14 files changed, 22 insertions, 23 deletions
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 444446156..4941630a2 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -77,6 +77,7 @@ blacklist ${HOME}/.config/Element
 blacklist ${HOME}/.config/Element (Riot)
 blacklist ${HOME}/.config/Enox
 blacklist ${HOME}/.config/Epic
+blacklist ${HOME}/.config/Exodus
 blacklist ${HOME}/.config/Ferdi
 blacklist ${HOME}/.config/Flavio Tordini
 blacklist ${HOME}/.config/Franz
diff --git a/etc/inc/whitelist-runuser-common.inc b/etc/inc/whitelist-runuser-common.inc
index 48309ffe3..a8cab8d07 100644
--- a/etc/inc/whitelist-runuser-common.inc
+++ b/etc/inc/whitelist-runuser-common.inc
@@ -10,7 +10,7 @@ whitelist ${RUNUSER}/gdm/Xauthority
 whitelist ${RUNUSER}/ICEauthority
 whitelist ${RUNUSER}/.mutter-Xwaylandauth.*
 whitelist ${RUNUSER}/pulse/native
-whitelist ${RUNUSER}/wayland-0
+whitelist ${RUNUSER}/pipewire-?
-whitelist ${RUNUSER}/wayland-1
+whitelist ${RUNUSER}/wayland-?
 whitelist ${RUNUSER}/xauth_*
 whitelist ${RUNUSER}/[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]
diff --git a/etc/inc/whitelist-usr-share-common.inc b/etc/inc/whitelist-usr-share-common.inc
index fe0097934..0049ce804 100644
--- a/etc/inc/whitelist-usr-share-common.inc
+++ b/etc/inc/whitelist-usr-share-common.inc
@@ -45,6 +45,7 @@ whitelist /usr/share/myspell
 whitelist /usr/share/p11-kit
 whitelist /usr/share/perl
 whitelist /usr/share/perl5
+whitelist /usr/share/pipewire
 whitelist /usr/share/pixmaps
 whitelist /usr/share/pki
 whitelist /usr/share/plasma
diff --git a/etc/profile-a-l/chromium-common.profile b/etc/profile-a-l/chromium-common.profile
index b35b6ae80..c42243e02 100644
--- a/etc/profile-a-l/chromium-common.profile
+++ b/etc/profile-a-l/chromium-common.profile
@@ -37,10 +37,6 @@ include whitelist-var-common.inc
 # Add the next line to your chromium-common.local if your kernel allows unprivileged userns clone.
 #include chromium-common-hardened.inc.profile
-# Add the next two lines to your chromium-common.local to allow screen sharing under wayland.
-#whitelist ${RUNUSER}/pipewire-0
-#whitelist /usr/share/pipewire/client.conf
 apparmor
 caps.keep sys_admin,sys_chroot
 netfilter
diff --git a/etc/profile-a-l/evince.profile b/etc/profile-a-l/evince.profile
index 77fb458ca..19ad5799c 100644
--- a/etc/profile-a-l/evince.profile
+++ b/etc/profile-a-l/evince.profile
@@ -56,7 +56,7 @@ private-cache
 private-dev
 private-etc alternatives,fonts,group,ld.so.cache,machine-id,passwd
 # private-lib might break two-page-view on some systems
-private-lib evince,gcc/*/*/libgcc_s.so.*,gcc/*/*/libstdc++.so.*,gconv,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libdjvulibre.so.*,libgconf-2.so.*,libgraphite2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,libspectre.so.*
+private-lib evince,gcc/*/*/libgcc_s.so.*,gcc/*/*/libstdc++.so.*,gconv,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libarchive.so.*,libdjvulibre.so.*,libgconf-2.so.*,libgraphite2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,libspectre.so.*
 private-tmp
 # dbus-user filtering might break two-page-view on some systems
diff --git a/etc/profile-a-l/firefox-common-addons.profile b/etc/profile-a-l/firefox-common-addons.profile
index d282f9a60..b2b7c362a 100644
--- a/etc/profile-a-l/firefox-common-addons.profile
+++ b/etc/profile-a-l/firefox-common-addons.profile
@@ -2,6 +2,7 @@
 # Persistent customizations should go in a .local file.
 include firefox-common-addons.local
+ignore whitelist ${RUNUSER}/*firefox*
 ignore include whitelist-runuser-common.inc
 ignore private-cache
diff --git a/etc/profile-a-l/firefox.profile b/etc/profile-a-l/firefox.profile
index 5a123d081..9138fed90 100644
--- a/etc/profile-a-l/firefox.profile
+++ b/etc/profile-a-l/firefox.profile
@@ -58,10 +58,8 @@ dbus-user.own org.mpris.MediaPlayer2.firefox.*
 #dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration
 #dbus-user.talk org.kde.JobViewServer
 #dbus-user.talk org.kde.kuiserver
-# Add the next three lines to your firefox.local to allow screen sharing under wayland.
+# Add the next line to your firefox.local to allow screen sharing under wayland.
-#whitelist ${RUNUSER}/pipewire-0
+#dbus-user.talk org.freedesktop.portal.Desktop
-#whitelist /usr/share/pipewire/client.conf
-#dbus-user.talk org.freedesktop.portal.*
 # Add the next line to your firefox.local if screen sharing sharing still does not work
 # with the above lines (might depend on the portal implementation).
 #ignore noroot
diff --git a/etc/profile-a-l/gallery-dl.profile b/etc/profile-a-l/gallery-dl.profile
index b2f482835..9c8200dc4 100644
--- a/etc/profile-a-l/gallery-dl.profile
+++ b/etc/profile-a-l/gallery-dl.profile
@@ -5,7 +5,8 @@ quiet
 # Persistent local customizations
 include gallery-dl.local
 # Persistent global definitions
-include globals.local
+# added by included profile
+#include globals.local
 noblacklist ${HOME}/.config/gallery-dl
 noblacklist ${HOME}/.gallery-dl.conf
diff --git a/etc/profile-a-l/gimp.profile b/etc/profile-a-l/gimp.profile
index 0786da6df..df9c2ac7a 100644
--- a/etc/profile-a-l/gimp.profile
+++ b/etc/profile-a-l/gimp.profile
@@ -13,7 +13,6 @@ include globals.local
 #ignore net
 #protocol unix,inet,inet6
 # gimp plugins are installed by the user in ${HOME}/.gimp-2.8/plug-ins/ directory
 # If you are not using external plugins, you can add 'noexec ${HOME}' to your gimp.local.
 ignore noexec ${HOME}
@@ -26,6 +25,10 @@ noblacklist ${HOME}/.gimp*
 noblacklist ${DOCUMENTS}
 noblacklist ${PICTURES}
+# See issue #4367, gimp 2.10.22-3: gegl:introspect broken
+noblacklist /sbin
+noblacklist /usr/sbin
 include disable-common.inc
 include disable-exec.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/librewolf.profile b/etc/profile-a-l/librewolf.profile
index da047357a..ebffbbabf 100644
--- a/etc/profile-a-l/librewolf.profile
+++ b/etc/profile-a-l/librewolf.profile
@@ -36,6 +36,7 @@ include whitelist-usr-share-common.inc
 #private-etc librewolf
 dbus-user filter
+dbus-user.own org.mozilla.librewolf.*
 # Add the next line to your librewolf.local to enable native notifications.
 #dbus-user.talk org.freedesktop.Notifications
 # Add the next line to your librewolf.local to allow inhibiting screensavers.
@@ -44,10 +45,8 @@ dbus-user filter
 #dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration
 #dbus-user.talk org.kde.JobViewServer
 #dbus-user.talk org.kde.kuiserver
-# Add the next three lines to your librewolf.local to allow screensharing under Wayland.
+# Add the next line to your librewolf.local to allow screensharing under Wayland.
-#whitelist ${RUNUSER}/pipewire-0
+#dbus-user.talk org.freedesktop.portal.Desktop
-#whitelist /usr/share/pipewire/client.conf
-#dbus-user.talk org.freedesktop.portal.*
 # Also add the next line to your librewolf.local if screensharing does not work with
 # the above lines (depends on the portal implementation).
 #ignore noroot
diff --git a/etc/profile-m-z/nextcloud.profile b/etc/profile-m-z/nextcloud.profile
index 06e19670a..cb499ba34 100644
--- a/etc/profile-m-z/nextcloud.profile
+++ b/etc/profile-m-z/nextcloud.profile
@@ -43,7 +43,6 @@ apparmor
 caps.drop all
 machine-id
 netfilter
-no3d
 nodvd
 nogroups
 noinput
@@ -68,4 +67,6 @@ private-tmp
 dbus-user filter
 dbus-user.talk org.freedesktop.secrets
+# Add the next line to your nextcloud.local for tray icon support
+#dbus-user.talk org.kde.StatusNotifierWatcher
 dbus-system none
diff --git a/etc/profile-m-z/xournalpp.profile b/etc/profile-m-z/xournalpp.profile
index 1ef789689..a23ad68df 100644
--- a/etc/profile-m-z/xournalpp.profile
+++ b/etc/profile-m-z/xournalpp.profile
@@ -13,7 +13,6 @@ noblacklist ${HOME}/.xournalpp
 include allow-lua.inc
-whitelist /usr/share/pipewire
 whitelist /usr/share/texlive
 whitelist /usr/share/xournalpp
 whitelist /var/lib/texmf
diff --git a/etc/profile-m-z/yt-dlp.profile b/etc/profile-m-z/yt-dlp.profile
index ab90c837e..1c3382a08 100644
--- a/etc/profile-m-z/yt-dlp.profile
+++ b/etc/profile-m-z/yt-dlp.profile
@@ -5,7 +5,8 @@ quiet
 # Persistent local customizations
 include yt-dlp.local
 # Persistent global definitions
-include globals.local
+# added by included profile
+#include globals.local
 noblacklist ${HOME}/.cache/yt-dlp
 noblacklist ${HOME}/.config/yt-dlp
diff --git a/etc/templates/profile.template b/etc/templates/profile.template
index 02dcefd35..e580a0c0c 100644
--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -102,8 +102,6 @@ include globals.local
 #include allow-ssh.inc
 ##blacklist PATH
-# Disable X11 (CLI only), see also 'x11 none' below
-#blacklist /tmp/.X11-unix
 # Disable Wayland
 #blacklist ${RUNUSER}/wayland-*
 # Disable RUNUSER (cli only; supersedes Disable Wayland)
@@ -174,7 +172,7 @@ include globals.local
 ##seccomp-error-action log (only for debugging seccomp issues)
 #shell none
 #tracelog
-# Prefer 'x11 none' instead of 'blacklist /tmp/.X11-unix' if 'net none' is set
+# Prefer 'x11 none' instead of 'disable-X11.inc' if 'net none' is set
 ##x11 none
 #disable-mnt