58 files changed, 569 insertions, 390 deletions

diff --git a/etc/profile-a-l/7z.profile b/etc/profile-a-l/7z.profile
index 02a2e7ea0..5e1c17b28 100644
--- a/etc/profile-a-l/7z.profile
+++ b/etc/profile-a-l/7z.profile
@@ -7,41 +7,6 @@ include 7z.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
-
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-
-apparmor
-caps.drop all
-hostname 7z
-ipc-namespace
-machine-id
-net none
-no3d
-nodvd
-#nogroups
-nonewprivs
-#noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-x11 none
-
-#private-bin 7z,7z*,p7zip
-private-cache
-private-dev
-
-dbus-user none
-dbus-system none
-
-memory-deny-write-execute
+noblacklist ${PATH}/bash
+noblacklist ${PATH}/sh
+include archiver-common.inc
diff --git a/etc/profile-a-l/alacarte.profile b/etc/profile-a-l/alacarte.profile
new file mode 100644
index 000000000..98188d2a7
--- /dev/null
+++ b/etc/profile-a-l/alacarte.profile
@@ -0,0 +1,64 @@
+# Firejail profile for alacarte
+# Description: Create desktop and menu launchers easily
+# This file is overwritten after every install/update
+# Persistent local customizations
+include alacarte.local
+# Persistent global definitions
+include globals.local
+
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-passwdmgr.inc
+include disable-xdg.inc
+
+# Whitelist your system icon directory,varies by distro
+whitelist /usr/share/alacarte
+whitelist /usr/share/app-info
+whitelist /usr/share/desktop-directories
+whitelist /usr/share/icons
+whitelist /var/lib/app-info/icons
+whitelist /var/lib/flatpak/exports/share/applications
+whitelist /var/lib/flatpak/exports/share/icons
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+no3d
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+# private-bin alacarte,bash,python*,sh
+private-cache
+private-dev
+private-etc alternatives,dconf,fonts,gtk-3.0,locale.alias,locale.conf,login.defs,mime.types,nsswitch.conf,passwd,pki,X11,xdg
+private-tmp
+
+dbus-user none
+dbus-system none
+
+read-write ${HOME}/.config/menus
+read-write ${HOME}/.gnome/apps
+read-write ${HOME}/.local/share/applications
+read-write ${HOME}/.local/share/flatpak/exports
diff --git a/etc/profile-a-l/ar.profile b/etc/profile-a-l/ar.profile
index 183587ff8..c2b215807 100644
--- a/etc/profile-a-l/ar.profile
+++ b/etc/profile-a-l/ar.profile
@@ -7,42 +7,4 @@ include ar.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
-
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-include disable-shell.inc
-
-apparmor
-caps.drop all
-hostname ar
-ipc-namespace
-machine-id
-net none
-no3d
-nodvd
-nogroups
-nonewprivs
-#noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-x11 none
-
-private-bin ar
-private-cache
-private-dev
-
-dbus-user none
-dbus-system none
-
-memory-deny-write-execute
+include archiver-common.inc
diff --git a/etc/profile-a-l/atom.profile b/etc/profile-a-l/atom.profile
index cf0a5a42b..f21a5febf 100644
--- a/etc/profile-a-l/atom.profile
+++ b/etc/profile-a-l/atom.profile
@@ -6,31 +6,27 @@ include atom.local
 # Persistent global definitions
 include globals.local
 
+# Disabled until someone reported positive feedback
+ignore include disable-devel.inc
+ignore include disable-interpreters.inc
+ignore include disable-xdg.inc
+ignore whitelist ${DOWNLOADS}
+ignore include whitelist-common.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+ignore include whitelist-var-common.inc
+ignore apparmor
+ignore disable-mnt
+
 noblacklist ${HOME}/.atom
 noblacklist ${HOME}/.config/Atom
 
 # Allows files commonly used by IDEs
 include allow-common-devel.inc
 
-include disable-common.inc
-include disable-exec.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-
-caps.keep sys_admin,sys_chroot
 # net none
 netfilter
-nodvd
-nogroups
 nosound
-notv
-nou2f
-novideo
-shell none
-
-private-cache
-private-dev
-private-tmp
 
-dbus-user none
-dbus-system none
+# Redirect
+include electron.profile
diff --git a/etc/profile-a-l/atool.profile b/etc/profile-a-l/atool.profile
index e501e956c..34af47df2 100644
--- a/etc/profile-a-l/atool.profile
+++ b/etc/profile-a-l/atool.profile
@@ -7,47 +7,12 @@ include atool.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
-
 # Allow perl (blacklisted by disable-interpreters.inc)
 include allow-perl.inc
+include archiver-common.inc
 
-include disable-common.inc
-# include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-
-apparmor
-caps.drop all
-hostname atool
-ipc-namespace
-machine-id
-net none
-no3d
-nodvd
-nogroups
-nonewprivs
 noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-x11 none
 
-# private-bin atool,perl
-private-cache
-private-dev
 # without login.defs atool complains and uses UID/GID 1000 by default
 private-etc alternatives,group,login.defs,passwd
 private-tmp
-
-dbus-user none
-dbus-system none
-
-memory-deny-write-execute
diff --git a/etc/profile-a-l/authenticator-rs.profile b/etc/profile-a-l/authenticator-rs.profile
new file mode 100644
index 000000000..fb12018f5
--- /dev/null
+++ b/etc/profile-a-l/authenticator-rs.profile
@@ -0,0 +1,55 @@
+# Firejail profile for authenticator-rs
+# Description: Rust based 2FA authentication program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include authenticator-rs.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/authenticator-rs
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.local/share/authenticator-rs
+whitelist ${HOME}/.local/share/authenticator-rs
+whitelist ${DOWNLOADS}
+whitelist /usr/share/uk.co.grumlimited.authenticator-rs
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin authenticator-rs
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,pki,resolv.conf,ssl,xdg
+private-tmp
+
+dbus-user filter
+dbus-user.talk ca.desrt.dconf
+dbus-system none
diff --git a/etc/profile-a-l/balsa.profile b/etc/profile-a-l/balsa.profile
index a401ac592..cda6b1aa0 100644
--- a/etc/profile-a-l/balsa.profile
+++ b/etc/profile-a-l/balsa.profile
@@ -58,7 +58,7 @@ shell none
 tracelog
 
 # disable-mnt
-# Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg 
+# Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg
 # Add "ignore private-bin" for hyperlinks or have a look at the private-bins in firefox.profile and firefox-common.profile.
 private-bin balsa,balsa-ab
 private-cache
diff --git a/etc/profile-a-l/beaker.profile b/etc/profile-a-l/beaker.profile
index cc1886a49..f3a9568bd 100644
--- a/etc/profile-a-l/beaker.profile
+++ b/etc/profile-a-l/beaker.profile
@@ -3,17 +3,26 @@
 # Persistent local customizations
 include beaker.local
 # Persistent global definitions
-# added by included profile
-#include globals.local
+include globals.local
 
-noblacklist ${HOME}/.config/Beaker Browser
+# Disabled until someone reported positive feedback
+ignore include disable-exec.inc
+ignore include disable-xdg.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+ignore include whitelist-var-common.inc
+ignore nou2f
+ignore novideo
+ignore shell none
+ignore disable-mnt
+ignore private-cache
+ignore private-dev
+ignore private-tmp
 
-include disable-devel.inc
-include disable-interpreters.inc
+noblacklist ${HOME}/.config/Beaker Browser
 
 mkdir ${HOME}/.config/Beaker Browser
 whitelist ${HOME}/.config/Beaker Browser
-include whitelist-common.inc
 
 # Redirect
 include electron.profile
diff --git a/etc/profile-a-l/brave.profile b/etc/profile-a-l/brave.profile
index 904d3e94f..5a5e9eacd 100644
--- a/etc/profile-a-l/brave.profile
+++ b/etc/profile-a-l/brave.profile
@@ -10,10 +10,6 @@ include globals.local
 ignore noexec /tmp
 # TOR is installed in ${HOME}
 ignore noexec ${HOME}
-# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
-ignore whitelist /usr/share/chromium
-ignore include whitelist-runuser-common.inc
-ignore include whitelist-usr-share-common.inc
 
 noblacklist ${HOME}/.cache/BraveSoftware
 noblacklist ${HOME}/.config/BraveSoftware
diff --git a/etc/profile-a-l/bsdtar.profile b/etc/profile-a-l/bsdtar.profile
index 08e51f3c1..c37f4071e 100644
--- a/etc/profile-a-l/bsdtar.profile
+++ b/etc/profile-a-l/bsdtar.profile
@@ -6,43 +6,6 @@ include bsdtar.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
+include archiver-common.inc
 
-include disable-common.inc
-# include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-
-apparmor
-caps.drop all
-hostname bsdtar
-ipc-namespace
-machine-id
-net none
-no3d
-nodvd
-nogroups
-nonewprivs
-# noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-x11 none
-
-# support compressed archives
-private-bin bash,bsdcat,bsdcpio,bsdtar,bzip2,compress,gtar,gzip,lbzip2,libarchive,lz4,lzip,lzma,lzop,sh,xz
-private-cache
-private-dev
 private-etc alternatives,group,localtime,passwd
-
-dbus-user none
-dbus-system none
-
-memory-deny-write-execute
diff --git a/etc/profile-a-l/celluloid.profile b/etc/profile-a-l/celluloid.profile
index 56709a466..d379651c7 100644
--- a/etc/profile-a-l/celluloid.profile
+++ b/etc/profile-a-l/celluloid.profile
@@ -32,7 +32,7 @@ whitelist ${HOME}/.config/celluloid
 whitelist ${HOME}/.config/gnome-mpv
 whitelist ${HOME}/.config/youtube-dl
 include whitelist-common.inc
-include whitelist-players.inc
+include whitelist-player-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/chromium-common.profile b/etc/profile-a-l/chromium-common.profile
index 6a9cf99b0..ce9c652c6 100644
--- a/etc/profile-a-l/chromium-common.profile
+++ b/etc/profile-a-l/chromium-common.profile
@@ -25,7 +25,6 @@ mkdir ${HOME}/.local/share/pki
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.pki
 whitelist ${HOME}/.local/share/pki
-whitelist /usr/share/chromium
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/chromium.profile b/etc/profile-a-l/chromium.profile
index dab9ce449..14f1bbe64 100644
--- a/etc/profile-a-l/chromium.profile
+++ b/etc/profile-a-l/chromium.profile
@@ -15,6 +15,7 @@ mkdir ${HOME}/.config/chromium
 whitelist ${HOME}/.cache/chromium
 whitelist ${HOME}/.config/chromium
 whitelist ${HOME}/.config/chromium-flags.conf
+whitelist /usr/share/chromium
 
 # private-bin chromium,chromium-browser,chromedriver
 
diff --git a/etc/profile-a-l/com.github.bleakgrey.tootle.profile b/etc/profile-a-l/com.github.bleakgrey.tootle.profile
new file mode 100644
index 000000000..4de7eb497
--- /dev/null
+++ b/etc/profile-a-l/com.github.bleakgrey.tootle.profile
@@ -0,0 +1,55 @@
+# Firejail profile for com.github.bleakgrey.tootle
+# Description: Gtk Mastodon client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include com.github.bleakgrey.tootle.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/com.github.bleakgrey.tootle
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/com.github.bleakgrey.tootle
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.config/com.github.bleakgrey.tootle
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin com.github.bleakgrey.tootle
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,machine-id mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg
+private-tmp
+
+# Settings are immutable
+# dbus-user filter
+# dbus-user.own com.github.bleakgrey.tootle
+# dbus-user.talk ca.desrt.dconf
+dbus-system none
diff --git a/etc/profile-a-l/cower.profile b/etc/profile-a-l/cower.profile
index 0ab5a7f78..2c6b15e02 100644
--- a/etc/profile-a-l/cower.profile
+++ b/etc/profile-a-l/cower.profile
@@ -46,5 +46,4 @@ private-dev
 private-tmp
 
 memory-deny-write-execute
-
 read-only ${HOME}/.config/cower/config
diff --git a/etc/profile-a-l/cpio.profile b/etc/profile-a-l/cpio.profile
index 087a5b2bb..785308ffd 100644
--- a/etc/profile-a-l/cpio.profile
+++ b/etc/profile-a-l/cpio.profile
@@ -7,40 +7,7 @@ include cpio.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
-
 noblacklist /sbin
 noblacklist /usr/sbin
 
-include disable-common.inc
-# include disable-devel.inc
-include disable-exec.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-
-apparmor
-caps.drop all
-hostname cpio
-ipc-namespace
-machine-id
-net none
-no3d
-nodvd
-nogroups
-nonewprivs
-nosound
-notv
-nou2f
-novideo
-seccomp
-shell none
-tracelog
-x11 none
-
-private-cache
-private-dev
-
-dbus-user none
-dbus-system none
-
-memory-deny-write-execute
+include archiver-common.inc
diff --git a/etc/profile-a-l/curl.profile b/etc/profile-a-l/curl.profile
index 996ff51d3..f8b194044 100644
--- a/etc/profile-a-l/curl.profile
+++ b/etc/profile-a-l/curl.profile
@@ -7,10 +7,15 @@ include curl.local
 # Persistent global definitions
 include globals.local
 
+# curl 7.74.0 introduces experimental support for HSTS cache
+# https://daniel.haxx.se/blog/2020/11/03/hsts-your-curl/
+# technically this file can be anywhere but let's assume users have it in ${HOME}/.curl-hsts
+# if your setup diverts, add 'blacklist /path/to/curl/hsts/file' to your disable-programs.local
+# and 'noblacklist /path/to/curl/hsts/file' to curl.local to keep the sandbox logic intact
+noblacklist ${HOME}/.curl-hsts
 noblacklist ${HOME}/.curlrc
 
 blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
 blacklist ${RUNUSER}
 
 include disable-common.inc
diff --git a/etc/profile-a-l/default.profile b/etc/profile-a-l/default.profile
index 7eb7660dd..2ecf1a45d 100644
--- a/etc/profile-a-l/default.profile
+++ b/etc/profile-a-l/default.profile
@@ -5,7 +5,7 @@ include default.local
 # Persistent global definitions
 include globals.local
 
-# generic gui profile
+# generic GUI profile
 # depending on your usage, you can enable some of the commands below:
 
 include disable-common.inc
@@ -14,12 +14,13 @@ include disable-common.inc
 # include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+# include disable-shell.inc
 # include disable-write-mnt.inc
 # include disable-xdg.inc
 
 # include whitelist-common.inc
-# include whitelist-usr-share-common.inc
 # include whitelist-runuser-common.inc
+# include whitelist-usr-share-common.inc
 # include whitelist-var-common.inc
 
 # apparmor
diff --git a/etc/profile-a-l/devhelp.profile b/etc/profile-a-l/devhelp.profile
index b8b07469d..a47a71feb 100644
--- a/etc/profile-a-l/devhelp.profile
+++ b/etc/profile-a-l/devhelp.profile
@@ -50,5 +50,4 @@ private-tmp
 # dbus-system none
 
 #memory-deny-write-execute - breaks on Arch (see issue #1803)
-
 read-only ${HOME}
diff --git a/etc/profile-a-l/devilspie.profile b/etc/profile-a-l/devilspie.profile
index 1ab10a6f6..7c3ac50ad 100644
--- a/etc/profile-a-l/devilspie.profile
+++ b/etc/profile-a-l/devilspie.profile
@@ -56,5 +56,4 @@ dbus-user none
 dbus-system none
 
 memory-deny-write-execute
-
 read-only ${HOME}
diff --git a/etc/profile-a-l/dig.profile b/etc/profile-a-l/dig.profile
index 152dfd980..80d97a31f 100644
--- a/etc/profile-a-l/dig.profile
+++ b/etc/profile-a-l/dig.profile
@@ -11,7 +11,6 @@ noblacklist ${HOME}/.digrc
 noblacklist ${PATH}/dig
 
 blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
 blacklist ${RUNUSER}
 
 include disable-common.inc
diff --git a/etc/profile-a-l/discord-common.profile b/etc/profile-a-l/discord-common.profile
index 35bea4aaa..e6edbd7eb 100644
--- a/etc/profile-a-l/discord-common.profile
+++ b/etc/profile-a-l/discord-common.profile
@@ -6,33 +6,24 @@ include discord-common.local
 # added by caller profile
 #include globals.local
 
-ignore noexec ${HOME}
+# Disabled until someone reported positive feedback
+ignore include disable-interpreters.inc
+ignore include disable-xdg.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+ignore apparmor
+ignore disable-mnt
+ignore private-cache
+ignore dbus-user none
+ignore dbus-system none
 
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
+ignore noexec ${HOME}
 
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.config/BetterDiscord
 whitelist ${HOME}/.local/share/betterdiscordctl
-include whitelist-common.inc
-include whitelist-var-common.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-nou2f
-novideo
-protocol unix,inet,inet6,netlink
-seccomp !chroot
 
 private-bin bash,cut,echo,egrep,fish,grep,head,sed,sh,tclsh,tr,xdg-mime,xdg-open,zsh
-private-dev
 private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,login.defs,machine-id,password,pki,resolv.conf,ssl
-private-tmp
+
+# Redirect
+include electron.profile
diff --git a/etc/profile-a-l/dolphin-emu.profile b/etc/profile-a-l/dolphin-emu.profile
new file mode 100644
index 000000000..13d830b55
--- /dev/null
+++ b/etc/profile-a-l/dolphin-emu.profile
@@ -0,0 +1,63 @@
+# Firejail profile for dolphin-emu
+# Description: An emulator for Gamecube and Wii games
+# This file is overwritten after every install/update
+# Persistent local customizations
+include dolphin-emu.local
+# Persistent global definitions
+include globals.local
+
+# Note: you must whitelist your games folder in a dolphin-emu.local
+
+noblacklist ${HOME}/.cache/dolphin-emu
+noblacklist ${HOME}/.config/dolphin-emu
+noblacklist ${HOME}/.local/share/dolphin-emu
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/dolphin-emu
+mkdir ${HOME}/.config/dolphin-emu
+mkdir ${HOME}/.local/share/dolphin-emu
+whitelist ${HOME}/.cache/dolphin-emu
+whitelist ${HOME}/.config/dolphin-emu
+whitelist ${HOME}/.local/share/dolphin-emu
+whitelist /usr/share/dolphin-emu
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+# uncomment the following line if you do not need NetPlay support
+# net none
+netfilter
+# uncomment the following line if you do not need disc support
+#nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink,bluetooth
+seccomp
+shell none
+tracelog
+
+private-bin bash,dolphin-emu,dolphin-emu-x11,sh
+private-cache
+# uncomment the following line if you do not need controller support
+#private-dev
+private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dconf,drirc,fonts,gconf,glvnd,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,kde4rc,kde5rc,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,nvidia,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,Trolltech.conf,X11,xdg
+private-opt none
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/drill.profile b/etc/profile-a-l/drill.profile
new file mode 100644
index 000000000..07f47be5d
--- /dev/null
+++ b/etc/profile-a-l/drill.profile
@@ -0,0 +1,55 @@
+# Firejail profile for drill
+# Description: DNS lookup utility
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include drill.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${PATH}/drill
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}
+
+include disable-common.inc
+# include disable-devel.inc
+include disable-exec.inc
+# include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private
+private-bin bash,drill,sh
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-a-l/electron.profile b/etc/profile-a-l/electron.profile
index 9b99c7ffb..d3be07c9d 100644
--- a/etc/profile-a-l/electron.profile
+++ b/etc/profile-a-l/electron.profile
@@ -3,25 +3,39 @@
 # This file is overwritten after every install/update
 # Persistent local customizations
 include electron.local
-# Persistent global definitions
-include globals.local
 
 include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 
 whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+# Uncomment the next line (or add it to your chromium-common.local)
+# if your kernel allows unprivileged userns clone.
+#include chromium-common-hardened.inc
 
 apparmor
-caps.drop all
+caps.keep sys_admin,sys_chroot
 netfilter
 nodvd
 nogroups
-nonewprivs
-noroot
 notv
-protocol unix,inet,inet6,netlink
-seccomp
+nou2f
+novideo
+shell none
+
+disable-mnt
+private-cache
+private-dev
+private-tmp
 
 dbus-user none
 dbus-system none
diff --git a/etc/profile-a-l/element-desktop.profile b/etc/profile-a-l/element-desktop.profile
index c1aa821e3..48a826f2e 100644
--- a/etc/profile-a-l/element-desktop.profile
+++ b/etc/profile-a-l/element-desktop.profile
@@ -7,16 +7,18 @@ include element-desktop.local
 # added by included profile
 #include globals.local
 
+ignore dbus-user none
+
 noblacklist ${HOME}/.config/Element
-noblacklist ${HOME}/.config/Element (Riot)
 
 mkdir ${HOME}/.config/Element
-mkdir ${HOME}/.config/Element (Riot)
 whitelist ${HOME}/.config/Element
-whitelist ${HOME}/.config/Element (Riot)
 whitelist /opt/Element
 
 private-opt Element
 
+dbus-user filter
+dbus-user.talk org.freedesktop.secrets
+
 # Redirect
 include riot-desktop.profile
diff --git a/etc/profile-a-l/falkon.profile b/etc/profile-a-l/falkon.profile
index 0024b6660..640b0e485 100644
--- a/etc/profile-a-l/falkon.profile
+++ b/etc/profile-a-l/falkon.profile
@@ -15,15 +15,20 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 
 mkdir ${HOME}/.cache/falkon
 mkdir ${HOME}/.config/falkon
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/falkon
 whitelist ${HOME}/.config/falkon
+whitelist /usr/share/falkon
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 netfilter
 nodvd
@@ -37,7 +42,13 @@ protocol unix,inet,inet6,netlink
 seccomp !chroot
 # tracelog
 
+disable-mnt
+# private-bin falkon
+private-cache
 private-dev
-# private-etc alternatives,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,adobe,mime.types,mailcap,asound.conf,pulse,machine-id,ca-certificates,ssl,pki,crypto-policies
-# private-tmp - interferes with the opening of downloaded files
+private-etc adobe,alternatives,asound.conf,ati,ca-certificates,crypto-policies,dconf,drirc,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg
+private-tmp
 
+# dbus-user filter
+# dbus-user.own org.kde.Falkon
+dbus-system none
diff --git a/etc/profile-a-l/feh.profile b/etc/profile-a-l/feh.profile
index 3ee07e559..8ac7755de 100644
--- a/etc/profile-a-l/feh.profile
+++ b/etc/profile-a-l/feh.profile
@@ -1,6 +1,7 @@
 # Firejail profile for feh
 # Description: imlib2 based image viewer
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include feh.local
 # Persistent global definitions
diff --git a/etc/profile-a-l/file.profile b/etc/profile-a-l/file.profile
index 74620d4cd..c02f9e3de 100644
--- a/etc/profile-a-l/file.profile
+++ b/etc/profile-a-l/file.profile
@@ -7,7 +7,6 @@ include file.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
 blacklist ${RUNUSER}
 
 include disable-common.inc
diff --git a/etc/profile-a-l/firefox.profile b/etc/profile-a-l/firefox.profile
index 3472ac5c4..772aad7da 100644
--- a/etc/profile-a-l/firefox.profile
+++ b/etc/profile-a-l/firefox.profile
@@ -16,6 +16,7 @@ whitelist ${HOME}/.mozilla
 
 whitelist /usr/share/doc
 whitelist /usr/share/firefox
+whitelist /usr/share/gnome-shell/search-providers/firefox-search-provider.ini
 whitelist /usr/share/gtk-doc/html
 whitelist /usr/share/mozilla
 whitelist /usr/share/webext
@@ -29,6 +30,7 @@ include whitelist-usr-share-common.inc
 #private-etc firefox
 
 dbus-user filter
+dbus-user.own org.mozilla.Firefox.*
 dbus-user.own org.mozilla.firefox.*
 dbus-user.own org.mpris.MediaPlayer2.firefox.*
 # Uncomment or put in your firefox.local to enable native notifications.
diff --git a/etc/profile-a-l/fractal.profile b/etc/profile-a-l/fractal.profile
index ab907eb0d..c3af29e15 100644
--- a/etc/profile-a-l/fractal.profile
+++ b/etc/profile-a-l/fractal.profile
@@ -1,5 +1,5 @@
 # Firejail profile for fractal
-# Description: Desktop client for Matrix 
+# Description: Desktop client for Matrix
 # This file is overwritten after every install/update
 # Persistent local customizations
 include fractal.local
@@ -21,7 +21,7 @@ mkdir ${HOME}/.cache/fractal
 whitelist ${HOME}/.cache/fractal
 whitelist ${DOWNLOADS}
 include whitelist-common.inc
-include whitelist-runuser-common.inc 
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/freeoffice-planmaker.profile b/etc/profile-a-l/freeoffice-planmaker.profile
index 9449e7c48..b6ca167eb 100644
--- a/etc/profile-a-l/freeoffice-planmaker.profile
+++ b/etc/profile-a-l/freeoffice-planmaker.profile
@@ -7,4 +7,4 @@ include freeoffice-planmaker.local
 include globals.local
 
 # Redirect
-include softmaker-common.inc
+include softmaker-common.profile
diff --git a/etc/profile-a-l/freeoffice-presentations.profile b/etc/profile-a-l/freeoffice-presentations.profile
index 636868e2e..43661028c 100644
--- a/etc/profile-a-l/freeoffice-presentations.profile
+++ b/etc/profile-a-l/freeoffice-presentations.profile
@@ -7,4 +7,4 @@ include freeoffice-presentations.local
 include globals.local
 
 # Redirect
-include softmaker-common.inc
+include softmaker-common.profile
diff --git a/etc/profile-a-l/freeoffice-textmaker.profile b/etc/profile-a-l/freeoffice-textmaker.profile
index 5d98d1cc6..f7d30eaed 100644
--- a/etc/profile-a-l/freeoffice-textmaker.profile
+++ b/etc/profile-a-l/freeoffice-textmaker.profile
@@ -6,4 +6,4 @@ include freeoffice-textmaker.local
 include globals.local
 
 # Redirect
-include softmaker-common.inc
+include softmaker-common.profile
diff --git a/etc/profile-a-l/freetube.profile b/etc/profile-a-l/freetube.profile
index 91f0caf87..e6aff533d 100644
--- a/etc/profile-a-l/freetube.profile
+++ b/etc/profile-a-l/freetube.profile
@@ -8,24 +8,13 @@ include globals.local
 
 noblacklist ${HOME}/.config/FreeTube
 
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-shell.inc 
-include disable-xdg.inc
+include disable-shell.inc
 
 mkdir ${HOME}/.config/FreeTube
 whitelist ${HOME}/.config/FreeTube
 
-seccomp !chroot
-shell none
-
-disable-mnt
 private-bin freetube
-private-cache
-private-dev
 private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg
-private-tmp
 
 # Redirect
 include electron.profile
diff --git a/etc/profile-a-l/geekbench.profile b/etc/profile-a-l/geekbench.profile
index e06a9afad..77287769a 100644
--- a/etc/profile-a-l/geekbench.profile
+++ b/etc/profile-a-l/geekbench.profile
@@ -51,5 +51,4 @@ dbus-user none
 dbus-system none
 
 #memory-deny-write-execute - breaks on Arch (see issue #1803)
-
 read-only ${HOME}
diff --git a/etc/profile-a-l/ghostwriter.profile b/etc/profile-a-l/ghostwriter.profile
index c15174815..d56d6714e 100644
--- a/etc/profile-a-l/ghostwriter.profile
+++ b/etc/profile-a-l/ghostwriter.profile
@@ -11,6 +11,8 @@ noblacklist ${HOME}/.local/share/ghostwriter
 noblacklist ${DOCUMENTS}
 noblacklist ${PICTURES}
 
+include allow-lua.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/profile-a-l/gimp.profile b/etc/profile-a-l/gimp.profile
index ed27de7f5..bc5ef966c 100644
--- a/etc/profile-a-l/gimp.profile
+++ b/etc/profile-a-l/gimp.profile
@@ -52,7 +52,7 @@ nosound
 notv
 nou2f
 protocol unix
-seccomp
+seccomp !mbind
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/github-desktop.profile b/etc/profile-a-l/github-desktop.profile
index 152396553..325c54ced 100644
--- a/etc/profile-a-l/github-desktop.profile
+++ b/etc/profile-a-l/github-desktop.profile
@@ -6,43 +6,35 @@ include github-desktop.local
 # Persistent global definitions
 include globals.local
 
+# Note: On debian-based distributions the binary might be located in
+# /opt/GitHub Desktop/github-desktop, and therefore not be in PATH.
+# If that's the case you can start GitHub Desktop with firejail via
+# `firejail "/opt/GitHub Desktop/github-desktop"`.
+
+# Disabled until someone reported positive feedback
+ignore include disable-xdg.inc
+ignore whitelist ${DOWNLOADS}
+ignore include whitelist-common.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+ignore include whitelist-var-common.inc
+ignore apparmor
+ignore dbus-user none
+ignore dbus-system none
+
 noblacklist ${HOME}/.config/GitHub Desktop
 noblacklist ${HOME}/.config/git
 noblacklist ${HOME}/.gitconfig
 noblacklist ${HOME}/.git-credentials
 
-include disable-common.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-
-caps.drop all
-netfilter
 # no3d
-nodvd
-nogroups
-nonewprivs
-noroot
 nosound
-notv
-nou2f
-novideo
-protocol unix,inet,inet6,netlink
-seccomp !chroot
 
-# Note: On debian-based distributions the binary might be located in
-# /opt/GitHub Desktop/github-desktop, and therefore not be in PATH.
-# If that's the case you can start GitHub Desktop with firejail via
-# `firejail "/opt/GitHub Desktop/github-desktop"`.
-
-disable-mnt
 # private-bin github-desktop
-private-cache
 ?HAS_APPIMAGE: ignore private-dev
-private-dev
 # private-lib
-private-tmp
 
 # memory-deny-write-execute
+
+# Redirect
+include electron.profile
diff --git a/etc/profile-a-l/gnome-system-log.profile b/etc/profile-a-l/gnome-system-log.profile
index 14b0f758e..9c0a26a02 100644
--- a/etc/profile-a-l/gnome-system-log.profile
+++ b/etc/profile-a-l/gnome-system-log.profile
@@ -53,7 +53,6 @@ writable-var-log
 # dbus-system none
 
 memory-deny-write-execute
-
-# comment this if you export logs to a file in your ${HOME}
+# Comment the line below if you export logs to a file in your ${HOME}
 # or put 'ignore read-only ${HOME}' in your gnome-system-log.local
 read-only ${HOME}
diff --git a/etc/profile-a-l/godot.profile b/etc/profile-a-l/godot.profile
index 8324a4eb5..f37f345ba 100644
--- a/etc/profile-a-l/godot.profile
+++ b/etc/profile-a-l/godot.profile
@@ -38,7 +38,7 @@ tracelog
 # private-bin godot
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,machine-id,nsswitch.conf,openal,pki,pulse,resolv.conf,ssl
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,machine-id,mono,nsswitch.conf,openal,pki,pulse,resolv.conf,ssl
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/gtk-straw-viewer.profile b/etc/profile-a-l/gtk-straw-viewer.profile
new file mode 100644
index 000000000..e2721360b
--- /dev/null
+++ b/etc/profile-a-l/gtk-straw-viewer.profile
@@ -0,0 +1,14 @@
+# Firejail profile for gtk-straw-viewer
+# Description: Gtk front-end to straw-viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gtk-straw-viewer.local
+# added by included profile
+#include globals.local
+
+ignore quiet
+
+include whitelist-runuser-common.inc
+
+# Redirect
+include straw-viewer.profile
diff --git a/etc/profile-a-l/gtk-youtube-viewer b/etc/profile-a-l/gtk-youtube-viewer.profile
index 023f10d3d..848979b52 100644
--- a/etc/profile-a-l/gtk-youtube-viewer
+++ b/etc/profile-a-l/gtk-youtube-viewer.profile
@@ -3,16 +3,12 @@
 # This file is overwritten after every install/update
 # Persistent local customizations
 include gtk-youtube-viewer.local
-# Persistent global definitions
-# include globals.local
+# added by included profile
+#include globals.local
 
 ignore quiet
 
-noblacklist /tmp/.X11-unix
-noblacklist ${RUNUSER}/wayland-*
-noblacklist ${RUNUSER}
-
 include whitelist-runuser-common.inc
 
 # Redirect
-include youtube-viewer.profile
\ No newline at end of file
+include youtube-viewer.profile
diff --git a/etc/profile-a-l/gtk2-youtube-viewer b/etc/profile-a-l/gtk2-youtube-viewer.profile
index 331e73218..787c7bd90 100644
--- a/etc/profile-a-l/gtk2-youtube-viewer
+++ b/etc/profile-a-l/gtk2-youtube-viewer.profile
@@ -3,16 +3,15 @@
 # This file is overwritten after every install/update
 # Persistent local customizations
 include gtk2-youtube-viewer.local
-# Persistent global definitions
-# include globals.local
+# added by included profile
+#include globals.local
 
 ignore quiet
 
 noblacklist /tmp/.X11-unix
-noblacklist ${RUNUSER}/wayland-*
 noblacklist ${RUNUSER}
 
 include whitelist-runuser-common.inc
 
 # Redirect
-include youtube-viewer.profile
\ No newline at end of file
+include youtube-viewer.profile
diff --git a/etc/profile-a-l/gtk3-youtube-viewer b/etc/profile-a-l/gtk3-youtube-viewer.profile
index 4c5bde55f..988882622 100644
--- a/etc/profile-a-l/gtk3-youtube-viewer
+++ b/etc/profile-a-l/gtk3-youtube-viewer.profile
@@ -3,16 +3,15 @@
 # This file is overwritten after every install/update
 # Persistent local customizations
 include gtk3-youtube-viewer.local
-# Persistent global definitions
-# include globals.local
+# added by included profile
+#include globals.local
 
 ignore quiet
 
 noblacklist /tmp/.X11-unix
-noblacklist ${RUNUSER}/wayland-*
 noblacklist ${RUNUSER}
 
 include whitelist-runuser-common.inc
 
 # Redirect
-include youtube-viewer.profile
\ No newline at end of file
+include youtube-viewer.profile
diff --git a/etc/profile-a-l/gzip.profile b/etc/profile-a-l/gzip.profile
index 8ec39d8ca..9b59e57e7 100644
--- a/etc/profile-a-l/gzip.profile
+++ b/etc/profile-a-l/gzip.profile
@@ -7,43 +7,7 @@ include gzip.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
-
 # Arch Linux (based distributions) need access to /var/lib/pacman. As we drop all capabilities this is automatically read-only.
 noblacklist /var/lib/pacman
 
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-
-apparmor
-caps.drop all
-hostname gzip
-ipc-namespace
-machine-id
-net none
-no3d
-nodvd
-nogroups
-nonewprivs
-#noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-x11 none
-
-private-cache
-private-dev
-
-dbus-user none
-dbus-system none
-
-memory-deny-write-execute
+include archiver-common.inc
diff --git a/etc/profile-a-l/highlight.profile b/etc/profile-a-l/highlight.profile
index 0761aa2fc..c2812d7f5 100644
--- a/etc/profile-a-l/highlight.profile
+++ b/etc/profile-a-l/highlight.profile
@@ -6,7 +6,6 @@ include highlight.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
 blacklist ${RUNUSER}
 
 include disable-common.inc
diff --git a/etc/profile-a-l/homebank.profile b/etc/profile-a-l/homebank.profile
index 8e600a2d7..da32de640 100644
--- a/etc/profile-a-l/homebank.profile
+++ b/etc/profile-a-l/homebank.profile
@@ -10,7 +10,7 @@ noblacklist ${HOME}/.config/homebank
 
 include disable-common.inc
 include disable-devel.inc
-include disable-exec.inc 
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
 include disable-passwdmgr.inc
diff --git a/etc/profile-a-l/jitsi-meet-desktop.profile b/etc/profile-a-l/jitsi-meet-desktop.profile
index c4121d835..e5beb741a 100644
--- a/etc/profile-a-l/jitsi-meet-desktop.profile
+++ b/etc/profile-a-l/jitsi-meet-desktop.profile
@@ -6,34 +6,22 @@ include jitsi-meet-desktop.local
 # Persistent global definitions
 include globals.local
 
+# Disabled until someone reported positive feedback
+ignore nou2f
+ignore novideo
+ignore shell none
+
 ignore noexec /tmp
 
 noblacklist ${HOME}/.config/Jitsi Meet
 
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-xdg.inc
-
 nowhitelist ${DOWNLOADS}
 
 mkdir ${HOME}/.config/Jitsi Meet
-
 whitelist ${HOME}/.config/Jitsi Meet
 
-include whitelist-common.inc
-include whitelist-usr-share-common.inc
-include whitelist-runuser-common.inc
-include whitelist-var-common.inc
-
-seccomp !chroot
-
-disable-mnt
 private-bin bash,jitsi-meet-desktop
-private-cache
-private-dev
 private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,drirc,fonts,glvnd,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,nvidia,pango,passwd,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg
-private-tmp
 
 # Redirect
 include electron.profile
diff --git a/etc/profile-a-l/kazam.profile b/etc/profile-a-l/kazam.profile
index 9899ff195..9c095e106 100644
--- a/etc/profile-a-l/kazam.profile
+++ b/etc/profile-a-l/kazam.profile
@@ -12,12 +12,12 @@ noblacklist ${PICTURES}
 noblacklist ${VIDEOS}
 noblacklist ${HOME}/.config/kazam
 
-include allow-python2.inc 
-include allow-python3.inc 
+include allow-python2.inc
+include allow-python3.inc
 
 include disable-common.inc
 include disable-devel.inc
-include disable-exec.inc 
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
 include disable-passwdmgr.inc
@@ -25,7 +25,7 @@ include disable-shell.inc
 include disable-xdg.inc
 
 whitelist /usr/share/kazam
-include whitelist-runuser-common.inc 
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/keepassxc.profile b/etc/profile-a-l/keepassxc.profile
index 6a3b29c9d..a3a1b500a 100644
--- a/etc/profile-a-l/keepassxc.profile
+++ b/etc/profile-a-l/keepassxc.profile
@@ -73,12 +73,11 @@ dbus-user.talk org.freedesktop.login1.Session
 dbus-user.talk org.gnome.ScreenSaver
 dbus-user.talk org.gnome.SessionManager
 dbus-user.talk org.gnome.SessionManager.Presence
-# Uncomment or add to your keepassxc.local to allow Notifications/Tray.
+# Uncomment or add to your keepassxc.local to allow Notifications.
 #dbus-user.talk org.freedesktop.Notifications
+# Uncomment or add to your keepassxc.local to allow Tray.
 #dbus-user.talk org.kde.StatusNotifierWatcher
-# These numbers seems to be not stable, see #3713. Play around with them.
-#dbus-user.own org.kde.StatusNotifierItem-2-2
-#dbus-user.own org.kde.StatusNotifierItem-10-2
+#dbus-user.own org.kde.*
 dbus-system none
 
 # Mutex is stored in /tmp by default, which is broken by private-tmp
diff --git a/etc/profile-a-l/kube.profile b/etc/profile-a-l/kube.profile
index cf3a69fd7..e0cfb9f24 100644
--- a/etc/profile-a-l/kube.profile
+++ b/etc/profile-a-l/kube.profile
@@ -63,7 +63,7 @@ shell none
 tracelog
 
 # disable-mnt
-# Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg 
+# Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg
 # Add "ignore private-bin" for hyperlinks or have a look at the private-bins in firefox.profile and firefox-common.profile.
 private-bin kube,sink_synchronizer
 private-cache
diff --git a/etc/profile-a-l/less.profile b/etc/profile-a-l/less.profile
index de6fa67d1..e1f0bc290 100644
--- a/etc/profile-a-l/less.profile
+++ b/etc/profile-a-l/less.profile
@@ -7,7 +7,6 @@ include less.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
 blacklist ${RUNUSER}
 
 noblacklist ${HOME}/.lesshst
diff --git a/etc/profile-a-l/librewolf.profile b/etc/profile-a-l/librewolf.profile
new file mode 100644
index 000000000..5208cb979
--- /dev/null
+++ b/etc/profile-a-l/librewolf.profile
@@ -0,0 +1,28 @@
+# Firejail profile for Librewolf
+# Description: Firefox fork based on privacy
+# This file is overwritten after every install/update
+# Persistent local customizations
+include librewolf.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/librewolf
+noblacklist ${HOME}/.librewolf
+
+mkdir ${HOME}/.cache/librewolf
+mkdir ${HOME}/.librewolf
+whitelist ${HOME}/.cache/librewolf
+whitelist ${HOME}/.librewolf
+
+# Uncomment (or add to librewolf.local) the following lines if you want to
+# use the migration wizard.
+#noblacklist ${HOME}/.mozilla
+#whitelist ${HOME}/.mozilla
+
+# librewolf requires a shell to launch on Arch. We can possibly remove sh though.
+#private-bin bash,dbus-launch,dbus-send,env,librewolf,python*,sh,which
+# private-etc must first be enabled in firefox-common.profile
+#private-etc librewolf
+
+# Redirect
+include firefox-common.profile
diff --git a/etc/profile-a-l/links.profile b/etc/profile-a-l/links.profile
index b2f94d3cf..ccc77f274 100644
--- a/etc/profile-a-l/links.profile
+++ b/etc/profile-a-l/links.profile
@@ -1,6 +1,7 @@
 # Firejail profile for links
 # Description: Text WWW browser
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include links.local
 # Persistent global definitions
diff --git a/etc/profile-a-l/lutris.profile b/etc/profile-a-l/lutris.profile
new file mode 100644
index 000000000..652f571bb
--- /dev/null
+++ b/etc/profile-a-l/lutris.profile
@@ -0,0 +1,74 @@
+# Firejail profile for lutris
+# Description: Multi-library game handler with special support for Wine
+# This file is overwritten after every install/update
+# Persistent local customizations
+include lutris.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${PATH}/llvm*
+noblacklist ${HOME}/Games
+noblacklist ${HOME}/.cache/lutris
+noblacklist ${HOME}/.cache/winetricks
+noblacklist ${HOME}/.config/lutris
+noblacklist ${HOME}/.local/share/lutris
+# noblacklist ${HOME}/.wine
+noblacklist /tmp/.wine-*
+
+ignore noexec ${HOME}
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/Games
+mkdir ${HOME}/.cache/lutris
+mkdir ${HOME}/.cache/winetricks
+mkdir ${HOME}/.config/lutris
+mkdir ${HOME}/.local/share/lutris
+# mkdir ${HOME}/.wine
+whitelist ${HOME}/Downloads
+whitelist ${HOME}/Games
+whitelist ${HOME}/.cache/lutris
+whitelist ${HOME}/.cache/winetricks
+whitelist ${HOME}/.config/lutris
+whitelist ${HOME}/.local/share/lutris
+# whitelist ${HOME}/.wine
+whitelist /usr/share/lutris
+whitelist /usr/share/wine
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+
+# allow-debuggers
+# apparmor
+caps.drop all
+ipc-namespace
+# net none
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+# uncomment the following line if you do not need controller support
+# private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/lynx.profile b/etc/profile-a-l/lynx.profile
index dbd0a61e5..76a0e7ed0 100644
--- a/etc/profile-a-l/lynx.profile
+++ b/etc/profile-a-l/lynx.profile
@@ -1,6 +1,7 @@
 # Firejail profile for lynx
 # Description: Classic non-graphical (text-mode) web browser
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include lynx.local
 # Persistent global definitions
diff --git a/etc/profile-a-l/lyx.profile b/etc/profile-a-l/lyx.profile
index b2c0afbe7..ffde057d5 100644
--- a/etc/profile-a-l/lyx.profile
+++ b/etc/profile-a-l/lyx.profile
@@ -27,7 +27,7 @@ apparmor
 machine-id
 
 # private-bin atril,dvilualatex,env,latex,lua*,luatex,lyx,lyxclient,okular,pdf2latex,pdflatex,pdftex,perl*,python*,qpdf,qpdfview,sh,tex2lyx,texmf,xelatex
-private-etc alternatives,dconf,fonts,gtk-2.0,gtk-3.0,locale,locale.alias,locale.conf,lyx,mime.types,passwd,texmf,X11,xdg
+private-etc alternatives,dconf,fonts,gtk-2.0,gtk-3.0,locale,locale.alias,locale.conf,lyx,machine-id,mime.types,passwd,texmf,X11,xdg
 
 # Redirect
 include latex-common.profile