7 files changed, 38 insertions, 13 deletions
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index cc0c69df2..cbc8ef6d2 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -139,6 +139,7 @@ blacklist ${HOME}/.config/Rambox
 blacklist ${HOME}/.config/Riot
 blacklist ${HOME}/.config/Rocket.Chat
 blacklist ${HOME}/.config/RogueLegacy
+blacklist ${HOME}/.config/RogueLegacyStorageContainer
 blacklist ${HOME}/.config/Signal
 blacklist ${HOME}/.config/Sinew Software Systems
 blacklist ${HOME}/.config/Slack
@@ -616,7 +617,8 @@ blacklist ${HOME}/.local/share/QGIS
 blacklist ${HOME}/.local/share/QMediathekView
 blacklist ${HOME}/.local/share/QuiteRss
 blacklist ${HOME}/.local/share/Ricochet
-blacklist ${HOME}/.local/share/RogueLegacy*
+blacklist ${HOME}/.local/share/RogueLegacy
+blacklist ${HOME}/.local/share/RogueLegacyStorageContainer
 blacklist ${HOME}/.local/share/Shortwave
 blacklist ${HOME}/.local/share/Steam
 blacklist ${HOME}/.local/share/SteamWorldDig
diff --git a/etc/profile-a-l/audio-recorder.profile b/etc/profile-a-l/audio-recorder.profile
index b2ed3b030..2c7fdc812 100644
--- a/etc/profile-a-l/audio-recorder.profile
+++ b/etc/profile-a-l/audio-recorder.profile
@@ -20,6 +20,7 @@ include disable-xdg.inc
 whitelist ${MUSIC}
 whitelist ${DOWNLOADS}
 whitelist /usr/share/audio-recorder
+whitelist /usr/share/gstreamer-1.0
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -44,7 +45,11 @@ tracelog
 disable-mnt
 # private-bin audio-recorder
 private-cache
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload
 private-tmp
+dbus-user filter
+dbus-user.talk ca.desrt.dconf
+dbus-system none
 # memory-deny-write-execute - breaks on Arch
diff --git a/etc/profile-a-l/discord-common.profile b/etc/profile-a-l/discord-common.profile
index b583f1a1d..b83e626d9 100644
--- a/etc/profile-a-l/discord-common.profile
+++ b/etc/profile-a-l/discord-common.profile
@@ -18,6 +18,7 @@ ignore dbus-user none
 ignore dbus-system none
 ignore noexec ${HOME}
+ignore novideo
 whitelist ${HOME}/.config/BetterDiscord
 whitelist ${HOME}/.local/share/betterdiscordctl
diff --git a/etc/profile-a-l/firefox.profile b/etc/profile-a-l/firefox.profile
index cefba93d4..b22a78458 100644
--- a/etc/profile-a-l/firefox.profile
+++ b/etc/profile-a-l/firefox.profile
@@ -6,6 +6,14 @@ include firefox.local
 # Persistent global definitions
 include globals.local
+# NOTE: sandboxing web browsers is as important as it is complex. Users might be
+# interested in creating custom profiles depending on use case (e.g. one for
+# general browsing, another for banking, ...). Consult our FAQ/issue tracker for more
+# info. Here are a few links to get you going.
+# https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions#firefox-doesnt-open-in-a-new-sandbox-instead-it-opens-a-new-tab-in-an-existing-firefox-instance
+# https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions#how-do-i-run-two-instances-of-firefox
+# https://github.com/netblue30/firejail/issues/4206#issuecomment-824806968
 noblacklist ${HOME}/.cache/mozilla
 noblacklist ${HOME}/.mozilla
diff --git a/etc/profile-m-z/regextester.profile b/etc/profile-m-z/regextester.profile
index 6fb0d4b5f..bab2badb5 100644
--- a/etc/profile-m-z/regextester.profile
+++ b/etc/profile-m-z/regextester.profile
@@ -16,9 +16,8 @@ include disable-shell.inc
 include disable-xdg.inc
 whitelist /usr/share/com.github.artemanufrij.regextester
-include whitelist-usr-share-common.inc
 include whitelist-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 apparmor
@@ -48,11 +47,9 @@ private-etc alternatives,fonts
 private-lib libgranite.so.*
 private-tmp
-# makes settings immutable
+dbus-user filter
-# dbus-user none
+dbus-user.talk ca.desrt.dconf
-# dbus-system none
+dbus-system none
-memory-deny-write-execute
 # never write anything
 read-only ${HOME}
diff --git a/etc/profile-m-z/steam.profile b/etc/profile-m-z/steam.profile
index 0bcbe6da2..922823f98 100644
--- a/etc/profile-m-z/steam.profile
+++ b/etc/profile-m-z/steam.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/Epic
 noblacklist ${HOME}/.config/Loop_Hero
 noblacklist ${HOME}/.config/ModTheSpire
 noblacklist ${HOME}/.config/RogueLegacy
+noblacklist ${HOME}/.config/RogueLegacyStorageContainer
 noblacklist ${HOME}/.killingfloor
 noblacklist ${HOME}/.klei
 noblacklist ${HOME}/.local/share/3909/PapersPlease
@@ -22,7 +23,8 @@ noblacklist ${HOME}/.local/share/feral-interactive
 noblacklist ${HOME}/.local/share/IntoTheBreach
 noblacklist ${HOME}/.local/share/Paradox Interactive
 noblacklist ${HOME}/.local/share/PillarsOfEternity
-noblacklist ${HOME}/.local/share/RogueLegacy*
+noblacklist ${HOME}/.local/share/RogueLegacy
+noblacklist ${HOME}/.local/share/RogueLegacyStorageContainer
 noblacklist ${HOME}/.local/share/Steam
 noblacklist ${HOME}/.local/share/SteamWorldDig
 noblacklist ${HOME}/.local/share/SteamWorld Dig 2
@@ -69,7 +71,7 @@ mkdir ${HOME}/.local/share/feral-interactive
 mkdir ${HOME}/.local/share/IntoTheBreach
 mkdir ${HOME}/.local/share/Paradox Interactive
 mkdir ${HOME}/.local/share/PillarsOfEternity
-mkdir ${HOME}/.local/share/RogueLegacy*
+mkdir ${HOME}/.local/share/RogueLegacy
 mkdir ${HOME}/.local/share/Steam
 mkdir ${HOME}/.local/share/SteamWorldDig
 mkdir ${HOME}/.local/share/SteamWorld Dig 2
@@ -86,6 +88,7 @@ whitelist ${HOME}/.config/Epic
 whitelist ${HOME}/.config/Loop_Hero
 whitelist ${HOME}/.config/ModTheSpire
 whitelist ${HOME}/.config/RogueLegacy
+whitelist ${HOME}/.config/RogueLegacyStorageContainer
 whitelist ${HOME}/.config/unity3d
 whitelist ${HOME}/.killingfloor
 whitelist ${HOME}/.klei
@@ -99,7 +102,8 @@ whitelist ${HOME}/.local/share/feral-interactive
 whitelist ${HOME}/.local/share/IntoTheBreach
 whitelist ${HOME}/.local/share/Paradox Interactive
 whitelist ${HOME}/.local/share/PillarsOfEternity
-whitelist ${HOME}/.local/share/RogueLegacy*
+whitelist ${HOME}/.local/share/RogueLegacy
+whitelist ${HOME}/.local/share/RogueLegacyStorageContainer
 whitelist ${HOME}/.local/share/Steam
 whitelist ${HOME}/.local/share/SteamWorldDig
 whitelist ${HOME}/.local/share/SteamWorld Dig 2
@@ -115,6 +119,14 @@ whitelist ${HOME}/.steampid
 include whitelist-common.inc
 include whitelist-var-common.inc
+# Note: The following were intentionally left out as they are alternative
+# (i.e.: unnecessary and/or legacy) paths whose existence may potentially
+# clobber other paths (see #4225).  If you use any, either add the entry to
+# steam.local or move the contents to a path listed above (or open an issue if
+# it's missing above).
+#mkdir ${HOME}/.config/RogueLegacyStorageContainer
+#mkdir ${HOME}/.local/share/RogueLegacyStorageContainer
 caps.drop all
 #ipc-namespace
 netfilter
diff --git a/etc/profile-m-z/xfce4-mixer.profile b/etc/profile-m-z/xfce4-mixer.profile
index 78cb2862c..d9d1cd393 100644
--- a/etc/profile-m-z/xfce4-mixer.profile
+++ b/etc/profile-m-z/xfce4-mixer.profile
@@ -19,7 +19,7 @@ include disable-xdg.inc
 mkfile ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml
 whitelist ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml
-whitelist /usr/share/gstreamer
+whitelist /usr/share/gstreamer-*
 whitelist /usr/share/xfce4
 whitelist /usr/share/xfce4-mixer
 include whitelist-common.inc