150 files changed, 895 insertions, 213 deletions
diff --git a/etc/7z.profile b/etc/7z.profile
index 5ff02e1c0..b60bb9ee9 100644
--- a/etc/7z.profile
+++ b/etc/7z.profile
@@ -7,6 +7,8 @@ include 7z.local
 # Persistent global definitions
 include globals.local
+blacklist ${RUNUSER}/wayland-*
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/allow-common-devel.inc b/etc/allow-common-devel.inc
index 1d794462c..63174eda6 100644
--- a/etc/allow-common-devel.inc
+++ b/etc/allow-common-devel.inc
@@ -1,17 +1,21 @@
-# Rust
+# This file is overwritten during software install.
-noblacklist ${HOME}/.cargo/config
+# Persistent customizations should go in a .local file.
-noblacklist ${HOME}/.cargo/registry
+include allow-common-devel.local
 # Git
 noblacklist ${HOME}/.config/git
 noblacklist ${HOME}/.gitconfig
 noblacklist ${HOME}/.git-credentials
+# Java
+noblacklist ${HOME}/.gradle
+noblacklist ${HOME}/.java
 # Python
 noblacklist ${HOME}/.python-history
 noblacklist ${HOME}/.python_history
 noblacklist ${HOME}/.pythonhist
-# Java
+# Rust
-noblacklist ${HOME}/.gradle
+noblacklist ${HOME}/.cargo/config
-noblacklist ${HOME}/.java
+noblacklist ${HOME}/.cargo/registry
diff --git a/etc/allow-gjs.inc b/etc/allow-gjs.inc
new file mode 100644
index 000000000..f552ede9d
--- /dev/null
+++ b/etc/allow-gjs.inc
@@ -0,0 +1,10 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include allow-gjs.local
+noblacklist ${PATH}/gjs
+noblacklist ${PATH}/gjs-console
+noblacklist /usr/lib/gjs
+noblacklist /usr/lib64/gjs
+noblacklist /usr/lib/libgjs*
+noblacklist /usr/lib64/libgjs*
diff --git a/etc/allow-java.inc b/etc/allow-java.inc
index 5204d2dea..24d18fb77 100644
--- a/etc/allow-java.inc
+++ b/etc/allow-java.inc
@@ -1,6 +1,9 @@
-noblacklist ${HOME}/.java
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include allow-java.local
+noblacklist ${HOME}/.java
 noblacklist ${PATH}/java
-noblacklist /usr/lib/java
 noblacklist /etc/java
+noblacklist /usr/lib/java
 noblacklist /usr/share/java
diff --git a/etc/allow-lua.inc b/etc/allow-lua.inc
index 51d76f9b1..fbdee22ee 100644
--- a/etc/allow-lua.inc
+++ b/etc/allow-lua.inc
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include allow-lua.local
 noblacklist ${PATH}/lua*
 noblacklist /usr/include/lua*
 noblacklist /usr/lib/lua
diff --git a/etc/allow-perl.inc b/etc/allow-perl.inc
index d37328936..f44e1e3cc 100644
--- a/etc/allow-perl.inc
+++ b/etc/allow-perl.inc
@@ -1,5 +1,9 @@
-noblacklist ${PATH}/cpan*
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include allow-perl.local
 noblacklist ${PATH}/core_perl
+noblacklist ${PATH}/cpan*
 noblacklist ${PATH}/perl
 noblacklist ${PATH}/site_perl
 noblacklist ${PATH}/vendor_perl
diff --git a/etc/allow-php.inc b/etc/allow-php.inc
new file mode 100644
index 000000000..a0950dc26
--- /dev/null
+++ b/etc/allow-php.inc
@@ -0,0 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include allow-php.local
+noblacklist ${PATH}/php*
+noblacklist /usr/lib/php*
+noblacklist /usr/share/php*
diff --git a/etc/allow-python2.inc b/etc/allow-python2.inc
index 8ea61648b..b0525e2e1 100644
--- a/etc/allow-python2.inc
+++ b/etc/allow-python2.inc
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include allow-python2.local
 noblacklist ${PATH}/python2*
 noblacklist /usr/include/python2*
 noblacklist /usr/lib/python2*
diff --git a/etc/allow-python3.inc b/etc/allow-python3.inc
index 91c7ffca4..d968886b0 100644
--- a/etc/allow-python3.inc
+++ b/etc/allow-python3.inc
@@ -1,5 +1,10 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include allow-python3.local
 noblacklist ${PATH}/python3*
 noblacklist /usr/include/python3*
 noblacklist /usr/lib/python3*
+noblacklist /usr/lib64/python3*
 noblacklist /usr/local/lib/python3*
 noblacklist /usr/share/python3*
diff --git a/etc/allow-ruby.inc b/etc/allow-ruby.inc
index 3165a981a..a8c701219 100644
--- a/etc/allow-ruby.inc
+++ b/etc/allow-ruby.inc
@@ -1,2 +1,6 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include allow-ruby.local
 noblacklist ${PATH}/ruby
 noblacklist /usr/lib/ruby
diff --git a/etc/anki.profile b/etc/anki.profile
index c349376ff..a0a79ef48 100644
--- a/etc/anki.profile
+++ b/etc/anki.profile
@@ -42,7 +42,8 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6
-seccomp
+# QtWebengine needs chroot to set up its own sandbox
+seccomp !chroot
 shell none
 tracelog
diff --git a/etc/ar.profile b/etc/ar.profile
index 6b1fb830c..e28370450 100644
--- a/etc/ar.profile
+++ b/etc/ar.profile
@@ -7,6 +7,8 @@ include ar.local
 # Persistent global definitions
 include globals.local
+blacklist ${RUNUSER}/wayland-*
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/aria2c.profile b/etc/aria2c.profile
index 2fb6dd25f..7819300af 100644
--- a/etc/aria2c.profile
+++ b/etc/aria2c.profile
@@ -7,8 +7,11 @@ include aria2c.local
 include globals.local
 noblacklist ${HOME}/.aria2
+noblacklist ${HOME}/.config/aria2
+noblacklist ${HOME}/.netrc
 blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
 include disable-common.inc
 include disable-devel.inc
@@ -37,6 +40,7 @@ seccomp
 shell none
 # disable-mnt
+# Add your custom event hook commands to 'private-bin' in your aria2c.local
 private-bin aria2c,gzip
 # Uncomment the next line (or put 'private-cache' in your aria2c.local) if you don't use Lutris/winetricks (see issue #2772)
 #private-cache
diff --git a/etc/artha.profile b/etc/artha.profile
index 31f8887c4..aaaede7ee 100644
--- a/etc/artha.profile
+++ b/etc/artha.profile
@@ -11,6 +11,7 @@ noblacklist ${HOME}/.config/artha.log
 noblacklist ${HOME}/.config/enchant
 blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/atool.profile b/etc/atool.profile
index fb75c8408..0250451fc 100644
--- a/etc/atool.profile
+++ b/etc/atool.profile
@@ -7,6 +7,8 @@ include atool.local
 # Persistent global definitions
 include globals.local
+blacklist ${RUNUSER}/wayland-*
 # Allow perl (blacklisted by disable-interpreters.inc)
 include allow-perl.inc
diff --git a/etc/audio-recorder.profile b/etc/audio-recorder.profile
index afd1033de..b2ed3b030 100644
--- a/etc/audio-recorder.profile
+++ b/etc/audio-recorder.profile
@@ -40,7 +40,6 @@ protocol unix
 seccomp
 shell none
 tracelog
-x11 none
 disable-mnt
 # private-bin audio-recorder
diff --git a/etc/baobab.profile b/etc/baobab.profile
index e8287b448..18c862a4d 100644
--- a/etc/baobab.profile
+++ b/etc/baobab.profile
@@ -12,6 +12,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 # include disable-programs.inc
+# include disable-xdg.inc
 caps.drop all
 net none
@@ -32,3 +33,5 @@ shell none
 private-bin baobab
 private-dev
 private-tmp
+read-only ${HOME}
diff --git a/etc/beaker.profile b/etc/beaker.profile
index 21eeac4b3..cc1886a49 100644
--- a/etc/beaker.profile
+++ b/etc/beaker.profile
@@ -13,7 +13,6 @@ include disable-interpreters.inc
 mkdir ${HOME}/.config/Beaker Browser
 whitelist ${HOME}/.config/Beaker Browser
-whitelist ${DOWNLOADS}
 include whitelist-common.inc
 # Redirect
diff --git a/etc/bibtex.profile b/etc/bibtex.profile
new file mode 100644
index 000000000..e868dcbab
--- /dev/null
+++ b/etc/bibtex.profile
@@ -0,0 +1,12 @@
+# Firejail profile for bibtex
+# This file is overwritten after every install/update
+# Persistent local customizations
+include bibtex.local
+# Persistent global definitions
+include globals.local
+private-bin bibtex
+# Redirect
+include latex-common.profile
diff --git a/etc/bsdtar.profile b/etc/bsdtar.profile
index 17c67ed26..5ce9b6406 100644
--- a/etc/bsdtar.profile
+++ b/etc/bsdtar.profile
@@ -6,6 +6,8 @@ include bsdtar.local
 # Persistent global definitions
 include globals.local
+blacklist ${RUNUSER}/wayland-*
 include disable-common.inc
 # include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/celluloid.profile b/etc/celluloid.profile
index ab68c7f13..d099ba11e 100644
--- a/etc/celluloid.profile
+++ b/etc/celluloid.profile
@@ -24,12 +24,13 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
-# nodbus -- uses dconf
+# nodbus -- uses dconf, MPRIS
 nogroups
 nonewprivs
 noroot
@@ -45,3 +46,5 @@ private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3
 private-dev
 private-tmp
+read-only ${HOME}
+read-write ${HOME}/.config/celluloid
diff --git a/etc/checkbashisms.profile b/etc/checkbashisms.profile
index c66776b9f..e15131dca 100644
--- a/etc/checkbashisms.profile
+++ b/etc/checkbashisms.profile
@@ -7,6 +7,8 @@ include checkbashisms.local
 # Persistent global definitions
 include globals.local
+blacklist ${RUNUSER}/wayland-*
 noblacklist ${DOCUMENTS}
 # Allow perl (blacklisted by disable-interpreters.inc)
diff --git a/etc/chromium-common.profile b/etc/chromium-common.profile
index 7b88e417a..c54fb0e19 100644
--- a/etc/chromium-common.profile
+++ b/etc/chromium-common.profile
@@ -37,7 +37,7 @@ notv
 shell none
 disable-mnt
-private-dev
+?BROWSER_DISABLE_U2F: private-dev
 # private-tmp - problems with multiple browser sessions
 # the file dialog needs to work without d-bus
diff --git a/etc/clamav.profile b/etc/clamav.profile
index 45e7723eb..51bc58108 100644
--- a/etc/clamav.profile
+++ b/etc/clamav.profile
@@ -7,6 +7,8 @@ include clamav.local
 # Persistent global definitions
 include globals.local
+blacklist ${RUNUSER}/wayland-*
 include disable-exec.inc
 caps.drop all
diff --git a/etc/claws-mail.profile b/etc/claws-mail.profile
index f07e2039b..24954b2d8 100644
--- a/etc/claws-mail.profile
+++ b/etc/claws-mail.profile
@@ -7,43 +7,16 @@ include claws-mail.local
 include globals.local
 noblacklist ${HOME}/.claws-mail
-noblacklist ${HOME}/.gnupg
-noblacklist ${HOME}/.signature
-# when storing mail outside the default ${HOME}/Mail path, 'noblacklist' the custom path in your claws-mail.local
-# and 'blacklist' it in your disable-common.local too so it is  kept hidden from other applications
-noblacklist ${HOME}/Mail
-include disable-common.inc
+mkdir ${HOME}/.claws-mail
-include disable-devel.inc
+whitelist ${HOME}/.claws-mail
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-whitelist /usr/share/doc/claws-mail
+# If you use python-based plugins you need to uncomment the below (or put them in your claws-mail.local)
-whitelist /usr/share/gnupg
+# Allow python (blacklisted by disable-interpreters.inc)
-whitelist /usr/share/gnupg2
+#include allow-python2.inc
-include whitelist-usr-share-common.inc
+#include allow-python3.inc
-caps.drop all
-netfilter
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-private-cache
+whitelist /usr/share/doc/claws-mail
-private-dev
-private-tmp
-# If you want to read local mail stored in /var/mail, add the following to claws-mail.local:
+# Redirect
-# noblacklist /var/mail
+include email-common.profile
-# noblacklist /var/spool/mail
-# writable-var
diff --git a/etc/clipgrab.profile b/etc/clipgrab.profile
new file mode 100644
index 000000000..786d1c866
--- /dev/null
+++ b/etc/clipgrab.profile
@@ -0,0 +1,45 @@
+# Firejail profile for clipgrab
+# Description: A free video downloader and converter
+# This file is overwritten after every install/update
+# Persistent local customizations
+include clipgrab.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/Philipp Schmieder
+noblacklist ${HOME}/.pki
+noblacklist ${VIDEOS}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+machine-id
+netfilter
+# Breaks tray-icon, uncommend or add to clipgrab.local if you don't need it.
+#nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp !chroot
+shell none
+disable-mnt
+private-cache
+private-dev
+private-tmp
diff --git a/etc/cmus.profile b/etc/cmus.profile
index 7e12a06de..fa1e5d722 100644
--- a/etc/cmus.profile
+++ b/etc/cmus.profile
@@ -27,4 +27,4 @@ seccomp
 shell none
 private-bin cmus
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,machine-id,pki,pulse,ssl
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,machine-id,pki,pulse,resolv.conf,ssl
diff --git a/etc/cpio.profile b/etc/cpio.profile
index 17a765700..1156b7439 100644
--- a/etc/cpio.profile
+++ b/etc/cpio.profile
@@ -7,6 +7,8 @@ include cpio.local
 # Persistent global definitions
 include globals.local
+blacklist ${RUNUSER}/wayland-*
 noblacklist /sbin
 noblacklist /usr/sbin
diff --git a/etc/curl.profile b/etc/curl.profile
index 2624e5545..3f93e5f7e 100644
--- a/etc/curl.profile
+++ b/etc/curl.profile
@@ -9,10 +9,14 @@ include globals.local
 noblacklist ${HOME}/.curlrc
+blacklist /tmp/.X11-unix
 include disable-common.inc
 include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+# depending on workflow you can uncomment the below or put 'include disable-xdg.inc' in your curl.local
+#include disable-xdg.inc
 include whitelist-usr-share-common.inc
@@ -33,6 +37,7 @@ novideo
 protocol inet,inet6
 seccomp
 shell none
+tracelog
 # private-bin curl
 private-cache
diff --git a/etc/dconf.profile b/etc/dconf.profile
index ebb362fb6..2ee573463 100644
--- a/etc/dconf.profile
+++ b/etc/dconf.profile
@@ -6,6 +6,8 @@ include dconf.local
 # Persistent global definitions
 include globals.local
+blacklist ${RUNUSER}/wayland-*
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/ddgtk.profile b/etc/ddgtk.profile
index ef65046e1..3dfc657bc 100644
--- a/etc/ddgtk.profile
+++ b/etc/ddgtk.profile
@@ -43,7 +43,6 @@ protocol unix
 seccomp
 shell none
 tracelog
-x11 none
 disable-mnt
 private-bin bash,dd,ddgtk,grep,lsblk,python*,sed,sh,tr
diff --git a/etc/devhelp.profile b/etc/devhelp.profile
index 5c1935835..cc9553e73 100644
--- a/etc/devhelp.profile
+++ b/etc/devhelp.profile
@@ -16,6 +16,8 @@ include disable-programs.inc
 include disable-xdg.inc
 whitelist /usr/share/devhelp
+whitelist /usr/share/doc
+whitelist /usr/share/gtk-doc/html
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/devilspie.profile b/etc/devilspie.profile
index ad891ffaf..b561787d8 100644
--- a/etc/devilspie.profile
+++ b/etc/devilspie.profile
@@ -6,6 +6,8 @@ include devilspie.local
 # Persistent global definitions
 include globals.local
+blacklist ${RUNUSER}/wayland-*
 noblacklist ${HOME}/.devilspie
 include disable-common.inc
@@ -41,6 +43,7 @@ protocol unix
 seccomp
 shell none
 tracelog
+x11 none
 disable-mnt
 private-bin devilspie
diff --git a/etc/devilspie2.profile b/etc/devilspie2.profile
index f2bacda9a..9eab3f536 100644
--- a/etc/devilspie2.profile
+++ b/etc/devilspie2.profile
@@ -4,55 +4,21 @@
 # Persistent local customizations
 include devilspie2.local
 # Persistent global definitions
-include globals.local
+#include globals.local
+blacklist ${HOME}/.devilspie
+blacklist ${RUNUSER}/wayland-*
 noblacklist ${HOME}/.config/devilspie2
 # Allow lua (blacklisted by disable-interpreters.inc)
 include allow-lua.inc
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-include disable-xdg.inc
 mkdir ${HOME}/.config/devilspie2
 whitelist ${HOME}/.config/devilspie2
-include whitelist-common.inc
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
-apparmor
-caps.drop all
-ipc-namespace
-machine-id
-net none
-no3d
-nodbus
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-disable-mnt
 private-bin devilspie2
-private-cache
-private-dev
-private-etc alternatives
-private-lib gconv
-private-tmp
-memory-deny-write-execute
-read-only ${HOME}
+# Redirect
+include devilspie.profile
diff --git a/etc/dig.profile b/etc/dig.profile
index af71ff17f..054e4891d 100644
--- a/etc/dig.profile
+++ b/etc/dig.profile
@@ -9,6 +9,8 @@ include globals.local
 noblacklist ${HOME}/.digrc
+blacklist /tmp/.X11-unix
 include disable-common.inc
 # include disable-devel.inc
 include disable-exec.inc
@@ -24,7 +26,7 @@ include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 caps.drop all
-# ipc-namespace
+ipc-namespace
 machine-id
 netfilter
 no3d
@@ -40,6 +42,7 @@ novideo
 protocol unix,inet,inet6
 seccomp
 shell none
+tracelog
 disable-mnt
 private
diff --git a/etc/digikam.profile b/etc/digikam.profile
index 1b80981f7..e66434444 100644
--- a/etc/digikam.profile
+++ b/etc/digikam.profile
@@ -32,7 +32,8 @@ nonewprivs
 noroot
 notv
 protocol unix,inet,inet6,netlink
-seccomp
+# QtWebengine needs chroot to set up its own sandbox
+seccomp !chroot
 shell none
 # private-dev - prevents libdc1394 loading; this lib is used to connect to a camera device
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index f50e10a00..9f351a673 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -151,6 +151,11 @@ blacklist /var/lib/systemd
 # blacklist /var/run/systemd
 # creates problems on Arch where /etc/resolv.conf is a symlink to /var/run/systemd/resolve/resolv.conf
+# openrc
+blacklist /etc/runlevels/
+blacklist /etc/init.d/
+blacklist /etc/rc.conf
 # VirtualBox
 blacklist ${HOME}/.VirtualBox
 blacklist ${HOME}/.config/VirtualBox
@@ -193,7 +198,7 @@ blacklist /var/lib/mysqld/mysql.sock
 blacklist /var/lib/pacman
 blacklist /var/lib/upower
 # blacklist /var/log - a virtual /var/log directory (mostly empty) is build up by default for
-# every sandbox, unless --writeble-var-log switch is activated
+# every sandbox, unless --writable-var-log switch is activated
 blacklist /var/mail
 blacklist /var/opt
 blacklist /var/run/acpid.socket
diff --git a/etc/disable-interpreters.inc b/etc/disable-interpreters.inc
index 4c4eed25d..ae539e1bc 100644
--- a/etc/disable-interpreters.inc
+++ b/etc/disable-interpreters.inc
@@ -2,6 +2,14 @@
 # Persistent customizations should go in a .local file.
 include disable-interpreters.local
+# gjs
+blacklist ${PATH}/gjs
+blacklist ${PATH}/gjs-console
+blacklist /usr/lib/gjs
+blacklist /usr/lib64/gjs
+blacklist /usr/lib/libgjs*
+blacklist /usr/lib64/libgjs*
 # Lua
 blacklist ${PATH}/lua*
 blacklist /usr/include/lua*
@@ -47,5 +55,6 @@ blacklist /usr/share/python2*
 blacklist ${PATH}/python3*
 blacklist /usr/include/python3*
 blacklist /usr/lib/python3*
+blacklist /usr/lib64/python3*
 blacklist /usr/local/lib/python3*
 blacklist /usr/share/python3*
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 1c97ed8d6..baa9c3fab 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -85,6 +85,7 @@ blacklist ${HOME}/.config/Gpredict
 blacklist ${HOME}/.config/INRIA
 blacklist ${HOME}/.config/InSilmaril
 blacklist ${HOME}/.config/Kid3
+blacklist ${HOME}/.config/Kingsoft
 blacklist ${HOME}/.config/Luminance
 blacklist ${HOME}/.config/Meltytech
 blacklist ${HOME}/.config/Mendeley Ltd.
@@ -97,6 +98,7 @@ blacklist ${HOME}/.config/MusicBrainz
 blacklist ${HOME}/.config/Nathan Osman
 blacklist ${HOME}/.config/Nylas Mail
 blacklist ${HOME}/.config/PBE
+blacklist ${HOME}/.config/Philipp Schmieder
 blacklist ${HOME}/.config/QGIS
 blacklist ${HOME}/.config/QMediathekView
 blacklist ${HOME}/.config/Qlipper
@@ -118,6 +120,7 @@ blacklist ${HOME}/.config/akonadi*
 blacklist ${HOME}/.config/akregatorrc
 blacklist ${HOME}/.config/ardour4
 blacklist ${HOME}/.config/ardour5
+blacklist ${HOME}/.config/aria2
 blacklist ${HOME}/.config/arkrc
 blacklist ${HOME}/.config/artha.conf
 blacklist ${HOME}/.config/artha.log
@@ -198,6 +201,7 @@ blacklist ${HOME}/.config/google-chrome-beta
 blacklist ${HOME}/.config/google-chrome-unstable
 blacklist ${HOME}/.config/gpicview
 blacklist ${HOME}/.config/gthumb
+blacklist ${HOME}/.config/gummi
 blacklist ${HOME}/.config/gwenviewrc
 blacklist ${HOME}/.config/hexchat
 blacklist ${HOME}/.config/i2p
@@ -290,6 +294,7 @@ blacklist ${HOME}/.config/redshift
 blacklist ${HOME}/.config/redshift.conf
 blacklist ${HOME}/.config/remmina
 blacklist ${HOME}/.config/ristretto
+blacklist ${HOME}/.config/rtv
 blacklist ${HOME}/.config/scribus
 blacklist ${HOME}/.config/scribusrc
 blacklist ${HOME}/.config/sinew.in
@@ -311,6 +316,7 @@ blacklist ${HOME}/.config/tox
 blacklist ${HOME}/.config/transgui
 blacklist ${HOME}/.config/transmission
 blacklist ${HOME}/.config/truecraft
+blacklist ${HOME}/.config/tvbrowser
 blacklist ${HOME}/.config/uGet
 blacklist ${HOME}/.config/uzbl
 blacklist ${HOME}/.config/viewnior
@@ -454,6 +460,7 @@ blacklist ${HOME}/.kde4/share/config/ktorrentrc
 blacklist ${HOME}/.kde4/share/config/okularpartrc
 blacklist ${HOME}/.kde4/share/config/okularrc
 blacklist ${HOME}/.killingfloor
+blacklist ${HOME}/.kingsoft
 blacklist ${HOME}/.kino-history
 blacklist ${HOME}/.kinorc
 blacklist ${HOME}/.klatexformula
@@ -470,6 +477,7 @@ blacklist ${HOME}/.local/share/Anki2
 blacklist ${HOME}/.local/share/Empathy
 blacklist ${HOME}/.local/share/Enpass
 blacklist ${HOME}/.local/share/JetBrains
+blacklist ${HOME}/.local/share/Kingsoft
 blacklist ${HOME}/.local/share/Mendeley Ltd.
 blacklist ${HOME}/.local/share/Mumble
 blacklist ${HOME}/.local/share/PBE
@@ -573,6 +581,7 @@ blacklist ${HOME}/.local/share/qpdfview
 blacklist ${HOME}/.local/share/qutebrowser
 blacklist ${HOME}/.local/share/remmina
 blacklist ${HOME}/.local/share/rhythmbox
+blacklist ${HOME}/.local/share/rtv
 blacklist ${HOME}/.local/share/scribus
 blacklist ${HOME}/.local/share/signal-cli
 blacklist ${HOME}/.local/share/spotify
@@ -662,6 +671,7 @@ blacklist ${HOME}/.torcs
 blacklist ${HOME}/.tremulous
 blacklist ${HOME}/.ts3client
 blacklist ${HOME}/.tuxguitar*
+blacklist ${HOME}/.tvbrowser
 blacklist ${HOME}/.unknown-horizons
 blacklist ${HOME}/.viking
 blacklist ${HOME}/.viking-maps
@@ -737,15 +747,17 @@ blacklist ${HOME}/.cache/freecol
 blacklist ${HOME}/.cache/gajim
 blacklist ${HOME}/.cache/gegl-0.4
 blacklist ${HOME}/.cache/geeqie
+blacklist ${HOME}/.cache/gfeeds
 blacklist ${HOME}/.cache/gimp
+blacklist ${HOME}/.cache/gnome-builder
+blacklist ${HOME}/.cache/gnome-recipes
+blacklist ${HOME}/.cache/gnome-twitch
 blacklist ${HOME}/.cache/godot
 blacklist ${HOME}/.cache/google-chrome
 blacklist ${HOME}/.cache/google-chrome-beta
 blacklist ${HOME}/.cache/google-chrome-unstable
-blacklist ${HOME}/.cache/gnome-builder
-blacklist ${HOME}/.cache/gnome-recipes
-blacklist ${HOME}/.cache/gnome-twitch
 blacklist ${HOME}/.cache/gradio
+blacklist ${HOME}/.cache/gummi
 blacklist ${HOME}/.cache/icedove
 blacklist ${HOME}/.cache/INRIA/Natron
 blacklist ${HOME}/.cache/inkscape
diff --git a/etc/dnscrypt-proxy.profile b/etc/dnscrypt-proxy.profile
index d0430d5ca..6637b8d02 100644
--- a/etc/dnscrypt-proxy.profile
+++ b/etc/dnscrypt-proxy.profile
@@ -7,6 +7,9 @@ include dnscrypt-proxy.local
 # Persistent global definitions
 include globals.local
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
 noblacklist /sbin
 noblacklist /usr/sbin
@@ -20,10 +23,13 @@ include disable-xdg.inc
 whitelist /usr/share/dnscrypt-proxy
 include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
 caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot
 ipc-namespace
 machine-id
+netfilter
 no3d
 nodbus
 nodvd
@@ -34,6 +40,8 @@ nou2f
 novideo
 protocol inet,inet6
 seccomp.drop _sysctl,acct,add_key,adjtimex,clock_adjtime,delete_module,fanotify_init,finit_module,get_mempolicy,init_module,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioperm,iopl,kcmp,kexec_file_load,kexec_load,keyctl,lookup_dcookie,mbind,migrate_pages,modify_ldt,mount,move_pages,open_by_handle_at,perf_event_open,perf_event_open,pivot_root,process_vm_readv,process_vm_writev,ptrace,remap_file_pages,request_key,set_mempolicy,swapoff,swapon,sysfs,syslog,umount2,uselib,vmsplice
+shell none
+tracelog
 disable-mnt
 private
diff --git a/etc/dnsmasq.profile b/etc/dnsmasq.profile
index dfb1b61c1..6db71bd49 100644
--- a/etc/dnsmasq.profile
+++ b/etc/dnsmasq.profile
@@ -11,6 +11,7 @@ noblacklist /sbin
 noblacklist /usr/sbin
 blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/easystroke.profile b/etc/easystroke.profile
index 623a4cadc..1297f5f40 100644
--- a/etc/easystroke.profile
+++ b/etc/easystroke.profile
@@ -16,7 +16,11 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
+mkdir ${HOME}/.easystroke
+whitelist ${HOME}/.easystroke
+include whitelist-common.inc
 include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
 apparmor
 caps.drop all
@@ -35,6 +39,7 @@ novideo
 protocol unix
 seccomp
 shell none
+tracelog
 disable-mnt
 # breaks custom shell command functionality
diff --git a/etc/elinks.profile b/etc/elinks.profile
index 94f4179c7..82d1ba528 100644
--- a/etc/elinks.profile
+++ b/etc/elinks.profile
@@ -9,6 +9,7 @@ include globals.local
 noblacklist ${HOME}/.elinks
 blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/email-common.profile b/etc/email-common.profile
new file mode 100644
index 000000000..f9d96858b
--- /dev/null
+++ b/etc/email-common.profile
@@ -0,0 +1,68 @@
+# Firejail profile for email-common
+# Description: Common profile for claws-mail and sylpheed email clients
+# This file is overwritten after every install/update
+# Persistent local customizations
+include email-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.signature
+# when storing mail outside the default ${HOME}/Mail path, 'noblacklist' the custom path in your email-common.local
+# and 'blacklist' it in your disable-common.local too so it is  kept hidden from other applications
+noblacklist ${HOME}/Mail
+noblacklist ${DOCUMENTS}
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+whitelist ${DOCUMENTS}
+whitelist ${DOWNLOADS}
+mkfile ${HOME}/.config/mimeapps.list
+mkdir ${HOME}/.gnupg
+mkfile ${HOME}/.signature
+whitelist ${HOME}/.config/mimeapps.list
+whitelist ${HOME}/.gnupg
+whitelist ${HOME}/.signature
+# when storing mail outside the default ${HOME}/Mail path, 'whitelist' the custom path in your email-common.local
+whitelist ${HOME}/Mail
+whitelist /usr/share/gnupg
+whitelist /usr/share/gnupg2
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+private-cache
+private-dev
+private-tmp
+# encrypting and signing email
+read-only ${HOME}/.config/mimeapps.list
+writable-run-user
+# If you want to read local mail stored in /var/mail, add the following to email-common.local:
+# whitelist /var/mail
+# whitelist /var/spool/mail
+# writable-var
diff --git a/etc/enchant.profile b/etc/enchant.profile
index d276cec84..fa556c7d2 100644
--- a/etc/enchant.profile
+++ b/etc/enchant.profile
@@ -6,6 +6,8 @@ include enchant.local
 # Persistent global definitions
 include globals.local
+blacklist ${RUNUSER}/wayland-*
 noblacklist ${HOME}/.config/enchant
 include disable-common.inc
@@ -16,7 +18,11 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
+mkdir ${HOME}/.config/enchant
+whitelist ${HOME}/.config/enchant
+include whitelist-common.inc
 include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
 apparmor
 caps.drop all
diff --git a/etc/ephemeral.profile b/etc/ephemeral.profile
index fa7746da5..c688c2324 100644
--- a/etc/ephemeral.profile
+++ b/etc/ephemeral.profile
@@ -55,7 +55,7 @@ tracelog
 disable-mnt
 private-cache
-private-dev
+?BROWSER_DISABLE_U2F: private-dev
 # private-etc below works fine on most distributions. There are some problems on CentOS.
 #private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,localtime,login.defs,machine-id,mailcap,mime.types,nsswitch.conf,os-release,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 private-tmp
diff --git a/etc/et.profile b/etc/et.profile
new file mode 100644
index 000000000..4e70bb114
--- /dev/null
+++ b/etc/et.profile
@@ -0,0 +1,11 @@
+# Firejail profile for et
+# Description: WPS Office - Spreadsheets
+# This file is overwritten after every install/update
+# Persistent local customizations
+include et.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include wps.profile
diff --git a/etc/evince.profile b/etc/evince.profile
index 570d7d63d..143a347e6 100644
--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -17,6 +17,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
+whitelist /usr/share/doc
 whitelist /usr/share/evince
 whitelist /usr/share/poppler
 whitelist /usr/share/tracker
diff --git a/etc/exfalso.profile b/etc/exfalso.profile
index 7d91f2854..04bafdde4 100644
--- a/etc/exfalso.profile
+++ b/etc/exfalso.profile
@@ -31,6 +31,7 @@ include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 caps.drop all
+ipc-namespace
 machine-id
 netfilter
 no3d
diff --git a/etc/exiftool.profile b/etc/exiftool.profile
index e9c7d290a..9316a0585 100644
--- a/etc/exiftool.profile
+++ b/etc/exiftool.profile
@@ -6,6 +6,8 @@ include exiftool.local
 # Persistent global definitions
 include globals.local
+blacklist ${RUNUSER}/wayland-*
 # Allow perl (blacklisted by disable-interpreters.inc)
 include allow-perl.inc
diff --git a/etc/feedreader.profile b/etc/feedreader.profile
index c12ab2399..5a72b60ea 100644
--- a/etc/feedreader.profile
+++ b/etc/feedreader.profile
@@ -40,8 +40,10 @@ novideo
 protocol unix,inet,inet6
 seccomp
 shell none
+tracelog
 disable-mnt
+private-cache
 private-dev
 private-tmp
diff --git a/etc/ffmpeg.profile b/etc/ffmpeg.profile
index 67c0ed311..b392087e8 100644
--- a/etc/ffmpeg.profile
+++ b/etc/ffmpeg.profile
@@ -47,7 +47,7 @@ tracelog
 private-bin ffmpeg
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,hosts,pkcs11,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,nsswitch.conf,pkcs11,pki,resolv.conf,ssl
 private-tmp
 # memory-deny-write-execute - it breaks old versions of ffmpeg
diff --git a/etc/file.profile b/etc/file.profile
index 37c7ee9e7..9b21818f8 100644
--- a/etc/file.profile
+++ b/etc/file.profile
@@ -7,6 +7,8 @@ include file.local
 # Persistent global definitions
 include globals.local
+blacklist ${RUNUSER}/wayland-*
 include disable-common.inc
 include disable-exec.inc
 include disable-passwdmgr.inc
diff --git a/etc/firefox-common.profile b/etc/firefox-common.profile
index 7777d07ce..323070289 100644
--- a/etc/firefox-common.profile
+++ b/etc/firefox-common.profile
@@ -52,7 +52,7 @@ shell none
 #tracelog
 disable-mnt
-private-dev
+?BROWSER_DISABLE_U2F: private-dev
 # private-etc below works fine on most distributions. There are some problems on CentOS.
-#private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+#private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 private-tmp
diff --git a/etc/firefox-x11.profile b/etc/firefox-x11.profile
new file mode 100644
index 000000000..ffd64aad7
--- /dev/null
+++ b/etc/firefox-x11.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for firefox-x11
+# This file is overwritten after every install/update
+# Persistent local customizations
+include firefox-x11.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include firefox.profile
diff --git a/etc/firefox.profile b/etc/firefox.profile
index 0278c70f2..0530516d8 100644
--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -14,7 +14,10 @@ mkdir ${HOME}/.mozilla
 whitelist ${HOME}/.cache/mozilla/firefox
 whitelist ${HOME}/.mozilla
+whitelist /usr/share/doc
+whitelist /usr/share/gtk-doc/html
 whitelist /usr/share/mozilla
+whitelist /usr/share/webext
 include whitelist-usr-share-common.inc
 # firefox requires a shell to launch on Arch.
diff --git a/etc/firejail.config b/etc/firejail.config
index 3bff2f7ed..6fb7d829a 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -62,9 +62,9 @@
 # root user can always join sandboxes.
 # join yes
-# Timeout when joining a sandbox, default five seconds. Wait up to
+# Timeout when joining a sandbox, default five seconds. It is not
-# the specified period of time to allow sandbox setup to finish.
+# possible to join a sandbox while it is still starting up. Wait up
-# It is not possible to join a sandbox while it is still starting up.
+# to the specified period of time to allow sandbox setup to finish.
 # join-timeout 5
 # Enable or disable sandbox name change, default enabled.
diff --git a/etc/freecad.profile b/etc/freecad.profile
index 079c85fb1..6f0f52a55 100644
--- a/etc/freecad.profile
+++ b/etc/freecad.profile
@@ -9,6 +9,10 @@ include globals.local
 noblacklist ${HOME}/.config/FreeCAD
 noblacklist ${DOCUMENTS}
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -33,7 +37,7 @@ protocol unix
 seccomp
 shell none
-private-bin freecad,freecadcmd
+private-bin freecad,freecadcmd,python*
 private-cache
 private-dev
 private-tmp
diff --git a/etc/gconf-editor.profile b/etc/gconf-editor.profile
index a2c441a20..cb39174e5 100644
--- a/etc/gconf-editor.profile
+++ b/etc/gconf-editor.profile
@@ -9,7 +9,8 @@ include gconf-editor.local
 blacklist /tmp/.X11-unix
-ignore net none
+whitelist /usr/share/gconf-editor
 ignore x11 none
 # Redirect
diff --git a/etc/gconf.profile b/etc/gconf.profile
index 25145c77d..f070e6944 100644
--- a/etc/gconf.profile
+++ b/etc/gconf.profile
@@ -6,6 +6,8 @@ include gconf.local
 # Persistent global definitions
 include globals.local
+blacklist ${RUNUSER}/wayland-*
 noblacklist ${HOME}/.config/gconf
 # Allow python (blacklisted by disable-interpreters.inc)
diff --git a/etc/gedit.profile b/etc/gedit.profile
index 7dd6f270e..a4471077a 100644
--- a/etc/gedit.profile
+++ b/etc/gedit.profile
@@ -42,6 +42,7 @@ tracelog
 # private-bin gedit
 private-dev
-private-lib aspell,gconv,gedit,libgspell-1.so.*,libgtksourceview-*,libpeas-gtk-1.0.so.*,libreadline.so.*,libtinfo.so.*
+# private-lib breaks python plugins, uncomment or add to your gedit.local if you don't use them.
+#private-lib aspell,gconv,gedit,libgspell-1.so.*,libgtksourceview-*,libpeas-gtk-1.0.so.*,libreadline.so.*,libtinfo.so.*
 private-tmp
diff --git a/etc/geekbench.profile b/etc/geekbench.profile
index bf9d27788..36f9f2a55 100644
--- a/etc/geekbench.profile
+++ b/etc/geekbench.profile
@@ -43,7 +43,7 @@ private-bin bash,geekbenc*,sh
 private-cache
 private-dev
 private-etc alternatives,group,lsb-release,passwd
-private-lib libstdc++.so.*
+private-lib gcc/*/*/libstdc++.so.*
 private-opt none
 private-tmp
diff --git a/etc/gfeeds.profile b/etc/gfeeds.profile
index dcb33bc38..d332c1bbe 100644
--- a/etc/gfeeds.profile
+++ b/etc/gfeeds.profile
@@ -6,6 +6,7 @@ include gfeeds.local
 # Persistent global definitions
 include globals.local
+noblacklist ${HOME}/.cache/gfeeds
 noblacklist ${HOME}/.cache/org.gabmus.gfeeds
 noblacklist ${HOME}/.config/org.gabmus.gfeeds.json
@@ -20,8 +21,10 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
+mkdir ${HOME}/.cache/gfeeds
 mkdir ${HOME}/.cache/org.gabmus.gfeeds
 mkfile ${HOME}/.config/org.gabmus.gfeeds.json
+whitelist ${HOME}/.cache/gfeeds
 whitelist ${HOME}/.cache/org.gabmus.gfeeds
 whitelist ${HOME}/.config/org.gabmus.gfeeds.json
 whitelist /usr/share/gfeeds
diff --git a/etc/gimp.profile b/etc/gimp.profile
index 5c0631eb2..57cea28f9 100644
--- a/etc/gimp.profile
+++ b/etc/gimp.profile
@@ -21,6 +21,7 @@ noblacklist ${PICTURES}
 include disable-common.inc
 include disable-exec.inc
+include disable-devel.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
@@ -44,7 +45,7 @@ nosound
 notv
 nou2f
 protocol unix
-seccomp
+seccomp !mbind
 shell none
 tracelog
diff --git a/etc/gist.profile b/etc/gist.profile
index 7413238c8..59fcb2775 100644
--- a/etc/gist.profile
+++ b/etc/gist.profile
@@ -8,6 +8,7 @@ include gist.local
 include globals.local
 blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
 noblacklist ${HOME}/.gist
diff --git a/etc/git.profile b/etc/git.profile
index dbaaefcc4..da55f8744 100644
--- a/etc/git.profile
+++ b/etc/git.profile
@@ -20,6 +20,7 @@ noblacklist ${HOME}/.vim
 noblacklist ${HOME}/.viminfo
 blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
 include disable-common.inc
 include disable-exec.inc
diff --git a/etc/gjs.profile b/etc/gjs.profile
index 871020ae0..aba020bc7 100644
--- a/etc/gjs.profile
+++ b/etc/gjs.profile
@@ -13,6 +13,9 @@ noblacklist ${HOME}/.cache/org.gnome.Books
 noblacklist ${HOME}/.config/libreoffice
 noblacklist ${HOME}/.local/share/gnome-photos
+# Allow gjs (blacklisted by disable-interpreters.inc)
+include allow-gjs.inc
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
diff --git a/etc/gnome-books.profile b/etc/gnome-books.profile
index 25cd94f0c..84e38d0e1 100644
--- a/etc/gnome-books.profile
+++ b/etc/gnome-books.profile
@@ -10,6 +10,9 @@ include globals.local
 noblacklist ${HOME}/.cache/org.gnome.Books
 noblacklist ${DOCUMENTS}
+# Allow gjs (blacklisted by disable-interpreters.inc)
+include allow-gjs.inc
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/gnome-characters.profile b/etc/gnome-characters.profile
index c3e9466d7..2d4724610 100644
--- a/etc/gnome-characters.profile
+++ b/etc/gnome-characters.profile
@@ -6,6 +6,9 @@ include gnome-characters.local
 # Persistent global definitions
 include globals.local
+# Allow gjs (blacklisted by disable-interpreters.inc)
+include allow-gjs.inc
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/gnome-documents.profile b/etc/gnome-documents.profile
index 078e8c34e..705fe624e 100644
--- a/etc/gnome-documents.profile
+++ b/etc/gnome-documents.profile
@@ -11,6 +11,9 @@ include globals.local
 noblacklist ${HOME}/.config/libreoffice
 noblacklist ${DOCUMENTS}
+# Allow gjs (blacklisted by disable-interpreters.inc)
+include allow-gjs.inc
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/gnome-maps.profile b/etc/gnome-maps.profile
index 78f5ddc3a..6540186fe 100644
--- a/etc/gnome-maps.profile
+++ b/etc/gnome-maps.profile
@@ -13,6 +13,9 @@ noblacklist ${HOME}/.cache/org.gnome.Maps
 noblacklist ${HOME}/.local/share/flatpak
 noblacklist ${HOME}/.local/share/maps-places.json
+# Allow gjs (blacklisted by disable-interpreters.inc)
+include allow-gjs.inc
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/gnome-passwordsafe.profile b/etc/gnome-passwordsafe.profile
new file mode 100644
index 000000000..685a5cc3f
--- /dev/null
+++ b/etc/gnome-passwordsafe.profile
@@ -0,0 +1,56 @@
+# Firejail profile for gnome-passwordsafe
+# Description: Password manager for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-passwordsafe.local
+# Persistent global definitions
+include globals.local
+noblacklist ${DOCUMENTS}
+noblacklist ${HOME}/*.kdb
+noblacklist ${HOME}/*.kdbx
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+whitelist ${RUNUSER}/bus
+whitelist ${RUNUSER}/wayland-?
+whitelist ${RUNUSER}/gdm/Xauthority
+whitelist /usr/share/cracklib
+whitelist /usr/share/passwordsafe
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin gnome-passwordsafe,python3*
+private-cache
+private-dev
+private-etc dconf,fonts,gtk-3.0,passwd
+private-tmp
diff --git a/etc/gnome-sound-recorder.profile b/etc/gnome-sound-recorder.profile
index 135106c1e..7f8fc8a0c 100644
--- a/etc/gnome-sound-recorder.profile
+++ b/etc/gnome-sound-recorder.profile
@@ -10,6 +10,9 @@ noblacklist ${MUSIC}
 noblacklist ${HOME}/.local/share/flatpak
 noblacklist ${HOME}/.local/share/Trash
+# Allow gjs (blacklisted by disable-interpreters.inc)
+include allow-gjs.inc
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/gnome-weather.profile b/etc/gnome-weather.profile
index a43db7e2f..10db6296b 100644
--- a/etc/gnome-weather.profile
+++ b/etc/gnome-weather.profile
@@ -10,6 +10,9 @@ include globals.local
 noblacklist ${HOME}/.cache/libgweather
+# Allow gjs (blacklisted by disable-interpreters.inc)
+include allow-gjs.inc
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/gpg-agent.profile b/etc/gpg-agent.profile
index c11773147..2710ac88e 100644
--- a/etc/gpg-agent.profile
+++ b/etc/gpg-agent.profile
@@ -10,6 +10,7 @@ include globals.local
 noblacklist ${HOME}/.gnupg
 blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/gpg.profile b/etc/gpg.profile
index 5eb18a0bc..a60d42cf8 100644
--- a/etc/gpg.profile
+++ b/etc/gpg.profile
@@ -10,6 +10,7 @@ include globals.local
 noblacklist ${HOME}/.gnupg
 blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/gtk-update-icon-cache.profile b/etc/gtk-update-icon-cache.profile
index fd35a563b..668a48f9a 100644
--- a/etc/gtk-update-icon-cache.profile
+++ b/etc/gtk-update-icon-cache.profile
@@ -7,6 +7,8 @@ include gtk-update-icon-cache.local
 # Persistent global definitions
 include globals.local
+blacklist ${RUNUSER}/wayland-*
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/gummi.profile b/etc/gummi.profile
new file mode 100644
index 000000000..922b2cbde
--- /dev/null
+++ b/etc/gummi.profile
@@ -0,0 +1,19 @@
+# Firejail profile for gummi
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gummi.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.cache/gummi
+noblacklist ${HOME}/.config/gummi
+include allow-lua.inc
+include allow-perl.inc
+include allow-python3.inc
+private-bin dvipdf,dvips,env,gummi,latex,latexmk,lua*,lualatex,luatex,pdflatex,pdftex,perl,ps2pdf,python3*,rubber,synctex,tex,xelatex,xetex
+# Redirect
+include latex-common.profile
diff --git a/etc/gzip.profile b/etc/gzip.profile
index 48e495c60..1af15d227 100644
--- a/etc/gzip.profile
+++ b/etc/gzip.profile
@@ -7,6 +7,8 @@ include gzip.local
 # Persistent global definitions
 include globals.local
+blacklist ${RUNUSER}/wayland-*
 # Arch Linux (based distributions) need access to /var/lib/pacman. As we drop all capabilities this is automatically read-only.
 noblacklist /var/lib/pacman
diff --git a/etc/hashcat.profile b/etc/hashcat.profile
index da59984d7..b4d6d52f0 100644
--- a/etc/hashcat.profile
+++ b/etc/hashcat.profile
@@ -7,6 +7,8 @@ include hashcat.local
 # Persistent global definitions
 include globals.local
+blacklist ${RUNUSER}/wayland-*
 noblacklist ${HOME}/.hashcat
 noblacklist /usr/include
 noblacklist ${DOCUMENTS}
diff --git a/etc/hexchat.profile b/etc/hexchat.profile
index d032c93e6..7723cbd6b 100644
--- a/etc/hexchat.profile
+++ b/etc/hexchat.profile
@@ -19,6 +19,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 mkdir ${HOME}/.config/hexchat
 whitelist ${HOME}/.config/hexchat
@@ -26,14 +27,13 @@ include whitelist-common.inc
 include whitelist-var-common.inc
 caps.drop all
-machine-id
+#machine-id -- breaks sound
 netfilter
 no3d
 nodvd
 nogroups
 nonewprivs
 noroot
-nosound
 notv
 nou2f
 novideo
diff --git a/etc/highlight.profile b/etc/highlight.profile
index 249d5cd17..036de8d99 100644
--- a/etc/highlight.profile
+++ b/etc/highlight.profile
@@ -6,6 +6,8 @@ include highlight.local
 # Persistent global definitions
 include globals.local
+blacklist ${RUNUSER}/wayland-*
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
diff --git a/etc/i2prouter.profile b/etc/i2prouter.profile
index e46fb3317..9ffdb9e9b 100644
--- a/etc/i2prouter.profile
+++ b/etc/i2prouter.profile
@@ -6,19 +6,19 @@ include i2prouter.local
 # Persistent global definitions
 include globals.local
-# Notice: default browser will not be able to automatically open, due to sandbox.
+# Notice: default browser will most likely not be able to automatically open, due to sandbox.
 # Auto-opening default browser can be disabled in the I2P router console.
-# This profile will not currently work with any Arch User Repository i2p packages,
+# This profile will not currently work with any Arch User Repository I2P packages,
-# use the distro-independent official java installer instead
+# use the distro-independent official I2P java installer instead
-# Only needed if i2prouter binary is in home directory, java installer does this
+# Only needed if i2prouter binary is in home directory, official I2P java installer does this
 ignore noexec ${HOME}
 noblacklist ${HOME}/.config/i2p
 noblacklist ${HOME}/.i2p
 noblacklist ${HOME}/.local/share/i2p
 noblacklist ${HOME}/i2p
-# Only needed if wrapper is placed in /usr/sbin/, ubuntu official ppa package does this
+# Only needed if wrapper is placed in /usr/sbin/, ubuntu official I2P ppa package does this
 noblacklist /usr/sbin
 # Allow java (blacklisted by disable-devel.inc)
@@ -40,13 +40,13 @@ whitelist ${HOME}/.config/i2p
 whitelist ${HOME}/.i2p
 whitelist ${HOME}/.local/share/i2p
 whitelist ${HOME}/i2p
-# Only needed if wrapper is placed in /usr/sbin/, ubuntu official ppa package does this
+# Only needed if wrapper is placed in /usr/sbin/, ubuntu official I2P ppa package does this
 whitelist /usr/sbin/wrapper*
 include whitelist-common.inc
-# May break I2P if wrapper is placed in the home directory
+# May break I2P if wrapper is placed in the home directory; official I2P java installer does this
-# If using ubuntu official ppa, this should be fine to uncomment, as it puts wrapper in /usr/sbin/
+# If using ubuntu official I2P ppa, this should be fine to uncomment, as it puts wrapper in /usr/sbin/
 #apparmor
 caps.drop all
 ipc-namespace
@@ -67,5 +67,5 @@ shell none
 disable-mnt
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,i2p,java-8-openjdk,pki,ssl
+private-etc alternatives,ca-certificates,crypto-policies,dconf,group,hostname,hosts,i2p,java-10-openjdk,java-11-openjdk,java-12-openjdk,java-13-openjdk,java-8-openjdk,java-9-openjdk,java-openjdk,ld.so.cache,localtime,machine-id,nsswitch.conf,passwd,pki,resolv.conf,ssl
 private-tmp
diff --git a/etc/img2txt.profile b/etc/img2txt.profile
index c17e82870..419da765d 100644
--- a/etc/img2txt.profile
+++ b/etc/img2txt.profile
@@ -5,6 +5,8 @@ include img2txt.local
 # Persistent global definitions
 include globals.local
+blacklist ${RUNUSER}/wayland-*
 noblacklist ${DOCUMENTS}
 noblacklist ${PICTURES}
diff --git a/etc/keepass.profile b/etc/keepass.profile
index 57a24d821..9852f8a79 100644
--- a/etc/keepass.profile
+++ b/etc/keepass.profile
@@ -34,7 +34,7 @@ nosound
 notv
 nou2f
 novideo
-protocol unix,inet,inet6
+protocol unix,inet,inet6,netlink
 seccomp
 shell none
diff --git a/etc/latex-common.profile b/etc/latex-common.profile
new file mode 100644
index 000000000..712ada722
--- /dev/null
+++ b/etc/latex-common.profile
@@ -0,0 +1,39 @@
+# Firejail profile for latex-common
+# This file is overwritten after every install/update
+# Persistent local customizations
+include latex-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+whitelist /var/lib
+include whitelist-var-common.inc
+caps.drop all
+net none
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+private-cache
+private-dev
+private-tmp
diff --git a/etc/latex.profile b/etc/latex.profile
new file mode 100644
index 000000000..2230dd570
--- /dev/null
+++ b/etc/latex.profile
@@ -0,0 +1,12 @@
+# Firejail profile for latex
+# This file is overwritten after every install/update
+# Persistent local customizations
+include latex.local
+# Persistent global definitions
+include globals.local
+private-bin latex
+# Redirect
+include latex-common.profile
diff --git a/etc/less.profile b/etc/less.profile
index 282b033a6..00624e0f1 100644
--- a/etc/less.profile
+++ b/etc/less.profile
@@ -7,6 +7,8 @@ include less.local
 # Persistent global definitions
 include globals.local
+blacklist ${RUNUSER}/wayland-*
 noblacklist ${HOME}/.lesshst
 include disable-devel.inc
diff --git a/etc/links.profile b/etc/links.profile
index bd0b0cc92..a31001c87 100644
--- a/etc/links.profile
+++ b/etc/links.profile
@@ -9,6 +9,7 @@ include globals.local
 noblacklist ${HOME}/.links
 blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/lynx.profile b/etc/lynx.profile
index 063285316..fb6fe94ec 100644
--- a/etc/lynx.profile
+++ b/etc/lynx.profile
@@ -7,6 +7,7 @@ include lynx.local
 include globals.local
 blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/mediainfo.profile b/etc/mediainfo.profile
index 00730c00b..fb8db3e3d 100644
--- a/etc/mediainfo.profile
+++ b/etc/mediainfo.profile
@@ -6,6 +6,8 @@ include mediainfo.local
 # Persistent global definitions
 include globals.local
+blacklist ${RUNUSER}/wayland-*
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/meld.profile b/etc/meld.profile
index 22ec2b999..f360b1ded 100644
--- a/etc/meld.profile
+++ b/etc/meld.profile
@@ -22,8 +22,8 @@ noblacklist ${HOME}/.ssh
 noblacklist ${HOME}/.subversion
 # Allow python (blacklisted by disable-interpreters.inc)
-include allow-python2.inc
+# Python 2 is EOL (see #3164). Uncomment the next line (or put it into your meld.local) if you understand the risks but want python 2 support for older meld versions.
-include allow-python3.inc
+#include allow-python3.inc
 # Uncomment the next line (or put it into your meld.local) if you don't need to compare files in disable-common.inc.
 #include disable-common.inc
diff --git a/etc/midori.profile b/etc/midori.profile
index ffae4919f..e11e2acaa 100644
--- a/etc/midori.profile
+++ b/etc/midori.profile
@@ -9,6 +9,7 @@ include globals.local
 # noexec ${HOME} breaks DRM binaries.
 ?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
+noblacklist ${HOME}/.cache/midori
 noblacklist ${HOME}/.config/midori
 noblacklist ${HOME}/.local/share/midori
 # noblacklist ${HOME}/.local/share/webkit
@@ -16,11 +17,17 @@ noblacklist ${HOME}/.local/share/midori
 noblacklist ${HOME}/.pki
 noblacklist ${HOME}/.local/share/pki
+noblacklist ${HOME}/.cache/gnome-mplayer
+noblacklist ${HOME}/.config/gnome-mplayer
+noblacklist ${HOME}/.lastpass
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
+#include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 mkdir ${HOME}/.cache/midori
 mkdir ${HOME}/.config/midori
diff --git a/etc/mp3splt.profile b/etc/mp3splt.profile
index 95173a890..7754d276b 100644
--- a/etc/mp3splt.profile
+++ b/etc/mp3splt.profile
@@ -6,6 +6,8 @@ include mp3splt.local
 # Persistent global definitions
 include globals.local
+blacklist ${RUNUSER}/wayland-*
 noblacklist ${MUSIC}
 include disable-common.inc
diff --git a/etc/multimc.profile b/etc/multimc.profile
new file mode 100644
index 000000000..338f494c9
--- /dev/null
+++ b/etc/multimc.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for multimc5
+# This file is overwritten after every install/update
+# Redirect
+include multimc5.profile
diff --git a/etc/musescore.profile b/etc/musescore.profile
index 9750a31f4..b3693c956 100644
--- a/etc/musescore.profile
+++ b/etc/musescore.profile
@@ -33,7 +33,8 @@ noroot
 notv
 novideo
 protocol unix,inet,inet6
-seccomp
+# QtWebengine needs chroot to set up its own sandbox
+seccomp !chroot
 shell none
 tracelog
diff --git a/etc/mutt.profile b/etc/mutt.profile
index 92babd50f..1fc412955 100644
--- a/etc/mutt.profile
+++ b/etc/mutt.profile
@@ -32,6 +32,7 @@ noblacklist ${HOME}/postponed
 noblacklist ${HOME}/sent
 blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/nano.profile b/etc/nano.profile
index af6fcc3fe..bc8c3dde0 100644
--- a/etc/nano.profile
+++ b/etc/nano.profile
@@ -7,6 +7,8 @@ include nano.local
 # Persistent global definitions
 include globals.local
+blacklist ${RUNUSER}/wayland-*
 noblacklist ${HOME}/.config/nano
 noblacklist ${HOME}/.nanorc
diff --git a/etc/ncdu.profile b/etc/ncdu.profile
index 0d7915839..9fda6ebe0 100644
--- a/etc/ncdu.profile
+++ b/etc/ncdu.profile
@@ -6,6 +6,8 @@ include ncdu.local
 # Persistent global definitions
 include globals.local
+blacklist ${RUNUSER}/wayland-*
 include disable-exec.inc
 caps.drop all
diff --git a/etc/odt2txt.profile b/etc/odt2txt.profile
index 719753c87..c0c5b671c 100644
--- a/etc/odt2txt.profile
+++ b/etc/odt2txt.profile
@@ -6,6 +6,8 @@ include odt2txt.local
 # Persistent global definitions
 include globals.local
+blacklist ${RUNUSER}/wayland-*
 noblacklist ${DOCUMENTS}
 include disable-common.inc
diff --git a/etc/pandoc.profile b/etc/pandoc.profile
index 57b5d7e39..9a8d82a96 100644
--- a/etc/pandoc.profile
+++ b/etc/pandoc.profile
@@ -7,6 +7,8 @@ include pandoc.local
 # Persistent global definitions
 include globals.local
+blacklist ${RUNUSER}/wayland-*
 noblacklist ${DOCUMENTS}
 include disable-common.inc
diff --git a/etc/patch.profile b/etc/patch.profile
index 03f5a4b71..4a3365378 100644
--- a/etc/patch.profile
+++ b/etc/patch.profile
@@ -7,6 +7,8 @@ include patch.local
 # Persistent global definitions
 include globals.local
+blacklist ${RUNUSER}/wayland-*
 noblacklist ${DOCUMENTS}
 include disable-common.inc
diff --git a/etc/pdflatex.profile b/etc/pdflatex.profile
new file mode 100644
index 000000000..caf980d4d
--- /dev/null
+++ b/etc/pdflatex.profile
@@ -0,0 +1,12 @@
+# Firejail profile for pdflatex
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pdflatex.local
+# Persistent global definitions
+include globals.local
+private-bin pdflatex
+# Redirect
+include latex-common.profile
diff --git a/etc/pdftotext.profile b/etc/pdftotext.profile
index e9572d914..73ebf4615 100644
--- a/etc/pdftotext.profile
+++ b/etc/pdftotext.profile
@@ -6,6 +6,8 @@ include pdftotext.local
 # Persistent global definitions
 include globals.local
+blacklist ${RUNUSER}/wayland-*
 noblacklist ${DOCUMENTS}
 include disable-common.inc
@@ -22,6 +24,7 @@ include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 caps.drop all
+ipc-namespace
 machine-id
 net none
 no3d
@@ -41,6 +44,7 @@ tracelog
 x11 none
 private-bin pdftotext
+private-cache
 private-dev
 private-etc alternatives
 private-tmp
diff --git a/etc/pngquant.profile b/etc/pngquant.profile
index 8c06cef1a..f9ce43c4c 100644
--- a/etc/pngquant.profile
+++ b/etc/pngquant.profile
@@ -7,6 +7,8 @@ include pngquant.local
 # Persistent global definitions
 include globals.local
+blacklist ${RUNUSER}/wayland-*
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/polari.profile b/etc/polari.profile
index b9f81eece..939e2537e 100644
--- a/etc/polari.profile
+++ b/etc/polari.profile
@@ -6,6 +6,8 @@ include polari.local
 # Persistent global definitions
 include globals.local
+# Allow gjs (blacklisted by disable-interpreters.inc)
+include allow-gjs.inc
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/psi-plus.profile b/etc/psi-plus.profile
index 087f90966..16fffe517 100644
--- a/etc/psi-plus.profile
+++ b/etc/psi-plus.profile
@@ -36,10 +36,10 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6
-seccomp
+# QtWebengine needs chroot to set up its own sandbox
+seccomp !chroot
 shell none
 disable-mnt
 private-dev
 private-tmp
diff --git a/etc/quassel.profile b/etc/quassel.profile
index a78d1edcd..c65089e20 100644
--- a/etc/quassel.profile
+++ b/etc/quassel.profile
@@ -19,7 +19,8 @@ nonewprivs
 noroot
 notv
 protocol unix,inet,inet6
-seccomp
+# QtWebengine needs chroot to set up its own sandbox
+seccomp !chroot
 private-cache
 private-tmp
diff --git a/etc/rsync-download_only.profile b/etc/rsync-download_only.profile
index bda3bca92..84147f0a5 100644
--- a/etc/rsync-download_only.profile
+++ b/etc/rsync-download_only.profile
@@ -13,6 +13,7 @@ include globals.local
 # Usage: firejail --profile=rsync-download_only rsync
 blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/rtv.profile b/etc/rtv.profile
new file mode 100644
index 000000000..af4b7e94b
--- /dev/null
+++ b/etc/rtv.profile
@@ -0,0 +1,56 @@
+# Firejail profile for rtv
+# Description: Browse Reddit from your terminal
+# This file is overwritten after every install/update
+# Persistent local customizations
+include rtv.local
+# Persistent global definitions
+include globals.local
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+noblacklist ${HOME}/.config/rtv
+noblacklist ${HOME}/.local/share/rtv
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.config/rtv
+mkdir ${HOME}/.local/share/rtv
+whitelist ${HOME}/.config/rtv
+whitelist ${HOME}/.local/share/rtv
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+machine-id
+netfilter
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin python*,rtv,sh,xdg-settings
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl,terminfo,xdg
diff --git a/etc/server.profile b/etc/server.profile
index 6e077ff84..ce318a828 100644
--- a/etc/server.profile
+++ b/etc/server.profile
@@ -14,6 +14,7 @@ noblacklist /usr/sbin
 # noblacklist /var/opt
 blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
 include disable-common.inc
 # include disable-devel.inc
diff --git a/etc/shellcheck.profile b/etc/shellcheck.profile
index d26096c77..f8744bdf8 100644
--- a/etc/shellcheck.profile
+++ b/etc/shellcheck.profile
@@ -7,6 +7,8 @@ include shellcheck.local
 # Persistent global definitions
 include globals.local
+blacklist ${RUNUSER}/wayland-*
 noblacklist ${DOCUMENTS}
 include disable-common.inc
diff --git a/etc/shotcut.profile b/etc/shotcut.profile
index 5b3c5439d..072cc2c0d 100644
--- a/etc/shotcut.profile
+++ b/etc/shotcut.profile
@@ -29,6 +29,7 @@ nou2f
 protocol unix
 seccomp
 shell none
+tracelog
 #private-bin melt,nice,qmelt,shotcut
 private-cache
diff --git a/etc/signal-cli.profile b/etc/signal-cli.profile
index bb1bf732d..6a2f5c434 100644
--- a/etc/signal-cli.profile
+++ b/etc/signal-cli.profile
@@ -7,6 +7,7 @@ include signal-cli.local
 include globals.local
 blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
 noblacklist ${HOME}/.local/share/signal-cli
diff --git a/etc/spectre-meltdown-checker.profile b/etc/spectre-meltdown-checker.profile
index 3306181e4..e27df4cc8 100644
--- a/etc/spectre-meltdown-checker.profile
+++ b/etc/spectre-meltdown-checker.profile
@@ -6,6 +6,8 @@ include spectre-meltdown-checker.local
 # Persistent global definitions
 include globals.local
+blacklist ${RUNUSER}/wayland-*
 noblacklist ${PATH}/mount
 noblacklist ${PATH}/umount
diff --git a/etc/ssh-agent.profile b/etc/ssh-agent.profile
index 8e355a176..cf509852a 100644
--- a/etc/ssh-agent.profile
+++ b/etc/ssh-agent.profile
@@ -11,6 +11,7 @@ noblacklist /tmp/ssh-*
 noblacklist ${HOME}/.ssh
 blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
 include disable-common.inc
 include disable-passwdmgr.inc
diff --git a/etc/standardnotes-desktop.profile b/etc/standardnotes-desktop.profile
index aa6902854..a402aca5a 100644
--- a/etc/standardnotes-desktop.profile
+++ b/etc/standardnotes-desktop.profile
@@ -39,5 +39,5 @@ seccomp !chroot
 disable-mnt
 private-dev
 private-tmp
-private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,pki,resolv.conf,ssl,xdg
+private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,pki,resolv.conf,ssl,xdg
diff --git a/etc/start-tor-browser.profile b/etc/start-tor-browser.profile
index a8b5d109e..f9daf8f09 100644
--- a/etc/start-tor-browser.profile
+++ b/etc/start-tor-browser.profile
@@ -36,5 +36,5 @@ shell none
 disable-mnt
 private-bin bash,cat,cp,cut,dirname,env,getconf,gpg,grep,gxmessage,id,kdialog,ln,mkdir,pwd,readlink,realpath,rm,sed,sh,tail,test,update-desktop-database,xmessage,zenity
 private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,machine-id,pki,pulse,resolv.conf,ssl
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl
 private-tmp
diff --git a/etc/strings.profile b/etc/strings.profile
index 52b762108..7dc453b1f 100644
--- a/etc/strings.profile
+++ b/etc/strings.profile
@@ -7,6 +7,8 @@ include strings.local
 # Persistent global definitions
 include globals.local
+blacklist ${RUNUSER}/wayland-*
 #include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/sylpheed.profile b/etc/sylpheed.profile
index 8e99fe1d6..4344fe73a 100644
--- a/etc/sylpheed.profile
+++ b/etc/sylpheed.profile
@@ -4,17 +4,14 @@
 # Persistent local customizations
 include sylpheed.local
 # Persistent global definitions
-# added by included profile
+include globals.local
-#include globals.local
 noblacklist ${HOME}/.sylpheed-2.0
-# when storing mail outside the default ${HOME}/Mail path, 'noblacklist' the custom path in your sylpheed.local
-# and 'blacklist' it in your disable-common.local too so it is  kept hidden from other applications
-blacklist ${HOME}/.claws-mail
+mkdir ${HOME}/.sylpheed-2.0
+whitelist ${HOME}/.sylpheed-2.0
-nowhitelist /usr/share/doc/claws-mail
 whitelist /usr/share/sylpheed
 # Redirect
-include claws-mail.profile
+include email-common.profile
diff --git a/etc/tar.profile b/etc/tar.profile
index 455a370de..0858dcb26 100644
--- a/etc/tar.profile
+++ b/etc/tar.profile
@@ -7,6 +7,8 @@ include tar.local
 # Persistent global definitions
 include globals.local
+blacklist ${RUNUSER}/wayland-*
 # Arch Linux (based distributions) need access to /var/lib/pacman. As we drop all capabilities this is automatically read-only.
 noblacklist /var/lib/pacman
diff --git a/etc/teams-for-linux.profile b/etc/teams-for-linux.profile
index d9e874be2..882d8d0f3 100644
--- a/etc/teams-for-linux.profile
+++ b/etc/teams-for-linux.profile
@@ -1,37 +1,27 @@
 # Firejail profile for teams-for-linux
-# Description: Teams for Linux is an Electron application for Microsoft's team collaboration and chat program
+# Description: Unofficial Microsoft Teams client for Linux using Electron.
 # This file is overwritten after every install/update
 # Persistent local customizations
 include teams-for-linux.local
 # Persistent global definitions
-include globals.local
+# added by included profile
+#include globals.local
+ignore nodbus
 noblacklist ${HOME}/.config/teams-for-linux
-include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
 mkdir ${HOME}/.config/teams-for-linux
 whitelist ${HOME}/.config/teams-for-linux
-whitelist ${DOWNLOADS}
 include whitelist-common.inc
 include whitelist-var-common.inc
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
 nou2f
 novideo
-protocol unix,inet,inet6,netlink
-seccomp
 shell none
 disable-mnt
@@ -40,3 +30,6 @@ private-cache
 private-dev
 private-etc ca-certificates,crypto-policies,fonts,ld.so.cache,localtime,machine-id,pki,resolv.conf,ssl
 private-tmp
+# Redirect
+include electron.profile
diff --git a/etc/templates/profile.template b/etc/templates/profile.template
index 7bfc3cf0d..0362b82af 100644
--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -42,6 +42,7 @@
 #  ${HOME} (user's home)
 #  ${PATH} (contents of PATH envvar)
 #  ${MUSIC}
+#  ${RUNUSER} (/run/user/UID)
 #  ${VIDEOS}
 #
 # Check contents of ~/.config/user-dirs.dirs to see how they translate to actual paths.
@@ -59,6 +60,8 @@ include globals.local
 ##blacklist PATH
 # Disable X11 (CLI only), see also 'x11 none' below
 #blacklist /tmp/.X11-unix
+# Disable Wayland
+#blacklist ${RUNUSER}/wayland-*
 # It is common practice to add files/dirs containing program-specific configuration
 # (often ${HOME}/PROGRAMNAME or ${HOME}/.config/PROGRAMNAME) into disable-programs.inc
@@ -90,6 +93,9 @@ include globals.local
 # Allow ruby (blacklisted by disable-interpreters.inc)
 #include allow-ruby.inc
+# Allow gjs (blacklisted by disable-interpreters.inc)
+#include allow-gjs.inc
 # Allows files commonly used by IDEs
 #include allow-common-devel.inc
diff --git a/etc/tex.profile b/etc/tex.profile
new file mode 100644
index 000000000..f56c3038e
--- /dev/null
+++ b/etc/tex.profile
@@ -0,0 +1,12 @@
+# Firejail profile for tex
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tex.local
+# Persistent global definitions
+include globals.local
+private-bin tex
+# Redirect
+include latex-common.profile
diff --git a/etc/thunderbird.profile b/etc/thunderbird.profile
index e30b57498..6e888c163 100644
--- a/etc/thunderbird.profile
+++ b/etc/thunderbird.profile
@@ -6,13 +6,16 @@ include thunderbird.local
 # Persistent global definitions
 include globals.local
-# Users have thunderbird set to open a browser by clicking a link in an email
+# writable-run-user and dbus are needed by enigmail
-# We are not allowed to blacklist browser-specific directories
+ignore nodbus
+writable-run-user
-noblacklist ${HOME}/.cache/thunderbird
+# If you want to read local mail stored in /var/mail, add the following to thunderbird.local:
-noblacklist ${HOME}/.gnupg
+#noblacklist /var/mail
-# noblacklist ${HOME}/.icedove
+#noblacklist /var/spool/mail
-noblacklist ${HOME}/.thunderbird
+#whitelist /var/mail
+#whitelist /var/spool/mail
+#writable-var
 # Uncomment the next 4 lines or put them in your thunderbird.local to
 # allow Firefox to load your profile when clicking a link in an email
@@ -21,6 +24,14 @@ noblacklist ${HOME}/.thunderbird
 #whitelist ${HOME}/.cache/mozilla/firefox
 #whitelist ${HOME}/.mozilla
+noblacklist ${HOME}/.cache/thunderbird
+noblacklist ${HOME}/.gnupg
+# noblacklist ${HOME}/.icedove
+noblacklist ${HOME}/.thunderbird
+include disable-passwdmgr.inc
+include disable-xdg.inc
 # If you have setup Thunderbird to archive emails to a local folder,
 # make sure you add the path to that folder to the mkdir and whitelist
 # rules below. Otherwise they will be deleted when you close Thunderbird.
@@ -34,23 +45,19 @@ whitelist ${HOME}/.gnupg
 # whitelist ${HOME}/.icedove
 whitelist ${HOME}/.thunderbird
-#whitelist /usr/share/mozilla
+whitelist /usr/share/gnupg
-#include whitelist-usr-share-common.inc
+whitelist /usr/share/mozilla
+whitelist /usr/share/webext
+include whitelist-usr-share-common.inc
+# machine-id breaks audio in browsers; enable or put it in your thunderbird.local when sound is not required
+#machine-id
+novideo
 # We need the real /tmp for data exchange when xdg-open handles email attachments on KDE
 ignore private-tmp
-# machine-id breaks audio in browsers; enable or put it in your thunderbird.local when sound is not required
-# machine-id
-read-only ${HOME}/.config/mimeapps.list
-# writable-run-user and dbus are needed by enigmail
-writable-run-user
-ignore nodbus
-# If you want to read local mail stored in /var/mail, add the following to thunderbird.local:
+read-only ${HOME}/.config/mimeapps.list
-# noblacklist /var/mail
-# noblacklist /var/spool/mail
-# writable-var
-# allow browsers
 # Redirect
 include firefox-common.profile
diff --git a/etc/torbrowser-launcher.profile b/etc/torbrowser-launcher.profile
index be03afdb5..72bdf9fa1 100644
--- a/etc/torbrowser-launcher.profile
+++ b/etc/torbrowser-launcher.profile
@@ -50,5 +50,5 @@ shell none
 disable-mnt
 private-bin bash,cat,cp,cut,dirname,env,expr,file,gpg,grep,gxmessage,id,kdialog,ln,mkdir,mv,python*,rm,sed,sh,tail,tar,tclsh,test,tor-browser,tor-browser-en,torbrowser-launcher,update-desktop-database,xmessage,xz,zenity
 private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,ld.so.cache,machine-id,pki,pulse,resolv.conf,ssl
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl
 private-tmp
diff --git a/etc/tracker.profile b/etc/tracker.profile
index 6e107d99e..d47185b1d 100644
--- a/etc/tracker.profile
+++ b/etc/tracker.profile
@@ -9,6 +9,7 @@ include globals.local
 # Tracker is started by systemd on most systems. Therefore it is not firejailed by default
 blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/transmission-common.profile b/etc/transmission-common.profile
index a8b667e91..b9f49c4a4 100644
--- a/etc/transmission-common.profile
+++ b/etc/transmission-common.profile
@@ -3,6 +3,9 @@
 # This file is overwritten after every install/update
 # Persistent local customizations
 include transmission-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
 noblacklist ${HOME}/.cache/transmission
 noblacklist ${HOME}/.config/transmission
@@ -40,6 +43,7 @@ seccomp
 shell none
 tracelog
+private-cache
 private-dev
 private-lib
 private-tmp
diff --git a/etc/transmission-daemon.profile b/etc/transmission-daemon.profile
index f1e7fcb17..1841b8ed0 100644
--- a/etc/transmission-daemon.profile
+++ b/etc/transmission-daemon.profile
@@ -7,6 +7,8 @@ include transmission-daemon.local
 # Persistent global definitions
 include globals.local
+mkdir ${HOME}/.config/transmission-daemon
+whitelist ${HOME}/.config/transmission-daemon
 whitelist /var/lib/transmission
 caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot
diff --git a/etc/tvbrowser.profile b/etc/tvbrowser.profile
new file mode 100644
index 000000000..6e028b086
--- /dev/null
+++ b/etc/tvbrowser.profile
@@ -0,0 +1,51 @@
+# Firejail profile for tvbrowser
+# Description: java tv programm form tvbrowser.org
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tvbrowser.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/tvbrowser
+noblacklist ${HOME}/.tvbrowser
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.config/tvbrowser
+mkdir ${HOME}/.tvbrowser
+whitelist ${HOME}/.config/tvbrowser
+whitelist ${HOME}/.tvbrowser
+whitelist /usr/share/tvbrowser
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+caps.drop all
+netfilter
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+disable-mnt
+private-cache
+private-dev
+private-tmp
diff --git a/etc/udiskie.profile b/etc/udiskie.profile
index f6e85d60e..265f6429d 100644
--- a/etc/udiskie.profile
+++ b/etc/udiskie.profile
@@ -31,7 +31,7 @@ notv
 nou2f
 novideo
 protocol unix
-seccomp
+seccomp !request_key
 shell none
 tracelog
diff --git a/etc/unbound.profile b/etc/unbound.profile
index 67448d766..36533a762 100644
--- a/etc/unbound.profile
+++ b/etc/unbound.profile
@@ -10,6 +10,7 @@ noblacklist /sbin
 noblacklist /usr/sbin
 blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/unf.profile b/etc/unf.profile
index 1f0b2aa32..b8eccf4dc 100644
--- a/etc/unf.profile
+++ b/etc/unf.profile
@@ -7,6 +7,8 @@ include unf.local
 # Persistent global definitions
 include globals.local
+blacklist ${RUNUSER}/wayland-*
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -48,7 +50,7 @@ private-cache
 ?HAS_APPIMAGE: ignore private-dev
 private-dev
 private-etc alternatives
-private-lib libgcc_s.so.*
+private-lib gcc/*/*/libgcc_s.so.*
 private-tmp
 memory-deny-write-execute
diff --git a/etc/unrar.profile b/etc/unrar.profile
index 428173e7d..bf28746b0 100644
--- a/etc/unrar.profile
+++ b/etc/unrar.profile
@@ -7,6 +7,8 @@ include unrar.local
 # Persistent global definitions
 include globals.local
+blacklist ${RUNUSER}/wayland-*
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/unzip.profile b/etc/unzip.profile
index 60e447049..7882f2b63 100644
--- a/etc/unzip.profile
+++ b/etc/unzip.profile
@@ -7,6 +7,8 @@ include unzip.local
 # Persistent global definitions
 include globals.local
+blacklist ${RUNUSER}/wayland-*
 # GNOME Shell integration (chrome-gnome-shell)
 noblacklist ${HOME}/.local/share/gnome-shell
diff --git a/etc/uudeview.profile b/etc/uudeview.profile
index 60a7f0d20..bd2ee01d5 100644
--- a/etc/uudeview.profile
+++ b/etc/uudeview.profile
@@ -7,6 +7,8 @@ include uudeview.local
 # Persistent global definitions
 include globals.local
+blacklist ${RUNUSER}/wayland-*
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/w3m.profile b/etc/w3m.profile
index 76531d315..97465baa1 100644
--- a/etc/w3m.profile
+++ b/etc/w3m.profile
@@ -9,6 +9,7 @@ include globals.local
 noblacklist ${HOME}/.w3m
 blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
 include allow-perl.inc
diff --git a/etc/wget.profile b/etc/wget.profile
index c1f7dfc3f..401926e2d 100644
--- a/etc/wget.profile
+++ b/etc/wget.profile
@@ -12,6 +12,7 @@ noblacklist ${HOME}/.wget-hsts
 noblacklist ${HOME}/.wgetrc
 blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/whalebird.profile b/etc/whalebird.profile
index 26932b6b3..2e24dd8e0 100644
--- a/etc/whalebird.profile
+++ b/etc/whalebird.profile
@@ -4,37 +4,27 @@
 # Persistent local customizations
 include whalebird.local
 # Persistent global definitions
-include globals.local
+# added by included profile
+#include globals.local
+ignore nodbus
 noblacklist ${HOME}/.config/Whalebird
-include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
 include disable-xdg.inc
 mkdir ${HOME}/.config/Whalebird
 whitelist ${HOME}/.config/Whalebird
-whitelist ${DOWNLOADS}
 include whitelist-common.inc
 include whitelist-var-common.inc
-apparmor
-caps.drop all
-netfilter
 no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
 nou2f
 novideo
 protocol unix,inet,inet6
-seccomp
 shell none
 disable-mnt
@@ -43,3 +33,6 @@ private-cache
 private-dev
 private-etc fonts,machine-id
 private-tmp
+# Redirect
+include electron.profile
diff --git a/etc/whitelist-usr-share-common.inc b/etc/whitelist-usr-share-common.inc
index 322bdefe9..710007163 100644
--- a/etc/whitelist-usr-share-common.inc
+++ b/etc/whitelist-usr-share-common.inc
@@ -13,6 +13,7 @@ whitelist /usr/share/distro-info
 whitelist /usr/share/drirc.d
 whitelist /usr/share/enchant
 whitelist /usr/share/enchant-2
+whitelist /usr/share/file
 whitelist /usr/share/fontconfig
 whitelist /usr/share/fonts
 whitelist /usr/share/gir-1.0
@@ -26,6 +27,7 @@ whitelist /usr/share/gtksourceview-4
 whitelist /usr/share/hunspell
 whitelist /usr/share/hwdata
 whitelist /usr/share/icons
+whitelist /usr/share/icu
 whitelist /usr/share/knotifications5
 whitelist /usr/share/kservices5
 whitelist /usr/share/Kvantum
diff --git a/etc/whois.profile b/etc/whois.profile
index bd0870bea..0e60e18ab 100644
--- a/etc/whois.profile
+++ b/etc/whois.profile
@@ -8,6 +8,7 @@ include whois.local
 include globals.local
 blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
 include disable-common.inc
 include disable-devel.inc
@@ -45,8 +46,8 @@ private
 private-bin bash,sh,whois
 private-cache
 private-dev
-private-etc alternatives,hosts,jwhois.conf,services,whois.conf
+private-etc alternatives,hosts,jwhois.conf,resolv.conf,services,whois.conf
-private-lib
+private-lib gconv
 private-tmp
 memory-deny-write-execute
diff --git a/etc/wire-desktop.profile b/etc/wire-desktop.profile
index 490255fa6..3c783322b 100644
--- a/etc/wire-desktop.profile
+++ b/etc/wire-desktop.profile
@@ -1,40 +1,35 @@
 # Firejail profile for wire-desktop
+# Description: End-to-end encrypted messenger with file sharing, voice calls and video conferences
 # This file is overwritten after every install/update
 # Persistent local customizations
 include wire-desktop.local
 # Persistent global definitions
-include globals.local
+# added by included profile
+#include globals.local
+# Debian/Ubuntu use /opt/Wire. As that is not in PATH by default, run `firejail /opt/Wire/wire-desktop` to start it.
+ignore caps.drop all
+ignore nodbus
 noblacklist ${HOME}/.config/Wire
-include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
 mkdir ${HOME}/.config/Wire
 whitelist ${HOME}/.config/Wire
-whitelist ${DOWNLOADS}
 include whitelist-common.inc
-caps.drop all
+caps.keep sys_admin,sys_chroot
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
 nou2f
-protocol unix,inet,inet6,netlink
-seccomp
 shell none
-# Note: The current version of Wire is located in /opt/wire-desktop/wire-desktop, and therefore
-# it is not in PATH. To use Wire with firejail, run "firejail /opt/wire-desktop/wire-desktop"
 disable-mnt
 private-bin bash,electron,electron4,env,sh,wire-desktop
 private-dev
 private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,resolv.conf,ssl
 private-tmp
+# Redirect
+include electron.profile
diff --git a/etc/wpp.profile b/etc/wpp.profile
new file mode 100644
index 000000000..a219397a9
--- /dev/null
+++ b/etc/wpp.profile
@@ -0,0 +1,14 @@
+# Firejail profile for wpp
+# Description: WPS Office - Presentation
+# This file is overwritten after every install/update
+# Persistent local customizations
+include wpp.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+ignore machine-id
+ignore nosound
+# Redirect
+include wps.profile
diff --git a/etc/wps.profile b/etc/wps.profile
new file mode 100644
index 000000000..47bba2dda
--- /dev/null
+++ b/etc/wps.profile
@@ -0,0 +1,47 @@
+# Firejail profile for wps
+# Description: WPS Office - Writer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include wps.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.kingsoft
+noblacklist ${HOME}/.config/Kingsoft
+noblacklist ${HOME}/.local/share/Kingsoft
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+machine-id
+# Uncomment the next line (or add to wps.local) if you don't use network features.
+#net none
+netfilter
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+# seccomp cause some minor issues, if you can live with them enable it.
+#seccomp
+shell none
+tracelog
+private-cache
+private-dev
+private-tmp
diff --git a/etc/wpspdf.profile b/etc/wpspdf.profile
new file mode 100644
index 000000000..82080acbc
--- /dev/null
+++ b/etc/wpspdf.profile
@@ -0,0 +1,11 @@
+# Firejail profile for wpspdf
+# Description: Kingsoft Pdf Reader
+# This file is overwritten after every install/update
+# Persistent local customizations
+include et.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include wps.profile
diff --git a/etc/xzdec.profile b/etc/xzdec.profile
index 93c288d6e..ca6aaf1d5 100644
--- a/etc/xzdec.profile
+++ b/etc/xzdec.profile
@@ -7,6 +7,8 @@ include xzdec.local
 # Persistent global definitions
 include globals.local
+blacklist ${RUNUSER}/wayland-*
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/yelp.profile b/etc/yelp.profile
index 41138cd17..acd483209 100644
--- a/etc/yelp.profile
+++ b/etc/yelp.profile
@@ -18,6 +18,7 @@ include disable-xdg.inc
 mkdir ${HOME}/.config/yelp
 whitelist ${HOME}/.config/yelp
+whitelist /usr/share/doc
 whitelist /usr/share/help
 whitelist /usr/share/yelp
 whitelist /usr/share/yelp-xsl
diff --git a/etc/youtube-dl.profile b/etc/youtube-dl.profile
index 5fa72c9dc..19effef47 100644
--- a/etc/youtube-dl.profile
+++ b/etc/youtube-dl.profile
@@ -21,6 +21,7 @@ include allow-python2.inc
 include allow-python3.inc
 blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/zathura.profile b/etc/zathura.profile
index 68a5701ee..703c8edd4 100644
--- a/etc/zathura.profile
+++ b/etc/zathura.profile
@@ -18,10 +18,18 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
+mkdir ${HOME}/.config/zathura
+mkdir ${HOME}/.local/share/zathura
+whitelist /usr/share/doc
+whitelist /usr/share/zathura
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
 caps.drop all
+ipc-namespace
 machine-id
-# net none
+net none
-# nodbus
+nodbus
 nodvd
 nogroups
 nonewprivs
@@ -38,11 +46,10 @@ tracelog
 private-bin zathura
 private-cache
 private-dev
-private-etc alternatives,fonts,machine-id
+private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id
+private-lib gcc/*/*/libgcc_s.so.*,gcc/*/*/libstdc++.so.*,libarchive.so.*,libdjvulibre.so.*,libgirara-gtk*,libpoppler-glib.so.*,libspectre.so.*,zathura
 private-tmp
-mkdir ${HOME}/.config/zathura
-mkdir ${HOME}/.local/share/zathura
 read-only ${HOME}
 read-write ${HOME}/.config/zathura
 read-write ${HOME}/.local/share/zathura
diff --git a/etc/zstd.profile b/etc/zstd.profile
index ea7bbfb0d..93b849568 100644
--- a/etc/zstd.profile
+++ b/etc/zstd.profile
@@ -7,6 +7,8 @@ include zstd.local
 # Persistent global definitions
 include globals.local
+blacklist ${RUNUSER}/wayland-*
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc