293 files changed, 1276 insertions, 791 deletions
diff --git a/etc/inc/allow-common-devel.inc b/etc/inc/allow-common-devel.inc
index 9576239f3..8083ef1a8 100644
--- a/etc/inc/allow-common-devel.inc
+++ b/etc/inc/allow-common-devel.inc
@@ -2,6 +2,10 @@
 # Persistent customizations should go in a .local file.
 include allow-common-devel.local
+# Arduino
+noblacklist ${HOME}/.arduino15
+noblacklist ${HOME}/Arduino
 # Git
 noblacklist ${HOME}/.config/git
 noblacklist ${HOME}/.gitconfig
@@ -26,6 +30,9 @@ noblacklist ${HOME}/.yarn-config
 noblacklist ${HOME}/.yarncache
 noblacklist ${HOME}/.yarnrc
+# PlatformIO
+noblacklist ${HOME}/.platformio
 # Python
 noblacklist ${HOME}/.pylint.d
 noblacklist ${HOME}/.python-history
@@ -37,3 +44,4 @@ noblacklist ${HOME}/.bundle
 # Rust
 noblacklist ${HOME}/.cargo
+noblacklist ${HOME}/.rustup
diff --git a/etc/inc/allow-ssh.inc b/etc/inc/allow-ssh.inc
index 024d87be7..6b2c5846e 100644
--- a/etc/inc/allow-ssh.inc
+++ b/etc/inc/allow-ssh.inc
@@ -6,7 +6,7 @@ noblacklist ${HOME}/.ssh
 noblacklist /etc/ssh
 noblacklist /etc/ssh/ssh_config
 noblacklist /etc/ssh/ssh_config.d
-noblacklist ${PATH}/ssh
+noblacklist ${PATH}/ssh*
 noblacklist /tmp/ssh-*
 # Arch Linux and derivatives
 noblacklist /usr/lib/ssh
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index ce4f08958..55aabbc73 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -33,7 +33,8 @@ blacklist-nolog ${HOME}/.viminfo
 blacklist-nolog /tmp/clipmenu*
 # X11 session autostart
-# blacklist ${HOME}/.xpra - this will kill --x11=xpra cmdline option for all programs
+# this will kill --x11=xpra cmdline option for all programs
+#blacklist ${HOME}/.xpra
 blacklist ${HOME}/.Xsession
 blacklist ${HOME}/.blackbox
 blacklist ${HOME}/.config/autostart
@@ -170,7 +171,7 @@ blacklist ${RUNUSER}/gsconnect
 blacklist ${HOME}/.config/systemd
 blacklist ${HOME}/.local/share/systemd
 blacklist ${PATH}/systemctl
-blacklist ${PATH}/systemd-run
+blacklist ${PATH}/systemd*
 blacklist ${RUNUSER}/systemd
 blacklist /etc/credstore*
 blacklist /etc/systemd/network
@@ -191,6 +192,7 @@ blacklist ${HOME}/.VirtualBox
 blacklist ${HOME}/VirtualBox VMs
 # GNOME Boxes
+blacklist ${HOME}/.cache/gnome-boxes
 blacklist ${HOME}/.config/gnome-boxes
 blacklist ${HOME}/.local/share/gnome-boxes
@@ -241,8 +243,9 @@ blacklist /var/lib/mysql/mysql.sock
 blacklist /var/lib/mysqld/mysql.sock
 blacklist /var/lib/pacman
 blacklist /var/lib/upower
-# blacklist /var/log - a virtual /var/log directory (mostly empty) is build up by default for
+# a virtual /var/log directory (mostly empty) is build up by default for every
-# every sandbox, unless --writable-var-log switch is activated
+# sandbox, unless --writable-var-log switch is activated
+#blacklist /var/log
 blacklist /var/mail
 blacklist /var/opt
 blacklist /var/run/acpid.socket
@@ -319,7 +322,7 @@ read-only ${HOME}/.zshenv
 read-only ${HOME}/.zshrc
 read-only ${HOME}/.zshrc.local
-# Remote access
+# Remote access (used only by sshd; should always be blacklisted)
 blacklist ${HOME}/.rhosts
 blacklist ${HOME}/.shosts
 blacklist ${HOME}/.ssh/authorized_keys
@@ -327,13 +330,12 @@ blacklist ${HOME}/.ssh/authorized_keys2
 blacklist ${HOME}/.ssh/environment
 blacklist ${HOME}/.ssh/rc
 blacklist /etc/hosts.equiv
-read-only ${HOME}/.ssh/config
-read-only ${HOME}/.ssh/config.d
 # Initialization files that allow arbitrary command execution
 read-only ${HOME}/.caffrc
 read-only ${HOME}/.cargo/env
 read-only ${HOME}/.config/mpv
+read-only ${HOME}/.config/msmtp
 read-only ${HOME}/.config/nano
 read-only ${HOME}/.config/nvim
 read-only ${HOME}/.config/pkcs11
@@ -360,6 +362,8 @@ read-only ${HOME}/.nanorc
 read-only ${HOME}/.npmrc
 read-only ${HOME}/.pythonrc.py
 read-only ${HOME}/.reportbugrc
+read-only ${HOME}/.ssh/config
+read-only ${HOME}/.ssh/config.d
 read-only ${HOME}/.tmux.conf
 read-only ${HOME}/.vim
 read-only ${HOME}/.viminfo
@@ -422,6 +426,7 @@ blacklist /etc/group-
 blacklist /etc/gshadow
 blacklist /etc/gshadow+
 blacklist /etc/gshadow-
+blacklist /etc/msmtprc
 blacklist /etc/passwd+
 blacklist /etc/passwd-
 blacklist /etc/shadow
@@ -444,6 +449,7 @@ blacklist ${HOME}/.cargo/credentials.toml
 blacklist ${HOME}/.cert
 blacklist ${HOME}/.config/hub
 blacklist ${HOME}/.config/keybase
+blacklist ${HOME}/.config/msmtp
 blacklist ${HOME}/.davfs2/secrets
 blacklist ${HOME}/.ecryptfs
 blacklist ${HOME}/.fetchmailrc
@@ -502,6 +508,7 @@ blacklist /usr/sbin
 # system management and various SUID executables
 blacklist ${PATH}/at
+blacklist ${PATH}/bmon
 blacklist ${PATH}/busybox
 blacklist ${PATH}/chage
 blacklist ${PATH}/chfn
@@ -510,69 +517,96 @@ blacklist ${PATH}/crontab
 blacklist ${PATH}/doas
 blacklist ${PATH}/evtest
 blacklist ${PATH}/expiry
-blacklist ${PATH}/fusermount
+blacklist ${PATH}/fping
+blacklist ${PATH}/fping6
+blacklist ${PATH}/fusermount*
 blacklist ${PATH}/gksu
 blacklist ${PATH}/gksudo
 blacklist ${PATH}/gpasswd
+blacklist ${PATH}/groupmems
+blacklist ${PATH}/hostname
+#blacklist ${PATH}/ip # breaks --ip=dhcp
 blacklist ${PATH}/kdesudo
 blacklist ${PATH}/ksu
 blacklist ${PATH}/mount
-blacklist ${PATH}/mount.ecryptfs_private
+blacklist ${PATH}/mount.*
+blacklist ${PATH}/mountpoint
+blacklist ${PATH}/mtr
+blacklist ${PATH}/mtr-packet
 blacklist ${PATH}/nc
+blacklist ${PATH}/nc.openbsd
+blacklist ${PATH}/nc.traditional
 blacklist ${PATH}/ncat
-blacklist ${PATH}/nmap
+blacklist ${PATH}/netstat
+blacklist ${PATH}/networkctl
 blacklist ${PATH}/newgidmap
 blacklist ${PATH}/newgrp
 blacklist ${PATH}/newuidmap
+blacklist ${PATH}/nm-online
+blacklist ${PATH}/nmap
+blacklist ${PATH}/nmcli
+blacklist ${PATH}/nmtui
+blacklist ${PATH}/nmtui-connect
+blacklist ${PATH}/nmtui-edit
+blacklist ${PATH}/nmtui-hostname
 blacklist ${PATH}/ntfs-3g
+blacklist ${PATH}/passwd
+blacklist ${PATH}/physlock
 blacklist ${PATH}/pkexec
+blacklist ${PATH}/plocate
+blacklist ${PATH}/pmount
 blacklist ${PATH}/procmail
+blacklist ${PATH}/pumount
+blacklist ${PATH}/schroot
 blacklist ${PATH}/sg
+blacklist ${PATH}/slock
+blacklist ${PATH}/ss
+blacklist ${PATH}/ssmtp
 blacklist ${PATH}/strace
 blacklist ${PATH}/su
 blacklist ${PATH}/sudo
+blacklist ${PATH}/suexec
 blacklist ${PATH}/tcpdump
+blacklist ${PATH}/traceroute
 blacklist ${PATH}/umount
 blacklist ${PATH}/unix_chkpwd
+blacklist ${PATH}/wall
+blacklist ${PATH}/write
+blacklist ${PATH}/wshowkeys
 blacklist ${PATH}/xev
 blacklist ${PATH}/xinput
-# from 0.9.67
+blacklist /usr/lib/chromium/chrome-sandbox
-blacklist /usr/lib/openssh
-blacklist /usr/lib/ssh
-blacklist /usr/libexec/openssh
-blacklist ${PATH}/passwd
-blacklist /usr/lib/xorg/Xorg.wrap
-blacklist /usr/lib/policykit-1/polkit-agent-helper-1
 blacklist /usr/lib/dbus-1.0/dbus-daemon-launch-helper
 blacklist /usr/lib/eject/dmcrypt-get-device
-blacklist /usr/lib/chromium/chrome-sandbox
+blacklist /usr/lib/openssh
 blacklist /usr/lib/opera/opera_sandbox
-blacklist /usr/lib/vmware
+blacklist /usr/lib/policykit-1/polkit-agent-helper-1
-blacklist ${PATH}/suexec
 blacklist /usr/lib/squid/basic_pam_auth
-blacklist ${PATH}/slock
+blacklist /usr/lib/ssh
-blacklist ${PATH}/physlock
+blacklist /usr/lib/vmware
-blacklist ${PATH}/schroot
+blacklist /usr/lib/xorg/Xorg.wrap
-blacklist ${PATH}/wshowkeys
+blacklist /usr/libexec/openssh
-blacklist ${PATH}/pmount
+# since firejail version 0.9.73
-blacklist ${PATH}/pumount
+blacklist ${PATH}/dpkg*
-blacklist ${PATH}/bmon
+blacklist ${PATH}/apt*
-blacklist ${PATH}/fping
+blacklist ${PATH}/dumpcap
-blacklist ${PATH}/fping6
+blacklist ${PATH}/efibootdump
-blacklist ${PATH}/hostname
+blacklist ${PATH}/efibootmgr
-# blacklist ${PATH}/ip - breaks --ip=dhcp
+blacklist ${PATH}/passmass
-blacklist ${PATH}/mtr
+blacklist ${PATH}/proxy
-blacklist ${PATH}/mtr-packet
+blacklist ${PATH}/aa-*
-blacklist ${PATH}/netstat
+blacklist ${PATH}/airscan-discover
-blacklist ${PATH}/nm-online
+blacklist ${PATH}/avahi*
-blacklist ${PATH}/nmcli
+blacklist ${PATH}/dbus-*
-blacklist ${PATH}/nmtui
+blacklist ${PATH}/debconf*
-blacklist ${PATH}/nmtui-connect
+blacklist ${PATH}/grub-*
-blacklist ${PATH}/nmtui-edit
+blacklist ${PATH}/kernel-install  # from systemd package
-blacklist ${PATH}/nmtui-hostname
-blacklist ${PATH}/networkctl
+# binaries installed by firejail
-blacklist ${PATH}/ss
+blacklist ${PATH}/firemon
-blacklist ${PATH}/traceroute
+blacklist ${PATH}/firecfg
+blacklist ${PATH}/jailcheck
+blacklist ${PATH}/firetools
 # other SUID binaries
 blacklist /opt/microsoft/msedge*/msedge-sandbox
@@ -585,11 +619,13 @@ blacklist /tmp/.lxterminal-socket*
 blacklist /tmp/tmux-*
 # disable terminals running as server resulting in sandbox escape
+blacklist ${PATH}/foot
+blacklist ${PATH}/footserver
 blacklist ${PATH}/gnome-terminal
 blacklist ${PATH}/gnome-terminal.wrapper
 blacklist ${PATH}/kgx
-# blacklist ${PATH}/konsole
 # konsole doesn't seem to have this problem - last tested on Ubuntu 16.04
+#blacklist ${PATH}/konsole
 blacklist ${PATH}/lilyterm
 blacklist ${PATH}/lxterminal
 blacklist ${PATH}/mate-terminal
@@ -653,10 +689,13 @@ blacklist ${HOME}/sent
 blacklist /proc/config.gz
 # prevent DNS malware attempting to communicate with the server using regular DNS tools
+blacklist ${PATH}/delv
 blacklist ${PATH}/dig
 blacklist ${PATH}/dlint
 blacklist ${PATH}/dns2tcp
 blacklist ${PATH}/dnssec-*
+blacklist ${PATH}/dnstap-read
+blacklist ${PATH}/mdig
 blacklist ${PATH}/dnswalk
 blacklist ${PATH}/drill
 blacklist ${PATH}/host
@@ -667,12 +706,14 @@ blacklist ${PATH}/knsupdate
 blacklist ${PATH}/ldns-*
 blacklist ${PATH}/ldnsd
 blacklist ${PATH}/nslookup
+blacklist ${PATH}/nsupdate
+blacklist ${PATH}/nstat
 blacklist ${PATH}/resolvectl
 blacklist ${PATH}/unbound-host
 # prevent an intruder to guess passwords using regular network tools
 blacklist ${PATH}/ftp
-blacklist ${PATH}/ssh
+blacklist ${PATH}/ssh*
 blacklist ${PATH}/telnet
 # rest of ${RUNUSER}
diff --git a/etc/inc/disable-devel.inc b/etc/inc/disable-devel.inc
index 360077936..ae64f456e 100644
--- a/etc/inc/disable-devel.inc
+++ b/etc/inc/disable-devel.inc
@@ -4,32 +4,72 @@ include disable-devel.local
 # development tools
+# autoconf/automake
+blacklist ${PATH}/aclocal*
+blacklist ${PATH}/autoconf
+blacklist ${PATH}/autoheader
+blacklist ${PATH}/autom4te
+blacklist ${PATH}/automake*
+blacklist ${PATH}/autoreconf
+blacklist ${PATH}/autoscan
+blacklist ${PATH}/autoupdate
+blacklist ${PATH}/ifnames
+blacklist ${PATH}/m4
+# patch
+blacklist ${PATH}/elfedit
+blacklist ${PATH}/espdiff
+blacklist ${PATH}/patch
+blacklist ${PATH}/patchview
+# packaging
+blacklist ${PATH}/dh_*
+blacklist ${PATH}/fakeroot*
+blacklist ${PATH}/lintian
+# expect
+blacklist ${PATH}/autoexpect
+blacklist ${PATH}/expect*
 # clang/llvm
+blacklist ${PATH}/analyze-build*
+blacklist ${PATH}/asan_symbolize*
+blacklist ${PATH}/bugpoint*
+blacklist ${PATH}/c-index-test*
 blacklist ${PATH}/clang*
+blacklist ${PATH}/llc*
 blacklist ${PATH}/lldb*
+blacklist ${PATH}/lli*
 blacklist ${PATH}/llvm*
+blacklist ${PATH}/scan-build
 # see issue #2106 - it disables hardware acceleration in Firefox on Radeon GPU
-# blacklist /usr/lib/llvm*
+#blacklist /usr/lib/llvm*
 # GCC
+blacklist ${PATH}/*-g++*
+blacklist ${PATH}/*-g++*
+blacklist ${PATH}/*-gcc*
+blacklist ${PATH}/*-gcc*
 blacklist ${PATH}/as
-blacklist ${PATH}/cc
 blacklist ${PATH}/c++*
 blacklist ${PATH}/c8*
 blacklist ${PATH}/c9*
+blacklist ${PATH}/cc
 blacklist ${PATH}/cpp*
+blacklist ${PATH}/elfedit
 blacklist ${PATH}/g++*
 blacklist ${PATH}/gcc*
+blacklist ${PATH}/gcov*
 blacklist ${PATH}/gdb
+blacklist ${PATH}/gmake
 blacklist ${PATH}/ld
-blacklist ${PATH}/*-gcc*
+blacklist ${PATH}/make
-blacklist ${PATH}/*-g++*
+blacklist ${PATH}/make-first-existing-target
-blacklist ${PATH}/*-gcc*
+blacklist ${PATH}/x86_64-linux-gnu-*
-blacklist ${PATH}/*-g++*
 # seems to create problems on Gentoo
 #blacklist /usr/lib/gcc
-#Go
+# Go
 blacklist ${PATH}/gccgo
 blacklist ${PATH}/go
 blacklist ${PATH}/gofmt
@@ -48,15 +88,14 @@ blacklist ${PATH}/scala3-compiler
 blacklist ${PATH}/scala3-repl
 blacklist ${PATH}/scalac
-#OpenSSL
+# OpenSSL
 blacklist ${PATH}/openssl
 blacklist ${PATH}/openssl-1.0
-#Rust
+# Rust
 blacklist ${PATH}/rust-gdb
 blacklist ${PATH}/rust-lldb
 blacklist ${PATH}/rustc
-blacklist ${HOME}/.rustup
 # tcc - Tiny C Compiler
 blacklist ${PATH}/tcc
@@ -68,7 +107,7 @@ blacklist ${PATH}/valgrind*
 blacklist /usr/lib/valgrind
 # Source-Code
-blacklist /usr/src
-blacklist /usr/local/src
 blacklist /usr/include
 blacklist /usr/local/include
+blacklist /usr/local/src
+blacklist /usr/src
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 38ab7221e..13b4b2078 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -22,7 +22,6 @@ blacklist ${HOME}/.Steampid
 blacklist ${HOME}/.TelegramDesktop
 blacklist ${HOME}/.VSCodium
 blacklist ${HOME}/.ViberPC
-blacklist ${HOME}/.VirtualBox
 blacklist ${HOME}/.WebStorm*
 blacklist ${HOME}/.Wolfram Research
 blacklist ${HOME}/.ZAP
@@ -112,6 +111,7 @@ blacklist ${HOME}/.cache/falkon
 blacklist ${HOME}/.cache/feedreader
 blacklist ${HOME}/.cache/firedragon
 blacklist ${HOME}/.cache/flaska.net/trojita
+blacklist ${HOME}/.cache/floorp
 blacklist ${HOME}/.cache/folks
 blacklist ${HOME}/.cache/font-manager
 blacklist ${HOME}/.cache/fossamail
@@ -124,7 +124,6 @@ blacklist ${HOME}/.cache/geeqie
 blacklist ${HOME}/.cache/gegl-0.4
 blacklist ${HOME}/.cache/gfeeds
 blacklist ${HOME}/.cache/gimp
-blacklist ${HOME}/.cache/gnome-boxes
 blacklist ${HOME}/.cache/gnome-builder
 blacklist ${HOME}/.cache/gnome-control-center
 blacklist ${HOME}/.cache/gnome-recipes
@@ -157,6 +156,7 @@ blacklist ${HOME}/.cache/ksplashqml
 blacklist ${HOME}/.cache/kube
 blacklist ${HOME}/.cache/kwin
 blacklist ${HOME}/.cache/lbry-viewer
+blacklist ${HOME}/.cache/lettura
 blacklist ${HOME}/.cache/libgweather
 blacklist ${HOME}/.cache/librewolf
 blacklist ${HOME}/.cache/liferea
@@ -221,6 +221,7 @@ blacklist ${HOME}/.cache/supertuxkart
 blacklist ${HOME}/.cache/systemsettings
 blacklist ${HOME}/.cache/telepathy
 blacklist ${HOME}/.cache/thunderbird
+blacklist ${HOME}/.cache/tiny-rdm
 blacklist ${HOME}/.cache/torbrowser
 blacklist ${HOME}/.cache/transmission
 blacklist ${HOME}/.cache/ueberzugpp
@@ -345,10 +346,10 @@ blacklist ${HOME}/.config/Slack
 blacklist ${HOME}/.config/Standard Notes
 blacklist ${HOME}/.config/SubDownloader
 blacklist ${HOME}/.config/Thunar
+blacklist ${HOME}/.config/TinyRDM
 blacklist ${HOME}/.config/Twitch
 blacklist ${HOME}/.config/Unknown Organization
 blacklist ${HOME}/.config/VSCodium
-blacklist ${HOME}/.config/VirtualBox
 blacklist ${HOME}/.config/Whalebird
 blacklist ${HOME}/.config/Wire
 blacklist ${HOME}/.config/Youtube
@@ -385,6 +386,7 @@ blacklist ${HOME}/.config/borg
 blacklist ${HOME}/.config/brasero
 blacklist ${HOME}/.config/brave
 blacklist ${HOME}/.config/brave-flags.conf
+blacklist ${HOME}/.config/breezy
 blacklist ${HOME}/.config/caja
 blacklist ${HOME}/.config/calibre
 blacklist ${HOME}/.config/cantata
@@ -406,6 +408,7 @@ blacklist ${HOME}/.config/cliqz
 blacklist ${HOME}/.config/cmus
 blacklist ${HOME}/.config/cointop
 blacklist ${HOME}/.config/com.github.bleakgrey.tootle
+blacklist ${HOME}/.config/com.lettura.dev
 blacklist ${HOME}/.config/corebird
 blacklist ${HOME}/.config/coyim
 blacklist ${HOME}/.config/d-feet
@@ -715,8 +718,10 @@ blacklist ${HOME}/.emacs.d
 blacklist ${HOME}/.equalx
 blacklist ${HOME}/.ethereum
 blacklist ${HOME}/.etr
+blacklist ${HOME}/.factorio
 blacklist ${HOME}/.filezilla
 blacklist ${HOME}/.firedragon
+blacklist ${HOME}/.floorp
 blacklist ${HOME}/.flowblade
 blacklist ${HOME}/.fltk
 blacklist ${HOME}/.fossamail
@@ -832,6 +837,7 @@ blacklist ${HOME}/.klatexformula
 blacklist ${HOME}/.klei
 blacklist ${HOME}/.kodi
 blacklist ${HOME}/.lastpass
+blacklist ${HOME}/.lettura
 blacklist ${HOME}/.librewolf
 blacklist ${HOME}/.lincity-ng
 blacklist ${HOME}/.links
@@ -843,6 +849,7 @@ blacklist ${HOME}/.local/lib/vivaldi
 blacklist ${HOME}/.local/share/0ad
 blacklist ${HOME}/.local/share/3909/PapersPlease
 blacklist ${HOME}/.local/share/Anki2
+blacklist ${HOME}/.local/share/Baba_Is_You
 blacklist ${HOME}/.local/share/Colossal Order
 blacklist ${HOME}/.local/share/Dredmor
 blacklist ${HOME}/.local/share/Empathy
@@ -902,6 +909,7 @@ blacklist ${HOME}/.local/share/cdprojektred
 blacklist ${HOME}/.local/share/chatterino
 blacklist ${HOME}/.local/share/clipit
 blacklist ${HOME}/.local/share/com.github.johnfactotum.Foliate
+blacklist ${HOME}/.local/share/com.lettura.dev
 blacklist ${HOME}/.local/share/com.vmingueza.journal-viewer
 blacklist ${HOME}/.local/share/contacts
 blacklist ${HOME}/.local/share/cor-games
@@ -920,6 +928,7 @@ blacklist ${HOME}/.local/share/evolution
 blacklist ${HOME}/.local/share/feedreader
 blacklist ${HOME}/.local/share/feral-interactive
 blacklist ${HOME}/.local/share/five-or-more
+blacklist ${HOME}/.local/share/fluffychat
 blacklist ${HOME}/.local/share/freecol
 blacklist ${HOME}/.local/share/gajim
 blacklist ${HOME}/.local/share/gdfuse
@@ -928,7 +937,6 @@ blacklist ${HOME}/.local/share/geeqie
 blacklist ${HOME}/.local/share/ghostwriter
 blacklist ${HOME}/.local/share/gitg
 blacklist ${HOME}/.local/share/gnome-2048
-blacklist ${HOME}/.local/share/gnome-boxes
 blacklist ${HOME}/.local/share/gnome-builder
 blacklist ${HOME}/.local/share/gnome-chess
 blacklist ${HOME}/.local/share/gnome-klotski
@@ -1008,6 +1016,7 @@ blacklist ${HOME}/.local/share/orage
 blacklist ${HOME}/.local/share/org.kde.gwenview
 blacklist ${HOME}/.local/share/pix
 blacklist ${HOME}/.local/share/plasma_notes
+blacklist ${HOME}/.local/share/pnpm
 blacklist ${HOME}/.local/share/profanity
 blacklist ${HOME}/.local/share/psi
 blacklist ${HOME}/.local/share/psi+
@@ -1030,6 +1039,7 @@ blacklist ${HOME}/.local/share/strawberry
 blacklist ${HOME}/.local/share/supertux2
 blacklist ${HOME}/.local/share/supertuxkart
 blacklist ${HOME}/.local/share/swell-foop
+blacklist ${HOME}/.local/share/telegram-desktop
 blacklist ${HOME}/.local/share/telepathy
 blacklist ${HOME}/.local/share/terasology
 blacklist ${HOME}/.local/share/torbrowser
@@ -1072,7 +1082,6 @@ blacklist ${HOME}/.mp3splt-gtk
 blacklist ${HOME}/.mpd
 blacklist ${HOME}/.mpdconf
 blacklist ${HOME}/.mplayer
-blacklist ${HOME}/.msmtprc
 blacklist ${HOME}/.mullvad/mullvadbrowser
 blacklist ${HOME}/.multimc5
 blacklist ${HOME}/.nanorc
@@ -1115,6 +1124,7 @@ blacklist ${HOME}/.pinerc
 blacklist ${HOME}/.pinercex
 blacklist ${HOME}/.pingus
 blacklist ${HOME}/.pioneer
+blacklist ${HOME}/.platformio
 blacklist ${HOME}/.prey
 blacklist ${HOME}/.purple
 blacklist ${HOME}/.pylint.d
@@ -1129,6 +1139,7 @@ blacklist ${HOME}/.repo_.gitconfig.json
 blacklist ${HOME}/.repoconfig
 blacklist ${HOME}/.retroshare
 blacklist ${HOME}/.ripperXrc
+blacklist ${HOME}/.rustup
 blacklist ${HOME}/.sbt
 blacklist ${HOME}/.scorched3d
 blacklist ${HOME}/.scribus
diff --git a/etc/inc/whitelist-usr-share-common.inc b/etc/inc/whitelist-usr-share-common.inc
index dcf941004..03653cc16 100644
--- a/etc/inc/whitelist-usr-share-common.inc
+++ b/etc/inc/whitelist-usr-share-common.inc
@@ -40,6 +40,7 @@ whitelist /usr/share/kxmlgui5
 whitelist /usr/share/libdrm
 whitelist /usr/share/libthai
 whitelist /usr/share/locale
+whitelist /usr/share/locale-langpack
 whitelist /usr/share/mime
 whitelist /usr/share/misc
 whitelist /usr/share/Modules
diff --git a/etc/profile-a-l/abiword.profile b/etc/profile-a-l/abiword.profile
index a0eed24ca..dcd1259cf 100644
--- a/etc/profile-a-l/abiword.profile
+++ b/etc/profile-a-l/abiword.profile
@@ -44,7 +44,7 @@ private-dev
 private-etc @x11
 private-tmp
-# dbus-user none
+#dbus-user none
-# dbus-system none
+#dbus-system none
 restrict-namespaces
diff --git a/etc/profile-a-l/akonadi_control.profile b/etc/profile-a-l/akonadi_control.profile
index 184036f24..275ff41ef 100644
--- a/etc/profile-a-l/akonadi_control.profile
+++ b/etc/profile-a-l/akonadi_control.profile
@@ -34,7 +34,7 @@ include whitelist-var-common.inc
 # disabled options below are not compatible with the apparmor profile for mysqld-akonadi.
 # this affects ubuntu and debian currently
-# apparmor
+#apparmor
 caps.drop all
 ipc-namespace
 netfilter
@@ -42,17 +42,17 @@ no3d
 nodvd
 nogroups
 noinput
-# nonewprivs
+#nonewprivs
 noroot
 nosound
 notv
 nou2f
 novideo
-# protocol unix,inet,inet6,netlink
+#protocol unix,inet,inet6,netlink
-# seccomp !io_destroy,!io_getevents,!io_setup,!io_submit,!ioprio_set
+#seccomp !io_destroy,!io_getevents,!io_setup,!io_submit,!ioprio_set
 tracelog
 private-dev
-# private-tmp - breaks programs that depend on akonadi
+#private-tmp # breaks programs that depend on akonadi
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-a-l/akregator.profile b/etc/profile-a-l/akregator.profile
index d88a1fcad..9de992a76 100644
--- a/etc/profile-a-l/akregator.profile
+++ b/etc/profile-a-l/akregator.profile
@@ -49,4 +49,4 @@ private-dev
 private-tmp
 deterministic-shutdown
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-a-l/alacarte.profile b/etc/profile-a-l/alacarte.profile
index 22a303cdd..14c425cc6 100644
--- a/etc/profile-a-l/alacarte.profile
+++ b/etc/profile-a-l/alacarte.profile
@@ -49,7 +49,7 @@ seccomp.block-secondary
 tracelog
 disable-mnt
-# private-bin alacarte,bash,python*,sh
+#private-bin alacarte,bash,python*,sh
 private-cache
 private-dev
 private-etc @tls-ca,@x11,mime.types
diff --git a/etc/profile-a-l/amarok.profile b/etc/profile-a-l/amarok.profile
index 389aae602..0c78ab20d 100644
--- a/etc/profile-a-l/amarok.profile
+++ b/etc/profile-a-l/amarok.profile
@@ -26,11 +26,11 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6
-# seccomp
+#seccomp
-# private-bin amarok
+#private-bin amarok
 private-dev
-# private-etc alternatives,asound.conf,ca-certificates,crypto-policies,machine-id,pki,pulse,resolv.conf,ssl
+#private-etc alternatives,asound.conf,ca-certificates,crypto-policies,machine-id,pki,pulse,resolv.conf,ssl
 private-tmp
 dbus-user filter
@@ -45,4 +45,4 @@ dbus-user.talk org.freedesktop.Notifications
 #dbus-user.talk org.kde.knotify
 dbus-system none
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-a-l/android-studio.profile b/etc/profile-a-l/android-studio.profile
index 3dfa0f95a..09289ace1 100644
--- a/etc/profile-a-l/android-studio.profile
+++ b/etc/profile-a-l/android-studio.profile
@@ -36,7 +36,7 @@ protocol unix,inet,inet6
 seccomp
 private-cache
-# private-tmp
+#private-tmp
 # noexec /tmp breaks 'Android Profiler'
 #noexec /tmp
diff --git a/etc/profile-a-l/ani-cli.profile b/etc/profile-a-l/ani-cli.profile
index f34f6270b..afd76282c 100644
--- a/etc/profile-a-l/ani-cli.profile
+++ b/etc/profile-a-l/ani-cli.profile
@@ -10,6 +10,7 @@ include ani-cli.local
 noblacklist ${HOME}/.cache/ani-cli
 noblacklist ${HOME}/.local/state/ani-cli
+noblacklist ${PATH}/patch
 # Allow /bin/sh (blacklisted by disable-shell.inc)
 include allow-bin-sh.inc
diff --git a/etc/profile-a-l/anki.profile b/etc/profile-a-l/anki.profile
index 2d0bfcb6c..acf52509c 100644
--- a/etc/profile-a-l/anki.profile
+++ b/etc/profile-a-l/anki.profile
@@ -55,4 +55,4 @@ private-tmp
 dbus-user none
 dbus-system none
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-a-l/arduino.profile b/etc/profile-a-l/arduino.profile
index 85ea76939..a925e223f 100644
--- a/etc/profile-a-l/arduino.profile
+++ b/etc/profile-a-l/arduino.profile
@@ -21,7 +21,7 @@ caps.drop all
 netfilter
 no3d
 nodvd
-# nogroups
+#nogroups
 nonewprivs
 noroot
 nosound
diff --git a/etc/profile-a-l/aria2c.profile b/etc/profile-a-l/aria2c.profile
index 7f9463c4f..65ffdfa1b 100644
--- a/etc/profile-a-l/aria2c.profile
+++ b/etc/profile-a-l/aria2c.profile
@@ -39,7 +39,7 @@ novideo
 protocol unix,inet,inet6,netlink
 seccomp
-# disable-mnt
+#disable-mnt
 # Add your custom event hook commands to 'private-bin' in your aria2c.local.
 private-bin aria2c,gzip
 # Add 'private-cache' to your aria2c.local if you don't use Lutris/winetricks (see issue #2772).
diff --git a/etc/profile-a-l/ark.profile b/etc/profile-a-l/ark.profile
index 272e06219..65e965248 100644
--- a/etc/profile-a-l/ark.profile
+++ b/etc/profile-a-l/ark.profile
@@ -22,7 +22,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
-# net none
+#net none
 netfilter
 nodvd
 nogroups
@@ -42,7 +42,7 @@ private-bin 7z,ark,bash,lrzip,lsar,lz4,lzop,p7zip,rar,sh,tclsh,unar,unrar,unzip,
 private-dev
 private-tmp
-# dbus-user none
+#dbus-user none
-# dbus-system none
+#dbus-system none
 restrict-namespaces
diff --git a/etc/profile-a-l/artha.profile b/etc/profile-a-l/artha.profile
index 897140857..f6369eb86 100644
--- a/etc/profile-a-l/artha.profile
+++ b/etc/profile-a-l/artha.profile
@@ -35,7 +35,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 ipc-namespace
-# net none - breaks on Ubuntu
+#net none # breaks on Ubuntu
 no3d
 nodvd
 nogroups
diff --git a/etc/profile-a-l/asunder.profile b/etc/profile-a-l/asunder.profile
index c09ad7936..601ef5c13 100644
--- a/etc/profile-a-l/asunder.profile
+++ b/etc/profile-a-l/asunder.profile
@@ -26,7 +26,7 @@ apparmor
 caps.drop all
 netfilter
 no3d
-# nogroups
+#nogroups
 noinput
 nonewprivs
 noroot
@@ -44,5 +44,5 @@ dbus-user none
 dbus-system none
 # mdwe is disabled due to breaking hardware accelerated decoding
-# memory-deny-write-execute
+#memory-deny-write-execute
 restrict-namespaces
diff --git a/etc/profile-a-l/atom.profile b/etc/profile-a-l/atom.profile
index 8e8f8515f..f21a8c34a 100644
--- a/etc/profile-a-l/atom.profile
+++ b/etc/profile-a-l/atom.profile
@@ -26,7 +26,7 @@ noblacklist ${HOME}/.config/Atom
 # Allows files commonly used by IDEs
 include allow-common-devel.inc
-# net none
+#net none
 nosound
 # Redirect
diff --git a/etc/profile-a-l/atril.profile b/etc/profile-a-l/atril.profile
index d0513d2a7..26b978158 100644
--- a/etc/profile-a-l/atril.profile
+++ b/etc/profile-a-l/atril.profile
@@ -22,7 +22,7 @@ include disable-xdg.inc
 include whitelist-var-common.inc
-# apparmor
+#apparmor
 caps.drop all
 machine-id
 no3d
@@ -44,7 +44,7 @@ private-dev
 private-etc
 # atril uses webkit gtk to display epub files
 # waiting for globbing support in private-lib; for now hardcoding it to webkit2gtk-4.0
-#private-lib webkit2gtk-4.0 - problems on Arch with the new version of WebKit
+#private-lib webkit2gtk-4.0 # problems on Arch with the new version of WebKit
 private-tmp
 # webkit gtk killed by memory-deny-write-execute
diff --git a/etc/profile-a-l/audacious.profile b/etc/profile-a-l/audacious.profile
index 6abd87c92..6d1a07e2d 100644
--- a/etc/profile-a-l/audacious.profile
+++ b/etc/profile-a-l/audacious.profile
@@ -36,7 +36,7 @@ protocol unix,inet,inet6
 seccomp
 tracelog
-# private-bin audacious
+#private-bin audacious
 private-cache
 private-dev
 private-tmp
diff --git a/etc/profile-a-l/audacity.profile b/etc/profile-a-l/audacity.profile
index c2a482b61..e70215891 100644
--- a/etc/profile-a-l/audacity.profile
+++ b/etc/profile-a-l/audacity.profile
@@ -54,7 +54,7 @@ private-etc @x11
 private-tmp
 # problems on Fedora 27
-# dbus-user none
+#dbus-user none
-# dbus-system none
+#dbus-system none
 restrict-namespaces
diff --git a/etc/profile-a-l/audio-recorder.profile b/etc/profile-a-l/audio-recorder.profile
index deba11a47..816852a71 100644
--- a/etc/profile-a-l/audio-recorder.profile
+++ b/etc/profile-a-l/audio-recorder.profile
@@ -41,7 +41,7 @@ seccomp
 tracelog
 disable-mnt
-# private-bin audio-recorder
+#private-bin audio-recorder
 private-cache
 private-etc
 private-tmp
@@ -50,5 +50,5 @@ dbus-user filter
 dbus-user.talk ca.desrt.dconf
 dbus-system none
-# memory-deny-write-execute - breaks on Arch
+#memory-deny-write-execute # breaks on Arch
 restrict-namespaces
diff --git a/etc/profile-a-l/authenticator.profile b/etc/profile-a-l/authenticator.profile
index 96c70a838..cbd97449d 100644
--- a/etc/profile-a-l/authenticator.profile
+++ b/etc/profile-a-l/authenticator.profile
@@ -19,7 +19,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
-# apparmor
+#apparmor
 caps.drop all
 netfilter
 no3d
@@ -31,19 +31,19 @@ noroot
 nosound
 notv
 nou2f
-# novideo
+#novideo
 protocol unix,inet,inet6
 seccomp
 disable-mnt
-# private-bin authenticator,python*
+#private-bin authenticator,python*
 private-dev
 private-etc @tls-ca
 private-tmp
 # makes settings immutable
-# dbus-user none
+#dbus-user none
-# dbus-system none
+#dbus-system none
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 restrict-namespaces
diff --git a/etc/profile-a-l/autokey-common.profile b/etc/profile-a-l/autokey-common.profile
index 834eac11a..bc47b26a9 100644
--- a/etc/profile-a-l/autokey-common.profile
+++ b/etc/profile-a-l/autokey-common.profile
@@ -38,5 +38,5 @@ private-cache
 private-dev
 private-tmp
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 restrict-namespaces
diff --git a/etc/profile-a-l/baloo_file.profile b/etc/profile-a-l/baloo_file.profile
index 084b7c702..de4004724 100644
--- a/etc/profile-a-l/baloo_file.profile
+++ b/etc/profile-a-l/baloo_file.profile
@@ -7,10 +7,10 @@ include globals.local
 # Make home directory read-only and allow writing only to ${HOME}/.local/share/baloo
 # Note: Baloo will not be able to update the "first run" key in its configuration files.
-# mkdir ${HOME}/.local/share/baloo
+#mkdir ${HOME}/.local/share/baloo
-# read-only ${HOME}
+#read-only ${HOME}
-# read-write ${HOME}/.local/share/baloo
+#read-write ${HOME}/.local/share/baloo
-# ignore read-write
+#ignore read-write
 noblacklist ${HOME}/.config/baloofilerc
 noblacklist ${HOME}/.kde/share/config/baloofilerc
@@ -31,7 +31,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 machine-id
-# net none
+#net none
 netfilter
 no3d
 nodvd
@@ -46,7 +46,7 @@ novideo
 protocol unix
 # blacklisting of ioprio_set system calls breaks baloo_file
 seccomp !ioprio_set
-# x11 xorg
+#x11 xorg
 private-bin baloo_file,baloo_file_extractor,baloo_filemetadata_temp_extractor,kbuildsycoca4
 private-cache
diff --git a/etc/profile-a-l/baobab.profile b/etc/profile-a-l/baobab.profile
index 31ef66a58..942d82941 100644
--- a/etc/profile-a-l/baobab.profile
+++ b/etc/profile-a-l/baobab.profile
@@ -6,13 +6,13 @@ include baobab.local
 # Persistent global definitions
 include globals.local
-# include disable-common.inc
+#include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-# include disable-programs.inc
+#include disable-programs.inc
 include disable-shell.inc
-# include disable-xdg.inc
+#include disable-xdg.inc
 include whitelist-runuser-common.inc
@@ -37,8 +37,8 @@ private-bin baobab
 private-dev
 private-tmp
-# dbus-user none
+#dbus-user none
-# dbus-system none
+#dbus-system none
 read-only ${HOME}
 restrict-namespaces
diff --git a/etc/profile-a-l/bcompare.profile b/etc/profile-a-l/bcompare.profile
index d566b94e8..c0e024445 100644
--- a/etc/profile-a-l/bcompare.profile
+++ b/etc/profile-a-l/bcompare.profile
@@ -19,7 +19,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 # Add the next line to your bcompare.local if you don't need to compare files in disable-programs.inc.
 #include disable-programs.inc
-#include disable-shell.inc - breaks launch
+#include disable-shell.inc # breaks launch
 include disable-write-mnt.inc
 apparmor
diff --git a/etc/profile-a-l/bibletime.profile b/etc/profile-a-l/bibletime.profile
index 3fb2a82c3..dcef2bff1 100644
--- a/etc/profile-a-l/bibletime.profile
+++ b/etc/profile-a-l/bibletime.profile
@@ -48,7 +48,7 @@ protocol unix,inet,inet6,netlink
 seccomp !chroot
 disable-mnt
-# private-bin bibletime
+#private-bin bibletime
 private-cache
 private-dev
 private-etc @tls-ca,sword,sword.conf
@@ -57,4 +57,4 @@ private-tmp
 dbus-user none
 dbus-system none
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-a-l/bijiben.profile b/etc/profile-a-l/bijiben.profile
index 53d212e34..e596ec9d2 100644
--- a/etc/profile-a-l/bijiben.profile
+++ b/etc/profile-a-l/bijiben.profile
@@ -48,7 +48,7 @@ tracelog
 disable-mnt
 private-bin bijiben
-# private-cache -- access to .cache/tracker is required
+#private-cache # access to .cache/tracker is required
 private-dev
 private-etc @x11
 private-tmp
diff --git a/etc/profile-a-l/bitlbee.profile b/etc/profile-a-l/bitlbee.profile
index 988a1479e..0f10c7ce0 100644
--- a/etc/profile-a-l/bitlbee.profile
+++ b/etc/profile-a-l/bitlbee.profile
@@ -10,7 +10,7 @@ ignore noexec ${HOME}
 noblacklist /sbin
 noblacklist /usr/sbin
-# noblacklist /var/log
+#noblacklist /var/log
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/bitwarden.profile b/etc/profile-a-l/bitwarden.profile
index 56bb871e7..1572ca572 100644
--- a/etc/profile-a-l/bitwarden.profile
+++ b/etc/profile-a-l/bitwarden.profile
@@ -17,6 +17,7 @@ include disable-shell.inc
 mkdir ${HOME}/.config/Bitwarden
 whitelist ${HOME}/.config/Bitwarden
+whitelist /opt/Bitwarden
 machine-id
 no3d
@@ -24,7 +25,6 @@ nosound
 ?HAS_APPIMAGE: ignore private-dev
 private-etc @tls-ca
-private-opt Bitwarden
 # Redirect
 include electron-common.profile
diff --git a/etc/profile-a-l/bleachbit.profile b/etc/profile-a-l/bleachbit.profile
index 52d970d89..cd1b059b4 100644
--- a/etc/profile-a-l/bleachbit.profile
+++ b/etc/profile-a-l/bleachbit.profile
@@ -18,7 +18,7 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-# include disable-programs.inc
+#include disable-programs.inc
 caps.drop all
 net none
@@ -36,11 +36,11 @@ protocol unix
 seccomp
 private-dev
-# private-tmp
+#private-tmp
 dbus-user none
 dbus-system none
 # memory-deny-write-execute breaks some systems, see issue #1850
-# memory-deny-write-execute
+#memory-deny-write-execute
 restrict-namespaces
diff --git a/etc/profile-a-l/blender-3.6.profile b/etc/profile-a-l/blender-3.6.profile
new file mode 100644
index 000000000..4e32c1f6d
--- /dev/null
+++ b/etc/profile-a-l/blender-3.6.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for blender
+# This file is overwritten after every install/update
+# Persistent local customizations
+include blender-3.6.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include blender.profile
diff --git a/etc/profile-a-l/bless.profile b/etc/profile-a-l/bless.profile
index 6dd540943..85f232751 100644
--- a/etc/profile-a-l/bless.profile
+++ b/etc/profile-a-l/bless.profile
@@ -31,7 +31,7 @@ novideo
 protocol unix
 seccomp
-# private-bin bash,bless,mono,sh
+#private-bin bash,bless,mono,sh
 private-cache
 private-dev
 private-etc mono
diff --git a/etc/profile-a-l/brackets.profile b/etc/profile-a-l/brackets.profile
index a483c2b0a..684504937 100644
--- a/etc/profile-a-l/brackets.profile
+++ b/etc/profile-a-l/brackets.profile
@@ -32,4 +32,4 @@ seccomp !chroot,!ioperm
 private-cache
 private-dev
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-a-l/brasero.profile b/etc/profile-a-l/brasero.profile
index 12d7062ab..92184ef18 100644
--- a/etc/profile-a-l/brasero.profile
+++ b/etc/profile-a-l/brasero.profile
@@ -29,9 +29,9 @@ protocol unix
 seccomp
 tracelog
-# private-bin brasero
+#private-bin brasero
 private-cache
-# private-dev
+#private-dev
-# private-tmp
+#private-tmp
 restrict-namespaces
diff --git a/etc/profile-a-l/brz.profile b/etc/profile-a-l/brz.profile
new file mode 100644
index 000000000..dcc7af54b
--- /dev/null
+++ b/etc/profile-a-l/brz.profile
@@ -0,0 +1,14 @@
+# Firejail profile for brz
+# Description: Distributed VCS with support for Bazaar and Git file formats
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include brz.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+noblacklist ${HOME}/.config/breezy
+# Redirect
+include git.profile
diff --git a/etc/profile-a-l/build-systems-common.profile b/etc/profile-a-l/build-systems-common.profile
index cf5f462ae..8616996d2 100644
--- a/etc/profile-a-l/build-systems-common.profile
+++ b/etc/profile-a-l/build-systems-common.profile
@@ -39,7 +39,7 @@ include whitelist-var-common.inc
 caps.drop all
 ipc-namespace
 machine-id
-# net none
+#net none
 netfilter
 no3d
 nodvd
diff --git a/etc/profile-a-l/bzr.profile b/etc/profile-a-l/bzr.profile
new file mode 100644
index 000000000..61c1aae38
--- /dev/null
+++ b/etc/profile-a-l/bzr.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for bzr
+# This file is overwritten after every install/update
+# Persistent local customizations
+include bzr.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include brz.profile
diff --git a/etc/profile-a-l/calibre.profile b/etc/profile-a-l/calibre.profile
index b347941d7..cb9c92ffb 100644
--- a/etc/profile-a-l/calibre.profile
+++ b/etc/profile-a-l/calibre.profile
@@ -36,4 +36,4 @@ seccomp !chroot
 private-dev
 private-tmp
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-a-l/calligra.profile b/etc/profile-a-l/calligra.profile
index c2972f902..ffb83b2ed 100644
--- a/etc/profile-a-l/calligra.profile
+++ b/etc/profile-a-l/calligra.profile
@@ -15,7 +15,7 @@ include disable-programs.inc
 caps.drop all
 ipc-namespace
-# net none
+#net none
 netfilter
 nodvd
 nogroups
@@ -32,9 +32,9 @@ seccomp.block-secondary
 private-bin calligra,calligraauthor,calligraconverter,calligraflow,calligragemini,calligraplan,calligraplanwork,calligrasheets,calligrastage,calligrawords,dbus-launch,kbuildsycoca4,kdeinit4
 private-dev
-# dbus-user none
+#dbus-user none
-# dbus-system none
+#dbus-system none
-# noexec ${HOME}
+#noexec ${HOME}
 noexec /tmp
 restrict-namespaces
diff --git a/etc/profile-a-l/cameramonitor.profile b/etc/profile-a-l/cameramonitor.profile
index df94ac859..4f8fd7187 100644
--- a/etc/profile-a-l/cameramonitor.profile
+++ b/etc/profile-a-l/cameramonitor.profile
@@ -48,8 +48,8 @@ private-cache
 private-etc
 private-tmp
-# dbus-user none
+#dbus-user none
-# dbus-system none
+#dbus-system none
-# memory-deny-write-execute - breaks on Arch
+#memory-deny-write-execute # breaks on Arch
 restrict-namespaces
diff --git a/etc/profile-a-l/cantata.profile b/etc/profile-a-l/cantata.profile
index 7cb56efee..36c7c1091 100644
--- a/etc/profile-a-l/cantata.profile
+++ b/etc/profile-a-l/cantata.profile
@@ -22,7 +22,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
-# apparmor
+#apparmor
 caps.drop all
 ipc-namespace
 netfilter
@@ -34,7 +34,7 @@ novideo
 protocol unix,inet,inet6,netlink
 seccomp
-# private-etc alternatives,drirc,fonts,gcrypt,hosts,kde5rc,mpd.conf,passwd,samba,ssl,xdg
+#private-etc alternatives,drirc,fonts,gcrypt,hosts,kde5rc,mpd.conf,passwd,samba,ssl,xdg
 private-bin cantata,mpd,perl
 private-dev
diff --git a/etc/profile-a-l/catfish.profile b/etc/profile-a-l/catfish.profile
index e2df341e9..037f6ee40 100644
--- a/etc/profile-a-l/catfish.profile
+++ b/etc/profile-a-l/catfish.profile
@@ -15,10 +15,10 @@ noblacklist ${HOME}/.config/catfish
 include allow-python2.inc
 include allow-python3.inc
-# include disable-common.inc
+#include disable-common.inc
-# include disable-devel.inc
+#include disable-devel.inc
 include disable-interpreters.inc
-# include disable-programs.inc
+#include disable-programs.inc
 whitelist /var/lib/mlocate
 include whitelist-var-common.inc
@@ -40,9 +40,9 @@ tracelog
 # These options work but are disabled in case
 # a users wants to search in these directories.
-# private-bin bash,catfish,env,locate,ls,mlocate,python*
+#private-bin bash,catfish,env,locate,ls,mlocate,python*
-# private-dev
+#private-dev
-# private-tmp
+#private-tmp
 dbus-user none
 dbus-system none
diff --git a/etc/profile-a-l/cawbird.profile b/etc/profile-a-l/cawbird.profile
index 17887b6cc..7fdbc3881 100644
--- a/etc/profile-a-l/cawbird.profile
+++ b/etc/profile-a-l/cawbird.profile
@@ -41,7 +41,7 @@ private-dev
 private-etc @tls-ca,@x11,host.conf,mime.types
 private-tmp
-# dbus-user none
+#dbus-user none
 dbus-system none
 restrict-namespaces
diff --git a/etc/profile-a-l/chromium-browser-privacy.profile b/etc/profile-a-l/chromium-browser-privacy.profile
index 8803a4d9d..67a3a43af 100644
--- a/etc/profile-a-l/chromium-browser-privacy.profile
+++ b/etc/profile-a-l/chromium-browser-privacy.profile
@@ -13,7 +13,7 @@ mkdir ${HOME}/.config/ungoogled-chromium
 whitelist ${HOME}/.cache/ungoogled-chromium
 whitelist ${HOME}/.config/ungoogled-chromium
-# private-bin basename,bash,cat,chromium-browser-privacy,dirname,mkdir,readlink,sed,touch,which,xdg-settings
+#private-bin basename,bash,cat,chromium-browser-privacy,dirname,mkdir,readlink,sed,touch,which,xdg-settings
 # Redirect
 include chromium.profile
diff --git a/etc/profile-a-l/chromium-common.profile b/etc/profile-a-l/chromium-common.profile
index 878e0fe1d..37bfa0bfe 100644
--- a/etc/profile-a-l/chromium-common.profile
+++ b/etc/profile-a-l/chromium-common.profile
@@ -33,13 +33,15 @@ include whitelist-run-common.inc
 ?BROWSER_DISABLE_U2F: nou2f
 ?BROWSER_DISABLE_U2F: private-dev
-#private-tmp - issues when using multiple browser sessions
+#private-tmp # issues when using multiple browser sessions
 blacklist ${PATH}/curl
 blacklist ${PATH}/wget
 blacklist ${PATH}/wget2
-#dbus-user none - prevents access to passwords saved in GNOME Keyring and KWallet, also breaks Gnome connector.
+# This prevents access to passwords saved in GNOME Keyring and KWallet, also
+# breaks Gnome connector.
+#dbus-user none
 # The file dialog needs to work without d-bus.
 ?HAS_NODBUS: env NO_CHROME_KDE_FILE_DIALOG=1
diff --git a/etc/profile-a-l/chromium.profile b/etc/profile-a-l/chromium.profile
index 14f1bbe64..8c43aac9c 100644
--- a/etc/profile-a-l/chromium.profile
+++ b/etc/profile-a-l/chromium.profile
@@ -17,7 +17,7 @@ whitelist ${HOME}/.config/chromium
 whitelist ${HOME}/.config/chromium-flags.conf
 whitelist /usr/share/chromium
-# private-bin chromium,chromium-browser,chromedriver
+#private-bin chromium,chromium-browser,chromedriver
 # Redirect
 include chromium-common.profile
diff --git a/etc/profile-a-l/clac.profile b/etc/profile-a-l/clac.profile
index b654b3890..cd2b2522d 100644
--- a/etc/profile-a-l/clac.profile
+++ b/etc/profile-a-l/clac.profile
@@ -16,10 +16,10 @@ include disable-interpreters.inc
 include disable-proc.inc
 include disable-programs.inc
 include disable-shell.inc
-#include disable-X11.inc - x11 none
+#include disable-X11.inc # x11 none
 include disable-xdg.inc
-#include whitelist-common.inc - see #903
+#include whitelist-common.inc # see #903
 include whitelist-run-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/clamtk.profile b/etc/profile-a-l/clamtk.profile
index 9fc73ee55..7651c5d32 100644
--- a/etc/profile-a-l/clamtk.profile
+++ b/etc/profile-a-l/clamtk.profile
@@ -1,4 +1,5 @@
 # Firejail profile for clamtk
+# Description: Easy to use, light-weight, on-demand virus scanner for Linux systems
 # This file is overwritten after every install/update
 # Persistent local customizations
 include clamtk.local
@@ -7,15 +8,22 @@ include globals.local
 include disable-exec.inc
+# Add the below lines to your clamtk.local if you update signatures databases per-user:
+#ignore net none
+#netfilter
+#protocol inet,inet6
 caps.drop all
 ipc-namespace
 net none
 no3d
 nodvd
-nogroups
+# nogroups breaks scanning
+#nogroups
 noinput
 nonewprivs
-noroot
+# noroot breaks scanning
+#noroot
 nosound
 notv
 nou2f
@@ -25,7 +33,9 @@ seccomp
 private-dev
-dbus-user none
+dbus-user filter
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.gtk.vfs.UDisks2VolumeMonitor
 dbus-system none
 restrict-namespaces
diff --git a/etc/profile-a-l/claws-mail.profile b/etc/profile-a-l/claws-mail.profile
index 7fefc68b1..53db480a4 100644
--- a/etc/profile-a-l/claws-mail.profile
+++ b/etc/profile-a-l/claws-mail.profile
@@ -18,7 +18,7 @@ whitelist ${HOME}/.claws-mail
 whitelist /usr/share/doc/claws-mail
-# private-bin claws-mail,curl,gpg,gpg2,gpg-agent,gpgsm,gpgme-config,pinentry,pinentry-gtk-2
+#private-bin claws-mail,curl,gpg,gpg2,gpg-agent,gpgsm,gpgme-config,pinentry,pinentry-gtk-2
 # Redirect
 include email-common.profile
diff --git a/etc/profile-a-l/clawsker.profile b/etc/profile-a-l/clawsker.profile
index 3b8eb7bbd..37d9e9e3a 100644
--- a/etc/profile-a-l/clawsker.profile
+++ b/etc/profile-a-l/clawsker.profile
@@ -50,5 +50,5 @@ private-tmp
 dbus-user none
 dbus-system none
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 restrict-namespaces
diff --git a/etc/profile-a-l/clementine.profile b/etc/profile-a-l/clementine.profile
index ee01fa653..3e9363bb4 100644
--- a/etc/profile-a-l/clementine.profile
+++ b/etc/profile-a-l/clementine.profile
@@ -37,6 +37,6 @@ private-dev
 private-tmp
 dbus-system none
-# dbus-user none
+#dbus-user none
 restrict-namespaces
diff --git a/etc/profile-a-l/clion.profile b/etc/profile-a-l/clion.profile
index 652809f1b..0cea1c7d4 100644
--- a/etc/profile-a-l/clion.profile
+++ b/etc/profile-a-l/clion.profile
@@ -37,7 +37,7 @@ seccomp
 private-cache
 private-dev
-# private-tmp
+#private-tmp
 noexec /tmp
 restrict-namespaces
diff --git a/etc/profile-a-l/clipgrab.profile b/etc/profile-a-l/clipgrab.profile
index 3f3748e1a..2657876b8 100644
--- a/etc/profile-a-l/clipgrab.profile
+++ b/etc/profile-a-l/clipgrab.profile
@@ -46,7 +46,7 @@ private-dev
 private-tmp
 # 'dbus-user none' breaks tray menu - add 'dbus-user none' to your clipgrab.local if you don't need it.
-# dbus-user none
+#dbus-user none
-# dbus-system none
+#dbus-system none
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-a-l/code.profile b/etc/profile-a-l/code.profile
index 19862bc92..1b69effc3 100644
--- a/etc/profile-a-l/code.profile
+++ b/etc/profile-a-l/code.profile
@@ -35,7 +35,7 @@ nosound
 # Disabling noexec ${HOME} for now since it will
 # probably interfere with running some programmes
 # in VS Code
-# noexec ${HOME}
+#noexec ${HOME}
 noexec /tmp
 # Redirect
diff --git a/etc/profile-a-l/com.github.bleakgrey.tootle.profile b/etc/profile-a-l/com.github.bleakgrey.tootle.profile
index 180282869..b1275e96b 100644
--- a/etc/profile-a-l/com.github.bleakgrey.tootle.profile
+++ b/etc/profile-a-l/com.github.bleakgrey.tootle.profile
@@ -48,9 +48,9 @@ private-etc @tls-ca,@x11,host.conf,mime.types
 private-tmp
 # Settings are immutable
-# dbus-user filter
+#dbus-user filter
-# dbus-user.own com.github.bleakgrey.tootle
+#dbus-user.own com.github.bleakgrey.tootle
-# dbus-user.talk ca.desrt.dconf
+#dbus-user.talk ca.desrt.dconf
 dbus-system none
 restrict-namespaces
diff --git a/etc/profile-a-l/cower.profile b/etc/profile-a-l/cower.profile
index 9b05b4416..c280cf22a 100644
--- a/etc/profile-a-l/cower.profile
+++ b/etc/profile-a-l/cower.profile
@@ -19,8 +19,8 @@ include disable-shell.inc
 include disable-xdg.inc
 # This profile could be significantly strengthened by adding the following to cower.local
-# whitelist ${HOME}/<Your Build Folder>
+#whitelist ${HOME}/<Your Build Folder>
-# whitelist ${HOME}/.config/cower
+#whitelist ${HOME}/.config/cower
 caps.drop all
 ipc-namespace
diff --git a/etc/profile-a-l/curl.profile b/etc/profile-a-l/curl.profile
index bfe8764d5..42ade7ce9 100644
--- a/etc/profile-a-l/curl.profile
+++ b/etc/profile-a-l/curl.profile
@@ -50,10 +50,10 @@ protocol inet,inet6
 seccomp
 tracelog
-# private-bin curl
+#private-bin curl
 private-cache
 private-dev
-# private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl
+#private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl
 private-etc @tls-ca
 private-tmp
diff --git a/etc/profile-a-l/cyberfox.profile b/etc/profile-a-l/cyberfox.profile
index a303c5979..c7a42e0eb 100644
--- a/etc/profile-a-l/cyberfox.profile
+++ b/etc/profile-a-l/cyberfox.profile
@@ -15,7 +15,7 @@ whitelist ${HOME}/.cache/8pecxstudios
 whitelist /usr/share/8pecxstudios
 whitelist /usr/share/cyberfox
-# private-bin cyberfox,dbus-launch,dbus-send,env,sh,which
+#private-bin cyberfox,dbus-launch,dbus-send,env,sh,which
 # private-etc must first be enabled in firefox-common.profile
 #private-etc cyberfox
diff --git a/etc/profile-a-l/d-feet.profile b/etc/profile-a-l/d-feet.profile
index 7dd5ca260..75338eb6d 100644
--- a/etc/profile-a-l/d-feet.profile
+++ b/etc/profile-a-l/d-feet.profile
@@ -31,7 +31,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 ipc-namespace
-# net none - breaks on Ubuntu
+#net none # breaks on Ubuntu
 no3d
 nodvd
 nogroups
@@ -52,5 +52,5 @@ private-dev
 private-etc dbus-1
 private-tmp
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 restrict-namespaces
diff --git a/etc/profile-a-l/dconf-editor.profile b/etc/profile-a-l/dconf-editor.profile
index e2e2492bc..e8acd60b7 100644
--- a/etc/profile-a-l/dconf-editor.profile
+++ b/etc/profile-a-l/dconf-editor.profile
@@ -22,7 +22,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
-# net none - breaks application on older versions
+#net none # breaks application on older versions
 no3d
 nodvd
 nogroups
diff --git a/etc/profile-a-l/ddgtk.profile b/etc/profile-a-l/ddgtk.profile
index 9811c90d6..0fa88f232 100644
--- a/etc/profile-a-l/ddgtk.profile
+++ b/etc/profile-a-l/ddgtk.profile
@@ -50,5 +50,5 @@ private-tmp
 dbus-user none
 dbus-system none
-# memory-deny-write-execute - breaks on Arch
+#memory-deny-write-execute # breaks on Arch
 restrict-namespaces
diff --git a/etc/profile-a-l/default.profile b/etc/profile-a-l/default.profile
index 41794d173..c071da4b7 100644
--- a/etc/profile-a-l/default.profile
+++ b/etc/profile-a-l/default.profile
@@ -9,54 +9,54 @@ include globals.local
 # depending on your usage, you can enable some of the commands below:
 include disable-common.inc
-# include disable-devel.inc
+#include disable-devel.inc
-# include disable-exec.inc
+#include disable-exec.inc
-# include disable-interpreters.inc
+#include disable-interpreters.inc
 include disable-programs.inc
-# include disable-shell.inc
+#include disable-shell.inc
-# include disable-write-mnt.inc
+#include disable-write-mnt.inc
-# include disable-xdg.inc
+#include disable-xdg.inc
-# include whitelist-common.inc
+#include whitelist-common.inc
-# include whitelist-runuser-common.inc
+#include whitelist-runuser-common.inc
-# include whitelist-usr-share-common.inc
+#include whitelist-usr-share-common.inc
-# include whitelist-var-common.inc
+#include whitelist-var-common.inc
-# apparmor
+#apparmor
 caps.drop all
-# ipc-namespace
+#ipc-namespace
-# machine-id
+#machine-id
-# net none
+#net none
 netfilter
-# no3d
+#no3d
-# nodvd
+#nodvd
-# nogroups
+#nogroups
 noinput
 nonewprivs
 noroot
-# nosound
+#nosound
 notv
-# nou2f
+#nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
-# tracelog
+#tracelog
-# disable-mnt
+#disable-mnt
-# private
+#private
-# private-bin program
+#private-bin program
-# private-cache
+#private-cache
-# private-dev
+private-dev
 # see /usr/share/doc/firejail/profile.template for more common private-etc paths.
-# private-etc alternatives,fonts,machine-id
+#private-etc alternatives,fonts,machine-id
-# private-lib
+#private-lib
-# private-opt none
+#private-opt none
-# private-tmp
+private-tmp
-# dbus-user none
+#dbus-user none
-# dbus-system none
+#dbus-system none
-# deterministic-shutdown
+#deterministic-shutdown
-# memory-deny-write-execute
+#memory-deny-write-execute
-# read-only ${HOME}
+#read-only ${HOME}
 restrict-namespaces
diff --git a/etc/profile-a-l/deluge.profile b/etc/profile-a-l/deluge.profile
index ebc751e1a..b257f9a4c 100644
--- a/etc/profile-a-l/deluge.profile
+++ b/etc/profile-a-l/deluge.profile
@@ -13,7 +13,7 @@ include allow-python2.inc
 include allow-python3.inc
 include disable-common.inc
-# include disable-devel.inc
+#include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
diff --git a/etc/profile-a-l/devhelp.profile b/etc/profile-a-l/devhelp.profile
index 066cdc8b0..7b5e692a0 100644
--- a/etc/profile-a-l/devhelp.profile
+++ b/etc/profile-a-l/devhelp.profile
@@ -23,7 +23,7 @@ include whitelist-usr-share-common.inc
 apparmor
 caps.drop all
-# net none - makes settings immutable
+#net none # makes settings immutable
 nodvd
 nogroups
 noinput
@@ -45,9 +45,9 @@ private-etc @tls-ca,@x11
 private-tmp
 # makes settings immutable
-# dbus-user none
+#dbus-user none
-# dbus-system none
+#dbus-system none
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 read-only ${HOME}
 restrict-namespaces
diff --git a/etc/profile-a-l/dig.profile b/etc/profile-a-l/dig.profile
index 7c0fee9c3..781dfdcbc 100644
--- a/etc/profile-a-l/dig.profile
+++ b/etc/profile-a-l/dig.profile
@@ -14,13 +14,13 @@ blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}
 include disable-common.inc
-# include disable-devel.inc
+#include disable-devel.inc
 include disable-exec.inc
-# include disable-interpreters.inc
+#include disable-interpreters.inc
 include disable-programs.inc
 include disable-xdg.inc
-#mkfile ${HOME}/.digrc - see #903
+#mkfile ${HOME}/.digrc # see #903
 whitelist ${HOME}/.digrc
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/digikam.profile b/etc/profile-a-l/digikam.profile
index 05f0dfba8..34d4081d4 100644
--- a/etc/profile-a-l/digikam.profile
+++ b/etc/profile-a-l/digikam.profile
@@ -37,11 +37,13 @@ protocol unix,inet,inet6,netlink
 # QtWebengine needs chroot to set up its own sandbox
 seccomp !chroot
-# private-dev - prevents libdc1394 loading; this lib is used to connect to a camera device
+# private-dev prevents libdc1394 from loading; this lib is used to connect to a
-# private-etc alternatives,ca-certificates,crypto-policies,pki,ssl
+# camera device
+#private-dev
+#private-etc alternatives,ca-certificates,crypto-policies,pki,ssl
 private-tmp
-# dbus-user none
+#dbus-user none
-# dbus-system none
+#dbus-system none
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-a-l/dino.profile b/etc/profile-a-l/dino.profile
index fe2b59a1e..44a3f0846 100644
--- a/etc/profile-a-l/dino.profile
+++ b/etc/profile-a-l/dino.profile
@@ -40,7 +40,8 @@ tracelog
 disable-mnt
 private-bin dino
 private-dev
-# private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl -- breaks server connection
+# breaks server connection
+#private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl
 private-tmp
 dbus-user filter
diff --git a/etc/profile-a-l/discord-canary.profile b/etc/profile-a-l/discord-canary.profile
index 245b07b8d..b67729301 100644
--- a/etc/profile-a-l/discord-canary.profile
+++ b/etc/profile-a-l/discord-canary.profile
@@ -9,9 +9,10 @@ noblacklist ${HOME}/.config/discordcanary
 mkdir ${HOME}/.config/discordcanary
 whitelist ${HOME}/.config/discordcanary
+whitelist /opt/DiscordCanary
+whitelist /opt/discord-canary
 private-bin discord-canary,DiscordCanary
-private-opt discord-canary,DiscordCanary
 # Redirect
 include discord-common.profile
diff --git a/etc/profile-a-l/discord-common.profile b/etc/profile-a-l/discord-common.profile
index 83fca8772..b7744a83c 100644
--- a/etc/profile-a-l/discord-common.profile
+++ b/etc/profile-a-l/discord-common.profile
@@ -7,15 +7,7 @@ include discord-common.local
 #include globals.local
 # Disabled until someone reported positive feedback
-ignore include disable-interpreters.inc
-ignore include disable-xdg.inc
-ignore include whitelist-runuser-common.inc
-ignore include whitelist-usr-share-common.inc
 ignore apparmor
-ignore disable-mnt
-ignore private-cache
-ignore dbus-user none
-ignore dbus-system none
 ignore noexec ${HOME}
 ignore novideo
@@ -26,6 +18,11 @@ whitelist ${HOME}/.local/share/betterdiscordctl
 private-bin awk,bash,cut,echo,egrep,electron,electron[0-9],electron[0-9][0-9],fish,grep,head,sed,sh,tclsh,tr,which,xdg-mime,xdg-open,zsh
 private-etc @tls-ca
+# allow D-Bus notifications
+dbus-user filter
+dbus-user.talk org.freedesktop.Notifications
+ignore dbus-user none
 join-or-start discord
 # Redirect
diff --git a/etc/profile-a-l/discord-ptb.profile b/etc/profile-a-l/discord-ptb.profile
index 265bf5615..a657c52b5 100644
--- a/etc/profile-a-l/discord-ptb.profile
+++ b/etc/profile-a-l/discord-ptb.profile
@@ -9,9 +9,10 @@ noblacklist ${HOME}/.config/discordptb
 mkdir ${HOME}/.config/discordptb
 whitelist ${HOME}/.config/discordptb
+whitelist /opt/DiscordPTB
+whitelist /opt/discord
 private-bin discord-ptb,DiscordPTB
-private-opt discord-ptb,DiscordPTB
 # Redirect
 include discord-common.profile
diff --git a/etc/profile-a-l/discord.profile b/etc/profile-a-l/discord.profile
index 02d1c65cd..6e7d8f91d 100644
--- a/etc/profile-a-l/discord.profile
+++ b/etc/profile-a-l/discord.profile
@@ -9,9 +9,11 @@ noblacklist ${HOME}/.config/discord
 mkdir ${HOME}/.config/discord
 whitelist ${HOME}/.config/discord
+whitelist /opt/Discord
+whitelist /opt/discord
+whitelist /usr/share/discord
 private-bin discord,Discord
-private-opt discord,Discord
 # Redirect
 include discord-common.profile
diff --git a/etc/profile-a-l/display.profile b/etc/profile-a-l/display.profile
index bf77828be..40e19dfc3 100644
--- a/etc/profile-a-l/display.profile
+++ b/etc/profile-a-l/display.profile
@@ -34,7 +34,7 @@ notv
 nou2f
 protocol unix
 seccomp
-# x11 xorg - problems on kubuntu 17.04
+#x11 xorg # problems on kubuntu 17.04
 private-bin display,python*
 private-dev
diff --git a/etc/profile-a-l/dolphin-emu.profile b/etc/profile-a-l/dolphin-emu.profile
index 9743ebfbd..0ae09ce7e 100644
--- a/etc/profile-a-l/dolphin-emu.profile
+++ b/etc/profile-a-l/dolphin-emu.profile
@@ -36,7 +36,7 @@ apparmor
 caps.drop all
 ipc-namespace
 # Add the next line to your dolphin-emu.local if you do not need NetPlay support.
-# net none
+#net none
 netfilter
 # Add the next line to your dolphin-emu.local if you do not need disc support.
 #nodvd
diff --git a/etc/profile-a-l/drawio.profile b/etc/profile-a-l/drawio.profile
index 79366b8ee..c9daa939a 100644
--- a/etc/profile-a-l/drawio.profile
+++ b/etc/profile-a-l/drawio.profile
@@ -39,7 +39,7 @@ nou2f
 novideo
 protocol unix
 seccomp !chroot
-# tracelog - breaks on Arch
+#tracelog # breaks on Arch
 private-bin drawio
 private-cache
@@ -50,5 +50,5 @@ private-tmp
 dbus-user none
 dbus-system none
-# memory-deny-write-execute - breaks on Arch
+#memory-deny-write-execute # breaks on Arch
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-a-l/drill.profile b/etc/profile-a-l/drill.profile
index bea114dd6..63dfd6c0d 100644
--- a/etc/profile-a-l/drill.profile
+++ b/etc/profile-a-l/drill.profile
@@ -13,9 +13,9 @@ blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}
 include disable-common.inc
-# include disable-devel.inc
+#include disable-devel.inc
 include disable-exec.inc
-# include disable-interpreters.inc
+#include disable-interpreters.inc
 include disable-programs.inc
 include disable-xdg.inc
diff --git a/etc/profile-a-l/easystroke.profile b/etc/profile-a-l/easystroke.profile
index 40fd8be7c..3fd5578e6 100644
--- a/etc/profile-a-l/easystroke.profile
+++ b/etc/profile-a-l/easystroke.profile
@@ -49,8 +49,8 @@ private-etc
 #private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*
 private-tmp
-# dbus-user none
+#dbus-user none
-# dbus-system none
+#dbus-system none
 memory-deny-write-execute
 restrict-namespaces
diff --git a/etc/profile-a-l/electron-mail.profile b/etc/profile-a-l/electron-mail.profile
index 766fe523b..544756877 100644
--- a/etc/profile-a-l/electron-mail.profile
+++ b/etc/profile-a-l/electron-mail.profile
@@ -18,6 +18,7 @@ include disable-shell.inc
 mkdir ${HOME}/.config/electron-mail
 whitelist ${HOME}/.config/electron-mail
+whitelist /opt/ElectronMail
 # The lines below are needed to find the default Firefox profile name, to allow
 # opening links in an existing instance of Firefox (note that it still fails if
@@ -29,7 +30,6 @@ machine-id
 nosound
 private-etc @tls-ca,@x11
-private-opt ElectronMail
 dbus-user filter
 dbus-user.talk org.freedesktop.Notifications
diff --git a/etc/profile-a-l/electrum.profile b/etc/profile-a-l/electrum.profile
index 48ce0aa22..d73ed9092 100644
--- a/etc/profile-a-l/electrum.profile
+++ b/etc/profile-a-l/electrum.profile
@@ -49,7 +49,7 @@ private-dev
 private-etc @tls-ca,@x11
 private-tmp
-# dbus-user none
+#dbus-user none
-# dbus-system none
+#dbus-system none
 restrict-namespaces
diff --git a/etc/profile-a-l/element-desktop.profile b/etc/profile-a-l/element-desktop.profile
index 7b4994a85..1af2884b6 100644
--- a/etc/profile-a-l/element-desktop.profile
+++ b/etc/profile-a-l/element-desktop.profile
@@ -15,8 +15,6 @@ mkdir ${HOME}/.config/Element
 whitelist ${HOME}/.config/Element
 whitelist /opt/Element
-private-opt Element
 dbus-user filter
 dbus-user.talk org.freedesktop.Notifications
 dbus-user.talk org.freedesktop.secrets
diff --git a/etc/profile-a-l/email-common.profile b/etc/profile-a-l/email-common.profile
index 8eee662ad..cffa85fd5 100644
--- a/etc/profile-a-l/email-common.profile
+++ b/etc/profile-a-l/email-common.profile
@@ -75,7 +75,7 @@ seccomp
 seccomp.block-secondary
 tracelog
-# disable-mnt
+#disable-mnt
 private-cache
 private-dev
 private-etc @tls-ca,@x11,bogofilter,bogofilter.cf,gnupg,hosts.conf,mailname,timezone
diff --git a/etc/profile-a-l/engrampa.profile b/etc/profile-a-l/engrampa.profile
index e1d107dc7..24e4f8a0e 100644
--- a/etc/profile-a-l/engrampa.profile
+++ b/etc/profile-a-l/engrampa.profile
@@ -35,9 +35,9 @@ seccomp
 seccomp.block-secondary
 tracelog
-# private-bin engrampa
+#private-bin engrampa
 private-dev
-# private-tmp
+#private-tmp
 dbus-user filter
 dbus-user.talk ca.desrt.dconf
diff --git a/etc/profile-a-l/enpass.profile b/etc/profile-a-l/enpass.profile
index 45a1125b4..93929c6ea 100644
--- a/etc/profile-a-l/enpass.profile
+++ b/etc/profile-a-l/enpass.profile
@@ -58,5 +58,5 @@ private-dev
 private-opt Enpass
 private-tmp
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 restrict-namespaces
diff --git a/etc/profile-a-l/ephemeral.profile b/etc/profile-a-l/ephemeral.profile
index 8b32d08b1..795128418 100644
--- a/etc/profile-a-l/ephemeral.profile
+++ b/etc/profile-a-l/ephemeral.profile
@@ -59,7 +59,7 @@ private-cache
 private-tmp
 # breaks preferences
-# dbus-user none
+#dbus-user none
-# dbus-system none
+#dbus-system none
 restrict-namespaces
diff --git a/etc/profile-a-l/etr.profile b/etc/profile-a-l/etr.profile
index 5b9892af3..4789afee6 100644
--- a/etc/profile-a-l/etr.profile
+++ b/etc/profile-a-l/etr.profile
@@ -48,7 +48,7 @@ disable-mnt
 private-bin etr
 private-cache
 private-dev
-# private-etc alternatives,drirc,machine-id,openal,passwd
+#private-etc alternatives,drirc,machine-id,openal,passwd
 private-etc @games,@x11
 private-tmp
diff --git a/etc/profile-a-l/evince.profile b/etc/profile-a-l/evince.profile
index 75a3958ad..06a4a64b1 100644
--- a/etc/profile-a-l/evince.profile
+++ b/etc/profile-a-l/evince.profile
@@ -34,7 +34,7 @@ include whitelist-var-common.inc
 caps.drop all
 machine-id
-# net none - breaks AppArmor on Ubuntu systems
+#net none # breaks AppArmor on Ubuntu systems
 netfilter
 no3d
 nodvd
diff --git a/etc/profile-a-l/falkon.profile b/etc/profile-a-l/falkon.profile
index d805766eb..2a30d2e23 100644
--- a/etc/profile-a-l/falkon.profile
+++ b/etc/profile-a-l/falkon.profile
@@ -41,17 +41,17 @@ nou2f
 protocol unix,inet,inet6,netlink
 # blacklisting of chroot system calls breaks falkon
 seccomp !chroot
-# tracelog
+#tracelog
 disable-mnt
-# private-bin falkon
+#private-bin falkon
 private-cache
 private-dev
 private-etc @tls-ca,@x11,adobe,mailcap,mime.types
 private-tmp
-# dbus-user filter
+#dbus-user filter
-# dbus-user.own org.kde.Falkon
+#dbus-user.own org.kde.Falkon
 dbus-system none
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-a-l/fdns.profile b/etc/profile-a-l/fdns.profile
index fe7f88a75..e9d5709ec 100644
--- a/etc/profile-a-l/fdns.profile
+++ b/etc/profile-a-l/fdns.profile
@@ -24,7 +24,7 @@ include disable-xdg.inc
 apparmor /usr/bin/fdns
 caps.keep kill,net_bind_service,setgid,setuid,sys_admin,sys_chroot
 ipc-namespace
-# netfilter /etc/firejail/webserver.net
+#netfilter /etc/firejail/webserver.net
 no3d
 nodvd
 nogroups
@@ -43,7 +43,7 @@ private-bin bash,fdns,sh
 private-cache
 #private-dev
 private-etc @tls-ca,fdns
-# private-lib
+#private-lib
 private-tmp
 memory-deny-write-execute
diff --git a/etc/profile-a-l/feedreader.profile b/etc/profile-a-l/feedreader.profile
index 6aa24cc86..7b205a917 100644
--- a/etc/profile-a-l/feedreader.profile
+++ b/etc/profile-a-l/feedreader.profile
@@ -29,13 +29,13 @@ include whitelist-var-common.inc
 caps.drop all
 netfilter
-# no3d
+#no3d
 nodvd
 nogroups
 noinput
 nonewprivs
 noroot
-# nosound
+#nosound
 notv
 nou2f
 novideo
diff --git a/etc/profile-a-l/ferdi.profile b/etc/profile-a-l/ferdi.profile
index 3a044542f..27920620a 100644
--- a/etc/profile-a-l/ferdi.profile
+++ b/etc/profile-a-l/ferdi.profile
@@ -45,4 +45,4 @@ disable-mnt
 private-dev
 private-tmp
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-a-l/ffmpeg.profile b/etc/profile-a-l/ffmpeg.profile
index b7d54f05d..af9d556db 100644
--- a/etc/profile-a-l/ffmpeg.profile
+++ b/etc/profile-a-l/ffmpeg.profile
@@ -53,5 +53,5 @@ private-tmp
 dbus-user none
 dbus-system none
-# memory-deny-write-execute - it breaks old versions of ffmpeg
+#memory-deny-write-execute # it breaks old versions of ffmpeg
 restrict-namespaces
diff --git a/etc/profile-a-l/file-roller.profile b/etc/profile-a-l/file-roller.profile
index 78e2751b3..cc1a290ef 100644
--- a/etc/profile-a-l/file-roller.profile
+++ b/etc/profile-a-l/file-roller.profile
@@ -6,6 +6,8 @@ include file-roller.local
 # Persistent global definitions
 include globals.local
+noblacklist ${PATH}/dpkg*
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -22,7 +24,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 machine-id
-# net none - breaks on older Ubuntu versions
+#net none # breaks on older Ubuntu versions
 netfilter
 no3d
 nodvd
@@ -40,11 +42,11 @@ seccomp
 seccomp.block-secondary
 tracelog
-private-bin 7z,7za,7zr,ar,arj,atool,bash,brotli,bsdtar,bzip2,compress,cp,cpio,dpkg-deb,file-roller,gtar,gzip,isoinfo,lha,lrzip,lsar,lz4,lzip,lzma,lzop,mv,p7zip,rar,rm,rzip,sh,tar,unace,unalz,unar,uncompress,unrar,unsquashfs,unstuff,unzip,unzstd,xz,xzdec,zip,zoo,zstd
+private-bin 7z,7za,7zr,ar,arj,atool,bash,brotli,bsdtar,bzip2,compress,cp,cpio,dpkg*,file-roller,gtar,gzip,isoinfo,lha,lrzip,lsar,lz4,lzip,lzma,lzop,mv,p7zip,rar,rm,rzip,sh,tar,unace,unalz,unar,uncompress,unrar,unsquashfs,unstuff,unzip,unzstd,xz,xzdec,zip,zoo,zstd
 private-cache
 private-dev
 private-etc @x11
-# private-tmp
+#private-tmp
 dbus-user filter
 dbus-user.own org.gnome.ArchiveManager1
diff --git a/etc/profile-a-l/floorp.profile b/etc/profile-a-l/floorp.profile
new file mode 100644
index 000000000..49caed107
--- /dev/null
+++ b/etc/profile-a-l/floorp.profile
@@ -0,0 +1,45 @@
+# Firejail profile for floorp
+# Description: A customisable Firefox fork with excellent privacy protection
+# This file is overwritten after every install/update
+# Persistent local customizations
+include floorp.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.cache/floorp
+noblacklist ${HOME}/.floorp
+mkdir ${HOME}/.cache/floorp
+mkdir ${HOME}/.floorp
+whitelist ${HOME}/.cache/floorp
+whitelist ${HOME}/.floorp
+# Add the next lines to your floorp.local if you want to use the migration wizard.
+#noblacklist ${HOME}/.mozilla
+#whitelist ${HOME}/.mozilla
+# To enable KeePassXC Plugin add one of the following lines to your floorp.local.
+# Note: Start KeePassXC before floorp and keep it open to allow communication between them.
+#whitelist ${RUNUSER}/kpxc_server
+#whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer
+dbus-user filter
+dbus-user.own org.mozilla.floorp.*
+# Add the next line to your floorp.local to enable native notifications.
+#dbus-user.talk org.freedesktop.Notifications
+# Add the next line to your floorp.local to allow inhibiting screensavers.
+#dbus-user.talk org.freedesktop.ScreenSaver
+# Add the next lines to your floorp.local for plasma browser integration.
+#dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration
+#dbus-user.talk org.kde.JobViewServer
+#dbus-user.talk org.kde.kuiserver
+# Add the next line to your floorp.local to allow screensharing under Wayland.
+#dbus-user.talk org.freedesktop.portal.Desktop
+# Also add the next line to your floorp.local if screensharing does not work with
+# the above lines (depends on the portal implementation).
+#ignore noroot
+ignore apparmor
+ignore dbus-user none
+# Redirect
+include firefox-common.profile
diff --git a/etc/profile-a-l/fluffychat.profile b/etc/profile-a-l/fluffychat.profile
new file mode 100644
index 000000000..abc5979da
--- /dev/null
+++ b/etc/profile-a-l/fluffychat.profile
@@ -0,0 +1,73 @@
+# Firejail profile for fluffychat
+# Description: Easy to use matrix messenger
+# This file is overwritten after every install/update
+# Persistent local customizations
+include fluffychat.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.local/share/fluffychat
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+# The lines below are needed to find the default Firefox profile name, to allow
+# opening links in an existing instance of Firefox (note that it still fails if
+# there isn't a Firefox instance running with the default profile; see #5352)
+noblacklist ${HOME}/.mozilla
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+read-only ${HOME}/.mozilla/firefox/profiles.ini
+mkdir ${HOME}/.local/share/fluffychat
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.local/share/fluffychat
+whitelist /opt/fluffychat
+whitelist /usr/share/fluffychat
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noprinters
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+tracelog
+disable-mnt
+private-bin firefox,fluffychat,sh,which,zenity
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gconf,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg
+private-tmp
+dbus-user filter
+dbus-user.talk org.freedesktop.secrets
+# allow D-Bus communication with firefox for opening links
+dbus-user.talk org.mozilla.*
+dbus-system filter
+dbus-system.talk org.freedesktop.NetworkManager
+restrict-namespaces
diff --git a/etc/profile-a-l/font-manager.profile b/etc/profile-a-l/font-manager.profile
index 88ae56c82..5b9603243 100644
--- a/etc/profile-a-l/font-manager.profile
+++ b/etc/profile-a-l/font-manager.profile
@@ -33,7 +33,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 machine-id
-# net none - issues on older versions
+#net none # issues on older versions
 no3d
 nodvd
 nogroups
@@ -53,5 +53,5 @@ private-bin font-manager,python*,yelp
 private-dev
 private-tmp
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 restrict-namespaces
diff --git a/etc/profile-a-l/franz.profile b/etc/profile-a-l/franz.profile
index e21789d73..664773b77 100644
--- a/etc/profile-a-l/franz.profile
+++ b/etc/profile-a-l/franz.profile
@@ -45,4 +45,4 @@ disable-mnt
 private-dev
 private-tmp
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-a-l/freemind.profile b/etc/profile-a-l/freemind.profile
index 9bf5a14be..80958d305 100644
--- a/etc/profile-a-l/freemind.profile
+++ b/etc/profile-a-l/freemind.profile
@@ -9,6 +9,8 @@ include globals.local
 noblacklist ${DOCUMENTS}
 noblacklist ${HOME}/.freemind
+noblacklist ${PATH}/dpkg*
 # Allow java (blacklisted by disable-devel.inc)
 include allow-java.inc
@@ -40,7 +42,7 @@ seccomp
 tracelog
 disable-mnt
-private-bin bash,cp,dirname,dpkg,echo,freemind,grep,java,lsb_release,mkdir,readlink,rpm,sed,sh,uname,which
+private-bin bash,cp,dirname,dpkg*,echo,freemind,grep,java,lsb_release,mkdir,readlink,rpm,sed,sh,uname,which
 private-cache
 private-dev
 #private-etc alternatives,fonts,java*
diff --git a/etc/profile-a-l/freshclam.profile b/etc/profile-a-l/freshclam.profile
index 133d66f0d..f59094567 100644
--- a/etc/profile-a-l/freshclam.profile
+++ b/etc/profile-a-l/freshclam.profile
@@ -2,7 +2,7 @@
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations
-include clamav.local
+include freshclam.local
 # Persistent global definitions
 include globals.local
diff --git a/etc/profile-a-l/frozen-bubble.profile b/etc/profile-a-l/frozen-bubble.profile
index f162a4a31..98f473654 100644
--- a/etc/profile-a-l/frozen-bubble.profile
+++ b/etc/profile-a-l/frozen-bubble.profile
@@ -41,7 +41,7 @@ seccomp
 tracelog
 disable-mnt
-# private-bin frozen-bubble
+#private-bin frozen-bubble
 private-dev
 private-etc @games,@x11
 private-tmp
diff --git a/etc/profile-a-l/funnyboat.profile b/etc/profile-a-l/funnyboat.profile
index 8ca349d1c..bd790cab4 100644
--- a/etc/profile-a-l/funnyboat.profile
+++ b/etc/profile-a-l/funnyboat.profile
@@ -16,7 +16,7 @@ include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
-# include disable-shell.inc
+#include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.funnyboat
@@ -41,7 +41,7 @@ notv
 novideo
 protocol unix,inet,inet6
 seccomp
-# tracelog
+#tracelog
 disable-mnt
 private-cache
diff --git a/etc/profile-a-l/galculator.profile b/etc/profile-a-l/galculator.profile
index 44d62cc86..aa1b96c41 100644
--- a/etc/profile-a-l/galculator.profile
+++ b/etc/profile-a-l/galculator.profile
@@ -48,5 +48,5 @@ private-tmp
 dbus-user none
 dbus-system none
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 restrict-namespaces
diff --git a/etc/profile-a-l/geary.profile b/etc/profile-a-l/geary.profile
index ba0837780..da240c36a 100644
--- a/etc/profile-a-l/geary.profile
+++ b/etc/profile-a-l/geary.profile
@@ -53,7 +53,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
-#ipc-namespace - may cause issues with X11
+#ipc-namespace # may cause issues with X11
 #machine-id
 netfilter
 no3d
@@ -71,7 +71,7 @@ seccomp
 seccomp.block-secondary
 tracelog
-# disable-mnt
+#disable-mnt
 #private-bin geary,sh
 private-cache
 private-dev
diff --git a/etc/profile-a-l/gedit.profile b/etc/profile-a-l/gedit.profile
index dbb3ab971..bc265a509 100644
--- a/etc/profile-a-l/gedit.profile
+++ b/etc/profile-a-l/gedit.profile
@@ -13,18 +13,18 @@ noblacklist ${HOME}/.config/gedit
 include allow-common-devel.inc
 include disable-common.inc
-# include disable-devel.inc
+#include disable-devel.inc
 include disable-exec.inc
-# include disable-interpreters.inc
+#include disable-interpreters.inc
 include disable-programs.inc
 include whitelist-runuser-common.inc
 include whitelist-var-common.inc
-# apparmor - makes settings immutable
+#apparmor # makes settings immutable
 caps.drop all
 machine-id
-# net none - makes settings immutable
+#net none # makes settings immutable
 no3d
 nodvd
 nogroups
@@ -40,14 +40,14 @@ seccomp
 seccomp.block-secondary
 tracelog
-# private-bin gedit
+#private-bin gedit
 private-dev
 # private-lib breaks python plugins - add the next line to your gedit.local if you don't use them.
 #private-lib aspell,gconv,gedit,libgspell-1.so.*,libgtksourceview-*,libpeas-gtk-1.0.so.*,libreadline.so.*,libtinfo.so.*
 private-tmp
 # makes settings immutable
-# dbus-user none
+#dbus-user none
-# dbus-system none
+#dbus-system none
 restrict-namespaces
diff --git a/etc/profile-a-l/geekbench.profile b/etc/profile-a-l/geekbench.profile
index e8d4c013f..387ec615f 100644
--- a/etc/profile-a-l/geekbench.profile
+++ b/etc/profile-a-l/geekbench.profile
@@ -43,7 +43,7 @@ seccomp
 tracelog
 disable-mnt
-#private-bin bash,geekbench*,sh -- #4576
+#private-bin bash,geekbench*,sh # #4576
 private-cache
 private-dev
 private-etc lsb-release
diff --git a/etc/profile-a-l/geeqie.profile b/etc/profile-a-l/geeqie.profile
index f81a49e4f..6cd28f25d 100644
--- a/etc/profile-a-l/geeqie.profile
+++ b/etc/profile-a-l/geeqie.profile
@@ -32,7 +32,7 @@ novideo
 protocol unix,inet,inet6
 seccomp
-# private-bin geeqie
+#private-bin geeqie
 private-dev
 restrict-namespaces
diff --git a/etc/profile-a-l/gfeeds.profile b/etc/profile-a-l/gfeeds.profile
index 1c97ad21c..007658138 100644
--- a/etc/profile-a-l/gfeeds.profile
+++ b/etc/profile-a-l/gfeeds.profile
@@ -58,7 +58,7 @@ tracelog
 disable-mnt
 private-bin gfeeds,python3*
-# private-cache -- feeds are stored in ~/.cache
+#private-cache # feeds are stored in ~/.cache
 private-dev
 private-etc @tls-ca,@x11,dbus-1,gconf,host.conf,mime.types,rpc,services
 private-tmp
diff --git a/etc/profile-a-l/ghostwriter.profile b/etc/profile-a-l/ghostwriter.profile
index dabf0dd7f..2023ca9f0 100644
--- a/etc/profile-a-l/ghostwriter.profile
+++ b/etc/profile-a-l/ghostwriter.profile
@@ -45,7 +45,7 @@ novideo
 protocol unix,inet,inet6,netlink
 seccomp !chroot
 seccomp.block-secondary
-#tracelog -- breaks
+#tracelog # breaks
 private-bin context,gettext,ghostwriter,latex,mktexfmt,pandoc,pdflatex,pdfroff,prince,weasyprint,wkhtmltopdf
 private-cache
diff --git a/etc/profile-a-l/github-desktop.profile b/etc/profile-a-l/github-desktop.profile
index ced1aa190..88134b363 100644
--- a/etc/profile-a-l/github-desktop.profile
+++ b/etc/profile-a-l/github-desktop.profile
@@ -29,14 +29,14 @@ noblacklist ${HOME}/.config/git
 noblacklist ${HOME}/.gitconfig
 noblacklist ${HOME}/.git-credentials
-# no3d
+#no3d
 nosound
-# private-bin github-desktop
+#private-bin github-desktop
 ?HAS_APPIMAGE: ignore private-dev
-# private-lib
+#private-lib
-# memory-deny-write-execute
+#memory-deny-write-execute
 # Redirect
 include electron-common.profile
diff --git a/etc/profile-a-l/gitter.profile b/etc/profile-a-l/gitter.profile
index e3cf87c87..54f2923ba 100644
--- a/etc/profile-a-l/gitter.profile
+++ b/etc/profile-a-l/gitter.profile
@@ -18,6 +18,7 @@ mkdir ${HOME}/.config/Gitter
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.config/autostart
 whitelist ${HOME}/.config/Gitter
+whitelist /opt/Gitter
 include whitelist-var-common.inc
 caps.drop all
@@ -37,7 +38,6 @@ seccomp
 disable-mnt
 private-bin bash,env,gitter
 private-etc @tls-ca
-private-opt Gitter
 private-dev
 private-tmp
diff --git a/etc/profile-a-l/gjs.profile b/etc/profile-a-l/gjs.profile
index bd332a6d5..cad261365 100644
--- a/etc/profile-a-l/gjs.profile
+++ b/etc/profile-a-l/gjs.profile
@@ -38,9 +38,9 @@ protocol unix,inet,inet6
 seccomp
 tracelog
-# private-bin gjs,gnome-books,gnome-documents,gnome-maps,gnome-photos,gnome-weather
+#private-bin gjs,gnome-books,gnome-documents,gnome-maps,gnome-photos,gnome-weather
 private-dev
-# private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl
+#private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl
 private-tmp
 restrict-namespaces
diff --git a/etc/profile-a-l/gmpc.profile b/etc/profile-a-l/gmpc.profile
index f3e045000..4d4a0d50e 100644
--- a/etc/profile-a-l/gmpc.profile
+++ b/etc/profile-a-l/gmpc.profile
@@ -47,8 +47,9 @@ private-etc
 private-tmp
 writable-run-user
-# dbus-user none
+dbus-user filter
-# dbus-system none
+dbus-user.talk org.mpris.MediaPlayer2.mpd
+dbus-system none
-# memory-deny-write-execute - breaks on Arch
+#memory-deny-write-execute # breaks on Arch
 restrict-namespaces
diff --git a/etc/profile-a-l/gnome-books.profile b/etc/profile-a-l/gnome-books.profile
index 812923b2d..962b8b30f 100644
--- a/etc/profile-a-l/gnome-books.profile
+++ b/etc/profile-a-l/gnome-books.profile
@@ -39,7 +39,7 @@ protocol unix
 seccomp
 tracelog
-# private-bin gjs,gnome-books
+#private-bin gjs,gnome-books
 private-dev
 private-tmp
diff --git a/etc/profile-a-l/gnome-calculator.profile b/etc/profile-a-l/gnome-calculator.profile
index e5c6022e8..40f799693 100644
--- a/etc/profile-a-l/gnome-calculator.profile
+++ b/etc/profile-a-l/gnome-calculator.profile
@@ -24,7 +24,7 @@ apparmor
 caps.drop all
 ipc-namespace
 machine-id
-#net none -- breaks currency conversion
+#net none # breaks currency conversion
 netfilter
 no3d
 nodvd
diff --git a/etc/profile-a-l/gnome-characters.profile b/etc/profile-a-l/gnome-characters.profile
index 9e9730e53..9f592722c 100644
--- a/etc/profile-a-l/gnome-characters.profile
+++ b/etc/profile-a-l/gnome-characters.profile
@@ -52,8 +52,8 @@ private-etc @x11,gconf,mime.types
 private-tmp
 # Add the next lines to your gnome-characters.local if you don't need access to recently used chars.
-# dbus-user none
+#dbus-user none
-# dbus-system none
+#dbus-system none
 read-only ${HOME}
 restrict-namespaces
diff --git a/etc/profile-a-l/gnome-contacts.profile b/etc/profile-a-l/gnome-contacts.profile
index 2326115c3..25a906c69 100644
--- a/etc/profile-a-l/gnome-contacts.profile
+++ b/etc/profile-a-l/gnome-contacts.profile
@@ -21,7 +21,7 @@ include whitelist-var-common.inc
 caps.drop all
 netfilter
-#no3d - breaks on Arch
+#no3d # breaks on Arch
 nodvd
 noinput
 nonewprivs
diff --git a/etc/profile-a-l/gnome-keyring.profile b/etc/profile-a-l/gnome-keyring.profile
index 45b6fd880..aa0a7f4cc 100644
--- a/etc/profile-a-l/gnome-keyring.profile
+++ b/etc/profile-a-l/gnome-keyring.profile
@@ -55,7 +55,7 @@ private-dev
 #private-lib alternatives,gnome-keyring,libsecret-1.so.*,pkcs11,security
 private-tmp
-# dbus-user none
+#dbus-user none
 dbus-system none
 memory-deny-write-execute
diff --git a/etc/profile-a-l/gnome-logs.profile b/etc/profile-a-l/gnome-logs.profile
index 61f4f4107..4d2681fbc 100644
--- a/etc/profile-a-l/gnome-logs.profile
+++ b/etc/profile-a-l/gnome-logs.profile
@@ -6,49 +6,15 @@ include gnome-logs.local
 # Persistent global definitions
 include globals.local
-include disable-common.inc
+whitelist /usr/share/gnome-logs
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-programs.inc
-include disable-shell.inc
-include disable-xdg.inc
-whitelist /var/log/journal
-include whitelist-runuser-common.inc
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
-apparmor
-caps.drop all
-ipc-namespace
-net none
-no3d
-nodvd
-noinput
-nonewprivs
-nosound
-notv
-nou2f
-novideo
-protocol unix
-seccomp
-tracelog
-disable-mnt
 private-bin gnome-logs
-private-cache
-private-dev
-private-etc
 private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*
-private-tmp
-writable-var-log
 dbus-user filter
 dbus-user.own org.gnome.Logs
 dbus-user.talk ca.desrt.dconf
-dbus-system none
+ignore dbus-user none
-# Add 'ignore read-only ${HOME}' to your gnome-logs.local if you export logs to a file under your ${HOME}.
+# Redirect
-read-only ${HOME}
+include system-log-common.profile
-restrict-namespaces
diff --git a/etc/profile-a-l/gnome-maps.profile b/etc/profile-a-l/gnome-maps.profile
index 17f52e588..40c264c86 100644
--- a/etc/profile-a-l/gnome-maps.profile
+++ b/etc/profile-a-l/gnome-maps.profile
@@ -61,7 +61,7 @@ tracelog
 disable-mnt
 private-bin gjs,gnome-maps
-# private-cache -- gnome-maps cache all maps/satelite-images
+#private-cache # gnome-maps cache all maps/satelite-images
 private-dev
 private-etc @tls-ca,@x11,clutter-1.0,gconf,host.conf,mime.types,pkcs11,rpc,services
 private-tmp
diff --git a/etc/profile-a-l/gnome-mplayer.profile b/etc/profile-a-l/gnome-mplayer.profile
index 052e9ba9c..5315cbec6 100644
--- a/etc/profile-a-l/gnome-mplayer.profile
+++ b/etc/profile-a-l/gnome-mplayer.profile
@@ -26,7 +26,7 @@ nou2f
 protocol unix,inet,inet6
 seccomp
-# private-bin gnome-mplayer,mplayer
+#private-bin gnome-mplayer,mplayer
 private-cache
 private-dev
 private-tmp
diff --git a/etc/profile-a-l/gnome-nettool.profile b/etc/profile-a-l/gnome-nettool.profile
index 7a9a0e336..7a8338cd7 100644
--- a/etc/profile-a-l/gnome-nettool.profile
+++ b/etc/profile-a-l/gnome-nettool.profile
@@ -14,7 +14,7 @@ include disable-programs.inc
 include disable-xdg.inc
 whitelist /usr/share/gnome-nettool
-#include whitelist-common.inc -- see #903
+#include whitelist-common.inc # see #903
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/gnome-photos.profile b/etc/profile-a-l/gnome-photos.profile
index 1d0291aa2..4d2a3913f 100644
--- a/etc/profile-a-l/gnome-photos.profile
+++ b/etc/profile-a-l/gnome-photos.profile
@@ -36,7 +36,7 @@ seccomp
 seccomp.block-secondary
 tracelog
-# private-bin gjs,gnome-photos
+#private-bin gjs,gnome-photos
 private-dev
 private-tmp
diff --git a/etc/profile-a-l/gnome-pie.profile b/etc/profile-a-l/gnome-pie.profile
index ac0fb555d..dff6032d1 100644
--- a/etc/profile-a-l/gnome-pie.profile
+++ b/etc/profile-a-l/gnome-pie.profile
@@ -16,7 +16,7 @@ include disable-exec.inc
 caps.drop all
 ipc-namespace
-# net none - breaks dbus
+#net none # breaks dbus
 no3d
 nodvd
 nogroups
diff --git a/etc/profile-a-l/gnome-ring.profile b/etc/profile-a-l/gnome-ring.profile
index 8f2ab7fd6..898cdf1f8 100644
--- a/etc/profile-a-l/gnome-ring.profile
+++ b/etc/profile-a-l/gnome-ring.profile
@@ -27,7 +27,7 @@ protocol unix,inet,inet6,netlink
 seccomp
 disable-mnt
-# private-dev
+#private-dev
 private-tmp
 restrict-namespaces
diff --git a/etc/profile-a-l/gnome-schedule.profile b/etc/profile-a-l/gnome-schedule.profile
index b71d77621..33f22136e 100644
--- a/etc/profile-a-l/gnome-schedule.profile
+++ b/etc/profile-a-l/gnome-schedule.profile
@@ -46,7 +46,7 @@ apparmor
 caps.keep chown,dac_override,setgid,setuid
 ipc-namespace
 machine-id
-#net none - breaks on Ubuntu
+#net none # breaks on Ubuntu
 no3d
 nodvd
 nogroups
diff --git a/etc/profile-a-l/gnome-system-log.profile b/etc/profile-a-l/gnome-system-log.profile
index f4e985342..0d6116f4f 100644
--- a/etc/profile-a-l/gnome-system-log.profile
+++ b/etc/profile-a-l/gnome-system-log.profile
@@ -6,51 +6,13 @@ include gnome-system-log.local
 # Persistent global definitions
 include globals.local
-include disable-common.inc
+# 'net none' breaks dbus
-include disable-devel.inc
+ignore net none
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-programs.inc
-include disable-shell.inc
-include disable-xdg.inc
-whitelist /var/log
-include whitelist-common.inc
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
-apparmor
-caps.drop all
-ipc-namespace
-# net none - breaks dbus
-no3d
-nodvd
-# When using 'volatile' storage (https://www.freedesktop.org/software/systemd/man/journald.conf.html),
-# put 'ignore nogroups' and 'ignore noroot' in your gnome-system-log.local.
-nogroups
-noinput
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix
-seccomp
-disable-mnt
 private-bin gnome-system-log
-private-cache
-private-dev
-private-etc
 private-lib
-private-tmp
-writable-var-log
-# dbus-user none
-# dbus-system none
 memory-deny-write-execute
-# Add 'ignore read-only ${HOME}' to your gnome-system-log.local if you export logs to a file under your ${HOME}.
-read-only ${HOME}
+# Redirect
-restrict-namespaces
+include system-log-common.profile
diff --git a/etc/profile-a-l/gnome-weather.profile b/etc/profile-a-l/gnome-weather.profile
index 147b84a19..8637f5019 100644
--- a/etc/profile-a-l/gnome-weather.profile
+++ b/etc/profile-a-l/gnome-weather.profile
@@ -41,9 +41,9 @@ seccomp.block-secondary
 tracelog
 disable-mnt
-# private-bin gjs,gnome-weather
+#private-bin gjs,gnome-weather
 private-dev
-# private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl
+#private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl
 private-tmp
 restrict-namespaces
diff --git a/etc/profile-a-l/godot.profile b/etc/profile-a-l/godot.profile
index 5e41384ab..96bbffc41 100644
--- a/etc/profile-a-l/godot.profile
+++ b/etc/profile-a-l/godot.profile
@@ -34,7 +34,7 @@ seccomp
 tracelog
-# private-bin godot
+#private-bin godot
 private-cache
 private-dev
 private-etc @games,@tls-ca,@x11,mono
diff --git a/etc/profile-a-l/goobox.profile b/etc/profile-a-l/goobox.profile
index 8807a239d..96b72230d 100644
--- a/etc/profile-a-l/goobox.profile
+++ b/etc/profile-a-l/goobox.profile
@@ -28,9 +28,9 @@ protocol unix,inet,inet6
 seccomp
 tracelog
-# private-bin goobox
+#private-bin goobox
 private-dev
-# private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,machine-id,pki,pulse,ssl
+#private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,machine-id,pki,pulse,ssl
-# private-tmp
+#private-tmp
 restrict-namespaces
diff --git a/etc/profile-a-l/google-earth.profile b/etc/profile-a-l/google-earth.profile
index 4af6ce36b..1087b3d6e 100644
--- a/etc/profile-a-l/google-earth.profile
+++ b/etc/profile-a-l/google-earth.profile
@@ -18,6 +18,7 @@ mkdir ${HOME}/.config/Google
 mkdir ${HOME}/.googleearth
 whitelist ${HOME}/.config/Google
 whitelist ${HOME}/.googleearth
+whitelist /opt/google
 include whitelist-common.inc
 caps.drop all
@@ -37,6 +38,5 @@ seccomp
 disable-mnt
 private-bin bash,dirname,google-earth,grep,ls,sed,sh
 private-dev
-private-opt google
 restrict-namespaces
diff --git a/etc/profile-a-l/google-play-music-desktop-player.profile b/etc/profile-a-l/google-play-music-desktop-player.profile
index c2a7d89fd..1218631d8 100644
--- a/etc/profile-a-l/google-play-music-desktop-player.profile
+++ b/etc/profile-a-l/google-play-music-desktop-player.profile
@@ -17,8 +17,8 @@ include disable-interpreters.inc
 include disable-programs.inc
 mkdir ${HOME}/.config/Google Play Music Desktop Player
-# whitelist ${HOME}/.config/pulse
+#whitelist ${HOME}/.config/pulse
-# whitelist ${HOME}/.pulse
+#whitelist ${HOME}/.pulse
 whitelist ${HOME}/.config/Google Play Music Desktop Player
 include whitelist-common.inc
diff --git a/etc/profile-a-l/gpa.profile b/etc/profile-a-l/gpa.profile
index e05cdf424..25498d89e 100644
--- a/etc/profile-a-l/gpa.profile
+++ b/etc/profile-a-l/gpa.profile
@@ -28,7 +28,7 @@ protocol unix,inet,inet6
 seccomp
 tracelog
-# private-bin gpa,gpg
+#private-bin gpa,gpg
 private-dev
 restrict-namespaces
diff --git a/etc/profile-a-l/gpg-agent.profile b/etc/profile-a-l/gpg-agent.profile
index f4cd85e3a..3b623a338 100644
--- a/etc/profile-a-l/gpg-agent.profile
+++ b/etc/profile-a-l/gpg-agent.profile
@@ -46,7 +46,7 @@ protocol unix,inet,inet6
 seccomp
 tracelog
-# private-bin gpg-agent
+#private-bin gpg-agent
 private-cache
 private-dev
diff --git a/etc/profile-a-l/gpg.profile b/etc/profile-a-l/gpg.profile
index 60690852a..bf4a1c60b 100644
--- a/etc/profile-a-l/gpg.profile
+++ b/etc/profile-a-l/gpg.profile
@@ -42,7 +42,7 @@ protocol unix,inet,inet6
 seccomp
 tracelog
-# private-bin gpg
+#private-bin gpg
 private-cache
 private-dev
diff --git a/etc/profile-a-l/gpg2.profile b/etc/profile-a-l/gpg2.profile
index b831b0f62..a9d928f17 100644
--- a/etc/profile-a-l/gpg2.profile
+++ b/etc/profile-a-l/gpg2.profile
@@ -7,7 +7,7 @@ include gpg2.local
 # added by included profile
 #include globals.local
-# private-bin gpg2
+#private-bin gpg2
 # Redirect
 include gpg.profile
diff --git a/etc/profile-a-l/gucharmap.profile b/etc/profile-a-l/gucharmap.profile
index ef4aad4da..93db304da 100644
--- a/etc/profile-a-l/gucharmap.profile
+++ b/etc/profile-a-l/gucharmap.profile
@@ -22,7 +22,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 machine-id
-#net none - breaks dbus
+#net none # breaks dbus
 no3d
 nodvd
 nogroups
@@ -47,8 +47,8 @@ private-lib
 private-tmp
 # breaks state saving
-# dbus-user none
+#dbus-user none
-# dbus-system none
+#dbus-system none
 read-only ${HOME}
 restrict-namespaces
diff --git a/etc/profile-a-l/gwenview.profile b/etc/profile-a-l/gwenview.profile
index 4be71f6d3..bc4084a38 100644
--- a/etc/profile-a-l/gwenview.profile
+++ b/etc/profile-a-l/gwenview.profile
@@ -14,6 +14,7 @@ noblacklist ${HOME}/.kde/share/apps/gwenview
 noblacklist ${HOME}/.kde/share/config/gwenviewrc
 noblacklist ${HOME}/.kde4/share/apps/gwenview
 noblacklist ${HOME}/.kde4/share/config/gwenviewrc
+noblacklist ${HOME}/.local/share/Trash
 noblacklist ${HOME}/.local/share/gwenview
 noblacklist ${HOME}/.local/share/kxmlgui5/gwenview
 noblacklist ${HOME}/.local/share/org.kde.gwenview
@@ -30,7 +31,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
-# net none
+#net none
 netfilter
 nodvd
 nogroups
@@ -42,14 +43,14 @@ nou2f
 novideo
 protocol unix
 seccomp
-# tracelog
+#tracelog
 private-bin gimp*,gwenview,kbuildsycoca4,kdeinit4
 private-dev
 private-etc @x11,gimp
-# dbus-user none
+#dbus-user none
-# dbus-system none
+#dbus-system none
-# memory-deny-write-execute
+#memory-deny-write-execute
 restrict-namespaces
diff --git a/etc/profile-a-l/hexchat.profile b/etc/profile-a-l/hexchat.profile
index df7f8f3a3..def7bf25f 100644
--- a/etc/profile-a-l/hexchat.profile
+++ b/etc/profile-a-l/hexchat.profile
@@ -32,7 +32,7 @@ include whitelist-common.inc
 include whitelist-var-common.inc
 caps.drop all
-#machine-id -- breaks sound
+#machine-id # breaks sound
 netfilter
 no3d
 nodvd
@@ -51,8 +51,8 @@ disable-mnt
 # debug note: private-bin requires perl, python, etc on some systems
 private-bin hexchat,python*,sh
 private-dev
-#private-lib - python problems
+#private-lib # python problems
 private-tmp
-# memory-deny-write-execute - breaks python
+#memory-deny-write-execute # breaks python
 restrict-namespaces
diff --git a/etc/profile-a-l/homebank.profile b/etc/profile-a-l/homebank.profile
index ccbb66333..d36cf0f46 100644
--- a/etc/profile-a-l/homebank.profile
+++ b/etc/profile-a-l/homebank.profile
@@ -28,7 +28,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 machine-id
-# net none
+#net none
 netfilter
 nodvd
 no3d
@@ -55,5 +55,5 @@ private-tmp
 dbus-user none
 dbus-system none
-# memory-deny-write-execute
+#memory-deny-write-execute
 restrict-namespaces
diff --git a/etc/profile-a-l/iagno.profile b/etc/profile-a-l/iagno.profile
index 82cba7887..47c341333 100644
--- a/etc/profile-a-l/iagno.profile
+++ b/etc/profile-a-l/iagno.profile
@@ -43,7 +43,7 @@ private-dev
 private-etc @x11,gconf
 private-tmp
-# dbus-user none
+#dbus-user none
-# dbus-system none
+#dbus-system none
 restrict-namespaces
diff --git a/etc/profile-a-l/idea.sh.profile b/etc/profile-a-l/idea.sh.profile
index 31f65962f..2b4c68a4d 100644
--- a/etc/profile-a-l/idea.sh.profile
+++ b/etc/profile-a-l/idea.sh.profile
@@ -36,7 +36,7 @@ seccomp
 private-cache
 private-dev
-# private-tmp
+#private-tmp
 noexec /tmp
 restrict-namespaces
diff --git a/etc/profile-a-l/img2txt.profile b/etc/profile-a-l/img2txt.profile
index ee341423a..8091a4c9e 100644
--- a/etc/profile-a-l/img2txt.profile
+++ b/etc/profile-a-l/img2txt.profile
@@ -41,7 +41,7 @@ seccomp
 tracelog
 x11 none
-# private-bin img2txt
+#private-bin img2txt
 private-cache
 private-dev
 private-tmp
diff --git a/etc/profile-a-l/inkscape.profile b/etc/profile-a-l/inkscape.profile
index c4fc16c87..ced7a285f 100644
--- a/etc/profile-a-l/inkscape.profile
+++ b/etc/profile-a-l/inkscape.profile
@@ -61,7 +61,7 @@ protocol unix
 seccomp
 tracelog
-# private-bin inkscape,potrace,python* - problems on Debian stretch
+#private-bin inkscape,potrace,python* # problems on Debian stretch
 private-cache
 private-dev
 private-etc @x11,ImageMagick*,python*
diff --git a/etc/profile-a-l/ipcalc.profile b/etc/profile-a-l/ipcalc.profile
index e73ca44a8..369519947 100644
--- a/etc/profile-a-l/ipcalc.profile
+++ b/etc/profile-a-l/ipcalc.profile
@@ -14,7 +14,7 @@ include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
-# include disable-shell.inc
+#include disable-shell.inc
 include disable-write-mnt.inc
 include disable-xdg.inc
@@ -26,7 +26,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 ipc-namespace
-# machine-id
+#machine-id
 net none
 netfilter
 no3d
@@ -39,14 +39,14 @@ nosound
 notv
 nou2f
 novideo
-# protocol unix
+#protocol unix
 seccomp
-# tracelog
+#tracelog
 disable-mnt
 private
 private-bin bash,ipcalc,ipcalc-ng,perl,sh
-# private-cache
+#private-cache
 private-dev
 # empty etc directory
 private-etc
@@ -57,6 +57,6 @@ private-tmp
 dbus-user none
 dbus-system none
-# memory-deny-write-execute
+#memory-deny-write-execute
-# read-only ${HOME}
+#read-only ${HOME}
 restrict-namespaces
diff --git a/etc/profile-a-l/journal-viewer.profile b/etc/profile-a-l/journal-viewer.profile
index f73595fb1..eb007b765 100644
--- a/etc/profile-a-l/journal-viewer.profile
+++ b/etc/profile-a-l/journal-viewer.profile
@@ -9,60 +9,16 @@ include globals.local
 noblacklist ${HOME}/.cache/journal-viewer
 noblacklist ${HOME}/.local/share/com.vmingueza.journal-viewer
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-proc.inc
-include disable-programs.inc
-include disable-shell.inc
-include disable-xdg.inc
 mkdir ${HOME}/.cache/journal-viewer
 mkdir ${HOME}/.local/share/com.vmingueza.journal-viewer
 whitelist ${HOME}/.cache/journal-viewer
 whitelist ${HOME}/.local/share/com.vmingueza.journal-viewer
-whitelist /run/log/journal
-whitelist /var/log/journal
-include whitelist-common.inc
-include whitelist-run-common.inc
-include whitelist-runuser-common.inc
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
-apparmor
-caps.drop all
-ipc-namespace
-net none
-no3d
-nodvd
-nogroups
-noinput
-nonewprivs
-noprinters
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix
-seccomp
-seccomp.block-secondary
-tracelog
-disable-mnt
 private-bin journal-viewer
-private-cache
-private-dev
-private-etc machine-id
 private-lib webkit2gtk-*
-private-tmp
-dbus-user none
-dbus-system none
-restrict-namespaces
-read-only ${HOME}
 read-write ${HOME}/.cache/journal-viewer
 read-write ${HOME}/.local/share/com.vmingueza.journal-viewer
-writable-var-log
+# Redirect
+include system-log-common.profile
diff --git a/etc/profile-a-l/k3b.profile b/etc/profile-a-l/k3b.profile
index 81d4f3458..9fb609151 100644
--- a/etc/profile-a-l/k3b.profile
+++ b/etc/profile-a-l/k3b.profile
@@ -21,19 +21,19 @@ include disable-xdg.inc
 include whitelist-var-common.inc
 caps.keep chown,dac_override,ipc_lock,net_bind_service,sys_admin,sys_nice,sys_rawio,sys_resource
-# net none
+#net none
 netfilter
 no3d
-# nonewprivs - breaks privileged helpers
+#nonewprivs # breaks privileged helpers
 noinput
-# noroot - breaks privileged helpers
+#noroot # breaks privileged helpers
 nosound
 notv
 novideo
-# protocol unix - breaks privileged helpers
+#protocol unix # breaks privileged helpers
-# seccomp - breaks privileged helpers
+#seccomp # breaks privileged helpers
 private-dev
-# private-tmp
+#private-tmp
-# restrict-namespaces - breaks privileged helpers
+#restrict-namespaces # breaks privileged helpers
diff --git a/etc/profile-a-l/kaffeine.profile b/etc/profile-a-l/kaffeine.profile
index 73417bf11..b84d144bd 100644
--- a/etc/profile-a-l/kaffeine.profile
+++ b/etc/profile-a-l/kaffeine.profile
@@ -36,7 +36,7 @@ novideo
 protocol unix,inet,inet6
 seccomp
-# private-bin kaffeine
+#private-bin kaffeine
 private-dev
 private-tmp
diff --git a/etc/profile-a-l/kalgebra.profile b/etc/profile-a-l/kalgebra.profile
index a4e67cf6b..359c02b38 100644
--- a/etc/profile-a-l/kalgebra.profile
+++ b/etc/profile-a-l/kalgebra.profile
@@ -35,7 +35,7 @@ nou2f
 novideo
 protocol unix,netlink
 seccomp !chroot
-# tracelog
+#tracelog
 disable-mnt
 private-bin kalgebra,kalgebramobile
@@ -47,4 +47,4 @@ private-tmp
 dbus-user none
 dbus-system none
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-a-l/kate.profile b/etc/profile-a-l/kate.profile
index 152f73d5d..f141a25e1 100644
--- a/etc/profile-a-l/kate.profile
+++ b/etc/profile-a-l/kate.profile
@@ -28,17 +28,17 @@ noblacklist ${HOME}/.local/share/kxmlgui5/katesearch
 include allow-common-devel.inc
 include disable-common.inc
-# include disable-devel.inc
+#include disable-devel.inc
 include disable-exec.inc
-# include disable-interpreters.inc
+#include disable-interpreters.inc
 include disable-programs.inc
 include whitelist-run-common.inc
 include whitelist-var-common.inc
-# apparmor
+#apparmor
 caps.drop all
-# net none
+#net none
 netfilter
 nodvd
 nogroups
@@ -52,13 +52,13 @@ novideo
 protocol unix
 seccomp
-# private-bin kate,kbuildsycoca4,kdeinit4
+#private-bin kate,kbuildsycoca4,kdeinit4
 private-dev
-# private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,xdg
+#private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,xdg
 private-tmp
-# dbus-user none
+#dbus-user none
-# dbus-system none
+#dbus-system none
 restrict-namespaces
 join-or-start kate
diff --git a/etc/profile-a-l/kazam.profile b/etc/profile-a-l/kazam.profile
index 70414eeea..5a19d2f50 100644
--- a/etc/profile-a-l/kazam.profile
+++ b/etc/profile-a-l/kazam.profile
@@ -45,7 +45,7 @@ seccomp
 tracelog
 disable-mnt
-# private-bin kazam,python*
+#private-bin kazam,python*
 private-cache
 private-dev
 private-etc @x11
diff --git a/etc/profile-a-l/kcalc.profile b/etc/profile-a-l/kcalc.profile
index cfb756c43..9f10039df 100644
--- a/etc/profile-a-l/kcalc.profile
+++ b/etc/profile-a-l/kcalc.profile
@@ -60,7 +60,7 @@ private-bin kcalc
 private-cache
 private-dev
 private-etc
-# private-lib - problems on Arch
+#private-lib # problems on Arch
 private-tmp
 dbus-user none
diff --git a/etc/profile-a-l/kdeinit4.profile b/etc/profile-a-l/kdeinit4.profile
index 2f426e191..dce189c59 100644
--- a/etc/profile-a-l/kdeinit4.profile
+++ b/etc/profile-a-l/kdeinit4.profile
@@ -22,7 +22,7 @@ no3d
 nogroups
 noinput
 nonewprivs
-# nosound - disabled for knotify
+#nosound # disabled for knotify
 noroot
 nou2f
 novideo
diff --git a/etc/profile-a-l/kdenlive.profile b/etc/profile-a-l/kdenlive.profile
index d4933d816..717bfa8d6 100644
--- a/etc/profile-a-l/kdenlive.profile
+++ b/etc/profile-a-l/kdenlive.profile
@@ -21,7 +21,7 @@ include disable-programs.inc
 apparmor
 caps.drop all
-# net none
+#net none
 nodvd
 nogroups
 noinput
@@ -34,9 +34,9 @@ seccomp
 private-bin dbus-launch,dvdauthor,ffmpeg,ffplay,ffprobe,genisoimage,kdeinit4,kdeinit4_shutdown,kdeinit4_wrapper,kdeinit5,kdeinit5_shutdown,kdeinit5_wrapper,kdenlive,kdenlive_render,kshell4,kshell5,melt,mlt-melt,vlc,xine
 private-dev
-# private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,pulse,X11,xdg
+#private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,pulse,X11,xdg
-# dbus-user none
+#dbus-user none
-# dbus-system none
+#dbus-system none
 restrict-namespaces
diff --git a/etc/profile-a-l/kfind.profile b/etc/profile-a-l/kfind.profile
index c70030a38..115f785eb 100644
--- a/etc/profile-a-l/kfind.profile
+++ b/etc/profile-a-l/kfind.profile
@@ -9,21 +9,21 @@ include globals.local
 # searching in blacklisted or masked paths fails silently
 # adjust filesystem restrictions as necessary
-# noblacklist ${HOME}/.cache/kfind - disable-programs.inc is disabled, see below
+#noblacklist ${HOME}/.cache/kfind # disable-programs.inc is disabled, see below
-# noblacklist ${HOME}/.config/kfindrc
+#noblacklist ${HOME}/.config/kfindrc
-# noblacklist ${HOME}/.kde/share/config/kfindrc
+#noblacklist ${HOME}/.kde/share/config/kfindrc
-# noblacklist ${HOME}/.kde4/share/config/kfindrc
+#noblacklist ${HOME}/.kde4/share/config/kfindrc
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-# include disable-programs.inc
+#include disable-programs.inc
 apparmor
 caps.drop all
 machine-id
-# net none
+#net none
 netfilter
 no3d
 nodvd
@@ -38,11 +38,11 @@ novideo
 protocol unix
 seccomp
-# private-bin kbuildsycoca4,kdeinit4,kfind
+#private-bin kbuildsycoca4,kdeinit4,kfind
 private-dev
 private-tmp
-# dbus-user none
+#dbus-user none
-# dbus-system none
+#dbus-system none
 restrict-namespaces
diff --git a/etc/profile-a-l/kget.profile b/etc/profile-a-l/kget.profile
index dd45c1889..892577117 100644
--- a/etc/profile-a-l/kget.profile
+++ b/etc/profile-a-l/kget.profile
@@ -40,5 +40,5 @@ seccomp
 private-dev
 private-tmp
-# memory-deny-write-execute
+#memory-deny-write-execute
 restrict-namespaces
diff --git a/etc/profile-a-l/kiwix-desktop.profile b/etc/profile-a-l/kiwix-desktop.profile
index 2e369b945..9f41f41db 100644
--- a/etc/profile-a-l/kiwix-desktop.profile
+++ b/etc/profile-a-l/kiwix-desktop.profile
@@ -27,13 +27,13 @@ apparmor
 caps.drop all
 ipc-namespace
 netfilter
-# no3d
+#no3d
 nodvd
 nogroups
 noinput
 nonewprivs
 noroot
-# nosound
+#nosound
 notv
 nou2f
 novideo
@@ -49,4 +49,4 @@ private-tmp
 dbus-user none
 dbus-system none
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-a-l/kmail.profile b/etc/profile-a-l/kmail.profile
index 9724f4963..20d2c01d6 100644
--- a/etc/profile-a-l/kmail.profile
+++ b/etc/profile-a-l/kmail.profile
@@ -41,7 +41,7 @@ include disable-programs.inc
 include whitelist-run-common.inc
 include whitelist-var-common.inc
-# apparmor
+#apparmor
 caps.drop all
 netfilter
 nodvd
@@ -56,11 +56,11 @@ novideo
 protocol unix,inet,inet6,netlink
 # we need to allow chroot, io_getevents, ioprio_set, io_setup, io_submit system calls
 seccomp !chroot,!io_getevents,!io_setup,!io_submit,!ioprio_set
-# tracelog
+#tracelog
 private-dev
-# private-tmp - interrupts connection to akonadi, breaks opening of email attachments
+#private-tmp # interrupts connection to akonadi, breaks opening of email attachments
 # writable-run-user is needed for signing and encrypting emails
 writable-run-user
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-a-l/kmplayer.profile b/etc/profile-a-l/kmplayer.profile
index 992b312ee..7615f00c4 100644
--- a/etc/profile-a-l/kmplayer.profile
+++ b/etc/profile-a-l/kmplayer.profile
@@ -33,7 +33,7 @@ nou2f
 protocol unix,inet,inet6,netlink
 seccomp
-# private-bin kmplayer,mplayer
+#private-bin kmplayer,mplayer
 private-cache
 private-dev
 private-tmp
diff --git a/etc/profile-a-l/konversation.profile b/etc/profile-a-l/konversation.profile
index e4781fea3..10a823c89 100644
--- a/etc/profile-a-l/konversation.profile
+++ b/etc/profile-a-l/konversation.profile
@@ -42,5 +42,5 @@ private-cache
 private-dev
 private-tmp
-# memory-deny-write-execute
+#memory-deny-write-execute
 restrict-namespaces
diff --git a/etc/profile-a-l/krita.profile b/etc/profile-a-l/krita.profile
index a04376430..f61bf36a8 100644
--- a/etc/profile-a-l/krita.profile
+++ b/etc/profile-a-l/krita.profile
@@ -28,7 +28,7 @@ include disable-xdg.inc
 apparmor
 caps.drop all
 ipc-namespace
-# net none
+#net none
 netfilter
 nodvd
 nogroups
@@ -46,7 +46,7 @@ private-cache
 private-dev
 private-tmp
-# dbus-user none
+#dbus-user none
-# dbus-system none
+#dbus-system none
 restrict-namespaces
diff --git a/etc/profile-a-l/krunner.profile b/etc/profile-a-l/krunner.profile
index a0244ef47..8af3657d1 100644
--- a/etc/profile-a-l/krunner.profile
+++ b/etc/profile-a-l/krunner.profile
@@ -10,19 +10,19 @@ include globals.local
 # When a file is opened in krunner, the file viewer runs in its own sandbox
 # with its own profile, if it is sandboxed automatically.
-# noblacklist ${HOME}/.cache/krunner
+#noblacklist ${HOME}/.cache/krunner
-# noblacklist ${HOME}/.cache/krunnerbookmarkrunnerfirefoxdbfile.sqlite*
+#noblacklist ${HOME}/.cache/krunnerbookmarkrunnerfirefoxdbfile.sqlite*
-# noblacklist ${HOME}/.config/chromium
+#noblacklist ${HOME}/.config/chromium
 noblacklist ${HOME}/.config/krunnerrc
 noblacklist ${HOME}/.kde/share/config/krunnerrc
 noblacklist ${HOME}/.kde4/share/config/krunnerrc
-# noblacklist ${HOME}/.local/share/baloo
+#noblacklist ${HOME}/.local/share/baloo
-# noblacklist ${HOME}/.mozilla
+#noblacklist ${HOME}/.mozilla
 include disable-common.inc
-# include disable-devel.inc
+#include disable-devel.inc
-# include disable-interpreters.inc
+#include disable-interpreters.inc
-# include disable-programs.inc
+#include disable-programs.inc
 include whitelist-var-common.inc
@@ -34,6 +34,6 @@ noroot
 protocol unix,inet,inet6
 seccomp
-# private-cache
+#private-cache
 restrict-namespaces
diff --git a/etc/profile-a-l/ktorrent.profile b/etc/profile-a-l/ktorrent.profile
index da267b962..63bdc0b83 100644
--- a/etc/profile-a-l/ktorrent.profile
+++ b/etc/profile-a-l/ktorrent.profile
@@ -62,9 +62,9 @@ seccomp
 private-bin kbuildsycoca4,kdeinit4,ktmagnetdownloader,ktorrent,ktupnptest
 private-dev
-# private-lib - problems on Arch
+#private-lib # problems on Arch
 private-tmp
 deterministic-shutdown
-# memory-deny-write-execute
+#memory-deny-write-execute
 restrict-namespaces
diff --git a/etc/profile-a-l/kube.profile b/etc/profile-a-l/kube.profile
index 82336969d..1f8757edb 100644
--- a/etc/profile-a-l/kube.profile
+++ b/etc/profile-a-l/kube.profile
@@ -65,7 +65,7 @@ protocol unix,inet,inet6
 seccomp
 tracelog
-# disable-mnt
+#disable-mnt
 # Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg
 private-bin kube,sink_synchronizer
 private-cache
diff --git a/etc/profile-a-l/kwin_x11.profile b/etc/profile-a-l/kwin_x11.profile
index 589811643..da430377e 100644
--- a/etc/profile-a-l/kwin_x11.profile
+++ b/etc/profile-a-l/kwin_x11.profile
@@ -5,7 +5,7 @@ include kwin_x11.local
 # Persistent global definitions
 include globals.local
-# fix automatical kwin_x11 sandboxing:
+# fix automatic kwin_x11 sandboxing:
 # echo KDEWM=kwin_x11 >> ~/.pam_environment
 noblacklist ${HOME}/.cache/kwin
diff --git a/etc/profile-a-l/kwrite.profile b/etc/profile-a-l/kwrite.profile
index 34fe2ace6..efc6b7c56 100644
--- a/etc/profile-a-l/kwrite.profile
+++ b/etc/profile-a-l/kwrite.profile
@@ -29,14 +29,14 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
-# net none
+#net none
 netfilter
 nodvd
 nogroups
 noinput
 nonewprivs
 noroot
-# nosound - KWrite is using ALSA!
+#nosound # KWrite is using ALSA!
 notv
 nou2f
 novideo
@@ -49,8 +49,8 @@ private-dev
 private-etc @x11
 private-tmp
-# dbus-user none
+#dbus-user none
-# dbus-system none
+#dbus-system none
 restrict-namespaces
 join-or-start kwrite
diff --git a/etc/profile-a-l/less.profile b/etc/profile-a-l/less.profile
index 6efe23ade..661c0594a 100644
--- a/etc/profile-a-l/less.profile
+++ b/etc/profile-a-l/less.profile
@@ -36,8 +36,8 @@ x11 none
 # The user can have a custom coloring script configured in ${HOME}/.lessfilter.
 # Enable private-bin and private-lib if you are not using any filter.
-# private-bin less
+#private-bin less
-# private-lib
+#private-lib
 private-cache
 private-dev
 writable-var-log
diff --git a/etc/profile-a-l/lettura.profile b/etc/profile-a-l/lettura.profile
new file mode 100644
index 000000000..94a455355
--- /dev/null
+++ b/etc/profile-a-l/lettura.profile
@@ -0,0 +1,76 @@
+# Firejail profile for lettura
+# Description: Another free and open-source feed reader
+# This file is overwritten after every install/update
+# Persistent local customizations
+include lettura.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.cache/lettura
+noblacklist ${HOME}/.config/com.lettura.dev
+noblacklist ${HOME}/.lettura
+noblacklist ${HOME}/.local/share/com.lettura.dev
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+mkdir ${HOME}/.cache/lettura
+mkdir ${HOME}/.config/com.lettura.dev
+mkdir ${HOME}/.lettura
+mkdir ${HOME}/.local/share/com.lettura.dev
+whitelist ${HOME}/.cache/lettura
+whitelist ${HOME}/.config/com.lettura.dev
+whitelist ${HOME}/.lettura
+whitelist ${HOME}/.local/share/com.lettura.dev
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+# The lines below are needed to find the default Firefox profile name, to allow
+# opening links in an existing instance of Firefox (note that it still fails if
+# there isn't a Firefox instance running with the default profile; see #5352)
+noblacklist ${HOME}/.mozilla
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noprinters
+noroot
+#nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+tracelog
+disable-mnt
+private-bin lettura
+private-cache
+private-dev
+private-etc @network,@sound,@tls-ca,@x11,mime.types
+private-tmp
+dbus-user filter
+dbus-user.talk org.freedesktop.Notifications
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
+# allow D-Bus communication with firefox for opening links
+dbus-user.talk org.mozilla.*
+dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/liferea.profile b/etc/profile-a-l/liferea.profile
index b0e9015ee..739d2cc1e 100644
--- a/etc/profile-a-l/liferea.profile
+++ b/etc/profile-a-l/liferea.profile
@@ -33,13 +33,13 @@ include whitelist-var-common.inc
 caps.drop all
 netfilter
-# no3d
+#no3d
 nodvd
 nogroups
 noinput
 nonewprivs
 noroot
-# nosound
+#nosound
 notv
 nou2f
 novideo
diff --git a/etc/profile-a-l/links-common.profile b/etc/profile-a-l/links-common.profile
index 838d619b7..636560789 100644
--- a/etc/profile-a-l/links-common.profile
+++ b/etc/profile-a-l/links-common.profile
@@ -52,7 +52,7 @@ private-cache
 private-dev
 private-etc @tls-ca
 # Add the next line to your links-common.local to allow external media players.
-# private-etc alsa,asound.conf,machine-id,openal,pulse
+#private-etc alsa,asound.conf,machine-id,openal,pulse
 private-tmp
 dbus-user none
diff --git a/etc/profile-a-l/linuxqq.profile b/etc/profile-a-l/linuxqq.profile
index 6ca8b8103..e900c0914 100644
--- a/etc/profile-a-l/linuxqq.profile
+++ b/etc/profile-a-l/linuxqq.profile
@@ -17,6 +17,7 @@ mkdir ${HOME}/.config/QQ
 whitelist ${HOME}/.config/QQ
 whitelist ${HOME}/.mozilla/firefox/profiles.ini
 whitelist ${DESKTOP}
+whitelist /opt/QQ
 ignore apparmor
 noprinters
@@ -24,7 +25,6 @@ noprinters
 # If you don't need/want to save anything to disk you can add `private` to your linuxqq.local.
 #private
 private-etc @tls-ca,@x11,host.conf,os-release
-private-opt QQ
 dbus-user filter
 dbus-user.talk org.freedesktop.Notifications
diff --git a/etc/profile-a-l/lobster.profile b/etc/profile-a-l/lobster.profile
index 4daa1d010..f9dc4f60c 100644
--- a/etc/profile-a-l/lobster.profile
+++ b/etc/profile-a-l/lobster.profile
@@ -17,6 +17,7 @@ noblacklist ${HOME}/.config/ueberzugpp
 noblacklist ${HOME}/.local/share/applications/lobster
 noblacklist ${HOME}/.local/share/lobster
 noblacklist ${PATH}/openssl
+noblacklist ${PATH}/patch
 # Allow /bin/sh (blacklisted by disable-shell.inc)
 include allow-bin-sh.inc
diff --git a/etc/profile-a-l/lutris.profile b/etc/profile-a-l/lutris.profile
index 2658c5373..c3497c3bd 100644
--- a/etc/profile-a-l/lutris.profile
+++ b/etc/profile-a-l/lutris.profile
@@ -13,7 +13,7 @@ noblacklist ${HOME}/.cache/wine
 noblacklist ${HOME}/.cache/winetricks
 noblacklist ${HOME}/.config/lutris
 noblacklist ${HOME}/.local/share/lutris
-# noblacklist ${HOME}/.wine
+#noblacklist ${HOME}/.wine
 noblacklist /tmp/.wine-*
 # Don't block access to /sbin and /usr/sbin to allow using ldconfig. Otherwise
 # Lutris won't even start.
@@ -39,7 +39,7 @@ mkdir ${HOME}/.cache/wine
 mkdir ${HOME}/.cache/winetricks
 mkdir ${HOME}/.config/lutris
 mkdir ${HOME}/.local/share/lutris
-# mkdir ${HOME}/.wine
+#mkdir ${HOME}/.wine
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/Games
 whitelist ${HOME}/.cache/lutris
@@ -47,7 +47,7 @@ whitelist ${HOME}/.cache/wine
 whitelist ${HOME}/.cache/winetricks
 whitelist ${HOME}/.config/lutris
 whitelist ${HOME}/.local/share/lutris
-# whitelist ${HOME}/.wine
+#whitelist ${HOME}/.wine
 whitelist /usr/share/lutris
 whitelist /usr/share/wine
 include whitelist-common.inc
@@ -55,11 +55,11 @@ include whitelist-usr-share-common.inc
 include whitelist-runuser-common.inc
 include whitelist-var-common.inc
-# allow-debuggers
+#allow-debuggers
-# apparmor
+#apparmor
 caps.drop all
 ipc-namespace
-# net none
+#net none
 netfilter
 nodvd
 nogroups
diff --git a/etc/profile-a-l/lynx.profile b/etc/profile-a-l/lynx.profile
index caf8de104..248061b3f 100644
--- a/etc/profile-a-l/lynx.profile
+++ b/etc/profile-a-l/lynx.profile
@@ -34,10 +34,10 @@ protocol unix,inet,inet6
 seccomp
 tracelog
-# private-bin lynx
+#private-bin lynx
 private-cache
 private-dev
-# private-etc alternatives,ca-certificates,crypto-policies,pki,ssl
+#private-etc alternatives,ca-certificates,crypto-policies,pki,ssl
 private-tmp
 restrict-namespaces
diff --git a/etc/profile-a-l/lyx.profile b/etc/profile-a-l/lyx.profile
index c3366acef..d210333c3 100644
--- a/etc/profile-a-l/lyx.profile
+++ b/etc/profile-a-l/lyx.profile
@@ -31,7 +31,7 @@ include whitelist-usr-share-common.inc
 apparmor
 machine-id
-# private-bin atril,dvilualatex,env,latex,lua*,luatex,lyx,lyxclient,okular,pdf2latex,pdflatex,pdftex,perl*,python*,qpdf,qpdfview,sh,tex2lyx,texmf,xelatex
+#private-bin atril,dvilualatex,env,latex,lua*,luatex,lyx,lyxclient,okular,pdf2latex,pdflatex,pdftex,perl*,python*,qpdf,qpdfview,sh,tex2lyx,texmf,xelatex
 private-etc @x11,lyx,mime.types,texmf
 # Redirect
diff --git a/etc/profile-m-z/PCSX2.profile b/etc/profile-m-z/PCSX2.profile
index e75de80ac..a6a9ba6bc 100644
--- a/etc/profile-m-z/PCSX2.profile
+++ b/etc/profile-m-z/PCSX2.profile
@@ -40,8 +40,8 @@ notv
 nou2f
 novideo
 protocol unix,netlink
-#seccomp - breaks loading with no logs
+#seccomp # breaks loading with no logs
-#tracelog - 32/64 bit incompatibility
+#tracelog # 32/64 bit incompatibility
 private-bin PCSX2
 private-cache
diff --git a/etc/profile-m-z/QMediathekView.profile b/etc/profile-m-z/QMediathekView.profile
index 0e18b3cdf..dd5639268 100644
--- a/etc/profile-m-z/QMediathekView.profile
+++ b/etc/profile-m-z/QMediathekView.profile
@@ -57,7 +57,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
-# no3d
+#no3d
 nodvd
 nogroups
 noinput
@@ -81,5 +81,5 @@ private-tmp
 dbus-user none
 dbus-system none
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 restrict-namespaces
diff --git a/etc/profile-m-z/Viber.profile b/etc/profile-m-z/Viber.profile
index 34d500bb1..fe1f9b877 100644
--- a/etc/profile-m-z/Viber.profile
+++ b/etc/profile-m-z/Viber.profile
@@ -35,4 +35,4 @@ private-bin awk,bash,dig,sh,Viber
 private-etc @tls-ca,@x11,mailcap,proxychains.conf
 private-tmp
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-m-z/Xephyr.profile b/etc/profile-m-z/Xephyr.profile
index 0c3d4c1da..aae1808dd 100644
--- a/etc/profile-m-z/Xephyr.profile
+++ b/etc/profile-m-z/Xephyr.profile
@@ -25,7 +25,7 @@ nogroups
 noinput
 nonewprivs
 # In noroot mode, Xephyr cannot create a socket in the real /tmp/.X11-unix.
-# noroot
+#noroot
 nosound
 notv
 nou2f
@@ -35,10 +35,10 @@ seccomp
 disable-mnt
 # using a private home directory
 private
-# private-bin sh,Xephyr,xkbcomp
+#private-bin sh,Xephyr,xkbcomp
-# private-bin bash,cat,ls,sh,strace,Xephyr,xkbcomp
+#private-bin bash,cat,ls,sh,strace,Xephyr,xkbcomp
 private-dev
-# private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,nsswitch.conf,resolv.conf
+#private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,nsswitch.conf,resolv.conf
 #private-tmp
 restrict-namespaces
diff --git a/etc/profile-m-z/Xvfb.profile b/etc/profile-m-z/Xvfb.profile
index 2bb9f171a..052ea520d 100644
--- a/etc/profile-m-z/Xvfb.profile
+++ b/etc/profile-m-z/Xvfb.profile
@@ -39,8 +39,8 @@ seccomp
 disable-mnt
 # using a private home directory
 private
-# private-bin sh,xkbcomp,Xvfb
+#private-bin sh,xkbcomp,Xvfb
-# private-bin bash,cat,ls,sh,strace,xkbcomp,Xvfb
+#private-bin bash,cat,ls,sh,strace,xkbcomp,Xvfb
 private-dev
 private-etc gai.conf,host.conf
 private-tmp
diff --git a/etc/profile-m-z/makepkg.profile b/etc/profile-m-z/makepkg.profile
index 266d00395..b6afbad59 100644
--- a/etc/profile-m-z/makepkg.profile
+++ b/etc/profile-m-z/makepkg.profile
@@ -14,8 +14,8 @@ blacklist ${RUNUSER}/wayland-*
 # for potential issues and their solutions when Firejailing makepkg
 # This profile could be significantly strengthened by adding the following to makepkg.local
-# whitelist ${HOME}/<Your Build Folder>
+#whitelist ${HOME}/<Your Build Folder>
-# whitelist ${HOME}/.gnupg
+#whitelist ${HOME}/.gnupg
 # Enable severely restricted access to ${HOME}/.gnupg
 noblacklist ${HOME}/.gnupg
diff --git a/etc/profile-m-z/microsoft-edge-beta.profile b/etc/profile-m-z/microsoft-edge-beta.profile
index 6843c11c7..e07bbe6e5 100644
--- a/etc/profile-m-z/microsoft-edge-beta.profile
+++ b/etc/profile-m-z/microsoft-edge-beta.profile
@@ -14,10 +14,7 @@ mkdir ${HOME}/.cache/microsoft-edge-beta
 mkdir ${HOME}/.config/microsoft-edge-beta
 whitelist ${HOME}/.cache/microsoft-edge-beta
 whitelist ${HOME}/.config/microsoft-edge-beta
 whitelist /opt/microsoft/msedge-beta
-# private-opt might break the file-copy-limit, see #5307
-#private-opt microsoft
 # Redirect
 include chromium-common.profile
diff --git a/etc/profile-m-z/midori.profile b/etc/profile-m-z/midori.profile
index d1655fabb..fcc4845df 100644
--- a/etc/profile-m-z/midori.profile
+++ b/etc/profile-m-z/midori.profile
@@ -13,8 +13,8 @@ noblacklist ${HOME}/.cache/midori
 noblacklist ${HOME}/.config/midori
 noblacklist ${HOME}/.local/share/midori
 noblacklist ${HOME}/.local/share/pki
-# noblacklist ${HOME}/.local/share/webkit
+#noblacklist ${HOME}/.local/share/webkit
-# noblacklist ${HOME}/.local/share/webkitgtk
+#noblacklist ${HOME}/.local/share/webkitgtk
 noblacklist ${HOME}/.pki
 noblacklist ${HOME}/.cache/gnome-mplayer
@@ -54,7 +54,7 @@ caps.drop all
 netfilter
 nodvd
 nonewprivs
-# noroot - problems on Ubuntu 14.04
+#noroot # problems on Ubuntu 14.04
 notv
 protocol unix,inet,inet6,netlink
 seccomp
diff --git a/etc/profile-m-z/mocp.profile b/etc/profile-m-z/mocp.profile
index 2ba03ec97..0a5e4255a 100644
--- a/etc/profile-m-z/mocp.profile
+++ b/etc/profile-m-z/mocp.profile
@@ -10,15 +10,24 @@ include globals.local
 noblacklist ${HOME}/.moc
 noblacklist ${MUSIC}
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
+include disable-proc.inc
 include disable-programs.inc
 include disable-xdg.inc
-include whitelist-usr-share-common.inc
+mkdir ${HOME}/.moc
+whitelist ${HOME}/.moc
+whitelist ${MUSIC}
+include whitelist-common.inc
+include whitelist-run-common.inc
 include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 apparmor
@@ -30,18 +39,20 @@ nodvd
 nogroups
 noinput
 nonewprivs
+noprinters
 noroot
 notv
 nou2f
 novideo
-protocol unix,inet,inet6,netlink
+protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 tracelog
 private-bin mocp
 private-cache
 private-dev
-private-etc @tls-ca
+private-etc @network,@tls-ca
 private-tmp
 dbus-user none
diff --git a/etc/profile-m-z/mpDris2.profile b/etc/profile-m-z/mpDris2.profile
index a9631733c..ab1c93eaf 100644
--- a/etc/profile-m-z/mpDris2.profile
+++ b/etc/profile-m-z/mpDris2.profile
@@ -52,7 +52,11 @@ private-etc
 private-lib libdbus-1.so.*,libdbus-glib-1.so.*,libgirepository-1.0.so.*,libnotify.so.*,libpython*,python2*,python3*
 private-tmp
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+dbus-user filter
+dbus-user.own org.mpris.MediaPlayer2.mpd
+dbus-system none
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 read-only ${HOME}
 restrict-namespaces
diff --git a/etc/profile-m-z/mpd.profile b/etc/profile-m-z/mpd.profile
index d1c4bd24f..6bf881faf 100644
--- a/etc/profile-m-z/mpd.profile
+++ b/etc/profile-m-z/mpd.profile
@@ -41,4 +41,8 @@ private-cache
 private-dev
 private-tmp
+dbus-user filter
+dbus-user.talk org.mpris.MediaPlayer2.mpd
+dbus-system none
 restrict-namespaces
diff --git a/etc/profile-m-z/mplayer.profile b/etc/profile-m-z/mplayer.profile
index 7d9ff39ad..bdb9fa51d 100644
--- a/etc/profile-m-z/mplayer.profile
+++ b/etc/profile-m-z/mplayer.profile
@@ -24,9 +24,9 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
-# net none - mplayer can be used for streaming.
+#net none # mplayer can be used for streaming.
 netfilter
-# nogroups
+#nogroups
 noinput
 nonewprivs
 noroot
diff --git a/etc/profile-m-z/mullvad-browser.profile b/etc/profile-m-z/mullvad-browser.profile
index b9eb57743..6706386aa 100644
--- a/etc/profile-m-z/mullvad-browser.profile
+++ b/etc/profile-m-z/mullvad-browser.profile
@@ -73,13 +73,12 @@ novideo
 protocol unix,inet,inet6
 seccomp !chroot
 seccomp.block-secondary
-#tracelog - may cause issues, see #1930
+#tracelog # may cause issues, see #1930
 disable-mnt
 private-bin bash,cat,cp,cut,dirname,env,expr,file,gpg,grep,gxmessage,id,kdialog,ln,mkdir,mullvad-browser,mv,python*,rm,sed,sh,tail,tar,tclsh,test,update-desktop-database,xmessage,xz,zenity
 private-dev
 private-etc @tls-ca
-#private-opt mullvad-browser - can cause slow startup
 private-tmp
 blacklist ${PATH}/curl
diff --git a/etc/profile-m-z/multimc5.profile b/etc/profile-m-z/multimc5.profile
index 73107680c..41f82bd07 100644
--- a/etc/profile-m-z/multimc5.profile
+++ b/etc/profile-m-z/multimc5.profile
@@ -41,12 +41,12 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6
-# seccomp
+#seccomp
 disable-mnt
 # private-bin works, but causes weirdness
-# private-bin apt-file,awk,bash,chmod,dirname,dnf,grep,java,kdialog,ldd,mkdir,multimc5,pfl,pkgfile,readlink,sort,valgrind,which,yum,zenity,zypper
+#private-bin apt-file,awk,bash,chmod,dirname,dnf,grep,java,kdialog,ldd,mkdir,multimc5,pfl,pkgfile,readlink,sort,valgrind,which,yum,zenity,zypper
 private-dev
 private-tmp
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-m-z/mumble.profile b/etc/profile-m-z/mumble.profile
index ef09e6fca..52dc46800 100644
--- a/etc/profile-m-z/mumble.profile
+++ b/etc/profile-m-z/mumble.profile
@@ -41,5 +41,5 @@ disable-mnt
 private-bin mumble
 private-tmp
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 restrict-namespaces
diff --git a/etc/profile-m-z/musescore.profile b/etc/profile-m-z/musescore.profile
index ca951f70c..b62674ad6 100644
--- a/etc/profile-m-z/musescore.profile
+++ b/etc/profile-m-z/musescore.profile
@@ -37,7 +37,7 @@ protocol unix,inet,inet6
 seccomp !chroot
 tracelog
-# private-bin musescore,mscore
+#private-bin musescore,mscore
 private-tmp
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-m-z/musixmatch.profile b/etc/profile-m-z/musixmatch.profile
index 7ce7fbd19..d67cd24bd 100644
--- a/etc/profile-m-z/musixmatch.profile
+++ b/etc/profile-m-z/musixmatch.profile
@@ -35,4 +35,4 @@ disable-mnt
 private-dev
 private-etc @tls-ca
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-m-z/mutt.profile b/etc/profile-m-z/mutt.profile
index 288ffedf1..ab1e0ab02 100644
--- a/etc/profile-m-z/mutt.profile
+++ b/etc/profile-m-z/mutt.profile
@@ -13,6 +13,7 @@ noblacklist ${DOCUMENTS}
 noblacklist ${HOME}/.Mail
 noblacklist ${HOME}/.bogofilter
 noblacklist ${HOME}/.cache/mutt
+noblacklist ${HOME}/.config/msmtp
 noblacklist ${HOME}/.config/mutt
 noblacklist ${HOME}/.config/nano
 noblacklist ${HOME}/.elinks
@@ -35,6 +36,7 @@ noblacklist ${HOME}/Mail
 noblacklist ${HOME}/mail
 noblacklist ${HOME}/postponed
 noblacklist ${HOME}/sent
+noblacklist /etc/msmtprc
 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
@@ -69,6 +71,7 @@ whitelist ${DOWNLOADS}
 whitelist ${HOME}/.Mail
 whitelist ${HOME}/.bogofilter
 whitelist ${HOME}/.cache/mutt
+whitelist ${HOME}/.config/msmtp
 whitelist ${HOME}/.config/mutt
 whitelist ${HOME}/.config/nano
 whitelist ${HOME}/.elinks
@@ -121,10 +124,10 @@ seccomp
 seccomp.block-secondary
 tracelog
-# disable-mnt
+#disable-mnt
 private-cache
 private-dev
-private-etc @tls-ca,@x11,Mutt,Muttrc,Muttrc.d,gai.conf,gnupg,gnutls,hosts.conf,mail,mailname,nntpserver,terminfo
+private-etc @tls-ca,@x11,msmtprc,Mutt,Muttrc,Muttrc.d,gai.conf,gnupg,gnutls,hosts.conf,mail,mailname,nntpserver,terminfo
 private-tmp
 writable-run-user
 writable-var
diff --git a/etc/profile-m-z/nano.profile b/etc/profile-m-z/nano.profile
index 6b4074dfb..ba63b2067 100644
--- a/etc/profile-m-z/nano.profile
+++ b/etc/profile-m-z/nano.profile
@@ -41,7 +41,7 @@ seccomp
 tracelog
 x11 none
-# disable-mnt
+#disable-mnt
 private-bin nano,rnano
 private-cache
 private-dev
diff --git a/etc/profile-m-z/ncdu.profile b/etc/profile-m-z/ncdu.profile
index 09687199b..5cfd8290a 100644
--- a/etc/profile-m-z/ncdu.profile
+++ b/etc/profile-m-z/ncdu.profile
@@ -29,7 +29,7 @@ seccomp
 x11 none
 private-dev
-# private-tmp
+#private-tmp
 dbus-user none
 dbus-system none
diff --git a/etc/profile-m-z/neochat.profile b/etc/profile-m-z/neochat.profile
index 80e28a5e5..d1a36e079 100644
--- a/etc/profile-m-z/neochat.profile
+++ b/etc/profile-m-z/neochat.profile
@@ -45,7 +45,7 @@ nosound
 notv
 nou2f
 novideo
-protocol unix,inet,inet6
+protocol unix,inet,inet6,netlink
 seccomp
 seccomp.block-secondary
 tracelog
diff --git a/etc/profile-m-z/neomutt.profile b/etc/profile-m-z/neomutt.profile
index 5bd1e7cba..b15e98424 100644
--- a/etc/profile-m-z/neomutt.profile
+++ b/etc/profile-m-z/neomutt.profile
@@ -10,6 +10,7 @@ include globals.local
 noblacklist ${DOCUMENTS}
 noblacklist ${HOME}/.Mail
 noblacklist ${HOME}/.bogofilter
+noblacklist ${HOME}/.config/msmtp
 noblacklist ${HOME}/.config/mutt
 noblacklist ${HOME}/.config/nano
 noblacklist ${HOME}/.config/neomutt
@@ -34,6 +35,7 @@ noblacklist ${HOME}/Mail
 noblacklist ${HOME}/mail
 noblacklist ${HOME}/postponed
 noblacklist ${HOME}/sent
+noblacklist /etc/msmtprc
 noblacklist /var/mail
 noblacklist /var/spool/mail
@@ -59,6 +61,7 @@ whitelist ${DOCUMENTS}
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.Mail
 whitelist ${HOME}/.bogofilter
+whitelist ${HOME}/.config/msmtp
 whitelist ${HOME}/.config/mutt
 whitelist ${HOME}/.config/nano
 whitelist ${HOME}/.config/neomutt
@@ -113,10 +116,10 @@ seccomp
 seccomp.block-secondary
 tracelog
-# disable-mnt
+#disable-mnt
 private-cache
 private-dev
-private-etc @tls-ca,@x11,Mutt,Muttrc,Muttrc.d,gnupg,hosts.conf,mail,mailname,neomuttrc,neomuttrc.d,nntpserver
+private-etc @tls-ca,@x11,msmtprc,Mutt,Muttrc,Muttrc.d,gnupg,hosts.conf,mail,mailname,neomuttrc,neomuttrc.d,nntpserver
 private-tmp
 writable-run-user
 writable-var
diff --git a/etc/profile-m-z/nicotine.profile b/etc/profile-m-z/nicotine.profile
index 568899eea..d1680e666 100644
--- a/etc/profile-m-z/nicotine.profile
+++ b/etc/profile-m-z/nicotine.profile
@@ -43,7 +43,6 @@ noinput
 nonewprivs
 noprinters
 noroot
-nosound
 notv
 nou2f
 novideo
@@ -57,7 +56,9 @@ private-cache
 private-dev
 private-tmp
-dbus-user none
+dbus-user filter
+dbus-user.own org.nicotine_plus.Nicotine
+dbus-user.talk ca.desrt.dconf
 dbus-system none
 restrict-namespaces
diff --git a/etc/profile-m-z/nitroshare.profile b/etc/profile-m-z/nitroshare.profile
index 7a97ca825..254eb789a 100644
--- a/etc/profile-m-z/nitroshare.profile
+++ b/etc/profile-m-z/nitroshare.profile
@@ -42,11 +42,11 @@ private-bin awk,grep,nitroshare,nitroshare-cli,nitroshare-nmh,nitroshare-send,ni
 private-cache
 private-dev
 private-etc @tls-ca,@x11
-# private-lib libnitroshare.so.*,libqhttpengine.so.*,libqmdnsengine.so.*,nitroshare
+#private-lib libnitroshare.so.*,libqhttpengine.so.*,libqmdnsengine.so.*,nitroshare
 private-tmp
-# dbus-user none
+#dbus-user none
-# dbus-system none
+#dbus-system none
-# memory-deny-write-execute
+#memory-deny-write-execute
 restrict-namespaces
diff --git a/etc/profile-m-z/nodejs-common.profile b/etc/profile-m-z/nodejs-common.profile
index 4c463521c..f301196c6 100644
--- a/etc/profile-m-z/nodejs-common.profile
+++ b/etc/profile-m-z/nodejs-common.profile
@@ -7,7 +7,7 @@ include nodejs-common.local
 # added by caller profile
 #include globals.local
-# Note: gulp, node-gyp, npm, npx, semver and yarn are all node scripts
+# Note: gulp, node-gyp, npm, npx, pnpm, pnpx, semver and yarn are all node scripts
 # using the `#!/usr/bin/env node` shebang. By sandboxing node the full
 # node.js stack will be firejailed. The only exception is nvm, which is implemented
 # as a sourced shell function, not an executable binary. Hence it is not
@@ -22,6 +22,7 @@ ignore read-only ${HOME}/.npmrc
 ignore read-only ${HOME}/.nvm
 ignore read-only ${HOME}/.yarnrc
+noblacklist ${HOME}/.local/share/pnpm
 noblacklist ${HOME}/.node-gyp
 noblacklist ${HOME}/.npm
 noblacklist ${HOME}/.npmrc
@@ -43,6 +44,7 @@ include disable-xdg.inc
 # If you want whitelisting, change ${HOME}/Projects below to your node projects directory
 # and add the next lines to your nodejs-common.local.
+#mkdir ${HOME}/.local/share/pnpm
 #mkdir ${HOME}/.node-gyp
 #mkdir ${HOME}/.npm
 #mkdir ${HOME}/.npm-packages
@@ -52,6 +54,7 @@ include disable-xdg.inc
 #mkdir ${HOME}/.yarn-config
 #mkdir ${HOME}/.yarncache
 #mkfile ${HOME}/.yarnrc
+#whitelist ${HOME}/.local/share/pnpm
 #whitelist ${HOME}/.node-gyp
 #whitelist ${HOME}/.npm
 #whitelist ${HOME}/.npm-packages
diff --git a/etc/profile-m-z/notable.profile b/etc/profile-m-z/notable.profile
index 9fbbf94c0..4bd3d45ac 100644
--- a/etc/profile-m-z/notable.profile
+++ b/etc/profile-m-z/notable.profile
@@ -14,11 +14,12 @@ include globals.local
 noblacklist ${HOME}/.config/Notable
 noblacklist ${HOME}/.notable
+whitelist /opt/Notable
 net none
 nosound
 ?HAS_APPIMAGE: ignore private-dev
-private-opt Notable
 dbus-user filter
 dbus-user.talk ca.desrt.dconf
diff --git a/etc/profile-m-z/nuclear.profile b/etc/profile-m-z/nuclear.profile
index dec48c827..6d1e3cd8a 100644
--- a/etc/profile-m-z/nuclear.profile
+++ b/etc/profile-m-z/nuclear.profile
@@ -14,12 +14,12 @@ include disable-shell.inc
 mkdir ${HOME}/.config/nuclear
 whitelist ${HOME}/.config/nuclear
+whitelist /opt/nuclear
 no3d
-# private-bin nuclear
+#private-bin nuclear
 private-etc @tls-ca,@x11,host.conf,mime.types
-private-opt nuclear
 # Redirect
 include electron-common.profile
diff --git a/etc/profile-m-z/ocenaudio.profile b/etc/profile-m-z/ocenaudio.profile
index 830483bd4..3fe5a4712 100644
--- a/etc/profile-m-z/ocenaudio.profile
+++ b/etc/profile-m-z/ocenaudio.profile
@@ -25,6 +25,7 @@ whitelist ${HOME}/.cache/ocenaudio
 whitelist ${HOME}/.local/share/ocenaudio
 whitelist ${DOWNLOADS}
 whitelist ${MUSIC}
+whitelist /opt/ocenaudio
 include whitelist-common.inc
 include whitelist-run-common.inc
 include whitelist-runuser-common.inc
@@ -54,7 +55,6 @@ private-bin ocenaudio,ocenvst
 private-cache
 private-dev
 private-etc @tls-ca,@x11,mime.types
-private-opt ocenaudio
 private-tmp
 dbus-user none
diff --git a/etc/profile-m-z/okular.profile b/etc/profile-m-z/okular.profile
index 8e0758c37..ac573dc47 100644
--- a/etc/profile-m-z/okular.profile
+++ b/etc/profile-m-z/okular.profile
@@ -44,7 +44,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 machine-id
-# net none
+#net none
 netfilter
 nodvd
 nogroups
@@ -62,12 +62,13 @@ tracelog
 private-bin kbuildsycoca4,kdeinit4,lpr,okular,unar,unrar
 private-dev
 private-etc @x11,cups
-# private-tmp - on KDE we need access to the real /tmp for data exchange with email clients
+# on KDE we need access to the real /tmp for data exchange with email clients
+#private-tmp
-# dbus-user none
+#dbus-user none
-# dbus-system none
+#dbus-system none
-# memory-deny-write-execute
+#memory-deny-write-execute
 restrict-namespaces
 join-or-start okular
diff --git a/etc/profile-m-z/onionshare-gui.profile b/etc/profile-m-z/onionshare-gui.profile
index 47ac9fc05..3338cadf5 100644
--- a/etc/profile-m-z/onionshare-gui.profile
+++ b/etc/profile-m-z/onionshare-gui.profile
@@ -50,7 +50,7 @@ novideo
 protocol unix,inet,inet6
 seccomp
 seccomp.block-secondary
-#tracelog - may cause issues, see #1930
+#tracelog # may cause issues, see #1930
 disable-mnt
 private-bin onionshare,onionshare-cli,onionshare-gui,python*,tor*
diff --git a/etc/profile-m-z/openclonk.profile b/etc/profile-m-z/openclonk.profile
index 3449ac686..e10f6011b 100644
--- a/etc/profile-m-z/openclonk.profile
+++ b/etc/profile-m-z/openclonk.profile
@@ -24,7 +24,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 ipc-namespace
-# net none - networked game
+#net none # networked game
 netfilter
 nodvd
 nogroups
diff --git a/etc/profile-m-z/orage.profile b/etc/profile-m-z/orage.profile
index fa16c05e2..c4849b958 100644
--- a/etc/profile-m-z/orage.profile
+++ b/etc/profile-m-z/orage.profile
@@ -24,7 +24,7 @@ nogroups
 noinput
 nonewprivs
 noroot
-# nosound - calendar application, It must be able to play sound to wake you up.
+#nosound # calendar application, It must be able to play sound to wake you up.
 notv
 nou2f
 novideo
diff --git a/etc/profile-m-z/otter-browser.profile b/etc/profile-m-z/otter-browser.profile
index a1c0462ba..76d4a2c52 100644
--- a/etc/profile-m-z/otter-browser.profile
+++ b/etc/profile-m-z/otter-browser.profile
@@ -57,4 +57,4 @@ private-tmp
 dbus-system none
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-m-z/palemoon.profile b/etc/profile-m-z/palemoon.profile
index ab4e24595..8917a9bc5 100644
--- a/etc/profile-m-z/palemoon.profile
+++ b/etc/profile-m-z/palemoon.profile
@@ -12,6 +12,7 @@ mkdir ${HOME}/.cache/moonchild productions/pale moon
 mkdir ${HOME}/.moonchild productions
 whitelist ${HOME}/.cache/moonchild productions/pale moon
 whitelist ${HOME}/.moonchild productions
+whitelist /opt/palemoon
 whitelist /usr/share/moonchild productions
 whitelist /usr/share/palemoon
@@ -22,7 +23,6 @@ ignore seccomp
 #private-bin palemoon
 # private-etc must first be enabled in firefox-common.profile
 #private-etc palemoon
-#private-opt palemoon
 restrict-namespaces
 ignore restrict-namespaces
diff --git a/etc/profile-m-z/patch.profile b/etc/profile-m-z/patch.profile
index 5a0f69f79..23e734b43 100644
--- a/etc/profile-m-z/patch.profile
+++ b/etc/profile-m-z/patch.profile
@@ -10,6 +10,7 @@ include globals.local
 blacklist ${RUNUSER}
 noblacklist ${DOCUMENTS}
+noblacklist ${PATH}/patch
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/pavucontrol-qt.profile b/etc/profile-m-z/pavucontrol-qt.profile
index f96ba14d2..79ed8777d 100644
--- a/etc/profile-m-z/pavucontrol-qt.profile
+++ b/etc/profile-m-z/pavucontrol-qt.profile
@@ -9,8 +9,9 @@ include pavucontrol-qt.local
 noblacklist ${HOME}/.config/pavucontrol-qt
-mkdir ${HOME}/.config/pavucontrol-qt
+# whitelisting in ${HOME} is broken, see #3112
-whitelist ${HOME}/.config/pavucontrol-qt
+#mkdir ${HOME}/.config/pavucontrol-qt
+#whitelist ${HOME}/.config/pavucontrol-qt
 private-bin pavucontrol-qt
 ignore private-lib
diff --git a/etc/profile-m-z/pidgin.profile b/etc/profile-m-z/pidgin.profile
index a852a2a18..5bc0bd700 100644
--- a/etc/profile-m-z/pidgin.profile
+++ b/etc/profile-m-z/pidgin.profile
@@ -40,7 +40,7 @@ protocol unix,inet,inet6,netlink
 seccomp
 tracelog
-# private-bin pidgin
+#private-bin pidgin
 private-cache
 private-dev
 private-tmp
diff --git a/etc/profile-m-z/ping.profile b/etc/profile-m-z/ping.profile
index d563064e1..c3aa0a501 100644
--- a/etc/profile-m-z/ping.profile
+++ b/etc/profile-m-z/ping.profile
@@ -55,7 +55,7 @@ tracelog
 disable-mnt
 private
-#private-bin ping - has mammoth problems with execvp: "No such file or directory"
+#private-bin ping # has mammoth problems with execvp: "No such file or directory"
 private-cache
 private-dev
 private-etc @tls-ca
diff --git a/etc/profile-m-z/pluma.profile b/etc/profile-m-z/pluma.profile
index efcdaa661..6e56208d5 100644
--- a/etc/profile-m-z/pluma.profile
+++ b/etc/profile-m-z/pluma.profile
@@ -21,10 +21,10 @@ include disable-shell.inc
 include whitelist-var-common.inc
-# apparmor - makes settings immutable
+#apparmor # makes settings immutable
 caps.drop all
 machine-id
-# net none - makes settings immutable
+#net none # makes settings immutable
 no3d
 nodvd
 nogroups
@@ -45,8 +45,8 @@ private-lib aspell,gconv,libgspell-1.so.*,libreadline.so.*,libtinfo.so.*,pluma
 private-tmp
 # makes settings immutable
-# dbus-user none
+#dbus-user none
-# dbus-system none
+#dbus-system none
 restrict-namespaces
 join-or-start pluma
diff --git a/etc/profile-m-z/plv.profile b/etc/profile-m-z/plv.profile
index 34e18cbd7..38fa01553 100644
--- a/etc/profile-m-z/plv.profile
+++ b/etc/profile-m-z/plv.profile
@@ -53,7 +53,7 @@ writable-var-log
 dbus-user none
 dbus-system none
-#memory-deny-write-execute - breaks opening file-chooser
+#memory-deny-write-execute # breaks opening file-chooser
 read-only ${HOME}
 read-write ${HOME}/.config/PacmanLogViewer
 read-only /var/log/pacman.log
diff --git a/etc/profile-m-z/pnpm.profile b/etc/profile-m-z/pnpm.profile
new file mode 100644
index 000000000..08f88be43
--- /dev/null
+++ b/etc/profile-m-z/pnpm.profile
@@ -0,0 +1,11 @@
+# Firejail profile for pnpm
+# Description: Fast, disk space efficient package manager
+quiet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pnpm.local
+# Persistent global definitions
+include globals.local
+# Redirect
+include nodejs-common.profile
diff --git a/etc/profile-m-z/pnpx.profile b/etc/profile-m-z/pnpx.profile
new file mode 100644
index 000000000..a99d1232a
--- /dev/null
+++ b/etc/profile-m-z/pnpx.profile
@@ -0,0 +1,11 @@
+# Firejail profile for pnpx
+# Description: Part of the Node.js stack
+quiet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pnpx.local
+# Persistent global definitions
+include globals.local
+# Redirect
+include nodejs-common.profile
diff --git a/etc/profile-m-z/psi-plus.profile b/etc/profile-m-z/psi-plus.profile
index af117c3b5..7a735bba7 100644
--- a/etc/profile-m-z/psi-plus.profile
+++ b/etc/profile-m-z/psi-plus.profile
@@ -43,4 +43,4 @@ disable-mnt
 private-dev
 private-tmp
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-m-z/psi.profile b/etc/profile-m-z/psi.profile
index a1a0606b9..1417a87c9 100644
--- a/etc/profile-m-z/psi.profile
+++ b/etc/profile-m-z/psi.profile
@@ -62,7 +62,7 @@ novideo
 nou2f
 protocol unix,inet,inet6,netlink
 seccomp !chroot
-#tracelog - breaks on Arch
+#tracelog # breaks on Arch
 disable-mnt
 # Add the next line to your psi.local to enable GPG support.
diff --git a/etc/profile-m-z/pycharm-community.profile b/etc/profile-m-z/pycharm-community.profile
index 875b83e8e..fa307fc88 100644
--- a/etc/profile-m-z/pycharm-community.profile
+++ b/etc/profile-m-z/pycharm-community.profile
@@ -34,8 +34,8 @@ nou2f
 novideo
 tracelog
-# private-etc alternatives,fonts,passwd - minimal required to run but will probably break
+# minimum required to run but will probably break the program!
-# program!
+#private-etc alternatives,fonts,passwd
 private-dev
 private-tmp
diff --git a/etc/profile-m-z/qbittorrent.profile b/etc/profile-m-z/qbittorrent.profile
index 9605da3ac..ae0a2cdf1 100644
--- a/etc/profile-m-z/qbittorrent.profile
+++ b/etc/profile-m-z/qbittorrent.profile
@@ -55,12 +55,12 @@ seccomp
 private-bin python*,qbittorrent
 private-dev
-# private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,resolv.conf,ssl,X11,xdg
+#private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,resolv.conf,ssl,X11,xdg
 private-tmp
 # See https://github.com/netblue30/firejail/issues/3707 for tray-icon
 dbus-user none
 dbus-system none
-# memory-deny-write-execute - problems on Arch, see #1690 on GitHub repo
+#memory-deny-write-execute # problems on Arch, see #1690 on GitHub repo
 restrict-namespaces
diff --git a/etc/profile-m-z/qmmp.profile b/etc/profile-m-z/qmmp.profile
index ecd62a7d1..66c8f3238 100644
--- a/etc/profile-m-z/qmmp.profile
+++ b/etc/profile-m-z/qmmp.profile
@@ -18,7 +18,7 @@ include disable-xdg.inc
 caps.drop all
 netfilter
-# no3d
+#no3d
 nogroups
 noinput
 nonewprivs
diff --git a/etc/profile-m-z/qpdfview.profile b/etc/profile-m-z/qpdfview.profile
index 4caa0917f..784d2fafd 100644
--- a/etc/profile-m-z/qpdfview.profile
+++ b/etc/profile-m-z/qpdfview.profile
@@ -41,7 +41,7 @@ private-dev
 private-tmp
 # needs D-Bus when started from a file manager
-# dbus-user none
+#dbus-user none
-# dbus-system none
+#dbus-system none
 restrict-namespaces
diff --git a/etc/profile-m-z/qtox.profile b/etc/profile-m-z/qtox.profile
index ab0f9425a..20c84c5a8 100644
--- a/etc/profile-m-z/qtox.profile
+++ b/etc/profile-m-z/qtox.profile
@@ -48,5 +48,5 @@ private-tmp
 dbus-user none
 dbus-system none
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 restrict-namespaces
diff --git a/etc/profile-m-z/quassel.profile b/etc/profile-m-z/quassel.profile
index 4589c9e4a..4ec990e95 100644
--- a/etc/profile-m-z/quassel.profile
+++ b/etc/profile-m-z/quassel.profile
@@ -25,4 +25,4 @@ seccomp !chroot
 private-cache
 private-tmp
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-m-z/quiterss.profile b/etc/profile-m-z/quiterss.profile
index a59f01f85..4102b1ea0 100644
--- a/etc/profile-m-z/quiterss.profile
+++ b/etc/profile-m-z/quiterss.profile
@@ -50,6 +50,6 @@ tracelog
 disable-mnt
 private-bin quiterss
 private-dev
-# private-etc alternatives,ca-certificates,crypto-policies,pki,ssl,X11
+#private-etc alternatives,ca-certificates,crypto-policies,pki,ssl,X11
 restrict-namespaces
diff --git a/etc/profile-m-z/rpcs3.profile b/etc/profile-m-z/rpcs3.profile
index 405ab818d..603ec8ff4 100644
--- a/etc/profile-m-z/rpcs3.profile
+++ b/etc/profile-m-z/rpcs3.profile
@@ -54,7 +54,8 @@ tracelog
 disable-mnt
 #private-cache
-#private-etc alternatives,ca-certificates,crypto-policies,machine-id,pki,resolv.conf,ssl # seems to need awk
+# seems to need awk
+#private-etc alternatives,ca-certificates,crypto-policies,machine-id,pki,resolv.conf,ssl
 private-tmp
 dbus-user none
diff --git a/etc/profile-m-z/rssguard.profile b/etc/profile-m-z/rssguard.profile
index 81381c205..ce455baba 100644
--- a/etc/profile-m-z/rssguard.profile
+++ b/etc/profile-m-z/rssguard.profile
@@ -31,13 +31,13 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
-# no3d
+#no3d
 nodvd
 nogroups
 noinput
 nonewprivs
 noroot
-# nosound
+#nosound
 notv
 nou2f
 novideo
diff --git a/etc/profile-m-z/scribus.profile b/etc/profile-m-z/scribus.profile
index 34cf783fe..8e25375b0 100644
--- a/etc/profile-m-z/scribus.profile
+++ b/etc/profile-m-z/scribus.profile
@@ -55,7 +55,7 @@ protocol unix
 seccomp
 tracelog
-# private-bin gimp*,gs,scribus
+#private-bin gimp*,gs,scribus
 private-dev
 private-tmp
diff --git a/etc/profile-m-z/seamonkey.profile b/etc/profile-m-z/seamonkey.profile
index c2dbbc2c6..1171a52f0 100644
--- a/etc/profile-m-z/seamonkey.profile
+++ b/etc/profile-m-z/seamonkey.profile
@@ -55,7 +55,7 @@ seccomp
 tracelog
 disable-mnt
-# private-etc adobe,alternatives,asound.conf,ca-certificates,crypto-policies,firefox,fonts,group,gtk-2.0,hostname,hosts,iceweasel,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,ssl
+#private-etc adobe,alternatives,asound.conf,ca-certificates,crypto-policies,firefox,fonts,group,gtk-2.0,hostname,hosts,iceweasel,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,ssl
 writable-run-user
 restrict-namespaces
diff --git a/etc/profile-m-z/server.profile b/etc/profile-m-z/server.profile
index 667f9c557..74587c992 100644
--- a/etc/profile-m-z/server.profile
+++ b/etc/profile-m-z/server.profile
@@ -34,36 +34,36 @@ include globals.local
 noblacklist /sbin
 noblacklist /usr/sbin
 noblacklist /etc/init.d
-# noblacklist /var/opt
+#noblacklist /var/opt
 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
 include disable-common.inc
-# include disable-devel.inc
+#include disable-devel.inc
-# include disable-exec.inc
+#include disable-exec.inc
-# include disable-interpreters.inc
+#include disable-interpreters.inc
 include disable-programs.inc
 include disable-write-mnt.inc
 include disable-xdg.inc
-# include whitelist-runuser-common.inc
+#include whitelist-runuser-common.inc
-# include whitelist-usr-share-common.inc
+#include whitelist-usr-share-common.inc
-# include whitelist-var-common.inc
+#include whitelist-var-common.inc
 # people use to install servers all over the place!
 # apparmor runs executable only from default system locations
-# apparmor
+#apparmor
 caps
-# ipc-namespace
+#ipc-namespace
 machine-id
-# netfilter /etc/firejail/webserver.net
+#netfilter /etc/firejail/webserver.net
 no3d
 nodvd
-# nogroups
+#nogroups
 noinput
 nonewprivs
-# noroot
+#noroot
 nosound
 notv
 nou2f
@@ -74,22 +74,22 @@ tab # allow tab completion
 disable-mnt
 private
-# private-bin program
+#private-bin program
-# private-cache
+#private-cache
 private-dev
 # see /usr/share/doc/firejail/profile.template for more common private-etc paths.
-# private-etc alternatives
+#private-etc alternatives
-# private-lib
+#private-lib
-# private-opt none
+#private-opt none
 private-tmp
-# writable-run-user
+#writable-run-user
-# writable-var
+#writable-var
-# writable-var-log
+#writable-var-log
 dbus-user none
-# dbus-system none
+#dbus-system none
-# deterministic-shutdown
+#deterministic-shutdown
-# memory-deny-write-execute
+#memory-deny-write-execute
-# read-only ${HOME}
+#read-only ${HOME}
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-m-z/silentarmy.profile b/etc/profile-m-z/silentarmy.profile
index 96e4cf283..154e29ccf 100644
--- a/etc/profile-m-z/silentarmy.profile
+++ b/etc/profile-m-z/silentarmy.profile
@@ -7,7 +7,7 @@ include globals.local
 include disable-common.inc
-# include disable-devel.inc
+#include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
diff --git a/etc/profile-m-z/simple-scan.profile b/etc/profile-m-z/simple-scan.profile
index 14846cf58..f8bcd3c6e 100644
--- a/etc/profile-m-z/simple-scan.profile
+++ b/etc/profile-m-z/simple-scan.profile
@@ -28,15 +28,15 @@ nonewprivs
 noroot
 nosound
 notv
-# novideo
+#novideo
 protocol unix,inet,inet6,netlink
 # blacklisting of ioperm system calls breaks simple-scan
 seccomp !ioperm
 tracelog
-# private-bin simple-scan
+#private-bin simple-scan
-# private-dev
+#private-dev
-# private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl
+#private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl
-# private-tmp
+#private-tmp
 restrict-namespaces
diff --git a/etc/profile-m-z/simutrans.profile b/etc/profile-m-z/simutrans.profile
index f88ae65c8..995b59538 100644
--- a/etc/profile-m-z/simutrans.profile
+++ b/etc/profile-m-z/simutrans.profile
@@ -33,7 +33,7 @@ novideo
 protocol unix
 seccomp
-# private-bin simutrans
+#private-bin simutrans
 private-dev
 private-etc @games,@x11
 private-tmp
diff --git a/etc/profile-m-z/skanlite.profile b/etc/profile-m-z/skanlite.profile
index 6b73b2289..3b78f7fd2 100644
--- a/etc/profile-m-z/skanlite.profile
+++ b/etc/profile-m-z/skanlite.profile
@@ -22,16 +22,16 @@ nonewprivs
 noroot
 nosound
 notv
-# novideo
+#novideo
 protocol unix,inet,inet6,netlink
 # blacklisting of ioperm system calls breaks skanlite
 seccomp !ioperm
-# private-bin kbuildsycoca4,kdeinit4,skanlite
+#private-bin kbuildsycoca4,kdeinit4,skanlite
-# private-dev
+#private-dev
-# private-tmp
+#private-tmp
-# dbus-user none
+#dbus-user none
-# dbus-system none
+#dbus-system none
 restrict-namespaces
diff --git a/etc/profile-m-z/smplayer.profile b/etc/profile-m-z/smplayer.profile
index 9dd41fd27..ece191b73 100644
--- a/etc/profile-m-z/smplayer.profile
+++ b/etc/profile-m-z/smplayer.profile
@@ -36,7 +36,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
-# nogroups
+#nogroups
 noinput
 nonewprivs
 noroot
@@ -49,7 +49,7 @@ private-dev
 private-tmp
 # problems with KDE
-# dbus-user none
+#dbus-user none
-# dbus-system none
+#dbus-system none
 restrict-namespaces
diff --git a/etc/profile-m-z/sniffnet.profile b/etc/profile-m-z/sniffnet.profile
index eb18c1f01..940c35b2e 100644
--- a/etc/profile-m-z/sniffnet.profile
+++ b/etc/profile-m-z/sniffnet.profile
@@ -29,8 +29,8 @@ netfilter
 nodvd
 nogroups
 noinput
-# nonewprivs - breaks network traffic capture for unprivileged users
+#nonewprivs # breaks network traffic capture for unprivileged users
-# noroot
+#noroot
 notv
 nou2f
 novideo
diff --git a/etc/profile-m-z/sol.profile b/etc/profile-m-z/sol.profile
index e2be4e9e0..07f9b0094 100644
--- a/etc/profile-m-z/sol.profile
+++ b/etc/profile-m-z/sol.profile
@@ -21,13 +21,13 @@ apparmor
 caps.drop all
 ipc-namespace
 net none
-# no3d
+#no3d
 nodvd
 nogroups
 noinput
 nonewprivs
 noroot
-# nosound
+#nosound
 notv
 nou2f
 novideo
@@ -43,5 +43,5 @@ private-tmp
 dbus-user none
 dbus-system none
-# memory-deny-write-execute
+#memory-deny-write-execute
 restrict-namespaces
diff --git a/etc/profile-m-z/sound-juicer.profile b/etc/profile-m-z/sound-juicer.profile
index f5ac6c739..5c5763538 100644
--- a/etc/profile-m-z/sound-juicer.profile
+++ b/etc/profile-m-z/sound-juicer.profile
@@ -38,7 +38,7 @@ private-cache
 private-dev
 private-tmp
-# dbus-user none
+#dbus-user none
-# dbus-system none
+#dbus-system none
 restrict-namespaces
diff --git a/etc/profile-m-z/spotify.profile b/etc/profile-m-z/spotify.profile
index c893a92fb..63c2c5086 100644
--- a/etc/profile-m-z/spotify.profile
+++ b/etc/profile-m-z/spotify.profile
@@ -26,6 +26,7 @@ whitelist ${HOME}/.cache/spotify
 whitelist ${HOME}/.config/spotify
 whitelist ${HOME}/.config/spotify-adblock
 whitelist ${HOME}/.local/share/spotify
+whitelist /opt/spotify
 include whitelist-common.inc
 include whitelist-var-common.inc
@@ -48,7 +49,6 @@ private-bin bash,cat,dirname,find,grep,head,rm,sh,spotify,tclsh,touch,zenity
 private-dev
 # If you want to see album covers or want to use the radio, add 'ignore private-etc' to your spotify.local.
 private-etc @tls-ca,host.conf,spotify-adblock
-private-opt spotify
 private-srv none
 private-tmp
diff --git a/etc/profile-m-z/sqlitebrowser.profile b/etc/profile-m-z/sqlitebrowser.profile
index ce356367f..013c7ac13 100644
--- a/etc/profile-m-z/sqlitebrowser.profile
+++ b/etc/profile-m-z/sqlitebrowser.profile
@@ -46,8 +46,8 @@ private-etc @tls-ca
 private-tmp
 # breaks proxy creation
-# dbus-user none
+#dbus-user none
-# dbus-system none
+#dbus-system none
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 restrict-namespaces
diff --git a/etc/profile-m-z/ssh.profile b/etc/profile-m-z/ssh.profile
index a7956a76e..fde85be64 100644
--- a/etc/profile-m-z/ssh.profile
+++ b/etc/profile-m-z/ssh.profile
@@ -32,10 +32,10 @@ nodvd
 nogroups
 noinput
 nonewprivs
-# noroot - see issue #1543
+#noroot # see issue #1543
 nosound
 notv
-# nou2f - OpenSSH >= 8.2 supports U2F
+#nou2f # OpenSSH >= 8.2 supports U2F
 novideo
 protocol unix,inet,inet6
 seccomp
@@ -43,7 +43,7 @@ tracelog
 private-cache
 private-dev
-# private-tmp # Breaks when exiting
+#private-tmp # Breaks when exiting
 writable-run-user
 dbus-user none
diff --git a/etc/profile-m-z/ssmtp.profile b/etc/profile-m-z/ssmtp.profile
index 1a224e7b0..b87f514f9 100644
--- a/etc/profile-m-z/ssmtp.profile
+++ b/etc/profile-m-z/ssmtp.profile
@@ -16,6 +16,7 @@ noblacklist /sbin
 noblacklist /usr/sbin
 noblacklist ${DOCUMENTS}
+noblacklist ${PATH}/ssmtp
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/profile-m-z/standardnotes-desktop.profile b/etc/profile-m-z/standardnotes-desktop.profile
index 3fe0963a9..fe4e4b6d7 100644
--- a/etc/profile-m-z/standardnotes-desktop.profile
+++ b/etc/profile-m-z/standardnotes-desktop.profile
@@ -47,4 +47,4 @@ private-etc @tls-ca,@x11,host.conf
 dbus-user none
 dbus-system none
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-m-z/steam.profile b/etc/profile-m-z/steam.profile
index 99317c9dc..34cb3631a 100644
--- a/etc/profile-m-z/steam.profile
+++ b/etc/profile-m-z/steam.profile
@@ -12,10 +12,12 @@ noblacklist ${HOME}/.config/MangoHud
 noblacklist ${HOME}/.config/ModTheSpire
 noblacklist ${HOME}/.config/RogueLegacy
 noblacklist ${HOME}/.config/RogueLegacyStorageContainer
+noblacklist ${HOME}/.factorio
 noblacklist ${HOME}/.killingfloor
 noblacklist ${HOME}/.klei
 noblacklist ${HOME}/.local/share/3909/PapersPlease
 noblacklist ${HOME}/.local/share/aspyr-media
+noblacklist ${HOME}/.local/share/Baba_Is_You
 noblacklist ${HOME}/.local/share/bohemiainteractive
 noblacklist ${HOME}/.local/share/cdprojektred
 noblacklist ${HOME}/.local/share/Colossal Order
@@ -64,10 +66,12 @@ mkdir ${HOME}/.config/MangoHud
 mkdir ${HOME}/.config/ModTheSpire
 mkdir ${HOME}/.config/RogueLegacy
 mkdir ${HOME}/.config/unity3d
+mkdir ${HOME}/.factorio
 mkdir ${HOME}/.killingfloor
 mkdir ${HOME}/.klei
 mkdir ${HOME}/.local/share/3909/PapersPlease
 mkdir ${HOME}/.local/share/aspyr-media
+mkdir ${HOME}/.local/share/Baba_Is_You
 mkdir ${HOME}/.local/share/bohemiainteractive
 mkdir ${HOME}/.local/share/cdprojektred
 mkdir ${HOME}/.local/share/Colossal Order
@@ -100,10 +104,12 @@ whitelist ${HOME}/.config/ModTheSpire
 whitelist ${HOME}/.config/RogueLegacy
 whitelist ${HOME}/.config/RogueLegacyStorageContainer
 whitelist ${HOME}/.config/unity3d
+whitelist ${HOME}/.factorio
 whitelist ${HOME}/.killingfloor
 whitelist ${HOME}/.klei
 whitelist ${HOME}/.local/share/3909/PapersPlease
 whitelist ${HOME}/.local/share/aspyr-media
+whitelist ${HOME}/.local/share/Baba_Is_You
 whitelist ${HOME}/.local/share/bohemiainteractive
 whitelist ${HOME}/.local/share/cdprojektred
 whitelist ${HOME}/.local/share/Colossal Order
diff --git a/etc/profile-m-z/subdownloader.profile b/etc/profile-m-z/subdownloader.profile
index 6de288c46..8b5d7e253 100644
--- a/etc/profile-m-z/subdownloader.profile
+++ b/etc/profile-m-z/subdownloader.profile
@@ -49,5 +49,5 @@ private-tmp
 dbus-user none
 dbus-system none
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 restrict-namespaces
diff --git a/etc/profile-m-z/supertux2.profile b/etc/profile-m-z/supertux2.profile
index 2ad107f1a..65aea6667 100644
--- a/etc/profile-m-z/supertux2.profile
+++ b/etc/profile-m-z/supertux2.profile
@@ -41,7 +41,7 @@ seccomp.block-secondary
 tracelog
 disable-mnt
-# private-bin supertux2
+#private-bin supertux2
 private-cache
 private-etc
 private-dev
diff --git a/etc/profile-m-z/sushi.profile b/etc/profile-m-z/sushi.profile
index 7b6a87b31..728db012e 100644
--- a/etc/profile-m-z/sushi.profile
+++ b/etc/profile-m-z/sushi.profile
@@ -13,7 +13,7 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-# include disable-programs.inc
+#include disable-programs.inc
 include disable-shell.inc
 include whitelist-runuser-common.inc
diff --git a/etc/profile-m-z/sylpheed.profile b/etc/profile-m-z/sylpheed.profile
index 5fb35aa04..7cef394c2 100644
--- a/etc/profile-m-z/sylpheed.profile
+++ b/etc/profile-m-z/sylpheed.profile
@@ -13,7 +13,7 @@ whitelist ${HOME}/.sylpheed-2.0
 whitelist /usr/share/sylpheed
-# private-bin curl,gpg,gpg2,gpg-agent,gpgsm,pinentry,pinentry-gtk-2,sylpheed
+#private-bin curl,gpg,gpg2,gpg-agent,gpgsm,pinentry,pinentry-gtk-2,sylpheed
 # Redirect
 include email-common.profile
diff --git a/etc/profile-m-z/sysprof.profile b/etc/profile-m-z/sysprof.profile
index 726baf336..b0a80fc27 100644
--- a/etc/profile-m-z/sysprof.profile
+++ b/etc/profile-m-z/sysprof.profile
@@ -59,11 +59,11 @@ seccomp
 tracelog
 disable-mnt
-#private-bin sysprof - breaks help menu
+#private-bin sysprof # breaks help menu
 private-cache
 private-dev
 private-etc @tls-ca
-# private-lib - breaks help menu
+#private-lib # breaks help menu
 #private-lib gdk-pixbuf-2.*,gio,gtk3,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*,libsysprof-2.so,libsysprof-ui-2.so
 private-tmp
@@ -73,5 +73,5 @@ dbus-user.own org.gnome.Yelp
 dbus-user.own org.gnome.Sysprof3
 dbus-user.talk ca.desrt.dconf
-# memory-deny-write-execute - breaks on Arch
+#memory-deny-write-execute # breaks on Arch
 restrict-namespaces
diff --git a/etc/profile-m-z/system-log-common.profile b/etc/profile-m-z/system-log-common.profile
new file mode 100644
index 000000000..dda8bdc47
--- /dev/null
+++ b/etc/profile-m-z/system-log-common.profile
@@ -0,0 +1,60 @@
+# Firejail profile for system-log-common
+# Description: Common profile for GUI system log viewers
+# This file is overwritten after every install/update
+# Persistent local customizations
+include system-log-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+whitelist /run/log/journal
+whitelist /var/log/journal
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+ipc-namespace
+net none
+no3d
+nodvd
+#nogroups
+noinput
+nonewprivs
+noprinters
+#noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+tracelog
+disable-mnt
+private-cache
+private-dev
+private-etc machine-id
+private-tmp
+dbus-user none
+dbus-system none
+restrict-namespaces
+# Add 'ignore read-only ${HOME}' to your system-log-common.local
+# if you export logs to a file under your ${HOME}.
+read-only ${HOME}
+writable-var-log
diff --git a/etc/profile-m-z/teamspeak3.profile b/etc/profile-m-z/teamspeak3.profile
index 41da4ee13..06b547b3d 100644
--- a/etc/profile-m-z/teamspeak3.profile
+++ b/etc/profile-m-z/teamspeak3.profile
@@ -39,4 +39,4 @@ disable-mnt
 private-dev
 private-tmp
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-m-z/telegram.profile b/etc/profile-m-z/telegram.profile
index ba915c2d4..fa992ad1a 100644
--- a/etc/profile-m-z/telegram.profile
+++ b/etc/profile-m-z/telegram.profile
@@ -7,6 +7,7 @@ include globals.local
 noblacklist ${HOME}/.TelegramDesktop
 noblacklist ${HOME}/.local/share/TelegramDesktop
+noblacklist ${HOME}/.local/share/telegram-desktop
 # Allow opening hyperlinks
 include allow-bin-sh.inc
@@ -21,8 +22,10 @@ include disable-xdg.inc
 mkdir ${HOME}/.TelegramDesktop
 mkdir ${HOME}/.local/share/TelegramDesktop
+mkdir ${HOME}/.local/share/telegram-desktop
 whitelist ${HOME}/.TelegramDesktop
 whitelist ${HOME}/.local/share/TelegramDesktop
+whitelist ${HOME}/.local/share/telegram-desktop
 whitelist ${DOWNLOADS}
 whitelist /usr/share/TelegramDesktop
 include whitelist-common.inc
diff --git a/etc/profile-m-z/termshark.profile b/etc/profile-m-z/termshark.profile
new file mode 100644
index 000000000..630d5dda6
--- /dev/null
+++ b/etc/profile-m-z/termshark.profile
@@ -0,0 +1,15 @@
+# Firejail profile for termshark
+# Description: Terminal UI for tshark, inspired by Wireshark
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include termshark.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}
+# Redirect
+include wireshark.profile
diff --git a/etc/profile-m-z/tesseract.profile b/etc/profile-m-z/tesseract.profile
index 5babfb8d2..c0293406d 100644
--- a/etc/profile-m-z/tesseract.profile
+++ b/etc/profile-m-z/tesseract.profile
@@ -26,6 +26,7 @@ include whitelist-common.inc
 include whitelist-run-common.inc
 include whitelist-runuser-common.inc
 whitelist /usr/share/tessdata
+whitelist /usr/share/tesseract-ocr
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/thunderbird-beta.profile b/etc/profile-m-z/thunderbird-beta.profile
index 46a1e57c8..e01a9d2d8 100644
--- a/etc/profile-m-z/thunderbird-beta.profile
+++ b/etc/profile-m-z/thunderbird-beta.profile
@@ -6,7 +6,7 @@ include thunderbird-beta.local
 # added by included profile
 #include globals.local
-private-opt thunderbird-beta
+whitelist /opt/thunderbird-beta
 # Redirect
 include thunderbird.profile
diff --git a/etc/profile-m-z/thunderbird.profile b/etc/profile-m-z/thunderbird.profile
index 17e2f0856..979971ac2 100644
--- a/etc/profile-m-z/thunderbird.profile
+++ b/etc/profile-m-z/thunderbird.profile
@@ -35,7 +35,7 @@ whitelist ${HOME}/.mozilla/firefox/profiles.ini
 noblacklist ${HOME}/.cache/thunderbird
 noblacklist ${HOME}/.gnupg
-# noblacklist ${HOME}/.icedove
+#noblacklist ${HOME}/.icedove
 noblacklist ${HOME}/.thunderbird
 include disable-xdg.inc
@@ -46,11 +46,11 @@ include disable-xdg.inc
 # See https://github.com/netblue30/firejail/issues/2357
 mkdir ${HOME}/.cache/thunderbird
 mkdir ${HOME}/.gnupg
-# mkdir ${HOME}/.icedove
+#mkdir ${HOME}/.icedove
 mkdir ${HOME}/.thunderbird
 whitelist ${HOME}/.cache/thunderbird
 whitelist ${HOME}/.gnupg
-# whitelist ${HOME}/.icedove
+#whitelist ${HOME}/.icedove
 whitelist ${HOME}/.thunderbird
 whitelist /usr/share/gnupg
diff --git a/etc/profile-m-z/tidal-hifi.profile b/etc/profile-m-z/tidal-hifi.profile
new file mode 100644
index 000000000..d2e23239e
--- /dev/null
+++ b/etc/profile-m-z/tidal-hifi.profile
@@ -0,0 +1,39 @@
+# Firejail profile for tidal-hifi
+# Description: The web version of Tidal running in electron with hifi support thanks to widevine.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tidal-hifi.local
+# Persistent global definitions
+include globals.local
+ignore noexec ${HOME}
+noblacklist ${HOME}/.config/tidal-hifi
+include disable-proc.inc
+include disable-shell.inc
+whitelist ${HOME}/.config/tidal-hifi
+caps.drop all
+no3d
+nonewprivs
+noprinters
+noroot
+protocol unix,inet,inet6
+seccomp !chroot
+seccomp.block-secondary
+tracelog
+private-bin chrome-sandbox,tidal-hifi
+private-etc @network,@sound,@tls-ca,@xdg
+private-opt tidal-hifi
+ignore dbus-user none
+dbus-user filter
+dbus-user.own org.mpris.MediaPlayer2.tidal-hifi
+dbus-user.talk org.freedesktop.Notifications
+join-or-start tidal-hifi
+include electron-common.profile
diff --git a/etc/profile-m-z/tiny-rdm.profile b/etc/profile-m-z/tiny-rdm.profile
new file mode 100644
index 000000000..4134d666c
--- /dev/null
+++ b/etc/profile-m-z/tiny-rdm.profile
@@ -0,0 +1,61 @@
+# Firejail profile for tiny-rdm
+# Description: A Modern Redis GUI Client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tiny-rdm.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.cache/tiny-rdm
+noblacklist ${HOME}/.config/TinyRDM
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-proc.inc
+include disable-shell.inc
+include disable-xdg.inc
+mkdir ${HOME}/.cache/tiny-rdm
+mkdir ${HOME}/.config/TinyRDM
+whitelist ${HOME}/.cache/tiny-rdm
+whitelist ${HOME}/.config/TinyRDM
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noprinters
+noroot
+notv
+nou2f
+novideo
+nosound
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+tracelog
+disable-mnt
+private-bin tiny-rdm
+private-cache
+private-dev
+private-etc @network,@tls-ca,@x11
+private-tmp
+dbus-user none
+dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/tmux.profile b/etc/profile-m-z/tmux.profile
index a855ff839..ddd2aa85f 100644
--- a/etc/profile-m-z/tmux.profile
+++ b/etc/profile-m-z/tmux.profile
@@ -12,10 +12,10 @@ blacklist ${RUNUSER}
 noblacklist /tmp/tmux-*
-# include disable-common.inc
+#include disable-common.inc
-# include disable-devel.inc
+#include disable-devel.inc
-# include disable-exec.inc
+#include disable-exec.inc
-# include disable-programs.inc
+#include disable-programs.inc
 caps.drop all
 ipc-namespace
@@ -36,9 +36,9 @@ seccomp
 seccomp.block-secondary
 tracelog
-# private-cache
+#private-cache
 private-dev
-# private-tmp
+#private-tmp
 dbus-user none
 dbus-system none
diff --git a/etc/profile-m-z/torbrowser-launcher.profile b/etc/profile-m-z/torbrowser-launcher.profile
index 86746c7f1..b9fdcf92c 100644
--- a/etc/profile-m-z/torbrowser-launcher.profile
+++ b/etc/profile-m-z/torbrowser-launcher.profile
@@ -56,13 +56,12 @@ novideo
 protocol unix,inet,inet6
 seccomp !chroot
 seccomp.block-secondary
-#tracelog - may cause issues, see #1930
+#tracelog # may cause issues, see #1930
 disable-mnt
 private-bin bash,cat,cp,cut,dirname,env,expr,file,gpg,grep,gxmessage,id,kdialog,ln,mkdir,mv,python*,rm,sed,sh,tail,tar,tclsh,test,tor-browser,tor-browser-en,torbrowser-launcher,update-desktop-database,xmessage,xz,zenity
 private-dev
 private-etc @tls-ca
-#private-opt tor-browser - can cause slow startup
 private-tmp
 dbus-user none
diff --git a/etc/profile-m-z/totem.profile b/etc/profile-m-z/totem.profile
index a4cb49171..73d3b0b6f 100644
--- a/etc/profile-m-z/totem.profile
+++ b/etc/profile-m-z/totem.profile
@@ -35,7 +35,7 @@ include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
-# apparmor - makes settings immutable
+#apparmor # makes settings immutable
 caps.drop all
 netfilter
 nogroups
@@ -55,7 +55,7 @@ private-etc @tls-ca,@x11,python*
 private-tmp
 # makes settings immutable
-# dbus-user none
+#dbus-user none
 dbus-system none
 restrict-namespaces
diff --git a/etc/profile-m-z/tracker.profile b/etc/profile-m-z/tracker.profile
index f30b0aef6..c46b00fc9 100644
--- a/etc/profile-m-z/tracker.profile
+++ b/etc/profile-m-z/tracker.profile
@@ -33,8 +33,8 @@ protocol unix
 seccomp
 tracelog
-# private-bin tracker
+#private-bin tracker
-# private-dev
+#private-dev
-# private-tmp
+#private-tmp
 restrict-namespaces
diff --git a/etc/profile-m-z/transgui.profile b/etc/profile-m-z/transgui.profile
index 645c55c3b..9f1f1c241 100644
--- a/etc/profile-m-z/transgui.profile
+++ b/etc/profile-m-z/transgui.profile
@@ -12,6 +12,7 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
+include disable-proc.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
@@ -19,7 +20,10 @@ include disable-xdg.inc
 mkdir ${HOME}/.config/transgui
 whitelist ${HOME}/.config/transgui
 whitelist ${DOWNLOADS}
+whitelist /usr/share/transgui
 include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -44,7 +48,7 @@ tracelog
 private-bin geoiplookup,geoiplookup6,transgui
 private-cache
 private-dev
-private-etc
+private-etc @network,@tls-ca,@x11
 private-lib libgdk_pixbuf-2.0.so.*,libGeoIP.so*,libgthread-2.0.so.*,libgtk-x11-2.0.so.*,libX11.so.*
 private-tmp
diff --git a/etc/profile-m-z/trojita.profile b/etc/profile-m-z/trojita.profile
index 2578eb0be..5e9e7f127 100644
--- a/etc/profile-m-z/trojita.profile
+++ b/etc/profile-m-z/trojita.profile
@@ -52,7 +52,7 @@ protocol unix,inet,inet6,netlink
 seccomp
 tracelog
-# disable-mnt
+#disable-mnt
 private-bin trojita
 private-cache
 private-dev
diff --git a/etc/profile-m-z/tshark.profile b/etc/profile-m-z/tshark.profile
index 3f5a9647e..f2273e6a7 100644
--- a/etc/profile-m-z/tshark.profile
+++ b/etc/profile-m-z/tshark.profile
@@ -7,5 +7,8 @@ include tshark.local
 # added by included profile
 #include globals.local
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}
 # Redirect
 include wireshark.profile
diff --git a/etc/profile-m-z/tutanota-desktop.profile b/etc/profile-m-z/tutanota-desktop.profile
index 55e4a4392..f0a0cacaf 100644
--- a/etc/profile-m-z/tutanota-desktop.profile
+++ b/etc/profile-m-z/tutanota-desktop.profile
@@ -22,6 +22,7 @@ mkdir ${HOME}/.config/tuta_integration
 mkdir ${HOME}/.config/tutanota-desktop
 whitelist ${HOME}/.config/tuta_integration
 whitelist ${HOME}/.config/tutanota-desktop
+whitelist /opt/tutanota-desktop
 # The lines below are needed to find the default Firefox profile name, to allow
 # opening links in an existing instance of Firefox (note that it still fails if
@@ -34,7 +35,6 @@ nosound
 ?HAS_APPIMAGE: ignore private-dev
 private-etc @tls-ca
-private-opt tutanota-desktop
 dbus-user filter
 dbus-user.talk org.freedesktop.Notifications
diff --git a/etc/profile-m-z/tvbrowser.profile b/etc/profile-m-z/tvbrowser.profile
index 518dc95c7..16162f989 100644
--- a/etc/profile-m-z/tvbrowser.profile
+++ b/etc/profile-m-z/tvbrowser.profile
@@ -1,5 +1,5 @@
 # Firejail profile for tvbrowser
-# Description: java tv programm form tvbrowser.org
+# Description: java tv program form tvbrowser.org
 # This file is overwritten after every install/update
 # Persistent local customizations
 include tvbrowser.local
diff --git a/etc/profile-m-z/twitch.profile b/etc/profile-m-z/twitch.profile
index d53acdaf7..55106d622 100644
--- a/etc/profile-m-z/twitch.profile
+++ b/etc/profile-m-z/twitch.profile
@@ -1,5 +1,5 @@
 # Firejail profile for twitch
-# Description: Unofficial electron based desktop warpper for Twitch
+# Description: Unofficial electron based desktop wrapper for Twitch
 # This file is overwritten after every install/update
 # Persistent local customizations
 include twitch.local
@@ -16,10 +16,10 @@ include disable-shell.inc
 mkdir ${HOME}/.config/Twitch
 whitelist ${HOME}/.config/Twitch
+whitelist /opt/Twitch
 private-bin electron,electron[0-9],electron[0-9][0-9],twitch
 private-etc @tls-ca,@x11,bumblebee,host.conf,mime.types
-private-opt Twitch
 # Redirect
 include electron-common.profile
diff --git a/etc/profile-m-z/udiskie.profile b/etc/profile-m-z/udiskie.profile
index c182326bb..175ae4591 100644
--- a/etc/profile-m-z/udiskie.profile
+++ b/etc/profile-m-z/udiskie.profile
@@ -36,8 +36,8 @@ tracelog
 private-bin awk,cut,dbus-send,egrep,file,grep,head,python*,readlink,sed,sh,udiskie,uname,which,xdg-mime,xdg-open,xprop
 # add your configured file browser in udiskie.local, e. g.
-# private-bin nautilus
+#private-bin nautilus
-# private-bin thunar
+#private-bin thunar
 private-cache
 private-dev
 private-etc @x11,mime.types
diff --git a/etc/profile-m-z/unknown-horizons.profile b/etc/profile-m-z/unknown-horizons.profile
index 3e2b28dec..4e7dc3705 100644
--- a/etc/profile-m-z/unknown-horizons.profile
+++ b/etc/profile-m-z/unknown-horizons.profile
@@ -34,11 +34,11 @@ protocol unix,inet,inet6,netlink
 seccomp
 disable-mnt
-# private-bin unknown-horizons
+#private-bin unknown-horizons
 private-dev
-# private-etc alternatives,ca-certificates,crypto-policies,pki,ssl
+#private-etc alternatives,ca-certificates,crypto-policies,pki,ssl
 private-tmp
 # doesn't work - maybe all Tcl/Tk programs have this problem
-# memory-deny-write-execute
+#memory-deny-write-execute
 restrict-namespaces
diff --git a/etc/profile-m-z/viewnior.profile b/etc/profile-m-z/viewnior.profile
index aa8199442..8c6efaa1c 100644
--- a/etc/profile-m-z/viewnior.profile
+++ b/etc/profile-m-z/viewnior.profile
@@ -49,5 +49,5 @@ private-tmp
 dbus-user none
 dbus-system none
-#memory-deny-write-execute - breaks on Arch (see issues #1803 and #1808)
+#memory-deny-write-execute # breaks on Arch (see issues #1803 and #1808)
 restrict-namespaces
diff --git a/etc/profile-m-z/virtualbox.profile b/etc/profile-m-z/virtualbox.profile
index ae8afbbf1..b768a635a 100644
--- a/etc/profile-m-z/virtualbox.profile
+++ b/etc/profile-m-z/virtualbox.profile
@@ -9,7 +9,7 @@ include globals.local
 noblacklist ${HOME}/.VirtualBox
 noblacklist ${HOME}/.config/VirtualBox
 noblacklist ${HOME}/VirtualBox VMs
-# noblacklist /usr/bin/virtualbox
+#noblacklist /usr/bin/virtualbox
 noblacklist /usr/lib/virtualbox
 noblacklist /usr/lib64/virtualbox
diff --git a/etc/profile-m-z/warzone2100.profile b/etc/profile-m-z/warzone2100.profile
index 79ba41d44..a7b0f5f1d 100644
--- a/etc/profile-m-z/warzone2100.profile
+++ b/etc/profile-m-z/warzone2100.profile
@@ -15,7 +15,7 @@ include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
-#include disable-shell.inc - problems on Debian 11
+#include disable-shell.inc # problems on Debian 11
 mkdir ${HOME}/.local/share/warzone2100
 mkdir ${HOME}/.local/share/warzone2100-3.3.0
diff --git a/etc/profile-m-z/wine.profile b/etc/profile-m-z/wine.profile
index 1e2b164b9..33f404464 100644
--- a/etc/profile-m-z/wine.profile
+++ b/etc/profile-m-z/wine.profile
@@ -20,23 +20,23 @@ include disable-devel.inc
 include disable-interpreters.inc
 include disable-programs.inc
-# whitelist /usr/share/wine
+#whitelist /usr/share/wine
-# include whitelist-usr-share-common.inc
+#include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 # Some applications don't need allow-debuggers. Add 'ignore allow-debuggers' to your wine.local if you want to override this.
 allow-debuggers
 caps.drop all
-# net none
+#net none
 netfilter
 nodvd
 nogroups
 noinput
 nonewprivs
 noroot
-# nosound
+#nosound
 notv
-# novideo
+#novideo
 seccomp
 private-dev
diff --git a/etc/profile-m-z/wireshark.profile b/etc/profile-m-z/wireshark.profile
index d1b757a25..55c4e6ac7 100644
--- a/etc/profile-m-z/wireshark.profile
+++ b/etc/profile-m-z/wireshark.profile
@@ -9,6 +9,7 @@ include globals.local
 noblacklist ${HOME}/.config/wireshark
 noblacklist ${HOME}/.wireshark
 noblacklist ${DOCUMENTS}
+noblacklist ${PATH}/dumpcap
 # Allow lua (blacklisted by disable-interpreters.inc)
 include allow-lua.inc
@@ -25,29 +26,30 @@ include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 apparmor
-# caps.drop all
+#caps.drop all
 caps.keep dac_override,dac_read_search,net_admin,net_raw
 netfilter
 no3d
-# nogroups - breaks network traffic capture for unprivileged users
+#nogroups # breaks network traffic capture for unprivileged users
 noinput
-# nonewprivs - breaks network traffic capture for unprivileged users
+#nonewprivs # breaks network traffic capture for unprivileged users
-# noroot
+#noroot
 nodvd
 nosound
 notv
 nou2f
 novideo
-# protocol unix,inet,inet6,netlink,packet,bluetooth - commented out in case they bring in new protocols
+# commented out in case they bring in new protocols
+#protocol unix,inet,inet6,netlink,packet,bluetooth
 #seccomp
 tracelog
-# private-bin wireshark
+#private-bin wireshark
 private-cache
 # private-dev prevents (some) interfaces from being shown.
 # Add the below line to your wirehsark.local if you only want to inspect pcap files.
 #private-dev
-# private-etc alternatives,ca-certificates,crypto-policies,fonts,group,hosts,machine-id,passwd,pki,resolv.conf,ssl
+#private-etc alternatives,ca-certificates,crypto-policies,fonts,group,hosts,machine-id,passwd,pki,resolv.conf,ssl
 private-tmp
 dbus-user none
diff --git a/etc/profile-m-z/xed.profile b/etc/profile-m-z/xed.profile
index dda803bd5..b47437e2d 100644
--- a/etc/profile-m-z/xed.profile
+++ b/etc/profile-m-z/xed.profile
@@ -23,10 +23,10 @@ include disable-shell.inc
 include whitelist-var-common.inc
-# apparmor - makes settings immutable
+#apparmor # makes settings immutable
 caps.drop all
 machine-id
-# net none - makes settings immutable
+#net none # makes settings immutable
 no3d
 nodvd
 nogroups
@@ -46,9 +46,9 @@ private-dev
 private-tmp
 # makes settings immutable
-# dbus-user none
+#dbus-user none
-# dbus-system none
+#dbus-system none
 # xed uses python plugins, memory-deny-write-execute breaks python
-# memory-deny-write-execute
+#memory-deny-write-execute
 restrict-namespaces
diff --git a/etc/profile-m-z/xfburn.profile b/etc/profile-m-z/xfburn.profile
index 141fda909..96edc15ab 100644
--- a/etc/profile-m-z/xfburn.profile
+++ b/etc/profile-m-z/xfburn.profile
@@ -25,8 +25,8 @@ protocol unix
 seccomp
 tracelog
-# private-bin xfburn
+#private-bin xfburn
-# private-dev
+#private-dev
-# private-tmp
+#private-tmp
 restrict-namespaces
diff --git a/etc/profile-m-z/xfce4-mixer.profile b/etc/profile-m-z/xfce4-mixer.profile
index 9c4fa8293..6c3a5812b 100644
--- a/etc/profile-m-z/xfce4-mixer.profile
+++ b/etc/profile-m-z/xfce4-mixer.profile
@@ -53,5 +53,5 @@ dbus-user.own org.xfce.xfce4-mixer
 dbus-user.talk org.xfce.Xfconf
 dbus-system none
-# memory-deny-write-execute - breaks on Arch
+#memory-deny-write-execute # breaks on Arch
 restrict-namespaces
diff --git a/etc/profile-m-z/xfce4-screenshooter.profile b/etc/profile-m-z/xfce4-screenshooter.profile
index 4d841b35c..9094a7872 100644
--- a/etc/profile-m-z/xfce4-screenshooter.profile
+++ b/etc/profile-m-z/xfce4-screenshooter.profile
@@ -47,5 +47,5 @@ private-tmp
 dbus-user none
 dbus-system none
-# memory-deny-write-execute -- see #3790
+#memory-deny-write-execute # see #3790
 restrict-namespaces
diff --git a/etc/profile-m-z/xmr-stak.profile b/etc/profile-m-z/xmr-stak.profile
index b8bf0ae96..06f0b5833 100644
--- a/etc/profile-m-z/xmr-stak.profile
+++ b/etc/profile-m-z/xmr-stak.profile
@@ -16,6 +16,7 @@ include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.xmr-stak
+whitelist /opt/cuda
 include whitelist-var-common.inc
 caps.drop all
@@ -39,7 +40,6 @@ private-bin xmr-stak
 private-dev
 private-etc @tls-ca
 #private-lib libxmrstak_opencl_backend,libxmrstak_cuda_backend
-private-opt cuda
 private-tmp
 memory-deny-write-execute
diff --git a/etc/profile-m-z/xplayer.profile b/etc/profile-m-z/xplayer.profile
index a673d6aa3..9741888f0 100644
--- a/etc/profile-m-z/xplayer.profile
+++ b/etc/profile-m-z/xplayer.profile
@@ -27,7 +27,7 @@ include whitelist-common.inc
 include whitelist-player-common.inc
 include whitelist-var-common.inc
-# apparmor - makes settings immutable
+#apparmor # makes settings immutable
 caps.drop all
 netfilter
 nogroups
@@ -41,11 +41,11 @@ tracelog
 private-bin xplayer,xplayer-audio-preview,xplayer-video-thumbnailer
 private-dev
-# private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,machine-id,pki,pulse,ssl
+#private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,machine-id,pki,pulse,ssl
 private-tmp
 # makes settings immutable
-# dbus-user none
+#dbus-user none
-# dbus-system none
+#dbus-system none
 restrict-namespaces
diff --git a/etc/profile-m-z/xpra.profile b/etc/profile-m-z/xpra.profile
index 05c12b9a2..b00307394 100644
--- a/etc/profile-m-z/xpra.profile
+++ b/etc/profile-m-z/xpra.profile
@@ -45,11 +45,11 @@ seccomp
 disable-mnt
 # private home directory doesn't work on some distros, so we go for a regular home
-# private
+#private
 # older Xpra versions also use Xvfb
-# private-bin bash,cat,dbus-launch,ldconfig,ls,pactl,python*,sh,strace,which,xauth,xkbcomp,Xorg,xpra,Xvfb
+#private-bin bash,cat,dbus-launch,ldconfig,ls,pactl,python*,sh,strace,which,xauth,xkbcomp,Xorg,xpra,Xvfb
 private-dev
-# private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,machine-id,nsswitch.conf,resolv.conf,X11,xpra
+#private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,machine-id,nsswitch.conf,resolv.conf,X11,xpra
 private-tmp
 restrict-namespaces
diff --git a/etc/profile-m-z/xreader.profile b/etc/profile-m-z/xreader.profile
index 6edbf9357..cad836fdc 100644
--- a/etc/profile-m-z/xreader.profile
+++ b/etc/profile-m-z/xreader.profile
@@ -18,9 +18,9 @@ include disable-programs.inc
 include disable-xdg.inc
 # Breaks xreader on Mint 18.3
-# include whitelist-var-common.inc
+#include whitelist-var-common.inc
-# apparmor
+#apparmor
 caps.drop all
 no3d
 nodvd
diff --git a/etc/profile-m-z/xviewer.profile b/etc/profile-m-z/xviewer.profile
index 6c31df4a9..575c1bf68 100644
--- a/etc/profile-m-z/xviewer.profile
+++ b/etc/profile-m-z/xviewer.profile
@@ -19,9 +19,9 @@ include disable-shell.inc
 include whitelist-var-common.inc
-# apparmor - makes settings immutable
+#apparmor # makes settings immutable
 caps.drop all
-# net none - makes settings immutable
+#net none # makes settings immutable
 no3d
 nodvd
 nogroups
@@ -42,8 +42,8 @@ private-lib
 private-tmp
 # makes settings immutable
-# dbus-user none
+#dbus-user none
-# dbus-system none
+#dbus-system none
 memory-deny-write-execute
 restrict-namespaces
diff --git a/etc/profile-m-z/yelp.profile b/etc/profile-m-z/yelp.profile
index f5dd0c309..f957954dd 100644
--- a/etc/profile-m-z/yelp.profile
+++ b/etc/profile-m-z/yelp.profile
@@ -33,16 +33,14 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
-# machine-id breaks sound - add the next line to your yelp.local if you don't need sound support.
+#machine-id # add this to your yelp.local if you don't need sound support.
-#machine-id
 net none
 nodvd
 nogroups
 noinput
 nonewprivs
 noroot
-# nosound - add the next line to your yelp.local if you don't need sound support.
+#nosound # add this to your yelp.local if you don't need sound support.
-#nosound
 notv
 nou2f
 novideo
diff --git a/etc/profile-m-z/youtube.profile b/etc/profile-m-z/youtube.profile
index 4d1e9a063..0fb87f747 100644
--- a/etc/profile-m-z/youtube.profile
+++ b/etc/profile-m-z/youtube.profile
@@ -1,5 +1,5 @@
 # Firejail profile for youtube
-# Description: Unofficial electron based desktop warpper for YouTube
+# Description: Unofficial electron based desktop wrapper for YouTube
 # This file is overwritten after every install/update
 # Persistent local customizations
 include youtube.local
@@ -15,10 +15,10 @@ include disable-shell.inc
 mkdir ${HOME}/.config/Youtube
 whitelist ${HOME}/.config/Youtube
+whitelist /opt/Youtube
 private-bin electron,electron[0-9],electron[0-9][0-9],youtube
 private-etc @tls-ca,@x11,bumblebee,host.conf,mime.types
-private-opt Youtube
 # Redirect
 include electron-common.profile
diff --git a/etc/profile-m-z/youtubemusic-nativefier.profile b/etc/profile-m-z/youtubemusic-nativefier.profile
index cfee8c426..e5ece41bc 100644
--- a/etc/profile-m-z/youtubemusic-nativefier.profile
+++ b/etc/profile-m-z/youtubemusic-nativefier.profile
@@ -1,8 +1,8 @@
 # Firejail profile for youtubemusic-nativefier
-# Description: Unofficial electron based desktop warpper for YouTube Music
+# Description: Unofficial electron based desktop wrapper for YouTube Music
 # This file is overwritten after every install/update
 # Persistent local customizations
-include youtube.local
+include youtubemusic-nativefier.local
 # Persistent global definitions
 include globals.local
@@ -12,10 +12,10 @@ include disable-shell.inc
 mkdir ${HOME}/.config/youtubemusic-nativefier-040164
 whitelist ${HOME}/.config/youtubemusic-nativefier-040164
+whitelist /opt/youtubemusic-nativefier
 private-bin electron,electron[0-9],electron[0-9][0-9],youtubemusic-nativefier
 private-etc @tls-ca,@x11,bumblebee,host.conf,mime.types
-private-opt youtubemusic-nativefier
 # Redirect
 include electron-common.profile
diff --git a/etc/profile-m-z/ytmdesktop.profile b/etc/profile-m-z/ytmdesktop.profile
index de07e3ddf..ccf5f1e63 100644
--- a/etc/profile-m-z/ytmdesktop.profile
+++ b/etc/profile-m-z/ytmdesktop.profile
@@ -13,9 +13,9 @@ noblacklist ${HOME}/.config/youtube-music-desktop-app
 mkdir ${HOME}/.config/youtube-music-desktop-app
 whitelist ${HOME}/.config/youtube-music-desktop-app
-# private-bin env,ytmdesktop
+#private-bin env,ytmdesktop
 private-etc @tls-ca,@x11,bumblebee,host.conf,mime.types
-# private-opt
+#private-opt
 # Redirect
 include electron-common.profile
diff --git a/etc/profile-m-z/zeal.profile b/etc/profile-m-z/zeal.profile
index 09a1d37a3..d576dbefd 100644
--- a/etc/profile-m-z/zeal.profile
+++ b/etc/profile-m-z/zeal.profile
@@ -67,5 +67,5 @@ dbus-user.talk org.mozilla.*
 ?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
 dbus-system none
-# memory-deny-write-execute - breaks on Arch
+#memory-deny-write-execute # breaks on Arch
 restrict-namespaces
diff --git a/etc/templates/profile.template b/etc/templates/profile.template
index 9329fe297..6299d42cd 100644
--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -196,6 +196,13 @@ include globals.local
 #    Extra: gai.conf,proxychains.conf
 #  Qt: Trolltech.conf
 ##private-lib LIBS
+## Note: private-opt copies the entire path(s) to RAM, which may break
+## file-copy-limit in firejail.config (see firejail(1)).
+## For sizeable apps (if in doubt, do this):
+##  - never use 'private-opt NAME'
+##  - place 'whitelist /opt/NAME' in the whitelist section above
+## For acceptable apps:
+##  - use 'private-opt NAME'
 ##private-opt NAME
 #private-tmp
 ##writable-etc
diff --git a/etc/templates/syscalls.txt b/etc/templates/syscalls.txt
index c33e6d602..569509534 100644
--- a/etc/templates/syscalls.txt
+++ b/etc/templates/syscalls.txt
@@ -47,7 +47,7 @@ Definition of groups
 @obsolete=_sysctl,afs_syscall,bdflush,break,create_module,ftime,get_kernel_syms,getpmsg,gtty,idle,lock,mpx,prof,profil,putpmsg,query_module,security,sgetmask,ssetmask,stty,sysfs,tuxcall,ulimit,uselib,ustat,vserver
 @privileged=@chown,@clock,@module,@raw-io,@reboot,@swap,_sysctl,acct,bpf,capset,chroot,fanotify_init,mount,nfsservctl,open_by_handle_at,pivot_root,quotactl,setdomainname,setfsuid,setfsuid32,setgroups,setgroups32,sethostname,setresuid,setresuid32,setreuid,setreuid32,setuid,setuid32,umount2,vhangup
 @process=arch_prctl,capget,clone,clone3,execveat,fork,getrusage,kill,pidfd_open,pidfd_send_signal,prctl,rt_sigqueueinfo,rt_tgsigqueueinfo,setns,swapcontext,tgkill,times,tkill,unshare,vfork,wait4,waitid,waitpid
-@raw-io=ioperm,iopl,pciconfig_iobase,pciconfig_read,pciconfig_write,s390_mmio_read,s390_mmio_write
+@raw-io=ioperm,iopl,pciconfig_iobase,pciconfig_read,pciconfig_write,s390_pci_mmio_read,s390_pci_mmio_write
 @reboot=kexec_load,kexec_file_load,reboot
 @resources=ioprio_set,mbind,migrate_pages,move_pages,nice,sched_setaffinity,sched_setattr,sched_setparam,sched_setscheduler,set_mempolicy
 @setuid=setgid,setgid32,setgroups,setgroups32,setregid,setregid32,setresgid,setresgid32,setresuid,setresuid32,setreuid,setreuid32,setuid,setuid32