7 @@ expect {
 }
 sleep 1
-send -- "ls -l /dev | wc -l\r"
+send -- "ls /dev | wc -l\r"
 expect {
        timeout {puts "TESTING ERROR 5\n";exit}
        "12" {puts "OK\n"}