34 files changed, 305 insertions, 36 deletions

diff --git a/etc/inc/allow-perl.inc b/etc/inc/allow-perl.inc
index 5a1952c94..a473900da 100644
--- a/etc/inc/allow-perl.inc
+++ b/etc/inc/allow-perl.inc
@@ -10,3 +10,6 @@ noblacklist ${PATH}/vendor_perl
 noblacklist /usr/lib/perl*
 noblacklist /usr/lib64/perl*
 noblacklist /usr/share/perl*
+
+# rxvt is also blacklisted in disable-interpreters.inc
+noblacklist ${PATH}/rxvt
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index b1ec25987..543fc235d 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -632,3 +632,6 @@ blacklist ${RUNUSER}/update-notifier.pid
 
 # tor-browser
 blacklist ${HOME}/.local/opt/tor-browser
+
+# pass utility (pass package in Debian etc.)
+blacklist ${HOME}/.password-store
diff --git a/etc/inc/disable-interpreters.inc b/etc/inc/disable-interpreters.inc
index 804869e2a..ca43e5ed9 100644
--- a/etc/inc/disable-interpreters.inc
+++ b/etc/inc/disable-interpreters.inc
@@ -40,6 +40,15 @@ blacklist /usr/lib/perl*
 blacklist /usr/lib64/perl*
 blacklist /usr/share/perl*
 
+# rxvt needs Perl modules, thus does not work. In particular, blacklisting
+# it is needed so that Firefox can run applications with Terminal=true in
+# their .desktop file (depending on what is installed). The reason is that
+# this is done via glib, which currently uses a hardcoded list of terminal
+# emulators:
+#   https://gitlab.gnome.org/GNOME/glib/-/issues/338
+# And in this list, rxvt comes before xterm.
+blacklist ${PATH}/rxvt
+
 # PHP
 blacklist ${PATH}/php*
 blacklist /usr/lib/php*
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index a13d5a4d3..458565ab3 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -191,8 +191,10 @@ blacklist ${HOME}/.cache/qBittorrent
 blacklist ${HOME}/.cache/quodlibet
 blacklist ${HOME}/.cache/qupzilla
 blacklist ${HOME}/.cache/qutebrowser
+blacklist ${HOME}/.cache/rclone
 blacklist ${HOME}/.cache/rednotebook
 blacklist ${HOME}/.cache/rhythmbox
+blacklist ${HOME}/.cache/rpcs3
 blacklist ${HOME}/.cache/shotwell
 blacklist ${HOME}/.cache/simple-scan
 blacklist ${HOME}/.cache/slimjet
@@ -215,6 +217,7 @@ blacklist ${HOME}/.cache/vmware
 blacklist ${HOME}/.cache/warsow-2.1
 blacklist ${HOME}/.cache/waterfox
 blacklist ${HOME}/.cache/wesnoth
+blacklist ${HOME}/.cache/wine
 blacklist ${HOME}/.cache/winetricks
 blacklist ${HOME}/.cache/xmms2
 blacklist ${HOME}/.cache/xournalpp
@@ -232,6 +235,7 @@ blacklist ${HOME}/.clion*
 blacklist ${HOME}/.cliqz
 blacklist ${HOME}/.clonk
 blacklist ${HOME}/.config/0ad
+blacklist ${HOME}/.config/1Password
 blacklist ${HOME}/.config/2048-qt
 blacklist ${HOME}/.config/Atom
 blacklist ${HOME}/.config/Audaciousrc
@@ -277,6 +281,7 @@ blacklist ${HOME}/.config/KeePass
 blacklist ${HOME}/.config/KeePassXCrc
 blacklist ${HOME}/.config/Kid3
 blacklist ${HOME}/.config/Kingsoft
+blacklist ${HOME}/.config/Ledger Live
 blacklist ${HOME}/.config/LibreCAD
 blacklist ${HOME}/.config/Loop_Hero
 blacklist ${HOME}/.config/Luminance
@@ -378,6 +383,7 @@ blacklist ${HOME}/.config/chromium-flags.conf
 blacklist ${HOME}/.config/clipit
 blacklist ${HOME}/.config/cliqz
 blacklist ${HOME}/.config/cmus
+blacklist ${HOME}/.config/cointop
 blacklist ${HOME}/.config/com.github.bleakgrey.tootle
 blacklist ${HOME}/.config/corebird
 blacklist ${HOME}/.config/cower
@@ -571,10 +577,12 @@ blacklist ${HOME}/.config/quodlibet
 blacklist ${HOME}/.config/qupzilla
 blacklist ${HOME}/.config/qutebrowser
 blacklist ${HOME}/.config/ranger
+blacklist ${HOME}/.config/rclone
 blacklist ${HOME}/.config/redshift
 blacklist ${HOME}/.config/redshift.conf
 blacklist ${HOME}/.config/remmina
 blacklist ${HOME}/.config/ristretto
+blacklist ${HOME}/.config/rpcs3
 blacklist ${HOME}/.config/rtv
 blacklist ${HOME}/.config/scribus
 blacklist ${HOME}/.config/scribusrc
@@ -616,6 +624,7 @@ blacklist ${HOME}/.config/vivaldi
 blacklist ${HOME}/.config/vivaldi-snapshot
 blacklist ${HOME}/.config/vlc
 blacklist ${HOME}/.config/wesnoth
+blacklist ${HOME}/.config/wget
 blacklist ${HOME}/.config/wireshark
 blacklist ${HOME}/.config/wormux
 blacklist ${HOME}/.config/xchat
@@ -976,6 +985,7 @@ blacklist ${HOME}/.local/share/vlc
 blacklist ${HOME}/.local/share/vpltd
 blacklist ${HOME}/.local/share/vulkan
 blacklist ${HOME}/.local/share/warsow-2.1
+blacklist ${HOME}/.local/share/warzone2100-3.*
 blacklist ${HOME}/.local/share/wesnoth
 blacklist ${HOME}/.local/share/wormux
 blacklist ${HOME}/.local/share/xplayer
@@ -1029,7 +1039,6 @@ blacklist ${HOME}/.opera-beta
 blacklist ${HOME}/.ostrichriders
 blacklist ${HOME}/.paradoxinteractive
 blacklist ${HOME}/.parallelrealities/blobwars
-blacklist ${HOME}/.password-store
 blacklist ${HOME}/.pcsxr
 blacklist ${HOME}/.penguin-command
 blacklist ${HOME}/.pine-crash
@@ -1136,6 +1145,7 @@ blacklist ${HOME}/wallet.dat
 blacklist ${HOME}/yt-dlp.conf
 blacklist ${HOME}/yt-dlp.conf.txt
 blacklist ${RUNUSER}/*firefox*
+blacklist ${RUNUSER}/akonadi
 blacklist /tmp/.wine-*
 blacklist /tmp/akonadi-*
 blacklist /var/games/nethack
diff --git a/etc/profile-a-l/1password.profile b/etc/profile-a-l/1password.profile
new file mode 100644
index 000000000..bc8bfae0d
--- /dev/null
+++ b/etc/profile-a-l/1password.profile
@@ -0,0 +1,20 @@
+# Firejail profile for 1password
+# Description: 1Password is a password manager developed by AgileBits Inc.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include 1password.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/1Password
+
+mkdir ${HOME}/.config/1Password
+whitelist ${HOME}/.config/1Password
+
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,nsswitch.conf,pki,resolv.conf,ssl
+
+# Needed for keychain things, talking to Firefox, possibly other things?  Not sure how to narrow down
+ignore dbus-user none
+
+# Redirect
+include electron.profile
diff --git a/etc/profile-a-l/akonadi_control.profile b/etc/profile-a-l/akonadi_control.profile
index f3fb678d1..2f58d9146 100644
--- a/etc/profile-a-l/akonadi_control.profile
+++ b/etc/profile-a-l/akonadi_control.profile
@@ -17,6 +17,7 @@ noblacklist ${HOME}/.local/share/apps/korganizer
 noblacklist ${HOME}/.local/share/contacts
 noblacklist ${HOME}/.local/share/local-mail
 noblacklist ${HOME}/.local/share/notes
+noblacklist ${RUNUSER}/akonadi
 noblacklist /sbin
 noblacklist /tmp/akonadi-*
 noblacklist /usr/sbin
diff --git a/etc/profile-a-l/chromium-common.profile b/etc/profile-a-l/chromium-common.profile
index 2992a2d6f..998ffd9da 100644
--- a/etc/profile-a-l/chromium-common.profile
+++ b/etc/profile-a-l/chromium-common.profile
@@ -9,8 +9,8 @@ include chromium-common.local
 # noexec ${HOME} breaks DRM binaries.
 ?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
 
-noblacklist ${HOME}/.pki
 noblacklist ${HOME}/.local/share/pki
+noblacklist ${HOME}/.pki
 noblacklist /usr/lib/chromium/chrome-sandbox
 
 # Add the next line to your chromium-common.local if you want Google Chrome/Chromium browser
@@ -24,11 +24,13 @@ include disable-interpreters.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-mkdir ${HOME}/.pki
 mkdir ${HOME}/.local/share/pki
+mkdir ${HOME}/.pki
 whitelist ${DOWNLOADS}
-whitelist ${HOME}/.pki
 whitelist ${HOME}/.local/share/pki
+whitelist ${HOME}/.pki
+whitelist /usr/share/mozilla/extensions
+whitelist /usr/share/webext
 include whitelist-common.inc
 include whitelist-run-common.inc
 include whitelist-runuser-common.inc
@@ -55,6 +57,7 @@ private-cache
 
 blacklist ${PATH}/curl
 blacklist ${PATH}/wget
+blacklist ${PATH}/wget2
 
 #dbus-user none - prevents access to passwords saved in GNOME Keyring and KWallet, also breaks Gnome connector.
 dbus-system none
diff --git a/etc/profile-a-l/chromium.profile b/etc/profile-a-l/chromium.profile
index 9ac33aa1c..14f1bbe64 100644
--- a/etc/profile-a-l/chromium.profile
+++ b/etc/profile-a-l/chromium.profile
@@ -16,7 +16,6 @@ whitelist ${HOME}/.cache/chromium
 whitelist ${HOME}/.config/chromium
 whitelist ${HOME}/.config/chromium-flags.conf
 whitelist /usr/share/chromium
-whitelist /usr/share/mozilla/extensions
 
 # private-bin chromium,chromium-browser,chromedriver
 
diff --git a/etc/profile-a-l/cointop.profile b/etc/profile-a-l/cointop.profile
new file mode 100644
index 000000000..4349f58fc
--- /dev/null
+++ b/etc/profile-a-l/cointop.profile
@@ -0,0 +1,63 @@
+# Firejail profile for cointop
+# Description: TUI for tracking cryptocurrency stats
+# This file is overwritten after every install/update
+# Persistent local customizations
+include cointop.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/cointop
+
+blacklist ${RUNUSER}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-X11.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/cointop
+whitelist ${HOME}/.config/cointop
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noprinters
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol inet,inet6
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin cointop
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
+private-lib
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-a-l/ephemeral.profile b/etc/profile-a-l/ephemeral.profile
index 131d68951..f88c64b23 100644
--- a/etc/profile-a-l/ephemeral.profile
+++ b/etc/profile-a-l/ephemeral.profile
@@ -9,8 +9,8 @@ include globals.local
 # enforce private-cache
 #noblacklist ${HOME}/.cache/ephemeral
 
-noblacklist ${HOME}/.pki
 noblacklist ${HOME}/.local/share/pki
+noblacklist ${HOME}/.pki
 
 # noexec ${HOME} breaks DRM binaries.
 ?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
@@ -23,12 +23,12 @@ include disable-programs.inc
 
 # enforce private-cache
 #mkdir ${HOME}/.cache/ephemeral
-mkdir ${HOME}/.pki
 mkdir ${HOME}/.local/share/pki
+mkdir ${HOME}/.pki
 # enforce private-cache
 #whitelist ${HOME}/.cache/ephemeral
-whitelist ${HOME}/.pki
 whitelist ${HOME}/.local/share/pki
+whitelist ${HOME}/.pki
 whitelist ${DOWNLOADS}
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/ferdi.profile b/etc/profile-a-l/ferdi.profile
index a2372ec8a..b6f69ccb9 100644
--- a/etc/profile-a-l/ferdi.profile
+++ b/etc/profile-a-l/ferdi.profile
@@ -9,8 +9,8 @@ ignore noexec /tmp
 
 noblacklist ${HOME}/.cache/Ferdi
 noblacklist ${HOME}/.config/Ferdi
-noblacklist ${HOME}/.pki
 noblacklist ${HOME}/.local/share/pki
+noblacklist ${HOME}/.pki
 
 include disable-common.inc
 include disable-devel.inc
@@ -20,13 +20,13 @@ include disable-programs.inc
 
 mkdir ${HOME}/.cache/Ferdi
 mkdir ${HOME}/.config/Ferdi
-mkdir ${HOME}/.pki
 mkdir ${HOME}/.local/share/pki
+mkdir ${HOME}/.pki
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/Ferdi
 whitelist ${HOME}/.config/Ferdi
-whitelist ${HOME}/.pki
 whitelist ${HOME}/.local/share/pki
+whitelist ${HOME}/.pki
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/profile-a-l/firefox-common.profile b/etc/profile-a-l/firefox-common.profile
index e7d438b46..373f41ffe 100644
--- a/etc/profile-a-l/firefox-common.profile
+++ b/etc/profile-a-l/firefox-common.profile
@@ -12,8 +12,8 @@ include firefox-common.local
 # Add the next line to your firefox-common.local to allow access to common programs/addons/plugins.
 #include firefox-common-addons.profile
 
-noblacklist ${HOME}/.pki
 noblacklist ${HOME}/.local/share/pki
+noblacklist ${HOME}/.pki
 
 include disable-common.inc
 include disable-devel.inc
@@ -22,11 +22,11 @@ include disable-interpreters.inc
 include disable-proc.inc
 include disable-programs.inc
 
-mkdir ${HOME}/.pki
 mkdir ${HOME}/.local/share/pki
+mkdir ${HOME}/.pki
 whitelist ${DOWNLOADS}
-whitelist ${HOME}/.pki
 whitelist ${HOME}/.local/share/pki
+whitelist ${HOME}/.pki
 include whitelist-common.inc
 include whitelist-run-common.inc
 include whitelist-runuser-common.inc
@@ -61,6 +61,7 @@ private-tmp
 
 blacklist ${PATH}/curl
 blacklist ${PATH}/wget
+blacklist ${PATH}/wget2
 
 # 'dbus-user none' breaks various desktop integration features like global menus, native notifications,
 # Gnome connector, KDE connect and power management on KDE Plasma.
diff --git a/etc/profile-a-l/firefox-developer-edition.profile b/etc/profile-a-l/firefox-developer-edition.profile
index 8c7ca3887..3a9b8cf92 100644
--- a/etc/profile-a-l/firefox-developer-edition.profile
+++ b/etc/profile-a-l/firefox-developer-edition.profile
@@ -7,5 +7,9 @@ include firefox-developer-edition.local
 # added by included profile
 #include globals.local
 
+# Edition-specific DBus filters
+dbus-user.own org.mozilla.FirefoxDeveloperEdition.*
+dbus-user.own org.mozilla.firefoxdeveloperedition.*
+
 # Redirect
 include firefox.profile
diff --git a/etc/profile-a-l/franz.profile b/etc/profile-a-l/franz.profile
index 9b780a572..b16c90caf 100644
--- a/etc/profile-a-l/franz.profile
+++ b/etc/profile-a-l/franz.profile
@@ -9,8 +9,8 @@ ignore noexec /tmp
 
 noblacklist ${HOME}/.cache/Franz
 noblacklist ${HOME}/.config/Franz
-noblacklist ${HOME}/.pki
 noblacklist ${HOME}/.local/share/pki
+noblacklist ${HOME}/.pki
 
 include disable-common.inc
 include disable-devel.inc
@@ -20,13 +20,13 @@ include disable-programs.inc
 
 mkdir ${HOME}/.cache/Franz
 mkdir ${HOME}/.config/Franz
-mkdir ${HOME}/.pki
 mkdir ${HOME}/.local/share/pki
+mkdir ${HOME}/.pki
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/Franz
 whitelist ${HOME}/.config/Franz
-whitelist ${HOME}/.pki
 whitelist ${HOME}/.local/share/pki
+whitelist ${HOME}/.pki
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/profile-a-l/kmail.profile b/etc/profile-a-l/kmail.profile
index 0796e6876..1bbc141e8 100644
--- a/etc/profile-a-l/kmail.profile
+++ b/etc/profile-a-l/kmail.profile
@@ -29,6 +29,7 @@ noblacklist ${HOME}/.local/share/kxmlgui5/kmail
 noblacklist ${HOME}/.local/share/kxmlgui5/kmail2
 noblacklist ${HOME}/.local/share/local-mail
 noblacklist ${HOME}/.local/share/notes
+noblacklist ${RUNUSER}/akonadi
 noblacklist /tmp/akonadi-*
 
 include disable-common.inc
diff --git a/etc/profile-a-l/librewolf.profile b/etc/profile-a-l/librewolf.profile
index ebffbbabf..6678e3fec 100644
--- a/etc/profile-a-l/librewolf.profile
+++ b/etc/profile-a-l/librewolf.profile
@@ -25,6 +25,7 @@ whitelist ${HOME}/.librewolf
 
 whitelist /usr/share/doc
 whitelist /usr/share/gtk-doc/html
+whitelist /usr/share/librewolf
 whitelist /usr/share/mozilla
 whitelist /usr/share/webext
 include whitelist-usr-share-common.inc
@@ -50,6 +51,7 @@ dbus-user.own org.mozilla.librewolf.*
 # Also add the next line to your librewolf.local if screensharing does not work with
 # the above lines (depends on the portal implementation).
 #ignore noroot
+ignore apparmor
 ignore dbus-user none
 
 # Redirect
diff --git a/etc/profile-a-l/lutris.profile b/etc/profile-a-l/lutris.profile
index bf8ab9e64..71309b48f 100644
--- a/etc/profile-a-l/lutris.profile
+++ b/etc/profile-a-l/lutris.profile
@@ -9,6 +9,7 @@ include globals.local
 noblacklist ${PATH}/llvm*
 noblacklist ${HOME}/Games
 noblacklist ${HOME}/.cache/lutris
+noblacklist ${HOME}/.cache/wine
 noblacklist ${HOME}/.cache/winetricks
 noblacklist ${HOME}/.config/lutris
 noblacklist ${HOME}/.local/share/lutris
@@ -34,6 +35,7 @@ include disable-xdg.inc
 
 mkdir ${HOME}/Games
 mkdir ${HOME}/.cache/lutris
+mkdir ${HOME}/.cache/wine
 mkdir ${HOME}/.cache/winetricks
 mkdir ${HOME}/.config/lutris
 mkdir ${HOME}/.local/share/lutris
@@ -41,6 +43,7 @@ mkdir ${HOME}/.local/share/lutris
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/Games
 whitelist ${HOME}/.cache/lutris
+whitelist ${HOME}/.cache/wine
 whitelist ${HOME}/.cache/winetricks
 whitelist ${HOME}/.config/lutris
 whitelist ${HOME}/.local/share/lutris
diff --git a/etc/profile-m-z/mediathekview.profile b/etc/profile-m-z/mediathekview.profile
index f73ef0935..f0ef7d010 100644
--- a/etc/profile-m-z/mediathekview.profile
+++ b/etc/profile-m-z/mediathekview.profile
@@ -17,6 +17,8 @@ noblacklist ${HOME}/.mediathek3
 noblacklist ${HOME}/.mplayer
 noblacklist ${VIDEOS}
 
+ignore noexec /tmp
+
 # Allow java (blacklisted by disable-devel.inc)
 include allow-java.inc
 
@@ -27,6 +29,8 @@ include disable-interpreters.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+mkdir ${HOME}/.mediathek3
+whitelist ${HOME}/.mediathek3
 include whitelist-var-common.inc
 
 caps.drop all
diff --git a/etc/profile-m-z/midori.profile b/etc/profile-m-z/midori.profile
index 7928d124e..eb037f51b 100644
--- a/etc/profile-m-z/midori.profile
+++ b/etc/profile-m-z/midori.profile
@@ -12,10 +12,10 @@ include globals.local
 noblacklist ${HOME}/.cache/midori
 noblacklist ${HOME}/.config/midori
 noblacklist ${HOME}/.local/share/midori
+noblacklist ${HOME}/.local/share/pki
 # noblacklist ${HOME}/.local/share/webkit
 # noblacklist ${HOME}/.local/share/webkitgtk
 noblacklist ${HOME}/.pki
-noblacklist ${HOME}/.local/share/pki
 
 noblacklist ${HOME}/.cache/gnome-mplayer
 noblacklist ${HOME}/.config/gnome-mplayer
@@ -31,10 +31,10 @@ include disable-xdg.inc
 mkdir ${HOME}/.cache/midori
 mkdir ${HOME}/.config/midori
 mkdir ${HOME}/.local/share/midori
+mkdir ${HOME}/.local/share/pki
 mkdir ${HOME}/.local/share/webkit
 mkdir ${HOME}/.local/share/webkitgtk
 mkdir ${HOME}/.pki
-mkdir ${HOME}/.local/share/pki
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/gnome-mplayer/plugin
 whitelist ${HOME}/.cache/midori
@@ -42,10 +42,10 @@ whitelist ${HOME}/.config/gnome-mplayer
 whitelist ${HOME}/.config/midori
 whitelist ${HOME}/.lastpass
 whitelist ${HOME}/.local/share/midori
+whitelist ${HOME}/.local/share/pki
 whitelist ${HOME}/.local/share/webkit
 whitelist ${HOME}/.local/share/webkitgtk
 whitelist ${HOME}/.pki
-whitelist ${HOME}/.local/share/pki
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/otter-browser.profile b/etc/profile-m-z/otter-browser.profile
index 78f92a860..e2687bf6b 100644
--- a/etc/profile-m-z/otter-browser.profile
+++ b/etc/profile-m-z/otter-browser.profile
@@ -10,8 +10,8 @@ include globals.local
 
 noblacklist ${HOME}/.cache/Otter
 noblacklist ${HOME}/.config/otter
-noblacklist ${HOME}/.pki
 noblacklist ${HOME}/.local/share/pki
+noblacklist ${HOME}/.pki
 
 include disable-common.inc
 include disable-devel.inc
@@ -22,13 +22,13 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.cache/Otter
 mkdir ${HOME}/.config/otter
-mkdir ${HOME}/.pki
 mkdir ${HOME}/.local/share/pki
+mkdir ${HOME}/.pki
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/Otter
 whitelist ${HOME}/.config/otter
-whitelist ${HOME}/.pki
 whitelist ${HOME}/.local/share/pki
+whitelist ${HOME}/.pki
 whitelist /usr/share/otter-browser
 include whitelist-common.inc
 include whitelist-runuser-common.inc
diff --git a/etc/profile-m-z/raincat.profile b/etc/profile-m-z/raincat.profile
new file mode 100644
index 000000000..104577bdb
--- /dev/null
+++ b/etc/profile-m-z/raincat.profile
@@ -0,0 +1,49 @@
+# Firejail profile for raincat
+# This file is overwritten after every install/update
+# Persistent local customizations
+include raincat.local
+# Persistent global definitions
+include globals.local
+
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist /usr/share/games
+whitelist /usr/share/timidity
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+net none
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private
+private-bin raincat
+private-cache
+private-dev
+private-etc alternatives,drirc,ld.so.cache,ld.so.preload,machine-id,passwd,pulse,timidity,timidity.cfg
+#private-lib
+private-tmp
+
+dbus-user none
+dbus-system none
+
diff --git a/etc/profile-m-z/rambox.profile b/etc/profile-m-z/rambox.profile
index ffa2022ee..a14d7862b 100644
--- a/etc/profile-m-z/rambox.profile
+++ b/etc/profile-m-z/rambox.profile
@@ -7,8 +7,8 @@ include rambox.local
 include globals.local
 
 noblacklist ${HOME}/.config/Rambox
-noblacklist ${HOME}/.pki
 noblacklist ${HOME}/.local/share/pki
+noblacklist ${HOME}/.pki
 
 include disable-common.inc
 include disable-devel.inc
@@ -16,12 +16,12 @@ include disable-interpreters.inc
 include disable-programs.inc
 
 mkdir ${HOME}/.config/Rambox
-mkdir ${HOME}/.pki
 mkdir ${HOME}/.local/share/pki
+mkdir ${HOME}/.pki
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.config/Rambox
-whitelist ${HOME}/.pki
 whitelist ${HOME}/.local/share/pki
+whitelist ${HOME}/.pki
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/profile-m-z/rpcs3.profile b/etc/profile-m-z/rpcs3.profile
new file mode 100644
index 000000000..147afb236
--- /dev/null
+++ b/etc/profile-m-z/rpcs3.profile
@@ -0,0 +1,62 @@
+# Firejail profile for RPCS3 emulator
+# Description: RPCS3 emulator
+# This file is overwritten after every install/update
+# Persistent local customizations
+include rpcs3.local 
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/rpcs3
+noblacklist ${HOME}/.cache/rpcs3
+# Don't block access to /sbin and /usr/sbin to allow using ldconfig. Otherwise
+# won't even start.
+noblacklist /sbin
+noblacklist /usr/sbin
+
+blacklist /usr/libexec
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc # disable if PPU compilation crashes
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/rpcs3
+mkdir ${HOME}/.config/rpcs3
+whitelist ${HOME}/.cache/rpcs3
+whitelist ${HOME}/.config/rpcs3
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+netfilter
+nodvd
+nogroups
+#noinput
+nonewprivs
+noroot
+noprinters
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+#private-cache
+#private-etc ca-certificates,crypto-policies,machine-id,pki,resolv.conf,ssl # seems to need awk
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/seamonkey.profile b/etc/profile-m-z/seamonkey.profile
index 807effbeb..e67e51620 100644
--- a/etc/profile-m-z/seamonkey.profile
+++ b/etc/profile-m-z/seamonkey.profile
@@ -8,8 +8,8 @@ include globals.local
 
 noblacklist ${HOME}/.cache/mozilla
 noblacklist ${HOME}/.mozilla
-noblacklist ${HOME}/.pki
 noblacklist ${HOME}/.local/share/pki
+noblacklist ${HOME}/.pki
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,8 +18,8 @@ include disable-programs.inc
 
 mkdir ${HOME}/.cache/mozilla
 mkdir ${HOME}/.mozilla
-mkdir ${HOME}/.pki
 mkdir ${HOME}/.local/share/pki
+mkdir ${HOME}/.pki
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/gnome-mplayer/plugin
 whitelist ${HOME}/.cache/mozilla
@@ -28,11 +28,11 @@ whitelist ${HOME}/.config/pipelight-silverlight5.1
 whitelist ${HOME}/.config/pipelight-widevine
 whitelist ${HOME}/.keysnail.js
 whitelist ${HOME}/.lastpass
+whitelist ${HOME}/.local/share/pki
 whitelist ${HOME}/.mozilla
 whitelist ${HOME}/.pentadactyl
 whitelist ${HOME}/.pentadactylrc
 whitelist ${HOME}/.pki
-whitelist ${HOME}/.local/share/pki
 whitelist ${HOME}/.vimperator
 whitelist ${HOME}/.vimperatorrc
 whitelist ${HOME}/.wine-pipelight
diff --git a/etc/profile-m-z/signal-desktop.profile b/etc/profile-m-z/signal-desktop.profile
index 77a7f5b38..1166f378b 100644
--- a/etc/profile-m-z/signal-desktop.profile
+++ b/etc/profile-m-z/signal-desktop.profile
@@ -21,9 +21,15 @@ whitelist ${HOME}/.config/Signal
 
 private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,nsswitch.conf,pki,resolv.conf,ssl
 
-# allow D-Bus notifications
 dbus-user filter
+
+# allow D-Bus notifications
 dbus-user.talk org.freedesktop.Notifications
+
+# allow D-Bus communication with firefox for opening links
+dbus-user.talk org.mozilla.Firefox.*
+dbus-user.talk org.mozilla.firefox.*
+
 ignore dbus-user none
 
 # Redirect
diff --git a/etc/profile-m-z/ssh.profile b/etc/profile-m-z/ssh.profile
index 9295013e7..4da0db517 100644
--- a/etc/profile-m-z/ssh.profile
+++ b/etc/profile-m-z/ssh.profile
@@ -50,4 +50,5 @@ writable-run-user
 dbus-user none
 dbus-system none
 
+deterministic-shutdown
 memory-deny-write-execute
diff --git a/etc/profile-m-z/steam.profile b/etc/profile-m-z/steam.profile
index bcf94de51..b31818274 100644
--- a/etc/profile-m-z/steam.profile
+++ b/etc/profile-m-z/steam.profile
@@ -147,7 +147,7 @@ shell none
 
 # private-bin is disabled while in testing, but is known to work with multiple games.
 # Add the next line to your steam.local to enable private-bin.
-#private-bin awk,basename,bash,bsdtar,bzip2,cat,chmod,cksum,cmp,comm,compress,cp,curl,cut,date,dbus-launch,dbus-send,desktop-file-edit,desktop-file-install,desktop-file-validate,dirname,echo,env,expr,file,find,getopt,grep,gtar,gzip,head,hostname,id,lbzip2,ldconfig,ldd,ln,ls,lsb_release,lsof,lspci,lz4,lzip,lzma,lzop,md5sum,mkdir,mktemp,mv,netstat,ps,pulseaudio,python*,readlink,realpath,rm,sed,sh,sha1sum,sha256sum,sha512sum,sleep,sort,steam,steamdeps,steam-native,steam-runtime,sum,tail,tar,tclsh,test,touch,tr,umask,uname,update-desktop-database,wc,wget,which,whoami,xterm,xz,zenity
+#private-bin awk,basename,bash,bsdtar,bzip2,cat,chmod,cksum,cmp,comm,compress,cp,curl,cut,date,dbus-launch,dbus-send,desktop-file-edit,desktop-file-install,desktop-file-validate,dirname,echo,env,expr,file,find,getopt,grep,gtar,gzip,head,hostname,id,lbzip2,ldconfig,ldd,ln,ls,lsb_release,lsof,lspci,lz4,lzip,lzma,lzop,md5sum,mkdir,mktemp,mv,netstat,ps,pulseaudio,python*,readlink,realpath,rm,sed,sh,sha1sum,sha256sum,sha512sum,sleep,sort,steam,steamdeps,steam-native,steam-runtime,sum,tail,tar,tclsh,test,touch,tr,umask,uname,update-desktop-database,wc,wget,wget2,which,whoami,xterm,xz,zenity
 # Extra programs are available which might be needed for select games.
 # Add the next line to your steam.local to enable support for these programs.
 #private-bin java,java-config,mono
@@ -157,7 +157,7 @@ shell none
 private-dev
 # private-etc breaks a small selection of games on some systems. Add 'ignore private-etc'
 # to your steam.local to support those.
-private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,lsb-release,machine-id,mime.types,nvidia,os-release,passwd,pki,pulse,resolv.conf,services,ssl
+private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,lsb-release,machine-id,mime.types,nvidia,os-release,passwd,pki,pulse,resolv.conf,services,ssl,vulkan
 private-tmp
 
 # dbus-user none
diff --git a/etc/profile-m-z/supertuxkart.profile b/etc/profile-m-z/supertuxkart.profile
index 473472251..23c8a6c58 100644
--- a/etc/profile-m-z/supertuxkart.profile
+++ b/etc/profile-m-z/supertuxkart.profile
@@ -43,7 +43,7 @@ noroot
 notv
 nou2f
 novideo
-protocol unix,inet,inet6,bluetooth
+protocol unix,inet,inet6,netlink,bluetooth
 seccomp
 seccomp.block-secondary
 shell none
diff --git a/etc/profile-m-z/uzbl-browser.profile b/etc/profile-m-z/uzbl-browser.profile
index 41487a8f2..dcdae279f 100644
--- a/etc/profile-m-z/uzbl-browser.profile
+++ b/etc/profile-m-z/uzbl-browser.profile
@@ -8,6 +8,7 @@ include globals.local
 noblacklist ${HOME}/.config/uzbl
 noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.local/share/uzbl
+noblacklist ${HOME}/.password-store
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/profile-m-z/warzone2100.profile b/etc/profile-m-z/warzone2100.profile
index 46dca0547..5519c3c1e 100644
--- a/etc/profile-m-z/warzone2100.profile
+++ b/etc/profile-m-z/warzone2100.profile
@@ -7,19 +7,22 @@ include warzone2100.local
 include globals.local
 
 noblacklist ${HOME}/.warzone2100-3.*
+noblacklist ${HOME}/.local/share/warzone2100-3.*
 
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
-include disable-shell.inc
+#include disable-shell.inc - problems on Debian 11
 
 mkdir ${HOME}/.warzone2100-3.1
 mkdir ${HOME}/.warzone2100-3.2
+whitelist ${HOME}/.local/share/warzone2100-3.3.0 # config dir moved under .local/share
 whitelist ${HOME}/.warzone2100-3.1
 whitelist ${HOME}/.warzone2100-3.2
 whitelist /usr/share/games
+whitelist /usr/share/gdm
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
@@ -42,6 +45,6 @@ shell none
 tracelog
 
 disable-mnt
-private-bin warzone2100
+private-bin bash,dash,sh,warzone2100,which
 private-dev
 private-tmp
diff --git a/etc/profile-m-z/wget2.profile b/etc/profile-m-z/wget2.profile
new file mode 100644
index 000000000..18918c6af
--- /dev/null
+++ b/etc/profile-m-z/wget2.profile
@@ -0,0 +1,19 @@
+# Firejail profile for wget2
+# Description: Updated version of the popular wget URL retrieval tool
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include wget2.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.config/wget
+ignore noblacklist ${HOME}/.wgetrc
+
+private-bin wget2
+# Depending on workflow you can add the next line to your wget2.local.
+#private-etc wget2rc
+
+# Redirect
+include wget.profile
diff --git a/etc/profile-m-z/wine.profile b/etc/profile-m-z/wine.profile
index 1e9b9341b..f30fc971f 100644
--- a/etc/profile-m-z/wine.profile
+++ b/etc/profile-m-z/wine.profile
@@ -6,6 +6,7 @@ include wine.local
 # Persistent global definitions
 include globals.local
 
+noblacklist ${HOME}/.cache/wine
 noblacklist ${HOME}/.cache/winetricks
 noblacklist ${HOME}/.Steam
 noblacklist ${HOME}/.local/share/Steam
diff --git a/etc/profile-m-z/youtube-viewers-common.profile b/etc/profile-m-z/youtube-viewers-common.profile
index 80d551038..f212a6721 100644
--- a/etc/profile-m-z/youtube-viewers-common.profile
+++ b/etc/profile-m-z/youtube-viewers-common.profile
@@ -50,7 +50,7 @@ shell none
 tracelog
 
 disable-mnt
-private-bin bash,ffmpeg,ffprobe,firefox,mpv,perl,python*,sh,smplayer,stty,wget,which,xterm,youtube-dl,yt-dlp
+private-bin bash,ffmpeg,ffprobe,firefox,mpv,perl,python*,sh,smplayer,stty,wget,wget2,which,xterm,youtube-dl,yt-dlp
 private-cache
 private-dev
 private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,mime.types,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl,X11,xdg
diff --git a/etc/templates/profile.template b/etc/templates/profile.template
index 1a4c8fef9..aefb75c2c 100644
--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -155,6 +155,7 @@ include globals.local
 #nogroups
 #noinput
 #nonewprivs
+#noprinters
 #noroot
 #nosound
 #notv