1048 files changed, 5678 insertions, 800 deletions
diff --git a/etc/Thunar.profile b/etc/Thunar.profile
deleted file mode 100644
index 761440ccc..000000000
--- a/etc/Thunar.profile
+++ /dev/null
@@ -1,33 +0,0 @@
-# Firejail profile for Thunar
-# Description: File Manager for Xfce
-# This file is overwritten after every install/update
-# Persistent local customizations
-include Thunar.local
-# Persistent global definitions
-include globals.local
-noblacklist ${HOME}/.local/share/Trash
-noblacklist ${HOME}/.config/Thunar
-noblacklist ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml
-include disable-common.inc
-include disable-devel.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-# include disable-programs.inc
-allusers
-caps.drop all
-netfilter
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
diff --git a/etc/firejail-default b/etc/apparmor/firejail-default
index 763b838d3..04a38f0ce 100644
--- a/etc/firejail-default
+++ b/etc/apparmor/firejail-default
@@ -19,6 +19,8 @@ profile firejail-default flags=(attach_disconnected,mediate_deleted) {
 #include <abstractions/dbus-strict>
 #include <abstractions/dbus-session-strict>
 dbus,
+# Add rule in order to avoid dbus-*=filter breakage (#3432)
+owner /{,var/}run/firejail/dbus/[0-9]*/[0-9]*-user w,
 ##########
 # With ptrace it is possible to inspect and hijack running programs.
@@ -47,6 +49,10 @@ owner /{,run/firejail/mnt/oroot/}{,var/}run/firejail/mnt/trace w,
 owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]*/** w,
 owner /{,run/firejail/mnt/oroot/}{run,dev}/shm/** w,
+# Allow writing to /var/mail and /var/spool/mail (for mail clients)
+# Uncomment to enable
+#owner /var/{mail,spool/mail}/** w,
 # Allow writing to removable media
 owner /{,var/}run/media/** w,
@@ -65,6 +71,8 @@ owner /proc/@{PID}/{uid_map,gid_map,setgroups} w,
 # Needed for electron apps
 /proc/@{PID}/comm w,
+# Needed for nslookup, dig, host
+/proc/@{PID}/task/@{PID}/comm w,
 # Used by chromium
 owner /proc/@{PID}/oom_score_adj w,
diff --git a/etc/firejail-local b/etc/apparmor/firejail-local
index f086653f8..f086653f8 100644
--- a/etc/firejail-local
+++ b/etc/apparmor/firejail-local
diff --git a/etc/caja.profile b/etc/caja.profile
deleted file mode 100644
index 7bf901ae3..000000000
--- a/etc/caja.profile
+++ /dev/null
@@ -1,43 +0,0 @@
-# Firejail profile for caja
-# Description: File manager for the MATE desktop
-# This file is overwritten after every install/update
-# Persistent local customizations
-include caja.local
-# Persistent global definitions
-include globals.local
-# Caja is started by systemd on most systems. Therefore it is not firejailed by default. Since there
-# is already a caja process running on MATE desktops firejail will have no effect.
-noblacklist ${HOME}/.local/share/Trash
-# noblacklist ${HOME}/.config/caja - disable-programs.inc is disabled, see below
-# noblacklist ${HOME}/.local/share/caja-python
-# Allow python (blacklisted by disable-interpreters.inc)
-include allow-python2.inc
-include allow-python3.inc
-include disable-common.inc
-include disable-devel.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-# include disable-programs.inc
-allusers
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-# caja needs to be able to start arbitrary applications so we cannot blacklist their files
-# private-bin caja
-# private-dev
-# private-tmp
diff --git a/etc/dolphin.profile b/etc/dolphin.profile
deleted file mode 100644
index 0e5a6e6fe..000000000
--- a/etc/dolphin.profile
+++ /dev/null
@@ -1,39 +0,0 @@
-# Firejail profile for dolphin
-# Description: File manager
-# This file is overwritten after every install/update
-# Persistent local customizations
-include dolphin.local
-# Persistent global definitions
-include globals.local
-noblacklist ${HOME}/.local/share/Trash
-# noblacklist ${HOME}/.cache/dolphin - disable-programs.inc is disabled, see below
-# noblacklist ${HOME}/.config/dolphinrc
-# noblacklist ${HOME}/.local/share/dolphin
-include disable-common.inc
-include disable-devel.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-# dolphin needs to be able to start arbitrary applications so we cannot blacklist their files
-# include disable-programs.inc
-allusers
-caps.drop all
-# net none
-netfilter
-nodvd
-nogroups
-nonewprivs
-# Comment the next line (or put 'ignore noroot' in your dolphin.local) if you use MPV+Vulkan (see issue #3012)
-noroot
-notv
-novideo
-protocol unix,inet,inet6,netlink
-seccomp
-shell none
-private-dev
-# private-tmp
-join-or-start dolphin
diff --git a/etc/firejail.config b/etc/firejail.config
index 6fb7d829a..731e744dd 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -27,7 +27,7 @@
 # Enable or disable chroot support, default enabled.
 # chroot yes
-# Enable or disable dbus handling by --nodbus flag, default enabled.
+# Enable or disable dbus handling, default enabled.
 # dbus yes
 # Disable /mnt, /media, /run/mount and /run/media access. By default access
@@ -70,6 +70,13 @@
 # Enable or disable sandbox name change, default enabled.
 # name-change yes
+# Change default netfilter configuration. When using --netfilter option without
+# a file argument, the default filter is hardcoded (see man 1 firejail). This
+# configuration entry allows the user to change the default by specifying
+# a file containing the filter configuration. The filter file format is the
+# format of  iptables-save  and iptable-restore commands. Example:
+# netfilter-default /etc/iptables.iptables.rules
 # Enable or disable networking features, default enabled.
 # network yes
@@ -79,12 +86,12 @@
 # Remove /usr/local directories from private-bin list, default disabled.
 # private-bin-no-local no
-# Enable or disable private-home feature, default enabled
-# private-home yes
 # Enable or disable private-cache feature, default enabled
 # private-cache yes
+# Enable or disable private-home feature, default enabled
+# private-home yes
 # Enable or disable private-lib feature, default enabled
 # private-lib yes
@@ -97,16 +104,12 @@
 # --netfilter only to root user. Regular users are only allowed --net=none.
 # restricted-network no
-# Change default netfilter configuration. When using --netfilter option without
-# a file argument, the default filter is hardcoded (see man 1 firejail). This
-# configuration entry allows the user to change the default by specifying
-# a file containing the filter configuration. The filter file format is the
-# format of  iptables-save  and iptable-restore commands. Example:
-# netfilter-default /etc/iptables.iptables.rules
 # Enable or disable seccomp support, default enabled.
 # seccomp yes
+# Seccomp error action, kill, log or errno (EPERM, ENOSYS etc)
+# seccomp-error-action EPERM
 # Enable or disable user namespace support, default enabled.
 # userns yes
@@ -116,6 +119,10 @@
 # Enable or disable X11 sandboxing support, default enabled.
 # x11 yes
+# Xephyr command extra parameters. None by default; these are examples.
+# xephyr-extra-params -keybd ephyr,,,xkbmodel=evdev
+# xephyr-extra-params -grayscale
 # Screen size for --x11=xephyr, default 800x600. Run /usr/bin/xrandr for
 # a full list of resolutions available on your specific setup.
 # xephyr-screen 640x480
@@ -126,17 +133,13 @@
 # Firejail window title in Xephyr, default enabled.
 # xephyr-window-title yes
-# Xephyr command extra parameters. None by default; these are examples.
-# xephyr-extra-params -keybd ephyr,,,xkbmodel=evdev
-# xephyr-extra-params -grayscale
-# Xpra server command extra parameters. None by default; this is an example.
-# xpra-extra-params --dpi 96
 # Enable this option if you have a version of Xpra that supports --attach switch
 # for start command, default disabled.
 # xpra-attach no
+# Xpra server command extra parameters. None by default; this is an example.
+# xpra-extra-params --dpi 96
 # Screen size for --x11=xvfb, default 800x600x24.  The third dimension is
 # color depth; use 24 unless you know exactly what you're doing.
 # xvfb-screen 640x480x24
diff --git a/etc/allow-common-devel.inc b/etc/inc/allow-common-devel.inc
index 63174eda6..7cd087b14 100644
--- a/etc/allow-common-devel.inc
+++ b/etc/inc/allow-common-devel.inc
@@ -12,10 +12,16 @@ noblacklist ${HOME}/.gradle
 noblacklist ${HOME}/.java
 # Python
+noblacklist ${HOME}/.pylint.d
 noblacklist ${HOME}/.python-history
 noblacklist ${HOME}/.python_history
 noblacklist ${HOME}/.pythonhist
 # Rust
+noblacklist ${HOME}/.cargo/advisory-db
 noblacklist ${HOME}/.cargo/config
+noblacklist ${HOME}/.cargo/git
 noblacklist ${HOME}/.cargo/registry
+noblacklist ${HOME}/.cargo/.crates.toml
+noblacklist ${HOME}/.cargo/.crates2.json
+noblacklist ${HOME}/.cargo/.package-cache
diff --git a/etc/allow-gjs.inc b/etc/inc/allow-gjs.inc
index f552ede9d..f4f9926cd 100644
--- a/etc/allow-gjs.inc
+++ b/etc/inc/allow-gjs.inc
@@ -8,3 +8,4 @@ noblacklist /usr/lib/gjs
 noblacklist /usr/lib64/gjs
 noblacklist /usr/lib/libgjs*
 noblacklist /usr/lib64/libgjs*
+noblacklist /usr/lib64/libmozjs-*
diff --git a/etc/allow-java.inc b/etc/inc/allow-java.inc
index 24d18fb77..24d18fb77 100644
--- a/etc/allow-java.inc
+++ b/etc/inc/allow-java.inc
diff --git a/etc/allow-lua.inc b/etc/inc/allow-lua.inc
index fbdee22ee..9df8e8d32 100644
--- a/etc/allow-lua.inc
+++ b/etc/inc/allow-lua.inc
@@ -3,6 +3,8 @@
 include allow-lua.local
 noblacklist ${PATH}/lua*
-noblacklist /usr/include/lua*
+noblacklist /usr/include
+noblacklist /usr/lib/liblua*
 noblacklist /usr/lib/lua
 noblacklist /usr/share/lua
+noblacklist /usr/share/lua*
diff --git a/etc/allow-perl.inc b/etc/inc/allow-perl.inc
index f44e1e3cc..f44e1e3cc 100644
--- a/etc/allow-perl.inc
+++ b/etc/inc/allow-perl.inc
diff --git a/etc/allow-php.inc b/etc/inc/allow-php.inc
index a0950dc26..a0950dc26 100644
--- a/etc/allow-php.inc
+++ b/etc/inc/allow-php.inc
diff --git a/etc/allow-python2.inc b/etc/inc/allow-python2.inc
index b0525e2e1..b0525e2e1 100644
--- a/etc/allow-python2.inc
+++ b/etc/inc/allow-python2.inc
diff --git a/etc/allow-python3.inc b/etc/inc/allow-python3.inc
index d968886b0..d968886b0 100644
--- a/etc/allow-python3.inc
+++ b/etc/inc/allow-python3.inc
diff --git a/etc/allow-ruby.inc b/etc/inc/allow-ruby.inc
index a8c701219..a8c701219 100644
--- a/etc/allow-ruby.inc
+++ b/etc/inc/allow-ruby.inc
diff --git a/etc/disable-common.inc b/etc/inc/disable-common.inc
index bf29cd137..c7516ab42 100644
--- a/etc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -64,8 +64,9 @@ blacklist /etc/xdg/autostart
 read-only ${HOME}/.Xauthority
 # Session manager
-?HAS_X11: blacklist ${HOME}/.ICEauthority
+# see #3358
-?HAS_X11: blacklist /tmp/.ICE-unix
+#?HAS_X11: blacklist ${HOME}/.ICEauthority
+#?HAS_X11: blacklist /tmp/.ICE-unix
 # KDE config
 blacklist ${HOME}/.config/khotkeysrc
@@ -136,21 +137,27 @@ read-only ${HOME}/.local/share/kssl
 blacklist ${RUNUSER}/*.slave-socket
 blacklist ${RUNUSER}/kdeinit5__*
 blacklist ${RUNUSER}/kdesud_*
-?HAS_NODBUS: blacklist ${RUNUSER}/ksocket-*
+# see #3358
-?HAS_NODBUS: blacklist /tmp/ksocket-*
+#?HAS_NODBUS: blacklist ${RUNUSER}/ksocket-*
+#?HAS_NODBUS: blacklist /tmp/ksocket-*
 # gnome
 # contains extensions, last used times of applications, and notifications
 blacklist ${HOME}/.local/share/gnome-shell
 # no direct modification of dconf database
 read-only ${HOME}/.config/dconf
+blacklist ${RUNUSER}/gnome-session-leader-fifo
+blacklist ${RUNUSER}/gnome-shell
+blacklist ${RUNUSER}/gsconnect
 # systemd
 blacklist ${HOME}/.config/systemd
 blacklist ${HOME}/.local/share/systemd
 blacklist /var/lib/systemd
-# blacklist /var/run/systemd
+blacklist ${PATH}/systemd-run
+blacklist ${RUNUSER}/systemd
 # creates problems on Arch where /etc/resolv.conf is a symlink to /var/run/systemd/resolve/resolv.conf
+#blacklist /var/run/systemd
 # openrc
 blacklist /etc/runlevels/
@@ -166,6 +173,21 @@ blacklist ${HOME}/VirtualBox VMs
 blacklist ${HOME}/.config/gnome-boxes
 blacklist ${HOME}/.local/share/gnome-boxes
+# libvirt
+blacklist ${HOME}/.cache/libvirt
+blacklist ${HOME}/.config/libvirt
+blacklist ${RUNUSER}/libvirt
+blacklist /var/cache/libvirt
+blacklist /var/lib/libvirt
+blacklist /var/log/libvirt
+# OCI-Containers / Podman
+blacklist ${RUNUSER}/containers
+blacklist ${RUNUSER}/crun
+blacklist ${RUNUSER}/libpod
+blacklist ${RUNUSER}/runc
+blacklist ${RUNUSER}/toolbox
 # VeraCrypt
 blacklist ${HOME}/.VeraCrypt
 blacklist ${PATH}/veracrypt
@@ -300,13 +322,17 @@ read-only ${HOME}/bin
 read-only ${HOME}/.bin
 read-only ${HOME}/.local/bin
 read-only ${HOME}/.cargo/bin
-read-only ${HOME}/.cargo/env
 # Write-protection for desktop entries
 read-only ${HOME}/.config/menus
 read-only ${HOME}/.gnome/apps
 read-only ${HOME}/.local/share/applications
+read-only ${HOME}/.config/mimeapps.list
+read-only ${HOME}/.config/user-dirs.dirs
+read-only ${HOME}/.config/user-dirs.locale
+read-only ${HOME}/.local/share/mime
 # Write-protection for thumbnailer dir
 read-only ${HOME}/.local/share/thumbnailers
@@ -376,6 +402,7 @@ blacklist /usr/sbin
 # system management
 blacklist ${PATH}/at
+blacklist ${PATH}/busybox
 blacklist ${PATH}/chage
 blacklist ${PATH}/chfn
 blacklist ${PATH}/chsh
@@ -443,14 +470,30 @@ blacklist /vmlinuz*
 blacklist /.snapshots
 # flatpak
+blacklist ${HOME}/.cache/flatpak
 blacklist ${HOME}/.config/flatpak
-blacklist ${HOME}/.local/share/flatpak
+blacklist ${HOME}/.local/share/flatpak/app
+blacklist ${HOME}/.local/share/flatpak/appstream
+blacklist ${HOME}/.local/share/flatpak/db
+read-only ${HOME}/.local/share/flatpak/exports
+blacklist ${HOME}/.local/share/flatpak/oci
+blacklist ${HOME}/.local/share/flatpak/overrides
+blacklist ${HOME}/.local/share/flatpak/repo
+blacklist ${HOME}/.local/share/flatpak/runtime
 blacklist ${HOME}/.var
+blacklist ${RUNUSER}/app
+blacklist ${RUNUSER}/doc
+blacklist ${RUNUSER}/.dbus-proxy
+blacklist ${RUNUSER}/.flatpak
+blacklist ${RUNUSER}/.flatpak-helper
 blacklist /usr/share/flatpak
 blacklist /var/lib/flatpak
 # most of the time bwrap is SUID binary
 blacklist ${PATH}/bwrap
+# snap
+blacklist ${RUNUSER}/snapd-session-agent.socket
 # mail directories used by mutt
 blacklist ${HOME}/.Mail
 blacklist ${HOME}/.mail
@@ -462,3 +505,22 @@ blacklist ${HOME}/sent
 # kernel configuration
 blacklist /proc/config.gz
+# prevent DNS malware attempting to communicate with the server
+# using regular DNS tools
+blacklist ${PATH}/dig
+blacklist ${PATH}/kdig
+blacklist ${PATH}/nslookup
+blacklist ${PATH}/host
+blacklist ${PATH}/dlint
+blacklist ${PATH}/dnswalk
+blacklist ${PATH}/dns2tcp
+blacklist ${PATH}/iodine
+blacklist ${PATH}/knsupdate
+blacklist ${PATH}/resolvectl
+# rest of ${RUNUSER}
+blacklist ${RUNUSER}/*.lock
+blacklist ${RUNUSER}/inaccessible
+blacklist ${RUNUSER}/update-notifier.pid
+blacklist ${RUNUSER}/pk-debconf-socket
diff --git a/etc/disable-devel.inc b/etc/inc/disable-devel.inc
index 59df9fb0f..e1ba13380 100644
--- a/etc/disable-devel.inc
+++ b/etc/inc/disable-devel.inc
@@ -26,7 +26,6 @@ blacklist ${PATH}/*-gcc*
 blacklist ${PATH}/*-g++*
 blacklist ${PATH}/*-gcc*
 blacklist ${PATH}/*-g++*
-blacklist /usr/include
 # seems to create problems on Gentoo
 #blacklist /usr/lib/gcc
diff --git a/etc/disable-exec.inc b/etc/inc/disable-exec.inc
index ee3391730..ee3391730 100644
--- a/etc/disable-exec.inc
+++ b/etc/inc/disable-exec.inc
diff --git a/etc/disable-interpreters.inc b/etc/inc/disable-interpreters.inc
index ae539e1bc..59e9c7de3 100644
--- a/etc/disable-interpreters.inc
+++ b/etc/inc/disable-interpreters.inc
@@ -13,8 +13,12 @@ blacklist /usr/lib64/libgjs*
 # Lua
 blacklist ${PATH}/lua*
 blacklist /usr/include/lua*
+blacklist /usr/lib/liblua*
 blacklist /usr/lib/lua
-blacklist /usr/share/lua
+blacklist /usr/share/lua*
+# mozjs
+blacklist /usr/lib64/libmozjs-*
 # Node.js
 blacklist ${PATH}/node
diff --git a/etc/disable-passwdmgr.inc b/etc/inc/disable-passwdmgr.inc
index 316378cb8..316378cb8 100644
--- a/etc/disable-passwdmgr.inc
+++ b/etc/inc/disable-passwdmgr.inc
diff --git a/etc/disable-programs.inc b/etc/inc/disable-programs.inc
index db257c1b6..e5dd9cb59 100644
--- a/etc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -8,6 +8,9 @@ blacklist ${HOME}/Monero/wallets
 blacklist ${HOME}/Nextcloud/Notes
 blacklist ${HOME}/SoftMaker
 blacklist ${HOME}/Standard Notes Backups
+blacklist ${HOME}/TeamSpeak3-Client-linux_x86
+blacklist ${HOME}/TeamSpeak3-Client-linux_amd64
+blacklist ${HOME}/hyperrogue.ini
 blacklist ${HOME}/mps
 blacklist ${HOME}/wallet.dat
 blacklist ${HOME}/.*coin
@@ -51,8 +54,13 @@ blacklist ${HOME}/.bibletime
 blacklist ${HOME}/.bitcoin
 blacklist ${HOME}/.bogofilter
 blacklist ${HOME}/.bzf
-blacklist ${HOME}/.cargo/registry
+blacklist ${HOME}/.cargo/advisory-db
 blacklist ${HOME}/.cargo/config
+blacklist ${HOME}/.cargo/git
+blacklist ${HOME}/.cargo/registry
+blacklist ${HOME}/.cargo/.crates.toml
+blacklist ${HOME}/.cargo/.crates2.json
+blacklist ${HOME}/.cargo/.package-cache
 blacklist ${HOME}/.claws-mail
 blacklist ${HOME}/.cliqz
 blacklist ${HOME}/.clonk
@@ -72,9 +80,15 @@ blacklist ${HOME}/.config/Code - OSS
 blacklist ${HOME}/.config/Code Industry
 blacklist ${HOME}/.config/Cryptocat
 blacklist ${HOME}/.config/Debauchee/Barrier.conf
+blacklist ${HOME}/.config/Dharkael
+blacklist ${HOME}/.config/Element
+blacklist ${HOME}/.config/Element (Riot)
 blacklist ${HOME}/.config/Enox
+blacklist ${HOME}/.config/Ferdi
+blacklist ${HOME}/.config/Flavio Tordini
 blacklist ${HOME}/.config/Franz
 blacklist ${HOME}/.config/FreeCAD
+blacklist ${HOME}/.config/FreeTube
 blacklist ${HOME}/.config/Fritzing
 blacklist ${HOME}/.config/GIMP
 blacklist ${HOME}/.config/GitHub Desktop
@@ -84,9 +98,12 @@ blacklist ${HOME}/.config/Google Play Music Desktop Player
 blacklist ${HOME}/.config/Gpredict
 blacklist ${HOME}/.config/INRIA
 blacklist ${HOME}/.config/InSilmaril
+blacklist ${HOME}/.config/Jitsi Meet
 blacklist ${HOME}/.config/Kid3
 blacklist ${HOME}/.config/Kingsoft
 blacklist ${HOME}/.config/Luminance
+blacklist ${HOME}/.config/LyX
+blacklist ${HOME}/.config/Mattermost
 blacklist ${HOME}/.config/Meltytech
 blacklist ${HOME}/.config/Mendeley Ltd.
 blacklist ${HOME}/.config/Min
@@ -97,6 +114,7 @@ blacklist ${HOME}/.config/MuseScore
 blacklist ${HOME}/.config/MusicBrainz
 blacklist ${HOME}/.config/Nathan Osman
 blacklist ${HOME}/.config/Nylas Mail
+blacklist ${HOME}/.config/PacmanLogViewer
 blacklist ${HOME}/.config/PBE
 blacklist ${HOME}/.config/Philipp Schmieder
 blacklist ${HOME}/.config/QGIS
@@ -113,11 +131,16 @@ blacklist ${HOME}/.config/Slack
 blacklist ${HOME}/.config/Standard Notes
 blacklist ${HOME}/.config/SubDownloader
 blacklist ${HOME}/.config/Thunar
+blacklist ${HOME}/.config/Unknown Organization
 blacklist ${HOME}/.config/VirtualBox
 blacklist ${HOME}/.config/Wire
 blacklist ${HOME}/.config/Zeal
+blacklist ${HOME}/.config/ZeGrapher Project
+blacklist ${HOME}/.config/abiword
+blacklist ${HOME}/.config/agenda
 blacklist ${HOME}/.config/akonadi*
 blacklist ${HOME}/.config/akregatorrc
+blacklist ${HOME}/.config/alacritty
 blacklist ${HOME}/.config/ardour4
 blacklist ${HOME}/.config/ardour5
 blacklist ${HOME}/.config/aria2
@@ -129,6 +152,7 @@ blacklist ${HOME}/.config/atril
 blacklist ${HOME}/.config/audacious
 blacklist ${HOME}/.config/autokey
 blacklist ${HOME}/.config/aweather
+blacklist ${HOME}/.config/backintime
 blacklist ${HOME}/.config/baloofilerc
 blacklist ${HOME}/.config/baloorc
 blacklist ${HOME}/.config/blender
@@ -142,8 +166,15 @@ blacklist ${HOME}/.config/caja
 blacklist ${HOME}/.config/calibre
 blacklist ${HOME}/.config/cantata
 blacklist ${HOME}/.config/catfish
+blacklist ${HOME}/.config/cawbird
 blacklist ${HOME}/.config/celluloid
 blacklist ${HOME}/.config/cherrytree
+blacklist ${HOME}/.config/chrome-beta-flags.conf
+blacklist ${HOME}/.config/chrome-beta-flags.config
+blacklist ${HOME}/.config/chrome-flags.conf
+blacklist ${HOME}/.config/chrome-flags.config
+blacklist ${HOME}/.config/chrome-unstable-flags.conf
+blacklist ${HOME}/.config/chrome-unstable-flags.config
 blacklist ${HOME}/.config/chromium
 blacklist ${HOME}/.config/chromium-dev
 blacklist ${HOME}/.config/chromium-flags.conf
@@ -188,13 +219,20 @@ blacklist ${HOME}/.config/geeqie
 blacklist ${HOME}/.config/ghb
 blacklist ${HOME}/.config/ghostwriter
 blacklist ${HOME}/.config/git
+blacklist ${HOME}/.config/git-cola
+blacklist ${HOME}/.config/glade.conf
 blacklist ${HOME}/.config/globaltime
 blacklist ${HOME}/.config/gmpc
 blacklist ${HOME}/.config/gnome-builder
+blacklist ${HOME}/.config/gnome-chess
+blacklist ${HOME}/.config/gnome-control-center
+blacklist ${HOME}/.config/gnome-initial-setup-done
 blacklist ${HOME}/.config/gnome-latex
 blacklist ${HOME}/.config/gnome-mplayer
 blacklist ${HOME}/.config/gnome-mpv
 blacklist ${HOME}/.config/gnome-pie
+blacklist ${HOME}/.config/gnome-session
+blacklist ${HOME}/.config/gnote
 blacklist ${HOME}/.config/godot
 blacklist ${HOME}/.config/google-chrome
 blacklist ${HOME}/.config/google-chrome-beta
@@ -204,6 +242,7 @@ blacklist ${HOME}/.config/gthumb
 blacklist ${HOME}/.config/gummi
 blacklist ${HOME}/.config/gwenviewrc
 blacklist ${HOME}/.config/hexchat
+blacklist ${HOME}/.config/homebank
 blacklist ${HOME}/.config/i2p
 blacklist ${HOME}/.config/inkscape
 blacklist ${HOME}/.config/inox
@@ -228,8 +267,10 @@ blacklist ${HOME}/.config/klavaro
 blacklist ${HOME}/.config/klipperrc
 blacklist ${HOME}/.config/kmail2rc
 blacklist ${HOME}/.config/kmailsearchindexingrc
+blacklist ${HOME}/.config/kmplayerrc
 blacklist ${HOME}/.config/knotesrc
 blacklist ${HOME}/.config/konversationrc
+blacklist ${HOME}/.config/konversation.notifyrc
 blacklist ${HOME}/.config/kritarc
 blacklist ${HOME}/.config/ktorrentrc
 blacklist ${HOME}/.config/ktouch2rc
@@ -246,6 +287,7 @@ blacklist ${HOME}/.config/mate/eom
 blacklist ${HOME}/.config/mate/mate-dictionary
 blacklist ${HOME}/.config/meld
 blacklist ${HOME}/.config/meteo-qt
+blacklist ${HOME}/.config/menulibre.cfg
 blacklist ${HOME}/.config/mfusion
 blacklist ${HOME}/.config/Microsoft
 blacklist ${HOME}/.config/midori
@@ -255,15 +297,18 @@ blacklist ${HOME}/.config/mpd
 blacklist ${HOME}/.config/mps-youtube
 blacklist ${HOME}/.config/mpv
 blacklist ${HOME}/.config/mupen64plus
+blacklist ${HOME}/.config/mutter
 blacklist ${HOME}/.config/mypaint
 blacklist ${HOME}/.config/nano
 blacklist ${HOME}/.config/nautilus
 blacklist ${HOME}/.config/nemo
 blacklist ${HOME}/.config/netsurf
 blacklist ${HOME}/.config/newsbeuter
+blacklist ${HOME}/.config/newsflash
 blacklist ${HOME}/.config/nheko
 blacklist ${HOME}/.config/NitroShare
 blacklist ${HOME}/.config/nomacs
+blacklist ${HOME}/.config/nuclear
 blacklist ${HOME}/.config/obs-studio
 blacklist ${HOME}/.config/okularpartrc
 blacklist ${HOME}/.config/okularrc
@@ -274,6 +319,7 @@ blacklist ${HOME}/.config/opera-beta
 blacklist ${HOME}/.config/orage
 blacklist ${HOME}/.config/org.gabmus.gfeeds.json
 blacklist ${HOME}/.config/org.kde.gwenviewrc
+blacklist ${HOME}/.config/otter
 blacklist ${HOME}/.config/pavucontrol-qt
 blacklist ${HOME}/.config/pavucontrol.ini
 blacklist ${HOME}/.config/pcmanfm
@@ -305,13 +351,16 @@ blacklist ${HOME}/.config/slimjet
 blacklist ${HOME}/.config/smplayer
 blacklist ${HOME}/.config/smtube
 blacklist ${HOME}/.config/snox
+blacklist ${HOME}/.config/sound-juicer
 blacklist ${HOME}/.config/specialmailcollectionsrc
 blacklist ${HOME}/.config/spotify
 blacklist ${HOME}/.config/sqlitebrowser
 blacklist ${HOME}/.config/stellarium
+blacklist ${HOME}/.config/strawberry
 blacklist ${HOME}/.config/supertuxkart
 blacklist ${HOME}/.config/synfig
 blacklist ${HOME}/.config/teams
+blacklist ${HOME}/.config/teams-for-linux
 blacklist ${HOME}/.config/telepathy-account-widgets
 blacklist ${HOME}/.config/torbrowser
 blacklist ${HOME}/.config/totem
@@ -327,6 +376,7 @@ blacklist ${HOME}/.config/vivaldi
 blacklist ${HOME}/.config/vivaldi-snapshot
 blacklist ${HOME}/.config/vlc
 blacklist ${HOME}/.config/wesnoth
+blacklist ${HOME}/.config/wormux
 blacklist ${HOME}/.config/Whalebird
 blacklist ${HOME}/.config/wireshark
 blacklist ${HOME}/.config/xchat
@@ -346,11 +396,13 @@ blacklist ${HOME}/.config/yandex-browser
 blacklist ${HOME}/.config/yandex-browser-beta
 blacklist ${HOME}/.config/yelp
 blacklist ${HOME}/.config/youtube-dl
+blacklist ${HOME}/.config/youtube-viewer
 blacklist ${HOME}/.config/zathura
 blacklist ${HOME}/.config/zoomus.conf
 blacklist ${HOME}/.config/Zulip
 blacklist ${HOME}/.conkeror.mozdev.org
 blacklist ${HOME}/.crawl
+blacklist ${HOME}/.cups
 blacklist ${HOME}/.curlrc
 blacklist ${HOME}/.dashcore
 blacklist ${HOME}/.devilspie
@@ -375,6 +427,7 @@ blacklist ${HOME}/.fossamail
 blacklist ${HOME}/.freeciv
 blacklist ${HOME}/.freecol
 blacklist ${HOME}/.freemind
+blacklist ${HOME}/.frogatto
 blacklist ${HOME}/.frozen-bubble
 blacklist ${HOME}/.gimp*
 blacklist ${HOME}/.gist
@@ -388,6 +441,7 @@ blacklist ${HOME}/.gradle
 blacklist ${HOME}/.gramps
 blacklist ${HOME}/.guayadeque
 blacklist ${HOME}/.hashcat
+blacklist ${HOME}/.hex-a-hop
 blacklist ${HOME}/.hedgewars
 blacklist ${HOME}/.hugin
 blacklist ${HOME}/.i2p
@@ -401,6 +455,7 @@ blacklist ${HOME}/.jak
 blacklist ${HOME}/.java
 blacklist ${HOME}/.jd
 blacklist ${HOME}/.jitsi
+blacklist ${HOME}/.jumpnbump
 blacklist ${HOME}/.kde/share/apps/digikam
 blacklist ${HOME}/.kde/share/apps/gwenview
 blacklist ${HOME}/.kde/share/apps/kaffeine
@@ -424,6 +479,7 @@ blacklist ${HOME}/.kde/share/config/kfindrc
 blacklist ${HOME}/.kde/share/config/kgetrc
 blacklist ${HOME}/.kde/share/config/khtmlrc
 blacklist ${HOME}/.kde/share/config/klipperrc
+blacklist ${HOME}/.kde/share/config/kmplayerrc
 blacklist ${HOME}/.kde/share/config/konq_history
 blacklist ${HOME}/.kde/share/config/konqsidebartngrc
 blacklist ${HOME}/.kde/share/config/konquerorrc
@@ -479,6 +535,7 @@ blacklist ${HOME}/.local/share/3909/PapersPlease
 blacklist ${HOME}/.local/share/Anki2
 blacklist ${HOME}/.local/share/Empathy
 blacklist ${HOME}/.local/share/Enpass
+blacklist ${HOME}/.local/share/Flavio Tordini
 blacklist ${HOME}/.local/share/JetBrains
 blacklist ${HOME}/.local/share/Kingsoft
 blacklist ${HOME}/.local/share/Mendeley Ltd.
@@ -488,6 +545,7 @@ blacklist ${HOME}/.local/share/QGIS
 blacklist ${HOME}/.local/share/QMediathekView
 blacklist ${HOME}/.local/share/QuiteRss
 blacklist ${HOME}/.local/share/Ricochet
+blacklist ${HOME}/.local/share/Shortwave
 blacklist ${HOME}/.local/share/Steam
 blacklist ${HOME}/.local/share/SuperHexagon
 blacklist ${HOME}/.local/share/TelegramDesktop
@@ -496,12 +554,15 @@ blacklist ${HOME}/.local/share/TpLogger
 blacklist ${HOME}/.local/share/Zeal
 blacklist ${HOME}/.local/share/akonadi*
 blacklist ${HOME}/.local/share/akregator
+blacklist ${HOME}/.local/share/agenda
 blacklist ${HOME}/.local/share/apps/korganizer
 blacklist ${HOME}/.local/share/aspyr-media
 blacklist ${HOME}/.local/share/autokey
+blacklist ${HOME}/.local/share/backintime
 blacklist ${HOME}/.local/share/baloo
 blacklist ${HOME}/.local/share/barrier
 blacklist ${HOME}/.local/share/bibletime
+blacklist ${HOME}/.local/share/bijiben
 blacklist ${HOME}/.local/share/caja-python
 blacklist ${HOME}/.local/share/cantata
 blacklist ${HOME}/.local/share/cdprojektred
@@ -519,8 +580,10 @@ blacklist ${HOME}/.local/share/dolphin
 blacklist ${HOME}/.local/share/emailidentities
 blacklist ${HOME}/.local/share/epiphany
 blacklist ${HOME}/.local/share/evolution
+blacklist ${HOME}/.local/share/FasterThanLight
 blacklist ${HOME}/.local/share/feedreader
 blacklist ${HOME}/.local/share/feral-interactive
+blacklist ${HOME}/.local/share/five-or-more
 blacklist ${HOME}/.local/share/freecol
 blacklist ${HOME}/.local/share/gajim
 blacklist ${HOME}/.local/share/geary
@@ -528,18 +591,26 @@ blacklist ${HOME}/.local/share/geeqie
 blacklist ${HOME}/.local/share/ghostwriter
 blacklist ${HOME}/.local/share/gitg
 blacklist ${HOME}/.local/share/gnome-2048
-blacklist ${HOME}/.local/share/gnome-chess
+blacklist ${HOME}/.local/share/gnome-boxes
 blacklist ${HOME}/.local/share/gnome-builder
+blacklist ${HOME}/.local/share/gnome-chess
+blacklist ${HOME}/.local/share/gnome-klotski
 blacklist ${HOME}/.local/share/gnome-latex
+blacklist ${HOME}/.local/share/gnome-mines
 blacklist ${HOME}/.local/share/gnome-music
+blacklist ${HOME}/.local/share/gnome-nibbles
 blacklist ${HOME}/.local/share/gnome-photos
+blacklist ${HOME}/.local/share/gnome-pomodoro
 blacklist ${HOME}/.local/share/gnome-recipes
 blacklist ${HOME}/.local/share/gnome-ring
+blacklist ${HOME}/.local/share/gnome-sudoku
 blacklist ${HOME}/.local/share/gnome-twitch
+blacklist ${HOME}/.local/share/gnote
 blacklist ${HOME}/.local/share/godot
 blacklist ${HOME}/.local/share/gradio
 blacklist ${HOME}/.local/share/gwenview
 blacklist ${HOME}/.local/share/i2p
+blacklist ${HOME}/.local/share/IntoTheBreach
 blacklist ${HOME}/.local/share/kaffeine
 blacklist ${HOME}/.local/share/kalgebra
 blacklist ${HOME}/.local/share/kate
@@ -549,15 +620,18 @@ blacklist ${HOME}/.local/share/kiwix
 blacklist ${HOME}/.local/share/kiwix-desktop
 blacklist ${HOME}/.local/share/klavaro
 blacklist ${HOME}/.local/share/kmail2
+blacklist ${HOME}/.local/share/kmplayer
 blacklist ${HOME}/.local/share/knotes
 blacklist ${HOME}/.local/share/krita
 blacklist ${HOME}/.local/share/ktorrent
 blacklist ${HOME}/.local/share/ktorrentrc
 blacklist ${HOME}/.local/share/ktouch
 blacklist ${HOME}/.local/share/kwrite
+blacklist ${HOME}/.local/share/kxmlgui5/*
 blacklist ${HOME}/.local/share/liferea
 blacklist ${HOME}/.local/share/local-mail
 blacklist ${HOME}/.local/share/lollypop
+blacklist ${HOME}/.local/share/love
 blacklist ${HOME}/.local/share/lugaru
 blacklist ${HOME}/.local/share/mana
 blacklist ${HOME}/.local/share/maps-places.json
@@ -571,6 +645,7 @@ blacklist ${HOME}/.local/share/nautilus
 blacklist ${HOME}/.local/share/nautilus-python
 blacklist ${HOME}/.local/share/nemo
 blacklist ${HOME}/.local/share/nemo-python
+blacklist ${HOME}/.local/share/news-flash
 blacklist ${HOME}/.local/share/nomacs
 blacklist ${HOME}/.local/share/notes
 blacklist ${HOME}/.local/share/ocenaudio
@@ -578,10 +653,12 @@ blacklist ${HOME}/.local/share/okular
 blacklist ${HOME}/.local/share/onlyoffice
 blacklist ${HOME}/.local/share/orage
 blacklist ${HOME}/.local/share/org.kde.gwenview
+blacklist ${HOME}/.local/share/Paradox Interactive
 blacklist ${HOME}/.local/share/pix
 blacklist ${HOME}/.local/share/plasma_notes
 blacklist ${HOME}/.local/share/profanity
 blacklist ${HOME}/.local/share/psi+
+blacklist ${HOME}/.local/share/quadrapassel
 blacklist ${HOME}/.local/share/qpdfview
 blacklist ${HOME}/.local/share/qutebrowser
 blacklist ${HOME}/.local/share/remmina
@@ -591,8 +668,10 @@ blacklist ${HOME}/.local/share/scribus
 blacklist ${HOME}/.local/share/signal-cli
 blacklist ${HOME}/.local/share/spotify
 blacklist ${HOME}/.local/share/steam
+blacklist ${HOME}/.local/share/strawberry
 blacklist ${HOME}/.local/share/supertux2
 blacklist ${HOME}/.local/share/supertuxkart
+blacklist ${HOME}/.local/share/swell-foop
 blacklist ${HOME}/.local/share/telepathy
 blacklist ${HOME}/.local/share/terasology
 blacklist ${HOME}/.local/share/torbrowser
@@ -603,16 +682,23 @@ blacklist ${HOME}/.local/share/vpltd
 blacklist ${HOME}/.local/share/vulkan
 blacklist ${HOME}/.local/share/warsow-2.1
 blacklist ${HOME}/.local/share/wesnoth
+blacklist ${HOME}/.local/share/wormux
 blacklist ${HOME}/.local/share/xplayer
 blacklist ${HOME}/.local/share/xreader
 blacklist ${HOME}/.local/share/zathura
 blacklist ${HOME}/.lv2
+blacklist ${HOME}/.lyx
+blacklist ${HOME}/.magicor
 blacklist ${HOME}/.masterpdfeditor
+blacklist ${HOME}/.mbwarband
 blacklist ${HOME}/.mcabber
 blacklist ${HOME}/.mcabberrc
 blacklist ${HOME}/.mediathek3
 blacklist ${HOME}/.megaglest
+blacklist ${HOME}/.minecraft
 blacklist ${HOME}/.minetest
+blacklist ${HOME}/.mirrormagic
+blacklist ${HOME}/.moc
 blacklist ${HOME}/.moonchild productions/basilisk
 blacklist ${HOME}/.moonchild productions/pale moon
 blacklist ${HOME}/.mozilla
@@ -627,6 +713,7 @@ blacklist ${HOME}/.netactview
 blacklist ${HOME}/.neverball
 blacklist ${HOME}/.newsbeuter
 blacklist ${HOME}/.newsboat
+blacklist ${HOME}/.nicotine
 blacklist ${HOME}/.nv
 blacklist ${HOME}/.nylas-mail
 blacklist ${HOME}/.openarena
@@ -638,9 +725,13 @@ blacklist ${HOME}/.openttd
 blacklist ${HOME}/.opera
 blacklist ${HOME}/.opera-beta
 blacklist ${HOME}/.ostrichriders
+blacklist ${HOME}/.paradoxinteractive
+blacklist ${HOME}/.parallelrealities/blobwars
+blacklist ${HOME}/.penguin-command
 blacklist ${HOME}/.pingus
 blacklist ${HOME}/.pioneer
 blacklist ${HOME}/.purple
+blacklist ${HOME}/.pylint.d
 blacklist ${HOME}/.qemu-launcher
 blacklist ${HOME}/.qgis2
 blacklist ${HOME}/.qmmp
@@ -650,6 +741,7 @@ blacklist ${HOME}/.remmina
 blacklist ${HOME}/.repo_.gitconfig.json
 blacklist ${HOME}/.repoconfig
 blacklist ${HOME}/.retroshare
+blacklist ${HOME}/.ripperXrc
 blacklist ${HOME}/.scorched3d
 blacklist ${HOME}/.scribus
 blacklist ${HOME}/.scribusrc
@@ -662,13 +754,14 @@ blacklist ${HOME}/.steampid
 blacklist ${HOME}/.stellarium
 blacklist ${HOME}/.subversion
 blacklist ${HOME}/.surf
+blacklist ${HOME}/.swb.ini
 blacklist ${HOME}/.sword
 blacklist ${HOME}/.sylpheed-2.0
 blacklist ${HOME}/.synfig
-blacklist ${HOME}/.config/teams-for-linux
 blacklist ${HOME}/.tb
 blacklist ${HOME}/.tconn
 blacklist ${HOME}/.teeworlds
+blacklist ${HOME}/.texlive2018
 blacklist ${HOME}/.thunderbird
 blacklist ${HOME}/.tilp
 blacklist ${HOME}/.tooling
@@ -683,6 +776,7 @@ blacklist ${HOME}/.viking
 blacklist ${HOME}/.viking-maps
 blacklist ${HOME}/.vim
 blacklist ${HOME}/.vimrc
+blacklist ${HOME}/.vmware
 blacklist ${HOME}/.vscode
 blacklist ${HOME}/.vscode-oss
 blacklist ${HOME}/.vst
@@ -697,6 +791,8 @@ blacklist ${HOME}/.widelands
 blacklist ${HOME}/.wine
 blacklist ${HOME}/.wine64
 blacklist ${HOME}/.wireshark
+blacklist ${HOME}/.wordwarvi
+blacklist ${HOME}/.wormux
 blacklist ${HOME}/.xiphos
 blacklist ${HOME}/.xmind
 blacklist ${HOME}/.xmms
@@ -721,12 +817,18 @@ blacklist ${HOME}/.cache/BraveSoftware
 blacklist ${HOME}/.cache/Clementine
 blacklist ${HOME}/.cache/Enox
 blacklist ${HOME}/.cache/Enpass
+blacklist ${HOME}/.cache/Ferdi
+blacklist ${HOME}/.cache/Flavio Tordini
 blacklist ${HOME}/.cache/Franz
 blacklist ${HOME}/.cache/INRIA
 blacklist ${HOME}/.cache/MusicBrainz
+blacklist ${HOME}/.cache/NewsFlashGTK
+blacklist ${HOME}/.cache/Otter
 blacklist ${HOME}/.cache/QuiteRss
+blacklist ${HOME}/.cache/Shortwave
 blacklist ${HOME}/.cache/Tox
 blacklist ${HOME}/.cache/Zeal
+blacklist ${HOME}/.cache/agenda
 blacklist ${HOME}/.cache/akonadi*
 blacklist ${HOME}/.cache/atril
 blacklist ${HOME}/.cache/attic
@@ -741,6 +843,7 @@ blacklist ${HOME}/.cache/chromium-dev
 blacklist ${HOME}/.cache/cliqz
 blacklist ${HOME}/.cache/com.github.johnfactotum.Foliate
 blacklist ${HOME}/.cache/darktable
+blacklist ${HOME}/.cache/deja-dup
 blacklist ${HOME}/.cache/discover
 blacklist ${HOME}/.cache/dnox
 blacklist ${HOME}/.cache/dolphin
@@ -757,8 +860,12 @@ blacklist ${HOME}/.cache/gegl-0.4
 blacklist ${HOME}/.cache/geeqie
 blacklist ${HOME}/.cache/gfeeds
 blacklist ${HOME}/.cache/gimp
+blacklist ${HOME}/.cache/gnome-boxes
 blacklist ${HOME}/.cache/gnome-builder
+blacklist ${HOME}/.cache/gnome-control-center
 blacklist ${HOME}/.cache/gnome-recipes
+blacklist ${HOME}/.cache/gnome-screenshot
+blacklist ${HOME}/.cache/gnome-software
 blacklist ${HOME}/.cache/gnome-twitch
 blacklist ${HOME}/.cache/godot
 blacklist ${HOME}/.cache/google-chrome
@@ -773,6 +880,7 @@ blacklist ${HOME}/.cache/inox
 blacklist ${HOME}/.cache/iridium
 blacklist ${HOME}/.cache/kcmshell5
 blacklist ${HOME}/.cache/kdenlive
+blacklist ${HOME}/.cache/keepassxc
 blacklist ${HOME}/.cache/kfind
 blacklist ${HOME}/.cache/kinfocenter
 blacklist ${HOME}/.cache/kmail2
@@ -809,6 +917,7 @@ blacklist ${HOME}/.cache/org.gnome.Books
 blacklist ${HOME}/.cache/org.gnome.Maps
 blacklist ${HOME}/.cache/pdfmod
 blacklist ${HOME}/.cache/peek
+blacklist ${HOME}/.cache/pip
 blacklist ${HOME}/.cache/plasmashell
 blacklist ${HOME}/.cache/plasmashellbookmarkrunnerfirefoxdbfile.sqlite*
 blacklist ${HOME}/.cache/qBittorrent
@@ -819,6 +928,7 @@ blacklist ${HOME}/.cache/simple-scan
 blacklist ${HOME}/.cache/slimjet
 blacklist ${HOME}/.cache/snox
 blacklist ${HOME}/.cache/spotify
+blacklist ${HOME}/.cache/strawberry
 blacklist ${HOME}/.cache/supertuxkart
 blacklist ${HOME}/.cache/systemsettings
 blacklist ${HOME}/.cache/telepathy
@@ -828,6 +938,7 @@ blacklist ${HOME}/.cache/transmission
 blacklist ${HOME}/.cache/vivaldi
 blacklist ${HOME}/.cache/vivaldi-snapshot
 blacklist ${HOME}/.cache/vlc
+blacklist ${HOME}/.cache/vmware
 blacklist ${HOME}/.cache/warsow-2.1
 blacklist ${HOME}/.cache/waterfox
 blacklist ${HOME}/.cache/wesnoth
diff --git a/etc/inc/disable-shell.inc b/etc/inc/disable-shell.inc
new file mode 100644
index 000000000..fda528eb6
--- /dev/null
+++ b/etc/inc/disable-shell.inc
@@ -0,0 +1,13 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include disable-shell.local
+blacklist ${PATH}/bash
+blacklist ${PATH}/csh
+blacklist ${PATH}/dash
+blacklist ${PATH}/fish
+blacklist ${PATH}/ksh
+blacklist ${PATH}/sh
+blacklist ${PATH}/tclsh
+blacklist ${PATH}/tcsh
+blacklist ${PATH}/zsh
diff --git a/etc/disable-xdg.inc b/etc/inc/disable-xdg.inc
index 22acf272d..22acf272d 100644
--- a/etc/disable-xdg.inc
+++ b/etc/inc/disable-xdg.inc
diff --git a/etc/feh-network.inc b/etc/inc/feh-network.inc
index e94e7205c..e94e7205c 100644
--- a/etc/feh-network.inc
+++ b/etc/inc/feh-network.inc
diff --git a/etc/firefox-common-addons.inc b/etc/inc/firefox-common-addons.inc
index 1dca67e06..11acb7b42 100644
--- a/etc/firefox-common-addons.inc
+++ b/etc/inc/firefox-common-addons.inc
@@ -17,6 +17,7 @@ noblacklist ${HOME}/.kde4/share/config/kgetrc
 noblacklist ${HOME}/.kde4/share/config/okularpartrc
 noblacklist ${HOME}/.kde4/share/config/okularrc
 noblacklist ${HOME}/.local/share/kget
+noblacklist ${HOME}/.local/share/kxmlgui5/okular
 noblacklist ${HOME}/.local/share/okular
 noblacklist ${HOME}/.local/share/qpdfview
@@ -41,6 +42,7 @@ whitelist ${HOME}/.kde4/share/config/okularrc
 whitelist ${HOME}/.keysnail.js
 whitelist ${HOME}/.lastpass
 whitelist ${HOME}/.local/share/kget
+whitelist ${HOME}/.local/share/kxmlgui5/okular
 whitelist ${HOME}/.local/share/okular
 whitelist ${HOME}/.local/share/qpdfview
 whitelist ${HOME}/.local/share/tridactyl
@@ -57,7 +59,8 @@ whitelist ${HOME}/dwhelper
 # GNOME Shell integration (chrome-gnome-shell) needs dbus and python 3 (blacklisted by disable-interpreters.inc)
 noblacklist ${HOME}/.local/share/gnome-shell
 whitelist ${HOME}/.local/share/gnome-shell
-ignore nodbus
+ignore dbus-user none
+ignore dbus-system none
 include allow-python3.inc
 # KeePassXC Browser Integration
diff --git a/etc/softmaker-common.inc b/etc/inc/softmaker-common.inc
index 48249877c..a8ec5848c 100644
--- a/etc/softmaker-common.inc
+++ b/etc/inc/softmaker-common.inc
@@ -28,7 +28,6 @@ apparmor
 caps.drop all
 ipc-namespace
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -46,3 +45,6 @@ private-cache
 private-dev
 private-etc ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,SoftMaker,ssl
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/whitelist-common.inc b/etc/inc/whitelist-common.inc
index 9c1b7b92c..0798c7d3e 100644
--- a/etc/whitelist-common.inc
+++ b/etc/inc/whitelist-common.inc
@@ -11,6 +11,8 @@ whitelist ${HOME}/.config/pkcs11
 read-only ${HOME}/.config/pkcs11
 whitelist ${HOME}/.config/user-dirs.dirs
 read-only ${HOME}/.config/user-dirs.dirs
+whitelist ${HOME}/.config/user-dirs.locale
+read-only ${HOME}/.config/user-dirs.locale
 whitelist ${HOME}/.drirc
 whitelist ${HOME}/.icons
 ?HAS_APPIMAGE: whitelist ${HOME}/.local/share/appimagekit
@@ -38,6 +40,7 @@ whitelist ${HOME}/.pangorc
 # gtk
 whitelist ${HOME}/.config/gtk-2.0
 whitelist ${HOME}/.config/gtk-3.0
+whitelist ${HOME}/.config/gtk-4.0
 whitelist ${HOME}/.config/gtkrc
 whitelist ${HOME}/.config/gtkrc-2.0
 whitelist ${HOME}/.gnome2
diff --git a/etc/inc/whitelist-runuser-common.inc b/etc/inc/whitelist-runuser-common.inc
new file mode 100644
index 000000000..f2a510e9d
--- /dev/null
+++ b/etc/inc/whitelist-runuser-common.inc
@@ -0,0 +1,12 @@
+# Local customizations come here
+include whitelist-runuser-common.local
+# common ${RUNUSER} (=/run/user/$UID) whitelist for all profiles
+whitelist ${RUNUSER}/bus
+whitelist ${RUNUSER}/dconf
+whitelist ${RUNUSER}/gdm/Xauthority
+whitelist ${RUNUSER}/ICEauthority
+whitelist ${RUNUSER}/.mutter-Xwaylandauth.*
+whitelist ${RUNUSER}/pulse/native
+whitelist ${RUNUSER}/wayland-0
diff --git a/etc/whitelist-usr-share-common.inc b/etc/inc/whitelist-usr-share-common.inc
index a9d4cadb8..ceeb14dcc 100644
--- a/etc/whitelist-usr-share-common.inc
+++ b/etc/inc/whitelist-usr-share-common.inc
@@ -22,6 +22,7 @@ whitelist /usr/share/glib-2.0
 whitelist /usr/share/glvnd
 whitelist /usr/share/gtk-2.0
 whitelist /usr/share/gtk-3.0
+whitelist /usr/share/gtk-engines
 whitelist /usr/share/gtksourceview-3.0
 whitelist /usr/share/gtksourceview-4
 whitelist /usr/share/hunspell
@@ -40,6 +41,8 @@ whitelist /usr/share/misc
 whitelist /usr/share/Modules
 whitelist /usr/share/myspell
 whitelist /usr/share/p11-kit
+whitelist /usr/share/perl
+whitelist /usr/share/perl5
 whitelist /usr/share/pixmaps
 whitelist /usr/share/pki
 whitelist /usr/share/plasma
@@ -47,8 +50,10 @@ whitelist /usr/share/publicsuffix
 whitelist /usr/share/qt
 whitelist /usr/share/qt4
 whitelist /usr/share/qt5
+whitelist /usr/share/qt5ct
 whitelist /usr/share/sounds
 whitelist /usr/share/tcl8.6
+whitelist /usr/share/tcltk
 whitelist /usr/share/terminfo
 whitelist /usr/share/texlive
 whitelist /usr/share/texmf
diff --git a/etc/whitelist-var-common.inc b/etc/inc/whitelist-var-common.inc
index e2210057b..e2210057b 100644
--- a/etc/whitelist-var-common.inc
+++ b/etc/inc/whitelist-var-common.inc
diff --git a/etc/keepassxc.profile b/etc/keepassxc.profile
deleted file mode 100644
index d04ada227..000000000
--- a/etc/keepassxc.profile
+++ /dev/null
@@ -1,56 +0,0 @@
-# Firejail profile for keepassxc
-# Description: Cross Platform Password Manager
-# This file is overwritten after every install/update
-# Persistent local customizations
-include keepassxc.local
-# Persistent global definitions
-include globals.local
-noblacklist ${HOME}/*.kdb
-noblacklist ${HOME}/*.kdbx
-noblacklist ${HOME}/.config/keepassxc
-noblacklist ${HOME}/.keepassxc
-# 2.2.4 needs this path when compiled with "Native messaging browser extension"
-noblacklist ${HOME}/.mozilla
-noblacklist ${DOCUMENTS}
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-include disable-xdg.inc
-whitelist /usr/share/keepassxc
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
-caps.drop all
-machine-id
-net none
-no3d
-nodvd
-# Breaks 'Lock database when session is locked or lid is closed' (#2899).
-# Also breaks (Plasma) tray icon,
-# you can safely uncomment it or add to keepassxc.local if you don't need these features.
-#nodbus
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix,netlink
-seccomp
-shell none
-tracelog
-private-bin keepassxc,keepassxc-cli,keepassxc-proxy
-private-dev
-private-etc alternatives,fonts,ld.so.cache,machine-id
-private-tmp
-# Mutex is stored in /tmp by default, which is broken by private-tmp
-join-or-start keepassxc
diff --git a/etc/nautilus.profile b/etc/nautilus.profile
deleted file mode 100644
index e003488de..000000000
--- a/etc/nautilus.profile
+++ /dev/null
@@ -1,44 +0,0 @@
-# Firejail profile for nautilus
-# Description: File manager and graphical shell for GNOME
-# This file is overwritten after every install/update
-# Persistent local customizations
-include nautilus.local
-# Persistent global definitions
-include globals.local
-# Nautilus is started by systemd on most systems. Therefore it is not firejailed by default. Since there
-# is already a nautilus process running on gnome desktops firejail will have no effect.
-noblacklist ${HOME}/.config/nautilus
-noblacklist ${HOME}/.local/share/Trash
-noblacklist ${HOME}/.local/share/nautilus
-noblacklist ${HOME}/.local/share/nautilus-python
-# Allow python (blacklisted by disable-interpreters.inc)
-include allow-python2.inc
-include allow-python3.inc
-include disable-common.inc
-include disable-devel.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-# include disable-programs.inc
-allusers
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-# nautilus needs to be able to start arbitrary applications so we cannot blacklist their files
-# private-bin nautilus
-# private-dev
-# private-tmp
diff --git a/etc/nemo.profile b/etc/nemo.profile
deleted file mode 100644
index 6a62a3a0c..000000000
--- a/etc/nemo.profile
+++ /dev/null
@@ -1,38 +0,0 @@
-# Firejail profile for nemo
-# Description: File manager and graphical shell for Cinnamon
-# This file is overwritten after every install/update
-# Persistent local customizations
-include nemo.local
-# Persistent global definitions
-include globals.local
-noblacklist ${HOME}/.config/nemo
-noblacklist ${HOME}/.local/share/Trash
-noblacklist ${HOME}/.local/share/nemo
-noblacklist ${HOME}/.local/share/nemo-python
-# Allow python (blacklisted by disable-interpreters.inc)
-include allow-python2.inc
-include allow-python3.inc
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-allusers
-caps.drop all
-netfilter
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
diff --git a/etc/nolocal.net b/etc/net/nolocal.net
index 8955f740d..0eb9f9784 100644
--- a/etc/nolocal.net
+++ b/etc/net/nolocal.net
@@ -32,5 +32,5 @@
 -A OUTPUT -d 172.16.0.0/12 -j DROP
 # drop multicast traffic
-A OUTPUT -d 244.0.0.0/4 -j DROP
+-A OUTPUT -d 224.0.0.0/4 -j DROP
 COMMIT
diff --git a/etc/tcpserver.net b/etc/net/tcpserver.net
index 9c39ee5fb..9c39ee5fb 100644
--- a/etc/tcpserver.net
+++ b/etc/net/tcpserver.net
diff --git a/etc/webserver.net b/etc/net/webserver.net
index 83db76825..83db76825 100644
--- a/etc/webserver.net
+++ b/etc/net/webserver.net
diff --git a/etc/pcmanfm.profile b/etc/pcmanfm.profile
deleted file mode 100644
index 7f2a0d673..000000000
--- a/etc/pcmanfm.profile
+++ /dev/null
@@ -1,33 +0,0 @@
-# Firejail profile for pcmanfm
-# Description: Extremely fast and lightweight file manager
-# This file is overwritten after every install/update
-# Persistent local customizations
-include pcmanfm.local
-# Persistent global definitions
-include globals.local
-noblacklist ${HOME}/.local/share/Trash
-# noblacklist ${HOME}/.config/libfm - disable-programs.inc is disabled, see below
-# noblacklist ${HOME}/.config/pcmanfm
-include disable-common.inc
-include disable-devel.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-# include disable-programs.inc
-allusers
-caps.drop all
-# net none - see issue #1467, computer:/// location broken
-no3d
-# nodbus
-nodvd
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
diff --git a/etc/0ad.profile b/etc/profile-a-l/0ad.profile
index 8b5820d5e..6869ea631 100644
--- a/etc/0ad.profile
+++ b/etc/profile-a-l/0ad.profile
@@ -24,13 +24,13 @@ whitelist ${HOME}/.cache/0ad
 whitelist ${HOME}/.config/0ad
 whitelist ${HOME}/.local/share/0ad
 whitelist /usr/share/0ad
+whitelist /usr/share/games
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 caps.drop all
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -45,6 +45,9 @@ tracelog
 disable-mnt
 private-bin 0ad,pyrogenesis,sh,which
+private-cache
 private-dev
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/2048-qt.profile b/etc/profile-a-l/2048-qt.profile
index 2347039a6..12268706a 100644
--- a/etc/2048-qt.profile
+++ b/etc/profile-a-l/2048-qt.profile
@@ -23,8 +23,9 @@ whitelist ${HOME}/.config/xiaoyong
 include whitelist-common.inc
 include whitelist-var-common.inc
+apparmor
 caps.drop all
-netfilter
+net none
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/7z.profile b/etc/profile-a-l/7z.profile
index b60bb9ee9..02a2e7ea0 100644
--- a/etc/7z.profile
+++ b/etc/profile-a-l/7z.profile
@@ -23,7 +23,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nodvd
 #nogroups
 nonewprivs
@@ -42,4 +41,7 @@ x11 none
 private-cache
 private-dev
+dbus-user none
+dbus-system none
 memory-deny-write-execute
diff --git a/etc/7za.profile b/etc/profile-a-l/7za.profile
index 9cd04cad1..9cd04cad1 100644
--- a/etc/7za.profile
+++ b/etc/profile-a-l/7za.profile
diff --git a/etc/7zr.profile b/etc/profile-a-l/7zr.profile
index bd3842900..bd3842900 100644
--- a/etc/7zr.profile
+++ b/etc/profile-a-l/7zr.profile
diff --git a/etc/Builder.profile b/etc/profile-a-l/Builder.profile
index 54b437441..54b437441 100644
--- a/etc/Builder.profile
+++ b/etc/profile-a-l/Builder.profile
diff --git a/etc/Cheese.profile b/etc/profile-a-l/Cheese.profile
index 5bb5064f0..5bb5064f0 100644
--- a/etc/Cheese.profile
+++ b/etc/profile-a-l/Cheese.profile
diff --git a/etc/Cryptocat.profile b/etc/profile-a-l/Cryptocat.profile
index e9cc07bd7..e9cc07bd7 100644
--- a/etc/Cryptocat.profile
+++ b/etc/profile-a-l/Cryptocat.profile
diff --git a/etc/Cyberfox.profile b/etc/profile-a-l/Cyberfox.profile
index 26a4348c9..26a4348c9 100644
--- a/etc/Cyberfox.profile
+++ b/etc/profile-a-l/Cyberfox.profile
diff --git a/etc/Discord.profile b/etc/profile-a-l/Discord.profile
index 3f274b21c..3f274b21c 100644
--- a/etc/Discord.profile
+++ b/etc/profile-a-l/Discord.profile
diff --git a/etc/DiscordCanary.profile b/etc/profile-a-l/DiscordCanary.profile
index d24e73ed8..d24e73ed8 100644
--- a/etc/DiscordCanary.profile
+++ b/etc/profile-a-l/DiscordCanary.profile
diff --git a/etc/Documents.profile b/etc/profile-a-l/Documents.profile
index 171ab4357..171ab4357 100644
--- a/etc/Documents.profile
+++ b/etc/profile-a-l/Documents.profile
diff --git a/etc/FossaMail.profile b/etc/profile-a-l/FossaMail.profile
index 9e1f61421..9e1f61421 100644
--- a/etc/FossaMail.profile
+++ b/etc/profile-a-l/FossaMail.profile
diff --git a/etc/Fritzing.profile b/etc/profile-a-l/Fritzing.profile
index d318da885..d318da885 100644
--- a/etc/Fritzing.profile
+++ b/etc/profile-a-l/Fritzing.profile
diff --git a/etc/Gitter.profile b/etc/profile-a-l/Gitter.profile
index a8bcb6a54..a8bcb6a54 100644
--- a/etc/Gitter.profile
+++ b/etc/profile-a-l/Gitter.profile
diff --git a/etc/JDownloader.profile b/etc/profile-a-l/JDownloader.profile
index 1435f3422..45ec71e63 100644
--- a/etc/JDownloader.profile
+++ b/etc/profile-a-l/JDownloader.profile
@@ -28,7 +28,6 @@ caps.drop all
 ipc-namespace
 netfilter
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -45,3 +44,5 @@ private-cache
 private-dev
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/Logs.profile b/etc/profile-a-l/Logs.profile
index 431439f17..431439f17 100644
--- a/etc/Logs.profile
+++ b/etc/profile-a-l/Logs.profile
diff --git a/etc/profile-a-l/abiword.profile b/etc/profile-a-l/abiword.profile
new file mode 100644
index 000000000..1fdc9e9fe
--- /dev/null
+++ b/etc/profile-a-l/abiword.profile
@@ -0,0 +1,49 @@
+# Firejail profile for abiword
+# Description: flexible cross-platform word processor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include abiword.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/abiword
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+whitelist /usr/share/abiword-3.0
+include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+private-bin abiword
+private-cache
+private-dev
+private-etc fonts,gtk-3.0,passwd
+private-tmp
+# dbus-user none
+# dbus-system none
diff --git a/etc/abrowser.profile b/etc/profile-a-l/abrowser.profile
index 2e6e8f1af..2e6e8f1af 100644
--- a/etc/abrowser.profile
+++ b/etc/profile-a-l/abrowser.profile
diff --git a/etc/acat.profile b/etc/profile-a-l/acat.profile
index 522d8db4e..522d8db4e 100644
--- a/etc/acat.profile
+++ b/etc/profile-a-l/acat.profile
diff --git a/etc/adiff.profile b/etc/profile-a-l/adiff.profile
index a80886d56..a80886d56 100644
--- a/etc/adiff.profile
+++ b/etc/profile-a-l/adiff.profile
diff --git a/etc/akonadi_control.profile b/etc/profile-a-l/akonadi_control.profile
index ffc613f1e..4ab1967a6 100644
--- a/etc/akonadi_control.profile
+++ b/etc/profile-a-l/akonadi_control.profile
@@ -47,7 +47,7 @@ notv
 nou2f
 novideo
 # protocol unix,inet,inet6,netlink
-# seccomp !io_getevents,!io_setup,!io_submit,!ioprio_set
+# seccomp !io_destroy,!io_getevents,!io_setup,!io_submit,!ioprio_set
 tracelog
 private-dev
diff --git a/etc/akregator.profile b/etc/profile-a-l/akregator.profile
index 34933f283..6a4d775e7 100644
--- a/etc/akregator.profile
+++ b/etc/profile-a-l/akregator.profile
@@ -8,6 +8,7 @@ include globals.local
 noblacklist ${HOME}/.config/akregatorrc
 noblacklist ${HOME}/.local/share/akregator
+noblacklist ${HOME}/.local/share/kxmlgui5/akregator
 include disable-common.inc
 include disable-devel.inc
@@ -15,12 +16,15 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 mkfile ${HOME}/.config/akregatorrc
 mkdir ${HOME}/.local/share/akregator
+mkdir ${HOME}/.local/share/kxmlgui5/akregator
 whitelist ${HOME}/.config/akregatorrc
 whitelist ${HOME}/.local/share/akregator
 whitelist ${HOME}/.local/share/kssl
+whitelist ${HOME}/.local/share/kxmlgui5/akregator
 include whitelist-common.inc
 include whitelist-var-common.inc
diff --git a/etc/als.profile b/etc/profile-a-l/als.profile
index 5eae228b6..5eae228b6 100644
--- a/etc/als.profile
+++ b/etc/profile-a-l/als.profile
diff --git a/etc/amarok.profile b/etc/profile-a-l/amarok.profile
index 0b974e9ac..0b974e9ac 100644
--- a/etc/amarok.profile
+++ b/etc/profile-a-l/amarok.profile
diff --git a/etc/amule.profile b/etc/profile-a-l/amule.profile
index feb4a5e7e..feb4a5e7e 100644
--- a/etc/amule.profile
+++ b/etc/profile-a-l/amule.profile
diff --git a/etc/amuled.profile b/etc/profile-a-l/amuled.profile
index 58b796875..58b796875 100644
--- a/etc/amuled.profile
+++ b/etc/profile-a-l/amuled.profile
diff --git a/etc/android-studio.profile b/etc/profile-a-l/android-studio.profile
index 2e4e564dd..2e4e564dd 100644
--- a/etc/android-studio.profile
+++ b/etc/profile-a-l/android-studio.profile
diff --git a/etc/anki.profile b/etc/profile-a-l/anki.profile
index a0a79ef48..61e5f2eea 100644
--- a/etc/anki.profile
+++ b/etc/profile-a-l/anki.profile
@@ -19,6 +19,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.local/share/Anki2
@@ -32,7 +33,6 @@ caps.drop all
 machine-id
 netfilter
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -53,3 +53,6 @@ private-cache
 private-dev
 private-etc alternatives,ca-certificates,fonts,gtk-2.0,hostname,hosts,machine-id,pki,resolv.conf,ssl,Trolltech.conf
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/anydesk.profile b/etc/profile-a-l/anydesk.profile
index 35b18bab4..c847a04dc 100644
--- a/etc/anydesk.profile
+++ b/etc/profile-a-l/anydesk.profile
@@ -9,9 +9,10 @@ noblacklist ${HOME}/.anydesk
 include disable-common.inc
 include disable-devel.inc
+include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
-include disable-interpreters.inc
+include disable-shell.inc
 mkdir ${HOME}/.anydesk
 whitelist ${HOME}/.anydesk
diff --git a/etc/aosp.profile b/etc/profile-a-l/aosp.profile
index a5b1ba9f1..a5b1ba9f1 100644
--- a/etc/aosp.profile
+++ b/etc/profile-a-l/aosp.profile
diff --git a/etc/apack.profile b/etc/profile-a-l/apack.profile
index 9fef911af..9fef911af 100644
--- a/etc/apack.profile
+++ b/etc/profile-a-l/apack.profile
diff --git a/etc/apktool.profile b/etc/profile-a-l/apktool.profile
index aeeb845ea..39c5da9ab 100644
--- a/etc/apktool.profile
+++ b/etc/profile-a-l/apktool.profile
@@ -18,7 +18,6 @@ include whitelist-var-common.inc
 caps.drop all
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -34,3 +33,6 @@ shell none
 private-bin apktool,basename,bash,dirname,expr,java,sh
 private-cache
 private-dev
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/apostrophe.profile b/etc/profile-a-l/apostrophe.profile
new file mode 100644
index 000000000..9c0b92598
--- /dev/null
+++ b/etc/profile-a-l/apostrophe.profile
@@ -0,0 +1,58 @@
+# Firejail profile for apostrophe
+# Description: Distraction free Markdown editor for GNU/Linux made with GTK+
+# This file is overwritten after every install/update
+# Persistent local customizations
+include apostrophe.local
+# Persistent global definitions
+include globals.local
+noblacklist ${DOCUMENTS}
+noblacklist ${PICTURES}
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+whitelist /usr/share/apostrophe
+whitelist /usr/share/pandoc-*
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin apostrophe,pandoc,python3*
+private-cache
+private-dev
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,pango,X11
+private-tmp
+dbus-user filter
+dbus-user.own org.gnome.gitlab.somas.Apostrophe
+dbus-user.talk ca.desrt.dconf
+dbus-system none
diff --git a/etc/ar.profile b/etc/profile-a-l/ar.profile
index e28370450..183587ff8 100644
--- a/etc/ar.profile
+++ b/etc/profile-a-l/ar.profile
@@ -15,6 +15,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 apparmor
 caps.drop all
@@ -23,7 +24,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -42,4 +42,7 @@ private-bin ar
 private-cache
 private-dev
+dbus-user none
+dbus-system none
 memory-deny-write-execute
diff --git a/etc/arch-audit.profile b/etc/profile-a-l/arch-audit.profile
index 0a87ec297..934b89404 100644
--- a/etc/arch-audit.profile
+++ b/etc/profile-a-l/arch-audit.profile
@@ -15,6 +15,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 whitelist /usr/share/arch-audit
@@ -26,7 +27,6 @@ ipc-namespace
 machine-id
 netfilter
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -46,4 +46,7 @@ private-cache
 private-dev
 private-tmp
+dbus-user none
+dbus-system none
 memory-deny-write-execute
diff --git a/etc/archaudit-report.profile b/etc/profile-a-l/archaudit-report.profile
index 19c37f90e..19c37f90e 100644
--- a/etc/archaudit-report.profile
+++ b/etc/profile-a-l/archaudit-report.profile
diff --git a/etc/ardour4.profile b/etc/profile-a-l/ardour4.profile
index 4ad8dd456..4ad8dd456 100644
--- a/etc/ardour4.profile
+++ b/etc/profile-a-l/ardour4.profile
diff --git a/etc/ardour5.profile b/etc/profile-a-l/ardour5.profile
index 5ebeafa76..a27cb4f6e 100644
--- a/etc/ardour5.profile
+++ b/etc/profile-a-l/ardour5.profile
@@ -23,7 +23,6 @@ include disable-xdg.inc
 caps.drop all
 ipc-namespace
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -40,3 +39,5 @@ private-dev
 #private-etc alternatives,ardour4,ardour5,asound.conf,fonts,machine-id,pulse,X11
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/arduino.profile b/etc/profile-a-l/arduino.profile
index fd1ca9a09..fd1ca9a09 100644
--- a/etc/arduino.profile
+++ b/etc/profile-a-l/arduino.profile
diff --git a/etc/arepack.profile b/etc/profile-a-l/arepack.profile
index 012f2f049..012f2f049 100644
--- a/etc/arepack.profile
+++ b/etc/profile-a-l/arepack.profile
diff --git a/etc/aria2c.profile b/etc/profile-a-l/aria2c.profile
index a52a26d6f..d2dcaace1 100644
--- a/etc/aria2c.profile
+++ b/etc/profile-a-l/aria2c.profile
@@ -27,7 +27,6 @@ caps.drop all
 ipc-namespace
 netfilter
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -50,4 +49,7 @@ private-etc alternatives,ca-certificates,crypto-policies,groups,login.defs,machi
 private-lib libreadline.so.*
 private-tmp
+dbus-user none
+dbus-system none
 memory-deny-write-execute
diff --git a/etc/ark.profile b/etc/profile-a-l/ark.profile
index 2fe546b55..4b81b2717 100644
--- a/etc/ark.profile
+++ b/etc/profile-a-l/ark.profile
@@ -7,6 +7,7 @@ include ark.local
 include globals.local
 noblacklist ${HOME}/.config/arkrc
+noblacklist ${HOME}/.local/share/kxmlgui5/ark
 include disable-common.inc
 include disable-devel.inc
@@ -23,7 +24,6 @@ apparmor
 caps.drop all
 # net none
 netfilter
-# nodbus
 nodvd
 nogroups
 nonewprivs
@@ -42,3 +42,5 @@ private-bin 7z,ark,bash,lrzip,lsar,lz4,lzop,p7zip,rar,sh,tclsh,unar,unrar,unzip,
 private-dev
 private-tmp
+# dbus-user none
+# dbus-system none
diff --git a/etc/arm.profile b/etc/profile-a-l/arm.profile
index 51dad94d1..51dad94d1 100644
--- a/etc/arm.profile
+++ b/etc/profile-a-l/arm.profile
diff --git a/etc/artha.profile b/etc/profile-a-l/artha.profile
index aaaede7ee..adb33fae1 100644
--- a/etc/artha.profile
+++ b/etc/profile-a-l/artha.profile
@@ -19,6 +19,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 # whitelisting in ${HOME} makes settings immutable, see #3112
@@ -38,7 +39,6 @@ caps.drop all
 ipc-namespace
 # net none - breaks on Ubuntu
 no3d
-# nodbus
 nodvd
 nogroups
 nonewprivs
@@ -60,4 +60,7 @@ private-etc alternatives,fonts,machine-id
 private-lib libnotify.so.*
 private-tmp
+# dbus-user none
+# dbus-system none
 memory-deny-write-execute
diff --git a/etc/assogiate.profile b/etc/profile-a-l/assogiate.profile
index 542b3da8d..2686839ef 100644
--- a/etc/assogiate.profile
+++ b/etc/profile-a-l/assogiate.profile
@@ -14,6 +14,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 whitelist ${PICTURES}
@@ -26,7 +27,6 @@ caps.drop all
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -47,4 +47,7 @@ private-dev
 private-lib gnome-vfs-2.0,libacl.so.*,libattr.so.*,libfam.so.*
 private-tmp
+dbus-user none
+dbus-system none
 memory-deny-write-execute
diff --git a/etc/asunder.profile b/etc/profile-a-l/asunder.profile
index 1f3acd735..33dd4103f 100644
--- a/etc/asunder.profile
+++ b/etc/profile-a-l/asunder.profile
@@ -20,23 +20,29 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
-nodbus
+no3d
 # nogroups
 nonewprivs
 noroot
 nou2f
+notv
 novideo
 protocol unix,inet,inet6
 seccomp
 shell none
+private-cache
 private-dev
 private-tmp
+dbus-user none
+dbus-system none
 # mdwe is disabled due to breaking hardware accelerated decoding
 # memory-deny-write-execute
diff --git a/etc/atom-beta.profile b/etc/profile-a-l/atom-beta.profile
index c0ee2c492..c0ee2c492 100644
--- a/etc/atom-beta.profile
+++ b/etc/profile-a-l/atom-beta.profile
diff --git a/etc/atom.profile b/etc/profile-a-l/atom.profile
index b9cb49d08..cf0a5a42b 100644
--- a/etc/atom.profile
+++ b/etc/profile-a-l/atom.profile
@@ -17,22 +17,20 @@ include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
-caps.drop all
+caps.keep sys_admin,sys_chroot
 # net none
 netfilter
-nodbus
 nodvd
 nogroups
-nonewprivs
-noroot
 nosound
 notv
 nou2f
 novideo
-protocol unix,inet,inet6,netlink
-seccomp
 shell none
 private-cache
 private-dev
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/atool.profile b/etc/profile-a-l/atool.profile
index 0250451fc..e501e956c 100644
--- a/etc/atool.profile
+++ b/etc/profile-a-l/atool.profile
@@ -25,10 +25,8 @@ hostname atool
 ipc-namespace
 machine-id
 net none
-netfilter
 no3d
 nodvd
-nodbus
 nogroups
 nonewprivs
 noroot
@@ -49,4 +47,7 @@ private-dev
 private-etc alternatives,group,login.defs,passwd
 private-tmp
+dbus-user none
+dbus-system none
 memory-deny-write-execute
diff --git a/etc/atril-previewer.profile b/etc/profile-a-l/atril-previewer.profile
index 7f4697357..7f4697357 100644
--- a/etc/atril-previewer.profile
+++ b/etc/profile-a-l/atril-previewer.profile
diff --git a/etc/atril-thumbnailer.profile b/etc/profile-a-l/atril-thumbnailer.profile
index 8f6129ea6..8f6129ea6 100644
--- a/etc/atril-thumbnailer.profile
+++ b/etc/profile-a-l/atril-thumbnailer.profile
diff --git a/etc/atril.profile b/etc/profile-a-l/atril.profile
index adca38cb5..adca38cb5 100644
--- a/etc/atril.profile
+++ b/etc/profile-a-l/atril.profile
diff --git a/etc/audacious.profile b/etc/profile-a-l/audacious.profile
index 4d0c93047..2e1f6f32a 100644
--- a/etc/audacious.profile
+++ b/etc/profile-a-l/audacious.profile
@@ -23,7 +23,6 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
-#nodbus - dbus needed for MPRIS
 nogroups
 nonewprivs
 noroot
@@ -40,4 +39,6 @@ private-cache
 private-dev
 private-tmp
-memory-deny-write-execute
+# dbus needed for MPRIS
+# dbus-user none
+# dbus-system none
diff --git a/etc/audacity.profile b/etc/profile-a-l/audacity.profile
index 200d3a387..a11e59553 100644
--- a/etc/audacity.profile
+++ b/etc/profile-a-l/audacity.profile
@@ -16,6 +16,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 include whitelist-var-common.inc
@@ -24,7 +25,6 @@ apparmor
 caps.drop all
 net none
 no3d
-# nodbus - problems on Fedora 27
 nodvd
 nogroups
 nonewprivs
@@ -41,4 +41,6 @@ private-bin audacity
 private-dev
 private-tmp
-memory-deny-write-execute
+# problems on Fedora 27
+# dbus-user none
+# dbus-system none
diff --git a/etc/audio-recorder.profile b/etc/profile-a-l/audio-recorder.profile
index b2ed3b030..b2ed3b030 100644
--- a/etc/audio-recorder.profile
+++ b/etc/profile-a-l/audio-recorder.profile
diff --git a/etc/aunpack.profile b/etc/profile-a-l/aunpack.profile
index 6ce4aa491..6ce4aa491 100644
--- a/etc/aunpack.profile
+++ b/etc/profile-a-l/aunpack.profile
diff --git a/etc/authenticator.profile b/etc/profile-a-l/authenticator.profile
index 4887299ec..131b20c70 100644
--- a/etc/authenticator.profile
+++ b/etc/profile-a-l/authenticator.profile
@@ -24,7 +24,6 @@ include disable-programs.inc
 caps.drop all
 netfilter
 no3d
-# nodbus - makes settings immutable
 nodvd
 nogroups
 nonewprivs
@@ -43,4 +42,8 @@ private-dev
 private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,pki,resolv.conf,ssl
 private-tmp
+# makes settings immutable
+# dbus-user none
+# dbus-system none
 #memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/autokey-common.profile b/etc/profile-a-l/autokey-common.profile
index b1a77c0a4..b1a77c0a4 100644
--- a/etc/autokey-common.profile
+++ b/etc/profile-a-l/autokey-common.profile
diff --git a/etc/autokey-gtk.profile b/etc/profile-a-l/autokey-gtk.profile
index e16449064..e16449064 100644
--- a/etc/autokey-gtk.profile
+++ b/etc/profile-a-l/autokey-gtk.profile
diff --git a/etc/autokey-qt.profile b/etc/profile-a-l/autokey-qt.profile
index b6f1210dd..b6f1210dd 100644
--- a/etc/autokey-qt.profile
+++ b/etc/profile-a-l/autokey-qt.profile
diff --git a/etc/autokey-run.profile b/etc/profile-a-l/autokey-run.profile
index 05669351a..05669351a 100644
--- a/etc/autokey-run.profile
+++ b/etc/profile-a-l/autokey-run.profile
diff --git a/etc/autokey-shell.profile b/etc/profile-a-l/autokey-shell.profile
index dfbd8759f..dfbd8759f 100644
--- a/etc/autokey-shell.profile
+++ b/etc/profile-a-l/autokey-shell.profile
diff --git a/etc/aweather.profile b/etc/profile-a-l/aweather.profile
index d7228570f..44c3110a0 100644
--- a/etc/aweather.profile
+++ b/etc/profile-a-l/aweather.profile
@@ -13,6 +13,7 @@ include disable-devel.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 mkdir ${HOME}/.config/aweather
 whitelist ${HOME}/.config/aweather
diff --git a/etc/awesome.profile b/etc/profile-a-l/awesome.profile
index 5d1bf5071..5d1bf5071 100644
--- a/etc/awesome.profile
+++ b/etc/profile-a-l/awesome.profile
diff --git a/etc/baloo_file.profile b/etc/profile-a-l/baloo_file.profile
index 785e37a16..785e37a16 100644
--- a/etc/baloo_file.profile
+++ b/etc/profile-a-l/baloo_file.profile
diff --git a/etc/baloo_filemetadata_temp_extractor.profile b/etc/profile-a-l/baloo_filemetadata_temp_extractor.profile
index ff10e9965..ff10e9965 100644
--- a/etc/baloo_filemetadata_temp_extractor.profile
+++ b/etc/profile-a-l/baloo_filemetadata_temp_extractor.profile
diff --git a/etc/baobab.profile b/etc/profile-a-l/baobab.profile
index 18c862a4d..3937e1966 100644
--- a/etc/baobab.profile
+++ b/etc/profile-a-l/baobab.profile
@@ -12,12 +12,14 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 # include disable-programs.inc
+include disable-shell.inc
 # include disable-xdg.inc
+include whitelist-runuser-common.inc
 caps.drop all
 net none
 no3d
-#nodbus
 nodvd
 nogroups
 nonewprivs
@@ -29,9 +31,13 @@ novideo
 protocol unix
 seccomp
 shell none
+tracelog
 private-bin baobab
 private-dev
 private-tmp
+# dbus-user none
+# dbus-system none
 read-only ${HOME}
diff --git a/etc/barrier.profile b/etc/profile-a-l/barrier.profile
index f5da3782e..f5da3782e 100644
--- a/etc/barrier.profile
+++ b/etc/profile-a-l/barrier.profile
diff --git a/etc/basilisk.profile b/etc/profile-a-l/basilisk.profile
index 8dc3847a0..8dc3847a0 100644
--- a/etc/basilisk.profile
+++ b/etc/profile-a-l/basilisk.profile
diff --git a/etc/beaker.profile b/etc/profile-a-l/beaker.profile
index cc1886a49..cc1886a49 100644
--- a/etc/beaker.profile
+++ b/etc/profile-a-l/beaker.profile
diff --git a/etc/bibletime.profile b/etc/profile-a-l/bibletime.profile
index b76bc8367..99e2802eb 100644
--- a/etc/bibletime.profile
+++ b/etc/profile-a-l/bibletime.profile
@@ -35,7 +35,6 @@ apparmor
 caps.drop all
 machine-id
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -54,3 +53,6 @@ private-cache
 private-dev
 private-etc alternatives,ca-certificates,crypto-policies,fonts,login.defs,machine-id,passwd,pki,resolv.conf,ssl,sword,sword.conf
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/bibtex.profile b/etc/profile-a-l/bibtex.profile
index e868dcbab..e868dcbab 100644
--- a/etc/bibtex.profile
+++ b/etc/profile-a-l/bibtex.profile
diff --git a/etc/profile-a-l/bijiben.profile b/etc/profile-a-l/bijiben.profile
new file mode 100644
index 000000000..c1c338536
--- /dev/null
+++ b/etc/profile-a-l/bijiben.profile
@@ -0,0 +1,58 @@
+# Firejail profile for bijiben
+# Description: Simple Note Viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include bijiben.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.local/share/bijiben
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+mkdir ${HOME}/.local/share/bijiben
+whitelist ${HOME}/.local/share/bijiben
+whitelist ${HOME}/.cache/tracker
+whitelist /usr/share/bijiben
+whitelist /usr/share/tracker
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin bijiben
+# private-cache -- access to .cache/tracker is required
+private-dev
+private-etc dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload
+private-tmp
+dbus-user filter
+dbus-user.own org.gnome.Notes
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.freedesktop.Tracker1
+dbus-system none
diff --git a/etc/bitcoin-qt.profile b/etc/profile-a-l/bitcoin-qt.profile
index ac1e21ba7..3a3f2b62c 100644
--- a/etc/bitcoin-qt.profile
+++ b/etc/profile-a-l/bitcoin-qt.profile
@@ -15,6 +15,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 mkdir ${HOME}/.bitcoin
 mkdir ${HOME}/.config/Bitcoin
diff --git a/etc/bitlbee.profile b/etc/profile-a-l/bitlbee.profile
index 62eeb88f3..62eeb88f3 100644
--- a/etc/bitlbee.profile
+++ b/etc/profile-a-l/bitlbee.profile
diff --git a/etc/bitwarden.profile b/etc/profile-a-l/bitwarden.profile
index a5538bacc..41f8e51fd 100644
--- a/etc/bitwarden.profile
+++ b/etc/profile-a-l/bitwarden.profile
@@ -16,6 +16,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.config/Bitwarden
@@ -29,7 +30,6 @@ caps.drop all
 machine-id
 netfilter
 no3d
-#nodbus - breaks appindicator (tray) functionality
 nodvd
 nogroups
 nonewprivs
@@ -39,7 +39,7 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6,netlink
-seccomp
+seccomp !chroot
 shell none
 #tracelog - breaks on Arch
@@ -51,4 +51,8 @@ private-etc alternatives,ca-certificates,crypto-policies,fonts,hosts,nsswitch.co
 private-opt Bitwarden
 private-tmp
+# breaks appindicator (tray) functionality
+# dbus-user none
+# dbus-system none
 #memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/blackbox.profile b/etc/profile-a-l/blackbox.profile
index 13e83493d..13e83493d 100644
--- a/etc/blackbox.profile
+++ b/etc/profile-a-l/blackbox.profile
diff --git a/etc/bleachbit.profile b/etc/profile-a-l/bleachbit.profile
index 47c0cfa48..8f230a413 100644
--- a/etc/bleachbit.profile
+++ b/etc/profile-a-l/bleachbit.profile
@@ -20,7 +20,6 @@ include disable-passwdmgr.inc
 caps.drop all
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -36,5 +35,8 @@ shell none
 private-dev
 # private-tmp
+dbus-user none
+dbus-system none
 # memory-deny-write-execute breaks some systems, see issue #1850
 # memory-deny-write-execute
diff --git a/etc/blender-2.8.profile b/etc/profile-a-l/blender-2.8.profile
index b7242c443..b7242c443 100644
--- a/etc/blender-2.8.profile
+++ b/etc/profile-a-l/blender-2.8.profile
diff --git a/etc/blender.profile b/etc/profile-a-l/blender.profile
index 6a72fb602..0f80f0a63 100644
--- a/etc/blender.profile
+++ b/etc/profile-a-l/blender.profile
@@ -33,9 +33,8 @@ noroot
 notv
 nou2f
 protocol unix,inet,inet6,netlink
-seccomp
+# numpy, used by many add-ons, requires the mbind syscall
+seccomp !mbind
 shell none
 private-dev
-private-tmp
diff --git a/etc/bless.profile b/etc/profile-a-l/bless.profile
index 35235962e..216e86109 100644
--- a/etc/bless.profile
+++ b/etc/profile-a-l/bless.profile
@@ -20,7 +20,6 @@ include whitelist-var-common.inc
 caps.drop all
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -39,3 +38,5 @@ private-dev
 private-etc alternatives,fonts,mono
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/blobwars.profile b/etc/profile-a-l/blobwars.profile
new file mode 100644
index 000000000..d43a9d241
--- /dev/null
+++ b/etc/profile-a-l/blobwars.profile
@@ -0,0 +1,50 @@
+# Firejail profile for blobwars
+# Description: Mission and Objective based 2D Platform Game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include blobwars.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.parallelrealities/blobwars
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+mkdir ${HOME}/.parallelrealities/blobwars
+whitelist ${HOME}/.parallelrealities/blobwars
+whitelist /usr/share/blobwars
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin blobwars
+private-cache
+private-dev
+private-etc machine-id
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/bluefish.profile b/etc/profile-a-l/bluefish.profile
index 412088ba9..88ac9c0ed 100644
--- a/etc/bluefish.profile
+++ b/etc/profile-a-l/bluefish.profile
@@ -15,10 +15,10 @@ include disable-programs.inc
 include whitelist-var-common.inc
+apparmor
 caps.drop all
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -36,3 +36,5 @@ private-bin bluefish
 private-dev
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/bnox.profile b/etc/profile-a-l/bnox.profile
index 031f3f4bd..031f3f4bd 100644
--- a/etc/bnox.profile
+++ b/etc/profile-a-l/bnox.profile
diff --git a/etc/brackets.profile b/etc/profile-a-l/brackets.profile
index 70f62813e..70f62813e 100644
--- a/etc/brackets.profile
+++ b/etc/profile-a-l/brackets.profile
diff --git a/etc/brasero.profile b/etc/profile-a-l/brasero.profile
index 67fc07afb..417a6b3e0 100644
--- a/etc/brasero.profile
+++ b/etc/profile-a-l/brasero.profile
@@ -15,6 +15,9 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include whitelist-var-common.inc
+apparmor
 caps.drop all
 net none
 nogroups
diff --git a/etc/brave-browser-beta.profile b/etc/profile-a-l/brave-browser-beta.profile
index 528a6402d..528a6402d 100644
--- a/etc/brave-browser-beta.profile
+++ b/etc/profile-a-l/brave-browser-beta.profile
diff --git a/etc/brave-browser-dev.profile b/etc/profile-a-l/brave-browser-dev.profile
index 4601de119..4601de119 100644
--- a/etc/brave-browser-dev.profile
+++ b/etc/profile-a-l/brave-browser-dev.profile
diff --git a/etc/brave-browser-nightly.profile b/etc/profile-a-l/brave-browser-nightly.profile
index 43d3cc724..43d3cc724 100644
--- a/etc/brave-browser-nightly.profile
+++ b/etc/profile-a-l/brave-browser-nightly.profile
diff --git a/etc/brave-browser-stable.profile b/etc/profile-a-l/brave-browser-stable.profile
index 06d33dea4..06d33dea4 100644
--- a/etc/brave-browser-stable.profile
+++ b/etc/profile-a-l/brave-browser-stable.profile
diff --git a/etc/brave-browser.profile b/etc/profile-a-l/brave-browser.profile
index e223ecf87..e223ecf87 100644
--- a/etc/brave-browser.profile
+++ b/etc/profile-a-l/brave-browser.profile
diff --git a/etc/brave.profile b/etc/profile-a-l/brave.profile
index 35c59f5a3..35c59f5a3 100644
--- a/etc/brave.profile
+++ b/etc/profile-a-l/brave.profile
diff --git a/etc/bsdcat.profile b/etc/profile-a-l/bsdcat.profile
index 5271ee5d6..5271ee5d6 100644
--- a/etc/bsdcat.profile
+++ b/etc/profile-a-l/bsdcat.profile
diff --git a/etc/bsdcpio.profile b/etc/profile-a-l/bsdcpio.profile
index 5271ee5d6..5271ee5d6 100644
--- a/etc/bsdcpio.profile
+++ b/etc/profile-a-l/bsdcpio.profile
diff --git a/etc/bsdtar.profile b/etc/profile-a-l/bsdtar.profile
index 5ce9b6406..08e51f3c1 100644
--- a/etc/bsdtar.profile
+++ b/etc/profile-a-l/bsdtar.profile
@@ -22,7 +22,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -43,4 +42,7 @@ private-cache
 private-dev
 private-etc alternatives,group,localtime,passwd
+dbus-user none
+dbus-system none
 memory-deny-write-execute
diff --git a/etc/bunzip2.profile b/etc/profile-a-l/bunzip2.profile
index 37b47c2ce..37b47c2ce 100644
--- a/etc/bunzip2.profile
+++ b/etc/profile-a-l/bunzip2.profile
diff --git a/etc/bzcat.profile b/etc/profile-a-l/bzcat.profile
index edefb6bb8..edefb6bb8 100644
--- a/etc/bzcat.profile
+++ b/etc/profile-a-l/bzcat.profile
diff --git a/etc/bzflag.profile b/etc/profile-a-l/bzflag.profile
index 86ab73e0b..f06bead1e 100644
--- a/etc/bzflag.profile
+++ b/etc/profile-a-l/bzflag.profile
@@ -14,6 +14,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.bzf
@@ -24,7 +25,6 @@ include whitelist-var-common.inc
 caps.drop all
 ipc-namespace
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -42,3 +42,6 @@ private-bin bzadmin,bzflag,bzflag-wrapper,bzfs
 private-cache
 private-dev
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/bzip2.profile b/etc/profile-a-l/bzip2.profile
index 0756e0537..0756e0537 100644
--- a/etc/bzip2.profile
+++ b/etc/profile-a-l/bzip2.profile
diff --git a/etc/profile-a-l/caja.profile b/etc/profile-a-l/caja.profile
new file mode 100644
index 000000000..1af102ca8
--- /dev/null
+++ b/etc/profile-a-l/caja.profile
@@ -0,0 +1,15 @@
+# Firejail profile for caja
+# Description: File manager for the MATE desktop
+# This file is overwritten after every install/update
+# Persistent local customizations
+include caja.local
+# Persistent global definitions
+include globals.local
+# Caja is started by systemd on most systems. Therefore it is not firejailed by default. Since there
+# is already a caja process running on MATE desktops firejail will have no effect.
+# Put 'ignore noroot' in your caja.local if you use MPV+Vulkan (see issue #3012)
+# Redirect
+include file-manager-common.profile
diff --git a/etc/calibre.profile b/etc/profile-a-l/calibre.profile
index ad6f0aa0d..d17cfa85f 100644
--- a/etc/calibre.profile
+++ b/etc/profile-a-l/calibre.profile
@@ -19,6 +19,7 @@ include disable-xdg.inc
 include whitelist-var-common.inc
+apparmor
 caps.drop all
 netfilter
 nodvd
diff --git a/etc/calligra.profile b/etc/profile-a-l/calligra.profile
index 7054739c8..f4ce47018 100644
--- a/etc/calligra.profile
+++ b/etc/profile-a-l/calligra.profile
@@ -6,6 +6,8 @@ include calligra.local
 # Persistent global definitions
 include globals.local
+noblacklist ${HOME}/.local/share/kxmlgui5/calligra
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
@@ -16,7 +18,6 @@ caps.drop all
 ipc-namespace
 # net none
 netfilter
-# nodbus
 nodvd
 nogroups
 nonewprivs
@@ -31,5 +32,8 @@ shell none
 private-bin calligra,calligraauthor,calligraconverter,calligraflow,calligraplan,calligraplanwork,calligrasheets,calligrastage,calligrawords,dbus-launch,kbuildsycoca4,kdeinit4
 private-dev
+# dbus-user none
+# dbus-system none
 # noexec ${HOME}
 noexec /tmp
diff --git a/etc/calligraauthor.profile b/etc/profile-a-l/calligraauthor.profile
index 7804a3b97..7804a3b97 100644
--- a/etc/calligraauthor.profile
+++ b/etc/profile-a-l/calligraauthor.profile
diff --git a/etc/calligraconverter.profile b/etc/profile-a-l/calligraconverter.profile
index 7804a3b97..7804a3b97 100644
--- a/etc/calligraconverter.profile
+++ b/etc/profile-a-l/calligraconverter.profile
diff --git a/etc/calligraflow.profile b/etc/profile-a-l/calligraflow.profile
index 7804a3b97..7804a3b97 100644
--- a/etc/calligraflow.profile
+++ b/etc/profile-a-l/calligraflow.profile
diff --git a/etc/calligraplan.profile b/etc/profile-a-l/calligraplan.profile
index 7804a3b97..23dd61175 100644
--- a/etc/calligraplan.profile
+++ b/etc/profile-a-l/calligraplan.profile
@@ -1,5 +1,7 @@
 # Firejail profile alias for calligra
 # This file is overwritten after every install/update
+noblacklist ${HOME}/.local/share/kxmlgui5/calligraplan
 # Redirect
 include calligra.profile
diff --git a/etc/calligraplanwork.profile b/etc/profile-a-l/calligraplanwork.profile
index 7804a3b97..1c283a3cb 100644
--- a/etc/calligraplanwork.profile
+++ b/etc/profile-a-l/calligraplanwork.profile
@@ -1,5 +1,7 @@
 # Firejail profile alias for calligra
 # This file is overwritten after every install/update
+noblacklist ${HOME}/.local/share/kxmlgui5/calligraplanwork
 # Redirect
 include calligra.profile
diff --git a/etc/calligrasheets.profile b/etc/profile-a-l/calligrasheets.profile
index 7804a3b97..8ef75be71 100644
--- a/etc/calligrasheets.profile
+++ b/etc/profile-a-l/calligrasheets.profile
@@ -1,5 +1,7 @@
 # Firejail profile alias for calligra
 # This file is overwritten after every install/update
+noblacklist ${HOME}/.local/share/kxmlgui5/calligrasheets
 # Redirect
 include calligra.profile
diff --git a/etc/calligrastage.profile b/etc/profile-a-l/calligrastage.profile
index 7804a3b97..d5c960248 100644
--- a/etc/calligrastage.profile
+++ b/etc/profile-a-l/calligrastage.profile
@@ -1,5 +1,7 @@
 # Firejail profile alias for calligra
 # This file is overwritten after every install/update
+noblacklist ${HOME}/.local/share/kxmlgui5/calligrastage
 # Redirect
 include calligra.profile
diff --git a/etc/calligrawords.profile b/etc/profile-a-l/calligrawords.profile
index 7804a3b97..5985b4250 100644
--- a/etc/calligrawords.profile
+++ b/etc/profile-a-l/calligrawords.profile
@@ -1,5 +1,7 @@
 # Firejail profile alias for calligra
 # This file is overwritten after every install/update
+noblacklist ${HOME}/.local/share/kxmlgui5/calligrawords
 # Redirect
 include calligra.profile
diff --git a/etc/cameramonitor.profile b/etc/profile-a-l/cameramonitor.profile
index 1d7aa0f9c..74c7cc34b 100644
--- a/etc/cameramonitor.profile
+++ b/etc/profile-a-l/cameramonitor.profile
@@ -17,6 +17,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 whitelist /usr/share/cameramonitor
@@ -30,7 +31,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-#nodbus
 nodvd
 nogroups
 nonewprivs
@@ -50,4 +50,7 @@ private-cache
 private-etc alternatives,fonts
 private-tmp
+# dbus-user none
+# dbus-system none
 # memory-deny-write-execute - breaks on Arch
diff --git a/etc/cantata.profile b/etc/profile-a-l/cantata.profile
index c44d56b90..294bb31b3 100644
--- a/etc/cantata.profile
+++ b/etc/profile-a-l/cantata.profile
@@ -20,6 +20,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 # apparmor
diff --git a/etc/catfish.profile b/etc/profile-a-l/catfish.profile
index c6c2d7e8a..009d3a049 100644
--- a/etc/catfish.profile
+++ b/etc/profile-a-l/catfish.profile
@@ -24,10 +24,10 @@ include disable-passwdmgr.inc
 whitelist /var/lib/mlocate
 include whitelist-var-common.inc
+apparmor
 caps.drop all
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -45,3 +45,6 @@ tracelog
 # private-bin bash,catfish,env,locate,ls,mlocate,python*
 # private-dev
 # private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/cawbird.profile b/etc/profile-a-l/cawbird.profile
new file mode 100644
index 000000000..3d29c3817
--- /dev/null
+++ b/etc/profile-a-l/cawbird.profile
@@ -0,0 +1,46 @@
+# Firejail profile for cawbird
+# Description: Open-source Twitter client for Linux
+# This file is overwritten after every install/update
+# Persistent local customizations
+include cawbird.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/cawbird
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+apparmor
+caps.drop all
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin cawbird
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,pki,resolv.conf,ssl,X11,xdg
+private-tmp
+# dbus-user none
+dbus-system none
diff --git a/etc/celluloid.profile b/etc/profile-a-l/celluloid.profile
index d099ba11e..567bd912a 100644
--- a/etc/celluloid.profile
+++ b/etc/profile-a-l/celluloid.profile
@@ -24,13 +24,13 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
-# nodbus -- uses dconf, MPRIS
 nogroups
 nonewprivs
 noroot
@@ -46,5 +46,10 @@ private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3
 private-dev
 private-tmp
+dbus-user filter
+dbus-user.own io.github.celluloid_player.Celluloid
+dbus-user.talk org.gnome.SettingsDaemon.MediaKeys
+dbus-system none
 read-only ${HOME}
 read-write ${HOME}/.config/celluloid
diff --git a/etc/checkbashisms.profile b/etc/profile-a-l/checkbashisms.profile
index e15131dca..93f61091b 100644
--- a/etc/checkbashisms.profile
+++ b/etc/profile-a-l/checkbashisms.profile
@@ -32,7 +32,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -51,4 +50,7 @@ private-dev
 private-lib libfreebl3.so,perl*
 private-tmp
+dbus-user none
+dbus-system none
 memory-deny-write-execute
diff --git a/etc/cheese.profile b/etc/profile-a-l/cheese.profile
index 633928260..337117c4a 100644
--- a/etc/cheese.profile
+++ b/etc/profile-a-l/cheese.profile
@@ -26,7 +26,6 @@ apparmor
 caps.drop all
 machine-id
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -43,3 +42,6 @@ private-bin cheese
 private-cache
 private-etc alternatives,clutter-1.0,dconf,drirc,fonts,gtk-3.0
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/cherrytree.profile b/etc/profile-a-l/cherrytree.profile
index 70dea5bd9..70dea5bd9 100644
--- a/etc/cherrytree.profile
+++ b/etc/profile-a-l/cherrytree.profile
diff --git a/etc/chromium-browser.profile b/etc/profile-a-l/chromium-browser.profile
index f83052d9a..f83052d9a 100644
--- a/etc/chromium-browser.profile
+++ b/etc/profile-a-l/chromium-browser.profile
diff --git a/etc/chromium-common.profile b/etc/profile-a-l/chromium-common.profile
index c54fb0e19..899400d25 100644
--- a/etc/chromium-common.profile
+++ b/etc/profile-a-l/chromium-common.profile
@@ -29,7 +29,6 @@ include whitelist-var-common.inc
 apparmor
 caps.keep sys_admin,sys_chroot
 netfilter
-# nodbus - prevents access to passwords saved in GNOME Keyring and KWallet, also breaks Gnome connector
 nodvd
 nogroups
 notv
@@ -40,5 +39,9 @@ disable-mnt
 ?BROWSER_DISABLE_U2F: private-dev
 # private-tmp - problems with multiple browser sessions
+# prevents access to passwords saved in GNOME Keyring and KWallet, also breaks Gnome connector
+# dbus-user none
+dbus-system none
 # the file dialog needs to work without d-bus
 ?HAS_NODBUS: env NO_CHROME_KDE_FILE_DIALOG=1
diff --git a/etc/chromium.profile b/etc/profile-a-l/chromium.profile
index dab9ce449..dab9ce449 100644
--- a/etc/chromium.profile
+++ b/etc/profile-a-l/chromium.profile
diff --git a/etc/cin.profile b/etc/profile-a-l/cin.profile
index efeb9cd14..8c3fb42d1 100644
--- a/etc/cin.profile
+++ b/etc/profile-a-l/cin.profile
@@ -17,7 +17,6 @@ include disable-programs.inc
 caps.drop all
 ipc-namespace
 net none
-nodbus
 nodvd
 #nogroups
 nonewprivs
@@ -34,3 +33,5 @@ shell none
 private-cache
 private-dev
+dbus-user none
+dbus-system none
diff --git a/etc/cinelerra.profile b/etc/profile-a-l/cinelerra.profile
index 88a65037e..88a65037e 100644
--- a/etc/cinelerra.profile
+++ b/etc/profile-a-l/cinelerra.profile
diff --git a/etc/clamav.profile b/etc/profile-a-l/clamav.profile
index 51bc58108..2726ab5af 100644
--- a/etc/clamav.profile
+++ b/etc/profile-a-l/clamav.profile
@@ -15,7 +15,6 @@ caps.drop all
 ipc-namespace
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -31,6 +30,10 @@ tracelog
 x11 none
 private-dev
+dbus-user none
+dbus-system none
 read-only ${HOME}
 memory-deny-write-execute
diff --git a/etc/clamdscan.profile b/etc/profile-a-l/clamdscan.profile
index 4c6c56c5f..4c6c56c5f 100644
--- a/etc/clamdscan.profile
+++ b/etc/profile-a-l/clamdscan.profile
diff --git a/etc/clamdtop.profile b/etc/profile-a-l/clamdtop.profile
index 4c6c56c5f..4c6c56c5f 100644
--- a/etc/clamdtop.profile
+++ b/etc/profile-a-l/clamdtop.profile
diff --git a/etc/clamscan.profile b/etc/profile-a-l/clamscan.profile
index 4c6c56c5f..4c6c56c5f 100644
--- a/etc/clamscan.profile
+++ b/etc/profile-a-l/clamscan.profile
diff --git a/etc/clamtk.profile b/etc/profile-a-l/clamtk.profile
index bc09808cb..4425a2bd0 100644
--- a/etc/clamtk.profile
+++ b/etc/profile-a-l/clamtk.profile
@@ -11,7 +11,6 @@ caps.drop all
 ipc-namespace
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -25,3 +24,6 @@ seccomp
 shell none
 private-dev
+dbus-user none
+dbus-system none
diff --git a/etc/claws-mail.profile b/etc/profile-a-l/claws-mail.profile
index 24954b2d8..24954b2d8 100644
--- a/etc/claws-mail.profile
+++ b/etc/profile-a-l/claws-mail.profile
diff --git a/etc/clawsker.profile b/etc/profile-a-l/clawsker.profile
index 07db86c92..12ce47401 100644
--- a/etc/clawsker.profile
+++ b/etc/profile-a-l/clawsker.profile
@@ -29,7 +29,6 @@ apparmor
 caps.drop all
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -50,4 +49,7 @@ private-etc alternatives,fonts
 private-lib girepository-1.*,libdbus-glib-1.so.*,libetpan.so.*,libgirepository-1.*,libgtk-x11-2.0.so.*,libstartup-notification-1.so.*,perl*
 private-tmp
+dbus-user none
+dbus-system none
 #memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/clementine.profile b/etc/profile-a-l/clementine.profile
index 4d92157d0..4d92157d0 100644
--- a/etc/clementine.profile
+++ b/etc/profile-a-l/clementine.profile
diff --git a/etc/clion.profile b/etc/profile-a-l/clion.profile
index b27d93684..b27d93684 100644
--- a/etc/clion.profile
+++ b/etc/profile-a-l/clion.profile
diff --git a/etc/clipgrab.profile b/etc/profile-a-l/clipgrab.profile
index 786d1c866..dace5e83e 100644
--- a/etc/clipgrab.profile
+++ b/etc/profile-a-l/clipgrab.profile
@@ -25,8 +25,6 @@ apparmor
 caps.drop all
 machine-id
 netfilter
-# Breaks tray-icon, uncommend or add to clipgrab.local if you don't need it.
-#nodbus
 nodvd
 nogroups
 nonewprivs
@@ -43,3 +41,7 @@ disable-mnt
 private-cache
 private-dev
 private-tmp
+# Breaks tray icon, uncomment or add to clipgrab.local if you don't need it
+# dbus-user none
+# dbus-system none
diff --git a/etc/clipit.profile b/etc/profile-a-l/clipit.profile
index 66b5fc859..66b5fc859 100644
--- a/etc/clipit.profile
+++ b/etc/profile-a-l/clipit.profile
diff --git a/etc/cliqz.profile b/etc/profile-a-l/cliqz.profile
index d0b8cc0ef..d0b8cc0ef 100644
--- a/etc/cliqz.profile
+++ b/etc/profile-a-l/cliqz.profile
diff --git a/etc/clocks.profile b/etc/profile-a-l/clocks.profile
index da50e7d49..da50e7d49 100644
--- a/etc/clocks.profile
+++ b/etc/profile-a-l/clocks.profile
diff --git a/etc/cmus.profile b/etc/profile-a-l/cmus.profile
index fa1e5d722..bcd557787 100644
--- a/etc/cmus.profile
+++ b/etc/profile-a-l/cmus.profile
@@ -14,6 +14,7 @@ include disable-devel.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 caps.drop all
diff --git a/etc/code-oss.profile b/etc/profile-a-l/code-oss.profile
index 6d45d5994..6d45d5994 100644
--- a/etc/code-oss.profile
+++ b/etc/profile-a-l/code-oss.profile
diff --git a/etc/code.profile b/etc/profile-a-l/code.profile
index 6f8a25211..6f8a25211 100644
--- a/etc/code.profile
+++ b/etc/profile-a-l/code.profile
diff --git a/etc/profile-a-l/com.github.dahenson.agenda.profile b/etc/profile-a-l/com.github.dahenson.agenda.profile
new file mode 100644
index 000000000..77b6c7bd8
--- /dev/null
+++ b/etc/profile-a-l/com.github.dahenson.agenda.profile
@@ -0,0 +1,66 @@
+# Firejail profile for com.github.dahenson.agenda
+# Description: Simple, fast, no-nonsense to-do (task) list
+# This file is overwritten after every install/update
+# Persistent local customizations
+include com.github.dahenson.agenda.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.cache/agenda
+noblacklist ${HOME}/.config/agenda
+noblacklist ${HOME}/.local/share/agenda
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+mkdir ${HOME}/.cache/agenda
+mkdir ${HOME}/.config/agenda
+mkdir ${HOME}/.local/share/agenda
+whitelist ${HOME}/.cache/agenda
+whitelist ${HOME}/.config/agenda
+whitelist ${HOME}/.local/share/agenda
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin com.github.dahenson.agenda
+private-cache
+private-dev
+private-etc dconf,fonts,gtk-3.0
+private-tmp
+dbus-user filter
+dbus-user.own com.github.dahenson.agenda
+dbus-user.talk ca.desrt.dconf
+dbus-system none
+read-only ${HOME}
+read-write ${HOME}/.cache/agenda
+read-write ${HOME}/.config/agenda
+read-write ${HOME}/.local/share/agenda
diff --git a/etc/com.github.johnfactotum.Foliate.profile b/etc/profile-a-l/com.github.johnfactotum.Foliate.profile
index 39a9a360d..c1800fe4c 100644
--- a/etc/com.github.johnfactotum.Foliate.profile
+++ b/etc/profile-a-l/com.github.johnfactotum.Foliate.profile
@@ -19,6 +19,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.cache/com.github.johnfactotum.Foliate
diff --git a/etc/profile-a-l/com.gitlab.newsflash.profile b/etc/profile-a-l/com.gitlab.newsflash.profile
new file mode 100644
index 000000000..0628d3d01
--- /dev/null
+++ b/etc/profile-a-l/com.gitlab.newsflash.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for newsflash
+# This file is overwritten after every install/update
+# Redirect
+include newsflash.profile
diff --git a/etc/conkeror.profile b/etc/profile-a-l/conkeror.profile
index 38edf0d21..38edf0d21 100644
--- a/etc/conkeror.profile
+++ b/etc/profile-a-l/conkeror.profile
diff --git a/etc/conky.profile b/etc/profile-a-l/conky.profile
index 10a243cd3..e5cd7085a 100644
--- a/etc/conky.profile
+++ b/etc/profile-a-l/conky.profile
@@ -8,6 +8,9 @@ include globals.local
 noblacklist ${PICTURES}
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/conplay.profile b/etc/profile-a-l/conplay.profile
index 8d9f3324f..8d9f3324f 100644
--- a/etc/conplay.profile
+++ b/etc/profile-a-l/conplay.profile
diff --git a/etc/corebird.profile b/etc/profile-a-l/corebird.profile
index dbb043c17..e9a2c9441 100644
--- a/etc/corebird.profile
+++ b/etc/profile-a-l/corebird.profile
@@ -14,6 +14,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 include whitelist-var-common.inc
diff --git a/etc/cower.profile b/etc/profile-a-l/cower.profile
index 8efe48240..0ab5a7f78 100644
--- a/etc/cower.profile
+++ b/etc/profile-a-l/cower.profile
@@ -16,6 +16,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 # This profile could be significantly strengthened by adding the following to cower.local
diff --git a/etc/cpio.profile b/etc/profile-a-l/cpio.profile
index 1156b7439..087a5b2bb 100644
--- a/etc/cpio.profile
+++ b/etc/profile-a-l/cpio.profile
@@ -25,7 +25,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -41,4 +40,7 @@ x11 none
 private-cache
 private-dev
+dbus-user none
+dbus-system none
 memory-deny-write-execute
diff --git a/etc/crawl-tiles.profile b/etc/profile-a-l/crawl-tiles.profile
index 39151865e..39151865e 100644
--- a/etc/crawl-tiles.profile
+++ b/etc/profile-a-l/crawl-tiles.profile
diff --git a/etc/crawl.profile b/etc/profile-a-l/crawl.profile
index af78ac738..3da2413d9 100644
--- a/etc/crawl.profile
+++ b/etc/profile-a-l/crawl.profile
@@ -25,7 +25,6 @@ caps.drop all
 ipc-namespace
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -43,3 +42,6 @@ private-bin crawl,crawl-tiles
 private-cache
 private-dev
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/crow.profile b/etc/profile-a-l/crow.profile
index 755b6e9f8..db4be7679 100644
--- a/etc/crow.profile
+++ b/etc/profile-a-l/crow.profile
@@ -17,6 +17,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 include whitelist-common.inc
diff --git a/etc/cryptocat.profile b/etc/profile-a-l/cryptocat.profile
index 69aa39de2..69aa39de2 100644
--- a/etc/cryptocat.profile
+++ b/etc/profile-a-l/cryptocat.profile
diff --git a/etc/curl.profile b/etc/profile-a-l/curl.profile
index 3f93e5f7e..996ff51d3 100644
--- a/etc/curl.profile
+++ b/etc/profile-a-l/curl.profile
@@ -10,6 +10,8 @@ include globals.local
 noblacklist ${HOME}/.curlrc
 blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 include disable-common.inc
 include disable-exec.inc
@@ -19,13 +21,14 @@ include disable-programs.inc
 #include disable-xdg.inc
 include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
 caps.drop all
 ipc-namespace
 machine-id
 netfilter
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -44,3 +47,6 @@ private-cache
 private-dev
 # private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/cvlc.profile b/etc/profile-a-l/cvlc.profile
index 56c0d965c..56c0d965c 100644
--- a/etc/cvlc.profile
+++ b/etc/profile-a-l/cvlc.profile
diff --git a/etc/cyberfox.profile b/etc/profile-a-l/cyberfox.profile
index d1fff0004..d1fff0004 100644
--- a/etc/cyberfox.profile
+++ b/etc/profile-a-l/cyberfox.profile
diff --git a/etc/d-feet.profile b/etc/profile-a-l/d-feet.profile
index 897bf5f5d..7e622799a 100644
--- a/etc/d-feet.profile
+++ b/etc/profile-a-l/d-feet.profile
@@ -18,12 +18,14 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.config/d-feet
 whitelist ${HOME}/.config/d-feet
 whitelist /usr/share/d-feet
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/darktable.profile b/etc/profile-a-l/darktable.profile
index 2a71ad11c..2a71ad11c 100644
--- a/etc/darktable.profile
+++ b/etc/profile-a-l/darktable.profile
diff --git a/etc/dconf-editor.profile b/etc/profile-a-l/dconf-editor.profile
index a9d25128f..d6541850d 100644
--- a/etc/dconf-editor.profile
+++ b/etc/profile-a-l/dconf-editor.profile
@@ -12,10 +12,12 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 whitelist ${HOME}/.local/share/glib-2.0
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -43,3 +45,8 @@ private-dev
 private-etc alternatives,dconf,fonts,gtk-3.0,machine-id
 private-lib
 private-tmp
+dbus-user filter
+dbus-user.own ca.desrt.dconf-editor
+dbus-user.talk ca.desrt.dconf
+dbus-system none
diff --git a/etc/dconf.profile b/etc/profile-a-l/dconf.profile
index ea19b2209..ea19b2209 100644
--- a/etc/dconf.profile
+++ b/etc/profile-a-l/dconf.profile
diff --git a/etc/ddgtk.profile b/etc/profile-a-l/ddgtk.profile
index 3dfc657bc..5b95b74be 100644
--- a/etc/ddgtk.profile
+++ b/etc/profile-a-l/ddgtk.profile
@@ -30,7 +30,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -50,4 +49,7 @@ private-cache
 private-etc alternatives,fonts
 private-tmp
+dbus-user none
+dbus-system none
 # memory-deny-write-execute - breaks on Arch
diff --git a/etc/deadbeef.profile b/etc/profile-a-l/deadbeef.profile
index 8e67d9daa..8e67d9daa 100644
--- a/etc/deadbeef.profile
+++ b/etc/profile-a-l/deadbeef.profile
diff --git a/etc/default.profile b/etc/profile-a-l/default.profile
index 95a6e8095..74314cf92 100644
--- a/etc/default.profile
+++ b/etc/profile-a-l/default.profile
@@ -16,6 +16,11 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 # include disable-xdg.inc
+# include whitelist-common.inc
+# include whitelist-usr-share-common.inc
+# include whitelist-runuser-common.inc
+# include whitelist-var-common.inc
 # apparmor
 caps.drop all
 # ipc-namespace
@@ -23,7 +28,6 @@ caps.drop all
 # net none
 netfilter
 # no3d
-# nodbus
 # nodvd
 # nogroups
 nonewprivs
@@ -42,8 +46,14 @@ seccomp
 # private-bin program
 # private-cache
 # private-dev
-# private-etc alternatives
+# see /usr/share/doc/firejail/profile.template for more common private-etc paths.
+# private-etc alternatives,fonts,machine-id
 # private-lib
+# private-opt none
 # private-tmp
+# dbus-user none
+# dbus-system none
 # memory-deny-write-execute
+# read-only ${HOME}
diff --git a/etc/deluge.profile b/etc/profile-a-l/deluge.profile
index 8f4f9fbe9..17c5059f5 100644
--- a/etc/deluge.profile
+++ b/etc/profile-a-l/deluge.profile
@@ -14,6 +14,7 @@ include allow-python3.inc
 include disable-common.inc
 # include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -24,6 +25,7 @@ whitelist ${HOME}/.config/deluge
 include whitelist-common.inc
 include whitelist-var-common.inc
+apparmor
 caps.drop all
 machine-id
 netfilter
diff --git a/etc/desktopeditors.profile b/etc/profile-a-l/desktopeditors.profile
index d0c727c5c..9a98c4933 100644
--- a/etc/desktopeditors.profile
+++ b/etc/profile-a-l/desktopeditors.profile
@@ -24,7 +24,6 @@ apparmor
 caps.drop all
 ipc-namespace
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -41,3 +40,6 @@ private-bin desktopeditors,sh
 private-cache
 private-dev
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/devhelp.profile b/etc/profile-a-l/devhelp.profile
index cc9553e73..b8b07469d 100644
--- a/etc/devhelp.profile
+++ b/etc/profile-a-l/devhelp.profile
@@ -13,6 +13,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 whitelist /usr/share/devhelp
@@ -24,7 +25,6 @@ include whitelist-usr-share-common.inc
 apparmor
 caps.drop all
 # net none - makes settings immutable
-# nodbus - makes settings immutable
 nodvd
 nogroups
 nonewprivs
@@ -45,6 +45,10 @@ private-dev
 private-etc alternatives,dconf,fonts,ld.so.cache,machine-id,ssl
 private-tmp
+# makes settings immutable
+# dbus-user none
+# dbus-system none
 #memory-deny-write-execute - breaks on Arch (see issue #1803)
 read-only ${HOME}
diff --git a/etc/devilspie.profile b/etc/profile-a-l/devilspie.profile
index b561787d8..1ab10a6f6 100644
--- a/etc/devilspie.profile
+++ b/etc/profile-a-l/devilspie.profile
@@ -30,7 +30,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -53,6 +52,9 @@ private-etc alternatives
 private-lib gconv
 private-tmp
+dbus-user none
+dbus-system none
 memory-deny-write-execute
 read-only ${HOME}
diff --git a/etc/devilspie2.profile b/etc/profile-a-l/devilspie2.profile
index 9eab3f536..9eab3f536 100644
--- a/etc/devilspie2.profile
+++ b/etc/profile-a-l/devilspie2.profile
diff --git a/etc/dex2jar.profile b/etc/profile-a-l/dex2jar.profile
index e5f37b06a..7a59c5d73 100644
--- a/etc/dex2jar.profile
+++ b/etc/profile-a-l/dex2jar.profile
@@ -22,7 +22,6 @@ include whitelist-var-common.inc
 caps.drop all
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -39,3 +38,5 @@ private-bin bash,dex2jar,dirname,expr,grep,java,ls,sh,uname
 private-cache
 private-dev
+dbus-user none
+dbus-system none
diff --git a/etc/dia.profile b/etc/profile-a-l/dia.profile
index bd79797b7..52bf1c7f8 100644
--- a/etc/dia.profile
+++ b/etc/profile-a-l/dia.profile
@@ -19,10 +19,12 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
+include whitelist-var-common.inc
+apparmor
 caps.drop all
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -41,3 +43,5 @@ private-cache
 private-dev
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/dig.profile b/etc/profile-a-l/dig.profile
index 054e4891d..152dfd980 100644
--- a/etc/dig.profile
+++ b/etc/profile-a-l/dig.profile
@@ -8,8 +8,11 @@ include dig.local
 include globals.local
 noblacklist ${HOME}/.digrc
+noblacklist ${PATH}/dig
 blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 include disable-common.inc
 # include disable-devel.inc
@@ -25,12 +28,12 @@ include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
+apparmor
 caps.drop all
 ipc-namespace
 machine-id
 netfilter
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -45,12 +48,13 @@ shell none
 tracelog
 disable-mnt
-private
 private-bin bash,dig,sh
-private-cache
 private-dev
 # Uncomment the next line (or put 'private-lib' in your dig.local) on non Debian/Ubuntu OS (see issue #3038)
 #private-lib
 private-tmp
+dbus-user none
+dbus-system none
 memory-deny-write-execute
diff --git a/etc/digikam.profile b/etc/profile-a-l/digikam.profile
index e66434444..ae4a63c62 100644
--- a/etc/digikam.profile
+++ b/etc/profile-a-l/digikam.profile
@@ -25,7 +25,6 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
-# nodbus
 nodvd
 nogroups
 nonewprivs
@@ -39,3 +38,6 @@ shell none
 # private-dev - prevents libdc1394 loading; this lib is used to connect to a camera device
 # private-etc alternatives,ca-certificates,crypto-policies,pki,ssl
 private-tmp
+# dbus-user none
+# dbus-system none
diff --git a/etc/dillo.profile b/etc/profile-a-l/dillo.profile
index 7103d0285..7103d0285 100644
--- a/etc/dillo.profile
+++ b/etc/profile-a-l/dillo.profile
diff --git a/etc/profile-a-l/dino-im.profile b/etc/profile-a-l/dino-im.profile
new file mode 100644
index 000000000..ae0549d3e
--- /dev/null
+++ b/etc/profile-a-l/dino-im.profile
@@ -0,0 +1,14 @@
+# Firejail profile for dino-im
+# Description: Modern XMPP Chat Client using GTK+/Vala, Ubuntu specific bin name
+# This file is overwritten after every install/update
+# Persistent local customizations
+include dino-im.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Add Ubuntu specific binary name
+private-bin dino-im
+# Redirect
+include dino.profile
diff --git a/etc/dino.profile b/etc/profile-a-l/dino.profile
index 82ddf2819..d06ca042e 100644
--- a/etc/dino.profile
+++ b/etc/profile-a-l/dino.profile
@@ -14,6 +14,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 mkdir ${HOME}/.local/share/dino
 whitelist ${HOME}/.local/share/dino
diff --git a/etc/discord-canary.profile b/etc/profile-a-l/discord-canary.profile
index 3e9dacd1e..3e9dacd1e 100644
--- a/etc/discord-canary.profile
+++ b/etc/profile-a-l/discord-canary.profile
diff --git a/etc/discord-common.profile b/etc/profile-a-l/discord-common.profile
index a6e730937..35bea4aaa 100644
--- a/etc/discord-common.profile
+++ b/etc/profile-a-l/discord-common.profile
@@ -6,12 +6,17 @@ include discord-common.local
 # added by caller profile
 #include globals.local
+ignore noexec ${HOME}
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 whitelist ${DOWNLOADS}
+whitelist ${HOME}/.config/BetterDiscord
+whitelist ${HOME}/.local/share/betterdiscordctl
 include whitelist-common.inc
 include whitelist-var-common.inc
@@ -25,11 +30,9 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6,netlink
-seccomp
+seccomp !chroot
-private-bin bash,cut,echo,egrep,grep,head,sed,sh,tr,xdg-mime,xdg-open,zsh
+private-bin bash,cut,echo,egrep,fish,grep,head,sed,sh,tclsh,tr,xdg-mime,xdg-open,zsh
 private-dev
 private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,login.defs,machine-id,password,pki,resolv.conf,ssl
 private-tmp
-noexec /tmp
diff --git a/etc/discord.profile b/etc/profile-a-l/discord.profile
index 8ef02a30f..8ef02a30f 100644
--- a/etc/discord.profile
+++ b/etc/profile-a-l/discord.profile
diff --git a/etc/display.profile b/etc/profile-a-l/display.profile
index 9e976c11a..9de634da9 100644
--- a/etc/display.profile
+++ b/etc/profile-a-l/display.profile
@@ -17,6 +17,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 include whitelist-usr-share-common.inc
@@ -24,7 +25,6 @@ include whitelist-var-common.inc
 caps.drop all
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -42,3 +42,6 @@ private-dev
 # On Debian-based systems, display is a symlink in /etc/alternatives
 private-etc alternatives
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/dnox.profile b/etc/profile-a-l/dnox.profile
index e02395771..e02395771 100644
--- a/etc/dnox.profile
+++ b/etc/profile-a-l/dnox.profile
diff --git a/etc/dnscrypt-proxy.profile b/etc/profile-a-l/dnscrypt-proxy.profile
index 6637b8d02..e48e9d1ac 100644
--- a/etc/dnscrypt-proxy.profile
+++ b/etc/profile-a-l/dnscrypt-proxy.profile
@@ -31,7 +31,6 @@ ipc-namespace
 machine-id
 netfilter
 no3d
-nodbus
 nodvd
 nonewprivs
 nosound
@@ -48,5 +47,8 @@ private
 private-cache
 private-dev
+dbus-user none
+dbus-system none
 # mdwe can break modules/plugins
 memory-deny-write-execute
diff --git a/etc/dnsmasq.profile b/etc/profile-a-l/dnsmasq.profile
index 6db71bd49..6db71bd49 100644
--- a/etc/dnsmasq.profile
+++ b/etc/profile-a-l/dnsmasq.profile
diff --git a/etc/profile-a-l/dolphin.profile b/etc/profile-a-l/dolphin.profile
new file mode 100644
index 000000000..e0300a577
--- /dev/null
+++ b/etc/profile-a-l/dolphin.profile
@@ -0,0 +1,14 @@
+# Firejail profile for dolphin
+# Description: File manager
+# This file is overwritten after every install/update
+# Persistent local customizations
+include dolphin.local
+# Persistent global definitions
+include globals.local
+# Put 'ignore noroot' in your dolphin.local if you use MPV+Vulkan (see issue #3012)
+# Redirect
+include file-manager-common.profile
+join-or-start dolphin
diff --git a/etc/dooble-qt4.profile b/etc/profile-a-l/dooble-qt4.profile
index 70a21e11c..70a21e11c 100644
--- a/etc/dooble-qt4.profile
+++ b/etc/profile-a-l/dooble-qt4.profile
diff --git a/etc/dooble.profile b/etc/profile-a-l/dooble.profile
index bc197b223..bc197b223 100644
--- a/etc/dooble.profile
+++ b/etc/profile-a-l/dooble.profile
diff --git a/etc/dosbox.profile b/etc/profile-a-l/dosbox.profile
index 17ccc9b9a..11b9a4f42 100644
--- a/etc/dosbox.profile
+++ b/etc/profile-a-l/dosbox.profile
@@ -14,6 +14,7 @@ include disable-devel.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 include whitelist-var-common.inc
diff --git a/etc/dragon.profile b/etc/profile-a-l/dragon.profile
index df839cc47..d355cd121 100644
--- a/etc/dragon.profile
+++ b/etc/profile-a-l/dragon.profile
@@ -16,6 +16,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 whitelist /usr/share/dragonplayer
diff --git a/etc/drawio.profile b/etc/profile-a-l/drawio.profile
index d4fd735a1..4d723c8aa 100644
--- a/etc/drawio.profile
+++ b/etc/profile-a-l/drawio.profile
@@ -14,6 +14,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.config/draw.io
@@ -28,7 +29,6 @@ caps.drop all
 ipc-namespace
 machine-id
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -48,4 +48,7 @@ private-dev
 private-etc alternatives,fonts
 private-tmp
+dbus-user none
+dbus-system none
 # memory-deny-write-execute - breaks on Arch
diff --git a/etc/dropbox.profile b/etc/profile-a-l/dropbox.profile
index 1b242d422..1b242d422 100644
--- a/etc/dropbox.profile
+++ b/etc/profile-a-l/dropbox.profile
diff --git a/etc/easystroke.profile b/etc/profile-a-l/easystroke.profile
index 1297f5f40..bb711b1bf 100644
--- a/etc/easystroke.profile
+++ b/etc/profile-a-l/easystroke.profile
@@ -27,7 +27,6 @@ caps.drop all
 machine-id
 net none
 no3d
-# nodbus
 nodvd
 nogroups
 nonewprivs
@@ -51,4 +50,7 @@ private-etc alternatives,fonts,group,passwd
 #private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*
 private-tmp
+# dbus-user none
+# dbus-system none
 memory-deny-write-execute
diff --git a/etc/ebook-viewer.profile b/etc/profile-a-l/ebook-viewer.profile
index 29cb87a62..706aec737 100644
--- a/etc/ebook-viewer.profile
+++ b/etc/profile-a-l/ebook-viewer.profile
@@ -4,7 +4,8 @@
 include ebook-viewer.local
 net none
-nodbus
+dbus-user none
+dbus-system none
 # Redirect
 include calibre.profile
diff --git a/etc/electron-mail.profile b/etc/profile-a-l/electron-mail.profile
index bde8978df..39366470f 100644
--- a/etc/electron-mail.profile
+++ b/etc/profile-a-l/electron-mail.profile
@@ -16,6 +16,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.config/electron-mail
@@ -29,7 +30,6 @@ apparmor
 caps.drop all
 netfilter
 no3d
-# nodbus - breaks tray functionality
 nodvd
 nogroups
 nonewprivs
@@ -49,4 +49,8 @@ private-etc alternatives,fonts
 private-opt ElectronMail
 private-tmp
+# breaks tray functionality
+# dbus-user none
+# dbus-system none
 # memory-deny-write-execute - breaks on Arch
diff --git a/etc/electron.profile b/etc/profile-a-l/electron.profile
index c24100f17..9b99c7ffb 100644
--- a/etc/electron.profile
+++ b/etc/profile-a-l/electron.profile
@@ -15,7 +15,6 @@ whitelist ${DOWNLOADS}
 apparmor
 caps.drop all
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -23,3 +22,6 @@ noroot
 notv
 protocol unix,inet,inet6,netlink
 seccomp
+dbus-user none
+dbus-system none
diff --git a/etc/electrum.profile b/etc/profile-a-l/electrum.profile
index c9f50f12a..73c19f380 100644
--- a/etc/electrum.profile
+++ b/etc/profile-a-l/electrum.profile
@@ -18,6 +18,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.electrum
@@ -29,7 +30,6 @@ caps.drop all
 ipc-namespace
 netfilter
 no3d
-#nodbus
 nodvd
 nogroups
 nonewprivs
@@ -50,3 +50,5 @@ private-dev
 private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,machine-id,pki,resolv.conf,ssl
 private-tmp
+# dbus-user none
+# dbus-system none
diff --git a/etc/profile-a-l/element-desktop.profile b/etc/profile-a-l/element-desktop.profile
new file mode 100644
index 000000000..c1aa821e3
--- /dev/null
+++ b/etc/profile-a-l/element-desktop.profile
@@ -0,0 +1,22 @@
+# Firejail profile for element-desktop
+# Description: All-in-one secure chat app for teams, friends and organisations
+# This file is overwritten after every install/update
+# Persistent local customizations
+include element-desktop.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+noblacklist ${HOME}/.config/Element
+noblacklist ${HOME}/.config/Element (Riot)
+mkdir ${HOME}/.config/Element
+mkdir ${HOME}/.config/Element (Riot)
+whitelist ${HOME}/.config/Element
+whitelist ${HOME}/.config/Element (Riot)
+whitelist /opt/Element
+private-opt Element
+# Redirect
+include riot-desktop.profile
diff --git a/etc/elinks.profile b/etc/profile-a-l/elinks.profile
index 82d1ba528..2a306d704 100644
--- a/etc/elinks.profile
+++ b/etc/profile-a-l/elinks.profile
@@ -18,6 +18,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
+include whitelist-runuser-common.inc
 caps.drop all
 netfilter
 no3d
diff --git a/etc/emacs.profile b/etc/profile-a-l/emacs.profile
index ab378105e..226237b5b 100644
--- a/etc/emacs.profile
+++ b/etc/profile-a-l/emacs.profile
@@ -29,3 +29,6 @@ notv
 novideo
 protocol unix,inet,inet6
 seccomp
+read-write ${HOME}/.emacs
+read-write ${HOME}/.emacs.d
diff --git a/etc/email-common.profile b/etc/profile-a-l/email-common.profile
index f9d96858b..67af04267 100644
--- a/etc/email-common.profile
+++ b/etc/profile-a-l/email-common.profile
@@ -63,6 +63,8 @@ read-only ${HOME}/.config/mimeapps.list
 writable-run-user
 # If you want to read local mail stored in /var/mail, add the following to email-common.local:
-# whitelist /var/mail
+#noblacklist /var/mail
-# whitelist /var/spool/mail
+#noblacklist /var/spool/mail
-# writable-var
+#whitelist /var/mail
+#whitelist /var/spool/mail
+#writable-var
diff --git a/etc/empathy.profile b/etc/profile-a-l/empathy.profile
index 5ca640d30..5ca640d30 100644
--- a/etc/empathy.profile
+++ b/etc/profile-a-l/empathy.profile
diff --git a/etc/enchant-2.profile b/etc/profile-a-l/enchant-2.profile
index 32cc0e691..32cc0e691 100644
--- a/etc/enchant-2.profile
+++ b/etc/profile-a-l/enchant-2.profile
diff --git a/etc/enchant-lsmod-2.profile b/etc/profile-a-l/enchant-lsmod-2.profile
index a7199955e..a7199955e 100644
--- a/etc/enchant-lsmod-2.profile
+++ b/etc/profile-a-l/enchant-lsmod-2.profile
diff --git a/etc/enchant-lsmod.profile b/etc/profile-a-l/enchant-lsmod.profile
index ba4353d15..ba4353d15 100644
--- a/etc/enchant-lsmod.profile
+++ b/etc/profile-a-l/enchant-lsmod.profile
diff --git a/etc/enchant.profile b/etc/profile-a-l/enchant.profile
index fa556c7d2..2b5de799f 100644
--- a/etc/enchant.profile
+++ b/etc/profile-a-l/enchant.profile
@@ -21,6 +21,7 @@ include disable-xdg.inc
 mkdir ${HOME}/.config/enchant
 whitelist ${HOME}/.config/enchant
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -30,7 +31,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -52,4 +52,7 @@ private-etc alternatives
 private-lib
 private-tmp
+dbus-user none
+dbus-system none
 memory-deny-write-execute
diff --git a/etc/engrampa.profile b/etc/profile-a-l/engrampa.profile
index aaf3e3382..6c0892c56 100644
--- a/etc/engrampa.profile
+++ b/etc/profile-a-l/engrampa.profile
@@ -19,7 +19,6 @@ apparmor
 caps.drop all
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -37,4 +36,7 @@ tracelog
 private-dev
 # private-tmp
+dbus-user none
+dbus-system none
 memory-deny-write-execute
diff --git a/etc/enox.profile b/etc/profile-a-l/enox.profile
index d8ac8b24a..d8ac8b24a 100644
--- a/etc/enox.profile
+++ b/etc/profile-a-l/enox.profile
diff --git a/etc/enpass.profile b/etc/profile-a-l/enpass.profile
index 68113e294..68113e294 100644
--- a/etc/enpass.profile
+++ b/etc/profile-a-l/enpass.profile
diff --git a/etc/eo-common.profile b/etc/profile-a-l/eo-common.profile
index 13f498c03..80c704c6b 100644
--- a/etc/eo-common.profile
+++ b/etc/profile-a-l/eo-common.profile
@@ -18,6 +18,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/eog.profile b/etc/profile-a-l/eog.profile
index 6690b33ca..0d0153fc2 100644
--- a/etc/eog.profile
+++ b/etc/profile-a-l/eog.profile
@@ -15,5 +15,10 @@ whitelist /usr/share/eog
 # or put 'ignore private-bin', 'ignore private-etc' and 'ignore private-lib' in your eog.local
 private-bin eog
+dbus-user filter
+dbus-user.own org.gnome.eog
+dbus-user.talk ca.desrt.dconf
+dbus-system none
 # Redirect
 include eo-common.profile
diff --git a/etc/eom.profile b/etc/profile-a-l/eom.profile
index 5bfeb8c8f..5bfeb8c8f 100644
--- a/etc/eom.profile
+++ b/etc/profile-a-l/eom.profile
diff --git a/etc/ephemeral.profile b/etc/profile-a-l/ephemeral.profile
index c688c2324..029f613c6 100644
--- a/etc/ephemeral.profile
+++ b/etc/profile-a-l/ephemeral.profile
@@ -39,8 +39,6 @@ caps.drop all
 # machine-id breaks pulse audio; it should work fine in setups where sound is not required.
 #machine-id
 netfilter
-# nodbus breaks preferences
-#nodbus
 nodvd
 nogroups
 nonewprivs
@@ -59,3 +57,7 @@ private-cache
 # private-etc below works fine on most distributions. There are some problems on CentOS.
 #private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,localtime,login.defs,machine-id,mailcap,mime.types,nsswitch.conf,os-release,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 private-tmp
+# breaks preferences
+# dbus-user none
+# dbus-system none
diff --git a/etc/epiphany.profile b/etc/profile-a-l/epiphany.profile
index 225811226..225811226 100644
--- a/etc/epiphany.profile
+++ b/etc/profile-a-l/epiphany.profile
diff --git a/etc/et.profile b/etc/profile-a-l/et.profile
index 4e70bb114..4e70bb114 100644
--- a/etc/et.profile
+++ b/etc/profile-a-l/et.profile
diff --git a/etc/etr.profile b/etc/profile-a-l/etr.profile
index 97a43bb59..1c34335d2 100644
--- a/etc/etr.profile
+++ b/etc/profile-a-l/etr.profile
@@ -9,21 +9,25 @@ include globals.local
 noblacklist ${HOME}/.etr
 include disable-common.inc
+include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.etr
 whitelist ${HOME}/.etr
+whitelist /usr/share/etr
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 apparmor
 caps.drop all
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -42,3 +46,6 @@ private-cache
 private-dev
 # private-etc alternatives,drirc,machine-id,openal
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/evince-previewer.profile b/etc/profile-a-l/evince-previewer.profile
index 3857d6f7b..3857d6f7b 100644
--- a/etc/evince-previewer.profile
+++ b/etc/profile-a-l/evince-previewer.profile
diff --git a/etc/evince-thumbnailer.profile b/etc/profile-a-l/evince-thumbnailer.profile
index 080a04a52..080a04a52 100644
--- a/etc/evince-thumbnailer.profile
+++ b/etc/profile-a-l/evince-thumbnailer.profile
diff --git a/etc/evince.profile b/etc/profile-a-l/evince.profile
index 143a347e6..77a48f0ba 100644
--- a/etc/evince.profile
+++ b/etc/profile-a-l/evince.profile
@@ -15,12 +15,14 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 whitelist /usr/share/doc
 whitelist /usr/share/evince
 whitelist /usr/share/poppler
 whitelist /usr/share/tracker
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -29,8 +31,6 @@ machine-id
 # net none - breaks AppArmor on Ubuntu systems
 netfilter
 no3d
-# nodbus might break two-page-view on some systems
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -51,3 +51,7 @@ private-etc alternatives,fonts,group,ld.so.cache,machine-id,passwd
 # private-lib might break two-page-view on some systems
 private-lib evince,gcc/*/*/libgcc_s.so.*,gcc/*/*/libstdc++.so.*,gconv,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libdjvulibre.so.*,libgconf-2.so.*,libgraphite2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,libspectre.so.*
 private-tmp
+# might break two-page-view on some systems
+dbus-user none
+dbus-system none
diff --git a/etc/evolution.profile b/etc/profile-a-l/evolution.profile
index 71a7a5600..422200ffe 100644
--- a/etc/evolution.profile
+++ b/etc/profile-a-l/evolution.profile
@@ -23,6 +23,8 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include whitelist-runuser-common.inc
 caps.drop all
 netfilter
 # no3d breaks under wayland
@@ -41,4 +43,4 @@ shell none
 private-dev
 private-tmp
+writable-var
diff --git a/etc/exfalso.profile b/etc/profile-a-l/exfalso.profile
index 04bafdde4..192858304 100644
--- a/etc/exfalso.profile
+++ b/etc/profile-a-l/exfalso.profile
@@ -22,6 +22,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.quodlibet
@@ -35,7 +36,6 @@ ipc-namespace
 machine-id
 netfilter
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -55,4 +55,7 @@ private-etc alternatives,fonts,group,passwd
 private-lib libatk-1.0.so.*,libgdk-3.so.*,libgdk_pixbuf-2.0.so.*,libgirepository-1.0.so.*,libgstreamer-1.0.so.*,libgtk-3.so.*,libgtksourceview-3.0.so.*,libpango-1.0.so.*,libpython*,libreadline.so.*,libsoup-2.4.so.*,libssl.so.1.*,python2*,python3*
 private-tmp
+dbus-user none
+dbus-system none
 #memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/exiftool.profile b/etc/profile-a-l/exiftool.profile
index daacbc0c7..90d8a0fc2 100644
--- a/etc/exiftool.profile
+++ b/etc/profile-a-l/exiftool.profile
@@ -29,7 +29,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -52,4 +51,7 @@ private-dev
 private-etc alternatives
 private-tmp
+dbus-user none
+dbus-system none
 memory-deny-write-execute
diff --git a/etc/falkon.profile b/etc/profile-a-l/falkon.profile
index 0024b6660..0024b6660 100644
--- a/etc/falkon.profile
+++ b/etc/profile-a-l/falkon.profile
diff --git a/etc/fbreader.profile b/etc/profile-a-l/fbreader.profile
index 701f14dce..e9fcc2231 100644
--- a/etc/fbreader.profile
+++ b/etc/profile-a-l/fbreader.profile
@@ -11,15 +11,18 @@ noblacklist ${DOCUMENTS}
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 include whitelist-var-common.inc
+apparmor
 caps.drop all
-netfilter
+net none
 nodvd
 nonewprivs
 noroot
diff --git a/etc/profile-a-l/fdns.profile b/etc/profile-a-l/fdns.profile
new file mode 100644
index 000000000..179540806
--- /dev/null
+++ b/etc/profile-a-l/fdns.profile
@@ -0,0 +1,50 @@
+# Firejail profile for server
+# This file is overwritten after every install/update
+# Persistent local customizations
+include fdns.local
+# Persistent global definitions
+include globals.local
+noblacklist /sbin
+noblacklist /usr/sbin
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+#include whitelist-usr-share-common.inc
+#include whitelist-var-common.inc
+caps.keep kill,net_bind_service,setgid,setuid,sys_admin,sys_chroot
+ipc-namespace
+# netfilter /etc/firejail/webserver.net
+no3d
+nodvd
+nogroups
+nonewprivs
+# noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+#seccomp
+#shell none
+disable-mnt
+private
+private-bin bash,fdns,sh
+# private-cache
+private-dev
+private-etc ca-certificates,crypto-policies,fdns,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pki,ssl
+# private-lib
+private-tmp
+memory-deny-write-execute
diff --git a/etc/feedreader.profile b/etc/profile-a-l/feedreader.profile
index 5a72b60ea..2abd80b06 100644
--- a/etc/feedreader.profile
+++ b/etc/profile-a-l/feedreader.profile
@@ -15,6 +15,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.cache/feedreader
@@ -23,6 +24,7 @@ whitelist ${HOME}/.cache/feedreader
 whitelist ${HOME}/.local/share/feedreader
 whitelist /usr/share/feedreader
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -47,3 +49,11 @@ private-cache
 private-dev
 private-tmp
+dbus-user filter
+dbus-user.own org.gnome.FeedReader
+dbus-user.own org.gnome.FeedReader.ArticleView
+dbus-user.talk org.freedesktop.secrets
+# Enable as you need.
+#dbus-user.talk org.freedesktop.Notifications
+#dbus-user.talk org.gnome.OnlineAccounts
+dbus-system none
diff --git a/etc/feh.profile b/etc/profile-a-l/feh.profile
index 6a8071c28..3ee07e559 100644
--- a/etc/feh.profile
+++ b/etc/profile-a-l/feh.profile
@@ -12,6 +12,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 # This profile disables network access
 # In order to enable network access,
@@ -21,7 +22,6 @@ include disable-programs.inc
 caps.drop all
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -39,3 +39,6 @@ private-cache
 private-dev
 private-etc alternatives,feh
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/ferdi.profile b/etc/profile-a-l/ferdi.profile
new file mode 100644
index 000000000..9b4c5f114
--- /dev/null
+++ b/etc/profile-a-l/ferdi.profile
@@ -0,0 +1,46 @@
+# Firejail profile for ferdi
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ferdi.local
+# Persistent global definitions
+include globals.local
+ignore noexec /tmp
+noblacklist ${HOME}/.cache/Ferdi
+noblacklist ${HOME}/.config/Ferdi
+noblacklist ${HOME}/.pki
+noblacklist ${HOME}/.local/share/pki
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+mkdir ${HOME}/.cache/Ferdi
+mkdir ${HOME}/.config/Ferdi
+mkdir ${HOME}/.pki
+mkdir ${HOME}/.local/share/pki
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.cache/Ferdi
+whitelist ${HOME}/.config/Ferdi
+whitelist ${HOME}/.pki
+whitelist ${HOME}/.local/share/pki
+include whitelist-common.inc
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp !chroot
+shell none
+disable-mnt
+private-dev
+private-tmp
diff --git a/etc/fetchmail.profile b/etc/profile-a-l/fetchmail.profile
index d64fe830f..d64fe830f 100644
--- a/etc/fetchmail.profile
+++ b/etc/profile-a-l/fetchmail.profile
diff --git a/etc/ffmpeg.profile b/etc/profile-a-l/ffmpeg.profile
index b392087e8..fb5c9ee57 100644
--- a/etc/ffmpeg.profile
+++ b/etc/profile-a-l/ffmpeg.profile
@@ -16,6 +16,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 whitelist /usr/share/devedeng
@@ -29,7 +30,6 @@ caps.drop all
 ipc-namespace
 machine-id
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -50,4 +50,7 @@ private-dev
 private-etc alternatives,ca-certificates,crypto-policies,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,nsswitch.conf,pkcs11,pki,resolv.conf,ssl
 private-tmp
+dbus-user none
+dbus-system none
 # memory-deny-write-execute - it breaks old versions of ffmpeg
diff --git a/etc/ffmpegthumbnailer.profile b/etc/profile-a-l/ffmpegthumbnailer.profile
index 6d72c3b99..6d72c3b99 100644
--- a/etc/ffmpegthumbnailer.profile
+++ b/etc/profile-a-l/ffmpegthumbnailer.profile
diff --git a/etc/ffplay.profile b/etc/profile-a-l/ffplay.profile
index 04134cbf4..04134cbf4 100644
--- a/etc/ffplay.profile
+++ b/etc/profile-a-l/ffplay.profile
diff --git a/etc/ffprobe.profile b/etc/profile-a-l/ffprobe.profile
index e7c9f678d..e7c9f678d 100644
--- a/etc/ffprobe.profile
+++ b/etc/profile-a-l/ffprobe.profile
diff --git a/etc/profile-a-l/file-manager-common.profile b/etc/profile-a-l/file-manager-common.profile
new file mode 100644
index 000000000..24339953b
--- /dev/null
+++ b/etc/profile-a-l/file-manager-common.profile
@@ -0,0 +1,52 @@
+# Firejail profile for file managers
+# Description: Common profile for GUI file managers
+# This file is overwritten after every install/update
+# Persistent local customizations
+include file-manager-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+# File managers need to be able to see everything under ${HOME}
+# and be able to start arbitrary applications
+ignore noexec ${HOME}
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
+# Allow perl
+include allow-perl.inc
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+#include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+#include disable-programs.inc
+allusers
+#apparmor
+caps.drop all
+#net none
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+private-dev
+#dbus-user none
+#dbus-system none
diff --git a/etc/file-roller.profile b/etc/profile-a-l/file-roller.profile
index 253b82cfe..745b8b8e9 100644
--- a/etc/file-roller.profile
+++ b/etc/profile-a-l/file-roller.profile
@@ -14,6 +14,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 whitelist /usr/share/file-roller
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -36,8 +37,10 @@ seccomp
 shell none
 tracelog
-private-bin 7z,7za,7zr,ar,arj,brotli,bzip2,compress,cpio,dpkg-deb,file-roller,gtar,gzip,isoinfo,lha,lrzip,lsar,lz4,lzip,lzma,lzop,rar,rzip,tar,unace,unalz,unar,uncompress,unrar,unsquashfs,unstuff,unzip,xz,zip,zoo
+private-bin 7z,7za,7zr,ar,arj,bash,brotli,bzip2,compress,cpio,dpkg-deb,file-roller,gtar,gzip,isoinfo,lha,lrzip,lsar,lz4,lzip,lzma,lzop,p7zip,rar,rzip,sh,tar,unace,unalz,unar,uncompress,unrar,unsquashfs,unstuff,unzip,xz,zip,zoo
 private-cache
 private-dev
 private-etc dconf,fonts,gtk-3.0,xdg
 # private-tmp
+dbus-system none
diff --git a/etc/file.profile b/etc/profile-a-l/file.profile
index 9b21818f8..74620d4cd 100644
--- a/etc/file.profile
+++ b/etc/profile-a-l/file.profile
@@ -8,6 +8,7 @@ include file.local
 include globals.local
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 include disable-common.inc
 include disable-exec.inc
@@ -21,7 +22,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -38,8 +38,11 @@ x11 none
 #private-bin bzip2,file,gzip,lrzip,lz4,lzip,xz,zstd
 private-cache
 private-dev
-private-etc alternatives,localtime,magic,magic.mgc
+#private-etc alternatives,localtime,magic,magic.mgc
-private-lib file,libarchive.so.*,libfakeroot,libmagic.so.*
+#private-lib file,libarchive.so.*,libfakeroot,libmagic.so.*,libseccomp.so.*
+dbus-user none
+dbus-system none
 memory-deny-write-execute
 read-only ${HOME}
diff --git a/etc/filezilla.profile b/etc/profile-a-l/filezilla.profile
index d8d4c1746..6c7ab8f0d 100644
--- a/etc/filezilla.profile
+++ b/etc/profile-a-l/filezilla.profile
@@ -17,6 +17,8 @@ include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
 include disable-programs.inc
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 caps.drop all
diff --git a/etc/firefox-beta.profile b/etc/profile-a-l/firefox-beta.profile
index fa8bbb1f5..fa8bbb1f5 100644
--- a/etc/firefox-beta.profile
+++ b/etc/profile-a-l/firefox-beta.profile
diff --git a/etc/firefox-common.profile b/etc/profile-a-l/firefox-common.profile
index 323070289..7c343c26d 100644
--- a/etc/firefox-common.profile
+++ b/etc/profile-a-l/firefox-common.profile
@@ -34,9 +34,6 @@ caps.drop all
 # machine-id breaks pulse audio; it should work fine in setups where sound is not required.
 #machine-id
 netfilter
-# nodbus breaks various desktop integration features
-# among other things global menus, native notifications, Gnome connector, KDE connect and power management on KDE Plasma
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -56,3 +53,8 @@ disable-mnt
 # private-etc below works fine on most distributions. There are some problems on CentOS.
 #private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 private-tmp
+# breaks various desktop integration features
+# among other things global menus, native notifications, Gnome connector, KDE connect and power management on KDE Plasma
+dbus-user none
+dbus-system none
diff --git a/etc/firefox-developer-edition.profile b/etc/profile-a-l/firefox-developer-edition.profile
index 8c7ca3887..8c7ca3887 100644
--- a/etc/firefox-developer-edition.profile
+++ b/etc/profile-a-l/firefox-developer-edition.profile
diff --git a/etc/firefox-esr.profile b/etc/profile-a-l/firefox-esr.profile
index 6c1d77986..5e69fdb51 100644
--- a/etc/firefox-esr.profile
+++ b/etc/profile-a-l/firefox-esr.profile
@@ -6,5 +6,7 @@ include firefox-esr.local
 # added by included profile
 #include globals.local
+whitelist /usr/share/firefox-esr
 # Redirect
 include firefox.profile
diff --git a/etc/firefox-nightly.profile b/etc/profile-a-l/firefox-nightly.profile
index 96d2bf898..96d2bf898 100644
--- a/etc/firefox-nightly.profile
+++ b/etc/profile-a-l/firefox-nightly.profile
diff --git a/etc/firefox-wayland.profile b/etc/profile-a-l/firefox-wayland.profile
index 17c9f059e..17c9f059e 100644
--- a/etc/firefox-wayland.profile
+++ b/etc/profile-a-l/firefox-wayland.profile
diff --git a/etc/firefox-x11.profile b/etc/profile-a-l/firefox-x11.profile
index ffd64aad7..ffd64aad7 100644
--- a/etc/firefox-x11.profile
+++ b/etc/profile-a-l/firefox-x11.profile
diff --git a/etc/firefox.profile b/etc/profile-a-l/firefox.profile
index 0530516d8..337311ed8 100644
--- a/etc/firefox.profile
+++ b/etc/profile-a-l/firefox.profile
@@ -15,6 +15,7 @@ whitelist ${HOME}/.cache/mozilla/firefox
 whitelist ${HOME}/.mozilla
 whitelist /usr/share/doc
+whitelist /usr/share/firefox
 whitelist /usr/share/gtk-doc/html
 whitelist /usr/share/mozilla
 whitelist /usr/share/webext
@@ -27,5 +28,12 @@ include whitelist-usr-share-common.inc
 # private-etc must first be enabled in firefox-common.profile
 #private-etc firefox
+dbus-user filter
+dbus-user.own org.mozilla.firefox.*
+dbus-user.own org.mpris.MediaPlayer2.firefox.*
+# Uncomment or put in your firefox.local to enable native notifications.
+#dbus-user.talk org.freedesktop.Notifications
+ignore dbus-user none
 # Redirect
 include firefox-common.profile
diff --git a/etc/profile-a-l/five-or-more.profile b/etc/profile-a-l/five-or-more.profile
new file mode 100644
index 000000000..2c86d3ac7
--- /dev/null
+++ b/etc/profile-a-l/five-or-more.profile
@@ -0,0 +1,21 @@
+# Firejail profile for five-or-more
+# Description: GNOME port of the once-popular Colour Lines game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include five-or-more.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.local/share/five-or-more
+mkdir ${HOME}/.local/share/five-or-more
+whitelist ${HOME}/.local/share/five-or-more
+whitelist /usr/share/five-or-more
+private-bin five-or-more
+dbus-user.own org.gnome.five-or-more
+# Redirect
+include gnome_games-common.profile
diff --git a/etc/flacsplt.profile b/etc/profile-a-l/flacsplt.profile
index 2efef0f22..2efef0f22 100644
--- a/etc/flacsplt.profile
+++ b/etc/profile-a-l/flacsplt.profile
diff --git a/etc/flameshot.profile b/etc/profile-a-l/flameshot.profile
index 3aad9723b..7c41417ec 100644
--- a/etc/flameshot.profile
+++ b/etc/profile-a-l/flameshot.profile
@@ -8,6 +8,7 @@ include flameshot.local
 include globals.local
 noblacklist ${PICTURES}
+noblacklist ${HOME}/.config/Dharkael
 include disable-common.inc
 include disable-devel.inc
@@ -15,13 +16,21 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
+#whitelist ${PICTURES}
+#whitelist ${HOME}/.config/Dharkael
+whitelist /usr/share/flameshot
+#include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
 caps.drop all
 ipc-namespace
 netfilter
 no3d
-# nodbus
 nodvd
 nogroups
 nonewprivs
@@ -33,11 +42,15 @@ novideo
 protocol unix,inet,inet6
 seccomp
 shell none
+tracelog
 disable-mnt
 private-bin flameshot
 private-cache
-private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.conf,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.conf,machine-id,pki,resolv.conf,ssl
 private-dev
 private-tmp
+dbus-user filter
+dbus-user.own org.dharkael.Flameshot
+dbus-system none
diff --git a/etc/flashpeak-slimjet.profile b/etc/profile-a-l/flashpeak-slimjet.profile
index b841bce75..b841bce75 100644
--- a/etc/flashpeak-slimjet.profile
+++ b/etc/profile-a-l/flashpeak-slimjet.profile
diff --git a/etc/flowblade.profile b/etc/profile-a-l/flowblade.profile
index 40472ab93..40472ab93 100644
--- a/etc/flowblade.profile
+++ b/etc/profile-a-l/flowblade.profile
diff --git a/etc/fluxbox.profile b/etc/profile-a-l/fluxbox.profile
index c296c0491..c296c0491 100644
--- a/etc/fluxbox.profile
+++ b/etc/profile-a-l/fluxbox.profile
diff --git a/etc/font-manager.profile b/etc/profile-a-l/font-manager.profile
index ae0e32d1e..acad6ad13 100644
--- a/etc/font-manager.profile
+++ b/etc/profile-a-l/font-manager.profile
@@ -19,6 +19,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.cache/font-manager
diff --git a/etc/fontforge.profile b/etc/profile-a-l/fontforge.profile
index 6d305e2af..6d305e2af 100644
--- a/etc/fontforge.profile
+++ b/etc/profile-a-l/fontforge.profile
diff --git a/etc/fossamail.profile b/etc/profile-a-l/fossamail.profile
index 2d700d336..2d700d336 100644
--- a/etc/fossamail.profile
+++ b/etc/profile-a-l/fossamail.profile
diff --git a/etc/profile-a-l/four-in-a-row.profile b/etc/profile-a-l/four-in-a-row.profile
new file mode 100644
index 000000000..eb0c43ca5
--- /dev/null
+++ b/etc/profile-a-l/four-in-a-row.profile
@@ -0,0 +1,19 @@
+# Firejail profile for four-in-a-row
+# Description: four-in-a-row game for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include four-in-a-row.local
+# Persistent global definitions
+include globals.local
+ignore machine-id
+ignore nosound
+whitelist /usr/share/four-in-a-row
+private-bin four-in-a-row
+dbus-user.own org.gnome.Four-in-a-row
+# Redirect
+include gnome_games-common.profile
diff --git a/etc/franz.profile b/etc/profile-a-l/franz.profile
index 344804ca9..344804ca9 100644
--- a/etc/franz.profile
+++ b/etc/profile-a-l/franz.profile
diff --git a/etc/freecad.profile b/etc/profile-a-l/freecad.profile
index 6f0f52a55..0a1d4a750 100644
--- a/etc/freecad.profile
+++ b/etc/profile-a-l/freecad.profile
@@ -24,7 +24,6 @@ include disable-xdg.inc
 caps.drop all
 ipc-namespace
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -42,3 +41,5 @@ private-cache
 private-dev
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/freecadcmd.profile b/etc/profile-a-l/freecadcmd.profile
index 44bf62cfe..44bf62cfe 100644
--- a/etc/freecadcmd.profile
+++ b/etc/profile-a-l/freecadcmd.profile
diff --git a/etc/freeciv-gtk3.profile b/etc/profile-a-l/freeciv-gtk3.profile
index fa36459e7..fa36459e7 100644
--- a/etc/freeciv-gtk3.profile
+++ b/etc/profile-a-l/freeciv-gtk3.profile
diff --git a/etc/freeciv-mp-gtk3.profile b/etc/profile-a-l/freeciv-mp-gtk3.profile
index fa36459e7..fa36459e7 100644
--- a/etc/freeciv-mp-gtk3.profile
+++ b/etc/profile-a-l/freeciv-mp-gtk3.profile
diff --git a/etc/freeciv.profile b/etc/profile-a-l/freeciv.profile
index fa115d325..0fe933478 100644
--- a/etc/freeciv.profile
+++ b/etc/profile-a-l/freeciv.profile
@@ -21,10 +21,10 @@ whitelist ${HOME}/.freeciv
 include whitelist-common.inc
 include whitelist-var-common.inc
+apparmor
 caps.drop all
 ipc-namespace
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -42,3 +42,6 @@ private-bin freeciv-gtk3,freeciv-manual,freeciv-mp-gtk3,freeciv-server
 private-cache
 private-dev
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/freecol.profile b/etc/profile-a-l/freecol.profile
index baeb4c528..3cbd2ff53 100644
--- a/etc/freecol.profile
+++ b/etc/profile-a-l/freecol.profile
@@ -37,7 +37,6 @@ include whitelist-var-common.inc
 caps.drop all
 ipc-namespace
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -54,3 +53,6 @@ disable-mnt
 private-cache
 private-dev
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/freemind.profile b/etc/profile-a-l/freemind.profile
index ba945c0fb..0ffb5c54d 100644
--- a/etc/freemind.profile
+++ b/etc/profile-a-l/freemind.profile
@@ -27,7 +27,6 @@ caps.drop all
 machine-id
 netfilter
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -49,3 +48,6 @@ private-dev
 private-tmp
 private-opt none
 private-srv none
+dbus-user none
+dbus-system none
diff --git a/etc/freeoffice-planmaker.profile b/etc/profile-a-l/freeoffice-planmaker.profile
index b6ca167eb..9449e7c48 100644
--- a/etc/freeoffice-planmaker.profile
+++ b/etc/profile-a-l/freeoffice-planmaker.profile
@@ -7,4 +7,4 @@ include freeoffice-planmaker.local
 include globals.local
 # Redirect
-include softmaker-common.profile
+include softmaker-common.inc
diff --git a/etc/freeoffice-presentations.profile b/etc/profile-a-l/freeoffice-presentations.profile
index 43661028c..636868e2e 100644
--- a/etc/freeoffice-presentations.profile
+++ b/etc/profile-a-l/freeoffice-presentations.profile
@@ -7,4 +7,4 @@ include freeoffice-presentations.local
 include globals.local
 # Redirect
-include softmaker-common.profile
+include softmaker-common.inc
diff --git a/etc/freeoffice-textmaker.profile b/etc/profile-a-l/freeoffice-textmaker.profile
index f7d30eaed..5d98d1cc6 100644
--- a/etc/freeoffice-textmaker.profile
+++ b/etc/profile-a-l/freeoffice-textmaker.profile
@@ -6,4 +6,4 @@ include freeoffice-textmaker.local
 include globals.local
 # Redirect
-include softmaker-common.profile
+include softmaker-common.inc
diff --git a/etc/profile-a-l/freetube.profile b/etc/profile-a-l/freetube.profile
new file mode 100644
index 000000000..91f0caf87
--- /dev/null
+++ b/etc/profile-a-l/freetube.profile
@@ -0,0 +1,31 @@
+# Firejail profile for freetube
+# Description: Youtube client with local subscription feature
+# This file is overwritten after every install/update
+# Persistent local customizations
+include freetube.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/FreeTube
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-shell.inc 
+include disable-xdg.inc
+mkdir ${HOME}/.config/FreeTube
+whitelist ${HOME}/.config/FreeTube
+seccomp !chroot
+shell none
+disable-mnt
+private-bin freetube
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg
+private-tmp
+# Redirect
+include electron.profile
diff --git a/etc/freshclam.profile b/etc/profile-a-l/freshclam.profile
index 2bab79e2e..2bab79e2e 100644
--- a/etc/freshclam.profile
+++ b/etc/profile-a-l/freshclam.profile
diff --git a/etc/profile-a-l/frogatto.profile b/etc/profile-a-l/frogatto.profile
new file mode 100644
index 000000000..653272499
--- /dev/null
+++ b/etc/profile-a-l/frogatto.profile
@@ -0,0 +1,50 @@
+# Firejail profile for frogatto
+# Description: 2D platformer game starring a quixotic frog
+# This file is overwritten after every install/update
+# Persistent local customizations
+include frogatto.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.frogatto
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.frogatto
+whitelist ${HOME}/.frogatto
+whitelist /usr/share/frogatto
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin frogatto,sh
+private-cache
+private-dev
+private-etc machine-id
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/frozen-bubble.profile b/etc/profile-a-l/frozen-bubble.profile
index 6cef181c8..9245ae3a9 100644
--- a/etc/frozen-bubble.profile
+++ b/etc/profile-a-l/frozen-bubble.profile
@@ -13,18 +13,23 @@ include allow-perl.inc
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 mkdir ${HOME}/.frozen-bubble
 whitelist ${HOME}/.frozen-bubble
+whitelist /usr/share/perl5
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
+apparmor
 caps.drop all
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -35,8 +40,12 @@ novideo
 protocol unix,netlink
 seccomp
 shell none
+tracelog
 disable-mnt
 # private-bin frozen-bubble
 private-dev
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/gajim-history-manager.profile b/etc/profile-a-l/gajim-history-manager.profile
index 2ae6dd9d8..2ae6dd9d8 100644
--- a/etc/gajim-history-manager.profile
+++ b/etc/profile-a-l/gajim-history-manager.profile
diff --git a/etc/gajim.profile b/etc/profile-a-l/gajim.profile
index 85d9b9bd9..85d9b9bd9 100644
--- a/etc/gajim.profile
+++ b/etc/profile-a-l/gajim.profile
diff --git a/etc/galculator.profile b/etc/profile-a-l/galculator.profile
index f757aed69..89f20b923 100644
--- a/etc/galculator.profile
+++ b/etc/profile-a-l/galculator.profile
@@ -14,6 +14,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.config/galculator
@@ -26,7 +27,6 @@ caps.drop all
 #hostname galculator - breaks Arch Linux
 #ipc-namespace
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -47,4 +47,7 @@ private-etc alternatives,fonts
 private-lib
 private-tmp
+dbus-user none
+dbus-system none
 #memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/profile-a-l/gapplication.profile b/etc/profile-a-l/gapplication.profile
new file mode 100644
index 000000000..74b468020
--- /dev/null
+++ b/etc/profile-a-l/gapplication.profile
@@ -0,0 +1,71 @@
+# Firejail profile for gapplication
+# Description: D-Bus application launcher
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gapplication.local
+# Persistent global definitions
+include globals.local
+blacklist ${RUNUSER}/wayland-*
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+disable-mnt
+private
+private-bin gapplication
+private-cache
+private-dev
+private-etc none
+private-tmp
+# Uncomment (or add to your gapplcation.local) the next line to filter D-Bus names.
+# You might need to add additional dbus-user.talk rules. see 'gapplication list-apps'.
+#dbus-user filter
+dbus-user.talk org.gnome.Boxes
+dbus-user.talk org.gnome.Builder
+dbus-user.talk org.gnome.Calendar
+dbus-user.talk org.gnome.ChromeGnomeShell
+dbus-user.talk org.gnome.DejaDup
+dbus-user.talk org.gnome.DiskUtility
+dbus-user.talk org.gnome.Extensions
+dbus-user.talk org.gnome.Maps
+dbus-user.talk org.gnome.Nautilus
+dbus-user.talk org.gnome.Shell.PortalHelper
+dbus-user.talk org.gnome.Software
+dbus-user.talk org.gnome.Weather
+dbus-system none
+memory-deny-write-execute
+read-only ${HOME}
diff --git a/etc/gcalccmd.profile b/etc/profile-a-l/gcalccmd.profile
index 691d6b0c4..691d6b0c4 100644
--- a/etc/gcalccmd.profile
+++ b/etc/profile-a-l/gcalccmd.profile
diff --git a/etc/gcloud.profile b/etc/profile-a-l/gcloud.profile
index 7ca99f420..46a862a21 100644
--- a/etc/gcloud.profile
+++ b/etc/profile-a-l/gcloud.profile
@@ -21,7 +21,6 @@ apparmor
 caps.drop all
 machine-id
 netfilter
-nodbus
 nodvd
 # required for sudo-free docker
 #nogroups
@@ -38,3 +37,6 @@ disable-mnt
 private-dev
 private-etc alternatives,ca-certificates,crypto-policies,hosts,ld.so.cache,localtime,nsswitch.conf,pki,resolv.conf,ssl
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/gconf-editor.profile b/etc/profile-a-l/gconf-editor.profile
index cb39174e5..cb39174e5 100644
--- a/etc/gconf-editor.profile
+++ b/etc/profile-a-l/gconf-editor.profile
diff --git a/etc/gconf-merge-schema.profile b/etc/profile-a-l/gconf-merge-schema.profile
index 619f801b0..619f801b0 100644
--- a/etc/gconf-merge-schema.profile
+++ b/etc/profile-a-l/gconf-merge-schema.profile
diff --git a/etc/gconf-merge-tree.profile b/etc/profile-a-l/gconf-merge-tree.profile
index 2f6bfe5e5..2f6bfe5e5 100644
--- a/etc/gconf-merge-tree.profile
+++ b/etc/profile-a-l/gconf-merge-tree.profile
diff --git a/etc/gconf.profile b/etc/profile-a-l/gconf.profile
index 96848575d..96848575d 100644
--- a/etc/gconf.profile
+++ b/etc/profile-a-l/gconf.profile
diff --git a/etc/gconfpkg.profile b/etc/profile-a-l/gconfpkg.profile
index 5bfc1250a..5bfc1250a 100644
--- a/etc/gconfpkg.profile
+++ b/etc/profile-a-l/gconfpkg.profile
diff --git a/etc/gconftool-2.profile b/etc/profile-a-l/gconftool-2.profile
index 947e4252f..947e4252f 100644
--- a/etc/gconftool-2.profile
+++ b/etc/profile-a-l/gconftool-2.profile
diff --git a/etc/geany.profile b/etc/profile-a-l/geany.profile
index 31599e32a..31599e32a 100644
--- a/etc/geany.profile
+++ b/etc/profile-a-l/geany.profile
diff --git a/etc/geary.profile b/etc/profile-a-l/geary.profile
index eb427c077..fa01d04b7 100644
--- a/etc/geary.profile
+++ b/etc/profile-a-l/geary.profile
@@ -10,7 +10,8 @@ include geary.local
 # Users have Geary set to open a browser by clicking a link in an email
 # We are not allowed to blacklist browser-specific directories
-ignore nodbus
+ignore dbus-user none
+ignore dbus-system none
 ignore private-tmp
 noblacklist ${HOME}/.gnupg
diff --git a/etc/gedit.profile b/etc/profile-a-l/gedit.profile
index a4471077a..17b7ad563 100644
--- a/etc/gedit.profile
+++ b/etc/profile-a-l/gedit.profile
@@ -19,6 +19,7 @@ include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 # apparmor - makes settings immutable
@@ -26,7 +27,6 @@ caps.drop all
 machine-id
 # net none - makes settings immutable
 no3d
-# nodbus - makes settings immutable
 nodvd
 nogroups
 nonewprivs
@@ -46,3 +46,6 @@ private-dev
 #private-lib aspell,gconv,gedit,libgspell-1.so.*,libgtksourceview-*,libpeas-gtk-1.0.so.*,libreadline.so.*,libtinfo.so.*
 private-tmp
+# makes settings immutable
+# dbus-user none
+# dbus-system none
diff --git a/etc/geekbench.profile b/etc/profile-a-l/geekbench.profile
index 6398505ed..e06a9afad 100644
--- a/etc/geekbench.profile
+++ b/etc/profile-a-l/geekbench.profile
@@ -25,7 +25,6 @@ ipc-namespace
 machine-id
 netfilter
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -48,6 +47,9 @@ private-lib gcc/*/*/libstdc++.so.*
 private-opt none
 private-tmp
+dbus-user none
+dbus-system none
 #memory-deny-write-execute - breaks on Arch (see issue #1803)
 read-only ${HOME}
diff --git a/etc/geeqie.profile b/etc/profile-a-l/geeqie.profile
index 8810ca161..8810ca161 100644
--- a/etc/geeqie.profile
+++ b/etc/profile-a-l/geeqie.profile
diff --git a/etc/gfeeds.profile b/etc/profile-a-l/gfeeds.profile
index d332c1bbe..d97ab530b 100644
--- a/etc/gfeeds.profile
+++ b/etc/profile-a-l/gfeeds.profile
@@ -19,6 +19,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.cache/gfeeds
@@ -29,6 +30,7 @@ whitelist ${HOME}/.cache/org.gabmus.gfeeds
 whitelist ${HOME}/.config/org.gabmus.gfeeds.json
 whitelist /usr/share/gfeeds
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -37,7 +39,6 @@ caps.drop all
 machine-id
 netfilter
 no3d
-#nodbus
 nodvd
 nogroups
 nonewprivs
@@ -57,3 +58,8 @@ private-bin gfeeds,python3*
 private-dev
 private-etc alternatives,ca-certificates,crypto-policies,dbus-1,dconf,fonts,gconf,group,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,passwd,pki,protocols,resolv.conf,rpc,services,ssl,X11,xdg
 private-tmp
+dbus-user filter
+dbus-user.own org.gabmus.gfeeds
+dbus-user.talk ca.desrt.dconf
+dbus-system none
diff --git a/etc/ghb.profile b/etc/profile-a-l/ghb.profile
index 1e7ce2350..1e7ce2350 100644
--- a/etc/ghb.profile
+++ b/etc/profile-a-l/ghb.profile
diff --git a/etc/ghostwriter.profile b/etc/profile-a-l/ghostwriter.profile
index 27becf8fe..5bb410278 100644
--- a/etc/ghostwriter.profile
+++ b/etc/profile-a-l/ghostwriter.profile
@@ -17,13 +17,15 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
-#whitelist /usr/share/ghostwriter
+whitelist /usr/share/ghostwriter
-#whitelist /usr/share/mozilla-dicts
+whitelist /usr/share/mozilla-dicts
-#whitelist /usr/share/texlive
+whitelist /usr/share/texlive
-#whitelist /usr/share/pandoc*
+whitelist /usr/share/pandoc*
-#include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 apparmor
 caps.drop all
@@ -48,3 +50,6 @@ private-dev
 # passwd,login.defs,firejail are a temporary workaround for #2877 and can be removed once it is fixed
 private-etc alternatives,ca-certificates,crypto-policies,dbus-1,dconf,firejail,fonts,gconf,groups,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,machine-id,mime.types,nsswitch.conf,pango,passwd,pki,protocols,resolv.conf,rpc,services,ssl,texlive,Trolltech.conf,X11,xdg
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/gimp-2.10.profile b/etc/profile-a-l/gimp-2.10.profile
index dbf49ac22..dbf49ac22 100644
--- a/etc/gimp-2.10.profile
+++ b/etc/profile-a-l/gimp-2.10.profile
diff --git a/etc/gimp-2.8.profile b/etc/profile-a-l/gimp-2.8.profile
index dbf49ac22..dbf49ac22 100644
--- a/etc/gimp-2.8.profile
+++ b/etc/profile-a-l/gimp-2.8.profile
diff --git a/etc/gimp.profile b/etc/profile-a-l/gimp.profile
index 94035bc02..8093c0c39 100644
--- a/etc/gimp.profile
+++ b/etc/profile-a-l/gimp.profile
@@ -36,7 +36,6 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -51,3 +50,6 @@ tracelog
 private-dev
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/gist-paste.profile b/etc/profile-a-l/gist-paste.profile
index 56b3176ed..56b3176ed 100644
--- a/etc/gist-paste.profile
+++ b/etc/profile-a-l/gist-paste.profile
diff --git a/etc/gist.profile b/etc/profile-a-l/gist.profile
index 59fcb2775..681fc2829 100644
--- a/etc/gist.profile
+++ b/etc/profile-a-l/gist.profile
@@ -36,7 +36,6 @@ ipc-namespace
 machine-id
 netfilter
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -56,4 +55,7 @@ private-dev
 private-etc alternatives
 private-tmp
+dbus-user none
+dbus-system none
 memory-deny-write-execute
diff --git a/etc/profile-a-l/git-cola.profile b/etc/profile-a-l/git-cola.profile
new file mode 100644
index 000000000..30e80f519
--- /dev/null
+++ b/etc/profile-a-l/git-cola.profile
@@ -0,0 +1,66 @@
+# Firejail profile for git-cola
+# Description: Linux native frontend for Git
+# This file is overwritten after every install/update
+# Persistent local customizations
+include git-cola.local
+# Persistent global definitions
+include globals.local
+ignore noexec ${HOME}
+noblacklist ${HOME}/.gitconfig
+noblacklist ${HOME}/.git-credentials
+noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.ssh
+noblacklist ${HOME}/.config/git
+noblacklist ${HOME}/.config/git-cola
+# Put your editor,diff viewer config path below and uncomment to load settings
+# noblacklist ${HOME}/
+include allow-python2.inc
+include allow-python3.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+# private-bin atom,bash,colordiff,emacs,fldiff,geany,gedit,git,git gui,git-cola,git-dag,gitk,gpg,gvim,leafpad,meld,mousepad,nano,notepadqq,python*,sh,ssh,vim,vimdiff,which,xed
+private-cache
+private-dev
+# Comment if you sign commits with GPG
+private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,localtime,login.defs,machine-id,mime.types,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssl,X11,xdg
+private-tmp
+dbus-user filter
+# Uncomment if you need keyring access
+# dbus-user.talk org.freedesktop.secrets
+dbus-system none
+read-only ${HOME}/.ssh
+read-only ${HOME}/.gnupg
+read-only ${HOME}/.git-credentials
diff --git a/etc/git.profile b/etc/profile-a-l/git.profile
index e5a2f3985..e5a2f3985 100644
--- a/etc/git.profile
+++ b/etc/profile-a-l/git.profile
diff --git a/etc/gitg.profile b/etc/profile-a-l/gitg.profile
index 56f8e136f..71b8e9b11 100644
--- a/etc/gitg.profile
+++ b/etc/profile-a-l/gitg.profile
@@ -19,7 +19,16 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+#whitelist ${HOME}/YOUR_GIT_PROJECTS_DIRECTORY
+#whitelist ${HOME}/.config/git
+#whitelist ${HOME}/.gitconfig
+#whitelist ${HOME}/.git-credentials
+#whitelist ${HOME}/.local/share/gitg
+#whitelist ${HOME}/.ssh
+#include whitelist-common.inc
 whitelist /usr/share/gitg
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -43,3 +52,10 @@ private-bin git,gitg,ssh
 private-cache
 private-dev
 private-tmp
+dbus-user filter
+dbus-user.own org.gnome.gitg
+dbus-user.talk ca.desrt.dconf
+# Uncomment (or put in your gitg.local) if you need keyring access.
+#dbus-user.talk org.freedesktop.secrets
+dbus-system none
diff --git a/etc/github-desktop.profile b/etc/profile-a-l/github-desktop.profile
index b25b138ad..152396553 100644
--- a/etc/github-desktop.profile
+++ b/etc/profile-a-l/github-desktop.profile
@@ -30,7 +30,7 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6,netlink
-seccomp
+seccomp !chroot
 # Note: On debian-based distributions the binary might be located in
 # /opt/GitHub Desktop/github-desktop, and therefore not be in PATH.
diff --git a/etc/gitter.profile b/etc/profile-a-l/gitter.profile
index 017b1765a..017b1765a 100644
--- a/etc/gitter.profile
+++ b/etc/profile-a-l/gitter.profile
diff --git a/etc/gjs.profile b/etc/profile-a-l/gjs.profile
index 85dd57f29..9c8848b8a 100644
--- a/etc/gjs.profile
+++ b/etc/profile-a-l/gjs.profile
@@ -22,6 +22,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/globaltime.profile b/etc/profile-a-l/globaltime.profile
index bb78a608e..bb78a608e 100644
--- a/etc/globaltime.profile
+++ b/etc/profile-a-l/globaltime.profile
diff --git a/etc/gmpc.profile b/etc/profile-a-l/gmpc.profile
index b1546db30..b3aad8b2c 100644
--- a/etc/gmpc.profile
+++ b/etc/profile-a-l/gmpc.profile
@@ -30,7 +30,6 @@ caps.drop all
 ipc-namespace
 netfilter
 no3d
-#nodbus
 nodvd
 nogroups
 nonewprivs
@@ -50,4 +49,7 @@ private-etc alternatives,fonts
 private-tmp
 writable-run-user
+# dbus-user none
+# dbus-system none
 # memory-deny-write-execute - breaks on Arch
diff --git a/etc/profile-a-l/gnome-2048.profile b/etc/profile-a-l/gnome-2048.profile
new file mode 100644
index 000000000..777c81dbe
--- /dev/null
+++ b/etc/profile-a-l/gnome-2048.profile
@@ -0,0 +1,19 @@
+# Firejail profile for gnome-2048
+# Description: Sliding tile puzzle game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-2048.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.local/share/gnome-2048
+mkdir ${HOME}/.local/share/gnome-2048
+whitelist ${HOME}/.local/share/gnome-2048
+private-bin gnome-2048
+dbus-user.own org.gnome.TwentyFortyEight
+# Redirect
+include gnome_games-common.profile
diff --git a/etc/gnome-books.profile b/etc/profile-a-l/gnome-books.profile
index 84e38d0e1..998109ca7 100644
--- a/etc/gnome-books.profile
+++ b/etc/profile-a-l/gnome-books.profile
@@ -23,8 +23,9 @@ include disable-xdg.inc
 include whitelist-var-common.inc
+apparmor
 caps.drop all
-netfilter
+net none
 no3d
 nodvd
 nogroups
diff --git a/etc/gnome-builder.profile b/etc/profile-a-l/gnome-builder.profile
index eaf48931d..7a684dd59 100644
--- a/etc/gnome-builder.profile
+++ b/etc/profile-a-l/gnome-builder.profile
@@ -17,6 +17,8 @@ include disable-common.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include whitelist-runuser-common.inc
 caps.drop all
 ipc-namespace
 netfilter
diff --git a/etc/gnome-calculator.profile b/etc/profile-a-l/gnome-calculator.profile
index 6709a331e..ceb01f2a0 100644
--- a/etc/gnome-calculator.profile
+++ b/etc/profile-a-l/gnome-calculator.profile
@@ -13,9 +13,11 @@ include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-interpreters.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -23,10 +25,9 @@ apparmor
 caps.drop all
 ipc-namespace
 machine-id
-# net none
+#net none -- breaks currency conversion
 netfilter
 no3d
-# nodbus - makes settings immutable
 nodvd
 nogroups
 nonewprivs
@@ -38,6 +39,7 @@ novideo
 protocol unix,inet,inet6
 seccomp
 shell none
+tracelog
 disable-mnt
 private-bin gnome-calculator
@@ -46,4 +48,7 @@ private-dev
 #private-lib gdk-pixbuf-2.*,gio,girepository-1.*,gvfs,libgconf-2.so.*,libgnutls.so.*,libproxy.so.*,librsvg-2.so.*,libxml2.so.*
 private-tmp
-# memory-deny-write-execute
+dbus-user filter
+dbus-user.own org.gnome.Calculator
+dbus-user.talk ca.desrt.dconf
+dbus-system none
diff --git a/etc/profile-a-l/gnome-calendar.profile b/etc/profile-a-l/gnome-calendar.profile
new file mode 100644
index 000000000..3e815234c
--- /dev/null
+++ b/etc/profile-a-l/gnome-calendar.profile
@@ -0,0 +1,62 @@
+# Firejail profile for gnome-calendar
+# Description: Calendar for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-calendar.local
+# Persistent global definitions
+include globals.local
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+whitelist /usr/share/libgweather
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+disable-mnt
+private
+private-bin gnome-calendar
+private-cache
+private-dev
+private-etc ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,nsswitch.conf,pki,resolv.conf,ssl
+private-tmp
+dbus-user filter
+dbus-user.own org.gnome.Calendar
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.gnome.evolution.dataserver.*
+#dbus-user.talk org.gnome.OnlineAccounts
+#dbus-user.talk org.gnome.ControlCenter
+# NOTE: dbus-system none fails, filter without rules works.
+dbus-system filter
+#dbus-system.talk org.freedesktop.timedate1
+#dbus-system.talk org.freedesktop.login1
+#dbus-system.talk org.freedesktop.GeoClue2
+read-only ${HOME}
diff --git a/etc/gnome-character-map.profile b/etc/profile-a-l/gnome-character-map.profile
index 27804fdd0..27804fdd0 100644
--- a/etc/gnome-character-map.profile
+++ b/etc/profile-a-l/gnome-character-map.profile
diff --git a/etc/gnome-characters.profile b/etc/profile-a-l/gnome-characters.profile
index 2d4724610..f4f3ae2d7 100644
--- a/etc/gnome-characters.profile
+++ b/etc/profile-a-l/gnome-characters.profile
@@ -15,20 +15,20 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 whitelist /usr/share/org.gnome.Characters
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
+apparmor
 caps.drop all
 machine-id
 net none
 no3d
-# Uncomment the next line (or add it to your gnome-characters.local)
-# if you don't need recently used chars
-#nodbus
 nodvd
 nogroups
 nonewprivs
@@ -52,4 +52,9 @@ private-dev
 private-etc alternatives,dconf,fonts,gconf,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,pango,X11,xdg
 private-tmp
+# Uncomment the next lines (or add it to your gnome-characters.local)
+# if you don't need recently used chars
+# dbus-user none
+# dbus-system none
 read-only ${HOME}
diff --git a/etc/gnome-chess.profile b/etc/profile-a-l/gnome-chess.profile
index e657293ac..84a3cabd6 100644
--- a/etc/gnome-chess.profile
+++ b/etc/profile-a-l/gnome-chess.profile
@@ -6,6 +6,7 @@ include gnome-chess.local
 # Persistent global definitions
 include globals.local
+noblacklist ${HOME}/.config/gnome-chess
 noblacklist ${HOME}/.local/share/gnome-chess
 include disable-common.inc
@@ -14,8 +15,17 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
+#mkdir ${HOME}/.local/share/gnome-chess
+#whitelist ${HOME}/.local/share/gnome-chess
+#include whitelist-common.inc
+whitelist /usr/share/gnuchess
+whitelist /usr/share/gnome-chess
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 apparmor
diff --git a/etc/gnome-clocks.profile b/etc/profile-a-l/gnome-clocks.profile
index 025335a23..fc899178f 100644
--- a/etc/gnome-clocks.profile
+++ b/etc/profile-a-l/gnome-clocks.profile
@@ -12,11 +12,13 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 whitelist /usr/share/gnome-clocks
 whitelist /usr/share/libgweather
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/gnome-contacts.profile b/etc/profile-a-l/gnome-contacts.profile
index ac6d82451..7a38bdc8a 100644
--- a/etc/gnome-contacts.profile
+++ b/etc/profile-a-l/gnome-contacts.profile
@@ -17,11 +17,12 @@ include disable-programs.inc
 include disable-xdg.inc
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 caps.drop all
 netfilter
-no3d
+#no3d - breaks on Arch
 nodvd
 nonewprivs
 noroot
diff --git a/etc/gnome-documents.profile b/etc/profile-a-l/gnome-documents.profile
index 705fe624e..705fe624e 100644
--- a/etc/gnome-documents.profile
+++ b/etc/profile-a-l/gnome-documents.profile
diff --git a/etc/gnome-font-viewer.profile b/etc/profile-a-l/gnome-font-viewer.profile
index 468ef0401..b2327133c 100644
--- a/etc/gnome-font-viewer.profile
+++ b/etc/profile-a-l/gnome-font-viewer.profile
@@ -17,8 +17,9 @@ include disable-xdg.inc
 include whitelist-var-common.inc
+apparmor
 caps.drop all
-netfilter
+net none
 no3d
 nodvd
 nonewprivs
diff --git a/etc/gnome-hexgl.profile b/etc/profile-a-l/gnome-hexgl.profile
index 386c33d7f..5ae7bbe01 100644
--- a/etc/gnome-hexgl.profile
+++ b/etc/profile-a-l/gnome-hexgl.profile
@@ -12,19 +12,18 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.cache/mesa_shader_cache
-whitelist ${RUNUSER}/pulse
-whitelist ${RUNUSER}/wayland-0
 whitelist /usr/share/gnome-hexgl
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 apparmor
 caps.drop all
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -42,8 +41,11 @@ private
 private-bin gnome-hexgl
 private-cache
 private-dev
-private-etc machine-id
+private-etc alsa,asound.conf,machine-id,pulse
 private-tmp
+dbus-user none
+dbus-system none
 read-only ${HOME}
 read-write ${HOME}/.cache/mesa_shader_cache
diff --git a/etc/gnome-keyring-3.profile b/etc/profile-a-l/gnome-keyring-3.profile
index e9961e4f0..e9961e4f0 100644
--- a/etc/gnome-keyring-3.profile
+++ b/etc/profile-a-l/gnome-keyring-3.profile
diff --git a/etc/gnome-keyring.profile b/etc/profile-a-l/gnome-keyring.profile
index 7e2d701b7..ecbb74158 100644
--- a/etc/gnome-keyring.profile
+++ b/etc/profile-a-l/gnome-keyring.profile
@@ -31,7 +31,6 @@ ipc-namespace
 machine-id
 netfilter
 no3d
-# nodbus
 nodvd
 nogroups
 nonewprivs
@@ -52,4 +51,7 @@ private-dev
 #private-lib alternatives,gnome-keyring,libsecret-1.so.*,pkcs11,security
 private-tmp
+# dbus-user none
+# dbus-system none
 memory-deny-write-execute
diff --git a/etc/profile-a-l/gnome-klotski.profile b/etc/profile-a-l/gnome-klotski.profile
new file mode 100644
index 000000000..c67a5c0da
--- /dev/null
+++ b/etc/profile-a-l/gnome-klotski.profile
@@ -0,0 +1,19 @@
+# Firejail profile for gnome-klotski
+# Description: Sliding block puzzles game for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-klotski.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.local/share/gnome-klotski
+mkdir ${HOME}/.local/share/gnome-klotski
+whitelist ${HOME}/.local/share/gnome-klotski
+private-bin gnome-klotski
+dbus-user.own org.gnome.Klotski
+# Redirect
+include gnome_games-common.profile
diff --git a/etc/gnome-latex.profile b/etc/profile-a-l/gnome-latex.profile
index 1bf48c6ab..eb5e9ec40 100644
--- a/etc/gnome-latex.profile
+++ b/etc/profile-a-l/gnome-latex.profile
@@ -22,6 +22,7 @@ include disable-programs.inc
 whitelist /usr/share/gnome-latex
 whitelist /usr/share/perl5
 whitelist /usr/share/texlive
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 # May cause issues.
 #include whitelist-var-common.inc
@@ -48,3 +49,5 @@ private-cache
 private-dev
 # passwd,login.defs,firejail are a temporary workaround for #2877 and can be removed once it is fixed
 private-etc alternatives,dconf,fonts,gtk-3.0,latexmk.conf,login.defs,passwd,texlive
+dbus-system none
diff --git a/etc/gnome-logs.profile b/etc/profile-a-l/gnome-logs.profile
index 0c5bec144..41218d3f7 100644
--- a/etc/gnome-logs.profile
+++ b/etc/profile-a-l/gnome-logs.profile
@@ -12,9 +12,11 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 whitelist /var/log/journal
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -23,7 +25,6 @@ caps.drop all
 ipc-namespace
 net none
 no3d
-nodbus
 nodvd
 # When using 'volatile' storage (https://www.freedesktop.org/software/systemd/man/journald.conf.html),
 # comment both 'nogroups' and 'noroot'
@@ -49,6 +50,9 @@ private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.s
 private-tmp
 writable-var-log
+dbus-user none
+dbus-system none
 # comment this if you export logs to a file in your ${HOME}
 # or put 'ignore read-only ${HOME}' in your gnome-logs.local.
 read-only ${HOME}
diff --git a/etc/profile-a-l/gnome-mahjongg.profile b/etc/profile-a-l/gnome-mahjongg.profile
new file mode 100644
index 000000000..42409dce8
--- /dev/null
+++ b/etc/profile-a-l/gnome-mahjongg.profile
@@ -0,0 +1,16 @@
+# Firejail profile for gnome-mahjongg
+# Description: A matching game played with Mahjongg tiles
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-mahjongg.local
+# Persistent global definitions
+include globals.local
+whitelist /usr/share/gnome-mahjongg
+private-bin gnome-mahjongg
+dbus-user.own org.gnome.Mahjongg
+# Redirect
+include gnome_games-common.profile
diff --git a/etc/gnome-maps.profile b/etc/profile-a-l/gnome-maps.profile
index 62350b862..eb0030dda 100644
--- a/etc/gnome-maps.profile
+++ b/etc/profile-a-l/gnome-maps.profile
@@ -13,7 +13,6 @@ include globals.local
 noblacklist ${HOME}/.cache/champlain
 noblacklist ${HOME}/.cache/org.gnome.Maps
-noblacklist ${HOME}/.local/share/flatpak
 noblacklist ${HOME}/.local/share/maps-places.json
 # Allow gjs (blacklisted by disable-interpreters.inc)
@@ -25,6 +24,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.cache/champlain
@@ -36,6 +36,7 @@ whitelist ${PICTURES}
 whitelist /usr/share/gnome-maps
 whitelist /usr/share/libgweather
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -62,3 +63,11 @@ private-bin gjs,gnome-maps
 private-dev
 private-etc alternatives,ca-certificates,clutter-1.0,crypto-policies,dconf,drirc,fonts,gconf,gcrypt,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,nsswitch.conf,pango,pkcs11,pki,protocols,resolv.conf,rpc,services,ssl,X11,xdg
 private-tmp
+dbus-user filter
+dbus-user.own org.gnome.Maps
+#dbus-user.talk org.freedesktop.secrets
+#dbus-user.talk org.gnome.OnlineAccounts
+dbus-system filter
+#dbus-system.talk org.freedesktop.NetworkManager
+dbus-system.talk org.freedesktop.GeoClue2
diff --git a/etc/profile-a-l/gnome-mines.profile b/etc/profile-a-l/gnome-mines.profile
new file mode 100644
index 000000000..4fe8986c2
--- /dev/null
+++ b/etc/profile-a-l/gnome-mines.profile
@@ -0,0 +1,20 @@
+# Firejail profile for gnome-mines
+# Description: The popular logic puzzle minesweeper
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-mines.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.local/share/gnome-mines
+mkdir ${HOME}/.local/share/gnome-mines
+whitelist ${HOME}/.local/share/gnome-mines
+whitelist /usr/share/gnome-mines
+private-bin gnome-mines
+dbus-user.own org.gnome.Mines
+# Redirect
+include gnome_games-common.profile
diff --git a/etc/gnome-mplayer.profile b/etc/profile-a-l/gnome-mplayer.profile
index 12bee6448..12bee6448 100644
--- a/etc/gnome-mplayer.profile
+++ b/etc/profile-a-l/gnome-mplayer.profile
diff --git a/etc/gnome-mpv.profile b/etc/profile-a-l/gnome-mpv.profile
index f5d652732..f5d652732 100644
--- a/etc/gnome-mpv.profile
+++ b/etc/profile-a-l/gnome-mpv.profile
diff --git a/etc/gnome-music.profile b/etc/profile-a-l/gnome-music.profile
index ad3fa1753..36b46897c 100644
--- a/etc/gnome-music.profile
+++ b/etc/profile-a-l/gnome-music.profile
@@ -21,8 +21,10 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
+apparmor
 caps.drop all
 netfilter
 no3d
@@ -37,8 +39,9 @@ seccomp
 shell none
 tracelog
-private-bin env,gio-launch-desktop,gnome-music,python*,yelp
+# private-bin calls a file manager - whatever is installed!
+#private-bin env,gio-launch-desktop,gnome-music,python*,yelp
 private-dev
-private-etc alternatives,asound.conf,fonts,machine-id,pulse
+private-etc alternatives,asound.conf,dconf,fonts,fonts,gtk-3.0,machine-id,pulse,selinux,xdg
 private-tmp
diff --git a/etc/gnome-nettool.profile b/etc/profile-a-l/gnome-nettool.profile
index d15299890..33eb9c81a 100644
--- a/etc/gnome-nettool.profile
+++ b/etc/profile-a-l/gnome-nettool.profile
@@ -16,6 +16,7 @@ include disable-xdg.inc
 whitelist /usr/share/gnome-nettool
 #include whitelist-common.inc -- see #903
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -24,7 +25,6 @@ ipc-namespace
 machine-id
 netfilter
 no3d
-nodbus
 nodvd
 nogroups
 # ping needs to elevate privileges, noroot and nonewprivs will kill it
@@ -44,3 +44,5 @@ private-dev
 private-lib libbind9.so.*,libcrypto.so.*,libdns.so.*,libgtk-3.so.*,libgtop*,libirs.so.*,liblua.so.*,libssh2.so.*,libssl.so.*
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/gnome-nibbles.profile b/etc/profile-a-l/gnome-nibbles.profile
new file mode 100644
index 000000000..b22810d34
--- /dev/null
+++ b/etc/profile-a-l/gnome-nibbles.profile
@@ -0,0 +1,23 @@
+# Firejail profile for gnome-nibbles
+# Description: A worm game for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-nibbles.local
+# Persistent global definitions
+include globals.local
+ignore machine-id
+ignore nosound
+noblacklist ${HOME}/.local/share/gnome-nibbles
+mkdir ${HOME}/.local/share/gnome-nibbles
+whitelist ${HOME}/.local/share/gnome-nibbles
+whitelist /usr/share/gnome-nibbles
+private-bin gnome-nibbles
+dbus-user.own org.gnome.Nibbles
+# Redirect
+include gnome_games-common.profile
diff --git a/etc/gnome-passwordsafe.profile b/etc/profile-a-l/gnome-passwordsafe.profile
index de8f6ad7d..615be7873 100644
--- a/etc/gnome-passwordsafe.profile
+++ b/etc/profile-a-l/gnome-passwordsafe.profile
@@ -19,15 +19,12 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
-whitelist ${RUNUSER}/bus
-# If you have a second wayland compositor, whitelist its socket here.
-whitelist ${RUNUSER}/wayland-0
-whitelist ${RUNUSER}/gdm/Xauthority
 whitelist /usr/share/cracklib
 whitelist /usr/share/passwordsafe
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/gnome-photos.profile b/etc/profile-a-l/gnome-photos.profile
index aa0b7dbe3..2af406af9 100644
--- a/etc/gnome-photos.profile
+++ b/etc/profile-a-l/gnome-photos.profile
@@ -17,8 +17,10 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
+apparmor
 caps.drop all
 netfilter
 nodvd
diff --git a/etc/gnome-pie.profile b/etc/profile-a-l/gnome-pie.profile
index c1d2dae35..c1d2dae35 100644
--- a/etc/gnome-pie.profile
+++ b/etc/profile-a-l/gnome-pie.profile
diff --git a/etc/profile-a-l/gnome-pomodoro.profile b/etc/profile-a-l/gnome-pomodoro.profile
new file mode 100644
index 000000000..a46e47759
--- /dev/null
+++ b/etc/profile-a-l/gnome-pomodoro.profile
@@ -0,0 +1,59 @@
+# Firejail profile for gnome-pomodoro
+# Description: time management utility for GNOME based on the pomodoro technique
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-pomodoro.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.local/share/gnome-pomodoro
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.local/share/gnome-pomodoro
+whitelist ${HOME}/.local/share/gnome-pomodoro
+whitelist /usr/share/gnome-pomodoro
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin gnome-pomodoro
+private-cache
+private-dev
+private-etc dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id
+private-tmp
+dbus-user filter
+dbus-user.own org.gnome.Pomodoro
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.gnome.Mutter.IdleMonitor
+dbus-user.talk org.gnome.Shell
+dbus-user.talk org.freedesktop.Notifications
+dbus-system none
+read-only ${HOME}
+read-write ${HOME}/.local/share/gnome-pomodoro
diff --git a/etc/gnome-recipes.profile b/etc/profile-a-l/gnome-recipes.profile
index b4791afc5..c4969590f 100644
--- a/etc/gnome-recipes.profile
+++ b/etc/profile-a-l/gnome-recipes.profile
@@ -16,6 +16,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 mkdir ${HOME}/.cache/gnome-recipes
 mkdir ${HOME}/.local/share/gnome-recipes
@@ -26,6 +27,7 @@ include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
+apparmor
 caps.drop all
 ipc-namespace
 machine-id
diff --git a/etc/gnome-ring.profile b/etc/profile-a-l/gnome-ring.profile
index 78ceb9c4f..78ceb9c4f 100644
--- a/etc/gnome-ring.profile
+++ b/etc/profile-a-l/gnome-ring.profile
diff --git a/etc/profile-a-l/gnome-robots.profile b/etc/profile-a-l/gnome-robots.profile
new file mode 100644
index 000000000..8835f2b93
--- /dev/null
+++ b/etc/profile-a-l/gnome-robots.profile
@@ -0,0 +1,19 @@
+# Firejail profile for gnome-robots
+# Description: Based on classic BSD Robots
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-robots.local
+# Persistent global definitions
+include globals.local
+ignore machine-id
+ignore nosound
+whitelist /usr/share/gnome-robots
+private-bin gnome-robots
+dbus-user.own org.gnome.Robots
+# Redirect
+include gnome_games-common.profile
diff --git a/etc/gnome-schedule.profile b/etc/profile-a-l/gnome-schedule.profile
index c8dd8ead7..55913a2d7 100644
--- a/etc/gnome-schedule.profile
+++ b/etc/profile-a-l/gnome-schedule.profile
@@ -39,6 +39,7 @@ whitelist /usr/share/gnome-schedule
 whitelist /var/spool/atd
 whitelist /var/spool/cron
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/gnome-screenshot.profile b/etc/profile-a-l/gnome-screenshot.profile
new file mode 100644
index 000000000..82fb1b658
--- /dev/null
+++ b/etc/profile-a-l/gnome-screenshot.profile
@@ -0,0 +1,50 @@
+# Firejail profile for gnome-screenshot
+# Description: GNOME screenshot tool
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-screenshot.local
+# Persistent global definitions
+include globals.local
+noblacklist ${PICTURES}
+noblacklist ${HOME}/.cache/gnome-screenshot
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin gnome-screenshot
+private-dev
+private-etc dconf,fonts,gtk-3.0,localtime,machine-id
+private-tmp
+dbus-user filter
+dbus-user.own org.gnome.Screenshot
+dbus-user.talk org.gnome.Shell.Screenshot
+dbus-system none
diff --git a/etc/gnome-sound-recorder.profile b/etc/profile-a-l/gnome-sound-recorder.profile
index 7f8fc8a0c..a64ec25a9 100644
--- a/etc/gnome-sound-recorder.profile
+++ b/etc/profile-a-l/gnome-sound-recorder.profile
@@ -7,7 +7,6 @@ include gnome-sound-recorder.local
 include globals.local
 noblacklist ${MUSIC}
-noblacklist ${HOME}/.local/share/flatpak
 noblacklist ${HOME}/.local/share/Trash
 # Allow gjs (blacklisted by disable-interpreters.inc)
diff --git a/etc/profile-a-l/gnome-sudoku.profile b/etc/profile-a-l/gnome-sudoku.profile
new file mode 100644
index 000000000..12fd48a86
--- /dev/null
+++ b/etc/profile-a-l/gnome-sudoku.profile
@@ -0,0 +1,19 @@
+# Firejail profile for gnome-sudoku
+# Description: puzzle game for the popular Japanese sudoku logic puzzle
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-sudoku.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.local/share/gnome-sudoku
+mkdir ${HOME}/.local/share/gnome-sudoku
+whitelist ${HOME}/.local/share/gnome-sudoku
+private-bin gnome-sudoku
+dbus-user.own org.gnome.Sudoku
+# Redirect
+include gnome_games-common.profile
diff --git a/etc/gnome-system-log.profile b/etc/profile-a-l/gnome-system-log.profile
index cfe39d18b..14b0f758e 100644
--- a/etc/gnome-system-log.profile
+++ b/etc/profile-a-l/gnome-system-log.profile
@@ -12,6 +12,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 whitelist /var/log
@@ -24,7 +25,6 @@ caps.drop all
 ipc-namespace
 # net none - breaks dbus
 no3d
-# nodbus
 nodvd
 # When using 'volatile' storage (https://www.freedesktop.org/software/systemd/man/journald.conf.html),
 # comment both 'nogroups' and 'noroot'
@@ -49,6 +49,9 @@ private-lib
 private-tmp
 writable-var-log
+# dbus-user none
+# dbus-system none
 memory-deny-write-execute
 # comment this if you export logs to a file in your ${HOME}
diff --git a/etc/profile-a-l/gnome-taquin.profile b/etc/profile-a-l/gnome-taquin.profile
new file mode 100644
index 000000000..2341334f7
--- /dev/null
+++ b/etc/profile-a-l/gnome-taquin.profile
@@ -0,0 +1,19 @@
+# Firejail profile for gnome-taquin
+# Description: A sliding puzzle game for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-taquin.local
+# Persistent global definitions
+include globals.local
+ignore machine-id
+ignore nosound
+whitelist /usr/share/gnome-taquin
+private-bin gnome-taquin
+dbus-user.own org.gnome.Taquin
+# Redirect
+include gnome_games-common.profile
diff --git a/etc/profile-a-l/gnome-tetravex.profile b/etc/profile-a-l/gnome-tetravex.profile
new file mode 100644
index 000000000..6e820dd70
--- /dev/null
+++ b/etc/profile-a-l/gnome-tetravex.profile
@@ -0,0 +1,14 @@
+# Firejail profile for gnome-tetravex
+# Description: A simple puzzle game for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-tetravex.local
+# Persistent global definitions
+include globals.local
+private-bin gnome-tetravex
+dbus-user.own org.gnome.Tetravex
+# Redirect
+include gnome_games-common.profile
diff --git a/etc/profile-a-l/gnome-todo.profile b/etc/profile-a-l/gnome-todo.profile
new file mode 100644
index 000000000..2fab3dcc7
--- /dev/null
+++ b/etc/profile-a-l/gnome-todo.profile
@@ -0,0 +1,64 @@
+# Firejail profile for gnome-todo
+# Description: Personal task manager for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-todo.local
+# Persistent global definitions
+include globals.local
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+whitelist /usr/share/gnome-todo
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+disable-mnt
+#private
+private-bin gnome-todo
+private-cache
+private-dev
+private-etc dconf,fonts,gtk-3.0,localtime,passwd,xdg
+private-tmp
+dbus-user filter
+dbus-user.own org.gnome.Todo
+dbus-user.talk ca.desrt.dconf
+#dbus-user.talk org.gnome.evolution.dataserver.AddressBook9
+#dbus-user.talk org.gnome.evolution.dataserver.Calendar8
+#dbus-user.talk org.gnome.evolution.dataserver.Sources5
+#dbus-user.talk org.gnome.evolution.dataserver.Subprocess.Backend.*
+#dbus-user.talk org.gnome.OnlineAccounts
+dbus-system none
+#dbus-system filter
+#dbus-system.talk org.freedesktop.login1
+read-only ${HOME}
diff --git a/etc/gnome-twitch.profile b/etc/profile-a-l/gnome-twitch.profile
index 5e8153035..5e8153035 100644
--- a/etc/gnome-twitch.profile
+++ b/etc/profile-a-l/gnome-twitch.profile
diff --git a/etc/gnome-weather.profile b/etc/profile-a-l/gnome-weather.profile
index 10db6296b..a181f1b9e 100644
--- a/etc/gnome-weather.profile
+++ b/etc/profile-a-l/gnome-weather.profile
@@ -21,6 +21,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 caps.drop all
diff --git a/etc/profile-a-l/gnome_games-common.profile b/etc/profile-a-l/gnome_games-common.profile
new file mode 100644
index 000000000..c46fbc1d9
--- /dev/null
+++ b/etc/profile-a-l/gnome_games-common.profile
@@ -0,0 +1,48 @@
+# Firejail profile for gnome_games-common
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome_games-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+disable-mnt
+private-cache
+private-dev
+private-etc dconf,fonts,gconf,gtk-2.0,gtk-3.0,machine-id,pango,passwd,X11
+private-tmp
+dbus-user filter
+dbus-user.talk ca.desrt.dconf
+dbus-system none
diff --git a/etc/profile-a-l/gnote.profile b/etc/profile-a-l/gnote.profile
new file mode 100644
index 000000000..1b5129fc5
--- /dev/null
+++ b/etc/profile-a-l/gnote.profile
@@ -0,0 +1,59 @@
+# Firejail profile for gnote
+# Description: A simple note-taking application for Gnome
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnote.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/gnote
+noblacklist ${HOME}/.local/share/gnote
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+mkdir ${HOME}/.config/gnote
+mkdir ${HOME}/.local/share/gnote
+whitelist ${HOME}/.config/gnote
+whitelist ${HOME}/.local/share/gnote
+whitelist /usr/share/gnote
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin gnote
+private-cache
+private-dev
+private-etc dconf,fonts,gtk-3.0,pango,X11
+private-tmp
+dbus-user filter
+dbus-user.own org.gnome.Gnote
+dbus-user.talk ca.desrt.dconf
+dbus-system none
diff --git a/etc/profile-a-l/gnubik.profile b/etc/profile-a-l/gnubik.profile
new file mode 100644
index 000000000..8eaba161c
--- /dev/null
+++ b/etc/profile-a-l/gnubik.profile
@@ -0,0 +1,50 @@
+# Firejail profile for gnubik
+# Description: DESCRIPTION
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnubik.local
+# Persistent global definitions
+include globals.local
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+whitelist /usr/share/gnubik
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+disable-mnt
+private
+private-bin gnubik
+private-cache
+private-dev
+private-etc drirc,fonts,gtk-2.0
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/godot.profile b/etc/profile-a-l/godot.profile
index 2baf09b1d..8324a4eb5 100644
--- a/etc/godot.profile
+++ b/etc/profile-a-l/godot.profile
@@ -22,7 +22,6 @@ include whitelist-var-common.inc
 caps.drop all
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -41,3 +40,6 @@ private-cache
 private-dev
 private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,machine-id,nsswitch.conf,openal,pki,pulse,resolv.conf,ssl
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/goobox.profile b/etc/profile-a-l/goobox.profile
index c932ad528..c932ad528 100644
--- a/etc/goobox.profile
+++ b/etc/profile-a-l/goobox.profile
diff --git a/etc/google-chrome-beta.profile b/etc/profile-a-l/google-chrome-beta.profile
index 73101f509..a62e4cf74 100644
--- a/etc/google-chrome-beta.profile
+++ b/etc/profile-a-l/google-chrome-beta.profile
@@ -8,10 +8,16 @@ include globals.local
 noblacklist ${HOME}/.cache/google-chrome-beta
 noblacklist ${HOME}/.config/google-chrome-beta
+noblacklist ${HOME}/.config/chrome-beta-flags.conf
+noblacklist ${HOME}/.config/chrome-beta-flags.config
 mkdir ${HOME}/.cache/google-chrome-beta
 mkdir ${HOME}/.config/google-chrome-beta
 whitelist ${HOME}/.cache/google-chrome-beta
 whitelist ${HOME}/.config/google-chrome-beta
+whitelist ${HOME}/.config/chrome-beta-flags.conf
+whitelist ${HOME}/.config/chrome-beta-flags.config
 # Redirect
 include chromium-common.profile
diff --git a/etc/google-chrome-stable.profile b/etc/profile-a-l/google-chrome-stable.profile
index a456e8d61..a456e8d61 100644
--- a/etc/google-chrome-stable.profile
+++ b/etc/profile-a-l/google-chrome-stable.profile
diff --git a/etc/google-chrome-unstable.profile b/etc/profile-a-l/google-chrome-unstable.profile
index 50e9923aa..14547eab2 100644
--- a/etc/google-chrome-unstable.profile
+++ b/etc/profile-a-l/google-chrome-unstable.profile
@@ -8,10 +8,16 @@ include globals.local
 noblacklist ${HOME}/.cache/google-chrome-unstable
 noblacklist ${HOME}/.config/google-chrome-unstable
+noblacklist ${HOME}/.config/chrome-unstable-flags.conf
+noblacklist ${HOME}/.config/chrome-unstable-flags.config
 mkdir ${HOME}/.cache/google-chrome-unstable
 mkdir ${HOME}/.config/google-chrome-unstable
 whitelist ${HOME}/.cache/google-chrome-unstable
 whitelist ${HOME}/.config/google-chrome-unstable
+whitelist ${HOME}/.config/chrome-unstable-flags.conf
+whitelist ${HOME}/.config/chrome-unstable-flags.config
 # Redirect
 include chromium-common.profile
diff --git a/etc/google-chrome.profile b/etc/profile-a-l/google-chrome.profile
index c69e98271..66f76caa0 100644
--- a/etc/google-chrome.profile
+++ b/etc/profile-a-l/google-chrome.profile
@@ -8,10 +8,16 @@ include globals.local
 noblacklist ${HOME}/.cache/google-chrome
 noblacklist ${HOME}/.config/google-chrome
+noblacklist ${HOME}/.config/chrome-flags.conf
+noblacklist ${HOME}/.config/chrome-flags.config
 mkdir ${HOME}/.cache/google-chrome
 mkdir ${HOME}/.config/google-chrome
 whitelist ${HOME}/.cache/google-chrome
 whitelist ${HOME}/.config/google-chrome
+whitelist ${HOME}/.config/chrome-flags.conf
+whitelist ${HOME}/.config/chrome-flags.config
 # Redirect
 include chromium-common.profile
diff --git a/etc/google-earth-pro.profile b/etc/profile-a-l/google-earth-pro.profile
index c1f919769..c1f919769 100644
--- a/etc/google-earth-pro.profile
+++ b/etc/profile-a-l/google-earth-pro.profile
diff --git a/etc/google-earth.profile b/etc/profile-a-l/google-earth.profile
index a331ef8d2..a331ef8d2 100644
--- a/etc/google-earth.profile
+++ b/etc/profile-a-l/google-earth.profile
diff --git a/etc/google-play-music-desktop-player.profile b/etc/profile-a-l/google-play-music-desktop-player.profile
index daa385234..daa385234 100644
--- a/etc/google-play-music-desktop-player.profile
+++ b/etc/profile-a-l/google-play-music-desktop-player.profile
diff --git a/etc/gpa.profile b/etc/profile-a-l/gpa.profile
index ce7c8496d..ce7c8496d 100644
--- a/etc/gpa.profile
+++ b/etc/profile-a-l/gpa.profile
diff --git a/etc/gpg-agent.profile b/etc/profile-a-l/gpg-agent.profile
index 16bda186e..adc8957e6 100644
--- a/etc/gpg-agent.profile
+++ b/etc/profile-a-l/gpg-agent.profile
@@ -21,9 +21,12 @@ include disable-xdg.inc
 mkdir ${HOME}/.gnupg
 whitelist ${HOME}/.gnupg
+whitelist ${RUNUSER}/gnupg
+whitelist ${RUNUSER}/keyring
 whitelist /usr/share/gnupg
 whitelist /usr/share/gnupg2
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/gpg.profile b/etc/profile-a-l/gpg.profile
index b408a0123..787f35f9e 100644
--- a/etc/gpg.profile
+++ b/etc/profile-a-l/gpg.profile
@@ -18,9 +18,12 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+whitelist ${RUNUSER}/gnupg
+whitelist ${RUNUSER}/keyring
 whitelist /usr/share/gnupg
 whitelist /usr/share/gnupg2
 whitelist /usr/share/pacman/keyrings
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/gpg2.profile b/etc/profile-a-l/gpg2.profile
index b831b0f62..b831b0f62 100644
--- a/etc/gpg2.profile
+++ b/etc/profile-a-l/gpg2.profile
diff --git a/etc/gpicview.profile b/etc/profile-a-l/gpicview.profile
index eb00688dd..a536e5985 100644
--- a/etc/gpicview.profile
+++ b/etc/profile-a-l/gpicview.profile
@@ -14,6 +14,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 whitelist /usr/share/gpicview
 include whitelist-usr-share-common.inc
@@ -24,7 +25,6 @@ caps.drop all
 ipc-namespace
 machine-id
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -45,4 +45,7 @@ private-etc alternatives,fonts,group,passwd
 private-lib
 private-tmp
+dbus-user none
+dbus-system none
 memory-deny-write-execute
diff --git a/etc/gpredict.profile b/etc/profile-a-l/gpredict.profile
index c1f1b53a0..3152db096 100644
--- a/etc/gpredict.profile
+++ b/etc/profile-a-l/gpredict.profile
@@ -14,6 +14,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 mkdir ${HOME}/.config/Gpredict
 whitelist ${HOME}/.config/Gpredict
diff --git a/etc/gradio.profile b/etc/profile-a-l/gradio.profile
index 82e2504b9..a16e65efb 100644
--- a/etc/gradio.profile
+++ b/etc/profile-a-l/gradio.profile
@@ -14,12 +14,15 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 mkdir ${HOME}/.cache/gradio
 mkdir ${HOME}/.local/share/gradio
 whitelist ${HOME}/.cache/gradio
 whitelist ${HOME}/.local/share/gradio
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 caps.drop all
@@ -30,11 +33,23 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
+tracelog
+disable-mnt
+private-bin gradio
+private-cache
+private-dev
 private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,machine-id,pki,pulse,resolv.conf,ssl,xdg
 private-tmp
+dbus-user filter
+dbus-user.own de.haeckerfelix.gradio
+dbus-user.own org.mpris.MediaPlayer2.gradio
+dbus-user.talk ca.desrt.dconf
+dbus-system none
diff --git a/etc/gramps.profile b/etc/profile-a-l/gramps.profile
index 54b154964..427fe2d7a 100644
--- a/etc/gramps.profile
+++ b/etc/profile-a-l/gramps.profile
@@ -30,7 +30,6 @@ caps.drop all
 ipc-namespace
 netfilter
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -47,3 +46,6 @@ disable-mnt
 private-cache
 private-dev
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile b/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile
new file mode 100644
index 000000000..0cb3aa864
--- /dev/null
+++ b/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile
@@ -0,0 +1,47 @@
+# Firejail profile for gravity-beams-and-evaporating-stars
+# Description: a game about hurling asteroids into the sun
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gravity-beams-and-evaporating-stars.local
+# Persistent global definitions
+include globals.local
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+whitelist /usr/share/gravity-beams-and-evaporating-stars
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+disable-mnt
+private
+private-bin gravity-beams-and-evaporating-stars
+private-cache
+private-dev
+private-etc fonts,machine-id
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/gsettings-data-convert.profile b/etc/profile-a-l/gsettings-data-convert.profile
index 6f1d43939..6f1d43939 100644
--- a/etc/gsettings-data-convert.profile
+++ b/etc/profile-a-l/gsettings-data-convert.profile
diff --git a/etc/gsettings-schema-convert.profile b/etc/profile-a-l/gsettings-schema-convert.profile
index 5c8b0e2e2..5c8b0e2e2 100644
--- a/etc/gsettings-schema-convert.profile
+++ b/etc/profile-a-l/gsettings-schema-convert.profile
diff --git a/etc/gsettings.profile b/etc/profile-a-l/gsettings.profile
index 2203fac15..2203fac15 100644
--- a/etc/gsettings.profile
+++ b/etc/profile-a-l/gsettings.profile
diff --git a/etc/gtar.profile b/etc/profile-a-l/gtar.profile
index 2391c121b..2391c121b 100644
--- a/etc/gtar.profile
+++ b/etc/profile-a-l/gtar.profile
diff --git a/etc/gthumb.profile b/etc/profile-a-l/gthumb.profile
index 77de59802..de0fc96ae 100644
--- a/etc/gthumb.profile
+++ b/etc/profile-a-l/gthumb.profile
@@ -15,6 +15,7 @@ include disable-devel.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 caps.drop all
 nodvd
diff --git a/etc/gtk-update-icon-cache.profile b/etc/profile-a-l/gtk-update-icon-cache.profile
index 668a48f9a..2051a8af6 100644
--- a/etc/gtk-update-icon-cache.profile
+++ b/etc/profile-a-l/gtk-update-icon-cache.profile
@@ -15,6 +15,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 include whitelist-common.inc
@@ -27,7 +28,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -50,4 +50,7 @@ private-etc none
 private-lib
 private-tmp
+dbus-user none
+dbus-system none
 memory-deny-write-execute
diff --git a/etc/profile-a-l/gtk-youtube-viewer b/etc/profile-a-l/gtk-youtube-viewer
new file mode 100644
index 000000000..023f10d3d
--- /dev/null
+++ b/etc/profile-a-l/gtk-youtube-viewer
@@ -0,0 +1,18 @@
+# Firejail profile for gtk-youtube-viewer
+# Description: Gtk front-end to youtube-viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gtk-youtube-viewer.local
+# Persistent global definitions
+# include globals.local
+ignore quiet
+noblacklist /tmp/.X11-unix
+noblacklist ${RUNUSER}/wayland-*
+noblacklist ${RUNUSER}
+include whitelist-runuser-common.inc
+# Redirect
+include youtube-viewer.profile
+\ No newline at end of file
diff --git a/etc/profile-a-l/gtk2-youtube-viewer b/etc/profile-a-l/gtk2-youtube-viewer
new file mode 100644
index 000000000..331e73218
--- /dev/null
+++ b/etc/profile-a-l/gtk2-youtube-viewer
@@ -0,0 +1,18 @@
+# Firejail profile for gtk2-youtube-viewer
+# Description: Gtk front-end to youtube-viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gtk2-youtube-viewer.local
+# Persistent global definitions
+# include globals.local
+ignore quiet
+noblacklist /tmp/.X11-unix
+noblacklist ${RUNUSER}/wayland-*
+noblacklist ${RUNUSER}
+include whitelist-runuser-common.inc
+# Redirect
+include youtube-viewer.profile
+\ No newline at end of file
diff --git a/etc/profile-a-l/gtk3-youtube-viewer b/etc/profile-a-l/gtk3-youtube-viewer
new file mode 100644
index 000000000..4c5bde55f
--- /dev/null
+++ b/etc/profile-a-l/gtk3-youtube-viewer
@@ -0,0 +1,18 @@
+# Firejail profile for gtk3-youtube-viewer
+# Description: Gtk front-end to youtube-viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gtk3-youtube-viewer.local
+# Persistent global definitions
+# include globals.local
+ignore quiet
+noblacklist /tmp/.X11-unix
+noblacklist ${RUNUSER}/wayland-*
+noblacklist ${RUNUSER}
+include whitelist-runuser-common.inc
+# Redirect
+include youtube-viewer.profile
+\ No newline at end of file
diff --git a/etc/guayadeque.profile b/etc/profile-a-l/guayadeque.profile
index 8ffd7ff58..8a7f65918 100644
--- a/etc/guayadeque.profile
+++ b/etc/profile-a-l/guayadeque.profile
@@ -14,6 +14,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 caps.drop all
diff --git a/etc/gucharmap.profile b/etc/profile-a-l/gucharmap.profile
index b3aa58d29..c0254b5ec 100644
--- a/etc/gucharmap.profile
+++ b/etc/profile-a-l/gucharmap.profile
@@ -12,9 +12,11 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -23,7 +25,6 @@ caps.drop all
 machine-id
 #net none - breaks dbus
 no3d
-#nodbus - breaks state saveing
 nodvd
 nogroups
 nonewprivs
@@ -45,4 +46,8 @@ private-etc alternatives,dbus-1,dconf,fonts,gconf,gtk-2.0,gtk-3.0,ld.so.cache,ld
 private-lib
 private-tmp
+# breaks state saving
+# dbus-user none
+# dbus-system none
 read-only ${HOME}
diff --git a/etc/gummi.profile b/etc/profile-a-l/gummi.profile
index 922b2cbde..40c268c46 100644
--- a/etc/gummi.profile
+++ b/etc/profile-a-l/gummi.profile
@@ -12,8 +12,7 @@ include allow-lua.inc
 include allow-perl.inc
 include allow-python3.inc
-private-bin dvipdf,dvips,env,gummi,latex,latexmk,lua*,lualatex,luatex,pdflatex,pdftex,perl,ps2pdf,python3*,rubber,synctex,tex,xelatex,xetex
+private-bin dvipdf,dvips,env,gummi,latex,latexmk,lua*,pdflatex,pdftex,perl,ps2pdf,python3*,rubber,synctex,tex,xelatex,xetex
 # Redirect
 include latex-common.profile
diff --git a/etc/gunzip.profile b/etc/profile-a-l/gunzip.profile
index 6e97c6b78..6e97c6b78 100644
--- a/etc/gunzip.profile
+++ b/etc/profile-a-l/gunzip.profile
diff --git a/etc/gwenview.profile b/etc/profile-a-l/gwenview.profile
index 5a5d81378..efdc56e38 100644
--- a/etc/gwenview.profile
+++ b/etc/profile-a-l/gwenview.profile
@@ -15,6 +15,7 @@ noblacklist ${HOME}/.kde/share/config/gwenviewrc
 noblacklist ${HOME}/.kde4/share/apps/gwenview
 noblacklist ${HOME}/.kde4/share/config/gwenviewrc
 noblacklist ${HOME}/.local/share/gwenview
+noblacklist ${HOME}/.local/share/kxmlgui5/gwenview
 noblacklist ${HOME}/.local/share/org.kde.gwenview
 include disable-common.inc
@@ -23,6 +24,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include whitelist-var-common.inc
@@ -30,7 +32,6 @@ apparmor
 caps.drop all
 # net none
 netfilter
-# nodbus
 nodvd
 nogroups
 nonewprivs
@@ -47,4 +48,7 @@ private-bin gimp*,gwenview,kbuildsycoca4,kdeinit4
 private-dev
 private-etc alternatives,fonts,gimp,gtk-2.0,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,pulse,xdg
+# dbus-user none
+# dbus-system none
 # memory-deny-write-execute
diff --git a/etc/gzexe.profile b/etc/profile-a-l/gzexe.profile
index bb570d553..bb570d553 100644
--- a/etc/gzexe.profile
+++ b/etc/profile-a-l/gzexe.profile
diff --git a/etc/gzip.profile b/etc/profile-a-l/gzip.profile
index 1af15d227..8ec39d8ca 100644
--- a/etc/gzip.profile
+++ b/etc/profile-a-l/gzip.profile
@@ -26,7 +26,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -44,4 +43,7 @@ x11 none
 private-cache
 private-dev
+dbus-user none
+dbus-system none
 memory-deny-write-execute
diff --git a/etc/handbrake-gtk.profile b/etc/profile-a-l/handbrake-gtk.profile
index 1e7ce2350..1e7ce2350 100644
--- a/etc/handbrake-gtk.profile
+++ b/etc/profile-a-l/handbrake-gtk.profile
diff --git a/etc/handbrake.profile b/etc/profile-a-l/handbrake.profile
index 324c629e3..0539ffcb8 100644
--- a/etc/handbrake.profile
+++ b/etc/profile-a-l/handbrake.profile
@@ -22,8 +22,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
-netfilter
+net none
-nodbus
 nogroups
 nonewprivs
 noroot
@@ -36,3 +35,5 @@ shell none
 private-dev
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/hashcat.profile b/etc/profile-a-l/hashcat.profile
index b4d6d52f0..8ec67ff19 100644
--- a/etc/hashcat.profile
+++ b/etc/profile-a-l/hashcat.profile
@@ -23,7 +23,6 @@ include disable-xdg.inc
 caps.drop all
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -43,3 +42,5 @@ private-cache
 private-dev
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/hedgewars.profile b/etc/profile-a-l/hedgewars.profile
index 898a07a5f..898a07a5f 100644
--- a/etc/hedgewars.profile
+++ b/etc/profile-a-l/hedgewars.profile
diff --git a/etc/hexchat.profile b/etc/profile-a-l/hexchat.profile
index 7723cbd6b..4c8911a06 100644
--- a/etc/hexchat.profile
+++ b/etc/profile-a-l/hexchat.profile
@@ -19,6 +19,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.config/hexchat
diff --git a/etc/highlight.profile b/etc/profile-a-l/highlight.profile
index 036de8d99..0761aa2fc 100644
--- a/etc/highlight.profile
+++ b/etc/profile-a-l/highlight.profile
@@ -7,17 +7,18 @@ include highlight.local
 include globals.local
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 caps.drop all
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -36,3 +37,6 @@ private-bin highlight
 private-cache
 private-dev
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/hitori.profile b/etc/profile-a-l/hitori.profile
new file mode 100644
index 000000000..6d67f4587
--- /dev/null
+++ b/etc/profile-a-l/hitori.profile
@@ -0,0 +1,14 @@
+# Firejail profile for hitori
+# Description: Play the Hitori puzzle game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include hitori.local
+# Persistent global definitions
+include globals.local
+private-bin hitori
+dbus-user.own org.gnome.Hitori
+# Redirect
+include gnome_games-common.profile
diff --git a/etc/profile-a-l/homebank.profile b/etc/profile-a-l/homebank.profile
new file mode 100644
index 000000000..8e600a2d7
--- /dev/null
+++ b/etc/profile-a-l/homebank.profile
@@ -0,0 +1,59 @@
+# Firejail profile for homebank
+# Description: Personal finance manager
+# This file is overwritten after every install/update
+# Persistent local customizations
+include homebank.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/homebank
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc 
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-passwdmgr.inc
+include disable-shell.inc
+include disable-xdg.inc
+mkdir ${HOME}/.config/homebank
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.config/homebank
+whitelist /usr/share/homebank
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+machine-id
+# net none
+netfilter
+nodvd
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin homebank
+private-cache
+private-dev
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11
+private-tmp
+dbus-user none
+dbus-system none
+# memory-deny-write-execute
diff --git a/etc/profile-a-l/host.profile b/etc/profile-a-l/host.profile
new file mode 100644
index 000000000..e5a5a7efa
--- /dev/null
+++ b/etc/profile-a-l/host.profile
@@ -0,0 +1,52 @@
+# Firejail profile for host
+# Description: DNS lookup utility
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include host.local
+# Persistent global definitions
+include globals.local
+blacklist ${RUNUSER}
+noblacklist ${PATH}/host
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+disable-mnt
+private
+private-bin bash,host,sh
+private-dev
+private-tmp
+dbus-user none
+dbus-system none
+memory-deny-write-execute
diff --git a/etc/hugin.profile b/etc/profile-a-l/hugin.profile
index 07a697c05..e03b68128 100644
--- a/etc/hugin.profile
+++ b/etc/profile-a-l/hugin.profile
@@ -16,11 +16,11 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 caps.drop all
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -38,3 +38,5 @@ private-cache
 private-dev
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/hyperrogue.profile b/etc/profile-a-l/hyperrogue.profile
new file mode 100644
index 000000000..f2cb25edf
--- /dev/null
+++ b/etc/profile-a-l/hyperrogue.profile
@@ -0,0 +1,51 @@
+# Firejail profile for hyperrogue
+# Description: An SDL roguelike in a non-euclidean world
+# This file is overwritten after every install/update
+# Persistent local customizations
+include hyperrogue.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/hyperrogue.ini
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+mkfile ${HOME}/hyperrogue.ini
+whitelist ${HOME}/hyperrogue.ini
+whitelist /usr/share/hyperrogue
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin hyperrogue
+private-cache
+private-cwd ${HOME}
+private-dev
+private-etc fonts,machine-id
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/i2prouter.profile b/etc/profile-a-l/i2prouter.profile
index 9ffdb9e9b..9ffdb9e9b 100644
--- a/etc/i2prouter.profile
+++ b/etc/profile-a-l/i2prouter.profile
diff --git a/etc/i3.profile b/etc/profile-a-l/i3.profile
index c1ca0e413..c1ca0e413 100644
--- a/etc/i3.profile
+++ b/etc/profile-a-l/i3.profile
diff --git a/etc/gnome-2048.profile b/etc/profile-a-l/iagno.profile
index 9eb4c147d..42fc7d449 100644
--- a/etc/gnome-2048.profile
+++ b/etc/profile-a-l/iagno.profile
@@ -1,38 +1,40 @@
-# Firejail profile for gnome-2048
+# Firejail profile for iagno
-# Description: Sliding tile puzzle game
+# Description: Reversi clone for Gnome desktop
 # This file is overwritten after every install/update
 # Persistent local customizations
-include gnome-2048.local
+include iagno.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.local/share/gnome-2048
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include whitelist-var-common.inc
-mkdir ${HOME}/.local/share/gnome-2048
+apparmor
-whitelist ${HOME}/.local/share/gnome-2048
-include whitelist-common.inc
 caps.drop all
-netfilter
+net none
 nodvd
+nogroups
 nonewprivs
 noroot
 notv
 nou2f
 novideo
-protocol unix,inet,inet6
+protocol unix
 seccomp
+shell none
 disable-mnt
+private
+private-bin iagno
 private-dev
 private-tmp
+# dbus-user none
+# dbus-system none
diff --git a/etc/icecat.profile b/etc/profile-a-l/icecat.profile
index 660343a29..660343a29 100644
--- a/etc/icecat.profile
+++ b/etc/profile-a-l/icecat.profile
diff --git a/etc/icedove.profile b/etc/profile-a-l/icedove.profile
index 19690cd5a..19690cd5a 100644
--- a/etc/icedove.profile
+++ b/etc/profile-a-l/icedove.profile
diff --git a/etc/iceweasel.profile b/etc/profile-a-l/iceweasel.profile
index badd2648a..badd2648a 100644
--- a/etc/iceweasel.profile
+++ b/etc/profile-a-l/iceweasel.profile
diff --git a/etc/idea.profile b/etc/profile-a-l/idea.profile
index 4e43bb629..4e43bb629 100644
--- a/etc/idea.profile
+++ b/etc/profile-a-l/idea.profile
diff --git a/etc/idea.sh.profile b/etc/profile-a-l/idea.sh.profile
index a7d0d531f..a7d0d531f 100644
--- a/etc/idea.sh.profile
+++ b/etc/profile-a-l/idea.sh.profile
diff --git a/etc/ideaIC.profile b/etc/profile-a-l/ideaIC.profile
index 7e1778f58..7e1778f58 100644
--- a/etc/ideaIC.profile
+++ b/etc/profile-a-l/ideaIC.profile
diff --git a/etc/imagej.profile b/etc/profile-a-l/imagej.profile
index 00ee115ed..91a60c188 100644
--- a/etc/imagej.profile
+++ b/etc/profile-a-l/imagej.profile
@@ -21,7 +21,6 @@ include disable-programs.inc
 caps.drop all
 ipc-namespace
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -38,3 +37,5 @@ private-bin awk,basename,bash,cut,free,grep,hostname,imagej,ln,ls,mkdir,rm,sort,
 private-dev
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/img2txt.profile b/etc/profile-a-l/img2txt.profile
index 0b30ec33f..ae03fc8bc 100644
--- a/etc/img2txt.profile
+++ b/etc/profile-a-l/img2txt.profile
@@ -27,7 +27,6 @@ caps.drop all
 ipc-namespace
 machine-id
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -47,4 +46,7 @@ private-cache
 private-dev
 private-tmp
+dbus-user none
+dbus-system none
 memory-deny-write-execute
diff --git a/etc/impressive.profile b/etc/profile-a-l/impressive.profile
index 0bfe5de5a..af82fb059 100644
--- a/etc/impressive.profile
+++ b/etc/profile-a-l/impressive.profile
@@ -33,7 +33,6 @@ caps.drop all
 ipc-namespace
 machine-id
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -51,5 +50,8 @@ private-cache
 private-dev
 private-tmp
+dbus-user none
+dbus-system none
 read-only ${HOME}
 read-write ${HOME}/.cache/mesa_shader_cache
diff --git a/etc/inkscape.profile b/etc/profile-a-l/inkscape.profile
index 30cb5d75d..f14868668 100644
--- a/etc/inkscape.profile
+++ b/etc/profile-a-l/inkscape.profile
@@ -37,7 +37,6 @@ caps.drop all
 ipc-namespace
 machine-id
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -56,4 +55,7 @@ private-cache
 private-dev
 private-tmp
+dbus-user none
+dbus-system none
 # memory-deny-write-execute
diff --git a/etc/inkview.profile b/etc/profile-a-l/inkview.profile
index 4f88b0258..4f88b0258 100644
--- a/etc/inkview.profile
+++ b/etc/profile-a-l/inkview.profile
diff --git a/etc/inox.profile b/etc/profile-a-l/inox.profile
index 1b3db73b4..1b3db73b4 100644
--- a/etc/inox.profile
+++ b/etc/profile-a-l/inox.profile
diff --git a/etc/iridium-browser.profile b/etc/profile-a-l/iridium-browser.profile
index c7ee64d56..c7ee64d56 100644
--- a/etc/iridium-browser.profile
+++ b/etc/profile-a-l/iridium-browser.profile
diff --git a/etc/iridium.profile b/etc/profile-a-l/iridium.profile
index ebb39b0a3..ebb39b0a3 100644
--- a/etc/iridium.profile
+++ b/etc/profile-a-l/iridium.profile
diff --git a/etc/itch.profile b/etc/profile-a-l/itch.profile
index b3c78c810..b3c78c810 100644
--- a/etc/itch.profile
+++ b/etc/profile-a-l/itch.profile
diff --git a/etc/jd-gui.profile b/etc/profile-a-l/jd-gui.profile
index 5b7275718..0944051e5 100644
--- a/etc/jd-gui.profile
+++ b/etc/profile-a-l/jd-gui.profile
@@ -23,7 +23,6 @@ include whitelist-var-common.inc
 caps.drop all
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -41,3 +40,5 @@ private-cache
 private-dev
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/jdownloader.profile b/etc/profile-a-l/jdownloader.profile
index b5f892a9d..b5f892a9d 100644
--- a/etc/jdownloader.profile
+++ b/etc/profile-a-l/jdownloader.profile
diff --git a/etc/jerry.profile b/etc/profile-a-l/jerry.profile
index f6bfb9953..b79ae0ee0 100644
--- a/etc/jerry.profile
+++ b/etc/profile-a-l/jerry.profile
@@ -20,7 +20,6 @@ caps.drop all
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -38,4 +37,7 @@ private-dev
 private-etc fonts,gtk-2.0,gtk-3.0
 private-tmp
+dbus-user none
+dbus-system none
 memory-deny-write-execute
diff --git a/etc/profile-a-l/jitsi-meet-desktop.profile b/etc/profile-a-l/jitsi-meet-desktop.profile
new file mode 100644
index 000000000..c4121d835
--- /dev/null
+++ b/etc/profile-a-l/jitsi-meet-desktop.profile
@@ -0,0 +1,39 @@
+# Firejail profile for jitsi-meet-desktop
+# Description: Jitsi Meet desktop application powered by Electron
+# This file is overwritten after every install/update
+# Persistent local customizations
+include jitsi-meet-desktop.local
+# Persistent global definitions
+include globals.local
+ignore noexec /tmp
+noblacklist ${HOME}/.config/Jitsi Meet
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-xdg.inc
+nowhitelist ${DOWNLOADS}
+mkdir ${HOME}/.config/Jitsi Meet
+whitelist ${HOME}/.config/Jitsi Meet
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+seccomp !chroot
+disable-mnt
+private-bin bash,jitsi-meet-desktop
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,drirc,fonts,glvnd,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,nvidia,pango,passwd,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg
+private-tmp
+# Redirect
+include electron.profile
diff --git a/etc/jitsi.profile b/etc/profile-a-l/jitsi.profile
index 223c360b8..223c360b8 100644
--- a/etc/jitsi.profile
+++ b/etc/profile-a-l/jitsi.profile
diff --git a/etc/profile-a-l/jumpnbump-menu.profile b/etc/profile-a-l/jumpnbump-menu.profile
new file mode 100644
index 000000000..b1852b015
--- /dev/null
+++ b/etc/profile-a-l/jumpnbump-menu.profile
@@ -0,0 +1,15 @@
+# Firejail profile for jumpnbump-menu
+# Description: Level selection and config menu for the Jump 'n Bump game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include jumpnbump-menu.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+include allow-python3.inc
+private-bin jumpnbump-menu,python3*
+# Redirect
+include jumpnbump.profile
diff --git a/etc/profile-a-l/jumpnbump.profile b/etc/profile-a-l/jumpnbump.profile
new file mode 100644
index 000000000..daeb54610
--- /dev/null
+++ b/etc/profile-a-l/jumpnbump.profile
@@ -0,0 +1,49 @@
+# Firejail profile for jumpnbump
+# Description: Cute multiplayer platform game with bunnies
+# This file is overwritten after every install/update
+# Persistent local customizations
+include jumpnbump.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.jumpnbump
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.jumpnbump
+whitelist ${HOME}/.jumpnbump
+whitelist /usr/share/jumpnbump
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin jumpnbump
+private-cache
+private-dev
+private-etc none
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/k3b.profile b/etc/profile-a-l/k3b.profile
index 0c1da7ae1..86292744c 100644
--- a/etc/k3b.profile
+++ b/etc/profile-a-l/k3b.profile
@@ -9,6 +9,7 @@ include globals.local
 noblacklist ${HOME}/.config/k3brc
 noblacklist ${HOME}/.kde/share/config/k3brc
 noblacklist ${HOME}/.kde4/share/config/k3brc
+noblacklist ${HOME}/.local/share/kxmlgui5/k3b
 noblacklist ${MUSIC}
 include disable-common.inc
diff --git a/etc/kaffeine.profile b/etc/profile-a-l/kaffeine.profile
index c7f811939..c7f811939 100644
--- a/etc/kaffeine.profile
+++ b/etc/profile-a-l/kaffeine.profile
diff --git a/etc/kalgebra.profile b/etc/profile-a-l/kalgebra.profile
index 2dc90b9b9..e1e93163b 100644
--- a/etc/kalgebra.profile
+++ b/etc/profile-a-l/kalgebra.profile
@@ -25,7 +25,6 @@ apparmor
 caps.drop all
 machine-id
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -45,3 +44,6 @@ private-cache
 private-dev
 private-etc fonts,machine-id
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/kalgebramobile.profile b/etc/profile-a-l/kalgebramobile.profile
index d2394fe20..d2394fe20 100644
--- a/etc/kalgebramobile.profile
+++ b/etc/profile-a-l/kalgebramobile.profile
diff --git a/etc/karbon.profile b/etc/profile-a-l/karbon.profile
index 3b2e93b0a..d54d6d3d0 100644
--- a/etc/karbon.profile
+++ b/etc/profile-a-l/karbon.profile
@@ -1,5 +1,7 @@
 # Firejail profile alias for krita
 # This file is overwritten after every install/update
+noblacklist ${HOME}/.local/share/kxmlgui5/karbon
 # Redirect
 include krita.profile
diff --git a/etc/kate.profile b/etc/profile-a-l/kate.profile
index 3035393c4..37605dfa9 100644
--- a/etc/kate.profile
+++ b/etc/profile-a-l/kate.profile
@@ -15,6 +15,13 @@ noblacklist ${HOME}/.config/kateschemarc
 noblacklist ${HOME}/.config/katesyntaxhighlightingrc
 noblacklist ${HOME}/.config/katevirc
 noblacklist ${HOME}/.local/share/kate
+noblacklist ${HOME}/.local/share/kxmlgui5/kate
+noblacklist ${HOME}/.local/share/kxmlgui5/katefiletree
+noblacklist ${HOME}/.local/share/kxmlgui5/katekonsole
+noblacklist ${HOME}/.local/share/kxmlgui5/kateopenheaderplugin
+noblacklist ${HOME}/.local/share/kxmlgui5/katepart
+noblacklist ${HOME}/.local/share/kxmlgui5/kateproject
+noblacklist ${HOME}/.local/share/kxmlgui5/katesearch
 include disable-common.inc
 # include disable-devel.inc
@@ -28,7 +35,6 @@ include whitelist-var-common.inc
 # apparmor
 caps.drop all
 # net none
-# nodbus
 netfilter
 nodvd
 nogroups
@@ -48,4 +54,7 @@ private-dev
 # private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,xdg
 private-tmp
+# dbus-user none
+# dbus-system none
 join-or-start kate
diff --git a/etc/kcalc.profile b/etc/profile-a-l/kcalc.profile
index 8c641802b..fa82e76f3 100644
--- a/etc/kcalc.profile
+++ b/etc/profile-a-l/kcalc.profile
@@ -6,6 +6,7 @@ include kcalc.local
 # Persistent global definitions
 include globals.local
+noblacklist ${HOME}/.local/share/kxmlgui5/kcalc
 include disable-common.inc
 include disable-devel.inc
@@ -13,13 +14,16 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
+mkdir ${HOME}/.local/share/kxmlgui5/kcalc
 mkfile ${HOME}/.config/kcalcrc
 mkfile ${HOME}/.kde/share/config/kcalcrc
 mkfile ${HOME}/.kde4/share/config/kcalcrc
 whitelist ${HOME}/.config/kcalcrc
 whitelist ${HOME}/.kde/share/config/kcalcrc
 whitelist ${HOME}/.kde4/share/config/kcalcrc
+whitelist ${HOME}/.local/share/kxmlgui5/kcalc
 include whitelist-common.inc
 include whitelist-var-common.inc
@@ -27,7 +31,6 @@ apparmor
 caps.drop all
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -46,3 +49,5 @@ private-dev
 # private-lib - problems on Arch
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/kdeinit4.profile b/etc/profile-a-l/kdeinit4.profile
index 082045c62..f7235ea84 100644
--- a/etc/kdeinit4.profile
+++ b/etc/profile-a-l/kdeinit4.profile
@@ -13,6 +13,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include whitelist-var-common.inc
diff --git a/etc/kdenlive.profile b/etc/profile-a-l/kdenlive.profile
index 361109127..9ca33b68e 100644
--- a/etc/kdenlive.profile
+++ b/etc/profile-a-l/kdenlive.profile
@@ -11,6 +11,7 @@ ignore noexec ${HOME}
 noblacklist ${HOME}/.cache/kdenlive
 noblacklist ${HOME}/.config/kdenliverc
 noblacklist ${HOME}/.local/share/kdenlive
+noblacklist ${HOME}/.local/share/kxmlgui5/kdenlive
 include disable-common.inc
 include disable-devel.inc
@@ -22,7 +23,6 @@ include disable-programs.inc
 apparmor
 caps.drop all
 # net none
-# nodbus
 nodvd
 nogroups
 nonewprivs
@@ -36,3 +36,6 @@ shell none
 private-bin dbus-launch,dvdauthor,ffmpeg,ffplay,ffprobe,genisoimage,kdeinit4,kdeinit4_shutdown,kdeinit4_wrapper,kdeinit5,kdeinit5_shutdown,kdeinit5_wrapper,kdenlive,kdenlive_render,kshell4,kshell5,melt,mlt-melt,vlc,xine
 private-dev
 # private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,pulse,X11,xdg
+# dbus-user none
+# dbus-system none
diff --git a/etc/keepass.profile b/etc/profile-a-l/keepass.profile
index 9852f8a79..9852f8a79 100644
--- a/etc/keepass.profile
+++ b/etc/profile-a-l/keepass.profile
diff --git a/etc/keepass2.profile b/etc/profile-a-l/keepass2.profile
index aef236ccc..aef236ccc 100644
--- a/etc/keepass2.profile
+++ b/etc/profile-a-l/keepass2.profile
diff --git a/etc/keepassx.profile b/etc/profile-a-l/keepassx.profile
index 44e9c67bb..b8239e140 100644
--- a/etc/keepassx.profile
+++ b/etc/profile-a-l/keepassx.profile
@@ -26,7 +26,6 @@ caps.drop all
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -45,4 +44,7 @@ private-dev
 private-etc alternatives,fonts,machine-id
 private-tmp
+dbus-user none
+dbus-system none
 memory-deny-write-execute
diff --git a/etc/keepassx2.profile b/etc/profile-a-l/keepassx2.profile
index fdd27e9f9..fdd27e9f9 100644
--- a/etc/keepassx2.profile
+++ b/etc/profile-a-l/keepassx2.profile
diff --git a/etc/keepassxc-cli.profile b/etc/profile-a-l/keepassxc-cli.profile
index 925609384..925609384 100644
--- a/etc/keepassxc-cli.profile
+++ b/etc/profile-a-l/keepassxc-cli.profile
diff --git a/etc/keepassxc-proxy.profile b/etc/profile-a-l/keepassxc-proxy.profile
index b2b6763ee..b2b6763ee 100644
--- a/etc/keepassxc-proxy.profile
+++ b/etc/profile-a-l/keepassxc-proxy.profile
diff --git a/etc/profile-a-l/keepassxc.profile b/etc/profile-a-l/keepassxc.profile
new file mode 100644
index 000000000..e8fc4e632
--- /dev/null
+++ b/etc/profile-a-l/keepassxc.profile
@@ -0,0 +1,81 @@
+# Firejail profile for keepassxc
+# Description: Cross Platform Password Manager
+# This file is overwritten after every install/update
+# Persistent local customizations
+include keepassxc.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/*.kdb
+noblacklist ${HOME}/*.kdbx
+noblacklist ${HOME}/.cache/keepassxc
+noblacklist ${HOME}/.config/keepassxc
+noblacklist ${HOME}/.keepassxc
+# 2.2.4 needs this path when compiled with "Native messaging browser extension"
+noblacklist ${HOME}/.mozilla
+noblacklist ${DOCUMENTS}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+# You can enable whitelisting for keepassxc by uncommenting (or adding to you keepassxc.local) the following lines.
+# If you do so, you MUST store your database under ${HOME}/Documents/KeePassXC/foo.kdbx
+#mkdir ${HOME}/Documents/KeePassXC
+#whitelist ${HOME}/Documents/KeePassXC
+# Needed for KeePassXC-Browser
+#mkfile ${HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json
+#whitelist ${HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json
+#mkdir ${HOME}/.cache/keepassxc
+#mkdir ${HOME}/.config/keepassxc
+#whitelist ${HOME}/.cache/keepassxc
+#whitelist ${HOME}/.config/keepassxc
+#include whitelist-common.inc
+whitelist /usr/share/keepassxc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+tracelog
+private-bin keepassxc,keepassxc-cli,keepassxc-proxy
+private-dev
+private-etc alternatives,fonts,ld.so.cache,machine-id
+private-tmp
+dbus-user filter
+#dbus-user.own org.keepassxc.KeePassXC
+dbus-user.talk com.canonical.Unity.Session
+dbus-user.talk org.freedesktop.ScreenSaver
+dbus-user.talk org.freedesktop.login1.Manager
+dbus-user.talk org.freedesktop.login1.Session
+dbus-user.talk org.gnome.ScreenSaver
+dbus-user.talk org.gnome.SessionManager
+dbus-user.talk org.gnome.SessionManager.Presence
+# Uncomment or add to your keepassxc.local to allow Notifications.
+#dbus-user.talk org.freedesktop.Notifications
+#dbus-user.talk org.kde.StatusNotifierWatcher
+dbus-system none
+# Mutex is stored in /tmp by default, which is broken by private-tmp
+join-or-start keepassxc
diff --git a/etc/kfind.profile b/etc/profile-a-l/kfind.profile
index ee4c35825..ed815676a 100644
--- a/etc/kfind.profile
+++ b/etc/profile-a-l/kfind.profile
@@ -27,7 +27,6 @@ machine-id
 # net none
 netfilter
 no3d
-# nodbus
 nodvd
 nogroups
 nonewprivs
@@ -43,3 +42,6 @@ shell none
 # private-bin kbuildsycoca4,kdeinit4,kfind
 private-dev
 private-tmp
+# dbus-user none
+# dbus-system none
diff --git a/etc/kget.profile b/etc/profile-a-l/kget.profile
index 485edc1a4..5990d0752 100644
--- a/etc/kget.profile
+++ b/etc/profile-a-l/kget.profile
@@ -12,6 +12,7 @@ noblacklist ${HOME}/.kde/share/config/kgetrc
 noblacklist ${HOME}/.kde4/share/apps/kget
 noblacklist ${HOME}/.kde4/share/config/kgetrc
 noblacklist ${HOME}/.local/share/kget
+noblacklist ${HOME}/.local/share/kxmlgui5/kget
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/kid3-cli.profile b/etc/profile-a-l/kid3-cli.profile
index bee62b5d9..bee62b5d9 100644
--- a/etc/kid3-cli.profile
+++ b/etc/profile-a-l/kid3-cli.profile
diff --git a/etc/kid3-qt.profile b/etc/profile-a-l/kid3-qt.profile
index 9bcede077..9bcede077 100644
--- a/etc/kid3-qt.profile
+++ b/etc/profile-a-l/kid3-qt.profile
diff --git a/etc/kid3.profile b/etc/profile-a-l/kid3.profile
index 01064feb5..aa2e0ad1e 100644
--- a/etc/kid3.profile
+++ b/etc/profile-a-l/kid3.profile
@@ -8,6 +8,7 @@ include globals.local
 noblacklist ${MUSIC}
 noblacklist ${HOME}/.config/kid3rc
+noblacklist ${HOME}/.local/share/kxmlgui5/kid3
 include disable-common.inc
 include disable-devel.inc
@@ -22,7 +23,6 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -42,4 +42,7 @@ private-tmp
 private-opt none
 private-srv none
+dbus-user none
+dbus-system none
 memory-deny-write-execute
diff --git a/etc/kino.profile b/etc/profile-a-l/kino.profile
index 9e8d61391..b3ade0dd9 100644
--- a/etc/kino.profile
+++ b/etc/profile-a-l/kino.profile
@@ -16,6 +16,9 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include whitelist-var-common.inc
+apparmor
 caps.drop all
 netfilter
 nogroups
diff --git a/etc/kiwix-desktop.profile b/etc/profile-a-l/kiwix-desktop.profile
index 8b7b12882..d222d6d24 100644
--- a/etc/kiwix-desktop.profile
+++ b/etc/profile-a-l/kiwix-desktop.profile
@@ -29,7 +29,6 @@ caps.drop all
 ipc-namespace
 netfilter
 # no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -47,3 +46,6 @@ private-cache
 private-dev
 private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,machine-id,pki,pulse,resolv.conf,ssl
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/klatexformula.profile b/etc/profile-a-l/klatexformula.profile
index d584f6a56..10b689ce5 100644
--- a/etc/klatexformula.profile
+++ b/etc/profile-a-l/klatexformula.profile
@@ -24,7 +24,6 @@ apparmor
 caps.drop all
 machine-id
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -41,3 +40,6 @@ tracelog
 private-cache
 private-dev
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/klatexformula_cmdl.profile b/etc/profile-a-l/klatexformula_cmdl.profile
index 9137963c4..9137963c4 100644
--- a/etc/klatexformula_cmdl.profile
+++ b/etc/profile-a-l/klatexformula_cmdl.profile
diff --git a/etc/klavaro.profile b/etc/profile-a-l/klavaro.profile
index b6b538557..c03d75098 100644
--- a/etc/klavaro.profile
+++ b/etc/profile-a-l/klavaro.profile
@@ -29,7 +29,6 @@ caps.drop all
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -50,3 +49,6 @@ private-etc alternatives,fonts
 private-tmp
 private-opt none
 private-srv none
+dbus-user none
+dbus-system none
diff --git a/etc/kmail.profile b/etc/profile-a-l/kmail.profile
index 198b05a11..ab4ff10b9 100644
--- a/etc/kmail.profile
+++ b/etc/profile-a-l/kmail.profile
@@ -25,6 +25,8 @@ noblacklist ${HOME}/.local/share/apps/korganizer
 noblacklist ${HOME}/.local/share/contacts
 noblacklist ${HOME}/.local/share/emailidentities
 noblacklist ${HOME}/.local/share/kmail2
+noblacklist ${HOME}/.local/share/kxmlgui5/kmail
+noblacklist ${HOME}/.local/share/kxmlgui5/kmail2
 noblacklist ${HOME}/.local/share/local-mail
 noblacklist ${HOME}/.local/share/notes
 noblacklist /tmp/akonadi-*
diff --git a/etc/profile-a-l/kmplayer.profile b/etc/profile-a-l/kmplayer.profile
new file mode 100644
index 000000000..7eabde61d
--- /dev/null
+++ b/etc/profile-a-l/kmplayer.profile
@@ -0,0 +1,41 @@
+# Firejail profile for mplayer
+# Description: mplayer KDE GUI (movie player)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kmplayer.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/kmplayerrc
+noblacklist ${HOME}/.kde/share/config/kmplayerrc
+noblacklist ${HOME}/.local/share/kmplayer
+noblacklist ${MUSIC}
+noblacklist ${VIDEOS}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+# private-bin kmplayer,mplayer
+private-cache
+private-dev
+private-tmp
diff --git a/etc/knotes.profile b/etc/profile-a-l/knotes.profile
index ababfcdb1..f155d0ad6 100644
--- a/etc/knotes.profile
+++ b/etc/profile-a-l/knotes.profile
@@ -12,6 +12,7 @@ include knotes.local
 noblacklist ${HOME}/.config/knotesrc
 noblacklist ${HOME}/.local/share/knotes
+noblacklist ${HOME}/.local/share/kxmlgui5/knotes
 # Redirect
 include kmail.profile
diff --git a/etc/kodi.profile b/etc/profile-a-l/kodi.profile
index 86afe46b5..63cae6231 100644
--- a/etc/kodi.profile
+++ b/etc/profile-a-l/kodi.profile
@@ -33,6 +33,7 @@ caps.drop all
 netfilter
 nogroups
 nonewprivs
+# Seems to cause issues with Nvidia drivers sometimes (#3501)
 noroot
 nou2f
 protocol unix,inet,inet6,netlink
diff --git a/etc/konversation.profile b/etc/profile-a-l/konversation.profile
index dd3e9617f..4dd929c6b 100644
--- a/etc/konversation.profile
+++ b/etc/profile-a-l/konversation.profile
@@ -7,8 +7,10 @@ include konversation.local
 include globals.local
 noblacklist ${HOME}/.config/konversationrc
+noblacklist ${HOME}/.config/konversation.notifyrc
 noblacklist ${HOME}/.kde/share/config/konversationrc
 noblacklist ${HOME}/.kde4/share/config/konversationrc
+noblacklist ${HOME}/.local/share/kxmlgui5/konversation
 include disable-common.inc
 include disable-devel.inc
@@ -16,6 +18,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 include whitelist-var-common.inc
diff --git a/etc/kopete.profile b/etc/profile-a-l/kopete.profile
index e0bdce059..a5269373d 100644
--- a/etc/kopete.profile
+++ b/etc/profile-a-l/kopete.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.kde/share/apps/kopete
 noblacklist ${HOME}/.kde/share/config/kopeterc
 noblacklist ${HOME}/.kde4/share/apps/kopete
 noblacklist ${HOME}/.kde4/share/config/kopeterc
+noblacklist ${HOME}/.local/share/kxmlgui5/kopete
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/krita.profile b/etc/profile-a-l/krita.profile
index 49c36274a..be9921478 100644
--- a/etc/krita.profile
+++ b/etc/profile-a-l/krita.profile
@@ -31,7 +31,6 @@ caps.drop all
 ipc-namespace
 # net none
 netfilter
-# nodbus
 nodvd
 nogroups
 nonewprivs
@@ -47,3 +46,6 @@ shell none
 private-cache
 private-dev
 private-tmp
+# dbus-user none
+# dbus-system none
diff --git a/etc/krunner.profile b/etc/profile-a-l/krunner.profile
index c64113c15..c64113c15 100644
--- a/etc/krunner.profile
+++ b/etc/profile-a-l/krunner.profile
diff --git a/etc/ktorrent.profile b/etc/profile-a-l/ktorrent.profile
index 2eb46a7e8..b55e00f22 100644
--- a/etc/ktorrent.profile
+++ b/etc/profile-a-l/ktorrent.profile
@@ -12,6 +12,7 @@ noblacklist ${HOME}/.kde/share/config/ktorrentrc
 noblacklist ${HOME}/.kde4/share/apps/ktorrent
 noblacklist ${HOME}/.kde4/share/config/ktorrentrc
 noblacklist ${HOME}/.local/share/ktorrent
+noblacklist ${HOME}/.local/share/kxmlgui5/ktorrent
 include disable-common.inc
 include disable-devel.inc
@@ -19,10 +20,12 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 mkdir ${HOME}/.kde/share/apps/ktorrent
 mkdir ${HOME}/.kde4/share/apps/ktorrent
 mkdir ${HOME}/.local/share/ktorrent
+mkdir ${HOME}/.local/share/kxmlgui5/ktorrent
 mkfile ${HOME}/.config/ktorrentrc
 mkfile ${HOME}/.kde/share/config/ktorrentrc
 mkfile ${HOME}/.kde4/share/config/ktorrentrc
@@ -33,6 +36,7 @@ whitelist ${HOME}/.kde/share/config/ktorrentrc
 whitelist ${HOME}/.kde4/share/apps/ktorrent
 whitelist ${HOME}/.kde4/share/config/ktorrentrc
 whitelist ${HOME}/.local/share/ktorrent
+whitelist ${HOME}/.local/share/kxmlgui5/ktorrent
 include whitelist-common.inc
 include whitelist-var-common.inc
diff --git a/etc/ktouch.profile b/etc/profile-a-l/ktouch.profile
index 446bc50ee..8d8bcdd7d 100644
--- a/etc/ktouch.profile
+++ b/etc/profile-a-l/ktouch.profile
@@ -15,6 +15,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 mkfile ${HOME}/.config/ktouch2rc
@@ -28,7 +29,6 @@ apparmor
 caps.drop all
 machine-id
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -48,3 +48,6 @@ private-cache
 private-dev
 private-etc alternatives,fonts,kde5rc,machine-id
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/kwin_x11.profile b/etc/profile-a-l/kwin_x11.profile
index d512dd100..316a93d30 100644
--- a/etc/kwin_x11.profile
+++ b/etc/profile-a-l/kwin_x11.profile
@@ -19,6 +19,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 include whitelist-var-common.inc
diff --git a/etc/kwrite.profile b/etc/profile-a-l/kwrite.profile
index 31ac19039..4ff8efa70 100644
--- a/etc/kwrite.profile
+++ b/etc/profile-a-l/kwrite.profile
@@ -13,6 +13,7 @@ noblacklist ${HOME}/.config/katesyntaxhighlightingrc
 noblacklist ${HOME}/.config/katevirc
 noblacklist ${HOME}/.config/kwriterc
 noblacklist ${HOME}/.local/share/kwrite
+noblacklist ${HOME}/.local/share/kxmlgui5/kwrite
 noblacklist ${DOCUMENTS}
 include disable-common.inc
@@ -21,6 +22,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 include whitelist-var-common.inc
@@ -29,7 +31,6 @@ apparmor
 caps.drop all
 # net none
 netfilter
-# nodbus
 nodvd
 nogroups
 nonewprivs
@@ -48,5 +49,7 @@ private-dev
 private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,pulse,xdg
 private-tmp
+# dbus-user none
+# dbus-system none
 join-or-start kwrite
diff --git a/etc/latex-common.profile b/etc/profile-a-l/latex-common.profile
index 712ada722..b090be726 100644
--- a/etc/latex-common.profile
+++ b/etc/profile-a-l/latex-common.profile
@@ -14,12 +14,12 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 whitelist /var/lib
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 caps.drop all
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -37,3 +37,5 @@ private-cache
 private-dev
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/latex.profile b/etc/profile-a-l/latex.profile
index 2230dd570..2230dd570 100644
--- a/etc/latex.profile
+++ b/etc/profile-a-l/latex.profile
diff --git a/etc/lbunzip2.profile b/etc/profile-a-l/lbunzip2.profile
index 338d8c8bb..338d8c8bb 100644
--- a/etc/lbunzip2.profile
+++ b/etc/profile-a-l/lbunzip2.profile
diff --git a/etc/lbzcat.profile b/etc/profile-a-l/lbzcat.profile
index 338d8c8bb..338d8c8bb 100644
--- a/etc/lbzcat.profile
+++ b/etc/profile-a-l/lbzcat.profile
diff --git a/etc/lbzip2.profile b/etc/profile-a-l/lbzip2.profile
index 338d8c8bb..338d8c8bb 100644
--- a/etc/lbzip2.profile
+++ b/etc/profile-a-l/lbzip2.profile
diff --git a/etc/leafpad.profile b/etc/profile-a-l/leafpad.profile
index 56a792c8e..eb23b200b 100644
--- a/etc/leafpad.profile
+++ b/etc/profile-a-l/leafpad.profile
@@ -14,11 +14,13 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include whitelist-var-common.inc
+apparmor
 caps.drop all
-netfilter
+net none
 no3d
 nodvd
 nogroups
diff --git a/etc/less.profile b/etc/profile-a-l/less.profile
index 00624e0f1..de6fa67d1 100644
--- a/etc/less.profile
+++ b/etc/profile-a-l/less.profile
@@ -8,6 +8,7 @@ include less.local
 include globals.local
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 noblacklist ${HOME}/.lesshst
@@ -22,7 +23,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nonewprivs
 #noroot
@@ -44,6 +44,9 @@ private-cache
 private-dev
 writable-var-log
+dbus-user none
+dbus-system none
 memory-deny-write-execute
 read-only ${HOME}
 read-write ${HOME}/.lesshst
diff --git a/etc/libreoffice.profile b/etc/profile-a-l/libreoffice.profile
index aa113883e..f9c92f6f6 100644
--- a/etc/libreoffice.profile
+++ b/etc/profile-a-l/libreoffice.profile
@@ -46,4 +46,6 @@ tracelog
 private-dev
 private-tmp
+dbus-system none
 join-or-start libreoffice
diff --git a/etc/liferea.profile b/etc/profile-a-l/liferea.profile
index 7cfd4fc10..7cfd4fc10 100644
--- a/etc/liferea.profile
+++ b/etc/profile-a-l/liferea.profile
diff --git a/etc/profile-a-l/lightsoff.profile b/etc/profile-a-l/lightsoff.profile
new file mode 100644
index 000000000..c065c44a9
--- /dev/null
+++ b/etc/profile-a-l/lightsoff.profile
@@ -0,0 +1,16 @@
+# Firejail profile for lightsoff
+# Description: GNOME Lightsoff game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include lightsoff.local
+# Persistent global definitions
+include globals.local
+whitelist /usr/share/lightsoff
+private-bin lightsoff
+dbus-user.own org.gnome.LightsOff
+# Redirect
+include gnome_games-common.profile
diff --git a/etc/lincity-ng.profile b/etc/profile-a-l/lincity-ng.profile
index b55ac9a15..91bd12d0d 100644
--- a/etc/lincity-ng.profile
+++ b/etc/profile-a-l/lincity-ng.profile
@@ -14,6 +14,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.lincity-ng
@@ -21,10 +22,10 @@ whitelist ${HOME}/.lincity-ng
 include whitelist-common.inc
 include whitelist-var-common.inc
+apparmor
 caps.drop all
 ipc-namespace
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -42,3 +43,6 @@ private-bin lincity-ng
 private-cache
 private-dev
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/links.profile b/etc/profile-a-l/links.profile
index a31001c87..b2f94d3cf 100644
--- a/etc/links.profile
+++ b/etc/profile-a-l/links.profile
@@ -24,6 +24,7 @@ include disable-xdg.inc
 mkdir ${HOME}/.links
 whitelist ${HOME}/.links
 whitelist ${DOWNLOADS}
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 caps.drop all
diff --git a/etc/linphone.profile b/etc/profile-a-l/linphone.profile
index dc156b298..dc156b298 100644
--- a/etc/linphone.profile
+++ b/etc/profile-a-l/linphone.profile
diff --git a/etc/lmms.profile b/etc/profile-a-l/lmms.profile
index 98ddd03e5..afe1ad635 100644
--- a/etc/lmms.profile
+++ b/etc/profile-a-l/lmms.profile
@@ -22,7 +22,6 @@ caps.drop all
 ipc-namespace
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -37,3 +36,5 @@ shell none
 private-dev
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/lobase.profile b/etc/profile-a-l/lobase.profile
index 8348a57fe..8348a57fe 100644
--- a/etc/lobase.profile
+++ b/etc/profile-a-l/lobase.profile
diff --git a/etc/localc.profile b/etc/profile-a-l/localc.profile
index 8348a57fe..8348a57fe 100644
--- a/etc/localc.profile
+++ b/etc/profile-a-l/localc.profile
diff --git a/etc/lodraw.profile b/etc/profile-a-l/lodraw.profile
index 8348a57fe..8348a57fe 100644
--- a/etc/lodraw.profile
+++ b/etc/profile-a-l/lodraw.profile
diff --git a/etc/loffice.profile b/etc/profile-a-l/loffice.profile
index 8348a57fe..8348a57fe 100644
--- a/etc/loffice.profile
+++ b/etc/profile-a-l/loffice.profile
diff --git a/etc/lofromtemplate.profile b/etc/profile-a-l/lofromtemplate.profile
index 8348a57fe..8348a57fe 100644
--- a/etc/lofromtemplate.profile
+++ b/etc/profile-a-l/lofromtemplate.profile
diff --git a/etc/loimpress.profile b/etc/profile-a-l/loimpress.profile
index 8348a57fe..8348a57fe 100644
--- a/etc/loimpress.profile
+++ b/etc/profile-a-l/loimpress.profile
diff --git a/etc/lollypop.profile b/etc/profile-a-l/lollypop.profile
index 1ce83822d..1ce83822d 100644
--- a/etc/lollypop.profile
+++ b/etc/profile-a-l/lollypop.profile
diff --git a/etc/lomath.profile b/etc/profile-a-l/lomath.profile
index 8348a57fe..8348a57fe 100644
--- a/etc/lomath.profile
+++ b/etc/profile-a-l/lomath.profile
diff --git a/etc/loweb.profile b/etc/profile-a-l/loweb.profile
index 8348a57fe..8348a57fe 100644
--- a/etc/loweb.profile
+++ b/etc/profile-a-l/loweb.profile
diff --git a/etc/lowriter.profile b/etc/profile-a-l/lowriter.profile
index 8348a57fe..8348a57fe 100644
--- a/etc/lowriter.profile
+++ b/etc/profile-a-l/lowriter.profile
diff --git a/etc/lrunzip.profile b/etc/profile-a-l/lrunzip.profile
index c010cbd96..c010cbd96 100644
--- a/etc/lrunzip.profile
+++ b/etc/profile-a-l/lrunzip.profile
diff --git a/etc/lrz.profile b/etc/profile-a-l/lrz.profile
index 8077be945..8077be945 100644
--- a/etc/lrz.profile
+++ b/etc/profile-a-l/lrz.profile
diff --git a/etc/lrzcat.profile b/etc/profile-a-l/lrzcat.profile
index d05ee7aae..d05ee7aae 100644
--- a/etc/lrzcat.profile
+++ b/etc/profile-a-l/lrzcat.profile
diff --git a/etc/lrzip.profile b/etc/profile-a-l/lrzip.profile
index 3767767f6..3767767f6 100644
--- a/etc/lrzip.profile
+++ b/etc/profile-a-l/lrzip.profile
diff --git a/etc/lrztar.profile b/etc/profile-a-l/lrztar.profile
index 673e9f62e..673e9f62e 100644
--- a/etc/lrztar.profile
+++ b/etc/profile-a-l/lrztar.profile
diff --git a/etc/lrzuntar.profile b/etc/profile-a-l/lrzuntar.profile
index 245d1c669..245d1c669 100644
--- a/etc/lrzuntar.profile
+++ b/etc/profile-a-l/lrzuntar.profile
diff --git a/etc/lugaru.profile b/etc/profile-a-l/lugaru.profile
index d81441572..cd8f0e529 100644
--- a/etc/lugaru.profile
+++ b/etc/profile-a-l/lugaru.profile
@@ -17,6 +17,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.config/lugaru
@@ -29,7 +30,6 @@ include whitelist-var-common.inc
 caps.drop all
 ipc-namespace
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -47,3 +47,6 @@ private-bin lugaru
 private-cache
 private-dev
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/luminance-hdr.profile b/etc/profile-a-l/luminance-hdr.profile
index 2b0feaa17..2b0feaa17 100644
--- a/etc/luminance-hdr.profile
+++ b/etc/profile-a-l/luminance-hdr.profile
diff --git a/etc/lximage-qt.profile b/etc/profile-a-l/lximage-qt.profile
index 74adb7a67..a33ddab78 100644
--- a/etc/lximage-qt.profile
+++ b/etc/profile-a-l/lximage-qt.profile
@@ -14,9 +14,11 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include whitelist-var-common.inc
+apparmor
 caps.drop all
-netfilter
+net none
 no3d
 nodvd
 nogroups
diff --git a/etc/lxmusic.profile b/etc/profile-a-l/lxmusic.profile
index e1a37343e..9094f4377 100644
--- a/etc/lxmusic.profile
+++ b/etc/profile-a-l/lxmusic.profile
@@ -20,6 +20,7 @@ include disable-xdg.inc
 include whitelist-var-common.inc
+apparmor
 caps.drop all
 netfilter
 no3d
diff --git a/etc/lynx.profile b/etc/profile-a-l/lynx.profile
index fb6fe94ec..dbd0a61e5 100644
--- a/etc/lynx.profile
+++ b/etc/profile-a-l/lynx.profile
@@ -16,6 +16,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
+include whitelist-runuser-common.inc
 caps.drop all
 netfilter
 no3d
diff --git a/etc/profile-a-l/lyx.profile b/etc/profile-a-l/lyx.profile
new file mode 100644
index 000000000..b2c0afbe7
--- /dev/null
+++ b/etc/profile-a-l/lyx.profile
@@ -0,0 +1,33 @@
+# Firejail profile for lyx
+# Description: Open source document processor based on LaTeX typsetting
+# This file is overwritten after every install/update
+# Persistent local customizations
+include lyx.local
+# Persistent global definitions
+include globals.local
+ignore private-tmp
+noblacklist ${HOME}/.config/LyX
+noblacklist ${HOME}/.lyx
+include allow-lua.inc
+include allow-perl.inc
+include allow-python2.inc
+include allow-python3.inc
+whitelist /usr/share/lyx
+whitelist /usr/share/texinfo
+whitelist /usr/share/texlive
+whitelist /usr/share/texmf-dist
+whitelist /usr/share/tlpkg
+include whitelist-usr-share-common.inc
+apparmor
+machine-id
+# private-bin atril,dvilualatex,env,latex,lua*,luatex,lyx,lyxclient,okular,pdf2latex,pdflatex,pdftex,perl*,python*,qpdf,qpdfview,sh,tex2lyx,texmf,xelatex
+private-etc alternatives,dconf,fonts,gtk-2.0,gtk-3.0,locale,locale.alias,locale.conf,lyx,mime.types,passwd,texmf,X11,xdg
+# Redirect
+include latex-common.profile
diff --git a/etc/lzcat.profile b/etc/profile-a-l/lzcat.profile
index f7410b928..d9c72407f 100644
--- a/etc/lzcat.profile
+++ b/etc/profile-a-l/lzcat.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 # Redirect
 include cpio.profile
diff --git a/etc/lzcmp.profile b/etc/profile-a-l/lzcmp.profile
index f7410b928..d9c72407f 100644
--- a/etc/lzcmp.profile
+++ b/etc/profile-a-l/lzcmp.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 # Redirect
 include cpio.profile
diff --git a/etc/lzdiff.profile b/etc/profile-a-l/lzdiff.profile
index f7410b928..f7410b928 100644
--- a/etc/lzdiff.profile
+++ b/etc/profile-a-l/lzdiff.profile
diff --git a/etc/lzegrep.profile b/etc/profile-a-l/lzegrep.profile
index f7410b928..d9c72407f 100644
--- a/etc/lzegrep.profile
+++ b/etc/profile-a-l/lzegrep.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 # Redirect
 include cpio.profile
diff --git a/etc/lzfgrep.profile b/etc/profile-a-l/lzfgrep.profile
index f7410b928..d9c72407f 100644
--- a/etc/lzfgrep.profile
+++ b/etc/profile-a-l/lzfgrep.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 # Redirect
 include cpio.profile
diff --git a/etc/lzgrep.profile b/etc/profile-a-l/lzgrep.profile
index f7410b928..d9c72407f 100644
--- a/etc/lzgrep.profile
+++ b/etc/profile-a-l/lzgrep.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 # Redirect
 include cpio.profile
diff --git a/etc/lzip.profile b/etc/profile-a-l/lzip.profile
index f7410b928..d9c72407f 100644
--- a/etc/lzip.profile
+++ b/etc/profile-a-l/lzip.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 # Redirect
 include cpio.profile
diff --git a/etc/lzless.profile b/etc/profile-a-l/lzless.profile
index f7410b928..d9c72407f 100644
--- a/etc/lzless.profile
+++ b/etc/profile-a-l/lzless.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 # Redirect
 include cpio.profile
diff --git a/etc/lzma.profile b/etc/profile-a-l/lzma.profile
index f7410b928..d9c72407f 100644
--- a/etc/lzma.profile
+++ b/etc/profile-a-l/lzma.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 # Redirect
 include cpio.profile
diff --git a/etc/lzmadec.profile b/etc/profile-a-l/lzmadec.profile
index 0c5ec1b09..0c5ec1b09 100644
--- a/etc/lzmadec.profile
+++ b/etc/profile-a-l/lzmadec.profile
diff --git a/etc/lzmainfo.profile b/etc/profile-a-l/lzmainfo.profile
index f7410b928..d9c72407f 100644
--- a/etc/lzmainfo.profile
+++ b/etc/profile-a-l/lzmainfo.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 # Redirect
 include cpio.profile
diff --git a/etc/lzmore.profile b/etc/profile-a-l/lzmore.profile
index f7410b928..d9c72407f 100644
--- a/etc/lzmore.profile
+++ b/etc/profile-a-l/lzmore.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 # Redirect
 include cpio.profile
diff --git a/etc/Maelstrom.profile b/etc/profile-m-z/Maelstrom.profile
index cee49111e..77bce4179 100644
--- a/etc/Maelstrom.profile
+++ b/etc/profile-m-z/Maelstrom.profile
@@ -14,6 +14,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 whitelist /var/lib/games
@@ -23,7 +24,6 @@ include whitelist-var-common.inc
 caps.drop all
 ipc-namespace
 net none
-nodbus
 nodvd
 nogroups
 #nonewprivs
@@ -41,3 +41,6 @@ private-bin Maelstrom
 private-cache
 private-dev
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/Maps.profile b/etc/profile-m-z/Maps.profile
index c52d2f2da..c52d2f2da 100644
--- a/etc/Maps.profile
+++ b/etc/profile-m-z/Maps.profile
diff --git a/etc/Mathematica.profile b/etc/profile-m-z/Mathematica.profile
index c2734b1c1..c2734b1c1 100644
--- a/etc/Mathematica.profile
+++ b/etc/profile-m-z/Mathematica.profile
diff --git a/etc/Natron.profile b/etc/profile-m-z/Natron.profile
index 42c22bf67..42c22bf67 100644
--- a/etc/Natron.profile
+++ b/etc/profile-m-z/Natron.profile
diff --git a/etc/PPSSPPQt.profile b/etc/profile-m-z/PPSSPPQt.profile
index c5592f99c..c5592f99c 100644
--- a/etc/PPSSPPQt.profile
+++ b/etc/profile-m-z/PPSSPPQt.profile
diff --git a/etc/QMediathekView.profile b/etc/profile-m-z/QMediathekView.profile
index b9ddd80c4..589dcfeb6 100644
--- a/etc/QMediathekView.profile
+++ b/etc/profile-m-z/QMediathekView.profile
@@ -25,6 +25,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 whitelist /usr/share/qtchooser
@@ -34,7 +35,6 @@ include whitelist-var-common.inc
 caps.drop all
 netfilter
 # no3d
-# nodbus
 nodvd
 nogroups
 nonewprivs
@@ -53,4 +53,7 @@ private-cache
 private-dev
 private-tmp
+# dbus-user none
+# dbus-system none
 #memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/QOwnNotes.profile b/etc/profile-m-z/QOwnNotes.profile
index 8157cdff4..e2dcf17e0 100644
--- a/etc/QOwnNotes.profile
+++ b/etc/profile-m-z/QOwnNotes.profile
@@ -17,6 +17,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/Nextcloud/Notes
diff --git a/etc/profile-m-z/Screenshot.profile b/etc/profile-m-z/Screenshot.profile
new file mode 100644
index 000000000..d4b083736
--- /dev/null
+++ b/etc/profile-m-z/Screenshot.profile
@@ -0,0 +1,6 @@
+# Firejail profile for gnome-screenshot
+# This file is overwritten after every install/update
+# Temporary fix for https://github.com/netblue30/firejail/issues/2624
+# Redirect
+include gnome-screenshot.profile
diff --git a/etc/Telegram.profile b/etc/profile-m-z/Telegram.profile
index 310e0237e..310e0237e 100644
--- a/etc/Telegram.profile
+++ b/etc/profile-m-z/Telegram.profile
diff --git a/etc/profile-m-z/Thunar.profile b/etc/profile-m-z/Thunar.profile
new file mode 100644
index 000000000..28acb414b
--- /dev/null
+++ b/etc/profile-m-z/Thunar.profile
@@ -0,0 +1,12 @@
+# Firejail profile for Thunar
+# Description: File Manager for Xfce
+# This file is overwritten after every install/update
+# Persistent local customizations
+include Thunar.local
+# Persistent global definitions
+include globals.local
+# Put 'ignore noroot' in your pcmanfm.local if you use MPV+Vulkan (see issue #3012)
+# Redirect
+include file-manager-common.profile
diff --git a/etc/Viber.profile b/etc/profile-m-z/Viber.profile
index 925e130de..3195e39fa 100644
--- a/etc/Viber.profile
+++ b/etc/profile-m-z/Viber.profile
@@ -6,6 +6,7 @@ include Viber.local
 include globals.local
 noblacklist ${HOME}/.ViberPC
+noblacklist ${PATH}/dig
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/VirtualBox.profile b/etc/profile-m-z/VirtualBox.profile
index 4c99ae9a3..4c99ae9a3 100644
--- a/etc/VirtualBox.profile
+++ b/etc/profile-m-z/VirtualBox.profile
diff --git a/etc/XMind.profile b/etc/profile-m-z/XMind.profile
index 7e7c0c3cd..7e7c0c3cd 100644
--- a/etc/XMind.profile
+++ b/etc/profile-m-z/XMind.profile
diff --git a/etc/Xephyr.profile b/etc/profile-m-z/Xephyr.profile
index ab5fdf942..ab5fdf942 100644
--- a/etc/Xephyr.profile
+++ b/etc/profile-m-z/Xephyr.profile
diff --git a/etc/Xvfb.profile b/etc/profile-m-z/Xvfb.profile
index 937d02d60..937d02d60 100644
--- a/etc/Xvfb.profile
+++ b/etc/profile-m-z/Xvfb.profile
diff --git a/etc/profile-m-z/ZeGrapher.profile b/etc/profile-m-z/ZeGrapher.profile
new file mode 100644
index 000000000..02c5a043d
--- /dev/null
+++ b/etc/profile-m-z/ZeGrapher.profile
@@ -0,0 +1,48 @@
+# Firejail profile for ZeGrapher
+# Description: Free and opensource math graphing software
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ZeGrapher.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/ZeGrapher Project
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+whitelist /usr/share/ZeGrapher
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin ZeGrapher
+private-cache
+private-dev
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/macrofusion.profile b/etc/profile-m-z/macrofusion.profile
index 94d90780b..2e0071b47 100644
--- a/etc/macrofusion.profile
+++ b/etc/profile-m-z/macrofusion.profile
@@ -18,12 +18,12 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 caps.drop all
 ipc-namespace
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -41,3 +41,5 @@ private-cache
 private-dev
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/magicor.profile b/etc/profile-m-z/magicor.profile
new file mode 100644
index 000000000..d26aed0bb
--- /dev/null
+++ b/etc/profile-m-z/magicor.profile
@@ -0,0 +1,52 @@
+# Firejail profile for magicor
+# Description: Push ice blocks around to extinguish all fires
+# This file is overwritten after every install/update
+# Persistent local customizations
+include magicor.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.magicor
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+mkdir ${HOME}/.magicor
+whitelist ${HOME}/.magicor
+whitelist /usr/share/magicor
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin magicor,python2*
+private-cache
+private-dev
+private-etc machine-id
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/makepkg.profile b/etc/profile-m-z/makepkg.profile
index 513fcae55..513fcae55 100644
--- a/etc/makepkg.profile
+++ b/etc/profile-m-z/makepkg.profile
diff --git a/etc/manaplus.profile b/etc/profile-m-z/manaplus.profile
index 93d409bf8..eba77c8f2 100644
--- a/etc/manaplus.profile
+++ b/etc/profile-m-z/manaplus.profile
@@ -15,6 +15,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.config/mana
@@ -28,7 +29,6 @@ include whitelist-var-common.inc
 caps.drop all
 ipc-namespace
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -46,3 +46,6 @@ private-bin manaplus
 private-cache
 private-dev
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/masterpdfeditor.profile b/etc/profile-m-z/masterpdfeditor.profile
index e4da0c66a..e4da0c66a 100644
--- a/etc/masterpdfeditor.profile
+++ b/etc/profile-m-z/masterpdfeditor.profile
diff --git a/etc/masterpdfeditor4.profile b/etc/profile-m-z/masterpdfeditor4.profile
index 84e78171f..84e78171f 100644
--- a/etc/masterpdfeditor4.profile
+++ b/etc/profile-m-z/masterpdfeditor4.profile
diff --git a/etc/masterpdfeditor5.profile b/etc/profile-m-z/masterpdfeditor5.profile
index 057d343dd..057d343dd 100644
--- a/etc/masterpdfeditor5.profile
+++ b/etc/profile-m-z/masterpdfeditor5.profile
diff --git a/etc/mate-calc.profile b/etc/profile-m-z/mate-calc.profile
index 2f6020ad3..ce418d68f 100644
--- a/etc/mate-calc.profile
+++ b/etc/profile-m-z/mate-calc.profile
@@ -22,11 +22,12 @@ whitelist ${HOME}/.cache/mate-calc
 whitelist ${HOME}/.config/caja
 whitelist ${HOME}/.config/mate-menu
 include whitelist-common.inc
+include whitelist-var-common.inc
+apparmor
 caps.drop all
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -46,4 +47,7 @@ private-dev
 private-opt none
 private-tmp
+dbus-user none
+dbus-system none
 memory-deny-write-execute
diff --git a/etc/mate-calculator.profile b/etc/profile-m-z/mate-calculator.profile
index bb438f5f0..bb438f5f0 100644
--- a/etc/mate-calculator.profile
+++ b/etc/profile-m-z/mate-calculator.profile
diff --git a/etc/mate-color-select.profile b/etc/profile-m-z/mate-color-select.profile
index f1a7ca18f..b6dc643d4 100644
--- a/etc/mate-color-select.profile
+++ b/etc/profile-m-z/mate-color-select.profile
@@ -11,6 +11,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include whitelist-common.inc
diff --git a/etc/mate-dictionary.profile b/etc/profile-m-z/mate-dictionary.profile
index 49a776766..2267bbb50 100644
--- a/etc/mate-dictionary.profile
+++ b/etc/profile-m-z/mate-dictionary.profile
@@ -13,11 +13,13 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 mkdir ${HOME}/.config/mate/mate-dictionary
 whitelist ${HOME}/.config/mate/mate-dictionary
 include whitelist-common.inc
+apparmor
 caps.drop all
 netfilter
 no3d
diff --git a/etc/mathematica.profile b/etc/profile-m-z/mathematica.profile
index 964060350..964060350 100644
--- a/etc/mathematica.profile
+++ b/etc/profile-m-z/mathematica.profile
diff --git a/etc/profile-m-z/mattermost-desktop.profile b/etc/profile-m-z/mattermost-desktop.profile
new file mode 100644
index 000000000..e4487c8aa
--- /dev/null
+++ b/etc/profile-m-z/mattermost-desktop.profile
@@ -0,0 +1,46 @@
+# Firejail profile for mattermost-desktop
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mattermost-desktop.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/Mattermost
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-passwdmgr.inc
+include disable-shell.inc
+include disable-xdg.inc
+mkdir ${HOME}/.config/Mattermost
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.config/Mattermost
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+caps.keep sys_admin,sys_chroot
+netfilter
+nodvd
+nogroups
+notv
+nou2f
+novideo
+shell none
+disable-mnt
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl
+private-tmp
+# Not tested
+#dbus-user filter
+#dbus-user.own com.mattermost.Desktop
+#dbus-user.talk org.freedesktop.Notifications
+#dbus-system none
diff --git a/etc/mcabber.profile b/etc/profile-m-z/mcabber.profile
index 134a6ae63..b63de6c3e 100644
--- a/etc/mcabber.profile
+++ b/etc/profile-m-z/mcabber.profile
@@ -14,6 +14,7 @@ include disable-devel.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 caps.drop all
 netfilter
diff --git a/etc/mediainfo.profile b/etc/profile-m-z/mediainfo.profile
index 40ae663fc..be7c8cbca 100644
--- a/etc/mediainfo.profile
+++ b/etc/profile-m-z/mediainfo.profile
@@ -14,6 +14,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -24,7 +25,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -45,4 +45,7 @@ private-dev
 private-etc alternatives
 private-tmp
+dbus-user none
+dbus-system none
 memory-deny-write-execute
diff --git a/etc/mediathekview.profile b/etc/profile-m-z/mediathekview.profile
index 95cd673c6..95cd673c6 100644
--- a/etc/mediathekview.profile
+++ b/etc/profile-m-z/mediathekview.profile
diff --git a/etc/megaglest.profile b/etc/profile-m-z/megaglest.profile
index 08eae6dfc..19f9edf05 100644
--- a/etc/megaglest.profile
+++ b/etc/profile-m-z/megaglest.profile
@@ -18,13 +18,16 @@ include disable-xdg.inc
 mkdir ${HOME}/.megaglest
 whitelist ${HOME}/.megaglest
+whitelist /usr/share/megaglest
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
+apparmor
 caps.drop all
 ipc-namespace
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -42,3 +45,6 @@ private-bin megaglest,megaglest_editor,megaglest_g3dviewer
 private-cache
 private-dev
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/megaglest_editor.profile b/etc/profile-m-z/megaglest_editor.profile
index 02aad8084..02aad8084 100644
--- a/etc/megaglest_editor.profile
+++ b/etc/profile-m-z/megaglest_editor.profile
diff --git a/etc/meld.profile b/etc/profile-m-z/meld.profile
index 9a320c13d..385700648 100644
--- a/etc/meld.profile
+++ b/etc/profile-m-z/meld.profile
@@ -35,6 +35,9 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 # Uncomment the next line (or put it into your meld.local) if you don't need to compare files in disable-programs.inc.
 #include disable-programs.inc
+include disable-shell.inc
+include whitelist-runuser-common.inc
 # Uncomment the next lines (or put it into your meld.local) if you don't need to compare files in /usr/share.
 #whitelist /usr/share/meld
@@ -67,6 +70,7 @@ private-cache
 private-dev
 # Uncomment the next line (or put it into your meld.local) if you don't need to compare in /etc.
 #private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,pki,resolv.conf,ssl,subversion
+# Comment the next line (or add 'ignore private-tmp to your meld.local') if you want to use it as a difftool (#3551)
 private-tmp
 read-only ${HOME}/.ssh
diff --git a/etc/mencoder.profile b/etc/profile-m-z/mencoder.profile
index ad5ce436a..caf238785 100644
--- a/etc/mencoder.profile
+++ b/etc/profile-m-z/mencoder.profile
@@ -18,7 +18,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nosound
 notv
 protocol unix
@@ -27,6 +26,9 @@ x11 none
 private-bin mencoder
+dbus-user none
+dbus-system none
 memory-deny-write-execute
 # Redirect
diff --git a/etc/mendeleydesktop.profile b/etc/profile-m-z/mendeleydesktop.profile
index 1f02ff5c0..6022b110a 100644
--- a/etc/mendeleydesktop.profile
+++ b/etc/profile-m-z/mendeleydesktop.profile
@@ -29,7 +29,6 @@ include whitelist-var-common.inc
 caps.drop all
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -47,3 +46,5 @@ private-bin cat,env,gconftool-2,ln,mendeleydesktop,python*,sh,update-desktop-dat
 private-dev
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/meteo-qt.profile b/etc/profile-m-z/meteo-qt.profile
index 4437d86ea..c8b0a0ff1 100644
--- a/etc/meteo-qt.profile
+++ b/etc/profile-m-z/meteo-qt.profile
@@ -18,6 +18,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.config/meteo-qt
@@ -28,7 +29,6 @@ include whitelist-var-common.inc
 caps.drop all
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -48,4 +48,7 @@ private-cache
 private-dev
 private-tmp
+dbus-user none
+dbus-system none
 memory-deny-write-execute
diff --git a/etc/midori.profile b/etc/profile-m-z/midori.profile
index e11e2acaa..e15259608 100644
--- a/etc/midori.profile
+++ b/etc/profile-m-z/midori.profile
@@ -48,7 +48,9 @@ whitelist ${HOME}/.local/share/webkitgtk
 whitelist ${HOME}/.pki
 whitelist ${HOME}/.local/share/pki
 include whitelist-common.inc
+include whitelist-var-common.inc
+apparmor
 caps.drop all
 netfilter
 nodvd
@@ -60,3 +62,4 @@ seccomp
 tracelog
 disable-mnt
+private-tmp
diff --git a/etc/min.profile b/etc/profile-m-z/min.profile
index 7f3aeab44..7f3aeab44 100644
--- a/etc/min.profile
+++ b/etc/profile-m-z/min.profile
diff --git a/etc/profile-m-z/mindless.profile b/etc/profile-m-z/mindless.profile
new file mode 100644
index 000000000..6108c0b69
--- /dev/null
+++ b/etc/profile-m-z/mindless.profile
@@ -0,0 +1,51 @@
+# Firejail profile for mindless
+# Description: figure out the secret code
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mindless.local
+# Persistent global definitions
+include globals.local
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+whitelist /usr/share/mindless
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+disable-mnt
+private
+private-bin mindless
+private-cache
+private-dev
+private-etc fonts
+private-tmp
+dbus-user none
+dbus-system none
+memory-deny-write-execute
diff --git a/etc/profile-m-z/minecraft-launcher.profile b/etc/profile-m-z/minecraft-launcher.profile
new file mode 100644
index 000000000..8c7d18c58
--- /dev/null
+++ b/etc/profile-m-z/minecraft-launcher.profile
@@ -0,0 +1,58 @@
+# Firejail profile for minecraft-launcher
+# Description: Official Minecraft launcher from Mojang
+# This file is overwritten after every install/update
+# Persistent local customizations
+include minecraft-launcher.local
+# Persistent global definitions
+include globals.local
+# On some distros executable may be in '/opt/minecraft-launcher/', if so, run 'firejail /opt/minecraft-launcher/minecraft-launcher' to start it.
+ignore noexec ${HOME}
+noblacklist ${HOME}/.minecraft
+include allow-java.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+mkdir ${HOME}/.minecraft
+whitelist ${HOME}/.minecraft
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin java,java-config,minecraft-launcher
+private-cache
+private-dev
+# If multiplayer or realms break add your own java folder from /etc or comment the line below.
+private-etc alternatives,asound.conf,ati,ca-certificates,crypto-policies,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,java-10-openjdk,java-11-openjdk,java-12-openjdk,java-13-openjdk,java-14-openjdk,java-7-openjdk,java-8-openjdk,java-9-openjdk,java-openjdk,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,login.defs,machine-id,mime.types,nvidia,passwd,pki,pulse,resolv.conf,selinux,services,ssl,timezone,X11,xdg
+private-opt minecraft-launcher
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/minetest.profile b/etc/profile-m-z/minetest.profile
index 0439a1ccc..1da430ce6 100644
--- a/etc/minetest.profile
+++ b/etc/profile-m-z/minetest.profile
@@ -6,6 +6,9 @@ include minetest.local
 # Persistent global definitions
 include globals.local
+# In order to save in-game screenshots to a persistent location edit ~/.minetest/minetest.conf:
+#   screenshot_path = /home/<USER>/.minetest/screenshots
 noblacklist ${HOME}/.cache/minetest
 noblacklist ${HOME}/.minetest
@@ -15,19 +18,22 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.cache/minetest
 mkdir ${HOME}/.minetest
 whitelist ${HOME}/.cache/minetest
 whitelist ${HOME}/.minetest
+whitelist /usr/share/minetest
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 caps.drop all
 ipc-namespace
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -47,3 +53,6 @@ private-dev
 # private-etc needs to be updated, see #1702
 #private-etc alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/minitube.profile b/etc/profile-m-z/minitube.profile
new file mode 100644
index 000000000..2c70978a9
--- /dev/null
+++ b/etc/profile-m-z/minitube.profile
@@ -0,0 +1,61 @@
+# Firejail profile for minitube
+# Description: Native Youtube viewer for Linux
+# This file is overwritten after every install/update
+# Persistent local customizations
+include minitube.local
+# Persistent global definitions
+include globals.local
+noblacklist ${PICTURES}
+noblacklist ${HOME}/.cache/Flavio Tordini
+noblacklist ${HOME}/.config/Flavio Tordini
+noblacklist ${HOME}/.local/share/Flavio Tordini
+include allow-lua.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc 
+include disable-xdg.inc
+mkdir ${HOME}/.cache/Flavio Tordini
+mkdir ${HOME}/.config/Flavio Tordini
+mkdir ${HOME}/.local/share/Flavio Tordini
+whitelist ${PICTURES}
+whitelist ${HOME}/.cache/Flavio Tordini
+whitelist ${HOME}/.config/Flavio Tordini
+whitelist ${HOME}/.local/share/Flavio Tordini
+whitelist /usr/share/minitube
+include whitelist-common.inc 
+include whitelist-runuser-common.inc 
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin minitube
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/mirrormagic.profile b/etc/profile-m-z/mirrormagic.profile
new file mode 100644
index 000000000..ded84bf7e
--- /dev/null
+++ b/etc/profile-m-z/mirrormagic.profile
@@ -0,0 +1,51 @@
+# Firejail profile for mirrormagic
+# Description: Puzzle game where you steer a beam of light using mirrors
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mirrormagic.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.mirrormagic
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+mkdir ${HOME}/.mirrormagic
+whitelist ${HOME}/.mirrormagic
+whitelist /usr/share/mirrormagic
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+tracelog
+disable-mnt
+private
+private-bin mirrormagic
+private-cache
+private-dev
+private-etc machine-id
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/mocp.profile b/etc/profile-m-z/mocp.profile
new file mode 100644
index 000000000..6fc7a4d67
--- /dev/null
+++ b/etc/profile-m-z/mocp.profile
@@ -0,0 +1,53 @@
+# Firejail profile for mocp
+# Description: A powerful & easy to use console audio player
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include mocp.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.moc
+noblacklist ${MUSIC}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+private-bin mocp
+private-cache
+private-dev
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,machine-id,pki,pulse,resolv.conf,ssl
+private-tmp
+dbus-user none
+dbus-system none
+memory-deny-write-execute
+read-only ${HOME}
+read-write ${HOME}/.moc
diff --git a/etc/mousepad.profile b/etc/profile-m-z/mousepad.profile
index 20370a5b5..5f15b71e2 100644
--- a/etc/mousepad.profile
+++ b/etc/profile-m-z/mousepad.profile
@@ -14,11 +14,13 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include whitelist-var-common.inc
+apparmor
 caps.drop all
-netfilter
+net none
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/mp3splt-gtk.profile b/etc/profile-m-z/mp3splt-gtk.profile
index e0936476b..3481a4a82 100644
--- a/etc/mp3splt-gtk.profile
+++ b/etc/profile-m-z/mp3splt-gtk.profile
@@ -14,6 +14,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include whitelist-var-common.inc
@@ -21,7 +22,6 @@ apparmor
 caps.drop all
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -39,3 +39,6 @@ private-cache
 private-dev
 private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-3.0,machine-id,openal,pulse
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/mp3splt.profile b/etc/profile-m-z/mp3splt.profile
index 7754d276b..c65754a03 100644
--- a/etc/mp3splt.profile
+++ b/etc/profile-m-z/mp3splt.profile
@@ -26,7 +26,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -49,3 +48,6 @@ private-etc alternatives
 private-tmp
 memory-deny-write-execute
+dbus-user none
+dbus-system none
diff --git a/etc/mp3wrap.profile b/etc/profile-m-z/mp3wrap.profile
index 9e48f7807..9e48f7807 100644
--- a/etc/mp3wrap.profile
+++ b/etc/profile-m-z/mp3wrap.profile
diff --git a/etc/mpDris2.profile b/etc/profile-m-z/mpDris2.profile
index fd0351db0..4ba1dfbd6 100644
--- a/etc/mpDris2.profile
+++ b/etc/profile-m-z/mpDris2.profile
@@ -20,6 +20,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 whitelist ${MUSIC}
diff --git a/etc/mpd.profile b/etc/profile-m-z/mpd.profile
index 3fda87a48..3fda87a48 100644
--- a/etc/mpd.profile
+++ b/etc/profile-m-z/mpd.profile
diff --git a/etc/mpg123-alsa.profile b/etc/profile-m-z/mpg123-alsa.profile
index 378435af1..378435af1 100644
--- a/etc/mpg123-alsa.profile
+++ b/etc/profile-m-z/mpg123-alsa.profile
diff --git a/etc/mpg123-id3dump.profile b/etc/profile-m-z/mpg123-id3dump.profile
index 370a57b3c..370a57b3c 100644
--- a/etc/mpg123-id3dump.profile
+++ b/etc/profile-m-z/mpg123-id3dump.profile
diff --git a/etc/mpg123-jack.profile b/etc/profile-m-z/mpg123-jack.profile
index e36a2e5b3..e36a2e5b3 100644
--- a/etc/mpg123-jack.profile
+++ b/etc/profile-m-z/mpg123-jack.profile
diff --git a/etc/mpg123-nas.profile b/etc/profile-m-z/mpg123-nas.profile
index cdbf0b1d2..cdbf0b1d2 100644
--- a/etc/mpg123-nas.profile
+++ b/etc/profile-m-z/mpg123-nas.profile
diff --git a/etc/mpg123-openal.profile b/etc/profile-m-z/mpg123-openal.profile
index e5585feaa..e5585feaa 100644
--- a/etc/mpg123-openal.profile
+++ b/etc/profile-m-z/mpg123-openal.profile
diff --git a/etc/mpg123-oss.profile b/etc/profile-m-z/mpg123-oss.profile
index dcb92ecd6..dcb92ecd6 100644
--- a/etc/mpg123-oss.profile
+++ b/etc/profile-m-z/mpg123-oss.profile
diff --git a/etc/mpg123-portaudio.profile b/etc/profile-m-z/mpg123-portaudio.profile
index 319843504..319843504 100644
--- a/etc/mpg123-portaudio.profile
+++ b/etc/profile-m-z/mpg123-portaudio.profile
diff --git a/etc/mpg123-pulse.profile b/etc/profile-m-z/mpg123-pulse.profile
index 31063a96b..31063a96b 100644
--- a/etc/mpg123-pulse.profile
+++ b/etc/profile-m-z/mpg123-pulse.profile
diff --git a/etc/mpg123-strip.profile b/etc/profile-m-z/mpg123-strip.profile
index 62de57c22..62de57c22 100644
--- a/etc/mpg123-strip.profile
+++ b/etc/profile-m-z/mpg123-strip.profile
diff --git a/etc/mpg123.bin.profile b/etc/profile-m-z/mpg123.bin.profile
index 0a01d0829..0a01d0829 100644
--- a/etc/mpg123.bin.profile
+++ b/etc/profile-m-z/mpg123.bin.profile
diff --git a/etc/mpg123.profile b/etc/profile-m-z/mpg123.profile
index 6dfeb4586..b1ab81c1e 100644
--- a/etc/mpg123.profile
+++ b/etc/profile-m-z/mpg123.profile
@@ -1,13 +1,13 @@
 # Firejail profile for mpg123
 # Description: MPEG audio player/decoder
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include mpg123.local
 # Persistent global definitions
 include globals.local
 noblacklist ${MUSIC}
-noblacklist ${VIDEOS}
 include disable-common.inc
 include disable-devel.inc
@@ -23,17 +23,23 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
-nodbus
+no3d
 nogroups
 nonewprivs
 noroot
+notv
 nou2f
+novideo
 protocol unix,inet,inet6,netlink
 seccomp
 shell none
+tracelog
 #private-bin mpg123*
 private-dev
 private-tmp
+dbus-user none
+dbus-system none
 memory-deny-write-execute
diff --git a/etc/mplayer.profile b/etc/profile-m-z/mplayer.profile
index 9ab4f8c7f..cd25d6c0b 100644
--- a/etc/mplayer.profile
+++ b/etc/profile-m-z/mplayer.profile
@@ -21,7 +21,9 @@ include disable-xdg.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
+apparmor
 caps.drop all
+# net none - mplayer can be used for streaming.
 netfilter
 # nogroups
 nonewprivs
diff --git a/etc/mpsyt.profile b/etc/profile-m-z/mpsyt.profile
index 546755ecb..e0c6ff1c8 100644
--- a/etc/mpsyt.profile
+++ b/etc/profile-m-z/mpsyt.profile
@@ -26,6 +26,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.config/mps-youtube
@@ -48,7 +49,6 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
-nodbus
 nodvd
 # Seems to cause issues with Nvidia drivers sometimes
 nogroups
@@ -67,3 +67,5 @@ private-bin env,ffmpeg,mplayer,mpsyt,mpv,python*,youtube-dl
 private-dev
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/mpv.profile b/etc/profile-m-z/mpv.profile
index 56cd66199..2fc027257 100644
--- a/etc/mpv.profile
+++ b/etc/profile-m-z/mpv.profile
@@ -11,6 +11,8 @@ noblacklist ${HOME}/.config/mpv
 noblacklist ${HOME}/.config/youtube-dl
 noblacklist ${HOME}/.netrc
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
 include allow-python3.inc
@@ -25,8 +27,11 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
+whitelist /usr/share/lua
+whitelist /usr/share/lua*
 whitelist /usr/share/vulkan
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -34,8 +39,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
-nodbus
+# nogroups seems to cause issues with Nvidia drivers sometimes
-# Seems to cause issues with Nvidia drivers sometimes
 nogroups
 nonewprivs
 noroot
@@ -46,6 +50,9 @@ shell none
 tracelog
 private-bin env,mpv,python*,youtube-dl
-# Causes slow OSD, see #2838
+# private-cache causes slow OSD, see #2838
 #private-cache
 private-dev
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/mrrescue.profile b/etc/profile-m-z/mrrescue.profile
new file mode 100644
index 000000000..f02a4f357
--- /dev/null
+++ b/etc/profile-m-z/mrrescue.profile
@@ -0,0 +1,49 @@
+# Firejail profile for mrrescue
+# Description: Arcade-style fire fighting game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mrrescue.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.local/share/love
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.local/share/love
+whitelist ${HOME}/.local/share/love
+whitelist /usr/share/mrrescue
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin love,mrrescue,sh
+private-cache
+private-dev
+private-etc machine-id
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/ms-excel.profile b/etc/profile-m-z/ms-excel.profile
index db24e8f9b..db24e8f9b 100644
--- a/etc/ms-excel.profile
+++ b/etc/profile-m-z/ms-excel.profile
diff --git a/etc/ms-office.profile b/etc/profile-m-z/ms-office.profile
index 3bc674134..a6892d698 100644
--- a/etc/ms-office.profile
+++ b/etc/profile-m-z/ms-office.profile
@@ -21,7 +21,6 @@ include disable-programs.inc
 caps.drop all
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -40,3 +39,5 @@ private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl
 private-dev
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/ms-onenote.profile b/etc/profile-m-z/ms-onenote.profile
index 9ea0637bd..9ea0637bd 100644
--- a/etc/ms-onenote.profile
+++ b/etc/profile-m-z/ms-onenote.profile
diff --git a/etc/ms-outlook.profile b/etc/profile-m-z/ms-outlook.profile
index fc3e7c009..fc3e7c009 100644
--- a/etc/ms-outlook.profile
+++ b/etc/profile-m-z/ms-outlook.profile
diff --git a/etc/ms-powerpoint.profile b/etc/profile-m-z/ms-powerpoint.profile
index dadcd5b1e..dadcd5b1e 100644
--- a/etc/ms-powerpoint.profile
+++ b/etc/profile-m-z/ms-powerpoint.profile
diff --git a/etc/ms-skype.profile b/etc/profile-m-z/ms-skype.profile
index df1618361..df1618361 100644
--- a/etc/ms-skype.profile
+++ b/etc/profile-m-z/ms-skype.profile
diff --git a/etc/ms-word.profile b/etc/profile-m-z/ms-word.profile
index 5a617a893..5a617a893 100644
--- a/etc/ms-word.profile
+++ b/etc/profile-m-z/ms-word.profile
diff --git a/etc/profile-m-z/mtpaint.profile b/etc/profile-m-z/mtpaint.profile
new file mode 100644
index 000000000..cfd00e8ae
--- /dev/null
+++ b/etc/profile-m-z/mtpaint.profile
@@ -0,0 +1,49 @@
+# Firejail profile for mtpaint
+# Description: Simple painting and editing program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mtpaint.local
+# Persistent global definitions
+include globals.local
+noblacklist ${PICTURES}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc 
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+include whitelist-runuser-common.inc 
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+no3d
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin mtpaint
+private-cache
+private-dev
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/multimc.profile b/etc/profile-m-z/multimc.profile
index 338f494c9..338f494c9 100644
--- a/etc/multimc.profile
+++ b/etc/profile-m-z/multimc.profile
diff --git a/etc/multimc5.profile b/etc/profile-m-z/multimc5.profile
index 475307418..475307418 100644
--- a/etc/multimc5.profile
+++ b/etc/profile-m-z/multimc5.profile
diff --git a/etc/mumble.profile b/etc/profile-m-z/mumble.profile
index 94ccbad0c..0c4efc3d3 100644
--- a/etc/mumble.profile
+++ b/etc/profile-m-z/mumble.profile
@@ -16,6 +16,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 mkdir ${HOME}/.config/Mumble
 mkdir ${HOME}/.local/share/data/Mumble
@@ -34,7 +35,7 @@ nogroups
 nonewprivs
 noroot
 notv
-protocol unix,inet,inet6
+protocol unix,inet,inet6,netlink
 seccomp
 shell none
 tracelog
diff --git a/etc/mupdf-gl.profile b/etc/profile-m-z/mupdf-gl.profile
index be94a9083..be94a9083 100644
--- a/etc/mupdf-gl.profile
+++ b/etc/profile-m-z/mupdf-gl.profile
diff --git a/etc/mupdf-x11-curl.profile b/etc/profile-m-z/mupdf-x11-curl.profile
index a04d386a2..a04d386a2 100644
--- a/etc/mupdf-x11-curl.profile
+++ b/etc/profile-m-z/mupdf-x11-curl.profile
diff --git a/etc/mupdf-x11.profile b/etc/profile-m-z/mupdf-x11.profile
index 256201d0c..256201d0c 100644
--- a/etc/mupdf-x11.profile
+++ b/etc/profile-m-z/mupdf-x11.profile
diff --git a/etc/mupdf.profile b/etc/profile-m-z/mupdf.profile
index 43afbc859..a3e56170a 100644
--- a/etc/mupdf.profile
+++ b/etc/profile-m-z/mupdf.profile
@@ -18,10 +18,10 @@ include disable-xdg.inc
 include whitelist-var-common.inc
+apparmor
 caps.drop all
 machine-id
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -38,3 +38,6 @@ tracelog
 private-dev
 private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/mupen64plus.profile b/etc/profile-m-z/mupen64plus.profile
index e131f5319..00983a8f3 100644
--- a/etc/mupen64plus.profile
+++ b/etc/profile-m-z/mupen64plus.profile
@@ -24,10 +24,12 @@ include whitelist-common.inc
 caps.drop all
 net none
-nodbus
 nodvd
 nonewprivs
 noroot
 notv
 novideo
 seccomp
+dbus-user none
+dbus-system none
diff --git a/etc/muraster.profile b/etc/profile-m-z/muraster.profile
index 90e3f2050..90e3f2050 100644
--- a/etc/muraster.profile
+++ b/etc/profile-m-z/muraster.profile
diff --git a/etc/musescore.profile b/etc/profile-m-z/musescore.profile
index b3693c956..679e82ae8 100644
--- a/etc/musescore.profile
+++ b/etc/profile-m-z/musescore.profile
@@ -23,6 +23,7 @@ include disable-xdg.inc
 include whitelist-var-common.inc
+apparmor
 caps.drop all
 netfilter
 no3d
diff --git a/etc/musixmatch.profile b/etc/profile-m-z/musixmatch.profile
index a6b85a8e4..a6b85a8e4 100644
--- a/etc/musixmatch.profile
+++ b/etc/profile-m-z/musixmatch.profile
diff --git a/etc/mutool.profile b/etc/profile-m-z/mutool.profile
index e61f4665d..e61f4665d 100644
--- a/etc/mutool.profile
+++ b/etc/profile-m-z/mutool.profile
diff --git a/etc/mutt.profile b/etc/profile-m-z/mutt.profile
index 1fc412955..1ce12f54f 100644
--- a/etc/mutt.profile
+++ b/etc/profile-m-z/mutt.profile
@@ -40,6 +40,8 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include whitelist-runuser-common.inc
 caps.drop all
 netfilter
 no3d
@@ -57,3 +59,4 @@ shell none
 private-dev
 writable-run-user
+writable-var
diff --git a/etc/mypaint-ora-thumbnailer.profile b/etc/profile-m-z/mypaint-ora-thumbnailer.profile
index 59b3024ed..59b3024ed 100644
--- a/etc/mypaint-ora-thumbnailer.profile
+++ b/etc/profile-m-z/mypaint-ora-thumbnailer.profile
diff --git a/etc/mypaint.profile b/etc/profile-m-z/mypaint.profile
index d75651d78..c592e8477 100644
--- a/etc/mypaint.profile
+++ b/etc/profile-m-z/mypaint.profile
@@ -28,7 +28,6 @@ caps.drop all
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -47,3 +46,5 @@ private-dev
 private-etc alternatives,dconf,fonts,gtk-3.0
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/nano.profile b/etc/profile-m-z/nano.profile
index bc8c3dde0..2a4625896 100644
--- a/etc/nano.profile
+++ b/etc/profile-m-z/nano.profile
@@ -28,7 +28,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -50,4 +49,7 @@ private-dev
 # Comment the next line if you want to edit files in /etc directly
 private-etc alternatives,nanorc
+dbus-user none
+dbus-system none
 memory-deny-write-execute
diff --git a/etc/natron.profile b/etc/profile-m-z/natron.profile
index 7ad217b72..5bf152f84 100644
--- a/etc/natron.profile
+++ b/etc/profile-m-z/natron.profile
@@ -22,7 +22,6 @@ include disable-programs.inc
 caps.drop all
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -34,3 +33,6 @@ seccomp
 shell none
 private-bin natron,Natron,NatronRenderer
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/nautilus.profile b/etc/profile-m-z/nautilus.profile
new file mode 100644
index 000000000..e54bea228
--- /dev/null
+++ b/etc/profile-m-z/nautilus.profile
@@ -0,0 +1,15 @@
+# Firejail profile for nautilus
+# Description: File manager and graphical shell for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include nautilus.local
+# Persistent global definitions
+include globals.local
+# Nautilus is started by systemd on most systems. Therefore it is not firejailed by default. Since there
+# is already a nautilus process running on gnome desktops firejail will have no effect.
+# Put 'ignore noroot' in your nautilus.local if you use MPV+Vulkan (see issue #3012)
+# Redirect
+include file-manager-common.profile
diff --git a/etc/ncdu.profile b/etc/profile-m-z/ncdu.profile
index 9fda6ebe0..651804bf1 100644
--- a/etc/ncdu.profile
+++ b/etc/profile-m-z/ncdu.profile
@@ -12,7 +12,6 @@ include disable-exec.inc
 caps.drop all
 ipc-namespace
-nodbus
 net none
 no3d
 nodvd
@@ -31,4 +30,7 @@ x11 none
 private-dev
 # private-tmp
+dbus-user none
+dbus-system none
 memory-deny-write-execute
diff --git a/etc/profile-m-z/nemo.profile b/etc/profile-m-z/nemo.profile
new file mode 100644
index 000000000..1b3333e8c
--- /dev/null
+++ b/etc/profile-m-z/nemo.profile
@@ -0,0 +1,12 @@
+# Firejail profile for nemo
+# Description: File manager and graphical shell for Cinnamon
+# This file is overwritten after every install/update
+# Persistent local customizations
+include nemo.local
+# Persistent global definitions
+include globals.local
+# Put 'ignore noroot' in your nemo.local if you use MPV+Vulkan (see issue #3012)
+# Redirect
+include file-manager-common.profile
diff --git a/etc/netactview.profile b/etc/profile-m-z/netactview.profile
index 0618caf68..fd73cea89 100644
--- a/etc/netactview.profile
+++ b/etc/profile-m-z/netactview.profile
@@ -14,6 +14,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 mkfile ${HOME}/.netactview
@@ -29,7 +30,6 @@ ipc-namespace
 machine-id
 netfilter
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -49,4 +49,7 @@ private-etc alternatives,fonts
 private-lib
 private-tmp
+dbus-user none
+dbus-system none
 memory-deny-write-execute
diff --git a/etc/nethack-vultures.profile b/etc/profile-m-z/nethack-vultures.profile
index 079f44ee7..4daa8054b 100644
--- a/etc/nethack-vultures.profile
+++ b/etc/profile-m-z/nethack-vultures.profile
@@ -24,7 +24,6 @@ include whitelist-var-common.inc
 caps.drop all
 ipc-namespace
 net none
-nodbus
 nodvd
 nogroups
 #nonewprivs
@@ -41,3 +40,6 @@ private-cache
 private-dev
 private-tmp
 writable-var
+dbus-user none
+dbus-system none
diff --git a/etc/nethack.profile b/etc/profile-m-z/nethack.profile
index 3df632451..c8c927db2 100644
--- a/etc/nethack.profile
+++ b/etc/profile-m-z/nethack.profile
@@ -23,7 +23,6 @@ caps.drop all
 ipc-namespace
 net none
 no3d
-nodbus
 nodvd
 nogroups
 #nonewprivs
@@ -42,4 +41,7 @@ private-dev
 private-tmp
 writable-var
+dbus-user none
+dbus-system none
 #memory-deny-write-execute
diff --git a/etc/netsurf.profile b/etc/profile-m-z/netsurf.profile
index 0ddb7bbbe..0ddb7bbbe 100644
--- a/etc/netsurf.profile
+++ b/etc/profile-m-z/netsurf.profile
diff --git a/etc/neverball.profile b/etc/profile-m-z/neverball.profile
index 84c634549..84c634549 100644
--- a/etc/neverball.profile
+++ b/etc/profile-m-z/neverball.profile
diff --git a/etc/neverputt.profile b/etc/profile-m-z/neverputt.profile
index d370d1218..d370d1218 100644
--- a/etc/neverputt.profile
+++ b/etc/profile-m-z/neverputt.profile
diff --git a/etc/newsbeuter.profile b/etc/profile-m-z/newsbeuter.profile
index 059c2156d..85581a2f0 100644
--- a/etc/newsbeuter.profile
+++ b/etc/profile-m-z/newsbeuter.profile
@@ -1,4 +1,4 @@
-# Firejail profile for Newsboat
+# Firejail profile for Newsbeuter
 # Description: Text based Atom/RSS feed reader
 # This file is overwritten after every install/update
 # Persistent local customizations
diff --git a/etc/newsboat.profile b/etc/profile-m-z/newsboat.profile
index e063abe53..a7bac6286 100644
--- a/etc/newsboat.profile
+++ b/etc/profile-m-z/newsboat.profile
@@ -19,13 +19,13 @@ include disable-xdg.inc
 mkdir ${HOME}/.newsboat
 whitelist ${HOME}/.newsboat
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 caps.drop all
 ipc-namespace
 netfilter
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -44,4 +44,7 @@ private-dev
 private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl,terminfo
 private-tmp
+dbus-user none
+dbus-system none
 memory-deny-write-execute
diff --git a/etc/profile-m-z/newsflash.profile b/etc/profile-m-z/newsflash.profile
new file mode 100644
index 000000000..d0ac83baf
--- /dev/null
+++ b/etc/profile-m-z/newsflash.profile
@@ -0,0 +1,60 @@
+# Firejail profile for newsflash
+# Description: Modern feed reader
+# This file is overwritten after every install/update
+# Persistent local customizations
+include newsflash.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.cache/NewsFlashGTK
+noblacklist ${HOME}/.config/news-flash
+noblacklist ${HOME}/.local/share/news-flash
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+mkdir ${HOME}/.cache/NewsFlashGTK
+mkdir ${HOME}/.config/news-flash
+mkdir ${HOME}/.local/share/news-flash
+whitelist ${HOME}/.cache/NewsFlashGTK
+whitelist ${HOME}/.config/news-flash
+whitelist ${HOME}/.local/share/news-flash
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+machine-id
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin com.gitlab.newsflash,newsflash
+private-cache
+private-dev
+private-etc ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,nsswitch.conf,pango,pki,resolv.conf,ssl,X11
+private-tmp
+dbus-user none
+#dbus-user.own com.gitlab.newsflash
+#dbus-user.talk org.freedesktop.Notifications
+dbus-system none
diff --git a/etc/nheko.profile b/etc/profile-m-z/nheko.profile
index 119b30239..701098f4b 100644
--- a/etc/nheko.profile
+++ b/etc/profile-m-z/nheko.profile
@@ -15,6 +15,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 mkdir ${HOME}/.config/nheko
 mkdir ${HOME}/.cache/nheko/nheko
diff --git a/etc/profile-m-z/nicotine.profile b/etc/profile-m-z/nicotine.profile
new file mode 100644
index 000000000..6c363345e
--- /dev/null
+++ b/etc/profile-m-z/nicotine.profile
@@ -0,0 +1,56 @@
+# Firejail profile for Nicotine Plus
+# Description: Soulseek music-sharing client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include nicotine.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.nicotine
+include allow-python2.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+mkdir ${HOME}/.nicotine
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.nicotine
+whitelist /usr/share/GeoIP
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+#ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin nicotine,python2*
+private-cache
+private-dev
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/nitroshare-cli.profile b/etc/profile-m-z/nitroshare-cli.profile
index d9cb2edc5..d9cb2edc5 100644
--- a/etc/nitroshare-cli.profile
+++ b/etc/profile-m-z/nitroshare-cli.profile
diff --git a/etc/nitroshare-nmh.profile b/etc/profile-m-z/nitroshare-nmh.profile
index d9cb2edc5..d9cb2edc5 100644
--- a/etc/nitroshare-nmh.profile
+++ b/etc/profile-m-z/nitroshare-nmh.profile
diff --git a/etc/nitroshare-send.profile b/etc/profile-m-z/nitroshare-send.profile
index d9cb2edc5..d9cb2edc5 100644
--- a/etc/nitroshare-send.profile
+++ b/etc/profile-m-z/nitroshare-send.profile
diff --git a/etc/nitroshare-ui.profile b/etc/profile-m-z/nitroshare-ui.profile
index d9cb2edc5..d9cb2edc5 100644
--- a/etc/nitroshare-ui.profile
+++ b/etc/profile-m-z/nitroshare-ui.profile
diff --git a/etc/nitroshare.profile b/etc/profile-m-z/nitroshare.profile
index dfa64cff9..1743a771e 100644
--- a/etc/nitroshare.profile
+++ b/etc/profile-m-z/nitroshare.profile
@@ -26,7 +26,6 @@ include whitelist-var-common.inc
 caps.drop all
 netfilter
 no3d
-# nodbus
 nodvd
 nogroups
 nonewprivs
@@ -47,4 +46,7 @@ private-etc alternatives,ca-certificates,dconf,fonts,hostname,hosts,ld.so.cache,
 # private-lib libnitroshare.so.*,libqhttpengine.so.*,libqmdnsengine.so.*,nitroshare
 private-tmp
+# dbus-user none
+# dbus-system none
 # memory-deny-write-execute
diff --git a/etc/nomacs.profile b/etc/profile-m-z/nomacs.profile
index 7a7ff504a..d081c9cb7 100644
--- a/etc/nomacs.profile
+++ b/etc/profile-m-z/nomacs.profile
@@ -43,5 +43,3 @@ private-cache
 private-dev
 private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hosts,login.defs,machine-id,pki,resolv.conf,ssl
 private-tmp
-memory-deny-write-execute
diff --git a/etc/profile-m-z/nslookup.profile b/etc/profile-m-z/nslookup.profile
new file mode 100644
index 000000000..a8e0ddd89
--- /dev/null
+++ b/etc/profile-m-z/nslookup.profile
@@ -0,0 +1,56 @@
+# Firejail profile for nslookup
+# Description: DNS lookup utility
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include nslookup.local
+# Persistent global definitions
+include globals.local
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
+noblacklist ${PATH}/nslookup
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+whitelist ${HOME}/.nslookuprc
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin bash,nslookup,sh
+private-dev
+private-tmp
+dbus-user none
+dbus-system none
+memory-deny-write-execute
diff --git a/etc/profile-m-z/nuclear.profile b/etc/profile-m-z/nuclear.profile
new file mode 100644
index 000000000..1b97eda9b
--- /dev/null
+++ b/etc/profile-m-z/nuclear.profile
@@ -0,0 +1,40 @@
+# Firejail profile for nuclear
+# Description: Stream music from Youtube,Soundcloud,Jamendo
+# This file is overwritten after every install/update
+# Persistent local customizations
+include nuclear.local
+# Persistent global definitions
+include globals.local
+ignore dbus-user
+noblacklist ${HOME}/.config/nuclear
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-shell.inc 
+include disable-xdg.inc
+mkdir ${HOME}/.config/nuclear
+whitelist ${HOME}/.config/nuclear
+include whitelist-common.inc 
+include whitelist-runuser-common.inc 
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+no3d
+nou2f
+novideo
+shell none
+disable-mnt
+# private-bin nuclear
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-opt nuclear
+private-tmp
+# Redirect
+include electron.profile
diff --git a/etc/nylas.profile b/etc/profile-m-z/nylas.profile
index c959eb991..c959eb991 100644
--- a/etc/nylas.profile
+++ b/etc/profile-m-z/nylas.profile
diff --git a/etc/nyx.profile b/etc/profile-m-z/nyx.profile
index c4475c75c..9e27dafab 100644
--- a/etc/nyx.profile
+++ b/etc/profile-m-z/nyx.profile
@@ -18,6 +18,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.nyx
@@ -28,7 +29,6 @@ include whitelist-var-common.inc
 caps.drop all
 netfilter
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -50,3 +50,5 @@ private-opt none
 private-srv none
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/obs.profile b/etc/profile-m-z/obs.profile
index 4277bdab3..4277bdab3 100644
--- a/etc/obs.profile
+++ b/etc/profile-m-z/obs.profile
diff --git a/etc/ocenaudio.profile b/etc/profile-m-z/ocenaudio.profile
index a523a6c56..ae18cfff9 100644
--- a/etc/ocenaudio.profile
+++ b/etc/profile-m-z/ocenaudio.profile
@@ -16,6 +16,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 include whitelist-usr-share-common.inc
@@ -29,8 +30,6 @@ ipc-namespace
 #net none
 netfilter
 no3d
-# nodbus - breaks preferences, comment (or put 'ignore nodbus' in your oceanaudio.local) when needed
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -49,4 +48,8 @@ private-dev
 private-etc alternatives,asound.conf,fonts,ld.so.cache,pulse
 private-tmp
+# breaks preferences
+# dbus-user none
+# dbus-system none
 #memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/odt2txt.profile b/etc/profile-m-z/odt2txt.profile
index c0c5b671c..6201b6fba 100644
--- a/etc/odt2txt.profile
+++ b/etc/profile-m-z/odt2txt.profile
@@ -15,12 +15,12 @@ include disable-devel.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 caps.drop all
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -40,4 +40,8 @@ private-cache
 private-dev
 private-etc alternatives
 private-tmp
+dbus-user none
+dbus-system none
 read-only ${HOME}
diff --git a/etc/oggsplt.profile b/etc/profile-m-z/oggsplt.profile
index 5aedadde9..5aedadde9 100644
--- a/etc/oggsplt.profile
+++ b/etc/profile-m-z/oggsplt.profile
diff --git a/etc/okular.profile b/etc/profile-m-z/okular.profile
index 9debd86ff..36723ca29 100644
--- a/etc/okular.profile
+++ b/etc/profile-m-z/okular.profile
@@ -15,6 +15,7 @@ noblacklist ${HOME}/.kde/share/config/okularrc
 noblacklist ${HOME}/.kde4/share/apps/okular
 noblacklist ${HOME}/.kde4/share/config/okularpartrc
 noblacklist ${HOME}/.kde4/share/config/okularrc
+noblacklist ${HOME}/.local/share/kxmlgui5/okular
 noblacklist ${HOME}/.local/share/okular
 noblacklist ${DOCUMENTS}
@@ -24,9 +25,11 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 whitelist /usr/share/config.kcfg
+whitelist /usr/share/kxmlgui5/okular
 whitelist /usr/share/okular
 whitelist /usr/share/poppler
 include whitelist-usr-share-common.inc
@@ -37,7 +40,6 @@ caps.drop all
 machine-id
 # net none
 netfilter
-# nodbus
 nodvd
 nogroups
 nonewprivs
@@ -56,6 +58,9 @@ private-dev
 private-etc alternatives,cups,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,xdg
 # private-tmp - on KDE we need access to the real /tmp for data exchange with email clients
+# dbus-user none
+# dbus-system none
 # memory-deny-write-execute
 join-or-start okular
diff --git a/etc/onionshare-gui.profile b/etc/profile-m-z/onionshare-gui.profile
index 5bfcd0527..5bfcd0527 100644
--- a/etc/onionshare-gui.profile
+++ b/etc/profile-m-z/onionshare-gui.profile
diff --git a/etc/ooffice.profile b/etc/profile-m-z/ooffice.profile
index 8348a57fe..8348a57fe 100644
--- a/etc/ooffice.profile
+++ b/etc/profile-m-z/ooffice.profile
diff --git a/etc/ooviewdoc.profile b/etc/profile-m-z/ooviewdoc.profile
index 8348a57fe..8348a57fe 100644
--- a/etc/ooviewdoc.profile
+++ b/etc/profile-m-z/ooviewdoc.profile
diff --git a/etc/open-invaders.profile b/etc/profile-m-z/open-invaders.profile
index 5925ccc09..e18599d1d 100644
--- a/etc/open-invaders.profile
+++ b/etc/profile-m-z/open-invaders.profile
@@ -10,17 +10,20 @@ noblacklist ${HOME}/.openinvaders
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 mkdir ${HOME}/.openinvaders
 whitelist ${HOME}/.openinvaders
 include whitelist-common.inc
+include whitelist-var-common.inc
+apparmor
 caps.drop all
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -32,6 +35,9 @@ protocol unix,netlink
 seccomp
 shell none
-# private-bin open-invaders
+private-bin open-invaders
 private-dev
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/openarena.profile b/etc/profile-m-z/openarena.profile
index c83e78e2c..45682fc31 100644
--- a/etc/openarena.profile
+++ b/etc/profile-m-z/openarena.profile
@@ -16,28 +16,35 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
+mkdir ${HOME}/.openarena
+whitelist ${HOME}/.openarena
+whitelist /usr/share/openarena
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.in
 include whitelist-var-common.inc
 apparmor
 caps.drop all
-# ipc-namespace
+netfilter
-# netfilter
+nodvd
-# nodbus
+nogroups
-# nodvd
-# nogroups
 nonewprivs
 noroot
 notv
-# nou2f
+nou2f
 novideo
 protocol unix,inet,inet6,netlink
 seccomp
 shell none
-# tracelog
+tracelog
-# disable-mnt
+disable-mnt
-# private-bin openarena
+private-bin bash,cut,glxinfo,grep,head,openarena,openarena_ded,quake3,zenity
 private-cache
 private-dev
-# private-etc drirc,machine-id,openal,passwd,selinux,udev,xdg
+private-etc drirc,machine-id,openal,passwd,selinux,udev,xdg
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/openarena_ded.profile b/etc/profile-m-z/openarena_ded.profile
new file mode 100644
index 000000000..c529e7e11
--- /dev/null
+++ b/etc/profile-m-z/openarena_ded.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for openarena
+# This file is overwritten after every install/update
+# Redirect
+include openarena.profile
diff --git a/etc/openbox.profile b/etc/profile-m-z/openbox.profile
index 1fb93c79c..1fb93c79c 100644
--- a/etc/openbox.profile
+++ b/etc/profile-m-z/openbox.profile
diff --git a/etc/opencity.profile b/etc/profile-m-z/opencity.profile
index 6a27c8095..cb8a511ad 100644
--- a/etc/opencity.profile
+++ b/etc/profile-m-z/opencity.profile
@@ -14,6 +14,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.opencity
@@ -21,10 +22,10 @@ whitelist ${HOME}/.opencity
 include whitelist-common.inc
 include whitelist-var-common.inc
+apparmor
 caps.drop all
 ipc-namespace
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -42,3 +43,6 @@ private-bin opencity
 private-cache
 private-dev
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/openclonk.profile b/etc/profile-m-z/openclonk.profile
index da60006b3..a6760617c 100644
--- a/etc/openclonk.profile
+++ b/etc/profile-m-z/openclonk.profile
@@ -14,6 +14,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.clonk
@@ -21,10 +22,11 @@ whitelist ${HOME}/.clonk
 include whitelist-common.inc
 include whitelist-var-common.inc
+apparmor
 caps.drop all
 ipc-namespace
-net none
+# net none - networked game
-nodbus
+netfilter
 nodvd
 nogroups
 nonewprivs
@@ -42,3 +44,6 @@ private-bin c4group,openclonk
 private-cache
 private-dev
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/openoffice.org.profile b/etc/profile-m-z/openoffice.org.profile
index 8348a57fe..8348a57fe 100644
--- a/etc/openoffice.org.profile
+++ b/etc/profile-m-z/openoffice.org.profile
diff --git a/etc/openshot-qt.profile b/etc/profile-m-z/openshot-qt.profile
index 2f886d2ac..2f886d2ac 100644
--- a/etc/openshot-qt.profile
+++ b/etc/profile-m-z/openshot-qt.profile
diff --git a/etc/openshot.profile b/etc/profile-m-z/openshot.profile
index 9d0b4c4c9..e1839c724 100644
--- a/etc/openshot.profile
+++ b/etc/profile-m-z/openshot.profile
@@ -23,9 +23,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
-#net none
+net none
-netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -40,3 +38,5 @@ tracelog
 private-dev
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/openttd.profile b/etc/profile-m-z/openttd.profile
index 5de4d325d..b71883d68 100644
--- a/etc/openttd.profile
+++ b/etc/profile-m-z/openttd.profile
@@ -14,6 +14,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.openttd
@@ -21,10 +22,10 @@ whitelist ${HOME}/.openttd
 include whitelist-common.inc
 include whitelist-var-common.inc
+apparmor
 caps.drop all
 ipc-namespace
-netfilter
+net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -42,3 +43,6 @@ private-bin openttd
 private-cache
 private-dev
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/opera-beta.profile b/etc/profile-m-z/opera-beta.profile
index 8658d30c6..8658d30c6 100644
--- a/etc/opera-beta.profile
+++ b/etc/profile-m-z/opera-beta.profile
diff --git a/etc/opera.profile b/etc/profile-m-z/opera.profile
index b342b3961..b342b3961 100644
--- a/etc/opera.profile
+++ b/etc/profile-m-z/opera.profile
diff --git a/etc/orage.profile b/etc/profile-m-z/orage.profile
index 4e12892d6..4e12892d6 100644
--- a/etc/orage.profile
+++ b/etc/profile-m-z/orage.profile
diff --git a/etc/profile-m-z/org.gnome.NautilusPreviewer.profile b/etc/profile-m-z/org.gnome.NautilusPreviewer.profile
new file mode 100644
index 000000000..eb75add58
--- /dev/null
+++ b/etc/profile-m-z/org.gnome.NautilusPreviewer.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for sushi
+# This file is overwritten after every install/update
+# Persistent local customizations
+include org.gnome.NautilusPreviewer.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include sushi.profile
diff --git a/etc/ostrichriders.profile b/etc/profile-m-z/ostrichriders.profile
index bef784126..cc44d5a48 100644
--- a/etc/ostrichriders.profile
+++ b/etc/profile-m-z/ostrichriders.profile
@@ -14,17 +14,19 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.ostrichriders
 whitelist ${HOME}/.ostrichriders
+whitelist /usr/share/ostrichriders
 include whitelist-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 caps.drop all
 ipc-namespace
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -43,3 +45,6 @@ private-cache
 # private-dev should be commented for controllers
 private-dev
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/otter-browser.profile b/etc/profile-m-z/otter-browser.profile
new file mode 100644
index 000000000..652b6b7cb
--- /dev/null
+++ b/etc/profile-m-z/otter-browser.profile
@@ -0,0 +1,59 @@
+# Firejail profile for otter-browser
+# Description: Lightweight web browser based on Qt5 
+# This file is overwritten after every install/update
+# Persistent local customizations
+include otter-browser.local
+# Persistent global definitions
+include globals.local
+?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
+noblacklist ${HOME}/.cache/Otter
+noblacklist ${HOME}/.config/otter
+noblacklist ${HOME}/.pki
+noblacklist ${HOME}/.local/share/pki
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.cache/Otter
+mkdir ${HOME}/.config/otter
+mkdir ${HOME}/.pki
+mkdir ${HOME}/.local/share/pki
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.cache/Otter
+whitelist ${HOME}/.config/otter
+whitelist ${HOME}/.pki
+whitelist ${HOME}/.local/share/pki
+whitelist /usr/share/otter-browser
+include whitelist-common.inc
+include whitelist-runuser-common.inc 
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+?BROWSER_DISABLE_U2F: nou2f
+protocol unix,inet,inet6,netlink
+seccomp !chroot
+shell none
+disable-mnt
+private-bin bash,otter-browser,sh,which
+private-cache
+?BROWSER_DISABLE_U2F: private-dev
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-tmp 
+dbus-system none
diff --git a/etc/out123.profile b/etc/profile-m-z/out123.profile
index 4754c05ba..4754c05ba 100644
--- a/etc/out123.profile
+++ b/etc/profile-m-z/out123.profile
diff --git a/etc/p7zip.profile b/etc/profile-m-z/p7zip.profile
index 652fac7bd..652fac7bd 100644
--- a/etc/p7zip.profile
+++ b/etc/profile-m-z/p7zip.profile
diff --git a/etc/palemoon.profile b/etc/profile-m-z/palemoon.profile
index acb2ce176..acb2ce176 100644
--- a/etc/palemoon.profile
+++ b/etc/profile-m-z/palemoon.profile
diff --git a/etc/pandoc.profile b/etc/profile-m-z/pandoc.profile
index 9a8d82a96..9ee7e75b4 100644
--- a/etc/pandoc.profile
+++ b/etc/profile-m-z/pandoc.profile
@@ -8,6 +8,7 @@ include pandoc.local
 include globals.local
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 noblacklist ${DOCUMENTS}
@@ -17,6 +18,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 # breaks pdf output
@@ -28,7 +30,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -47,7 +48,10 @@ disable-mnt
 private-bin context,latex,mktexfmt,pandoc,pdflatex,pdfroff,prince,weasyprint,wkhtmltopdf
 private-cache
 private-dev
-private-etc alternatives,texlive
+private-etc alternatives,texlive,texmf
 private-tmp
+dbus-user none
+dbus-system none
 memory-deny-write-execute
diff --git a/etc/parole.profile b/etc/profile-m-z/parole.profile
index e7a0694ed..0a4422a73 100644
--- a/etc/parole.profile
+++ b/etc/profile-m-z/parole.profile
@@ -14,6 +14,7 @@ include disable-devel.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 caps.drop all
diff --git a/etc/patch.profile b/etc/profile-m-z/patch.profile
index 4a3365378..8663fb453 100644
--- a/etc/patch.profile
+++ b/etc/profile-m-z/patch.profile
@@ -8,6 +8,7 @@ include patch.local
 include globals.local
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 noblacklist ${DOCUMENTS}
@@ -16,6 +17,7 @@ include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
+include disable-shell.inc
 include disable-xdg.inc
 include whitelist-usr-share-common.inc
@@ -25,7 +27,6 @@ caps.drop all
 ipc-namespace
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -44,4 +45,7 @@ private-bin patch,red
 private-dev
 private-lib libfakeroot
+dbus-user none
+dbus-system none
 memory-deny-write-execute
diff --git a/etc/pavucontrol-qt.profile b/etc/profile-m-z/pavucontrol-qt.profile
index f96ba14d2..f96ba14d2 100644
--- a/etc/pavucontrol-qt.profile
+++ b/etc/profile-m-z/pavucontrol-qt.profile
diff --git a/etc/pavucontrol.profile b/etc/profile-m-z/pavucontrol.profile
index 0ae9f08af..f7d3576da 100644
--- a/etc/pavucontrol.profile
+++ b/etc/profile-m-z/pavucontrol.profile
@@ -29,7 +29,6 @@ apparmor
 caps.drop all
 netfilter
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -50,5 +49,8 @@ private-etc alternatives,asound.conf,avahi,fonts,machine-id,pulse
 private-lib
 private-tmp
+dbus-user none
+dbus-system none
 # mdwe is broken under Wayland, but works under Xorg.
 #memory-deny-write-execute
diff --git a/etc/profile-m-z/pcmanfm.profile b/etc/profile-m-z/pcmanfm.profile
new file mode 100644
index 000000000..5718ab164
--- /dev/null
+++ b/etc/profile-m-z/pcmanfm.profile
@@ -0,0 +1,12 @@
+# Firejail profile for pcmanfm
+# Description: Extremely fast and lightweight file manager
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pcmanfm.local
+# Persistent global definitions
+include globals.local
+# Put 'ignore noroot' in your pcmanfm.local if you use MPV+Vulkan (see issue #3012)
+# Redirect
+include file-manager-common.profile
diff --git a/etc/pdfchain.profile b/etc/profile-m-z/pdfchain.profile
index 98a9f1840..4b6da4d6f 100644
--- a/etc/pdfchain.profile
+++ b/etc/profile-m-z/pdfchain.profile
@@ -21,7 +21,6 @@ caps.drop all
 ipc-namespace
 net none
 no3d
-nodbus
 nogroups
 nonewprivs
 noroot
@@ -38,4 +37,7 @@ private-dev
 private-etc alternatives,dconf,fonts,gtk-3.0,xdg
 private-tmp
+dbus-user none
+dbus-system none
 memory-deny-write-execute
diff --git a/etc/pdflatex.profile b/etc/profile-m-z/pdflatex.profile
index caf980d4d..caf980d4d 100644
--- a/etc/pdflatex.profile
+++ b/etc/profile-m-z/pdflatex.profile
diff --git a/etc/pdfmod.profile b/etc/profile-m-z/pdfmod.profile
index 177070e83..fb3c42526 100644
--- a/etc/pdfmod.profile
+++ b/etc/profile-m-z/pdfmod.profile
@@ -25,7 +25,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -41,3 +40,5 @@ shell none
 private-dev
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/pdfsam.profile b/etc/profile-m-z/pdfsam.profile
index 48f424190..2f4227159 100644
--- a/etc/pdfsam.profile
+++ b/etc/profile-m-z/pdfsam.profile
@@ -23,7 +23,6 @@ caps.drop all
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -41,3 +40,5 @@ private-cache
 private-dev
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/pdftotext.profile b/etc/profile-m-z/pdftotext.profile
index 73ebf4615..eee42424f 100644
--- a/etc/pdftotext.profile
+++ b/etc/profile-m-z/pdftotext.profile
@@ -7,6 +7,7 @@ include pdftotext.local
 include globals.local
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 noblacklist ${DOCUMENTS}
@@ -15,6 +16,7 @@ include disable-devel.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 whitelist ${DOCUMENTS}
@@ -28,7 +30,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -48,3 +49,6 @@ private-cache
 private-dev
 private-etc alternatives
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/peek.profile b/etc/profile-m-z/peek.profile
index 8cbff0c64..66fdd6496 100644
--- a/etc/peek.profile
+++ b/etc/profile-m-z/peek.profile
@@ -20,7 +20,6 @@ include disable-xdg.inc
 caps.drop all
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -38,4 +37,7 @@ shell none
 private-dev
 private-tmp
+dbus-user none
+dbus-system none
 memory-deny-write-execute
diff --git a/etc/profile-m-z/penguin-command.profile b/etc/profile-m-z/penguin-command.profile
new file mode 100644
index 000000000..db0d84496
--- /dev/null
+++ b/etc/profile-m-z/penguin-command.profile
@@ -0,0 +1,42 @@
+# Firejail profile for open-invaders
+# Description: Space Invaders clone
+# This file is overwritten after every install/update
+# Persistent local customizations
+include penguin-command.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.penguin-command
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+whitelist ${HOME}/.penguin-command
+include whitelist-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+private-bin penguin-command
+private-dev
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/picard.profile b/etc/profile-m-z/picard.profile
index 15fc7a454..15fc7a454 100644
--- a/etc/picard.profile
+++ b/etc/profile-m-z/picard.profile
diff --git a/etc/pidgin.profile b/etc/profile-m-z/pidgin.profile
index 2e4215744..2e4215744 100644
--- a/etc/pidgin.profile
+++ b/etc/profile-m-z/pidgin.profile
diff --git a/etc/ping.profile b/etc/profile-m-z/ping.profile
index 5f68ee011..3ef8ad64a 100644
--- a/etc/ping.profile
+++ b/etc/profile-m-z/ping.profile
@@ -7,6 +7,10 @@ include ping.local
 # Persistent global definitions
 include globals.local
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -19,6 +23,7 @@ include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
+apparmor
 caps.keep net_raw
 ipc-namespace
 #net tun0
diff --git a/etc/pingus.profile b/etc/profile-m-z/pingus.profile
index a3adc55a2..ebfd236aa 100644
--- a/etc/pingus.profile
+++ b/etc/profile-m-z/pingus.profile
@@ -10,17 +10,23 @@ noblacklist ${HOME}/.pingus
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 mkdir ${HOME}/.pingus
 whitelist ${HOME}/.pingus
+whitelist /usr/share/pingus
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
 caps.drop all
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -31,7 +37,14 @@ novideo
 protocol unix,netlink
 seccomp
 shell none
+tracelog
-# private-bin pingus
+disable-mnt
+private-bin pingus,pingus.bin,sh
+private-cache
 private-dev
+private-etc machine-id
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/pinta.profile b/etc/profile-m-z/pinta.profile
index 8151bc98f..7d94972c4 100644
--- a/etc/pinta.profile
+++ b/etc/profile-m-z/pinta.profile
@@ -21,7 +21,6 @@ include disable-xdg.inc
 caps.drop all
 ipc-namespace
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -38,3 +37,5 @@ private-dev
 private-cache
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/pioneer.profile b/etc/profile-m-z/pioneer.profile
index c5b936617..5f329195b 100644
--- a/etc/pioneer.profile
+++ b/etc/profile-m-z/pioneer.profile
@@ -14,6 +14,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.pioneer
@@ -24,7 +25,6 @@ include whitelist-var-common.inc
 caps.drop all
 ipc-namespace
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -42,3 +42,6 @@ private-bin modelcompiler,pioneer,savegamedump
 private-cache
 private-dev
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/pithos.profile b/etc/profile-m-z/pithos.profile
index ad56ce525..0864dd0bc 100644
--- a/etc/pithos.profile
+++ b/etc/profile-m-z/pithos.profile
@@ -16,6 +16,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 include whitelist-common.inc
diff --git a/etc/pitivi.profile b/etc/profile-m-z/pitivi.profile
index 89a6a020b..c722e29b4 100644
--- a/etc/pitivi.profile
+++ b/etc/profile-m-z/pitivi.profile
@@ -6,7 +6,6 @@ include pitivi.local
 # Persistent global definitions
 include globals.local
 noblacklist ${HOME}/.config/pitivi
 # Allow python (blacklisted by disable-interpreters.inc)
@@ -20,11 +19,13 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
+apparmor
 caps.drop all
 ipc-namespace
-netfilter
+net none
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/pix.profile b/etc/profile-m-z/pix.profile
index 9864ed718..a2c35beb5 100644
--- a/etc/pix.profile
+++ b/etc/profile-m-z/pix.profile
@@ -15,6 +15,7 @@ include disable-devel.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 caps.drop all
 nodvd
diff --git a/etc/planmaker18.profile b/etc/profile-m-z/planmaker18.profile
index 4cf1efb7f..2ba8e86c0 100644
--- a/etc/planmaker18.profile
+++ b/etc/profile-m-z/planmaker18.profile
@@ -7,4 +7,4 @@ include planmaker18.local
 include globals.local
 # Redirect
-include softmaker-common.profile
+include softmaker-common.inc
diff --git a/etc/planmaker18free.profile b/etc/profile-m-z/planmaker18free.profile
index bb85f1fc7..d0bce44f5 100644
--- a/etc/planmaker18free.profile
+++ b/etc/profile-m-z/planmaker18free.profile
@@ -7,4 +7,4 @@ include planmaker18free.local
 include globals.local
 # Redirect
-include softmaker-common.profile
+include softmaker-common.inc
diff --git a/etc/playonlinux.profile b/etc/profile-m-z/playonlinux.profile
index 03091af6d..03091af6d 100644
--- a/etc/playonlinux.profile
+++ b/etc/profile-m-z/playonlinux.profile
diff --git a/etc/pluma.profile b/etc/profile-m-z/pluma.profile
index dadfcc44e..5303eae8a 100644
--- a/etc/pluma.profile
+++ b/etc/profile-m-z/pluma.profile
@@ -18,6 +18,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include whitelist-var-common.inc
@@ -26,7 +27,6 @@ caps.drop all
 machine-id
 # net none - makes settings immutable
 no3d
-# nodbus - makes settings immutable
 nodvd
 nogroups
 nonewprivs
@@ -45,6 +45,10 @@ private-dev
 private-lib aspell,gconv,libgspell-1.so.*,libreadline.so.*,libtinfo.so.*,pluma
 private-tmp
+# makes settings immutable
+# dbus-user none
+# dbus-system none
 memory-deny-write-execute
 join-or-start pluma
diff --git a/etc/profile-m-z/plv.profile b/etc/profile-m-z/plv.profile
new file mode 100644
index 000000000..7ff59ea77
--- /dev/null
+++ b/etc/profile-m-z/plv.profile
@@ -0,0 +1,59 @@
+# Firejail profile for plv
+# Description: Inspect pacman log files
+# This file is overwritten after every install/update
+# Persistent local customizations
+include plv.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/PacmanLogViewer
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.config/PacmanLogViewer
+whitelist ${HOME}/.config/PacmanLogViewer
+whitelist /var/log/pacman*
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin plv
+private-cache
+private-dev
+private-etc alternatives,fonts
+private-opt none
+private-tmp
+writable-var-log
+dbus-user none
+dbus-system none
+#memory-deny-write-execute - breaks opening file-chooser
+read-only ${HOME}
+read-write ${HOME}/.config/PacmanLogViewer
diff --git a/etc/pngquant.profile b/etc/profile-m-z/pngquant.profile
index f9ce43c4c..83905b108 100644
--- a/etc/pngquant.profile
+++ b/etc/profile-m-z/pngquant.profile
@@ -15,7 +15,10 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 apparmor
@@ -24,7 +27,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -46,4 +48,7 @@ private-dev
 private-etc alternatives
 private-tmp
+dbus-user none
+dbus-system none
 memory-deny-write-execute
diff --git a/etc/polari.profile b/etc/profile-m-z/polari.profile
index 939e2537e..87a53775f 100644
--- a/etc/polari.profile
+++ b/etc/profile-m-z/polari.profile
@@ -28,6 +28,7 @@ whitelist ${HOME}/.local/share/TpLogger
 whitelist ${HOME}/.local/share/telepathy
 whitelist ${HOME}/.purple
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 caps.drop all
 netfilter
diff --git a/etc/ppsspp.profile b/etc/profile-m-z/ppsspp.profile
index 970290002..c62e53151 100644
--- a/etc/ppsspp.profile
+++ b/etc/profile-m-z/ppsspp.profile
@@ -21,9 +21,7 @@ include whitelist-var-common.inc
 caps.drop all
 ipc-namespace
-netfilter
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -40,3 +38,5 @@ private-etc alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts
 private-opt ppsspp
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/pragha.profile b/etc/profile-m-z/pragha.profile
index 019c1a547..019c1a547 100644
--- a/etc/pragha.profile
+++ b/etc/profile-m-z/pragha.profile
diff --git a/etc/presentations18.profile b/etc/profile-m-z/presentations18.profile
index ac844d1af..d4f531060 100644
--- a/etc/presentations18.profile
+++ b/etc/profile-m-z/presentations18.profile
@@ -7,4 +7,5 @@ include presentations18.local
 include globals.local
 # Redirect
-include softmaker-common.profile
+include softmaker-common.inc
diff --git a/etc/presentations18free.profile b/etc/profile-m-z/presentations18free.profile
index 218747224..e2319f13f 100644
--- a/etc/presentations18free.profile
+++ b/etc/profile-m-z/presentations18free.profile
@@ -7,4 +7,4 @@ include presentations18free.local
 include globals.local
 # Redirect
-include softmaker-common.profile
+include softmaker-common.inc
diff --git a/etc/profanity.profile b/etc/profile-m-z/profanity.profile
index 6ca9314e9..a02bcd826 100644
--- a/etc/profanity.profile
+++ b/etc/profile-m-z/profanity.profile
@@ -20,6 +20,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 include whitelist-usr-share-common.inc
@@ -28,7 +29,6 @@ include whitelist-var-common.inc
 caps.drop all
 netfilter
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -47,4 +47,7 @@ private-dev
 private-etc alternatives,ca-certificates,crypto-policies,localtime,mime.types,nsswitch.conf,pki,resolv.conf,ssl
 private-tmp
+dbus-user none
+dbus-system none
 memory-deny-write-execute
diff --git a/etc/psi-plus.profile b/etc/profile-m-z/psi-plus.profile
index 16fffe517..16fffe517 100644
--- a/etc/psi-plus.profile
+++ b/etc/profile-m-z/psi-plus.profile
diff --git a/etc/pybitmessage.profile b/etc/profile-m-z/pybitmessage.profile
index 034c144c7..034c144c7 100644
--- a/etc/pybitmessage.profile
+++ b/etc/profile-m-z/pybitmessage.profile
diff --git a/etc/pycharm-community.profile b/etc/profile-m-z/pycharm-community.profile
index 9ee426a95..9ee426a95 100644
--- a/etc/pycharm-community.profile
+++ b/etc/profile-m-z/pycharm-community.profile
diff --git a/etc/pycharm-professional.profile b/etc/profile-m-z/pycharm-professional.profile
index a14d0268b..a14d0268b 100644
--- a/etc/pycharm-professional.profile
+++ b/etc/profile-m-z/pycharm-professional.profile
diff --git a/etc/pzstd.profile b/etc/profile-m-z/pzstd.profile
index ce9af3286..ce9af3286 100644
--- a/etc/pzstd.profile
+++ b/etc/profile-m-z/pzstd.profile
diff --git a/etc/qbittorrent.profile b/etc/profile-m-z/qbittorrent.profile
index fe9caec77..81ec1bc6b 100644
--- a/etc/qbittorrent.profile
+++ b/etc/profile-m-z/qbittorrent.profile
@@ -21,6 +21,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 mkdir ${HOME}/.cache/qBittorrent
 mkdir ${HOME}/.config/qBittorrent
@@ -38,7 +39,6 @@ apparmor
 caps.drop all
 machine-id
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -56,4 +56,7 @@ private-dev
 # private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,resolv.conf,ssl,X11,xdg
 private-tmp
+dbus-user none
+dbus-system none
 # memory-deny-write-execute - problems on Arch, see #1690 on GitHub repo
diff --git a/etc/qemu-launcher.profile b/etc/profile-m-z/qemu-launcher.profile
index ac60384fd..ac60384fd 100644
--- a/etc/qemu-launcher.profile
+++ b/etc/profile-m-z/qemu-launcher.profile
diff --git a/etc/qemu-system-x86_64.profile b/etc/profile-m-z/qemu-system-x86_64.profile
index d7d7905dd..d7d7905dd 100644
--- a/etc/qemu-system-x86_64.profile
+++ b/etc/profile-m-z/qemu-system-x86_64.profile
diff --git a/etc/qgis.profile b/etc/profile-m-z/qgis.profile
index 88ed0cd81..eee538383 100644
--- a/etc/qgis.profile
+++ b/etc/profile-m-z/qgis.profile
@@ -35,7 +35,6 @@ include whitelist-var-common.inc
 caps.drop all
 netfilter
 machine-id
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -55,3 +54,6 @@ private-cache
 private-dev
 private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,QGIS,QGIS.conf,resolv.conf,ssl,Trolltech.conf
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/qlipper.profile b/etc/profile-m-z/qlipper.profile
index fb9dca48f..fb9dca48f 100644
--- a/etc/qlipper.profile
+++ b/etc/profile-m-z/qlipper.profile
diff --git a/etc/qmmp.profile b/etc/profile-m-z/qmmp.profile
index b69bbdef1..e1f679417 100644
--- a/etc/qmmp.profile
+++ b/etc/profile-m-z/qmmp.profile
@@ -14,12 +14,12 @@ include disable-devel.inc
 include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 caps.drop all
 netfilter
 # no3d
-nodbus
 nogroups
 nonewprivs
 noroot
@@ -35,3 +35,5 @@ private-bin bzip2,gzip,qmmp,tar,unzip
 private-dev
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/qpdfview.profile b/etc/profile-m-z/qpdfview.profile
index 863f57ba4..80e34334a 100644
--- a/etc/qpdfview.profile
+++ b/etc/profile-m-z/qpdfview.profile
@@ -16,14 +16,14 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 include whitelist-var-common.inc
+apparmor
 caps.drop all
 machine-id
-# needs D-Bus when started from a file manager
-#nodbus
 nodvd
 nogroups
 nonewprivs
@@ -40,3 +40,7 @@ tracelog
 private-bin qpdfview
 private-dev
 private-tmp
+# needs D-Bus when started from a file manager
+# dbus-user none
+# dbus-system none
diff --git a/etc/qt-faststart.profile b/etc/profile-m-z/qt-faststart.profile
index 2cdff33a6..2cdff33a6 100644
--- a/etc/qt-faststart.profile
+++ b/etc/profile-m-z/qt-faststart.profile
diff --git a/etc/qtox.profile b/etc/profile-m-z/qtox.profile
index cb2a78920..eb8e3e314 100644
--- a/etc/qtox.profile
+++ b/etc/profile-m-z/qtox.profile
@@ -15,6 +15,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.config/tox
@@ -27,7 +28,6 @@ apparmor
 caps.drop all
 ipc-namespace
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -46,4 +46,7 @@ private-dev
 private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl
 private-tmp
+dbus-user none
+dbus-system none
 #memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/profile-m-z/quadrapassel.profile b/etc/profile-m-z/quadrapassel.profile
new file mode 100644
index 000000000..91e0d9d0d
--- /dev/null
+++ b/etc/profile-m-z/quadrapassel.profile
@@ -0,0 +1,20 @@
+# Firejail profile for quadrapassel
+# Description: Tetris-like game for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include quadrapassel.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.local/share/quadrapassel
+mkdir ${HOME}/.local/share/quadrapassel
+whitelist ${HOME}/.local/share/quadrapassel
+whitelist /usr/share/quadrapassel
+private-bin quadrapassel
+dbus-user.own org.gnome.Quadrapassel
+# Redirect
+include gnome_games-common.profile
diff --git a/etc/quassel.profile b/etc/profile-m-z/quassel.profile
index c65089e20..c65089e20 100644
--- a/etc/quassel.profile
+++ b/etc/profile-m-z/quassel.profile
diff --git a/etc/quiterss.profile b/etc/profile-m-z/quiterss.profile
index 8dbdffdc8..366cff4ed 100644
--- a/etc/quiterss.profile
+++ b/etc/profile-m-z/quiterss.profile
@@ -17,6 +17,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 mkdir ${HOME}/.cache/QuiteRss
 mkdir ${HOME}/.config/QuiteRss
diff --git a/etc/qupzilla.profile b/etc/profile-m-z/qupzilla.profile
index 7aa71c848..7aa71c848 100644
--- a/etc/qupzilla.profile
+++ b/etc/profile-m-z/qupzilla.profile
diff --git a/etc/qutebrowser.profile b/etc/profile-m-z/qutebrowser.profile
index fc910b589..fc910b589 100644
--- a/etc/qutebrowser.profile
+++ b/etc/profile-m-z/qutebrowser.profile
diff --git a/etc/rambox.profile b/etc/profile-m-z/rambox.profile
index 6f7f37aaf..ffa2022ee 100644
--- a/etc/rambox.profile
+++ b/etc/profile-m-z/rambox.profile
@@ -1,4 +1,5 @@
 # Firejail profile for rambox
+# Description: Free and Open Source messaging and emailing app that combines common web applications into one (Electron-based)
 # This file is overwritten after every install/update
 # Persistent local customizations
 include rambox.local
@@ -31,5 +32,7 @@ nonewprivs
 noroot
 notv
 protocol unix,inet,inet6,netlink
-seccomp
+# electron-based application, needing chroot
+#seccomp
+seccomp !chroot
 # tracelog
diff --git a/etc/profile-m-z/ranger.profile b/etc/profile-m-z/ranger.profile
new file mode 100644
index 000000000..8b3fe97d8
--- /dev/null
+++ b/etc/profile-m-z/ranger.profile
@@ -0,0 +1,12 @@
+# Firejail profile for ranger
+# Description: File manager with an ncurses frontend written in Python
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ranger.local
+# Persistent global definitions
+include globals.local
+# Put 'ignore noroot' in your ranger.local if you use MPV+Vulkan (see issue #3012)
+# Redirect
+include file-manager-common.profile
diff --git a/etc/redeclipse.profile b/etc/profile-m-z/redeclipse.profile
index bb1ad56d3..bb1ad56d3 100644
--- a/etc/redeclipse.profile
+++ b/etc/profile-m-z/redeclipse.profile
diff --git a/etc/redshift.profile b/etc/profile-m-z/redshift.profile
index 0f6d34ed0..298ab1902 100644
--- a/etc/redshift.profile
+++ b/etc/profile-m-z/redshift.profile
@@ -29,7 +29,6 @@ ipc-namespace
 machine-id
 netfilter
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -48,4 +47,7 @@ private-cache
 private-dev
 private-tmp
+dbus-user none
+dbus-system none
 memory-deny-write-execute
diff --git a/etc/regextester.profile b/etc/profile-m-z/regextester.profile
index e30748946..6fb0d4b5f 100644
--- a/etc/regextester.profile
+++ b/etc/profile-m-z/regextester.profile
@@ -12,6 +12,7 @@ include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-interpreters.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 whitelist /usr/share/com.github.artemanufrij.regextester
@@ -26,7 +27,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-# nodbus - makes settings immutable
 nodvd
 nogroups
 nonewprivs
@@ -48,6 +48,10 @@ private-etc alternatives,fonts
 private-lib libgranite.so.*
 private-tmp
+# makes settings immutable
+# dbus-user none
+# dbus-system none
 memory-deny-write-execute
 # never write anything
diff --git a/etc/remmina.profile b/etc/profile-m-z/remmina.profile
index e85ceca13..6311c91df 100644
--- a/etc/remmina.profile
+++ b/etc/profile-m-z/remmina.profile
@@ -19,6 +19,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 caps.drop all
diff --git a/etc/rhythmbox-client.profile b/etc/profile-m-z/rhythmbox-client.profile
index 29e65d716..29e65d716 100644
--- a/etc/rhythmbox-client.profile
+++ b/etc/profile-m-z/rhythmbox-client.profile
diff --git a/etc/rhythmbox.profile b/etc/profile-m-z/rhythmbox.profile
index ad8b1015e..b76f2b947 100644
--- a/etc/rhythmbox.profile
+++ b/etc/profile-m-z/rhythmbox.profile
@@ -20,25 +20,26 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 whitelist /usr/share/rhythmbox
 whitelist /usr/share/lua
 whitelist /usr/share/libquvi-scripts
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
-# apparmor - makes settings immutable
+apparmor
 caps.drop all
 netfilter
-# nodbus - makes settings immutable
 nogroups
 nonewprivs
 noroot
 notv
 nou2f
 novideo
-protocol unix,inet,inet6
+protocol unix,inet,inet6,netlink
 seccomp
 shell none
 tracelog
@@ -46,3 +47,13 @@ tracelog
 private-bin rhythmbox,rhythmbox-client
 private-dev
 private-tmp
+dbus-user filter
+dbus-user.own org.gnome.Rhythmbox3
+dbus-user.own org.mpris.MediaPlayer2.rhythmbox
+dbus-user.own org.gnome.UPnP.MediaServer2.Rhythmbox
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.freedesktop.Notifications
+dbus-system none
+dbus-system filter
+dbus-system.talk org.freedesktop.Avahi
diff --git a/etc/ricochet.profile b/etc/profile-m-z/ricochet.profile
index 1b8fbbc97..86e3fbfb5 100644
--- a/etc/ricochet.profile
+++ b/etc/profile-m-z/ricochet.profile
@@ -13,6 +13,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 mkdir ${HOME}/.local/share/Ricochet
 whitelist ${DOWNLOADS}
diff --git a/etc/riot-desktop.profile b/etc/profile-m-z/riot-desktop.profile
index 4372fabe1..4372fabe1 100644
--- a/etc/riot-desktop.profile
+++ b/etc/profile-m-z/riot-desktop.profile
diff --git a/etc/riot-web.profile b/etc/profile-m-z/riot-web.profile
index b930adf2b..b930adf2b 100644
--- a/etc/riot-web.profile
+++ b/etc/profile-m-z/riot-web.profile
diff --git a/etc/profile-m-z/ripperx.profile b/etc/profile-m-z/ripperx.profile
new file mode 100644
index 000000000..cf6daada5
--- /dev/null
+++ b/etc/profile-m-z/ripperx.profile
@@ -0,0 +1,43 @@
+# Firejail profile for mpv
+# Description: Graphical audio CD ripper and encoder
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ripperx.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.ripperXrc
+noblacklist ${MUSIC}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+netfilter
+no3d
+nogroups
+nonewprivs
+noroot
+nou2f
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+private-cache
+private-dev
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/ristretto.profile b/etc/profile-m-z/ristretto.profile
index 8fcbb203c..a1cbdf16c 100644
--- a/etc/ristretto.profile
+++ b/etc/profile-m-z/ristretto.profile
@@ -17,7 +17,11 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include whitelist-var-common.inc
+apparmor
 caps.drop all
+net none
 netfilter
 no3d
 nodvd
diff --git a/etc/rnano.profile b/etc/profile-m-z/rnano.profile
index d9048982a..d9048982a 100644
--- a/etc/rnano.profile
+++ b/etc/profile-m-z/rnano.profile
diff --git a/etc/rocketchat.profile b/etc/profile-m-z/rocketchat.profile
index a574e4e8b..a574e4e8b 100644
--- a/etc/rocketchat.profile
+++ b/etc/profile-m-z/rocketchat.profile
diff --git a/etc/rsync-download_only.profile b/etc/profile-m-z/rsync-download_only.profile
index 84147f0a5..95deed119 100644
--- a/etc/rsync-download_only.profile
+++ b/etc/profile-m-z/rsync-download_only.profile
@@ -14,6 +14,7 @@ include globals.local
 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 include disable-common.inc
 include disable-devel.inc
@@ -21,6 +22,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 # Uncomment or add to rsync.local to enable extra hardening
@@ -32,7 +34,6 @@ ipc-namespace
 machine-id
 netfilter
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -53,4 +54,7 @@ private-dev
 private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
 private-tmp
+dbus-user none
+dbus-system none
 memory-deny-write-execute
diff --git a/etc/rtorrent.profile b/etc/profile-m-z/rtorrent.profile
index 0b4d6e1b1..308c1c802 100644
--- a/etc/rtorrent.profile
+++ b/etc/profile-m-z/rtorrent.profile
@@ -12,6 +12,7 @@ include disable-devel.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 caps.drop all
 machine-id
diff --git a/etc/rtv.profile b/etc/profile-m-z/rtv.profile
index af4b7e94b..14740e05f 100644
--- a/etc/rtv.profile
+++ b/etc/profile-m-z/rtv.profile
@@ -35,7 +35,6 @@ caps.drop all
 machine-id
 netfilter
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -54,3 +53,6 @@ private-bin python*,rtv,sh,xdg-settings
 private-cache
 private-dev
 private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl,terminfo,xdg
+dbus-user none
+dbus-system none
diff --git a/etc/runenpass.sh.profile b/etc/profile-m-z/runenpass.sh.profile
index 64432c171..64432c171 100644
--- a/etc/runenpass.sh.profile
+++ b/etc/profile-m-z/runenpass.sh.profile
diff --git a/etc/rview.profile b/etc/profile-m-z/rview.profile
index fb72a00de..fb72a00de 100644
--- a/etc/rview.profile
+++ b/etc/profile-m-z/rview.profile
diff --git a/etc/rvim.profile b/etc/profile-m-z/rvim.profile
index 7c6465d3c..7c6465d3c 100644
--- a/etc/rvim.profile
+++ b/etc/profile-m-z/rvim.profile
diff --git a/etc/sayonara.profile b/etc/profile-m-z/sayonara.profile
index 8f0544f33..6557c0c42 100644
--- a/etc/sayonara.profile
+++ b/etc/profile-m-z/sayonara.profile
@@ -13,6 +13,7 @@ include disable-devel.inc
 include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 caps.drop all
diff --git a/etc/scallion.profile b/etc/profile-m-z/scallion.profile
index dee9e1f40..0f67d4d09 100644
--- a/etc/scallion.profile
+++ b/etc/profile-m-z/scallion.profile
@@ -23,7 +23,6 @@ include whitelist-var-common.inc
 caps.drop all
 ipc-namespace
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -40,3 +39,6 @@ disable-mnt
 private
 private-dev
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/scorched3d-wrapper.profile b/etc/profile-m-z/scorched3d-wrapper.profile
new file mode 100644
index 000000000..507d0827e
--- /dev/null
+++ b/etc/profile-m-z/scorched3d-wrapper.profile
@@ -0,0 +1,10 @@
+# Firejail profile for scorched3d
+# This file is overwritten after every install/update
+# Persistent local customizations
+include scorched3d-wrapper.local
+whitelist /usr/share/opengl-games-utils
+private-bin basename,bash,cut,glxinfo,grep,head,sed,zenity
+# Redirect
+include scorched3d.profile
diff --git a/etc/scorched3d.profile b/etc/profile-m-z/scorched3d.profile
index e94d436cf..6a1003c33 100644
--- a/etc/scorched3d.profile
+++ b/etc/profile-m-z/scorched3d.profile
@@ -18,13 +18,15 @@ include disable-xdg.inc
 mkdir ${HOME}/.scorched3d
 whitelist ${HOME}/.scorched3d
+whitelist /usr/share/scorched3d
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 caps.drop all
 ipc-namespace
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -42,3 +44,6 @@ private-bin scorched3d,scorched3d-wrapper,scorched3dc,scorched3ds
 private-cache
 private-dev
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/scorchwentbonkers.profile b/etc/profile-m-z/scorchwentbonkers.profile
new file mode 100644
index 000000000..484ebc38e
--- /dev/null
+++ b/etc/profile-m-z/scorchwentbonkers.profile
@@ -0,0 +1,50 @@
+# Firejail profile for scorchwentbonkers
+# Description: Realtime remake of Scorched Earth
+# This file is overwritten after every install/update
+# Persistent local customizations
+include scorchwentbonkers.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.swb.ini
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+mkdir ${HOME}/.swb.ini
+whitelist ${HOME}/.swb.ini
+whitelist /usr/share/scorchwentbonkers
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin scorchwentbonkers
+private-cache
+private-dev
+private-etc alsa,asound.conf,machine-id,pulse
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/scp.profile b/etc/profile-m-z/scp.profile
index 287b8029a..287b8029a 100644
--- a/etc/scp.profile
+++ b/etc/profile-m-z/scp.profile
diff --git a/etc/scribus.profile b/etc/profile-m-z/scribus.profile
index e20cd1b5a..22cd10737 100644
--- a/etc/scribus.profile
+++ b/etc/profile-m-z/scribus.profile
@@ -40,9 +40,9 @@ include disable-xdg.inc
 include whitelist-var-common.inc
+apparmor
 caps.drop all
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -60,3 +60,5 @@ tracelog
 private-dev
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/sdat2img.profile b/etc/profile-m-z/sdat2img.profile
index a367acad5..8d16cd07f 100644
--- a/etc/sdat2img.profile
+++ b/etc/profile-m-z/sdat2img.profile
@@ -16,6 +16,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 include whitelist-var-common.inc
@@ -23,7 +24,6 @@ include whitelist-var-common.inc
 caps.drop all
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -40,3 +40,5 @@ private-bin env,python*,sdat2img
 private-cache
 private-dev
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/seahorse-adventures.profile b/etc/profile-m-z/seahorse-adventures.profile
new file mode 100644
index 000000000..cb2e5ef91
--- /dev/null
+++ b/etc/profile-m-z/seahorse-adventures.profile
@@ -0,0 +1,51 @@
+# Firejail profile for seahorse-adventures
+# Description: Help barbie the seahorse float on bubbles to the moon
+# This file is overwritten after every install/update
+# Persistent local customizations
+include seahorse-adventures.local
+# Persistent global definitions
+include globals.local
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+whitelist /usr/share/seahorse-adventures
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+disable-mnt
+private
+private-bin python*,seahorse-adventures
+private-cache
+private-dev
+private-etc machine-id
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/seahorse-daemon.profile b/etc/profile-m-z/seahorse-daemon.profile
index 6410da4d8..6410da4d8 100644
--- a/etc/seahorse-daemon.profile
+++ b/etc/profile-m-z/seahorse-daemon.profile
diff --git a/etc/seahorse-tool.profile b/etc/profile-m-z/seahorse-tool.profile
index 96ff74edf..96ff74edf 100644
--- a/etc/seahorse-tool.profile
+++ b/etc/profile-m-z/seahorse-tool.profile
diff --git a/etc/seahorse.profile b/etc/profile-m-z/seahorse.profile
index 5a742d05f..85d86d646 100644
--- a/etc/seahorse.profile
+++ b/etc/profile-m-z/seahorse.profile
@@ -31,7 +31,10 @@ whitelist /usr/share/gnupg
 whitelist /usr/share/gnupg2
 whitelist /usr/share/seahorse
 whitelist /usr/share/seahorse-nautilus
+whitelist ${RUNUSER}/gnupg
+whitelist ${RUNUSER}/keyring
 #include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -58,3 +61,8 @@ private-cache
 private-dev
 private-etc ca-certificates,crypto-policies,dconf,fonts,gconf,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,nsswitch.conf,pango,pki,protocols,resolv.conf,rpc,services,ssh,ssl,X11
 writable-run-user
+dbus-user filter
+dbus-user.own org.gnome.seahorse.Application
+dbus-user.talk org.freedesktop.secrets
+dbus-system none
diff --git a/etc/seamonkey-bin.profile b/etc/profile-m-z/seamonkey-bin.profile
index 532294950..532294950 100644
--- a/etc/seamonkey-bin.profile
+++ b/etc/profile-m-z/seamonkey-bin.profile
diff --git a/etc/seamonkey.profile b/etc/profile-m-z/seamonkey.profile
index 807effbeb..807effbeb 100644
--- a/etc/seamonkey.profile
+++ b/etc/profile-m-z/seamonkey.profile
diff --git a/etc/secret-tool.profile b/etc/profile-m-z/secret-tool.profile
index 70d9a5b1d..99ba11d30 100644
--- a/etc/secret-tool.profile
+++ b/etc/profile-m-z/secret-tool.profile
@@ -1,6 +1,7 @@
 # Firejail profile for secret-tool
 # Description: Library for storing and retrieving passwords and other secrets
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include secret-tool.local
 # Persistent global definitions
diff --git a/etc/server.profile b/etc/profile-m-z/server.profile
index ce318a828..5bc4735ae 100644
--- a/etc/server.profile
+++ b/etc/profile-m-z/server.profile
@@ -1,4 +1,27 @@
-# Firejail profile for server
+# Generic Firejail profile for servers started as root
+#
+# This profile is used as a default when starting the sandbox as root.
+# Example:
+#
+#       $ sudo firejail
+#       [sudo] password for netblue:
+#       Reading profile /etc/firejail/server.profile
+#       Reading profile /etc/firejail/disable-common.inc
+#       Reading profile /etc/firejail/disable-passwdmgr.inc
+#       Reading profile /etc/firejail/disable-programs.inc
+#
+#       ** Note: you can use --noprofile to disable server.profile **
+#
+#       Parent pid 5347, child pid 5348
+#       The new log directory is /proc/5348/root/var/log
+#       Child process initialized in 64.43 ms
+#       root@debian:~#
+#
+# Customize the profile as usual. Examples: unbound.profile, fdns.profile.
+# All the rules for regular user profiles apply with the exception of
+# /usr/local/bin symlink redirection and firecfg tool. The redirection is disabled
+# by default for root user.
 # This file is overwritten after every install/update
 # Persistent local customizations
 include server.local
@@ -28,7 +51,6 @@ caps
 # ipc-namespace
 # netfilter /etc/firejail/webserver.net
 no3d
-# nodbus
 nodvd
 # nogroups
 # nonewprivs
@@ -49,4 +71,7 @@ private-dev
 # private-lib
 private-tmp
+# dbus-user none
+# dbus-system none
 # memory-deny-write-execute
diff --git a/etc/sftp.profile b/etc/profile-m-z/sftp.profile
index 66dc2a57b..66dc2a57b 100644
--- a/etc/sftp.profile
+++ b/etc/profile-m-z/sftp.profile
diff --git a/etc/shellcheck.profile b/etc/profile-m-z/shellcheck.profile
index f8744bdf8..6cd70c2ea 100644
--- a/etc/shellcheck.profile
+++ b/etc/profile-m-z/shellcheck.profile
@@ -8,6 +8,7 @@ include shellcheck.local
 include globals.local
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 noblacklist ${DOCUMENTS}
@@ -23,12 +24,12 @@ whitelist /usr/share/shellcheck
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
+apparmor
 caps.drop all
 ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -47,4 +48,7 @@ private-cache
 private-dev
 private-tmp
+dbus-user none
+dbus-system none
 memory-deny-write-execute
diff --git a/etc/profile-m-z/shortwave.profile b/etc/profile-m-z/shortwave.profile
new file mode 100644
index 000000000..ee2314833
--- /dev/null
+++ b/etc/profile-m-z/shortwave.profile
@@ -0,0 +1,50 @@
+# Firejail profile for shortwave
+# Description: Listen to internet radio
+# This file is overwritten after every install/update
+# Persistent local customizations
+include shortwave.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.cache/Shortwave
+noblacklist ${HOME}/.local/share/Shortwave
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.cache/Shortwave
+mkdir ${HOME}/.local/share/Shortwave
+whitelist ${HOME}/.cache/Shortwave
+whitelist ${HOME}/.local/share/Shortwave
+whitelist /usr/share/shortwave
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin shortwave
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gconf,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,ssl,X11,xdg
+private-tmp
diff --git a/etc/shotcut.profile b/etc/profile-m-z/shotcut.profile
index 072cc2c0d..bec0bfbb0 100644
--- a/etc/shotcut.profile
+++ b/etc/profile-m-z/shotcut.profile
@@ -19,7 +19,6 @@ include disable-programs.inc
 caps.drop all
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -34,3 +33,6 @@ tracelog
 #private-bin melt,nice,qmelt,shotcut
 private-cache
 private-dev
+dbus-user none
+dbus-system none
diff --git a/etc/signal-cli.profile b/etc/profile-m-z/signal-cli.profile
index 6a2f5c434..6a2f5c434 100644
--- a/etc/signal-cli.profile
+++ b/etc/profile-m-z/signal-cli.profile
diff --git a/etc/signal-desktop.profile b/etc/profile-m-z/signal-desktop.profile
index f810a37ec..b51a86e7d 100644
--- a/etc/signal-desktop.profile
+++ b/etc/profile-m-z/signal-desktop.profile
@@ -9,6 +9,11 @@ ignore noexec /tmp
 noblacklist ${HOME}/.config/Signal
+# These lines are needed to allow Firefox to open links
+noblacklist ${HOME}/.mozilla
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+read-only ${HOME}/.mozilla/firefox/profiles.ini
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -22,14 +27,20 @@ whitelist ${HOME}/.config/Signal
 include whitelist-common.inc
 include whitelist-var-common.inc
+apparmor
 caps.keep sys_admin,sys_chroot
 netfilter
 nodvd
 nogroups
 notv
 nou2f
+novideo
 shell none
 disable-mnt
 private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/silentarmy.profile b/etc/profile-m-z/silentarmy.profile
index cfc33d074..220035ee7 100644
--- a/etc/silentarmy.profile
+++ b/etc/profile-m-z/silentarmy.profile
@@ -12,6 +12,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 include whitelist-var-common.inc
diff --git a/etc/simple-scan.profile b/etc/profile-m-z/simple-scan.profile
index 40fe8c566..17920677b 100644
--- a/etc/simple-scan.profile
+++ b/etc/profile-m-z/simple-scan.profile
@@ -16,6 +16,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
+whitelist /usr/share/hplip
 whitelist /usr/share/simple-scan
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/simplescreenrecorder.profile b/etc/profile-m-z/simplescreenrecorder.profile
index edcc2a0f4..edcc2a0f4 100644
--- a/etc/simplescreenrecorder.profile
+++ b/etc/profile-m-z/simplescreenrecorder.profile
diff --git a/etc/simutrans.profile b/etc/profile-m-z/simutrans.profile
index c6f5f70b0..1b81f2ea1 100644
--- a/etc/simutrans.profile
+++ b/etc/profile-m-z/simutrans.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.simutrans
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -17,10 +18,11 @@ include disable-programs.inc
 mkdir ${HOME}/.simutrans
 whitelist ${HOME}/.simutrans
 include whitelist-common.inc
+include whitelist-var-common.inc
+apparmor
 caps.drop all
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -35,3 +37,6 @@ shell none
 # private-bin simutrans
 private-dev
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/skanlite.profile b/etc/profile-m-z/skanlite.profile
index 6f9bfd201..093a61398 100644
--- a/etc/skanlite.profile
+++ b/etc/profile-m-z/skanlite.profile
@@ -17,7 +17,6 @@ include disable-xdg.inc
 caps.drop all
 netfilter
-# nodbus
 nodvd
 nogroups
 nonewprivs
@@ -33,3 +32,6 @@ shell none
 # private-bin kbuildsycoca4,kdeinit4,skanlite
 # private-dev
 # private-tmp
+# dbus-user none
+# dbus-system none
diff --git a/etc/skypeforlinux.profile b/etc/profile-m-z/skypeforlinux.profile
index 341c25a95..341c25a95 100644
--- a/etc/skypeforlinux.profile
+++ b/etc/profile-m-z/skypeforlinux.profile
diff --git a/etc/slack.profile b/etc/profile-m-z/slack.profile
index 54069f657..8ab3edd63 100644
--- a/etc/slack.profile
+++ b/etc/profile-m-z/slack.profile
@@ -12,6 +12,7 @@ include disable-devel.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 mkdir ${HOME}/.config/Slack
 whitelist ${HOME}/.config/Slack
@@ -19,16 +20,12 @@ whitelist ${DOWNLOADS}
 include whitelist-common.inc
 include whitelist-var-common.inc
-caps.drop all
+caps.keep sys_admin,sys_chroot
 netfilter
 nodvd
 nogroups
-nonewprivs
-noroot
 notv
 nou2f
-protocol unix,inet,inet6,netlink
-seccomp
 shell none
 disable-mnt
@@ -36,4 +33,3 @@ private-bin locale,slack
 private-cache
 private-dev
 private-etc alternatives,asound.conf,ca-certificates,crypto-policies,debian_version,fedora-release,fonts,group,ld.so.cache,ld.so.conf,localtime,machine-id,os-release,passwd,pki,pulse,redhat-release,resolv.conf,ssl,system-release,system-release-cpe
-private-tmp
diff --git a/etc/slashem.profile b/etc/profile-m-z/slashem.profile
index 8c84180d7..ca0516e65 100644
--- a/etc/slashem.profile
+++ b/etc/profile-m-z/slashem.profile
@@ -23,7 +23,6 @@ caps.drop all
 ipc-namespace
 net none
 no3d
-nodbus
 nodvd
 nogroups
 #nonewprivs
@@ -42,4 +41,7 @@ private-dev
 private-tmp
 writable-var
+dbus-user none
+dbus-system none
 #memory-deny-write-execute
diff --git a/etc/smplayer.profile b/etc/profile-m-z/smplayer.profile
index 395888c8a..3fb6fc349 100644
--- a/etc/smplayer.profile
+++ b/etc/profile-m-z/smplayer.profile
@@ -23,6 +23,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 whitelist /usr/share/smplayer
@@ -32,7 +33,6 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
-# nodbus - problems with KDE
 # nogroups
 nonewprivs
 noroot
@@ -45,3 +45,6 @@ private-bin env,mplayer,mpv,python*,smplayer,smtube,youtube-dl
 private-dev
 private-tmp
+# problems with KDE
+# dbus-user none
+# dbus-system none
diff --git a/etc/smtube.profile b/etc/profile-m-z/smtube.profile
index 98e0229ce..79bc02979 100644
--- a/etc/smtube.profile
+++ b/etc/profile-m-z/smtube.profile
@@ -28,6 +28,7 @@ whitelist /usr/share/smtube
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
+apparmor
 caps.drop all
 netfilter
 nodvd
diff --git a/etc/snox.profile b/etc/profile-m-z/snox.profile
index 3b3fd1ae1..3b3fd1ae1 100644
--- a/etc/snox.profile
+++ b/etc/profile-m-z/snox.profile
diff --git a/etc/soffice.profile b/etc/profile-m-z/soffice.profile
index 8348a57fe..8348a57fe 100644
--- a/etc/soffice.profile
+++ b/etc/profile-m-z/soffice.profile
diff --git a/etc/sol.profile b/etc/profile-m-z/sol.profile
index ea1620b31..44fb8cfe2 100644
--- a/etc/sol.profile
+++ b/etc/profile-m-z/sol.profile
@@ -11,17 +11,18 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 # all necessary files in $HOME are in whitelist-common.inc
 include whitelist-common.inc
 include whitelist-var-common.inc
+apparmor
 caps.drop all
 ipc-namespace
 net none
 # no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -40,4 +41,7 @@ private-cache
 private-dev
 private-tmp
+dbus-user none
+dbus-system none
 # memory-deny-write-execute
diff --git a/etc/profile-m-z/sound-juicer.profile b/etc/profile-m-z/sound-juicer.profile
new file mode 100644
index 000000000..b9f3768be
--- /dev/null
+++ b/etc/profile-m-z/sound-juicer.profile
@@ -0,0 +1,43 @@
+# Firejail profile for mpv
+# Description: Graphical audio CD ripper and encoder
+# This file is overwritten after every install/update
+# Persistent local customizations
+include sound-juicer.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/sound-juicer
+noblacklist ${MUSIC}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+netfilter
+no3d
+nogroups
+nonewprivs
+noroot
+nosound
+nou2f
+notv
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+private-cache
+private-dev
+private-tmp
+# dbus-user none
+# dbus-system none
diff --git a/etc/soundconverter.profile b/etc/profile-m-z/soundconverter.profile
index bdd6eb7f5..bdd6eb7f5 100644
--- a/etc/soundconverter.profile
+++ b/etc/profile-m-z/soundconverter.profile
diff --git a/etc/spectre-meltdown-checker.profile b/etc/profile-m-z/spectre-meltdown-checker.profile
index e27df4cc8..a0b99abcf 100644
--- a/etc/spectre-meltdown-checker.profile
+++ b/etc/profile-m-z/spectre-meltdown-checker.profile
@@ -31,7 +31,6 @@ caps.keep sys_rawio
 ipc-namespace
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -49,4 +48,7 @@ private-bin awk,bzip2,cat,coreos-install,cpucontrol,cut,dd,dirname,dmesg,dnf,ech
 private-cache
 private-tmp
+dbus-user none
+dbus-system none
 memory-deny-write-execute
diff --git a/etc/spotify.profile b/etc/profile-m-z/spotify.profile
index 59692f1d6..1a34cb86d 100644
--- a/etc/spotify.profile
+++ b/etc/profile-m-z/spotify.profile
@@ -29,7 +29,6 @@ include whitelist-var-common.inc
 caps.drop all
 netfilter
-#nodbus - dbus needed for MPRIS
 nodvd
 nogroups
 nonewprivs
@@ -50,3 +49,6 @@ private-opt spotify
 private-srv none
 private-tmp
+# dbus needed for MPRIS
+# dbus-user none
+# dbus-system none
diff --git a/etc/sqlitebrowser.profile b/etc/profile-m-z/sqlitebrowser.profile
index 94bb4d3f2..cdb20b4e0 100644
--- a/etc/sqlitebrowser.profile
+++ b/etc/profile-m-z/sqlitebrowser.profile
@@ -15,6 +15,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 include whitelist-usr-share-common.inc
@@ -24,7 +25,6 @@ apparmor
 caps.drop all
 ipc-namespace
 netfilter
-# nodbus - breaks proxy creation
 nodvd
 nogroups
 nonewprivs
@@ -43,4 +43,8 @@ private-dev
 private-etc alternatives,ca-certificates,crypto-policies,fonts,group,machine-id,passwd,pki,ssl
 private-tmp
+# breaks proxy creation
+# dbus-user none
+# dbus-system none
 #memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/ssh-agent.profile b/etc/profile-m-z/ssh-agent.profile
index cf509852a..01b63d3ce 100644
--- a/etc/ssh-agent.profile
+++ b/etc/profile-m-z/ssh-agent.profile
@@ -22,7 +22,6 @@ include whitelist-usr-share-common.inc
 caps.drop all
 netfilter
 no3d
-nodbus
 nodvd
 nonewprivs
 noroot
@@ -34,3 +33,6 @@ shell none
 tracelog
 writable-run-user
+dbus-user none
+dbus-system none
diff --git a/etc/ssh.profile b/etc/profile-m-z/ssh.profile
index 1551c3fb6..5d3458c29 100644
--- a/etc/ssh.profile
+++ b/etc/profile-m-z/ssh.profile
@@ -12,19 +12,22 @@ noblacklist /tmp/ssh-*
 noblacklist ${HOME}/.ssh
 # nc can be used as ProxyCommand, e.g. when using tor
 noblacklist ${PATH}/nc
+noblacklist ${PATH}/ncat
 include disable-common.inc
 include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+whitelist ${RUNUSER}/keyring/ssh
+whitelist ${RUNUSER}/gnupg/S.gpg-agent.ssh
 include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
 caps.drop all
 ipc-namespace
 netfilter
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -43,4 +46,7 @@ private-dev
 # private-tmp # Breaks when exiting
 writable-run-user
+dbus-user none
+dbus-system none
 memory-deny-write-execute
diff --git a/etc/standardnotes-desktop.profile b/etc/profile-m-z/standardnotes-desktop.profile
index a402aca5a..1292b806b 100644
--- a/etc/standardnotes-desktop.profile
+++ b/etc/profile-m-z/standardnotes-desktop.profile
@@ -25,7 +25,6 @@ apparmor
 caps.drop all
 machine-id
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -41,3 +40,5 @@ private-dev
 private-tmp
 private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,pki,resolv.conf,ssl,xdg
+dbus-user none
+dbus-system none
diff --git a/etc/start-tor-browser.desktop.profile b/etc/profile-m-z/start-tor-browser.desktop.profile
index 2f73c9fee..2f73c9fee 100644
--- a/etc/start-tor-browser.desktop.profile
+++ b/etc/profile-m-z/start-tor-browser.desktop.profile
diff --git a/etc/start-tor-browser.profile b/etc/profile-m-z/start-tor-browser.profile
index f9daf8f09..b62b19101 100644
--- a/etc/start-tor-browser.profile
+++ b/etc/profile-m-z/start-tor-browser.profile
@@ -19,7 +19,6 @@ include whitelist-var-common.inc
 caps.drop all
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -38,3 +37,6 @@ private-bin bash,cat,cp,cut,dirname,env,getconf,gpg,grep,gxmessage,id,kdialog,ln
 private-dev
 private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/steam-native.profile b/etc/profile-m-z/steam-native.profile
index 47608ad28..47608ad28 100644
--- a/etc/steam-native.profile
+++ b/etc/profile-m-z/steam-native.profile
diff --git a/etc/profile-m-z/steam-runtime.profile b/etc/profile-m-z/steam-runtime.profile
new file mode 100644
index 000000000..47608ad28
--- /dev/null
+++ b/etc/profile-m-z/steam-runtime.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for steam
+# This file is overwritten after every install/update
+# Redirect
+include steam.profile
diff --git a/etc/steam.profile b/etc/profile-m-z/steam.profile
index bc90af837..7292f189c 100644
--- a/etc/steam.profile
+++ b/etc/profile-m-z/steam.profile
@@ -10,12 +10,17 @@ noblacklist ${HOME}/.killingfloor
 noblacklist ${HOME}/.local/share/3909/PapersPlease
 noblacklist ${HOME}/.local/share/aspyr-media
 noblacklist ${HOME}/.local/share/cdprojektred
+noblacklist ${HOME}/.local/share/FasterThanLight
 noblacklist ${HOME}/.local/share/feral-interactive
+noblacklist ${HOME}/.local/share/IntoTheBreach
+noblacklist ${HOME}/.local/share/Paradox Interactive
 noblacklist ${HOME}/.local/share/Steam
 noblacklist ${HOME}/.local/share/SuperHexagon
 noblacklist ${HOME}/.local/share/Terraria
 noblacklist ${HOME}/.local/share/vpltd
 noblacklist ${HOME}/.local/share/vulkan
+noblacklist ${HOME}/.mbwarband
+noblacklist ${HOME}/.paradoxinteractive
 noblacklist ${HOME}/.steam
 noblacklist ${HOME}/.steampath
 noblacklist ${HOME}/.steampid
@@ -27,8 +32,8 @@ noblacklist /usr/sbin
 include allow-java.inc
 # Allow python (blacklisted by disable-interpreters.inc)
-include allow-python2.inc
+include allow-python2.inc
-include allow-python3.inc
+include allow-python3.inc
 include disable-common.inc
 include disable-devel.inc
@@ -36,16 +41,52 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+mkdir ${HOME}/.config/unity3d
+mkdir ${HOME}/.killingfloor
+mkdir ${HOME}/.local/share/3909/PapersPlease
+mkdir ${HOME}/.local/share/aspyr-media
+mkdir ${HOME}/.local/share/cdprojektred
+mkdir ${HOME}/.local/share/FasterThanLight
+mkdir ${HOME}/.local/share/feral-interactive
+mkdir ${HOME}/.local/share/IntoTheBreach
+mkdir ${HOME}/.local/share/Paradox Interactive
+mkdir ${HOME}/.local/share/Steam
+mkdir ${HOME}/.local/share/SuperHexagon
+mkdir ${HOME}/.local/share/Terraria
+mkdir ${HOME}/.local/share/vpltd
+mkdir ${HOME}/.local/share/vulkan
+mkdir ${HOME}/.mbwarband
+mkdir ${HOME}/.paradoxinteractive
+mkdir ${HOME}/.steam
+mkfile ${HOME}/.steampath
+mkfile ${HOME}/.steampid
+whitelist ${HOME}/.config/unity3d
+whitelist ${HOME}/.killingfloor
+whitelist ${HOME}/.local/share/3909/PapersPlease
+whitelist ${HOME}/.local/share/aspyr-media
+whitelist ${HOME}/.local/share/cdprojektred
+whitelist ${HOME}/.local/share/FasterThanLight
+whitelist ${HOME}/.local/share/feral-interactive
+whitelist ${HOME}/.local/share/IntoTheBreach
+whitelist ${HOME}/.local/share/Paradox Interactive
+whitelist ${HOME}/.local/share/Steam
+whitelist ${HOME}/.local/share/SuperHexagon
+whitelist ${HOME}/.local/share/Terraria
+whitelist ${HOME}/.local/share/vpltd
+whitelist ${HOME}/.local/share/vulkan
+whitelist ${HOME}/.mbwarband
+whitelist ${HOME}/.paradoxinteractive
+whitelist ${HOME}/.steam
+whitelist ${HOME}/.steampath
+whitelist ${HOME}/.steampid
+include whitelist-common.inc
 include whitelist-var-common.inc
-# allow-debuggers needed for running some games with proton
-allow-debuggers
 caps.drop all
 #ipc-namespace
 netfilter
-# nodbus disabled as it breaks appindicator support
-#nodbus
 nodvd
+# nVidia users may need to comment / ignore nogroups and noroot
 nogroups
 nonewprivs
 noroot
@@ -54,11 +95,11 @@ nou2f
 # novideo should be commented for VR
 novideo
 protocol unix,inet,inet6,netlink
-# seccomp cause sometimes issues (see #2860, #2951),
+# seccomp sometimes causes issues (see #2951, #3267),
 # comment it or add 'ignore seccomp' to steam.local if so.
-seccomp
+seccomp !ptrace
 shell none
-# tracelog disabled as it breaks integrated browser
+# tracelog breaks integrated browser
 #tracelog
 # private-bin is disabled while in testing, but has been tested working with multiple games
@@ -71,5 +112,9 @@ shell none
 # private-dev should be commented for controllers
 private-dev
 # private-etc breaks a small selection of games on some systems, comment to support those
-private-etc alternatives,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,lsb-release,machine-id,mime.types,nvidia,os-release,passwd,pki,pulse,resolv.conf,services,ssl
+private-etc alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,lsb-release,machine-id,mime.types,nvidia,os-release,passwd,pki,pulse,resolv.conf,services,ssl
 private-tmp
+# breaks appindicator support
+# dbus-user none
+# dbus-system none
diff --git a/etc/stellarium.profile b/etc/profile-m-z/stellarium.profile
index d6df2e0ad..3f93fe591 100644
--- a/etc/stellarium.profile
+++ b/etc/profile-m-z/stellarium.profile
@@ -15,6 +15,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 mkdir ${HOME}/.config/stellarium
 mkdir ${HOME}/.stellarium
diff --git a/etc/profile-m-z/strawberry.profile b/etc/profile-m-z/strawberry.profile
new file mode 100644
index 000000000..cd36c0d41
--- /dev/null
+++ b/etc/profile-m-z/strawberry.profile
@@ -0,0 +1,49 @@
+# Firejail profile for strawberry
+# Description: A music player and music collection organizer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include strawberry.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.cache/strawberry
+noblacklist ${HOME}/.config/strawberry
+noblacklist ${HOME}/.local/share/strawberry
+noblacklist ${MUSIC}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc 
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+# blacklisting of ioprio_set system calls breaks strawberry
+seccomp !ioprio_set
+shell none
+tracelog
+disable-mnt
+private-bin strawberry,strawberry-tagreader
+private-cache
+private-dev
+private-etc ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,nsswitch.conf,pki,resolv.conf,ssl
+private-tmp
+dbus-system none
diff --git a/etc/strings.profile b/etc/profile-m-z/strings.profile
index 7dc453b1f..426b2dc1c 100644
--- a/etc/strings.profile
+++ b/etc/profile-m-z/strings.profile
@@ -8,6 +8,7 @@ include strings.local
 include globals.local
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 #include disable-common.inc
 include disable-devel.inc
@@ -15,6 +16,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 #include disable-programs.inc
+include disable-shell.inc
 #include disable-xdg.inc
 #include whitelist-usr-share-common.inc
@@ -26,7 +28,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -49,5 +50,8 @@ private-dev
 #private-lib libfakeroot
 private-tmp
+dbus-user none
+dbus-system none
 memory-deny-write-execute
 read-only ${HOME}
diff --git a/etc/studio.sh.profile b/etc/profile-m-z/studio.sh.profile
index 79e879f36..79e879f36 100644
--- a/etc/studio.sh.profile
+++ b/etc/profile-m-z/studio.sh.profile
diff --git a/etc/subdownloader.profile b/etc/profile-m-z/subdownloader.profile
index f6165f139..428af3737 100644
--- a/etc/subdownloader.profile
+++ b/etc/profile-m-z/subdownloader.profile
@@ -30,7 +30,6 @@ ipc-namespace
 machine-id
 netfilter
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -48,4 +47,7 @@ private-dev
 private-etc alternatives,fonts
 private-tmp
+dbus-user none
+dbus-system none
 #memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/supertux2.profile b/etc/profile-m-z/supertux2.profile
index 4c64ee766..ceaae8fbf 100644
--- a/etc/supertux2.profile
+++ b/etc/profile-m-z/supertux2.profile
@@ -10,18 +10,23 @@ noblacklist ${HOME}/.local/share/supertux2
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 mkdir ${HOME}/.local/share/supertux2
 whitelist ${HOME}/.local/share/supertux2
+whitelist /usr/share/supertux2
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
+apparmor
 caps.drop all
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -32,8 +37,12 @@ novideo
 protocol unix,netlink
 seccomp
 shell none
+tracelog
 disable-mnt
 # private-bin supertux2
 private-dev
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/supertuxkart.profile b/etc/profile-m-z/supertuxkart.profile
index 2975a61ed..ce69c8b4b 100644
--- a/etc/supertuxkart.profile
+++ b/etc/profile-m-z/supertuxkart.profile
@@ -13,10 +13,11 @@ noblacklist ${HOME}/.local/share/supertuxkart
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
+include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
-include disable-interpreters.inc
 mkdir ${HOME}/.config/supertuxkart
 mkdir ${HOME}/.cache/supertuxkart
@@ -32,7 +33,6 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -54,3 +54,5 @@ private-tmp
 private-opt none
 private-srv none
+dbus-user none
+dbus-system none
diff --git a/etc/surf.profile b/etc/profile-m-z/surf.profile
index d4c6d9afc..5ad82601d 100644
--- a/etc/surf.profile
+++ b/etc/profile-m-z/surf.profile
@@ -34,6 +34,6 @@ tracelog
 disable-mnt
 private-bin bash,curl,dmenu,ls,printf,sed,sh,sleep,st,stterm,surf,xargs,xprop
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,group,hosts,passwd,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,group,hosts,machine-id,passwd,pki,resolv.conf,ssl
 private-tmp
diff --git a/etc/profile-m-z/sushi.profile b/etc/profile-m-z/sushi.profile
new file mode 100644
index 000000000..68abd8c94
--- /dev/null
+++ b/etc/profile-m-z/sushi.profile
@@ -0,0 +1,48 @@
+# Firejail profile for sushi
+# Description: A quick previewer for Nautilus
+# This file is overwritten after every install/update
+# Persistent local customizations
+include sushi.local
+# Persistent global definitions
+include globals.local
+# Allow gjs (blacklisted by disable-interpreters.inc)
+include allow-gjs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+# include disable-programs.inc
+include disable-shell.inc
+include whitelist-runuser-common.inc
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+private-bin gjs,sushi
+private-dev
+private-tmp
+dbus-system none
+read-only /
+read-only /mnt
+read-only /media
+read-only /run/mount
+read-only /run/media
+read-only ${HOME}
diff --git a/etc/profile-m-z/swell-foop.profile b/etc/profile-m-z/swell-foop.profile
new file mode 100644
index 000000000..9efae815d
--- /dev/null
+++ b/etc/profile-m-z/swell-foop.profile
@@ -0,0 +1,21 @@
+# Firejail profile for swell-foop
+# Description: GNOME colored tiles puzzle game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include swell-foop.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.local/share/swell-foop
+mkdir ${HOME}/.local/share/swell-foop
+whitelist ${HOME}/.local/share/swell-foop
+whitelist /usr/share/swell-foop
+private-bin swell-foop
+dbus-user.own org.gnome.SwellFoop
+# Redirect
+include gnome_games-common.profile
diff --git a/etc/sylpheed.profile b/etc/profile-m-z/sylpheed.profile
index 4344fe73a..4344fe73a 100644
--- a/etc/sylpheed.profile
+++ b/etc/profile-m-z/sylpheed.profile
diff --git a/etc/synfigstudio.profile b/etc/profile-m-z/synfigstudio.profile
index 30b0ad762..a83080cc3 100644
--- a/etc/synfigstudio.profile
+++ b/etc/profile-m-z/synfigstudio.profile
@@ -18,7 +18,6 @@ include disable-programs.inc
 caps.drop all
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -36,3 +35,5 @@ private-cache
 private-dev
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/sysprof-cli.profile b/etc/profile-m-z/sysprof-cli.profile
index 935c7e9ca..8f4de130b 100644
--- a/etc/sysprof-cli.profile
+++ b/etc/profile-m-z/sysprof-cli.profile
@@ -7,12 +7,13 @@ include sysprof-cli.local
 # added by included profile
 #include globals.local
-nodbus
 # There is no GUI help menu to break in the CLI version
 private-bin sysprof-cli
 private-lib
+dbus-user none
+dbus-system none
 memory-deny-write-execute
 # Redirect
diff --git a/etc/sysprof.profile b/etc/profile-m-z/sysprof.profile
index 9761629d2..ad3346285 100644
--- a/etc/sysprof.profile
+++ b/etc/profile-m-z/sysprof.profile
@@ -23,7 +23,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-# nodbus - makes settings immutable
 nodvd
 nogroups
 nonewprivs
@@ -46,4 +45,8 @@ private-etc alternatives,fonts,ld.so.cache,machine-id,ssl
 #private-lib gdk-pixbuf-2.*,gio,gtk3,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*,libsysprof-2.so,libsysprof-ui-2.so
 private-tmp
+# makes settings immutable
+# dbus-user none
+# dbus-system none
 # memory-deny-write-execute - Breaks GUI on Arch
diff --git a/etc/tar.profile b/etc/profile-m-z/tar.profile
index 0858dcb26..3a7405305 100644
--- a/etc/tar.profile
+++ b/etc/profile-m-z/tar.profile
@@ -26,7 +26,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -50,4 +49,7 @@ private-lib libfakeroot
 # Debian based distributions need this for 'dpkg --unpack' (incl. synaptic)
 writable-var
+dbus-user none
+dbus-system none
 memory-deny-write-execute
diff --git a/etc/tb-starter-wrapper.profile b/etc/profile-m-z/tb-starter-wrapper.profile
index ffe9605b6..ffe9605b6 100644
--- a/etc/tb-starter-wrapper.profile
+++ b/etc/profile-m-z/tb-starter-wrapper.profile
diff --git a/etc/tcpdump.profile b/etc/profile-m-z/tcpdump.profile
index 3c46dfdcb..881fbf49e 100644
--- a/etc/tcpdump.profile
+++ b/etc/profile-m-z/tcpdump.profile
@@ -19,6 +19,7 @@ include disable-xdg.inc
 include whitelist-common.inc
+apparmor
 caps.keep net_raw
 ipc-namespace
 #net tun0
diff --git a/etc/teams-for-linux.profile b/etc/profile-m-z/teams-for-linux.profile
index 882d8d0f3..a13c92bc3 100644
--- a/etc/teams-for-linux.profile
+++ b/etc/profile-m-z/teams-for-linux.profile
@@ -7,7 +7,8 @@ include teams-for-linux.local
 # added by included profile
 #include globals.local
-ignore nodbus
+ignore dbus-user none
+ignore dbus-system none
 noblacklist ${HOME}/.config/teams-for-linux
diff --git a/etc/teams.profile b/etc/profile-m-z/teams.profile
index 8b60a941e..bd7faa80a 100644
--- a/etc/teams.profile
+++ b/etc/profile-m-z/teams.profile
@@ -1,14 +1,17 @@
 # Firejail profile for teams
 # Description: Official Microsoft Teams client for Linux using Electron.
 # This file is overwritten after every install/update
-# Known issues:
-#  * if Teams crashes on startup try using "ignore apparmor" in your local config
 # Persistent local customizations
 include teams.local
 # Persistent global definitions
 # added by included profile
 #include globals.local
+# see #3404
+ignore apparmor
+ignore dbus-user none
+ignore dbus-system none
 noblacklist ${HOME}/.config/teams
 noblacklist ${HOME}/.config/Microsoft
@@ -30,7 +33,6 @@ tracelog
 disable-mnt
 private-cache
 private-dev
-private-tmp
 # Redirect
 include electron.profile
diff --git a/etc/teamspeak3.profile b/etc/profile-m-z/teamspeak3.profile
index c1c666f58..c1c666f58 100644
--- a/etc/teamspeak3.profile
+++ b/etc/profile-m-z/teamspeak3.profile
diff --git a/etc/teeworlds.profile b/etc/profile-m-z/teeworlds.profile
index 782f337d3..c0d62bec2 100644
--- a/etc/teeworlds.profile
+++ b/etc/profile-m-z/teeworlds.profile
@@ -14,6 +14,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.teeworlds
@@ -24,7 +25,6 @@ include whitelist-var-common.inc
 caps.drop all
 ipc-namespace
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -42,3 +42,6 @@ private-bin teeworlds
 private-cache
 private-dev
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/telegram-desktop.profile b/etc/profile-m-z/telegram-desktop.profile
index 0cfa7114b..0cfa7114b 100644
--- a/etc/telegram-desktop.profile
+++ b/etc/profile-m-z/telegram-desktop.profile
diff --git a/etc/telegram.profile b/etc/profile-m-z/telegram.profile
index e3af5600a..8e0741458 100644
--- a/etc/telegram.profile
+++ b/etc/profile-m-z/telegram.profile
@@ -25,5 +25,5 @@ seccomp
 disable-mnt
 private-cache
+private-etc ca-certificates,crypto-policies,fonts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl
 private-tmp
diff --git a/etc/terasology.profile b/etc/profile-m-z/terasology.profile
index 9a8426435..36ce6d469 100644
--- a/etc/terasology.profile
+++ b/etc/profile-m-z/terasology.profile
@@ -28,8 +28,6 @@ include whitelist-common.inc
 caps.drop all
 ipc-namespace
 net none
-netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -45,3 +43,6 @@ disable-mnt
 private-dev
 private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,java-7-openjdk,java-8-openjdk,ld.so.cache,ld.so.preload,localtime,lsb-release,machine-id,mime.types,passwd,pki,pulse,resolv.conf,ssl
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/tex.profile b/etc/profile-m-z/tex.profile
index f56c3038e..f56c3038e 100644
--- a/etc/tex.profile
+++ b/etc/profile-m-z/tex.profile
diff --git a/etc/textmaker18.profile b/etc/profile-m-z/textmaker18.profile
index 8284df791..d28947394 100644
--- a/etc/textmaker18.profile
+++ b/etc/profile-m-z/textmaker18.profile
@@ -7,4 +7,5 @@ include textmaker18.local
 include globals.local
 # Redirect
-include softmaker-common.profile
+include softmaker-common.inc
diff --git a/etc/textmaker18free.profile b/etc/profile-m-z/textmaker18free.profile
index ad945ca55..7b4fd5b08 100644
--- a/etc/textmaker18free.profile
+++ b/etc/profile-m-z/textmaker18free.profile
@@ -7,4 +7,5 @@ include textmaker18free.local
 include globals.local
 # Redirect
-include softmaker-common.profile
+include softmaker-common.inc
diff --git a/etc/thunar.profile b/etc/profile-m-z/thunar.profile
index 19993016a..19993016a 100644
--- a/etc/thunar.profile
+++ b/etc/profile-m-z/thunar.profile
diff --git a/etc/thunderbird-beta.profile b/etc/profile-m-z/thunderbird-beta.profile
index 6450e40d6..6450e40d6 100644
--- a/etc/thunderbird-beta.profile
+++ b/etc/profile-m-z/thunderbird-beta.profile
diff --git a/etc/thunderbird-wayland.profile b/etc/profile-m-z/thunderbird-wayland.profile
index 9fbb80d29..9fbb80d29 100644
--- a/etc/thunderbird-wayland.profile
+++ b/etc/profile-m-z/thunderbird-wayland.profile
diff --git a/etc/thunderbird.profile b/etc/profile-m-z/thunderbird.profile
index 6e888c163..6e4bb50d4 100644
--- a/etc/thunderbird.profile
+++ b/etc/profile-m-z/thunderbird.profile
@@ -7,22 +7,22 @@ include thunderbird.local
 include globals.local
 # writable-run-user and dbus are needed by enigmail
-ignore nodbus
+ignore dbus-user none
+ignore dbus-system none
 writable-run-user
-# If you want to read local mail stored in /var/mail, add the following to thunderbird.local:
+# If you want to read local mail stored in /var/mail edit /etc/apparmor.d/firejail-default accordingly
+# and add the following to thunderbird.local:
 #noblacklist /var/mail
 #noblacklist /var/spool/mail
 #whitelist /var/mail
 #whitelist /var/spool/mail
 #writable-var
-# Uncomment the next 4 lines or put them in your thunderbird.local to
+# These lines are needed to allow Firefox to load your profile when clicking a link in an email
-# allow Firefox to load your profile when clicking a link in an email
+noblacklist ${HOME}/.mozilla
-#noblacklist ${HOME}/.cache/mozilla
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
-#noblacklist ${HOME}/.mozilla
+read-only ${HOME}/.mozilla/firefox/profiles.ini
-#whitelist ${HOME}/.cache/mozilla/firefox
-#whitelist ${HOME}/.mozilla
 noblacklist ${HOME}/.cache/thunderbird
 noblacklist ${HOME}/.gnupg
@@ -47,6 +47,7 @@ whitelist ${HOME}/.thunderbird
 whitelist /usr/share/gnupg
 whitelist /usr/share/mozilla
+whitelist /usr/share/thunderbird
 whitelist /usr/share/webext
 include whitelist-usr-share-common.inc
diff --git a/etc/tilp.profile b/etc/profile-m-z/tilp.profile
index 4d38d5184..dd4a372c4 100644
--- a/etc/tilp.profile
+++ b/etc/profile-m-z/tilp.profile
@@ -13,6 +13,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 caps.drop all
 net none
diff --git a/etc/tor-browser-ar.profile b/etc/profile-m-z/tor-browser-ar.profile
index 612b2d01b..612b2d01b 100644
--- a/etc/tor-browser-ar.profile
+++ b/etc/profile-m-z/tor-browser-ar.profile
diff --git a/etc/tor-browser-ca.profile b/etc/profile-m-z/tor-browser-ca.profile
index db70a7109..db70a7109 100644
--- a/etc/tor-browser-ca.profile
+++ b/etc/profile-m-z/tor-browser-ca.profile
diff --git a/etc/tor-browser-cs.profile b/etc/profile-m-z/tor-browser-cs.profile
index 77b271b68..77b271b68 100644
--- a/etc/tor-browser-cs.profile
+++ b/etc/profile-m-z/tor-browser-cs.profile
diff --git a/etc/tor-browser-da.profile b/etc/profile-m-z/tor-browser-da.profile
index 3b9fff9a4..3b9fff9a4 100644
--- a/etc/tor-browser-da.profile
+++ b/etc/profile-m-z/tor-browser-da.profile
diff --git a/etc/tor-browser-de.profile b/etc/profile-m-z/tor-browser-de.profile
index 3b4f7f94f..3b4f7f94f 100644
--- a/etc/tor-browser-de.profile
+++ b/etc/profile-m-z/tor-browser-de.profile
diff --git a/etc/tor-browser-el.profile b/etc/profile-m-z/tor-browser-el.profile
index b978b6042..b978b6042 100644
--- a/etc/tor-browser-el.profile
+++ b/etc/profile-m-z/tor-browser-el.profile
diff --git a/etc/tor-browser-en-us.profile b/etc/profile-m-z/tor-browser-en-us.profile
index db56dda1b..db56dda1b 100644
--- a/etc/tor-browser-en-us.profile
+++ b/etc/profile-m-z/tor-browser-en-us.profile
diff --git a/etc/tor-browser-en.profile b/etc/profile-m-z/tor-browser-en.profile
index ad4110c0e..ad4110c0e 100644
--- a/etc/tor-browser-en.profile
+++ b/etc/profile-m-z/tor-browser-en.profile
diff --git a/etc/tor-browser-es-es.profile b/etc/profile-m-z/tor-browser-es-es.profile
index 1aa586658..1aa586658 100644
--- a/etc/tor-browser-es-es.profile
+++ b/etc/profile-m-z/tor-browser-es-es.profile
diff --git a/etc/tor-browser-es.profile b/etc/profile-m-z/tor-browser-es.profile
index a386e3387..a386e3387 100644
--- a/etc/tor-browser-es.profile
+++ b/etc/profile-m-z/tor-browser-es.profile
diff --git a/etc/tor-browser-fa.profile b/etc/profile-m-z/tor-browser-fa.profile
index 7f847a7c2..7f847a7c2 100644
--- a/etc/tor-browser-fa.profile
+++ b/etc/profile-m-z/tor-browser-fa.profile
diff --git a/etc/tor-browser-fr.profile b/etc/profile-m-z/tor-browser-fr.profile
index bce470ec8..bce470ec8 100644
--- a/etc/tor-browser-fr.profile
+++ b/etc/profile-m-z/tor-browser-fr.profile
diff --git a/etc/tor-browser-ga-ie.profile b/etc/profile-m-z/tor-browser-ga-ie.profile
index 994897a87..994897a87 100644
--- a/etc/tor-browser-ga-ie.profile
+++ b/etc/profile-m-z/tor-browser-ga-ie.profile
diff --git a/etc/tor-browser-he.profile b/etc/profile-m-z/tor-browser-he.profile
index 6367b4c0a..6367b4c0a 100644
--- a/etc/tor-browser-he.profile
+++ b/etc/profile-m-z/tor-browser-he.profile
diff --git a/etc/tor-browser-hu.profile b/etc/profile-m-z/tor-browser-hu.profile
index 68e79833e..68e79833e 100644
--- a/etc/tor-browser-hu.profile
+++ b/etc/profile-m-z/tor-browser-hu.profile
diff --git a/etc/tor-browser-id.profile b/etc/profile-m-z/tor-browser-id.profile
index 85b455ba2..85b455ba2 100644
--- a/etc/tor-browser-id.profile
+++ b/etc/profile-m-z/tor-browser-id.profile
diff --git a/etc/tor-browser-is.profile b/etc/profile-m-z/tor-browser-is.profile
index 48e88db71..48e88db71 100644
--- a/etc/tor-browser-is.profile
+++ b/etc/profile-m-z/tor-browser-is.profile
diff --git a/etc/tor-browser-it.profile b/etc/profile-m-z/tor-browser-it.profile
index 3c239ca29..3c239ca29 100644
--- a/etc/tor-browser-it.profile
+++ b/etc/profile-m-z/tor-browser-it.profile
diff --git a/etc/tor-browser-ja.profile b/etc/profile-m-z/tor-browser-ja.profile
index c52e0f64e..c52e0f64e 100644
--- a/etc/tor-browser-ja.profile
+++ b/etc/profile-m-z/tor-browser-ja.profile
diff --git a/etc/tor-browser-ka.profile b/etc/profile-m-z/tor-browser-ka.profile
index 173b85e5c..173b85e5c 100644
--- a/etc/tor-browser-ka.profile
+++ b/etc/profile-m-z/tor-browser-ka.profile
diff --git a/etc/tor-browser-ko.profile b/etc/profile-m-z/tor-browser-ko.profile
index 8faa5afa1..8faa5afa1 100644
--- a/etc/tor-browser-ko.profile
+++ b/etc/profile-m-z/tor-browser-ko.profile
diff --git a/etc/tor-browser-nb.profile b/etc/profile-m-z/tor-browser-nb.profile
index d1352dd80..d1352dd80 100644
--- a/etc/tor-browser-nb.profile
+++ b/etc/profile-m-z/tor-browser-nb.profile
diff --git a/etc/tor-browser-nl.profile b/etc/profile-m-z/tor-browser-nl.profile
index d4443cca2..d4443cca2 100644
--- a/etc/tor-browser-nl.profile
+++ b/etc/profile-m-z/tor-browser-nl.profile
diff --git a/etc/tor-browser-pl.profile b/etc/profile-m-z/tor-browser-pl.profile
index 08ddd4ae7..08ddd4ae7 100644
--- a/etc/tor-browser-pl.profile
+++ b/etc/profile-m-z/tor-browser-pl.profile
diff --git a/etc/tor-browser-pt-br.profile b/etc/profile-m-z/tor-browser-pt-br.profile
index 9942a3fe8..9942a3fe8 100644
--- a/etc/tor-browser-pt-br.profile
+++ b/etc/profile-m-z/tor-browser-pt-br.profile
diff --git a/etc/tor-browser-ru.profile b/etc/profile-m-z/tor-browser-ru.profile
index 6294f8ca0..6294f8ca0 100644
--- a/etc/tor-browser-ru.profile
+++ b/etc/profile-m-z/tor-browser-ru.profile
diff --git a/etc/tor-browser-sv-se.profile b/etc/profile-m-z/tor-browser-sv-se.profile
index c8544262f..c8544262f 100644
--- a/etc/tor-browser-sv-se.profile
+++ b/etc/profile-m-z/tor-browser-sv-se.profile
diff --git a/etc/tor-browser-tr.profile b/etc/profile-m-z/tor-browser-tr.profile
index 2343fa8de..2343fa8de 100644
--- a/etc/tor-browser-tr.profile
+++ b/etc/profile-m-z/tor-browser-tr.profile
diff --git a/etc/tor-browser-vi.profile b/etc/profile-m-z/tor-browser-vi.profile
index 734c38698..734c38698 100644
--- a/etc/tor-browser-vi.profile
+++ b/etc/profile-m-z/tor-browser-vi.profile
diff --git a/etc/tor-browser-zh-cn.profile b/etc/profile-m-z/tor-browser-zh-cn.profile
index 21e813e45..21e813e45 100644
--- a/etc/tor-browser-zh-cn.profile
+++ b/etc/profile-m-z/tor-browser-zh-cn.profile
diff --git a/etc/tor-browser-zh-tw.profile b/etc/profile-m-z/tor-browser-zh-tw.profile
index 6fe09c6c1..6fe09c6c1 100644
--- a/etc/tor-browser-zh-tw.profile
+++ b/etc/profile-m-z/tor-browser-zh-tw.profile
diff --git a/etc/tor-browser.profile b/etc/profile-m-z/tor-browser.profile
index 0cd84abf5..0cd84abf5 100644
--- a/etc/tor-browser.profile
+++ b/etc/profile-m-z/tor-browser.profile
diff --git a/etc/tor-browser_ar.profile b/etc/profile-m-z/tor-browser_ar.profile
index 1e1f5ce35..1e1f5ce35 100644
--- a/etc/tor-browser_ar.profile
+++ b/etc/profile-m-z/tor-browser_ar.profile
diff --git a/etc/tor-browser_ca.profile b/etc/profile-m-z/tor-browser_ca.profile
index e114b6051..e114b6051 100644
--- a/etc/tor-browser_ca.profile
+++ b/etc/profile-m-z/tor-browser_ca.profile
diff --git a/etc/tor-browser_cs.profile b/etc/profile-m-z/tor-browser_cs.profile
index 498068bc6..498068bc6 100644
--- a/etc/tor-browser_cs.profile
+++ b/etc/profile-m-z/tor-browser_cs.profile
diff --git a/etc/tor-browser_da.profile b/etc/profile-m-z/tor-browser_da.profile
index 5c25c03c8..5c25c03c8 100644
--- a/etc/tor-browser_da.profile
+++ b/etc/profile-m-z/tor-browser_da.profile
diff --git a/etc/tor-browser_de.profile b/etc/profile-m-z/tor-browser_de.profile
index d530e7dbe..d530e7dbe 100644
--- a/etc/tor-browser_de.profile
+++ b/etc/profile-m-z/tor-browser_de.profile
diff --git a/etc/tor-browser_el.profile b/etc/profile-m-z/tor-browser_el.profile
index 67d5ab440..67d5ab440 100644
--- a/etc/tor-browser_el.profile
+++ b/etc/profile-m-z/tor-browser_el.profile
diff --git a/etc/tor-browser_en-US.profile b/etc/profile-m-z/tor-browser_en-US.profile
index b298ab2b8..b298ab2b8 100644
--- a/etc/tor-browser_en-US.profile
+++ b/etc/profile-m-z/tor-browser_en-US.profile
diff --git a/etc/tor-browser_en.profile b/etc/profile-m-z/tor-browser_en.profile
index 6bb0616b1..6bb0616b1 100644
--- a/etc/tor-browser_en.profile
+++ b/etc/profile-m-z/tor-browser_en.profile
diff --git a/etc/tor-browser_es-ES.profile b/etc/profile-m-z/tor-browser_es-ES.profile
index 78f57ffe5..78f57ffe5 100644
--- a/etc/tor-browser_es-ES.profile
+++ b/etc/profile-m-z/tor-browser_es-ES.profile
diff --git a/etc/tor-browser_es.profile b/etc/profile-m-z/tor-browser_es.profile
index ea34a07c9..ea34a07c9 100644
--- a/etc/tor-browser_es.profile
+++ b/etc/profile-m-z/tor-browser_es.profile
diff --git a/etc/tor-browser_fa.profile b/etc/profile-m-z/tor-browser_fa.profile
index fbc416ce5..fbc416ce5 100644
--- a/etc/tor-browser_fa.profile
+++ b/etc/profile-m-z/tor-browser_fa.profile
diff --git a/etc/tor-browser_fr.profile b/etc/profile-m-z/tor-browser_fr.profile
index caea6db5b..caea6db5b 100644
--- a/etc/tor-browser_fr.profile
+++ b/etc/profile-m-z/tor-browser_fr.profile
diff --git a/etc/tor-browser_ga-IE.profile b/etc/profile-m-z/tor-browser_ga-IE.profile
index 6342daebf..6342daebf 100644
--- a/etc/tor-browser_ga-IE.profile
+++ b/etc/profile-m-z/tor-browser_ga-IE.profile
diff --git a/etc/tor-browser_he.profile b/etc/profile-m-z/tor-browser_he.profile
index cc4150620..cc4150620 100644
--- a/etc/tor-browser_he.profile
+++ b/etc/profile-m-z/tor-browser_he.profile
diff --git a/etc/tor-browser_hu.profile b/etc/profile-m-z/tor-browser_hu.profile
index 952a0b68a..952a0b68a 100644
--- a/etc/tor-browser_hu.profile
+++ b/etc/profile-m-z/tor-browser_hu.profile
diff --git a/etc/tor-browser_id.profile b/etc/profile-m-z/tor-browser_id.profile
index a006b27c0..a006b27c0 100644
--- a/etc/tor-browser_id.profile
+++ b/etc/profile-m-z/tor-browser_id.profile
diff --git a/etc/tor-browser_is.profile b/etc/profile-m-z/tor-browser_is.profile
index 038e0fabb..038e0fabb 100644
--- a/etc/tor-browser_is.profile
+++ b/etc/profile-m-z/tor-browser_is.profile
diff --git a/etc/tor-browser_it.profile b/etc/profile-m-z/tor-browser_it.profile
index 3d2566994..3d2566994 100644
--- a/etc/tor-browser_it.profile
+++ b/etc/profile-m-z/tor-browser_it.profile
diff --git a/etc/tor-browser_ja.profile b/etc/profile-m-z/tor-browser_ja.profile
index 08c942bcd..08c942bcd 100644
--- a/etc/tor-browser_ja.profile
+++ b/etc/profile-m-z/tor-browser_ja.profile
diff --git a/etc/tor-browser_ka.profile b/etc/profile-m-z/tor-browser_ka.profile
index 97664be4d..97664be4d 100644
--- a/etc/tor-browser_ka.profile
+++ b/etc/profile-m-z/tor-browser_ka.profile
diff --git a/etc/tor-browser_ko.profile b/etc/profile-m-z/tor-browser_ko.profile
index 98cf1e3e1..98cf1e3e1 100644
--- a/etc/tor-browser_ko.profile
+++ b/etc/profile-m-z/tor-browser_ko.profile
diff --git a/etc/tor-browser_nb.profile b/etc/profile-m-z/tor-browser_nb.profile
index 6df840573..6df840573 100644
--- a/etc/tor-browser_nb.profile
+++ b/etc/profile-m-z/tor-browser_nb.profile
diff --git a/etc/tor-browser_nl.profile b/etc/profile-m-z/tor-browser_nl.profile
index 3f545f888..3f545f888 100644
--- a/etc/tor-browser_nl.profile
+++ b/etc/profile-m-z/tor-browser_nl.profile
diff --git a/etc/tor-browser_pl.profile b/etc/profile-m-z/tor-browser_pl.profile
index 4e04dc027..4e04dc027 100644
--- a/etc/tor-browser_pl.profile
+++ b/etc/profile-m-z/tor-browser_pl.profile
diff --git a/etc/tor-browser_pt-BR.profile b/etc/profile-m-z/tor-browser_pt-BR.profile
index 7f864886c..7f864886c 100644
--- a/etc/tor-browser_pt-BR.profile
+++ b/etc/profile-m-z/tor-browser_pt-BR.profile
diff --git a/etc/tor-browser_ru.profile b/etc/profile-m-z/tor-browser_ru.profile
index 2fae6fbe7..2fae6fbe7 100644
--- a/etc/tor-browser_ru.profile
+++ b/etc/profile-m-z/tor-browser_ru.profile
diff --git a/etc/tor-browser_sv-SE.profile b/etc/profile-m-z/tor-browser_sv-SE.profile
index 2157f8d2b..2157f8d2b 100644
--- a/etc/tor-browser_sv-SE.profile
+++ b/etc/profile-m-z/tor-browser_sv-SE.profile
diff --git a/etc/tor-browser_tr.profile b/etc/profile-m-z/tor-browser_tr.profile
index 20ac246ca..20ac246ca 100644
--- a/etc/tor-browser_tr.profile
+++ b/etc/profile-m-z/tor-browser_tr.profile
diff --git a/etc/tor-browser_vi.profile b/etc/profile-m-z/tor-browser_vi.profile
index 4faa06ff6..4faa06ff6 100644
--- a/etc/tor-browser_vi.profile
+++ b/etc/profile-m-z/tor-browser_vi.profile
diff --git a/etc/tor-browser_zh-CN.profile b/etc/profile-m-z/tor-browser_zh-CN.profile
index e4d8215e6..e4d8215e6 100644
--- a/etc/tor-browser_zh-CN.profile
+++ b/etc/profile-m-z/tor-browser_zh-CN.profile
diff --git a/etc/tor-browser_zh-TW.profile b/etc/profile-m-z/tor-browser_zh-TW.profile
index 8a28015a6..8a28015a6 100644
--- a/etc/tor-browser_zh-TW.profile
+++ b/etc/profile-m-z/tor-browser_zh-TW.profile
diff --git a/etc/tor.profile b/etc/profile-m-z/tor.profile
index 13d071635..13d071635 100644
--- a/etc/tor.profile
+++ b/etc/profile-m-z/tor.profile
diff --git a/etc/torbrowser-launcher.profile b/etc/profile-m-z/torbrowser-launcher.profile
index 72bdf9fa1..6bcc51f4d 100644
--- a/etc/torbrowser-launcher.profile
+++ b/etc/profile-m-z/torbrowser-launcher.profile
@@ -12,8 +12,8 @@ noblacklist ${HOME}/.config/torbrowser
 noblacklist ${HOME}/.local/share/torbrowser
 # Allow python (blacklisted by disable-interpreters.inc)
-include allow-python2.inc
+include allow-python2.inc
-include allow-python3.inc
+include allow-python3.inc
 include disable-common.inc
 include disable-devel.inc
@@ -33,7 +33,6 @@ include whitelist-var-common.inc
 caps.drop all
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -52,3 +51,6 @@ private-bin bash,cat,cp,cut,dirname,env,expr,file,gpg,grep,gxmessage,id,kdialog,
 private-dev
 private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/torcs.profile b/etc/profile-m-z/torcs.profile
index d9c59b276..1ed78934e 100644
--- a/etc/torcs.profile
+++ b/etc/profile-m-z/torcs.profile
@@ -18,13 +18,15 @@ include disable-xdg.inc
 mkdir ${HOME}/.torcs
 whitelist ${HOME}/.torcs
+whitelist /usr/share/games/torcs
+whitelist /var/games/torcs
 include whitelist-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 caps.drop all
 ipc-namespace
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -38,6 +40,10 @@ shell none
 tracelog
 disable-mnt
+private-bin bash,chmod,cp,mkdir,rm,torcs
 private-cache
 private-dev
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/totem.profile b/etc/profile-m-z/totem.profile
index 5b74709e3..b8f4ca765 100644
--- a/etc/totem.profile
+++ b/etc/profile-m-z/totem.profile
@@ -9,9 +9,13 @@ include globals.local
 # Allow lua (required for youtube video)
 include allow-lua.inc
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
 noblacklist ${HOME}/.config/totem
 noblacklist ${HOME}/.local/share/totem
 noblacklist ${MUSIC}
+noblacklist ${PICTURES}
 noblacklist ${VIDEOS}
 include disable-common.inc
@@ -20,6 +24,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 include whitelist-var-common.inc
@@ -27,7 +32,6 @@ include whitelist-var-common.inc
 # apparmor - makes settings immutable
 caps.drop all
 netfilter
-# nodbus - makes settings immutable
 nogroups
 nonewprivs
 noroot
@@ -35,6 +39,7 @@ nou2f
 protocol unix,inet,inet6
 seccomp
 shell none
+tracelog
 private-bin totem
 # totem needs access to ~/.cache/tracker or it exits
@@ -43,3 +48,6 @@ private-dev
 # private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,machine-id,pki,pulse,ssl
 private-tmp
+# makes settings immutable
+# dbus-user none
+# dbus-system none
diff --git a/etc/tracker.profile b/etc/profile-m-z/tracker.profile
index d47185b1d..87c5de076 100644
--- a/etc/tracker.profile
+++ b/etc/profile-m-z/tracker.profile
@@ -16,6 +16,9 @@ include disable-devel.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
+include whitelist-runuser-common.inc
 caps.drop all
 netfilter
diff --git a/etc/transgui.profile b/etc/profile-m-z/transgui.profile
index 567e2ab30..c31055cdc 100644
--- a/etc/transgui.profile
+++ b/etc/profile-m-z/transgui.profile
@@ -14,6 +14,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.config/transgui
@@ -28,7 +29,6 @@ caps.drop all
 ipc-namespace
 machine-id
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -49,4 +49,7 @@ private-etc alternatives,fonts
 private-lib libgdk_pixbuf-2.0.so.*,libGeoIP.so*,libgthread-2.0.so.*,libgtk-x11-2.0.so.*,libX11.so.*
 private-tmp
+dbus-user none
+dbus-system none
 memory-deny-write-execute
diff --git a/etc/transmission-cli.profile b/etc/profile-m-z/transmission-cli.profile
index 486be5fe6..486be5fe6 100644
--- a/etc/transmission-cli.profile
+++ b/etc/profile-m-z/transmission-cli.profile
diff --git a/etc/transmission-common.profile b/etc/profile-m-z/transmission-common.profile
index b9f49c4a4..9d2e8e990 100644
--- a/etc/transmission-common.profile
+++ b/etc/profile-m-z/transmission-common.profile
@@ -30,7 +30,6 @@ apparmor
 caps.drop all
 machine-id
 netfilter
-nodbus
 nodvd
 nonewprivs
 noroot
@@ -48,4 +47,7 @@ private-dev
 private-lib
 private-tmp
+dbus-user none
+dbus-system none
 memory-deny-write-execute
diff --git a/etc/transmission-create.profile b/etc/profile-m-z/transmission-create.profile
index 8220b7887..8220b7887 100644
--- a/etc/transmission-create.profile
+++ b/etc/profile-m-z/transmission-create.profile
diff --git a/etc/transmission-daemon.profile b/etc/profile-m-z/transmission-daemon.profile
index 1841b8ed0..363c685e0 100644
--- a/etc/transmission-daemon.profile
+++ b/etc/profile-m-z/transmission-daemon.profile
@@ -7,6 +7,8 @@ include transmission-daemon.local
 # Persistent global definitions
 include globals.local
+ignore caps.drop all
 mkdir ${HOME}/.config/transmission-daemon
 whitelist ${HOME}/.config/transmission-daemon
 whitelist /var/lib/transmission
diff --git a/etc/transmission-edit.profile b/etc/profile-m-z/transmission-edit.profile
index df381b5cd..df381b5cd 100644
--- a/etc/transmission-edit.profile
+++ b/etc/profile-m-z/transmission-edit.profile
diff --git a/etc/transmission-gtk.profile b/etc/profile-m-z/transmission-gtk.profile
index 01bdeb4ef..03111ec56 100644
--- a/etc/transmission-gtk.profile
+++ b/etc/profile-m-z/transmission-gtk.profile
@@ -7,7 +7,10 @@ include transmission-gtk.local
 # Persistent global definitions
 include globals.local
+include whitelist-runuser-common.inc
 private-bin transmission-gtk
+private-cache
 ignore memory-deny-write-execute
diff --git a/etc/transmission-qt.profile b/etc/profile-m-z/transmission-qt.profile
index 94f3c3a20..94f3c3a20 100644
--- a/etc/transmission-qt.profile
+++ b/etc/profile-m-z/transmission-qt.profile
diff --git a/etc/transmission-remote-cli.profile b/etc/profile-m-z/transmission-remote-cli.profile
index 8b3a966c1..7b9285e66 100644
--- a/etc/transmission-remote-cli.profile
+++ b/etc/profile-m-z/transmission-remote-cli.profile
@@ -8,8 +8,8 @@ include transmission-remote-cli.local
 include globals.local
 # Allow python (blacklisted by disable-interpreters.inc)
-include allow-python2.inc
+include allow-python2.inc
-include allow-python3.inc
+include allow-python3.inc
 private-bin python*,transmission-remote-cli
diff --git a/etc/transmission-remote-gtk.profile b/etc/profile-m-z/transmission-remote-gtk.profile
index a6400e2c0..a6400e2c0 100644
--- a/etc/transmission-remote-gtk.profile
+++ b/etc/profile-m-z/transmission-remote-gtk.profile
diff --git a/etc/transmission-remote.profile b/etc/profile-m-z/transmission-remote.profile
index fee4999e6..fee4999e6 100644
--- a/etc/transmission-remote.profile
+++ b/etc/profile-m-z/transmission-remote.profile
diff --git a/etc/transmission-show.profile b/etc/profile-m-z/transmission-show.profile
index 5a3c83f58..5a3c83f58 100644
--- a/etc/transmission-show.profile
+++ b/etc/profile-m-z/transmission-show.profile
diff --git a/etc/tremulous.profile b/etc/profile-m-z/tremulous.profile
index e148298ae..67463a999 100644
--- a/etc/tremulous.profile
+++ b/etc/profile-m-z/tremulous.profile
@@ -14,17 +14,20 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.tremulous
 whitelist ${HOME}/.tremulous
+whitelist /usr/share/tremulous
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 caps.drop all
 ipc-namespace
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -42,3 +45,6 @@ private-bin tremded,tremulous,tremulous-wrapper
 private-cache
 private-dev
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/truecraft.profile b/etc/profile-m-z/truecraft.profile
index e76d52219..e76d52219 100644
--- a/etc/truecraft.profile
+++ b/etc/profile-m-z/truecraft.profile
diff --git a/etc/profile-m-z/ts3client_runscript.sh.profile b/etc/profile-m-z/ts3client_runscript.sh.profile
new file mode 100644
index 000000000..8d4675454
--- /dev/null
+++ b/etc/profile-m-z/ts3client_runscript.sh.profile
@@ -0,0 +1,19 @@
+# Firejail profile alias for teamspeak3
+# Description: TeamSpeak is software for quality voice communication via the Internet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ts3client_runscript.sh.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+ignore noexec ${HOME}
+noblacklist ${HOME}/TeamSpeak3-Client-linux_x86
+noblacklist ${HOME}/TeamSpeak3-Client-linux_amd64
+whitelist ${HOME}/TeamSpeak3-Client-linux_x86
+whitelist ${HOME}/TeamSpeak3-Client-linux_amd64
+# Redirect
+include teamspeak3.profile
diff --git a/etc/tshark.profile b/etc/profile-m-z/tshark.profile
index 22ced5d8a..684a9491d 100644
--- a/etc/tshark.profile
+++ b/etc/profile-m-z/tshark.profile
@@ -16,9 +16,11 @@ include disable-xdg.inc
 whitelist /usr/share/wireshark
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
+apparmor
 #caps.keep net_raw
 caps.keep dac_override,net_admin,net_raw
 ipc-namespace
diff --git a/etc/tuxguitar.profile b/etc/profile-m-z/tuxguitar.profile
index ae868a022..d2b13d9ee 100644
--- a/etc/tuxguitar.profile
+++ b/etc/profile-m-z/tuxguitar.profile
@@ -15,6 +15,7 @@ include allow-java.inc
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -22,6 +23,7 @@ include disable-xdg.inc
 include whitelist-var-common.inc
+apparmor
 caps.drop all
 netfilter
 no3d
diff --git a/etc/tvbrowser.profile b/etc/profile-m-z/tvbrowser.profile
index 6e028b086..d3dcbfe53 100644
--- a/etc/tvbrowser.profile
+++ b/etc/profile-m-z/tvbrowser.profile
@@ -32,7 +32,6 @@ include whitelist-var-common.inc
 caps.drop all
 netfilter
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -49,3 +48,6 @@ disable-mnt
 private-cache
 private-dev
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/udiskie.profile b/etc/profile-m-z/udiskie.profile
index 265f6429d..265f6429d 100644
--- a/etc/udiskie.profile
+++ b/etc/profile-m-z/udiskie.profile
diff --git a/etc/uefitool.profile b/etc/profile-m-z/uefitool.profile
index 8ab0e9a26..8807b0b2c 100644
--- a/etc/uefitool.profile
+++ b/etc/profile-m-z/uefitool.profile
@@ -19,7 +19,6 @@ caps.drop all
 ipc-namespace
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -36,3 +35,5 @@ private-cache
 private-dev
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/uget-gtk.profile b/etc/profile-m-z/uget-gtk.profile
index 8a2e83a1a..c8f28444f 100644
--- a/etc/uget-gtk.profile
+++ b/etc/profile-m-z/uget-gtk.profile
@@ -11,6 +11,7 @@ include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
 include disable-programs.inc
+include disable-shell.inc
 mkdir ${HOME}/.config/uGet
 whitelist ${DOWNLOADS}
diff --git a/etc/unbound.profile b/etc/profile-m-z/unbound.profile
index 36533a762..714a3f2f4 100644
--- a/etc/unbound.profile
+++ b/etc/profile-m-z/unbound.profile
@@ -30,7 +30,6 @@ ipc-namespace
 machine-id
 netfilter
 no3d
-nodbus
 nodvd
 nonewprivs
 nosound
@@ -46,5 +45,8 @@ private-dev
 private-tmp
 writable-var
+dbus-user none
+dbus-system none
 # mdwe can break modules/plugins
 memory-deny-write-execute
diff --git a/etc/uncompress.profile b/etc/profile-m-z/uncompress.profile
index f659d8e87..f659d8e87 100644
--- a/etc/uncompress.profile
+++ b/etc/profile-m-z/uncompress.profile
diff --git a/etc/unf.profile b/etc/profile-m-z/unf.profile
index b8eccf4dc..bcd256ba3 100644
--- a/etc/unf.profile
+++ b/etc/profile-m-z/unf.profile
@@ -15,6 +15,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 whitelist ${DOWNLOADS}
@@ -29,7 +30,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -53,4 +53,7 @@ private-etc alternatives
 private-lib gcc/*/*/libgcc_s.so.*
 private-tmp
+dbus-user none
+dbus-system none
 memory-deny-write-execute
diff --git a/etc/unknown-horizons.profile b/etc/profile-m-z/unknown-horizons.profile
index 7223ea2e1..7dc13e284 100644
--- a/etc/unknown-horizons.profile
+++ b/etc/profile-m-z/unknown-horizons.profile
@@ -9,13 +9,19 @@ include globals.local
 noblacklist ${HOME}/.unknown-horizons
 include disable-common.inc
+include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 mkdir ${HOME}/.unknown-horizons
 whitelist ${HOME}/.unknown-horizons
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+whitelist /usr/share/unknown-horizons
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
 caps.drop all
 nodvd
 nogroups
@@ -28,7 +34,11 @@ protocol unix,inet,inet6,netlink
 seccomp
 shell none
+disable-mnt
 # private-bin unknown-horizons
 private-dev
 # private-etc alternatives,ca-certificates,crypto-policies,pki,ssl
 private-tmp
+# doesn't work - maybe all Tcl/Tk programs have this problem
+# memory-deny-write-execute
diff --git a/etc/unlzma.profile b/etc/profile-m-z/unlzma.profile
index f7410b928..d9c72407f 100644
--- a/etc/unlzma.profile
+++ b/etc/profile-m-z/unlzma.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 # Redirect
 include cpio.profile
diff --git a/etc/unrar.profile b/etc/profile-m-z/unrar.profile
index bf28746b0..e07a6fc93 100644
--- a/etc/unrar.profile
+++ b/etc/profile-m-z/unrar.profile
@@ -15,6 +15,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 caps.drop all
 hostname unrar
@@ -22,7 +23,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nodvd
 #nogroups
 nonewprivs
@@ -41,3 +41,6 @@ private-bin unrar
 private-dev
 private-etc alternatives,group,localtime,passwd
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/unxz.profile b/etc/profile-m-z/unxz.profile
index f7410b928..d9c72407f 100644
--- a/etc/unxz.profile
+++ b/etc/profile-m-z/unxz.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 # Redirect
 include cpio.profile
diff --git a/etc/unzip.profile b/etc/profile-m-z/unzip.profile
index 7882f2b63..e08511c12 100644
--- a/etc/unzip.profile
+++ b/etc/profile-m-z/unzip.profile
@@ -18,6 +18,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 caps.drop all
 hostname unzip
@@ -25,7 +26,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nodvd
 #nogroups
 nonewprivs
@@ -43,3 +43,6 @@ x11 none
 private-bin unzip
 private-dev
 private-etc alternatives,group,localtime,passwd
+dbus-user none
+dbus-system none
diff --git a/etc/unzstd.profile b/etc/profile-m-z/unzstd.profile
index ce9af3286..ce9af3286 100644
--- a/etc/unzstd.profile
+++ b/etc/profile-m-z/unzstd.profile
diff --git a/etc/utox.profile b/etc/profile-m-z/utox.profile
index 9877ea889..cd4374004 100644
--- a/etc/utox.profile
+++ b/etc/profile-m-z/utox.profile
@@ -15,6 +15,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.config/tox
diff --git a/etc/uudeview.profile b/etc/profile-m-z/uudeview.profile
index bd2ee01d5..f60c134e0 100644
--- a/etc/uudeview.profile
+++ b/etc/profile-m-z/uudeview.profile
@@ -15,6 +15,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include whitelist-usr-share-common.inc
@@ -23,7 +24,6 @@ hostname uudeview
 ipc-namespace
 machine-id
 net none
-nodbus
 nodvd
 #nogroups
 nonewprivs
@@ -42,3 +42,6 @@ private-bin uudeview
 private-cache
 private-dev
 private-etc alternatives,ld.so.preload
+dbus-user none
+dbus-system none
diff --git a/etc/uzbl-browser.profile b/etc/profile-m-z/uzbl-browser.profile
index d4e54235b..41487a8f2 100644
--- a/etc/uzbl-browser.profile
+++ b/etc/profile-m-z/uzbl-browser.profile
@@ -10,8 +10,8 @@ noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.local/share/uzbl
 # Allow python (blacklisted by disable-interpreters.inc)
-include allow-python2.inc
+include allow-python2.inc
-include allow-python3.inc
+include allow-python3.inc
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/viewnior.profile b/etc/profile-m-z/viewnior.profile
index 9f57b2971..83727d42b 100644
--- a/etc/viewnior.profile
+++ b/etc/profile-m-z/viewnior.profile
@@ -18,6 +18,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -26,7 +27,6 @@ apparmor
 caps.drop all
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -46,4 +46,7 @@ private-dev
 private-etc alternatives,fonts,machine-id
 private-tmp
+dbus-user none
+dbus-system none
 #memory-deny-write-execute - breaks on Arch (see issues #1803 and #1808)
diff --git a/etc/viking.profile b/etc/profile-m-z/viking.profile
index 5b6228a94..5b6228a94 100644
--- a/etc/viking.profile
+++ b/etc/profile-m-z/viking.profile
diff --git a/etc/vim.profile b/etc/profile-m-z/vim.profile
index d27a9a633..e9a474239 100644
--- a/etc/vim.profile
+++ b/etc/profile-m-z/vim.profile
@@ -17,6 +17,8 @@ include disable-common.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include whitelist-runuser-common.inc
 caps.drop all
 netfilter
 nodvd
diff --git a/etc/vimcat.profile b/etc/profile-m-z/vimcat.profile
index 73b76b5ab..73b76b5ab 100644
--- a/etc/vimcat.profile
+++ b/etc/profile-m-z/vimcat.profile
diff --git a/etc/vimdiff.profile b/etc/profile-m-z/vimdiff.profile
index f09faf1d6..f09faf1d6 100644
--- a/etc/vimdiff.profile
+++ b/etc/profile-m-z/vimdiff.profile
diff --git a/etc/vimpager.profile b/etc/profile-m-z/vimpager.profile
index af7703752..af7703752 100644
--- a/etc/vimpager.profile
+++ b/etc/profile-m-z/vimpager.profile
diff --git a/etc/vimtutor.profile b/etc/profile-m-z/vimtutor.profile
index b9584cc49..b9584cc49 100644
--- a/etc/vimtutor.profile
+++ b/etc/profile-m-z/vimtutor.profile
diff --git a/etc/virtualbox.profile b/etc/profile-m-z/virtualbox.profile
index c0dbc9116..12bef5d1f 100644
--- a/etc/virtualbox.profile
+++ b/etc/profile-m-z/virtualbox.profile
@@ -14,9 +14,12 @@ noblacklist /usr/lib/virtualbox
 noblacklist /usr/lib64/virtualbox
 include disable-common.inc
+include disable-devel.inc
 include disable-exec.inc
+include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 mkdir ${HOME}/.config/VirtualBox
 mkdir ${HOME}/VirtualBox VMs
@@ -24,9 +27,23 @@ whitelist ${HOME}/.config/VirtualBox
 whitelist ${HOME}/VirtualBox VMs
 whitelist ${DOWNLOADS}
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
-caps.keep net_raw,sys_admin,sys_nice
+# For host-only network sys_admin is needed. See https://github.com/netblue30/firejail/issues/2868#issuecomment-518647630
+caps.keep net_raw,sys_nice
 netfilter
 nodvd
+#nogroups
 notv
+shell none
+tracelog
+#disable-mnt
+private-cache
+private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,hostname,hosts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl
+dbus-user none
+dbus-system none
diff --git a/etc/vivaldi-beta.profile b/etc/profile-m-z/vivaldi-beta.profile
index 5de5682a3..5de5682a3 100644
--- a/etc/vivaldi-beta.profile
+++ b/etc/profile-m-z/vivaldi-beta.profile
diff --git a/etc/vivaldi-snapshot.profile b/etc/profile-m-z/vivaldi-snapshot.profile
index ea4a4009f..ea4a4009f 100644
--- a/etc/vivaldi-snapshot.profile
+++ b/etc/profile-m-z/vivaldi-snapshot.profile
diff --git a/etc/vivaldi-stable.profile b/etc/profile-m-z/vivaldi-stable.profile
index 5de5682a3..5de5682a3 100644
--- a/etc/vivaldi-stable.profile
+++ b/etc/profile-m-z/vivaldi-stable.profile
diff --git a/etc/vivaldi.profile b/etc/profile-m-z/vivaldi.profile
index 2185b90ec..096ce8a72 100644
--- a/etc/vivaldi.profile
+++ b/etc/profile-m-z/vivaldi.profile
@@ -23,8 +23,9 @@ whitelist ${HOME}/.cache/vivaldi
 whitelist ${HOME}/.config/vivaldi
 whitelist ${HOME}/.local/lib/vivaldi
-# nodbus breaks vivaldi sync
+# breaks vivaldi sync
-ignore nodbus
+ignore dbus-user none
+ignore dbus-system none
 # Redirect
 include chromium-common.profile
diff --git a/etc/vlc.profile b/etc/profile-m-z/vlc.profile
index 572758f28..0069ebeae 100644
--- a/etc/vlc.profile
+++ b/etc/profile-m-z/vlc.profile
@@ -25,7 +25,6 @@ include whitelist-var-common.inc
 #apparmor - on Ubuntu 18.04 it refuses to start without dbus access
 caps.drop all
 netfilter
-#nodbus - dbus needed for MPRIS
 nogroups
 nonewprivs
 noroot
@@ -38,5 +37,9 @@ private-bin cvlc,nvlc,qvlc,rvlc,svlc,vlc
 private-dev
 private-tmp
+# dbus needed for MPRIS
+# dbus-user none
+# dbus-system none
 # mdwe is disabled due to breaking hardware accelerated decoding
 #memory-deny-write-execute
diff --git a/etc/profile-m-z/vmware.profile b/etc/profile-m-z/vmware.profile
new file mode 100644
index 000000000..720b69773
--- /dev/null
+++ b/etc/profile-m-z/vmware.profile
@@ -0,0 +1,39 @@
+# Firejail profile for vmware
+# Description: The industry standard for running multiple operating systems as virtual machines on a single Linux PC.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include vmware.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.cache/vmware
+noblacklist ${HOME}/.vmware
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.cache/vmware
+mkdir ${HOME}/.vmware
+whitelist ${HOME}/.cache/vmware
+whitelist ${HOME}/.vmware
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+caps.keep chown,net_raw,sys_nice,sys_rawio
+netfilter
+nogroups
+notv
+shell none
+tracelog
+#disable-mnt
+private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl,vmware,vmware-installer,vmware-vix
+dbus-user none
+dbus-system none
diff --git a/etc/vscodium.profile b/etc/profile-m-z/vscodium.profile
index b4728fb72..b4728fb72 100644
--- a/etc/vscodium.profile
+++ b/etc/profile-m-z/vscodium.profile
diff --git a/etc/vulturesclaw.profile b/etc/profile-m-z/vulturesclaw.profile
index 2e9078a7b..2e9078a7b 100644
--- a/etc/vulturesclaw.profile
+++ b/etc/profile-m-z/vulturesclaw.profile
diff --git a/etc/vultureseye.profile b/etc/profile-m-z/vultureseye.profile
index 44c263cfc..44c263cfc 100644
--- a/etc/vultureseye.profile
+++ b/etc/profile-m-z/vultureseye.profile
diff --git a/etc/vym.profile b/etc/profile-m-z/vym.profile
index fbb53943c..fbb53943c 100644
--- a/etc/vym.profile
+++ b/etc/profile-m-z/vym.profile
diff --git a/etc/w3m.profile b/etc/profile-m-z/w3m.profile
index 97465baa1..bd33edd6a 100644
--- a/etc/w3m.profile
+++ b/etc/profile-m-z/w3m.profile
@@ -1,6 +1,7 @@
 # Firejail profile for w3m
 # Description: WWW browsable pager with excellent tables/frames support
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include w3m.local
 # Persistent global definitions
@@ -20,6 +21,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
+include whitelist-runuser-common.inc
 caps.drop all
 netfilter
 no3d
diff --git a/etc/profile-m-z/warmux.profile b/etc/profile-m-z/warmux.profile
new file mode 100644
index 000000000..aaef652fd
--- /dev/null
+++ b/etc/profile-m-z/warmux.profile
@@ -0,0 +1,56 @@
+# Firejail profile for warmux
+# Description: a convivial mass murder game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include warmux.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/wormux
+noblacklist ${HOME}/.local/share/wormux
+noblacklist ${HOME}/.wormux
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+mkdir ${HOME}/.config/wormux
+mkdir ${HOME}/.local/share/wormux
+mkdir ${HOME}/.wormux
+whitelist ${HOME}/.config/wormux
+whitelist ${HOME}/.local/share/wormux
+whitelist ${HOME}/.wormux
+whitelist /usr/share/warmux
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin warmux
+private-cache
+private-dev
+private-etc ca-certificates,crypto-policies,host.conf,hostname,hosts,machine-id,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/warsow.profile b/etc/profile-m-z/warsow.profile
index e884ab07a..d8cd5557e 100644
--- a/etc/warsow.profile
+++ b/etc/profile-m-z/warsow.profile
@@ -17,6 +17,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.cache/warsow-2.1
@@ -29,7 +30,6 @@ include whitelist-var-common.inc
 caps.drop all
 ipc-namespace
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -47,3 +47,6 @@ private-bin warsow
 private-cache
 private-dev
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/warzone2100.profile b/etc/profile-m-z/warzone2100.profile
index e65e0a0c3..369c9cc1d 100644
--- a/etc/warzone2100.profile
+++ b/etc/profile-m-z/warzone2100.profile
@@ -14,14 +14,19 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 # mkdir ${HOME}/.warzone2100-3.1
 # mkdir ${HOME}/.warzone2100-3.2
 whitelist ${HOME}/.warzone2100-3.1
 whitelist ${HOME}/.warzone2100-3.2
+whitelist /usr/share/games
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
+apparmor
 caps.drop all
 netfilter
 nodvd
diff --git a/etc/waterfox-classic.profile b/etc/profile-m-z/waterfox-classic.profile
index 6c7e18a46..6c7e18a46 100644
--- a/etc/waterfox-classic.profile
+++ b/etc/profile-m-z/waterfox-classic.profile
diff --git a/etc/waterfox-current.profile b/etc/profile-m-z/waterfox-current.profile
index 5e12a6fe3..5e12a6fe3 100644
--- a/etc/waterfox-current.profile
+++ b/etc/profile-m-z/waterfox-current.profile
diff --git a/etc/waterfox.profile b/etc/profile-m-z/waterfox.profile
index c6c940fa3..c6c940fa3 100644
--- a/etc/waterfox.profile
+++ b/etc/profile-m-z/waterfox.profile
diff --git a/etc/webstorm.profile b/etc/profile-m-z/webstorm.profile
index fc4e8e571..fc4e8e571 100644
--- a/etc/webstorm.profile
+++ b/etc/profile-m-z/webstorm.profile
diff --git a/etc/webui-aria2.profile b/etc/profile-m-z/webui-aria2.profile
index 0cd1e05ab..8928f8116 100644
--- a/etc/webui-aria2.profile
+++ b/etc/profile-m-z/webui-aria2.profile
@@ -18,7 +18,6 @@ include disable-xdg.inc
 caps.drop all
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -35,3 +34,5 @@ private-cache
 private-dev
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/weechat-curses.profile b/etc/profile-m-z/weechat-curses.profile
index 4719b9788..4719b9788 100644
--- a/etc/weechat-curses.profile
+++ b/etc/profile-m-z/weechat-curses.profile
diff --git a/etc/weechat.profile b/etc/profile-m-z/weechat.profile
index 800724054..800724054 100644
--- a/etc/weechat.profile
+++ b/etc/profile-m-z/weechat.profile
diff --git a/etc/wesnoth.profile b/etc/profile-m-z/wesnoth.profile
index 934edfce9..934edfce9 100644
--- a/etc/wesnoth.profile
+++ b/etc/profile-m-z/wesnoth.profile
diff --git a/etc/wget.profile b/etc/profile-m-z/wget.profile
index 401926e2d..cdb8f0b93 100644
--- a/etc/wget.profile
+++ b/etc/profile-m-z/wget.profile
@@ -13,6 +13,7 @@ noblacklist ${HOME}/.wgetrc
 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 include disable-common.inc
 include disable-devel.inc
@@ -20,16 +21,17 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 # depending on workflow you can uncomment the below or put 'include disable-xdg.inc' in your wget.local
 #include disable-xdg.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
+apparmor
 caps.drop all
 ipc-namespace
 machine-id
-nodbus
 netfilter
 no3d
 nodvd
@@ -52,4 +54,7 @@ private-dev
 #private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl,wgetrc
 #private-tmp
+dbus-user none
+dbus-system none
 memory-deny-write-execute
diff --git a/etc/whalebird.profile b/etc/profile-m-z/whalebird.profile
index 2e24dd8e0..187c49ed8 100644
--- a/etc/whalebird.profile
+++ b/etc/profile-m-z/whalebird.profile
@@ -7,7 +7,8 @@ include whalebird.local
 # added by included profile
 #include globals.local
-ignore nodbus
+ignore dbus-user none
+ignore dbus-system none
 noblacklist ${HOME}/.config/Whalebird
diff --git a/etc/whois.profile b/etc/profile-m-z/whois.profile
index 0e60e18ab..2af1379e0 100644
--- a/etc/whois.profile
+++ b/etc/profile-m-z/whois.profile
@@ -9,6 +9,7 @@ include globals.local
 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 include disable-common.inc
 include disable-devel.inc
@@ -21,13 +22,13 @@ include disable-xdg.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
+apparmor
 caps.drop all
 hostname whois
 ipc-namespace
 machine-id
 netfilter
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -50,4 +51,7 @@ private-etc alternatives,hosts,jwhois.conf,resolv.conf,services,whois.conf
 private-lib gconv
 private-tmp
+dbus-user none
+dbus-system none
 memory-deny-write-execute
diff --git a/etc/widelands.profile b/etc/profile-m-z/widelands.profile
index c6b5f27da..f18878554 100644
--- a/etc/widelands.profile
+++ b/etc/profile-m-z/widelands.profile
@@ -14,6 +14,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.widelands
@@ -21,10 +22,10 @@ whitelist ${HOME}/.widelands
 include whitelist-common.inc
 include whitelist-var-common.inc
+apparmor
 caps.drop all
 ipc-namespace
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -42,3 +43,6 @@ private-bin widelands
 private-cache
 private-dev
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/wine.profile b/etc/profile-m-z/wine.profile
index 901340052..901340052 100644
--- a/etc/wine.profile
+++ b/etc/profile-m-z/wine.profile
diff --git a/etc/wire-desktop.profile b/etc/profile-m-z/wire-desktop.profile
index 3c783322b..8f6014dc3 100644
--- a/etc/wire-desktop.profile
+++ b/etc/profile-m-z/wire-desktop.profile
@@ -9,8 +9,8 @@ include wire-desktop.local
 # Debian/Ubuntu use /opt/Wire. As that is not in PATH by default, run `firejail /opt/Wire/wire-desktop` to start it.
-ignore caps.drop all
+ignore dbus-user none
-ignore nodbus
+ignore dbus-system none
 noblacklist ${HOME}/.config/Wire
@@ -21,12 +21,13 @@ mkdir ${HOME}/.config/Wire
 whitelist ${HOME}/.config/Wire
 include whitelist-common.inc
-caps.keep sys_admin,sys_chroot
 nou2f
+ignore seccomp
+seccomp !chroot
 shell none
 disable-mnt
-private-bin bash,electron,electron4,env,sh,wire-desktop
+private-bin bash,electron,electron4,electron6,env,sh,wire-desktop
 private-dev
 private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,resolv.conf,ssl
 private-tmp
diff --git a/etc/wireshark-gtk.profile b/etc/profile-m-z/wireshark-gtk.profile
index 3e2e1807e..3e2e1807e 100644
--- a/etc/wireshark-gtk.profile
+++ b/etc/profile-m-z/wireshark-gtk.profile
diff --git a/etc/wireshark-qt.profile b/etc/profile-m-z/wireshark-qt.profile
index 3e2e1807e..3e2e1807e 100644
--- a/etc/wireshark-qt.profile
+++ b/etc/profile-m-z/wireshark-qt.profile
diff --git a/etc/wireshark.profile b/etc/profile-m-z/wireshark.profile
index d73e2e279..a30cb43d5 100644
--- a/etc/wireshark.profile
+++ b/etc/profile-m-z/wireshark.profile
@@ -47,4 +47,3 @@ tracelog
 private-dev
 # private-etc alternatives,ca-certificates,crypto-policies,fonts,group,hosts,machine-id,passwd,pki,ssl
 private-tmp
diff --git a/etc/profile-m-z/wordwarvi.profile b/etc/profile-m-z/wordwarvi.profile
new file mode 100644
index 000000000..da1210bb8
--- /dev/null
+++ b/etc/profile-m-z/wordwarvi.profile
@@ -0,0 +1,52 @@
+# Firejail profile for wordwarvi
+# Description: Old school '80's style side scrolling space shoot'em up game.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include wordwarvi.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.wordwarvi
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+mkdir ${HOME}/.wordwarvi
+whitelist ${HOME}/.wordwarvi
+whitelist /usr/share/wordwarvi
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+disable-mnt
+private
+private-bin wordwarvi
+private-cache
+private-dev
+private-etc alsa,asound.conf,machine-id,pulse
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/wpp.profile b/etc/profile-m-z/wpp.profile
index a219397a9..a219397a9 100644
--- a/etc/wpp.profile
+++ b/etc/profile-m-z/wpp.profile
diff --git a/etc/wps.profile b/etc/profile-m-z/wps.profile
index 47bba2dda..6e4a313e3 100644
--- a/etc/wps.profile
+++ b/etc/profile-m-z/wps.profile
@@ -27,7 +27,6 @@ machine-id
 #net none
 netfilter
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -45,3 +44,6 @@ tracelog
 private-cache
 private-dev
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/wpspdf.profile b/etc/profile-m-z/wpspdf.profile
index 82080acbc..82080acbc 100644
--- a/etc/wpspdf.profile
+++ b/etc/profile-m-z/wpspdf.profile
diff --git a/etc/x-terminal-emulator.profile b/etc/profile-m-z/x-terminal-emulator.profile
index e21b74030..fe0781336 100644
--- a/etc/x-terminal-emulator.profile
+++ b/etc/profile-m-z/x-terminal-emulator.profile
@@ -8,8 +8,6 @@ include globals.local
 caps.drop all
 ipc-namespace
 net none
-netfilter
-nodbus
 nogroups
 noroot
 nou2f
@@ -18,4 +16,7 @@ seccomp
 private-dev
+dbus-user none
+dbus-system none
 noexec /tmp
diff --git a/etc/profile-m-z/x2goclient.profile b/etc/profile-m-z/x2goclient.profile
new file mode 100644
index 000000000..bc9603835
--- /dev/null
+++ b/etc/profile-m-z/x2goclient.profile
@@ -0,0 +1,49 @@
+# Firejail profile for x2goclient
+# Description: Graphical client for X2Go remote desktop system
+# This file is overwritten after every install/update
+# Persistent local customizations
+include x2goclient.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.ssh
+noblacklist ${HOME}/.x2go
+noblacklist ${HOME}/.x2goclient
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+#no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+#private-bin nxproxy,x2goclient
+private-cache
+private-dev
+#private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,machine-id,pki,pulse,resolv.conf,ssl,X11,xdg
+#private-lib
+private-opt none
+private-srv none
+private-tmp
+dbus-user none
+dbus-system none
+#memory-deny-write-execute
diff --git a/etc/profile-m-z/xbill.profile b/etc/profile-m-z/xbill.profile
new file mode 100644
index 000000000..cdfebfb29
--- /dev/null
+++ b/etc/profile-m-z/xbill.profile
@@ -0,0 +1,54 @@
+# Firejail profile for xbill
+# Description: save your computers from Wingdows [TM] virus
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xbill.local
+# Persistent global definitions
+include globals.local
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+whitelist /usr/share/xbill
+whitelist /var/games/xbill/scores
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+disable-mnt
+private
+private-bin xbill
+private-cache
+private-dev
+private-etc none
+private-tmp
+dbus-user none
+dbus-system none
+memory-deny-write-execute
+read-only ${HOME}
diff --git a/etc/xcalc.profile b/etc/profile-m-z/xcalc.profile
index 0ad423d30..56ce01498 100644
--- a/etc/xcalc.profile
+++ b/etc/profile-m-z/xcalc.profile
@@ -11,15 +11,15 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 include whitelist-var-common.inc
+apparmor
 caps.drop all
 net none
-netfilter
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -39,3 +39,5 @@ private-dev
 private-lib
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/xchat.profile b/etc/profile-m-z/xchat.profile
index a94444aab..a94444aab 100644
--- a/etc/xchat.profile
+++ b/etc/profile-m-z/xchat.profile
diff --git a/etc/xed.profile b/etc/profile-m-z/xed.profile
index a67230e51..b114f9ab5 100644
--- a/etc/xed.profile
+++ b/etc/profile-m-z/xed.profile
@@ -11,8 +11,8 @@ noblacklist ${HOME}/.python_history
 noblacklist ${HOME}/.pythonhist
 # Allow python (blacklisted by disable-interpreters.inc)
-include allow-python2.inc
+include allow-python2.inc
-include allow-python3.inc
+include allow-python3.inc
 include disable-common.inc
 include disable-devel.inc
@@ -20,6 +20,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include whitelist-var-common.inc
@@ -28,7 +29,6 @@ caps.drop all
 machine-id
 # net none - makes settings immutable
 no3d
-# nodbus - makes settings immutable
 nodvd
 nogroups
 nonewprivs
@@ -46,5 +46,9 @@ private-bin xed
 private-dev
 private-tmp
+# makes settings immutable
+# dbus-user none
+# dbus-system none
 # xed uses python plugins, memory-deny-write-execute breaks python
 # memory-deny-write-execute
diff --git a/etc/xfburn.profile b/etc/profile-m-z/xfburn.profile
index cd9561e74..cd9561e74 100644
--- a/etc/xfburn.profile
+++ b/etc/profile-m-z/xfburn.profile
diff --git a/etc/xfce4-dict.profile b/etc/profile-m-z/xfce4-dict.profile
index bc499bd30..a3e0c4633 100644
--- a/etc/xfce4-dict.profile
+++ b/etc/profile-m-z/xfce4-dict.profile
@@ -15,6 +15,9 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include whitelist-var-common.inc
+apparmor
 caps.drop all
 netfilter
 no3d
diff --git a/etc/xfce4-mixer.profile b/etc/profile-m-z/xfce4-mixer.profile
index 6ef85f318..6ff4a1103 100644
--- a/etc/xfce4-mixer.profile
+++ b/etc/profile-m-z/xfce4-mixer.profile
@@ -14,6 +14,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 mkfile ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml
@@ -29,7 +30,6 @@ caps.drop all
 ipc-namespace
 netfilter
 no3d
-# nodbus
 nodvd
 nogroups
 nonewprivs
@@ -48,4 +48,7 @@ private-dev
 private-etc alternatives,asound.conf,fonts,machine-id,pulse
 private-tmp
+# dbus-user none
+# dbus-system none
 memory-deny-write-execute
diff --git a/etc/xfce4-notes.profile b/etc/profile-m-z/xfce4-notes.profile
index 4dad1bf7a..c3d0930ff 100644
--- a/etc/xfce4-notes.profile
+++ b/etc/profile-m-z/xfce4-notes.profile
@@ -17,6 +17,9 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include whitelist-var-common.inc
+apparmor
 caps.drop all
 netfilter
 no3d
diff --git a/etc/profile-m-z/xfce4-screenshooter.profile b/etc/profile-m-z/xfce4-screenshooter.profile
new file mode 100644
index 000000000..b760b44dd
--- /dev/null
+++ b/etc/profile-m-z/xfce4-screenshooter.profile
@@ -0,0 +1,51 @@
+# Firejail profile for xfce4-screenshooter
+# Description: Xfce screenshot tool
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xfce4-screenshooter.local
+# Persistent global definitions
+include globals.local
+noblacklist ${PICTURES}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+whitelist /usr/share/xfce4
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin xfce4-screenshooter,xfconf-query
+private-dev
+private-etc ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,pki,resolv.conf,ssl
+private-tmp
+dbus-user none
+dbus-system none
+memory-deny-write-execute
diff --git a/etc/xiphos.profile b/etc/profile-m-z/xiphos.profile
index 7114f0469..188589df3 100644
--- a/etc/xiphos.profile
+++ b/etc/profile-m-z/xiphos.profile
@@ -17,6 +17,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 mkdir ${HOME}/.sword
 mkdir ${HOME}/.xiphos
diff --git a/etc/xlinks.profile b/etc/profile-m-z/xlinks.profile
index 7987af280..7987af280 100644
--- a/etc/xlinks.profile
+++ b/etc/profile-m-z/xlinks.profile
diff --git a/etc/xmms.profile b/etc/profile-m-z/xmms.profile
index 7a11e1244..9391f68de 100644
--- a/etc/xmms.profile
+++ b/etc/profile-m-z/xmms.profile
@@ -13,6 +13,7 @@ include disable-devel.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 caps.drop all
diff --git a/etc/xmr-stak.profile b/etc/profile-m-z/xmr-stak.profile
index c6ba9bd9d..3278e295d 100644
--- a/etc/xmr-stak.profile
+++ b/etc/profile-m-z/xmr-stak.profile
@@ -13,6 +13,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.xmr-stak
diff --git a/etc/xonotic-glx.profile b/etc/profile-m-z/xonotic-glx.profile
index abb91e1ec..abb91e1ec 100644
--- a/etc/xonotic-glx.profile
+++ b/etc/profile-m-z/xonotic-glx.profile
diff --git a/etc/profile-m-z/xonotic-sdl-wrapper.profile b/etc/profile-m-z/xonotic-sdl-wrapper.profile
new file mode 100644
index 000000000..6f0c7cf4c
--- /dev/null
+++ b/etc/profile-m-z/xonotic-sdl-wrapper.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for xonotic
+# This file is overwritten after every install/update
+include xonotic-sdl-wrapper.local
+# Redirect
+include xonotic.profile
diff --git a/etc/xonotic-sdl.profile b/etc/profile-m-z/xonotic-sdl.profile
index abb91e1ec..abb91e1ec 100644
--- a/etc/xonotic-sdl.profile
+++ b/etc/profile-m-z/xonotic-sdl.profile
diff --git a/etc/xonotic.profile b/etc/profile-m-z/xonotic.profile
index f4f828eda..aa8cc7d0e 100644
--- a/etc/xonotic.profile
+++ b/etc/profile-m-z/xonotic.profile
@@ -14,15 +14,19 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 mkdir ${HOME}/.xonotic
 whitelist ${HOME}/.xonotic
+whitelist /usr/share/xonotic
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
+apparmor
 caps.drop all
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -33,10 +37,17 @@ novideo
 protocol unix,inet,inet6
 seccomp
 shell none
+tracelog
 disable-mnt
-private-bin bash,blind-id,darkplaces-glx,darkplaces-sdl,dirname,grep,ldd,netstat,ps,readlink,sh,uname,xonotic,xonotic-glx,xonotic-linux32-dedicated,xonotic-linux32-glx,xonotic-linux32-sdl,xonotic-linux64-dedicated,xonotic-linux64-glx,xonotic-linux64-sdl,xonotic-sdl
+private-cache
+private-bin basename,bash,blind-id,cut,darkplaces-glx,darkplaces-sdl,dirname,glxinfo,grep,head,ldd,netstat,ps,readlink,sed,sh,uname,xonotic,xonotic-glx,xonotic-linux32-dedicated,xonotic-linux32-glx,xonotic-linux32-sdl,xonotic-linux64-dedicated,xonotic-linux64-glx,xonotic-linux64-sdl,xonotic-sdl,xonotic-sdl-wrapper,zenity
 private-dev
 private-etc alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl
 private-tmp
+dbus-user none
+dbus-system none
+read-only ${HOME}
+read-write ${HOME}/.xonotic
diff --git a/etc/profile-m-z/xournal.profile b/etc/profile-m-z/xournal.profile
new file mode 100644
index 000000000..b842b5307
--- /dev/null
+++ b/etc/profile-m-z/xournal.profile
@@ -0,0 +1,50 @@
+# Firejail profile for xournal
+# Description: Note taking and PDF editing
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xournal.local
+# Persistent global definitions
+include globals.local
+noblacklist ${DOCUMENTS}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+whitelist /usr/share/xournal
+whitelist /usr/share/poppler
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+private-bin xournal
+private-cache
+private-dev
+private-etc alternatives,fonts,group,machine-id,passwd
+# TODO should use private-lib
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/xpdf.profile b/etc/profile-m-z/xpdf.profile
index 8c405ba1d..cdffe4eb7 100644
--- a/etc/xpdf.profile
+++ b/etc/profile-m-z/xpdf.profile
@@ -19,11 +19,11 @@ include disable-xdg.inc
 include whitelist-var-common.inc
+apparmor
 caps.drop all
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -39,3 +39,7 @@ shell none
 private-dev
 private-tmp
+dbus-user none
+dbus-system none
+memory-deny-write-execute
diff --git a/etc/xplayer-audio-preview.profile b/etc/profile-m-z/xplayer-audio-preview.profile
index 0559b8183..0559b8183 100644
--- a/etc/xplayer-audio-preview.profile
+++ b/etc/profile-m-z/xplayer-audio-preview.profile
diff --git a/etc/xplayer-video-thumbnailer.profile b/etc/profile-m-z/xplayer-video-thumbnailer.profile
index 6b2878476..6b2878476 100644
--- a/etc/xplayer-video-thumbnailer.profile
+++ b/etc/profile-m-z/xplayer-video-thumbnailer.profile
diff --git a/etc/xplayer.profile b/etc/profile-m-z/xplayer.profile
index 325ce7627..28df73ea5 100644
--- a/etc/xplayer.profile
+++ b/etc/profile-m-z/xplayer.profile
@@ -11,8 +11,8 @@ noblacklist ${MUSIC}
 noblacklist ${VIDEOS}
 # Allow python (blacklisted by disable-interpreters.inc)
-include allow-python2.inc
+include allow-python2.inc
-include allow-python3.inc
+include allow-python3.inc
 include disable-common.inc
 include disable-devel.inc
@@ -27,7 +27,6 @@ include whitelist-var-common.inc
 # apparmor - makes settings immutable
 caps.drop all
 netfilter
-# nodbus - makes settings immutable
 nogroups
 nonewprivs
 noroot
@@ -42,3 +41,6 @@ private-dev
 # private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,machine-id,pki,pulse,ssl
 private-tmp
+# makes settings immutable
+# dbus-user none
+# dbus-system none
diff --git a/etc/xpra.profile b/etc/profile-m-z/xpra.profile
index 1033a7471..1033a7471 100644
--- a/etc/xpra.profile
+++ b/etc/profile-m-z/xpra.profile
diff --git a/etc/xreader-previewer.profile b/etc/profile-m-z/xreader-previewer.profile
index 6e1dcb5d2..6e1dcb5d2 100644
--- a/etc/xreader-previewer.profile
+++ b/etc/profile-m-z/xreader-previewer.profile
diff --git a/etc/xreader-thumbnailer.profile b/etc/profile-m-z/xreader-thumbnailer.profile
index a6925fcde..a6925fcde 100644
--- a/etc/xreader-thumbnailer.profile
+++ b/etc/profile-m-z/xreader-thumbnailer.profile
diff --git a/etc/xreader.profile b/etc/profile-m-z/xreader.profile
index 643c5a317..643c5a317 100644
--- a/etc/xreader.profile
+++ b/etc/profile-m-z/xreader.profile
diff --git a/etc/xviewer.profile b/etc/profile-m-z/xviewer.profile
index b09bf8ab1..0ac0f665e 100644
--- a/etc/xviewer.profile
+++ b/etc/profile-m-z/xviewer.profile
@@ -16,6 +16,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include whitelist-var-common.inc
@@ -23,7 +24,6 @@ include whitelist-var-common.inc
 caps.drop all
 # net none - makes settings immutable
 no3d
-# nodbus - makes settings immutable
 nodvd
 nogroups
 nonewprivs
@@ -42,4 +42,8 @@ private-dev
 private-lib
 private-tmp
+# makes settings immutable
+# dbus-user none
+# dbus-system none
 memory-deny-write-execute
diff --git a/etc/xxd.profile b/etc/profile-m-z/xxd.profile
index 569f194d3..864e8ce9c 100644
--- a/etc/xxd.profile
+++ b/etc/profile-m-z/xxd.profile
@@ -1,6 +1,7 @@
 # Firejail profile for xxd
 # Description: Tool to make (or reverse) a hex dump
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include xxd.local
 # Persistent global definitions
@@ -8,4 +9,4 @@ include xxd.local
 #include globals.local
 # Redirect
-include vim.profile
+include cpio.profile
diff --git a/etc/xz.profile b/etc/profile-m-z/xz.profile
index f7410b928..d9c72407f 100644
--- a/etc/xz.profile
+++ b/etc/profile-m-z/xz.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 # Redirect
 include cpio.profile
diff --git a/etc/xzcat.profile b/etc/profile-m-z/xzcat.profile
index f7410b928..d9c72407f 100644
--- a/etc/xzcat.profile
+++ b/etc/profile-m-z/xzcat.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 # Redirect
 include cpio.profile
diff --git a/etc/xzcmp.profile b/etc/profile-m-z/xzcmp.profile
index f7410b928..d9c72407f 100644
--- a/etc/xzcmp.profile
+++ b/etc/profile-m-z/xzcmp.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 # Redirect
 include cpio.profile
diff --git a/etc/xzdec.profile b/etc/profile-m-z/xzdec.profile
index ca6aaf1d5..542363b57 100644
--- a/etc/xzdec.profile
+++ b/etc/profile-m-z/xzdec.profile
@@ -21,7 +21,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nodvd
 #nogroups
 nonewprivs
@@ -37,3 +36,6 @@ tracelog
 x11 none
 private-dev
+dbus-user none
+dbus-system none
diff --git a/etc/xzdiff.profile b/etc/profile-m-z/xzdiff.profile
index f7410b928..d9c72407f 100644
--- a/etc/xzdiff.profile
+++ b/etc/profile-m-z/xzdiff.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 # Redirect
 include cpio.profile
diff --git a/etc/xzegrep.profile b/etc/profile-m-z/xzegrep.profile
index f7410b928..d9c72407f 100644
--- a/etc/xzegrep.profile
+++ b/etc/profile-m-z/xzegrep.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 # Redirect
 include cpio.profile
diff --git a/etc/xzfgrep.profile b/etc/profile-m-z/xzfgrep.profile
index f7410b928..d9c72407f 100644
--- a/etc/xzfgrep.profile
+++ b/etc/profile-m-z/xzfgrep.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 # Redirect
 include cpio.profile
diff --git a/etc/xzgrep.profile b/etc/profile-m-z/xzgrep.profile
index f7410b928..f7410b928 100644
--- a/etc/xzgrep.profile
+++ b/etc/profile-m-z/xzgrep.profile
diff --git a/etc/xzless.profile b/etc/profile-m-z/xzless.profile
index f7410b928..f7410b928 100644
--- a/etc/xzless.profile
+++ b/etc/profile-m-z/xzless.profile
diff --git a/etc/xzmore.profile b/etc/profile-m-z/xzmore.profile
index f7410b928..d9c72407f 100644
--- a/etc/xzmore.profile
+++ b/etc/profile-m-z/xzmore.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 # Redirect
 include cpio.profile
diff --git a/etc/yandex-browser.profile b/etc/profile-m-z/yandex-browser.profile
index 680bef677..680bef677 100644
--- a/etc/yandex-browser.profile
+++ b/etc/profile-m-z/yandex-browser.profile
diff --git a/etc/yelp.profile b/etc/profile-m-z/yelp.profile
index acd483209..fd95ceb04 100644
--- a/etc/yelp.profile
+++ b/etc/profile-m-z/yelp.profile
@@ -14,6 +14,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.config/yelp
@@ -21,8 +22,10 @@ whitelist ${HOME}/.config/yelp
 whitelist /usr/share/doc
 whitelist /usr/share/help
 whitelist /usr/share/yelp
+whitelist /usr/share/yelp-tools
 whitelist /usr/share/yelp-xsl
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -48,6 +51,8 @@ private-dev
 private-etc alsa,alternatives,asound.conf,crypto-policies,cups,dconf,drirc,fonts,gcrypt,gtk-3.0,machine-id,openal,os-release,pulse,sgml,xml
 private-tmp
+dbus-system none
 # read-only ${HOME} breaks some not necesarry featrues, comment it if
 # you need them or put 'ignore read-only ${HOME}' into your yelp.local.
 # broken features:
diff --git a/etc/youtube-dl.profile b/etc/profile-m-z/youtube-dl.profile
index 19effef47..db3535f78 100644
--- a/etc/youtube-dl.profile
+++ b/etc/profile-m-z/youtube-dl.profile
@@ -22,6 +22,7 @@ include allow-python3.inc
 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 include disable-common.inc
 include disable-devel.inc
@@ -29,6 +30,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 include whitelist-usr-share-common.inc
@@ -40,7 +42,6 @@ ipc-namespace
 machine-id
 netfilter
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -60,4 +61,7 @@ private-dev
 private-etc alternatives,ca-certificates,crypto-policies,hostname,hosts,ld.so.cache,mime.types,pki,resolv.conf,ssl,youtube-dl.conf
 private-tmp
+dbus-user none
+dbus-system none
 #memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/profile-m-z/youtube-viewer.profile b/etc/profile-m-z/youtube-viewer.profile
new file mode 100644
index 000000000..513cb0f6e
--- /dev/null
+++ b/etc/profile-m-z/youtube-viewer.profile
@@ -0,0 +1,57 @@
+# Firejail profile for youtube-viewer
+# Description: Trizen's CLI Youtube viewer with login support
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include youtube-viewer.local
+# Persistent global definitions
+include globals.local
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
+noblacklist ${HOME}/.config/youtube-viewer
+include allow-perl.inc
+include allow-python2.inc
+include allow-python3.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.config/youtube-viewer
+whitelist ${HOME}/.config/youtube-viewer
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+disable-mnt
+# private-bin ffmpeg,ffprobe,firefox,gtk-youtube-viewer,gtk2-youtube-viewer,gtk3-youtube-viewer,mpv,python*,smplayer,sh,which,vlc,youtube-dl,youtube-viewer
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,machine-id,mime.types,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl,X11,xdg
+private-tmp
+dbus-user none
+dbus-system none
+\ No newline at end of file
diff --git a/etc/zaproxy.profile b/etc/profile-m-z/zaproxy.profile
index 6228ff3bd..6228ff3bd 100644
--- a/etc/zaproxy.profile
+++ b/etc/profile-m-z/zaproxy.profile
diff --git a/etc/zart.profile b/etc/profile-m-z/zart.profile
index 347bed8b6..ca35e3b51 100644
--- a/etc/zart.profile
+++ b/etc/profile-m-z/zart.profile
@@ -15,12 +15,12 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 caps.drop all
 ipc-namespace
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -34,3 +34,5 @@ shell none
 private-bin ffmpeg,ffplay,ffprobe,melt,zart
 private-dev
+dbus-user none
+dbus-system none
diff --git a/etc/zathura.profile b/etc/profile-m-z/zathura.profile
index 703c8edd4..5274e5b42 100644
--- a/etc/zathura.profile
+++ b/etc/profile-m-z/zathura.profile
@@ -16,6 +16,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.config/zathura
@@ -25,11 +26,11 @@ whitelist /usr/share/zathura
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
+apparmor
 caps.drop all
 ipc-namespace
 machine-id
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -47,9 +48,13 @@ private-bin zathura
 private-cache
 private-dev
 private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id
-private-lib gcc/*/*/libgcc_s.so.*,gcc/*/*/libstdc++.so.*,libarchive.so.*,libdjvulibre.so.*,libgirara-gtk*,libpoppler-glib.so.*,libspectre.so.*,zathura
+# private-lib has problems on Debian 10
+#private-lib gcc/*/*/libgcc_s.so.*,gcc/*/*/libstdc++.so.*,libarchive.so.*,libdjvulibre.so.*,libgirara-gtk*,libpoppler-glib.so.*,libspectre.so.*,zathura
 private-tmp
+dbus-user none
+dbus-system none
 read-only ${HOME}
 read-write ${HOME}/.config/zathura
 read-write ${HOME}/.local/share/zathura
diff --git a/etc/zcat.profile b/etc/profile-m-z/zcat.profile
index 12932ea92..bbac50712 100644
--- a/etc/zcat.profile
+++ b/etc/profile-m-z/zcat.profile
@@ -7,5 +7,8 @@ include zcat.local
 # added by included profile
 #include globals.local
+# Allow running kernel config check
+noblacklist /proc/config.gz
 # Redirect
 include gzip.profile
diff --git a/etc/zcmp.profile b/etc/profile-m-z/zcmp.profile
index 795cdae2a..795cdae2a 100644
--- a/etc/zcmp.profile
+++ b/etc/profile-m-z/zcmp.profile
diff --git a/etc/zdiff.profile b/etc/profile-m-z/zdiff.profile
index 1e75e38fe..1e75e38fe 100644
--- a/etc/zdiff.profile
+++ b/etc/profile-m-z/zdiff.profile
diff --git a/etc/zeal.profile b/etc/profile-m-z/zeal.profile
index f0fa29aa3..2d0d944fd 100644
--- a/etc/zeal.profile
+++ b/etc/profile-m-z/zeal.profile
@@ -1,5 +1,5 @@
 # Firejail profile for zeal
-# Description: Offline documentation browser
+# Description: Offline API documentation browser
 # This file is overwritten after every install/update
 # Persistent local customizations
 include zeal.local
@@ -16,13 +16,15 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
-mkdir ${HOME}/.config/Zeal
 mkdir ${HOME}/.cache/Zeal
+mkdir ${HOME}/.config/qt5ct
+mkdir ${HOME}/.config/Zeal
 mkdir ${HOME}/.local/share/Zeal
-whitelist ${HOME}/.config/Zeal
 whitelist ${HOME}/.cache/Zeal
+whitelist ${HOME}/.config/Zeal
 whitelist ${HOME}/.local/share/Zeal
 include whitelist-common.inc
 include whitelist-var-common.inc
@@ -32,7 +34,6 @@ caps.drop all
 machine-id
 netfilter
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -41,7 +42,7 @@ nosound
 notv
 nou2f
 novideo
-protocol unix,inet,inet6
+protocol unix,inet,inet6,netlink
 seccomp
 shell none
 tracelog
@@ -53,4 +54,7 @@ private-dev
 private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,nsswitch.conf,pango,pki,protocols,resolv.conf,rpc,services,ssl,Trolltech.conf,X11,xdg
 private-tmp
-memory-deny-write-execute
+dbus-user none
+dbus-system none
+# memory-deny-write-execute - breaks on Arch
diff --git a/etc/zegrep.profile b/etc/profile-m-z/zegrep.profile
index 54dc6b2a0..54dc6b2a0 100644
--- a/etc/zegrep.profile
+++ b/etc/profile-m-z/zegrep.profile
diff --git a/etc/zfgrep.profile b/etc/profile-m-z/zfgrep.profile
index 73b22f2e8..73b22f2e8 100644
--- a/etc/zfgrep.profile
+++ b/etc/profile-m-z/zfgrep.profile
diff --git a/etc/zforce.profile b/etc/profile-m-z/zforce.profile
index d62e57065..d62e57065 100644
--- a/etc/zforce.profile
+++ b/etc/profile-m-z/zforce.profile
diff --git a/etc/zgrep.profile b/etc/profile-m-z/zgrep.profile
index b39a58420..0e7151400 100644
--- a/etc/zgrep.profile
+++ b/etc/profile-m-z/zgrep.profile
@@ -7,5 +7,8 @@ include zgrep.local
 # added by included profile
 #include globals.local
+# Allow running kernel config check
+noblacklist /proc/config.gz
 # Redirect
 include gzip.profile
diff --git a/etc/zless.profile b/etc/profile-m-z/zless.profile
index 0a26cda1f..0a26cda1f 100644
--- a/etc/zless.profile
+++ b/etc/profile-m-z/zless.profile
diff --git a/etc/zmore.profile b/etc/profile-m-z/zmore.profile
index 3a8f63562..3a8f63562 100644
--- a/etc/zmore.profile
+++ b/etc/profile-m-z/zmore.profile
diff --git a/etc/znew.profile b/etc/profile-m-z/znew.profile
index a8593e58e..a8593e58e 100644
--- a/etc/znew.profile
+++ b/etc/profile-m-z/znew.profile
diff --git a/etc/zoom.profile b/etc/profile-m-z/zoom.profile
index 6d312aff6..b3125ee50 100644
--- a/etc/zoom.profile
+++ b/etc/profile-m-z/zoom.profile
@@ -10,8 +10,11 @@ noblacklist ${HOME}/.zoom
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
+include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 mkdir ${HOME}/.cache/zoom
 mkfile ${HOME}/.config/zoomus.conf
@@ -20,14 +23,25 @@ whitelist ${HOME}/.cache/zoom
 whitelist ${HOME}/.config/zoomus.conf
 whitelist ${HOME}/.zoom
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
 caps.drop all
 netfilter
 nodvd
+nogroups
 nonewprivs
 noroot
 notv
-protocol unix,inet,inet6
+nou2f
-seccomp
+protocol unix,inet,inet6,netlink
+seccomp !chroot
+shell none
+tracelog
+disable-mnt
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl
 private-tmp
diff --git a/etc/zpaq.profile b/etc/profile-m-z/zpaq.profile
index 80329ecfd..80329ecfd 100644
--- a/etc/zpaq.profile
+++ b/etc/profile-m-z/zpaq.profile
diff --git a/etc/zstd.profile b/etc/profile-m-z/zstd.profile
index 93b849568..be27c10e1 100644
--- a/etc/zstd.profile
+++ b/etc/profile-m-z/zstd.profile
@@ -23,7 +23,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/zstdcat.profile b/etc/profile-m-z/zstdcat.profile
index ce9af3286..ce9af3286 100644
--- a/etc/zstdcat.profile
+++ b/etc/profile-m-z/zstdcat.profile
diff --git a/etc/zstdgrep.profile b/etc/profile-m-z/zstdgrep.profile
index ce9af3286..ce9af3286 100644
--- a/etc/zstdgrep.profile
+++ b/etc/profile-m-z/zstdgrep.profile
diff --git a/etc/zstdless.profile b/etc/profile-m-z/zstdless.profile
index ce9af3286..ce9af3286 100644
--- a/etc/zstdless.profile
+++ b/etc/profile-m-z/zstdless.profile
diff --git a/etc/zstdmt.profile b/etc/profile-m-z/zstdmt.profile
index ce9af3286..ce9af3286 100644
--- a/etc/zstdmt.profile
+++ b/etc/profile-m-z/zstdmt.profile
diff --git a/etc/zulip.profile b/etc/profile-m-z/zulip.profile
index 999c2f77a..993f2a64b 100644
--- a/etc/zulip.profile
+++ b/etc/profile-m-z/zulip.profile
@@ -16,6 +16,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.config/Zulip
diff --git a/etc/ranger.profile b/etc/ranger.profile
deleted file mode 100644
index bcf39095b..000000000
--- a/etc/ranger.profile
+++ /dev/null
@@ -1,42 +0,0 @@
-# Firejail profile for ranger
-# Description: File manager with an ncurses frontend written in Python
-# This file is overwritten after every install/update
-# Persistent local customizations
-include ranger.local
-# Persistent global definitions
-include globals.local
-noblacklist ${HOME}/.config/nano
-noblacklist ${HOME}/.config/ranger
-noblacklist ${HOME}/.nanorc
-# Allow python (blacklisted by disable-interpreters.inc)
-include allow-python2.inc
-include allow-python3.inc
-# Allow perl
-include allow-perl.inc
-include disable-common.inc
-include disable-devel.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-allusers
-caps.drop all
-net none
-nodbus
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix
-seccomp
-#x11 none
-private-dev
diff --git a/etc/templates/profile.template b/etc/templates/profile.template
index 0362b82af..02d9fa076 100644
--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -27,11 +27,13 @@
 #   ALLOW INCLUDES
 #   BLACKLISTS
 #   DISABLE INCLUDES
+#   NOWHITELISTS
 #   MKDIRS
 #   WHITELISTS
 #   WHITELIST INCLUDES
 #   OPTIONS (caps*, net*, no*, protocol, seccomp*, shell none, tracelog)
 #   PRIVATE OPTIONS (disable-mnt, private-*, writable-*)
+#   DBUS FILTER
 #   SPECIAL OPTIONS (mdwx, noexec, read-only, join-or-start)
 #   REDIRECT INCLUDES
 #
@@ -62,6 +64,8 @@ include globals.local
 #blacklist /tmp/.X11-unix
 # Disable Wayland
 #blacklist ${RUNUSER}/wayland-*
+# Disable RUNUSER (cli only)
+#blacklist ${RUNUSER}
 # It is common practice to add files/dirs containing program-specific configuration
 # (often ${HOME}/PROGRAMNAME or ${HOME}/.config/PROGRAMNAME) into disable-programs.inc
@@ -105,6 +109,7 @@ include globals.local
 #include disable-interpreters.inc
 #include disable-passwdmgr.inc
 #include disable-programs.inc
+#include disable-shell.inc
 #include disable-xdg.inc
 # This section often mirrors noblacklist section above. The idea is
@@ -116,6 +121,7 @@ include globals.local
 ##mkfile PATH
 #whitelist PATH
 #include whitelist-common.inc
+#include whitelist-runuser-common.inc
 #include whitelist-usr-share-common.inc
 #include whitelist-var-common.inc
@@ -132,7 +138,7 @@ include globals.local
 #net none
 #netfilter
 #no3d
-#nodbus
+##nodbus (deprecated, use 'dbus-user none' and 'dbus-system none', see below)
 #nodvd
 #nogroups
 #nonewprivs
@@ -182,6 +188,22 @@ include globals.local
 ##writable-var
 ##writable-var-log
+# Since 0.9.63 also a more granular regulation of dbus is supported.
+# To get the dbus-addresses to which an application needs access to.
+# You can look at flatpak if the application is also distriputed via flatpak:
+#    flatpak remote-info --show-metadata flathub <APP-ID>
+# Notes:
+#  - flatpak implicitly allows an app to own <APP-ID> on the session bus
+#  - In order to make dconf work (if it is used by the app) you need to allow
+#    'ca.desrt.dconf' even if it is not allowed by flatpak.
+# Notes and Policiy about addresses can be found at
+# <https://github.com/netblue30/firejail/wiki/Restrict-D-Bus>
+#dbus-user filter
+#dbus-user.own com.github.netblue30.firejail
+#dbus-user.talk ca.desrt.dconf
+#dbus-user.talk org.freedesktop.Notifications
+#dbus-system none
 ##env VAR=VALUE
 #memory-deny-write-execute
 ##noexec PATH