33 files changed, 214 insertions, 79 deletions
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index 65159b951..5f4233363 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -556,6 +556,7 @@ blacklist ${PATH}/ss
 blacklist ${PATH}/traceroute
 # other SUID binaries
+blacklist /opt/microsoft/msedge*/msedge-sandbox
 blacklist /usr/lib/virtualbox
 blacklist /usr/lib64/virtualbox
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 40c123968..c7e2f2ca9 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -320,6 +320,7 @@ blacklist ${HOME}/.config/PacmanLogViewer
 blacklist ${HOME}/.config/PawelStolowski
 blacklist ${HOME}/.config/Philipp Schmieder
 blacklist ${HOME}/.config/Pinta
+blacklist ${HOME}/.config/Postman
 blacklist ${HOME}/.config/QGIS
 blacklist ${HOME}/.config/QMediathekView
 blacklist ${HOME}/.config/QQ
@@ -412,6 +413,7 @@ blacklist ${HOME}/.config/digikam
 blacklist ${HOME}/.config/digikamrc
 blacklist ${HOME}/.config/discord
 blacklist ${HOME}/.config/discordcanary
+blacklist ${HOME}/.config/discordptb
 blacklist ${HOME}/.config/dkl
 blacklist ${HOME}/.config/dnox
 blacklist ${HOME}/.config/dolphin-emu
@@ -479,6 +481,7 @@ blacklist ${HOME}/.config/inox
 blacklist ${HOME}/.config/iridium
 blacklist ${HOME}/.config/itch
 blacklist ${HOME}/.config/jami
+blacklist ${HOME}/.config/jami.net
 blacklist ${HOME}/.config/jd-gui.cfg
 blacklist ${HOME}/.config/jgit
 blacklist ${HOME}/.config/k3brc
@@ -1182,6 +1185,7 @@ blacklist ${HOME}/Arduino
 blacklist ${HOME}/Monero/wallets
 blacklist ${HOME}/Nextcloud
 blacklist ${HOME}/Nextcloud/Notes
+blacklist ${HOME}/Postman
 blacklist ${HOME}/Seafile/.seafile-data
 blacklist ${HOME}/SoftMaker
 blacklist ${HOME}/Standard Notes Backups
diff --git a/etc/profile-a-l/DiscordPTB.profile b/etc/profile-a-l/DiscordPTB.profile
new file mode 100644
index 000000000..4570f0103
--- /dev/null
+++ b/etc/profile-a-l/DiscordPTB.profile
@@ -0,0 +1,10 @@
+# Firejail profile for DiscordPTB
+# This file is overwritten after every install/update
+# Persistent local customizations
+include DiscordPTB.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include discord-ptb.profile
diff --git a/etc/profile-a-l/agetpkg.profile b/etc/profile-a-l/agetpkg.profile
index 7a36302f1..9ebbf1cb0 100644
--- a/etc/profile-a-l/agetpkg.profile
+++ b/etc/profile-a-l/agetpkg.profile
@@ -28,7 +28,6 @@ include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 caps.drop all
-hostname agetpkg
 ipc-namespace
 machine-id
 netfilter
diff --git a/etc/profile-a-l/ani-cli.profile b/etc/profile-a-l/ani-cli.profile
index 270dffaed..231b5bca0 100644
--- a/etc/profile-a-l/ani-cli.profile
+++ b/etc/profile-a-l/ani-cli.profile
@@ -30,7 +30,7 @@ noprinters
 notv
 disable-mnt
-private-bin ani-cli,aria2c,cat,cp,curl,cut,ffmpeg,fzf,grep,head,mkdir,mv,nl,sed,sh,sort,tput,tr,uname,wc
+private-bin ani-cli,aria2c,cat,cp,curl,cut,ffmpeg,fzf,grep,head,mkdir,mv,nl,nohup,patch,sed,sh,sort,tail,tput,tr,uname,wc
 #private-cache
 private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg
 private-tmp
diff --git a/etc/profile-a-l/archiver-common.profile b/etc/profile-a-l/archiver-common.profile
index ef875c5b7..487e0c5f8 100644
--- a/etc/profile-a-l/archiver-common.profile
+++ b/etc/profile-a-l/archiver-common.profile
@@ -23,7 +23,6 @@ include disable-shell.inc
 apparmor
 caps.drop all
-hostname archiver
 ipc-namespace
 machine-id
 net none
diff --git a/etc/profile-a-l/chafa.profile b/etc/profile-a-l/chafa.profile
index 72f79681d..f21a34f36 100644
--- a/etc/profile-a-l/chafa.profile
+++ b/etc/profile-a-l/chafa.profile
@@ -39,6 +39,7 @@ nosound
 notv
 nou2f
 novideo
+# block socket syscall to simulate empty protocol option (see #639)
 seccomp socket
 seccomp.block-secondary
 tracelog
diff --git a/etc/profile-a-l/discord-ptb.profile b/etc/profile-a-l/discord-ptb.profile
new file mode 100644
index 000000000..c39c0d843
--- /dev/null
+++ b/etc/profile-a-l/discord-ptb.profile
@@ -0,0 +1,17 @@
+# Firejail profile for discord-ptb   
+# This file is overwritten after every install/update
+# Persistent local customizations
+include discord-ptb.local   
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/discordptb   
+mkdir ${HOME}/.config/discordptb   
+whitelist ${HOME}/.config/discordptb   
+private-bin discord-ptb,DiscordPTB   
+private-opt discord-ptb,DiscordPTB   
+# Redirect
+include discord-common.profile
diff --git a/etc/profile-a-l/engrampa.profile b/etc/profile-a-l/engrampa.profile
index 1118c3bf0..e1d107dc7 100644
--- a/etc/profile-a-l/engrampa.profile
+++ b/etc/profile-a-l/engrampa.profile
@@ -10,18 +10,21 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
+include disable-proc.inc
 include disable-programs.inc
 include whitelist-var-common.inc
 apparmor
 caps.drop all
+machine-id
 net none
 no3d
 nodvd
 nogroups
 noinput
 nonewprivs
+noprinters
 noroot
 nosound
 notv
@@ -29,6 +32,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 tracelog
 # private-bin engrampa
diff --git a/etc/profile-a-l/file-roller.profile b/etc/profile-a-l/file-roller.profile
index 4f39bec55..78e2751b3 100644
--- a/etc/profile-a-l/file-roller.profile
+++ b/etc/profile-a-l/file-roller.profile
@@ -29,6 +29,7 @@ nodvd
 nogroups
 noinput
 nonewprivs
+noprinters
 noroot
 nosound
 notv
@@ -45,6 +46,10 @@ private-dev
 private-etc @x11
 # private-tmp
+dbus-user filter
+dbus-user.own org.gnome.ArchiveManager1
+dbus-user.own org.gnome.FileRoller
+dbus-user.talk ca.desrt.dconf
 dbus-system none
 restrict-namespaces
diff --git a/etc/profile-a-l/file.profile b/etc/profile-a-l/file.profile
index a5fd05bc7..78f1327c5 100644
--- a/etc/profile-a-l/file.profile
+++ b/etc/profile-a-l/file.profile
@@ -15,7 +15,6 @@ include disable-programs.inc
 apparmor
 caps.drop all
-hostname file
 ipc-namespace
 machine-id
 net none
diff --git a/etc/profile-a-l/galculator.profile b/etc/profile-a-l/galculator.profile
index 96ded592d..44d62cc86 100644
--- a/etc/profile-a-l/galculator.profile
+++ b/etc/profile-a-l/galculator.profile
@@ -23,7 +23,6 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
-#hostname galculator - breaks Arch Linux
 #ipc-namespace
 net none
 nodvd
diff --git a/etc/profile-a-l/gallery-dl.profile b/etc/profile-a-l/gallery-dl.profile
index 9c8200dc4..9643820e7 100644
--- a/etc/profile-a-l/gallery-dl.profile
+++ b/etc/profile-a-l/gallery-dl.profile
@@ -15,4 +15,4 @@ private-bin gallery-dl
 private-etc gallery-dl.conf
 # Redirect
-include youtube-dl.profile
+include yt-dlp.profile
diff --git a/etc/profile-a-l/gdu.profile b/etc/profile-a-l/gdu.profile
index 4eb94edf4..4066a1ebf 100644
--- a/etc/profile-a-l/gdu.profile
+++ b/etc/profile-a-l/gdu.profile
@@ -26,7 +26,7 @@ nosound
 notv
 nou2f
 novideo
-# block the socket syscall to simulate an be empty protocol line, see #639
+# block socket syscall to simulate empty protocol option (see #639)
 seccomp socket
 seccomp.block-secondary
 x11 none
diff --git a/etc/profile-a-l/geekbench.profile b/etc/profile-a-l/geekbench.profile
index 3a929774a..e8d4c013f 100644
--- a/etc/profile-a-l/geekbench.profile
+++ b/etc/profile-a-l/geekbench.profile
@@ -25,7 +25,6 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
-hostname geekbench
 ipc-namespace
 machine-id
 netfilter
diff --git a/etc/profile-a-l/jami.profile b/etc/profile-a-l/jami.profile
new file mode 100644
index 000000000..deff54bcd
--- /dev/null
+++ b/etc/profile-a-l/jami.profile
@@ -0,0 +1,18 @@
+# Firejail profile for jami
+# Description: An encrypted peer-to-peer messenger
+# This file is overwritten after every install/update
+# Persistent local customizations
+include jami.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+noblacklist ${HOME}/.config/jami.net
+mkdir ${HOME}/.config/jami.net
+mkdir ${HOME}/Videos/Jami
+whitelist ${HOME}/.config/jami.net
+whitelist ${HOME}/Videos/Jami
+# Redirect
+include jami-gnome.profile
diff --git a/etc/profile-a-l/keepassxc.profile b/etc/profile-a-l/keepassxc.profile
index f7959ca81..4e8c8e449 100644
--- a/etc/profile-a-l/keepassxc.profile
+++ b/etc/profile-a-l/keepassxc.profile
@@ -93,6 +93,7 @@ private-etc
 private-tmp
 dbus-user filter
+dbus-user.own org.freedesktop.secrets
 dbus-user.own org.keepassxc.KeePassXC.*
 dbus-user.talk com.canonical.Unity
 dbus-user.talk org.freedesktop.ScreenSaver
diff --git a/etc/profile-m-z/Postman.profile b/etc/profile-m-z/Postman.profile
new file mode 100644
index 000000000..d08acf60b
--- /dev/null
+++ b/etc/profile-m-z/Postman.profile
@@ -0,0 +1,10 @@
+# Firejail profile for Postman
+# This file is overwritten after every install/update
+# Persistent local customizations
+include Postman.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include postman.profile
diff --git a/etc/profile-m-z/mdr.profile b/etc/profile-m-z/mdr.profile
index d3b3c6d48..7b83d61e1 100644
--- a/etc/profile-m-z/mdr.profile
+++ b/etc/profile-m-z/mdr.profile
@@ -21,7 +21,6 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
-hostname mdr
 ipc-namespace
 machine-id
 net none
diff --git a/etc/profile-m-z/microsoft-edge-beta.profile b/etc/profile-m-z/microsoft-edge-beta.profile
index 63844ad70..6843c11c7 100644
--- a/etc/profile-m-z/microsoft-edge-beta.profile
+++ b/etc/profile-m-z/microsoft-edge-beta.profile
@@ -1,5 +1,5 @@
 # Firejail profile for Microsoft Edge Beta
-# Description: Web browser from Microsoft,beta channel
+# Description: Web browser from Microsoft, beta channel
 # This file is overwritten after every install/update
 # Persistent local customizations
 include microsoft-edge-beta.local
@@ -8,6 +8,7 @@ include globals.local
 noblacklist ${HOME}/.cache/microsoft-edge-beta
 noblacklist ${HOME}/.config/microsoft-edge-beta
+noblacklist /opt/microsoft/msedge-beta/msedge-sandbox
 mkdir ${HOME}/.cache/microsoft-edge-beta
 mkdir ${HOME}/.config/microsoft-edge-beta
@@ -15,6 +16,8 @@ whitelist ${HOME}/.cache/microsoft-edge-beta
 whitelist ${HOME}/.config/microsoft-edge-beta
 whitelist /opt/microsoft/msedge-beta
+# private-opt might break the file-copy-limit, see #5307
+#private-opt microsoft
 # Redirect
 include chromium-common.profile
diff --git a/etc/profile-m-z/microsoft-edge-dev.profile b/etc/profile-m-z/microsoft-edge-dev.profile
index b01fd7c25..b9cdaf98b 100644
--- a/etc/profile-m-z/microsoft-edge-dev.profile
+++ b/etc/profile-m-z/microsoft-edge-dev.profile
@@ -1,5 +1,5 @@
 # Firejail profile for Microsoft Edge Dev
-# Description: Web browser from Microsoft,dev channel
+# Description: Web browser from Microsoft, dev channel
 # This file is overwritten after every install/update
 # Persistent local customizations
 include microsoft-edge-dev.local
@@ -8,6 +8,7 @@ include globals.local
 noblacklist ${HOME}/.cache/microsoft-edge-dev
 noblacklist ${HOME}/.config/microsoft-edge-dev
+noblacklist /opt/microsoft/msedge-dev/msedge-sandbox
 mkdir ${HOME}/.cache/microsoft-edge-dev
 mkdir ${HOME}/.config/microsoft-edge-dev
@@ -15,6 +16,8 @@ whitelist ${HOME}/.cache/microsoft-edge-dev
 whitelist ${HOME}/.config/microsoft-edge-dev
 whitelist /opt/microsoft/msedge-dev
+# private-opt might break file-copy-limit, see #5307
+#private-opt microsoft
 # Redirect
 include chromium-common.profile
diff --git a/etc/profile-m-z/microsoft-edge-stable.profile b/etc/profile-m-z/microsoft-edge-stable.profile
new file mode 100644
index 000000000..c5b2b4301
--- /dev/null
+++ b/etc/profile-m-z/microsoft-edge-stable.profile
@@ -0,0 +1,11 @@
+# Firejail profile for Microsoft Edge Stable
+# Description: Web browser from Microsoft, stable channel
+# This file is overwritten after every install/update
+# Persistent local customizations
+include microsoft-edge-stable.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include microsoft-edge.profile
diff --git a/etc/profile-m-z/microsoft-edge.profile b/etc/profile-m-z/microsoft-edge.profile
index 4cd8c85a5..ededb9cbd 100644
--- a/etc/profile-m-z/microsoft-edge.profile
+++ b/etc/profile-m-z/microsoft-edge.profile
@@ -1,5 +1,5 @@
 # Firejail profile for Microsoft Edge
-# Description: Web browser from Microsoft,stable channel
+# Description: Web browser from Microsoft, stable channel
 # This file is overwritten after every install/update
 # Persistent local customizations
 include microsoft-edge.local
@@ -8,6 +8,7 @@ include globals.local
 noblacklist ${HOME}/.cache/microsoft-edge
 noblacklist ${HOME}/.config/microsoft-edge
+noblacklist /opt/microsoft/msedge/msedge-sandbox
 mkdir ${HOME}/.cache/microsoft-edge
 mkdir ${HOME}/.config/microsoft-edge
@@ -15,6 +16,8 @@ whitelist ${HOME}/.cache/microsoft-edge
 whitelist ${HOME}/.config/microsoft-edge
 whitelist /opt/microsoft/msedge
+# private-opt might break default file-copy-limit, see #5307
+#private-opt microsoft
 # Redirect
 include chromium-common.profile
diff --git a/etc/profile-m-z/pngquant.profile b/etc/profile-m-z/pngquant.profile
index 34199a08d..481bade92 100644
--- a/etc/profile-m-z/pngquant.profile
+++ b/etc/profile-m-z/pngquant.profile
@@ -38,7 +38,7 @@ nosound
 notv
 nou2f
 novideo
-# block the socket syscall to simulate an be empty protocol line, see #639
+# block socket syscall to simulate empty protocol option (see #639)
 seccomp socket
 tracelog
 x11 none
diff --git a/etc/profile-m-z/postman.profile b/etc/profile-m-z/postman.profile
new file mode 100644
index 000000000..c8f00584d
--- /dev/null
+++ b/etc/profile-m-z/postman.profile
@@ -0,0 +1,28 @@
+# Firejail profile for postman
+# Description: API testing platform
+# This file is overwritten after every install/update
+# Persistent local customizations
+include postman.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/Postman
+noblacklist ${HOME}/Postman
+mkdir ${HOME}/.config/Postman
+mkdir ${HOME}/Postman
+whitelist ${HOME}/.config/Postman
+whitelist ${HOME}/Postman
+include whitelist-run-common.inc
+protocol unix,inet,inet6,netlink
+private-bin electron,electron[0-9],electron[0-9][0-9],locale,node,Postman,postman,sh
+private-etc alternatives,ca-certificates,crypto-policies,fonts,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,nsswitch.conf,pki,resolv.conf,ssl
+# private-opt breaks file-copy-limit, use a whitelist instead of draining RAM
+# https://github.com/netblue30/firejail/discussions/5307
+#private-opt postman
+whitelist /opt/postman
+# Redirect
+include electron-common.profile
diff --git a/etc/profile-m-z/qpdf.profile b/etc/profile-m-z/qpdf.profile
index 0c1e09e92..edec7cf0a 100644
--- a/etc/profile-m-z/qpdf.profile
+++ b/etc/profile-m-z/qpdf.profile
@@ -31,7 +31,6 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
-hostname qpdf
 ipc-namespace
 machine-id
 net none
@@ -46,7 +45,7 @@ nosound
 notv
 nou2f
 novideo
-# block the socket syscall to simulate an be empty protocol line, see #639
+# block socket syscall to simulate empty protocol option (see #639)
 seccomp socket
 tracelog
 x11 none
diff --git a/etc/profile-m-z/tesseract.profile b/etc/profile-m-z/tesseract.profile
index 54568b7d3..5babfb8d2 100644
--- a/etc/profile-m-z/tesseract.profile
+++ b/etc/profile-m-z/tesseract.profile
@@ -31,7 +31,6 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
-hostname tesseract
 ipc-namespace
 machine-id
 net none
diff --git a/etc/profile-m-z/tutanota-desktop.profile b/etc/profile-m-z/tutanota-desktop.profile
index 4af8b9292..4793e9dbb 100644
--- a/etc/profile-m-z/tutanota-desktop.profile
+++ b/etc/profile-m-z/tutanota-desktop.profile
@@ -1,5 +1,5 @@
 # Firejail profile for tutanota-desktop
-# Description: Encrypted email client
+# Description: Official desktop client for the Tutanota E2E encrypted email provider
 # This file is overwritten after every install/update
 # Persistent local customizations
 include tutanota-desktop.local
@@ -9,8 +9,13 @@ include globals.local
 noblacklist ${HOME}/.config/tuta_integration
 noblacklist ${HOME}/.config/tutanota-desktop
+ignore dbus-user none
+ignore disable-mnt
 ignore noexec /tmp
+# sh is needed to allow Firefox to open links
+include allow-bin-sh.inc
 include disable-shell.inc
 mkdir ${HOME}/.config/tuta_integration
@@ -18,14 +23,26 @@ mkdir ${HOME}/.config/tutanota-desktop
 whitelist ${HOME}/.config/tuta_integration
 whitelist ${HOME}/.config/tutanota-desktop
-# These lines are needed to allow Firefox to open links
+# The lines below are needed to find the default Firefox profile name, to allow
+# opening links in an existing instance of Firefox (note that it still fails if
+# there isn't a Firefox instance running with the default profile; see #5352)
 noblacklist ${HOME}/.mozilla
 whitelist ${HOME}/.mozilla/firefox/profiles.ini
 read-only ${HOME}/.mozilla/firefox/profiles.ini
+machine-id
+nosound
 ?HAS_APPIMAGE: ignore private-dev
 private-etc @tls-ca
 private-opt tutanota-desktop
+dbus-user filter
+dbus-user.talk org.freedesktop.Notifications
+dbus-user.talk org.freedesktop.secrets
+dbus-user.talk org.gnome.keyring.SystemPrompter
+# allow D-Bus communication with firefox for opening links
+dbus-user.talk org.mozilla.*
 # Redirect
 include electron-common.profile
diff --git a/etc/profile-m-z/unf.profile b/etc/profile-m-z/unf.profile
index aac99aed5..cdfd72a5b 100644
--- a/etc/profile-m-z/unf.profile
+++ b/etc/profile-m-z/unf.profile
@@ -24,7 +24,6 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
-hostname unf
 ipc-namespace
 machine-id
 net none
diff --git a/etc/profile-m-z/uudeview.profile b/etc/profile-m-z/uudeview.profile
index a6d2a65e9..9a9915669 100644
--- a/etc/profile-m-z/uudeview.profile
+++ b/etc/profile-m-z/uudeview.profile
@@ -19,7 +19,6 @@ include disable-shell.inc
 include whitelist-usr-share-common.inc
 caps.drop all
-hostname uudeview
 ipc-namespace
 machine-id
 net none
diff --git a/etc/profile-m-z/whois.profile b/etc/profile-m-z/whois.profile
index 8958564ef..8265e1ff8 100644
--- a/etc/profile-m-z/whois.profile
+++ b/etc/profile-m-z/whois.profile
@@ -22,7 +22,6 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
-hostname whois
 ipc-namespace
 machine-id
 netfilter
diff --git a/etc/profile-m-z/youtube-dl.profile b/etc/profile-m-z/youtube-dl.profile
index 8376b4989..9e81d745d 100644
--- a/etc/profile-m-z/youtube-dl.profile
+++ b/etc/profile-m-z/youtube-dl.profile
@@ -5,63 +5,17 @@ quiet
 # Persistent local customizations
 include youtube-dl.local
 # Persistent global definitions
-include globals.local
+# added by included profile
+#include globals.local
-# breaks when installed under ${HOME} via `pip install --user` (see #2833)
-ignore noexec ${HOME}
 noblacklist ${HOME}/.cache/youtube-dl
 noblacklist ${HOME}/.config/youtube-dl
-noblacklist ${HOME}/.netrc
-noblacklist ${MUSIC}
-noblacklist ${VIDEOS}
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
-include allow-python3.inc
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-programs.inc
-include disable-shell.inc
-include disable-xdg.inc
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
-apparmor
-caps.drop all
-ipc-namespace
-machine-id
-netfilter
-no3d
-nodvd
-nogroups
-noinput
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix,inet,inet6
-seccomp
-seccomp.block-secondary
-tracelog
-private-bin env,ffmpeg,python*,youtube-dl
-private-cache
-private-dev
-private-etc @tls-ca,mime.types,youtube-dl.conf
-private-tmp
-dbus-user none
+private-bin youtube-dl
-dbus-system none
+private-etc youtube-dl.conf
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+# Redirect
-restrict-namespaces
+include yt-dlp.profile
diff --git a/etc/profile-m-z/yt-dlp.profile b/etc/profile-m-z/yt-dlp.profile
index 49d4b3b56..97f9e620a 100644
--- a/etc/profile-m-z/yt-dlp.profile
+++ b/etc/profile-m-z/yt-dlp.profile
@@ -5,17 +5,73 @@ quiet
 # Persistent local customizations
 include yt-dlp.local
 # Persistent global definitions
-# added by included profile
+include globals.local
-#include globals.local
+# If you installed via pip under ${HOME}
+# add 'ignore noexec ${HOME}' in yt-dlp.local.
+# AppArmor needs to allow it too,
+# add 'ignore apparmor' in yt-dlp.local
+# OR in /etc/apparmor.d/local/firejail-default add:
+# 'owner @HOME/.local/bin/** ix,'
+# 'owner @HOME/.local/lib/python*/** ix,'
+# then run the command
+# 'sudo apparmor_parser -r /etc/apparmor.d/firejail-default'
 noblacklist ${HOME}/.cache/yt-dlp
 noblacklist ${HOME}/.config/yt-dlp
 noblacklist ${HOME}/.config/yt-dlp.conf
 noblacklist ${HOME}/yt-dlp.conf
 noblacklist ${HOME}/yt-dlp.conf.txt
+noblacklist ${HOME}/.netrc
+noblacklist ${MUSIC}
+noblacklist ${VIDEOS}
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+tracelog
+private-bin env,ffmpeg,ffprobe,python*,yt-dlp
+private-cache
+private-dev
+private-etc @tls-ca,mime.types,yt-dlp.conf
+private-tmp
+dbus-user none
+dbus-system none
-private-bin ffprobe,yt-dlp
+memory-deny-write-execute
-private-etc yt-dlp.conf
-# Redirect
+restrict-namespaces
-include youtube-dl.profile