115 files changed, 475 insertions, 231 deletions
diff --git a/etc/profile-m-z/PCSX2.profile b/etc/profile-m-z/PCSX2.profile
index e75de80ac..a6a9ba6bc 100644
--- a/etc/profile-m-z/PCSX2.profile
+++ b/etc/profile-m-z/PCSX2.profile
@@ -40,8 +40,8 @@ notv
 nou2f
 novideo
 protocol unix,netlink
-#seccomp - breaks loading with no logs
+#seccomp # breaks loading with no logs
-#tracelog - 32/64 bit incompatibility
+#tracelog # 32/64 bit incompatibility
 private-bin PCSX2
 private-cache
diff --git a/etc/profile-m-z/QMediathekView.profile b/etc/profile-m-z/QMediathekView.profile
index 0e18b3cdf..dd5639268 100644
--- a/etc/profile-m-z/QMediathekView.profile
+++ b/etc/profile-m-z/QMediathekView.profile
@@ -57,7 +57,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
-# no3d
+#no3d
 nodvd
 nogroups
 noinput
@@ -81,5 +81,5 @@ private-tmp
 dbus-user none
 dbus-system none
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 restrict-namespaces
diff --git a/etc/profile-m-z/Viber.profile b/etc/profile-m-z/Viber.profile
index 34d500bb1..fe1f9b877 100644
--- a/etc/profile-m-z/Viber.profile
+++ b/etc/profile-m-z/Viber.profile
@@ -35,4 +35,4 @@ private-bin awk,bash,dig,sh,Viber
 private-etc @tls-ca,@x11,mailcap,proxychains.conf
 private-tmp
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-m-z/Xephyr.profile b/etc/profile-m-z/Xephyr.profile
index 0c3d4c1da..aae1808dd 100644
--- a/etc/profile-m-z/Xephyr.profile
+++ b/etc/profile-m-z/Xephyr.profile
@@ -25,7 +25,7 @@ nogroups
 noinput
 nonewprivs
 # In noroot mode, Xephyr cannot create a socket in the real /tmp/.X11-unix.
-# noroot
+#noroot
 nosound
 notv
 nou2f
@@ -35,10 +35,10 @@ seccomp
 disable-mnt
 # using a private home directory
 private
-# private-bin sh,Xephyr,xkbcomp
+#private-bin sh,Xephyr,xkbcomp
-# private-bin bash,cat,ls,sh,strace,Xephyr,xkbcomp
+#private-bin bash,cat,ls,sh,strace,Xephyr,xkbcomp
 private-dev
-# private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,nsswitch.conf,resolv.conf
+#private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,nsswitch.conf,resolv.conf
 #private-tmp
 restrict-namespaces
diff --git a/etc/profile-m-z/Xvfb.profile b/etc/profile-m-z/Xvfb.profile
index 2bb9f171a..052ea520d 100644
--- a/etc/profile-m-z/Xvfb.profile
+++ b/etc/profile-m-z/Xvfb.profile
@@ -39,8 +39,8 @@ seccomp
 disable-mnt
 # using a private home directory
 private
-# private-bin sh,xkbcomp,Xvfb
+#private-bin sh,xkbcomp,Xvfb
-# private-bin bash,cat,ls,sh,strace,xkbcomp,Xvfb
+#private-bin bash,cat,ls,sh,strace,xkbcomp,Xvfb
 private-dev
 private-etc gai.conf,host.conf
 private-tmp
diff --git a/etc/profile-m-z/makepkg.profile b/etc/profile-m-z/makepkg.profile
index 266d00395..b6afbad59 100644
--- a/etc/profile-m-z/makepkg.profile
+++ b/etc/profile-m-z/makepkg.profile
@@ -14,8 +14,8 @@ blacklist ${RUNUSER}/wayland-*
 # for potential issues and their solutions when Firejailing makepkg
 # This profile could be significantly strengthened by adding the following to makepkg.local
-# whitelist ${HOME}/<Your Build Folder>
+#whitelist ${HOME}/<Your Build Folder>
-# whitelist ${HOME}/.gnupg
+#whitelist ${HOME}/.gnupg
 # Enable severely restricted access to ${HOME}/.gnupg
 noblacklist ${HOME}/.gnupg
diff --git a/etc/profile-m-z/microsoft-edge-beta.profile b/etc/profile-m-z/microsoft-edge-beta.profile
index 6843c11c7..e07bbe6e5 100644
--- a/etc/profile-m-z/microsoft-edge-beta.profile
+++ b/etc/profile-m-z/microsoft-edge-beta.profile
@@ -14,10 +14,7 @@ mkdir ${HOME}/.cache/microsoft-edge-beta
 mkdir ${HOME}/.config/microsoft-edge-beta
 whitelist ${HOME}/.cache/microsoft-edge-beta
 whitelist ${HOME}/.config/microsoft-edge-beta
 whitelist /opt/microsoft/msedge-beta
-# private-opt might break the file-copy-limit, see #5307
-#private-opt microsoft
 # Redirect
 include chromium-common.profile
diff --git a/etc/profile-m-z/midori.profile b/etc/profile-m-z/midori.profile
index d1655fabb..fcc4845df 100644
--- a/etc/profile-m-z/midori.profile
+++ b/etc/profile-m-z/midori.profile
@@ -13,8 +13,8 @@ noblacklist ${HOME}/.cache/midori
 noblacklist ${HOME}/.config/midori
 noblacklist ${HOME}/.local/share/midori
 noblacklist ${HOME}/.local/share/pki
-# noblacklist ${HOME}/.local/share/webkit
+#noblacklist ${HOME}/.local/share/webkit
-# noblacklist ${HOME}/.local/share/webkitgtk
+#noblacklist ${HOME}/.local/share/webkitgtk
 noblacklist ${HOME}/.pki
 noblacklist ${HOME}/.cache/gnome-mplayer
@@ -54,7 +54,7 @@ caps.drop all
 netfilter
 nodvd
 nonewprivs
-# noroot - problems on Ubuntu 14.04
+#noroot # problems on Ubuntu 14.04
 notv
 protocol unix,inet,inet6,netlink
 seccomp
diff --git a/etc/profile-m-z/mocp.profile b/etc/profile-m-z/mocp.profile
index 2ba03ec97..0a5e4255a 100644
--- a/etc/profile-m-z/mocp.profile
+++ b/etc/profile-m-z/mocp.profile
@@ -10,15 +10,24 @@ include globals.local
 noblacklist ${HOME}/.moc
 noblacklist ${MUSIC}
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
+include disable-proc.inc
 include disable-programs.inc
 include disable-xdg.inc
-include whitelist-usr-share-common.inc
+mkdir ${HOME}/.moc
+whitelist ${HOME}/.moc
+whitelist ${MUSIC}
+include whitelist-common.inc
+include whitelist-run-common.inc
 include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 apparmor
@@ -30,18 +39,20 @@ nodvd
 nogroups
 noinput
 nonewprivs
+noprinters
 noroot
 notv
 nou2f
 novideo
-protocol unix,inet,inet6,netlink
+protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 tracelog
 private-bin mocp
 private-cache
 private-dev
-private-etc @tls-ca
+private-etc @network,@tls-ca
 private-tmp
 dbus-user none
diff --git a/etc/profile-m-z/mpDris2.profile b/etc/profile-m-z/mpDris2.profile
index a9631733c..ab1c93eaf 100644
--- a/etc/profile-m-z/mpDris2.profile
+++ b/etc/profile-m-z/mpDris2.profile
@@ -52,7 +52,11 @@ private-etc
 private-lib libdbus-1.so.*,libdbus-glib-1.so.*,libgirepository-1.0.so.*,libnotify.so.*,libpython*,python2*,python3*
 private-tmp
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+dbus-user filter
+dbus-user.own org.mpris.MediaPlayer2.mpd
+dbus-system none
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 read-only ${HOME}
 restrict-namespaces
diff --git a/etc/profile-m-z/mpd.profile b/etc/profile-m-z/mpd.profile
index d1c4bd24f..6bf881faf 100644
--- a/etc/profile-m-z/mpd.profile
+++ b/etc/profile-m-z/mpd.profile
@@ -41,4 +41,8 @@ private-cache
 private-dev
 private-tmp
+dbus-user filter
+dbus-user.talk org.mpris.MediaPlayer2.mpd
+dbus-system none
 restrict-namespaces
diff --git a/etc/profile-m-z/mplayer.profile b/etc/profile-m-z/mplayer.profile
index 7d9ff39ad..bdb9fa51d 100644
--- a/etc/profile-m-z/mplayer.profile
+++ b/etc/profile-m-z/mplayer.profile
@@ -24,9 +24,9 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
-# net none - mplayer can be used for streaming.
+#net none # mplayer can be used for streaming.
 netfilter
-# nogroups
+#nogroups
 noinput
 nonewprivs
 noroot
diff --git a/etc/profile-m-z/mullvad-browser.profile b/etc/profile-m-z/mullvad-browser.profile
index b9eb57743..6706386aa 100644
--- a/etc/profile-m-z/mullvad-browser.profile
+++ b/etc/profile-m-z/mullvad-browser.profile
@@ -73,13 +73,12 @@ novideo
 protocol unix,inet,inet6
 seccomp !chroot
 seccomp.block-secondary
-#tracelog - may cause issues, see #1930
+#tracelog # may cause issues, see #1930
 disable-mnt
 private-bin bash,cat,cp,cut,dirname,env,expr,file,gpg,grep,gxmessage,id,kdialog,ln,mkdir,mullvad-browser,mv,python*,rm,sed,sh,tail,tar,tclsh,test,update-desktop-database,xmessage,xz,zenity
 private-dev
 private-etc @tls-ca
-#private-opt mullvad-browser - can cause slow startup
 private-tmp
 blacklist ${PATH}/curl
diff --git a/etc/profile-m-z/multimc5.profile b/etc/profile-m-z/multimc5.profile
index 73107680c..41f82bd07 100644
--- a/etc/profile-m-z/multimc5.profile
+++ b/etc/profile-m-z/multimc5.profile
@@ -41,12 +41,12 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6
-# seccomp
+#seccomp
 disable-mnt
 # private-bin works, but causes weirdness
-# private-bin apt-file,awk,bash,chmod,dirname,dnf,grep,java,kdialog,ldd,mkdir,multimc5,pfl,pkgfile,readlink,sort,valgrind,which,yum,zenity,zypper
+#private-bin apt-file,awk,bash,chmod,dirname,dnf,grep,java,kdialog,ldd,mkdir,multimc5,pfl,pkgfile,readlink,sort,valgrind,which,yum,zenity,zypper
 private-dev
 private-tmp
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-m-z/mumble.profile b/etc/profile-m-z/mumble.profile
index ef09e6fca..52dc46800 100644
--- a/etc/profile-m-z/mumble.profile
+++ b/etc/profile-m-z/mumble.profile
@@ -41,5 +41,5 @@ disable-mnt
 private-bin mumble
 private-tmp
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 restrict-namespaces
diff --git a/etc/profile-m-z/musescore.profile b/etc/profile-m-z/musescore.profile
index ca951f70c..b62674ad6 100644
--- a/etc/profile-m-z/musescore.profile
+++ b/etc/profile-m-z/musescore.profile
@@ -37,7 +37,7 @@ protocol unix,inet,inet6
 seccomp !chroot
 tracelog
-# private-bin musescore,mscore
+#private-bin musescore,mscore
 private-tmp
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-m-z/musixmatch.profile b/etc/profile-m-z/musixmatch.profile
index 7ce7fbd19..d67cd24bd 100644
--- a/etc/profile-m-z/musixmatch.profile
+++ b/etc/profile-m-z/musixmatch.profile
@@ -35,4 +35,4 @@ disable-mnt
 private-dev
 private-etc @tls-ca
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-m-z/mutt.profile b/etc/profile-m-z/mutt.profile
index 288ffedf1..ab1e0ab02 100644
--- a/etc/profile-m-z/mutt.profile
+++ b/etc/profile-m-z/mutt.profile
@@ -13,6 +13,7 @@ noblacklist ${DOCUMENTS}
 noblacklist ${HOME}/.Mail
 noblacklist ${HOME}/.bogofilter
 noblacklist ${HOME}/.cache/mutt
+noblacklist ${HOME}/.config/msmtp
 noblacklist ${HOME}/.config/mutt
 noblacklist ${HOME}/.config/nano
 noblacklist ${HOME}/.elinks
@@ -35,6 +36,7 @@ noblacklist ${HOME}/Mail
 noblacklist ${HOME}/mail
 noblacklist ${HOME}/postponed
 noblacklist ${HOME}/sent
+noblacklist /etc/msmtprc
 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
@@ -69,6 +71,7 @@ whitelist ${DOWNLOADS}
 whitelist ${HOME}/.Mail
 whitelist ${HOME}/.bogofilter
 whitelist ${HOME}/.cache/mutt
+whitelist ${HOME}/.config/msmtp
 whitelist ${HOME}/.config/mutt
 whitelist ${HOME}/.config/nano
 whitelist ${HOME}/.elinks
@@ -121,10 +124,10 @@ seccomp
 seccomp.block-secondary
 tracelog
-# disable-mnt
+#disable-mnt
 private-cache
 private-dev
-private-etc @tls-ca,@x11,Mutt,Muttrc,Muttrc.d,gai.conf,gnupg,gnutls,hosts.conf,mail,mailname,nntpserver,terminfo
+private-etc @tls-ca,@x11,msmtprc,Mutt,Muttrc,Muttrc.d,gai.conf,gnupg,gnutls,hosts.conf,mail,mailname,nntpserver,terminfo
 private-tmp
 writable-run-user
 writable-var
diff --git a/etc/profile-m-z/nano.profile b/etc/profile-m-z/nano.profile
index 6b4074dfb..ba63b2067 100644
--- a/etc/profile-m-z/nano.profile
+++ b/etc/profile-m-z/nano.profile
@@ -41,7 +41,7 @@ seccomp
 tracelog
 x11 none
-# disable-mnt
+#disable-mnt
 private-bin nano,rnano
 private-cache
 private-dev
diff --git a/etc/profile-m-z/ncdu.profile b/etc/profile-m-z/ncdu.profile
index 09687199b..5cfd8290a 100644
--- a/etc/profile-m-z/ncdu.profile
+++ b/etc/profile-m-z/ncdu.profile
@@ -29,7 +29,7 @@ seccomp
 x11 none
 private-dev
-# private-tmp
+#private-tmp
 dbus-user none
 dbus-system none
diff --git a/etc/profile-m-z/neochat.profile b/etc/profile-m-z/neochat.profile
index 80e28a5e5..d1a36e079 100644
--- a/etc/profile-m-z/neochat.profile
+++ b/etc/profile-m-z/neochat.profile
@@ -45,7 +45,7 @@ nosound
 notv
 nou2f
 novideo
-protocol unix,inet,inet6
+protocol unix,inet,inet6,netlink
 seccomp
 seccomp.block-secondary
 tracelog
diff --git a/etc/profile-m-z/neomutt.profile b/etc/profile-m-z/neomutt.profile
index 5bd1e7cba..b15e98424 100644
--- a/etc/profile-m-z/neomutt.profile
+++ b/etc/profile-m-z/neomutt.profile
@@ -10,6 +10,7 @@ include globals.local
 noblacklist ${DOCUMENTS}
 noblacklist ${HOME}/.Mail
 noblacklist ${HOME}/.bogofilter
+noblacklist ${HOME}/.config/msmtp
 noblacklist ${HOME}/.config/mutt
 noblacklist ${HOME}/.config/nano
 noblacklist ${HOME}/.config/neomutt
@@ -34,6 +35,7 @@ noblacklist ${HOME}/Mail
 noblacklist ${HOME}/mail
 noblacklist ${HOME}/postponed
 noblacklist ${HOME}/sent
+noblacklist /etc/msmtprc
 noblacklist /var/mail
 noblacklist /var/spool/mail
@@ -59,6 +61,7 @@ whitelist ${DOCUMENTS}
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.Mail
 whitelist ${HOME}/.bogofilter
+whitelist ${HOME}/.config/msmtp
 whitelist ${HOME}/.config/mutt
 whitelist ${HOME}/.config/nano
 whitelist ${HOME}/.config/neomutt
@@ -113,10 +116,10 @@ seccomp
 seccomp.block-secondary
 tracelog
-# disable-mnt
+#disable-mnt
 private-cache
 private-dev
-private-etc @tls-ca,@x11,Mutt,Muttrc,Muttrc.d,gnupg,hosts.conf,mail,mailname,neomuttrc,neomuttrc.d,nntpserver
+private-etc @tls-ca,@x11,msmtprc,Mutt,Muttrc,Muttrc.d,gnupg,hosts.conf,mail,mailname,neomuttrc,neomuttrc.d,nntpserver
 private-tmp
 writable-run-user
 writable-var
diff --git a/etc/profile-m-z/nicotine.profile b/etc/profile-m-z/nicotine.profile
index 568899eea..d1680e666 100644
--- a/etc/profile-m-z/nicotine.profile
+++ b/etc/profile-m-z/nicotine.profile
@@ -43,7 +43,6 @@ noinput
 nonewprivs
 noprinters
 noroot
-nosound
 notv
 nou2f
 novideo
@@ -57,7 +56,9 @@ private-cache
 private-dev
 private-tmp
-dbus-user none
+dbus-user filter
+dbus-user.own org.nicotine_plus.Nicotine
+dbus-user.talk ca.desrt.dconf
 dbus-system none
 restrict-namespaces
diff --git a/etc/profile-m-z/nitroshare.profile b/etc/profile-m-z/nitroshare.profile
index 7a97ca825..254eb789a 100644
--- a/etc/profile-m-z/nitroshare.profile
+++ b/etc/profile-m-z/nitroshare.profile
@@ -42,11 +42,11 @@ private-bin awk,grep,nitroshare,nitroshare-cli,nitroshare-nmh,nitroshare-send,ni
 private-cache
 private-dev
 private-etc @tls-ca,@x11
-# private-lib libnitroshare.so.*,libqhttpengine.so.*,libqmdnsengine.so.*,nitroshare
+#private-lib libnitroshare.so.*,libqhttpengine.so.*,libqmdnsengine.so.*,nitroshare
 private-tmp
-# dbus-user none
+#dbus-user none
-# dbus-system none
+#dbus-system none
-# memory-deny-write-execute
+#memory-deny-write-execute
 restrict-namespaces
diff --git a/etc/profile-m-z/nodejs-common.profile b/etc/profile-m-z/nodejs-common.profile
index 4c463521c..f301196c6 100644
--- a/etc/profile-m-z/nodejs-common.profile
+++ b/etc/profile-m-z/nodejs-common.profile
@@ -7,7 +7,7 @@ include nodejs-common.local
 # added by caller profile
 #include globals.local
-# Note: gulp, node-gyp, npm, npx, semver and yarn are all node scripts
+# Note: gulp, node-gyp, npm, npx, pnpm, pnpx, semver and yarn are all node scripts
 # using the `#!/usr/bin/env node` shebang. By sandboxing node the full
 # node.js stack will be firejailed. The only exception is nvm, which is implemented
 # as a sourced shell function, not an executable binary. Hence it is not
@@ -22,6 +22,7 @@ ignore read-only ${HOME}/.npmrc
 ignore read-only ${HOME}/.nvm
 ignore read-only ${HOME}/.yarnrc
+noblacklist ${HOME}/.local/share/pnpm
 noblacklist ${HOME}/.node-gyp
 noblacklist ${HOME}/.npm
 noblacklist ${HOME}/.npmrc
@@ -43,6 +44,7 @@ include disable-xdg.inc
 # If you want whitelisting, change ${HOME}/Projects below to your node projects directory
 # and add the next lines to your nodejs-common.local.
+#mkdir ${HOME}/.local/share/pnpm
 #mkdir ${HOME}/.node-gyp
 #mkdir ${HOME}/.npm
 #mkdir ${HOME}/.npm-packages
@@ -52,6 +54,7 @@ include disable-xdg.inc
 #mkdir ${HOME}/.yarn-config
 #mkdir ${HOME}/.yarncache
 #mkfile ${HOME}/.yarnrc
+#whitelist ${HOME}/.local/share/pnpm
 #whitelist ${HOME}/.node-gyp
 #whitelist ${HOME}/.npm
 #whitelist ${HOME}/.npm-packages
diff --git a/etc/profile-m-z/notable.profile b/etc/profile-m-z/notable.profile
index 9fbbf94c0..4bd3d45ac 100644
--- a/etc/profile-m-z/notable.profile
+++ b/etc/profile-m-z/notable.profile
@@ -14,11 +14,12 @@ include globals.local
 noblacklist ${HOME}/.config/Notable
 noblacklist ${HOME}/.notable
+whitelist /opt/Notable
 net none
 nosound
 ?HAS_APPIMAGE: ignore private-dev
-private-opt Notable
 dbus-user filter
 dbus-user.talk ca.desrt.dconf
diff --git a/etc/profile-m-z/nuclear.profile b/etc/profile-m-z/nuclear.profile
index dec48c827..6d1e3cd8a 100644
--- a/etc/profile-m-z/nuclear.profile
+++ b/etc/profile-m-z/nuclear.profile
@@ -14,12 +14,12 @@ include disable-shell.inc
 mkdir ${HOME}/.config/nuclear
 whitelist ${HOME}/.config/nuclear
+whitelist /opt/nuclear
 no3d
-# private-bin nuclear
+#private-bin nuclear
 private-etc @tls-ca,@x11,host.conf,mime.types
-private-opt nuclear
 # Redirect
 include electron-common.profile
diff --git a/etc/profile-m-z/ocenaudio.profile b/etc/profile-m-z/ocenaudio.profile
index 830483bd4..3fe5a4712 100644
--- a/etc/profile-m-z/ocenaudio.profile
+++ b/etc/profile-m-z/ocenaudio.profile
@@ -25,6 +25,7 @@ whitelist ${HOME}/.cache/ocenaudio
 whitelist ${HOME}/.local/share/ocenaudio
 whitelist ${DOWNLOADS}
 whitelist ${MUSIC}
+whitelist /opt/ocenaudio
 include whitelist-common.inc
 include whitelist-run-common.inc
 include whitelist-runuser-common.inc
@@ -54,7 +55,6 @@ private-bin ocenaudio,ocenvst
 private-cache
 private-dev
 private-etc @tls-ca,@x11,mime.types
-private-opt ocenaudio
 private-tmp
 dbus-user none
diff --git a/etc/profile-m-z/okular.profile b/etc/profile-m-z/okular.profile
index 8e0758c37..ac573dc47 100644
--- a/etc/profile-m-z/okular.profile
+++ b/etc/profile-m-z/okular.profile
@@ -44,7 +44,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 machine-id
-# net none
+#net none
 netfilter
 nodvd
 nogroups
@@ -62,12 +62,13 @@ tracelog
 private-bin kbuildsycoca4,kdeinit4,lpr,okular,unar,unrar
 private-dev
 private-etc @x11,cups
-# private-tmp - on KDE we need access to the real /tmp for data exchange with email clients
+# on KDE we need access to the real /tmp for data exchange with email clients
+#private-tmp
-# dbus-user none
+#dbus-user none
-# dbus-system none
+#dbus-system none
-# memory-deny-write-execute
+#memory-deny-write-execute
 restrict-namespaces
 join-or-start okular
diff --git a/etc/profile-m-z/onionshare-gui.profile b/etc/profile-m-z/onionshare-gui.profile
index 47ac9fc05..3338cadf5 100644
--- a/etc/profile-m-z/onionshare-gui.profile
+++ b/etc/profile-m-z/onionshare-gui.profile
@@ -50,7 +50,7 @@ novideo
 protocol unix,inet,inet6
 seccomp
 seccomp.block-secondary
-#tracelog - may cause issues, see #1930
+#tracelog # may cause issues, see #1930
 disable-mnt
 private-bin onionshare,onionshare-cli,onionshare-gui,python*,tor*
diff --git a/etc/profile-m-z/openclonk.profile b/etc/profile-m-z/openclonk.profile
index 3449ac686..e10f6011b 100644
--- a/etc/profile-m-z/openclonk.profile
+++ b/etc/profile-m-z/openclonk.profile
@@ -24,7 +24,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 ipc-namespace
-# net none - networked game
+#net none # networked game
 netfilter
 nodvd
 nogroups
diff --git a/etc/profile-m-z/orage.profile b/etc/profile-m-z/orage.profile
index fa16c05e2..c4849b958 100644
--- a/etc/profile-m-z/orage.profile
+++ b/etc/profile-m-z/orage.profile
@@ -24,7 +24,7 @@ nogroups
 noinput
 nonewprivs
 noroot
-# nosound - calendar application, It must be able to play sound to wake you up.
+#nosound # calendar application, It must be able to play sound to wake you up.
 notv
 nou2f
 novideo
diff --git a/etc/profile-m-z/otter-browser.profile b/etc/profile-m-z/otter-browser.profile
index a1c0462ba..76d4a2c52 100644
--- a/etc/profile-m-z/otter-browser.profile
+++ b/etc/profile-m-z/otter-browser.profile
@@ -57,4 +57,4 @@ private-tmp
 dbus-system none
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-m-z/palemoon.profile b/etc/profile-m-z/palemoon.profile
index ab4e24595..8917a9bc5 100644
--- a/etc/profile-m-z/palemoon.profile
+++ b/etc/profile-m-z/palemoon.profile
@@ -12,6 +12,7 @@ mkdir ${HOME}/.cache/moonchild productions/pale moon
 mkdir ${HOME}/.moonchild productions
 whitelist ${HOME}/.cache/moonchild productions/pale moon
 whitelist ${HOME}/.moonchild productions
+whitelist /opt/palemoon
 whitelist /usr/share/moonchild productions
 whitelist /usr/share/palemoon
@@ -22,7 +23,6 @@ ignore seccomp
 #private-bin palemoon
 # private-etc must first be enabled in firefox-common.profile
 #private-etc palemoon
-#private-opt palemoon
 restrict-namespaces
 ignore restrict-namespaces
diff --git a/etc/profile-m-z/patch.profile b/etc/profile-m-z/patch.profile
index 5a0f69f79..23e734b43 100644
--- a/etc/profile-m-z/patch.profile
+++ b/etc/profile-m-z/patch.profile
@@ -10,6 +10,7 @@ include globals.local
 blacklist ${RUNUSER}
 noblacklist ${DOCUMENTS}
+noblacklist ${PATH}/patch
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/pavucontrol-qt.profile b/etc/profile-m-z/pavucontrol-qt.profile
index f96ba14d2..79ed8777d 100644
--- a/etc/profile-m-z/pavucontrol-qt.profile
+++ b/etc/profile-m-z/pavucontrol-qt.profile
@@ -9,8 +9,9 @@ include pavucontrol-qt.local
 noblacklist ${HOME}/.config/pavucontrol-qt
-mkdir ${HOME}/.config/pavucontrol-qt
+# whitelisting in ${HOME} is broken, see #3112
-whitelist ${HOME}/.config/pavucontrol-qt
+#mkdir ${HOME}/.config/pavucontrol-qt
+#whitelist ${HOME}/.config/pavucontrol-qt
 private-bin pavucontrol-qt
 ignore private-lib
diff --git a/etc/profile-m-z/pidgin.profile b/etc/profile-m-z/pidgin.profile
index a852a2a18..5bc0bd700 100644
--- a/etc/profile-m-z/pidgin.profile
+++ b/etc/profile-m-z/pidgin.profile
@@ -40,7 +40,7 @@ protocol unix,inet,inet6,netlink
 seccomp
 tracelog
-# private-bin pidgin
+#private-bin pidgin
 private-cache
 private-dev
 private-tmp
diff --git a/etc/profile-m-z/ping.profile b/etc/profile-m-z/ping.profile
index d563064e1..c3aa0a501 100644
--- a/etc/profile-m-z/ping.profile
+++ b/etc/profile-m-z/ping.profile
@@ -55,7 +55,7 @@ tracelog
 disable-mnt
 private
-#private-bin ping - has mammoth problems with execvp: "No such file or directory"
+#private-bin ping # has mammoth problems with execvp: "No such file or directory"
 private-cache
 private-dev
 private-etc @tls-ca
diff --git a/etc/profile-m-z/pluma.profile b/etc/profile-m-z/pluma.profile
index efcdaa661..6e56208d5 100644
--- a/etc/profile-m-z/pluma.profile
+++ b/etc/profile-m-z/pluma.profile
@@ -21,10 +21,10 @@ include disable-shell.inc
 include whitelist-var-common.inc
-# apparmor - makes settings immutable
+#apparmor # makes settings immutable
 caps.drop all
 machine-id
-# net none - makes settings immutable
+#net none # makes settings immutable
 no3d
 nodvd
 nogroups
@@ -45,8 +45,8 @@ private-lib aspell,gconv,libgspell-1.so.*,libreadline.so.*,libtinfo.so.*,pluma
 private-tmp
 # makes settings immutable
-# dbus-user none
+#dbus-user none
-# dbus-system none
+#dbus-system none
 restrict-namespaces
 join-or-start pluma
diff --git a/etc/profile-m-z/plv.profile b/etc/profile-m-z/plv.profile
index 34e18cbd7..38fa01553 100644
--- a/etc/profile-m-z/plv.profile
+++ b/etc/profile-m-z/plv.profile
@@ -53,7 +53,7 @@ writable-var-log
 dbus-user none
 dbus-system none
-#memory-deny-write-execute - breaks opening file-chooser
+#memory-deny-write-execute # breaks opening file-chooser
 read-only ${HOME}
 read-write ${HOME}/.config/PacmanLogViewer
 read-only /var/log/pacman.log
diff --git a/etc/profile-m-z/pnpm.profile b/etc/profile-m-z/pnpm.profile
new file mode 100644
index 000000000..08f88be43
--- /dev/null
+++ b/etc/profile-m-z/pnpm.profile
@@ -0,0 +1,11 @@
+# Firejail profile for pnpm
+# Description: Fast, disk space efficient package manager
+quiet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pnpm.local
+# Persistent global definitions
+include globals.local
+# Redirect
+include nodejs-common.profile
diff --git a/etc/profile-m-z/pnpx.profile b/etc/profile-m-z/pnpx.profile
new file mode 100644
index 000000000..a99d1232a
--- /dev/null
+++ b/etc/profile-m-z/pnpx.profile
@@ -0,0 +1,11 @@
+# Firejail profile for pnpx
+# Description: Part of the Node.js stack
+quiet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pnpx.local
+# Persistent global definitions
+include globals.local
+# Redirect
+include nodejs-common.profile
diff --git a/etc/profile-m-z/psi-plus.profile b/etc/profile-m-z/psi-plus.profile
index af117c3b5..7a735bba7 100644
--- a/etc/profile-m-z/psi-plus.profile
+++ b/etc/profile-m-z/psi-plus.profile
@@ -43,4 +43,4 @@ disable-mnt
 private-dev
 private-tmp
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-m-z/psi.profile b/etc/profile-m-z/psi.profile
index a1a0606b9..1417a87c9 100644
--- a/etc/profile-m-z/psi.profile
+++ b/etc/profile-m-z/psi.profile
@@ -62,7 +62,7 @@ novideo
 nou2f
 protocol unix,inet,inet6,netlink
 seccomp !chroot
-#tracelog - breaks on Arch
+#tracelog # breaks on Arch
 disable-mnt
 # Add the next line to your psi.local to enable GPG support.
diff --git a/etc/profile-m-z/pycharm-community.profile b/etc/profile-m-z/pycharm-community.profile
index 875b83e8e..fa307fc88 100644
--- a/etc/profile-m-z/pycharm-community.profile
+++ b/etc/profile-m-z/pycharm-community.profile
@@ -34,8 +34,8 @@ nou2f
 novideo
 tracelog
-# private-etc alternatives,fonts,passwd - minimal required to run but will probably break
+# minimum required to run but will probably break the program!
-# program!
+#private-etc alternatives,fonts,passwd
 private-dev
 private-tmp
diff --git a/etc/profile-m-z/qbittorrent.profile b/etc/profile-m-z/qbittorrent.profile
index 9605da3ac..ae0a2cdf1 100644
--- a/etc/profile-m-z/qbittorrent.profile
+++ b/etc/profile-m-z/qbittorrent.profile
@@ -55,12 +55,12 @@ seccomp
 private-bin python*,qbittorrent
 private-dev
-# private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,resolv.conf,ssl,X11,xdg
+#private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,resolv.conf,ssl,X11,xdg
 private-tmp
 # See https://github.com/netblue30/firejail/issues/3707 for tray-icon
 dbus-user none
 dbus-system none
-# memory-deny-write-execute - problems on Arch, see #1690 on GitHub repo
+#memory-deny-write-execute # problems on Arch, see #1690 on GitHub repo
 restrict-namespaces
diff --git a/etc/profile-m-z/qmmp.profile b/etc/profile-m-z/qmmp.profile
index ecd62a7d1..66c8f3238 100644
--- a/etc/profile-m-z/qmmp.profile
+++ b/etc/profile-m-z/qmmp.profile
@@ -18,7 +18,7 @@ include disable-xdg.inc
 caps.drop all
 netfilter
-# no3d
+#no3d
 nogroups
 noinput
 nonewprivs
diff --git a/etc/profile-m-z/qpdfview.profile b/etc/profile-m-z/qpdfview.profile
index 4caa0917f..784d2fafd 100644
--- a/etc/profile-m-z/qpdfview.profile
+++ b/etc/profile-m-z/qpdfview.profile
@@ -41,7 +41,7 @@ private-dev
 private-tmp
 # needs D-Bus when started from a file manager
-# dbus-user none
+#dbus-user none
-# dbus-system none
+#dbus-system none
 restrict-namespaces
diff --git a/etc/profile-m-z/qtox.profile b/etc/profile-m-z/qtox.profile
index ab0f9425a..20c84c5a8 100644
--- a/etc/profile-m-z/qtox.profile
+++ b/etc/profile-m-z/qtox.profile
@@ -48,5 +48,5 @@ private-tmp
 dbus-user none
 dbus-system none
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 restrict-namespaces
diff --git a/etc/profile-m-z/quassel.profile b/etc/profile-m-z/quassel.profile
index 4589c9e4a..4ec990e95 100644
--- a/etc/profile-m-z/quassel.profile
+++ b/etc/profile-m-z/quassel.profile
@@ -25,4 +25,4 @@ seccomp !chroot
 private-cache
 private-tmp
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-m-z/quiterss.profile b/etc/profile-m-z/quiterss.profile
index a59f01f85..4102b1ea0 100644
--- a/etc/profile-m-z/quiterss.profile
+++ b/etc/profile-m-z/quiterss.profile
@@ -50,6 +50,6 @@ tracelog
 disable-mnt
 private-bin quiterss
 private-dev
-# private-etc alternatives,ca-certificates,crypto-policies,pki,ssl,X11
+#private-etc alternatives,ca-certificates,crypto-policies,pki,ssl,X11
 restrict-namespaces
diff --git a/etc/profile-m-z/rpcs3.profile b/etc/profile-m-z/rpcs3.profile
index 405ab818d..603ec8ff4 100644
--- a/etc/profile-m-z/rpcs3.profile
+++ b/etc/profile-m-z/rpcs3.profile
@@ -54,7 +54,8 @@ tracelog
 disable-mnt
 #private-cache
-#private-etc alternatives,ca-certificates,crypto-policies,machine-id,pki,resolv.conf,ssl # seems to need awk
+# seems to need awk
+#private-etc alternatives,ca-certificates,crypto-policies,machine-id,pki,resolv.conf,ssl
 private-tmp
 dbus-user none
diff --git a/etc/profile-m-z/rssguard.profile b/etc/profile-m-z/rssguard.profile
index 81381c205..ce455baba 100644
--- a/etc/profile-m-z/rssguard.profile
+++ b/etc/profile-m-z/rssguard.profile
@@ -31,13 +31,13 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
-# no3d
+#no3d
 nodvd
 nogroups
 noinput
 nonewprivs
 noroot
-# nosound
+#nosound
 notv
 nou2f
 novideo
diff --git a/etc/profile-m-z/scribus.profile b/etc/profile-m-z/scribus.profile
index 34cf783fe..8e25375b0 100644
--- a/etc/profile-m-z/scribus.profile
+++ b/etc/profile-m-z/scribus.profile
@@ -55,7 +55,7 @@ protocol unix
 seccomp
 tracelog
-# private-bin gimp*,gs,scribus
+#private-bin gimp*,gs,scribus
 private-dev
 private-tmp
diff --git a/etc/profile-m-z/seamonkey.profile b/etc/profile-m-z/seamonkey.profile
index c2dbbc2c6..1171a52f0 100644
--- a/etc/profile-m-z/seamonkey.profile
+++ b/etc/profile-m-z/seamonkey.profile
@@ -55,7 +55,7 @@ seccomp
 tracelog
 disable-mnt
-# private-etc adobe,alternatives,asound.conf,ca-certificates,crypto-policies,firefox,fonts,group,gtk-2.0,hostname,hosts,iceweasel,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,ssl
+#private-etc adobe,alternatives,asound.conf,ca-certificates,crypto-policies,firefox,fonts,group,gtk-2.0,hostname,hosts,iceweasel,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,ssl
 writable-run-user
 restrict-namespaces
diff --git a/etc/profile-m-z/server.profile b/etc/profile-m-z/server.profile
index 667f9c557..74587c992 100644
--- a/etc/profile-m-z/server.profile
+++ b/etc/profile-m-z/server.profile
@@ -34,36 +34,36 @@ include globals.local
 noblacklist /sbin
 noblacklist /usr/sbin
 noblacklist /etc/init.d
-# noblacklist /var/opt
+#noblacklist /var/opt
 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
 include disable-common.inc
-# include disable-devel.inc
+#include disable-devel.inc
-# include disable-exec.inc
+#include disable-exec.inc
-# include disable-interpreters.inc
+#include disable-interpreters.inc
 include disable-programs.inc
 include disable-write-mnt.inc
 include disable-xdg.inc
-# include whitelist-runuser-common.inc
+#include whitelist-runuser-common.inc
-# include whitelist-usr-share-common.inc
+#include whitelist-usr-share-common.inc
-# include whitelist-var-common.inc
+#include whitelist-var-common.inc
 # people use to install servers all over the place!
 # apparmor runs executable only from default system locations
-# apparmor
+#apparmor
 caps
-# ipc-namespace
+#ipc-namespace
 machine-id
-# netfilter /etc/firejail/webserver.net
+#netfilter /etc/firejail/webserver.net
 no3d
 nodvd
-# nogroups
+#nogroups
 noinput
 nonewprivs
-# noroot
+#noroot
 nosound
 notv
 nou2f
@@ -74,22 +74,22 @@ tab # allow tab completion
 disable-mnt
 private
-# private-bin program
+#private-bin program
-# private-cache
+#private-cache
 private-dev
 # see /usr/share/doc/firejail/profile.template for more common private-etc paths.
-# private-etc alternatives
+#private-etc alternatives
-# private-lib
+#private-lib
-# private-opt none
+#private-opt none
 private-tmp
-# writable-run-user
+#writable-run-user
-# writable-var
+#writable-var
-# writable-var-log
+#writable-var-log
 dbus-user none
-# dbus-system none
+#dbus-system none
-# deterministic-shutdown
+#deterministic-shutdown
-# memory-deny-write-execute
+#memory-deny-write-execute
-# read-only ${HOME}
+#read-only ${HOME}
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-m-z/silentarmy.profile b/etc/profile-m-z/silentarmy.profile
index 96e4cf283..154e29ccf 100644
--- a/etc/profile-m-z/silentarmy.profile
+++ b/etc/profile-m-z/silentarmy.profile
@@ -7,7 +7,7 @@ include globals.local
 include disable-common.inc
-# include disable-devel.inc
+#include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
diff --git a/etc/profile-m-z/simple-scan.profile b/etc/profile-m-z/simple-scan.profile
index 14846cf58..f8bcd3c6e 100644
--- a/etc/profile-m-z/simple-scan.profile
+++ b/etc/profile-m-z/simple-scan.profile
@@ -28,15 +28,15 @@ nonewprivs
 noroot
 nosound
 notv
-# novideo
+#novideo
 protocol unix,inet,inet6,netlink
 # blacklisting of ioperm system calls breaks simple-scan
 seccomp !ioperm
 tracelog
-# private-bin simple-scan
+#private-bin simple-scan
-# private-dev
+#private-dev
-# private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl
+#private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl
-# private-tmp
+#private-tmp
 restrict-namespaces
diff --git a/etc/profile-m-z/simutrans.profile b/etc/profile-m-z/simutrans.profile
index f88ae65c8..995b59538 100644
--- a/etc/profile-m-z/simutrans.profile
+++ b/etc/profile-m-z/simutrans.profile
@@ -33,7 +33,7 @@ novideo
 protocol unix
 seccomp
-# private-bin simutrans
+#private-bin simutrans
 private-dev
 private-etc @games,@x11
 private-tmp
diff --git a/etc/profile-m-z/skanlite.profile b/etc/profile-m-z/skanlite.profile
index 6b73b2289..3b78f7fd2 100644
--- a/etc/profile-m-z/skanlite.profile
+++ b/etc/profile-m-z/skanlite.profile
@@ -22,16 +22,16 @@ nonewprivs
 noroot
 nosound
 notv
-# novideo
+#novideo
 protocol unix,inet,inet6,netlink
 # blacklisting of ioperm system calls breaks skanlite
 seccomp !ioperm
-# private-bin kbuildsycoca4,kdeinit4,skanlite
+#private-bin kbuildsycoca4,kdeinit4,skanlite
-# private-dev
+#private-dev
-# private-tmp
+#private-tmp
-# dbus-user none
+#dbus-user none
-# dbus-system none
+#dbus-system none
 restrict-namespaces
diff --git a/etc/profile-m-z/smplayer.profile b/etc/profile-m-z/smplayer.profile
index 9dd41fd27..ece191b73 100644
--- a/etc/profile-m-z/smplayer.profile
+++ b/etc/profile-m-z/smplayer.profile
@@ -36,7 +36,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
-# nogroups
+#nogroups
 noinput
 nonewprivs
 noroot
@@ -49,7 +49,7 @@ private-dev
 private-tmp
 # problems with KDE
-# dbus-user none
+#dbus-user none
-# dbus-system none
+#dbus-system none
 restrict-namespaces
diff --git a/etc/profile-m-z/sniffnet.profile b/etc/profile-m-z/sniffnet.profile
index eb18c1f01..940c35b2e 100644
--- a/etc/profile-m-z/sniffnet.profile
+++ b/etc/profile-m-z/sniffnet.profile
@@ -29,8 +29,8 @@ netfilter
 nodvd
 nogroups
 noinput
-# nonewprivs - breaks network traffic capture for unprivileged users
+#nonewprivs # breaks network traffic capture for unprivileged users
-# noroot
+#noroot
 notv
 nou2f
 novideo
diff --git a/etc/profile-m-z/sol.profile b/etc/profile-m-z/sol.profile
index e2be4e9e0..07f9b0094 100644
--- a/etc/profile-m-z/sol.profile
+++ b/etc/profile-m-z/sol.profile
@@ -21,13 +21,13 @@ apparmor
 caps.drop all
 ipc-namespace
 net none
-# no3d
+#no3d
 nodvd
 nogroups
 noinput
 nonewprivs
 noroot
-# nosound
+#nosound
 notv
 nou2f
 novideo
@@ -43,5 +43,5 @@ private-tmp
 dbus-user none
 dbus-system none
-# memory-deny-write-execute
+#memory-deny-write-execute
 restrict-namespaces
diff --git a/etc/profile-m-z/sound-juicer.profile b/etc/profile-m-z/sound-juicer.profile
index f5ac6c739..5c5763538 100644
--- a/etc/profile-m-z/sound-juicer.profile
+++ b/etc/profile-m-z/sound-juicer.profile
@@ -38,7 +38,7 @@ private-cache
 private-dev
 private-tmp
-# dbus-user none
+#dbus-user none
-# dbus-system none
+#dbus-system none
 restrict-namespaces
diff --git a/etc/profile-m-z/spotify.profile b/etc/profile-m-z/spotify.profile
index c893a92fb..63c2c5086 100644
--- a/etc/profile-m-z/spotify.profile
+++ b/etc/profile-m-z/spotify.profile
@@ -26,6 +26,7 @@ whitelist ${HOME}/.cache/spotify
 whitelist ${HOME}/.config/spotify
 whitelist ${HOME}/.config/spotify-adblock
 whitelist ${HOME}/.local/share/spotify
+whitelist /opt/spotify
 include whitelist-common.inc
 include whitelist-var-common.inc
@@ -48,7 +49,6 @@ private-bin bash,cat,dirname,find,grep,head,rm,sh,spotify,tclsh,touch,zenity
 private-dev
 # If you want to see album covers or want to use the radio, add 'ignore private-etc' to your spotify.local.
 private-etc @tls-ca,host.conf,spotify-adblock
-private-opt spotify
 private-srv none
 private-tmp
diff --git a/etc/profile-m-z/sqlitebrowser.profile b/etc/profile-m-z/sqlitebrowser.profile
index ce356367f..013c7ac13 100644
--- a/etc/profile-m-z/sqlitebrowser.profile
+++ b/etc/profile-m-z/sqlitebrowser.profile
@@ -46,8 +46,8 @@ private-etc @tls-ca
 private-tmp
 # breaks proxy creation
-# dbus-user none
+#dbus-user none
-# dbus-system none
+#dbus-system none
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 restrict-namespaces
diff --git a/etc/profile-m-z/ssh.profile b/etc/profile-m-z/ssh.profile
index a7956a76e..fde85be64 100644
--- a/etc/profile-m-z/ssh.profile
+++ b/etc/profile-m-z/ssh.profile
@@ -32,10 +32,10 @@ nodvd
 nogroups
 noinput
 nonewprivs
-# noroot - see issue #1543
+#noroot # see issue #1543
 nosound
 notv
-# nou2f - OpenSSH >= 8.2 supports U2F
+#nou2f # OpenSSH >= 8.2 supports U2F
 novideo
 protocol unix,inet,inet6
 seccomp
@@ -43,7 +43,7 @@ tracelog
 private-cache
 private-dev
-# private-tmp # Breaks when exiting
+#private-tmp # Breaks when exiting
 writable-run-user
 dbus-user none
diff --git a/etc/profile-m-z/ssmtp.profile b/etc/profile-m-z/ssmtp.profile
index 1a224e7b0..b87f514f9 100644
--- a/etc/profile-m-z/ssmtp.profile
+++ b/etc/profile-m-z/ssmtp.profile
@@ -16,6 +16,7 @@ noblacklist /sbin
 noblacklist /usr/sbin
 noblacklist ${DOCUMENTS}
+noblacklist ${PATH}/ssmtp
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/profile-m-z/standardnotes-desktop.profile b/etc/profile-m-z/standardnotes-desktop.profile
index 3fe0963a9..fe4e4b6d7 100644
--- a/etc/profile-m-z/standardnotes-desktop.profile
+++ b/etc/profile-m-z/standardnotes-desktop.profile
@@ -47,4 +47,4 @@ private-etc @tls-ca,@x11,host.conf
 dbus-user none
 dbus-system none
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-m-z/steam.profile b/etc/profile-m-z/steam.profile
index 99317c9dc..34cb3631a 100644
--- a/etc/profile-m-z/steam.profile
+++ b/etc/profile-m-z/steam.profile
@@ -12,10 +12,12 @@ noblacklist ${HOME}/.config/MangoHud
 noblacklist ${HOME}/.config/ModTheSpire
 noblacklist ${HOME}/.config/RogueLegacy
 noblacklist ${HOME}/.config/RogueLegacyStorageContainer
+noblacklist ${HOME}/.factorio
 noblacklist ${HOME}/.killingfloor
 noblacklist ${HOME}/.klei
 noblacklist ${HOME}/.local/share/3909/PapersPlease
 noblacklist ${HOME}/.local/share/aspyr-media
+noblacklist ${HOME}/.local/share/Baba_Is_You
 noblacklist ${HOME}/.local/share/bohemiainteractive
 noblacklist ${HOME}/.local/share/cdprojektred
 noblacklist ${HOME}/.local/share/Colossal Order
@@ -64,10 +66,12 @@ mkdir ${HOME}/.config/MangoHud
 mkdir ${HOME}/.config/ModTheSpire
 mkdir ${HOME}/.config/RogueLegacy
 mkdir ${HOME}/.config/unity3d
+mkdir ${HOME}/.factorio
 mkdir ${HOME}/.killingfloor
 mkdir ${HOME}/.klei
 mkdir ${HOME}/.local/share/3909/PapersPlease
 mkdir ${HOME}/.local/share/aspyr-media
+mkdir ${HOME}/.local/share/Baba_Is_You
 mkdir ${HOME}/.local/share/bohemiainteractive
 mkdir ${HOME}/.local/share/cdprojektred
 mkdir ${HOME}/.local/share/Colossal Order
@@ -100,10 +104,12 @@ whitelist ${HOME}/.config/ModTheSpire
 whitelist ${HOME}/.config/RogueLegacy
 whitelist ${HOME}/.config/RogueLegacyStorageContainer
 whitelist ${HOME}/.config/unity3d
+whitelist ${HOME}/.factorio
 whitelist ${HOME}/.killingfloor
 whitelist ${HOME}/.klei
 whitelist ${HOME}/.local/share/3909/PapersPlease
 whitelist ${HOME}/.local/share/aspyr-media
+whitelist ${HOME}/.local/share/Baba_Is_You
 whitelist ${HOME}/.local/share/bohemiainteractive
 whitelist ${HOME}/.local/share/cdprojektred
 whitelist ${HOME}/.local/share/Colossal Order
diff --git a/etc/profile-m-z/subdownloader.profile b/etc/profile-m-z/subdownloader.profile
index 6de288c46..8b5d7e253 100644
--- a/etc/profile-m-z/subdownloader.profile
+++ b/etc/profile-m-z/subdownloader.profile
@@ -49,5 +49,5 @@ private-tmp
 dbus-user none
 dbus-system none
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 restrict-namespaces
diff --git a/etc/profile-m-z/supertux2.profile b/etc/profile-m-z/supertux2.profile
index 2ad107f1a..65aea6667 100644
--- a/etc/profile-m-z/supertux2.profile
+++ b/etc/profile-m-z/supertux2.profile
@@ -41,7 +41,7 @@ seccomp.block-secondary
 tracelog
 disable-mnt
-# private-bin supertux2
+#private-bin supertux2
 private-cache
 private-etc
 private-dev
diff --git a/etc/profile-m-z/sushi.profile b/etc/profile-m-z/sushi.profile
index 7b6a87b31..728db012e 100644
--- a/etc/profile-m-z/sushi.profile
+++ b/etc/profile-m-z/sushi.profile
@@ -13,7 +13,7 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-# include disable-programs.inc
+#include disable-programs.inc
 include disable-shell.inc
 include whitelist-runuser-common.inc
diff --git a/etc/profile-m-z/sylpheed.profile b/etc/profile-m-z/sylpheed.profile
index 5fb35aa04..7cef394c2 100644
--- a/etc/profile-m-z/sylpheed.profile
+++ b/etc/profile-m-z/sylpheed.profile
@@ -13,7 +13,7 @@ whitelist ${HOME}/.sylpheed-2.0
 whitelist /usr/share/sylpheed
-# private-bin curl,gpg,gpg2,gpg-agent,gpgsm,pinentry,pinentry-gtk-2,sylpheed
+#private-bin curl,gpg,gpg2,gpg-agent,gpgsm,pinentry,pinentry-gtk-2,sylpheed
 # Redirect
 include email-common.profile
diff --git a/etc/profile-m-z/sysprof.profile b/etc/profile-m-z/sysprof.profile
index 726baf336..b0a80fc27 100644
--- a/etc/profile-m-z/sysprof.profile
+++ b/etc/profile-m-z/sysprof.profile
@@ -59,11 +59,11 @@ seccomp
 tracelog
 disable-mnt
-#private-bin sysprof - breaks help menu
+#private-bin sysprof # breaks help menu
 private-cache
 private-dev
 private-etc @tls-ca
-# private-lib - breaks help menu
+#private-lib # breaks help menu
 #private-lib gdk-pixbuf-2.*,gio,gtk3,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*,libsysprof-2.so,libsysprof-ui-2.so
 private-tmp
@@ -73,5 +73,5 @@ dbus-user.own org.gnome.Yelp
 dbus-user.own org.gnome.Sysprof3
 dbus-user.talk ca.desrt.dconf
-# memory-deny-write-execute - breaks on Arch
+#memory-deny-write-execute # breaks on Arch
 restrict-namespaces
diff --git a/etc/profile-m-z/system-log-common.profile b/etc/profile-m-z/system-log-common.profile
new file mode 100644
index 000000000..dda8bdc47
--- /dev/null
+++ b/etc/profile-m-z/system-log-common.profile
@@ -0,0 +1,60 @@
+# Firejail profile for system-log-common
+# Description: Common profile for GUI system log viewers
+# This file is overwritten after every install/update
+# Persistent local customizations
+include system-log-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+whitelist /run/log/journal
+whitelist /var/log/journal
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+ipc-namespace
+net none
+no3d
+nodvd
+#nogroups
+noinput
+nonewprivs
+noprinters
+#noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+tracelog
+disable-mnt
+private-cache
+private-dev
+private-etc machine-id
+private-tmp
+dbus-user none
+dbus-system none
+restrict-namespaces
+# Add 'ignore read-only ${HOME}' to your system-log-common.local
+# if you export logs to a file under your ${HOME}.
+read-only ${HOME}
+writable-var-log
diff --git a/etc/profile-m-z/teamspeak3.profile b/etc/profile-m-z/teamspeak3.profile
index 41da4ee13..06b547b3d 100644
--- a/etc/profile-m-z/teamspeak3.profile
+++ b/etc/profile-m-z/teamspeak3.profile
@@ -39,4 +39,4 @@ disable-mnt
 private-dev
 private-tmp
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-m-z/telegram.profile b/etc/profile-m-z/telegram.profile
index ba915c2d4..fa992ad1a 100644
--- a/etc/profile-m-z/telegram.profile
+++ b/etc/profile-m-z/telegram.profile
@@ -7,6 +7,7 @@ include globals.local
 noblacklist ${HOME}/.TelegramDesktop
 noblacklist ${HOME}/.local/share/TelegramDesktop
+noblacklist ${HOME}/.local/share/telegram-desktop
 # Allow opening hyperlinks
 include allow-bin-sh.inc
@@ -21,8 +22,10 @@ include disable-xdg.inc
 mkdir ${HOME}/.TelegramDesktop
 mkdir ${HOME}/.local/share/TelegramDesktop
+mkdir ${HOME}/.local/share/telegram-desktop
 whitelist ${HOME}/.TelegramDesktop
 whitelist ${HOME}/.local/share/TelegramDesktop
+whitelist ${HOME}/.local/share/telegram-desktop
 whitelist ${DOWNLOADS}
 whitelist /usr/share/TelegramDesktop
 include whitelist-common.inc
diff --git a/etc/profile-m-z/termshark.profile b/etc/profile-m-z/termshark.profile
new file mode 100644
index 000000000..630d5dda6
--- /dev/null
+++ b/etc/profile-m-z/termshark.profile
@@ -0,0 +1,15 @@
+# Firejail profile for termshark
+# Description: Terminal UI for tshark, inspired by Wireshark
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include termshark.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}
+# Redirect
+include wireshark.profile
diff --git a/etc/profile-m-z/tesseract.profile b/etc/profile-m-z/tesseract.profile
index 5babfb8d2..c0293406d 100644
--- a/etc/profile-m-z/tesseract.profile
+++ b/etc/profile-m-z/tesseract.profile
@@ -26,6 +26,7 @@ include whitelist-common.inc
 include whitelist-run-common.inc
 include whitelist-runuser-common.inc
 whitelist /usr/share/tessdata
+whitelist /usr/share/tesseract-ocr
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/thunderbird-beta.profile b/etc/profile-m-z/thunderbird-beta.profile
index 46a1e57c8..e01a9d2d8 100644
--- a/etc/profile-m-z/thunderbird-beta.profile
+++ b/etc/profile-m-z/thunderbird-beta.profile
@@ -6,7 +6,7 @@ include thunderbird-beta.local
 # added by included profile
 #include globals.local
-private-opt thunderbird-beta
+whitelist /opt/thunderbird-beta
 # Redirect
 include thunderbird.profile
diff --git a/etc/profile-m-z/thunderbird.profile b/etc/profile-m-z/thunderbird.profile
index 17e2f0856..979971ac2 100644
--- a/etc/profile-m-z/thunderbird.profile
+++ b/etc/profile-m-z/thunderbird.profile
@@ -35,7 +35,7 @@ whitelist ${HOME}/.mozilla/firefox/profiles.ini
 noblacklist ${HOME}/.cache/thunderbird
 noblacklist ${HOME}/.gnupg
-# noblacklist ${HOME}/.icedove
+#noblacklist ${HOME}/.icedove
 noblacklist ${HOME}/.thunderbird
 include disable-xdg.inc
@@ -46,11 +46,11 @@ include disable-xdg.inc
 # See https://github.com/netblue30/firejail/issues/2357
 mkdir ${HOME}/.cache/thunderbird
 mkdir ${HOME}/.gnupg
-# mkdir ${HOME}/.icedove
+#mkdir ${HOME}/.icedove
 mkdir ${HOME}/.thunderbird
 whitelist ${HOME}/.cache/thunderbird
 whitelist ${HOME}/.gnupg
-# whitelist ${HOME}/.icedove
+#whitelist ${HOME}/.icedove
 whitelist ${HOME}/.thunderbird
 whitelist /usr/share/gnupg
diff --git a/etc/profile-m-z/tidal-hifi.profile b/etc/profile-m-z/tidal-hifi.profile
new file mode 100644
index 000000000..d2e23239e
--- /dev/null
+++ b/etc/profile-m-z/tidal-hifi.profile
@@ -0,0 +1,39 @@
+# Firejail profile for tidal-hifi
+# Description: The web version of Tidal running in electron with hifi support thanks to widevine.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tidal-hifi.local
+# Persistent global definitions
+include globals.local
+ignore noexec ${HOME}
+noblacklist ${HOME}/.config/tidal-hifi
+include disable-proc.inc
+include disable-shell.inc
+whitelist ${HOME}/.config/tidal-hifi
+caps.drop all
+no3d
+nonewprivs
+noprinters
+noroot
+protocol unix,inet,inet6
+seccomp !chroot
+seccomp.block-secondary
+tracelog
+private-bin chrome-sandbox,tidal-hifi
+private-etc @network,@sound,@tls-ca,@xdg
+private-opt tidal-hifi
+ignore dbus-user none
+dbus-user filter
+dbus-user.own org.mpris.MediaPlayer2.tidal-hifi
+dbus-user.talk org.freedesktop.Notifications
+join-or-start tidal-hifi
+include electron-common.profile
diff --git a/etc/profile-m-z/tiny-rdm.profile b/etc/profile-m-z/tiny-rdm.profile
new file mode 100644
index 000000000..4134d666c
--- /dev/null
+++ b/etc/profile-m-z/tiny-rdm.profile
@@ -0,0 +1,61 @@
+# Firejail profile for tiny-rdm
+# Description: A Modern Redis GUI Client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tiny-rdm.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.cache/tiny-rdm
+noblacklist ${HOME}/.config/TinyRDM
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-proc.inc
+include disable-shell.inc
+include disable-xdg.inc
+mkdir ${HOME}/.cache/tiny-rdm
+mkdir ${HOME}/.config/TinyRDM
+whitelist ${HOME}/.cache/tiny-rdm
+whitelist ${HOME}/.config/TinyRDM
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noprinters
+noroot
+notv
+nou2f
+novideo
+nosound
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+tracelog
+disable-mnt
+private-bin tiny-rdm
+private-cache
+private-dev
+private-etc @network,@tls-ca,@x11
+private-tmp
+dbus-user none
+dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/tmux.profile b/etc/profile-m-z/tmux.profile
index a855ff839..ddd2aa85f 100644
--- a/etc/profile-m-z/tmux.profile
+++ b/etc/profile-m-z/tmux.profile
@@ -12,10 +12,10 @@ blacklist ${RUNUSER}
 noblacklist /tmp/tmux-*
-# include disable-common.inc
+#include disable-common.inc
-# include disable-devel.inc
+#include disable-devel.inc
-# include disable-exec.inc
+#include disable-exec.inc
-# include disable-programs.inc
+#include disable-programs.inc
 caps.drop all
 ipc-namespace
@@ -36,9 +36,9 @@ seccomp
 seccomp.block-secondary
 tracelog
-# private-cache
+#private-cache
 private-dev
-# private-tmp
+#private-tmp
 dbus-user none
 dbus-system none
diff --git a/etc/profile-m-z/torbrowser-launcher.profile b/etc/profile-m-z/torbrowser-launcher.profile
index 86746c7f1..b9fdcf92c 100644
--- a/etc/profile-m-z/torbrowser-launcher.profile
+++ b/etc/profile-m-z/torbrowser-launcher.profile
@@ -56,13 +56,12 @@ novideo
 protocol unix,inet,inet6
 seccomp !chroot
 seccomp.block-secondary
-#tracelog - may cause issues, see #1930
+#tracelog # may cause issues, see #1930
 disable-mnt
 private-bin bash,cat,cp,cut,dirname,env,expr,file,gpg,grep,gxmessage,id,kdialog,ln,mkdir,mv,python*,rm,sed,sh,tail,tar,tclsh,test,tor-browser,tor-browser-en,torbrowser-launcher,update-desktop-database,xmessage,xz,zenity
 private-dev
 private-etc @tls-ca
-#private-opt tor-browser - can cause slow startup
 private-tmp
 dbus-user none
diff --git a/etc/profile-m-z/totem.profile b/etc/profile-m-z/totem.profile
index a4cb49171..73d3b0b6f 100644
--- a/etc/profile-m-z/totem.profile
+++ b/etc/profile-m-z/totem.profile
@@ -35,7 +35,7 @@ include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
-# apparmor - makes settings immutable
+#apparmor # makes settings immutable
 caps.drop all
 netfilter
 nogroups
@@ -55,7 +55,7 @@ private-etc @tls-ca,@x11,python*
 private-tmp
 # makes settings immutable
-# dbus-user none
+#dbus-user none
 dbus-system none
 restrict-namespaces
diff --git a/etc/profile-m-z/tracker.profile b/etc/profile-m-z/tracker.profile
index f30b0aef6..c46b00fc9 100644
--- a/etc/profile-m-z/tracker.profile
+++ b/etc/profile-m-z/tracker.profile
@@ -33,8 +33,8 @@ protocol unix
 seccomp
 tracelog
-# private-bin tracker
+#private-bin tracker
-# private-dev
+#private-dev
-# private-tmp
+#private-tmp
 restrict-namespaces
diff --git a/etc/profile-m-z/transgui.profile b/etc/profile-m-z/transgui.profile
index 645c55c3b..9f1f1c241 100644
--- a/etc/profile-m-z/transgui.profile
+++ b/etc/profile-m-z/transgui.profile
@@ -12,6 +12,7 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
+include disable-proc.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -19,7 +20,10 @@ include disable-xdg.inc
 mkdir ${HOME}/.config/transgui
 whitelist ${HOME}/.config/transgui
 whitelist ${DOWNLOADS}
+whitelist /usr/share/transgui
 include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -44,7 +48,7 @@ tracelog
 private-bin geoiplookup,geoiplookup6,transgui
 private-cache
 private-dev
-private-etc
+private-etc @network,@tls-ca,@x11
 private-lib libgdk_pixbuf-2.0.so.*,libGeoIP.so*,libgthread-2.0.so.*,libgtk-x11-2.0.so.*,libX11.so.*
 private-tmp
diff --git a/etc/profile-m-z/trojita.profile b/etc/profile-m-z/trojita.profile
index 2578eb0be..5e9e7f127 100644
--- a/etc/profile-m-z/trojita.profile
+++ b/etc/profile-m-z/trojita.profile
@@ -52,7 +52,7 @@ protocol unix,inet,inet6,netlink
 seccomp
 tracelog
-# disable-mnt
+#disable-mnt
 private-bin trojita
 private-cache
 private-dev
diff --git a/etc/profile-m-z/tshark.profile b/etc/profile-m-z/tshark.profile
index 3f5a9647e..f2273e6a7 100644
--- a/etc/profile-m-z/tshark.profile
+++ b/etc/profile-m-z/tshark.profile
@@ -7,5 +7,8 @@ include tshark.local
 # added by included profile
 #include globals.local
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}
 # Redirect
 include wireshark.profile
diff --git a/etc/profile-m-z/tutanota-desktop.profile b/etc/profile-m-z/tutanota-desktop.profile
index 55e4a4392..f0a0cacaf 100644
--- a/etc/profile-m-z/tutanota-desktop.profile
+++ b/etc/profile-m-z/tutanota-desktop.profile
@@ -22,6 +22,7 @@ mkdir ${HOME}/.config/tuta_integration
 mkdir ${HOME}/.config/tutanota-desktop
 whitelist ${HOME}/.config/tuta_integration
 whitelist ${HOME}/.config/tutanota-desktop
+whitelist /opt/tutanota-desktop
 # The lines below are needed to find the default Firefox profile name, to allow
 # opening links in an existing instance of Firefox (note that it still fails if
@@ -34,7 +35,6 @@ nosound
 ?HAS_APPIMAGE: ignore private-dev
 private-etc @tls-ca
-private-opt tutanota-desktop
 dbus-user filter
 dbus-user.talk org.freedesktop.Notifications
diff --git a/etc/profile-m-z/tvbrowser.profile b/etc/profile-m-z/tvbrowser.profile
index 518dc95c7..16162f989 100644
--- a/etc/profile-m-z/tvbrowser.profile
+++ b/etc/profile-m-z/tvbrowser.profile
@@ -1,5 +1,5 @@
 # Firejail profile for tvbrowser
-# Description: java tv programm form tvbrowser.org
+# Description: java tv program form tvbrowser.org
 # This file is overwritten after every install/update
 # Persistent local customizations
 include tvbrowser.local
diff --git a/etc/profile-m-z/twitch.profile b/etc/profile-m-z/twitch.profile
index d53acdaf7..55106d622 100644
--- a/etc/profile-m-z/twitch.profile
+++ b/etc/profile-m-z/twitch.profile
@@ -1,5 +1,5 @@
 # Firejail profile for twitch
-# Description: Unofficial electron based desktop warpper for Twitch
+# Description: Unofficial electron based desktop wrapper for Twitch
 # This file is overwritten after every install/update
 # Persistent local customizations
 include twitch.local
@@ -16,10 +16,10 @@ include disable-shell.inc
 mkdir ${HOME}/.config/Twitch
 whitelist ${HOME}/.config/Twitch
+whitelist /opt/Twitch
 private-bin electron,electron[0-9],electron[0-9][0-9],twitch
 private-etc @tls-ca,@x11,bumblebee,host.conf,mime.types
-private-opt Twitch
 # Redirect
 include electron-common.profile
diff --git a/etc/profile-m-z/udiskie.profile b/etc/profile-m-z/udiskie.profile
index c182326bb..175ae4591 100644
--- a/etc/profile-m-z/udiskie.profile
+++ b/etc/profile-m-z/udiskie.profile
@@ -36,8 +36,8 @@ tracelog
 private-bin awk,cut,dbus-send,egrep,file,grep,head,python*,readlink,sed,sh,udiskie,uname,which,xdg-mime,xdg-open,xprop
 # add your configured file browser in udiskie.local, e. g.
-# private-bin nautilus
+#private-bin nautilus
-# private-bin thunar
+#private-bin thunar
 private-cache
 private-dev
 private-etc @x11,mime.types
diff --git a/etc/profile-m-z/unknown-horizons.profile b/etc/profile-m-z/unknown-horizons.profile
index 3e2b28dec..4e7dc3705 100644
--- a/etc/profile-m-z/unknown-horizons.profile
+++ b/etc/profile-m-z/unknown-horizons.profile
@@ -34,11 +34,11 @@ protocol unix,inet,inet6,netlink
 seccomp
 disable-mnt
-# private-bin unknown-horizons
+#private-bin unknown-horizons
 private-dev
-# private-etc alternatives,ca-certificates,crypto-policies,pki,ssl
+#private-etc alternatives,ca-certificates,crypto-policies,pki,ssl
 private-tmp
 # doesn't work - maybe all Tcl/Tk programs have this problem
-# memory-deny-write-execute
+#memory-deny-write-execute
 restrict-namespaces
diff --git a/etc/profile-m-z/viewnior.profile b/etc/profile-m-z/viewnior.profile
index aa8199442..8c6efaa1c 100644
--- a/etc/profile-m-z/viewnior.profile
+++ b/etc/profile-m-z/viewnior.profile
@@ -49,5 +49,5 @@ private-tmp
 dbus-user none
 dbus-system none
-#memory-deny-write-execute - breaks on Arch (see issues #1803 and #1808)
+#memory-deny-write-execute # breaks on Arch (see issues #1803 and #1808)
 restrict-namespaces
diff --git a/etc/profile-m-z/virtualbox.profile b/etc/profile-m-z/virtualbox.profile
index ae8afbbf1..b768a635a 100644
--- a/etc/profile-m-z/virtualbox.profile
+++ b/etc/profile-m-z/virtualbox.profile
@@ -9,7 +9,7 @@ include globals.local
 noblacklist ${HOME}/.VirtualBox
 noblacklist ${HOME}/.config/VirtualBox
 noblacklist ${HOME}/VirtualBox VMs
-# noblacklist /usr/bin/virtualbox
+#noblacklist /usr/bin/virtualbox
 noblacklist /usr/lib/virtualbox
 noblacklist /usr/lib64/virtualbox
diff --git a/etc/profile-m-z/warzone2100.profile b/etc/profile-m-z/warzone2100.profile
index 79ba41d44..a7b0f5f1d 100644
--- a/etc/profile-m-z/warzone2100.profile
+++ b/etc/profile-m-z/warzone2100.profile
@@ -15,7 +15,7 @@ include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
-#include disable-shell.inc - problems on Debian 11
+#include disable-shell.inc # problems on Debian 11
 mkdir ${HOME}/.local/share/warzone2100
 mkdir ${HOME}/.local/share/warzone2100-3.3.0
diff --git a/etc/profile-m-z/wine.profile b/etc/profile-m-z/wine.profile
index 1e2b164b9..33f404464 100644
--- a/etc/profile-m-z/wine.profile
+++ b/etc/profile-m-z/wine.profile
@@ -20,23 +20,23 @@ include disable-devel.inc
 include disable-interpreters.inc
 include disable-programs.inc
-# whitelist /usr/share/wine
+#whitelist /usr/share/wine
-# include whitelist-usr-share-common.inc
+#include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 # Some applications don't need allow-debuggers. Add 'ignore allow-debuggers' to your wine.local if you want to override this.
 allow-debuggers
 caps.drop all
-# net none
+#net none
 netfilter
 nodvd
 nogroups
 noinput
 nonewprivs
 noroot
-# nosound
+#nosound
 notv
-# novideo
+#novideo
 seccomp
 private-dev
diff --git a/etc/profile-m-z/wireshark.profile b/etc/profile-m-z/wireshark.profile
index d1b757a25..55c4e6ac7 100644
--- a/etc/profile-m-z/wireshark.profile
+++ b/etc/profile-m-z/wireshark.profile
@@ -9,6 +9,7 @@ include globals.local
 noblacklist ${HOME}/.config/wireshark
 noblacklist ${HOME}/.wireshark
 noblacklist ${DOCUMENTS}
+noblacklist ${PATH}/dumpcap
 # Allow lua (blacklisted by disable-interpreters.inc)
 include allow-lua.inc
@@ -25,29 +26,30 @@ include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 apparmor
-# caps.drop all
+#caps.drop all
 caps.keep dac_override,dac_read_search,net_admin,net_raw
 netfilter
 no3d
-# nogroups - breaks network traffic capture for unprivileged users
+#nogroups # breaks network traffic capture for unprivileged users
 noinput
-# nonewprivs - breaks network traffic capture for unprivileged users
+#nonewprivs # breaks network traffic capture for unprivileged users
-# noroot
+#noroot
 nodvd
 nosound
 notv
 nou2f
 novideo
-# protocol unix,inet,inet6,netlink,packet,bluetooth - commented out in case they bring in new protocols
+# commented out in case they bring in new protocols
+#protocol unix,inet,inet6,netlink,packet,bluetooth
 #seccomp
 tracelog
-# private-bin wireshark
+#private-bin wireshark
 private-cache
 # private-dev prevents (some) interfaces from being shown.
 # Add the below line to your wirehsark.local if you only want to inspect pcap files.
 #private-dev
-# private-etc alternatives,ca-certificates,crypto-policies,fonts,group,hosts,machine-id,passwd,pki,resolv.conf,ssl
+#private-etc alternatives,ca-certificates,crypto-policies,fonts,group,hosts,machine-id,passwd,pki,resolv.conf,ssl
 private-tmp
 dbus-user none
diff --git a/etc/profile-m-z/xed.profile b/etc/profile-m-z/xed.profile
index dda803bd5..b47437e2d 100644
--- a/etc/profile-m-z/xed.profile
+++ b/etc/profile-m-z/xed.profile
@@ -23,10 +23,10 @@ include disable-shell.inc
 include whitelist-var-common.inc
-# apparmor - makes settings immutable
+#apparmor # makes settings immutable
 caps.drop all
 machine-id
-# net none - makes settings immutable
+#net none # makes settings immutable
 no3d
 nodvd
 nogroups
@@ -46,9 +46,9 @@ private-dev
 private-tmp
 # makes settings immutable
-# dbus-user none
+#dbus-user none
-# dbus-system none
+#dbus-system none
 # xed uses python plugins, memory-deny-write-execute breaks python
-# memory-deny-write-execute
+#memory-deny-write-execute
 restrict-namespaces
diff --git a/etc/profile-m-z/xfburn.profile b/etc/profile-m-z/xfburn.profile
index 141fda909..96edc15ab 100644
--- a/etc/profile-m-z/xfburn.profile
+++ b/etc/profile-m-z/xfburn.profile
@@ -25,8 +25,8 @@ protocol unix
 seccomp
 tracelog
-# private-bin xfburn
+#private-bin xfburn
-# private-dev
+#private-dev
-# private-tmp
+#private-tmp
 restrict-namespaces
diff --git a/etc/profile-m-z/xfce4-mixer.profile b/etc/profile-m-z/xfce4-mixer.profile
index 9c4fa8293..6c3a5812b 100644
--- a/etc/profile-m-z/xfce4-mixer.profile
+++ b/etc/profile-m-z/xfce4-mixer.profile
@@ -53,5 +53,5 @@ dbus-user.own org.xfce.xfce4-mixer
 dbus-user.talk org.xfce.Xfconf
 dbus-system none
-# memory-deny-write-execute - breaks on Arch
+#memory-deny-write-execute # breaks on Arch
 restrict-namespaces
diff --git a/etc/profile-m-z/xfce4-screenshooter.profile b/etc/profile-m-z/xfce4-screenshooter.profile
index 4d841b35c..9094a7872 100644
--- a/etc/profile-m-z/xfce4-screenshooter.profile
+++ b/etc/profile-m-z/xfce4-screenshooter.profile
@@ -47,5 +47,5 @@ private-tmp
 dbus-user none
 dbus-system none
-# memory-deny-write-execute -- see #3790
+#memory-deny-write-execute # see #3790
 restrict-namespaces
diff --git a/etc/profile-m-z/xmr-stak.profile b/etc/profile-m-z/xmr-stak.profile
index b8bf0ae96..06f0b5833 100644
--- a/etc/profile-m-z/xmr-stak.profile
+++ b/etc/profile-m-z/xmr-stak.profile
@@ -16,6 +16,7 @@ include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.xmr-stak
+whitelist /opt/cuda
 include whitelist-var-common.inc
 caps.drop all
@@ -39,7 +40,6 @@ private-bin xmr-stak
 private-dev
 private-etc @tls-ca
 #private-lib libxmrstak_opencl_backend,libxmrstak_cuda_backend
-private-opt cuda
 private-tmp
 memory-deny-write-execute
diff --git a/etc/profile-m-z/xplayer.profile b/etc/profile-m-z/xplayer.profile
index a673d6aa3..9741888f0 100644
--- a/etc/profile-m-z/xplayer.profile
+++ b/etc/profile-m-z/xplayer.profile
@@ -27,7 +27,7 @@ include whitelist-common.inc
 include whitelist-player-common.inc
 include whitelist-var-common.inc
-# apparmor - makes settings immutable
+#apparmor # makes settings immutable
 caps.drop all
 netfilter
 nogroups
@@ -41,11 +41,11 @@ tracelog
 private-bin xplayer,xplayer-audio-preview,xplayer-video-thumbnailer
 private-dev
-# private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,machine-id,pki,pulse,ssl
+#private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,machine-id,pki,pulse,ssl
 private-tmp
 # makes settings immutable
-# dbus-user none
+#dbus-user none
-# dbus-system none
+#dbus-system none
 restrict-namespaces
diff --git a/etc/profile-m-z/xpra.profile b/etc/profile-m-z/xpra.profile
index 05c12b9a2..b00307394 100644
--- a/etc/profile-m-z/xpra.profile
+++ b/etc/profile-m-z/xpra.profile
@@ -45,11 +45,11 @@ seccomp
 disable-mnt
 # private home directory doesn't work on some distros, so we go for a regular home
-# private
+#private
 # older Xpra versions also use Xvfb
-# private-bin bash,cat,dbus-launch,ldconfig,ls,pactl,python*,sh,strace,which,xauth,xkbcomp,Xorg,xpra,Xvfb
+#private-bin bash,cat,dbus-launch,ldconfig,ls,pactl,python*,sh,strace,which,xauth,xkbcomp,Xorg,xpra,Xvfb
 private-dev
-# private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,machine-id,nsswitch.conf,resolv.conf,X11,xpra
+#private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,machine-id,nsswitch.conf,resolv.conf,X11,xpra
 private-tmp
 restrict-namespaces
diff --git a/etc/profile-m-z/xreader.profile b/etc/profile-m-z/xreader.profile
index 6edbf9357..cad836fdc 100644
--- a/etc/profile-m-z/xreader.profile
+++ b/etc/profile-m-z/xreader.profile
@@ -18,9 +18,9 @@ include disable-programs.inc
 include disable-xdg.inc
 # Breaks xreader on Mint 18.3
-# include whitelist-var-common.inc
+#include whitelist-var-common.inc
-# apparmor
+#apparmor
 caps.drop all
 no3d
 nodvd
diff --git a/etc/profile-m-z/xviewer.profile b/etc/profile-m-z/xviewer.profile
index 6c31df4a9..575c1bf68 100644
--- a/etc/profile-m-z/xviewer.profile
+++ b/etc/profile-m-z/xviewer.profile
@@ -19,9 +19,9 @@ include disable-shell.inc
 include whitelist-var-common.inc
-# apparmor - makes settings immutable
+#apparmor # makes settings immutable
 caps.drop all
-# net none - makes settings immutable
+#net none # makes settings immutable
 no3d
 nodvd
 nogroups
@@ -42,8 +42,8 @@ private-lib
 private-tmp
 # makes settings immutable
-# dbus-user none
+#dbus-user none
-# dbus-system none
+#dbus-system none
 memory-deny-write-execute
 restrict-namespaces
diff --git a/etc/profile-m-z/yelp.profile b/etc/profile-m-z/yelp.profile
index f5dd0c309..f957954dd 100644
--- a/etc/profile-m-z/yelp.profile
+++ b/etc/profile-m-z/yelp.profile
@@ -33,16 +33,14 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
-# machine-id breaks sound - add the next line to your yelp.local if you don't need sound support.
+#machine-id # add this to your yelp.local if you don't need sound support.
-#machine-id
 net none
 nodvd
 nogroups
 noinput
 nonewprivs
 noroot
-# nosound - add the next line to your yelp.local if you don't need sound support.
+#nosound # add this to your yelp.local if you don't need sound support.
-#nosound
 notv
 nou2f
 novideo
diff --git a/etc/profile-m-z/youtube.profile b/etc/profile-m-z/youtube.profile
index 4d1e9a063..0fb87f747 100644
--- a/etc/profile-m-z/youtube.profile
+++ b/etc/profile-m-z/youtube.profile
@@ -1,5 +1,5 @@
 # Firejail profile for youtube
-# Description: Unofficial electron based desktop warpper for YouTube
+# Description: Unofficial electron based desktop wrapper for YouTube
 # This file is overwritten after every install/update
 # Persistent local customizations
 include youtube.local
@@ -15,10 +15,10 @@ include disable-shell.inc
 mkdir ${HOME}/.config/Youtube
 whitelist ${HOME}/.config/Youtube
+whitelist /opt/Youtube
 private-bin electron,electron[0-9],electron[0-9][0-9],youtube
 private-etc @tls-ca,@x11,bumblebee,host.conf,mime.types
-private-opt Youtube
 # Redirect
 include electron-common.profile
diff --git a/etc/profile-m-z/youtubemusic-nativefier.profile b/etc/profile-m-z/youtubemusic-nativefier.profile
index cfee8c426..e5ece41bc 100644
--- a/etc/profile-m-z/youtubemusic-nativefier.profile
+++ b/etc/profile-m-z/youtubemusic-nativefier.profile
@@ -1,8 +1,8 @@
 # Firejail profile for youtubemusic-nativefier
-# Description: Unofficial electron based desktop warpper for YouTube Music
+# Description: Unofficial electron based desktop wrapper for YouTube Music
 # This file is overwritten after every install/update
 # Persistent local customizations
-include youtube.local
+include youtubemusic-nativefier.local
 # Persistent global definitions
 include globals.local
@@ -12,10 +12,10 @@ include disable-shell.inc
 mkdir ${HOME}/.config/youtubemusic-nativefier-040164
 whitelist ${HOME}/.config/youtubemusic-nativefier-040164
+whitelist /opt/youtubemusic-nativefier
 private-bin electron,electron[0-9],electron[0-9][0-9],youtubemusic-nativefier
 private-etc @tls-ca,@x11,bumblebee,host.conf,mime.types
-private-opt youtubemusic-nativefier
 # Redirect
 include electron-common.profile
diff --git a/etc/profile-m-z/ytmdesktop.profile b/etc/profile-m-z/ytmdesktop.profile
index de07e3ddf..ccf5f1e63 100644
--- a/etc/profile-m-z/ytmdesktop.profile
+++ b/etc/profile-m-z/ytmdesktop.profile
@@ -13,9 +13,9 @@ noblacklist ${HOME}/.config/youtube-music-desktop-app
 mkdir ${HOME}/.config/youtube-music-desktop-app
 whitelist ${HOME}/.config/youtube-music-desktop-app
-# private-bin env,ytmdesktop
+#private-bin env,ytmdesktop
 private-etc @tls-ca,@x11,bumblebee,host.conf,mime.types
-# private-opt
+#private-opt
 # Redirect
 include electron-common.profile
diff --git a/etc/profile-m-z/zeal.profile b/etc/profile-m-z/zeal.profile
index 09a1d37a3..d576dbefd 100644
--- a/etc/profile-m-z/zeal.profile
+++ b/etc/profile-m-z/zeal.profile
@@ -67,5 +67,5 @@ dbus-user.talk org.mozilla.*
 ?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
 dbus-system none
-# memory-deny-write-execute - breaks on Arch
+#memory-deny-write-execute # breaks on Arch
 restrict-namespaces