315 files changed, 1057 insertions, 541 deletions
diff --git a/etc/apparmor/firejail-base b/etc/apparmor/firejail-base
new file mode 100644
index 000000000..6e286d4af
--- /dev/null
+++ b/etc/apparmor/firejail-base
@@ -0,0 +1,27 @@
+#########################################
+# Firejail base abstraction drop-in
+#
+# Adds basic Firejail support to AppArmor profiles.
+# Please note: Firejail's nonewprivs and seccomp options
+# are not compatible with AppArmor profile transitions.
+# Also there is no support for Firejail chroot options.
+#########################################
+# Discovery of process names
+owner /proc/@{pid}/comm r,
+##########
+# Following paths only exist inside a Firejail sandbox
+##########
+# Library preloading
+/{,var/}run/firejail/lib/*.so mr,
+# Supporting seccomp
+owner /{,var/}run/firejail/mnt/seccomp/seccomp.postexec r,
+# Supporting trace
+owner /{,var/}run/firejail/mnt/trace w,
+# Supporting tracelog
+/{,var/}run/firejail/mnt/fslogger r,
diff --git a/etc/apparmor/firejail-default b/etc/apparmor/firejail-default
index ca32f5b0d..a7044152e 100644
--- a/etc/apparmor/firejail-default
+++ b/etc/apparmor/firejail-default
@@ -129,7 +129,7 @@ signal (receive),
 ##########
 # The list of recognized capabilities varies from one apparmor version to another.
 # For example on Debian 10 (apparmor 2.13.2) checkpoint_restore, perfmon, bpf are not available
-# We allow all caps by default and remove the  ones we don't like:
+# We allow all caps by default and remove the ones we don't like:
 capability,
 deny capability audit_write,
 deny capability audit_control,
diff --git a/etc/firejail.config b/etc/firejail.config
index 2e355586b..7912b746c 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -2,6 +2,9 @@
 # keyword-argument pairs, one per line. Most features are enabled by default.
 # Use 'yes' or 'no' as configuration values.
+# Allow programs to display a tray icon
+# allow-tray no
 # Enable AppArmor functionality, default enabled.
 # apparmor yes
@@ -63,7 +66,7 @@
 # a file argument, the default filter is hardcoded (see man 1 firejail). This
 # configuration entry allows the user to change the default by specifying
 # a file containing the filter configuration. The filter file format is the
-# format of  iptables-save  and iptable-restore commands. Example:
+# format of iptables-save and iptables-restore commands. Example:
 # netfilter-default /etc/iptables.iptables.rules
 # Enable or disable networking features, default enabled.
diff --git a/etc/ids.config b/etc/ids.config
index 09b0ae912..ff55416ca 100644
--- a/etc/ids.config
+++ b/etc/ids.config
@@ -37,6 +37,7 @@ include ids.config.local
 ### shells local ###
 # bash
+${HOME}/.bash_aliases
 ${HOME}/.bash_login
 ${HOME}/.bash_logout
 ${HOME}/.bash_profile
@@ -99,10 +100,24 @@ ${HOME}/.xsessionrc
 ### window/desktop manager ###
 ${HOME}/Desktop/*.desktop
 ${HOME}/.config/autostart
+${HOME}/.config/autostart-scripts
 ${HOME}/.config/lxsession/LXDE/autostart
+${HOME}/.config/openbox/autostart
+${HOME}/.config/openbox/environment
+${HOME}/.config/plasma-workspace/env
+${HOME}/.config/plasma-workspace/shutdown
 ${HOME}/.gnomerc
 ${HOME}/.gtkrc
+${HOME}/.kde/Autostart
+${HOME}/.kde/env
+${HOME}/.kde/share/autostart
+${HOME}/.kde/shutdown
+${HOME}/.kde4/Autostart
+${HOME}/.kde4/env
+${HOME}/.kde4/share/autostart
+${HOME}/.kde4/shutdown
 ${HOME}/.kderc
+${HOME}/.local/share/autostart
 ### security ###
 /etc/aide
@@ -123,6 +138,7 @@ ${HOME}/.kderc
 /etc/tripwire
 ${HOME}/.config/firejail
 ${HOME}/.gnupg
+${HOME}/.pam_environment
 ### network security ###
 /etc/ca-certificates*
diff --git a/etc/inc/allow-common-devel.inc b/etc/inc/allow-common-devel.inc
index 011bbe226..4e460fc10 100644
--- a/etc/inc/allow-common-devel.inc
+++ b/etc/inc/allow-common-devel.inc
@@ -27,5 +27,8 @@ noblacklist ${HOME}/.python-history
 noblacklist ${HOME}/.python_history
 noblacklist ${HOME}/.pythonhist
+# Ruby
+noblacklist ${HOME}/.bundle
 # Rust
-noblacklist ${HOME}/.cargo/*
+noblacklist ${HOME}/.cargo
diff --git a/etc/inc/allow-ruby.inc b/etc/inc/allow-ruby.inc
index a8c701219..00276cac7 100644
--- a/etc/inc/allow-ruby.inc
+++ b/etc/inc/allow-ruby.inc
@@ -4,3 +4,4 @@ include allow-ruby.local
 noblacklist ${PATH}/ruby
 noblacklist /usr/lib/ruby
+noblacklist /usr/lib64/ruby
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index ae84ee38a..f3d685d18 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -458,7 +458,7 @@ blacklist /sbin
 blacklist /usr/local/sbin
 blacklist /usr/sbin
-# system management
+# system management and various SUID executables
 blacklist ${PATH}/at
 blacklist ${PATH}/busybox
 blacklist ${PATH}/chage
@@ -493,6 +493,12 @@ blacklist ${PATH}/umount
 blacklist ${PATH}/unix_chkpwd
 blacklist ${PATH}/xev
 blacklist ${PATH}/xinput
+blacklist /usr/lib/openssh/ssh-keysign
+blacklist ${PATH}/passwd
+blacklist /usr/lib/xorg/Xorg.wrap
+blacklist /usr/lib/policykit-1/polkit-agent-helper-1
+blacklist /usr/lib/dbus-1.0/dbus-daemon-launch-helper
+blacklist /usr/lib/eject/dmcrypt-get-device
 # other SUID binaries
 blacklist /usr/lib/virtualbox
diff --git a/etc/inc/disable-devel.inc b/etc/inc/disable-devel.inc
index e74b1b40b..98bf5ecc8 100644
--- a/etc/inc/disable-devel.inc
+++ b/etc/inc/disable-devel.inc
@@ -60,9 +60,7 @@ blacklist /usr/lib/tcc
 blacklist ${PATH}/valgrind*
 blacklist /usr/lib/valgrind
 # Source-Code
 blacklist /usr/src
 blacklist /usr/local/src
 blacklist /usr/include
diff --git a/etc/inc/disable-exec.inc b/etc/inc/disable-exec.inc
index 9b5c40a2b..d7dcef7e7 100644
--- a/etc/inc/disable-exec.inc
+++ b/etc/inc/disable-exec.inc
@@ -6,6 +6,7 @@ noexec ${HOME}
 noexec ${RUNUSER}
 noexec /dev/mqueue
 noexec /dev/shm
+noexec /run/shm
 noexec /tmp
 # /var is noexec by default for unprivileged users
 # except there is a writable-var option, so just in case:
diff --git a/etc/inc/disable-interpreters.inc b/etc/inc/disable-interpreters.inc
index 5d8a236fb..804869e2a 100644
--- a/etc/inc/disable-interpreters.inc
+++ b/etc/inc/disable-interpreters.inc
@@ -48,6 +48,7 @@ blacklist /usr/share/php*
 # Ruby
 blacklist ${PATH}/ruby
 blacklist /usr/lib/ruby
+blacklist /usr/lib64/ruby
 # Programs using python: deluge, firefox addons, filezilla, cherrytree, xchat, hexchat, libreoffice, scribus
 # Python 2
diff --git a/etc/inc/disable-proc.inc b/etc/inc/disable-proc.inc
new file mode 100644
index 000000000..81a8883f3
--- /dev/null
+++ b/etc/inc/disable-proc.inc
@@ -0,0 +1,82 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include disable-proc.local
+blacklist /proc/acpi
+blacklist /proc/asound
+blacklist /proc/bootconfig
+blacklist /proc/buddyinfo
+blacklist /proc/cgroups
+blacklist /proc/cmdline
+blacklist /proc/config.gz
+blacklist /proc/consoles
+#blacklist /proc/cpuinfo
+blacklist /proc/crypto
+blacklist /proc/devices
+blacklist /proc/diskstats
+blacklist /proc/dma
+#blacklist /proc/driver
+blacklist /proc/dynamic_debug
+blacklist /proc/execdomains
+blacklist /proc/fb
+#blacklist /proc/filesystems
+blacklist /proc/fs
+blacklist /proc/i8k
+blacklist /proc/interrupts
+blacklist /proc/iomem
+blacklist /proc/ioports
+blacklist /proc/irq
+blacklist /proc/kallsyms
+blacklist /proc/kcore
+blacklist /proc/keys
+blacklist /proc/key-users
+blacklist /proc/kmsg
+blacklist /proc/kpagecgroup
+blacklist /proc/kpagecount
+blacklist /proc/kpageflags
+blacklist /proc/latency_stats
+#blacklist /proc/loadavg
+blacklist /proc/locks
+blacklist /proc/mdstat
+#blacklist /proc/meminfo
+blacklist /proc/misc
+#blacklist /proc/modules
+#blacklist /proc/mounts
+blacklist /proc/mtrr
+#blacklist /proc/net
+blacklist /proc/partitions
+blacklist /proc/pressure
+blacklist /proc/sched_debug
+blacklist /proc/schedstat
+blacklist /proc/scsi
+#blacklist /proc/self
+blacklist /proc/slabinfo
+blacklist /proc/softirqs
+blacklist /proc/spl
+#blacklist /proc/stat
+blacklist /proc/swaps
+#blacklist /proc/sys
+blacklist /proc/sysrq-trigger
+blacklist /proc/sysvipc
+#blacklist /proc/thread-self
+blacklist /proc/timer_list
+blacklist /proc/tty
+#blacklist /proc/uptime
+#blacklist /proc/version
+blacklist /proc/version_signature
+blacklist /proc/vmallocinfo
+#blacklist /proc/vmstat
+#blacklist /proc/zoneinfo
+blacklist /proc/sys/abi
+blacklist /proc/sys/crypto
+blacklist /proc/sys/debug
+blacklist /proc/sys/dev
+blacklist /proc/sys/fs
+blacklist /proc/sys/net
+blacklist /proc/sys/user
+blacklist /proc/sys/vm
+noblacklist /proc/sys/kernel/osrelease
+noblacklist /proc/sys/kernel/yama
+blacklist /proc/sys/*/*
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 4941630a2..e78f15e10 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -49,11 +49,184 @@ blacklist ${HOME}/.bibletime
 blacklist ${HOME}/.bitcoin
 blacklist ${HOME}/.blobby
 blacklist ${HOME}/.bogofilter
+blacklist ${HOME}/.bundle
 blacklist ${HOME}/.bzf
-blacklist ${HOME}/.cargo/*
+blacklist ${HOME}/.cache/0ad
+blacklist ${HOME}/.cache/8pecxstudios
+blacklist ${HOME}/.cache/Authenticator
+blacklist ${HOME}/.cache/BraveSoftware
+blacklist ${HOME}/.cache/Clementine
+blacklist ${HOME}/.cache/ENCOM/Spectral
+blacklist ${HOME}/.cache/Enox
+blacklist ${HOME}/.cache/Enpass
+blacklist ${HOME}/.cache/Ferdi
+blacklist ${HOME}/.cache/Flavio Tordini
+blacklist ${HOME}/.cache/Franz
+blacklist ${HOME}/.cache/GoldenDict
+blacklist ${HOME}/.cache/INRIA
+blacklist ${HOME}/.cache/INRIA/Natron
+blacklist ${HOME}/.cache/JetBrains/CLion*
+blacklist ${HOME}/.cache/KDE/neochat
+blacklist ${HOME}/.cache/Mendeley Ltd.
+blacklist ${HOME}/.cache/MusicBrainz
+blacklist ${HOME}/.cache/NewsFlashGTK
+blacklist ${HOME}/.cache/Otter
+blacklist ${HOME}/.cache/PawelStolowski
+blacklist ${HOME}/.cache/Psi
+blacklist ${HOME}/.cache/QuiteRss
+blacklist ${HOME}/.cache/Quotient/quaternion
+blacklist ${HOME}/.cache/Shortwave
+blacklist ${HOME}/.cache/Tox
+blacklist ${HOME}/.cache/Zeal
+blacklist ${HOME}/.cache/agenda
+blacklist ${HOME}/.cache/akonadi*
+blacklist ${HOME}/.cache/atril
+blacklist ${HOME}/.cache/attic
+blacklist ${HOME}/.cache/babl
+blacklist ${HOME}/.cache/bnox
+blacklist ${HOME}/.cache/borg
+blacklist ${HOME}/.cache/calibre
+blacklist ${HOME}/.cache/cantata
+blacklist ${HOME}/.cache/champlain
+blacklist ${HOME}/.cache/chromium
+blacklist ${HOME}/.cache/chromium-dev
+blacklist ${HOME}/.cache/cliqz
+blacklist ${HOME}/.cache/com.github.johnfactotum.Foliate
+blacklist ${HOME}/.cache/darktable
+blacklist ${HOME}/.cache/deja-dup
+blacklist ${HOME}/.cache/discover
+blacklist ${HOME}/.cache/dnox
+blacklist ${HOME}/.cache/dolphin
+blacklist ${HOME}/.cache/dolphin-emu
+blacklist ${HOME}/.cache/ephemeral
+blacklist ${HOME}/.cache/epiphany
+blacklist ${HOME}/.cache/evolution
+blacklist ${HOME}/.cache/falkon
+blacklist ${HOME}/.cache/feedreader
+blacklist ${HOME}/.cache/firedragon
+blacklist ${HOME}/.cache/flaska.net/trojita
+blacklist ${HOME}/.cache/folks
+blacklist ${HOME}/.cache/font-manager
+blacklist ${HOME}/.cache/fossamail
+blacklist ${HOME}/.cache/fractal
+blacklist ${HOME}/.cache/freecol
+blacklist ${HOME}/.cache/gajim
+blacklist ${HOME}/.cache/geary
+blacklist ${HOME}/.cache/geeqie
+blacklist ${HOME}/.cache/gegl-0.4
+blacklist ${HOME}/.cache/gfeeds
+blacklist ${HOME}/.cache/gimp
+blacklist ${HOME}/.cache/gnome-boxes
+blacklist ${HOME}/.cache/gnome-builder
+blacklist ${HOME}/.cache/gnome-control-center
+blacklist ${HOME}/.cache/gnome-recipes
+blacklist ${HOME}/.cache/gnome-screenshot
+blacklist ${HOME}/.cache/gnome-software
+blacklist ${HOME}/.cache/gnome-twitch
+blacklist ${HOME}/.cache/godot
+blacklist ${HOME}/.cache/google-chrome
+blacklist ${HOME}/.cache/google-chrome-beta
+blacklist ${HOME}/.cache/google-chrome-unstable
+blacklist ${HOME}/.cache/gradio
+blacklist ${HOME}/.cache/gummi
+blacklist ${HOME}/.cache/icedove
+blacklist ${HOME}/.cache/inkscape
+blacklist ${HOME}/.cache/inox
+blacklist ${HOME}/.cache/io.github.lainsce.Notejot
+blacklist ${HOME}/.cache/iridium
+blacklist ${HOME}/.cache/kcmshell5
+blacklist ${HOME}/.cache/kdenlive
+blacklist ${HOME}/.cache/keepassxc
+blacklist ${HOME}/.cache/kfind
+blacklist ${HOME}/.cache/kinfocenter
+blacklist ${HOME}/.cache/kmail2
+blacklist ${HOME}/.cache/krunner
+blacklist ${HOME}/.cache/krunnerbookmarkrunnerfirefoxdbfile.sqlite*
+blacklist ${HOME}/.cache/kscreenlocker_greet
+blacklist ${HOME}/.cache/ksmserver-logout-greeter
+blacklist ${HOME}/.cache/ksplashqml
+blacklist ${HOME}/.cache/kube
+blacklist ${HOME}/.cache/kwin
+blacklist ${HOME}/.cache/libgweather
+blacklist ${HOME}/.cache/librewolf
+blacklist ${HOME}/.cache/liferea
+blacklist ${HOME}/.cache/lutris
+blacklist ${HOME}/.cache/marker
+blacklist ${HOME}/.cache/matrix-mirage
+blacklist ${HOME}/.cache/microsoft-edge-beta
+blacklist ${HOME}/.cache/microsoft-edge-dev
+blacklist ${HOME}/.cache/midori
+blacklist ${HOME}/.cache/minetest
+blacklist ${HOME}/.cache/mirage
+blacklist ${HOME}/.cache/moonchild productions/basilisk
+blacklist ${HOME}/.cache/moonchild productions/pale moon
+blacklist ${HOME}/.cache/mozilla
+blacklist ${HOME}/.cache/ms-excel-online
+blacklist ${HOME}/.cache/ms-office-online
+blacklist ${HOME}/.cache/ms-onenote-online
+blacklist ${HOME}/.cache/ms-outlook-online
+blacklist ${HOME}/.cache/ms-powerpoint-online
+blacklist ${HOME}/.cache/ms-skype-online
+blacklist ${HOME}/.cache/ms-word-online
+blacklist ${HOME}/.cache/mutt
+blacklist ${HOME}/.cache/mypaint
+blacklist ${HOME}/.cache/netsurf
+blacklist ${HOME}/.cache/nheko
+blacklist ${HOME}/.cache/okular
+blacklist ${HOME}/.cache/opera
+blacklist ${HOME}/.cache/opera-beta
+blacklist ${HOME}/.cache/org.gabmus.gfeeds
+blacklist ${HOME}/.cache/org.gnome.Books
+blacklist ${HOME}/.cache/org.gnome.Maps
+blacklist ${HOME}/.cache/pdfmod
+blacklist ${HOME}/.cache/peek
+blacklist ${HOME}/.cache/pip
+blacklist ${HOME}/.cache/pipe-viewer
+blacklist ${HOME}/.cache/plasmashell
+blacklist ${HOME}/.cache/plasmashellbookmarkrunnerfirefoxdbfile.sqlite*
+blacklist ${HOME}/.cache/psi
+blacklist ${HOME}/.cache/qBittorrent
+blacklist ${HOME}/.cache/quodlibet
+blacklist ${HOME}/.cache/qupzilla
+blacklist ${HOME}/.cache/qutebrowser
+blacklist ${HOME}/.cache/rednotebook
+blacklist ${HOME}/.cache/rhythmbox
+blacklist ${HOME}/.cache/shotwell
+blacklist ${HOME}/.cache/simple-scan
+blacklist ${HOME}/.cache/slimjet
+blacklist ${HOME}/.cache/smuxi
+blacklist ${HOME}/.cache/snox
+blacklist ${HOME}/.cache/spotify
+blacklist ${HOME}/.cache/straw-viewer
+blacklist ${HOME}/.cache/strawberry
+blacklist ${HOME}/.cache/supertuxkart
+blacklist ${HOME}/.cache/systemsettings
+blacklist ${HOME}/.cache/telepathy
+blacklist ${HOME}/.cache/thunderbird
+blacklist ${HOME}/.cache/torbrowser
+blacklist ${HOME}/.cache/transmission
+blacklist ${HOME}/.cache/ungoogled-chromium
+blacklist ${HOME}/.cache/vivaldi
+blacklist ${HOME}/.cache/vivaldi-snapshot
+blacklist ${HOME}/.cache/vlc
+blacklist ${HOME}/.cache/vmware
+blacklist ${HOME}/.cache/warsow-2.1
+blacklist ${HOME}/.cache/waterfox
+blacklist ${HOME}/.cache/wesnoth
+blacklist ${HOME}/.cache/winetricks
+blacklist ${HOME}/.cache/xmms2
+blacklist ${HOME}/.cache/xournalpp
+blacklist ${HOME}/.cache/xreader
+blacklist ${HOME}/.cache/yandex-browser
+blacklist ${HOME}/.cache/yandex-browser-beta
+blacklist ${HOME}/.cache/youtube-dl
+blacklist ${HOME}/.cache/youtube-viewer
+blacklist ${HOME}/.cache/yt-dlp
+blacklist ${HOME}/.cache/zim
+blacklist ${HOME}/.cargo
 blacklist ${HOME}/.claws-mail
-blacklist ${HOME}/.cliqz
 blacklist ${HOME}/.clion*
+blacklist ${HOME}/.cliqz
 blacklist ${HOME}/.clonk
 blacklist ${HOME}/.config/0ad
 blacklist ${HOME}/.config/2048-qt
@@ -92,8 +265,8 @@ blacklist ${HOME}/.config/Google Play Music Desktop Player
 blacklist ${HOME}/.config/Gpredict
 blacklist ${HOME}/.config/INRIA
 blacklist ${HOME}/.config/InSilmaril
-blacklist ${HOME}/.config/Jitsi Meet
 blacklist ${HOME}/.config/JetBrains/CLion*
+blacklist ${HOME}/.config/Jitsi Meet
 blacklist ${HOME}/.config/KDE/neochat
 blacklist ${HOME}/.config/KeePass
 blacklist ${HOME}/.config/KeePassXCrc
@@ -142,6 +315,7 @@ blacklist ${HOME}/.config/SubDownloader
 blacklist ${HOME}/.config/Thunar
 blacklist ${HOME}/.config/Twitch
 blacklist ${HOME}/.config/Unknown Organization
+blacklist ${HOME}/.config/VSCodium
 blacklist ${HOME}/.config/VirtualBox
 blacklist ${HOME}/.config/Whalebird
 blacklist ${HOME}/.config/Wire
@@ -496,12 +670,14 @@ blacklist ${HOME}/.frogatto
 blacklist ${HOME}/.frozen-bubble
 blacklist ${HOME}/.funnyboat
 blacklist ${HOME}/.gallery-dl.conf
+blacklist ${HOME}/.geekbench5
 blacklist ${HOME}/.gimp*
 blacklist ${HOME}/.gist
 blacklist ${HOME}/.gitconfig
 blacklist ${HOME}/.gl-117
 blacklist ${HOME}/.glaxiumrc
 blacklist ${HOME}/.gnome/gnome-schedule
+blacklist ${HOME}/.goldendict
 blacklist ${HOME}/.googleearth
 blacklist ${HOME}/.gradle
 blacklist ${HOME}/.gramps
@@ -954,176 +1130,3 @@ blacklist /var/games/slashem
 blacklist /var/games/vulturesclaw
 blacklist /var/games/vultureseye
 blacklist /var/lib/games/Maelstrom-Scores
-# ${HOME}/.cache directory
-blacklist ${HOME}/.cache/0ad
-blacklist ${HOME}/.cache/8pecxstudios
-blacklist ${HOME}/.cache/Authenticator
-blacklist ${HOME}/.cache/BraveSoftware
-blacklist ${HOME}/.cache/Clementine
-blacklist ${HOME}/.cache/ENCOM/Spectral
-blacklist ${HOME}/.cache/Enox
-blacklist ${HOME}/.cache/Enpass
-blacklist ${HOME}/.cache/Ferdi
-blacklist ${HOME}/.cache/Flavio Tordini
-blacklist ${HOME}/.cache/Franz
-blacklist ${HOME}/.cache/INRIA
-blacklist ${HOME}/.cache/INRIA/Natron
-blacklist ${HOME}/.cache/KDE/neochat
-blacklist ${HOME}/.cache/Mendeley Ltd.
-blacklist ${HOME}/.cache/MusicBrainz
-blacklist ${HOME}/.cache/NewsFlashGTK
-blacklist ${HOME}/.cache/Otter
-blacklist ${HOME}/.cache/PawelStolowski
-blacklist ${HOME}/.cache/Psi
-blacklist ${HOME}/.cache/QuiteRss
-blacklist ${HOME}/.cache/Quotient/quaternion
-blacklist ${HOME}/.cache/Shortwave
-blacklist ${HOME}/.cache/Tox
-blacklist ${HOME}/.cache/Zeal
-blacklist ${HOME}/.cache/agenda
-blacklist ${HOME}/.cache/akonadi*
-blacklist ${HOME}/.cache/atril
-blacklist ${HOME}/.cache/attic
-blacklist ${HOME}/.cache/babl
-blacklist ${HOME}/.cache/bnox
-blacklist ${HOME}/.cache/borg
-blacklist ${HOME}/.cache/calibre
-blacklist ${HOME}/.cache/cantata
-blacklist ${HOME}/.cache/champlain
-blacklist ${HOME}/.cache/chromium
-blacklist ${HOME}/.cache/chromium-dev
-blacklist ${HOME}/.cache/cliqz
-blacklist ${HOME}/.cache/com.github.johnfactotum.Foliate
-blacklist ${HOME}/.cache/darktable
-blacklist ${HOME}/.cache/deja-dup
-blacklist ${HOME}/.cache/discover
-blacklist ${HOME}/.cache/dnox
-blacklist ${HOME}/.cache/dolphin
-blacklist ${HOME}/.cache/dolphin-emu
-blacklist ${HOME}/.cache/ephemeral
-blacklist ${HOME}/.cache/epiphany
-blacklist ${HOME}/.cache/evolution
-blacklist ${HOME}/.cache/falkon
-blacklist ${HOME}/.cache/feedreader
-blacklist ${HOME}/.cache/firedragon
-blacklist ${HOME}/.cache/flaska.net/trojita
-blacklist ${HOME}/.cache/folks
-blacklist ${HOME}/.cache/font-manager
-blacklist ${HOME}/.cache/fossamail
-blacklist ${HOME}/.cache/fractal
-blacklist ${HOME}/.cache/freecol
-blacklist ${HOME}/.cache/gajim
-blacklist ${HOME}/.cache/geary
-blacklist ${HOME}/.cache/geeqie
-blacklist ${HOME}/.cache/gegl-0.4
-blacklist ${HOME}/.cache/gfeeds
-blacklist ${HOME}/.cache/gimp
-blacklist ${HOME}/.cache/gnome-boxes
-blacklist ${HOME}/.cache/gnome-builder
-blacklist ${HOME}/.cache/gnome-control-center
-blacklist ${HOME}/.cache/gnome-recipes
-blacklist ${HOME}/.cache/gnome-screenshot
-blacklist ${HOME}/.cache/gnome-software
-blacklist ${HOME}/.cache/gnome-twitch
-blacklist ${HOME}/.cache/godot
-blacklist ${HOME}/.cache/google-chrome
-blacklist ${HOME}/.cache/google-chrome-beta
-blacklist ${HOME}/.cache/google-chrome-unstable
-blacklist ${HOME}/.cache/gradio
-blacklist ${HOME}/.cache/gummi
-blacklist ${HOME}/.cache/icedove
-blacklist ${HOME}/.cache/inkscape
-blacklist ${HOME}/.cache/inox
-blacklist ${HOME}/.cache/io.github.lainsce.Notejot
-blacklist ${HOME}/.cache/iridium
-blacklist ${HOME}/.cache/JetBrains/CLion*
-blacklist ${HOME}/.cache/kcmshell5
-blacklist ${HOME}/.cache/kdenlive
-blacklist ${HOME}/.cache/keepassxc
-blacklist ${HOME}/.cache/kfind
-blacklist ${HOME}/.cache/kinfocenter
-blacklist ${HOME}/.cache/kmail2
-blacklist ${HOME}/.cache/krunner
-blacklist ${HOME}/.cache/krunnerbookmarkrunnerfirefoxdbfile.sqlite*
-blacklist ${HOME}/.cache/kscreenlocker_greet
-blacklist ${HOME}/.cache/ksmserver-logout-greeter
-blacklist ${HOME}/.cache/ksplashqml
-blacklist ${HOME}/.cache/kube
-blacklist ${HOME}/.cache/kwin
-blacklist ${HOME}/.cache/libgweather
-blacklist ${HOME}/.cache/librewolf
-blacklist ${HOME}/.cache/liferea
-blacklist ${HOME}/.cache/lutris
-blacklist ${HOME}/.cache/marker
-blacklist ${HOME}/.cache/matrix-mirage
-blacklist ${HOME}/.cache/microsoft-edge-beta
-blacklist ${HOME}/.cache/microsoft-edge-dev
-blacklist ${HOME}/.cache/midori
-blacklist ${HOME}/.cache/minetest
-blacklist ${HOME}/.cache/mirage
-blacklist ${HOME}/.cache/moonchild productions/basilisk
-blacklist ${HOME}/.cache/moonchild productions/pale moon
-blacklist ${HOME}/.cache/mozilla
-blacklist ${HOME}/.cache/ms-excel-online
-blacklist ${HOME}/.cache/ms-office-online
-blacklist ${HOME}/.cache/ms-onenote-online
-blacklist ${HOME}/.cache/ms-outlook-online
-blacklist ${HOME}/.cache/ms-powerpoint-online
-blacklist ${HOME}/.cache/ms-skype-online
-blacklist ${HOME}/.cache/ms-word-online
-blacklist ${HOME}/.cache/mutt
-blacklist ${HOME}/.cache/mypaint
-blacklist ${HOME}/.cache/netsurf
-blacklist ${HOME}/.cache/nheko
-blacklist ${HOME}/.cache/okular
-blacklist ${HOME}/.cache/opera
-blacklist ${HOME}/.cache/opera-beta
-blacklist ${HOME}/.cache/org.gabmus.gfeeds
-blacklist ${HOME}/.cache/org.gnome.Books
-blacklist ${HOME}/.cache/org.gnome.Maps
-blacklist ${HOME}/.cache/pdfmod
-blacklist ${HOME}/.cache/peek
-blacklist ${HOME}/.cache/pip
-blacklist ${HOME}/.cache/pipe-viewer
-blacklist ${HOME}/.cache/plasmashell
-blacklist ${HOME}/.cache/plasmashellbookmarkrunnerfirefoxdbfile.sqlite*
-blacklist ${HOME}/.cache/psi
-blacklist ${HOME}/.cache/qBittorrent
-blacklist ${HOME}/.cache/quodlibet
-blacklist ${HOME}/.cache/qupzilla
-blacklist ${HOME}/.cache/qutebrowser
-blacklist ${HOME}/.cache/rednotebook
-blacklist ${HOME}/.cache/rhythmbox
-blacklist ${HOME}/.cache/shotwell
-blacklist ${HOME}/.cache/simple-scan
-blacklist ${HOME}/.cache/slimjet
-blacklist ${HOME}/.cache/smuxi
-blacklist ${HOME}/.cache/snox
-blacklist ${HOME}/.cache/spotify
-blacklist ${HOME}/.cache/straw-viewer
-blacklist ${HOME}/.cache/strawberry
-blacklist ${HOME}/.cache/supertuxkart
-blacklist ${HOME}/.cache/systemsettings
-blacklist ${HOME}/.cache/telepathy
-blacklist ${HOME}/.cache/thunderbird
-blacklist ${HOME}/.cache/torbrowser
-blacklist ${HOME}/.cache/transmission
-blacklist ${HOME}/.cache/ungoogled-chromium
-blacklist ${HOME}/.cache/vivaldi
-blacklist ${HOME}/.cache/vivaldi-snapshot
-blacklist ${HOME}/.cache/vlc
-blacklist ${HOME}/.cache/vmware
-blacklist ${HOME}/.cache/warsow-2.1
-blacklist ${HOME}/.cache/waterfox
-blacklist ${HOME}/.cache/wesnoth
-blacklist ${HOME}/.cache/winetricks
-blacklist ${HOME}/.cache/xmms2
-blacklist ${HOME}/.cache/xournalpp
-blacklist ${HOME}/.cache/xreader
-blacklist ${HOME}/.cache/yandex-browser
-blacklist ${HOME}/.cache/yandex-browser-beta
-blacklist ${HOME}/.cache/youtube-dl
-blacklist ${HOME}/.cache/youtube-viewer
-blacklist ${HOME}/.cache/yt-dlp
-blacklist ${HOME}/.cache/zim
diff --git a/etc/inc/whitelist-run-common.inc b/etc/inc/whitelist-run-common.inc
index 224d21064..d74655a08 100644
--- a/etc/inc/whitelist-run-common.inc
+++ b/etc/inc/whitelist-run-common.inc
@@ -7,5 +7,9 @@ whitelist /run/cups/cups.sock
 whitelist /run/dbus/system_bus_socket
 whitelist /run/media
 whitelist /run/resolvconf/resolv.conf
+whitelist /run/shm
+whitelist /run/systemd/journal/dev-log
+whitelist /run/systemd/journal/socket
 whitelist /run/systemd/resolve/resolv.conf
 whitelist /run/systemd/resolve/stub-resolv.conf
+whitelist /run/udev/data
diff --git a/etc/profile-a-l/Books.profile b/etc/profile-a-l/Books.profile
index 76fd21d32..a256e942f 100644
--- a/etc/profile-a-l/Books.profile
+++ b/etc/profile-a-l/Books.profile
@@ -1,5 +1,10 @@
 # Firejail profile for gnome-books
 # This file is overwritten after every install/update
+# Persistent local customizations
+include Books.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
 # Temporary fix for https://github.com/netblue30/firejail/issues/2624
diff --git a/etc/profile-a-l/abiword.profile b/etc/profile-a-l/abiword.profile
index 005a502c4..0e7126458 100644
--- a/etc/profile-a-l/abiword.profile
+++ b/etc/profile-a-l/abiword.profile
@@ -42,7 +42,7 @@ tracelog
 private-bin abiword
 private-cache
 private-dev
-private-etc fonts,gtk-3.0,passwd
+private-etc alternatives,fonts,gtk-3.0,ld.so.cache,ld.so.preload,passwd
 private-tmp
 # dbus-user none
diff --git a/etc/profile-a-l/agetpkg.profile b/etc/profile-a-l/agetpkg.profile
index fea25fd58..dd3b2e59b 100644
--- a/etc/profile-a-l/agetpkg.profile
+++ b/etc/profile-a-l/agetpkg.profile
@@ -50,7 +50,7 @@ tracelog
 private-bin agetpkg,python3
 private-cache
 private-dev
-private-etc ca-certificates,crypto-policies,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl
 private-tmp
 dbus-user none
diff --git a/etc/profile-a-l/akonadi_control.profile b/etc/profile-a-l/akonadi_control.profile
index 168e81985..f3fb678d1 100644
--- a/etc/profile-a-l/akonadi_control.profile
+++ b/etc/profile-a-l/akonadi_control.profile
@@ -27,6 +27,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
+include whitelist-run-common.inc
 include whitelist-var-common.inc
 # disabled options below are not compatible with the apparmor profile for mysqld-akonadi.
diff --git a/etc/profile-a-l/akregator.profile b/etc/profile-a-l/akregator.profile
index d1e7df37b..39008d67a 100644
--- a/etc/profile-a-l/akregator.profile
+++ b/etc/profile-a-l/akregator.profile
@@ -25,6 +25,7 @@ whitelist ${HOME}/.local/share/akregator
 whitelist ${HOME}/.local/share/kssl
 whitelist ${HOME}/.local/share/kxmlgui5/akregator
 include whitelist-common.inc
+include whitelist-run-common.inc
 include whitelist-var-common.inc
 caps.drop all
diff --git a/etc/profile-a-l/alacarte.profile b/etc/profile-a-l/alacarte.profile
index 69b499c74..5a528595b 100644
--- a/etc/profile-a-l/alacarte.profile
+++ b/etc/profile-a-l/alacarte.profile
@@ -53,7 +53,7 @@ disable-mnt
 # private-bin alacarte,bash,python*,sh
 private-cache
 private-dev
-private-etc alternatives,dconf,fonts,gtk-3.0,locale.alias,locale.conf,login.defs,mime.types,nsswitch.conf,passwd,pki,X11,xdg
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,locale.alias,locale.conf,login.defs,mime.types,nsswitch.conf,passwd,pki,X11,xdg
 private-tmp
 dbus-user none
diff --git a/etc/profile-a-l/alienarena.profile b/etc/profile-a-l/alienarena.profile
index 62857a3e2..68512e37b 100644
--- a/etc/profile-a-l/alienarena.profile
+++ b/etc/profile-a-l/alienarena.profile
@@ -29,7 +29,6 @@ caps.drop all
 netfilter
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/profile-a-l/amarok.profile b/etc/profile-a-l/amarok.profile
index e7b78f7d0..7d8ec481d 100644
--- a/etc/profile-a-l/amarok.profile
+++ b/etc/profile-a-l/amarok.profile
@@ -39,7 +39,7 @@ dbus-user.own org.kde.amarok
 dbus-user.own org.mpris.amarok
 dbus-user.own org.mpris.MediaPlayer2.amarok
 dbus-user.talk org.freedesktop.Notifications
-dbus-user.talk org.kde.StatusNotifierWatcher
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
 # If you're not on kde-plasma add the next lines to your amarok.local.
 #dbus-user.own org.kde.kded
 #dbus-user.own org.kde.klauncher
diff --git a/etc/profile-a-l/amule.profile b/etc/profile-a-l/amule.profile
index 3ce05c5bc..e82c145d1 100644
--- a/etc/profile-a-l/amule.profile
+++ b/etc/profile-a-l/amule.profile
@@ -32,6 +32,7 @@ nosound
 notv
 nou2f
 novideo
+# Add netlink protocol to use UPnP
 protocol unix,inet,inet6
 seccomp
 shell none
diff --git a/etc/profile-a-l/anki.profile b/etc/profile-a-l/anki.profile
index fa4dfbb6f..f6d711b2e 100644
--- a/etc/profile-a-l/anki.profile
+++ b/etc/profile-a-l/anki.profile
@@ -50,7 +50,7 @@ disable-mnt
 private-bin anki,python*
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,fonts,gtk-2.0,hostname,hosts,machine-id,pki,resolv.conf,ssl,Trolltech.conf
+private-etc alternatives,ca-certificates,fonts,gtk-2.0,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,pki,resolv.conf,ssl,Trolltech.conf
 private-tmp
 dbus-user none
diff --git a/etc/profile-a-l/aria2c.profile b/etc/profile-a-l/aria2c.profile
index 737cf3095..8aef75cd1 100644
--- a/etc/profile-a-l/aria2c.profile
+++ b/etc/profile-a-l/aria2c.profile
@@ -45,7 +45,7 @@ private-bin aria2c,gzip
 # Add 'private-cache' to your aria2c.local if you don't use Lutris/winetricks (see issue #2772).
 #private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,groups,login.defs,machine-id,nsswitch.conf,passwd,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,groups,ld.so.cache,ld.so.preload,login.defs,machine-id,nsswitch.conf,passwd,pki,resolv.conf,ssl
 private-lib libreadline.so.*
 private-tmp
diff --git a/etc/profile-a-l/ark.profile b/etc/profile-a-l/ark.profile
index 45071dc62..a26592f3a 100644
--- a/etc/profile-a-l/ark.profile
+++ b/etc/profile-a-l/ark.profile
@@ -16,6 +16,7 @@ include disable-interpreters.inc
 include disable-programs.inc
 whitelist /usr/share/ark
+include whitelist-run-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/arm.profile b/etc/profile-a-l/arm.profile
index 3253fb586..6676d42e9 100644
--- a/etc/profile-a-l/arm.profile
+++ b/etc/profile-a-l/arm.profile
@@ -43,6 +43,6 @@ tracelog
 disable-mnt
 private-bin arm,bash,ldconfig,lsof,ps,python*,sh,tor
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,passwd,pki,ssl,tor
+private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,passwd,pki,ssl,tor
 private-tmp
diff --git a/etc/profile-a-l/artha.profile b/etc/profile-a-l/artha.profile
index 8d74b6ba4..254f3f571 100644
--- a/etc/profile-a-l/artha.profile
+++ b/etc/profile-a-l/artha.profile
@@ -56,7 +56,7 @@ disable-mnt
 private-bin artha,enchant,notify-send
 private-cache
 private-dev
-private-etc alternatives,fonts,machine-id
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id
 private-lib libnotify.so.*
 private-tmp
diff --git a/etc/profile-a-l/atool.profile b/etc/profile-a-l/atool.profile
index e377de2c8..6399bc1a3 100644
--- a/etc/profile-a-l/atool.profile
+++ b/etc/profile-a-l/atool.profile
@@ -13,7 +13,7 @@ include allow-perl.inc
 noroot
 # without login.defs atool complains and uses UID/GID 1000 by default
-private-etc alternatives,group,login.defs,passwd
+private-etc alternatives,group,ld.so.cache,ld.so.preload,login.defs,passwd
 private-tmp
 # Redirect
diff --git a/etc/profile-a-l/atril.profile b/etc/profile-a-l/atril.profile
index f7c62926f..264bc0215 100644
--- a/etc/profile-a-l/atril.profile
+++ b/etc/profile-a-l/atril.profile
@@ -42,7 +42,7 @@ tracelog
 private-bin 7z,7za,7zr,atril,atril-previewer,atril-thumbnailer,sh,tar,unrar,unzip,zipnote
 private-dev
-private-etc alternatives,fonts,ld.so.cache
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 # atril uses webkit gtk to display epub files
 # waiting for globbing support in private-lib; for now hardcoding it to webkit2gtk-4.0
 #private-lib webkit2gtk-4.0 - problems on Arch with the new version of WebKit
diff --git a/etc/profile-a-l/audacious.profile b/etc/profile-a-l/audacious.profile
index d71370b7e..e9ecdd72e 100644
--- a/etc/profile-a-l/audacious.profile
+++ b/etc/profile-a-l/audacious.profile
@@ -17,6 +17,7 @@ include disable-interpreters.inc
 include disable-programs.inc
 include disable-xdg.inc
+include whitelist-run-common.inc
 include whitelist-var-common.inc
 apparmor
diff --git a/etc/profile-a-l/authenticator-rs.profile b/etc/profile-a-l/authenticator-rs.profile
index 411c5f4d3..a8af1928b 100644
--- a/etc/profile-a-l/authenticator-rs.profile
+++ b/etc/profile-a-l/authenticator-rs.profile
@@ -47,7 +47,7 @@ disable-mnt
 private-bin authenticator-rs
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,pki,resolv.conf,ssl,xdg
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl,xdg
 private-tmp
 dbus-user filter
diff --git a/etc/profile-a-l/authenticator.profile b/etc/profile-a-l/authenticator.profile
index 0f0fb7ceb..f9a03ca68 100644
--- a/etc/profile-a-l/authenticator.profile
+++ b/etc/profile-a-l/authenticator.profile
@@ -39,7 +39,7 @@ shell none
 disable-mnt
 # private-bin authenticator,python*
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl
 private-tmp
 # makes settings immutable
diff --git a/etc/profile-a-l/baloo_file.profile b/etc/profile-a-l/baloo_file.profile
index 252016bec..55d2453d8 100644
--- a/etc/profile-a-l/baloo_file.profile
+++ b/etc/profile-a-l/baloo_file.profile
@@ -25,6 +25,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
+include whitelist-run-common.inc
 include whitelist-var-common.inc
 apparmor
diff --git a/etc/profile-a-l/balsa.profile b/etc/profile-a-l/balsa.profile
index 197f787ca..be3543b08 100644
--- a/etc/profile-a-l/balsa.profile
+++ b/etc/profile-a-l/balsa.profile
@@ -66,7 +66,7 @@ tracelog
 private-bin balsa,balsa-ab,gpg,gpg-agent,gpg2,gpgsm
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,groups,gtk-2.0,gtk-3.0,hostname,hosts,mailname,passwd,pki,resolv.conf,selinux,ssl,xdg
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,groups,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,mailname,passwd,pki,resolv.conf,selinux,ssl,xdg
 private-tmp
 writable-run-user
 writable-var
@@ -79,4 +79,4 @@ dbus-user.talk org.freedesktop.secrets
 dbus-user.talk org.gnome.keyring.SystemPrompter
 dbus-system none
-read-only ${HOME}/.mozilla/firefox/profiles.ini
-\ No newline at end of file
+read-only ${HOME}/.mozilla/firefox/profiles.ini
diff --git a/etc/profile-a-l/bibletime.profile b/etc/profile-a-l/bibletime.profile
index 0104dc181..be29ce8a7 100644
--- a/etc/profile-a-l/bibletime.profile
+++ b/etc/profile-a-l/bibletime.profile
@@ -52,7 +52,7 @@ disable-mnt
 # private-bin bibletime,qt5ct
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,login.defs,machine-id,passwd,pki,resolv.conf,ssl,sword,sword.conf
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,login.defs,machine-id,passwd,pki,resolv.conf,ssl,sword,sword.conf
 private-tmp
 dbus-user none
diff --git a/etc/profile-a-l/bijiben.profile b/etc/profile-a-l/bijiben.profile
index 61cd792b1..b86232860 100644
--- a/etc/profile-a-l/bijiben.profile
+++ b/etc/profile-a-l/bijiben.profile
@@ -51,7 +51,7 @@ disable-mnt
 private-bin bijiben
 # private-cache -- access to .cache/tracker is required
 private-dev
-private-etc dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload
 private-tmp
 dbus-user filter
diff --git a/etc/profile-a-l/bitwarden.profile b/etc/profile-a-l/bitwarden.profile
index ba2eb2ea7..f8114c71b 100644
--- a/etc/profile-a-l/bitwarden.profile
+++ b/etc/profile-a-l/bitwarden.profile
@@ -23,7 +23,7 @@ no3d
 nosound
 ?HAS_APPIMAGE: ignore private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,hosts,nsswitch.conf,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,hosts,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl
 private-opt Bitwarden
 # Redirect
diff --git a/etc/profile-a-l/bless.profile b/etc/profile-a-l/bless.profile
index 61d1c3a1e..3e20ed133 100644
--- a/etc/profile-a-l/bless.profile
+++ b/etc/profile-a-l/bless.profile
@@ -35,7 +35,7 @@ shell none
 # private-bin bash,bless,mono,sh
 private-cache
 private-dev
-private-etc alternatives,fonts,mono
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,mono
 private-tmp
 dbus-user none
diff --git a/etc/profile-a-l/blobby.profile b/etc/profile-a-l/blobby.profile
index 11d705c5b..d7df3bc49 100644
--- a/etc/profile-a-l/blobby.profile
+++ b/etc/profile-a-l/blobby.profile
@@ -41,7 +41,7 @@ tracelog
 disable-mnt
 private-bin blobby
 private-dev
-private-etc alsa,alternatives,asound.conf,drirc,group,hosts,login.defs,machine-id,passwd,pulse
+private-etc alsa,alternatives,asound.conf,drirc,group,hosts,ld.so.cache,ld.so.preload,login.defs,machine-id,passwd,pulse
 private-lib
 private-tmp
diff --git a/etc/profile-a-l/blobwars.profile b/etc/profile-a-l/blobwars.profile
index 6e3d4256c..cc2fda3f2 100644
--- a/etc/profile-a-l/blobwars.profile
+++ b/etc/profile-a-l/blobwars.profile
@@ -19,6 +19,7 @@ include disable-xdg.inc
 mkdir ${HOME}/.parallelrealities/blobwars
 whitelist ${HOME}/.parallelrealities/blobwars
 whitelist /usr/share/blobwars
+whitelist /usr/share/games/blobwars
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -28,7 +29,6 @@ caps.drop all
 net none
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
@@ -43,7 +43,7 @@ disable-mnt
 private-bin blobwars
 private-cache
 private-dev
-private-etc machine-id
+private-etc alternatives,ld.so.cache,ld.so.preload,machine-id
 private-tmp
 dbus-user none
diff --git a/etc/profile-a-l/bsdtar.profile b/etc/profile-a-l/bsdtar.profile
index d731a6a6e..fbc7c9056 100644
--- a/etc/profile-a-l/bsdtar.profile
+++ b/etc/profile-a-l/bsdtar.profile
@@ -6,7 +6,7 @@ include bsdtar.local
 # Persistent global definitions
 include globals.local
-private-etc alternatives,group,localtime,passwd
+private-etc alternatives,group,ld.so.cache,ld.so.preload,localtime,passwd
 # Redirect
 include archiver-common.profile
diff --git a/etc/profile-a-l/build-systems-common.profile b/etc/profile-a-l/build-systems-common.profile
new file mode 100644
index 000000000..1b199d612
--- /dev/null
+++ b/etc/profile-a-l/build-systems-common.profile
@@ -0,0 +1,66 @@
+# Firejail profile for build-systems-common
+# This file is overwritten after every install/update
+# Persistent local customizations
+include build-systems-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+ignore noexec ${HOME}
+ignore noexec /tmp
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
+# Allow ssh (blacklisted by disable-common.inc)
+#include allow-ssh.inc
+blacklist ${RUNUSER}
+include disable-common.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-X11.inc
+include disable-xdg.inc
+#whitelist ${HOME}/Projects
+#include whitelist-common.inc
+whitelist /usr/share/pkgconfig
+include whitelist-run-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+caps.drop all
+ipc-namespace
+machine-id
+# net none
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+disable-mnt
+private-cache
+private-dev
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/bundle.profile b/etc/profile-a-l/bundle.profile
new file mode 100644
index 000000000..bb82022b1
--- /dev/null
+++ b/etc/profile-a-l/bundle.profile
@@ -0,0 +1,23 @@
+# Firejail profile for bundle
+# Description: Ruby Dependency Management
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include bundle.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.bundle
+# Allow ruby (blacklisted by disable-interpreters.inc)
+include allow-ruby.inc
+#whitelist ${HOME}/.bundle
+#whitelist ${HOME}/.gem
+#whitelist ${HOME}/.local/share/gem
+whitelist /usr/share/gems
+whitelist /usr/share/ruby
+whitelist /usr/share/rubygems
+# Redirect
+include build-systems-common.profile
diff --git a/etc/profile-a-l/cameramonitor.profile b/etc/profile-a-l/cameramonitor.profile
index ae9e0f1d2..92c455144 100644
--- a/etc/profile-a-l/cameramonitor.profile
+++ b/etc/profile-a-l/cameramonitor.profile
@@ -46,7 +46,7 @@ tracelog
 disable-mnt
 private-bin cameramonitor,python*
 private-cache
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 private-tmp
 # dbus-user none
diff --git a/etc/profile-a-l/cargo.profile b/etc/profile-a-l/cargo.profile
index ff46cd429..4c8afd895 100644
--- a/etc/profile-a-l/cargo.profile
+++ b/etc/profile-a-l/cargo.profile
@@ -7,66 +7,18 @@ include cargo.local
 # Persistent global definitions
 include globals.local
-ignore noexec ${HOME}
+ignore read-only ${HOME}/.cargo/bin
-ignore noexec /tmp
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}
 noblacklist ${HOME}/.cargo/credentials
 noblacklist ${HOME}/.cargo/credentials.toml
-# Allows files commonly used by IDEs
-include allow-common-devel.inc
-# Allow ssh (blacklisted by disable-common.inc)
-#include allow-ssh.inc
-include disable-common.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-programs.inc
-include disable-xdg.inc
-#mkdir ${HOME}/.cargo
-#whitelist ${HOME}/YOUR_CARGO_PROJECTS
 #whitelist ${HOME}/.cargo
 #whitelist ${HOME}/.rustup
-#include whitelist-common.inc
-whitelist /usr/share/pkgconfig
-include whitelist-runuser-common.inc
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
-caps.drop all
-ipc-namespace
-machine-id
-netfilter
-no3d
-nodvd
-nogroups
-noinput
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix,inet,inet6
-seccomp
-seccomp.block-secondary
-shell none
-tracelog
-disable-mnt
 #private-bin cargo,rustc
-private-cache
-private-dev
 private-etc alternatives,ca-certificates,crypto-policies,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,magic,magic.mgc,nsswitch.conf,passwd,pki,protocols,resolv.conf,rpc,services,ssl
-private-tmp
-dbus-user none
-dbus-system none
 memory-deny-write-execute
-read-write ${HOME}/.cargo/bin
+# Redirect
+include build-systems-common.profile
diff --git a/etc/profile-a-l/cawbird.profile b/etc/profile-a-l/cawbird.profile
index 78df5af83..c7a98250e 100644
--- a/etc/profile-a-l/cawbird.profile
+++ b/etc/profile-a-l/cawbird.profile
@@ -39,7 +39,7 @@ disable-mnt
 private-bin cawbird
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,pki,resolv.conf,ssl,X11,xdg
+private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,nsswitch.conf,pki,resolv.conf,ssl,X11,xdg
 private-tmp
 # dbus-user none
diff --git a/etc/profile-a-l/celluloid.profile b/etc/profile-a-l/celluloid.profile
index 0beeaafdd..1a9340632 100644
--- a/etc/profile-a-l/celluloid.profile
+++ b/etc/profile-a-l/celluloid.profile
@@ -53,7 +53,7 @@ tracelog
 private-bin celluloid,env,gnome-mpv,python*,youtube-dl
 private-cache
-private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hosts,ld.so.cache,libva.conf,localtime,machine-id,pkcs11,pki,resolv.conf,selinux,ssl,xdg
+private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hosts,ld.so.cache,ld.so.preload,libva.conf,localtime,machine-id,pkcs11,pki,resolv.conf,selinux,ssl,xdg
 private-dev
 private-tmp
diff --git a/etc/profile-a-l/cheese.profile b/etc/profile-a-l/cheese.profile
index c2fc064f3..713d8a5e4 100644
--- a/etc/profile-a-l/cheese.profile
+++ b/etc/profile-a-l/cheese.profile
@@ -9,17 +9,23 @@ include globals.local
 noblacklist ${VIDEOS}
 noblacklist ${PICTURES}
+include allow-python3.inc
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 whitelist ${VIDEOS}
 whitelist ${PICTURES}
+whitelist /usr/libexec/gstreamer-1.0/gst-plugin-scanner
 whitelist /usr/share/gnome-video-effects
+whitelist /usr/share/gstreamer-1.0
 include whitelist-common.inc
+include whitelist-run-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -30,21 +36,26 @@ machine-id
 net none
 nodvd
 nogroups
+noinput
 nonewprivs
 noroot
+nosound
 notv
 nou2f
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 disable-mnt
 private-bin cheese
 private-cache
-private-etc alternatives,clutter-1.0,dconf,drirc,fonts,gtk-3.0
+private-dev
+private-etc alternatives,clutter-1.0,dconf,drirc,fonts,gtk-3.0,ld.so.cache,ld.so.preload
 private-tmp
 dbus-user filter
+dbus-user.own org.gnome.Cheese
 dbus-user.talk ca.desrt.dconf
 dbus-system none
diff --git a/etc/profile-a-l/clawsker.profile b/etc/profile-a-l/clawsker.profile
index 8ccf67ba1..677d2b7eb 100644
--- a/etc/profile-a-l/clawsker.profile
+++ b/etc/profile-a-l/clawsker.profile
@@ -44,7 +44,7 @@ disable-mnt
 private-bin bash,clawsker,perl,sh,which
 private-cache
 private-dev
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 private-lib girepository-1.*,libdbus-glib-1.so.*,libetpan.so.*,libgirepository-1.*,libgtk-3.so.*,libgtk-x11-2.0.so.*,libstartup-notification-1.so.*,perl*
 private-tmp
diff --git a/etc/profile-a-l/cmake.profile b/etc/profile-a-l/cmake.profile
new file mode 100644
index 000000000..26cc2a00a
--- /dev/null
+++ b/etc/profile-a-l/cmake.profile
@@ -0,0 +1,13 @@
+# Firejail profile for cargo
+# Description: The Rust package manager
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include cargo.local
+# Persistent global definitions
+include globals.local
+memory-deny-write-execute
+# Redirect
+include build-systems-common.profile
diff --git a/etc/profile-a-l/cmus.profile b/etc/profile-a-l/cmus.profile
index 19a30e694..7421debe0 100644
--- a/etc/profile-a-l/cmus.profile
+++ b/etc/profile-a-l/cmus.profile
@@ -27,4 +27,4 @@ seccomp
 shell none
 private-bin cmus
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,machine-id,pki,pulse,resolv.conf,ssl
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl
diff --git a/etc/profile-a-l/codium.profile b/etc/profile-a-l/codium.profile
new file mode 100644
index 000000000..9ff87ed8a
--- /dev/null
+++ b/etc/profile-a-l/codium.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for VSCodium
+# This file is overwritten after every install/update
+# Persistent local customizations
+include codium.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include vscodium.profile
diff --git a/etc/profile-a-l/cola.profile b/etc/profile-a-l/cola.profile
index e5debfd82..97bf6d394 100644
--- a/etc/profile-a-l/cola.profile
+++ b/etc/profile-a-l/cola.profile
@@ -7,4 +7,4 @@ include cola.local
 include globals.local
 # Redirect
-include git-cola.profile
-\ No newline at end of file
+include git-cola.profile
diff --git a/etc/profile-a-l/com.github.bleakgrey.tootle.profile b/etc/profile-a-l/com.github.bleakgrey.tootle.profile
index 8d9de93bb..27780b669 100644
--- a/etc/profile-a-l/com.github.bleakgrey.tootle.profile
+++ b/etc/profile-a-l/com.github.bleakgrey.tootle.profile
@@ -45,7 +45,7 @@ disable-mnt
 private-bin com.github.bleakgrey.tootle
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,machine-id mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,machine-id mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg
 private-tmp
 # Settings are immutable
diff --git a/etc/profile-a-l/com.github.dahenson.agenda.profile b/etc/profile-a-l/com.github.dahenson.agenda.profile
index e7aa32be9..0e29d90de 100644
--- a/etc/profile-a-l/com.github.dahenson.agenda.profile
+++ b/etc/profile-a-l/com.github.dahenson.agenda.profile
@@ -52,7 +52,7 @@ disable-mnt
 private-bin com.github.dahenson.agenda
 private-cache
 private-dev
-private-etc dconf,fonts,gtk-3.0
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload
 private-tmp
 dbus-user filter
diff --git a/etc/profile-a-l/com.github.johnfactotum.Foliate.profile b/etc/profile-a-l/com.github.johnfactotum.Foliate.profile
index aa9a19fcb..24222164b 100644
--- a/etc/profile-a-l/com.github.johnfactotum.Foliate.profile
+++ b/etc/profile-a-l/com.github.johnfactotum.Foliate.profile
@@ -55,7 +55,7 @@ disable-mnt
 private-bin com.github.johnfactotum.Foliate,gjs
 private-cache
 private-dev
-private-etc dconf,fonts,gconf,gtk-3.0
+private-etc alternatives,dconf,fonts,gconf,gtk-3.0,ld.so.cache,ld.so.preload
 private-tmp
 read-only ${HOME}
diff --git a/etc/profile-a-l/coyim.profile b/etc/profile-a-l/coyim.profile
index 03218d85a..099253b21 100644
--- a/etc/profile-a-l/coyim.profile
+++ b/etc/profile-a-l/coyim.profile
@@ -40,7 +40,7 @@ tracelog
 disable-mnt
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,machine-id,pki,ssl
 private-tmp
 dbus-user none
diff --git a/etc/profile-a-l/crow.profile b/etc/profile-a-l/crow.profile
index 177abf829..ed1213687 100644
--- a/etc/profile-a-l/crow.profile
+++ b/etc/profile-a-l/crow.profile
@@ -39,7 +39,7 @@ shell none
 disable-mnt
 private-bin crow
 private-dev
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,ld.so.cache,ld.so.preload,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl
 private-opt none
 private-tmp
 private-srv none
diff --git a/etc/profile-a-l/d-feet.profile b/etc/profile-a-l/d-feet.profile
index 0e4b8d475..c75bc756f 100644
--- a/etc/profile-a-l/d-feet.profile
+++ b/etc/profile-a-l/d-feet.profile
@@ -50,7 +50,7 @@ disable-mnt
 private-bin d-feet,python*
 private-cache
 private-dev
-private-etc alternatives,dbus-1,fonts,machine-id
+private-etc alternatives,dbus-1,fonts,ld.so.cache,ld.so.preload,machine-id
 private-tmp
 #memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/profile-a-l/dbus-send.profile b/etc/profile-a-l/dbus-send.profile
index 768f1ac2c..e1b96f186 100644
--- a/etc/profile-a-l/dbus-send.profile
+++ b/etc/profile-a-l/dbus-send.profile
@@ -51,7 +51,7 @@ private
 private-bin dbus-send
 private-cache
 private-dev
-private-etc alternatives,dbus-1
+private-etc alternatives,dbus-1,ld.so.cache,ld.so.preload
 private-lib libpcre*
 private-tmp
diff --git a/etc/profile-a-l/dconf-editor.profile b/etc/profile-a-l/dconf-editor.profile
index f57063ab6..8c3c22dcf 100644
--- a/etc/profile-a-l/dconf-editor.profile
+++ b/etc/profile-a-l/dconf-editor.profile
@@ -43,7 +43,7 @@ disable-mnt
 private-bin dconf-editor
 private-cache
 private-dev
-private-etc alternatives,dconf,fonts,gtk-3.0,machine-id
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,machine-id
 private-lib
 private-tmp
diff --git a/etc/profile-a-l/dconf.profile b/etc/profile-a-l/dconf.profile
index 8b7c86789..b170842c3 100644
--- a/etc/profile-a-l/dconf.profile
+++ b/etc/profile-a-l/dconf.profile
@@ -46,7 +46,7 @@ disable-mnt
 private-bin dconf,gsettings
 private-cache
 private-dev
-private-etc alternatives,dconf
+private-etc alternatives,dconf,ld.so.cache,ld.so.preload
 private-lib
 private-tmp
diff --git a/etc/profile-a-l/ddgtk.profile b/etc/profile-a-l/ddgtk.profile
index 701755d93..e9b8f5c47 100644
--- a/etc/profile-a-l/ddgtk.profile
+++ b/etc/profile-a-l/ddgtk.profile
@@ -45,7 +45,7 @@ tracelog
 disable-mnt
 private-bin bash,dd,ddgtk,grep,lsblk,python*,sed,sh,tr
 private-cache
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 private-tmp
 dbus-user none
diff --git a/etc/profile-a-l/devhelp.profile b/etc/profile-a-l/devhelp.profile
index a416bc27e..562f6b105 100644
--- a/etc/profile-a-l/devhelp.profile
+++ b/etc/profile-a-l/devhelp.profile
@@ -42,7 +42,7 @@ disable-mnt
 private-bin devhelp
 private-cache
 private-dev
-private-etc alternatives,dconf,fonts,ld.so.cache,machine-id,ssl
+private-etc alternatives,dconf,fonts,ld.so.cache,ld.so.preload,machine-id,ssl
 private-tmp
 # makes settings immutable
diff --git a/etc/profile-a-l/devilspie.profile b/etc/profile-a-l/devilspie.profile
index 89c8e1ae8..a0f24c388 100644
--- a/etc/profile-a-l/devilspie.profile
+++ b/etc/profile-a-l/devilspie.profile
@@ -48,7 +48,7 @@ disable-mnt
 private-bin devilspie
 private-cache
 private-dev
-private-etc alternatives
+private-etc alternatives,ld.so.cache,ld.so.preload
 private-lib gconv
 private-tmp
diff --git a/etc/profile-a-l/discord-common.profile b/etc/profile-a-l/discord-common.profile
index 2613027ba..c04e38899 100644
--- a/etc/profile-a-l/discord-common.profile
+++ b/etc/profile-a-l/discord-common.profile
@@ -24,7 +24,7 @@ whitelist ${HOME}/.config/BetterDiscord
 whitelist ${HOME}/.local/share/betterdiscordctl
 private-bin bash,cut,echo,egrep,electron,electron[0-9],electron[0-9][0-9],fish,grep,head,sed,sh,tclsh,tr,xdg-mime,xdg-open,zsh
-private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,login.defs,machine-id,password,pki,pulse,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.preload,localtime,login.defs,machine-id,password,pki,pulse,resolv.conf,ssl
 join-or-start discord
diff --git a/etc/profile-a-l/display.profile b/etc/profile-a-l/display.profile
index 0f134bd87..8a8d816a3 100644
--- a/etc/profile-a-l/display.profile
+++ b/etc/profile-a-l/display.profile
@@ -40,7 +40,7 @@ shell none
 private-bin display,python*
 private-dev
 # On Debian-based systems, display is a symlink in /etc/alternatives
-private-etc alternatives
+private-etc alternatives,ld.so.cache,ld.so.preload
 private-tmp
 dbus-user none
diff --git a/etc/profile-a-l/dragon.profile b/etc/profile-a-l/dragon.profile
index 26243ab4e..d5591adfb 100644
--- a/etc/profile-a-l/dragon.profile
+++ b/etc/profile-a-l/dragon.profile
@@ -19,6 +19,7 @@ include disable-shell.inc
 include disable-xdg.inc
 whitelist /usr/share/dragonplayer
+include whitelist-run-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/drawio.profile b/etc/profile-a-l/drawio.profile
index 6d5e2501f..df7be55de 100644
--- a/etc/profile-a-l/drawio.profile
+++ b/etc/profile-a-l/drawio.profile
@@ -45,7 +45,7 @@ shell none
 private-bin drawio
 private-cache
 private-dev
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 private-tmp
 dbus-user none
diff --git a/etc/profile-a-l/easystroke.profile b/etc/profile-a-l/easystroke.profile
index fd7f252b6..20cffae73 100644
--- a/etc/profile-a-l/easystroke.profile
+++ b/etc/profile-a-l/easystroke.profile
@@ -45,7 +45,7 @@ disable-mnt
 #private-bin bash,easystroke,sh
 private-cache
 private-dev
-private-etc alternatives,fonts,group,passwd
+private-etc alternatives,fonts,group,ld.so.cache,ld.so.preload,passwd
 # breaks custom shell command functionality
 #private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*
 private-tmp
diff --git a/etc/profile-a-l/electron-mail.profile b/etc/profile-a-l/electron-mail.profile
index 9aac3f570..09d14045a 100644
--- a/etc/profile-a-l/electron-mail.profile
+++ b/etc/profile-a-l/electron-mail.profile
@@ -45,7 +45,7 @@ shell none
 private-bin electron-mail
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,nsswitch.conf,pki,resolv.conf,selinux,ssl,xdg
+private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,selinux,ssl,xdg
 private-opt ElectronMail
 private-tmp
diff --git a/etc/profile-a-l/electrum.profile b/etc/profile-a-l/electrum.profile
index 1647f2bc4..dfbe5cee4 100644
--- a/etc/profile-a-l/electrum.profile
+++ b/etc/profile-a-l/electrum.profile
@@ -47,7 +47,7 @@ private-bin electrum,python*
 private-cache
 ?HAS_APPIMAGE: ignore private-dev
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,machine-id,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,ld.so.cache,ld.so.preload,machine-id,pki,resolv.conf,ssl
 private-tmp
 # dbus-user none
diff --git a/etc/profile-a-l/email-common.profile b/etc/profile-a-l/email-common.profile
index 03fd9033a..ac73f002f 100644
--- a/etc/profile-a-l/email-common.profile
+++ b/etc/profile-a-l/email-common.profile
@@ -12,7 +12,7 @@ noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.mozilla
 noblacklist ${HOME}/.signature
 # when storing mail outside the default ${HOME}/Mail path, 'noblacklist' the custom path in your email-common.local
-# and 'blacklist' it in your disable-common.local too so it is  kept hidden from other applications
+# and 'blacklist' it in your disable-common.local too so it is kept hidden from other applications
 noblacklist ${HOME}/Mail
 noblacklist ${DOCUMENTS}
@@ -66,7 +66,7 @@ tracelog
 # disable-mnt
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gnupg,groups,gtk-2.0,gtk-3.0,hostname,hosts,hosts.conf,mailname,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssl,xdg
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gnupg,groups,gtk-2.0,gtk-3.0,hostname,hosts,hosts.conf,ld.so.cache,ld.so.preload,mailname,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssl,xdg
 private-tmp
 # encrypting and signing email
 writable-run-user
diff --git a/etc/profile-a-l/enchant.profile b/etc/profile-a-l/enchant.profile
index dc383984e..eff0f64ea 100644
--- a/etc/profile-a-l/enchant.profile
+++ b/etc/profile-a-l/enchant.profile
@@ -48,7 +48,7 @@ x11 none
 private-bin enchant,enchant-*
 private-cache
 private-dev
-private-etc alternatives
+private-etc alternatives,ld.so.cache,ld.so.preload
 private-lib
 private-tmp
diff --git a/etc/profile-a-l/eo-common.profile b/etc/profile-a-l/eo-common.profile
index 02112ef20..31f39e210 100644
--- a/etc/profile-a-l/eo-common.profile
+++ b/etc/profile-a-l/eo-common.profile
@@ -47,6 +47,6 @@ tracelog
 private-cache
 private-dev
-private-etc alternatives,dconf,fonts,gtk-3.0
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload
 private-lib eog,eom,gdk-pixbuf-2.*,gio,girepository-1.*,gvfs,libgconf-2.so.*
 private-tmp
diff --git a/etc/profile-a-l/eog.profile b/etc/profile-a-l/eog.profile
index 5892374bd..65e5c6e69 100644
--- a/etc/profile-a-l/eog.profile
+++ b/etc/profile-a-l/eog.profile
@@ -18,7 +18,7 @@ whitelist /usr/share/eog
 private-bin eog
-# broken on Debian 10 (buster) running LXDE got the folowing error:
+# broken on Debian 10 (buster) running LXDE got the following error:
 # Failed to register: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: org.freedesktop.DBus.Error.ServiceUnknown
 #dbus-user filter
 #dbus-user.own org.gnome.eog
diff --git a/etc/profile-a-l/equalx.profile b/etc/profile-a-l/equalx.profile
index 7566f7b50..0c3b790d5 100644
--- a/etc/profile-a-l/equalx.profile
+++ b/etc/profile-a-l/equalx.profile
@@ -54,7 +54,7 @@ disable-mnt
 private-bin equalx,gs,pdflatex,pdftocairo
 private-cache
 private-dev
-private-etc equalx,equalx.conf,fonts,gtk-2.0,latexmk.conf,machine-id,papersize,passwd,texlive,Trolltech.conf
+private-etc alternatives,equalx,equalx.conf,fonts,gtk-2.0,latexmk.conf,ld.so.cache,ld.so.preload,machine-id,papersize,passwd,texlive,Trolltech.conf
 private-tmp
 dbus-user none
diff --git a/etc/profile-a-l/evince.profile b/etc/profile-a-l/evince.profile
index 19ad5799c..63e456488 100644
--- a/etc/profile-a-l/evince.profile
+++ b/etc/profile-a-l/evince.profile
@@ -54,7 +54,7 @@ tracelog
 private-bin evince,evince-previewer,evince-thumbnailer
 private-cache
 private-dev
-private-etc alternatives,fonts,group,ld.so.cache,machine-id,passwd
+private-etc alternatives,fonts,group,ld.so.cache,ld.so.preload,machine-id,passwd
 # private-lib might break two-page-view on some systems
 private-lib evince,gcc/*/*/libgcc_s.so.*,gcc/*/*/libstdc++.so.*,gconv,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libarchive.so.*,libdjvulibre.so.*,libgconf-2.so.*,libgraphite2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,libspectre.so.*
 private-tmp
diff --git a/etc/profile-a-l/exiftool.profile b/etc/profile-a-l/exiftool.profile
index 49a16f2f2..ae550e842 100644
--- a/etc/profile-a-l/exiftool.profile
+++ b/etc/profile-a-l/exiftool.profile
@@ -48,7 +48,7 @@ x11 none
 #private-bin exiftool,perl
 private-cache
 private-dev
-private-etc alternatives
+private-etc alternatives,ld.so.cache,ld.so.preload
 private-tmp
 dbus-user none
diff --git a/etc/profile-a-l/falkon.profile b/etc/profile-a-l/falkon.profile
index 3911a8c75..321cb0145 100644
--- a/etc/profile-a-l/falkon.profile
+++ b/etc/profile-a-l/falkon.profile
@@ -23,6 +23,7 @@ whitelist ${HOME}/.cache/falkon
 whitelist ${HOME}/.config/falkon
 whitelist /usr/share/falkon
 include whitelist-common.inc
+include whitelist-run-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -46,7 +47,7 @@ disable-mnt
 # private-bin falkon
 private-cache
 private-dev
-private-etc adobe,alternatives,asound.conf,ati,ca-certificates,crypto-policies,dconf,drirc,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg
+private-etc adobe,alternatives,asound.conf,ati,ca-certificates,crypto-policies,dconf,drirc,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg
 private-tmp
 # dbus-user filter
diff --git a/etc/profile-a-l/fdns.profile b/etc/profile-a-l/fdns.profile
index 25e1082ad..ee775566e 100644
--- a/etc/profile-a-l/fdns.profile
+++ b/etc/profile-a-l/fdns.profile
@@ -42,7 +42,7 @@ private
 private-bin bash,fdns,sh
 private-cache
 #private-dev
-private-etc ca-certificates,crypto-policies,fdns,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pki,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fdns,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pki,ssl
 # private-lib
 private-tmp
diff --git a/etc/profile-a-l/feh-network.inc.profile b/etc/profile-a-l/feh-network.inc.profile
index 690b39171..7293e89a8 100644
--- a/etc/profile-a-l/feh-network.inc.profile
+++ b/etc/profile-a-l/feh-network.inc.profile
@@ -5,4 +5,4 @@ include feh-network.inc.local
 ignore net none
 netfilter
 protocol unix,inet,inet6
-private-etc ca-certificates,crypto-policies,hosts,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,hosts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl
diff --git a/etc/profile-a-l/feh.profile b/etc/profile-a-l/feh.profile
index 0fdb1d3d3..4b8d41170 100644
--- a/etc/profile-a-l/feh.profile
+++ b/etc/profile-a-l/feh.profile
@@ -36,7 +36,7 @@ shell none
 private-bin feh,jpegexiforient,jpegtran
 private-cache
 private-dev
-private-etc alternatives,feh
+private-etc alternatives,feh,ld.so.cache,ld.so.preload
 private-tmp
 dbus-user none
diff --git a/etc/profile-a-l/ffplay.profile b/etc/profile-a-l/ffplay.profile
index 04134cbf4..52abb99d4 100644
--- a/etc/profile-a-l/ffplay.profile
+++ b/etc/profile-a-l/ffplay.profile
@@ -14,7 +14,7 @@ ignore nogroups
 ignore nosound
 private-bin ffplay
-private-etc alsa,asound.conf,group
+private-etc alsa,alternatives,asound.conf,group,ld.so.cache,ld.so.preload
 # Redirect
 include ffmpeg.profile
diff --git a/etc/profile-a-l/file-roller.profile b/etc/profile-a-l/file-roller.profile
index 434466139..06a8f6170 100644
--- a/etc/profile-a-l/file-roller.profile
+++ b/etc/profile-a-l/file-roller.profile
@@ -43,7 +43,7 @@ tracelog
 private-bin 7z,7za,7zr,ar,arj,atool,bash,brotli,bsdtar,bzip2,compress,cp,cpio,dpkg-deb,file-roller,gtar,gzip,isoinfo,lha,lrzip,lsar,lz4,lzip,lzma,lzop,mv,p7zip,rar,rm,rzip,sh,tar,unace,unalz,unar,uncompress,unrar,unsquashfs,unstuff,unzip,unzstd,xz,xzdec,zip,zoo,zstd
 private-cache
 private-dev
-private-etc dconf,fonts,gtk-3.0,xdg
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,xdg
 # private-tmp
 dbus-system none
diff --git a/etc/profile-a-l/firefox-common.profile b/etc/profile-a-l/firefox-common.profile
index 20ae039aa..ef647b5a0 100644
--- a/etc/profile-a-l/firefox-common.profile
+++ b/etc/profile-a-l/firefox-common.profile
@@ -19,6 +19,7 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
+include disable-proc.inc
 include disable-programs.inc
 mkdir ${HOME}/.pki
diff --git a/etc/profile-a-l/flameshot.profile b/etc/profile-a-l/flameshot.profile
index e9241efc3..f80297022 100644
--- a/etc/profile-a-l/flameshot.profile
+++ b/etc/profile-a-l/flameshot.profile
@@ -52,7 +52,7 @@ tracelog
 disable-mnt
 private-bin flameshot
 private-cache
-private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.conf,machine-id,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.preload,machine-id,pki,resolv.conf,ssl
 private-dev
 #private-tmp
@@ -63,6 +63,6 @@ dbus-user.talk org.freedesktop.Notifications
 dbus-user.talk org.freedesktop.portal.Desktop
 dbus-user.talk org.gnome.Shell
 dbus-user.talk org.kde.KWin
-dbus-user.talk org.kde.StatusNotifierWatcher
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
-dbus-user.own org.kde.*
+?ALLOW_TRAY: dbus-user.own org.kde.*
 dbus-system none
diff --git a/etc/profile-a-l/freetube.profile b/etc/profile-a-l/freetube.profile
index 7beb2bcba..cb00ce11b 100644
--- a/etc/profile-a-l/freetube.profile
+++ b/etc/profile-a-l/freetube.profile
@@ -16,7 +16,7 @@ mkdir ${HOME}/.config/FreeTube
 whitelist ${HOME}/.config/FreeTube
 private-bin electron,electron[0-9],electron[0-9][0-9],freetube,sh
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg
 # Redirect
 include electron.profile
diff --git a/etc/profile-a-l/frogatto.profile b/etc/profile-a-l/frogatto.profile
index fa08b4956..8419998de 100644
--- a/etc/profile-a-l/frogatto.profile
+++ b/etc/profile-a-l/frogatto.profile
@@ -45,7 +45,7 @@ disable-mnt
 private-bin frogatto,sh
 private-cache
 private-dev
-private-etc machine-id
+private-etc alternatives,ld.so.cache,ld.so.preload,machine-id
 private-tmp
 dbus-user none
diff --git a/etc/profile-a-l/frozen-bubble.profile b/etc/profile-a-l/frozen-bubble.profile
index bb35c9447..88943760a 100644
--- a/etc/profile-a-l/frozen-bubble.profile
+++ b/etc/profile-a-l/frozen-bubble.profile
@@ -30,7 +30,6 @@ caps.drop all
 net none
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/profile-a-l/funnyboat.profile b/etc/profile-a-l/funnyboat.profile
index 1009f345b..4a08fca9b 100644
--- a/etc/profile-a-l/funnyboat.profile
+++ b/etc/profile-a-l/funnyboat.profile
@@ -35,7 +35,6 @@ ipc-namespace
 netfilter
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/profile-a-l/gajim.profile b/etc/profile-a-l/gajim.profile
index b0d017db9..6d764a0f9 100644
--- a/etc/profile-a-l/gajim.profile
+++ b/etc/profile-a-l/gajim.profile
@@ -59,7 +59,7 @@ disable-mnt
 private-bin bash,gajim,gajim-history-manager,gpg,gpg2,paplay,python*,sh,zsh
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,hostname,hosts,ld.so.cache,ld.so.conf,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl,xdg
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.preload,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl,xdg
 private-tmp
 writable-run-user
diff --git a/etc/profile-a-l/galculator.profile b/etc/profile-a-l/galculator.profile
index 50b1c319c..4efe41f8d 100644
--- a/etc/profile-a-l/galculator.profile
+++ b/etc/profile-a-l/galculator.profile
@@ -43,7 +43,7 @@ tracelog
 private-bin galculator
 private-cache
 private-dev
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 private-lib
 private-tmp
diff --git a/etc/profile-a-l/gallery-dl.profile b/etc/profile-a-l/gallery-dl.profile
index 9c8200dc4..2947873ef 100644
--- a/etc/profile-a-l/gallery-dl.profile
+++ b/etc/profile-a-l/gallery-dl.profile
@@ -12,7 +12,7 @@ noblacklist ${HOME}/.config/gallery-dl
 noblacklist ${HOME}/.gallery-dl.conf
 private-bin gallery-dl
-private-etc gallery-dl.conf
+private-etc alternatives,gallery-dl.conf,ld.so.cache,ld.so.preload
 # Redirect
 include youtube-dl.profile
diff --git a/etc/profile-a-l/gapplication.profile b/etc/profile-a-l/gapplication.profile
index 8263423a0..ec5b733c8 100644
--- a/etc/profile-a-l/gapplication.profile
+++ b/etc/profile-a-l/gapplication.profile
@@ -49,7 +49,7 @@ private
 private-bin gapplication
 private-cache
 private-dev
-private-etc none
+private-etc alternatives,ld.so.cache,ld.so.preload
 private-tmp
 # Add the next line to your gapplication.local to filter D-Bus names.
diff --git a/etc/profile-a-l/gcloud.profile b/etc/profile-a-l/gcloud.profile
index 388f4c0df..297e5d345 100644
--- a/etc/profile-a-l/gcloud.profile
+++ b/etc/profile-a-l/gcloud.profile
@@ -36,7 +36,7 @@ tracelog
 disable-mnt
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,hosts,ld.so.cache,localtime,nsswitch.conf,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,hosts,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,pki,resolv.conf,ssl
 private-tmp
 dbus-user none
diff --git a/etc/profile-a-l/gconf.profile b/etc/profile-a-l/gconf.profile
index b01d88f80..a45374d4e 100644
--- a/etc/profile-a-l/gconf.profile
+++ b/etc/profile-a-l/gconf.profile
@@ -54,7 +54,7 @@ disable-mnt
 private-bin gconf-editor,gconf-merge-*,gconfpkg,gconftool-2,gsettings-*-convert,python2*
 private-cache
 private-dev
-private-etc alternatives,fonts,gconf
+private-etc alternatives,fonts,gconf,ld.so.cache,ld.so.preload
 private-lib GConf,libpython*,python2*
 private-tmp
diff --git a/etc/profile-a-l/geary.profile b/etc/profile-a-l/geary.profile
index 29c620556..cececd9e9 100644
--- a/etc/profile-a-l/geary.profile
+++ b/etc/profile-a-l/geary.profile
@@ -70,7 +70,7 @@ tracelog
 private-bin geary
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,pki,resolv.conf,ssl,xdg
+private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl,xdg
 private-tmp
 dbus-user filter
diff --git a/etc/profile-a-l/geekbench.profile b/etc/profile-a-l/geekbench.profile
index f0e17963c..243b893b9 100644
--- a/etc/profile-a-l/geekbench.profile
+++ b/etc/profile-a-l/geekbench.profile
@@ -6,6 +6,10 @@ include geekbench.local
 # Persistent global definitions
 include globals.local
+noblacklist ${HOME}/.geekbench5
+noblacklist /sbin
+noblacklist /usr/sbin
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -13,6 +17,8 @@ include disable-interpreters.inc
 include disable-programs.inc
 include disable-xdg.inc
+mkdir ${HOME}/.geekbench5
+whitelist ${HOME}/.geekbench5
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -39,16 +45,14 @@ shell none
 tracelog
 disable-mnt
-private-bin bash,geekbenc*,sh
+#private-bin bash,geekbench*,sh -- #4576
 private-cache
 private-dev
-private-etc alternatives,group,lsb-release,passwd
+private-etc alternatives,group,ld.so.cache,ld.so.preload,lsb-release,passwd
-private-lib gcc/*/*/libstdc++.so.*
-private-opt none
 private-tmp
 dbus-user none
 dbus-system none
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
 read-only ${HOME}
+read-write ${HOME}/.geekbench5
diff --git a/etc/profile-a-l/gget.profile b/etc/profile-a-l/gget.profile
index b2adaa8e4..bc1199914 100644
--- a/etc/profile-a-l/gget.profile
+++ b/etc/profile-a-l/gget.profile
@@ -49,7 +49,7 @@ disable-mnt
 private-bin gget
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl
 private-lib
 private-tmp
diff --git a/etc/profile-a-l/gimp.profile b/etc/profile-a-l/gimp.profile
index df9c2ac7a..28070cb9c 100644
--- a/etc/profile-a-l/gimp.profile
+++ b/etc/profile-a-l/gimp.profile
@@ -39,6 +39,7 @@ whitelist /usr/share/gegl-0.4
 whitelist /usr/share/gimp
 whitelist /usr/share/mypaint-data
 whitelist /usr/share/lensfun
+include whitelist-run-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/gist.profile b/etc/profile-a-l/gist.profile
index 80fa18119..506ab7127 100644
--- a/etc/profile-a-l/gist.profile
+++ b/etc/profile-a-l/gist.profile
@@ -52,7 +52,7 @@ tracelog
 disable-mnt
 private-cache
 private-dev
-private-etc alternatives
+private-etc alternatives,ld.so.cache,ld.so.preload
 private-tmp
 dbus-user none
diff --git a/etc/profile-a-l/git-cola.profile b/etc/profile-a-l/git-cola.profile
index f77adef63..6439c8821 100644
--- a/etc/profile-a-l/git-cola.profile
+++ b/etc/profile-a-l/git-cola.profile
@@ -70,7 +70,7 @@ tracelog
 private-bin basename,bash,cola,envsubst,gettext,git,git-cola,git-dag,git-gui,gitk,gpg,gpg-agent,nano,ps,python*,sh,ssh,ssh-agent,tclsh,tr,wc,which,xed
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gitconfig,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,localtime,login.defs,machine-id,mime.types,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssh,ssl,X11,xdg
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gitconfig,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,login.defs,machine-id,mime.types,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssh,ssl,X11,xdg
 private-tmp
 writable-run-user
diff --git a/etc/profile-a-l/gitter.profile b/etc/profile-a-l/gitter.profile
index 5dfb48189..16358d064 100644
--- a/etc/profile-a-l/gitter.profile
+++ b/etc/profile-a-l/gitter.profile
@@ -37,7 +37,7 @@ shell none
 disable-mnt
 private-bin bash,env,gitter
-private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,pulse,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,pki,pulse,resolv.conf,ssl
 private-opt Gitter
 private-dev
 private-tmp
diff --git a/etc/profile-a-l/gl-117.profile b/etc/profile-a-l/gl-117.profile
index 35d969e6d..edb85048b 100644
--- a/etc/profile-a-l/gl-117.profile
+++ b/etc/profile-a-l/gl-117.profile
@@ -29,7 +29,6 @@ caps.drop all
 net none
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/profile-a-l/glaxium.profile b/etc/profile-a-l/glaxium.profile
index dec0daef2..b5f98b411 100644
--- a/etc/profile-a-l/glaxium.profile
+++ b/etc/profile-a-l/glaxium.profile
@@ -29,7 +29,6 @@ caps.drop all
 net none
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/profile-a-l/gmpc.profile b/etc/profile-a-l/gmpc.profile
index 4aa4b6c20..e53297c06 100644
--- a/etc/profile-a-l/gmpc.profile
+++ b/etc/profile-a-l/gmpc.profile
@@ -44,7 +44,7 @@ tracelog
 disable-mnt
 #private-bin gmpc
 private-cache
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 private-tmp
 writable-run-user
diff --git a/etc/profile-a-l/gnome-calendar.profile b/etc/profile-a-l/gnome-calendar.profile
index c8903a991..f9df83e2a 100644
--- a/etc/profile-a-l/gnome-calendar.profile
+++ b/etc/profile-a-l/gnome-calendar.profile
@@ -45,7 +45,7 @@ private
 private-bin gnome-calendar
 private-cache
 private-dev
-private-etc ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,localtime,nsswitch.conf,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,pki,resolv.conf,ssl
 private-tmp
 dbus-user filter
diff --git a/etc/profile-a-l/gnome-chess.profile b/etc/profile-a-l/gnome-chess.profile
index d038d775a..dc9092a93 100644
--- a/etc/profile-a-l/gnome-chess.profile
+++ b/etc/profile-a-l/gnome-chess.profile
@@ -50,5 +50,5 @@ disable-mnt
 private-bin fairymax,gnome-chess,gnuchess,hoichess
 private-cache
 private-dev
-private-etc alternatives,dconf,fonts,gnome-chess,gtk-3.0
+private-etc alternatives,dconf,fonts,gnome-chess,gtk-3.0,ld.so.cache,ld.so.preload
 private-tmp
diff --git a/etc/profile-a-l/gnome-clocks.profile b/etc/profile-a-l/gnome-clocks.profile
index 96a39f6ce..90665add6 100644
--- a/etc/profile-a-l/gnome-clocks.profile
+++ b/etc/profile-a-l/gnome-clocks.profile
@@ -42,6 +42,6 @@ disable-mnt
 private-bin gnome-clocks,gsound-play
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,hosts,localtime,machine-id,pkcs11,pki,ssl
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,pkcs11,pki,ssl
 private-tmp
diff --git a/etc/profile-a-l/gnome-hexgl.profile b/etc/profile-a-l/gnome-hexgl.profile
index 19a4bc5c7..ab6279608 100644
--- a/etc/profile-a-l/gnome-hexgl.profile
+++ b/etc/profile-a-l/gnome-hexgl.profile
@@ -42,7 +42,7 @@ private
 private-bin gnome-hexgl
 private-cache
 private-dev
-private-etc alsa,asound.conf,machine-id,pulse
+private-etc alsa,alternatives,asound.conf,ld.so.cache,ld.so.preload,machine-id,pulse
 private-tmp
 dbus-user none
diff --git a/etc/profile-a-l/gnome-latex.profile b/etc/profile-a-l/gnome-latex.profile
index 26c2c4409..39a6718a6 100644
--- a/etc/profile-a-l/gnome-latex.profile
+++ b/etc/profile-a-l/gnome-latex.profile
@@ -48,6 +48,6 @@ tracelog
 private-cache
 private-dev
 # passwd,login.defs,firejail are a temporary workaround for #2877 and can be removed once it is fixed
-private-etc alternatives,dconf,fonts,gtk-3.0,latexmk.conf,login.defs,passwd,texlive
+private-etc alternatives,dconf,fonts,gtk-3.0,latexmk.conf,ld.so.cache,ld.so.preload,login.defs,passwd,texlive
 dbus-system none
diff --git a/etc/profile-a-l/gnome-logs.profile b/etc/profile-a-l/gnome-logs.profile
index 2c15f7592..7ee4d8b75 100644
--- a/etc/profile-a-l/gnome-logs.profile
+++ b/etc/profile-a-l/gnome-logs.profile
@@ -40,7 +40,7 @@ disable-mnt
 private-bin gnome-logs
 private-cache
 private-dev
-private-etc alternatives,fonts,localtime,machine-id
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,localtime,machine-id
 private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*
 private-tmp
 writable-var-log
diff --git a/etc/profile-a-l/gnome-music.profile b/etc/profile-a-l/gnome-music.profile
index a00edfa37..7b79fa15d 100644
--- a/etc/profile-a-l/gnome-music.profile
+++ b/etc/profile-a-l/gnome-music.profile
@@ -42,6 +42,6 @@ tracelog
 # private-bin calls a file manager - whatever is installed!
 #private-bin env,gio-launch-desktop,gnome-music,python*,yelp
 private-dev
-private-etc alternatives,asound.conf,dconf,fonts,fonts,gtk-3.0,machine-id,pulse,selinux,xdg
+private-etc alternatives,asound.conf,dconf,fonts,fonts,gtk-3.0,ld.so.cache,ld.so.preload,machine-id,pulse,selinux,xdg
 private-tmp
diff --git a/etc/profile-a-l/gnome-passwordsafe.profile b/etc/profile-a-l/gnome-passwordsafe.profile
index b69899c70..a96ec6f05 100644
--- a/etc/profile-a-l/gnome-passwordsafe.profile
+++ b/etc/profile-a-l/gnome-passwordsafe.profile
@@ -53,7 +53,7 @@ disable-mnt
 private-bin gnome-passwordsafe,python3*
 private-cache
 private-dev
-private-etc dconf,fonts,gtk-3.0,passwd
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,passwd
 private-tmp
 dbus-user filter
diff --git a/etc/profile-a-l/gnome-pie.profile b/etc/profile-a-l/gnome-pie.profile
index 3ab2e4aad..6d30213cb 100644
--- a/etc/profile-a-l/gnome-pie.profile
+++ b/etc/profile-a-l/gnome-pie.profile
@@ -34,7 +34,7 @@ shell none
 disable-mnt
 private-cache
 private-dev
-private-etc alternatives,fonts,machine-id
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id
 private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*
 private-tmp
diff --git a/etc/profile-a-l/gnome-pomodoro.profile b/etc/profile-a-l/gnome-pomodoro.profile
index 256a0c69f..99d569a04 100644
--- a/etc/profile-a-l/gnome-pomodoro.profile
+++ b/etc/profile-a-l/gnome-pomodoro.profile
@@ -44,7 +44,7 @@ disable-mnt
 private-bin gnome-pomodoro
 private-cache
 private-dev
-private-etc dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id
 private-tmp
 dbus-user filter
diff --git a/etc/profile-a-l/gnome-recipes.profile b/etc/profile-a-l/gnome-recipes.profile
index 01162b552..b2ce4a92a 100644
--- a/etc/profile-a-l/gnome-recipes.profile
+++ b/etc/profile-a-l/gnome-recipes.profile
@@ -47,7 +47,7 @@ shell none
 disable-mnt
 private-bin gnome-recipes,tar
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,pki,ssl
 private-lib gdk-pixbuf-2.0,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,libgnutls.so.*,libjpeg.so.*,libp11-kit.so.*,libproxy.so.*,librsvg-2.so.*
 private-tmp
diff --git a/etc/profile-a-l/gnome-screenshot.profile b/etc/profile-a-l/gnome-screenshot.profile
index f5afa9fb3..36c6693a9 100644
--- a/etc/profile-a-l/gnome-screenshot.profile
+++ b/etc/profile-a-l/gnome-screenshot.profile
@@ -42,7 +42,7 @@ tracelog
 disable-mnt
 private-bin gnome-screenshot
 private-dev
-private-etc dconf,fonts,gtk-3.0,localtime,machine-id
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,localtime,machine-id
 private-tmp
 dbus-user filter
diff --git a/etc/profile-a-l/gnome-sound-recorder.profile b/etc/profile-a-l/gnome-sound-recorder.profile
index 159145b1b..28a0205b9 100644
--- a/etc/profile-a-l/gnome-sound-recorder.profile
+++ b/etc/profile-a-l/gnome-sound-recorder.profile
@@ -40,5 +40,5 @@ tracelog
 disable-mnt
 private-cache
 private-dev
-private-etc alsa,asound.conf,dconf,fonts,gtk-2.0,gtk-3.0,machine-id,openal,pango,pulse,xdg
+private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,machine-id,openal,pango,pulse,xdg
 private-tmp
diff --git a/etc/profile-a-l/gnome-system-log.profile b/etc/profile-a-l/gnome-system-log.profile
index 3f9497e80..02b023855 100644
--- a/etc/profile-a-l/gnome-system-log.profile
+++ b/etc/profile-a-l/gnome-system-log.profile
@@ -43,7 +43,7 @@ disable-mnt
 private-bin gnome-system-log
 private-cache
 private-dev
-private-etc alternatives,fonts,localtime,machine-id
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,localtime,machine-id
 private-lib
 private-tmp
 writable-var-log
diff --git a/etc/profile-a-l/gnome-todo.profile b/etc/profile-a-l/gnome-todo.profile
index 4640f7f43..c6cd12250 100644
--- a/etc/profile-a-l/gnome-todo.profile
+++ b/etc/profile-a-l/gnome-todo.profile
@@ -46,7 +46,7 @@ disable-mnt
 private-bin gnome-todo
 private-cache
 private-dev
-private-etc dconf,fonts,gtk-3.0,localtime,passwd,xdg
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,localtime,passwd,xdg
 private-tmp
 dbus-user filter
diff --git a/etc/profile-a-l/gnome_games-common.profile b/etc/profile-a-l/gnome_games-common.profile
index 4ad39a988..9b4f68808 100644
--- a/etc/profile-a-l/gnome_games-common.profile
+++ b/etc/profile-a-l/gnome_games-common.profile
@@ -41,7 +41,7 @@ tracelog
 disable-mnt
 private-cache
 private-dev
-private-etc dconf,fonts,gconf,gtk-2.0,gtk-3.0,machine-id,pango,passwd,X11
+private-etc alternatives,dconf,fonts,gconf,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,machine-id,pango,passwd,X11
 private-tmp
 dbus-user filter
diff --git a/etc/profile-a-l/gnote.profile b/etc/profile-a-l/gnote.profile
index 2d4ce2437..928f2c548 100644
--- a/etc/profile-a-l/gnote.profile
+++ b/etc/profile-a-l/gnote.profile
@@ -51,7 +51,7 @@ disable-mnt
 private-bin gnote
 private-cache
 private-dev
-private-etc dconf,fonts,gtk-3.0,pango,X11
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,pango,X11
 private-tmp
 dbus-user filter
diff --git a/etc/profile-a-l/gnubik.profile b/etc/profile-a-l/gnubik.profile
index 902e76416..c895b4ce9 100644
--- a/etc/profile-a-l/gnubik.profile
+++ b/etc/profile-a-l/gnubik.profile
@@ -43,7 +43,7 @@ private
 private-bin gnubik
 private-cache
 private-dev
-private-etc drirc,fonts,gtk-2.0
+private-etc alternatives,drirc,fonts,gtk-2.0,ld.so.cache,ld.so.preload
 private-tmp
 dbus-user none
diff --git a/etc/profile-a-l/godot.profile b/etc/profile-a-l/godot.profile
index b3c19e97f..46b362db9 100644
--- a/etc/profile-a-l/godot.profile
+++ b/etc/profile-a-l/godot.profile
@@ -38,7 +38,7 @@ tracelog
 # private-bin godot
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,machine-id,mono,nsswitch.conf,openal,pki,pulse,resolv.conf,ssl
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,ld.so.cache,ld.so.preload,machine-id,mono,nsswitch.conf,openal,pki,pulse,resolv.conf,ssl
 private-tmp
 dbus-user none
diff --git a/etc/profile-a-l/goldendict.profile b/etc/profile-a-l/goldendict.profile
new file mode 100644
index 000000000..5251ed427
--- /dev/null
+++ b/etc/profile-a-l/goldendict.profile
@@ -0,0 +1,57 @@
+# Firejail profile for goldendict
+# This file is overwritten after every install/update
+# Persistent local customizations
+include goldendict.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.goldendict
+noblacklist ${HOME}/.cache/GoldenDict
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+mkdir ${HOME}/.goldendict
+mkdir ${HOME}/.cache/GoldenDict
+whitelist ${HOME}/.goldendict
+whitelist ${HOME}/.cache/GoldenDict
+# The default path of dictionaries
+whitelist /usr/share/stardict/dic
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+netfilter
+# no3d leads to the libGL MESA-LOADER errors
+#no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+disable-mnt
+private-bin goldendict
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/googler-common.profile b/etc/profile-a-l/googler-common.profile
index b8e2b04df..a35813a09 100644
--- a/etc/profile-a-l/googler-common.profile
+++ b/etc/profile-a-l/googler-common.profile
@@ -54,7 +54,7 @@ disable-mnt
 private-bin env,python3*,sh,w3m
 private-cache
 private-dev
-private-etc ca-certificates,crypto-policies,host.conf,hostname,hosts,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
+private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
 private-tmp
 dbus-user none
diff --git a/etc/profile-a-l/gpicview.profile b/etc/profile-a-l/gpicview.profile
index 9a782b238..26afe6e49 100644
--- a/etc/profile-a-l/gpicview.profile
+++ b/etc/profile-a-l/gpicview.profile
@@ -41,7 +41,7 @@ tracelog
 private-bin gpicview
 private-cache
 private-dev
-private-etc alternatives,fonts,group,passwd
+private-etc alternatives,fonts,group,ld.so.cache,ld.so.preload,passwd
 private-lib
 private-tmp
diff --git a/etc/profile-a-l/gpredict.profile b/etc/profile-a-l/gpredict.profile
index 54e52d695..511be6fcc 100644
--- a/etc/profile-a-l/gpredict.profile
+++ b/etc/profile-a-l/gpredict.profile
@@ -36,6 +36,6 @@ tracelog
 private-bin gpredict
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl
 private-tmp
diff --git a/etc/profile-a-l/gradio.profile b/etc/profile-a-l/gradio.profile
index 31f95fb80..9cc25e45c 100644
--- a/etc/profile-a-l/gradio.profile
+++ b/etc/profile-a-l/gradio.profile
@@ -45,7 +45,7 @@ disable-mnt
 private-bin gradio
 private-cache
 private-dev
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,machine-id,pki,pulse,resolv.conf,ssl,xdg
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl,xdg
 private-tmp
 dbus-user filter
diff --git a/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile b/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile
index c5bcc85f3..d76ca105f 100644
--- a/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile
+++ b/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile
@@ -40,7 +40,7 @@ private
 private-bin gravity-beams-and-evaporating-stars
 private-cache
 private-dev
-private-etc fonts,machine-id
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id
 private-tmp
 dbus-user none
diff --git a/etc/profile-a-l/gtk-update-icon-cache.profile b/etc/profile-a-l/gtk-update-icon-cache.profile
index 3231374b7..ec8a614fd 100644
--- a/etc/profile-a-l/gtk-update-icon-cache.profile
+++ b/etc/profile-a-l/gtk-update-icon-cache.profile
@@ -46,7 +46,7 @@ disable-mnt
 private-bin gtk-update-icon-cache
 private-cache
 private-dev
-private-etc none
+private-etc alternatives,ld.so.cache,ld.so.preload
 private-lib
 private-tmp
diff --git a/etc/profile-a-l/gwenview.profile b/etc/profile-a-l/gwenview.profile
index 8c4453a8b..d98d341ae 100644
--- a/etc/profile-a-l/gwenview.profile
+++ b/etc/profile-a-l/gwenview.profile
@@ -25,6 +25,7 @@ include disable-interpreters.inc
 include disable-programs.inc
 include disable-shell.inc
+include whitelist-run-common.inc
 include whitelist-var-common.inc
 apparmor
@@ -46,7 +47,7 @@ shell none
 private-bin gimp*,gwenview,kbuildsycoca4,kdeinit4
 private-dev
-private-etc alternatives,fonts,gimp,gtk-2.0,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,pulse,xdg
+private-etc alternatives,fonts,gimp,gtk-2.0,kde4rc,kde5rc,ld.so.cache,ld.so.preload,machine-id,passwd,pulse,xdg
 # dbus-user none
 # dbus-system none
diff --git a/etc/profile-a-l/hyperrogue.profile b/etc/profile-a-l/hyperrogue.profile
index f210a264f..74e0faa7f 100644
--- a/etc/profile-a-l/hyperrogue.profile
+++ b/etc/profile-a-l/hyperrogue.profile
@@ -44,7 +44,7 @@ private-bin hyperrogue
 private-cache
 private-cwd ${HOME}
 private-dev
-private-etc fonts,machine-id
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id
 private-tmp
 dbus-user none
diff --git a/etc/profile-a-l/i2prouter.profile b/etc/profile-a-l/i2prouter.profile
index c875cad72..200b4c8b1 100644
--- a/etc/profile-a-l/i2prouter.profile
+++ b/etc/profile-a-l/i2prouter.profile
@@ -68,5 +68,5 @@ shell none
 disable-mnt
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,group,hostname,hosts,i2p,java-10-openjdk,java-11-openjdk,java-12-openjdk,java-13-openjdk,java-8-openjdk,java-9-openjdk,java-openjdk,ld.so.cache,localtime,machine-id,nsswitch.conf,passwd,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,dconf,group,hostname,hosts,i2p,java-10-openjdk,java-11-openjdk,java-12-openjdk,java-13-openjdk,java-8-openjdk,java-9-openjdk,java-openjdk,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,passwd,pki,resolv.conf,ssl
 private-tmp
diff --git a/etc/profile-a-l/imv.profile b/etc/profile-a-l/imv.profile
new file mode 100644
index 000000000..65e7537bf
--- /dev/null
+++ b/etc/profile-a-l/imv.profile
@@ -0,0 +1,57 @@
+# Firejail profile for imv
+# Description: imv is an image viewer.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include imv.local
+# Persistent global definitions
+include globals.local
+include allow-bin-sh.inc
+blacklist /usr/libexec
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-write-mnt.inc
+# Users may want to view images in ${HOME}
+#include disable-xdg.inc
+# Users may want to view images in ${HOME}
+#include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+# Users may want to view images in /usr/share
+#include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+private-bin imv,imv-wayland,imv-x11,sh
+private-cache
+private-dev
+private-tmp
+dbus-user none
+dbus-system none
+read-only ${HOME}
diff --git a/etc/profile-a-l/inkscape.profile b/etc/profile-a-l/inkscape.profile
index 5e54b5441..016a4d6c8 100644
--- a/etc/profile-a-l/inkscape.profile
+++ b/etc/profile-a-l/inkscape.profile
@@ -1,6 +1,7 @@
 # Firejail profile for inkscape
 # Description: Vector-based drawing program
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include inkscape.local
 # Persistent global definitions
@@ -28,6 +29,7 @@ include disable-programs.inc
 include disable-xdg.inc
 whitelist /usr/share/inkscape
+include whitelist-run-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/ipcalc.profile b/etc/profile-a-l/ipcalc.profile
index ea4ee5ae1..6eefd2945 100644
--- a/etc/profile-a-l/ipcalc.profile
+++ b/etc/profile-a-l/ipcalc.profile
@@ -50,7 +50,7 @@ private-bin bash,ipcalc,ipcalc-ng,perl,sh
 # private-cache
 private-dev
 # empty etc directory
-private-etc none
+private-etc alternatives,ld.so.cache,ld.so.preload
 private-lib
 private-opt none
 private-tmp
diff --git a/etc/profile-a-l/jerry.profile b/etc/profile-a-l/jerry.profile
index 1209c5e11..6ca977512 100644
--- a/etc/profile-a-l/jerry.profile
+++ b/etc/profile-a-l/jerry.profile
@@ -34,7 +34,7 @@ tracelog
 private-bin bash,jerry,sh,stockfish
 private-dev
-private-etc fonts,gtk-2.0,gtk-3.0
+private-etc alternatives,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload
 private-tmp
 dbus-user none
diff --git a/etc/profile-a-l/jumpnbump-menu.profile b/etc/profile-a-l/jumpnbump-menu.profile
index 8d391b90f..59d762f55 100644
--- a/etc/profile-a-l/jumpnbump-menu.profile
+++ b/etc/profile-a-l/jumpnbump-menu.profile
@@ -10,7 +10,7 @@ include jumpnbump-menu.local
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python3.inc
-private-bin jumpnbump-menu,python3*
+private-bin env,jumpnbump-menu,python3*
 # Redirect
 include jumpnbump.profile
diff --git a/etc/profile-a-l/jumpnbump.profile b/etc/profile-a-l/jumpnbump.profile
index 77d3f6bf4..4a9232344 100644
--- a/etc/profile-a-l/jumpnbump.profile
+++ b/etc/profile-a-l/jumpnbump.profile
@@ -27,7 +27,6 @@ caps.drop all
 net none
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
@@ -42,7 +41,7 @@ disable-mnt
 private-bin jumpnbump
 private-cache
 private-dev
-private-etc none
+private-etc alternatives,ld.so.cache,ld.so.preload
 private-tmp
 dbus-user none
diff --git a/etc/profile-a-l/kaffeine.profile b/etc/profile-a-l/kaffeine.profile
index 8799a6f24..e74c57546 100644
--- a/etc/profile-a-l/kaffeine.profile
+++ b/etc/profile-a-l/kaffeine.profile
@@ -22,6 +22,7 @@ include disable-interpreters.inc
 include disable-programs.inc
 include disable-xdg.inc
+include whitelist-run-common.inc
 include whitelist-var-common.inc
 caps.drop all
diff --git a/etc/profile-a-l/kalgebra.profile b/etc/profile-a-l/kalgebra.profile
index 210b7cf03..6ad50cf14 100644
--- a/etc/profile-a-l/kalgebra.profile
+++ b/etc/profile-a-l/kalgebra.profile
@@ -42,7 +42,7 @@ disable-mnt
 private-bin kalgebra,kalgebramobile
 private-cache
 private-dev
-private-etc fonts,machine-id
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id
 private-tmp
 dbus-user none
diff --git a/etc/profile-a-l/kate.profile b/etc/profile-a-l/kate.profile
index d8b2dddb1..8c340d536 100644
--- a/etc/profile-a-l/kate.profile
+++ b/etc/profile-a-l/kate.profile
@@ -29,6 +29,7 @@ include disable-exec.inc
 # include disable-interpreters.inc
 include disable-programs.inc
+include whitelist-run-common.inc
 include whitelist-var-common.inc
 # apparmor
diff --git a/etc/profile-a-l/kazam.profile b/etc/profile-a-l/kazam.profile
index 7b990bf41..277db1c24 100644
--- a/etc/profile-a-l/kazam.profile
+++ b/etc/profile-a-l/kazam.profile
@@ -49,7 +49,7 @@ disable-mnt
 # private-bin kazam,python*
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-2.0,gtk-3.0,machine-id,pulse,selinux,X11,xdg
+private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,machine-id,pulse,selinux,X11,xdg
 private-tmp
 dbus-system none
diff --git a/etc/profile-a-l/kcalc.profile b/etc/profile-a-l/kcalc.profile
index 46e8ccb82..06978cbf1 100644
--- a/etc/profile-a-l/kcalc.profile
+++ b/etc/profile-a-l/kcalc.profile
@@ -28,6 +28,7 @@ whitelist /usr/share/config.kcfg/kcalc.kcfg
 whitelist /usr/share/kcalc
 whitelist /usr/share/kconf_update/kcalcrc.upd
 include whitelist-common.inc
+include whitelist-run-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -55,7 +56,7 @@ disable-mnt
 private-bin kcalc
 private-cache
 private-dev
-private-etc alternatives,fonts,ld.so.cache,locale,locale.conf
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,locale,locale.conf
 # private-lib - problems on Arch
 private-tmp
diff --git a/etc/profile-a-l/kdiff3.profile b/etc/profile-a-l/kdiff3.profile
index 7c9be2bcc..df7ee31dc 100644
--- a/etc/profile-a-l/kdiff3.profile
+++ b/etc/profile-a-l/kdiff3.profile
@@ -23,6 +23,8 @@ include disable-interpreters.inc
 include disable-shell.inc
 include disable-xdg.inc
+# Add the next line to your kdiff3.local if you don't need to compare files in /run.
+#include whitelist-run-common.inc
 include whitelist-runuser-common.inc
 # Add the next line to your kdiff3.local if you don't need to compare files in /usr/share.
 #include whitelist-usr-share-common.inc
@@ -48,7 +50,7 @@ shell none
 tracelog
 disable-mnt
-private-bin  kdiff3
+private-bin kdiff3
 private-cache
 private-dev
diff --git a/etc/profile-a-l/keepassx.profile b/etc/profile-a-l/keepassx.profile
index 768a3cef0..5e2d6d8df 100644
--- a/etc/profile-a-l/keepassx.profile
+++ b/etc/profile-a-l/keepassx.profile
@@ -41,7 +41,7 @@ tracelog
 private-bin keepassx,keepassx2
 private-dev
-private-etc alternatives,fonts,machine-id
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id
 private-tmp
 dbus-user none
diff --git a/etc/profile-a-l/keepassxc.profile b/etc/profile-a-l/keepassxc.profile
index b915f6202..45a707071 100644
--- a/etc/profile-a-l/keepassxc.profile
+++ b/etc/profile-a-l/keepassxc.profile
@@ -88,7 +88,7 @@ tracelog
 private-bin keepassxc,keepassxc-cli,keepassxc-proxy
 private-dev
-private-etc alternatives,fonts,ld.so.cache,machine-id
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id
 private-tmp
 dbus-user filter
@@ -98,11 +98,10 @@ dbus-user.talk org.freedesktop.ScreenSaver
 dbus-user.talk org.gnome.ScreenSaver
 dbus-user.talk org.gnome.SessionManager
 dbus-user.talk org.xfce.ScreenSaver
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
+?ALLOW_TRAY: dbus-user.own org.kde.*
 # Add the next line to your keepassxc.local to allow notifications.
 #dbus-user.talk org.freedesktop.Notifications
-# Add the next line to your keepassxc.local to allow the tray menu.
-#dbus-user.talk org.kde.StatusNotifierWatcher
-#dbus-user.own org.kde.*
 dbus-system filter
 dbus-system.talk org.freedesktop.login1
diff --git a/etc/profile-a-l/kget.profile b/etc/profile-a-l/kget.profile
index ec315b431..9b6646725 100644
--- a/etc/profile-a-l/kget.profile
+++ b/etc/profile-a-l/kget.profile
@@ -20,6 +20,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
+include whitelist-run-common.inc
 include whitelist-var-common.inc
 caps.drop all
diff --git a/etc/profile-a-l/kid3.profile b/etc/profile-a-l/kid3.profile
index e66716eeb..5563aa410 100644
--- a/etc/profile-a-l/kid3.profile
+++ b/etc/profile-a-l/kid3.profile
@@ -37,7 +37,7 @@ tracelog
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hostname,hosts,kde5rc,machine-id,pki,pulse,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hostname,hosts,kde5rc,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl
 private-tmp
 private-opt none
 private-srv none
diff --git a/etc/profile-a-l/kiwix-desktop.profile b/etc/profile-a-l/kiwix-desktop.profile
index 968402a8a..837ea9e36 100644
--- a/etc/profile-a-l/kiwix-desktop.profile
+++ b/etc/profile-a-l/kiwix-desktop.profile
@@ -44,7 +44,7 @@ shell none
 disable-mnt
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,machine-id,pki,pulse,resolv.conf,ssl
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl
 private-tmp
 dbus-user none
diff --git a/etc/profile-a-l/klavaro.profile b/etc/profile-a-l/klavaro.profile
index f733fa42c..46164403b 100644
--- a/etc/profile-a-l/klavaro.profile
+++ b/etc/profile-a-l/klavaro.profile
@@ -45,7 +45,7 @@ disable-mnt
 private-bin bash,klavaro,sh,tclsh,tclsh*
 private-cache
 private-dev
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 private-tmp
 private-opt none
 private-srv none
diff --git a/etc/profile-a-l/kmail.profile b/etc/profile-a-l/kmail.profile
index 2c645677c..0796e6876 100644
--- a/etc/profile-a-l/kmail.profile
+++ b/etc/profile-a-l/kmail.profile
@@ -37,6 +37,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
+include whitelist-run-common.inc
 include whitelist-var-common.inc
 # apparmor
diff --git a/etc/profile-a-l/konversation.profile b/etc/profile-a-l/konversation.profile
index 723fef0d2..1121dc8a5 100644
--- a/etc/profile-a-l/konversation.profile
+++ b/etc/profile-a-l/konversation.profile
@@ -20,6 +20,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
+include whitelist-run-common.inc
 include whitelist-var-common.inc
 caps.drop all
diff --git a/etc/profile-a-l/ktorrent.profile b/etc/profile-a-l/ktorrent.profile
index 9d8aa1bd7..6e3b0c875 100644
--- a/etc/profile-a-l/ktorrent.profile
+++ b/etc/profile-a-l/ktorrent.profile
@@ -37,6 +37,7 @@ whitelist ${HOME}/.kde4/share/config/ktorrentrc
 whitelist ${HOME}/.local/share/ktorrent
 whitelist ${HOME}/.local/share/kxmlgui5/ktorrent
 include whitelist-common.inc
+include whitelist-run-common.inc
 include whitelist-var-common.inc
 caps.drop all
diff --git a/etc/profile-a-l/ktouch.profile b/etc/profile-a-l/ktouch.profile
index 051782172..44da8acca 100644
--- a/etc/profile-a-l/ktouch.profile
+++ b/etc/profile-a-l/ktouch.profile
@@ -46,7 +46,7 @@ disable-mnt
 private-bin ktouch
 private-cache
 private-dev
-private-etc alternatives,fonts,kde5rc,machine-id
+private-etc alternatives,fonts,kde5rc,ld.so.cache,ld.so.preload,machine-id
 private-tmp
 dbus-user none
diff --git a/etc/profile-a-l/kube.profile b/etc/profile-a-l/kube.profile
index 262ffb532..718cbbf40 100644
--- a/etc/profile-a-l/kube.profile
+++ b/etc/profile-a-l/kube.profile
@@ -68,7 +68,7 @@ tracelog
 private-bin kube,sink_synchronizer
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,gcrypt,gtk-2.0,gtk-3.0,hostname,hosts,pki,resolv.conf,selinux,ssl,xdg
+private-etc alternatives,ca-certificates,crypto-policies,fonts,gcrypt,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,pki,resolv.conf,selinux,ssl,xdg
 private-tmp
 writable-run-user
diff --git a/etc/profile-a-l/kwin_x11.profile b/etc/profile-a-l/kwin_x11.profile
index 5bbadfc73..0b8763c29 100644
--- a/etc/profile-a-l/kwin_x11.profile
+++ b/etc/profile-a-l/kwin_x11.profile
@@ -21,6 +21,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
+include whitelist-run-common.inc
 include whitelist-var-common.inc
 caps.drop all
@@ -42,5 +43,5 @@ tracelog
 disable-mnt
 private-bin kwin_x11
 private-dev
-private-etc alternatives,drirc,fonts,kde5rc,ld.so.cache,machine-id,xdg
+private-etc alternatives,drirc,fonts,kde5rc,ld.so.cache,ld.so.preload,machine-id,xdg
 private-tmp
diff --git a/etc/profile-a-l/kwrite.profile b/etc/profile-a-l/kwrite.profile
index 682c7782d..aff6f3181 100644
--- a/etc/profile-a-l/kwrite.profile
+++ b/etc/profile-a-l/kwrite.profile
@@ -24,6 +24,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
+include whitelist-run-common.inc
 include whitelist-var-common.inc
 apparmor
@@ -46,7 +47,7 @@ tracelog
 private-bin kbuildsycoca4,kdeinit4,kwrite
 private-dev
-private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,pulse,xdg
+private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,ld.so.preload,machine-id,pulse,xdg
 private-tmp
 # dbus-user none
diff --git a/etc/profile-a-l/libreoffice.profile b/etc/profile-a-l/libreoffice.profile
index 328307705..12ff79748 100644
--- a/etc/profile-a-l/libreoffice.profile
+++ b/etc/profile-a-l/libreoffice.profile
@@ -21,6 +21,7 @@ include disable-devel.inc
 include disable-exec.inc
 include disable-programs.inc
+include whitelist-run-common.inc
 include whitelist-var-common.inc
 # Debian 10/Ubuntu 18.04 come with their own apparmor profile, but it is not in enforce mode.
diff --git a/etc/profile-a-l/links-common.profile b/etc/profile-a-l/links-common.profile
index bd28f25d6..84f5dc50d 100644
--- a/etc/profile-a-l/links-common.profile
+++ b/etc/profile-a-l/links-common.profile
@@ -47,11 +47,11 @@ shell none
 tracelog
 disable-mnt
-# Add  'private-bin PROGRAM1,PROGRAM2' to your links-common.local  if you want to use user-configured programs.
+# Add 'private-bin PROGRAM1,PROGRAM2' to your links-common.local if you want to use user-configured programs.
 private-bin sh
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl
 # Add the next line to your links-common.local to allow external media players.
 # private-etc alsa,asound.conf,machine-id,openal,pulse
 private-tmp
diff --git a/etc/profile-a-l/lollypop.profile b/etc/profile-a-l/lollypop.profile
index a187ca0fc..fde338ff0 100644
--- a/etc/profile-a-l/lollypop.profile
+++ b/etc/profile-a-l/lollypop.profile
@@ -37,6 +37,6 @@ seccomp
 shell none
 private-dev
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,machine-id,pki,pulse,resolv.conf,ssl,xdg
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl,xdg
 private-tmp
diff --git a/etc/profile-a-l/lyx.profile b/etc/profile-a-l/lyx.profile
index fa69463d1..ae2f2d434 100644
--- a/etc/profile-a-l/lyx.profile
+++ b/etc/profile-a-l/lyx.profile
@@ -32,7 +32,7 @@ apparmor
 machine-id
 # private-bin atril,dvilualatex,env,latex,lua*,luatex,lyx,lyxclient,okular,pdf2latex,pdflatex,pdftex,perl*,python*,qpdf,qpdfview,sh,tex2lyx,texmf,xelatex
-private-etc alternatives,dconf,fonts,gtk-2.0,gtk-3.0,locale,locale.alias,locale.conf,lyx,machine-id,mime.types,passwd,texmf,X11,xdg
+private-etc alternatives,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,locale,locale.alias,locale.conf,lyx,machine-id,mime.types,passwd,texmf,X11,xdg
 # Redirect
 include latex-common.profile
diff --git a/etc/profile-m-z/QOwnNotes.profile b/etc/profile-m-z/QOwnNotes.profile
index 15cb931dd..235640eeb 100644
--- a/etc/profile-m-z/QOwnNotes.profile
+++ b/etc/profile-m-z/QOwnNotes.profile
@@ -50,6 +50,6 @@ tracelog
 disable-mnt
 private-bin gio,QOwnNotes
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hosts,ld.so.cache,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hosts,ld.so.cache,ld.so.preload,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl
 private-tmp
diff --git a/etc/profile-m-z/Viber.profile b/etc/profile-m-z/Viber.profile
index 866d57e67..89ca53af6 100644
--- a/etc/profile-m-z/Viber.profile
+++ b/etc/profile-m-z/Viber.profile
@@ -33,5 +33,5 @@ shell none
 disable-mnt
 private-bin awk,bash,dig,sh,Viber
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hosts,localtime,machine-id,mailcap,nsswitch.conf,pki,proxychains.conf,pulse,resolv.conf,ssl,X11
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,mailcap,nsswitch.conf,pki,proxychains.conf,pulse,resolv.conf,ssl,X11
 private-tmp
diff --git a/etc/profile-m-z/Xvfb.profile b/etc/profile-m-z/Xvfb.profile
index 1acd43023..722e12d9c 100644
--- a/etc/profile-m-z/Xvfb.profile
+++ b/etc/profile-m-z/Xvfb.profile
@@ -43,5 +43,5 @@ private
 # private-bin sh,xkbcomp,Xvfb
 # private-bin bash,cat,ls,sh,strace,xkbcomp,Xvfb
 private-dev
-private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,nsswitch.conf,resolv.conf
+private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.preload,nsswitch.conf,resolv.conf
 private-tmp
diff --git a/etc/profile-m-z/magicor.profile b/etc/profile-m-z/magicor.profile
index fc5ae3ee9..47165dd3d 100644
--- a/etc/profile-m-z/magicor.profile
+++ b/etc/profile-m-z/magicor.profile
@@ -45,7 +45,7 @@ disable-mnt
 private-bin magicor,python2*
 private-cache
 private-dev
-private-etc machine-id
+private-etc alternatives,ld.so.cache,ld.so.preload,machine-id
 private-tmp
 dbus-user none
diff --git a/etc/profile-m-z/make.profile b/etc/profile-m-z/make.profile
new file mode 100644
index 000000000..7e9638fe4
--- /dev/null
+++ b/etc/profile-m-z/make.profile
@@ -0,0 +1,13 @@
+# Firejail profile for make
+# Description: GNU make utility to maintain groups of programs
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include make.local
+# Persistent global definitions
+include globals.local
+memory-deny-write-execute
+# Redirect
+include build-systems-common.profile
diff --git a/etc/profile-m-z/man.profile b/etc/profile-m-z/man.profile
index b2f761230..9c5959091 100644
--- a/etc/profile-m-z/man.profile
+++ b/etc/profile-m-z/man.profile
@@ -58,7 +58,7 @@ disable-mnt
 #private-bin apropos,bash,cat,catman,col,gpreconv,groff,grotty,gunzip,gzip,less,man,most,nroff,preconv,sed,sh,tbl,tr,troff,whatis,which,xtotroff,zcat,zsoelim
 private-cache
 private-dev
-private-etc alternatives,fonts,groff,locale,locale.alias,locale.conf,man_db.conf,manpath.config,selinux,sysless,xdg
+private-etc alternatives,fonts,groff,ld.so.cache,ld.so.preload,locale,locale.alias,locale.conf,man_db.conf,manpath.config,selinux,sysless,xdg
 #private-tmp
 dbus-user none
diff --git a/etc/profile-m-z/masterpdfeditor.profile b/etc/profile-m-z/masterpdfeditor.profile
index e61578ffe..764d040ab 100644
--- a/etc/profile-m-z/masterpdfeditor.profile
+++ b/etc/profile-m-z/masterpdfeditor.profile
@@ -36,6 +36,6 @@ tracelog
 private-cache
 private-dev
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 private-tmp
diff --git a/etc/profile-m-z/mate-calc.profile b/etc/profile-m-z/mate-calc.profile
index 64b184482..2be6b9af1 100644
--- a/etc/profile-m-z/mate-calc.profile
+++ b/etc/profile-m-z/mate-calc.profile
@@ -42,7 +42,7 @@ shell none
 disable-mnt
 private-bin mate-calc,mate-calculator
-private-etc alternatives,dconf,fonts,gtk-3.0
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload
 private-dev
 private-opt none
 private-tmp
diff --git a/etc/profile-m-z/mate-color-select.profile b/etc/profile-m-z/mate-color-select.profile
index a6b49315c..e16b0fc6c 100644
--- a/etc/profile-m-z/mate-color-select.profile
+++ b/etc/profile-m-z/mate-color-select.profile
@@ -33,7 +33,7 @@ shell none
 disable-mnt
 private-bin mate-color-select
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 private-dev
 private-lib
 private-tmp
diff --git a/etc/profile-m-z/mate-dictionary.profile b/etc/profile-m-z/mate-dictionary.profile
index 3f3d027b9..469416304 100644
--- a/etc/profile-m-z/mate-dictionary.profile
+++ b/etc/profile-m-z/mate-dictionary.profile
@@ -37,7 +37,7 @@ shell none
 disable-mnt
 private-bin mate-dictionary
-private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl
 private-opt mate-dictionary
 private-dev
 private-tmp
diff --git a/etc/profile-m-z/mcabber.profile b/etc/profile-m-z/mcabber.profile
index 7592d879c..4c4a6aa76 100644
--- a/etc/profile-m-z/mcabber.profile
+++ b/etc/profile-m-z/mcabber.profile
@@ -31,4 +31,4 @@ shell none
 private-bin mcabber
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,pki,ssl
+private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,pki,ssl
diff --git a/etc/profile-m-z/mdr.profile b/etc/profile-m-z/mdr.profile
index 08d56ede5..bcfd59cbb 100644
--- a/etc/profile-m-z/mdr.profile
+++ b/etc/profile-m-z/mdr.profile
@@ -45,7 +45,7 @@ disable-mnt
 private-bin mdr
 private-cache
 private-dev
-private-etc none
+private-etc alternatives,ld.so.cache,ld.so.preload
 private-lib
 private-tmp
diff --git a/etc/profile-m-z/mediainfo.profile b/etc/profile-m-z/mediainfo.profile
index 7597d4067..9bfbaf745 100644
--- a/etc/profile-m-z/mediainfo.profile
+++ b/etc/profile-m-z/mediainfo.profile
@@ -42,7 +42,7 @@ x11 none
 private-bin mediainfo
 private-cache
 private-dev
-private-etc alternatives
+private-etc alternatives,ld.so.cache,ld.so.preload
 private-tmp
 dbus-user none
diff --git a/etc/profile-m-z/menulibre.profile b/etc/profile-m-z/menulibre.profile
index 4845e9cce..ed0758a49 100644
--- a/etc/profile-m-z/menulibre.profile
+++ b/etc/profile-m-z/menulibre.profile
@@ -52,7 +52,7 @@ tracelog
 disable-mnt
 private-cache
 private-dev
-private-etc alternatives,dconf,fonts,gtk-3.0,locale.alias,locale.conf,mime.types,nsswitch.conf,passwd,pki,selinux,X11,xdg
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,locale.alias,locale.conf,mime.types,nsswitch.conf,passwd,pki,selinux,X11,xdg
 private-tmp
 dbus-user none
diff --git a/etc/profile-m-z/meson.profile b/etc/profile-m-z/meson.profile
new file mode 100644
index 000000000..b4909a9d8
--- /dev/null
+++ b/etc/profile-m-z/meson.profile
@@ -0,0 +1,14 @@
+# Firejail profile for meson
+# Description: A high productivity build system
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include meson.local
+# Persistent global definitions
+include globals.local
+# Allow python3 (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+# Redirect
+include build-systems-common.profile
diff --git a/etc/profile-m-z/microsoft-edge-beta.profile b/etc/profile-m-z/microsoft-edge-beta.profile
index 34d9f470a..095038f08 100644
--- a/etc/profile-m-z/microsoft-edge-beta.profile
+++ b/etc/profile-m-z/microsoft-edge-beta.profile
@@ -17,4 +17,4 @@ whitelist ${HOME}/.config/microsoft-edge-beta
 private-opt microsoft
 # Redirect
-include chromium-common.profile
-\ No newline at end of file
+include chromium-common.profile
diff --git a/etc/profile-m-z/mindless.profile b/etc/profile-m-z/mindless.profile
index ad7e40b12..16ace7ce4 100644
--- a/etc/profile-m-z/mindless.profile
+++ b/etc/profile-m-z/mindless.profile
@@ -42,7 +42,7 @@ private
 private-bin mindless
 private-cache
 private-dev
-private-etc fonts
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 private-tmp
 dbus-user none
diff --git a/etc/profile-m-z/mirrormagic.profile b/etc/profile-m-z/mirrormagic.profile
index c47a16ffd..be846ce63 100644
--- a/etc/profile-m-z/mirrormagic.profile
+++ b/etc/profile-m-z/mirrormagic.profile
@@ -44,7 +44,7 @@ private
 private-bin mirrormagic
 private-cache
 private-dev
-private-etc machine-id
+private-etc alternatives,ld.so.cache,ld.so.preload,machine-id
 private-tmp
 dbus-user none
diff --git a/etc/profile-m-z/mocp.profile b/etc/profile-m-z/mocp.profile
index dbc3c1d40..313d78030 100644
--- a/etc/profile-m-z/mocp.profile
+++ b/etc/profile-m-z/mocp.profile
@@ -42,7 +42,7 @@ tracelog
 private-bin mocp
 private-cache
 private-dev
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,machine-id,pki,pulse,resolv.conf,ssl
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl
 private-tmp
 dbus-user none
diff --git a/etc/profile-m-z/mp3splt-gtk.profile b/etc/profile-m-z/mp3splt-gtk.profile
index f0063d250..fe3c78b55 100644
--- a/etc/profile-m-z/mp3splt-gtk.profile
+++ b/etc/profile-m-z/mp3splt-gtk.profile
@@ -37,7 +37,7 @@ tracelog
 private-bin mp3splt-gtk
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-3.0,machine-id,openal,pulse
+private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,machine-id,openal,pulse
 private-tmp
 dbus-user none
diff --git a/etc/profile-m-z/mp3splt.profile b/etc/profile-m-z/mp3splt.profile
index 400d8a6b6..c89c72ce4 100644
--- a/etc/profile-m-z/mp3splt.profile
+++ b/etc/profile-m-z/mp3splt.profile
@@ -44,7 +44,7 @@ disable-mnt
 private-bin flacsplt,mp3splt,mp3wrap,oggsplt
 private-cache
 private-dev
-private-etc alternatives
+private-etc alternatives,ld.so.cache,ld.so.preload
 private-tmp
 memory-deny-write-execute
diff --git a/etc/profile-m-z/mpDris2.profile b/etc/profile-m-z/mpDris2.profile
index 10964ef24..18a839363 100644
--- a/etc/profile-m-z/mpDris2.profile
+++ b/etc/profile-m-z/mpDris2.profile
@@ -49,7 +49,7 @@ shell none
 private-bin mpDris2,notify-send,python*
 private-cache
 private-dev
-private-etc alternatives,hosts,nsswitch.conf
+private-etc alternatives,hosts,ld.so.cache,ld.so.preload,nsswitch.conf
 private-lib libdbus-1.so.*,libdbus-glib-1.so.*,libgirepository-1.0.so.*,libnotify.so.*,libpython*,python2*,python3*
 private-tmp
diff --git a/etc/profile-m-z/mpv.profile b/etc/profile-m-z/mpv.profile
index fa433b672..efb11465b 100644
--- a/etc/profile-m-z/mpv.profile
+++ b/etc/profile-m-z/mpv.profile
@@ -11,7 +11,7 @@ include globals.local
 # edit ~/.config/mpv/foobar.conf:
 #    screenshot-directory=~/Pictures
-# Mpv has a powerfull lua-API, some off these lua-scripts interact
+# Mpv has a powerful lua-API, some off these lua-scripts interact
 # with external resources which are blocked by firejail. In such cases
 # you need to allow these resources by
 #  - adding additional binaries to private-bin
@@ -74,7 +74,7 @@ seccomp.block-secondary
 shell none
 tracelog
-private-bin env,mpv,python*,waf,youtube-dl
+private-bin env,mpv,python*,waf,youtube-dl,yt-dlp
 # private-cache causes slow OSD, see #2838
 #private-cache
 private-dev
diff --git a/etc/profile-m-z/mrrescue.profile b/etc/profile-m-z/mrrescue.profile
index 530e779fc..3fe88ec7f 100644
--- a/etc/profile-m-z/mrrescue.profile
+++ b/etc/profile-m-z/mrrescue.profile
@@ -37,7 +37,6 @@ caps.drop all
 net none
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
@@ -53,7 +52,7 @@ disable-mnt
 private-bin love,mrrescue,sh
 private-cache
 private-dev
-private-etc machine-id
+private-etc alternatives,ld.so.cache,ld.so.preload,machine-id
 private-tmp
 dbus-user none
diff --git a/etc/profile-m-z/ms-office.profile b/etc/profile-m-z/ms-office.profile
index ad12f53a4..e15b14db7 100644
--- a/etc/profile-m-z/ms-office.profile
+++ b/etc/profile-m-z/ms-office.profile
@@ -35,7 +35,7 @@ tracelog
 disable-mnt
 private-bin bash,env,fonts,jak,ms-office,python*,sh
-private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl
 private-dev
 private-tmp
diff --git a/etc/profile-m-z/mupdf-x11-curl.profile b/etc/profile-m-z/mupdf-x11-curl.profile
index a04d386a2..006f64ba8 100644
--- a/etc/profile-m-z/mupdf-x11-curl.profile
+++ b/etc/profile-m-z/mupdf-x11-curl.profile
@@ -12,7 +12,7 @@ ignore net none
 netfilter
 protocol unix,inet,inet6
-private-etc ca-certificates,crypto-policies,hosts,nsswitch.conf,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,hosts,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl
 # Redirect
 include mupdf.profile
diff --git a/etc/profile-m-z/musixmatch.profile b/etc/profile-m-z/musixmatch.profile
index 07661cac8..796d7fbb0 100644
--- a/etc/profile-m-z/musixmatch.profile
+++ b/etc/profile-m-z/musixmatch.profile
@@ -29,9 +29,9 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6,netlink
-seccomp
+seccomp !chroot
 disable-mnt
 private-dev
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,machine-id,pki,pulse,ssl
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,machine-id,pki,pulse,ssl
diff --git a/etc/profile-m-z/mutt.profile b/etc/profile-m-z/mutt.profile
index c4d96711c..d10c55549 100644
--- a/etc/profile-m-z/mutt.profile
+++ b/etc/profile-m-z/mutt.profile
@@ -134,7 +134,7 @@ tracelog
 # disable-mnt
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,gai.conf,gcrypt,gnupg,gnutls,hostname,hosts,hosts.conf,mail,mailname,Mutt,Muttrc,Muttrc.d,nntpserver,nsswitch.conf,passwd,pki,resolv.conf,ssl,terminfo,xdg
+private-etc alternatives,ca-certificates,crypto-policies,fonts,gai.conf,gcrypt,gnupg,gnutls,hostname,hosts,hosts.conf,ld.so.cache,ld.so.preload,mail,mailname,Mutt,Muttrc,Muttrc.d,nntpserver,nsswitch.conf,passwd,pki,resolv.conf,ssl,terminfo,xdg
 private-tmp
 writable-run-user
 writable-var
diff --git a/etc/profile-m-z/mypaint.profile b/etc/profile-m-z/mypaint.profile
index 1b4fc4346..74301df06 100644
--- a/etc/profile-m-z/mypaint.profile
+++ b/etc/profile-m-z/mypaint.profile
@@ -43,7 +43,7 @@ tracelog
 private-cache
 private-dev
-private-etc alternatives,dconf,fonts,gtk-3.0
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload
 private-tmp
 dbus-user none
diff --git a/etc/profile-m-z/nano.profile b/etc/profile-m-z/nano.profile
index 996a1722a..f7c1f0ff7 100644
--- a/etc/profile-m-z/nano.profile
+++ b/etc/profile-m-z/nano.profile
@@ -49,7 +49,7 @@ private-dev
 # Add the next lines to your nano.local if you want to edit files in /etc directly.
 #ignore private-etc
 #writable-etc
-private-etc alternatives,nanorc
+private-etc alternatives,ld.so.cache,ld.so.preload,nanorc
 # Add the next line to your nano.local if you want to edit files in /var directly.
 #writable-var
diff --git a/etc/profile-m-z/neochat.profile b/etc/profile-m-z/neochat.profile
index 58cc716d9..0f55b674f 100644
--- a/etc/profile-m-z/neochat.profile
+++ b/etc/profile-m-z/neochat.profile
@@ -60,6 +60,6 @@ private-tmp
 dbus-user filter
 dbus-user.own org.kde.neochat
 dbus-user.talk org.freedesktop.Notifications
-dbus-user.talk org.kde.StatusNotifierWatcher
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
 dbus-user.talk org.kde.kwalletd5
 dbus-system none
diff --git a/etc/profile-m-z/neomutt.profile b/etc/profile-m-z/neomutt.profile
index 7e627a52e..f31cf9dcb 100644
--- a/etc/profile-m-z/neomutt.profile
+++ b/etc/profile-m-z/neomutt.profile
@@ -137,7 +137,7 @@ tracelog
 # disable-mnt
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gnupg,hostname,hosts,hosts.conf,mail,mailname,Mutt,Muttrc,Muttrc.d,neomuttrc,neomuttrc.d,nntpserver,nsswitch.conf,passwd,pki,resolv.conf,ssl,xdg
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gnupg,hostname,hosts,hosts.conf,ld.so.cache,ld.so.preload,mail,mailname,Mutt,Muttrc,Muttrc.d,neomuttrc,neomuttrc.d,nntpserver,nsswitch.conf,passwd,pki,resolv.conf,ssl,xdg
 private-tmp
 writable-run-user
 writable-var
diff --git a/etc/profile-m-z/netactview.profile b/etc/profile-m-z/netactview.profile
index 1bcc6a962..d6ac8d5bc 100644
--- a/etc/profile-m-z/netactview.profile
+++ b/etc/profile-m-z/netactview.profile
@@ -45,7 +45,7 @@ disable-mnt
 private-bin netactview,netactview_polkit
 private-cache
 private-dev
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 private-lib
 private-tmp
diff --git a/etc/profile-m-z/newsboat.profile b/etc/profile-m-z/newsboat.profile
index fa4ccea7c..cf72bf802 100644
--- a/etc/profile-m-z/newsboat.profile
+++ b/etc/profile-m-z/newsboat.profile
@@ -53,7 +53,7 @@ disable-mnt
 private-bin gzip,lynx,newsboat,sh,w3m
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,lynx.cfg,lynx.lss,pki,resolv.conf,ssl,terminfo
+private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,lynx.cfg,lynx.lss,pki,resolv.conf,ssl,terminfo
 private-tmp
 dbus-user none
diff --git a/etc/profile-m-z/newsflash.profile b/etc/profile-m-z/newsflash.profile
index 56cedec03..9966a0e1b 100644
--- a/etc/profile-m-z/newsflash.profile
+++ b/etc/profile-m-z/newsflash.profile
@@ -51,7 +51,7 @@ disable-mnt
 private-bin com.gitlab.newsflash,newsflash
 private-cache
 private-dev
-private-etc ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,nsswitch.conf,pango,pki,resolv.conf,ssl,X11
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,nsswitch.conf,pango,pki,resolv.conf,ssl,X11
 private-tmp
 dbus-user none
diff --git a/etc/profile-m-z/nextcloud.profile b/etc/profile-m-z/nextcloud.profile
index cb499ba34..354d3351e 100644
--- a/etc/profile-m-z/nextcloud.profile
+++ b/etc/profile-m-z/nextcloud.profile
@@ -61,12 +61,11 @@ tracelog
 disable-mnt
 private-bin nextcloud,nextcloud-desktop
 private-cache
-private-etc alternatives,ca-certificates,crypto-policies,drirc,fonts,gcrypt,host.conf,hosts,ld.so.cache,machine-id,Nextcloud,nsswitch.conf,os-release,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg
+private-etc alternatives,ca-certificates,crypto-policies,drirc,fonts,gcrypt,host.conf,hosts,ld.so.cache,ld.so.preload,machine-id,Nextcloud,nsswitch.conf,os-release,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg
 private-dev
 private-tmp
 dbus-user filter
 dbus-user.talk org.freedesktop.secrets
-# Add the next line to your nextcloud.local for tray icon support
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
-#dbus-user.talk org.kde.StatusNotifierWatcher
 dbus-system none
diff --git a/etc/profile-m-z/nheko.profile b/etc/profile-m-z/nheko.profile
index 035ad086a..89a146a09 100644
--- a/etc/profile-m-z/nheko.profile
+++ b/etc/profile-m-z/nheko.profile
@@ -51,11 +51,9 @@ private-dev
 private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 private-tmp
+dbus-user filter
-# Add the next lines to your nheko.local to enable notification support.
+dbus-user.talk org.freedesktop.secrets
-#ignore dbus-user none
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
-#dbus-user filter
+# Add the next line to your nheko.local to enable notification support.
 #dbus-user.talk org.freedesktop.Notifications
-#dbus-user.talk org.kde.StatusNotifierWatcher
-dbus-user none
 dbus-system none
diff --git a/etc/profile-m-z/nitroshare.profile b/etc/profile-m-z/nitroshare.profile
index d5dd4ca95..d6234cd04 100644
--- a/etc/profile-m-z/nitroshare.profile
+++ b/etc/profile-m-z/nitroshare.profile
@@ -42,7 +42,7 @@ disable-mnt
 private-bin awk,grep,nitroshare,nitroshare-cli,nitroshare-nmh,nitroshare-send,nitroshare-ui
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,dconf,fonts,hostname,hosts,ld.so.cache,machine-id,nsswitch.conf,ssl
+private-etc alternatives,ca-certificates,dconf,fonts,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,nsswitch.conf,ssl
 # private-lib libnitroshare.so.*,libqhttpengine.so.*,libqmdnsengine.so.*,nitroshare
 private-tmp
diff --git a/etc/profile-m-z/nomacs.profile b/etc/profile-m-z/nomacs.profile
index b044fb879..7ffb09e56 100644
--- a/etc/profile-m-z/nomacs.profile
+++ b/etc/profile-m-z/nomacs.profile
@@ -41,5 +41,5 @@ tracelog
 #private-bin nomacs
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hosts,login.defs,machine-id,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hosts,ld.so.cache,ld.so.preload,login.defs,machine-id,pki,resolv.conf,ssl
 private-tmp
diff --git a/etc/profile-m-z/noprofile.profile b/etc/profile-m-z/noprofile.profile
new file mode 100644
index 000000000..560ee9db3
--- /dev/null
+++ b/etc/profile-m-z/noprofile.profile
@@ -0,0 +1,28 @@
+# This is the weakest possible firejail profile.
+# If a program still fail with this profile, it is incompatible with firejail.
+# (from https://gist.github.com/rusty-snake/bb234cb3e50e1e4e7429f29a7931cc72)
+#
+# Usage:
+#   1. download
+#   2. firejail --profile=noprofile.profile /path/to/program
+# Keep in mind that even with this profile some things are done
+# which can break the program.
+# - some env-vars are cleared
+# - /etc/firejail/firejail.config can contain options such as 'force-nonewprivs yes'
+# - a new private pid-namespace is created
+# - a minimal hardcoded blacklist is applied
+# - ...
+noblacklist /sys/fs
+noblacklist /sys/module
+allow-debuggers
+allusers
+keep-config-pulse
+keep-dev-shm
+keep-var-tmp
+writable-etc
+writable-run-user
+writable-var
+writable-var-log
diff --git a/etc/profile-m-z/notify-send.profile b/etc/profile-m-z/notify-send.profile
index 5caf3374d..9f23c099d 100644
--- a/etc/profile-m-z/notify-send.profile
+++ b/etc/profile-m-z/notify-send.profile
@@ -49,7 +49,7 @@ private
 private-bin notify-send
 private-cache
 private-dev
-private-etc none
+private-etc alternatives,ld.so.cache,ld.so.preload
 private-tmp
 dbus-user filter
diff --git a/etc/profile-m-z/nuclear.profile b/etc/profile-m-z/nuclear.profile
index 886403b9e..9f4a6ec46 100644
--- a/etc/profile-m-z/nuclear.profile
+++ b/etc/profile-m-z/nuclear.profile
@@ -18,7 +18,7 @@ whitelist ${HOME}/.config/nuclear
 no3d
 # private-bin nuclear
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 private-opt nuclear
 # Redirect
diff --git a/etc/profile-m-z/nyx.profile b/etc/profile-m-z/nyx.profile
index 460a580b3..653591482 100644
--- a/etc/profile-m-z/nyx.profile
+++ b/etc/profile-m-z/nyx.profile
@@ -45,7 +45,7 @@ disable-mnt
 private-bin nyx,python*
 private-cache
 private-dev
-private-etc alternatives,fonts,passwd,tor
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,passwd,tor
 private-opt none
 private-srv none
 private-tmp
diff --git a/etc/profile-m-z/ocenaudio.profile b/etc/profile-m-z/ocenaudio.profile
index 8e87f1d5d..0bfb35333 100644
--- a/etc/profile-m-z/ocenaudio.profile
+++ b/etc/profile-m-z/ocenaudio.profile
@@ -45,7 +45,7 @@ tracelog
 private-bin ocenaudio
 private-cache
 private-dev
-private-etc alternatives,asound.conf,fonts,ld.so.cache,pulse
+private-etc alternatives,asound.conf,fonts,ld.so.cache,ld.so.preload,pulse
 private-tmp
 # breaks preferences
diff --git a/etc/profile-m-z/odt2txt.profile b/etc/profile-m-z/odt2txt.profile
index 22cec475b..de62f4114 100644
--- a/etc/profile-m-z/odt2txt.profile
+++ b/etc/profile-m-z/odt2txt.profile
@@ -38,7 +38,7 @@ x11 none
 private-bin odt2txt
 private-cache
 private-dev
-private-etc alternatives
+private-etc alternatives,ld.so.cache,ld.so.preload
 private-tmp
 dbus-user none
diff --git a/etc/profile-m-z/okular.profile b/etc/profile-m-z/okular.profile
index 84edc65ef..fb28ad89f 100644
--- a/etc/profile-m-z/okular.profile
+++ b/etc/profile-m-z/okular.profile
@@ -36,6 +36,7 @@ whitelist /usr/share/kconf_update/okular.upd
 whitelist /usr/share/kxmlgui5/okular
 whitelist /usr/share/okular
 whitelist /usr/share/poppler
+include whitelist-run-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -61,7 +62,7 @@ tracelog
 private-bin kbuildsycoca4,kdeinit4,lpr,okular,unar,unrar
 private-dev
-private-etc alternatives,cups,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,xdg
+private-etc alternatives,cups,fonts,kde4rc,kde5rc,ld.so.cache,ld.so.preload,machine-id,passwd,xdg
 # private-tmp - on KDE we need access to the real /tmp for data exchange with email clients
 # dbus-user none
diff --git a/etc/profile-m-z/onboard.profile b/etc/profile-m-z/onboard.profile
index b0ffba19c..e05e58cad 100644
--- a/etc/profile-m-z/onboard.profile
+++ b/etc/profile-m-z/onboard.profile
@@ -50,7 +50,7 @@ disable-mnt
 private-cache
 private-bin onboard,python*,tput
 private-dev
-private-etc alternatives,dbus-1,dconf,fonts,gtk-2.0,gtk-3.0,locale,locale.alias,locale.conf,mime.types,selinux,X11,xdg
+private-etc alternatives,dbus-1,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,locale,locale.alias,locale.conf,mime.types,selinux,X11,xdg
 private-tmp
 dbus-system none
diff --git a/etc/profile-m-z/open-invaders.profile b/etc/profile-m-z/open-invaders.profile
index 12c7ea3d0..c2c22f42d 100644
--- a/etc/profile-m-z/open-invaders.profile
+++ b/etc/profile-m-z/open-invaders.profile
@@ -25,7 +25,6 @@ caps.drop all
 net none
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/profile-m-z/openarena.profile b/etc/profile-m-z/openarena.profile
index 076a655a1..c3ac097a0 100644
--- a/etc/profile-m-z/openarena.profile
+++ b/etc/profile-m-z/openarena.profile
@@ -43,7 +43,7 @@ disable-mnt
 private-bin bash,cut,glxinfo,grep,head,openarena,openarena_ded,quake3,zenity
 private-cache
 private-dev
-private-etc drirc,machine-id,openal,passwd,selinux,udev,xdg
+private-etc alternatives,drirc,ld.so.cache,ld.so.preload,machine-id,openal,passwd,selinux,udev,xdg
 private-tmp
 dbus-user none
diff --git a/etc/profile-m-z/openclonk.profile b/etc/profile-m-z/openclonk.profile
index 253465991..68362cbc8 100644
--- a/etc/profile-m-z/openclonk.profile
+++ b/etc/profile-m-z/openclonk.profile
@@ -28,7 +28,6 @@ ipc-namespace
 netfilter
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/profile-m-z/pandoc.profile b/etc/profile-m-z/pandoc.profile
index 2595d8a8f..c016b5103 100644
--- a/etc/profile-m-z/pandoc.profile
+++ b/etc/profile-m-z/pandoc.profile
@@ -11,6 +11,8 @@ blacklist ${RUNUSER}
 noblacklist ${DOCUMENTS}
+include allow-bin-sh.inc
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -19,6 +21,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
+include whitelist-runuser-common.inc
 # breaks pdf output
 #include whitelist-var-common.inc
@@ -39,15 +42,15 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 x11 none
 disable-mnt
-private-bin context,latex,mktexfmt,pandoc,pdflatex,pdfroff,prince,weasyprint,wkhtmltopdf
 private-cache
 private-dev
-private-etc alternatives,texlive,texmf
+private-etc alternatives,ld.so.cache,ld.so.preload,texlive,texmf
 private-tmp
 dbus-user none
diff --git a/etc/profile-m-z/parole.profile b/etc/profile-m-z/parole.profile
index 33d75f0d2..3d380542f 100644
--- a/etc/profile-m-z/parole.profile
+++ b/etc/profile-m-z/parole.profile
@@ -27,4 +27,4 @@ shell none
 private-bin dbus-launch,parole
 private-cache
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,machine-id,passwd,pki,pulse,ssl
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.preload,machine-id,passwd,pki,pulse,ssl
diff --git a/etc/profile-m-z/pavucontrol.profile b/etc/profile-m-z/pavucontrol.profile
index 0bd14e88e..d64aab200 100644
--- a/etc/profile-m-z/pavucontrol.profile
+++ b/etc/profile-m-z/pavucontrol.profile
@@ -45,7 +45,7 @@ disable-mnt
 private-bin pavucontrol
 private-cache
 private-dev
-private-etc alternatives,asound.conf,avahi,fonts,machine-id,pulse
+private-etc alternatives,asound.conf,avahi,fonts,ld.so.cache,ld.so.preload,machine-id,pulse
 private-lib
 private-tmp
diff --git a/etc/profile-m-z/pdfchain.profile b/etc/profile-m-z/pdfchain.profile
index bebd4ba44..41ec98a39 100644
--- a/etc/profile-m-z/pdfchain.profile
+++ b/etc/profile-m-z/pdfchain.profile
@@ -34,7 +34,7 @@ shell none
 private-bin pdfchain,pdftk,sh
 private-dev
-private-etc alternatives,dconf,fonts,gtk-3.0,xdg
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,xdg
 private-tmp
 dbus-user none
diff --git a/etc/profile-m-z/pdftotext.profile b/etc/profile-m-z/pdftotext.profile
index 0cb08aa74..9d2f2b95f 100644
--- a/etc/profile-m-z/pdftotext.profile
+++ b/etc/profile-m-z/pdftotext.profile
@@ -48,7 +48,7 @@ x11 none
 private-bin pdftotext
 private-cache
 private-dev
-private-etc alternatives
+private-etc alternatives,ld.so.cache,ld.so.preload
 private-tmp
 dbus-user none
diff --git a/etc/profile-m-z/peek.profile b/etc/profile-m-z/peek.profile
index a8f925313..f5c295b5d 100644
--- a/etc/profile-m-z/peek.profile
+++ b/etc/profile-m-z/peek.profile
@@ -48,7 +48,7 @@ tracelog
 disable-mnt
 private-bin bash,convert,ffmpeg,firejail,fish,peek,sh,which,zsh
 private-dev
-private-etc dconf,firejail,fonts,gtk-3.0,login.defs,pango,passwd,X11
+private-etc alternatives,dconf,firejail,fonts,gtk-3.0,ld.so.cache,ld.so.preload,login.defs,pango,passwd,X11
 private-tmp
 dbus-user filter
diff --git a/etc/profile-m-z/photoflare.profile b/etc/profile-m-z/photoflare.profile
index c012504c4..80efedec7 100644
--- a/etc/profile-m-z/photoflare.profile
+++ b/etc/profile-m-z/photoflare.profile
@@ -43,7 +43,7 @@ disable-mnt
 private-bin photoflare
 private-cache
 private-dev
-private-etc alternatives,fonts,locale,locale.alias,locale.conf,mime.types,X11
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,locale,locale.alias,locale.conf,mime.types,X11
 private-tmp
 dbus-user none
diff --git a/etc/profile-m-z/pingus.profile b/etc/profile-m-z/pingus.profile
index 5b2d7a5a4..69c78740d 100644
--- a/etc/profile-m-z/pingus.profile
+++ b/etc/profile-m-z/pingus.profile
@@ -50,7 +50,7 @@ disable-mnt
 private-bin pingus,pingus.bin,sh
 private-cache
 private-dev
-private-etc machine-id
+private-etc alternatives,ld.so.cache,ld.so.preload,machine-id
 private-tmp
 dbus-user none
diff --git a/etc/profile-m-z/pip.profile b/etc/profile-m-z/pip.profile
new file mode 100644
index 000000000..a0926371f
--- /dev/null
+++ b/etc/profile-m-z/pip.profile
@@ -0,0 +1,18 @@
+# Firejail profile for pip
+# Description: package manager for Python packages
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include meson.local
+# Persistent global definitions
+include globals.local
+ignore read-only ${HOME}/.local/lib
+# Allow python3 (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+#whitelist ${HOME}/.local/lib/python*
+# Redirect
+include build-systems-common.profile
diff --git a/etc/profile-m-z/pkglog.profile b/etc/profile-m-z/pkglog.profile
index c2707dac4..69b954f53 100644
--- a/etc/profile-m-z/pkglog.profile
+++ b/etc/profile-m-z/pkglog.profile
@@ -44,7 +44,7 @@ private
 private-bin pkglog,python*
 private-cache
 private-dev
-private-etc alternatives
+private-etc alternatives,ld.so.cache,ld.so.preload
 private-opt none
 private-tmp
 writable-var-log
diff --git a/etc/profile-m-z/plv.profile b/etc/profile-m-z/plv.profile
index 80f768170..38ccf72e8 100644
--- a/etc/profile-m-z/plv.profile
+++ b/etc/profile-m-z/plv.profile
@@ -46,7 +46,7 @@ disable-mnt
 private-bin plv
 private-cache
 private-dev
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 private-opt none
 private-tmp
 writable-var-log
diff --git a/etc/profile-m-z/pngquant.profile b/etc/profile-m-z/pngquant.profile
index 0b3d2b44c..6b989202f 100644
--- a/etc/profile-m-z/pngquant.profile
+++ b/etc/profile-m-z/pngquant.profile
@@ -47,7 +47,7 @@ x11 none
 private-bin pngquant
 private-cache
 private-dev
-private-etc alternatives
+private-etc alternatives,ld.so.cache,ld.so.preload
 private-tmp
 dbus-user none
diff --git a/etc/profile-m-z/pragha.profile b/etc/profile-m-z/pragha.profile
index bc0ff0e85..fd595c27a 100644
--- a/etc/profile-m-z/pragha.profile
+++ b/etc/profile-m-z/pragha.profile
@@ -33,6 +33,6 @@ seccomp
 shell none
 private-dev
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,machine-id,pki,pulse,resolv.conf,ssl,xdg
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl,xdg
 private-tmp
diff --git a/etc/profile-m-z/profanity.profile b/etc/profile-m-z/profanity.profile
index 705af370b..25a248425 100644
--- a/etc/profile-m-z/profanity.profile
+++ b/etc/profile-m-z/profanity.profile
@@ -44,7 +44,7 @@ shell none
 private-bin profanity
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,localtime,mime.types,nsswitch.conf,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,localtime,mime.types,nsswitch.conf,pki,resolv.conf,ssl
 private-tmp
 dbus-user none
diff --git a/etc/profile-m-z/psi.profile b/etc/profile-m-z/psi.profile
index 450bb10c7..99a72adee 100644
--- a/etc/profile-m-z/psi.profile
+++ b/etc/profile-m-z/psi.profile
@@ -71,7 +71,7 @@ disable-mnt
 private-bin getopt,psi
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,gcrypt,group,hostname,hosts,ld.so.cache,ld.so.conf,machine-id,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,gcrypt,group,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.preload,machine-id,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg
 private-tmp
 dbus-user none
diff --git a/etc/profile-m-z/qgis.profile b/etc/profile-m-z/qgis.profile
index 3dc232b55..555e1e41b 100644
--- a/etc/profile-m-z/qgis.profile
+++ b/etc/profile-m-z/qgis.profile
@@ -52,7 +52,7 @@ tracelog
 disable-mnt
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,QGIS,QGIS.conf,resolv.conf,ssl,Trolltech.conf
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,machine-id,pki,QGIS,QGIS.conf,resolv.conf,ssl,Trolltech.conf
 private-tmp
 dbus-user none
diff --git a/etc/profile-m-z/qnapi.profile b/etc/profile-m-z/qnapi.profile
index 4eee0df5f..4a3ce366e 100644
--- a/etc/profile-m-z/qnapi.profile
+++ b/etc/profile-m-z/qnapi.profile
@@ -47,7 +47,7 @@ tracelog
 private-bin 7z,qnapi
 private-cache
 private-dev
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 private-opt none
 private-tmp
diff --git a/etc/profile-m-z/qrencode.profile b/etc/profile-m-z/qrencode.profile
index 7ef676068..dd3f24875 100644
--- a/etc/profile-m-z/qrencode.profile
+++ b/etc/profile-m-z/qrencode.profile
@@ -47,7 +47,7 @@ disable-mnt
 private-bin qrencode
 private-cache
 private-dev
-private-etc none
+private-etc alternatives,ld.so.cache,ld.so.preload
 private-lib libpcre*
 private-tmp
diff --git a/etc/profile-m-z/qtox.profile b/etc/profile-m-z/qtox.profile
index bae802cc6..60e1539fa 100644
--- a/etc/profile-m-z/qtox.profile
+++ b/etc/profile-m-z/qtox.profile
@@ -43,7 +43,7 @@ disable-mnt
 private-bin qtox
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,localtime,machine-id,pki,pulse,resolv.conf,ssl
 private-tmp
 dbus-user none
diff --git a/etc/profile-m-z/regextester.profile b/etc/profile-m-z/regextester.profile
index 1de59bc7c..f1ce313e7 100644
--- a/etc/profile-m-z/regextester.profile
+++ b/etc/profile-m-z/regextester.profile
@@ -43,7 +43,7 @@ disable-mnt
 private-bin regextester
 private-cache
 private-dev
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 private-lib libgranite.so.*
 private-tmp
diff --git a/etc/profile-m-z/retroarch.profile b/etc/profile-m-z/retroarch.profile
new file mode 100644
index 000000000..1887a9b72
--- /dev/null
+++ b/etc/profile-m-z/retroarch.profile
@@ -0,0 +1,54 @@
+# Firejail profile for retroarch
+# Description: retroarch is a frontend to libretro emulator cores.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include retroarch.local
+# Persistent global definitions
+include globals.local
+blacklist /usr/libexec
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+mkdir ${HOME}/.config/retroarch
+whitelist ${HOME}/.config/retroarch
+whitelist /run/udev
+whitelist /usr/share/retroarch
+whitelist /usr/share/libretro
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+# If you need access to cameras, add `ignore novideo` to retroarch.local
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+disable-mnt
+private-bin retroarch
+private-cache
+private-dev
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/rsync-download_only.profile b/etc/profile-m-z/rsync-download_only.profile
index 23a65f54a..e44e55a12 100644
--- a/etc/profile-m-z/rsync-download_only.profile
+++ b/etc/profile-m-z/rsync-download_only.profile
@@ -49,7 +49,7 @@ disable-mnt
 private-bin rsync
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
+private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
 private-tmp
 dbus-user none
diff --git a/etc/profile-m-z/scorchwentbonkers.profile b/etc/profile-m-z/scorchwentbonkers.profile
index 1069c34ea..70b5d844a 100644
--- a/etc/profile-m-z/scorchwentbonkers.profile
+++ b/etc/profile-m-z/scorchwentbonkers.profile
@@ -43,7 +43,7 @@ disable-mnt
 private-bin scorchwentbonkers
 private-cache
 private-dev
-private-etc alsa,asound.conf,machine-id,pulse
+private-etc alsa,alternatives,asound.conf,ld.so.cache,ld.so.preload,machine-id,pulse
 private-tmp
 dbus-user none
diff --git a/etc/profile-m-z/seahorse-adventures.profile b/etc/profile-m-z/seahorse-adventures.profile
index af7d5eeac..72d6d5cf7 100644
--- a/etc/profile-m-z/seahorse-adventures.profile
+++ b/etc/profile-m-z/seahorse-adventures.profile
@@ -48,7 +48,7 @@ private
 private-bin bash,dash,python*,seahorse-adventures,sh
 private-cache
 private-dev
-private-etc machine-id
+private-etc alternatives,ld.so.cache,ld.so.preload,machine-id
 private-tmp
 dbus-user none
diff --git a/etc/profile-m-z/seahorse-tool.profile b/etc/profile-m-z/seahorse-tool.profile
index 96ff74edf..9ef174606 100644
--- a/etc/profile-m-z/seahorse-tool.profile
+++ b/etc/profile-m-z/seahorse-tool.profile
@@ -8,7 +8,7 @@ include seahorse-tool.local
 #include globals.local
 # private-etc workaround for: #2877
-private-etc firejail,login.defs,passwd
+private-etc alternatives,firejail,ld.so.cache,ld.so.preload,login.defs,passwd
 private-tmp
 # Redirect
diff --git a/etc/profile-m-z/seahorse.profile b/etc/profile-m-z/seahorse.profile
index 94a27da87..7382e4712 100644
--- a/etc/profile-m-z/seahorse.profile
+++ b/etc/profile-m-z/seahorse.profile
@@ -60,7 +60,7 @@ tracelog
 disable-mnt
 private-cache
 private-dev
-private-etc ca-certificates,crypto-policies,dconf,fonts,gconf,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,nsswitch.conf,pango,pki,protocols,resolv.conf,rpc,services,ssh,ssl,X11
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gconf,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,nsswitch.conf,pango,pki,protocols,resolv.conf,rpc,services,ssh,ssl,X11
 writable-run-user
 dbus-user filter
diff --git a/etc/profile-m-z/shotwell.profile b/etc/profile-m-z/shotwell.profile
index b6a828636..3b569eeaf 100644
--- a/etc/profile-m-z/shotwell.profile
+++ b/etc/profile-m-z/shotwell.profile
@@ -49,7 +49,7 @@ tracelog
 private-bin shotwell
 private-cache
 private-dev
-private-etc alternatives,fonts,machine-id
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id
 private-opt none
 private-tmp
diff --git a/etc/profile-m-z/slack.profile b/etc/profile-m-z/slack.profile
index 51f6c8b00..a511ebb1c 100644
--- a/etc/profile-m-z/slack.profile
+++ b/etc/profile-m-z/slack.profile
@@ -26,7 +26,7 @@ mkdir ${HOME}/.config/Slack
 whitelist ${HOME}/.config/Slack
 private-bin electron,electron[0-9],electron[0-9][0-9],locale,sh,slack
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,debian_version,fedora-release,fonts,group,ld.so.cache,ld.so.conf,localtime,machine-id,os-release,passwd,pki,pulse,redhat-release,resolv.conf,ssl,system-release,system-release-cpe
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,debian_version,fedora-release,fonts,group,ld.so.cache,ld.so.conf,ld.so.preload,localtime,machine-id,os-release,passwd,pki,pulse,redhat-release,resolv.conf,ssl,system-release,system-release-cpe
 # Redirect
 include electron.profile
diff --git a/etc/profile-m-z/smuxi-frontend-gnome.profile b/etc/profile-m-z/smuxi-frontend-gnome.profile
index 31d14924c..0cdb5537e 100644
--- a/etc/profile-m-z/smuxi-frontend-gnome.profile
+++ b/etc/profile-m-z/smuxi-frontend-gnome.profile
@@ -48,7 +48,7 @@ disable-mnt
 private-bin bash,mono,mono-sgen,sh,smuxi-frontend-gnome
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,ld.so.conf,machine-id,mono,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.preload,machine-id,mono,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg
 private-tmp
 dbus-user none
diff --git a/etc/profile-m-z/softmaker-common.profile b/etc/profile-m-z/softmaker-common.profile
index ebdd5c1f8..099e6a2ad 100644
--- a/etc/profile-m-z/softmaker-common.profile
+++ b/etc/profile-m-z/softmaker-common.profile
@@ -6,9 +6,9 @@ include softmaker-common.local
 # added by caller profile
 #include globals.local
-# The offical packages install the desktop file under /usr/local/share/applications
+# The official packages install the desktop file under /usr/local/share/applications
-# with an absolute Exec line. These files are NOT handelt by firecfg,
+# with an absolute Exec line. These files are NOT handled by firecfg,
-# therefore you must manualy copy them in you home and remove '/usr/bin/'.
+# therefore you must manually copy them in you home and remove '/usr/bin/'.
 noblacklist ${HOME}/SoftMaker
@@ -43,7 +43,7 @@ tracelog
 private-bin freeoffice-planmaker,freeoffice-presentations,freeoffice-textmaker,planmaker18,planmaker18free,presentations18,presentations18free,sh,textmaker18,textmaker18free
 private-cache
 private-dev
-private-etc ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,SoftMaker,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,SoftMaker,ssl
 private-tmp
 dbus-user none
diff --git a/etc/profile-m-z/spectacle.profile b/etc/profile-m-z/spectacle.profile
index d803fa5ce..fc4ae2b04 100644
--- a/etc/profile-m-z/spectacle.profile
+++ b/etc/profile-m-z/spectacle.profile
@@ -22,7 +22,7 @@ include disable-interpreters.inc
 include disable-programs.inc
 include disable-xdg.inc
-mkfile  ${HOME}/.config/spectaclerc
+mkfile ${HOME}/.config/spectaclerc
 whitelist ${HOME}/.config/spectaclerc
 whitelist ${PICTURES}
 whitelist /usr/share/kconf_update/spectacle_newConfig.upd
@@ -56,7 +56,7 @@ disable-mnt
 private-bin spectacle
 private-cache
 private-dev
-private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d
+private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload
 private-tmp
 dbus-user filter
diff --git a/etc/profile-m-z/spectral.profile b/etc/profile-m-z/spectral.profile
index 5f17b73dc..3f7f68009 100644
--- a/etc/profile-m-z/spectral.profile
+++ b/etc/profile-m-z/spectral.profile
@@ -49,10 +49,8 @@ private-dev
 private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 private-tmp
-dbus-user none
+dbus-user filter
-# Add the next lines to your spectral.local to enable notification support.
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
-#ignore dbus-user none
+# Add the next line to your spectral.local to enable notification support.
-#dbus-user filter
 #dbus-user.talk org.freedesktop.Notifications
-#dbus-user.talk org.kde.StatusNotifierWatcher
 dbus-system none
diff --git a/etc/profile-m-z/spotify.profile b/etc/profile-m-z/spotify.profile
index ffee76d23..0ce918161 100644
--- a/etc/profile-m-z/spotify.profile
+++ b/etc/profile-m-z/spotify.profile
@@ -44,7 +44,7 @@ disable-mnt
 private-bin bash,cat,dirname,find,grep,head,rm,sh,spotify,tclsh,touch,zenity
 private-dev
 # If you want to see album covers or want to use the radio, add 'ignore private-etc' to your spotify.local.
-private-etc alternatives,ca-certificates,crypto-policies,fonts,group,host.conf,hosts,ld.so.cache,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,group,host.conf,hosts,ld.so.cache,ld.so.preload,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl
 private-opt spotify
 private-srv none
 private-tmp
diff --git a/etc/profile-m-z/sqlitebrowser.profile b/etc/profile-m-z/sqlitebrowser.profile
index e35f74404..deaf37f52 100644
--- a/etc/profile-m-z/sqlitebrowser.profile
+++ b/etc/profile-m-z/sqlitebrowser.profile
@@ -42,7 +42,7 @@ shell none
 private-bin sqlitebrowser
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,group,machine-id,passwd,pki,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.preload,machine-id,passwd,pki,ssl
 private-tmp
 # breaks proxy creation
diff --git a/etc/profile-m-z/ssh-agent.profile b/etc/profile-m-z/ssh-agent.profile
index 11723664f..9d3fe9637 100644
--- a/etc/profile-m-z/ssh-agent.profile
+++ b/etc/profile-m-z/ssh-agent.profile
@@ -11,6 +11,7 @@ include allow-ssh.inc
 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
+noblacklist /usr/lib/openssh/ssh-keysign
 include disable-common.inc
 include disable-programs.inc
diff --git a/etc/profile-m-z/ssh.profile b/etc/profile-m-z/ssh.profile
index 9295013e7..194b2082c 100644
--- a/etc/profile-m-z/ssh.profile
+++ b/etc/profile-m-z/ssh.profile
@@ -10,6 +10,7 @@ include globals.local
 # nc can be used as ProxyCommand, e.g. when using tor
 noblacklist ${PATH}/nc
 noblacklist ${PATH}/ncat
+noblacklist /usr/lib/openssh/ssh-keysign
 # Allow ssh (blacklisted by disable-common.inc)
 include allow-ssh.inc
diff --git a/etc/profile-m-z/standardnotes-desktop.profile b/etc/profile-m-z/standardnotes-desktop.profile
index d54ddacdd..7a59274bf 100644
--- a/etc/profile-m-z/standardnotes-desktop.profile
+++ b/etc/profile-m-z/standardnotes-desktop.profile
@@ -38,7 +38,7 @@ seccomp !chroot
 disable-mnt
 private-dev
 private-tmp
-private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,pki,resolv.conf,ssl,xdg
+private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl,xdg
 dbus-user none
 dbus-system none
diff --git a/etc/profile-m-z/straw-viewer.profile b/etc/profile-m-z/straw-viewer.profile
index d73927f2a..513abc21b 100644
--- a/etc/profile-m-z/straw-viewer.profile
+++ b/etc/profile-m-z/straw-viewer.profile
@@ -18,4 +18,4 @@ whitelist ${HOME}/.config/straw-viewer
 private-bin gtk-straw-viewer,straw-viewer
 # Redirect
-include youtube-viewers-common.profile
-\ No newline at end of file
+include youtube-viewers-common.profile
diff --git a/etc/profile-m-z/strawberry.profile b/etc/profile-m-z/strawberry.profile
index dfb0a3e3b..32e43f079 100644
--- a/etc/profile-m-z/strawberry.profile
+++ b/etc/profile-m-z/strawberry.profile
@@ -43,7 +43,7 @@ disable-mnt
 private-bin strawberry,strawberry-tagreader
 private-cache
 private-dev
-private-etc ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,nsswitch.conf,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl
 private-tmp
 dbus-system none
diff --git a/etc/profile-m-z/subdownloader.profile b/etc/profile-m-z/subdownloader.profile
index 100ac9d14..a9f22085b 100644
--- a/etc/profile-m-z/subdownloader.profile
+++ b/etc/profile-m-z/subdownloader.profile
@@ -44,7 +44,7 @@ tracelog
 private-cache
 private-dev
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 private-tmp
 dbus-user none
diff --git a/etc/profile-m-z/supertux2.profile b/etc/profile-m-z/supertux2.profile
index 0e9113821..464fa1b08 100644
--- a/etc/profile-m-z/supertux2.profile
+++ b/etc/profile-m-z/supertux2.profile
@@ -30,7 +30,6 @@ caps.drop all
 net none
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
@@ -45,7 +44,7 @@ tracelog
 disable-mnt
 # private-bin supertux2
 private-cache
-private-etc machine-id
+private-etc alternatives,ld.so.cache,ld.so.preload,machine-id
 private-dev
 private-tmp
diff --git a/etc/profile-m-z/supertuxkart.profile b/etc/profile-m-z/supertuxkart.profile
index 7ba7e7023..473472251 100644
--- a/etc/profile-m-z/supertuxkart.profile
+++ b/etc/profile-m-z/supertuxkart.profile
@@ -54,7 +54,7 @@ private-bin supertuxkart
 private-cache
 # Add the next line to your supertuxkart.local if you do not need controller support.
 #private-dev
-private-etc alternatives,ca-certificates,crypto-policies,drirc,hosts,machine-id,openal,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,drirc,hosts,ld.so.cache,ld.so.preload,machine-id,openal,pki,resolv.conf,ssl
 private-tmp
 private-opt none
 private-srv none
diff --git a/etc/profile-m-z/surf.profile b/etc/profile-m-z/surf.profile
index 7c092fccc..c04f00cab 100644
--- a/etc/profile-m-z/surf.profile
+++ b/etc/profile-m-z/surf.profile
@@ -34,6 +34,6 @@ tracelog
 disable-mnt
 private-bin bash,curl,dmenu,ls,printf,sed,sh,sleep,st,stterm,surf,xargs,xprop
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,group,hosts,machine-id,passwd,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,group,hosts,ld.so.cache,ld.so.preload,machine-id,passwd,pki,resolv.conf,ssl
 private-tmp
diff --git a/etc/profile-m-z/sway.profile b/etc/profile-m-z/sway.profile
index 4637419bf..046d1b4be 100644
--- a/etc/profile-m-z/sway.profile
+++ b/etc/profile-m-z/sway.profile
@@ -1,5 +1,5 @@
 # Firejail profile for Sway
-# Description: i3-compatible Wayland compositor 
+# Description: i3-compatible Wayland compositor
 # This file is overwritten after every install/update
 # Persistent local customizations
 include sway.local
diff --git a/etc/profile-m-z/sysprof.profile b/etc/profile-m-z/sysprof.profile
index ac4a380bb..c7119ae0f 100644
--- a/etc/profile-m-z/sysprof.profile
+++ b/etc/profile-m-z/sysprof.profile
@@ -63,7 +63,7 @@ disable-mnt
 #private-bin sysprof - breaks help menu
 private-cache
 private-dev
-private-etc alternatives,fonts,ld.so.cache,machine-id,ssl
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id,ssl
 # private-lib - breaks help menu
 #private-lib gdk-pixbuf-2.*,gio,gtk3,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*,libsysprof-2.so,libsysprof-ui-2.so
 private-tmp
diff --git a/etc/profile-m-z/tar.profile b/etc/profile-m-z/tar.profile
index 0d3a900e9..0817adda8 100644
--- a/etc/profile-m-z/tar.profile
+++ b/etc/profile-m-z/tar.profile
@@ -14,7 +14,7 @@ ignore include disable-shell.inc
 # all capabilities this is automatically read-only.
 noblacklist /var/lib/pacman
-private-etc alternatives,group,localtime,login.defs,passwd
+private-etc alternatives,group,ld.so.cache,ld.so.preload,localtime,login.defs,passwd
 #private-lib libfakeroot,liblzma.so.*,libreadline.so.*
 # Debian based distributions need this for 'dpkg --unpack' (incl. synaptic)
 writable-var
diff --git a/etc/profile-m-z/teams-for-linux.profile b/etc/profile-m-z/teams-for-linux.profile
index c97921d92..ee19bcd00 100644
--- a/etc/profile-m-z/teams-for-linux.profile
+++ b/etc/profile-m-z/teams-for-linux.profile
@@ -20,7 +20,7 @@ mkdir ${HOME}/.config/teams-for-linux
 whitelist ${HOME}/.config/teams-for-linux
 private-bin bash,cut,echo,egrep,electron,electron[0-9],electron[0-9][0-9],grep,head,sed,sh,teams-for-linux,tr,xdg-mime,xdg-open,zsh
-private-etc ca-certificates,crypto-policies,fonts,ld.so.cache,localtime,machine-id,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,localtime,machine-id,pki,resolv.conf,ssl
 # Redirect
 include electron.profile
diff --git a/etc/profile-m-z/teeworlds.profile b/etc/profile-m-z/teeworlds.profile
index df54fb9ba..d0fb0d43e 100644
--- a/etc/profile-m-z/teeworlds.profile
+++ b/etc/profile-m-z/teeworlds.profile
@@ -26,7 +26,6 @@ ipc-namespace
 netfilter
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/profile-m-z/telegram.profile b/etc/profile-m-z/telegram.profile
index 115be54eb..dc1f77664 100644
--- a/etc/profile-m-z/telegram.profile
+++ b/etc/profile-m-z/telegram.profile
@@ -41,16 +41,16 @@ seccomp.block-secondary
 shell none
 disable-mnt
-#private-bin telegram,Telegram,telegram-desktop
+private-bin telegram,Telegram,telegram-desktop
 private-cache
 private-dev
-private-etc alsa,alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,machine-id,os-release,passwd,pki,pulse,resolv.conf,ssl,xdg
+private-etc alsa,alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.preload,localtime,machine-id,os-release,passwd,pki,pulse,resolv.conf,ssl,xdg
 private-tmp
 dbus-user filter
 dbus-user.own org.telegram.desktop.*
 dbus-user.talk org.freedesktop.Notifications
-dbus-user.talk org.kde.StatusNotifierWatcher
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
 dbus-user.talk org.gnome.Mutter.IdleMonitor
 dbus-user.talk org.freedesktop.ScreenSaver
 dbus-system none
diff --git a/etc/profile-m-z/tilp.profile b/etc/profile-m-z/tilp.profile
index 7c18aab50..d2db44b1c 100644
--- a/etc/profile-m-z/tilp.profile
+++ b/etc/profile-m-z/tilp.profile
@@ -30,6 +30,6 @@ tracelog
 disable-mnt
 private-bin tilp
 private-cache
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 private-tmp
diff --git a/etc/profile-m-z/tin.profile b/etc/profile-m-z/tin.profile
index 039063c1e..1d4ee9370 100644
--- a/etc/profile-m-z/tin.profile
+++ b/etc/profile-m-z/tin.profile
@@ -58,7 +58,7 @@ disable-mnt
 private-bin rtin,tin
 private-cache
 private-dev
-private-etc passwd,resolv.conf,terminfo,tin
+private-etc alternatives,ld.so.cache,ld.so.preload,passwd,resolv.conf,terminfo,tin
 private-lib terminfo
 private-tmp
diff --git a/etc/profile-m-z/tor.profile b/etc/profile-m-z/tor.profile
index 08e949309..d8cd8eb44 100644
--- a/etc/profile-m-z/tor.profile
+++ b/etc/profile-m-z/tor.profile
@@ -46,6 +46,6 @@ private
 private-bin bash,tor
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,passwd,pki,ssl,tor
+private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,passwd,pki,ssl,tor
 private-tmp
 writable-var
diff --git a/etc/profile-m-z/torbrowser.profile b/etc/profile-m-z/torbrowser.profile
new file mode 100644
index 000000000..fc579b973
--- /dev/null
+++ b/etc/profile-m-z/torbrowser.profile
@@ -0,0 +1,26 @@
+# Firejail profile for torbrowser
+# Description: This profile was tested with www-client/torbrowser::torbrowser
+# on Gentoo Linux.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include torbrowser.local
+# Persistent global definitions
+include globals.local
+ignore dbus-user none
+noblacklist ${HOME}/.cache/mozilla
+noblacklist ${HOME}/.mozilla
+blacklist /usr/libexec
+mkdir ${HOME}/.cache/mozilla/torbrowser
+mkdir ${HOME}/.mozilla
+whitelist ${HOME}/.cache/mozilla/torbrowser
+whitelist ${HOME}/.mozilla
+include whitelist-usr-share-common.inc
+dbus-user filter
+dbus-user.own org.mozilla.torbrowser.*
+include firefox-common.profile
diff --git a/etc/profile-m-z/torcs.profile b/etc/profile-m-z/torcs.profile
index a7ebaf2af..19e586db4 100644
--- a/etc/profile-m-z/torcs.profile
+++ b/etc/profile-m-z/torcs.profile
@@ -28,7 +28,6 @@ ipc-namespace
 net none
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/profile-m-z/transgui.profile b/etc/profile-m-z/transgui.profile
index 2b63f6448..4acb8e7e8 100644
--- a/etc/profile-m-z/transgui.profile
+++ b/etc/profile-m-z/transgui.profile
@@ -45,7 +45,7 @@ tracelog
 private-bin geoiplookup,geoiplookup6,transgui
 private-cache
 private-dev
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 private-lib libgdk_pixbuf-2.0.so.*,libGeoIP.so*,libgthread-2.0.so.*,libgtk-x11-2.0.so.*,libX11.so.*
 private-tmp
diff --git a/etc/profile-m-z/transmission-cli.profile b/etc/profile-m-z/transmission-cli.profile
index 486be5fe6..8a1711e97 100644
--- a/etc/profile-m-z/transmission-cli.profile
+++ b/etc/profile-m-z/transmission-cli.profile
@@ -8,7 +8,7 @@ include transmission-cli.local
 include globals.local
 private-bin transmission-cli
-private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl
 # Redirect
 include transmission-common.profile
diff --git a/etc/profile-m-z/transmission-daemon.profile b/etc/profile-m-z/transmission-daemon.profile
index 348d3cb80..5d28f2f10 100644
--- a/etc/profile-m-z/transmission-daemon.profile
+++ b/etc/profile-m-z/transmission-daemon.profile
@@ -17,7 +17,7 @@ caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot
 protocol packet
 private-bin transmission-daemon
-private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl
 read-write /var/lib/transmission
 writable-var-log
diff --git a/etc/profile-m-z/transmission-remote-gtk.profile b/etc/profile-m-z/transmission-remote-gtk.profile
index a6400e2c0..6a0f1bde3 100644
--- a/etc/profile-m-z/transmission-remote-gtk.profile
+++ b/etc/profile-m-z/transmission-remote-gtk.profile
@@ -12,7 +12,7 @@ noblacklist ${HOME}/.config/transmission-remote-gtk
 mkdir ${HOME}/.config/transmission-remote-gtk
 whitelist ${HOME}/.config/transmission-remote-gtk
-private-etc fonts,hostname,hosts,resolv.conf
+private-etc alternatives,fonts,hostname,hosts,ld.so.cache,ld.so.preload,resolv.conf
 # Problems with private-lib (see issue #2889)
 ignore private-lib
diff --git a/etc/profile-m-z/transmission-remote.profile b/etc/profile-m-z/transmission-remote.profile
index fee4999e6..565433d99 100644
--- a/etc/profile-m-z/transmission-remote.profile
+++ b/etc/profile-m-z/transmission-remote.profile
@@ -8,7 +8,7 @@ include transmission-remote.local
 include globals.local
 private-bin transmission-remote
-private-etc alternatives,hosts,nsswitch.conf
+private-etc alternatives,hosts,ld.so.cache,ld.so.preload,nsswitch.conf
 # Redirect
 include transmission-common.profile
diff --git a/etc/profile-m-z/transmission-show.profile b/etc/profile-m-z/transmission-show.profile
index 5a3c83f58..0a5826ec4 100644
--- a/etc/profile-m-z/transmission-show.profile
+++ b/etc/profile-m-z/transmission-show.profile
@@ -8,7 +8,7 @@ include transmission-show.local
 include globals.local
 private-bin transmission-show
-private-etc alternatives,hosts,nsswitch.conf
+private-etc alternatives,hosts,ld.so.cache,ld.so.preload,nsswitch.conf
 # Redirect
 include transmission-common.profile
diff --git a/etc/profile-m-z/tremulous.profile b/etc/profile-m-z/tremulous.profile
index 4e16df553..96541ae25 100644
--- a/etc/profile-m-z/tremulous.profile
+++ b/etc/profile-m-z/tremulous.profile
@@ -8,6 +8,9 @@ include globals.local
 noblacklist ${HOME}/.tremulous
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -41,7 +44,7 @@ shell none
 tracelog
 disable-mnt
-private-bin tremded,tremulous,tremulous-wrapper
+private-bin env,sh,tremded,tremulous,tremulous-wrapper
 private-cache
 private-dev
 private-tmp
diff --git a/etc/profile-m-z/trojita.profile b/etc/profile-m-z/trojita.profile
index 41426c606..60a192ac1 100644
--- a/etc/profile-m-z/trojita.profile
+++ b/etc/profile-m-z/trojita.profile
@@ -54,7 +54,7 @@ tracelog
 private-bin trojita
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,pki,resolv.conf,selinux,ssl,xdg
+private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,ld.so.preload,pki,resolv.conf,selinux,ssl,xdg
 private-tmp
 dbus-user filter
diff --git a/etc/profile-m-z/twitch.profile b/etc/profile-m-z/twitch.profile
index d767b4c9d..987a2b719 100644
--- a/etc/profile-m-z/twitch.profile
+++ b/etc/profile-m-z/twitch.profile
@@ -18,7 +18,7 @@ mkdir ${HOME}/.config/Twitch
 whitelist ${HOME}/.config/Twitch
 private-bin electron,electron[0-9],electron[0-9][0-9],twitch
-private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 private-opt Twitch
 # Redirect
diff --git a/etc/profile-m-z/unf.profile b/etc/profile-m-z/unf.profile
index 212e6d181..1b82ad881 100644
--- a/etc/profile-m-z/unf.profile
+++ b/etc/profile-m-z/unf.profile
@@ -49,7 +49,7 @@ private-bin unf
 private-cache
 ?HAS_APPIMAGE: ignore private-dev
 private-dev
-private-etc alternatives
+private-etc alternatives,ld.so.cache,ld.so.preload
 private-lib gcc/*/*/libgcc_s.so.*
 private-tmp
diff --git a/etc/profile-m-z/unrar.profile b/etc/profile-m-z/unrar.profile
index 9d3d9b40e..443d1f415 100644
--- a/etc/profile-m-z/unrar.profile
+++ b/etc/profile-m-z/unrar.profile
@@ -8,7 +8,7 @@ include unrar.local
 include globals.local
 private-bin unrar
-private-etc alternatives,group,localtime,passwd
+private-etc alternatives,group,ld.so.cache,ld.so.preload,localtime,passwd
 private-tmp
 # Redirect
diff --git a/etc/profile-m-z/unzip.profile b/etc/profile-m-z/unzip.profile
index 0231e3dba..97df693ba 100644
--- a/etc/profile-m-z/unzip.profile
+++ b/etc/profile-m-z/unzip.profile
@@ -10,7 +10,7 @@ include globals.local
 # GNOME Shell integration (chrome-gnome-shell)
 noblacklist ${HOME}/.local/share/gnome-shell
-private-etc alternatives,group,localtime,passwd
+private-etc alternatives,group,ld.so.cache,ld.so.preload,localtime,passwd
 # Redirect
 include archiver-common.profile
diff --git a/etc/profile-m-z/utox.profile b/etc/profile-m-z/utox.profile
index b164494fa..5a867a683 100644
--- a/etc/profile-m-z/utox.profile
+++ b/etc/profile-m-z/utox.profile
@@ -43,7 +43,7 @@ disable-mnt
 private-bin utox
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,localtime,machine-id,openal,pki,pulse,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,localtime,machine-id,openal,pki,pulse,resolv.conf,ssl
 private-tmp
 memory-deny-write-execute
diff --git a/etc/profile-m-z/uudeview.profile b/etc/profile-m-z/uudeview.profile
index 3b38f16e0..426766e17 100644
--- a/etc/profile-m-z/uudeview.profile
+++ b/etc/profile-m-z/uudeview.profile
@@ -41,7 +41,7 @@ x11 none
 private-bin uudeview
 private-cache
 private-dev
-private-etc alternatives,ld.so.preload
+private-etc alternatives,ld.so.cache,ld.so.preload
 dbus-user none
 dbus-system none
diff --git a/etc/profile-m-z/viewnior.profile b/etc/profile-m-z/viewnior.profile
index 469e65542..585a8eddb 100644
--- a/etc/profile-m-z/viewnior.profile
+++ b/etc/profile-m-z/viewnior.profile
@@ -43,7 +43,7 @@ tracelog
 private-bin viewnior
 private-cache
 private-dev
-private-etc alternatives,fonts,machine-id
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id
 private-tmp
 dbus-user none
diff --git a/etc/profile-m-z/virtualbox.profile b/etc/profile-m-z/virtualbox.profile
index 6ab9aa15b..227ad83cc 100644
--- a/etc/profile-m-z/virtualbox.profile
+++ b/etc/profile-m-z/virtualbox.profile
@@ -45,7 +45,7 @@ tracelog
 #disable-mnt
 #private-bin awk,basename,bash,env,gawk,grep,ps,readlink,sh,virtualbox,VirtualBox,VBox*,vbox*,whoami
 private-cache
-private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,hostname,hosts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl
+private-etc alsa,alternatives,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,pki,pulse,resolv.conf,ssl
 private-tmp
 dbus-user none
diff --git a/etc/profile-m-z/vmware.profile b/etc/profile-m-z/vmware.profile
index cb85836b7..1e3983f0e 100644
--- a/etc/profile-m-z/vmware.profile
+++ b/etc/profile-m-z/vmware.profile
@@ -38,6 +38,6 @@ tracelog
 #disable-mnt
 # Add the next line to your vmware.local to enable private-bin.
 #private-bin env,bash,sh,ovftool,vmafossexec,vmaf_*,vmnet-*,vmplayer,vmrest,vmrun,vmss2core,vmstat,vmware,vmware-*
-private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl,vmware,vmware-installer,vmware-vix
+private-etc alsa,alternatives,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl,vmware,vmware-installer,vmware-vix
 dbus-user none
 dbus-system none
diff --git a/etc/profile-m-z/vscodium.profile b/etc/profile-m-z/vscodium.profile
index a4a4fb7d8..9c0a887b2 100644
--- a/etc/profile-m-z/vscodium.profile
+++ b/etc/profile-m-z/vscodium.profile
@@ -1,4 +1,4 @@
-# Firejail profile alias for Visual Studio Code
+# Firejail profile alias for VSCodium
 # This file is overwritten after every install/update
 # Persistent local customizations
 include vscodium.local
@@ -7,6 +7,8 @@ include vscodium.local
 #include globals.local
 noblacklist ${HOME}/.VSCodium
+noblacklist ${HOME}/.config/VSCodium
+noblacklist ${HOME}/.vscode-oss
 # Redirect
 include code.profile
diff --git a/etc/profile-m-z/w3m.profile b/etc/profile-m-z/w3m.profile
index 81c8a2f5c..c9e209142 100644
--- a/etc/profile-m-z/w3m.profile
+++ b/etc/profile-m-z/w3m.profile
@@ -62,7 +62,7 @@ disable-mnt
 private-bin perl,sh,w3m
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,mailcap,nsswitch.conf,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,mailcap,nsswitch.conf,pki,resolv.conf,ssl
 private-tmp
 dbus-user none
diff --git a/etc/profile-m-z/warmux.profile b/etc/profile-m-z/warmux.profile
index 92e0e7a83..0a6f19b1e 100644
--- a/etc/profile-m-z/warmux.profile
+++ b/etc/profile-m-z/warmux.profile
@@ -49,7 +49,7 @@ disable-mnt
 private-bin warmux
 private-cache
 private-dev
-private-etc ca-certificates,crypto-policies,host.conf,hostname,hosts,machine-id,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
+private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
 private-tmp
 dbus-user none
diff --git a/etc/profile-m-z/warsow.profile b/etc/profile-m-z/warsow.profile
index 5659ec69c..2f818b733 100644
--- a/etc/profile-m-z/warsow.profile
+++ b/etc/profile-m-z/warsow.profile
@@ -11,6 +11,9 @@ ignore noexec ${HOME}
 noblacklist ${HOME}/.cache/warsow-2.1
 noblacklist ${HOME}/.local/share/warsow-2.1
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -34,19 +37,18 @@ ipc-namespace
 netfilter
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
 nou2f
 novideo
-protocol unix,inet,inet6
+protocol unix,inet,inet6,netlink
 seccomp
 shell none
 tracelog
 disable-mnt
-private-bin warsow
+private-bin basename,bash,dirname,sed,sh,uname,warsow
 private-cache
 private-dev
 private-tmp
diff --git a/etc/profile-m-z/whalebird.profile b/etc/profile-m-z/whalebird.profile
index 2f26bf14c..92ebebdae 100644
--- a/etc/profile-m-z/whalebird.profile
+++ b/etc/profile-m-z/whalebird.profile
@@ -21,7 +21,7 @@ whitelist ${HOME}/.config/Whalebird
 no3d
 private-bin electron,electron[0-9],electron[0-9][0-9],whalebird
-private-etc fonts,machine-id
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id
 # Redirect
 include electron.profile
diff --git a/etc/profile-m-z/whois.profile b/etc/profile-m-z/whois.profile
index 755e62f60..afff6f587 100644
--- a/etc/profile-m-z/whois.profile
+++ b/etc/profile-m-z/whois.profile
@@ -47,7 +47,7 @@ private
 private-bin bash,sh,whois
 private-cache
 private-dev
-private-etc alternatives,hosts,jwhois.conf,resolv.conf,services,whois.conf
+private-etc alternatives,hosts,jwhois.conf,ld.so.cache,ld.so.preload,resolv.conf,services,whois.conf
 private-lib gconv
 private-tmp
diff --git a/etc/profile-m-z/wire-desktop.profile b/etc/profile-m-z/wire-desktop.profile
index 151cd2adb..d8742cd71 100644
--- a/etc/profile-m-z/wire-desktop.profile
+++ b/etc/profile-m-z/wire-desktop.profile
@@ -26,7 +26,7 @@ mkdir ${HOME}/.config/Wire
 whitelist ${HOME}/.config/Wire
 private-bin bash,electron,electron[0-9],electron[0-9][0-9],env,sh,wire-desktop
-private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,machine-id,pki,resolv.conf,ssl
 # Redirect
 include electron.profile
diff --git a/etc/profile-m-z/wordwarvi.profile b/etc/profile-m-z/wordwarvi.profile
index b2f3341ee..3147c2ac3 100644
--- a/etc/profile-m-z/wordwarvi.profile
+++ b/etc/profile-m-z/wordwarvi.profile
@@ -45,7 +45,7 @@ private
 private-bin wordwarvi
 private-cache
 private-dev
-private-etc alsa,asound.conf,machine-id,pulse
+private-etc alsa,alternatives,asound.conf,ld.so.cache,ld.so.preload,machine-id,pulse
 private-tmp
 dbus-user none
diff --git a/etc/profile-m-z/xbill.profile b/etc/profile-m-z/xbill.profile
index c9e408ccd..bb119996c 100644
--- a/etc/profile-m-z/xbill.profile
+++ b/etc/profile-m-z/xbill.profile
@@ -44,7 +44,7 @@ private
 private-bin xbill
 private-cache
 private-dev
-private-etc none
+private-etc alternatives,ld.so.cache,ld.so.preload
 private-tmp
 dbus-user none
diff --git a/etc/profile-m-z/xfce4-mixer.profile b/etc/profile-m-z/xfce4-mixer.profile
index 05c46dffb..386ef2bd6 100644
--- a/etc/profile-m-z/xfce4-mixer.profile
+++ b/etc/profile-m-z/xfce4-mixer.profile
@@ -46,7 +46,7 @@ disable-mnt
 private-bin xfce4-mixer,xfconf-query
 private-cache
 private-dev
-private-etc alternatives,asound.conf,fonts,machine-id,pulse
+private-etc alternatives,asound.conf,fonts,ld.so.cache,ld.so.preload,machine-id,pulse
 private-tmp
 dbus-user filter
diff --git a/etc/profile-m-z/xfce4-screenshooter.profile b/etc/profile-m-z/xfce4-screenshooter.profile
index b869ae005..d74ed5754 100644
--- a/etc/profile-m-z/xfce4-screenshooter.profile
+++ b/etc/profile-m-z/xfce4-screenshooter.profile
@@ -42,7 +42,7 @@ tracelog
 disable-mnt
 private-bin xfce4-screenshooter,xfconf-query
 private-dev
-private-etc ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl
 private-tmp
 dbus-user none
diff --git a/etc/profile-m-z/xiphos.profile b/etc/profile-m-z/xiphos.profile
index 070e5e0f7..c7fd0799b 100644
--- a/etc/profile-m-z/xiphos.profile
+++ b/etc/profile-m-z/xiphos.profile
@@ -47,5 +47,5 @@ disable-mnt
 private-bin xiphos
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,resolv.conf,ssli,sword,sword.conf
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssli,sword,sword.conf
 private-tmp
diff --git a/etc/profile-m-z/xlinks.profile b/etc/profile-m-z/xlinks.profile
index d5e25cfe7..404baf607 100644
--- a/etc/profile-m-z/xlinks.profile
+++ b/etc/profile-m-z/xlinks.profile
@@ -14,7 +14,7 @@ include whitelist-common.inc
 # if you want to use user-configured programs add 'private-bin PROGRAM1,PROGRAM2'
 # to your xlinks.local or append 'PROGRAM1,PROGRAM2' to this private-bin line
 private-bin xlinks
-private-etc fonts
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 # Redirect
 include links.profile
diff --git a/etc/profile-m-z/xlinks2 b/etc/profile-m-z/xlinks2
index 1ae6a60ca..d7edd3543 100644
--- a/etc/profile-m-z/xlinks2
+++ b/etc/profile-m-z/xlinks2
@@ -14,7 +14,7 @@ include whitelist-common.inc
 # if you want to use user-configured programs add 'private-bin PROGRAM1,PROGRAM2'
 # to your xlinks.local or append 'PROGRAM1,PROGRAM2' to this private-bin line
 private-bin xlinks2
-private-etc fonts
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 # Redirect
 include links2.profile
diff --git a/etc/profile-m-z/xmr-stak.profile b/etc/profile-m-z/xmr-stak.profile
index 8179e8d76..e541436a4 100644
--- a/etc/profile-m-z/xmr-stak.profile
+++ b/etc/profile-m-z/xmr-stak.profile
@@ -38,7 +38,7 @@ disable-mnt
 private ${HOME}/.xmr-stak
 private-bin xmr-stak
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl
 #private-lib libxmrstak_opencl_backend,libxmrstak_cuda_backend
 private-opt cuda
 private-tmp
diff --git a/etc/profile-m-z/xonotic.profile b/etc/profile-m-z/xonotic.profile
index 6ffe9ece9..7c2b38d1d 100644
--- a/etc/profile-m-z/xonotic.profile
+++ b/etc/profile-m-z/xonotic.profile
@@ -32,7 +32,6 @@ caps.drop all
 netfilter
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/profile-m-z/xournal.profile b/etc/profile-m-z/xournal.profile
index e4282a125..a0e77b4e7 100644
--- a/etc/profile-m-z/xournal.profile
+++ b/etc/profile-m-z/xournal.profile
@@ -43,7 +43,7 @@ tracelog
 private-bin xournal
 private-cache
 private-dev
-private-etc alternatives,fonts,group,machine-id,passwd
+private-etc alternatives,fonts,group,ld.so.cache,ld.so.preload,machine-id,passwd
 # TODO should use private-lib
 private-tmp
diff --git a/etc/profile-m-z/xreader.profile b/etc/profile-m-z/xreader.profile
index f59adc6e2..8b880426f 100644
--- a/etc/profile-m-z/xreader.profile
+++ b/etc/profile-m-z/xreader.profile
@@ -39,7 +39,7 @@ tracelog
 private-bin xreader,xreader-previewer,xreader-thumbnailer
 private-dev
-private-etc alternatives,fonts,ld.so.cache
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 private-tmp
 memory-deny-write-execute
diff --git a/etc/profile-m-z/yelp.profile b/etc/profile-m-z/yelp.profile
index 2a6dbe1bf..31a51b2c4 100644
--- a/etc/profile-m-z/yelp.profile
+++ b/etc/profile-m-z/yelp.profile
@@ -56,7 +56,7 @@ disable-mnt
 private-bin groff,man,tbl,troff,yelp
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,crypto-policies,cups,dconf,drirc,fonts,gcrypt,groff,gtk-3.0,machine-id,man_db.conf,openal,os-release,pulse,sgml,xml
+private-etc alsa,alternatives,asound.conf,crypto-policies,cups,dconf,drirc,fonts,gcrypt,groff,gtk-3.0,ld.so.cache,ld.so.preload,machine-id,man_db.conf,openal,os-release,pulse,sgml,xml
 private-tmp
 dbus-user filter
diff --git a/etc/profile-m-z/youtube-dl-gui.profile b/etc/profile-m-z/youtube-dl-gui.profile
index 5d6fb47c1..94f37a92b 100644
--- a/etc/profile-m-z/youtube-dl-gui.profile
+++ b/etc/profile-m-z/youtube-dl-gui.profile
@@ -49,7 +49,7 @@ disable-mnt
 private-bin atomicparsley,ffmpeg,ffprobe,python*,youtube-dl-gui
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,locale,locale.conf,passwd,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,locale,locale.conf,passwd,pki,resolv.conf,ssl
 private-tmp
 dbus-user none
diff --git a/etc/profile-m-z/youtube-dl.profile b/etc/profile-m-z/youtube-dl.profile
index 145e565fd..71e50ab11 100644
--- a/etc/profile-m-z/youtube-dl.profile
+++ b/etc/profile-m-z/youtube-dl.profile
@@ -58,7 +58,7 @@ tracelog
 private-bin env,ffmpeg,python*,youtube-dl
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,hostname,hosts,ld.so.cache,mime.types,pki,resolv.conf,ssl,youtube-dl.conf
+private-etc alternatives,ca-certificates,crypto-policies,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,pki,resolv.conf,ssl,youtube-dl.conf
 private-tmp
 dbus-user none
diff --git a/etc/profile-m-z/youtube-viewer.profile b/etc/profile-m-z/youtube-viewer.profile
index b54dd37ad..825599fcc 100644
--- a/etc/profile-m-z/youtube-viewer.profile
+++ b/etc/profile-m-z/youtube-viewer.profile
@@ -18,4 +18,4 @@ whitelist ${HOME}/.config/youtube-viewer
 private-bin gtk-youtube-viewer,gtk2-youtube-viewer,gtk3-youtube-viewer,youtube-viewer
 # Redirect
-include youtube-viewers-common.profile
-\ No newline at end of file
+include youtube-viewers-common.profile
diff --git a/etc/profile-m-z/youtube-viewers-common.profile b/etc/profile-m-z/youtube-viewers-common.profile
index a05f05c51..80d551038 100644
--- a/etc/profile-m-z/youtube-viewers-common.profile
+++ b/etc/profile-m-z/youtube-viewers-common.profile
@@ -53,7 +53,7 @@ disable-mnt
 private-bin bash,ffmpeg,ffprobe,firefox,mpv,perl,python*,sh,smplayer,stty,wget,which,xterm,youtube-dl,yt-dlp
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,machine-id,mime.types,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl,X11,xdg
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,mime.types,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl,X11,xdg
 private-tmp
 dbus-user none
diff --git a/etc/profile-m-z/youtube.profile b/etc/profile-m-z/youtube.profile
index efb001ee6..5c4d697da 100644
--- a/etc/profile-m-z/youtube.profile
+++ b/etc/profile-m-z/youtube.profile
@@ -17,7 +17,7 @@ mkdir ${HOME}/.config/Youtube
 whitelist ${HOME}/.config/Youtube
 private-bin electron,electron[0-9],electron[0-9][0-9],youtube
-private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 private-opt Youtube
 # Redirect
diff --git a/etc/profile-m-z/youtubemusic-nativefier.profile b/etc/profile-m-z/youtubemusic-nativefier.profile
index ce7161a70..2b5ffeaaf 100644
--- a/etc/profile-m-z/youtubemusic-nativefier.profile
+++ b/etc/profile-m-z/youtubemusic-nativefier.profile
@@ -14,7 +14,7 @@ mkdir ${HOME}/.config/youtubemusic-nativefier-040164
 whitelist ${HOME}/.config/youtubemusic-nativefier-040164
 private-bin electron,electron[0-9],electron[0-9][0-9],youtubemusic-nativefier
-private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 private-opt youtubemusic-nativefier
 # Redirect
diff --git a/etc/profile-m-z/yt-dlp.profile b/etc/profile-m-z/yt-dlp.profile
index 1c3382a08..88e7a0949 100644
--- a/etc/profile-m-z/yt-dlp.profile
+++ b/etc/profile-m-z/yt-dlp.profile
@@ -13,7 +13,7 @@ noblacklist ${HOME}/.config/yt-dlp
 noblacklist ${HOME}/yt-dlp.conf
 private-bin yt-dlp
-private-etc yt-dlp.conf
+private-etc alternatives,ld.so.cache,ld.so.preload,yt-dlp.conf
 # Redirect
 include youtube-dl.profile
diff --git a/etc/profile-m-z/ytmdesktop.profile b/etc/profile-m-z/ytmdesktop.profile
index ab46fccc2..59b6e2543 100644
--- a/etc/profile-m-z/ytmdesktop.profile
+++ b/etc/profile-m-z/ytmdesktop.profile
@@ -14,7 +14,7 @@ mkdir ${HOME}/.config/youtube-music-desktop-app
 whitelist ${HOME}/.config/youtube-music-desktop-app
 # private-bin env,ytmdesktop
-private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 # private-opt
 # Redirect
diff --git a/etc/profile-m-z/zulip.profile b/etc/profile-m-z/zulip.profile
index 604da4c8e..8acfdd651 100644
--- a/etc/profile-m-z/zulip.profile
+++ b/etc/profile-m-z/zulip.profile
@@ -44,5 +44,5 @@ disable-mnt
 private-bin locale,zulip
 private-cache
 private-dev
-private-etc asound.conf,fonts,machine-id
+private-etc alternatives,asound.conf,fonts,ld.so.cache,ld.so.preload,machine-id
 private-tmp
diff --git a/etc/templates/profile.template b/etc/templates/profile.template
index e580a0c0c..44197b547 100644
--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -116,6 +116,7 @@ include globals.local
 #include disable-devel.inc
 #include disable-exec.inc
 #include disable-interpreters.inc
+#include disable-proc.inc
 #include disable-programs.inc
 #include disable-shell.inc
 #include disable-write-mnt.inc
@@ -204,7 +205,7 @@ include globals.local
 # Since 0.9.63 also a more granular control of dbus is supported.
 # To get the dbus-addresses an application needs access to you can
-# check with flatpak (when the application is distriputed that way):
+# check with flatpak (when the application is distributed that way):
 #    flatpak remote-info --show-metadata flathub <APP-ID>
 # Notes:
 #  - flatpak implicitly allows an app to own <APP-ID> on the session bus