diff -Nru firejail-0.9.64/configure firejail-0.9.64.4/configure --- firejail-0.9.64/configure 2020-10-21 11:45:13.000000000 +0000 +++ firejail-0.9.64.4/configure 2021-02-05 22:05:18.000000000 +0000 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for firejail 0.9.64. +# Generated by GNU Autoconf 2.69 for firejail 0.9.64.4. # # Report bugs to . # @@ -580,8 +580,8 @@ # Identity of this package. PACKAGE_NAME='firejail' PACKAGE_TARNAME='firejail' -PACKAGE_VERSION='0.9.64' -PACKAGE_STRING='firejail 0.9.64' +PACKAGE_VERSION='0.9.64.4' +PACKAGE_STRING='firejail 0.9.64.4' PACKAGE_BUGREPORT='netblue30@protonmail.com' PACKAGE_URL='https://firejail.wordpress.com' @@ -644,6 +644,7 @@ HAVE_FIRETUNNEL HAVE_GAWK HAVE_MAN +HAVE_USERTMPFS HAVE_OVERLAYFS HAVE_DBUSPROXY EXTRA_LDFLAGS @@ -710,7 +711,7 @@ enable_analyzer enable_apparmor enable_dbusproxy -enable_overlayfs +enable_usertmpfs enable_man enable_firetunnel enable_private_home @@ -1292,7 +1293,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures firejail 0.9.64 to adapt to many kinds of systems. +\`configure' configures firejail 0.9.64.4 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1354,7 +1355,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of firejail 0.9.64:";; + short | recursive ) echo "Configuration of firejail 0.9.64.4:";; esac cat <<\_ACEOF @@ -1365,7 +1366,7 @@ --enable-analyzer enable GCC 10 static analyzer --enable-apparmor enable apparmor --disable-dbusproxy disable dbus proxy - --disable-overlayfs disable overlayfs + --disable-usertmpfs disable tmpfs as regular user --disable-man disable man pages --disable-firetunnel disable firetunnel --disable-private-home disable private home feature 
@@ -1470,7 +1471,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -firejail configure 0.9.64 +firejail configure 0.9.64.4 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -1772,7 +1773,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by firejail $as_me 0.9.64, which was +It was created by firejail $as_me 0.9.64.4, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -3527,15 +3528,26 @@ fi +# overlayfs features temporarely disabled pending fixes HAVE_OVERLAYFS="" -# Check whether --enable-overlayfs was given. -if test "${enable_overlayfs+set}" = set; then : - enableval=$enable_overlayfs; + +# +#AC_ARG_ENABLE([overlayfs], +# AS_HELP_STRING([--disable-overlayfs], [disable overlayfs])) +#AS_IF([test "x$enable_overlayfs" != "xno"], [ +# HAVE_OVERLAYFS="-DHAVE_OVERLAYFS" +# AC_SUBST(HAVE_OVERLAYFS) +#]) + +HAVE_USERTMPS="" +# Check whether --enable-usertmpfs was given. +if test "${enable_usertmpfs+set}" = set; then : + enableval=$enable_usertmpfs; fi -if test "x$enable_overlayfs" != "xno"; then : +if test "x$enable_usertmpfs" != "xno"; then : - HAVE_OVERLAYFS="-DHAVE_OVERLAYFS" + HAVE_USERTMPFS="-DHAVE_USERTMPFS" fi 
@@ -4257,7 +4269,7 @@ ac_config_files="$ac_config_files mkdeb.sh" -ac_config_files="$ac_config_files Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile src/profstats/Makefile src/man/Makefile" +ac_config_files="$ac_config_files Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile src/profstats/Makefile src/man/Makefile test/Makefile" cat >confcache <<\_ACEOF # This file is a shell script that caches the results of configure @@ -4801,7 +4813,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by firejail $as_me 0.9.64, which was +This file was extended by firejail $as_me 0.9.64.4, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -4855,7 +4867,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -firejail config.status 0.9.64 +firejail config.status 0.9.64.4 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" 
@@ -4988,6 +5000,7 @@ "src/fsec-optimize/Makefile") CONFIG_FILES="$CONFIG_FILES src/fsec-optimize/Makefile" ;; "src/profstats/Makefile") CONFIG_FILES="$CONFIG_FILES src/profstats/Makefile" ;; "src/man/Makefile") CONFIG_FILES="$CONFIG_FILES src/man/Makefile" ;; + "test/Makefile") CONFIG_FILES="$CONFIG_FILES test/Makefile" ;; *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;; esac @@ -5463,6 +5476,7 @@ echo " file transfer support: $HAVE_FILE_TRANSFER" echo " overlayfs support: $HAVE_OVERLAYFS" echo " DBUS proxy support: $HAVE_DBUSPROXY" +echo " allow tmpfs as regular user: $HAVE_USERTMPFS" echo " Manpage support: $HAVE_MAN" echo " firetunnel support: $HAVE_FIRETUNNEL" echo " busybox workaround: $BUSYBOX_WORKAROUND" diff -Nru firejail-0.9.64/configure.ac firejail-0.9.64.4/configure.ac --- firejail-0.9.64/configure.ac 2020-10-21 11:43:57.000000000 +0000 +++ firejail-0.9.64.4/configure.ac 2021-02-05 22:05:05.000000000 +0000 @@ -12,7 +12,7 @@ # AC_PREREQ([2.68]) -AC_INIT(firejail, 0.9.64, netblue30@protonmail.com, , https://firejail.wordpress.com) +AC_INIT(firejail, 0.9.64.4, netblue30@protonmail.com, , https://firejail.wordpress.com) AC_CONFIG_SRCDIR([src/firejail/main.c]) AC_CONFIG_MACRO_DIR([m4]) 
@@ -66,12 +66,23 @@ AC_SUBST(HAVE_DBUSPROXY) ]) +# overlayfs features temporarely disabled pending fixes HAVE_OVERLAYFS="" -AC_ARG_ENABLE([overlayfs], - AS_HELP_STRING([--disable-overlayfs], [disable overlayfs])) -AS_IF([test "x$enable_overlayfs" != "xno"], [ - HAVE_OVERLAYFS="-DHAVE_OVERLAYFS" - AC_SUBST(HAVE_OVERLAYFS) +AC_SUBST(HAVE_OVERLAYFS) +# +#AC_ARG_ENABLE([overlayfs], +# AS_HELP_STRING([--disable-overlayfs], [disable overlayfs])) +#AS_IF([test "x$enable_overlayfs" != "xno"], [ +# HAVE_OVERLAYFS="-DHAVE_OVERLAYFS" +# AC_SUBST(HAVE_OVERLAYFS) +#]) + +HAVE_USERTMPS="" +AC_ARG_ENABLE([usertmpfs], + AS_HELP_STRING([--disable-usertmpfs], [disable tmpfs as regular user])) +AS_IF([test "x$enable_usertmpfs" != "xno"], [ + HAVE_USERTMPFS="-DHAVE_USERTMPFS" + AC_SUBST(HAVE_USERTMPFS) ]) HAVE_MAN="no" @@ -223,7 +234,7 @@ AC_OUTPUT(Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile \ src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile \ src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile \ -src/profstats/Makefile src/man/Makefile) +src/profstats/Makefile src/man/Makefile test/Makefile) echo echo "Configuration options:" @@ -240,6 +251,7 @@ echo " file transfer support: $HAVE_FILE_TRANSFER" echo " overlayfs support: $HAVE_OVERLAYFS" echo " DBUS proxy support: $HAVE_DBUSPROXY" +echo " allow tmpfs as regular user: $HAVE_USERTMPFS" echo " Manpage support: $HAVE_MAN" echo " firetunnel support: $HAVE_FIRETUNNEL" echo " busybox workaround: $BUSYBOX_WORKAROUND" diff -Nru firejail-0.9.64/contrib/firejail-welcome.sh firejail-0.9.64.4/contrib/firejail-welcome.sh --- firejail-0.9.64/contrib/firejail-welcome.sh 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.64.4/contrib/firejail-welcome.sh 2021-02-04 15:29:49.000000000 +0000 
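Review bot: The new usertmpfs block initialises `HAVE_USERTMPS=""` but every other reference in the hunk is `HAVE_USERTMPFS` (the AS_IF assignment, `AC_SUBST(HAVE_USERTMPFS)` and the summary `echo`), so the real variable is never cleared and that line is dead; it should read `HAVE_USERTMPFS=""`, and the same misspelling has already propagated into the shipped `configure` at `HAVE_USERTMPS=""`, so that file needs regenerating as well. Because `@HAVE_USERTMPFS@` substitutes an unset variable as empty, the mistake is masked today and will only surface when someone renames or reuses the variable. The comment `# overlayfs features temporarely disabled pending fixes` misspells "temporarily" and, given the changelog in this same upload attributes the removal to a local privilege escalation, should say so, e.g. `# overlayfs support disabled pending a fix for the reported local privilege escalation; do not re-enable without it`. Note also that the new option defaults to on, so "allow tmpfs as regular user" is compiled in unless the packager passes `--disable-usertmpfs`.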
@@ -0,0 +1,128 @@ +#!/bin/bash + +# This file is part of Firejail project +# Copyright (C) 2020 Firejail Authors +# License GPL v2 + +if ! command -v zenity >/dev/null; then + echo "Please install zenity." + exit 1 +fi +if ! command -v sudo >/dev/null; then + echo "Please install sudo." + exit 1 +fi + +export LANG=en_US.UTF8 + +zenity --title=firejail-welcome.sh --text-info --width=750 --height=500 <.local in ~/.config/firejal. + +Firejail's own configuration can be found at /etc/firejail/firejail.config. + +Please note that running this script a second time can set new options, but does not unset options +set in a previous run. + +Website: https://firejail.wordpress.com +Bug-Tracker: https://github.com/netblue30/firejail/issues +Documentation: +- https://github.com/netblue30/firejail/wiki +- https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions +- https://firejail.wordpress.com/documentation-2 +- man:firejail(1) and man:firejail-profile(5) + +PS: If you have any improvements for this script, open an issue or pull request. +EOM +[[ $? -eq 1 ]] && exit 0 + +sed_scripts=() + +read -r -d $'\0' MSG_Q_BROWSER_DISABLE_U2F <Should browsers be allowed to access u2f hardware? +EOM + +read -r -d $'\0' MSG_Q_BROWSER_ALLOW_DRM <Should browsers be able to play DRM content? + +\$HOME is noexec,nodev,nosuid by default for the most sandboxes. This means that executing programs which are located in \$HOME, +is forbidden, the setuid attribute on files is ignored and device files inside \$HOME don't work. Browsers install proprietary +DRM plug-ins such as Widevine under \$HOME by default. In order to use them, \$HOME must be mounted exec inside the sandbox to +allow their execution. Clearly, this may help an attacker to start malicious code. + +NOTE: Other software written in an interpreter language such as bash, python or java can always be started from \$HOME. + +HINT: If /home has its own partition, you can mount it nodev,nosuid for all programs. 
+EOM + +read -r -d $'\0' MSG_L_ADVANCED_OPTIONS <Should most programs be started in firejail by default? +EOM + +read -r -d $'\0' MSG_I_ROOT_REQUIRED < Sat, 31 Oct 2020 14:52:57 +0100 + -- Reiner Herrmann Mon, 08 Feb 2021 18:45:09 +0100 + +firejail (0.9.64.4-1) unstable; urgency=high + + * New upstream release. + - disable overlayfs support because of security issue (local privilege + escalation). (CVE pending) + * Drop d/clean. + + -- Reiner Herrmann Mon, 08 Feb 2021 18:23:11 +0100 + +firejail (0.9.64.2-1) unstable; urgency=medium + + * New upstream release. + * Fix paths of docs referenced in manpages. (Closes: #975980) + * Bump Standards-Version to 4.5.1. + * Don't compress contrib scripts. + * Drop removed and move renamed conffile. + * Prevent fixing permissions of binaries expected to be execute-only. + * Remove leftover Makefile. + + -- Reiner Herrmann Sat, 30 Jan 2021 14:28:46 +0100 firejail (0.9.64-1) unstable; urgency=medium diff -Nru firejail-0.9.64/debian/control firejail-0.9.64.4/debian/control --- firejail-0.9.64/debian/control 2020-10-31 13:52:24.000000000 +0000 +++ firejail-0.9.64.4/debian/control 2021-02-08 17:44:44.000000000 +0000 @@ -3,7 +3,7 @@ Priority: optional Maintainer: Reiner Herrmann Build-Depends: debhelper (>= 9), dh-apparmor, gawk, libapparmor-dev, libselinux1-dev, pkg-config -Standards-Version: 4.5.0 +Standards-Version: 4.5.1 Rules-Requires-Root: no Homepage: https://firejail.wordpress.com Vcs-Git: https://salsa.debian.org/reiner/firejail.git diff -Nru firejail-0.9.64/debian/firejail.docs firejail-0.9.64.4/debian/firejail.docs --- firejail-0.9.64/debian/firejail.docs 2020-10-05 20:12:39.000000000 +0000 +++ firejail-0.9.64.4/debian/firejail.docs 2020-12-14 17:17:46.000000000 +0000 
@@ -1,3 +1,3 @@ README contrib -etc/templates +etc/templates/* diff -Nru firejail-0.9.64/debian/firejail.maintscript firejail-0.9.64.4/debian/firejail.maintscript --- firejail-0.9.64/debian/firejail.maintscript 2019-12-30 17:03:50.000000000 +0000 +++ firejail-0.9.64.4/debian/firejail.maintscript 2021-01-29 18:41:01.000000000 +0000 @@ -160,3 +160,5 @@ rm_conffile /etc/firejail/xzdec.profile 0.9.46~rc1~ rm_conffile /etc/firejail/zathura.profile 0.9.46~rc1~ rm_conffile /etc/apparmor.d/local/firejail-local 0.9.58.2-1~ +rm_conffile /etc/firejail/softmaker-common.inc 0.9.64.2-1~ +mv_conffile /etc/firejail/whitelist-players.inc /etc/firejail/whitelist-player-common.inc 0.9.64.2-1~ diff -Nru firejail-0.9.64/debian/rules firejail-0.9.64.4/debian/rules --- firejail-0.9.64/debian/rules 2020-10-31 13:52:35.000000000 +0000 +++ firejail-0.9.64.4/debian/rules 2021-02-08 17:44:26.000000000 +0000 @@ -11,7 +11,7 @@ dh_auto_configure -- --enable-apparmor --enable-selinux --enable-contrib-install=no override_dh_fixperms-arch: - dh_fixperms + dh_fixperms -Xfshaper.sh -Xfcopy -Xfldd -Xfnet -Xfnetfilter -Xfsec-optimize -Xfsec-print -Xfseccomp chmod 4755 debian/firejail/usr/bin/firejail override_dh_installchangelogs: @@ -32,3 +32,6 @@ override_dh_auto_test: # skip tests here as they are run as autopkgtest + +override_dh_compress: + dh_compress -Xsyscalls.txt -Xprofile.template -Xcontrib diff -Nru firejail-0.9.64/etc/apparmor/firejail-default firejail-0.9.64.4/etc/apparmor/firejail-default --- firejail-0.9.64/etc/apparmor/firejail-default 2020-10-13 11:43:23.000000000 +0000 +++ firejail-0.9.64.4/etc/apparmor/firejail-default 2021-02-04 15:29:49.000000000 +0000 
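Review bot: The new `dh_fixperms -X…` exclusion list is the security-relevant half of this target — the next line makes `firejail` setuid root and the changelog says these helpers are meant to stay execute-only — yet it is a bare list of flags with no comment. debhelper's `-X` matches the pattern anywhere in the path, so `-Xfnet` already covers `fnetfilter`, and any future file whose name contains one of these fragments will silently keep whatever mode the build left on it; a one-line comment such as `# helpers are run only by the setuid firejail binary: keep them execute-only, do not let dh_fixperms open them up` would preserve the intent, which the flags alone cannot express.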
@@ -112,7 +112,8 @@ network unix, network netlink, network raw, -# needed for wireshark +# needed for wireshark, tcpdump etc +network bluetooth, network packet, ########## diff -Nru firejail-0.9.64/etc/inc/allow-bin-sh.inc firejail-0.9.64.4/etc/inc/allow-bin-sh.inc --- firejail-0.9.64/etc/inc/allow-bin-sh.inc 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.64.4/etc/inc/allow-bin-sh.inc 2021-02-04 15:29:49.000000000 +0000 @@ -0,0 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include allow-bin-sh.local + +noblacklist ${PATH}/bash +noblacklist ${PATH}/dash +noblacklist ${PATH}/sh diff -Nru firejail-0.9.64/etc/inc/allow-common-devel.inc firejail-0.9.64.4/etc/inc/allow-common-devel.inc --- firejail-0.9.64/etc/inc/allow-common-devel.inc 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/inc/allow-common-devel.inc 2021-02-04 15:29:49.000000000 +0000 @@ -11,6 +11,15 @@ noblacklist ${HOME}/.gradle noblacklist ${HOME}/.java +# Node.js +noblacklist ${HOME}/.node-gyp +noblacklist ${HOME}/.npm +noblacklist ${HOME}/.npmrc +noblacklist ${HOME}/.yarn +noblacklist ${HOME}/.yarn-config +noblacklist ${HOME}/.yarncache +noblacklist ${HOME}/.yarnrc + # Python noblacklist ${HOME}/.pylint.d noblacklist ${HOME}/.python-history diff -Nru firejail-0.9.64/etc/inc/allow-lua.inc firejail-0.9.64.4/etc/inc/allow-lua.inc --- firejail-0.9.64/etc/inc/allow-lua.inc 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/inc/allow-lua.inc 2021-02-04 15:29:49.000000000 +0000 
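Review bot: `network bluetooth,` is added beneath a comment that justifies it for wireshark and tcpdump, but this file is `etc/apparmor/firejail-default`, which by its name is the profile every sandbox using `apparmor` is confined by, so the new socket family appears to be granted to all of them rather than just capture tools. The per-application `protocol` line remains the place to narrow it, and the comment should make the scope explicit so the grant is not mistaken for a targeted one: `# needed for wireshark, tcpdump etc. — NOTE: applies to every sandbox confined by this profile; narrow per application with "protocol"`.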
@@ -6,5 +6,7 @@ noblacklist /usr/include noblacklist /usr/lib/liblua* noblacklist /usr/lib/lua +noblacklist /usr/lib64/liblua* +noblacklist /usr/lib64/lua noblacklist /usr/share/lua noblacklist /usr/share/lua* diff -Nru firejail-0.9.64/etc/inc/allow-nodejs.inc firejail-0.9.64.4/etc/inc/allow-nodejs.inc --- firejail-0.9.64/etc/inc/allow-nodejs.inc 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.64.4/etc/inc/allow-nodejs.inc 2021-02-04 15:29:49.000000000 +0000 @@ -0,0 +1,6 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include allow-nodejs.local + +noblacklist ${PATH}/node +noblacklist /usr/include/node diff -Nru firejail-0.9.64/etc/inc/allow-perl.inc firejail-0.9.64.4/etc/inc/allow-perl.inc --- firejail-0.9.64/etc/inc/allow-perl.inc 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/inc/allow-perl.inc 2021-02-04 15:29:49.000000000 +0000 @@ -8,4 +8,5 @@ noblacklist ${PATH}/site_perl noblacklist ${PATH}/vendor_perl noblacklist /usr/lib/perl* +noblacklist /usr/lib64/perl* noblacklist /usr/share/perl* diff -Nru firejail-0.9.64/etc/inc/archiver-common.inc firejail-0.9.64.4/etc/inc/archiver-common.inc --- firejail-0.9.64/etc/inc/archiver-common.inc 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.64.4/etc/inc/archiver-common.inc 2021-02-04 15:29:49.000000000 +0000 
@@ -0,0 +1,53 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include archiver-common.local
+
+# common profile for archiver/compression tools
+
+blacklist ${RUNUSER}
+
+# WARNING:
+# Users can (un)restrict file access for **all** archivers by commenting/uncommenting the needed
+# include file(s) here or by putting those into archiver-common.local.
+# Another option is to do this **per archiver** in the relevant .local.
+# Just beware that things tend to break when overtightening profiles. For example, because you only
+# need to (un)compress files in ${DOWNLOADS}, other applications may need access to ${HOME}/.local/share.
+
+# Uncomment the next line (or put it into your archiver-common.local) if you don't need to compress files in disable-common.inc.
+#include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+# Uncomment the next line (or put it into your archiver-common.local) if you don't need to compress files in disable-programs.inc.
+#include disable-programs.inc
+include disable-shell.inc
+
+apparmor
+caps.drop all
+hostname archiver
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+#noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+private-cache
+private-dev
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff -Nru firejail-0.9.64/etc/inc/chromium-common-hardened.inc firejail-0.9.64.4/etc/inc/chromium-common-hardened.inc
--- firejail-0.9.64/etc/inc/chromium-common-hardened.inc 1970-01-01 00:00:00.000000000 +0000
+++ firejail-0.9.64.4/etc/inc/chromium-common-hardened.inc 2021-02-04 15:29:49.000000000 +0000
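Review bot: `#noroot` is commented out without a reason, unlike the two `#include` lines above it that each explain when to uncomment them, so a reader cannot tell whether the user namespace is off because archivers break under it or by oversight; put the reason inline, e.g. `# noroot disabled: <reason> — re-enable once confirmed archivers still work` above the `#noroot` line. The WARNING block explains that `include disable-common.inc` and `include disable-programs.inc` are off by default, but it never states plainly that the default therefore leaves every path those includes normally blacklist visible to each archiver using this file; one sentence there, `# NOTE: by default this profile does NOT hide the paths listed in disable-common.inc/disable-programs.inc`, would set expectations. The rest of the block (`net none`, `caps.drop all`, `seccomp`, `memory-deny-write-execute`, `x11 none`) reads as intended for an offline command-line tool.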
@@ -0,0 +1,5 @@ +caps.drop all +nonewprivs +noroot +protocol unix,inet,inet6,netlink +seccomp !chroot diff -Nru firejail-0.9.64/etc/inc/disable-common.inc firejail-0.9.64.4/etc/inc/disable-common.inc --- firejail-0.9.64/etc/inc/disable-common.inc 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/inc/disable-common.inc 2021-02-04 15:29:49.000000000 +0000 @@ -69,6 +69,7 @@ #?HAS_X11: blacklist /tmp/.ICE-unix # KDE config +blacklist ${HOME}/.cache/konsole blacklist ${HOME}/.config/khotkeysrc blacklist ${HOME}/.config/krunnerrc blacklist ${HOME}/.config/kscreenlockerrc @@ -76,6 +77,7 @@ blacklist ${HOME}/.config/kwalletrc blacklist ${HOME}/.config/kwinrc blacklist ${HOME}/.config/kwinrulesrc +blacklist ${HOME}/.config/plasma-locale-settings.sh blacklist ${HOME}/.config/plasma-org.kde.plasma.desktop-appletsrc blacklist ${HOME}/.config/plasmashellrc blacklist ${HOME}/.config/plasmavaultrc @@ -106,6 +108,7 @@ blacklist ${HOME}/.local/share/plasma blacklist ${HOME}/.local/share/plasmashell blacklist ${HOME}/.local/share/solid +blacklist /tmp/konsole-*.history read-only ${HOME}/.cache/ksycoca5_* read-only ${HOME}/.config/*notifyrc read-only ${HOME}/.config/kdeglobals @@ -144,6 +147,8 @@ # gnome # contains extensions, last used times of applications, and notifications blacklist ${HOME}/.local/share/gnome-shell +# contains recently used files and serials of static/removable storage +blacklist ${HOME}/.local/share/gvfs-metadata # no direct modification of dconf database read-only ${HOME}/.config/dconf blacklist ${RUNUSER}/gnome-session-leader-fifo @@ -263,9 +268,11 @@ read-only ${HOME}/.csh_files read-only ${HOME}/.cshrc read-only ${HOME}/.forward +read-only ${HOME}/.kshrc read-only ${HOME}/.local/share/fish read-only ${HOME}/.login read-only ${HOME}/.logout +read-only ${HOME}/.mkshrc read-only ${HOME}/.oh-my-zsh read-only ${HOME}/.pam_environment read-only ${HOME}/.pgpkey 
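Review bot: `seccomp !chroot` punches chroot(2) out of the default seccomp filter in a file named `chromium-common-hardened.inc`, with nothing saying why, so the next person tightening the profile will not know whether removing the exception breaks the browser. Record the reason as a comment: `# chroot is exempted from the filter, presumably for the browser's own sandbox setup — confirm before removing`. A header line saying which profiles are expected to include this file would also match the other new `.inc` files in this release (`allow-bin-sh.inc`, `allow-nodejs.inc`, `archiver-common.inc`), which all open with the "overwritten during software install / use a .local" banner.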
@@ -273,6 +280,7 @@ read-only ${HOME}/.profile read-only ${HOME}/.project read-only ${HOME}/.tcshrc +read-only ${HOME}/.zfunc read-only ${HOME}/.zlogin read-only ${HOME}/.zlogout read-only ${HOME}/.zprofile @@ -295,12 +303,14 @@ read-only ${HOME}/.gvimrc read-only ${HOME}/.homesick read-only ${HOME}/.iscreenrc +read-only ${HOME}/.local/lib read-only ${HOME}/.local/share/cool-retro-term read-only ${HOME}/.mailcap read-only ${HOME}/.msmtprc read-only ${HOME}/.mutt/muttrc read-only ${HOME}/.muttrc read-only ${HOME}/.nano +read-only ${HOME}/.npmrc read-only ${HOME}/.pythonrc.py read-only ${HOME}/.reportbugrc read-only ${HOME}/.tmux.conf @@ -309,6 +319,7 @@ read-only ${HOME}/.vimrc read-only ${HOME}/.xmonad read-only ${HOME}/.xscreensaver +read-only ${HOME}/.yarnrc read-only ${HOME}/_exrc read-only ${HOME}/_gvimrc read-only ${HOME}/_vimrc @@ -480,6 +491,7 @@ blacklist ${RUNUSER}/doc blacklist ${RUNUSER}/.dbus-proxy blacklist ${RUNUSER}/.flatpak +blacklist ${RUNUSER}/.flatpak-cache blacklist ${RUNUSER}/.flatpak-helper blacklist /usr/share/flatpak noblacklist /var/lib/flatpak/exports 
@@ -505,18 +517,24 @@ # prevent DNS malware attempting to communicate with the server # using regular DNS tools blacklist ${PATH}/dig -blacklist ${PATH}/kdig -blacklist ${PATH}/nslookup -blacklist ${PATH}/host blacklist ${PATH}/dlint -blacklist ${PATH}/dnswalk blacklist ${PATH}/dns2tcp +blacklist ${PATH}/dnssec-* +blacklist ${PATH}/dnswalk +blacklist ${PATH}/drill +blacklist ${PATH}/host blacklist ${PATH}/iodine +blacklist ${PATH}/kdig +blacklist ${PATH}/khost blacklist ${PATH}/knsupdate +blacklist ${PATH}/ldns-* +blacklist ${PATH}/ldnsd +blacklist ${PATH}/nslookup blacklist ${PATH}/resolvectl +blacklist ${PATH}/unbound-host # rest of ${RUNUSER} blacklist ${RUNUSER}/*.lock blacklist ${RUNUSER}/inaccessible -blacklist ${RUNUSER}/update-notifier.pid blacklist ${RUNUSER}/pk-debconf-socket +blacklist ${RUNUSER}/update-notifier.pid diff -Nru firejail-0.9.64/etc/inc/disable-exec.inc firejail-0.9.64.4/etc/inc/disable-exec.inc --- firejail-0.9.64/etc/inc/disable-exec.inc 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/inc/disable-exec.inc 2021-02-04 15:29:49.000000000 +0000 @@ -4,6 +4,7 @@ noexec ${HOME} noexec ${RUNUSER} +noexec /dev/mqueue noexec /dev/shm noexec /tmp # /var is noexec by default for unprivileged users diff -Nru firejail-0.9.64/etc/inc/disable-interpreters.inc firejail-0.9.64.4/etc/inc/disable-interpreters.inc --- firejail-0.9.64/etc/inc/disable-interpreters.inc 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/inc/disable-interpreters.inc 2021-02-04 15:29:49.000000000 +0000 @@ -15,6 +15,8 @@ blacklist /usr/include/lua* blacklist /usr/lib/liblua* blacklist /usr/lib/lua +blacklist /usr/lib64/liblua* +blacklist /usr/lib64/lua blacklist /usr/share/lua* # mozjs 
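Review bot: The growing list under `# prevent DNS malware attempting to communicate with the server` (`dnssec-*`, `drill`, `khost`, `ldns-*`, `unbound-host`, …) is a name-based blacklist, which is not a network control: anything inside the sandbox can still open its own socket to port 53, and an interpreter script or a renamed copy of one of these tools is not on the list. The new entries are fine as removal of convenient tooling, but the comment promises more than the rule delivers; suggest rewording it to `# remove convenient DNS tooling from the sandbox (defence in depth only; use net none / netfilter / protocol to actually restrict DNS traffic)`. The `noexec /dev/mqueue` addition to disable-exec.inc on the same line is a sensible complement to the existing `/dev/shm` and `/tmp` entries.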
@@ -34,6 +36,7 @@ blacklist ${PATH}/site_perl blacklist ${PATH}/vendor_perl blacklist /usr/lib/perl* +blacklist /usr/lib64/perl* blacklist /usr/share/perl* # PHP diff -Nru firejail-0.9.64/etc/inc/disable-programs.inc firejail-0.9.64.4/etc/inc/disable-programs.inc --- firejail-0.9.64/etc/inc/disable-programs.inc 2020-10-17 15:28:33.000000000 +0000 +++ firejail-0.9.64.4/etc/inc/disable-programs.inc 2021-02-04 15:29:49.000000000 +0000 @@ -142,6 +142,7 @@ blacklist ${HOME}/.config/Youtube blacklist ${HOME}/.config/Zeal blacklist ${HOME}/.config/ZeGrapher Project +blacklist ${HOME}/.config/aacs blacklist ${HOME}/.config/abiword blacklist ${HOME}/.config/agenda blacklist ${HOME}/.config/akonadi* @@ -187,8 +188,10 @@ blacklist ${HOME}/.config/clipit blacklist ${HOME}/.config/cliqz blacklist ${HOME}/.config/cmus +blacklist ${HOME}/.config/com.github.bleakgrey.tootle blacklist ${HOME}/.config/corebird blacklist ${HOME}/.config/cower +blacklist ${HOME}/.config/coyim blacklist ${HOME}/.config/darktable blacklist ${HOME}/.config/deadbeef blacklist ${HOME}/.config/deluge @@ -199,6 +202,7 @@ blacklist ${HOME}/.config/discordcanary blacklist ${HOME}/.config/dkl blacklist ${HOME}/.config/dnox +blacklist ${HOME}/.config/dolphin-emu blacklist ${HOME}/.config/dolphinrc blacklist ${HOME}/.config/dragonplayerrc blacklist ${HOME}/.config/draw.io @@ -250,6 +254,7 @@ blacklist ${HOME}/.config/gpicview blacklist ${HOME}/.config/gthumb blacklist ${HOME}/.config/gummi +blacklist ${HOME}/.config/guvcview2 blacklist ${HOME}/.config/gwenviewrc blacklist ${HOME}/.config/hexchat blacklist ${HOME}/.config/homebank @@ -271,6 +276,8 @@ blacklist ${HOME}/.config/kazam blacklist ${HOME}/.config/kdeconnect blacklist ${HOME}/.config/kdenliverc +blacklist ${HOME}/.config/kdiff3fileitemactionrc +blacklist ${HOME}/.config/kdiff3rc blacklist ${HOME}/.config/kfindrc blacklist ${HOME}/.config/kgetrc blacklist ${HOME}/.config/kid3rc 
@@ -290,7 +297,9 @@ blacklist ${HOME}/.config/leafpad blacklist ${HOME}/.config/libreoffice blacklist ${HOME}/.config/liferea +blacklist ${HOME}/.config/linphone blacklist ${HOME}/.config/lugaru +blacklist ${HOME}/.config/lutris blacklist ${HOME}/.config/lximage-qt blacklist ${HOME}/.config/mailtransports blacklist ${HOME}/.local/share/man @@ -298,11 +307,13 @@ blacklist ${HOME}/.config/mate-calc blacklist ${HOME}/.config/mate/eom blacklist ${HOME}/.config/mate/mate-dictionary +blacklist ${HOME}/.config/matrix-mirage blacklist ${HOME}/.config/meld blacklist ${HOME}/.config/meteo-qt blacklist ${HOME}/.config/menulibre.cfg blacklist ${HOME}/.config/mfusion blacklist ${HOME}/.config/Microsoft +blacklist ${HOME}/.config/microsoft-edge-dev blacklist ${HOME}/.config/midori blacklist ${HOME}/.config/mirage blacklist ${HOME}/.config/mono @@ -350,6 +361,7 @@ blacklist ${HOME}/.config/psi+ blacklist ${HOME}/.config/qBittorrent blacklist ${HOME}/.config/qBittorrentrc +blacklist ${HOME}/.config/qnapi.ini blacklist ${HOME}/.config/qpdfview blacklist ${HOME}/.config/qupzilla blacklist ${HOME}/.config/qutebrowser @@ -371,10 +383,12 @@ blacklist ${HOME}/.config/snox blacklist ${HOME}/.config/sound-juicer blacklist ${HOME}/.config/specialmailcollectionsrc +blacklist ${HOME}/.config/spectaclerc blacklist ${HOME}/.config/spotify blacklist ${HOME}/.config/sqlitebrowser blacklist ${HOME}/.config/stellarium blacklist ${HOME}/.config/strawberry +blacklist ${HOME}/.config/straw-viewer blacklist ${HOME}/.config/supertuxkart blacklist ${HOME}/.config/synfig blacklist ${HOME}/.config/teams 
@@ -386,8 +400,11 @@ blacklist ${HOME}/.config/transgui blacklist ${HOME}/.config/transmission blacklist ${HOME}/.config/truecraft +blacklist ${HOME}/.config/tuta_integration +blacklist ${HOME}/.config/tutanota-desktop blacklist ${HOME}/.config/tvbrowser blacklist ${HOME}/.config/uGet +blacklist ${HOME}/.config/ungoogled-chromium blacklist ${HOME}/.config/uzbl blacklist ${HOME}/.config/viewnior blacklist ${HOME}/.config/vivaldi @@ -423,6 +440,7 @@ blacklist ${HOME}/.conkeror.mozdev.org blacklist ${HOME}/.crawl blacklist ${HOME}/.cups +blacklist ${HOME}/.curl-hsts blacklist ${HOME}/.curlrc blacklist ${HOME}/.dashcore blacklist ${HOME}/.devilspie @@ -454,10 +472,7 @@ blacklist ${HOME}/.gist blacklist ${HOME}/.gitconfig blacklist ${HOME}/.gnome/gnome-schedule -blacklist ${HOME}/.googleearth/Cache -blacklist ${HOME}/.googleearth/Temp -blacklist ${HOME}/.googleearth/myplaces.backup.kml -blacklist ${HOME}/.googleearth/myplaces.kml +blacklist ${HOME}/.googleearth blacklist ${HOME}/.gradle blacklist ${HOME}/.gramps blacklist ${HOME}/.guayadeque @@ -545,6 +560,7 @@ blacklist ${HOME}/.kinorc blacklist ${HOME}/.klatexformula blacklist ${HOME}/.kodi +blacklist ${HOME}/.librewolf blacklist ${HOME}/.lincity-ng blacklist ${HOME}/.links blacklist ${HOME}/.linphone-history.db @@ -580,11 +596,13 @@ blacklist ${HOME}/.local/share/apps/korganizer blacklist ${HOME}/.local/share/aspyr-media blacklist ${HOME}/.local/share/autokey +blacklist ${HOME}/.local/share/authenticator-rs blacklist ${HOME}/.local/share/backintime blacklist ${HOME}/.local/share/baloo blacklist ${HOME}/.local/share/barrier blacklist ${HOME}/.local/share/bibletime blacklist ${HOME}/.local/share/bijiben +blacklist ${HOME}/.local/share/bohemiainteractive blacklist ${HOME}/.local/share/caja-python blacklist ${HOME}/.local/share/cantata blacklist ${HOME}/.local/share/cdprojektred 
@@ -599,6 +617,7 @@ blacklist ${HOME}/.local/share/data/qBittorrent blacklist ${HOME}/.local/share/dino blacklist ${HOME}/.local/share/dolphin +blacklist ${HOME}/.local/share/dolphin-emu blacklist ${HOME}/.local/share/emailidentities blacklist ${HOME}/.local/share/epiphany blacklist ${HOME}/.local/share/evolution @@ -652,12 +671,15 @@ blacklist ${HOME}/.local/share/kwrite blacklist ${HOME}/.local/share/kxmlgui5/* blacklist ${HOME}/.local/share/liferea +blacklist ${HOME}/.local/share/linphone blacklist ${HOME}/.local/share/local-mail blacklist ${HOME}/.local/share/lollypop blacklist ${HOME}/.local/share/love blacklist ${HOME}/.local/share/lugaru +blacklist ${HOME}/.local/share/lutris blacklist ${HOME}/.local/share/mana blacklist ${HOME}/.local/share/maps-places.json +blacklist ${HOME}/.local/share/matrix-mirage blacklist ${HOME}/.local/share/meld blacklist ${HOME}/.local/share/midori blacklist ${HOME}/.local/share/mirage @@ -690,6 +712,7 @@ blacklist ${HOME}/.local/share/rhythmbox blacklist ${HOME}/.local/share/rtv blacklist ${HOME}/.local/share/scribus +blacklist ${HOME}/.local/share/shotwell blacklist ${HOME}/.local/share/signal-cli blacklist ${HOME}/.local/share/sink blacklist ${HOME}/.local/share/smuxi @@ -741,6 +764,9 @@ blacklist ${HOME}/.newsbeuter blacklist ${HOME}/.newsboat blacklist ${HOME}/.nicotine +blacklist ${HOME}/.node-gyp +blacklist ${HOME}/.npm +blacklist ${HOME}/.npmrc blacklist ${HOME}/.nv blacklist ${HOME}/.nylas-mail blacklist ${HOME}/.openarena @@ -788,7 +814,7 @@ blacklist ${HOME}/.tb blacklist ${HOME}/.tconn blacklist ${HOME}/.teeworlds -blacklist ${HOME}/.texlive2018 +blacklist ${HOME}/.texlive20* blacklist ${HOME}/.thunderbird blacklist ${HOME}/.tilp blacklist ${HOME}/.tooling 
@@ -827,6 +853,10 @@ blacklist ${HOME}/.xonotic blacklist ${HOME}/.xournalpp blacklist ${HOME}/.xpdfrc +blacklist ${HOME}/.yarn +blacklist ${HOME}/.yarn-config +blacklist ${HOME}/.yarncache +blacklist ${HOME}/.yarnrc blacklist ${HOME}/.zoom blacklist /tmp/akonadi-* blacklist /tmp/ssh-* @@ -878,6 +908,7 @@ blacklist ${HOME}/.cache/discover blacklist ${HOME}/.cache/dnox blacklist ${HOME}/.cache/dolphin +blacklist ${HOME}/.cache/dolphin-emu blacklist ${HOME}/.cache/ephemeral blacklist ${HOME}/.cache/epiphany blacklist ${HOME}/.cache/evolution @@ -926,8 +957,13 @@ blacklist ${HOME}/.cache/kube blacklist ${HOME}/.cache/kwin blacklist ${HOME}/.cache/libgweather +blacklist ${HOME}/.cache/librewolf blacklist ${HOME}/.cache/liferea +blacklist ${HOME}/.cache/lutris blacklist ${HOME}/.cache/Mendeley Ltd. +blacklist ${HOME}/.cache/marker +blacklist ${HOME}/.cache/matrix-mirage +blacklist ${HOME}/.cache/microsoft-edge-dev blacklist ${HOME}/.cache/midori blacklist ${HOME}/.cache/minetest blacklist ${HOME}/.cache/mirage @@ -943,7 +979,7 @@ blacklist ${HOME}/.cache/ms-word-online blacklist ${HOME}/.cache/mutt blacklist ${HOME}/.cache/mypaint -blacklist ${HOME}/.cache/nheko/nheko +blacklist ${HOME}/.cache/nheko blacklist ${HOME}/.cache/netsurf blacklist ${HOME}/.cache/okular blacklist ${HOME}/.cache/opera 
@@ -961,18 +997,21 @@ blacklist ${HOME}/.cache/qupzilla blacklist ${HOME}/.cache/qutebrowser blacklist ${HOME}/.cache/rhythmbox +blacklist ${HOME}/.cache/shotwell blacklist ${HOME}/.cache/simple-scan blacklist ${HOME}/.cache/slimjet blacklist ${HOME}/.cache/smuxi blacklist ${HOME}/.cache/snox blacklist ${HOME}/.cache/spotify blacklist ${HOME}/.cache/strawberry +blacklist ${HOME}/.cache/straw-viewer blacklist ${HOME}/.cache/supertuxkart blacklist ${HOME}/.cache/systemsettings blacklist ${HOME}/.cache/telepathy blacklist ${HOME}/.cache/thunderbird blacklist ${HOME}/.cache/torbrowser blacklist ${HOME}/.cache/transmission +blacklist ${HOME}/.cache/ungoogled-chromium blacklist ${HOME}/.cache/vivaldi blacklist ${HOME}/.cache/vivaldi-snapshot blacklist ${HOME}/.cache/vlc @@ -980,6 +1019,7 @@ blacklist ${HOME}/.cache/warsow-2.1 blacklist ${HOME}/.cache/waterfox blacklist ${HOME}/.cache/wesnoth +blacklist ${HOME}/.cache/winetricks blacklist ${HOME}/.cache/xmms2 blacklist ${HOME}/.cache/xreader blacklist ${HOME}/.cache/yandex-browser diff -Nru firejail-0.9.64/etc/inc/disable-shell.inc firejail-0.9.64.4/etc/inc/disable-shell.inc --- firejail-0.9.64/etc/inc/disable-shell.inc 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/inc/disable-shell.inc 2021-02-04 15:29:49.000000000 +0000 @@ -7,6 +7,8 @@ blacklist ${PATH}/dash blacklist ${PATH}/fish blacklist ${PATH}/ksh +blacklist ${PATH}/mksh +blacklist ${PATH}/oksh blacklist ${PATH}/sh blacklist ${PATH}/tclsh blacklist ${PATH}/tcsh diff -Nru firejail-0.9.64/etc/inc/disable-write-mnt.inc firejail-0.9.64.4/etc/inc/disable-write-mnt.inc --- firejail-0.9.64/etc/inc/disable-write-mnt.inc 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/inc/disable-write-mnt.inc 2021-02-04 15:29:49.000000000 +0000 
@@ -2,7 +2,7 @@
 # Persistent customizations should go in a .local file.
 include disable-write-mnt.local
-read-only /mnt
 read-only /media
-read-only /run/mount
+read-only /mnt
 read-only /run/media
+read-only /run/mount
diff -Nru firejail-0.9.64/etc/inc/firefox-common-addons.inc firejail-0.9.64.4/etc/inc/firefox-common-addons.inc
--- firejail-0.9.64/etc/inc/firefox-common-addons.inc 2020-10-06 12:50:41.000000000 +0000
+++ firejail-0.9.64.4/etc/inc/firefox-common-addons.inc 2021-02-04 15:29:49.000000000 +0000
@@ -2,6 +2,8 @@
 # Persistent customizations should go in a .local file.
 include firefox-common-addons.local
+ignore include whitelist-runuser-common.inc
+
 noblacklist ${HOME}/.config/kgetrc
 noblacklist ${HOME}/.config/okularpartrc
 noblacklist ${HOME}/.config/okularrc
@@ -69,3 +71,20 @@
 # Flash plugin
 # private-etc must first be enabled in firefox-common.profile and in profiles including it.
 #private-etc adobe
+
+# ff2mpv
+#ignore noexec ${HOME}
+#noblacklist ${HOME}/.config/mpv
+#noblacklist ${HOME}/.config/youtube-dl
+#noblacklist ${HOME}/.netrc
+#include allow-lua.inc
+#include allow-python3.inc
+#mkdir ${HOME}/.config/mpv
+#mkdir ${HOME}/.config/youtube-dl
+#whitelist ${HOME}/.config/mpv
+#whitelist ${HOME}/.config/youtube-dl
+#whitelist ${HOME}/.netrc
+#whitelist /usr/share/lua
+#whitelist /usr/share/lua*
+#whitelist /usr/share/vulkan
+#private-bin env,mpv,python3*,waf,youtube-dl
diff -Nru firejail-0.9.64/etc/inc/softmaker-common.inc firejail-0.9.64.4/etc/inc/softmaker-common.inc
--- firejail-0.9.64/etc/inc/softmaker-common.inc 2020-10-06 12:50:41.000000000 +0000
+++ firejail-0.9.64.4/etc/inc/softmaker-common.inc 1970-01-01 00:00:00.000000000 +0000
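Review bot: `ignore include whitelist-runuser-common.inc` at the top of the firefox-common-addons.inc hunk has no comment saying why it is needed, and because this .inc is pulled into the Firefox-family profiles it widens what all of those sandboxes can see under ${RUNUSER}; a one-liner such as `# Drop the ${RUNUSER} whitelist: needed by <addon/reason — TODO fill in>` would record the trade-off. In the commented ff2mpv block, `#ignore noexec ${HOME}` and `#whitelist ${HOME}/.netrc` hand the sandbox an executable home and the user's stored-credentials file once uncommented, which the block does not point out. A comment above `# ff2mpv` noting that `.netrc` holds plaintext credentials and that these lines belong in a .local file (as the file header itself says) would make that visible to anyone enabling the addon. The disable-write-mnt.inc hunk is only a reordering.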
@@ -1,50 +0,0 @@ -# Firejail profile for softmaker-common -# This file is overwritten after every install/update -# Persistent local customizations -include softmaker-common.local -# Persistent global definitions -# added by caller profile -#include globals.local - -# The offical packages install the desktop file under /usr/local/share/applications -# with an absolute Exec line. These files are NOT handelt by firecfg, -# therefore you must manualy copy them in you home and remove '/usr/bin/'. - -noblacklist ${HOME}/SoftMaker - -include disable-common.inc -include disable-devel.inc -include disable-exec.inc -include disable-interpreters.inc -include disable-passwdmgr.inc -include disable-programs.inc - -whitelist /usr/share/office2018 -whitelist /usr/share/freeoffice2018 -include whitelist-usr-share-common.inc -include whitelist-var-common.inc - -apparmor -caps.drop all -ipc-namespace -netfilter -nodvd -nogroups -nonewprivs -noroot -notv -nou2f -novideo -protocol unix,inet,inet6 -seccomp -shell none -tracelog - -private-bin freeoffice-planmaker,freeoffice-presentations,freeoffice-textmaker,planmaker18,planmaker18free,presentations18,presentations18free,sh,textmaker18,textmaker18free -private-cache -private-dev -private-etc ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,SoftMaker,ssl -private-tmp - -dbus-user none -dbus-system none diff -Nru firejail-0.9.64/etc/inc/whitelist-common.inc firejail-0.9.64.4/etc/inc/whitelist-common.inc --- firejail-0.9.64/etc/inc/whitelist-common.inc 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/inc/whitelist-common.inc 2021-02-04 15:29:49.000000000 +0000 
@@ -1,9 +1,11 @@ -# Local customizations come here +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. include whitelist-common.local # common whitelist for all profiles whitelist ${HOME}/.XCompose +whitelist ${HOME}/.alsaequal.bin whitelist ${HOME}/.asoundrc whitelist ${HOME}/.config/ibus whitelist ${HOME}/.config/mimeapps.list @@ -60,11 +62,13 @@ whitelist ${HOME}/.cache/kioexec/krun whitelist ${HOME}/.config/Kvantum whitelist ${HOME}/.config/Trolltech.conf +whitelist ${HOME}/.config/QtProject.conf whitelist ${HOME}/.config/kdeglobals whitelist ${HOME}/.config/kio_httprc whitelist ${HOME}/.config/kioslaverc whitelist ${HOME}/.config/ksslcablacklist whitelist ${HOME}/.config/qt5ct +whitelist ${HOME}/.config/qtcurve whitelist ${HOME}/.kde/share/config/kdeglobals whitelist ${HOME}/.kde/share/config/kio_httprc whitelist ${HOME}/.kde/share/config/kioslaverc diff -Nru firejail-0.9.64/etc/inc/whitelist-player-common.inc firejail-0.9.64.4/etc/inc/whitelist-player-common.inc --- firejail-0.9.64/etc/inc/whitelist-player-common.inc 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.64.4/etc/inc/whitelist-player-common.inc 2021-02-04 15:29:49.000000000 +0000 @@ -0,0 +1,11 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include whitelist-player-common.local + +# common whitelist for all media players + +whitelist ${DESKTOP} +whitelist ${DOWNLOADS} +whitelist ${MUSIC} +whitelist ${PICTURES} +whitelist ${VIDEOS} diff -Nru firejail-0.9.64/etc/inc/whitelist-players.inc firejail-0.9.64.4/etc/inc/whitelist-players.inc --- firejail-0.9.64/etc/inc/whitelist-players.inc 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/inc/whitelist-players.inc 1970-01-01 00:00:00.000000000 +0000 
@@ -1,10 +0,0 @@ -# Local customizations come here -include whitelist-players.local - -# common whitelist for all media players - -whitelist ${DESKTOP} -whitelist ${DOWNLOADS} -whitelist ${MUSIC} -whitelist ${PICTURES} -whitelist ${VIDEOS} diff -Nru firejail-0.9.64/etc/inc/whitelist-runuser-common.inc firejail-0.9.64.4/etc/inc/whitelist-runuser-common.inc --- firejail-0.9.64/etc/inc/whitelist-runuser-common.inc 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/inc/whitelist-runuser-common.inc 2021-02-04 15:29:49.000000000 +0000 @@ -1,4 +1,5 @@ -# Local customizations come here +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. include whitelist-runuser-common.local # common ${RUNUSER} (=/run/user/$UID) whitelist for all profiles @@ -10,3 +11,5 @@ whitelist ${RUNUSER}/.mutter-Xwaylandauth.* whitelist ${RUNUSER}/pulse/native whitelist ${RUNUSER}/wayland-0 +whitelist ${RUNUSER}/wayland-1 +whitelist ${RUNUSER}/xauth_* diff -Nru firejail-0.9.64/etc/inc/whitelist-usr-share-common.inc firejail-0.9.64.4/etc/inc/whitelist-usr-share-common.inc --- firejail-0.9.64/etc/inc/whitelist-usr-share-common.inc 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/inc/whitelist-usr-share-common.inc 2021-02-04 15:29:49.000000000 +0000 @@ -1,4 +1,5 @@ -# Local customizations come here +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. include whitelist-usr-share-common.local # common /usr/share whitelist for all profiles @@ -16,6 +17,7 @@ whitelist /usr/share/file whitelist /usr/share/fontconfig whitelist /usr/share/fonts +whitelist /usr/share/fonts-config whitelist /usr/share/gir-1.0 whitelist /usr/share/gjs-1.0 whitelist /usr/share/glib-2.0 
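Review bot: `whitelist ${RUNUSER}/xauth_*` in the whitelist-runuser-common.inc hunk exposes the X authority cookie file to every profile that includes this common .inc, whether or not the application talks to X11; that is a reasonable default for a shared whitelist, but a comment such as `# X authority file used by X11 applications` would record why it is here, and profiles that set `x11 none` may prefer to blacklist it in their own file. `whitelist ${RUNUSER}/wayland-1` adds one more socket name next to `wayland-0` rather than a pattern; if further compositor sockets are expected, the glob form this patch already uses for blacklisting (`wayland-*`) would avoid a third edit. The whitelist-players.inc deletion is the rename already covered by whitelist-player-common.inc.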
@@ -59,6 +61,8 @@ whitelist /usr/share/texmf whitelist /usr/share/themes whitelist /usr/share/thumbnail.so +whitelist /usr/share/vulkan whitelist /usr/share/X11 whitelist /usr/share/xml +whitelist /usr/share/zenity whitelist /usr/share/zoneinfo diff -Nru firejail-0.9.64/etc/inc/whitelist-var-common.inc firejail-0.9.64.4/etc/inc/whitelist-var-common.inc --- firejail-0.9.64/etc/inc/whitelist-var-common.inc 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/inc/whitelist-var-common.inc 2021-02-04 15:29:49.000000000 +0000 @@ -1,4 +1,5 @@ -# Local customizations come here +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. include whitelist-var-common.local # common /var whitelist for all profiles diff -Nru firejail-0.9.64/etc/net/nolocal6.net firejail-0.9.64.4/etc/net/nolocal6.net --- firejail-0.9.64/etc/net/nolocal6.net 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.64.4/etc/net/nolocal6.net 2021-02-04 15:29:49.000000000 +0000 
@@ -0,0 +1,41 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+
+###################################################################
+# Client filter rejecting local network traffic, with the exception of
+# DNS traffic
+#
+# Usage:
+# firejail --net=eth0 --netfilter6=/etc/firejail/nolocal6.net firefox
+#
+###################################################################
+
+#allow all loopback traffic
+-A INPUT -i lo -j ACCEPT
+
+# no incoming connections
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+# allow ping etc.
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type destination-unreachable -j ACCEPT
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type time-exceeded -j ACCEPT
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type echo-request -j ACCEPT
+# required for ipv6
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-solicitation -j ACCEPT
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-solicitation -j ACCEPT
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-advertisement -j ACCEPT
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-advertisement -j ACCEPT
+
+# accept dns requests going out to a server on the local network
+-A OUTPUT -p udp --dport 53 -j ACCEPT
+
+# drop all local network traffic
+-A OUTPUT -d FC00::/7 -j DROP
+
+# drop multicast traffic
+# required for ipv6
+-A OUTPUT -d ff02::2 -j ACCEPT
+-A OUTPUT -d ff00::/8 -j DROP
+COMMIT
diff -Nru firejail-0.9.64/etc/profile-a-l/0ad.profile firejail-0.9.64.4/etc/profile-a-l/0ad.profile
--- firejail-0.9.64/etc/profile-a-l/0ad.profile 2020-10-06 12:50:41.000000000 +0000
+++ firejail-0.9.64.4/etc/profile-a-l/0ad.profile 2021-02-04 15:29:49.000000000 +0000
@@ -16,6 +16,7 @@
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 mkdir ${HOME}/.cache/0ad
 mkdir ${HOME}/.config/0ad
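Review bot: The final `-A OUTPUT -d ff00::/8 -j DROP` in nolocal6.net also drops the sandbox's outgoing neighbour solicitations, which go to solicited-node multicast addresses (ff02::1:ff00:0/104) rather than to ff02::2, so the sandbox can presumably reach its gateway only while a neighbour entry learned from a router advertisement stays fresh; the `# required for ipv6` comment suggests that was not the intent. Accepting that ICMPv6 type ahead of the multicast drop, `-A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-solicitation -j ACCEPT`, keeps address resolution working without re-opening multicast in general. Separately, `-A OUTPUT -d FC00::/7 -j DROP` covers only unique-local addresses, so link-local destinations (fe80::/10) on the same segment remain reachable, which the header's "rejecting local network traffic" wording does not reflect; either add `-A OUTPUT -d fe80::/10 -j DROP` after the neighbour-solicitation accept or state the limitation in the header comment. The DNS exception is UDP-only, so DNS over TCP to a local resolver is dropped; worth a word in the `# accept dns requests` comment if that is deliberate.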
@@ -40,6 +41,7 @@
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
diff -Nru firejail-0.9.64/etc/profile-a-l/7z.profile firejail-0.9.64.4/etc/profile-a-l/7z.profile
--- firejail-0.9.64/etc/profile-a-l/7z.profile 2020-10-06 12:50:41.000000000 +0000
+++ firejail-0.9.64.4/etc/profile-a-l/7z.profile 2021-02-04 15:29:49.000000000 +0000
@@ -7,41 +7,5 @@
 # Persistent global definitions
 include globals.local
-blacklist ${RUNUSER}/wayland-*
-
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-
-apparmor
-caps.drop all
-hostname 7z
-ipc-namespace
-machine-id
-net none
-no3d
-nodvd
-#nogroups
-nonewprivs
-#noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-x11 none
-
-#private-bin 7z,7z*,p7zip
-private-cache
-private-dev
-
-dbus-user none
-dbus-system none
-
-memory-deny-write-execute
+ignore include disable-shell.inc
+include archiver-common.inc
diff -Nru firejail-0.9.64/etc/profile-a-l/agetpkg.profile firejail-0.9.64.4/etc/profile-a-l/agetpkg.profile
--- firejail-0.9.64/etc/profile-a-l/agetpkg.profile 1970-01-01 00:00:00.000000000 +0000
+++ firejail-0.9.64.4/etc/profile-a-l/agetpkg.profile 2021-02-04 15:29:49.000000000 +0000
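Review bot: `ignore include disable-shell.inc` in the 7z.profile hunk re-enables whatever shells archiver-common.inc presumably blacklists, but nothing says what 7z needs a shell for; a one-liner such as `# 7z needs a shell for <reason — TODO fill in>` would let a later maintainer decide whether it can go again. The old profile's `#private-bin 7z,7z*,p7zip`, `x11 none`, `net none` and `memory-deny-write-execute` lines are removed and archiver-common.inc is not part of this diff, so whether those restrictions survive cannot be checked from the patch. The same question applies to the ar.profile, atool.profile and bsdtar.profile hunks later in this patch, where `private-bin ar` and bsdtar's `# support compressed archives` private-bin list are dropped the same way. If archiver-common.inc intentionally does not set private-bin, those per-profile lines should probably be kept.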
@@ -0,0 +1,60 @@ +# Firejail profile for agetpkg +# Description: CLI tool to list/get/install packages from the Arch Linux Archive +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include agetpkg.local +# Persistent global definitions +include globals.local + +blacklist /tmp/.X11-unix +blacklist ${RUNUSER}/wayland-* + +# Allow python (blacklisted by disable-interpreters.inc) +#include allow-python2.inc +include allow-python3.inc + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +whitelist ${DOWNLOADS} +include whitelist-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +caps.drop all +hostname agetpkg +ipc-namespace +machine-id +noautopulse +netfilter +no3d +nodvd +nogroups +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol inet,inet6 +seccomp +shell none +tracelog + +private-bin agetpkg,python3 +private-cache +private-dev +private-etc ca-certificates,crypto-policies,pki,resolv.conf,ssl +private-tmp + +dbus-user none +dbus-system none + +memory-deny-write-execute diff -Nru firejail-0.9.64/etc/profile-a-l/alacarte.profile firejail-0.9.64.4/etc/profile-a-l/alacarte.profile --- firejail-0.9.64/etc/profile-a-l/alacarte.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/alacarte.profile 2021-02-04 15:29:49.000000000 +0000 
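Review bot: The agetpkg.profile description says the tool can install packages, yet `private-bin agetpkg,python3` together with `noroot` leaves no package manager or privilege-raising binary inside the sandbox, so the install mode presumably cannot work under this profile; either the `# Description:` line should say the profile covers list/get, or a comment should say how install is expected to be run. `noautopulse` sits between `machine-id` and `netfilter`, while the other new profiles in this patch keep the option list alphabetical (`netfilter`, `no3d`, `nodvd`, ...); if that convention is intended it belongs between `no3d` and `nodvd`.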
@@ -0,0 +1,64 @@ +# Firejail profile for alacarte +# Description: Create desktop and menu launchers easily +# This file is overwritten after every install/update +# Persistent local customizations +include alacarte.local +# Persistent global definitions +include globals.local + +include allow-python2.inc +include allow-python3.inc + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-passwdmgr.inc +include disable-xdg.inc + +# Whitelist your system icon directory,varies by distro +whitelist /usr/share/alacarte +whitelist /usr/share/app-info +whitelist /usr/share/desktop-directories +whitelist /usr/share/icons +whitelist /var/lib/app-info/icons +whitelist /var/lib/flatpak/exports/share/applications +whitelist /var/lib/flatpak/exports/share/icons +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +machine-id +net none +nodvd +no3d +nogroups +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix +seccomp +seccomp.block-secondary +shell none +tracelog + +disable-mnt +# private-bin alacarte,bash,python*,sh +private-cache +private-dev +private-etc alternatives,dconf,fonts,gtk-3.0,locale.alias,locale.conf,login.defs,mime.types,nsswitch.conf,passwd,pki,X11,xdg +private-tmp + +dbus-user none +dbus-system none + +read-write ${HOME}/.config/menus +read-write ${HOME}/.gnome/apps +read-write ${HOME}/.local/share/applications +read-write ${HOME}/.local/share/flatpak/exports diff -Nru firejail-0.9.64/etc/profile-a-l/apostrophe.profile firejail-0.9.64.4/etc/profile-a-l/apostrophe.profile --- firejail-0.9.64/etc/profile-a-l/apostrophe.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/apostrophe.profile 2021-02-04 15:29:49.000000000 +0000 
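Review bot: `nodvd` precedes `no3d` in the alacarte.profile hunk, unlike the agetpkg and authenticator-rs profiles added in this patch, which order `no3d` before `nodvd`; swapping the two lines keeps the convention. The commented `# private-bin alacarte,bash,python*,sh` gives no reason for being disabled, and the trailing `read-write` lines grant write access to the launcher and menu directories that decide what the desktop menu executes, which is the program's job but deserves a line such as `# alacarte edits launcher and menu definitions, so these stay writable`. The `# Whitelist your system icon directory,varies by distro` comment lacks a space after the comma.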
@@ -9,6 +9,9 @@
 noblacklist ${DOCUMENTS}
 noblacklist ${PICTURES}
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
+
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python3.inc
diff -Nru firejail-0.9.64/etc/profile-a-l/ardour4.profile firejail-0.9.64.4/etc/profile-a-l/ardour4.profile
--- firejail-0.9.64/etc/profile-a-l/ardour4.profile 2020-10-06 12:50:41.000000000 +0000
+++ firejail-0.9.64.4/etc/profile-a-l/ardour4.profile 2021-02-04 15:29:49.000000000 +0000
@@ -1,5 +1,8 @@
 # Firejail profile alias for ardour5
 # This file is overwritten after every install/update
+# Persistent local customizations
+include ardur4.local
+
 # Redirect
 include ardour5.profile
diff -Nru firejail-0.9.64/etc/profile-a-l/ar.profile firejail-0.9.64.4/etc/profile-a-l/ar.profile
--- firejail-0.9.64/etc/profile-a-l/ar.profile 2020-10-06 12:50:41.000000000 +0000
+++ firejail-0.9.64.4/etc/profile-a-l/ar.profile 2021-02-04 15:29:49.000000000 +0000
@@ -7,42 +7,4 @@
 # Persistent global definitions
 include globals.local
-blacklist ${RUNUSER}/wayland-*
-
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-include disable-shell.inc
-
-apparmor
-caps.drop all
-hostname ar
-ipc-namespace
-machine-id
-net none
-no3d
-nodvd
-nogroups
-nonewprivs
-#noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-x11 none
-
-private-bin ar
-private-cache
-private-dev
-
-dbus-user none
-dbus-system none
-
-memory-deny-write-execute
+include archiver-common.inc
diff -Nru firejail-0.9.64/etc/profile-a-l/assogiate.profile firejail-0.9.64.4/etc/profile-a-l/assogiate.profile
--- firejail-0.9.64/etc/profile-a-l/assogiate.profile 2020-10-06 12:50:41.000000000 +0000
+++ firejail-0.9.64.4/etc/profile-a-l/assogiate.profile 2021-02-04 15:29:49.000000000 +0000
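Review bot: `include ardur4.local` in the ardour4.profile hunk is misspelled, so the persistent-customisation file promised by the comment just above it is never read; it should be `include ardour4.local`, following the `<profile-name>.local` pattern every other alias profile in this patch uses (for example `include bsdcat.local`). Nothing else in that hunk is affected.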
@@ -51,3 +51,4 @@
 dbus-system none
 memory-deny-write-execute
+read-write ${HOME}/.local/share/mime
diff -Nru firejail-0.9.64/etc/profile-a-l/atom.profile firejail-0.9.64.4/etc/profile-a-l/atom.profile
--- firejail-0.9.64/etc/profile-a-l/atom.profile 2020-10-06 12:50:41.000000000 +0000
+++ firejail-0.9.64.4/etc/profile-a-l/atom.profile 2021-02-04 15:29:49.000000000 +0000
@@ -6,31 +6,26 @@
 # Persistent global definitions
 include globals.local
+# Disabled until someone reported positive feedback
+ignore include disable-devel.inc
+ignore include disable-interpreters.inc
+ignore include disable-xdg.inc
+ignore whitelist ${DOWNLOADS}
+ignore include whitelist-common.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+ignore include whitelist-var-common.inc
+ignore apparmor
+ignore disable-mnt
+
 noblacklist ${HOME}/.atom
 noblacklist ${HOME}/.config/Atom
 # Allows files commonly used by IDEs
 include allow-common-devel.inc
-include disable-common.inc
-include disable-exec.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-
-caps.keep sys_admin,sys_chroot
 # net none
-netfilter
-nodvd
-nogroups
 nosound
-notv
-nou2f
-novideo
-shell none
-
-private-cache
-private-dev
-private-tmp
-dbus-user none
-dbus-system none
+# Redirect
+include electron.profile
diff -Nru firejail-0.9.64/etc/profile-a-l/atool.profile firejail-0.9.64.4/etc/profile-a-l/atool.profile
--- firejail-0.9.64/etc/profile-a-l/atool.profile 2020-10-06 12:50:41.000000000 +0000
+++ firejail-0.9.64.4/etc/profile-a-l/atool.profile 2021-02-04 15:29:49.000000000 +0000
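Review bot: The atom.profile hunk removes `caps.keep sys_admin,sys_chroot` and redirects to electron.profile, whose capability settings are not in this diff; if electron.profile drops all capabilities, Atom's Chromium setuid sandbox will presumably fail to start where the user-namespace path is unavailable, so the comment should say why the keep is no longer needed. The `ignore` block (`ignore apparmor`, `ignore disable-mnt`, `ignore include whitelist-common.inc`, ...) weakens the redirect target for every user, and "Disabled until someone reported positive feedback" neither says which of these entries was seen to break Atom nor reads grammatically ("reports"). The same comment and an equally open-ended set of ignores appear in the beaker.profile hunk, where `ignore shell none`, `ignore private-dev` and `ignore private-tmp` go further still. A per-line reason, or a link to the tracking issue, would let these be tightened again later.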
@@ -7,47 +7,12 @@ # Persistent global definitions include globals.local -blacklist ${RUNUSER}/wayland-* - # Allow perl (blacklisted by disable-interpreters.inc) include allow-perl.inc +include archiver-common.inc -include disable-common.inc -# include disable-devel.inc -include disable-exec.inc -include disable-interpreters.inc -include disable-passwdmgr.inc -include disable-programs.inc - -apparmor -caps.drop all -hostname atool -ipc-namespace -machine-id -net none -no3d -nodvd -nogroups -nonewprivs noroot -nosound -notv -nou2f -novideo -protocol unix -seccomp -shell none -tracelog -x11 none -# private-bin atool,perl -private-cache -private-dev # without login.defs atool complains and uses UID/GID 1000 by default private-etc alternatives,group,login.defs,passwd private-tmp - -dbus-user none -dbus-system none - -memory-deny-write-execute diff -Nru firejail-0.9.64/etc/profile-a-l/authenticator-rs.profile firejail-0.9.64.4/etc/profile-a-l/authenticator-rs.profile --- firejail-0.9.64/etc/profile-a-l/authenticator-rs.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/authenticator-rs.profile 2021-02-04 15:29:49.000000000 +0000 
@@ -0,0 +1,55 @@ +# Firejail profile for authenticator-rs +# Description: Rust based 2FA authentication program +# This file is overwritten after every install/update +# Persistent local customizations +include authenticator-rs.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.local/share/authenticator-rs + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +mkdir ${HOME}/.local/share/authenticator-rs +whitelist ${HOME}/.local/share/authenticator-rs +whitelist ${DOWNLOADS} +whitelist /usr/share/uk.co.grumlimited.authenticator-rs +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +netfilter +no3d +nodvd +nogroups +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix,inet,inet6 +seccomp +shell none +tracelog + +disable-mnt +private-bin authenticator-rs +private-cache +private-dev +private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,pki,resolv.conf,ssl,xdg +private-tmp + +dbus-user filter +dbus-user.talk ca.desrt.dconf +dbus-system none diff -Nru firejail-0.9.64/etc/profile-a-l/balsa.profile firejail-0.9.64.4/etc/profile-a-l/balsa.profile --- firejail-0.9.64/etc/profile-a-l/balsa.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/balsa.profile 2021-02-04 15:29:49.000000000 +0000 @@ -9,6 +9,7 @@ noblacklist ${HOME}/.balsa noblacklist ${HOME}/.gnupg noblacklist ${HOME}/.mozilla +noblacklist ${HOME}/.signature noblacklist ${HOME}/mail noblacklist /var/mail noblacklist /var/spool/mail 
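Review bot: The authenticator-rs.profile hunk keeps `netfilter` with `protocol unix,inet,inet6`, puts `resolv.conf`, `ca-certificates` and `ssl` in private-etc and whitelists `${DOWNLOADS}`, but says nothing about why a TOTP generator needs network and download access; if that is for fetching service icons or for backup import/export, a comment above `netfilter` such as `# network access is used for <reason — TODO confirm>` would record it, and users who do not need it could then add `net none` in authenticator-rs.local. The token store under `${HOME}/.local/share/authenticator-rs` is correctly the only home directory whitelisted, and `dbus-user filter` limited to `ca.desrt.dconf` matches the other GTK profiles in this patch.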
@@ -24,10 +25,12 @@ mkdir ${HOME}/.balsa mkdir ${HOME}/.gnupg +mkfile ${HOME}/.signature mkdir ${HOME}/mail whitelist ${HOME}/.balsa whitelist ${HOME}/.gnupg whitelist ${HOME}/.mozilla/firefox/profiles.ini +whitelist ${HOME}/.signature whitelist ${HOME}/mail whitelist ${RUNUSER}/gnupg whitelist /usr/share/balsa @@ -58,9 +61,9 @@ tracelog # disable-mnt -# Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg +# Add "pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg # Add "ignore private-bin" for hyperlinks or have a look at the private-bins in firefox.profile and firefox-common.profile. -private-bin balsa,balsa-ab +private-bin balsa,balsa-ab,gpg,gpg-agent,gpg2,gpgsm private-cache private-dev private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,groups,gtk-2.0,gtk-3.0,hostname,hosts,mailname,passwd,pki,resolv.conf,selinux,ssl,xdg @@ -71,8 +74,9 @@ dbus-user filter dbus-user.own org.desktop.Balsa dbus-user.talk ca.desrt.dconf -dbus-user.talk org.freedesktop.secrets dbus-user.talk org.freedesktop.Notifications +dbus-user.talk org.freedesktop.secrets +dbus-user.talk org.gnome.keyring.SystemPrompter dbus-system none -read-only ${HOME}/.mozilla/firefox/profiles.ini +read-only ${HOME}/.mozilla/firefox/profiles.ini \ No newline at end of file diff -Nru firejail-0.9.64/etc/profile-a-l/baobab.profile firejail-0.9.64.4/etc/profile-a-l/baobab.profile --- firejail-0.9.64/etc/profile-a-l/baobab.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/baobab.profile 2021-02-04 15:29:49.000000000 +0000 
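Review bot: The new balsa.profile ends without a trailing newline (`\ No newline at end of file` follows the re-added `+read-only ${HOME}/.mozilla/firefox/profiles.ini`), which the old file had; restoring it avoids a spurious one-line diff on the next edit. `dbus-user.talk org.gnome.keyring.SystemPrompter` is added without a note, while the surrounding gpg changes (`private-bin balsa,balsa-ab,gpg,gpg-agent,gpg2,gpgsm` and the trimmed `# Add "pinentry-..."` comment) are consistent with each other; a short comment stating what the prompter is needed for (presumably passphrase prompts — TODO confirm) would keep the dbus list reviewable.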
@@ -30,6 +30,7 @@
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
diff -Nru firejail-0.9.64/etc/profile-a-l/beaker.profile firejail-0.9.64.4/etc/profile-a-l/beaker.profile
--- firejail-0.9.64/etc/profile-a-l/beaker.profile 2020-10-06 12:50:41.000000000 +0000
+++ firejail-0.9.64.4/etc/profile-a-l/beaker.profile 2021-02-04 15:29:49.000000000 +0000
@@ -3,17 +3,26 @@
 # Persistent local customizations
 include beaker.local
 # Persistent global definitions
-# added by included profile
-#include globals.local
+include globals.local
-noblacklist ${HOME}/.config/Beaker Browser
+# Disabled until someone reported positive feedback
+ignore include disable-exec.inc
+ignore include disable-xdg.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+ignore include whitelist-var-common.inc
+ignore nou2f
+ignore novideo
+ignore shell none
+ignore disable-mnt
+ignore private-cache
+ignore private-dev
+ignore private-tmp
-include disable-devel.inc
-include disable-interpreters.inc
+noblacklist ${HOME}/.config/Beaker Browser
 mkdir ${HOME}/.config/Beaker Browser
 whitelist ${HOME}/.config/Beaker Browser
-include whitelist-common.inc
 # Redirect
 include electron.profile
diff -Nru firejail-0.9.64/etc/profile-a-l/bibletime.profile firejail-0.9.64.4/etc/profile-a-l/bibletime.profile
--- firejail-0.9.64/etc/profile-a-l/bibletime.profile 2020-10-06 12:50:41.000000000 +0000
+++ firejail-0.9.64.4/etc/profile-a-l/bibletime.profile 2021-02-04 15:29:49.000000000 +0000
@@ -26,6 +26,7 @@ whitelist ${HOME}/.sword whitelist ${HOME}/.local/share/bibletime whitelist /usr/share/bibletime +whitelist /usr/share/doc/bibletime whitelist /usr/share/sword include whitelist-common.inc include whitelist-usr-share-common.inc diff -Nru firejail-0.9.64/etc/profile-a-l/bijiben.profile firejail-0.9.64.4/etc/profile-a-l/bijiben.profile --- firejail-0.9.64/etc/profile-a-l/bijiben.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/bijiben.profile 2021-02-04 15:29:49.000000000 +0000 @@ -41,6 +41,7 @@ novideo protocol unix seccomp +seccomp.block-secondary shell none tracelog diff -Nru firejail-0.9.64/etc/profile-a-l/blackbox.profile firejail-0.9.64.4/etc/profile-a-l/blackbox.profile --- firejail-0.9.64/etc/profile-a-l/blackbox.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/blackbox.profile 2021-02-04 15:29:49.000000000 +0000 @@ -6,7 +6,7 @@ # Persistent global definitions include globals.local -# all applications started in awesome will run in this profile +# all applications started in blackbox will run in this profile noblacklist ${HOME}/.blackbox include disable-common.inc diff -Nru firejail-0.9.64/etc/profile-a-l/blender-2.8.profile firejail-0.9.64.4/etc/profile-a-l/blender-2.8.profile --- firejail-0.9.64/etc/profile-a-l/blender-2.8.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/blender-2.8.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,5 +1,8 @@ # Firejail profile alias for blender # This file is overwritten after every install/update +# Persistent local customizations +include blender-2.8.local + # Redirect include blender.profile diff -Nru firejail-0.9.64/etc/profile-a-l/bnox.profile firejail-0.9.64.4/etc/profile-a-l/bnox.profile --- firejail-0.9.64/etc/profile-a-l/bnox.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/bnox.profile 2021-02-04 15:29:49.000000000 +0000 
@@ -5,6 +5,11 @@ # Persistent global definitions include globals.local +# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565 +ignore whitelist /usr/share/chromium +ignore include whitelist-runuser-common.inc +ignore include whitelist-usr-share-common.inc + noblacklist ${HOME}/.cache/bnox noblacklist ${HOME}/.config/bnox diff -Nru firejail-0.9.64/etc/profile-a-l/brave-browser-beta.profile firejail-0.9.64.4/etc/profile-a-l/brave-browser-beta.profile --- firejail-0.9.64/etc/profile-a-l/brave-browser-beta.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/brave-browser-beta.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,5 +1,8 @@ # Firejail profile alias for brave (beta channel) # This file is overwritten after every install/update +# Persistent local customizations +include brave-browser-beta.local + # Redirect include brave.profile diff -Nru firejail-0.9.64/etc/profile-a-l/brave-browser-dev.profile firejail-0.9.64.4/etc/profile-a-l/brave-browser-dev.profile --- firejail-0.9.64/etc/profile-a-l/brave-browser-dev.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/brave-browser-dev.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,5 +1,8 @@ # Firejail profile alias for brave (development channel) # This file is overwritten after every install/update +# Persistent local customizations +include brave-browser-dev.local + # Redirect include brave.profile diff -Nru firejail-0.9.64/etc/profile-a-l/brave-browser-nightly.profile firejail-0.9.64.4/etc/profile-a-l/brave-browser-nightly.profile --- firejail-0.9.64/etc/profile-a-l/brave-browser-nightly.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/brave-browser-nightly.profile 2021-02-04 15:29:49.000000000 +0000 
@@ -1,5 +1,8 @@ # Firejail profile alias for brave (nightly channel) # This file is overwritten after every install/update +# Persistent local customizations +include brave-browser-nightly.local + # Redirect include brave.profile diff -Nru firejail-0.9.64/etc/profile-a-l/brave-browser.profile firejail-0.9.64.4/etc/profile-a-l/brave-browser.profile --- firejail-0.9.64/etc/profile-a-l/brave-browser.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/brave-browser.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,5 +1,8 @@ # Firejail profile alias for brave # This file is overwritten after every install/update +# Persistent local customizations +include brave-browser.local + # Redirect include brave.profile diff -Nru firejail-0.9.64/etc/profile-a-l/brave-browser-stable.profile firejail-0.9.64.4/etc/profile-a-l/brave-browser-stable.profile --- firejail-0.9.64/etc/profile-a-l/brave-browser-stable.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/brave-browser-stable.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,5 +1,8 @@ # Firejail profile alias for brave (release channel) # This file is overwritten after every install/update +# Persistent local customizations +include brave-browser-stable.local + # Redirect include brave.profile diff -Nru firejail-0.9.64/etc/profile-a-l/brave.profile firejail-0.9.64.4/etc/profile-a-l/brave.profile --- firejail-0.9.64/etc/profile-a-l/brave.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/brave.profile 2021-02-04 15:29:49.000000000 +0000 
@@ -8,6 +8,8 @@
 # noexec /tmp is included in chromium-common.profile and breaks Brave
 ignore noexec /tmp
+# TOR is installed in ${HOME}
+ignore noexec ${HOME}
 noblacklist ${HOME}/.cache/BraveSoftware
 noblacklist ${HOME}/.config/BraveSoftware
diff -Nru firejail-0.9.64/etc/profile-a-l/bsdcat.profile firejail-0.9.64.4/etc/profile-a-l/bsdcat.profile
--- firejail-0.9.64/etc/profile-a-l/bsdcat.profile 2020-10-06 12:50:41.000000000 +0000
+++ firejail-0.9.64.4/etc/profile-a-l/bsdcat.profile 2021-02-04 15:29:49.000000000 +0000
@@ -1,5 +1,8 @@
 # Firejail profile alias for bsdtar
 # This file is overwritten after every install/update
+# Persistent local customizations
+include bsdcat.local
+
 # Redirect
 include bsdtar.profile
diff -Nru firejail-0.9.64/etc/profile-a-l/bsdcpio.profile firejail-0.9.64.4/etc/profile-a-l/bsdcpio.profile
--- firejail-0.9.64/etc/profile-a-l/bsdcpio.profile 2020-10-06 12:50:41.000000000 +0000
+++ firejail-0.9.64.4/etc/profile-a-l/bsdcpio.profile 2021-02-04 15:29:49.000000000 +0000
@@ -1,5 +1,8 @@
 # Firejail profile alias for bsdtar
 # This file is overwritten after every install/update
+# Persistent local customizations
+include bsdcpio.local
+
 # Redirect
 include bsdtar.profile
diff -Nru firejail-0.9.64/etc/profile-a-l/bsdtar.profile firejail-0.9.64.4/etc/profile-a-l/bsdtar.profile
--- firejail-0.9.64/etc/profile-a-l/bsdtar.profile 2020-10-06 12:50:41.000000000 +0000
+++ firejail-0.9.64.4/etc/profile-a-l/bsdtar.profile 2021-02-04 15:29:49.000000000 +0000
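Review bot: `ignore noexec ${HOME}` in the brave.profile hunk lifts the noexec mount from the whole home directory on every Brave run, including for users who never open the Tor window, because the bundled Tor client is executed from somewhere under ${HOME}; the comment should name that location and state that the relaxation is global, e.g. `# Brave runs its bundled Tor client from <path under ${HOME} — TODO fill in>; noexec cannot be lifted for just that directory`. Since `ignore noexec /tmp` two lines above has the same whole-mount effect, one comment covering both would do. "TOR" is normally written "Tor".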
@@ -6,43 +6,6 @@ # Persistent global definitions include globals.local -blacklist ${RUNUSER}/wayland-* +include archiver-common.inc -include disable-common.inc -# include disable-devel.inc -include disable-exec.inc -include disable-interpreters.inc -include disable-passwdmgr.inc -include disable-programs.inc - -apparmor -caps.drop all -hostname bsdtar -ipc-namespace -machine-id -net none -no3d -nodvd -nogroups -nonewprivs -# noroot -nosound -notv -nou2f -novideo -protocol unix -seccomp -shell none -tracelog -x11 none - -# support compressed archives -private-bin bash,bsdcat,bsdcpio,bsdtar,bzip2,compress,gtar,gzip,lbzip2,libarchive,lz4,lzip,lzma,lzop,sh,xz -private-cache -private-dev private-etc alternatives,group,localtime,passwd - -dbus-user none -dbus-system none - -memory-deny-write-execute diff -Nru firejail-0.9.64/etc/profile-a-l/Builder.profile firejail-0.9.64.4/etc/profile-a-l/Builder.profile --- firejail-0.9.64/etc/profile-a-l/Builder.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/Builder.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,6 +1,9 @@ # Firejail profile for gnome-builder # This file is overwritten after every install/update +# Persistent local customizations +include Builder.local + # Temporary fix for https://github.com/netblue30/firejail/issues/2624 # Redirect include gnome-builder.profile diff -Nru firejail-0.9.64/etc/profile-a-l/calligraauthor.profile firejail-0.9.64.4/etc/profile-a-l/calligraauthor.profile --- firejail-0.9.64/etc/profile-a-l/calligraauthor.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/calligraauthor.profile 2021-02-04 15:29:49.000000000 +0000 
@@ -1,5 +1,8 @@
 # Firejail profile alias for calligra
 # This file is overwritten after every install/update
+# Persistent local customizations
+include calligraauthor.local
+
 # Redirect
 include calligra.profile
diff -Nru firejail-0.9.64/etc/profile-a-l/calligraconverter.profile firejail-0.9.64.4/etc/profile-a-l/calligraconverter.profile
--- firejail-0.9.64/etc/profile-a-l/calligraconverter.profile 2020-10-06 12:50:41.000000000 +0000
+++ firejail-0.9.64.4/etc/profile-a-l/calligraconverter.profile 2021-02-04 15:29:49.000000000 +0000
@@ -1,5 +1,8 @@
 # Firejail profile alias for calligra
 # This file is overwritten after every install/update
+# Persistent local customizations
+include calligraconverter.local
+
 # Redirect
 include calligra.profile
diff -Nru firejail-0.9.64/etc/profile-a-l/calligraflow.profile firejail-0.9.64.4/etc/profile-a-l/calligraflow.profile
--- firejail-0.9.64/etc/profile-a-l/calligraflow.profile 2020-10-06 12:50:41.000000000 +0000
+++ firejail-0.9.64.4/etc/profile-a-l/calligraflow.profile 2021-02-04 15:29:49.000000000 +0000
@@ -1,5 +1,8 @@
 # Firejail profile alias for calligra
 # This file is overwritten after every install/update
+# Persistent local customizations
+include calligraflow.local
+
 # Redirect
 include calligra.profile
diff -Nru firejail-0.9.64/etc/profile-a-l/calligraplan.profile firejail-0.9.64.4/etc/profile-a-l/calligraplan.profile
--- firejail-0.9.64/etc/profile-a-l/calligraplan.profile 2020-10-06 12:50:41.000000000 +0000
+++ firejail-0.9.64.4/etc/profile-a-l/calligraplan.profile 2021-02-04 15:29:49.000000000 +0000
@@ -1,6 +1,9 @@
 # Firejail profile alias for calligra
 # This file is overwritten after every install/update
+# Persistent local customizations
+include calligraplan.local
+
 noblacklist ${HOME}/.local/share/kxmlgui5/calligraplan
 # Redirect
diff -Nru firejail-0.9.64/etc/profile-a-l/calligraplanwork.profile firejail-0.9.64.4/etc/profile-a-l/calligraplanwork.profile
--- firejail-0.9.64/etc/profile-a-l/calligraplanwork.profile 2020-10-06 12:50:41.000000000 +0000
+++ firejail-0.9.64.4/etc/profile-a-l/calligraplanwork.profile 2021-02-04 15:29:49.000000000 +0000
@@ -1,6 +1,9 @@
 # Firejail profile alias for calligra
 # This file is overwritten after every install/update
+# Persistent local customizations
+include calligraplanwork.local
+
 noblacklist ${HOME}/.local/share/kxmlgui5/calligraplanwork
 # Redirect
diff -Nru firejail-0.9.64/etc/profile-a-l/calligrasheets.profile firejail-0.9.64.4/etc/profile-a-l/calligrasheets.profile
--- firejail-0.9.64/etc/profile-a-l/calligrasheets.profile 2020-10-06 12:50:41.000000000 +0000
+++ firejail-0.9.64.4/etc/profile-a-l/calligrasheets.profile 2021-02-04 15:29:49.000000000 +0000
@@ -1,6 +1,9 @@
 # Firejail profile alias for calligra
 # This file is overwritten after every install/update
+# Persistent local customizations
+include calligrasheets.local
+
 noblacklist ${HOME}/.local/share/kxmlgui5/calligrasheets
 # Redirect
diff -Nru firejail-0.9.64/etc/profile-a-l/calligrastage.profile firejail-0.9.64.4/etc/profile-a-l/calligrastage.profile
--- firejail-0.9.64/etc/profile-a-l/calligrastage.profile 2020-10-06 12:50:41.000000000 +0000
+++ firejail-0.9.64.4/etc/profile-a-l/calligrastage.profile 2021-02-04 15:29:49.000000000 +0000
@@ -1,6 +1,9 @@
 # Firejail profile alias for calligra
 # This file is overwritten after every install/update
+# Persistent local customizations
+include calligrastage.local
+
 noblacklist ${HOME}/.local/share/kxmlgui5/calligrastage
 # Redirect
diff -Nru firejail-0.9.64/etc/profile-a-l/calligrawords.profile firejail-0.9.64.4/etc/profile-a-l/calligrawords.profile
--- firejail-0.9.64/etc/profile-a-l/calligrawords.profile 2020-10-06 12:50:41.000000000 +0000
+++ firejail-0.9.64.4/etc/profile-a-l/calligrawords.profile 2021-02-04 15:29:49.000000000 +0000
@@ -1,6 +1,9 @@
 # Firejail profile alias for calligra
 # This file is overwritten after every install/update
+# Persistent local customizations
+include calligrawords.local
+
 noblacklist ${HOME}/.local/share/kxmlgui5/calligrawords
 # Redirect
diff -Nru firejail-0.9.64/etc/profile-a-l/celluloid.profile firejail-0.9.64.4/etc/profile-a-l/celluloid.profile
--- firejail-0.9.64/etc/profile-a-l/celluloid.profile 2020-10-06 12:50:41.000000000 +0000
+++ firejail-0.9.64.4/etc/profile-a-l/celluloid.profile 2021-02-04 15:29:49.000000000 +0000
@@ -14,6 +14,9 @@
 include allow-python2.inc
 include allow-python3.inc
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -29,7 +32,7 @@
 whitelist ${HOME}/.config/gnome-mpv
 whitelist ${HOME}/.config/youtube-dl
 include whitelist-common.inc
-include whitelist-players.inc
+include whitelist-player-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -43,6 +46,7 @@
 nou2f
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
diff -Nru firejail-0.9.64/etc/profile-a-l/cheese.profile firejail-0.9.64.4/etc/profile-a-l/cheese.profile
--- firejail-0.9.64/etc/profile-a-l/cheese.profile 2020-10-06 12:50:41.000000000 +0000
+++ firejail-0.9.64.4/etc/profile-a-l/cheese.profile 2021-02-04 15:29:49.000000000 +0000
@@ -19,7 +19,10 @@
 whitelist ${VIDEOS}
 whitelist ${PICTURES}
+whitelist /usr/share/gnome-video-effects
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 apparmor
@@ -43,5 +46,6 @@
 private-etc alternatives,clutter-1.0,dconf,drirc,fonts,gtk-3.0
 private-tmp
-dbus-user none
+dbus-user filter
+dbus-user.talk ca.desrt.dconf
 dbus-system none
diff -Nru firejail-0.9.64/etc/profile-a-l/Cheese.profile firejail-0.9.64.4/etc/profile-a-l/Cheese.profile
--- firejail-0.9.64/etc/profile-a-l/Cheese.profile 2020-10-06 12:50:41.000000000 +0000
+++ firejail-0.9.64.4/etc/profile-a-l/Cheese.profile 2021-02-04 15:29:49.000000000 +0000
@@ -1,6 +1,9 @@
 # Firejail profile for cheese
 # This file is overwritten after every install/update
+# Persistent local customizations
+include Cheese.local
+
 # Temporary fix for https://github.com/netblue30/firejail/issues/2624
 # Redirect
 include cheese.profile
diff -Nru firejail-0.9.64/etc/profile-a-l/chromium-browser-privacy.profile firejail-0.9.64.4/etc/profile-a-l/chromium-browser-privacy.profile
--- firejail-0.9.64/etc/profile-a-l/chromium-browser-privacy.profile 1970-01-01 00:00:00.000000000 +0000
+++ firejail-0.9.64.4/etc/profile-a-l/chromium-browser-privacy.profile 2021-02-04 15:29:49.000000000 +0000
@@ -0,0 +1,17 @@
+# Firejail profile for chromium-browser-privacy
+# This file is overwritten after every install/update
+# Persistent local customizations
+include chromium-browser-privacy.local
+
+noblacklist ${HOME}/.cache/ungoogled-chromium
+noblacklist ${HOME}/.config/ungoogled-chromium
+
+mkdir ${HOME}/.cache/ungoogled-chromium
+mkdir ${HOME}/.config/ungoogled-chromium
+whitelist ${HOME}/.cache/ungoogled-chromium
+whitelist ${HOME}/.config/ungoogled-chromium
+
+# private-bin basename,bash,chromium-browser-privacy,dirname,mkdir,readlink,sed,touch,which,xdg-settings
+
+# Redirect
+include chromium.profile
diff -Nru firejail-0.9.64/etc/profile-a-l/chromium-browser.profile firejail-0.9.64.4/etc/profile-a-l/chromium-browser.profile
--- firejail-0.9.64/etc/profile-a-l/chromium-browser.profile 2020-10-06 12:50:41.000000000 +0000
+++ firejail-0.9.64.4/etc/profile-a-l/chromium-browser.profile 2021-02-04 15:29:49.000000000 +0000
@@ -1,5 +1,8 @@
 # Firejail profile alias for chromium
 # This file is overwritten after every install/update
+# Persistent local customizations
+include chromium-browser.local
+
 # Redirect
 include chromium.profile
diff -Nru firejail-0.9.64/etc/profile-a-l/chromium-common.profile firejail-0.9.64.4/etc/profile-a-l/chromium-common.profile
--- firejail-0.9.64/etc/profile-a-l/chromium-common.profile 2020-10-06 12:50:41.000000000 +0000
+++ firejail-0.9.64.4/etc/profile-a-l/chromium-common.profile 2021-02-04 15:29:49.000000000 +0000
@@ -16,7 +16,9 @@
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
+# include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 mkdir ${HOME}/.pki
 mkdir ${HOME}/.local/share/pki
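Review bot: `# include disable-passwdmgr.inc` is commented out for every Chromium-based profile with no reason on the line, and this kind of relaxation tends to be copied forward unquestioned; the only related hint is the keyring/KWallet comment further down the file. Put the rationale on the line itself, e.g. `# disable-passwdmgr.inc is left out so password-manager extensions and their native-messaging hosts keep working; re-add it in chromium-common.local if you do not use one` (the actual reason is not in the hunk, so confirm before writing it). Since `whitelist-common.inc` is in effect, the practical exposure is limited to whatever the whitelists already expose, but that should be stated rather than assumed.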
@@ -24,8 +26,14 @@
 whitelist ${HOME}/.pki
 whitelist ${HOME}/.local/share/pki
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
+# Uncomment the next line (or add it to your chromium-common.local)
+# if your kernel allows unprivileged userns clone.
+#include chromium-common-hardened.inc
+
 apparmor
 caps.keep sys_admin,sys_chroot
 netfilter
@@ -36,8 +44,10 @@
 shell none
 disable-mnt
+private-cache
 ?BROWSER_DISABLE_U2F: private-dev
-# private-tmp - problems with multiple browser sessions
+# problems with multiple browser sessions
+#private-tmp
 # prevents access to passwords saved in GNOME Keyring and KWallet, also breaks Gnome connector
 # dbus-user none
diff -Nru firejail-0.9.64/etc/profile-a-l/chromium-freeworld.profile firejail-0.9.64.4/etc/profile-a-l/chromium-freeworld.profile
--- firejail-0.9.64/etc/profile-a-l/chromium-freeworld.profile 2020-10-06 12:50:41.000000000 +0000
+++ firejail-0.9.64.4/etc/profile-a-l/chromium-freeworld.profile 2021-02-04 15:29:49.000000000 +0000
@@ -1,5 +1,8 @@
 # Firejail profile for chromium-freeworld
 # This file is overwritten after every install/update
+# Persistent local customizations
+include chromium-freeworld.local
+
 # Redirect
 include chromium.profile
diff -Nru firejail-0.9.64/etc/profile-a-l/chromium.profile firejail-0.9.64.4/etc/profile-a-l/chromium.profile
--- firejail-0.9.64/etc/profile-a-l/chromium.profile 2020-10-06 12:50:41.000000000 +0000
+++ firejail-0.9.64.4/etc/profile-a-l/chromium.profile 2021-02-04 15:29:49.000000000 +0000
@@ -15,6 +15,7 @@
 whitelist ${HOME}/.cache/chromium
 whitelist ${HOME}/.config/chromium
 whitelist ${HOME}/.config/chromium-flags.conf
+whitelist /usr/share/chromium
 # private-bin chromium,chromium-browser,chromedriver
diff -Nru firejail-0.9.64/etc/profile-a-l/cinelerra.profile firejail-0.9.64.4/etc/profile-a-l/cinelerra.profile
--- firejail-0.9.64/etc/profile-a-l/cinelerra.profile 2020-10-06 12:50:41.000000000 +0000
+++ firejail-0.9.64.4/etc/profile-a-l/cinelerra.profile 2021-02-04 15:29:49.000000000 +0000
@@ -1,5 +1,8 @@
 # Firejail profile alias for cin
 # This file is overwritten after every install/update
+# Persistent local customizations
+include cinelerra.local
+
 # Redirect
 include cin.profile
diff -Nru firejail-0.9.64/etc/profile-a-l/clamdscan.profile firejail-0.9.64.4/etc/profile-a-l/clamdscan.profile
--- firejail-0.9.64/etc/profile-a-l/clamdscan.profile 2020-10-06 12:50:41.000000000 +0000
+++ firejail-0.9.64.4/etc/profile-a-l/clamdscan.profile 2021-02-04 15:29:49.000000000 +0000
@@ -1,5 +1,8 @@
 # Firejail profile alias for clamav
 # This file is overwritten after every install/update
+# Persistent local customizations
+include clamdscan.local
+
 # Redirect
 include clamav.profile
diff -Nru firejail-0.9.64/etc/profile-a-l/clamdtop.profile firejail-0.9.64.4/etc/profile-a-l/clamdtop.profile
--- firejail-0.9.64/etc/profile-a-l/clamdtop.profile 2020-10-06 12:50:41.000000000 +0000
+++ firejail-0.9.64.4/etc/profile-a-l/clamdtop.profile 2021-02-04 15:29:49.000000000 +0000
@@ -1,5 +1,8 @@
 # Firejail profile alias for clamav
 # This file is overwritten after every install/update
+# Persistent local customizations
+include clamdtop.local
+
 # Redirect
 include clamav.profile
diff -Nru firejail-0.9.64/etc/profile-a-l/clamscan.profile firejail-0.9.64.4/etc/profile-a-l/clamscan.profile
--- firejail-0.9.64/etc/profile-a-l/clamscan.profile 2020-10-06 12:50:41.000000000 +0000
+++ firejail-0.9.64.4/etc/profile-a-l/clamscan.profile 2021-02-04 15:29:49.000000000 +0000
@@ -1,5 +1,8 @@
 # Firejail profile alias for clamav
 # This file is overwritten after every install/update
+# Persistent local customizations
+include clamscan.local
+
 # Redirect
 include clamav.profile
diff -Nru firejail-0.9.64/etc/profile-a-l/claws-mail.profile firejail-0.9.64.4/etc/profile-a-l/claws-mail.profile
--- firejail-0.9.64/etc/profile-a-l/claws-mail.profile 2020-10-06 12:50:41.000000000 +0000
+++ firejail-0.9.64.4/etc/profile-a-l/claws-mail.profile 2021-02-04 15:29:49.000000000 +0000
@@ -18,5 +18,10 @@
 whitelist /usr/share/doc/claws-mail
+# if you use the notification plugin you need to uncomment the below (or put them in your claws-mail.local)
+#ignore dbus-user none
+#dbus-user filter
+#dbus-user.talk org.freedesktop.Notifications
+
 # Redirect
 include email-common.profile
diff -Nru firejail-0.9.64/etc/profile-a-l/clementine.profile firejail-0.9.64.4/etc/profile-a-l/clementine.profile
--- firejail-0.9.64/etc/profile-a-l/clementine.profile 2020-10-06 12:50:41.000000000 +0000
+++ firejail-0.9.64.4/etc/profile-a-l/clementine.profile 2021-02-04 15:29:49.000000000 +0000
@@ -12,22 +12,29 @@
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 include whitelist-var-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
+apparmor
 caps.drop all
 nonewprivs
 noroot
 notv
 nou2f
 novideo
-protocol unix,inet,inet6
+protocol unix,inet,inet6,netlink
 # blacklisting of ioprio_set system calls breaks clementine
 seccomp !ioprio_set
 private-dev
 private-tmp
+
+dbus-system none
+# dbus-user none
diff -Nru firejail-0.9.64/etc/profile-a-l/clocks.profile firejail-0.9.64.4/etc/profile-a-l/clocks.profile
--- firejail-0.9.64/etc/profile-a-l/clocks.profile 2020-10-06 12:50:41.000000000 +0000
+++ firejail-0.9.64.4/etc/profile-a-l/clocks.profile 2021-02-04 15:29:49.000000000 +0000
@@ -1,6 +1,9 @@
 # Firejail profile for gnome-clocks
 # This file is overwritten after every install/update
+# Persistent local customizations
+include clocks.local
+
 # Temporary fix for https://github.com/netblue30/firejail/issues/2624
 # Redirect
 include gnome-clocks.profile
diff -Nru firejail-0.9.64/etc/profile-a-l/com.github.bleakgrey.tootle.profile firejail-0.9.64.4/etc/profile-a-l/com.github.bleakgrey.tootle.profile
--- firejail-0.9.64/etc/profile-a-l/com.github.bleakgrey.tootle.profile 1970-01-01 00:00:00.000000000 +0000
+++ firejail-0.9.64.4/etc/profile-a-l/com.github.bleakgrey.tootle.profile 2021-02-04 15:29:49.000000000 +0000
@@ -0,0 +1,55 @@
+# Firejail profile for com.github.bleakgrey.tootle
+# Description: Gtk Mastodon client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include com.github.bleakgrey.tootle.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/com.github.bleakgrey.tootle
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/com.github.bleakgrey.tootle
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.config/com.github.bleakgrey.tootle
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin com.github.bleakgrey.tootle
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,machine-id mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg
+private-tmp
+
+# Settings are immutable
+# dbus-user filter
+# dbus-user.own com.github.bleakgrey.tootle
+# dbus-user.talk ca.desrt.dconf
+dbus-system none
diff -Nru firejail-0.9.64/etc/profile-a-l/com.gitlab.newsflash.profile firejail-0.9.64.4/etc/profile-a-l/com.gitlab.newsflash.profile
--- firejail-0.9.64/etc/profile-a-l/com.gitlab.newsflash.profile 2020-10-06 12:50:41.000000000 +0000
+++ firejail-0.9.64.4/etc/profile-a-l/com.gitlab.newsflash.profile 2021-02-04 15:29:49.000000000 +0000
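Review bot: The `private-etc` line has a space instead of a comma between `machine-id` and `mime.types` (`...,hosts,machine-id mime.types,nsswitch.conf,...`), so firejail presumably reads `machine-id mime.types` as one entry and neither file lands in the private /etc; the fix is `...,hosts,machine-id,mime.types,nsswitch.conf,...`. Because a missing /etc entry does not make firejail fail, this only surfaces as MIME-type lookups misbehaving inside the sandbox, so it is worth a `firejail --profile=... ls /etc` check after correcting it. The rest of the profile follows the same shape as the other new profiles in this diff.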
@@ -1,5 +1,8 @@
 # Firejail profile alias for newsflash
 # This file is overwritten after every install/update
+# Persistent local customizations
+include com.gitlab.newsflash.local
+
 # Redirect
 include newsflash.profile
diff -Nru firejail-0.9.64/etc/profile-a-l/cower.profile firejail-0.9.64.4/etc/profile-a-l/cower.profile
--- firejail-0.9.64/etc/profile-a-l/cower.profile 2020-10-06 12:50:41.000000000 +0000
+++ firejail-0.9.64.4/etc/profile-a-l/cower.profile 2021-02-04 15:29:49.000000000 +0000
@@ -46,5 +46,4 @@
 private-tmp
 memory-deny-write-execute
-
 read-only ${HOME}/.config/cower/config
diff -Nru firejail-0.9.64/etc/profile-a-l/coyim.profile firejail-0.9.64.4/etc/profile-a-l/coyim.profile
--- firejail-0.9.64/etc/profile-a-l/coyim.profile 1970-01-01 00:00:00.000000000 +0000
+++ firejail-0.9.64.4/etc/profile-a-l/coyim.profile 2021-02-04 15:29:49.000000000 +0000
@@ -0,0 +1,49 @@
+# Firejail profile for coyim
+# Description: GTK Jabber client written in Go
+# This file is overwritten after every install/update
+# Persistent local customizations
+include coyim.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/coyim
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/coyim
+whitelist ${HOME}/.config/coyim
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,ssl
+private-tmp
+
+dbus-user none
+dbus-system none
+
+#memory-deny-write-execute
diff -Nru firejail-0.9.64/etc/profile-a-l/cpio.profile firejail-0.9.64.4/etc/profile-a-l/cpio.profile
--- firejail-0.9.64/etc/profile-a-l/cpio.profile 2020-10-06 12:50:41.000000000 +0000
+++ firejail-0.9.64.4/etc/profile-a-l/cpio.profile 2021-02-04 15:29:49.000000000 +0000
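Review bot: `private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,ssl` omits `resolv.conf`, `hosts`, `nsswitch.conf` and `host.conf`, so a networked XMPP client gets an /etc with nothing to resolve names from; unless a resolver happens to listen on 127.0.0.1:53, connecting to the server will fail inside the sandbox. The tootle profile added in the same diff lists them, so the consistent line is `private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,machine-id,nsswitch.conf,pki,resolv.conf,ssl`. If coyim was actually tested this way and works (a proxy-only setup, say), a one-line comment saying so would stop the next maintainer from "fixing" it.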
@@ -7,40 +7,7 @@
 # Persistent global definitions
 include globals.local
-blacklist ${RUNUSER}/wayland-*
-
 noblacklist /sbin
 noblacklist /usr/sbin
-include disable-common.inc
-# include disable-devel.inc
-include disable-exec.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-
-apparmor
-caps.drop all
-hostname cpio
-ipc-namespace
-machine-id
-net none
-no3d
-nodvd
-nogroups
-nonewprivs
-nosound
-notv
-nou2f
-novideo
-seccomp
-shell none
-tracelog
-x11 none
-
-private-cache
-private-dev
-
-dbus-user none
-dbus-system none
-
-memory-deny-write-execute
+include archiver-common.inc
diff -Nru firejail-0.9.64/etc/profile-a-l/crawl-tiles.profile firejail-0.9.64.4/etc/profile-a-l/crawl-tiles.profile
--- firejail-0.9.64/etc/profile-a-l/crawl-tiles.profile 2020-10-06 12:50:41.000000000 +0000
+++ firejail-0.9.64.4/etc/profile-a-l/crawl-tiles.profile 2021-02-04 15:29:49.000000000 +0000
@@ -1,6 +1,9 @@
 # Firejail profile alias for crawl
 # This file is overwritten after every install/update
+# Persistent local customizations
+include crawl-titles.local
+
 ignore no3d
 # Redirect
diff -Nru firejail-0.9.64/etc/profile-a-l/cryptocat.profile firejail-0.9.64.4/etc/profile-a-l/cryptocat.profile
--- firejail-0.9.64/etc/profile-a-l/cryptocat.profile 2020-10-06 12:50:41.000000000 +0000
+++ firejail-0.9.64.4/etc/profile-a-l/cryptocat.profile 2021-02-04 15:29:49.000000000 +0000
@@ -1,5 +1,8 @@
 # Firejail profile alias for Cryptocat
 # This file is overwritten after every install/update
+# Persistent local customizations
+include cryptocat.local
+
 # Redirect
 include Cryptocat.profile
diff -Nru firejail-0.9.64/etc/profile-a-l/curl.profile firejail-0.9.64.4/etc/profile-a-l/curl.profile
--- firejail-0.9.64/etc/profile-a-l/curl.profile 2020-10-06 12:50:41.000000000 +0000
+++ firejail-0.9.64.4/etc/profile-a-l/curl.profile 2021-02-04 15:29:49.000000000 +0000
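Review bot: The crawl-tiles.profile hunk adds `include crawl-titles.local`, but the file is crawl-tiles.profile, so a user's crawl-tiles.local is never read and the misspelt include fails silently (firejail appears to tolerate a missing .local); change it to `include crawl-tiles.local`. Every other alias profile in this diff follows the exact `<profile-name>.local` pattern, which is what makes a one-letter transposition easy to miss in review.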
@@ -7,10 +7,15 @@
 # Persistent global definitions
 include globals.local
+# curl 7.74.0 introduces experimental support for HSTS cache
+# https://daniel.haxx.se/blog/2020/11/03/hsts-your-curl/
+# technically this file can be anywhere but let's assume users have it in ${HOME}/.curl-hsts
+# if your setup diverts, add 'blacklist /path/to/curl/hsts/file' to your disable-programs.local
+# and 'noblacklist /path/to/curl/hsts/file' to curl.local to keep the sandbox logic intact
+noblacklist ${HOME}/.curl-hsts
 noblacklist ${HOME}/.curlrc
 blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
 blacklist ${RUNUSER}
 include disable-common.inc
diff -Nru firejail-0.9.64/etc/profile-a-l/Cyberfox.profile firejail-0.9.64.4/etc/profile-a-l/Cyberfox.profile
--- firejail-0.9.64/etc/profile-a-l/Cyberfox.profile 2020-10-06 12:50:41.000000000 +0000
+++ firejail-0.9.64.4/etc/profile-a-l/Cyberfox.profile 2021-02-04 15:29:49.000000000 +0000
@@ -1,5 +1,8 @@
 # Firejail profile alias for cyberfox
 # This file is overwritten after every install/update
+# Persistent local customizations
+include Cyberfox.local
+
 # Redirect
 include cyberfox.profile
diff -Nru firejail-0.9.64/etc/profile-a-l/dconf-editor.profile firejail-0.9.64.4/etc/profile-a-l/dconf-editor.profile
--- firejail-0.9.64/etc/profile-a-l/dconf-editor.profile 2020-10-06 12:50:41.000000000 +0000
+++ firejail-0.9.64.4/etc/profile-a-l/dconf-editor.profile 2021-02-04 15:29:49.000000000 +0000
@@ -35,6 +35,7 @@
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
diff -Nru firejail-0.9.64/etc/profile-a-l/default.profile firejail-0.9.64.4/etc/profile-a-l/default.profile
--- firejail-0.9.64/etc/profile-a-l/default.profile 2020-10-06 12:50:41.000000000 +0000
+++ firejail-0.9.64.4/etc/profile-a-l/default.profile 2021-02-04 15:29:49.000000000 +0000
@@ -5,7 +5,7 @@
 # Persistent global definitions
 include globals.local
-# generic gui profile
+# generic GUI profile
 # depending on your usage, you can enable some of the commands below:
 include disable-common.inc
@@ -14,12 +14,13 @@
 # include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+# include disable-shell.inc
 # include disable-write-mnt.inc
 # include disable-xdg.inc
 # include whitelist-common.inc
-# include whitelist-usr-share-common.inc
 # include whitelist-runuser-common.inc
+# include whitelist-usr-share-common.inc
 # include whitelist-var-common.inc
 # apparmor
diff -Nru firejail-0.9.64/etc/profile-a-l/devhelp.profile firejail-0.9.64.4/etc/profile-a-l/devhelp.profile
--- firejail-0.9.64/etc/profile-a-l/devhelp.profile 2020-10-06 12:50:41.000000000 +0000
+++ firejail-0.9.64.4/etc/profile-a-l/devhelp.profile 2021-02-04 15:29:49.000000000 +0000
@@ -50,5 +50,4 @@
 # dbus-system none
 #memory-deny-write-execute - breaks on Arch (see issue #1803)
-
 read-only ${HOME}
diff -Nru firejail-0.9.64/etc/profile-a-l/devilspie.profile firejail-0.9.64.4/etc/profile-a-l/devilspie.profile
--- firejail-0.9.64/etc/profile-a-l/devilspie.profile 2020-10-06 12:50:41.000000000 +0000
+++ firejail-0.9.64.4/etc/profile-a-l/devilspie.profile 2021-02-04 15:29:49.000000000 +0000
@@ -56,5 +56,4 @@
 dbus-system none
 memory-deny-write-execute
-
 read-only ${HOME}
diff -Nru firejail-0.9.64/etc/profile-a-l/dia.profile firejail-0.9.64.4/etc/profile-a-l/dia.profile
--- firejail-0.9.64/etc/profile-a-l/dia.profile 2020-10-06 12:50:41.000000000 +0000
+++ firejail-0.9.64.4/etc/profile-a-l/dia.profile 2021-02-04 15:29:49.000000000 +0000
@@ -9,16 +9,24 @@
 noblacklist ${HOME}/.dia
 noblacklist ${DOCUMENTS}
+include allow-python2.inc
+include allow-python3.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
-include allow-python2.inc
-include allow-python3.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
+#mkdir ${HOME}/.dia
+#whitelist ${HOME}/.dia
+#whitelist ${DOCUMENTS}
+#include whitelist-common.inc
+whitelist /usr/share/dia
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 apparmor
@@ -36,6 +44,7 @@
 protocol unix
 seccomp
 shell none
+tracelog
 disable-mnt
 #private-bin dia
diff -Nru firejail-0.9.64/etc/profile-a-l/dig.profile firejail-0.9.64.4/etc/profile-a-l/dig.profile
--- firejail-0.9.64/etc/profile-a-l/dig.profile 2020-10-06 12:50:41.000000000 +0000
+++ firejail-0.9.64.4/etc/profile-a-l/dig.profile 2021-02-04 15:29:49.000000000 +0000
@@ -11,7 +11,6 @@
 noblacklist ${PATH}/dig
 blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
 blacklist ${RUNUSER}
 include disable-common.inc
diff -Nru firejail-0.9.64/etc/profile-a-l/discord-common.profile firejail-0.9.64.4/etc/profile-a-l/discord-common.profile
--- firejail-0.9.64/etc/profile-a-l/discord-common.profile 2020-10-06 12:50:41.000000000 +0000
+++ firejail-0.9.64.4/etc/profile-a-l/discord-common.profile 2021-02-04 15:29:49.000000000 +0000
@@ -6,33 +6,24 @@
 # added by caller profile
 #include globals.local
-ignore noexec ${HOME}
+# Disabled until someone reported positive feedback
+ignore include disable-interpreters.inc
+ignore include disable-xdg.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+ignore apparmor
+ignore disable-mnt
+ignore private-cache
+ignore dbus-user none
+ignore dbus-system none
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
+ignore noexec ${HOME}
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.config/BetterDiscord
 whitelist ${HOME}/.local/share/betterdiscordctl
-include whitelist-common.inc
-include whitelist-var-common.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-nou2f
-novideo
-protocol unix,inet,inet6,netlink
-seccomp !chroot
 private-bin bash,cut,echo,egrep,fish,grep,head,sed,sh,tclsh,tr,xdg-mime,xdg-open,zsh
-private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,login.defs,machine-id,password,pki,resolv.conf,ssl
-private-tmp
+private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,login.defs,machine-id,password,pki,pulse,resolv.conf,ssl
+
+# Redirect
+include electron.profile
diff -Nru firejail-0.9.64/etc/profile-a-l/dnox.profile firejail-0.9.64.4/etc/profile-a-l/dnox.profile
--- firejail-0.9.64/etc/profile-a-l/dnox.profile 2020-10-06 12:50:41.000000000 +0000
+++ firejail-0.9.64.4/etc/profile-a-l/dnox.profile 2021-02-04 15:29:49.000000000 +0000
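Review bot: The new `private-etc` line carries `password` over from the old one (`...,login.defs,machine-id,password,pki,pulse,...`); `/etc/password` is not a standard file, so unless the target systems really ship one this is almost certainly meant to be `passwd`, which user/group lookups under `nogroups` need, and this touch of the line is the moment to correct it. The block of `ignore` lines switches off apparmor, disable-mnt, private-cache and both `dbus-user none`/`dbus-system none` inherited from electron.profile with only `# Disabled until someone reported positive feedback` (read: "reports"); say per line what broke so each can be retired individually. Note also that `caps.drop all`, `nonewprivs`, `noroot` and `seccomp !chroot` are removed here while the electron.profile this now redirects to (later in this diff) uses `caps.keep sys_admin,sys_chroot`, so the Discord sandbox is effectively weaker after this change unless chromium-common-hardened.inc is enabled from discord.local — worth stating in the header comment.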
@@ -5,6 +5,11 @@
 # Persistent global definitions
 include globals.local
+# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
 noblacklist ${HOME}/.cache/dnox
 noblacklist ${HOME}/.config/dnox
diff -Nru firejail-0.9.64/etc/profile-a-l/Documents.profile firejail-0.9.64.4/etc/profile-a-l/Documents.profile
--- firejail-0.9.64/etc/profile-a-l/Documents.profile 2020-10-06 12:50:41.000000000 +0000
+++ firejail-0.9.64.4/etc/profile-a-l/Documents.profile 2021-02-04 15:29:49.000000000 +0000
@@ -1,6 +1,9 @@
 # Firejail profile for gnome-documents
 # This file is overwritten after every install/update
+# Persistent local customizations
+include Documents.local
+
 # Temporary fix for https://github.com/netblue30/firejail/issues/2624
 # Redirect
 include gnome-documents.profile
diff -Nru firejail-0.9.64/etc/profile-a-l/dolphin-emu.profile firejail-0.9.64.4/etc/profile-a-l/dolphin-emu.profile
--- firejail-0.9.64/etc/profile-a-l/dolphin-emu.profile 1970-01-01 00:00:00.000000000 +0000
+++ firejail-0.9.64.4/etc/profile-a-l/dolphin-emu.profile 2021-02-04 15:29:49.000000000 +0000
@@ -0,0 +1,63 @@
+# Firejail profile for dolphin-emu
+# Description: An emulator for Gamecube and Wii games
+# This file is overwritten after every install/update
+# Persistent local customizations
+include dolphin-emu.local
+# Persistent global definitions
+include globals.local
+
+# Note: you must whitelist your games folder in a dolphin-emu.local
+
+noblacklist ${HOME}/.cache/dolphin-emu
+noblacklist ${HOME}/.config/dolphin-emu
+noblacklist ${HOME}/.local/share/dolphin-emu
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/dolphin-emu
+mkdir ${HOME}/.config/dolphin-emu
+mkdir ${HOME}/.local/share/dolphin-emu
+whitelist ${HOME}/.cache/dolphin-emu
+whitelist ${HOME}/.config/dolphin-emu
+whitelist ${HOME}/.local/share/dolphin-emu
+whitelist /usr/share/dolphin-emu
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+# uncomment the following line if you do not need NetPlay support
+# net none
+netfilter
+# uncomment the following line if you do not need disc support
+#nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink,bluetooth
+seccomp
+shell none
+tracelog
+
+private-bin bash,dolphin-emu,dolphin-emu-x11,sh
+private-cache
+# uncomment the following line if you do not need controller support
+#private-dev
+private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dconf,drirc,fonts,gconf,glvnd,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,kde4rc,kde5rc,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,nvidia,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,Trolltech.conf,X11,xdg
+private-opt none
+private-tmp
+
+dbus-user none
+dbus-system none
diff -Nru firejail-0.9.64/etc/profile-a-l/dooble-qt4.profile firejail-0.9.64.4/etc/profile-a-l/dooble-qt4.profile
--- firejail-0.9.64/etc/profile-a-l/dooble-qt4.profile 2020-10-06 12:50:41.000000000 +0000
+++ firejail-0.9.64.4/etc/profile-a-l/dooble-qt4.profile 2021-02-04 15:29:49.000000000 +0000
@@ -1,5 +1,8 @@
 # Firejail profile alias for dooble
 # This file is overwritten after every install/update
+# Persistent local customizations
+include dooble-qt4.local
+
 # Redirect
 include dooble.profile
diff -Nru firejail-0.9.64/etc/profile-a-l/drill.profile firejail-0.9.64.4/etc/profile-a-l/drill.profile
--- firejail-0.9.64/etc/profile-a-l/drill.profile 1970-01-01 00:00:00.000000000 +0000
+++ firejail-0.9.64.4/etc/profile-a-l/drill.profile 2021-02-04 15:29:49.000000000 +0000
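Review bot: `protocol unix,inet,inet6,netlink,bluetooth` enables the Bluetooth socket family unconditionally, while `net none`, `nodvd` and `private-dev` each get an opt-in comment; if bluetooth is only there for Wii Remote passthrough (inferred — the hunk does not say), give it the same treatment so users without such a controller can drop it: `# bluetooth is needed for Wii Remote support; remove it from the protocol line in dolphin-emu.local if unused`. The same list keeps `netfilter` without `net none`, which the NetPlay comment above already covers, so only the bluetooth rationale is missing. Style nit: `# net none` versus `#nodvd`/`#private-dev` use inconsistent spacing after `#` for lines meant to be uncommented.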
@@ -0,0 +1,55 @@
+# Firejail profile for drill
+# Description: DNS lookup utility
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include drill.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${PATH}/drill
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}
+
+include disable-common.inc
+# include disable-devel.inc
+include disable-exec.inc
+# include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private
+private-bin bash,drill,sh
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff -Nru firejail-0.9.64/etc/profile-a-l/electron.profile firejail-0.9.64.4/etc/profile-a-l/electron.profile
--- firejail-0.9.64/etc/profile-a-l/electron.profile 2020-10-06 12:50:41.000000000 +0000
+++ firejail-0.9.64.4/etc/profile-a-l/electron.profile 2021-02-04 15:29:49.000000000 +0000
@@ -3,25 +3,39 @@ # This file is overwritten after every install/update # Persistent local customizations include electron.local -# Persistent global definitions -include globals.local include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc +include disable-xdg.inc whitelist ${DOWNLOADS} +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +# Uncomment the next line (or add it to your chromium-common.local) +# if your kernel allows unprivileged userns clone. +#include chromium-common-hardened.inc apparmor -caps.drop all +caps.keep sys_admin,sys_chroot netfilter nodvd nogroups -nonewprivs -noroot notv -protocol unix,inet,inet6,netlink -seccomp +nou2f +novideo +shell none + +disable-mnt +private-cache +private-dev +private-tmp dbus-user none dbus-system none diff -Nru firejail-0.9.64/etc/profile-a-l/element-desktop.profile firejail-0.9.64.4/etc/profile-a-l/element-desktop.profile --- firejail-0.9.64/etc/profile-a-l/element-desktop.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/element-desktop.profile 2021-02-04 15:29:49.000000000 +0000 
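Review bot: The new side swaps `caps.drop all` for `caps.keep sys_admin,sys_chroot` and removes `nonewprivs`, `noroot`, `seccomp` and the `protocol` line with no comment explaining why; a process that keeps CAP_SYS_ADMIN with no seccomp filter and no `nonewprivs` is a far weaker boundary than the old one, and every profile that redirects here (freetube and github-desktop, both in this patch) inherits it silently. Presumably this is to let the setuid chrome-sandbox helper work where unprivileged user namespaces are disabled, which the `#include chromium-common-hardened.inc` hint suggests, but that reasoning belongs next to the `caps.keep` line, e.g. `# sys_admin/sys_chroot, no seccomp/nonewprivs/noroot: required by the setuid chrome-sandbox helper; chromium-common-hardened.inc re-enables them on kernels with unprivileged userns`. Dropping `seccomp` outright, rather than the `seccomp !chroot` form that falkon keeps and freetube removes elsewhere in this patch, looks broader than the helper needs and is worth checking.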
@@ -7,16 +7,18 @@ # added by included profile #include globals.local +ignore dbus-user none + noblacklist ${HOME}/.config/Element -noblacklist ${HOME}/.config/Element (Riot) mkdir ${HOME}/.config/Element -mkdir ${HOME}/.config/Element (Riot) whitelist ${HOME}/.config/Element -whitelist ${HOME}/.config/Element (Riot) whitelist /opt/Element private-opt Element +dbus-user filter +dbus-user.talk org.freedesktop.secrets + # Redirect include riot-desktop.profile diff -Nru firejail-0.9.64/etc/profile-a-l/email-common.profile firejail-0.9.64.4/etc/profile-a-l/email-common.profile --- firejail-0.9.64/etc/profile-a-l/email-common.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/email-common.profile 2021-02-04 15:29:49.000000000 +0000 @@ -58,8 +58,10 @@ private-dev private-tmp +dbus-user none +dbus-system none + # encrypting and signing email -read-only ${HOME}/.config/mimeapps.list writable-run-user # If you want to read local mail stored in /var/mail, add the following to email-common.local: diff -Nru firejail-0.9.64/etc/profile-a-l/enox.profile firejail-0.9.64.4/etc/profile-a-l/enox.profile --- firejail-0.9.64/etc/profile-a-l/enox.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/enox.profile 2021-02-04 15:29:49.000000000 +0000 @@ -5,6 +5,11 @@ # Persistent global definitions include globals.local +# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565 +ignore whitelist /usr/share/chromium +ignore include whitelist-runuser-common.inc +ignore include whitelist-usr-share-common.inc + noblacklist ${HOME}/.cache/Enox noblacklist ${HOME}/.config/Enox diff -Nru firejail-0.9.64/etc/profile-a-l/eo-common.profile firejail-0.9.64.4/etc/profile-a-l/eo-common.profile --- firejail-0.9.64/etc/profile-a-l/eo-common.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/eo-common.profile 2021-02-04 15:29:49.000000000 +0000 
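Review bot: `dbus-user.talk org.freedesktop.secrets` opens the whole Secret Service keyring to the sandboxed client, not only the entries Element created, since the Secret Service API has no per-client scoping; that is a real widening compared with the `dbus-user none` this hunk overrides via `ignore dbus-user none`. A comment on the line would make the trade-off explicit for people copying the profile, e.g. `# needed to store the account token in the keyring; grants access to every keyring item`. The removal of the duplicated `Element (Riot)` paths is a separate clean-up and could be mentioned in the commit message rather than left implicit.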
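Review bot: Removing `read-only ${HOME}/.config/mimeapps.list` from email-common.profile (and from geary.profile further down in this patch) drops the guard that stopped a compromised mail client from rewriting the user's default-application associations, a classic way to get a chosen program run on the next link or attachment click. If that protection now comes from a shared include such as disable-common.inc, the hunk should say so in a comment, e.g. `# mimeapps.list is made read-only by disable-common.inc`; if it does not, the line should stay. The added `dbus-user none` / `dbus-system none` pair is fine and matches the other profiles.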
@@ -27,6 +27,7 @@ caps.drop all ipc-namespace machine-id +net none no3d nodvd nogroups @@ -38,6 +39,7 @@ novideo protocol unix,netlink seccomp +seccomp.block-secondary shell none tracelog diff -Nru firejail-0.9.64/etc/profile-a-l/evince.profile firejail-0.9.64.4/etc/profile-a-l/evince.profile --- firejail-0.9.64/etc/profile-a-l/evince.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/evince.profile 2021-02-04 15:29:49.000000000 +0000 @@ -6,6 +6,10 @@ # Persistent global definitions include globals.local +# Uncomment this line and the bottom ones to use bookmarks +# NOTE: This possibly exposes information, including file history from other programs. +#noblacklist ${HOME}/.local/share/gvfs-metadata + noblacklist ${HOME}/.config/evince noblacklist ${DOCUMENTS} @@ -41,6 +45,7 @@ novideo protocol unix seccomp +seccomp.block-secondary shell none tracelog @@ -53,5 +58,8 @@ private-tmp # might break two-page-view on some systems -dbus-user none +dbus-user filter +# Also uncomment these two lines if you want to use bookmarks +#dbus-user.talk org.gtk.vfs.Daemon +#dbus-user.talk org.gtk.vfs.Metadata dbus-system none diff -Nru firejail-0.9.64/etc/profile-a-l/evolution.profile firejail-0.9.64.4/etc/profile-a-l/evolution.profile --- firejail-0.9.64/etc/profile-a-l/evolution.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/evolution.profile 2021-02-04 15:29:49.000000000 +0000 
@@ -6,15 +6,16 @@ # Persistent global definitions include globals.local -noblacklist /var/mail -noblacklist /var/spool/mail noblacklist ${HOME}/.bogofilter +noblacklist ${HOME}/.gnupg +noblacklist ${HOME}/.mozilla +noblacklist ${HOME}/.pki noblacklist ${HOME}/.cache/evolution noblacklist ${HOME}/.config/evolution -noblacklist ${HOME}/.gnupg noblacklist ${HOME}/.local/share/evolution -noblacklist ${HOME}/.pki noblacklist ${HOME}/.local/share/pki +noblacklist /var/mail +noblacklist /var/spool/mail include disable-common.inc include disable-devel.inc @@ -22,13 +23,42 @@ include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc +mkdir ${HOME}/.bogofilter +mkdir ${HOME}/.gnupg +mkdir ${HOME}/.pki +mkdir ${HOME}/.cache/evolution +mkdir ${HOME}/.config/evolution +mkdir ${HOME}/.local/share/evolution +mkdir ${HOME}/.local/share/pki +whitelist ${HOME}/.bogofilter +whitelist ${HOME}/.gnupg +whitelist ${HOME}/.mozilla/firefox/profiles.ini +whitelist ${HOME}/.pki +whitelist ${HOME}/.cache/evolution +whitelist ${HOME}/.config/evolution +whitelist ${HOME}/.local/share/evolution +whitelist ${HOME}/.local/share/pki +whitelist ${DOCUMENTS} +whitelist ${DOWNLOADS} +whitelist ${RUNUSER}/gnupg +whitelist /usr/share/evolution +whitelist /usr/share/gnupg +whitelist /usr/share/gnupg2 +whitelist /var/mail +whitelist /var/spool/mail +include whitelist-common.inc include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc +apparmor caps.drop all netfilter # no3d breaks under wayland -#no3d +# no3d nodvd nogroups nonewprivs 
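Review bot: `mkdir ${HOME}/.gnupg` plus `whitelist ${HOME}/.gnupg` gives evolution read-write access to the entire GnuPG home, private keyrings and trustdb included, while the agent socket is separately exposed through `whitelist ${RUNUSER}/gnupg`; gajim receives the same pair later in this patch. If gpg inside the sandbox only needs public material and the agent, `read-only ${HOME}/.gnupg` would stop a compromised client from altering keys or trust, though whether gpg tolerates a read-only home should be tested first. Either way the choice deserves a comment, e.g. `# ~/.gnupg is whitelisted in full for gpg; secret-key operations still go through the agent socket`.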
@@ -40,7 +70,27 @@ protocol unix,inet,inet6 seccomp shell none +tracelog +# disable-mnt +# Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg +# To use private-bin add all evolution,gpg,pinentry binaries and follow firefox.profile for hyperlink support +# private-bin evolution +private-cache private-dev +private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,groups,gtk-2.0,gtk-3.0,hostname,hosts,mailname,passwd,pki,resolv.conf,selinux,ssl,xdg private-tmp +writable-run-user writable-var + +dbus-user filter +dbus-user.own org.gnome.Evolution +dbus-user.talk ca.desrt.dconf +# Uncomment to have keyring access +# dbus-user.talk org.freedesktop.secrets +dbus-user.talk org.gnome.keyring.SystemPrompter +dbus-user.talk org.gnome.OnlineAccounts +dbus-user.talk org.freedesktop.Notifications +dbus-system none + +read-only ${HOME}/.mozilla/firefox/profiles.ini diff -Nru firejail-0.9.64/etc/profile-a-l/falkon.profile firejail-0.9.64.4/etc/profile-a-l/falkon.profile --- firejail-0.9.64/etc/profile-a-l/falkon.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/falkon.profile 2021-02-04 15:29:49.000000000 +0000 @@ -15,15 +15,20 @@ include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc +include disable-xdg.inc mkdir ${HOME}/.cache/falkon mkdir ${HOME}/.config/falkon whitelist ${DOWNLOADS} whitelist ${HOME}/.cache/falkon whitelist ${HOME}/.config/falkon +whitelist /usr/share/falkon include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc include whitelist-var-common.inc +apparmor caps.drop all netfilter nodvd 
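Review bot: `dbus-user.talk org.gnome.OnlineAccounts` lets the sandboxed process request access tokens for every account configured in GNOME Online Accounts, not just the mail ones, so it deserves the same kind of explanatory comment the hunk already gives the disabled `org.freedesktop.secrets` line, e.g. `# GOA is needed for account and OAuth token lookup; it exposes all configured accounts`. `# disable-mnt` and `# private-bin evolution` are left commented with no stated reason, and `writable-var` is added without saying which path under /var needs writing (presumably /var/mail). A one-line comment on each would keep the next editor from re-enabling or removing them blindly.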
@@ -37,7 +42,13 @@ seccomp !chroot # tracelog +disable-mnt +# private-bin falkon +private-cache private-dev -# private-etc alternatives,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,adobe,mime.types,mailcap,asound.conf,pulse,machine-id,ca-certificates,ssl,pki,crypto-policies -# private-tmp - interferes with the opening of downloaded files +private-etc adobe,alternatives,asound.conf,ati,ca-certificates,crypto-policies,dconf,drirc,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg +private-tmp +# dbus-user filter +# dbus-user.own org.kde.Falkon +dbus-system none diff -Nru firejail-0.9.64/etc/profile-a-l/feh.profile firejail-0.9.64.4/etc/profile-a-l/feh.profile --- firejail-0.9.64/etc/profile-a-l/feh.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/feh.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,6 +1,7 @@ # Firejail profile for feh # Description: imlib2 based image viewer # This file is overwritten after every install/update +quiet # Persistent local customizations include feh.local # Persistent global definitions diff -Nru firejail-0.9.64/etc/profile-a-l/ffmpeg.profile firejail-0.9.64.4/etc/profile-a-l/ffmpeg.profile --- firejail-0.9.64/etc/profile-a-l/ffmpeg.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/ffmpeg.profile 2021-02-04 15:29:49.000000000 +0000 @@ -41,6 +41,7 @@ protocol inet,inet6 # allow set_mempolicy, which is required to encode using libx265 seccomp !set_mempolicy +seccomp.block-secondary shell none tracelog diff -Nru firejail-0.9.64/etc/profile-a-l/file.profile firejail-0.9.64.4/etc/profile-a-l/file.profile --- firejail-0.9.64/etc/profile-a-l/file.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/file.profile 2021-02-04 15:29:49.000000000 +0000 
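Review bot: `private-tmp` is enabled here, but the line it replaces, `# private-tmp - interferes with the opening of downloaded files`, recorded a known breakage and the new side does not say whether that was fixed; if it was, a short note such as `# private-tmp: downloaded files open fine since <version or issue>` would prevent the next report from reverting it. The new `private-etc` list is also much longer than the old commented one and includes `dconf`, `drirc` and `xdg`, which is reasonable but worth a word on what required them. `dbus-system none` is a good addition; the commented `# dbus-user filter` / `# dbus-user.own org.kde.Falkon` pair would benefit from a note on why it is not yet enabled.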
@@ -7,7 +7,6 @@ # Persistent global definitions include globals.local -blacklist ${RUNUSER}/wayland-* blacklist ${RUNUSER} include disable-common.inc diff -Nru firejail-0.9.64/etc/profile-a-l/file-roller.profile firejail-0.9.64.4/etc/profile-a-l/file-roller.profile --- firejail-0.9.64/etc/profile-a-l/file-roller.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/file-roller.profile 2021-02-04 15:29:49.000000000 +0000 @@ -34,6 +34,7 @@ novideo protocol unix seccomp +seccomp.block-secondary shell none tracelog diff -Nru firejail-0.9.64/etc/profile-a-l/filezilla.profile firejail-0.9.64.4/etc/profile-a-l/filezilla.profile --- firejail-0.9.64/etc/profile-a-l/filezilla.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/filezilla.profile 2021-02-04 15:29:49.000000000 +0000 @@ -8,6 +8,7 @@ noblacklist ${HOME}/.config/filezilla noblacklist ${HOME}/.filezilla +noblacklist ${HOME}/.ssh # Allow python (blacklisted by disable-interpreters.inc) include allow-python2.inc diff -Nru firejail-0.9.64/etc/profile-a-l/firefox-common.profile firejail-0.9.64.4/etc/profile-a-l/firefox-common.profile --- firejail-0.9.64/etc/profile-a-l/firefox-common.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/firefox-common.profile 2021-02-04 15:29:49.000000000 +0000 @@ -27,6 +27,7 @@ whitelist ${HOME}/.pki whitelist ${HOME}/.local/share/pki include whitelist-common.inc +include whitelist-runuser-common.inc include whitelist-var-common.inc apparmor diff -Nru firejail-0.9.64/etc/profile-a-l/firefox.profile firejail-0.9.64.4/etc/profile-a-l/firefox.profile --- firejail-0.9.64/etc/profile-a-l/firefox.profile 2020-10-17 15:28:33.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/firefox.profile 2021-02-04 15:29:49.000000000 +0000 
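Review bot: `noblacklist ${HOME}/.ssh` in filezilla.profile exposes every SSH private key, config and known_hosts file to the FileZilla sandbox, which is a notable widening for a network client; the hunk gives no reason, and I assume it is for key-based SFTP authentication. If FileZilla only needs to read a key, `read-only ${HOME}/.ssh` next to it limits what a compromised client can do (it could otherwise append to authorized_keys or alter config), and a comment such as `# for SFTP key authentication; keep read-only` records the intent. Users who point FileZilla at a key outside ~/.ssh do not need this line, so mentioning filezilla.local as the alternative would also help.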
@@ -16,6 +16,7 @@ whitelist /usr/share/doc whitelist /usr/share/firefox +whitelist /usr/share/gnome-shell/search-providers/firefox-search-provider.ini whitelist /usr/share/gtk-doc/html whitelist /usr/share/mozilla whitelist /usr/share/webext @@ -29,10 +30,17 @@ #private-etc firefox dbus-user filter +dbus-user.own org.mozilla.Firefox.* dbus-user.own org.mozilla.firefox.* dbus-user.own org.mpris.MediaPlayer2.firefox.* # Uncomment or put in your firefox.local to enable native notifications. #dbus-user.talk org.freedesktop.Notifications +# Uncomment or put in your firefox.local to allow to inhibit screensavers +#dbus-user.talk org.freedesktop.ScreenSaver +# Uncomment or put in your firefox.local for plasma browser integration +#dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration +#dbus-user.talk org.kde.JobViewServer +#dbus-user.talk org.kde.kuiserver ignore dbus-user none # Redirect diff -Nru firejail-0.9.64/etc/profile-a-l/flameshot.profile firejail-0.9.64.4/etc/profile-a-l/flameshot.profile --- firejail-0.9.64/etc/profile-a-l/flameshot.profile 2020-10-17 15:28:33.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/flameshot.profile 2021-02-04 15:29:49.000000000 +0000 @@ -45,6 +45,7 @@ novideo protocol unix,inet,inet6 seccomp +seccomp.block-secondary shell none tracelog diff -Nru firejail-0.9.64/etc/profile-a-l/flashpeak-slimjet.profile firejail-0.9.64.4/etc/profile-a-l/flashpeak-slimjet.profile --- firejail-0.9.64/etc/profile-a-l/flashpeak-slimjet.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/flashpeak-slimjet.profile 2021-02-04 15:29:49.000000000 +0000 
@@ -5,6 +5,11 @@ # Persistent global definitions include globals.local +# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565 +ignore whitelist /usr/share/chromium +ignore include whitelist-runuser-common.inc +ignore include whitelist-usr-share-common.inc + noblacklist ${HOME}/.cache/slimjet noblacklist ${HOME}/.config/slimjet diff -Nru firejail-0.9.64/etc/profile-a-l/fluxbox.profile firejail-0.9.64.4/etc/profile-a-l/fluxbox.profile --- firejail-0.9.64/etc/profile-a-l/fluxbox.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/fluxbox.profile 2021-02-04 15:29:49.000000000 +0000 @@ -6,7 +6,7 @@ # Persistent global definitions include globals.local -# all applications started in awesome will run in this profile +# all applications started in fluxbox will run in this profile noblacklist ${HOME}/.fluxbox include disable-common.inc diff -Nru firejail-0.9.64/etc/profile-a-l/FossaMail.profile firejail-0.9.64.4/etc/profile-a-l/FossaMail.profile --- firejail-0.9.64/etc/profile-a-l/FossaMail.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/FossaMail.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,5 +1,8 @@ # Firejail profile alias for fossamail # This file is overwritten after every install/update +# Persistent local customizations +include FossaMail.local + # Redirect include fossamail.profile diff -Nru firejail-0.9.64/etc/profile-a-l/fractal.profile firejail-0.9.64.4/etc/profile-a-l/fractal.profile --- firejail-0.9.64/etc/profile-a-l/fractal.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/fractal.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,5 +1,5 @@ # Firejail profile for fractal -# Description: Desktop client for Matrix +# Description: Desktop client for Matrix # This file is overwritten after every install/update # Persistent local customizations include fractal.local 
@@ -8,6 +8,9 @@ noblacklist ${HOME}/.cache/fractal +include allow-python2.inc +include allow-python3.inc + include disable-common.inc include disable-devel.inc include disable-exec.inc @@ -21,7 +24,7 @@ whitelist ${HOME}/.cache/fractal whitelist ${DOWNLOADS} include whitelist-common.inc -include whitelist-runuser-common.inc +include whitelist-runuser-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc @@ -49,6 +52,6 @@ dbus-user filter dbus-user.own org.gnome.Fractal dbus-user.talk ca.desrt.dconf -dbus-user.talk org.freedesktop.secrets dbus-user.talk org.freedesktop.Notifications +dbus-user.talk org.freedesktop.secrets dbus-system none diff -Nru firejail-0.9.64/etc/profile-a-l/freecadcmd.profile firejail-0.9.64.4/etc/profile-a-l/freecadcmd.profile --- firejail-0.9.64/etc/profile-a-l/freecadcmd.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/freecadcmd.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,5 +1,8 @@ # Firejail profile alias for freecad # This file is overwritten after every install/update +# Persistent local customizations +include freecadcms.local + # Redirect include freecad.profile diff -Nru firejail-0.9.64/etc/profile-a-l/freeciv-gtk3.profile firejail-0.9.64.4/etc/profile-a-l/freeciv-gtk3.profile --- firejail-0.9.64/etc/profile-a-l/freeciv-gtk3.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/freeciv-gtk3.profile 2021-02-04 15:29:49.000000000 +0000 
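Review bot: `include allow-python2.inc` and `include allow-python3.inc` re-enable two interpreters that disable-interpreters.inc blacklists, and the hunk does not say which component of fractal needs them; allowing a Python 2 interpreter in a sandbox is a wide exception. If only one version is required, keep that one, and either way add a note like `# python needed for <component>`. The later hunks in this file (whitespace on the whitelist-runuser line, dbus-user.talk reordering) are fine.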
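Review bot: The alias file is freecadcmd.profile but the added local include reads `include freecadcms.local`, so a user's freecadcmd.local will never be picked up, while the other aliases in this patch (freeciv-gtk3, gimp-2.8, ghb) all use their own basename. Change it to `include freecadcmd.local`.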
@@ -1,5 +1,8 @@ # Firejail profile alias for freeciv # This file is overwritten after every install/update +# Persistent local customizations +include freeciv-gtk3.local + # Redirect include freeciv.profile diff -Nru firejail-0.9.64/etc/profile-a-l/freeciv-mp-gtk3.profile firejail-0.9.64.4/etc/profile-a-l/freeciv-mp-gtk3.profile --- firejail-0.9.64/etc/profile-a-l/freeciv-mp-gtk3.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/freeciv-mp-gtk3.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,5 +1,8 @@ # Firejail profile alias for freeciv # This file is overwritten after every install/update +# Persistent local customizations +include freeciv-mp-gtk3.local + # Redirect include freeciv.profile diff -Nru firejail-0.9.64/etc/profile-a-l/freeoffice-planmaker.profile firejail-0.9.64.4/etc/profile-a-l/freeoffice-planmaker.profile --- firejail-0.9.64/etc/profile-a-l/freeoffice-planmaker.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/freeoffice-planmaker.profile 2021-02-04 15:29:49.000000000 +0000 @@ -7,4 +7,4 @@ include globals.local # Redirect -include softmaker-common.inc +include softmaker-common.profile diff -Nru firejail-0.9.64/etc/profile-a-l/freeoffice-presentations.profile firejail-0.9.64.4/etc/profile-a-l/freeoffice-presentations.profile --- firejail-0.9.64/etc/profile-a-l/freeoffice-presentations.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/freeoffice-presentations.profile 2021-02-04 15:29:49.000000000 +0000 @@ -7,4 +7,4 @@ include globals.local # Redirect -include softmaker-common.inc +include softmaker-common.profile diff -Nru firejail-0.9.64/etc/profile-a-l/freeoffice-textmaker.profile firejail-0.9.64.4/etc/profile-a-l/freeoffice-textmaker.profile --- firejail-0.9.64/etc/profile-a-l/freeoffice-textmaker.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/freeoffice-textmaker.profile 2021-02-04 15:29:49.000000000 +0000 
@@ -6,4 +6,4 @@ include globals.local # Redirect -include softmaker-common.inc +include softmaker-common.profile diff -Nru firejail-0.9.64/etc/profile-a-l/freetube.profile firejail-0.9.64.4/etc/profile-a-l/freetube.profile --- firejail-0.9.64/etc/profile-a-l/freetube.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/freetube.profile 2021-02-04 15:29:49.000000000 +0000 @@ -8,24 +8,13 @@ noblacklist ${HOME}/.config/FreeTube -include disable-devel.inc -include disable-exec.inc -include disable-interpreters.inc -include disable-shell.inc -include disable-xdg.inc +include disable-shell.inc mkdir ${HOME}/.config/FreeTube whitelist ${HOME}/.config/FreeTube -seccomp !chroot -shell none - -disable-mnt private-bin freetube -private-cache -private-dev private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg -private-tmp # Redirect include electron.profile diff -Nru firejail-0.9.64/etc/profile-a-l/frogatto.profile firejail-0.9.64.4/etc/profile-a-l/frogatto.profile --- firejail-0.9.64/etc/profile-a-l/frogatto.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/frogatto.profile 2021-02-04 15:29:49.000000000 +0000 @@ -36,6 +36,7 @@ novideo protocol unix seccomp +seccomp.block-secondary shell none tracelog diff -Nru firejail-0.9.64/etc/profile-a-l/gajim-history-manager.profile firejail-0.9.64.4/etc/profile-a-l/gajim-history-manager.profile --- firejail-0.9.64/etc/profile-a-l/gajim-history-manager.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/gajim-history-manager.profile 2021-02-04 15:29:49.000000000 +0000 
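Review bot: `-seccomp !chroot` and `-shell none` are removed from freetube.profile on the assumption that electron.profile supplies them, but the electron.profile hunk in this same patch adds `shell none` and drops `seccomp` altogether, so after this change freetube runs with no seccomp filter at all (and, via electron.profile, without `nonewprivs` or `noroot`). If the chrome-sandbox helper really cannot run under `seccomp !chroot`, say so in a comment; otherwise keep `seccomp !chroot` in this file. The other removals (`disable-*`, `private-cache`, `private-dev`, `private-tmp`, `disable-mnt`) do have counterparts in the new electron.profile.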
@@ -1,5 +1,8 @@ # Firejail profile alias for gajim-history-manager # This file is overwritten after every install/update +# Persistent local customizations +include gajim-history-manager.local + # Redirect include gajim.profile diff -Nru firejail-0.9.64/etc/profile-a-l/gajim.profile firejail-0.9.64.4/etc/profile-a-l/gajim.profile --- firejail-0.9.64/etc/profile-a-l/gajim.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/gajim.profile 2021-02-04 15:29:49.000000000 +0000 @@ -6,6 +6,7 @@ # Persistent global definitions include globals.local +noblacklist ${HOME}/.gnupg noblacklist ${HOME}/.cache/gajim noblacklist ${HOME}/.config/gajim noblacklist ${HOME}/.local/share/gajim @@ -20,19 +21,27 @@ include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc -# Comment the following line if you need to whitelist other folders than ~/Downloads +# Comment the following line if you need to whitelist folders other than ~/Downloads include disable-xdg.inc +mkdir ${HOME}/.gnupg mkdir ${HOME}/.cache/gajim mkdir ${HOME}/.config/gajim mkdir ${HOME}/.local/share/gajim +whitelist ${HOME}/.gnupg whitelist ${HOME}/.cache/gajim whitelist ${HOME}/.config/gajim whitelist ${HOME}/.local/share/gajim whitelist ${DOWNLOADS} +whitelist ${RUNUSER}/gnupg +whitelist /usr/share/gnupg +whitelist /usr/share/gnupg2 include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc include whitelist-var-common.inc +apparmor caps.drop all netfilter nodvd 
@@ -47,9 +56,24 @@ tracelog disable-mnt -private-bin bash,gajim,gajim-history-manager,gpg,gpg2,paplay,python,python3,sh,zsh +private-bin bash,gajim,gajim-history-manager,gpg,gpg2,paplay,python*,sh,zsh +private-cache private-dev -private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,hostname,hosts,ld.so.cache,ld.so.conf,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl +private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,hostname,hosts,ld.so.cache,ld.so.conf,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl,xdg private-tmp +writable-run-user + +dbus-user filter +dbus-user.own org.gajim.Gajim +dbus-user.talk org.gnome.Mutter.IdleMonitor +dbus-user.talk ca.desrt.dconf +dbus-user.talk org.freedesktop.Notifications +dbus-user.talk org.freedesktop.secrets +dbus-user.talk org.kde.kwalletd5 +dbus-user.talk org.mpris.MediaPlayer2.* +dbus-system filter +dbus-system.talk org.freedesktop.login1 +# Uncomment for location plugin support +#dbus-system.talk org.freedesktop.GeoClue2 join-or-start gajim diff -Nru firejail-0.9.64/etc/profile-a-l/gapplication.profile firejail-0.9.64.4/etc/profile-a-l/gapplication.profile --- firejail-0.9.64/etc/profile-a-l/gapplication.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/gapplication.profile 2021-02-04 15:29:49.000000000 +0000 @@ -38,6 +38,7 @@ novideo protocol unix seccomp +seccomp.block-secondary shell none tracelog x11 none diff -Nru firejail-0.9.64/etc/profile-a-l/geary.profile firejail-0.9.64.4/etc/profile-a-l/geary.profile --- firejail-0.9.64/etc/profile-a-l/geary.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/geary.profile 2021-02-04 15:29:49.000000000 +0000 
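Review bot: `dbus-user.talk org.freedesktop.secrets` and `dbus-user.talk org.kde.kwalletd5` together hand the sandboxed client the full contents of both keyring services, and `dbus-system.talk org.freedesktop.login1` reaches logind on the system bus, which exposes session and power-management methods (subject to polkit) beyond idle and lock signals; none of the three carries the kind of comment the hunk gives the commented GeoClue2 line. Please annotate them, e.g. `# keyring access for account passwords (exposes all items)` and `# login1: session lock/idle signals`, so the scope is clear to people copying the profile. `private-bin ... python*` also widens the old `python,python3` to every binary starting with python (python2, python3.x-config, ...); if the goal was to cover versioned interpreters, `python3*` may be enough, but that depends on what gajim's launcher invokes.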
@@ -26,8 +26,6 @@ whitelist ${HOME}/.local/share/geary whitelist /usr/share/geary -read-only ${HOME}/.config/mimeapps.list - # allow Mozilla browsers # Redirect include firefox.profile diff -Nru firejail-0.9.64/etc/profile-a-l/gedit.profile firejail-0.9.64.4/etc/profile-a-l/gedit.profile --- firejail-0.9.64/etc/profile-a-l/gedit.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/gedit.profile 2021-02-04 15:29:49.000000000 +0000 @@ -37,6 +37,7 @@ novideo protocol unix seccomp +seccomp.block-secondary shell none tracelog diff -Nru firejail-0.9.64/etc/profile-a-l/geekbench.profile firejail-0.9.64.4/etc/profile-a-l/geekbench.profile --- firejail-0.9.64/etc/profile-a-l/geekbench.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/geekbench.profile 2021-02-04 15:29:49.000000000 +0000 @@ -51,5 +51,4 @@ dbus-system none #memory-deny-write-execute - breaks on Arch (see issue #1803) - read-only ${HOME} diff -Nru firejail-0.9.64/etc/profile-a-l/gfeeds.profile firejail-0.9.64.4/etc/profile-a-l/gfeeds.profile --- firejail-0.9.64/etc/profile-a-l/gfeeds.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/gfeeds.profile 2021-02-04 15:29:49.000000000 +0000 @@ -49,6 +49,7 @@ novideo protocol unix,inet,inet6 seccomp +seccomp.block-secondary shell none tracelog diff -Nru firejail-0.9.64/etc/profile-a-l/ghb.profile firejail-0.9.64.4/etc/profile-a-l/ghb.profile --- firejail-0.9.64/etc/profile-a-l/ghb.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/ghb.profile 2021-02-04 15:29:49.000000000 +0000 
@@ -1,5 +1,8 @@ # Firejail profile alias for handbrake # This file is overwritten after every install/update +# Persistent local customizations +include ghb.local + # Redirect include handbrake.profile diff -Nru firejail-0.9.64/etc/profile-a-l/ghostwriter.profile firejail-0.9.64.4/etc/profile-a-l/ghostwriter.profile --- firejail-0.9.64/etc/profile-a-l/ghostwriter.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/ghostwriter.profile 2021-02-04 15:29:49.000000000 +0000 @@ -11,6 +11,8 @@ noblacklist ${DOCUMENTS} noblacklist ${PICTURES} +include allow-lua.inc + include disable-common.inc include disable-devel.inc include disable-exec.inc @@ -26,6 +28,7 @@ whitelist /usr/share/pandoc* include whitelist-runuser-common.inc include whitelist-usr-share-common.inc +include whitelist-var-common.inc apparmor caps.drop all @@ -41,6 +44,7 @@ novideo protocol unix,inet,inet6,netlink seccomp !chroot +seccomp.block-secondary shell none #tracelog -- breaks diff -Nru firejail-0.9.64/etc/profile-a-l/gimp-2.10.profile firejail-0.9.64.4/etc/profile-a-l/gimp-2.10.profile --- firejail-0.9.64/etc/profile-a-l/gimp-2.10.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/gimp-2.10.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,5 +1,8 @@ # Firejail profile alias for gimp # This file is overwritten after every install/update +# Persistent local customizations +include gimp-2.10.local + # Redirect include gimp.profile diff -Nru firejail-0.9.64/etc/profile-a-l/gimp-2.8.profile firejail-0.9.64.4/etc/profile-a-l/gimp-2.8.profile --- firejail-0.9.64/etc/profile-a-l/gimp-2.8.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/gimp-2.8.profile 2021-02-04 15:29:49.000000000 +0000 
@@ -1,5 +1,8 @@ # Firejail profile alias for gimp # This file is overwritten after every install/update +# Persistent local customizations +include gimp-2.8.local + # Redirect include gimp.profile diff -Nru firejail-0.9.64/etc/profile-a-l/gimp.profile firejail-0.9.64.4/etc/profile-a-l/gimp.profile --- firejail-0.9.64/etc/profile-a-l/gimp.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/gimp.profile 2021-02-04 15:29:49.000000000 +0000 @@ -6,6 +6,14 @@ # Persistent global definitions include globals.local +# Uncomment or add to gimp.local in order to support scanning via xsane (see #3640). +# TODO: Replace 'ignore seccomp' with a less permissive option. +#ignore seccomp +#ignore dbus-system +#ignore net +#protocol unix,inet,inet6 + + # gimp plugins are installed by the user in ${HOME}/.gimp-2.8/plug-ins/ directory # if you are not using external plugins, you can comment 'ignore noexec' statement below # or put 'noexec ${HOME}' in your gimp.local @@ -44,7 +52,7 @@ notv nou2f protocol unix -seccomp +seccomp !mbind shell none tracelog diff -Nru firejail-0.9.64/etc/profile-a-l/gitg.profile firejail-0.9.64.4/etc/profile-a-l/gitg.profile --- firejail-0.9.64/etc/profile-a-l/gitg.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/gitg.profile 2021-02-04 15:29:49.000000000 +0000 @@ -45,6 +45,7 @@ novideo protocol unix,inet,inet6 seccomp +seccomp.block-secondary shell none tracelog diff -Nru firejail-0.9.64/etc/profile-a-l/github-desktop.profile firejail-0.9.64.4/etc/profile-a-l/github-desktop.profile --- firejail-0.9.64/etc/profile-a-l/github-desktop.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/github-desktop.profile 2021-02-04 15:29:49.000000000 +0000 
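Review bot: `seccomp !mbind` in gimp.profile relaxes the default filter by one syscall without a comment saying which component needs it, whereas the xsane block above documents its own `#ignore seccomp` with a TODO; a note such as `# mbind needed by <plugin or library>` would stop it being copied elsewhere. The commented scanner block is appropriately hedged, though `#ignore dbus-system` and `#ignore net` would also profit from a one-line reason each, since ignoring `net` presumably hands the sandbox the host network again.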
@@ -6,43 +6,35 @@ # Persistent global definitions include globals.local +# Note: On debian-based distributions the binary might be located in +# /opt/GitHub Desktop/github-desktop, and therefore not be in PATH. +# If that's the case you can start GitHub Desktop with firejail via +# `firejail "/opt/GitHub Desktop/github-desktop"`. + +# Disabled until someone reported positive feedback +ignore include disable-xdg.inc +ignore whitelist ${DOWNLOADS} +ignore include whitelist-common.inc +ignore include whitelist-runuser-common.inc +ignore include whitelist-usr-share-common.inc +ignore include whitelist-var-common.inc +ignore apparmor +ignore dbus-user none +ignore dbus-system none + noblacklist ${HOME}/.config/GitHub Desktop noblacklist ${HOME}/.config/git noblacklist ${HOME}/.gitconfig noblacklist ${HOME}/.git-credentials -include disable-common.inc -include disable-passwdmgr.inc -include disable-programs.inc -include disable-devel.inc -include disable-exec.inc -include disable-interpreters.inc - -caps.drop all -netfilter # no3d -nodvd -nogroups -nonewprivs -noroot nosound -notv -nou2f -novideo -protocol unix,inet,inet6,netlink -seccomp !chroot -# Note: On debian-based distributions the binary might be located in -# /opt/GitHub Desktop/github-desktop, and therefore not be in PATH. -# If that's the case you can start GitHub Desktop with firejail via -# `firejail "/opt/GitHub Desktop/github-desktop"`. - -disable-mnt # private-bin github-desktop -private-cache ?HAS_APPIMAGE: ignore private-dev -private-dev # private-lib -private-tmp # memory-deny-write-execute + +# Redirect +include electron.profile diff -Nru firejail-0.9.64/etc/profile-a-l/Gitter.profile firejail-0.9.64.4/etc/profile-a-l/Gitter.profile --- firejail-0.9.64/etc/profile-a-l/Gitter.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/Gitter.profile 2021-02-04 15:29:49.000000000 +0000 
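Review bot: The new side deletes `caps.drop all`, `nonewprivs`, `noroot`, `seccomp !chroot` and `protocol unix,inet,inet6,netlink` and then ignores `apparmor`, `dbus-user none` and `dbus-system none` before redirecting to electron.profile, which in this same patch keeps `sys_admin,sys_chroot` and sets no seccomp; the result is an unfiltered session and system bus plus CAP_SYS_ADMIN, far weaker than the profile this hunk replaces, and the comment `# Disabled until someone reported positive feedback` only covers the whitelist/apparmor/dbus ignores. If the dbus ignores exist because the client breaks under `dbus-user none`, `dbus-user filter` with the names it actually uses is the usual middle ground, and `seccomp !chroot` with its `protocol` line could stay in this file even while the rest is inherited. Please extend the comment to say which items are known to break and which are merely untested.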
@@ -1,5 +1,8 @@ # Firejail profile alias for Gitter # This file is overwritten after every install/update +# Persistent local customizations +include Gitter.local + # Redirect include gitter.profile diff -Nru firejail-0.9.64/etc/profile-a-l/gnome-calculator.profile firejail-0.9.64.4/etc/profile-a-l/gnome-calculator.profile --- firejail-0.9.64/etc/profile-a-l/gnome-calculator.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/gnome-calculator.profile 2021-02-04 15:29:49.000000000 +0000 @@ -38,6 +38,7 @@ novideo protocol unix,inet,inet6 seccomp +seccomp.block-secondary shell none tracelog diff -Nru firejail-0.9.64/etc/profile-a-l/gnome-calendar.profile firejail-0.9.64.4/etc/profile-a-l/gnome-calendar.profile --- firejail-0.9.64/etc/profile-a-l/gnome-calendar.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/gnome-calendar.profile 2021-02-04 15:29:49.000000000 +0000 @@ -36,6 +36,7 @@ novideo protocol unix,inet,inet6 seccomp +seccomp.block-secondary shell none tracelog diff -Nru firejail-0.9.64/etc/profile-a-l/gnome-characters.profile firejail-0.9.64.4/etc/profile-a-l/gnome-characters.profile --- firejail-0.9.64/etc/profile-a-l/gnome-characters.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/gnome-characters.profile 2021-02-04 15:29:49.000000000 +0000 @@ -39,6 +39,7 @@ novideo protocol unix seccomp +seccomp.block-secondary shell none tracelog diff -Nru firejail-0.9.64/etc/profile-a-l/gnome-contacts.profile firejail-0.9.64.4/etc/profile-a-l/gnome-contacts.profile --- firejail-0.9.64/etc/profile-a-l/gnome-contacts.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/gnome-contacts.profile 2021-02-04 15:29:49.000000000 +0000 
@@ -32,6 +32,7 @@ novideo protocol unix,inet,inet6,netlink seccomp +seccomp.block-secondary disable-mnt private-dev diff -Nru firejail-0.9.64/etc/profile-a-l/gnome_games-common.profile firejail-0.9.64.4/etc/profile-a-l/gnome_games-common.profile --- firejail-0.9.64/etc/profile-a-l/gnome_games-common.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/gnome_games-common.profile 2021-02-04 15:29:49.000000000 +0000 @@ -34,6 +34,7 @@ novideo protocol unix seccomp +seccomp.block-secondary shell none tracelog diff -Nru firejail-0.9.64/etc/profile-a-l/gnome-hexgl.profile firejail-0.9.64.4/etc/profile-a-l/gnome-hexgl.profile --- firejail-0.9.64/etc/profile-a-l/gnome-hexgl.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/gnome-hexgl.profile 2021-02-04 15:29:49.000000000 +0000 @@ -33,6 +33,7 @@ novideo protocol unix seccomp +seccomp.block-secondary shell none tracelog diff -Nru firejail-0.9.64/etc/profile-a-l/gnome-keyring.profile firejail-0.9.64.4/etc/profile-a-l/gnome-keyring.profile --- firejail-0.9.64/etc/profile-a-l/gnome-keyring.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/gnome-keyring.profile 2021-02-04 15:29:49.000000000 +0000 @@ -9,8 +9,6 @@ noblacklist ${HOME}/.gnupg -whitelist ${HOME}/.gnupg -whitelist ${DOWNLOADS} include disable-common.inc include disable-devel.inc include disable-exec.inc @@ -19,9 +17,15 @@ include disable-programs.inc include disable-xdg.inc +mkdir ${HOME}/.gnupg +whitelist ${HOME}/.gnupg +whitelist ${DOWNLOADS} +whitelist ${RUNUSER}/gnupg +whitelist ${RUNUSER}/keyring whitelist /usr/share/gnupg whitelist /usr/share/gnupg2 include whitelist-common.inc +include whitelist-runuser-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc @@ -41,6 +45,7 @@ novideo protocol unix,inet,inet6 seccomp +seccomp.block-secondary shell none tracelog 
@@ -52,6 +57,6 @@ private-tmp # dbus-user none -# dbus-system none +dbus-system none memory-deny-write-execute diff -Nru firejail-0.9.64/etc/profile-a-l/gnome-latex.profile firejail-0.9.64.4/etc/profile-a-l/gnome-latex.profile --- firejail-0.9.64/etc/profile-a-l/gnome-latex.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/gnome-latex.profile 2021-02-04 15:29:49.000000000 +0000 @@ -41,6 +41,7 @@ novideo protocol unix seccomp +seccomp.block-secondary shell none tracelog diff -Nru firejail-0.9.64/etc/profile-a-l/gnome-maps.profile firejail-0.9.64.4/etc/profile-a-l/gnome-maps.profile --- firejail-0.9.64/etc/profile-a-l/gnome-maps.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/gnome-maps.profile 2021-02-04 15:29:49.000000000 +0000 @@ -54,6 +54,7 @@ novideo protocol unix,inet,inet6 seccomp +seccomp.block-secondary shell none tracelog diff -Nru firejail-0.9.64/etc/profile-a-l/gnome-mpv.profile firejail-0.9.64.4/etc/profile-a-l/gnome-mpv.profile --- firejail-0.9.64/etc/profile-a-l/gnome-mpv.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/gnome-mpv.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,5 +1,8 @@ # Firejail profile alias for celluloid (formerly GNOME MPV) # This file is overwritten after every install/update +# Persistent local customizations +include gnome-mpv.local + # Redirect include celluloid.profile diff -Nru firejail-0.9.64/etc/profile-a-l/gnome-passwordsafe.profile firejail-0.9.64.4/etc/profile-a-l/gnome-passwordsafe.profile --- firejail-0.9.64/etc/profile-a-l/gnome-passwordsafe.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/gnome-passwordsafe.profile 2021-02-04 15:29:49.000000000 +0000 
@@ -43,6 +43,7 @@
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff -Nru firejail-0.9.64/etc/profile-a-l/gnome-photos.profile firejail-0.9.64.4/etc/profile-a-l/gnome-photos.profile
--- firejail-0.9.64/etc/profile-a-l/gnome-photos.profile 2020-10-06 12:50:41.000000000 +0000
+++ firejail-0.9.64.4/etc/profile-a-l/gnome-photos.profile 2021-02-04 15:29:49.000000000 +0000
@@ -33,6 +33,7 @@
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff -Nru firejail-0.9.64/etc/profile-a-l/gnome-screenshot.profile firejail-0.9.64.4/etc/profile-a-l/gnome-screenshot.profile
--- firejail-0.9.64/etc/profile-a-l/gnome-screenshot.profile 2020-10-06 12:50:41.000000000 +0000
+++ firejail-0.9.64.4/etc/profile-a-l/gnome-screenshot.profile 2021-02-04 15:29:49.000000000 +0000
@@ -35,6 +35,7 @@
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff -Nru firejail-0.9.64/etc/profile-a-l/gnome-sound-recorder.profile firejail-0.9.64.4/etc/profile-a-l/gnome-sound-recorder.profile
--- firejail-0.9.64/etc/profile-a-l/gnome-sound-recorder.profile 2020-10-06 12:50:41.000000000 +0000
+++ firejail-0.9.64.4/etc/profile-a-l/gnome-sound-recorder.profile 2021-02-04 15:29:49.000000000 +0000
@@ -33,6 +33,7 @@
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff -Nru firejail-0.9.64/etc/profile-a-l/gnome-system-log.profile firejail-0.9.64.4/etc/profile-a-l/gnome-system-log.profile
--- firejail-0.9.64/etc/profile-a-l/gnome-system-log.profile 2020-10-06 12:50:41.000000000 +0000
+++ firejail-0.9.64.4/etc/profile-a-l/gnome-system-log.profile 2021-02-04 15:29:49.000000000 +0000
@@ -53,7 +53,6 @@ # dbus-system none memory-deny-write-execute - -# comment this if you export logs to a file in your ${HOME} +# Comment the line below if you export logs to a file in your ${HOME} # or put 'ignore read-only ${HOME}' in your gnome-system-log.local read-only ${HOME} diff -Nru firejail-0.9.64/etc/profile-a-l/gnome-todo.profile firejail-0.9.64.4/etc/profile-a-l/gnome-todo.profile --- firejail-0.9.64/etc/profile-a-l/gnome-todo.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/gnome-todo.profile 2021-02-04 15:29:49.000000000 +0000 @@ -53,8 +53,8 @@ dbus-user.own org.gnome.Todo dbus-user.talk ca.desrt.dconf #dbus-user.talk org.gnome.evolution.dataserver.AddressBook9 -#dbus-user.talk org.gnome.evolution.dataserver.Calendar8 -#dbus-user.talk org.gnome.evolution.dataserver.Sources5 +dbus-user.talk org.gnome.evolution.dataserver.Calendar8 +dbus-user.talk org.gnome.evolution.dataserver.Sources5 #dbus-user.talk org.gnome.evolution.dataserver.Subprocess.Backend.* #dbus-user.talk org.gnome.OnlineAccounts dbus-system none diff -Nru firejail-0.9.64/etc/profile-a-l/gnome-weather.profile firejail-0.9.64.4/etc/profile-a-l/gnome-weather.profile --- firejail-0.9.64/etc/profile-a-l/gnome-weather.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/gnome-weather.profile 2021-02-04 15:29:49.000000000 +0000 @@ -37,6 +37,7 @@ novideo protocol unix,inet,inet6 seccomp +seccomp.block-secondary shell none tracelog diff -Nru firejail-0.9.64/etc/profile-a-l/godot.profile firejail-0.9.64.4/etc/profile-a-l/godot.profile --- firejail-0.9.64/etc/profile-a-l/godot.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/godot.profile 2021-02-04 15:29:49.000000000 +0000 
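Review bot: In the gnome-todo hunk the two `dbus-user.talk org.gnome.evolution.dataserver.Calendar8` / `Sources5` rules are enabled without a comment saying which feature needs them, while the neighbouring AddressBook9 and Subprocess.Backend lines stay commented out. As far as I recall, `Sources5` is the evolution-data-server sources registry, which exposes account and source configuration rather than calendar data alone, so it is the broader of the two grants and worth a word. Suggest `# Needed to list and sync calendars through evolution-data-server` above the two lines so the scope reads as intentional.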
@@ -38,7 +38,7 @@ # private-bin godot private-cache private-dev -private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,machine-id,nsswitch.conf,openal,pki,pulse,resolv.conf,ssl +private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,machine-id,mono,nsswitch.conf,openal,pki,pulse,resolv.conf,ssl private-tmp dbus-user none diff -Nru firejail-0.9.64/etc/profile-a-l/google-chrome-beta.profile firejail-0.9.64.4/etc/profile-a-l/google-chrome-beta.profile --- firejail-0.9.64/etc/profile-a-l/google-chrome-beta.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/google-chrome-beta.profile 2021-02-04 15:29:49.000000000 +0000 @@ -5,6 +5,11 @@ # Persistent global definitions include globals.local +# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565 +ignore whitelist /usr/share/chromium +ignore include whitelist-runuser-common.inc +ignore include whitelist-usr-share-common.inc + noblacklist ${HOME}/.cache/google-chrome-beta noblacklist ${HOME}/.config/google-chrome-beta diff -Nru firejail-0.9.64/etc/profile-a-l/google-chrome.profile firejail-0.9.64.4/etc/profile-a-l/google-chrome.profile --- firejail-0.9.64/etc/profile-a-l/google-chrome.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/google-chrome.profile 2021-02-04 15:29:49.000000000 +0000 
@@ -5,6 +5,11 @@ # Persistent global definitions include globals.local +# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565 +ignore whitelist /usr/share/chromium +ignore include whitelist-runuser-common.inc +ignore include whitelist-usr-share-common.inc + noblacklist ${HOME}/.cache/google-chrome noblacklist ${HOME}/.config/google-chrome diff -Nru firejail-0.9.64/etc/profile-a-l/google-chrome-stable.profile firejail-0.9.64.4/etc/profile-a-l/google-chrome-stable.profile --- firejail-0.9.64/etc/profile-a-l/google-chrome-stable.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/google-chrome-stable.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,5 +1,8 @@ # Firejail profile alias for google-chrome # This file is overwritten after every install/update +# Persistent local customizations +include google-chrome-stable.local + # Redirect include google-chrome.profile diff -Nru firejail-0.9.64/etc/profile-a-l/google-chrome-unstable.profile firejail-0.9.64.4/etc/profile-a-l/google-chrome-unstable.profile --- firejail-0.9.64/etc/profile-a-l/google-chrome-unstable.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/google-chrome-unstable.profile 2021-02-04 15:29:49.000000000 +0000 @@ -5,6 +5,11 @@ # Persistent global definitions include globals.local +# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565 +ignore whitelist /usr/share/chromium +ignore include whitelist-runuser-common.inc +ignore include whitelist-usr-share-common.inc + noblacklist ${HOME}/.cache/google-chrome-unstable noblacklist ${HOME}/.config/google-chrome-unstable diff -Nru firejail-0.9.64/etc/profile-a-l/google-earth.profile firejail-0.9.64.4/etc/profile-a-l/google-earth.profile --- firejail-0.9.64/etc/profile-a-l/google-earth.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/google-earth.profile 2021-02-04 15:29:49.000000000 +0000 
@@ -6,10 +6,7 @@ include globals.local noblacklist ${HOME}/.config/Google -noblacklist ${HOME}/.googleearth/Cache -noblacklist ${HOME}/.googleearth/Temp -noblacklist ${HOME}/.googleearth/myplaces.backup.kml -noblacklist ${HOME}/.googleearth/myplaces.kml +noblacklist ${HOME}/.googleearth include disable-common.inc include disable-devel.inc @@ -19,15 +16,9 @@ include disable-programs.inc mkdir ${HOME}/.config/Google -mkdir ${HOME}/.googleearth/Cache -mkdir ${HOME}/.googleearth/Temp -mkfile ${HOME}/.googleearth/myplaces.backup.kml -mkfile ${HOME}/.googleearth/myplaces.kml +mkdir ${HOME}/.googleearth whitelist ${HOME}/.config/Google -whitelist ${HOME}/.googleearth/Cache -whitelist ${HOME}/.googleearth/Temp -whitelist ${HOME}/.googleearth/myplaces.backup.kml -whitelist ${HOME}/.googleearth/myplaces.kml +whitelist ${HOME}/.googleearth include whitelist-common.inc caps.drop all diff -Nru firejail-0.9.64/etc/profile-a-l/google-earth-pro.profile firejail-0.9.64.4/etc/profile-a-l/google-earth-pro.profile --- firejail-0.9.64/etc/profile-a-l/google-earth-pro.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/google-earth-pro.profile 2021-02-04 15:29:49.000000000 +0000 
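Review bot: Collapsing the four `.googleearth` entries into `noblacklist`/`mkdir`/`whitelist ${HOME}/.googleearth` makes the whole directory readable and writable from the sandbox, where before only Cache, Temp and the two myplaces files were. That is probably what the application needs (the old `mkfile` lines suggest it kept tripping over missing files), but the reason belongs in the profile, e.g. `# Google Earth writes more than Cache/Temp/myplaces here, so the whole directory is whitelisted`. Dropping the `mkfile` lines also means the two kml files are no longer pre-created; if the app still expects them, that is a behaviour change worth a test on a fresh profile.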
@@ -1,7 +1,14 @@
-# Firejail profile alias for google-earth
+# Firejail profile for google-earth-pro
 # This file is overwritten after every install/update
+# Persistent local customizations
+include google-earth-pro.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
 
-private-bin google-earth-pro
+# If you see errors about missing commands, uncomment the below or put 'ignore private-bin' into your google-earth-pro.local
+#ignore private-bin
+private-bin google-earth-pro,googleearth,googleearth-bin,gpsbabel,readlink,repair_tool,which,xdg-mime,xdg-settings
 
 # Redirect
 include google-earth.profile
diff -Nru firejail-0.9.64/etc/profile-a-l/gtar.profile firejail-0.9.64.4/etc/profile-a-l/gtar.profile
--- firejail-0.9.64/etc/profile-a-l/gtar.profile 2020-10-06 12:50:41.000000000 +0000
+++ firejail-0.9.64.4/etc/profile-a-l/gtar.profile 2021-02-04 15:29:49.000000000 +0000
@@ -1,5 +1,8 @@
 # Firejail profile alias for tar
 # This file is overwritten after every install/update
+# Persistent local customizations
+include gtar.local
+
 
 # Redirect
 include tar.profile
diff -Nru firejail-0.9.64/etc/profile-a-l/gtk2-youtube-viewer firejail-0.9.64.4/etc/profile-a-l/gtk2-youtube-viewer
--- firejail-0.9.64/etc/profile-a-l/gtk2-youtube-viewer 2020-10-06 12:50:41.000000000 +0000
+++ firejail-0.9.64.4/etc/profile-a-l/gtk2-youtube-viewer 1970-01-01 00:00:00.000000000 +0000
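Review bot: The new `private-bin` line lists `xdg-mime` and `xdg-settings`, which on most distributions are shell scripts, yet no `sh`/`bash` appears in the list, so inside the private bin they cannot run unless google-earth.profile (included below, not visible here) supplies an interpreter; confirm that before shipping, or the `#ignore private-bin` hint becomes the first thing every user hits. `which` in the same list has the same dependency when it is a script. The `# If you see errors about missing commands …` comment is well over 100 characters; wrap it onto two lines like the other long comments in this directory.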
@@ -1,18 +0,0 @@
-# Firejail profile for gtk2-youtube-viewer
-# Description: Gtk front-end to youtube-viewer
-# This file is overwritten after every install/update
-# Persistent local customizations
-include gtk2-youtube-viewer.local
-# Persistent global definitions
-# include globals.local
-
-ignore quiet
-
-noblacklist /tmp/.X11-unix
-noblacklist ${RUNUSER}/wayland-*
-noblacklist ${RUNUSER}
-
-include whitelist-runuser-common.inc
-
-# Redirect
-include youtube-viewer.profile
\ No newline at end of file
diff -Nru firejail-0.9.64/etc/profile-a-l/gtk2-youtube-viewer.profile firejail-0.9.64.4/etc/profile-a-l/gtk2-youtube-viewer.profile
--- firejail-0.9.64/etc/profile-a-l/gtk2-youtube-viewer.profile 1970-01-01 00:00:00.000000000 +0000
+++ firejail-0.9.64.4/etc/profile-a-l/gtk2-youtube-viewer.profile 2021-02-04 15:29:49.000000000 +0000
@@ -0,0 +1,17 @@
+# Firejail profile for gtk2-youtube-viewer
+# Description: Gtk front-end to youtube-viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gtk2-youtube-viewer.local
+# added by included profile
+#include globals.local
+
+ignore quiet
+
+noblacklist /tmp/.X11-unix
+noblacklist ${RUNUSER}
+
+include whitelist-runuser-common.inc
+
+# Redirect
+include youtube-viewer.profile
diff -Nru firejail-0.9.64/etc/profile-a-l/gtk3-youtube-viewer firejail-0.9.64.4/etc/profile-a-l/gtk3-youtube-viewer
--- firejail-0.9.64/etc/profile-a-l/gtk3-youtube-viewer 2020-10-06 12:50:41.000000000 +0000
+++ firejail-0.9.64.4/etc/profile-a-l/gtk3-youtube-viewer 1970-01-01 00:00:00.000000000 +0000
@@ -1,18 +0,0 @@
-# Firejail profile for gtk3-youtube-viewer
-# Description: Gtk front-end to youtube-viewer
-# This file is overwritten after every install/update
-# Persistent local customizations
-include gtk3-youtube-viewer.local
-# Persistent global definitions
-# include globals.local
-
-ignore quiet
-
-noblacklist /tmp/.X11-unix
-noblacklist ${RUNUSER}/wayland-*
-noblacklist ${RUNUSER}
-
-include whitelist-runuser-common.inc
-
-# Redirect
-include youtube-viewer.profile
\ No newline at end of file
diff -Nru firejail-0.9.64/etc/profile-a-l/gtk3-youtube-viewer.profile firejail-0.9.64.4/etc/profile-a-l/gtk3-youtube-viewer.profile
--- firejail-0.9.64/etc/profile-a-l/gtk3-youtube-viewer.profile 1970-01-01 00:00:00.000000000 +0000
+++ firejail-0.9.64.4/etc/profile-a-l/gtk3-youtube-viewer.profile 2021-02-04 15:29:49.000000000 +0000
@@ -0,0 +1,17 @@
+# Firejail profile for gtk3-youtube-viewer
+# Description: Gtk front-end to youtube-viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gtk3-youtube-viewer.local
+# added by included profile
+#include globals.local
+
+ignore quiet
+
+noblacklist /tmp/.X11-unix
+noblacklist ${RUNUSER}
+
+include whitelist-runuser-common.inc
+
+# Redirect
+include youtube-viewer.profile
diff -Nru firejail-0.9.64/etc/profile-a-l/gtk-straw-viewer.profile firejail-0.9.64.4/etc/profile-a-l/gtk-straw-viewer.profile
--- firejail-0.9.64/etc/profile-a-l/gtk-straw-viewer.profile 1970-01-01 00:00:00.000000000 +0000
+++ firejail-0.9.64.4/etc/profile-a-l/gtk-straw-viewer.profile 2021-02-04 15:29:49.000000000 +0000
@@ -0,0 +1,14 @@
+# Firejail profile for gtk-straw-viewer
+# Description: Gtk front-end to straw-viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gtk-straw-viewer.local
+# added by included profile
+#include globals.local
+
+ignore quiet
+
+include whitelist-runuser-common.inc
+
+# Redirect
+include straw-viewer.profile
diff -Nru firejail-0.9.64/etc/profile-a-l/gtk-youtube-viewer firejail-0.9.64.4/etc/profile-a-l/gtk-youtube-viewer
--- firejail-0.9.64/etc/profile-a-l/gtk-youtube-viewer 2020-10-06 12:50:41.000000000 +0000
+++ firejail-0.9.64.4/etc/profile-a-l/gtk-youtube-viewer 1970-01-01 00:00:00.000000000 +0000
@@ -1,18 +0,0 @@
-# Firejail profile for gtk-youtube-viewer
-# Description: Gtk front-end to youtube-viewer
-# This file is overwritten after every install/update
-# Persistent local customizations
-include gtk-youtube-viewer.local
-# Persistent global definitions
-# include globals.local
-
-ignore quiet
-
-noblacklist /tmp/.X11-unix
-noblacklist ${RUNUSER}/wayland-*
-noblacklist ${RUNUSER}
-
-include whitelist-runuser-common.inc
-
-# Redirect
-include youtube-viewer.profile
\ No newline at end of file
diff -Nru firejail-0.9.64/etc/profile-a-l/gtk-youtube-viewer.profile firejail-0.9.64.4/etc/profile-a-l/gtk-youtube-viewer.profile
--- firejail-0.9.64/etc/profile-a-l/gtk-youtube-viewer.profile 1970-01-01 00:00:00.000000000 +0000
+++ firejail-0.9.64.4/etc/profile-a-l/gtk-youtube-viewer.profile 2021-02-04 15:29:49.000000000 +0000
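Review bot: gtk-straw-viewer.profile (and gtk-youtube-viewer.profile in the next section) carries only `ignore quiet` and `include whitelist-runuser-common.inc`, whereas the sibling gtk2-/gtk3-youtube-viewer.profile files written by the same commit also keep `noblacklist /tmp/.X11-unix` and `noblacklist ${RUNUSER}`. If the GTK front-ends need the X11 socket and the runtime directory, the two shorter profiles are missing it; if they do not, the two longer ones are wider than necessary — either way a one-line comment stating why the sets differ would keep the next contributor from "fixing" one to match the other. The move from extension-less files to `.profile` also drops `noblacklist ${RUNUSER}/wayland-*`, consistent with the other wayland removals in this release.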
@@ -0,0 +1,14 @@
+# Firejail profile for gtk-youtube-viewer
+# Description: Gtk front-end to youtube-viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gtk-youtube-viewer.local
+# added by included profile
+#include globals.local
+
+ignore quiet
+
+include whitelist-runuser-common.inc
+
+# Redirect
+include youtube-viewer.profile
diff -Nru firejail-0.9.64/etc/profile-a-l/gucharmap.profile firejail-0.9.64.4/etc/profile-a-l/gucharmap.profile
--- firejail-0.9.64/etc/profile-a-l/gucharmap.profile 2020-10-06 12:50:41.000000000 +0000
+++ firejail-0.9.64.4/etc/profile-a-l/gucharmap.profile 2021-02-04 15:29:49.000000000 +0000
@@ -35,6 +35,7 @@
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff -Nru firejail-0.9.64/etc/profile-a-l/guvcview.profile firejail-0.9.64.4/etc/profile-a-l/guvcview.profile
--- firejail-0.9.64/etc/profile-a-l/guvcview.profile 1970-01-01 00:00:00.000000000 +0000
+++ firejail-0.9.64.4/etc/profile-a-l/guvcview.profile 2021-02-04 15:29:49.000000000 +0000
@@ -0,0 +1,55 @@
+# Firejail profile for guvcview
+# Description: GTK+ base UVC Viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include guvcview.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/guvcview2
+
+noblacklist ${PICTURES}
+noblacklist ${VIDEOS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/guvcview2
+whitelist ${HOME}/.config/guvcview2
+whitelist ${PICTURES}
+whitelist ${VIDEOS}
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,netlink
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin guvcview
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,bumblebee,dconf,drirc,fonts,glvnd,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nvidia,pango,pulse,X11
+private-tmp
+
+dbus-user none
+dbus-system none
diff -Nru firejail-0.9.64/etc/profile-a-l/gzip.profile firejail-0.9.64.4/etc/profile-a-l/gzip.profile
--- firejail-0.9.64/etc/profile-a-l/gzip.profile 2020-10-06 12:50:41.000000000 +0000
+++ firejail-0.9.64.4/etc/profile-a-l/gzip.profile 2021-02-04 15:29:49.000000000 +0000
@@ -7,43 +7,7 @@ # Persistent global definitions include globals.local -blacklist ${RUNUSER}/wayland-* - # Arch Linux (based distributions) need access to /var/lib/pacman. As we drop all capabilities this is automatically read-only. noblacklist /var/lib/pacman -include disable-common.inc -include disable-devel.inc -include disable-exec.inc -include disable-interpreters.inc -include disable-passwdmgr.inc -include disable-programs.inc - -apparmor -caps.drop all -hostname gzip -ipc-namespace -machine-id -net none -no3d -nodvd -nogroups -nonewprivs -#noroot -nosound -notv -nou2f -novideo -protocol unix -seccomp -shell none -tracelog -x11 none - -private-cache -private-dev - -dbus-user none -dbus-system none - -memory-deny-write-execute +include archiver-common.inc diff -Nru firejail-0.9.64/etc/profile-a-l/handbrake-gtk.profile firejail-0.9.64.4/etc/profile-a-l/handbrake-gtk.profile --- firejail-0.9.64/etc/profile-a-l/handbrake-gtk.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/handbrake-gtk.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,5 +1,8 @@ # Firejail profile alias for handbrake # This file is overwritten after every install/update +# Persistent local customizations +include handbrake-gtk.local + # Redirect include handbrake.profile diff -Nru firejail-0.9.64/etc/profile-a-l/highlight.profile firejail-0.9.64.4/etc/profile-a-l/highlight.profile --- firejail-0.9.64/etc/profile-a-l/highlight.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/highlight.profile 2021-02-04 15:29:49.000000000 +0000 
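Review bot: The old gzip profile deliberately kept `#noroot` commented out and set `hostname gzip`, `ipc-namespace`, `machine-id` and `x11 none`; all of that is now delegated to `include archiver-common.inc`, which is not visible here, so whether those choices (the disabled `noroot` in particular) survive cannot be checked from this hunk. If the old behaviour was intentional, say so next to the include, e.g. `# hardening now comes from archiver-common.inc; noroot was off in the old profile, re-check`, or add an explicit `ignore noroot` here. The removed `blacklist ${RUNUSER}/wayland-*` matches the highlight.profile change below and needs no comment.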
@@ -6,7 +6,6 @@ # Persistent global definitions include globals.local -blacklist ${RUNUSER}/wayland-* blacklist ${RUNUSER} include disable-common.inc diff -Nru firejail-0.9.64/etc/profile-a-l/homebank.profile firejail-0.9.64.4/etc/profile-a-l/homebank.profile --- firejail-0.9.64/etc/profile-a-l/homebank.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/homebank.profile 2021-02-04 15:29:49.000000000 +0000 @@ -10,7 +10,7 @@ include disable-common.inc include disable-devel.inc -include disable-exec.inc +include disable-exec.inc include disable-interpreters.inc include disable-programs.inc include disable-passwdmgr.inc diff -Nru firejail-0.9.64/etc/profile-a-l/i3.profile firejail-0.9.64.4/etc/profile-a-l/i3.profile --- firejail-0.9.64/etc/profile-a-l/i3.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/i3.profile 2021-02-04 15:29:49.000000000 +0000 @@ -6,7 +6,7 @@ # Persistent global definitions include globals.local -# all applications started in awesome will run in this profile +# all applications started in i3 will run in this profile noblacklist ${HOME}/.config/i3 include disable-common.inc diff -Nru firejail-0.9.64/etc/profile-a-l/inox.profile firejail-0.9.64.4/etc/profile-a-l/inox.profile --- firejail-0.9.64/etc/profile-a-l/inox.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/inox.profile 2021-02-04 15:29:49.000000000 +0000 
@@ -5,6 +5,11 @@ # Persistent global definitions include globals.local +# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565 +ignore whitelist /usr/share/chromium +ignore include whitelist-runuser-common.inc +ignore include whitelist-usr-share-common.inc + noblacklist ${HOME}/.cache/inox noblacklist ${HOME}/.config/inox diff -Nru firejail-0.9.64/etc/profile-a-l/iridium-browser.profile firejail-0.9.64.4/etc/profile-a-l/iridium-browser.profile --- firejail-0.9.64/etc/profile-a-l/iridium-browser.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/iridium-browser.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,5 +1,8 @@ # Firejail profile alias for iridium # This file is overwritten after every install/update +# Persistent local customizations +include iridium-browser.local + # Redirect include iridium.profile diff -Nru firejail-0.9.64/etc/profile-a-l/iridium.profile firejail-0.9.64.4/etc/profile-a-l/iridium.profile --- firejail-0.9.64/etc/profile-a-l/iridium.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/iridium.profile 2021-02-04 15:29:49.000000000 +0000 @@ -5,6 +5,11 @@ # Persistent global definitions include globals.local +# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565 +ignore whitelist /usr/share/chromium +ignore include whitelist-runuser-common.inc +ignore include whitelist-usr-share-common.inc + noblacklist ${HOME}/.cache/iridium noblacklist ${HOME}/.config/iridium diff -Nru firejail-0.9.64/etc/profile-a-l/jitsi-meet-desktop.profile firejail-0.9.64.4/etc/profile-a-l/jitsi-meet-desktop.profile --- firejail-0.9.64/etc/profile-a-l/jitsi-meet-desktop.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/jitsi-meet-desktop.profile 2021-02-04 15:29:49.000000000 +0000 
@@ -6,34 +6,22 @@ # Persistent global definitions include globals.local +# Disabled until someone reported positive feedback +ignore nou2f +ignore novideo +ignore shell none + ignore noexec /tmp noblacklist ${HOME}/.config/Jitsi Meet -include disable-devel.inc -include disable-exec.inc -include disable-interpreters.inc -include disable-xdg.inc - nowhitelist ${DOWNLOADS} mkdir ${HOME}/.config/Jitsi Meet - whitelist ${HOME}/.config/Jitsi Meet -include whitelist-common.inc -include whitelist-usr-share-common.inc -include whitelist-runuser-common.inc -include whitelist-var-common.inc - -seccomp !chroot - -disable-mnt private-bin bash,jitsi-meet-desktop -private-cache -private-dev private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,drirc,fonts,glvnd,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,nvidia,pango,passwd,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg -private-tmp # Redirect include electron.profile diff -Nru firejail-0.9.64/etc/profile-a-l/kalgebramobile.profile firejail-0.9.64.4/etc/profile-a-l/kalgebramobile.profile --- firejail-0.9.64/etc/profile-a-l/kalgebramobile.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/kalgebramobile.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,5 +1,8 @@ # Firejail profile for kalgebramobile # This file is overwritten after every install/update +# Persistent local customizations +include kalgebramobile.local + # Redirect include kalgebra.profile diff -Nru firejail-0.9.64/etc/profile-a-l/karbon.profile firejail-0.9.64.4/etc/profile-a-l/karbon.profile --- firejail-0.9.64/etc/profile-a-l/karbon.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/karbon.profile 2021-02-04 15:29:49.000000000 +0000 
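Review bot: `ignore shell none` together with the retained `private-bin bash,jitsi-meet-desktop` deliberately keeps a shell inside the sandbox, but the hunk gives no reason — `# Disabled until someone reported positive feedback` covers `nou2f` and `novideo` as well, which have nothing to do with the shell. If bash is required because the entry point is a wrapper script, state that: `# jitsi-meet-desktop starts through a bash wrapper, so shell none cannot be used yet` and keep the u2f/video ignores under their own comment. The removed `seccomp !chroot`, `disable-mnt`, `private-cache`, `private-dev` and `private-tmp` are presumably provided by electron.profile, which cannot be seen from here.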
@@ -1,6 +1,9 @@ # Firejail profile alias for krita # This file is overwritten after every install/update +# Persistent local customizations +include karbon.local + noblacklist ${HOME}/.local/share/kxmlgui5/karbon # Redirect diff -Nru firejail-0.9.64/etc/profile-a-l/kazam.profile firejail-0.9.64.4/etc/profile-a-l/kazam.profile --- firejail-0.9.64/etc/profile-a-l/kazam.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/kazam.profile 2021-02-04 15:29:49.000000000 +0000 @@ -12,12 +12,12 @@ noblacklist ${VIDEOS} noblacklist ${HOME}/.config/kazam -include allow-python2.inc -include allow-python3.inc +include allow-python2.inc +include allow-python3.inc include disable-common.inc include disable-devel.inc -include disable-exec.inc +include disable-exec.inc include disable-interpreters.inc include disable-programs.inc include disable-passwdmgr.inc @@ -25,7 +25,7 @@ include disable-xdg.inc whitelist /usr/share/kazam -include whitelist-runuser-common.inc +include whitelist-runuser-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc diff -Nru firejail-0.9.64/etc/profile-a-l/kdiff3.profile firejail-0.9.64.4/etc/profile-a-l/kdiff3.profile --- firejail-0.9.64/etc/profile-a-l/kdiff3.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/kdiff3.profile 2021-02-04 15:29:49.000000000 +0000 
@@ -0,0 +1,52 @@
+# Firejail profile for kdiff3
+# Description: KDiff3 is a file and folder diff and merge tool.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kdiff3.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/kdiff3fileitemactionrc
+noblacklist ${HOME}/.config/kdiff3rc
+
+# Uncomment the next line (or put it into your kdiff3.local) if you don't need to compare files in disable-common.inc.
+#include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+# Uncomment the next line (or put it into your kdiff3.local) if you don't need to compare files in disable-programs.inc.
+#include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+include whitelist-runuser-common.inc
+# Uncomment the next lines (or put it into your kdiff3.local) if you don't need to compare files in /usr/share.
+#include whitelist-usr-share-common.inc
+# Uncomment the next line (or put it into your kdiff3.local) if you don't need to compare files in /var.
+#include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin kdiff3
+private-cache
+private-dev
+
+dbus-user none
+dbus-system none
diff -Nru firejail-0.9.64/etc/profile-a-l/keepass2.profile firejail-0.9.64.4/etc/profile-a-l/keepass2.profile
--- firejail-0.9.64/etc/profile-a-l/keepass2.profile 2020-10-06 12:50:41.000000000 +0000
+++ firejail-0.9.64.4/etc/profile-a-l/keepass2.profile 2021-02-04 15:29:49.000000000 +0000
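Review bot: Shipping kdiff3.profile with `#include disable-common.inc` and `#include disable-programs.inc` commented out means the default sandbox can read and write everything under ${HOME} that those two includes would otherwise blacklist; that is a defensible choice for a diff tool, but the four comments only say "if you don't need to compare files in …" and never state the cost. One comment above the include block would do: `# disable-common.inc and disable-programs.inc are off by default so dotfiles can be compared; enable them in kdiff3.local when you don't need that, otherwise the whole home stays accessible`. Also `# Uncomment the next lines (or put it into your kdiff3.local)` should read `next line`, matching the other three.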
@@ -1,5 +1,8 @@
 # Firejail profile alias for keepass
 # This file is overwritten after every install/update
+# Persistent local customizations
+include keepass2.local
+
 
 # Redirect
 include keepass.profile
diff -Nru firejail-0.9.64/etc/profile-a-l/keepassx2.profile firejail-0.9.64.4/etc/profile-a-l/keepassx2.profile
--- firejail-0.9.64/etc/profile-a-l/keepassx2.profile 2020-10-06 12:50:41.000000000 +0000
+++ firejail-0.9.64.4/etc/profile-a-l/keepassx2.profile 2021-02-04 15:29:49.000000000 +0000
@@ -2,5 +2,8 @@
 # Description: Cross platform password manager
 # This file is overwritten after every install/update
+# Persistent local customizations
+include keepassx2.local
+
 
 # Redirects
 include keepassx.profile
diff -Nru firejail-0.9.64/etc/profile-a-l/keepassxc.profile firejail-0.9.64.4/etc/profile-a-l/keepassxc.profile
--- firejail-0.9.64/etc/profile-a-l/keepassxc.profile 2020-10-06 12:50:41.000000000 +0000
+++ firejail-0.9.64.4/etc/profile-a-l/keepassxc.profile 2021-02-04 15:29:49.000000000 +0000
@@ -54,7 +54,8 @@
 nou2f
 novideo
 protocol unix,netlink
-seccomp
+seccomp !name_to_handle_at
+seccomp.block-secondary
 shell none
 tracelog
 
@@ -74,7 +75,9 @@
 dbus-user.talk org.gnome.SessionManager.Presence
 # Uncomment or add to your keepassxc.local to allow Notifications.
 #dbus-user.talk org.freedesktop.Notifications
+# Uncomment or add to your keepassxc.local to allow Tray.
 #dbus-user.talk org.kde.StatusNotifierWatcher
+#dbus-user.own org.kde.*
 dbus-system none
 
 # Mutex is stored in /tmp by default, which is broken by private-tmp
diff -Nru firejail-0.9.64/etc/profile-a-l/klatexformula_cmdl.profile firejail-0.9.64.4/etc/profile-a-l/klatexformula_cmdl.profile
--- firejail-0.9.64/etc/profile-a-l/klatexformula_cmdl.profile 2020-10-06 12:50:41.000000000 +0000
+++ firejail-0.9.64.4/etc/profile-a-l/klatexformula_cmdl.profile 2021-02-04 15:29:49.000000000 +0000
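Review bot: In the keepassxc hunk, `seccomp !name_to_handle_at` removes a syscall from the default deny list without a comment, unlike every other exception in this file (the Notifications and Tray hints, the Mutex/private-tmp note), so a reader cannot tell which KeePassXC feature fails without it. Suggest `# name_to_handle_at is needed by <feature>, see <issue reference>` with the real values filled in. The commented `#dbus-user.own org.kde.*` is a wildcard own rule; if it exists only for the tray, the narrower `org.kde.StatusNotifierItem-*` names that the StatusNotifierItem convention prescribes would be the safer thing to offer users before they copy it into keepassxc.local — please confirm the name the client actually claims.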
@@ -1,5 +1,8 @@ # Firejail profile alias for klatexformula_cmdl # This file is overwritten after every install/update +# Persistent local customizations +include klatexformula_cmdl.local + # Redirect include klatexformula.profile diff -Nru firejail-0.9.64/etc/profile-a-l/kmail.profile firejail-0.9.64.4/etc/profile-a-l/kmail.profile --- firejail-0.9.64/etc/profile-a-l/kmail.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/kmail.profile 2021-02-04 15:29:49.000000000 +0000 @@ -9,6 +9,10 @@ # kmail has problems launching akonadi in debian and ubuntu. # one solution is to have akonadi already running when kmail is started +noblacklist ${HOME}/.gnupg +# noblacklist ${HOME}/.kde/ +# noblacklist ${HOME}/.kde4/ +noblacklist ${HOME}/.mozilla noblacklist ${HOME}/.cache/akonadi* noblacklist ${HOME}/.cache/kmail2 noblacklist ${HOME}/.config/akonadi* @@ -19,7 +23,6 @@ noblacklist ${HOME}/.config/kmailsearchindexingrc noblacklist ${HOME}/.config/mailtransports noblacklist ${HOME}/.config/specialmailcollectionsrc -noblacklist ${HOME}/.gnupg noblacklist ${HOME}/.local/share/akonadi* noblacklist ${HOME}/.local/share/apps/korganizer noblacklist ${HOME}/.local/share/contacts @@ -30,6 +33,8 @@ noblacklist ${HOME}/.local/share/local-mail noblacklist ${HOME}/.local/share/notes noblacklist /tmp/akonadi-* +noblacklist /var/mail +noblacklist /var/spool/mail include disable-common.inc include disable-devel.inc 
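Review bot: `noblacklist ${HOME}/.mozilla` in the kmail hunk ungates the entire Firefox profile tree (cookies, session store, saved logins) at the blocklist layer, while the rest of this change (in the next hunk, outside this one) whitelists only `${HOME}/.mozilla/firefox/profiles.ini` and marks it read-only. Since it is the whitelist that actually narrows the access, the two lines depend on each other, and that dependency is worth stating next to the noblacklist: `# only needed so ${HOME}/.mozilla/firefox/profiles.ini can be whitelisted read-only below; presumably disable-programs.inc blacklists the whole directory`. Without such a note a later edit that drops the whitelist would silently widen access to the whole directory.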
@@ -37,10 +42,73 @@ include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc +include disable-xdg.inc +mkdir ${HOME}/.gnupg +# mkdir ${HOME}/.kde/ +# mkdir ${HOME}/.kde4/ +mkdir ${HOME}/.cache/akonadi* +mkdir ${HOME}/.cache/kmail2 +mkdir ${HOME}/.config/akonadi* +mkdir ${HOME}/.config/baloorc +mkdir ${HOME}/.config/emaildefaults +mkdir ${HOME}/.config/emailidentities +mkdir ${HOME}/.config/kmail2rc +mkdir ${HOME}/.config/kmailsearchindexingrc +mkdir ${HOME}/.config/mailtransports +mkdir ${HOME}/.config/specialmailcollectionsrc +mkdir ${HOME}/.local/share/akonadi* +mkdir ${HOME}/.local/share/apps/korganizer +mkdir ${HOME}/.local/share/contacts +mkdir ${HOME}/.local/share/emailidentities +mkdir ${HOME}/.local/share/kmail2 +mkdir ${HOME}/.local/share/kxmlgui5/kmail +mkdir ${HOME}/.local/share/kxmlgui5/kmail2 +mkdir ${HOME}/.local/share/local-mail +mkdir ${HOME}/.local/share/notes +mkdir /tmp/akonadi-* +whitelist ${HOME}/.gnupg +# whitelist ${HOME}/.kde/ +# whitelist ${HOME}/.kde4/ +whitelist ${HOME}/.mozilla/firefox/profiles.ini +whitelist ${HOME}/.cache/akonadi* +whitelist ${HOME}/.cache/kmail2 +whitelist ${HOME}/.config/akonadi* +whitelist ${HOME}/.config/baloorc +whitelist ${HOME}/.config/emaildefaults +whitelist ${HOME}/.config/emailidentities +whitelist ${HOME}/.config/kmail2rc +whitelist ${HOME}/.config/kmailsearchindexingrc +whitelist ${HOME}/.config/mailtransports +whitelist ${HOME}/.config/specialmailcollectionsrc +whitelist ${HOME}/.local/share/akonadi* +whitelist ${HOME}/.local/share/apps/korganizer +whitelist ${HOME}/.local/share/contacts +whitelist ${HOME}/.local/share/emailidentities +whitelist ${HOME}/.local/share/kmail2 +whitelist ${HOME}/.local/share/kxmlgui5/kmail +whitelist ${HOME}/.local/share/kxmlgui5/kmail2 +whitelist ${HOME}/.local/share/local-mail +whitelist ${HOME}/.local/share/notes +whitelist ${DOWNLOADS} +whitelist ${DOCUMENTS} +whitelist ${RUNUSER}/gnupg +whitelist /tmp/akonadi-* +whitelist 
/usr/share/akonadi +whitelist /usr/share/gnupg +whitelist /usr/share/gnupg2 +whitelist /usr/share/kconf_update +whitelist /usr/share/kf5 +whitelist /usr/share/kservices5 +whitelist /usr/share/qlogging-categories5 +whitelist /var/mail +whitelist /var/spool/mail +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc include whitelist-var-common.inc -# apparmor +apparmor caps.drop all netfilter nodvd @@ -56,7 +124,14 @@ seccomp !chroot,!io_getevents,!io_setup,!io_submit,!ioprio_set # tracelog +private-cache private-dev +private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gcrypt,groups,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,mailname,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssl,xdg # private-tmp - interrupts connection to akonadi, breaks opening of email attachments -# writable-run-user is needed for signing and encrypting emails writable-run-user +writable-var + +# dbus-user none +dbus-system none + +read-only ${HOME}/.mozilla/firefox/profiles.ini \ No newline at end of file diff -Nru firejail-0.9.64/etc/profile-a-l/krunner.profile firejail-0.9.64.4/etc/profile-a-l/krunner.profile --- firejail-0.9.64/etc/profile-a-l/krunner.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/krunner.profile 2021-02-04 15:29:49.000000000 +0000 
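Review bot: The `mkdir` lines for `${HOME}/.config/baloorc`, `emaildefaults`, `emailidentities`, `kmail2rc`, `kmailsearchindexingrc`, `mailtransports` and `specialmailcollectionsrc` create directories, but as their names suggest these are KDE config files; on a first run inside the sandbox a directory would sit where KMail expects to write its rc file, so they should use `mkfile` (the file counterpart of mkdir, which linphone.profile in this same diff uses). The four `mkdir …akonadi*` lines pass a glob to mkdir; unless mkdir expands globs the way whitelist does (I do not believe it does), they create literal `akonadi*` directories and can be dropped, since akonadi creates its own directories. In `private-etc`, `groups` is not a standard file under /etc — `group` is almost certainly intended, and without it group-name lookups inside the sandbox fail. The hunk starts in the previous line and leaves the whole `${HOME}/.gnupg` keyring writable, which signing needs but which deserves a comment, since `whitelist ${RUNUSER}/gnupg` only covers the agent sockets.
```conf
# … unchanged: noblacklist / include lines …
mkdir ${HOME}/.cache/kmail2
mkfile ${HOME}/.config/baloorc
mkfile ${HOME}/.config/emaildefaults
mkfile ${HOME}/.config/emailidentities
mkfile ${HOME}/.config/kmail2rc
mkfile ${HOME}/.config/kmailsearchindexingrc
mkfile ${HOME}/.config/mailtransports
mkfile ${HOME}/.config/specialmailcollectionsrc
# … unchanged: remaining mkdir / whitelist lines …
private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gcrypt,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,mailname,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssl,xdg
```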
@@ -6,9 +6,9 @@ # Persistent global definitions include globals.local -# - programs started in krunner run with this generic profile. +# - programs started in krunner run with this generic profile # - when a file is opened in krunner, the file viewer runs in its own sandbox -# with its own profile, if it is sandboxed automatically. +# with its own profile, if it is sandboxed automatically # noblacklist ${HOME}/.cache/krunner # noblacklist ${HOME}/.cache/krunnerbookmarkrunnerfirefoxdbfile.sqlite* diff -Nru firejail-0.9.64/etc/profile-a-l/kube.profile firejail-0.9.64.4/etc/profile-a-l/kube.profile --- firejail-0.9.64/etc/profile-a-l/kube.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/kube.profile 2021-02-04 15:29:49.000000000 +0000 @@ -63,7 +63,7 @@ tracelog # disable-mnt -# Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg +# Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg # Add "ignore private-bin" for hyperlinks or have a look at the private-bins in firefox.profile and firefox-common.profile. private-bin kube,sink_synchronizer private-cache diff -Nru firejail-0.9.64/etc/profile-a-l/lbunzip2.profile firejail-0.9.64.4/etc/profile-a-l/lbunzip2.profile --- firejail-0.9.64/etc/profile-a-l/lbunzip2.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/lbunzip2.profile 2021-02-04 15:29:49.000000000 +0000 
@@ -2,5 +2,8 @@ # Description: GNU compression utilities # This file is overwritten after every install/update +# Persistent local customizations +include lbunzip2.local + # Redirect include gzip.profile diff -Nru firejail-0.9.64/etc/profile-a-l/lbzcat.profile firejail-0.9.64.4/etc/profile-a-l/lbzcat.profile --- firejail-0.9.64/etc/profile-a-l/lbzcat.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/lbzcat.profile 2021-02-04 15:29:49.000000000 +0000 @@ -2,5 +2,8 @@ # Description: GNU compression utilities # This file is overwritten after every install/update +# Persistent local customizations +include lbzcat.local + # Redirect include gzip.profile diff -Nru firejail-0.9.64/etc/profile-a-l/lbzip2.profile firejail-0.9.64.4/etc/profile-a-l/lbzip2.profile --- firejail-0.9.64/etc/profile-a-l/lbzip2.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/lbzip2.profile 2021-02-04 15:29:49.000000000 +0000 @@ -2,5 +2,8 @@ # Description: GNU compression utilities # This file is overwritten after every install/update +# Persistent local customizations +include lbzip2.local + # Redirect include gzip.profile diff -Nru firejail-0.9.64/etc/profile-a-l/less.profile firejail-0.9.64.4/etc/profile-a-l/less.profile --- firejail-0.9.64/etc/profile-a-l/less.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/less.profile 2021-02-04 15:29:49.000000000 +0000 @@ -7,7 +7,6 @@ # Persistent global definitions include globals.local -blacklist ${RUNUSER}/wayland-* blacklist ${RUNUSER} noblacklist ${HOME}/.lesshst diff -Nru firejail-0.9.64/etc/profile-a-l/libreoffice.profile firejail-0.9.64.4/etc/profile-a-l/libreoffice.profile --- firejail-0.9.64/etc/profile-a-l/libreoffice.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/libreoffice.profile 2021-02-04 15:29:49.000000000 +0000 
@@ -43,6 +43,8 @@ # comment tracelog when using the ubuntu 18.04/debian 10 apparmor profile tracelog +#private-bin libreoffice,sh,uname,dirname,grep,sed,basename,ls +private-cache private-dev private-tmp diff -Nru firejail-0.9.64/etc/profile-a-l/librewolf.profile firejail-0.9.64.4/etc/profile-a-l/librewolf.profile --- firejail-0.9.64/etc/profile-a-l/librewolf.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/librewolf.profile 2021-02-04 15:29:49.000000000 +0000 @@ -0,0 +1,28 @@ +# Firejail profile for Librewolf +# Description: Firefox fork based on privacy +# This file is overwritten after every install/update +# Persistent local customizations +include librewolf.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.cache/librewolf +noblacklist ${HOME}/.librewolf + +mkdir ${HOME}/.cache/librewolf +mkdir ${HOME}/.librewolf +whitelist ${HOME}/.cache/librewolf +whitelist ${HOME}/.librewolf + +# Uncomment (or add to librewolf.local) the following lines if you want to +# use the migration wizard. +#noblacklist ${HOME}/.mozilla +#whitelist ${HOME}/.mozilla + +# librewolf requires a shell to launch on Arch. We can possibly remove sh though. +#private-bin bash,dbus-launch,dbus-send,env,librewolf,python*,sh,which +# private-etc must first be enabled in firefox-common.profile +#private-etc librewolf + +# Redirect +include firefox-common.profile diff -Nru firejail-0.9.64/etc/profile-a-l/liferea.profile firejail-0.9.64.4/etc/profile-a-l/liferea.profile --- firejail-0.9.64/etc/profile-a-l/liferea.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/liferea.profile 2021-02-04 15:29:49.000000000 +0000 @@ -42,7 +42,7 @@ # nosound notv nou2f -# novideo +novideo protocol unix,inet,inet6 seccomp shell none 
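Review bot: The commented migration-wizard lines `#noblacklist ${HOME}/.mozilla` / `#whitelist ${HOME}/.mozilla` in the new librewolf profile would give Librewolf read-write access to the entire Firefox profile tree (cookies, logins, session store) once uncommented, although an import only needs to read it. Adding `#read-only ${HOME}/.mozilla` to that block keeps the migration one-way, so a compromised Librewolf cannot tamper with the Firefox profile while the wizard is enabled; the comment should mention it as part of the set to uncomment.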
@@ -51,3 +51,12 @@ disable-mnt private-dev private-tmp + +dbus-user filter +dbus-user.own net.sourceforge.liferea +dbus-user.talk ca.desrt.dconf +# Uncomment the below if you use the 'Popup Notifications' plugin or add 'dbus-user.talk org.freedesktop.Notifications' to your liferea.local +#dbus-user.talk org.freedesktop.Notifications +# Uncomment the below if you use the 'Libsecret Support' plugin or add 'dbus-user.talk org.freedesktop.secrets' to your liferea.local +#dbus-user.talk org.freedesktop.secrets +dbus-system none diff -Nru firejail-0.9.64/etc/profile-a-l/links.profile firejail-0.9.64.4/etc/profile-a-l/links.profile --- firejail-0.9.64/etc/profile-a-l/links.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/links.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,6 +1,7 @@ # Firejail profile for links # Description: Text WWW browser # This file is overwritten after every install/update +quiet # Persistent local customizations include links.local # Persistent global definitions diff -Nru firejail-0.9.64/etc/profile-a-l/linphone.profile firejail-0.9.64.4/etc/profile-a-l/linphone.profile --- firejail-0.9.64/etc/profile-a-l/linphone.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/linphone.profile 2021-02-04 15:29:49.000000000 +0000 @@ -6,8 +6,10 @@ # Persistent global definitions include globals.local +noblacklist ${HOME}/.config/linphone noblacklist ${HOME}/.linphone-history.db noblacklist ${HOME}/.linphonerc +noblacklist ${HOME}/.local/share/linphone include disable-common.inc include disable-devel.inc 
@@ -16,10 +18,15 @@ include disable-passwdmgr.inc include disable-programs.inc -mkfile ${HOME}/.linphone-history.db -mkfile ${HOME}/.linphonerc +# linphone 4.0 (released 2017-06-26) moved config and database files to respect +# freedesktop standards. For backward compatibility we continue to whitelist +# ${HOME}/.linphone-history.db and ${HOME}/.linphonerc but no longer mkfile. +mkdir ${HOME}/.config/linphone +mkdir ${HOME}/.local/share/linphone +whitelist ${HOME}/.config/linphone whitelist ${HOME}/.linphone-history.db whitelist ${HOME}/.linphonerc +whitelist ${HOME}/.local/share/linphone whitelist ${DOWNLOADS} include whitelist-common.inc diff -Nru firejail-0.9.64/etc/profile-a-l/lobase.profile firejail-0.9.64.4/etc/profile-a-l/lobase.profile --- firejail-0.9.64/etc/profile-a-l/lobase.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/lobase.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,5 +1,8 @@ # Firejail profile alias for libreoffice # This file is overwritten after every install/update +# Persistent local customizations +include lobase.local + # Redirect include libreoffice.profile diff -Nru firejail-0.9.64/etc/profile-a-l/localc.profile firejail-0.9.64.4/etc/profile-a-l/localc.profile --- firejail-0.9.64/etc/profile-a-l/localc.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/localc.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,5 +1,8 @@ # Firejail profile alias for libreoffice # This file is overwritten after every install/update +# Persistent local customizations +include localc.local + # Redirect include libreoffice.profile diff -Nru firejail-0.9.64/etc/profile-a-l/lodraw.profile firejail-0.9.64.4/etc/profile-a-l/lodraw.profile --- firejail-0.9.64/etc/profile-a-l/lodraw.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/lodraw.profile 2021-02-04 15:29:49.000000000 +0000 
@@ -1,5 +1,8 @@ # Firejail profile alias for libreoffice # This file is overwritten after every install/update +# Persistent local customizations +include lodraw.local + # Redirect include libreoffice.profile diff -Nru firejail-0.9.64/etc/profile-a-l/loffice.profile firejail-0.9.64.4/etc/profile-a-l/loffice.profile --- firejail-0.9.64/etc/profile-a-l/loffice.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/loffice.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,5 +1,8 @@ # Firejail profile alias for libreoffice # This file is overwritten after every install/update +# Persistent local customizations +include loffice.local + # Redirect include libreoffice.profile diff -Nru firejail-0.9.64/etc/profile-a-l/lofromtemplate.profile firejail-0.9.64.4/etc/profile-a-l/lofromtemplate.profile --- firejail-0.9.64/etc/profile-a-l/lofromtemplate.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/lofromtemplate.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,5 +1,8 @@ # Firejail profile alias for libreoffice # This file is overwritten after every install/update +# Persistent local customizations +include lofromtemplate.local + # Redirect include libreoffice.profile diff -Nru firejail-0.9.64/etc/profile-a-l/Logs.profile firejail-0.9.64.4/etc/profile-a-l/Logs.profile --- firejail-0.9.64/etc/profile-a-l/Logs.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/Logs.profile 2021-02-04 15:29:49.000000000 +0000 
@@ -1,6 +1,9 @@ # Firejail profile for gnome-logs # This file is overwritten after every install/update +# Persistent local customizations +include Logs.local + # Temporary fix for https://github.com/netblue30/firejail/issues/2624 # Redirect include gnome-logs.profile diff -Nru firejail-0.9.64/etc/profile-a-l/loimpress.profile firejail-0.9.64.4/etc/profile-a-l/loimpress.profile --- firejail-0.9.64/etc/profile-a-l/loimpress.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/loimpress.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,5 +1,8 @@ # Firejail profile alias for libreoffice # This file is overwritten after every install/update +# Persistent local customizations +include loimpress.local + # Redirect include libreoffice.profile diff -Nru firejail-0.9.64/etc/profile-a-l/lomath.profile firejail-0.9.64.4/etc/profile-a-l/lomath.profile --- firejail-0.9.64/etc/profile-a-l/lomath.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/lomath.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,5 +1,8 @@ # Firejail profile alias for libreoffice # This file is overwritten after every install/update +# Persistent local customizations +include lomath.local + # Redirect include libreoffice.profile diff -Nru firejail-0.9.64/etc/profile-a-l/loweb.profile firejail-0.9.64.4/etc/profile-a-l/loweb.profile --- firejail-0.9.64/etc/profile-a-l/loweb.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/loweb.profile 2021-02-04 15:29:49.000000000 +0000 
@@ -1,5 +1,8 @@ # Firejail profile alias for libreoffice # This file is overwritten after every install/update +# Persistent local customizations +include loweb.local + # Redirect include libreoffice.profile diff -Nru firejail-0.9.64/etc/profile-a-l/lowriter.profile firejail-0.9.64.4/etc/profile-a-l/lowriter.profile --- firejail-0.9.64/etc/profile-a-l/lowriter.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/lowriter.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,5 +1,8 @@ # Firejail profile alias for libreoffice # This file is overwritten after every install/update +# Persistent local customizations +include lowriter.local + # Redirect include libreoffice.profile diff -Nru firejail-0.9.64/etc/profile-a-l/lsar.profile firejail-0.9.64.4/etc/profile-a-l/lsar.profile --- firejail-0.9.64/etc/profile-a-l/lsar.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/lsar.profile 2021-02-04 15:29:49.000000000 +0000 @@ -0,0 +1,13 @@ +# Firejail profile for lsar +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include lsar.local +# Persistent global definitions +# added by included profile +#include globals.local + +private-bin lsar + +# Redirect +include ar.profile diff -Nru firejail-0.9.64/etc/profile-a-l/lutris.profile firejail-0.9.64.4/etc/profile-a-l/lutris.profile --- firejail-0.9.64/etc/profile-a-l/lutris.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/lutris.profile 2021-02-04 15:29:49.000000000 +0000 
@@ -0,0 +1,74 @@
+# Firejail profile for lutris
+# Description: Multi-library game handler with special support for Wine
+# This file is overwritten after every install/update
+# Persistent local customizations
+include lutris.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${PATH}/llvm*
+noblacklist ${HOME}/Games
+noblacklist ${HOME}/.cache/lutris
+noblacklist ${HOME}/.cache/winetricks
+noblacklist ${HOME}/.config/lutris
+noblacklist ${HOME}/.local/share/lutris
+# noblacklist ${HOME}/.wine
+noblacklist /tmp/.wine-*
+
+ignore noexec ${HOME}
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/Games
+mkdir ${HOME}/.cache/lutris
+mkdir ${HOME}/.cache/winetricks
+mkdir ${HOME}/.config/lutris
+mkdir ${HOME}/.local/share/lutris
+# mkdir ${HOME}/.wine
+whitelist ${HOME}/Downloads
+whitelist ${HOME}/Games
+whitelist ${HOME}/.cache/lutris
+whitelist ${HOME}/.cache/winetricks
+whitelist ${HOME}/.config/lutris
+whitelist ${HOME}/.local/share/lutris
+# whitelist ${HOME}/.wine
+whitelist /usr/share/lutris
+whitelist /usr/share/wine
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+
+# allow-debuggers
+# apparmor
+caps.drop all
+ipc-namespace
+# net none
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+# uncomment the following line if you do not need controller support
+# private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff -Nru firejail-0.9.64/etc/profile-a-l/lynx.profile firejail-0.9.64.4/etc/profile-a-l/lynx.profile
--- firejail-0.9.64/etc/profile-a-l/lynx.profile 2020-10-06 
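Review bot: `whitelist ${HOME}/Downloads` hard-codes the directory name while the other profiles in this diff (kmail, mdr, the old mattermost profile) use `${DOWNLOADS}`, which follows the user's XDG user-dirs setting; on a localized or customized system the literal path is whitelisted for nothing and the real download folder stays unreachable, so it should be `whitelist ${DOWNLOADS}`. `ignore noexec ${HOME}` silently cancels the noexec mount that `disable-exec.inc` presumably applies to the home directory, and nothing in the profile says why; a comment such as `# Wine prefixes and game binaries under ${HOME}/Games must be executable, so the noexec from disable-exec.inc is lifted` would make the trade-off explicit, which matters here because the profile keeps network access (`netfilter`, `# net none`) and so downloaded code can be run.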
12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/lynx.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,6 +1,7 @@ # Firejail profile for lynx # Description: Classic non-graphical (text-mode) web browser # This file is overwritten after every install/update +quiet # Persistent local customizations include lynx.local # Persistent global definitions diff -Nru firejail-0.9.64/etc/profile-a-l/lyx.profile firejail-0.9.64.4/etc/profile-a-l/lyx.profile --- firejail-0.9.64/etc/profile-a-l/lyx.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/lyx.profile 2021-02-04 15:29:49.000000000 +0000 @@ -27,7 +27,7 @@ machine-id # private-bin atril,dvilualatex,env,latex,lua*,luatex,lyx,lyxclient,okular,pdf2latex,pdflatex,pdftex,perl*,python*,qpdf,qpdfview,sh,tex2lyx,texmf,xelatex -private-etc alternatives,dconf,fonts,gtk-2.0,gtk-3.0,locale,locale.alias,locale.conf,lyx,mime.types,passwd,texmf,X11,xdg +private-etc alternatives,dconf,fonts,gtk-2.0,gtk-3.0,locale,locale.alias,locale.conf,lyx,machine-id,mime.types,passwd,texmf,X11,xdg # Redirect include latex-common.profile diff -Nru firejail-0.9.64/etc/profile-a-l/lzcat.profile firejail-0.9.64.4/etc/profile-a-l/lzcat.profile --- firejail-0.9.64/etc/profile-a-l/lzcat.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/lzcat.profile 2021-02-04 15:29:49.000000000 +0000 @@ -3,5 +3,8 @@ # This file is overwritten after every install/update quiet +# Persistent local customizations +include lzcat.local + # Redirect include cpio.profile diff -Nru firejail-0.9.64/etc/profile-a-l/lzcmp.profile firejail-0.9.64.4/etc/profile-a-l/lzcmp.profile --- firejail-0.9.64/etc/profile-a-l/lzcmp.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/lzcmp.profile 2021-02-04 15:29:49.000000000 +0000 
@@ -3,5 +3,8 @@ # This file is overwritten after every install/update quiet +# Persistent local customizations +include lzcmp.local + # Redirect include cpio.profile diff -Nru firejail-0.9.64/etc/profile-a-l/lzdiff.profile firejail-0.9.64.4/etc/profile-a-l/lzdiff.profile --- firejail-0.9.64/etc/profile-a-l/lzdiff.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/lzdiff.profile 2021-02-04 15:29:49.000000000 +0000 @@ -2,5 +2,8 @@ # Description: Library and command line tools for XZ and LZMA compressed files # This file is overwritten after every install/update +# Persistent local customizations +include lzdiff.local + # Redirect include cpio.profile diff -Nru firejail-0.9.64/etc/profile-a-l/lzegrep.profile firejail-0.9.64.4/etc/profile-a-l/lzegrep.profile --- firejail-0.9.64/etc/profile-a-l/lzegrep.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/lzegrep.profile 2021-02-04 15:29:49.000000000 +0000 @@ -3,5 +3,8 @@ # This file is overwritten after every install/update quiet +# Persistent local customizations +include lzegrep.local + # Redirect include cpio.profile diff -Nru firejail-0.9.64/etc/profile-a-l/lzfgrep.profile firejail-0.9.64.4/etc/profile-a-l/lzfgrep.profile --- firejail-0.9.64/etc/profile-a-l/lzfgrep.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/lzfgrep.profile 2021-02-04 15:29:49.000000000 +0000 @@ -3,5 +3,8 @@ # This file is overwritten after every install/update quiet +# Persistent local customizations +include lzfgrep.local + # Redirect include cpio.profile diff -Nru firejail-0.9.64/etc/profile-a-l/lzgrep.profile firejail-0.9.64.4/etc/profile-a-l/lzgrep.profile --- firejail-0.9.64/etc/profile-a-l/lzgrep.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/lzgrep.profile 2021-02-04 15:29:49.000000000 +0000 
@@ -3,5 +3,8 @@ # This file is overwritten after every install/update quiet +# Persistent local customizations +include lzgrep.local + # Redirect include cpio.profile diff -Nru firejail-0.9.64/etc/profile-a-l/lzip.profile firejail-0.9.64.4/etc/profile-a-l/lzip.profile --- firejail-0.9.64/etc/profile-a-l/lzip.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/lzip.profile 2021-02-04 15:29:49.000000000 +0000 @@ -3,5 +3,8 @@ # This file is overwritten after every install/update quiet +# Persistent local customizations +include lzip.local + # Redirect include cpio.profile diff -Nru firejail-0.9.64/etc/profile-a-l/lzless.profile firejail-0.9.64.4/etc/profile-a-l/lzless.profile --- firejail-0.9.64/etc/profile-a-l/lzless.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/lzless.profile 2021-02-04 15:29:49.000000000 +0000 @@ -3,5 +3,8 @@ # This file is overwritten after every install/update quiet +# Persistent local customizations +include lzless.local + # Redirect include cpio.profile diff -Nru firejail-0.9.64/etc/profile-a-l/lzmadec.profile firejail-0.9.64.4/etc/profile-a-l/lzmadec.profile --- firejail-0.9.64/etc/profile-a-l/lzmadec.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/lzmadec.profile 2021-02-04 15:29:49.000000000 +0000 @@ -2,5 +2,8 @@ # Description: Library and command line tools for XZ and LZMA compressed files # This file is overwritten after every install/update +# Persistent local customizations +include lzmadec.local + # Redirect include xzdec.profile diff -Nru firejail-0.9.64/etc/profile-a-l/lzmainfo.profile firejail-0.9.64.4/etc/profile-a-l/lzmainfo.profile --- firejail-0.9.64/etc/profile-a-l/lzmainfo.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/lzmainfo.profile 2021-02-04 15:29:49.000000000 +0000 
@@ -3,5 +3,8 @@ # This file is overwritten after every install/update quiet +# Persistent local customizations +include lzmainfo.local + # Redirect include cpio.profile diff -Nru firejail-0.9.64/etc/profile-a-l/lzma.profile firejail-0.9.64.4/etc/profile-a-l/lzma.profile --- firejail-0.9.64/etc/profile-a-l/lzma.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/lzma.profile 2021-02-04 15:29:49.000000000 +0000 @@ -3,5 +3,8 @@ # This file is overwritten after every install/update quiet +# Persistent local customizations +include lzma.local + # Redirect include cpio.profile diff -Nru firejail-0.9.64/etc/profile-a-l/lzmore.profile firejail-0.9.64.4/etc/profile-a-l/lzmore.profile --- firejail-0.9.64/etc/profile-a-l/lzmore.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-a-l/lzmore.profile 2021-02-04 15:29:49.000000000 +0000 @@ -3,5 +3,8 @@ # This file is overwritten after every install/update quiet +# Persistent local customizations +include lzmore.local + # Redirect include cpio.profile diff -Nru firejail-0.9.64/etc/profile-m-z/Maps.profile firejail-0.9.64.4/etc/profile-m-z/Maps.profile --- firejail-0.9.64/etc/profile-m-z/Maps.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/Maps.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,6 +1,9 @@ # Firejail profile for gnome-maps # This file is overwritten after every install/update +# Persistent local customizations +include Maps.local + # Temporary fix for https://github.com/netblue30/firejail/issues/2624 # Redirect include gnome-maps.profile diff -Nru firejail-0.9.64/etc/profile-m-z/marker.profile firejail-0.9.64.4/etc/profile-m-z/marker.profile --- firejail-0.9.64/etc/profile-m-z/marker.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/marker.profile 2021-02-04 15:29:49.000000000 +0000 
@@ -0,0 +1,59 @@
+# Firejail profile for marker
+# Description: Marker is a markdown editor for Linux made with Gtk+-3.0
+# This file is overwritten after every install/update
+# Persistent local customizations
+include marker.local
+# Persistent global definitions
+include globals.local
+
+# Uncomment (or add to your marker.local) if you need internet access.
+#ignore net none
+#protocol unix,inet,inet6
+#private-etc ca-certificates,ssl,pki,crypto-policies,nsswitch.conf,resolv.conf
+
+noblacklist ${HOME}/.cache/marker
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist /usr/share/com.github.fabiocolacio.marker
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+private-bin marker
+private-cache
+private-dev
+private-etc alternatives,dconfgtk-3.0,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,pango,X11
+private-tmp
+
+dbus-user filter
+dbus-user.own com.github.fabiocolacio.marker
+dbus-user.talk ca.desrt.dconf
+dbus-system none
diff -Nru firejail-0.9.64/etc/profile-m-z/mate-calculator.profile firejail-0.9.64.4/etc/profile-m-z/mate-calculator.profile
--- firejail-0.9.64/etc/profile-m-z/mate-calculator.profile 2020-10-06 12:50:41.000000000 +0000
+++ firejail-0.9.64.4/etc/profile-m-z/mate-calculator.profile 2021-02-04 15:29:49.000000000 +0000
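Review bot: `private-etc alternatives,dconfgtk-3.0,fonts,…` is missing the comma between `dconf` and `gtk-3.0`, so neither /etc/dconf nor /etc/gtk-3.0 ends up in the private /etc (as far as I recall firejail warns about and skips entries that do not exist rather than failing), which leaves the `dbus-user.talk ca.desrt.dconf` line below paired with a missing dconf profile; the line should read `private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,pango,X11`. `netfilter` is redundant while `net none` is in force and would only matter inside the commented internet-access block, so it belongs there. That block's `#private-etc ca-certificates,…` also becomes a second private-etc line once uncommented; unless this firejail version merges multiple private-etc lines (I believe at this point the later line replaced the earlier one), the comment should tell users to extend the existing list in marker.local instead.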
@@ -1,5 +1,8 @@ # Firejail profile alias for mate-calc # This file is overwritten after every install/update +# Persistent local customizations +include mate-calculator.local + # Redirect include mate-calc.profile diff -Nru firejail-0.9.64/etc/profile-m-z/mathematica.profile firejail-0.9.64.4/etc/profile-m-z/mathematica.profile --- firejail-0.9.64/etc/profile-m-z/mathematica.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/mathematica.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,5 +1,8 @@ # Firejail profile alias for Mathematica # This file is overwritten after every install/update +# Persistent local customizations +include mathematica.local + # Redirect include Mathematica.profile diff -Nru firejail-0.9.64/etc/profile-m-z/matrix-mirage.profile firejail-0.9.64.4/etc/profile-m-z/matrix-mirage.profile --- firejail-0.9.64/etc/profile-m-z/matrix-mirage.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/matrix-mirage.profile 2021-02-04 15:29:49.000000000 +0000 
@@ -0,0 +1,24 @@
+# Firejail profile for matrix-mirage
+# Description: Debian name for mirage binary/package
+# This file is overwritten after every install/update
+# Persistent local customizations
+include matrix-mirage.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.cache/matrix-mirage
+noblacklist ${HOME}/.config/matrix-mirage
+noblacklist ${HOME}/.local/share/matrix-mirage
+
+mkdir ${HOME}/.cache/matrix-mirage
+mkdir ${HOME}/.config/matrix-mirage
+mkdir ${HOME}/.local/share/matrix-mirage
+whitelist ${HOME}/.cache/matrix-mirage
+whitelist ${HOME}/.config/matrix-mirage
+whitelist ${HOME}/.local/share/matrix-mirage
+
+private-bin matrix-mirage
+
+# Redirect
+include mirage.profile
diff -Nru firejail-0.9.64/etc/profile-m-z/mattermost-desktop.profile firejail-0.9.64.4/etc/profile-m-z/mattermost-desktop.profile
--- firejail-0.9.64/etc/profile-m-z/mattermost-desktop.profile 2020-10-06 12:50:41.000000000 +0000
+++ firejail-0.9.64.4/etc/profile-m-z/mattermost-desktop.profile 2021-02-04 15:29:49.000000000 +0000
@@ -5,42 +5,25 @@ # Persistent global definitions include globals.local +# Disabled until someone reported positive feedback +ignore apparmor +ignore dbus-user none +ignore dbus-system none + noblacklist ${HOME}/.config/Mattermost -include disable-common.inc -include disable-devel.inc -include disable-exec.inc -include disable-interpreters.inc -include disable-programs.inc -include disable-passwdmgr.inc include disable-shell.inc -include disable-xdg.inc mkdir ${HOME}/.config/Mattermost -whitelist ${DOWNLOADS} whitelist ${HOME}/.config/Mattermost -include whitelist-common.inc -include whitelist-runuser-common.inc -include whitelist-usr-share-common.inc -include whitelist-var-common.inc - -caps.keep sys_admin,sys_chroot -netfilter -nodvd -nogroups -notv -nou2f -novideo -shell none - -disable-mnt -private-cache -private-dev + private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl -private-tmp # Not tested #dbus-user filter #dbus-user.own com.mattermost.Desktop #dbus-user.talk org.freedesktop.Notifications #dbus-system none + +# Redirect +include electron.profile diff -Nru firejail-0.9.64/etc/profile-m-z/mdr.profile firejail-0.9.64.4/etc/profile-m-z/mdr.profile --- firejail-0.9.64/etc/profile-m-z/mdr.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/mdr.profile 2021-02-04 15:29:49.000000000 +0000 
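Review bot: `ignore dbus-user none` and `ignore dbus-system none` cancel the bus restrictions that the newly included electron.profile presumably sets (its contents are outside this diff), so the Electron app ends up with unrestricted access to every session-bus service (org.freedesktop.secrets among them) and to the system bus, which is a wider opening than the profile it replaces had, while the old explicit whitelist, `caps.keep`, `netfilter` and `private-*` lines are dropped on the assumption that electron.profile provides equivalents. The justification comment is also ungrammatical and does not say what feedback is wanted: `# apparmor and the dbus-user/dbus-system restrictions inherited from electron.profile are disabled until someone reports that Mattermost works with them; until then the sandbox has unrestricted D-Bus access`. The drafted `#dbus-user filter` / `#dbus-user.own com.mattermost.Desktop` / `#dbus-user.talk org.freedesktop.Notifications` block below is the obvious first thing to test, and enabling it together with `dbus-system none` would be a safer default than opening both buses.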
@@ -0,0 +1,55 @@ +# Firejail profile for mdr +# Description: A standalone Markdown renderer for the terminal +# Persistent local customizations +include mdr.local +# Persistent global definitions +include globals.local + +blacklist ${RUNUSER}/wayland-* + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +whitelist ${DOWNLOADS} +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +hostname mdr +ipc-namespace +machine-id +net none +no3d +nodvd +nogroups +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix +seccomp +shell none +tracelog +x11 none + +disable-mnt +private-bin mdr +private-cache +private-dev +private-etc none +private-lib +private-tmp + +dbus-user none +dbus-system none + +memory-deny-write-execute diff -Nru firejail-0.9.64/etc/profile-m-z/megaglest_editor.profile firejail-0.9.64.4/etc/profile-m-z/megaglest_editor.profile --- firejail-0.9.64/etc/profile-m-z/megaglest_editor.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/megaglest_editor.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,5 +1,8 @@ # Firejail profile alias for megaglest # This file is overwritten after every install/update +# Persistent local customizations +include megaglest_editor.local + # Redirect include megaglest.profile diff -Nru firejail-0.9.64/etc/profile-m-z/megaglest.profile firejail-0.9.64.4/etc/profile-m-z/megaglest.profile --- firejail-0.9.64/etc/profile-m-z/megaglest.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/megaglest.profile 2021-02-04 15:29:49.000000000 +0000 @@ -14,6 +14,7 @@ include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc mkdir ${HOME}/.megaglest 
@@ -37,6 +38,7 @@ novideo protocol unix,inet,inet6,netlink seccomp +seccomp.block-secondary shell none tracelog diff -Nru firejail-0.9.64/etc/profile-m-z/meld.profile firejail-0.9.64.4/etc/profile-m-z/meld.profile --- firejail-0.9.64/etc/profile-m-z/meld.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/meld.profile 2021-02-04 15:29:49.000000000 +0000 @@ -62,6 +62,7 @@ novideo protocol unix,inet,inet6 seccomp +seccomp.block-secondary shell none tracelog diff -Nru firejail-0.9.64/etc/profile-m-z/menulibre.profile firejail-0.9.64.4/etc/profile-m-z/menulibre.profile --- firejail-0.9.64/etc/profile-m-z/menulibre.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/menulibre.profile 2021-02-04 15:29:49.000000000 +0000 @@ -11,7 +11,7 @@ include disable-common.inc include disable-devel.inc -include disable-exec.inc +include disable-exec.inc include disable-interpreters.inc include disable-programs.inc include disable-passwdmgr.inc @@ -25,7 +25,7 @@ whitelist /var/lib/app-info/icons whitelist /var/lib/flatpak/exports/share/applications whitelist /var/lib/flatpak/exports/share/icons -include whitelist-runuser-common.inc +include whitelist-runuser-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc @@ -44,6 +44,7 @@ novideo protocol unix seccomp +seccomp.block-secondary shell none tracelog diff -Nru firejail-0.9.64/etc/profile-m-z/microsoft-edge-dev.profile firejail-0.9.64.4/etc/profile-m-z/microsoft-edge-dev.profile --- firejail-0.9.64/etc/profile-m-z/microsoft-edge-dev.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/microsoft-edge-dev.profile 2021-02-04 15:29:49.000000000 +0000 
@@ -0,0 +1,20 @@ +# Firejail profile for Microsoft Edge Dev +# Description: Web browser from Microsoft,dev channel +# This file is overwritten after every install/update +# Persistent local customizations +include microsoft-edge-dev.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.cache/microsoft-edge-dev +noblacklist ${HOME}/.config/microsoft-edge-dev + +mkdir ${HOME}/.cache/microsoft-edge-dev +mkdir ${HOME}/.config/microsoft-edge-dev +whitelist ${HOME}/.cache/microsoft-edge-dev +whitelist ${HOME}/.config/microsoft-edge-dev + +private-opt microsoft + +# Redirect +include chromium-common.profile diff -Nru firejail-0.9.64/etc/profile-m-z/microsoft-edge.profile firejail-0.9.64.4/etc/profile-m-z/microsoft-edge.profile --- firejail-0.9.64/etc/profile-m-z/microsoft-edge.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/microsoft-edge.profile 2021-02-04 15:29:49.000000000 +0000 @@ -0,0 +1,11 @@ +# Firejail profile for Microsoft Edge +# Description: Web browser from Microsoft +# This file is overwritten after every install/update +# Persistent local customizations +include microsoft-edge.local +# Persistent global definitions +# added by included profile +#include globals.local + +# Redirect +include microsoft-edge-dev.profile diff -Nru firejail-0.9.64/etc/profile-m-z/minetest.profile firejail-0.9.64.4/etc/profile-m-z/minetest.profile --- firejail-0.9.64/etc/profile-m-z/minetest.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/minetest.profile 2021-02-04 15:29:49.000000000 +0000 @@ -12,6 +12,9 @@ noblacklist ${HOME}/.cache/minetest noblacklist ${HOME}/.minetest +# Allow lua (blacklisted by disable-interpreters.inc) +include allow-lua.inc + include disable-common.inc include disable-devel.inc include disable-exec.inc 
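Review bot: `microsoft-edge.profile` redirects straight to `microsoft-edge-dev.profile` without whitelisting any directory of its own, so the stable channel inherits only the `microsoft-edge-dev` whitelist entries from the dev profile. If stable Edge keeps its data under `${HOME}/.config/microsoft-edge` and `${HOME}/.cache/microsoft-edge` (inferred from the dev channel's naming, to be confirmed against an install), those paths stay hidden by the whitelisting in `chromium-common.profile` and the browser would start with an empty, non-persistent profile or fail writing it. Add the stable channel's own noblacklist/mkdir/whitelist lines before the redirect, mirroring the dev profile.
```shell
# Firejail profile for Microsoft Edge
# … unchanged: description, include microsoft-edge.local, globals comment …

noblacklist ${HOME}/.cache/microsoft-edge
noblacklist ${HOME}/.config/microsoft-edge

mkdir ${HOME}/.cache/microsoft-edge
mkdir ${HOME}/.config/microsoft-edge
whitelist ${HOME}/.cache/microsoft-edge
whitelist ${HOME}/.config/microsoft-edge

# Redirect
include microsoft-edge-dev.profile
```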
@@ -25,6 +28,7 @@ mkdir ${HOME}/.minetest whitelist ${HOME}/.cache/minetest whitelist ${HOME}/.minetest +whitelist /usr/share/games/minetest whitelist /usr/share/minetest include whitelist-common.inc include whitelist-runuser-common.inc @@ -43,12 +47,14 @@ novideo protocol unix,inet,inet6 seccomp +seccomp.block-secondary shell none tracelog disable-mnt -private-bin minetest -private-cache +private-bin minetest,rm +# cache is used for storing assets when connecting to servers +#private-cache private-dev # private-etc needs to be updated, see #1702 #private-etc alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl diff -Nru firejail-0.9.64/etc/profile-m-z/minitube.profile firejail-0.9.64.4/etc/profile-m-z/minitube.profile --- firejail-0.9.64/etc/profile-m-z/minitube.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/minitube.profile 2021-02-04 15:29:49.000000000 +0000 @@ -19,7 +19,7 @@ include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc -include disable-shell.inc +include disable-shell.inc include disable-xdg.inc mkdir ${HOME}/.cache/Flavio Tordini @@ -30,8 +30,8 @@ whitelist ${HOME}/.config/Flavio Tordini whitelist ${HOME}/.local/share/Flavio Tordini whitelist /usr/share/minitube -include whitelist-common.inc -include whitelist-runuser-common.inc +include whitelist-common.inc +include whitelist-runuser-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc diff -Nru firejail-0.9.64/etc/profile-m-z/mirage.profile firejail-0.9.64.4/etc/profile-m-z/mirage.profile --- firejail-0.9.64/etc/profile-m-z/mirage.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/mirage.profile 2021-02-04 15:29:49.000000000 +0000 
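Review bot: `private-bin minetest,rm` adds a second binary to the sandbox without saying why the game needs `rm`; a reader auditing the profile cannot tell whether it is required (presumably for deleting worlds or mods through an external command, which is not verifiable here) or a leftover from debugging. Add a one-line reason above it, e.g. `# rm is executed by minetest when removing worlds/mods` (adjusted to the actual cause), matching the explanatory comment this hunk already gives for `#private-cache`.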
@@ -1,5 +1,5 @@ # Firejail profile for mirage -# Description: Desktop client for Matrix +# Description: Desktop client for Matrix # This file is overwritten after every install/update # Persistent local customizations include mirage.local @@ -9,6 +9,7 @@ noblacklist ${HOME}/.cache/mirage noblacklist ${HOME}/.config/mirage noblacklist ${HOME}/.local/share/mirage +noblacklist /sbin include allow-python2.inc include allow-python3.inc @@ -30,7 +31,7 @@ whitelist ${HOME}/.local/share/mirage whitelist ${DOWNLOADS} include whitelist-common.inc -include whitelist-runuser-common.inc +include whitelist-runuser-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc @@ -49,7 +50,7 @@ tracelog disable-mnt -private-bin mirage +private-bin ldconfig,mirage private-cache private-dev private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg diff -Nru firejail-0.9.64/etc/profile-m-z/mplayer.profile firejail-0.9.64.4/etc/profile-m-z/mplayer.profile --- firejail-0.9.64/etc/profile-m-z/mplayer.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/mplayer.profile 2021-02-04 15:29:49.000000000 +0000 @@ -19,7 +19,7 @@ mkdir ${HOME}/.mplayer whitelist ${HOME}/.mplayer include whitelist-common.inc -include whitelist-players.inc +include whitelist-player-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc diff -Nru firejail-0.9.64/etc/profile-m-z/mpsyt.profile firejail-0.9.64.4/etc/profile-m-z/mpsyt.profile --- firejail-0.9.64/etc/profile-m-z/mpsyt.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/mpsyt.profile 2021-02-04 15:29:49.000000000 +0000 
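Review bot: `noblacklist /sbin` reopens the whole /sbin tree for a chat client, while the only visible beneficiary is the `ldconfig` entry added to `private-bin` in the next hunk (ldconfig normally lives in /sbin, which disable-common.inc is presumed to blacklist). Because `private-bin` already limits what lands in the sandbox's bin directories the practical exposure is small, but the intent should be recorded: `# ldconfig lives in /sbin (blacklisted by disable-common.inc); needed for private-bin below`. If ldconfig is the only requirement, `noblacklist /sbin/ldconfig` is the narrower form.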
@@ -13,6 +13,9 @@ noblacklist ${HOME}/.netrc noblacklist ${HOME}/mps +# Allow lua (blacklisted by disable-interpreters.inc) +include allow-lua.inc + # Allow python (blacklisted by disable-interpreters.inc) include allow-python2.inc include allow-python3.inc @@ -41,7 +44,7 @@ whitelist ${HOME}/.netrc whitelist ${HOME}/mps include whitelist-common.inc -include whitelist-players.inc +include whitelist-player-common.inc include whitelist-var-common.inc apparmor diff -Nru firejail-0.9.64/etc/profile-m-z/mpv.profile firejail-0.9.64.4/etc/profile-m-z/mpv.profile --- firejail-0.9.64/etc/profile-m-z/mpv.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/mpv.profile 2021-02-04 15:29:49.000000000 +0000 @@ -21,7 +21,7 @@ # - ... # # Often these scripts require a shell: -#noblacklist ${PATH}/sh +#include allow-bin-sh.inc #private-bin sh noblacklist ${HOME}/.config/mpv @@ -50,7 +50,7 @@ whitelist ${HOME}/.config/youtube-dl whitelist ${HOME}/.netrc include whitelist-common.inc -include whitelist-players.inc +include whitelist-player-common.inc whitelist /usr/share/lua whitelist /usr/share/lua* whitelist /usr/share/vulkan @@ -67,6 +67,7 @@ nou2f protocol unix,inet,inet6,netlink seccomp +seccomp.block-secondary shell none tracelog diff -Nru firejail-0.9.64/etc/profile-m-z/mtpaint.profile firejail-0.9.64.4/etc/profile-m-z/mtpaint.profile --- firejail-0.9.64/etc/profile-m-z/mtpaint.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/mtpaint.profile 2021-02-04 15:29:49.000000000 +0000 
@@ -10,14 +10,14 @@ include disable-common.inc include disable-devel.inc -include disable-exec.inc +include disable-exec.inc include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc -include whitelist-runuser-common.inc +include whitelist-runuser-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc diff -Nru firejail-0.9.64/etc/profile-m-z/multimc.profile firejail-0.9.64.4/etc/profile-m-z/multimc.profile --- firejail-0.9.64/etc/profile-m-z/multimc.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/multimc.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,5 +1,8 @@ # Firejail profile alias for multimc5 # This file is overwritten after every install/update +# Persistent local customizations +include multimc.local + # Redirect include multimc5.profile diff -Nru firejail-0.9.64/etc/profile-m-z/musictube.profile firejail-0.9.64.4/etc/profile-m-z/musictube.profile --- firejail-0.9.64/etc/profile-m-z/musictube.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/musictube.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,5 +1,5 @@ # Firejail profile for musictube -# Description: Stream music +# Description: Stream music # This file is overwritten after every install/update # Persistent local customizations include musictube.local @@ -16,7 +16,7 @@ include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc -include disable-shell.inc +include disable-shell.inc include disable-xdg.inc mkdir ${HOME}/.cache/Flavio Tordini 
@@ -26,8 +26,8 @@ whitelist ${HOME}/.config/Flavio Tordini whitelist ${HOME}/.local/share/Flavio Tordini whitelist /usr/share/musictube -include whitelist-common.inc -include whitelist-runuser-common.inc +include whitelist-common.inc +include whitelist-runuser-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc diff -Nru firejail-0.9.64/etc/profile-m-z/mypaint-ora-thumbnailer.profile firejail-0.9.64.4/etc/profile-m-z/mypaint-ora-thumbnailer.profile --- firejail-0.9.64/etc/profile-m-z/mypaint-ora-thumbnailer.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/mypaint-ora-thumbnailer.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,5 +1,8 @@ # Firejail profile alias for mypaint-ora-thumbnailer # This file is overwritten after every install/update +# Persistent local customizations +include mypaint-ora-thumbnailer.local + # Redirect include mypaint.profile diff -Nru firejail-0.9.64/etc/profile-m-z/Natron.profile firejail-0.9.64.4/etc/profile-m-z/Natron.profile --- firejail-0.9.64/etc/profile-m-z/Natron.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/Natron.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,5 +1,8 @@ # Firejail profile alias for natron # This file is overwritten after every install/update +# Persistent local customizations +include Natron.local + # Redirect include natron.profile diff -Nru firejail-0.9.64/etc/profile-m-z/newsboat.profile firejail-0.9.64.4/etc/profile-m-z/newsboat.profile --- firejail-0.9.64/etc/profile-m-z/newsboat.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/newsboat.profile 2021-02-04 15:29:49.000000000 +0000 
@@ -38,10 +38,10 @@ shell none disable-mnt -private-bin newsboat +private-bin gzip,lynx,newsboat,sh private-cache private-dev -private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl,terminfo +private-etc alternatives,ca-certificates,crypto-policies,lynx.cfg,lynx.lss,pki,resolv.conf,ssl,terminfo private-tmp dbus-user none diff -Nru firejail-0.9.64/etc/profile-m-z/nheko.profile firejail-0.9.64.4/etc/profile-m-z/nheko.profile --- firejail-0.9.64/etc/profile-m-z/nheko.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/nheko.profile 2021-02-04 15:29:49.000000000 +0000 @@ -7,7 +7,7 @@ include globals.local noblacklist ${HOME}/.config/nheko -noblacklist ${HOME}/.cache/nheko/nheko +noblacklist ${HOME}/.cache/nheko include disable-common.inc include disable-devel.inc @@ -16,14 +16,19 @@ include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc +include disable-xdg.inc mkdir ${HOME}/.config/nheko mkdir ${HOME}/.cache/nheko/nheko whitelist ${HOME}/.config/nheko -whitelist ${HOME}/.cache/nheko/nheko +whitelist ${HOME}/.cache/nheko whitelist ${DOWNLOADS} include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc +apparmor caps.drop all netfilter nodvd 
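Review bot: `private-bin gzip,lynx,newsboat,sh` puts a shell into a feed reader that renders untrusted HTML through lynx, and nothing records why `sh` is required (presumably newsboat's `html-renderer`/`browser` settings are run via the shell, which is not visible here). If `newsboat.profile` includes `disable-shell.inc` outside this hunk, `sh` is blacklisted and private-bin will not find it unless `include allow-bin-sh.inc` is added as well — the pattern this same release uses in mpv.profile and nodejs-common.profile. Add `# sh is needed to run the html-renderer/browser commands` above the line and the include if applicable.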
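Review bot: The nheko hunk changes `noblacklist` and `whitelist` to `${HOME}/.cache/nheko` but leaves `mkdir ${HOME}/.cache/nheko/nheko`, so the three lines no longer name the same path. Change it to `mkdir ${HOME}/.cache/nheko` unless the nested directory is deliberately pre-created for nheko; if it is, a short comment would stop the next reader from "fixing" it.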
@@ -38,5 +43,14 @@ disable-mnt private-bin nheko +private-cache +private-dev +private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg private-tmp +dbus-user none +# Comment the above line and uncomment below lines for notification popups +# dbus-user filter +# dbus-user.talk org.freedesktop.Notifications +# dbus-user.talk org.kde.StatusNotifierWatcher +dbus-system none diff -Nru firejail-0.9.64/etc/profile-m-z/nitroshare-cli.profile firejail-0.9.64.4/etc/profile-m-z/nitroshare-cli.profile --- firejail-0.9.64/etc/profile-m-z/nitroshare-cli.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/nitroshare-cli.profile 2021-02-04 15:29:49.000000000 +0000 @@ -2,5 +2,8 @@ # Description: Network File Transfer Application # This file is overwritten after every install/update +# Persistent local customizations +include nitroshare-cli.local + # Redirect include nitroshare.profile diff -Nru firejail-0.9.64/etc/profile-m-z/nitroshare-nmh.profile firejail-0.9.64.4/etc/profile-m-z/nitroshare-nmh.profile --- firejail-0.9.64/etc/profile-m-z/nitroshare-nmh.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/nitroshare-nmh.profile 2021-02-04 15:29:49.000000000 +0000 @@ -2,5 +2,8 @@ # Description: Network File Transfer Application # This file is overwritten after every install/update +# Persistent local customizations +include nitroshare-nmh.local + # Redirect include nitroshare.profile diff -Nru firejail-0.9.64/etc/profile-m-z/nitroshare-send.profile firejail-0.9.64.4/etc/profile-m-z/nitroshare-send.profile --- firejail-0.9.64/etc/profile-m-z/nitroshare-send.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/nitroshare-send.profile 2021-02-04 15:29:49.000000000 +0000 
@@ -2,5 +2,8 @@ # Description: Network File Transfer Application # This file is overwritten after every install/update +# Persistent local customizations +include nitroshare-send.local + # Redirect include nitroshare.profile diff -Nru firejail-0.9.64/etc/profile-m-z/nitroshare-ui.profile firejail-0.9.64.4/etc/profile-m-z/nitroshare-ui.profile --- firejail-0.9.64/etc/profile-m-z/nitroshare-ui.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/nitroshare-ui.profile 2021-02-04 15:29:49.000000000 +0000 @@ -2,5 +2,8 @@ # Description: Network File Transfer Application # This file is overwritten after every install/update +# Persistent local customizations +include nitroshare-ui.local + # Redirect include nitroshare.profile diff -Nru firejail-0.9.64/etc/profile-m-z/nodejs-common.profile firejail-0.9.64.4/etc/profile-m-z/nodejs-common.profile --- firejail-0.9.64/etc/profile-m-z/nodejs-common.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/nodejs-common.profile 2021-02-04 15:29:49.000000000 +0000 
@@ -0,0 +1,52 @@
+# Firejail profile for Node.js
+# Description: Common profile for npm/yarn
+# This file is overwritten after every install/update
+# Persistent local customizations
+include nodejs-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}
+
+ignore noexec ${HOME}
+
+include allow-bin-sh.inc
+
+include disable-common.inc
+include disable-exec.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+seccomp.block-secondary
+shell none
+
+disable-mnt
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,mime.types,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl,xdg
+private-tmp
+
+dbus-user none
+dbus-system none
diff -Nru firejail-0.9.64/etc/profile-m-z/npm.profile firejail-0.9.64.4/etc/profile-m-z/npm.profile
--- firejail-0.9.64/etc/profile-m-z/npm.profile 1970-01-01 00:00:00.000000000 +0000
+++ firejail-0.9.64.4/etc/profile-m-z/npm.profile 2021-02-04 15:29:49.000000000 +0000
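Review bot: `ignore noexec ${HOME}` re-enables execution from the entire home directory for every profile that redirects here, and the line carries no explanation; add `# npm/yarn execute lifecycle scripts and node_modules/.bin helpers from ${HOME}, so noexec cannot be applied` (assumed rationale — confirm). Separately, `blacklist ${RUNUSER}` followed by `include whitelist-runuser-common.inc` is contradictory: if the blacklist is honoured, the runuser entries the include whitelists are hidden anyway, so one of the two should go and a comment should say which sockets, if any, the package managers need. Since package installs run untrusted code with network access, recording these two decisions matters more here than in a GUI profile.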
@@ -0,0 +1,29 @@ +# Firejail profile for npm +# Description: The Node.js Package Manager +quiet +# This file is overwritten after every install/update +# Persistent local customizations +include npm.local +# Persistent global definitions +include globals.local + +ignore read-only ${HOME}/.npm-packages +ignore read-only ${HOME}/.npmrc + +noblacklist ${HOME}/.node-gyp +noblacklist ${HOME}/.npm +noblacklist ${HOME}/.npmrc + +# If you want whitelisting, change ${HOME}/Projects below to your npm projects directory +# and uncomment the lines below. +#mkdir ${HOME}/.node-gyp +#mkdir ${HOME}/.npm +#mkfile ${HOME}/.npmrc +#whitelist ${HOME}/.node-gyp +#whitelist ${HOME}/.npm +#whitelist ${HOME}/.npmrc +#whitelist ${HOME}/Projects +#include whitelist-common.inc + +# Redirect +include nodejs-common.profile diff -Nru firejail-0.9.64/etc/profile-m-z/nslookup.profile firejail-0.9.64.4/etc/profile-m-z/nslookup.profile --- firejail-0.9.64/etc/profile-m-z/nslookup.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/nslookup.profile 2021-02-04 15:29:49.000000000 +0000 @@ -8,7 +8,6 @@ include globals.local blacklist /tmp/.X11-unix -blacklist ${RUNUSER}/wayland-* blacklist ${RUNUSER} noblacklist ${PATH}/nslookup diff -Nru firejail-0.9.64/etc/profile-m-z/nuclear.profile firejail-0.9.64.4/etc/profile-m-z/nuclear.profile --- firejail-0.9.64/etc/profile-m-z/nuclear.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/nuclear.profile 2021-02-04 15:29:49.000000000 +0000 
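Review bot: `ignore read-only ${HOME}/.npmrc` makes the file that holds registry URLs and auth tokens writable from inside a sandbox whose purpose is to contain untrusted install scripts, and nothing says why (presumably for `npm login` / `npm config set`). Add `# writable ~/.npmrc is needed for npm login and npm config set; keep it read-only in npm.local if you never write it from the sandbox` so users who only run `npm install` know the override can be dropped. The read-only rule being overridden is assumed to come from disable-common.inc, which is outside this diff.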
@@ -10,31 +10,16 @@ noblacklist ${HOME}/.config/nuclear -include disable-devel.inc -include disable-exec.inc -include disable-interpreters.inc -include disable-shell.inc -include disable-xdg.inc +include disable-shell.inc mkdir ${HOME}/.config/nuclear whitelist ${HOME}/.config/nuclear -include whitelist-common.inc -include whitelist-runuser-common.inc -include whitelist-usr-share-common.inc -include whitelist-var-common.inc no3d -nou2f -novideo -shell none -disable-mnt # private-bin nuclear -private-cache -private-dev private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg private-opt nuclear -private-tmp # Redirect include electron.profile diff -Nru firejail-0.9.64/etc/profile-m-z/okular.profile firejail-0.9.64.4/etc/profile-m-z/okular.profile --- firejail-0.9.64/etc/profile-m-z/okular.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/okular.profile 2021-02-04 15:29:49.000000000 +0000 @@ -53,7 +53,7 @@ shell none tracelog -private-bin kbuildsycoca4,kdeinit4,lpr,okular +private-bin kbuildsycoca4,kdeinit4,lpr,okular,unar,unrar private-dev private-etc alternatives,cups,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,xdg # private-tmp - on KDE we need access to the real /tmp for data exchange with email clients diff -Nru firejail-0.9.64/etc/profile-m-z/onboard.profile firejail-0.9.64.4/etc/profile-m-z/onboard.profile --- firejail-0.9.64/etc/profile-m-z/onboard.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/onboard.profile 2021-02-04 15:29:49.000000000 +0000 @@ -13,7 +13,7 @@ include disable-common.inc include disable-devel.inc -include disable-exec.inc +include disable-exec.inc include disable-interpreters.inc include disable-programs.inc include disable-passwdmgr.inc 
@@ -23,9 +23,9 @@ mkdir ${HOME}/.config/onboard whitelist ${HOME}/.config/onboard whitelist /usr/share/onboard -include whitelist-common.inc +include whitelist-common.inc include whitelist-usr-share-common.inc -include whitelist-runuser-common.inc +include whitelist-runuser-common.inc include whitelist-var-common.inc apparmor diff -Nru firejail-0.9.64/etc/profile-m-z/ooffice.profile firejail-0.9.64.4/etc/profile-m-z/ooffice.profile --- firejail-0.9.64/etc/profile-m-z/ooffice.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/ooffice.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,5 +1,8 @@ # Firejail profile alias for libreoffice # This file is overwritten after every install/update +# Persistent local customizations +include ooffice.local + # Redirect include libreoffice.profile diff -Nru firejail-0.9.64/etc/profile-m-z/ooviewdoc.profile firejail-0.9.64.4/etc/profile-m-z/ooviewdoc.profile --- firejail-0.9.64/etc/profile-m-z/ooviewdoc.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/ooviewdoc.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,5 +1,8 @@ # Firejail profile alias for libreoffice # This file is overwritten after every install/update +# Persistent local customizations +include ooviewdoc.local + # Redirect include libreoffice.profile diff -Nru firejail-0.9.64/etc/profile-m-z/openarena_ded.profile firejail-0.9.64.4/etc/profile-m-z/openarena_ded.profile --- firejail-0.9.64/etc/profile-m-z/openarena_ded.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/openarena_ded.profile 2021-02-04 15:29:49.000000000 +0000 
@@ -1,5 +1,8 @@ # Firejail profile alias for openarena # This file is overwritten after every install/update +# Persistent local customizations +include openarena_ded.local + # Redirect include openarena.profile diff -Nru firejail-0.9.64/etc/profile-m-z/openbox.profile firejail-0.9.64.4/etc/profile-m-z/openbox.profile --- firejail-0.9.64/etc/profile-m-z/openbox.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/openbox.profile 2021-02-04 15:29:49.000000000 +0000 @@ -6,7 +6,7 @@ # Persistent global definitions include globals.local -# all applications started in OpenBox will run in this profile +# all applications started in openbox will run in this profile noblacklist ${HOME}/.config/openbox include disable-common.inc diff -Nru firejail-0.9.64/etc/profile-m-z/openoffice.org.profile firejail-0.9.64.4/etc/profile-m-z/openoffice.org.profile --- firejail-0.9.64/etc/profile-m-z/openoffice.org.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/openoffice.org.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,5 +1,8 @@ # Firejail profile alias for libreoffice # This file is overwritten after every install/update +# Persistent local customizations +include openoffice.org.local + # Redirect include libreoffice.profile diff -Nru firejail-0.9.64/etc/profile-m-z/openshot.profile firejail-0.9.64.4/etc/profile-m-z/openshot.profile --- firejail-0.9.64/etc/profile-m-z/openshot.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/openshot.profile 2021-02-04 15:29:49.000000000 +0000 @@ -19,6 +19,10 @@ include disable-passwdmgr.inc include disable-programs.inc +whitelist /usr/share/blender +whitelist /usr/share/inkscape +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc include whitelist-var-common.inc apparmor 
@@ -32,11 +36,14 @@ nou2f protocol unix,inet,inet6,netlink seccomp +seccomp.block-secondary shell none tracelog +private-bin blender,inkscape,openshot,openshot-qt,python3* +private-cache private-dev private-tmp -dbus-user none +dbus-user filter dbus-system none diff -Nru firejail-0.9.64/etc/profile-m-z/openshot-qt.profile firejail-0.9.64.4/etc/profile-m-z/openshot-qt.profile --- firejail-0.9.64/etc/profile-m-z/openshot-qt.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/openshot-qt.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,5 +1,8 @@ # Firejail profile alias for openshot # This file is overwritten after every install/update +# Persistent local customizations +include openshot-qt.local + # Redirect include openshot.profile diff -Nru firejail-0.9.64/etc/profile-m-z/opera-beta.profile firejail-0.9.64.4/etc/profile-m-z/opera-beta.profile --- firejail-0.9.64/etc/profile-m-z/opera-beta.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/opera-beta.profile 2021-02-04 15:29:49.000000000 +0000 @@ -5,6 +5,11 @@ # Persistent global definitions include globals.local +# Disable for now, see https://www.tutorialspoint.com/difference-between-void-main-and-int-main-in-c-cplusplus +ignore whitelist /usr/share/chromium +ignore include whitelist-runuser-common.inc +ignore include whitelist-usr-share-common.inc + noblacklist ${HOME}/.cache/opera noblacklist ${HOME}/.config/opera-beta diff -Nru firejail-0.9.64/etc/profile-m-z/opera.profile firejail-0.9.64.4/etc/profile-m-z/opera.profile --- firejail-0.9.64/etc/profile-m-z/opera.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/opera.profile 2021-02-04 15:29:49.000000000 +0000 
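Review bot: `dbus-user none` becomes `dbus-user filter` with no `dbus-user.talk`/`dbus-user.own` rule anywhere in the hunk, so the result is a running proxy that still grants nothing, and the motivation is undocumented. Either add the names openshot actually needs (for example `dbus-user.talk org.freedesktop.Notifications`, if notifications were the trigger) or a comment such as `# filter instead of none so the app can connect to the bus without being granted any name`. The `python3*` wildcard in `private-bin` also pulls in every python3-prefixed binary; if only the interpreter is needed, naming `python3` and its versioned binary is tighter.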
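Review bot: The comment above the three `ignore` lines in opera-beta.profile points to a tutorialspoint page about `int main` in C++, which has nothing to do with why `whitelist /usr/share/chromium` and the two whitelist includes are disabled for Opera; anyone later deciding whether the workaround can be removed has no reference. Replace it with the actual tracking issue or a one-line description of the symptom, e.g. `# Disable for now, see <firejail issue about Opera breaking with whitelist-usr-share-common.inc>`. The same wrong link is introduced in the opera.profile hunk below.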
@@ -6,6 +6,11 @@ # Persistent global definitions include globals.local +# Disable for now, see https://www.tutorialspoint.com/difference-between-void-main-and-int-main-in-c-cplusplus +ignore whitelist /usr/share/chromium +ignore include whitelist-runuser-common.inc +ignore include whitelist-usr-share-common.inc + noblacklist ${HOME}/.cache/opera noblacklist ${HOME}/.config/opera noblacklist ${HOME}/.opera diff -Nru firejail-0.9.64/etc/profile-m-z/ostrichriders.profile firejail-0.9.64.4/etc/profile-m-z/ostrichriders.profile --- firejail-0.9.64/etc/profile-m-z/ostrichriders.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/ostrichriders.profile 2021-02-04 15:29:49.000000000 +0000 @@ -42,7 +42,7 @@ disable-mnt private-bin ostrichriders private-cache -# private-dev should be commented for controllers +# comment the following line if you need controller support private-dev private-tmp diff -Nru firejail-0.9.64/etc/profile-m-z/otter-browser.profile firejail-0.9.64.4/etc/profile-m-z/otter-browser.profile --- firejail-0.9.64/etc/profile-m-z/otter-browser.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/otter-browser.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,5 +1,5 @@ # Firejail profile for otter-browser -# Description: Lightweight web browser based on Qt5 +# Description: Lightweight web browser based on Qt5 # This file is overwritten after every install/update # Persistent local customizations include otter-browser.local @@ -32,7 +32,7 @@ whitelist ${HOME}/.local/share/pki whitelist /usr/share/otter-browser include whitelist-common.inc -include whitelist-runuser-common.inc +include whitelist-runuser-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc 
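Review bot: In opera.profile the `# Disable for now, see https://www.tutorialspoint.com/...` comment references an unrelated C++ tutorial instead of the problem that forced `ignore whitelist /usr/share/chromium` and the two `ignore include` lines; replace the URL with the tracking issue or describe the breakage so the workaround can be reviewed later.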
@@ -54,6 +54,6 @@ private-cache ?BROWSER_DISABLE_U2F: private-dev private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg -private-tmp +private-tmp dbus-system none diff -Nru firejail-0.9.64/etc/profile-m-z/pandoc.profile firejail-0.9.64.4/etc/profile-m-z/pandoc.profile --- firejail-0.9.64/etc/profile-m-z/pandoc.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/pandoc.profile 2021-02-04 15:29:49.000000000 +0000 @@ -7,7 +7,6 @@ # Persistent global definitions include globals.local -blacklist ${RUNUSER}/wayland-* blacklist ${RUNUSER} noblacklist ${DOCUMENTS} diff -Nru firejail-0.9.64/etc/profile-m-z/patch.profile firejail-0.9.64.4/etc/profile-m-z/patch.profile --- firejail-0.9.64/etc/profile-m-z/patch.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/patch.profile 2021-02-04 15:29:49.000000000 +0000 @@ -7,7 +7,6 @@ # Persistent global definitions include globals.local -blacklist ${RUNUSER}/wayland-* blacklist ${RUNUSER} noblacklist ${DOCUMENTS} @@ -37,6 +36,7 @@ novideo protocol unix seccomp +seccomp.block-secondary shell none tracelog x11 none diff -Nru firejail-0.9.64/etc/profile-m-z/pdftotext.profile firejail-0.9.64.4/etc/profile-m-z/pdftotext.profile --- firejail-0.9.64/etc/profile-m-z/pdftotext.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/pdftotext.profile 2021-02-04 15:29:49.000000000 +0000 @@ -6,13 +6,13 @@ # Persistent global definitions include globals.local -blacklist ${RUNUSER}/wayland-* blacklist ${RUNUSER} noblacklist ${DOCUMENTS} include disable-common.inc include disable-devel.inc +include disable-exec.inc include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc 
@@ -40,6 +40,7 @@ novideo protocol unix seccomp +seccomp.block-secondary shell none tracelog x11 none diff -Nru firejail-0.9.64/etc/profile-m-z/peek.profile firejail-0.9.64.4/etc/profile-m-z/peek.profile --- firejail-0.9.64/etc/profile-m-z/peek.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/peek.profile 2021-02-04 15:29:49.000000000 +0000 @@ -17,7 +17,18 @@ include disable-programs.inc include disable-xdg.inc +#mkdir ${HOME}/.cache/peek +#whitelist ${HOME}/.cache/peek +#whitelist ${PICTURES} +#whitelist ${VIDEOS} +#include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor caps.drop all +machine-id net none no3d nodvd @@ -30,14 +41,22 @@ novideo protocol unix seccomp +seccomp.block-secondary shell none +tracelog -# private-bin breaks gif mode, mp4 and webm mode work fine however -# private-bin convert,ffmpeg,peek +disable-mnt +private-bin bash,convert,ffmpeg,firejail,fish,peek,sh,which,zsh private-dev +private-etc dconf,firejail,fonts,gtk-3.0,login.defs,pango,passwd,X11 private-tmp -dbus-user none +dbus-user filter +dbus-user.own com.uploadedlobster.peek +dbus-user.talk ca.desrt.dconf +dbus-user.talk org.freedesktop.FileManager1 +dbus-user.talk org.freedesktop.Notifications +dbus-user.talk org.gnome.Shell.Screencast dbus-system none memory-deny-write-execute diff -Nru firejail-0.9.64/etc/profile-m-z/photoflare.profile firejail-0.9.64.4/etc/profile-m-z/photoflare.profile --- firejail-0.9.64/etc/profile-m-z/photoflare.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/photoflare.profile 2021-02-04 15:29:49.000000000 +0000 
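Review bot: The new `private-bin bash,convert,ffmpeg,firejail,fish,peek,sh,which,zsh` in peek.profile pulls three shells plus the firejail binary into a sandbox that also sets `shell none` and `memory-deny-write-execute`, with no comment saying why. The `firejail` entry (and `firejail` in the new `private-etc`) presumably exists because peek resolves `ffmpeg`/`convert` through $PATH and under firecfg those names are symlinks to the firejail wrapper, but that is inferred, not stated. The whitelist block above is left commented out without a reason, so $HOME stays fully readable. Add `# firejail and the shells are needed: peek runs ffmpeg/convert via $PATH, which under firecfg is the firejail symlink` above `private-bin`, and a one-line reason (or issue link) above the commented `#mkdir ${HOME}/.cache/peek` lines.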
@@ -0,0 +1,50 @@ +# Firejail profile for photoflare +# Description: Simple painting and editing program +# This file is overwritten after every install/update +# Persistent local customizations +include photoflare.local +# Persistent global definitions +include photoflare.local + +noblacklist ${PICTURES} + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +machine-id +net none +nodvd +no3d +nogroups +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix +seccomp +shell none +tracelog + +disable-mnt +private-bin photoflare +private-cache +private-dev +private-etc alternatives,fonts,locale,locale.alias,locale.conf,mime.types,X11 +private-tmp + +dbus-user none +dbus-system none diff -Nru firejail-0.9.64/etc/profile-m-z/ping.profile firejail-0.9.64.4/etc/profile-m-z/ping.profile --- firejail-0.9.64/etc/profile-m-z/ping.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/ping.profile 2021-02-04 15:29:49.000000000 +0000 @@ -8,7 +8,6 @@ include globals.local blacklist /tmp/.X11-unix -blacklist ${RUNUSER}/wayland-* blacklist ${RUNUSER} include disable-common.inc @@ -54,3 +53,6 @@ # memory-deny-write-execute is built using seccomp; nonewprivs will kill it #memory-deny-write-execute + +dbus-user none +dbus-system none diff -Nru firejail-0.9.64/etc/profile-m-z/pkglog.profile firejail-0.9.64.4/etc/profile-m-z/pkglog.profile --- firejail-0.9.64/etc/profile-m-z/pkglog.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/pkglog.profile 2021-02-04 15:29:49.000000000 +0000 
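Review bot: In the new photoflare.profile the `# Persistent global definitions` line is followed by `include photoflare.local` a second time instead of `include globals.local`, so the global overrides that every other profile honours are never read here. Change the second include to `include globals.local`, matching the header pattern of the other new profiles in this diff (pkglog, qnapi, shotwell, spectacle).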
@@ -0,0 +1,59 @@ +# Firejail profile for pklog +# Description: Reports log of package updates +# This file is overwritten after every install/update +# Persistent local customizations +include pkglog.local +# Persistent global definitions +include globals.local + +# Allow python3 (blacklisted by disable-interpreters.inc) +include allow-python3.inc + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc +include disable-xdg.inc + +whitelist /var/log/apt/history.log +whitelist /var/log/dnf.rpm.log +whitelist /var/log/pacman.log + +apparmor +caps.drop all +ipc-namespace +machine-id +net none +no3d +nodvd +nogroups +nonewprivs +noroot +nosound +notv +nou2f +novideo +seccomp +shell none +tracelog + +disable-mnt +private +private-bin pkglog,python* +private-cache +private-dev +private-etc alternatives +private-opt none +private-tmp +writable-var-log + +dbus-user none +dbus-system none + +memory-deny-write-execute +read-only ${HOME} +read-only /var/log/apt/history.log +read-only /var/log/dnf.rpm.log +read-only /var/log/pacman.log diff -Nru firejail-0.9.64/etc/profile-m-z/planmaker18free.profile firejail-0.9.64.4/etc/profile-m-z/planmaker18free.profile --- firejail-0.9.64/etc/profile-m-z/planmaker18free.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/planmaker18free.profile 2021-02-04 15:29:49.000000000 +0000 @@ -7,4 +7,4 @@ include globals.local # Redirect -include softmaker-common.inc +include softmaker-common.profile diff -Nru firejail-0.9.64/etc/profile-m-z/planmaker18.profile firejail-0.9.64.4/etc/profile-m-z/planmaker18.profile --- firejail-0.9.64/etc/profile-m-z/planmaker18.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/planmaker18.profile 2021-02-04 15:29:49.000000000 +0000 
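Review bot: The header of the new profile reads `# Firejail profile for pklog` while the file name, `include pkglog.local` and `private-bin pkglog,python*` all spell it `pkglog`; fix the header to `# Firejail profile for pkglog`. The `writable-var-log` / `read-only /var/log/...` pairing also deserves a comment: it looks like `writable-var-log` is there only so the real /var/log stays mounted for the three whitelisted logs, with the `read-only` lines then taking write access back, but nothing says so. Suggest `# writable-var-log keeps the real /var/log visible for the whitelisted logs; they are made read-only below` above `writable-var-log`.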
@@ -7,4 +7,4 @@ include globals.local # Redirect -include softmaker-common.inc +include softmaker-common.profile diff -Nru firejail-0.9.64/etc/profile-m-z/playonlinux.profile firejail-0.9.64.4/etc/profile-m-z/playonlinux.profile --- firejail-0.9.64/etc/profile-m-z/playonlinux.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/playonlinux.profile 2021-02-04 15:29:49.000000000 +0000 @@ -4,34 +4,17 @@ # Persistent local customizations include playonlinux.local # Persistent global definitions -include globals.local +# added by included profile +#include globals.local -noblacklist ${HOME}/.Steam -noblacklist ${HOME}/.local/share/Steam -noblacklist ${HOME}/.local/share/steam -noblacklist ${HOME}/.steam noblacklist ${HOME}/.PlayOnLinux # nc is needed to run playonlinux noblacklist ${PATH}/nc -# Allow python (blacklisted by disable-interpreters.inc) include allow-python2.inc include allow-python3.inc - -# Allow perl (blacklisted by disable-interpreters.inc) include allow-perl.inc -include disable-common.inc -include disable-devel.inc -include disable-interpreters.inc -include disable-programs.inc - -caps.drop all -netfilter -nodvd -nogroups -nonewprivs -noroot -notv -seccomp +# Redirect +include wine.profile diff -Nru firejail-0.9.64/etc/profile-m-z/plv.profile firejail-0.9.64.4/etc/profile-m-z/plv.profile --- firejail-0.9.64/etc/profile-m-z/plv.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/plv.profile 2021-02-04 15:29:49.000000000 +0000 @@ -18,7 +18,7 @@ mkdir ${HOME}/.config/PacmanLogViewer whitelist ${HOME}/.config/PacmanLogViewer -whitelist /var/log/pacman* +whitelist /var/log/pacman.log include whitelist-common.inc include whitelist-usr-share-common.inc include whitelist-runuser-common.inc 
@@ -57,3 +57,4 @@ #memory-deny-write-execute - breaks opening file-chooser read-only ${HOME} read-write ${HOME}/.config/PacmanLogViewer +read-only /var/log/pacman.log diff -Nru firejail-0.9.64/etc/profile-m-z/pngquant.profile firejail-0.9.64.4/etc/profile-m-z/pngquant.profile --- firejail-0.9.64/etc/profile-m-z/pngquant.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/pngquant.profile 2021-02-04 15:29:49.000000000 +0000 @@ -7,6 +7,8 @@ # Persistent global definitions include globals.local +noblacklist ${PICTURES} + blacklist ${RUNUSER}/wayland-* include disable-common.inc @@ -16,6 +18,7 @@ include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc +include disable-xdg.inc include whitelist-runuser-common.inc include whitelist-usr-share-common.inc diff -Nru firejail-0.9.64/etc/profile-m-z/ppsspp.profile firejail-0.9.64.4/etc/profile-m-z/ppsspp.profile --- firejail-0.9.64/etc/profile-m-z/ppsspp.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/ppsspp.profile 2021-02-04 15:29:49.000000000 +0000 @@ -32,7 +32,7 @@ seccomp shell none -# private-dev is disabled to allow controller support +# uncomment the following line if you do not need controller support #private-dev private-etc alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl private-opt ppsspp diff -Nru firejail-0.9.64/etc/profile-m-z/presentations18free.profile firejail-0.9.64.4/etc/profile-m-z/presentations18free.profile --- firejail-0.9.64/etc/profile-m-z/presentations18free.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/presentations18free.profile 2021-02-04 15:29:49.000000000 +0000 
@@ -7,4 +7,4 @@ include globals.local # Redirect -include softmaker-common.inc +include softmaker-common.profile diff -Nru firejail-0.9.64/etc/profile-m-z/presentations18.profile firejail-0.9.64.4/etc/profile-m-z/presentations18.profile --- firejail-0.9.64/etc/profile-m-z/presentations18.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/presentations18.profile 2021-02-04 15:29:49.000000000 +0000 @@ -7,5 +7,5 @@ include globals.local # Redirect -include softmaker-common.inc +include softmaker-common.profile diff -Nru firejail-0.9.64/etc/profile-m-z/pycharm-professional.profile firejail-0.9.64.4/etc/profile-m-z/pycharm-professional.profile --- firejail-0.9.64/etc/profile-m-z/pycharm-professional.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/pycharm-professional.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,6 +1,9 @@ # Firejail profilen alias for pycharm-professional # This file is overwritten after every install/update +# Persistent local customizations +include pyucharm-professional.local + noblacklist ${HOME}/.PyCharm* # Redirect diff -Nru firejail-0.9.64/etc/profile-m-z/pzstd.profile firejail-0.9.64.4/etc/profile-m-z/pzstd.profile --- firejail-0.9.64/etc/profile-m-z/pzstd.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/pzstd.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,5 +1,8 @@ # Firejail profile alias for zstd # This file is overwritten after every install/update +# Persistent local customizations +include pzstd.local + # Redirect include zstd.profile diff -Nru firejail-0.9.64/etc/profile-m-z/qbittorrent.profile firejail-0.9.64.4/etc/profile-m-z/qbittorrent.profile --- firejail-0.9.64/etc/profile-m-z/qbittorrent.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/qbittorrent.profile 2021-02-04 15:29:49.000000000 +0000 
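Review bot: The added `include pyucharm-professional.local` in pycharm-professional.profile has a typo (`pyucharm`), so the local-override file the `# Persistent local customizations` comment invites users to create is never read. It should be `include pycharm-professional.local`, matching the file name; the pre-existing `# Firejail profilen alias` typo on the context line could be fixed in the same pass.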
@@ -56,6 +56,7 @@ # private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,resolv.conf,ssl,X11,xdg private-tmp +# See https://github.com/netblue30/firejail/issues/3707 for tray-icon dbus-user none dbus-system none diff -Nru firejail-0.9.64/etc/profile-m-z/QMediathekView.profile firejail-0.9.64.4/etc/profile-m-z/QMediathekView.profile --- firejail-0.9.64/etc/profile-m-z/QMediathekView.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/QMediathekView.profile 2021-02-04 15:29:49.000000000 +0000 @@ -53,7 +53,7 @@ private-dev private-tmp -# dbus-user none -# dbus-system none +dbus-user none +dbus-system none #memory-deny-write-execute - breaks on Arch (see issue #1803) diff -Nru firejail-0.9.64/etc/profile-m-z/qnapi.profile firejail-0.9.64.4/etc/profile-m-z/qnapi.profile --- firejail-0.9.64/etc/profile-m-z/qnapi.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/qnapi.profile 2021-02-04 15:29:49.000000000 +0000 
@@ -0,0 +1,55 @@ +# Firejail profile for qnapi +# Description: Qt client for downloading movie subtitles from NapiProjekt, OpenSubtitles and Napisy24 +# This file is overwritten after every install/update +# Persistent local customizations +include qnapi.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.config/qnapi.ini + +ignore noexec /tmp + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +mkfile ${HOME}/.config/qnapi.ini +whitelist ${HOME}/.config/qnapi.ini +whitelist ${DOWNLOADS} +include whitelist-common.inc +include whitelist-usr-share-common.inc +include whitelist-runuser-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +ipc-namespace +netfilter +nodvd +nogroups +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix,inet,inet6,netlink +seccomp +shell none +tracelog + +private-bin 7z,qnapi +private-cache +private-dev +private-etc alternatives,fonts +private-opt none +private-tmp + +dbus-user none +dbus-system none diff -Nru firejail-0.9.64/etc/profile-m-z/qrencode.profile firejail-0.9.64.4/etc/profile-m-z/qrencode.profile --- firejail-0.9.64/etc/profile-m-z/qrencode.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/qrencode.profile 2021-02-04 15:29:49.000000000 +0000 @@ -7,7 +7,6 @@ # Persistent global definitions include globals.local -blacklist ${RUNUSER}/wayland-* blacklist ${RUNUSER} include disable-common.inc diff -Nru firejail-0.9.64/etc/profile-m-z/quaternion.profile firejail-0.9.64.4/etc/profile-m-z/quaternion.profile --- firejail-0.9.64/etc/profile-m-z/quaternion.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/quaternion.profile 2021-02-04 15:29:49.000000000 +0000 
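Review bot: The new qnapi.profile sets `ignore noexec /tmp` directly before `include disable-exec.inc`, cancelling the /tmp noexec that include applies, without saying what in qnapi needs to execute from /tmp. The profile also has network access (`protocol unix,inet,inet6,netlink`, `netfilter`) and unpacks downloaded archives with `7z`, so an executable /tmp is exactly where untrusted content could end up running, and the exception should be justified. Add `# qnapi needs an executable /tmp for <reason>` above the `ignore` line, or drop it if the need cannot be confirmed; the sibling skypeforlinux.profile in this diff at least records `# breaks Skype`.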
@@ -1,5 +1,5 @@ # Firejail profile for quaternion -# Description: Desktop client for Matrix +# Description: Desktop client for Matrix # This file is overwritten after every install/update # Persistent local customizations include quaternion.local @@ -25,7 +25,7 @@ whitelist ${DOWNLOADS} whitelist /usr/share/Quotient/quaternion include whitelist-common.inc -include whitelist-runuser-common.inc +include whitelist-runuser-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc diff -Nru firejail-0.9.64/etc/profile-m-z/rhythmbox.profile firejail-0.9.64.4/etc/profile-m-z/rhythmbox.profile --- firejail-0.9.64/etc/profile-m-z/rhythmbox.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/rhythmbox.profile 2021-02-04 15:29:49.000000000 +0000 @@ -45,10 +45,12 @@ novideo protocol unix,inet,inet6,netlink seccomp +seccomp.block-secondary shell none tracelog private-bin rhythmbox,rhythmbox-client +private-cache private-dev private-tmp @@ -57,6 +59,7 @@ dbus-user.own org.mpris.MediaPlayer2.rhythmbox dbus-user.own org.gnome.UPnP.MediaServer2.Rhythmbox dbus-user.talk ca.desrt.dconf +dbus-user.talk org.gtk.vfs.* dbus-user.talk org.freedesktop.Notifications dbus-user.talk org.gnome.SettingsDaemon.MediaKeys dbus-system filter diff -Nru firejail-0.9.64/etc/profile-m-z/riot-desktop.profile firejail-0.9.64.4/etc/profile-m-z/riot-desktop.profile --- firejail-0.9.64/etc/profile-m-z/riot-desktop.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/riot-desktop.profile 2021-02-04 15:29:49.000000000 +0000 
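Review bot: The added `dbus-user.talk org.gtk.vfs.*` in rhythmbox.profile lets the sandboxed player talk to every gvfs name on the session bus; the gvfs daemons run outside the sandbox and perform file and network operations on the caller's behalf, so the wildcard widens the filter beyond what a local media player appears to need. The shotwell profile added in this same diff grants only `dbus-user.talk org.gtk.vfs.UDisks2VolumeMonitor`; if rhythmbox only needs removable-device detection, narrow to that name, otherwise add a comment naming the gvfs service that actually requires the wildcard.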
@@ -7,7 +7,5 @@ # added by included profile #include globals.local -seccomp !chroot - # Redirect include riot-web.profile diff -Nru firejail-0.9.64/etc/profile-m-z/riot-web.profile firejail-0.9.64.4/etc/profile-m-z/riot-web.profile --- firejail-0.9.64/etc/profile-m-z/riot-web.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/riot-web.profile 2021-02-04 15:29:49.000000000 +0000 @@ -4,14 +4,15 @@ # Persistent local customizations include riot-web.local # Persistent global definitions -# added by included profile -#include globals.local +include globals.local + +ignore noexec /tmp noblacklist ${HOME}/.config/Riot mkdir ${HOME}/.config/Riot whitelist ${HOME}/.config/Riot -include whitelist-common.inc +whitelist /usr/share/webapps/element # Redirect include electron.profile diff -Nru firejail-0.9.64/etc/profile-m-z/rocketchat.profile firejail-0.9.64.4/etc/profile-m-z/rocketchat.profile --- firejail-0.9.64/etc/profile-m-z/rocketchat.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/rocketchat.profile 2021-02-04 15:29:49.000000000 +0000 
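Review bot: The added `ignore noexec /tmp` in riot-web.profile carries no explanation, unlike the same line in skypeforlinux.profile (`# breaks Skype`), and it removes the /tmp noexec that the redirected electron.profile presumably applies through disable-exec.inc; add `# <what breaks without it>` above it or reference the issue. The profile also now includes `globals.local` itself while still redirecting to electron.profile; riot-desktop's `# added by included profile` comment on the same line suggests electron.profile includes it too, so globals.local may now be processed twice, which is worth confirming is harmless.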
@@ -3,14 +3,28 @@ # Persistent local customizations include rocketchat.local # Persistent global definitions -# added by included profile -#include globals.local +include globals.local + +# Disabled until someone reported positive feedback +ignore include disable-devel.inc +ignore include disable-exec.inc +ignore include disable-interpreters.inc +ignore include disable-xdg.inc +ignore include whitelist-runuser-common.inc +ignore include whitelist-usr-share-common.inc +ignore include whitelist-var-common.inc +ignore nou2f +ignore novideo +ignore shell none +ignore disable-mnt +ignore private-cache +ignore private-dev +ignore private-tmp noblacklist ${HOME}/.config/Rocket.Chat mkdir ${HOME}/.config/Rocket.Chat whitelist ${HOME}/.config/Rocket.Chat -include whitelist-common.inc # Redirect include electron.profile diff -Nru firejail-0.9.64/etc/profile-m-z/rsync-download_only.profile firejail-0.9.64.4/etc/profile-m-z/rsync-download_only.profile --- firejail-0.9.64/etc/profile-m-z/rsync-download_only.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/rsync-download_only.profile 2021-02-04 15:29:49.000000000 +0000 @@ -13,7 +13,6 @@ # Usage: firejail --profile=rsync-download_only rsync blacklist /tmp/.X11-unix -blacklist ${RUNUSER}/wayland-* blacklist ${RUNUSER} include disable-common.inc diff -Nru firejail-0.9.64/etc/profile-m-z/runenpass.sh.profile firejail-0.9.64.4/etc/profile-m-z/runenpass.sh.profile --- firejail-0.9.64/etc/profile-m-z/runenpass.sh.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/runenpass.sh.profile 2021-02-04 15:29:49.000000000 +0000 
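Review bot: The new `ignore` block in rocketchat.profile switches off, among others, `private-dev`, `private-tmp`, `disable-mnt`, `shell none` and `disable-exec.inc` that the redirected electron.profile presumably applies, so the app keeps the host /tmp, all device nodes and mounted media with no record of which of these were actually observed to break it. The comment `# Disabled until someone reported positive feedback` should read `# Disabled until someone reports positive feedback` and point at the tracking issue, so each `ignore` can be removed once tested rather than being inherited indefinitely.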
@@ -1,5 +1,8 @@ # Firejail alias profile for enpass # This file is overwritten after every install/update +# Persistent local customizations +include runenpass.sh.local + # Redirect include enpass.profile diff -Nru firejail-0.9.64/etc/profile-m-z/Screenshot.profile firejail-0.9.64.4/etc/profile-m-z/Screenshot.profile --- firejail-0.9.64/etc/profile-m-z/Screenshot.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/Screenshot.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,6 +1,9 @@ # Firejail profile for gnome-screenshot # This file is overwritten after every install/update +# Persistent local customizations +include Screenshot.local + # Temporary fix for https://github.com/netblue30/firejail/issues/2624 # Redirect include gnome-screenshot.profile diff -Nru firejail-0.9.64/etc/profile-m-z/seahorse.profile firejail-0.9.64.4/etc/profile-m-z/seahorse.profile --- firejail-0.9.64/etc/profile-m-z/seahorse.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/seahorse.profile 2021-02-04 15:29:49.000000000 +0000 @@ -63,6 +63,7 @@ writable-run-user dbus-user filter +dbus-user.own org.gnome.seahorse dbus-user.own org.gnome.seahorse.Application dbus-user.talk org.freedesktop.secrets dbus-system none diff -Nru firejail-0.9.64/etc/profile-m-z/seamonkey-bin.profile firejail-0.9.64.4/etc/profile-m-z/seamonkey-bin.profile --- firejail-0.9.64/etc/profile-m-z/seamonkey-bin.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/seamonkey-bin.profile 2021-02-04 15:29:49.000000000 +0000 
@@ -1,5 +1,8 @@ # Firejail profile alias for seamonkey # This file is overwritten after every install/update +# Persistent local customizations +include seamonkey-bin.local + # Redirect include seamonkey.profile diff -Nru firejail-0.9.64/etc/profile-m-z/server.profile firejail-0.9.64.4/etc/profile-m-z/server.profile --- firejail-0.9.64/etc/profile-m-z/server.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/server.profile 2021-02-04 15:29:49.000000000 +0000 @@ -45,10 +45,17 @@ # include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc -# include disable-xdg.inc +include disable-write-mnt.inc +include disable-xdg.inc +# include whitelist-runuser-common.inc +# include whitelist-usr-share-common.inc +# include whitelist-var-common.inc + +apparmor caps # ipc-namespace +machine-id # netfilter /etc/firejail/webserver.net no3d nodvd @@ -59,19 +66,26 @@ notv nou2f novideo +# protocol unix,inet,inet6,netlink seccomp # shell none -# disable-mnt +disable-mnt private # private-bin program # private-cache private-dev +# see /usr/share/doc/firejail/profile.template for more common private-etc paths. # private-etc alternatives # private-lib +# private-opt none private-tmp -# dbus-user none +dbus-user none # dbus-system none # memory-deny-write-execute +# read-only ${HOME} +# writable-run-user +# writable-var +# writable-var-log diff -Nru firejail-0.9.64/etc/profile-m-z/servo.profile firejail-0.9.64.4/etc/profile-m-z/servo.profile --- firejail-0.9.64/etc/profile-m-z/servo.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/servo.profile 2021-02-04 15:29:49.000000000 +0000 
@@ -0,0 +1,48 @@ +# Firejail profile for servo +# Description: The Servo Browser Engine +# This file is overwritten after every install/update +# Persistent local customizations +include servo.local +# Persistent global definitions +include globals.local + +# Servo is usually installed inside $HOME +ignore noexec ${HOME} + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc +include disable-xdg.inc + +# Add a whitelist for the directory where servo is installed and uncomment the lines below. +#whitelist ${DOWNLOADS} +#include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +caps.drop all +netfilter +nodvd +nogroups +nonewprivs +noroot +notv +nou2f +novideo +protocol unix,inet,inet6 +seccomp +shell none +tracelog + +disable-mnt +private-bin servo,sh +private-cache +private-dev +private-tmp + +dbus-user none +dbus-system none diff -Nru firejail-0.9.64/etc/profile-m-z/shellcheck.profile firejail-0.9.64.4/etc/profile-m-z/shellcheck.profile --- firejail-0.9.64/etc/profile-m-z/shellcheck.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/shellcheck.profile 2021-02-04 15:29:49.000000000 +0000 @@ -7,7 +7,6 @@ # Persistent global definitions include globals.local -blacklist ${RUNUSER}/wayland-* blacklist ${RUNUSER} noblacklist ${DOCUMENTS} @@ -40,6 +39,7 @@ novideo protocol unix seccomp +seccomp.block-secondary shell none tracelog x11 none diff -Nru firejail-0.9.64/etc/profile-m-z/shotwell.profile firejail-0.9.64.4/etc/profile-m-z/shotwell.profile --- firejail-0.9.64/etc/profile-m-z/shotwell.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/shotwell.profile 2021-02-04 15:29:49.000000000 +0000 
@@ -0,0 +1,60 @@ +# Firejail profile for shotwell +# Description: A digital photo organizer designed for the GNOME desktop environment +# This file is overwritten after every install/update +# Persistent local customizations +include shotwell.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.cache/shotwell +noblacklist ${HOME}/.local/share/shotwell + +noblacklist ${PICTURES} +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +mkdir ${HOME}/.cache/shotwell +mkdir ${HOME}/.local/share/shotwell +whitelist ${HOME}/.cache/shotwell +whitelist ${HOME}/.local/share/shotwell +whitelist ${PICTURES} +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +machine-id +netfilter +nodvd +nogroups +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix +seccomp +shell none +tracelog + +private-bin shotwell +private-cache +private-dev +private-etc alternatives,fonts,machine-id +private-opt none +private-tmp + +dbus-user filter +dbus-user.own org.gnome.Shotwell +dbus-user.talk ca.desrt.dconf +dbus-user.talk org.gtk.vfs.UDisks2VolumeMonitor +dbus-system none diff -Nru firejail-0.9.64/etc/profile-m-z/signal-desktop.profile firejail-0.9.64.4/etc/profile-m-z/signal-desktop.profile --- firejail-0.9.64/etc/profile-m-z/signal-desktop.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/signal-desktop.profile 2021-02-04 15:29:49.000000000 +0000 
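Review bot: The new shotwell.profile both spoofs /etc/machine-id via the `machine-id` directive and lists `machine-id` in `private-etc alternatives,fonts,machine-id`, which copies the real file into the private /etc; which of the two wins depends on the order firejail applies them, and nothing says whether the private-etc entry is intentional (for instance as the bind-mount target for the spoofed id). Either drop `machine-id` from `private-etc` if the spoof works without it, or add `# machine-id is listed in private-etc only as the mount point for the spoofed id` so the next reader does not "clean it up". Minor style: `noblacklist ${PICTURES}` is glued to the `include disable-*.inc` block without the blank line the other profiles use.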
@@ -5,6 +5,13 @@ # Persistent global definitions include globals.local +# Disabled until someone reported positive feedback +ignore include-xdg.inc +ignore include whitelist-runuser-common.inc +ignore include whitelist-usr-share-common.inc +ignore private-cache +ignore novideo + ignore noexec /tmp noblacklist ${HOME}/.config/Signal @@ -14,32 +21,10 @@ whitelist ${HOME}/.mozilla/firefox/profiles.ini read-only ${HOME}/.mozilla/firefox/profiles.ini -include disable-common.inc -include disable-devel.inc -include disable-exec.inc -include disable-interpreters.inc -include disable-programs.inc -include disable-passwdmgr.inc - mkdir ${HOME}/.config/Signal -whitelist ${DOWNLOADS} whitelist ${HOME}/.config/Signal -include whitelist-common.inc -include whitelist-var-common.inc - -apparmor -caps.keep sys_admin,sys_chroot -netfilter -nodvd -nogroups -notv -nou2f -shell none -disable-mnt -private-dev private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl -private-tmp -dbus-user none -dbus-system none +# Redirect +include electron.profile diff -Nru firejail-0.9.64/etc/profile-m-z/skypeforlinux.profile firejail-0.9.64.4/etc/profile-m-z/skypeforlinux.profile --- firejail-0.9.64/etc/profile-m-z/skypeforlinux.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/skypeforlinux.profile 2021-02-04 15:29:49.000000000 +0000 
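Review bot: The added `ignore include-xdg.inc` in signal-desktop.profile names a file that does not exist; the intended line, as written in rocketchat.profile in this same diff, is `ignore include disable-xdg.inc`. As it stands the ignore matches nothing, so disable-xdg.inc from the redirected electron.profile still applies even though the old signal profile never included it and the comment says it is disabled pending feedback.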
@@ -5,27 +5,24 @@ # Persistent global definitions include globals.local +# Disabled until someone reported positive feedback +ignore whitelist ${DOWNLOADS} +ignore include whitelist-common.inc +ignore include whitelist-runuser-common.inc +ignore include whitelist-usr-share-common.inc +ignore include whitelist-var-common.inc +ignore nou2f +ignore novideo +ignore private-dev +ignore dbus-user none +ignore dbus-system none + # breaks Skype ignore noexec /tmp noblacklist ${HOME}/.config/skypeforlinux -include disable-common.inc -include disable-devel.inc -include disable-exec.inc -include disable-interpreters.inc -include disable-passwdmgr.inc -include disable-programs.inc -include disable-xdg.inc - -caps.keep sys_admin,sys_chroot -netfilter -nodvd -nogroups -notv -shell none - -disable-mnt -private-cache # private-dev - needs /dev/disk -private-tmp + +# Redirect +include electron.profile diff -Nru firejail-0.9.64/etc/profile-m-z/slack.profile firejail-0.9.64.4/etc/profile-m-z/slack.profile --- firejail-0.9.64/etc/profile-m-z/slack.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/slack.profile 2021-02-04 15:29:49.000000000 +0000 
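Review bot: The new `ignore dbus-user none` and `ignore dbus-system none` in skypeforlinux.profile remove the D-Bus restriction entirely instead of replacing it with `dbus-user filter` plus the names Skype needs, and no reason is recorded for that or for `ignore private-dev`. The old explanation `# private-dev - needs /dev/disk` now sits orphaned below the deleted block; move it next to `ignore private-dev` and give the dbus lines a similar `# breaks ...` note, as already done for `ignore noexec /tmp`.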
@@ -5,31 +5,26 @@ # Persistent global definitions include globals.local +# Disabled until someone reported positive feedback +ignore include disable-exec.inc +ignore include disable-xdg.inc +ignore include whitelist-runuser-common.inc +ignore include whitelist-usr-share-common.inc +ignore apparmor +ignore novideo +ignore private-tmp +ignore dbus-user none +ignore dbus-system none + noblacklist ${HOME}/.config/Slack -include disable-common.inc -include disable-devel.inc -include disable-interpreters.inc -include disable-passwdmgr.inc -include disable-programs.inc include disable-shell.inc mkdir ${HOME}/.config/Slack whitelist ${HOME}/.config/Slack -whitelist ${DOWNLOADS} -include whitelist-common.inc -include whitelist-var-common.inc - -caps.keep sys_admin,sys_chroot -netfilter -nodvd -nogroups -notv -nou2f -shell none -disable-mnt private-bin locale,slack -private-cache -private-dev private-etc alternatives,asound.conf,ca-certificates,crypto-policies,debian_version,fedora-release,fonts,group,ld.so.cache,ld.so.conf,localtime,machine-id,os-release,passwd,pki,pulse,redhat-release,resolv.conf,ssl,system-release,system-release-cpe + +# Redirect +include electron.profile diff -Nru firejail-0.9.64/etc/profile-m-z/snox.profile firejail-0.9.64.4/etc/profile-m-z/snox.profile --- firejail-0.9.64/etc/profile-m-z/snox.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/snox.profile 2021-02-04 15:29:49.000000000 +0000 
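Review bot: The added `ignore apparmor` in slack.profile drops the AppArmor confinement electron.profile would otherwise apply, alongside `ignore private-tmp` and the two `ignore dbus-* none` lines, with only the generic `# Disabled until someone reported positive feedback` comment. AppArmor is the one layer here that does not depend on the rest of the profile being right, so record what fails with it enabled (`# apparmor: breaks <symptom>, see issue #...`) or test it before ignoring it; also fix the comment to `# Disabled until someone reports positive feedback`.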
@@ -5,6 +5,11 @@ # Persistent global definitions include globals.local +# Disable for now, see https://www.tutorialspoint.com/difference-between-void-main-and-int-main-in-c-cplusplus +ignore whitelist /usr/share/chromium +ignore include whitelist-runuser-common.inc +ignore include whitelist-usr-share-common.inc + noblacklist ${HOME}/.cache/snox noblacklist ${HOME}/.config/snox diff -Nru firejail-0.9.64/etc/profile-m-z/soffice.profile firejail-0.9.64.4/etc/profile-m-z/soffice.profile --- firejail-0.9.64/etc/profile-m-z/soffice.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/soffice.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,5 +1,8 @@ # Firejail profile alias for libreoffice # This file is overwritten after every install/update +# Persistent local customizations +include soffice.local + # Redirect include libreoffice.profile diff -Nru firejail-0.9.64/etc/profile-m-z/softmaker-common.profile firejail-0.9.64.4/etc/profile-m-z/softmaker-common.profile --- firejail-0.9.64/etc/profile-m-z/softmaker-common.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/softmaker-common.profile 2021-02-04 15:29:49.000000000 +0000 
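Review bot: The `# Disable for now` comment added to snox.profile links a C/C++ tutorial page (tutorialspoint "void main vs int main") as the reason for ignoring `whitelist /usr/share/chromium`, `whitelist-runuser-common.inc` and `whitelist-usr-share-common.inc`, the same copy-paste as in opera.profile earlier in this diff. Since the change exposes the full /usr/share and /run/user/UID view, replace the link with the actual symptom and upstream issue, e.g. `# Disable for now, breaks <what>; see https://github.com/netblue30/firejail/issues/<n>`.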
@@ -0,0 +1,50 @@ +# Firejail profile for softmaker-common +# This file is overwritten after every install/update +# Persistent local customizations +include softmaker-common.local +# Persistent global definitions +# added by caller profile +#include globals.local + +# The offical packages install the desktop file under /usr/local/share/applications +# with an absolute Exec line. These files are NOT handelt by firecfg, +# therefore you must manualy copy them in you home and remove '/usr/bin/'. + +noblacklist ${HOME}/SoftMaker + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc + +whitelist /usr/share/office2018 +whitelist /usr/share/freeoffice2018 +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +ipc-namespace +netfilter +nodvd +nogroups +nonewprivs +noroot +notv +nou2f +novideo +protocol unix,inet,inet6 +seccomp +shell none +tracelog + +private-bin freeoffice-planmaker,freeoffice-presentations,freeoffice-textmaker,planmaker18,planmaker18free,presentations18,presentations18free,sh,textmaker18,textmaker18free +private-cache +private-dev +private-etc ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,SoftMaker,ssl +private-tmp + +dbus-user none +dbus-system none diff -Nru firejail-0.9.64/etc/profile-m-z/spectacle.profile firejail-0.9.64.4/etc/profile-m-z/spectacle.profile --- firejail-0.9.64/etc/profile-m-z/spectacle.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/spectacle.profile 2021-02-04 15:29:49.000000000 +0000 
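Review bot: The explanatory comment in the new softmaker-common.profile has several typos (`offical`, `handelt`, `manualy`, `in you home`) and an instruction that is hard to follow. Suggested wording: `# The official packages install the desktop files under /usr/local/share/applications` / `# with an absolute Exec line. These files are NOT handled by firecfg, so copy them` / `# into your home directory manually and remove '/usr/bin/' from the Exec line.` Separately, `sh` is included in `private-bin` next to `include disable-exec.inc`; a one-line note on which launcher script needs it (the softmaker entry points look like wrapper scripts, but that is inferred) would help the next reader.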
@@ -0,0 +1,64 @@
+# Firejail profile for spectacle
+# Description: Spectacle is a simple application for capturing desktop screenshots.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include spectacle.local
+# Persistent global definitions
+include globals.local
+
+# Uncomment the following lines to use sharing services.
+#netfilter
+#ignore net none
+#private-etc ca-certificates,crypto-policies,pki,resolv.conf,ssl
+#protocol unix,inet,inet6
+
+noblacklist ${HOME}/.config/spectaclerc
+noblacklist ${PICTURES}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkfile ${HOME}/.config/spectaclerc
+whitelist ${HOME}/.config/spectaclerc
+whitelist ${PICTURES}
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin spectacle
+private-cache
+private-dev
+private-etc alternatives,fonts,ld.so.conf
+private-tmp
+
+dbus-user filter
+dbus-user.own org.kde.spectacle
+dbus-user.talk org.freedesktop.FileManager1
+#dbus-user.talk org.kde.JobViewServer
+#dbus-user.talk org.kde.kglobalaccel
+dbus-system none
diff -Nru firejail-0.9.64/etc/profile-m-z/spectral.profile firejail-0.9.64.4/etc/profile-m-z/spectral.profile
--- firejail-0.9.64/etc/profile-m-z/spectral.profile 2020-10-06 12:50:41.000000000 +0000
+++ firejail-0.9.64.4/etc/profile-m-z/spectral.profile 2021-02-04 15:29:49.000000000 +0000
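Review bot: `private-etc alternatives,fonts,ld.so.conf` keeps ld.so.conf but not ld.so.cache, yet ld.so.cache is the file the dynamic loader consults at run time (ld.so.conf is input for ldconfig), and every other private-etc line in this patch that mentions the loader (softmaker-common, steam, sysprof, telegram) lists `ld.so.cache`. Unless this was verified to work on a system where the loader falls back to the default library paths, it is most likely meant to be `private-etc alternatives,fonts,ld.so.cache`. A one-line comment on why `dbus-user.talk org.freedesktop.FileManager1` is granted (presumably the "open containing folder" action) would also help the next person auditing the D-Bus filter.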
@@ -1,5 +1,5 @@ # Firejail profile for spectral -# Description: Desktop client for Matrix +# Description: Desktop client for Matrix # This file is overwritten after every install/update # Persistent local customizations include spectral.local @@ -24,7 +24,7 @@ whitelist ${HOME}/.config/ENCOM whitelist ${DOWNLOADS} include whitelist-common.inc -include whitelist-runuser-common.inc +include whitelist-runuser-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc @@ -50,4 +50,8 @@ private-tmp dbus-user none +# Comment the above line and uncomment below lines for notification popups +# dbus-user filter +# dbus-user.talk org.freedesktop.Notifications +# dbus-user.talk org.kde.StatusNotifierWatcher dbus-system none diff -Nru firejail-0.9.64/etc/profile-m-z/sqlitebrowser.profile firejail-0.9.64.4/etc/profile-m-z/sqlitebrowser.profile --- firejail-0.9.64/etc/profile-m-z/sqlitebrowser.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/sqlitebrowser.profile 2021-02-04 15:29:49.000000000 +0000 @@ -18,6 +18,7 @@ include disable-shell.inc include disable-xdg.inc +include whitelist-runuser-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc @@ -35,6 +36,7 @@ novideo protocol unix,inet,inet6,netlink seccomp +seccomp.block-secondary shell none private-bin sqlitebrowser diff -Nru firejail-0.9.64/etc/profile-m-z/ssh.profile firejail-0.9.64.4/etc/profile-m-z/ssh.profile --- firejail-0.9.64/etc/profile-m-z/ssh.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/ssh.profile 2021-02-04 15:29:49.000000000 +0000 @@ -19,8 +19,8 @@ include disable-passwdmgr.inc include disable-programs.inc -whitelist ${RUNUSER}/keyring/ssh whitelist ${RUNUSER}/gnupg/S.gpg-agent.ssh +whitelist ${RUNUSER}/keyring/ssh include whitelist-usr-share-common.inc include whitelist-runuser-common.inc 
@@ -34,7 +34,7 @@ # noroot - see issue #1543 nosound notv -nou2f +# nou2f - OpenSSH >= 8.2 supports U2F novideo protocol unix,inet,inet6 seccomp diff -Nru firejail-0.9.64/etc/profile-m-z/steam-native.profile firejail-0.9.64.4/etc/profile-m-z/steam-native.profile --- firejail-0.9.64/etc/profile-m-z/steam-native.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/steam-native.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,5 +1,8 @@ # Firejail profile alias for steam # This file is overwritten after every install/update +# Persistent local customizations +include steam-native.local + # Redirect include steam.profile diff -Nru firejail-0.9.64/etc/profile-m-z/steam.profile firejail-0.9.64.4/etc/profile-m-z/steam.profile --- firejail-0.9.64/etc/profile-m-z/steam.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/steam.profile 2021-02-04 15:29:49.000000000 +0000 @@ -9,6 +9,7 @@ noblacklist ${HOME}/.killingfloor noblacklist ${HOME}/.local/share/3909/PapersPlease noblacklist ${HOME}/.local/share/aspyr-media +noblacklist ${HOME}/.local/share/bohemiainteractive noblacklist ${HOME}/.local/share/cdprojektred noblacklist ${HOME}/.local/share/FasterThanLight noblacklist ${HOME}/.local/share/feral-interactive @@ -45,6 +46,7 @@ mkdir ${HOME}/.killingfloor mkdir ${HOME}/.local/share/3909/PapersPlease mkdir ${HOME}/.local/share/aspyr-media +mkdir ${HOME}/.local/share/bohemiainteractive mkdir ${HOME}/.local/share/cdprojektred mkdir ${HOME}/.local/share/FasterThanLight mkdir ${HOME}/.local/share/feral-interactive @@ -64,6 +66,7 @@ whitelist ${HOME}/.killingfloor whitelist ${HOME}/.local/share/3909/PapersPlease whitelist ${HOME}/.local/share/aspyr-media +whitelist ${HOME}/.local/share/bohemiainteractive whitelist ${HOME}/.local/share/cdprojektred whitelist ${HOME}/.local/share/FasterThanLight whitelist ${HOME}/.local/share/feral-interactive 
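Review bot: Commenting out `nou2f` re-exposes the U2F/FIDO HID devices to every ssh invocation, not only to those that use a security key, and the new comment gives the reason but not the opt-out. Assuming ssh.profile includes ssh.local like the other profiles in this patch (the include is outside this hunk), the comment should point users there, e.g. `# nou2f - OpenSSH >= 8.2 supports U2F; add 'nou2f' to ssh.local if you do not use security keys`.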
@@ -109,10 +112,10 @@ # picture viewers are needed for viewing screenshots #private-bin eog,eom,gthumb,pix,viewnior,xviewer -# private-dev should be commented for controllers +# comment the following line if you need controller support private-dev # private-etc breaks a small selection of games on some systems, comment to support those -private-etc alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,lsb-release,machine-id,mime.types,nvidia,os-release,passwd,pki,pulse,resolv.conf,services,ssl +private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,lsb-release,machine-id,mime.types,nvidia,os-release,passwd,pki,pulse,resolv.conf,services,ssl private-tmp # breaks appindicator support diff -Nru firejail-0.9.64/etc/profile-m-z/steam-runtime.profile firejail-0.9.64.4/etc/profile-m-z/steam-runtime.profile --- firejail-0.9.64/etc/profile-m-z/steam-runtime.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/steam-runtime.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,5 +1,8 @@ # Firejail profile alias for steam # This file is overwritten after every install/update +# Persistent local customizations +include steam-runtime.local + # Redirect include steam.profile diff -Nru firejail-0.9.64/etc/profile-m-z/strawberry.profile firejail-0.9.64.4/etc/profile-m-z/strawberry.profile --- firejail-0.9.64/etc/profile-m-z/strawberry.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/strawberry.profile 2021-02-04 15:29:49.000000000 +0000 
@@ -21,7 +21,7 @@ include whitelist-runuser-common.inc include whitelist-usr-share-common.inc -include whitelist-var-common.inc +include whitelist-var-common.inc apparmor caps.drop all diff -Nru firejail-0.9.64/etc/profile-m-z/straw-viewer.profile firejail-0.9.64.4/etc/profile-m-z/straw-viewer.profile --- firejail-0.9.64/etc/profile-m-z/straw-viewer.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/straw-viewer.profile 2021-02-04 15:29:49.000000000 +0000 
@@ -0,0 +1,58 @@ +# Firejail profile for straw-viewer +# Description: Fork of youtube-viewer acts like an invidious frontend +quiet +# This file is overwritten after every install/update +# Persistent local customizations +include straw-viewer.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.cache/straw-viewer +noblacklist ${HOME}/.config/straw-viewer + +include allow-lua.inc +include allow-perl.inc +include allow-python2.inc +include allow-python3.inc + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc +include disable-xdg.inc + +mkdir ${HOME}/.config/straw-viewer +mkdir ${HOME}/.cache/straw-viewer +whitelist ${HOME}/.cache/straw-viewer +whitelist ${HOME}/.config/straw-viewer +whitelist ${DOWNLOADS} +include whitelist-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +netfilter +nodvd +nogroups +nonewprivs +noroot +notv +nou2f +novideo +protocol unix,inet,inet6 +seccomp +shell none +tracelog + +disable-mnt +private-bin bash,ffmpeg,ffprobe,gtk-straw-viewer,mpv,perl,python*,sh,smplayer,straw-viewer,stty,vlc,wget,which,youtube-dl +private-cache +private-dev +private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,machine-id,mime.types,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl,X11,xdg +private-tmp + +dbus-user none +dbus-system none diff -Nru firejail-0.9.64/etc/profile-m-z/strings.profile firejail-0.9.64.4/etc/profile-m-z/strings.profile --- firejail-0.9.64/etc/profile-m-z/strings.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/strings.profile 2021-02-04 15:29:49.000000000 +0000 @@ -7,7 +7,6 @@ # Persistent global definitions include globals.local -blacklist ${RUNUSER}/wayland-* blacklist ${RUNUSER} #include disable-common.inc 
@@ -38,6 +37,7 @@ novideo protocol unix seccomp +seccomp.block-secondary shell none tracelog x11 none diff -Nru firejail-0.9.64/etc/profile-m-z/studio.sh.profile firejail-0.9.64.4/etc/profile-m-z/studio.sh.profile --- firejail-0.9.64/etc/profile-m-z/studio.sh.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/studio.sh.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,5 +1,8 @@ # Firejail profile alias for Android Studio # This file is overwritten after every install/update +# Persistent local customizations +include studio.sh.local + # Redirect include android-studio.profile diff -Nru firejail-0.9.64/etc/profile-m-z/supertux2.profile firejail-0.9.64.4/etc/profile-m-z/supertux2.profile --- firejail-0.9.64/etc/profile-m-z/supertux2.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/supertux2.profile 2021-02-04 15:29:49.000000000 +0000 @@ -36,6 +36,7 @@ novideo protocol unix,netlink seccomp +seccomp.block-secondary shell none tracelog diff -Nru firejail-0.9.64/etc/profile-m-z/supertuxkart.profile firejail-0.9.64.4/etc/profile-m-z/supertuxkart.profile --- firejail-0.9.64/etc/profile-m-z/supertuxkart.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/supertuxkart.profile 2021-02-04 15:29:49.000000000 +0000 
@@ -41,15 +41,17 @@ notv nou2f novideo -protocol unix,inet,inet6 +protocol unix,inet,inet6,bluetooth seccomp +seccomp.block-secondary shell none tracelog disable-mnt private-bin supertuxkart private-cache -private-dev +# uncomment the following line if you do not need controller support +#private-dev private-etc alternatives,ca-certificates,crypto-policies,drirc,hosts,machine-id,openal,pki,resolv.conf,ssl private-tmp private-opt none diff -Nru firejail-0.9.64/etc/profile-m-z/sysprof.profile firejail-0.9.64.4/etc/profile-m-z/sysprof.profile --- firejail-0.9.64/etc/profile-m-z/sysprof.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/sysprof.profile 2021-02-04 15:29:49.000000000 +0000 @@ -6,6 +6,7 @@ # Persistent global definitions include globals.local +noblacklist ${DOCUMENTS} include disable-common.inc include disable-devel.inc include disable-exec.inc @@ -14,6 +15,19 @@ include disable-programs.inc include disable-xdg.inc +# help menu functionality (yelp) - comment or add this block prepended with 'ignore' +# to your sysprof.local if you don't need the help functionality +noblacklist ${HOME}/.config/yelp +mkdir ${HOME}/.config/yelp +whitelist ${HOME}/.config/yelp +whitelist /usr/share/help/C/sysprof +whitelist /usr/share/yelp +whitelist /usr/share/yelp-tools +whitelist /usr/share/yelp-xsl + +whitelist ${DOCUMENTS} +include whitelist-common.inc +include whitelist-runuser-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc 
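Review bot: `protocol unix,inet,inet6,bluetooth` opens the AF_BLUETOOTH socket family to the game without a word on why, while the `private-dev` change right below it does get a comment; presumably this is for Bluetooth controllers, and that should be recorded so users without them know what to drop, e.g. `# bluetooth is needed for Bluetooth game controllers` above the protocol line. Disabling `private-dev` by default also hands the full /dev to every user rather than only to controller users; steam.profile in this same patch keeps `private-dev` on and tells controller users to comment it out, and the sysprof hunk uses the `ignore` idiom for the same purpose, so the safer and more consistent form here is to keep `private-dev` active with `# add 'ignore private-dev' to supertuxkart.local for controller support`.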
@@ -26,27 +40,30 @@ nodvd nogroups nonewprivs -# Ubuntu 16.04 version needs root privileges - uncomment or put in sysprof.local if you don't use that -#noroot +# Ubuntu 16.04 version needs root privileges - comment or put 'ignore noroot' in sysprof.local if you run Xenial +noroot nosound notv nou2f novideo protocol unix,netlink +seccomp shell none tracelog disable-mnt -#private-bin sysprof - breaks GUI help menu +#private-bin sysprof - breaks help menu private-cache private-dev private-etc alternatives,fonts,ld.so.cache,machine-id,ssl -# private-lib breaks GUI help menu +# private-lib breaks help menu #private-lib gdk-pixbuf-2.*,gio,gtk3,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*,libsysprof-2.so,libsysprof-ui-2.so private-tmp -# makes settings immutable -# dbus-user none -# dbus-system none +dbus-user filter +dbus-user.own org.gnome.Shell +dbus-user.own org.gnome.Yelp +dbus-user.own org.gnome.Sysprof3 +dbus-user.talk ca.desrt.dconf -# memory-deny-write-execute - Breaks GUI on Arch +# memory-deny-write-execute - breaks on Arch diff -Nru firejail-0.9.64/etc/profile-m-z/tar.profile firejail-0.9.64.4/etc/profile-m-z/tar.profile --- firejail-0.9.64/etc/profile-m-z/tar.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/tar.profile 2021-02-04 15:29:49.000000000 +0000 
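Review bot: `dbus-user.own org.gnome.Shell` lets the sandboxed profiler claim GNOME Shell's well-known bus name, and in xdg-dbus-proxy terms `own` is a superset of `talk`, so this is the widest rule the filter can grant for that name. If sysprof only needs to call into the shell, `dbus-user.talk org.gnome.Shell` is the narrower rule; if it needs neither, the line should go. Either way, a short comment saying why the Shell and `ca.desrt.dconf` names are granted would do for this block what the yelp comment in the previous hunk does for the help-menu whitelist; the rest of the profile (including the `include` lines) is outside this hunk.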
@@ -7,49 +7,13 @@ # Persistent global definitions include globals.local -blacklist ${RUNUSER}/wayland-* - # Arch Linux (based distributions) need access to /var/lib/pacman. As we drop all capabilities this is automatically read-only. noblacklist /var/lib/pacman -include disable-common.inc -include disable-devel.inc -include disable-exec.inc -include disable-interpreters.inc -include disable-passwdmgr.inc -include disable-programs.inc - -apparmor -caps.drop all -hostname tar -ipc-namespace -machine-id -net none -no3d -nodvd -nogroups -nonewprivs -#noroot -nosound -notv -nou2f -novideo -protocol unix -seccomp -shell none -tracelog -x11 none +ignore include disable-shell.inc +include archiver-common.inc -# support compressed archives -private-bin awk,bash,bzip2,compress,firejail,grep,gtar,gzip,lbzip2,lzip,lzma,lzop,sh,tar,xz -private-cache -private-dev private-etc alternatives,group,localtime,login.defs,passwd -private-lib libfakeroot +#private-lib libfakeroot,liblzma.so.*,libreadline.so.* # Debian based distributions need this for 'dpkg --unpack' (incl. synaptic) writable-var - -dbus-user none -dbus-system none - -memory-deny-write-execute diff -Nru firejail-0.9.64/etc/profile-m-z/tcpdump.profile firejail-0.9.64.4/etc/profile-m-z/tcpdump.profile --- firejail-0.9.64/etc/profile-m-z/tcpdump.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/tcpdump.profile 2021-02-04 15:29:49.000000000 +0000 @@ -33,7 +33,7 @@ notv nou2f novideo -protocol unix,inet,inet6,netlink,packet +protocol unix,inet,inet6,netlink,packet,bluetooth seccomp disable-mnt diff -Nru firejail-0.9.64/etc/profile-m-z/teams-for-linux.profile firejail-0.9.64.4/etc/profile-m-z/teams-for-linux.profile --- firejail-0.9.64/etc/profile-m-z/teams-for-linux.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/teams-for-linux.profile 2021-02-04 15:29:49.000000000 +0000 
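Review bot: The explicit hardening block removed here (`caps.drop all`, `net none`, `x11 none`, `seccomp`, `private-bin ...`, `memory-deny-write-execute`, the dbus lines) is replaced by `include archiver-common.inc`, whose contents are outside this patch, so the hunk alone cannot show that tar keeps every restriction it had; please confirm the include carries all of them, in particular `net none`, `x11 none` and `memory-deny-write-execute`, otherwise the profile loses them silently. The newly commented-out `#private-lib libfakeroot,liblzma.so.*,libreadline.so.*` also arrives without a reason for being disabled; a why-comment such as `# private-lib disabled - breaks <what>, see <issue>` stops the next maintainer from re-enabling it blindly. Keeping `ignore include disable-shell.inc` ahead of the archiver include is correct, since `ignore` only affects lines read after it.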
@@ -4,33 +4,23 @@ # Persistent local customizations include teams-for-linux.local # Persistent global definitions -# added by included profile -#include globals.local +include globals.local + +# Disabled until someone reported positive feedback +ignore include disable-xdg.inc +ignore include whitelist-runuser-common.inc +ignore include whitelist-usr-share-common.inc ignore dbus-user none ignore dbus-system none noblacklist ${HOME}/.config/teams-for-linux -include disable-devel.inc -include disable-exec.inc -include disable-interpreters.inc - mkdir ${HOME}/.config/teams-for-linux whitelist ${HOME}/.config/teams-for-linux -include whitelist-common.inc -include whitelist-var-common.inc - -nou2f -novideo -shell none -disable-mnt private-bin bash,cut,echo,egrep,grep,head,sed,sh,teams-for-linux,tr,xdg-mime,xdg-open,zsh -private-cache -private-dev private-etc ca-certificates,crypto-policies,fonts,ld.so.cache,localtime,machine-id,pki,resolv.conf,ssl -private-tmp # Redirect include electron.profile diff -Nru firejail-0.9.64/etc/profile-m-z/teams.profile firejail-0.9.64.4/etc/profile-m-z/teams.profile --- firejail-0.9.64/etc/profile-m-z/teams.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/teams.profile 2021-02-04 15:29:49.000000000 +0000 @@ -4,8 +4,14 @@ # Persistent local customizations include teams.local # Persistent global definitions -# added by included profile -#include globals.local +include globals.local + +# Disabled until someone reported positive feedback +ignore include disable-xdg.inc +ignore include whitelist-runuser-common.inc +ignore include whitelist-usr-share-common.inc +ignore novideo +ignore private-tmp # see #3404 ignore apparmor 
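Review bot: `ignore private-tmp` in the teams hunk disables the private /tmp without a reason, and the `# see #3404` comment below it belongs to `ignore apparmor`, not to this line, so the real /tmp (shared with every other process of the user) is exposed with no traceable justification; add the reason inline, e.g. `ignore private-tmp # needed for <what>, see <issue>`, or drop the line if it was only carried over. The heading `# Disabled until someone reported positive feedback`, used in both the teams-for-linux and the teams hunk, should read `# Disabled until someone reports positive feedback` and name what is being held back (the xdg blacklist and the two whitelist includes) so readers know what to test. The `include electron.profile` redirect that supplies the dropped hardening lines is not visible here, so whether `novideo` and `private-tmp` still apply to teams-for-linux cannot be checked from this hunk.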
@@ -15,24 +21,10 @@ noblacklist ${HOME}/.config/teams noblacklist ${HOME}/.config/Microsoft -include disable-devel.inc -include disable-exec.inc -include disable-interpreters.inc - mkdir ${HOME}/.config/teams mkdir ${HOME}/.config/Microsoft whitelist ${HOME}/.config/teams whitelist ${HOME}/.config/Microsoft -include whitelist-common.inc -include whitelist-var-common.inc - -nou2f -shell none -tracelog - -disable-mnt -private-cache -private-dev # Redirect include electron.profile diff -Nru firejail-0.9.64/etc/profile-m-z/telegram-desktop.profile firejail-0.9.64.4/etc/profile-m-z/telegram-desktop.profile --- firejail-0.9.64/etc/profile-m-z/telegram-desktop.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/telegram-desktop.profile 2021-02-04 15:29:49.000000000 +0000 @@ -2,5 +2,8 @@ # Description: Official Telegram Desktop client # This file is overwritten after every install/update +# Persistent local customizations +include tekegram-desktop.local + # Redirect include telegram.profile diff -Nru firejail-0.9.64/etc/profile-m-z/telegram.profile firejail-0.9.64.4/etc/profile-m-z/telegram.profile --- firejail-0.9.64/etc/profile-m-z/telegram.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/telegram.profile 2021-02-04 15:29:49.000000000 +0000 @@ -25,5 +25,5 @@ disable-mnt private-cache -private-etc ca-certificates,crypto-policies,fonts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl +private-etc alsa,alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,machine-id,os-release,pki,pulse,resolv.conf,ssl,xdg private-tmp diff -Nru firejail-0.9.64/etc/profile-m-z/Telegram.profile firejail-0.9.64.4/etc/profile-m-z/Telegram.profile --- firejail-0.9.64/etc/profile-m-z/Telegram.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/Telegram.profile 2021-02-04 15:29:49.000000000 +0000 
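Review bot: `include tekegram-desktop.local` in the telegram-desktop.profile hunk is misspelled, so the per-user customization file this line is meant to load is never read, and since firejail treats a missing `*.local` include as optional nothing will flag it at run time. Change it to `include telegram-desktop.local`, matching the file name used by the comment and by every other `*.local` include in this patch.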
@@ -1,5 +1,8 @@ # Firejail profile alias for telegram # This file is overwritten after every install/update +# Persistent local customizations +include Telegram.local + # Redirect include telegram.profile diff -Nru firejail-0.9.64/etc/profile-m-z/textmaker18free.profile firejail-0.9.64.4/etc/profile-m-z/textmaker18free.profile --- firejail-0.9.64/etc/profile-m-z/textmaker18free.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/textmaker18free.profile 2021-02-04 15:29:49.000000000 +0000 @@ -7,5 +7,5 @@ include globals.local # Redirect -include softmaker-common.inc +include softmaker-common.profile diff -Nru firejail-0.9.64/etc/profile-m-z/textmaker18.profile firejail-0.9.64.4/etc/profile-m-z/textmaker18.profile --- firejail-0.9.64/etc/profile-m-z/textmaker18.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/textmaker18.profile 2021-02-04 15:29:49.000000000 +0000 @@ -7,5 +7,5 @@ include globals.local # Redirect -include softmaker-common.inc +include softmaker-common.profile diff -Nru firejail-0.9.64/etc/profile-m-z/thunar.profile firejail-0.9.64.4/etc/profile-m-z/thunar.profile --- firejail-0.9.64/etc/profile-m-z/thunar.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/thunar.profile 2021-02-04 15:29:49.000000000 +0000 @@ -2,5 +2,8 @@ # Description: Modern file manager for Xfce # This file is overwritten after every install/update +# Persistent local customizations +include thunar.local + # Redirect include Thunar.profile diff -Nru firejail-0.9.64/etc/profile-m-z/thunderbird-beta.profile firejail-0.9.64.4/etc/profile-m-z/thunderbird-beta.profile --- firejail-0.9.64/etc/profile-m-z/thunderbird-beta.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/thunderbird-beta.profile 2021-02-04 15:29:49.000000000 +0000 
@@ -1,6 +1,9 @@ # Firejail profile alias for thunderbird-beta # This file is overwritten after every install/update +# Persistent local customizations +include thunderbird-beta.local + private-opt thunderbird-beta # Redirect diff -Nru firejail-0.9.64/etc/profile-m-z/thunderbird.profile firejail-0.9.64.4/etc/profile-m-z/thunderbird.profile --- firejail-0.9.64/etc/profile-m-z/thunderbird.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/thunderbird.profile 2021-02-04 15:29:49.000000000 +0000 @@ -6,6 +6,8 @@ # Persistent global definitions include globals.local +ignore include whitelist-runuser-common.inc + # writable-run-user and dbus are needed by enigmail ignore dbus-user none ignore dbus-system none @@ -58,7 +60,5 @@ # We need the real /tmp for data exchange when xdg-open handles email attachments on KDE ignore private-tmp -read-only ${HOME}/.config/mimeapps.list - # Redirect include firefox-common.profile diff -Nru firejail-0.9.64/etc/profile-m-z/tor-browser_ar.profile firejail-0.9.64.4/etc/profile-m-z/tor-browser_ar.profile --- firejail-0.9.64/etc/profile-m-z/tor-browser_ar.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/tor-browser_ar.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,6 +1,9 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent global definitions +include tor-browser_ar.local + noblacklist ${HOME}/.tor-browser_ar mkdir ${HOME}/.tor-browser_ar diff -Nru firejail-0.9.64/etc/profile-m-z/tor-browser-ar.profile firejail-0.9.64.4/etc/profile-m-z/tor-browser-ar.profile --- firejail-0.9.64/etc/profile-m-z/tor-browser-ar.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/tor-browser-ar.profile 2021-02-04 15:29:49.000000000 +0000 
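Review bot: Dropping `read-only ${HOME}/.config/mimeapps.list` from thunderbird.profile lets the sandboxed mail client rewrite the user's MIME handler table, which decides what xdg-open launches for attachments outside the sandbox; unless disable-common.inc (pulled in through `include firefox-common.profile`, outside this hunk) now marks that file read-only, this is a genuine relaxation and should either stay or carry a comment saying where the protection moved. The new `ignore include whitelist-runuser-common.inc` also arrives without a reason; if it is for enigmail like the `writable-run-user` note right below it, fold it into that comment: `# whitelist-runuser-common.inc, writable-run-user and dbus are needed by enigmail`.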
@@ -1,6 +1,9 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent global definitions +include tor-browser-ar.local + noblacklist ${HOME}/.tor-browser-ar mkdir ${HOME}/.tor-browser-ar diff -Nru firejail-0.9.64/etc/profile-m-z/tor-browser_ca.profile firejail-0.9.64.4/etc/profile-m-z/tor-browser_ca.profile --- firejail-0.9.64/etc/profile-m-z/tor-browser_ca.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/tor-browser_ca.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,6 +1,9 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent global definitions +include tor-browser_ca.local + noblacklist ${HOME}/.tor-browser_ca mkdir ${HOME}/.tor-browser_ca diff -Nru firejail-0.9.64/etc/profile-m-z/tor-browser-ca.profile firejail-0.9.64.4/etc/profile-m-z/tor-browser-ca.profile --- firejail-0.9.64/etc/profile-m-z/tor-browser-ca.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/tor-browser-ca.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,6 +1,9 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent global definitions +include tor-browser-ca.local + noblacklist ${HOME}/.tor-browser-ca mkdir ${HOME}/.tor-browser-ca diff -Nru firejail-0.9.64/etc/profile-m-z/tor-browser_cs.profile firejail-0.9.64.4/etc/profile-m-z/tor-browser_cs.profile --- firejail-0.9.64/etc/profile-m-z/tor-browser_cs.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/tor-browser_cs.profile 2021-02-04 15:29:49.000000000 +0000 
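Review bot: The comment `# Persistent global definitions` added above `include tor-browser-ar.local` is the wrong label: everywhere else in this patch that heading introduces `include globals.local`, while a `*.local` include is headed `# Persistent local customizations` (see the soffice.profile, steam-native.profile and Telegram.profile hunks). The same copy-paste appears in every tor-browser_*/tor-browser-* alias hunk in this section; change each to `# Persistent local customizations` so the two kinds of include stay distinguishable when scanning a profile.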
@@ -1,6 +1,9 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent global definitions +include tor-browser_cs.local + noblacklist ${HOME}/.tor-browser_cs mkdir ${HOME}/.tor-browser_cs diff -Nru firejail-0.9.64/etc/profile-m-z/tor-browser-cs.profile firejail-0.9.64.4/etc/profile-m-z/tor-browser-cs.profile --- firejail-0.9.64/etc/profile-m-z/tor-browser-cs.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/tor-browser-cs.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,6 +1,9 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent global definitions +include tor-browser-cs.local + noblacklist ${HOME}/.tor-browser-cs mkdir ${HOME}/.tor-browser-cs diff -Nru firejail-0.9.64/etc/profile-m-z/tor-browser_da.profile firejail-0.9.64.4/etc/profile-m-z/tor-browser_da.profile --- firejail-0.9.64/etc/profile-m-z/tor-browser_da.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/tor-browser_da.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,6 +1,9 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent global definitions +include tor-browser_da.local + noblacklist ${HOME}/.tor-browser_da mkdir ${HOME}/.tor-browser_da diff -Nru firejail-0.9.64/etc/profile-m-z/tor-browser-da.profile firejail-0.9.64.4/etc/profile-m-z/tor-browser-da.profile --- firejail-0.9.64/etc/profile-m-z/tor-browser-da.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/tor-browser-da.profile 2021-02-04 15:29:49.000000000 +0000 
@@ -1,6 +1,9 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent global definitions +include tor-browser-da.local + noblacklist ${HOME}/.tor-browser-da mkdir ${HOME}/.tor-browser-da diff -Nru firejail-0.9.64/etc/profile-m-z/tor-browser_de.profile firejail-0.9.64.4/etc/profile-m-z/tor-browser_de.profile --- firejail-0.9.64/etc/profile-m-z/tor-browser_de.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/tor-browser_de.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,6 +1,9 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent global definitions +include tor-browser_de.local + noblacklist ${HOME}/.tor-browser_de mkdir ${HOME}/.tor-browser_de diff -Nru firejail-0.9.64/etc/profile-m-z/tor-browser-de.profile firejail-0.9.64.4/etc/profile-m-z/tor-browser-de.profile --- firejail-0.9.64/etc/profile-m-z/tor-browser-de.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/tor-browser-de.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,6 +1,9 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent global definitions +include tor-browser-de.local + noblacklist ${HOME}/.tor-browser-de mkdir ${HOME}/.tor-browser-de diff -Nru firejail-0.9.64/etc/profile-m-z/tor-browser_el.profile firejail-0.9.64.4/etc/profile-m-z/tor-browser_el.profile --- firejail-0.9.64/etc/profile-m-z/tor-browser_el.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/tor-browser_el.profile 2021-02-04 15:29:49.000000000 +0000 
@@ -1,6 +1,9 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent global definitions +include tor-browser_el.local + noblacklist ${HOME}/.tor-browser_el mkdir ${HOME}/.tor-browser_el diff -Nru firejail-0.9.64/etc/profile-m-z/tor-browser-el.profile firejail-0.9.64.4/etc/profile-m-z/tor-browser-el.profile --- firejail-0.9.64/etc/profile-m-z/tor-browser-el.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/tor-browser-el.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,6 +1,9 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent global definitions +include tor-browser-el.local + noblacklist ${HOME}/.tor-browser-el mkdir ${HOME}/.tor-browser-el diff -Nru firejail-0.9.64/etc/profile-m-z/tor-browser_en.profile firejail-0.9.64.4/etc/profile-m-z/tor-browser_en.profile --- firejail-0.9.64/etc/profile-m-z/tor-browser_en.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/tor-browser_en.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,6 +1,9 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent global definitions +include tor-browser_en.local + noblacklist ${HOME}/.tor-browser_en mkdir ${HOME}/.tor-browser_en diff -Nru firejail-0.9.64/etc/profile-m-z/tor-browser-en.profile firejail-0.9.64.4/etc/profile-m-z/tor-browser-en.profile --- firejail-0.9.64/etc/profile-m-z/tor-browser-en.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/tor-browser-en.profile 2021-02-04 15:29:49.000000000 +0000 
@@ -1,6 +1,9 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent global definitions +include tor-browser-en.local + noblacklist ${HOME}/.tor-browser-en mkdir ${HOME}/.tor-browser-en diff -Nru firejail-0.9.64/etc/profile-m-z/tor-browser-en-us.profile firejail-0.9.64.4/etc/profile-m-z/tor-browser-en-us.profile --- firejail-0.9.64/etc/profile-m-z/tor-browser-en-us.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/tor-browser-en-us.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,6 +1,9 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent global definitions +include tor-browser-en-us.local + noblacklist ${HOME}/.tor-browser-en-us mkdir ${HOME}/.tor-browser-en-us diff -Nru firejail-0.9.64/etc/profile-m-z/tor-browser_en-US.profile firejail-0.9.64.4/etc/profile-m-z/tor-browser_en-US.profile --- firejail-0.9.64/etc/profile-m-z/tor-browser_en-US.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/tor-browser_en-US.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,6 +1,9 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent global definitions +include tor-browser_en-US.local + noblacklist ${HOME}/.tor-browser_en-US mkdir ${HOME}/.tor-browser_en-US diff -Nru firejail-0.9.64/etc/profile-m-z/tor-browser-es-es.profile firejail-0.9.64.4/etc/profile-m-z/tor-browser-es-es.profile --- firejail-0.9.64/etc/profile-m-z/tor-browser-es-es.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/tor-browser-es-es.profile 2021-02-04 15:29:49.000000000 +0000 
@@ -1,6 +1,9 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent global definitions +include tor-browser-es-es.local + noblacklist ${HOME}/.tor-browser-es-es mkdir ${HOME}/.tor-browser-es-es diff -Nru firejail-0.9.64/etc/profile-m-z/tor-browser_es-ES.profile firejail-0.9.64.4/etc/profile-m-z/tor-browser_es-ES.profile --- firejail-0.9.64/etc/profile-m-z/tor-browser_es-ES.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/tor-browser_es-ES.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,6 +1,9 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent global definitions +include tor-browser_es-ES.local + noblacklist ${HOME}/.tor-browser_es-ES mkdir ${HOME}/.tor-browser_es-ES diff -Nru firejail-0.9.64/etc/profile-m-z/tor-browser_es.profile firejail-0.9.64.4/etc/profile-m-z/tor-browser_es.profile --- firejail-0.9.64/etc/profile-m-z/tor-browser_es.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/tor-browser_es.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,6 +1,9 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent global definitions +include tor-browser_es.local + noblacklist ${HOME}/.tor-browser_es mkdir ${HOME}/.tor-browser_es diff -Nru firejail-0.9.64/etc/profile-m-z/tor-browser-es.profile firejail-0.9.64.4/etc/profile-m-z/tor-browser-es.profile --- firejail-0.9.64/etc/profile-m-z/tor-browser-es.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/tor-browser-es.profile 2021-02-04 15:29:49.000000000 +0000 
@@ -1,6 +1,9 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent global definitions +include tor-browser-es.local + noblacklist ${HOME}/.tor-browser-es mkdir ${HOME}/.tor-browser-es diff -Nru firejail-0.9.64/etc/profile-m-z/tor-browser_fa.profile firejail-0.9.64.4/etc/profile-m-z/tor-browser_fa.profile --- firejail-0.9.64/etc/profile-m-z/tor-browser_fa.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/tor-browser_fa.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,6 +1,9 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent global definitions +include tor-browser_fa.local + noblacklist ${HOME}/.tor-browser_fa mkdir ${HOME}/.tor-browser_fa diff -Nru firejail-0.9.64/etc/profile-m-z/tor-browser-fa.profile firejail-0.9.64.4/etc/profile-m-z/tor-browser-fa.profile --- firejail-0.9.64/etc/profile-m-z/tor-browser-fa.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/tor-browser-fa.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,6 +1,9 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent global definitions +include tor-browser-fa.local + noblacklist ${HOME}/.tor-browser-fa mkdir ${HOME}/.tor-browser-fa diff -Nru firejail-0.9.64/etc/profile-m-z/tor-browser_fr.profile firejail-0.9.64.4/etc/profile-m-z/tor-browser_fr.profile --- firejail-0.9.64/etc/profile-m-z/tor-browser_fr.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/tor-browser_fr.profile 2021-02-04 15:29:49.000000000 +0000 
@@ -1,6 +1,9 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent global definitions +include tor-browser_fr.local + noblacklist ${HOME}/.tor-browser_fr mkdir ${HOME}/.tor-browser_fr diff -Nru firejail-0.9.64/etc/profile-m-z/tor-browser-fr.profile firejail-0.9.64.4/etc/profile-m-z/tor-browser-fr.profile --- firejail-0.9.64/etc/profile-m-z/tor-browser-fr.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/tor-browser-fr.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,6 +1,9 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent global definitions +include tor-browser-fr.local + noblacklist ${HOME}/.tor-browser-fr mkdir ${HOME}/.tor-browser-fr diff -Nru firejail-0.9.64/etc/profile-m-z/tor-browser-ga-ie.profile firejail-0.9.64.4/etc/profile-m-z/tor-browser-ga-ie.profile --- firejail-0.9.64/etc/profile-m-z/tor-browser-ga-ie.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/tor-browser-ga-ie.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,6 +1,9 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent global definitions +include tor-browser-ga-ie.local + noblacklist ${HOME}/.tor-browser-ga-ie mkdir ${HOME}/.tor-browser-ga-ie diff -Nru firejail-0.9.64/etc/profile-m-z/tor-browser_ga-IE.profile firejail-0.9.64.4/etc/profile-m-z/tor-browser_ga-IE.profile --- firejail-0.9.64/etc/profile-m-z/tor-browser_ga-IE.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/tor-browser_ga-IE.profile 2021-02-04 15:29:49.000000000 +0000 
@@ -1,6 +1,9 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent global definitions +include tor-browser_ga-IE.local + noblacklist ${HOME}/.tor-browser_ga-IE mkdir ${HOME}/.tor-browser_ga-IE diff -Nru firejail-0.9.64/etc/profile-m-z/tor-browser_he.profile firejail-0.9.64.4/etc/profile-m-z/tor-browser_he.profile --- firejail-0.9.64/etc/profile-m-z/tor-browser_he.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/tor-browser_he.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,6 +1,9 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent global definitions +include tor-browser_he.local + noblacklist ${HOME}/.tor-browser_he mkdir ${HOME}/.tor-browser_he diff -Nru firejail-0.9.64/etc/profile-m-z/tor-browser-he.profile firejail-0.9.64.4/etc/profile-m-z/tor-browser-he.profile --- firejail-0.9.64/etc/profile-m-z/tor-browser-he.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/tor-browser-he.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,6 +1,9 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent global definitions +include tor-browser-he.local + noblacklist ${HOME}/.tor-browser-he mkdir ${HOME}/.tor-browser-he diff -Nru firejail-0.9.64/etc/profile-m-z/tor-browser_hu.profile firejail-0.9.64.4/etc/profile-m-z/tor-browser_hu.profile --- firejail-0.9.64/etc/profile-m-z/tor-browser_hu.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/tor-browser_hu.profile 2021-02-04 15:29:49.000000000 +0000 
@@ -1,6 +1,9 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent global definitions +include tor-browser_hu.local + noblacklist ${HOME}/.tor-browser_hu mkdir ${HOME}/.tor-browser_hu diff -Nru firejail-0.9.64/etc/profile-m-z/tor-browser-hu.profile firejail-0.9.64.4/etc/profile-m-z/tor-browser-hu.profile --- firejail-0.9.64/etc/profile-m-z/tor-browser-hu.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/tor-browser-hu.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,6 +1,9 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent global definitions +include tor-browser-hu.local + noblacklist ${HOME}/.tor-browser-hu mkdir ${HOME}/.tor-browser-hu diff -Nru firejail-0.9.64/etc/profile-m-z/tor-browser_id.profile firejail-0.9.64.4/etc/profile-m-z/tor-browser_id.profile --- firejail-0.9.64/etc/profile-m-z/tor-browser_id.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/tor-browser_id.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,6 +1,9 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent global definitions +include tor-browser_id.local + noblacklist ${HOME}/.tor-browser_id mkdir ${HOME}/.tor-browser_id diff -Nru firejail-0.9.64/etc/profile-m-z/tor-browser-id.profile firejail-0.9.64.4/etc/profile-m-z/tor-browser-id.profile --- firejail-0.9.64/etc/profile-m-z/tor-browser-id.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/tor-browser-id.profile 2021-02-04 15:29:49.000000000 +0000 
@@ -1,6 +1,9 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent global definitions +include tor-browser-id.local + noblacklist ${HOME}/.tor-browser-id mkdir ${HOME}/.tor-browser-id diff -Nru firejail-0.9.64/etc/profile-m-z/tor-browser_is.profile firejail-0.9.64.4/etc/profile-m-z/tor-browser_is.profile --- firejail-0.9.64/etc/profile-m-z/tor-browser_is.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/tor-browser_is.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,6 +1,9 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent global definitions +include tor-browser_is.local + noblacklist ${HOME}/.tor-browser_is mkdir ${HOME}/.tor-browser_is diff -Nru firejail-0.9.64/etc/profile-m-z/tor-browser-is.profile firejail-0.9.64.4/etc/profile-m-z/tor-browser-is.profile --- firejail-0.9.64/etc/profile-m-z/tor-browser-is.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/tor-browser-is.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,6 +1,9 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent global definitions +include tor-browser-is.local + noblacklist ${HOME}/.tor-browser-is mkdir ${HOME}/.tor-browser-is diff -Nru firejail-0.9.64/etc/profile-m-z/tor-browser_it.profile firejail-0.9.64.4/etc/profile-m-z/tor-browser_it.profile --- firejail-0.9.64/etc/profile-m-z/tor-browser_it.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/tor-browser_it.profile 2021-02-04 15:29:49.000000000 +0000 
@@ -1,6 +1,9 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent global definitions +include tor-browser_it.local + noblacklist ${HOME}/.tor-browser_it mkdir ${HOME}/.tor-browser_it diff -Nru firejail-0.9.64/etc/profile-m-z/tor-browser-it.profile firejail-0.9.64.4/etc/profile-m-z/tor-browser-it.profile --- firejail-0.9.64/etc/profile-m-z/tor-browser-it.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/tor-browser-it.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,6 +1,9 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent global definitions +include tor-browser-it.local + noblacklist ${HOME}/.tor-browser-it mkdir ${HOME}/.tor-browser-it diff -Nru firejail-0.9.64/etc/profile-m-z/tor-browser_ja.profile firejail-0.9.64.4/etc/profile-m-z/tor-browser_ja.profile --- firejail-0.9.64/etc/profile-m-z/tor-browser_ja.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/tor-browser_ja.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,6 +1,9 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent global definitions +include tor-browser_ja.local + noblacklist ${HOME}/.tor-browser_ja mkdir ${HOME}/.tor-browser_ja diff -Nru firejail-0.9.64/etc/profile-m-z/tor-browser-ja.profile firejail-0.9.64.4/etc/profile-m-z/tor-browser-ja.profile --- firejail-0.9.64/etc/profile-m-z/tor-browser-ja.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/tor-browser-ja.profile 2021-02-04 15:29:49.000000000 +0000 
@@ -1,6 +1,9 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent global definitions +include tor-browser-ja.local + noblacklist ${HOME}/.tor-browser-ja mkdir ${HOME}/.tor-browser-ja diff -Nru firejail-0.9.64/etc/profile-m-z/tor-browser_ka.profile firejail-0.9.64.4/etc/profile-m-z/tor-browser_ka.profile --- firejail-0.9.64/etc/profile-m-z/tor-browser_ka.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/tor-browser_ka.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,6 +1,9 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent global definitions +include tor-browser_ka.local + noblacklist ${HOME}/.tor-browser_ka mkdir ${HOME}/.tor-browser_ka diff -Nru firejail-0.9.64/etc/profile-m-z/tor-browser-ka.profile firejail-0.9.64.4/etc/profile-m-z/tor-browser-ka.profile --- firejail-0.9.64/etc/profile-m-z/tor-browser-ka.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/tor-browser-ka.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,6 +1,9 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent global definitions +include tor-browser-ka.local + noblacklist ${HOME}/.tor-browser-ka mkdir ${HOME}/.tor-browser-ka diff -Nru firejail-0.9.64/etc/profile-m-z/tor-browser_ko.profile firejail-0.9.64.4/etc/profile-m-z/tor-browser_ko.profile --- firejail-0.9.64/etc/profile-m-z/tor-browser_ko.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/tor-browser_ko.profile 2021-02-04 15:29:49.000000000 +0000 
@@ -1,6 +1,9 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent global definitions +include tor-browser_ko.local + noblacklist ${HOME}/.tor-browser_ko mkdir ${HOME}/.tor-browser_ko diff -Nru firejail-0.9.64/etc/profile-m-z/tor-browser-ko.profile firejail-0.9.64.4/etc/profile-m-z/tor-browser-ko.profile --- firejail-0.9.64/etc/profile-m-z/tor-browser-ko.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/tor-browser-ko.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,6 +1,9 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent global definitions +include tor-browser-ko.local + noblacklist ${HOME}/.tor-browser-ko mkdir ${HOME}/.tor-browser-ko diff -Nru firejail-0.9.64/etc/profile-m-z/tor-browser_nb.profile firejail-0.9.64.4/etc/profile-m-z/tor-browser_nb.profile --- firejail-0.9.64/etc/profile-m-z/tor-browser_nb.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/tor-browser_nb.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,6 +1,9 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent global definitions +include tor-browser_nb.local + noblacklist ${HOME}/.tor-browser_nb mkdir ${HOME}/.tor-browser_nb diff -Nru firejail-0.9.64/etc/profile-m-z/tor-browser-nb.profile firejail-0.9.64.4/etc/profile-m-z/tor-browser-nb.profile --- firejail-0.9.64/etc/profile-m-z/tor-browser-nb.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/tor-browser-nb.profile 2021-02-04 15:29:49.000000000 +0000 
@@ -1,6 +1,9 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent global definitions +include tor-browser-nb.local + noblacklist ${HOME}/.tor-browser-nb mkdir ${HOME}/.tor-browser-nb diff -Nru firejail-0.9.64/etc/profile-m-z/tor-browser_nl.profile firejail-0.9.64.4/etc/profile-m-z/tor-browser_nl.profile --- firejail-0.9.64/etc/profile-m-z/tor-browser_nl.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/tor-browser_nl.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,6 +1,9 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent global definitions +include tor-browser_nl.local + noblacklist ${HOME}/.tor-browser_nl mkdir ${HOME}/.tor-browser_nl diff -Nru firejail-0.9.64/etc/profile-m-z/tor-browser-nl.profile firejail-0.9.64.4/etc/profile-m-z/tor-browser-nl.profile --- firejail-0.9.64/etc/profile-m-z/tor-browser-nl.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/tor-browser-nl.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,6 +1,9 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent global definitions +include tor-browser-nl.local + noblacklist ${HOME}/.tor-browser-nl mkdir ${HOME}/.tor-browser-nl diff -Nru firejail-0.9.64/etc/profile-m-z/tor-browser_pl.profile firejail-0.9.64.4/etc/profile-m-z/tor-browser_pl.profile --- firejail-0.9.64/etc/profile-m-z/tor-browser_pl.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/tor-browser_pl.profile 2021-02-04 15:29:49.000000000 +0000 
@@ -1,6 +1,9 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent global definitions +include tor-browser_pl.local + noblacklist ${HOME}/.tor-browser_pl mkdir ${HOME}/.tor-browser_pl diff -Nru firejail-0.9.64/etc/profile-m-z/tor-browser-pl.profile firejail-0.9.64.4/etc/profile-m-z/tor-browser-pl.profile --- firejail-0.9.64/etc/profile-m-z/tor-browser-pl.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/tor-browser-pl.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,6 +1,9 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent global definitions +include tor-browser-pl.local + noblacklist ${HOME}/.tor-browser-pl mkdir ${HOME}/.tor-browser-pl diff -Nru firejail-0.9.64/etc/profile-m-z/tor-browser.profile firejail-0.9.64.4/etc/profile-m-z/tor-browser.profile --- firejail-0.9.64/etc/profile-m-z/tor-browser.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/tor-browser.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,6 +1,9 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent global definitions +include tor-browser.local + noblacklist ${HOME}/.tor-browser mkdir ${HOME}/.tor-browser diff -Nru firejail-0.9.64/etc/profile-m-z/tor-browser-pt-br.profile firejail-0.9.64.4/etc/profile-m-z/tor-browser-pt-br.profile --- firejail-0.9.64/etc/profile-m-z/tor-browser-pt-br.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/tor-browser-pt-br.profile 2021-02-04 15:29:49.000000000 +0000 
@@ -1,6 +1,9 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent global definitions +include tor-browser-pt-br.local + noblacklist ${HOME}/.tor-browser-pt-br mkdir ${HOME}/.tor-browser-pt-br diff -Nru firejail-0.9.64/etc/profile-m-z/tor-browser_pt-BR.profile firejail-0.9.64.4/etc/profile-m-z/tor-browser_pt-BR.profile --- firejail-0.9.64/etc/profile-m-z/tor-browser_pt-BR.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/tor-browser_pt-BR.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,6 +1,9 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent global definitions +include tor-browser_pt-BR.local + noblacklist ${HOME}/.tor-browser_pt-BR mkdir ${HOME}/.tor-browser_pt-BR diff -Nru firejail-0.9.64/etc/profile-m-z/tor-browser_ru.profile firejail-0.9.64.4/etc/profile-m-z/tor-browser_ru.profile --- firejail-0.9.64/etc/profile-m-z/tor-browser_ru.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/tor-browser_ru.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,6 +1,9 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent global definitions +include tor-browser_ru.local + noblacklist ${HOME}/.tor-browser_ru mkdir ${HOME}/.tor-browser_ru diff -Nru firejail-0.9.64/etc/profile-m-z/tor-browser-ru.profile firejail-0.9.64.4/etc/profile-m-z/tor-browser-ru.profile --- firejail-0.9.64/etc/profile-m-z/tor-browser-ru.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/tor-browser-ru.profile 2021-02-04 15:29:49.000000000 +0000 
@@ -1,6 +1,9 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent global definitions +include tor-browser-ru.local + noblacklist ${HOME}/.tor-browser-ru mkdir ${HOME}/.tor-browser-ru diff -Nru firejail-0.9.64/etc/profile-m-z/tor-browser-sv-se.profile firejail-0.9.64.4/etc/profile-m-z/tor-browser-sv-se.profile --- firejail-0.9.64/etc/profile-m-z/tor-browser-sv-se.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/tor-browser-sv-se.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,6 +1,9 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent global definitions +include tor-browser-sv-se.local + noblacklist ${HOME}/.tor-browser-sv-se mkdir ${HOME}/.tor-browser-sv-se diff -Nru firejail-0.9.64/etc/profile-m-z/tor-browser_sv-SE.profile firejail-0.9.64.4/etc/profile-m-z/tor-browser_sv-SE.profile --- firejail-0.9.64/etc/profile-m-z/tor-browser_sv-SE.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/tor-browser_sv-SE.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,6 +1,9 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent global definitions +include tor-browser_sv-SE.local + noblacklist ${HOME}/.tor-browser_sv-SE mkdir ${HOME}/.tor-browser_sv-SE diff -Nru firejail-0.9.64/etc/profile-m-z/tor-browser_tr.profile firejail-0.9.64.4/etc/profile-m-z/tor-browser_tr.profile --- firejail-0.9.64/etc/profile-m-z/tor-browser_tr.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/tor-browser_tr.profile 2021-02-04 15:29:49.000000000 +0000 
@@ -1,6 +1,9 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent global definitions +include tor-browser_tr.local + noblacklist ${HOME}/.tor-browser_tr mkdir ${HOME}/.tor-browser_tr diff -Nru firejail-0.9.64/etc/profile-m-z/tor-browser-tr.profile firejail-0.9.64.4/etc/profile-m-z/tor-browser-tr.profile --- firejail-0.9.64/etc/profile-m-z/tor-browser-tr.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/tor-browser-tr.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,6 +1,9 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent global definitions +include tor-browser-tr.local + noblacklist ${HOME}/.tor-browser-tr mkdir ${HOME}/.tor-browser-tr diff -Nru firejail-0.9.64/etc/profile-m-z/tor-browser_vi.profile firejail-0.9.64.4/etc/profile-m-z/tor-browser_vi.profile --- firejail-0.9.64/etc/profile-m-z/tor-browser_vi.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/tor-browser_vi.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,6 +1,9 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent global definitions +include tor-browser_vi.local + noblacklist ${HOME}/.tor-browser_vi mkdir ${HOME}/.tor-browser_vi diff -Nru firejail-0.9.64/etc/profile-m-z/tor-browser-vi.profile firejail-0.9.64.4/etc/profile-m-z/tor-browser-vi.profile --- firejail-0.9.64/etc/profile-m-z/tor-browser-vi.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/tor-browser-vi.profile 2021-02-04 15:29:49.000000000 +0000 
@@ -1,6 +1,9 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent global definitions +include tor-browser-vi.local + noblacklist ${HOME}/.tor-browser-vi mkdir ${HOME}/.tor-browser-vi diff -Nru firejail-0.9.64/etc/profile-m-z/tor-browser-zh-cn.profile firejail-0.9.64.4/etc/profile-m-z/tor-browser-zh-cn.profile --- firejail-0.9.64/etc/profile-m-z/tor-browser-zh-cn.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/tor-browser-zh-cn.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,6 +1,9 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent global definitions +include tor-browser-zh-cn.local + noblacklist ${HOME}/.tor-browser-zh-cn mkdir ${HOME}/.tor-browser-zh-cn diff -Nru firejail-0.9.64/etc/profile-m-z/tor-browser_zh-CN.profile firejail-0.9.64.4/etc/profile-m-z/tor-browser_zh-CN.profile --- firejail-0.9.64/etc/profile-m-z/tor-browser_zh-CN.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/tor-browser_zh-CN.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,6 +1,9 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent global definitions +include tor-browser_zh-CN.local + noblacklist ${HOME}/.tor-browser_zh-CN mkdir ${HOME}/.tor-browser_zh-CN diff -Nru firejail-0.9.64/etc/profile-m-z/tor-browser-zh-tw.profile firejail-0.9.64.4/etc/profile-m-z/tor-browser-zh-tw.profile --- firejail-0.9.64/etc/profile-m-z/tor-browser-zh-tw.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/tor-browser-zh-tw.profile 2021-02-04 15:29:49.000000000 +0000 
@@ -1,6 +1,9 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent global definitions +include tor-browser-zh-tw.local + noblacklist ${HOME}/.tor-browser-zh-tw mkdir ${HOME}/.tor-browser-zh-tw diff -Nru firejail-0.9.64/etc/profile-m-z/tor-browser_zh-TW.profile firejail-0.9.64.4/etc/profile-m-z/tor-browser_zh-TW.profile --- firejail-0.9.64/etc/profile-m-z/tor-browser_zh-TW.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/tor-browser_zh-TW.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,6 +1,9 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent global definitions +include tor-browser_zh-TW.local + noblacklist ${HOME}/.tor-browser_zh-TW mkdir ${HOME}/.tor-browser_zh-TW diff -Nru firejail-0.9.64/etc/profile-m-z/totem.profile firejail-0.9.64.4/etc/profile-m-z/totem.profile --- firejail-0.9.64/etc/profile-m-z/totem.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/totem.profile 2021-02-04 15:29:49.000000000 +0000 @@ -30,7 +30,7 @@ whitelist ${HOME}/.local/share/totem whitelist /usr/share/totem include whitelist-common.inc -include whitelist-players.inc +include whitelist-player-common.inc include whitelist-runuser-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc diff -Nru firejail-0.9.64/etc/profile-m-z/transmission-common.profile firejail-0.9.64.4/etc/profile-m-z/transmission-common.profile --- firejail-0.9.64/etc/profile-m-z/transmission-common.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/transmission-common.profile 2021-02-04 15:29:49.000000000 +0000 
@@ -39,6 +39,7 @@ novideo protocol unix,inet,inet6 seccomp +seccomp.block-secondary shell none tracelog diff -Nru firejail-0.9.64/etc/profile-m-z/transmission-daemon.profile firejail-0.9.64.4/etc/profile-m-z/transmission-daemon.profile --- firejail-0.9.64/etc/profile-m-z/transmission-daemon.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/transmission-daemon.profile 2021-02-04 15:29:49.000000000 +0000 @@ -14,6 +14,7 @@ whitelist /var/lib/transmission caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot +protocol unix,inet,inet6,packet private-bin transmission-daemon private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl diff -Nru firejail-0.9.64/etc/profile-m-z/trojita.profile firejail-0.9.64.4/etc/profile-m-z/trojita.profile --- firejail-0.9.64/etc/profile-m-z/trojita.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/trojita.profile 2021-02-04 15:29:49.000000000 +0000 @@ -57,7 +57,8 @@ private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,pki,resolv.conf,selinux,ssl,xdg private-tmp -dbus-user none +dbus-user filter +dbus-user.talk org.freedesktop.secrets dbus-system none read-only ${HOME}/.mozilla/firefox/profiles.ini diff -Nru firejail-0.9.64/etc/profile-m-z/tshark.profile firejail-0.9.64.4/etc/profile-m-z/tshark.profile --- firejail-0.9.64/etc/profile-m-z/tshark.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/tshark.profile 2021-02-04 15:29:49.000000000 +0000 
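Review bot: In the transmission-daemon.profile hunk, the new `protocol unix,inet,inet6,packet` line widens the socket-family seccomp filter to AF_PACKET with no comment saying which feature of the daemon needs raw packet sockets, and it diverges from the `protocol unix,inet,inet6` set that transmission-common.profile carries in the hunk above. AF_PACKET sockets also require CAP_NET_RAW, which the `caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot` context line does not keep, so the extra family looks unusable as written; confirm against the failing call before keeping it. If it is intentional, a why-comment makes the intent reviewable, e.g. `# packet: required by <feature>; overrides the protocol line in transmission-common.profile`.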
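Review bot: In the trojita.profile hunk, `dbus-user.talk org.freedesktop.secrets` grants the sandboxed mail client access to the whole Secret Service (every keyring item, not only trojita's own), and nothing in the hunk says why the previous `dbus-user none` was too strict. Presumably this is so account passwords can be stored in the keyring; a one-line why-comment above the talk rule records the trade-off, e.g. `# Secret Service access so account passwords can be stored in the keyring; restore 'dbus-user none' in trojita.local if unused`. If that is not what prompted the change, the talk rule should be dropped rather than left unexplained.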
@@ -1,46 +1,9 @@ # Firejail profile for tshark # This file is overwritten after every install/update quiet + # Persistent local customizations include tshark.local -# Persistent global definitions -include globals.local - -include disable-common.inc -include disable-devel.inc -include disable-exec.inc -include disable-interpreters.inc -include disable-passwdmgr.inc -include disable-programs.inc -include disable-xdg.inc - -whitelist /usr/share/wireshark -include whitelist-common.inc -include whitelist-runuser-common.inc -include whitelist-usr-share-common.inc -include whitelist-var-common.inc - -apparmor -#caps.keep net_raw -caps.keep dac_override,net_admin,net_raw -ipc-namespace -#net tun0 -netfilter -no3d -nodvd -# nogroups - breaks network traffic capture for unprivileged users -# nonewprivs - breaks network traffic capture for unprivileged users -# noroot -nosound -notv -nou2f -novideo -#protocol unix,inet,inet6,netlink,packet -#seccomp -disable-mnt -#private -private-cache -#private-bin tshark -private-dev -private-tmp +# Redirect +include wireshark.profile diff -Nru firejail-0.9.64/etc/profile-m-z/tutanota-desktop.profile firejail-0.9.64.4/etc/profile-m-z/tutanota-desktop.profile --- firejail-0.9.64/etc/profile-m-z/tutanota-desktop.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/tutanota-desktop.profile 2021-02-04 15:29:49.000000000 +0000 
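Review bot: The rewrite turns tshark.profile into a pure redirect but drops `# Persistent global definitions` / `include globals.local` without the note the other redirect profile in this diff uses, so a reader cannot tell whether globals.local is still honoured. unar.profile (later in this diff) writes `# Persistent global definitions`, `# added by included profile`, `#include globals.local` for exactly this case; adding those three lines after `include tshark.local` keeps the file self-explanatory. The redirect also relies on wireshark.profile keeping the narrow `caps.keep dac_override,net_admin,net_raw` set and the `# nogroups`/`# nonewprivs` caveats the removed lines carried; that file is not in this chunk, so confirm it does not keep more.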
@@ -0,0 +1,31 @@
+# Firejail profile for tutanota-desktop
+# Description: Encrypted email client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tutanota-desktop.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/tuta_integration
+noblacklist ${HOME}/.config/tutanota-desktop
+
+ignore noexec /tmp
+
+include disable-shell.inc
+
+mkdir ${HOME}/.config/tuta_integration
+mkdir ${HOME}/.config/tutanota-desktop
+whitelist ${HOME}/.config/tuta_integration
+whitelist ${HOME}/.config/tutanota-desktop
+
+# These lines are needed to allow Firefox to open links
+noblacklist ${HOME}/.mozilla
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+read-only ${HOME}/.mozilla/firefox/profiles.ini
+
+?HAS_APPIMAGE: ignore private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl
+private-opt tutanota-desktop
+
+# Redirect
+include electron.profile
diff -Nru firejail-0.9.64/etc/profile-m-z/twitch.profile firejail-0.9.64.4/etc/profile-m-z/twitch.profile
--- firejail-0.9.64/etc/profile-m-z/twitch.profile	2020-10-06 12:50:41.000000000 +0000
+++ firejail-0.9.64.4/etc/profile-m-z/twitch.profile	2021-02-04 15:29:49.000000000 +0000
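Review bot: `ignore noexec /tmp` re-enables execution from /tmp, a directory the sandboxed process can write to, and the new profile gives no reason for it, unlike the `# These lines are needed to allow Firefox to open links` comment further down. The noexec presumably comes from the included electron.profile (not in this chunk), so a why-comment is the minimum, e.g. `# tutanota-desktop executes helpers unpacked under /tmp; noexec breaks startup (weakens the sandbox)`. If only the AppImage build needs it, the `?HAS_APPIMAGE:` conditional already used for `ignore private-dev` could gate this line too, so the non-AppImage install keeps noexec.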
@@ -6,31 +6,20 @@ # Persistent global definitions include globals.local +# Disabled until someone reported positive feedback +ignore nou2f +ignore novideo + noblacklist ${HOME}/.config/Twitch -include disable-devel.inc -include disable-exec.inc -include disable-interpreters.inc -include disable-shell.inc -include disable-xdg.inc +include disable-shell.inc mkdir ${HOME}/.config/Twitch whitelist ${HOME}/.config/Twitch -include whitelist-common.inc -include whitelist-runuser-common.inc -include whitelist-usr-share-common.inc -include whitelist-var-common.inc - -seccomp !chroot -shell none -disable-mnt private-bin twitch -private-cache -private-dev private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg private-opt Twitch -private-tmp # Redirect include electron.profile diff -Nru firejail-0.9.64/etc/profile-m-z/unar.profile firejail-0.9.64.4/etc/profile-m-z/unar.profile --- firejail-0.9.64/etc/profile-m-z/unar.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/unar.profile 2021-02-04 15:29:49.000000000 +0000 @@ -0,0 +1,13 @@ +# Firejail profile for unar +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include unar.local +# Persistent global definitions +# added by included profile +#include globals.local + +private-bin unar + +# Redirect +include ar.profile diff -Nru firejail-0.9.64/etc/profile-m-z/unlzma.profile firejail-0.9.64.4/etc/profile-m-z/unlzma.profile --- firejail-0.9.64/etc/profile-m-z/unlzma.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/unlzma.profile 2021-02-04 15:29:49.000000000 +0000 
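Review bot: `ignore nou2f` and `ignore novideo` re-open U2F devices and video capture to the sandbox, and the comment above them, `# Disabled until someone reported positive feedback`, names neither what they are needed for nor how a reader would give that feedback, and has a tense slip. Suggest `# nou2f/novideo disabled pending user feedback: re-enable once login and streaming are confirmed to work with them`, or better, the concrete failure that prompted it. The removed hardening (disable-*.inc, whitelist-*.inc, `seccomp !chroot`, `private-dev`, `private-tmp`) is presumably supplied by the already-included electron.profile, which is outside this chunk; worth confirming it carries all of them, otherwise this hunk silently loosens the profile.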
@@ -3,5 +3,8 @@ # This file is overwritten after every install/update quiet +# Persistent local customizations +include unlzma.local + # Redirect include cpio.profile diff -Nru firejail-0.9.64/etc/profile-m-z/unrar.profile firejail-0.9.64.4/etc/profile-m-z/unrar.profile --- firejail-0.9.64/etc/profile-m-z/unrar.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/unrar.profile 2021-02-04 15:29:49.000000000 +0000 @@ -7,40 +7,8 @@ # Persistent global definitions include globals.local -blacklist ${RUNUSER}/wayland-* - -include disable-common.inc -include disable-devel.inc -include disable-exec.inc -include disable-interpreters.inc -include disable-passwdmgr.inc -include disable-programs.inc -include disable-shell.inc - -caps.drop all -hostname unrar -ipc-namespace -machine-id -net none -no3d -nodvd -#nogroups -nonewprivs -#noroot -nosound -notv -nou2f -novideo -protocol unix -seccomp -shell none -tracelog -x11 none +include archiver-common.inc private-bin unrar -private-dev private-etc alternatives,group,localtime,passwd private-tmp - -dbus-user none -dbus-system none diff -Nru firejail-0.9.64/etc/profile-m-z/unxz.profile firejail-0.9.64.4/etc/profile-m-z/unxz.profile --- firejail-0.9.64/etc/profile-m-z/unxz.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/unxz.profile 2021-02-04 15:29:49.000000000 +0000 @@ -3,5 +3,8 @@ # This file is overwritten after every install/update quiet +# Persistent local customizations +include unxz.local + # Redirect include cpio.profile diff -Nru firejail-0.9.64/etc/profile-m-z/unzip.profile firejail-0.9.64.4/etc/profile-m-z/unzip.profile --- firejail-0.9.64/etc/profile-m-z/unzip.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/unzip.profile 2021-02-04 15:29:49.000000000 +0000 
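Review bot: In the unrar.profile hunk, the old profile deliberately left `#noroot` commented out while unzip (next hunk) had `noroot` enabled; both now inherit whatever archiver-common.inc sets, and that file is outside this chunk, so unrar's behaviour may change silently. If the noroot exclusion was intentional, keep it explicit with `ignore noroot` placed before `include archiver-common.inc` (ignore lines precede the include elsewhere in this diff, e.g. tutanota-desktop.profile); if not, a short comment such as `# caps, seccomp, net none, private-dev and dbus hardening come from archiver-common.inc` tells the next reader where the dropped lines went.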
@@ -7,42 +7,9 @@ # Persistent global definitions include globals.local -blacklist ${RUNUSER}/wayland-* - # GNOME Shell integration (chrome-gnome-shell) noblacklist ${HOME}/.local/share/gnome-shell -include disable-common.inc -include disable-devel.inc -include disable-exec.inc -include disable-interpreters.inc -include disable-passwdmgr.inc -include disable-programs.inc -include disable-shell.inc - -caps.drop all -hostname unzip -ipc-namespace -machine-id -net none -no3d -nodvd -#nogroups -nonewprivs -noroot -nosound -notv -nou2f -novideo -protocol unix -seccomp -shell none -tracelog -x11 none +include archiver-common.inc -private-bin unzip -private-dev private-etc alternatives,group,localtime,passwd - -dbus-user none -dbus-system none diff -Nru firejail-0.9.64/etc/profile-m-z/unzstd.profile firejail-0.9.64.4/etc/profile-m-z/unzstd.profile --- firejail-0.9.64/etc/profile-m-z/unzstd.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/unzstd.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,5 +1,8 @@ # Firejail profile alias for zstd # This file is overwritten after every install/update +# Persistent local customizations +include unzstd.local + # Redirect include zstd.profile diff -Nru firejail-0.9.64/etc/profile-m-z/VirtualBox.profile firejail-0.9.64.4/etc/profile-m-z/VirtualBox.profile --- firejail-0.9.64/etc/profile-m-z/VirtualBox.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/VirtualBox.profile 2021-02-04 15:29:49.000000000 +0000 
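Review bot: `private-bin unzip` is removed together with the lines that `include archiver-common.inc` replaces, but a shared include cannot carry a per-program `private-bin`, so unzip now runs without a restricted /bin while the unrar hunk on the previous line keeps `private-bin unrar`. Unless this is deliberate, restore `private-bin unzip` after the include. If it is deliberate, a one-line comment such as `# no private-bin: <reason>` would keep the next reader from re-adding it.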
@@ -2,5 +2,8 @@ # Description: x86 virtualization solution # This file is overwritten after every install/update +# Persistent local customizations +include VirtualBox.local + # Redirect include virtualbox.profile diff -Nru firejail-0.9.64/etc/profile-m-z/vivaldi-beta.profile firejail-0.9.64.4/etc/profile-m-z/vivaldi-beta.profile --- firejail-0.9.64/etc/profile-m-z/vivaldi-beta.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/vivaldi-beta.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,5 +1,7 @@ -# Firejail profile alias for vivaldi +# Firejail profile for vivaldi-beta # This file is overwritten after every install/update +# Persistent local customizations +include vivaldi-beta.local # Redirect include vivaldi.profile diff -Nru firejail-0.9.64/etc/profile-m-z/vivaldi.profile firejail-0.9.64.4/etc/profile-m-z/vivaldi.profile --- firejail-0.9.64/etc/profile-m-z/vivaldi.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/vivaldi.profile 2021-02-04 15:29:49.000000000 +0000 
@@ -13,19 +13,29 @@ writable-var noblacklist ${HOME}/.cache/vivaldi +noblacklist ${HOME}/.cache/vivaldi-snapshot noblacklist ${HOME}/.config/vivaldi +noblacklist ${HOME}/.config/vivaldi-snapshot noblacklist ${HOME}/.local/lib/vivaldi mkdir ${HOME}/.cache/vivaldi +mkdir ${HOME}/.cache/vivaldi-snapshot mkdir ${HOME}/.config/vivaldi +mkdir ${HOME}/.config/vivaldi-snapshot mkdir ${HOME}/.local/lib/vivaldi whitelist ${HOME}/.cache/vivaldi +whitelist ${HOME}/.cache/vivaldi-snapshot whitelist ${HOME}/.config/vivaldi +whitelist ${HOME}/.config/vivaldi-snapshot whitelist ${HOME}/.local/lib/vivaldi +#private-bin bash,cat,dirname,readlink,rm,vivaldi,vivaldi-stable,vivaldi-snapshot + # breaks vivaldi sync ignore dbus-user none ignore dbus-system none +read-write ${HOME}/.local/lib/vivaldi + # Redirect include chromium-common.profile diff -Nru firejail-0.9.64/etc/profile-m-z/vivaldi-snapshot.profile firejail-0.9.64.4/etc/profile-m-z/vivaldi-snapshot.profile --- firejail-0.9.64/etc/profile-m-z/vivaldi-snapshot.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/vivaldi-snapshot.profile 2021-02-04 15:29:49.000000000 +0000 @@ -2,16 +2,6 @@ # This file is overwritten after every install/update # Persistent local customizations include vivaldi-snapshot.local -# Persistent global definitions -include globals.local - -noblacklist ${HOME}/.cache/vivaldi-snapshot -noblacklist ${HOME}/.config/vivaldi-snapshot - -mkdir ${HOME}/.cache/vivaldi-snapshot -mkdir ${HOME}/.config/vivaldi-snapshot -whitelist ${HOME}/.cache/vivaldi-snapshot -whitelist ${HOME}/.config/vivaldi-snapshot # Redirect -include chromium-common.profile +include vivaldi.profile diff -Nru firejail-0.9.64/etc/profile-m-z/vivaldi-stable.profile firejail-0.9.64.4/etc/profile-m-z/vivaldi-stable.profile --- firejail-0.9.64/etc/profile-m-z/vivaldi-stable.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/vivaldi-stable.profile 2021-02-04 15:29:49.000000000 +0000 
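Review bot: The added `read-write ${HOME}/.local/lib/vivaldi` makes a directory the browser loads code from writable again, presumably overriding a `read-only` rule in the redirected chromium-common.profile, and carries no comment saying why. Record the reason next to it, e.g. `# vivaldi updates bundled libraries under ${HOME}/.local/lib/vivaldi - TODO confirm`, so the exception is neither silently widened nor dropped later. The same directory is already whitelisted above, so the new line only changes the mount's write permission.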
@@ -1,5 +1,7 @@ -# Firejail profile alias for vivaldi +# Firejail profile for vivaldi-stable # This file is overwritten after every install/update +# Persistent local customizations +include vivaldi-stable.local # Redirect include vivaldi.profile diff -Nru firejail-0.9.64/etc/profile-m-z/vlc.profile firejail-0.9.64.4/etc/profile-m-z/vlc.profile --- firejail-0.9.64/etc/profile-m-z/vlc.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/vlc.profile 2021-02-04 15:29:49.000000000 +0000 @@ -8,6 +8,7 @@ noblacklist ${HOME}/.cache/vlc noblacklist ${HOME}/.config/vlc +noblacklist ${HOME}/.config/aacs noblacklist ${HOME}/.local/share/vlc include disable-common.inc @@ -23,9 +24,10 @@ mkdir ${HOME}/.local/share/vlc whitelist ${HOME}/.cache/vlc whitelist ${HOME}/.config/vlc +whitelist ${HOME}/.config/aacs whitelist ${HOME}/.local/share/vlc include whitelist-common.inc -include whitelist-players.inc +include whitelist-player-common.inc include whitelist-var-common.inc #apparmor - on Ubuntu 18.04 it refuses to start without dbus access diff -Nru firejail-0.9.64/etc/profile-m-z/vmware.profile firejail-0.9.64.4/etc/profile-m-z/vmware.profile --- firejail-0.9.64/etc/profile-m-z/vmware.profile 2020-10-13 11:43:23.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/vmware.profile 2021-02-04 15:29:49.000000000 +0000 @@ -26,7 +26,7 @@ include whitelist-usr-share-common.inc include whitelist-var-common.inc -caps.keep chown,net_raw,sys_nice,sys_rawio +caps.keep chown,net_raw,sys_nice netfilter nogroups notv 
@@ -34,6 +34,7 @@ tracelog #disable-mnt -#private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl,vmware,vmware-installer,vmware-vix +#private-bin env,bash,sh,ovftool,vmafossexec,vmaf_*,vmnet-*,vmplayer,vmrest,vmrun,vmss2core,vmstat,vmware,vmware-* +private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl,vmware,vmware-installer,vmware-vix dbus-user none dbus-system none diff -Nru firejail-0.9.64/etc/profile-m-z/vscodium.profile firejail-0.9.64.4/etc/profile-m-z/vscodium.profile --- firejail-0.9.64/etc/profile-m-z/vscodium.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/vscodium.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,6 +1,9 @@ # Firejail profile alias for Visual Studio Code # This file is overwritten after every install/update +# Persistent local customizations +include vscodium.local + noblacklist ${HOME}/.VSCodium # Redirect diff -Nru firejail-0.9.64/etc/profile-m-z/vulturesclaw.profile firejail-0.9.64.4/etc/profile-m-z/vulturesclaw.profile --- firejail-0.9.64/etc/profile-m-z/vulturesclaw.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/vulturesclaw.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,6 +1,9 @@ # Firejail profile alias for nethack-vultures # This file is overwritten after every install/update +# Persistent local customizations +include vulturesclaw.local + noblacklist /var/games/vulturesclaw whitelist /var/games/vulturesclaw diff -Nru firejail-0.9.64/etc/profile-m-z/vultureseye.profile firejail-0.9.64.4/etc/profile-m-z/vultureseye.profile --- firejail-0.9.64/etc/profile-m-z/vultureseye.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/vultureseye.profile 2021-02-04 15:29:49.000000000 +0000 
@@ -1,6 +1,9 @@ # Firejail profile alias for nethack-vultures # This file is overwritten after every install/update +# Persistent local customizations +include vultureseye.local + noblacklist /var/games/vultureseye whitelist /var/games/vultureseye diff -Nru firejail-0.9.64/etc/profile-m-z/w3m.profile firejail-0.9.64.4/etc/profile-m-z/w3m.profile --- firejail-0.9.64/etc/profile-m-z/w3m.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/w3m.profile 2021-02-04 15:29:49.000000000 +0000 @@ -7,6 +7,11 @@ # Persistent global definitions include globals.local +# Uncomment or add to your w3m.local if you want to use w3m-img on a vconsole +#ignore nogroups +#ignore private-dev +#ignore private-etc + noblacklist ${HOME}/.w3m blacklist /tmp/.X11-unix diff -Nru firejail-0.9.64/etc/profile-m-z/warzone2100.profile firejail-0.9.64.4/etc/profile-m-z/warzone2100.profile --- firejail-0.9.64/etc/profile-m-z/warzone2100.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/warzone2100.profile 2021-02-04 15:29:49.000000000 +0000 @@ -16,8 +16,8 @@ include disable-programs.inc include disable-shell.inc -# mkdir ${HOME}/.warzone2100-3.1 -# mkdir ${HOME}/.warzone2100-3.2 +mkdir ${HOME}/.warzone2100-3.1 +mkdir ${HOME}/.warzone2100-3.2 whitelist ${HOME}/.warzone2100-3.1 whitelist ${HOME}/.warzone2100-3.2 whitelist /usr/share/games diff -Nru firejail-0.9.64/etc/profile-m-z/weechat-curses.profile firejail-0.9.64.4/etc/profile-m-z/weechat-curses.profile --- firejail-0.9.64/etc/profile-m-z/weechat-curses.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/weechat-curses.profile 2021-02-04 15:29:49.000000000 +0000 
@@ -1,5 +1,8 @@ # Firejail profile alias for weechat # This file is overwritten after every install/update +# Persistent local customizations +include weechat-curses.local + # Redirect include weechat.profile diff -Nru firejail-0.9.64/etc/profile-m-z/wget.profile firejail-0.9.64.4/etc/profile-m-z/wget.profile --- firejail-0.9.64/etc/profile-m-z/wget.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/wget.profile 2021-02-04 15:29:49.000000000 +0000 @@ -12,7 +12,6 @@ noblacklist ${HOME}/.wgetrc blacklist /tmp/.X11-unix -blacklist ${RUNUSER}/wayland-* blacklist ${RUNUSER} include disable-common.inc @@ -44,6 +43,7 @@ novideo protocol unix,inet,inet6 seccomp +seccomp.block-secondary shell none tracelog diff -Nru firejail-0.9.64/etc/profile-m-z/whalebird.profile firejail-0.9.64.4/etc/profile-m-z/whalebird.profile --- firejail-0.9.64/etc/profile-m-z/whalebird.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/whalebird.profile 2021-02-04 15:29:49.000000000 +0000 
@@ -4,36 +4,24 @@ # Persistent local customizations include whalebird.local # Persistent global definitions -# added by included profile -#include globals.local +include globals.local + +# Disabled until someone reported positive feedback +ignore include whitelist-runuser-common.inc +ignore include whitelist-usr-share-common.inc ignore dbus-user none ignore dbus-system none noblacklist ${HOME}/.config/Whalebird -include disable-devel.inc -include disable-exec.inc -include disable-interpreters.inc -include disable-xdg.inc - mkdir ${HOME}/.config/Whalebird whitelist ${HOME}/.config/Whalebird -include whitelist-common.inc -include whitelist-var-common.inc no3d -nou2f -novideo -protocol unix,inet,inet6 -shell none -disable-mnt private-bin whalebird -private-cache -private-dev private-etc fonts,machine-id -private-tmp # Redirect include electron.profile diff -Nru firejail-0.9.64/etc/profile-m-z/whois.profile firejail-0.9.64.4/etc/profile-m-z/whois.profile --- firejail-0.9.64/etc/profile-m-z/whois.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/whois.profile 2021-02-04 15:29:49.000000000 +0000 @@ -8,7 +8,6 @@ include globals.local blacklist /tmp/.X11-unix -blacklist ${RUNUSER}/wayland-* blacklist ${RUNUSER} include disable-common.inc @@ -39,6 +38,7 @@ novideo protocol inet,inet6 seccomp +seccomp.block-secondary shell none tracelog diff -Nru firejail-0.9.64/etc/profile-m-z/wine.profile firejail-0.9.64.4/etc/profile-m-z/wine.profile --- firejail-0.9.64/etc/profile-m-z/wine.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/wine.profile 2021-02-04 15:29:49.000000000 +0000 @@ -6,6 +6,7 @@ # Persistent global definitions include globals.local +noblacklist ${HOME}/.cache/winetricks noblacklist ${HOME}/.Steam noblacklist ${HOME}/.local/share/Steam noblacklist ${HOME}/.local/share/steam 
@@ -19,6 +20,8 @@ include disable-passwdmgr.inc include disable-programs.inc +# whitelist /usr/share/wine +# include whitelist-usr-share-common.inc include whitelist-var-common.inc # some applications don't need allow-debuggers, comment the next line diff -Nru firejail-0.9.64/etc/profile-m-z/wire-desktop.profile firejail-0.9.64.4/etc/profile-m-z/wire-desktop.profile --- firejail-0.9.64/etc/profile-m-z/wire-desktop.profile 2020-10-17 15:28:33.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/wire-desktop.profile 2021-02-04 15:29:49.000000000 +0000 @@ -4,33 +4,29 @@ # Persistent local customizations include wire-desktop.local # Persistent global definitions -# added by included profile -#include globals.local +include globals.local # Debian/Ubuntu use /opt/Wire. As that is not in PATH by default, run `firejail /opt/Wire/wire-desktop` to start it. +# Disabled until someone reported positive feedback +ignore include disable-exec.inc +ignore include disable-xdg.inc +ignore include whitelist-runuser-common.inc +ignore include whitelist-usr-share-common.inc +ignore include whitelist-var-common.inc +ignore novideo +ignore private-cache + ignore dbus-user none ignore dbus-system none noblacklist ${HOME}/.config/Wire -include disable-devel.inc -include disable-interpreters.inc - mkdir ${HOME}/.config/Wire whitelist ${HOME}/.config/Wire -include whitelist-common.inc - -nou2f -ignore seccomp -seccomp !chroot -shell none -disable-mnt private-bin bash,electron,electron[0-9],electron[0-9][0-9],env,sh,wire-desktop -private-dev private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,resolv.conf,ssl -private-tmp # Redirect include electron.profile diff -Nru firejail-0.9.64/etc/profile-m-z/wireshark-gtk.profile firejail-0.9.64.4/etc/profile-m-z/wireshark-gtk.profile --- firejail-0.9.64/etc/profile-m-z/wireshark-gtk.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/wireshark-gtk.profile 2021-02-04 15:29:49.000000000 +0000 
@@ -2,5 +2,8 @@ # Description: Network protocol analyzer # This file is overwritten after every install/update +# Persistent local customizations +include wireshark-gtk.local + # Redirect include wireshark.profile diff -Nru firejail-0.9.64/etc/profile-m-z/wireshark.profile firejail-0.9.64.4/etc/profile-m-z/wireshark.profile --- firejail-0.9.64/etc/profile-m-z/wireshark.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/wireshark.profile 2021-02-04 15:29:49.000000000 +0000 @@ -38,8 +38,8 @@ notv nou2f novideo -# protocol unix,inet,inet6,netlink -# seccomp - breaks network traffic capture for unprivileged users +# protocol unix,inet,inet6,netlink,packet,bluetooth - commented out in case they bring in new protocols +seccomp shell none tracelog diff -Nru firejail-0.9.64/etc/profile-m-z/wireshark-qt.profile firejail-0.9.64.4/etc/profile-m-z/wireshark-qt.profile --- firejail-0.9.64/etc/profile-m-z/wireshark-qt.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/wireshark-qt.profile 2021-02-04 15:29:49.000000000 +0000 @@ -2,5 +2,8 @@ # Description: Network protocol analyzer # This file is overwritten after every install/update +# Persistent local customizations +include wireshark-qt.local + # Redirect include wireshark.profile diff -Nru firejail-0.9.64/etc/profile-m-z/xfce4-mixer.profile firejail-0.9.64.4/etc/profile-m-z/xfce4-mixer.profile --- firejail-0.9.64/etc/profile-m-z/xfce4-mixer.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/xfce4-mixer.profile 2021-02-04 15:29:49.000000000 +0000 @@ -19,6 +19,7 @@ mkfile ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml whitelist ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml +whitelist /usr/share/gstreamer whitelist /usr/share/xfce4 whitelist /usr/share/xfce4-mixer include whitelist-common.inc 
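Review bot: `seccomp` is enabled in wireshark.profile while the removed line documented that it `breaks network traffic capture for unprivileged users`, and nothing in the hunk says what changed to make it safe now. Add a comment naming the verification or tracker reference, e.g. `# seccomp - unprivileged capture verified, see <ISSUE-ID>`, or keep the previous warning until that is confirmed. The `protocol` line remains commented out with a new note about packet and bluetooth protocols; stating in the same comment whether the default seccomp filter was checked against those paths would help the next maintainer.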
@@ -48,7 +49,9 @@ private-etc alternatives,asound.conf,fonts,machine-id,pulse private-tmp -# dbus-user none -# dbus-system none +dbus-user filter +dbus-user.own org.xfce.xfce4-mixer +dbus-user.talk org.xfce.Xfconf +dbus-system none -memory-deny-write-execute +# memory-deny-write-execute - breaks on Arch diff -Nru firejail-0.9.64/etc/profile-m-z/xfce4-screenshooter.profile firejail-0.9.64.4/etc/profile-m-z/xfce4-screenshooter.profile --- firejail-0.9.64/etc/profile-m-z/xfce4-screenshooter.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/xfce4-screenshooter.profile 2021-02-04 15:29:49.000000000 +0000 @@ -48,4 +48,4 @@ dbus-user none dbus-system none -memory-deny-write-execute +# memory-deny-write-execute -- see #3790 diff -Nru firejail-0.9.64/etc/profile-m-z/xonotic-glx.profile firejail-0.9.64.4/etc/profile-m-z/xonotic-glx.profile --- firejail-0.9.64/etc/profile-m-z/xonotic-glx.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/xonotic-glx.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,5 +1,8 @@ # Firejail profile alias for xonotic # This file is overwritten after every install/update +# Persistent local customizations +include xonotic-glx.local + # Redirect include xonotic.profile diff -Nru firejail-0.9.64/etc/profile-m-z/xonotic-sdl.profile firejail-0.9.64.4/etc/profile-m-z/xonotic-sdl.profile --- firejail-0.9.64/etc/profile-m-z/xonotic-sdl.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/xonotic-sdl.profile 2021-02-04 15:29:49.000000000 +0000 
@@ -1,5 +1,8 @@ # Firejail profile alias for xonotic # This file is overwritten after every install/update +# Persistent local customizations +include xonotic-sdl.local + # Redirect include xonotic.profile diff -Nru firejail-0.9.64/etc/profile-m-z/xournalpp.profile firejail-0.9.64.4/etc/profile-m-z/xournalpp.profile --- firejail-0.9.64/etc/profile-m-z/xournalpp.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/xournalpp.profile 2021-02-04 15:29:49.000000000 +0000 @@ -9,6 +9,8 @@ noblacklist ${HOME}/.xournalpp +include allow-lua.inc + whitelist /usr/share/texlive whitelist /usr/share/xournalpp whitelist /var/lib/texmf @@ -16,6 +18,7 @@ #mkdir ${HOME}/.xournalpp #whitelist ${HOME}/.xournalpp +#whitelist ${HOME}/.texlive20* #whitelist ${DOCUMENTS} #include whitelist-common.inc diff -Nru firejail-0.9.64/etc/profile-m-z/xournal.profile firejail-0.9.64.4/etc/profile-m-z/xournal.profile --- firejail-0.9.64/etc/profile-m-z/xournal.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/xournal.profile 2021-02-04 15:29:49.000000000 +0000 @@ -36,6 +36,7 @@ novideo protocol unix seccomp +seccomp.block-secondary shell none tracelog diff -Nru firejail-0.9.64/etc/profile-m-z/xplayer.profile firejail-0.9.64.4/etc/profile-m-z/xplayer.profile --- firejail-0.9.64/etc/profile-m-z/xplayer.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/xplayer.profile 2021-02-04 15:29:49.000000000 +0000 
@@ -25,7 +25,7 @@ whitelist ${HOME}/.config/xplayer whitelist ${HOME}/.local/share/xplayer include whitelist-common.inc -include whitelist-players.inc +include whitelist-player-common.inc include whitelist-var-common.inc # apparmor - makes settings immutable diff -Nru firejail-0.9.64/etc/profile-m-z/xzcat.profile firejail-0.9.64.4/etc/profile-m-z/xzcat.profile --- firejail-0.9.64/etc/profile-m-z/xzcat.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/xzcat.profile 2021-02-04 15:29:49.000000000 +0000 @@ -3,5 +3,8 @@ # This file is overwritten after every install/update quiet +# Persistent local customizations +include xzcat.local + # Redirect include cpio.profile diff -Nru firejail-0.9.64/etc/profile-m-z/xzcmp.profile firejail-0.9.64.4/etc/profile-m-z/xzcmp.profile --- firejail-0.9.64/etc/profile-m-z/xzcmp.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/xzcmp.profile 2021-02-04 15:29:49.000000000 +0000 @@ -3,5 +3,8 @@ # This file is overwritten after every install/update quiet +# Persistent local customizations +include xzcmp.local + # Redirect include cpio.profile diff -Nru firejail-0.9.64/etc/profile-m-z/xzdec.profile firejail-0.9.64.4/etc/profile-m-z/xzdec.profile --- firejail-0.9.64/etc/profile-m-z/xzdec.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/xzdec.profile 2021-02-04 15:29:49.000000000 +0000 
@@ -7,35 +7,4 @@ # Persistent global definitions include globals.local -blacklist ${RUNUSER}/wayland-* - -include disable-common.inc -include disable-devel.inc -include disable-exec.inc -include disable-interpreters.inc -include disable-passwdmgr.inc -include disable-programs.inc - -caps.drop all -ipc-namespace -machine-id -net none -no3d -nodvd -#nogroups -nonewprivs -#noroot -nosound -notv -nou2f -novideo -protocol unix -seccomp -shell none -tracelog -x11 none - -private-dev - -dbus-user none -dbus-system none +include archiver-common.inc diff -Nru firejail-0.9.64/etc/profile-m-z/xzdiff.profile firejail-0.9.64.4/etc/profile-m-z/xzdiff.profile --- firejail-0.9.64/etc/profile-m-z/xzdiff.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/xzdiff.profile 2021-02-04 15:29:49.000000000 +0000 @@ -3,5 +3,8 @@ # This file is overwritten after every install/update quiet +# Persistent local customizations +include xzdiff.local + # Redirect include cpio.profile diff -Nru firejail-0.9.64/etc/profile-m-z/xzegrep.profile firejail-0.9.64.4/etc/profile-m-z/xzegrep.profile --- firejail-0.9.64/etc/profile-m-z/xzegrep.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/xzegrep.profile 2021-02-04 15:29:49.000000000 +0000 @@ -3,5 +3,8 @@ # This file is overwritten after every install/update quiet +# Persistent local customizations +include xzegrep.local + # Redirect include cpio.profile diff -Nru firejail-0.9.64/etc/profile-m-z/xzfgrep.profile firejail-0.9.64.4/etc/profile-m-z/xzfgrep.profile --- firejail-0.9.64/etc/profile-m-z/xzfgrep.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/xzfgrep.profile 2021-02-04 15:29:49.000000000 +0000 
@@ -3,5 +3,8 @@ # This file is overwritten after every install/update quiet +# Persistent local customizations +include xzfgrep.local + # Redirect include cpio.profile diff -Nru firejail-0.9.64/etc/profile-m-z/xzgrep.profile firejail-0.9.64.4/etc/profile-m-z/xzgrep.profile --- firejail-0.9.64/etc/profile-m-z/xzgrep.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/xzgrep.profile 2021-02-04 15:29:49.000000000 +0000 @@ -2,5 +2,8 @@ # Description: Library and command line tools for XZ and LZMA compressed files # This file is overwritten after every install/update +# Persistent local customizations +include xzgrep.local + # Redirect include cpio.profile diff -Nru firejail-0.9.64/etc/profile-m-z/xzless.profile firejail-0.9.64.4/etc/profile-m-z/xzless.profile --- firejail-0.9.64/etc/profile-m-z/xzless.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/xzless.profile 2021-02-04 15:29:49.000000000 +0000 @@ -2,5 +2,8 @@ # Description: Library and command line tools for XZ and LZMA compressed files # This file is overwritten after every install/update +# Persistent local customizations +include xzless.local + # Redirect include cpio.profile diff -Nru firejail-0.9.64/etc/profile-m-z/xzmore.profile firejail-0.9.64.4/etc/profile-m-z/xzmore.profile --- firejail-0.9.64/etc/profile-m-z/xzmore.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/xzmore.profile 2021-02-04 15:29:49.000000000 +0000 @@ -3,5 +3,8 @@ # This file is overwritten after every install/update quiet +# Persistent local customizations +include xzmore.local + # Redirect include cpio.profile diff -Nru firejail-0.9.64/etc/profile-m-z/xz.profile firejail-0.9.64.4/etc/profile-m-z/xz.profile --- firejail-0.9.64/etc/profile-m-z/xz.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/xz.profile 2021-02-04 15:29:49.000000000 +0000 
@@ -3,5 +3,8 @@ # This file is overwritten after every install/update quiet +# Persistent local customizations +include xz.local + # Redirect include cpio.profile diff -Nru firejail-0.9.64/etc/profile-m-z/yandex-browser.profile firejail-0.9.64.4/etc/profile-m-z/yandex-browser.profile --- firejail-0.9.64/etc/profile-m-z/yandex-browser.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/yandex-browser.profile 2021-02-04 15:29:49.000000000 +0000 @@ -5,6 +5,11 @@ # Persistent global definitions include globals.local +# Disable for now, see https://www.tutorialspoint.com/difference-between-void-main-and-int-main-in-c-cplusplus +ignore whitelist /usr/share/chromium +ignore include whitelist-runuser-common.inc +ignore include whitelist-usr-share-common.inc + noblacklist ${HOME}/.cache/yandex-browser noblacklist ${HOME}/.cache/yandex-browser-beta noblacklist ${HOME}/.config/yandex-browser diff -Nru firejail-0.9.64/etc/profile-m-z/yarn.profile firejail-0.9.64.4/etc/profile-m-z/yarn.profile --- firejail-0.9.64/etc/profile-m-z/yarn.profile 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/yarn.profile 2021-02-04 15:29:49.000000000 +0000 
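Review bot: The new comment `# Disable for now, see https://www.tutorialspoint.com/difference-between-void-main-and-int-main-in-c-cplusplus` in yandex-browser.profile points at an unrelated C tutorial, so the reason for the three `ignore` lines that drop the /usr/share/chromium whitelist and the runuser/usr-share whitelist includes is lost. Replace the link with the actual tracker reference or a plain explanation, e.g. `# Disabled for now, see <ISSUE-ID>`.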
@@ -0,0 +1,29 @@ +# Firejail profile for yarn +# Description: Fast, reliable, and secure dependency management +quiet +# Persistent local customizations +include yarn.local +# Persistent global definitions +include globals.local + +ignore read-only ${HOME}/.yarnrc + +noblacklist ${HOME}/.yarn +noblacklist ${HOME}/.yarn-config +noblacklist ${HOME}/.yarncache +noblacklist ${HOME}/.yarnrc + +# If you want whitelisting, change ${HOME}/Projects below to your yarn projects directory and uncomment the lines below. +#mkdir ${HOME}/.yarn +#mkdir ${HOME}/.yarn-config +#mkdir ${HOME}/.yarncache +#mkfile ${HOME}/.yarnrc +#whitelist ${HOME}/.yarn +#whitelist ${HOME}/.yarn-config +#whitelist ${HOME}/.yarncache +#whitelist ${HOME}/.yarnrc +#whitelist ${HOME}/Projects +#include whitelist-common.inc + +# Redirect +include nodejs-common.profile diff -Nru firejail-0.9.64/etc/profile-m-z/yelp.profile firejail-0.9.64.4/etc/profile-m-z/yelp.profile --- firejail-0.9.64/etc/profile-m-z/yelp.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/yelp.profile 2021-02-04 15:29:49.000000000 +0000 @@ -20,7 +20,9 @@ mkdir ${HOME}/.config/yelp whitelist ${HOME}/.config/yelp whitelist /usr/share/doc +whitelist /usr/share/groff whitelist /usr/share/help +whitelist /usr/share/man whitelist /usr/share/yelp whitelist /usr/share/yelp-tools whitelist /usr/share/yelp-xsl 
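Review bot: `ignore read-only ${HOME}/.yarnrc` re-enables writes to the file that selects the registry yarn installs from, presumably cancelling a `read-only` rule in the redirected nodejs-common.profile, and the new profile gives no reason. Document it on the line above, e.g. `# yarn config writes ${HOME}/.yarnrc - TODO confirm`, so a reviewer can judge whether the write access is still needed. The comment `change ${HOME}/Projects below to your yarn projects directory` refers to the commented `#whitelist ${HOME}/Projects` line; naming that line explicitly would avoid confusion.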
@@ -31,31 +33,44 @@ apparmor caps.drop all +# machine-id breaks sound - uncomment here or put it in your yelp.local if you don't need it +#machine-id net none nodvd nogroups nonewprivs noroot +# nosound - uncomment here or put it in your yelp.local if you don't need it +#nosound notv nou2f novideo protocol unix seccomp +seccomp.block-secondary shell none tracelog disable-mnt -private-bin yelp +private-bin groff,man,tbl,troff,yelp private-cache private-dev -private-etc alsa,alternatives,asound.conf,crypto-policies,cups,dconf,drirc,fonts,gcrypt,gtk-3.0,machine-id,openal,os-release,pulse,sgml,xml +private-etc alsa,alternatives,asound.conf,crypto-policies,cups,dconf,drirc,fonts,gcrypt,groff,gtk-3.0,machine-id,man_db.conf,openal,os-release,pulse,sgml,xml private-tmp +dbus-user filter +dbus-user.own org.gnome.Yelp +dbus-user.talk ca.desrt.dconf dbus-system none -# read-only ${HOME} breaks some not necesarry featrues, comment it if -# you need them or put 'ignore read-only ${HOME}' into your yelp.local. -# broken features: +# read-only ${HOME} breaks some features: # 1. yelp --editor-mode # 2. saving the window geometry +# comment the line below or put 'ignore read-only ${HOME}' into your yelp.local if you need these features read-only ${HOME} +read-write ${HOME}/.cache +# 3. printing to PDF in ${DOCUMENTS} +# additionally uncomment the lines below or put 'noblacklist ${DOCUMENTS}' and +# 'whitelist ${DOCUMENTS}' into your yelp.local if you need printing to PDF support +#noblacklist ${DOCUMENTS} +#whitelist ${DOCUMENTS} diff -Nru firejail-0.9.64/etc/profile-m-z/youtube-dl.profile firejail-0.9.64.4/etc/profile-m-z/youtube-dl.profile --- firejail-0.9.64/etc/profile-m-z/youtube-dl.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/youtube-dl.profile 2021-02-04 15:29:49.000000000 +0000 @@ -21,7 +21,6 @@ include allow-python3.inc blacklist /tmp/.X11-unix -blacklist ${RUNUSER}/wayland-* blacklist ${RUNUSER} include disable-common.inc 
@@ -52,6 +51,7 @@ novideo protocol unix,inet,inet6 seccomp +seccomp.block-secondary shell none tracelog diff -Nru firejail-0.9.64/etc/profile-m-z/youtubemusic-nativefier.profile firejail-0.9.64.4/etc/profile-m-z/youtubemusic-nativefier.profile --- firejail-0.9.64/etc/profile-m-z/youtubemusic-nativefier.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/youtubemusic-nativefier.profile 2021-02-04 15:29:49.000000000 +0000 @@ -8,31 +8,14 @@ noblacklist ${HOME}/.config/youtubemusic-nativefier-040164 -include disable-devel.inc -include disable-exec.inc -include disable-interpreters.inc -include disable-shell.inc -include disable-xdg.inc +include disable-shell.inc mkdir ${HOME}/.config/youtubemusic-nativefier-040164 whitelist ${HOME}/.config/youtubemusic-nativefier-040164 -include whitelist-common.inc -include whitelist-runuser-common.inc -include whitelist-usr-share-common.inc -include whitelist-var-common.inc -nou2f -novideo -seccomp !chroot -shell none - -disable-mnt private-bin youtubemusic-nativefier -private-cache -private-dev private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg private-opt youtubemusic-nativefier -private-tmp # Redirect include electron.profile diff -Nru firejail-0.9.64/etc/profile-m-z/youtube.profile firejail-0.9.64.4/etc/profile-m-z/youtube.profile --- firejail-0.9.64/etc/profile-m-z/youtube.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/youtube.profile 2021-02-04 15:29:49.000000000 +0000 
@@ -6,32 +6,19 @@ # Persistent global definitions include globals.local +# Disabled until someone reported positive feedback +ignore nou2f + noblacklist ${HOME}/.config/Youtube -include disable-devel.inc -include disable-exec.inc -include disable-interpreters.inc -include disable-shell.inc -include disable-xdg.inc +include disable-shell.inc mkdir ${HOME}/.config/Youtube whitelist ${HOME}/.config/Youtube -include whitelist-common.inc -include whitelist-runuser-common.inc -include whitelist-usr-share-common.inc -include whitelist-var-common.inc - -novideo -seccomp !chroot -shell none -disable-mnt private-bin youtube -private-cache -private-dev private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg private-opt Youtube -private-tmp # Redirect include electron.profile diff -Nru firejail-0.9.64/etc/profile-m-z/youtube-viewer.profile firejail-0.9.64.4/etc/profile-m-z/youtube-viewer.profile --- firejail-0.9.64/etc/profile-m-z/youtube-viewer.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/youtube-viewer.profile 2021-02-04 15:29:49.000000000 +0000 @@ -7,10 +7,6 @@ # Persistent global definitions include globals.local -blacklist /tmp/.X11-unix -blacklist ${RUNUSER}/wayland-* -blacklist ${RUNUSER} - noblacklist ${HOME}/.config/youtube-viewer include allow-perl.inc 
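Review bot: Removing `blacklist /tmp/.X11-unix`, `blacklist ${RUNUSER}/wayland-*` and `blacklist ${RUNUSER}` from youtube-viewer.profile gives the sandbox back access to the display sockets and the whole `${RUNUSER}` directory without a comment explaining why. If the GTK front-ends and players listed in the `private-bin` line of the following hunk need a display, say so, e.g. `# display access needed by gtk-youtube-viewer, mpv and vlc`; if only the display sockets are needed, `include whitelist-runuser-common.inc`, used by other profiles in this diff, presumably keeps the rest of `${RUNUSER}` hidden. The youtube hunk on this line repeats the comment wording already noted at the twitch hunk.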
@@ -47,11 +43,11 @@ tracelog disable-mnt -# private-bin ffmpeg,ffprobe,firefox,gtk-youtube-viewer,gtk2-youtube-viewer,gtk3-youtube-viewer,mpv,python*,smplayer,sh,which,vlc,youtube-dl,youtube-viewer +private-bin ffmpeg,ffprobe,firefox,gtk-youtube-viewer,gtk2-youtube-viewer,gtk3-youtube-viewer,mpv,python*,sh,smplayer,stty,vlc,which,youtube-dl,youtube-viewer private-cache private-dev private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,machine-id,mime.types,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl,X11,xdg private-tmp dbus-user none -dbus-system none \ No newline at end of file +dbus-system none diff -Nru firejail-0.9.64/etc/profile-m-z/ytmdesktop.profile firejail-0.9.64.4/etc/profile-m-z/ytmdesktop.profile --- firejail-0.9.64/etc/profile-m-z/ytmdesktop.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/ytmdesktop.profile 2021-02-04 15:29:49.000000000 +0000 
@@ -10,30 +10,12 @@ noblacklist ${HOME}/.config/youtube-music-desktop-app -include disable-devel.inc -include disable-exec.inc -include disable-interpreters.inc -include disable-xdg.inc - mkdir ${HOME}/.config/youtube-music-desktop-app whitelist ${HOME}/.config/youtube-music-desktop-app -include whitelist-common.inc -include whitelist-runuser-common.inc -include whitelist-usr-share-common.inc -include whitelist-var-common.inc - -nou2f -novideo -seccomp !chroot -shell none -disable-mnt # private-bin env,ytmdesktop -private-cache -private-dev private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg -# private-opt -private-tmp +# private-opt # Redirect include electron.profile diff -Nru firejail-0.9.64/etc/profile-m-z/zathura.profile firejail-0.9.64.4/etc/profile-m-z/zathura.profile --- firejail-0.9.64/etc/profile-m-z/zathura.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/zathura.profile 2021-02-04 15:29:49.000000000 +0000 @@ -28,7 +28,6 @@ apparmor caps.drop all -ipc-namespace machine-id net none nodvd diff -Nru firejail-0.9.64/etc/profile-m-z/zcat.profile firejail-0.9.64.4/etc/profile-m-z/zcat.profile --- firejail-0.9.64/etc/profile-m-z/zcat.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/zcat.profile 2021-02-04 15:29:49.000000000 +0000 @@ -8,6 +8,7 @@ #include globals.local # Allow running kernel config check +ignore include disable-shell.inc noblacklist /proc/config.gz # Redirect diff -Nru firejail-0.9.64/etc/profile-m-z/zgrep.profile firejail-0.9.64.4/etc/profile-m-z/zgrep.profile --- firejail-0.9.64/etc/profile-m-z/zgrep.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/zgrep.profile 2021-02-04 15:29:49.000000000 +0000 
@@ -8,6 +8,7 @@ #include globals.local # Allow running kernel config check +ignore include disable-shell.inc noblacklist /proc/config.gz # Redirect diff -Nru firejail-0.9.64/etc/profile-m-z/zoom.profile firejail-0.9.64.4/etc/profile-m-z/zoom.profile --- firejail-0.9.64/etc/profile-m-z/zoom.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/zoom.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,20 +1,25 @@ # Firejail profile for zoom +# Description: Video Conferencing and Web Conferencing Service # This file is overwritten after every install/update # Persistent local customizations include zoom.local # Persistent global definitions include globals.local +# Disabled until someone reported positive feedback +ignore apparmor +ignore novideo +ignore dbus-user none +ignore dbus-system none + +# nogroups breaks webcam access on non-systemd systems (see #3711). +# If you use such a system uncomment the line below or put 'ignore nogroups' in your zoom.local +#ignore nogroups + noblacklist ${HOME}/.config/zoomus.conf noblacklist ${HOME}/.zoom -include disable-common.inc -include disable-devel.inc -include disable-exec.inc -include disable-interpreters.inc -include disable-passwdmgr.inc -include disable-programs.inc -include disable-xdg.inc +nowhitelist ${DOWNLOADS} mkdir ${HOME}/.cache/zoom mkfile ${HOME}/.config/zoomus.conf 
@@ -22,26 +27,9 @@ whitelist ${HOME}/.cache/zoom whitelist ${HOME}/.config/zoomus.conf whitelist ${HOME}/.zoom -include whitelist-common.inc -include whitelist-runuser-common.inc -include whitelist-usr-share-common.inc -include whitelist-var-common.inc - -caps.drop all -netfilter -nodvd -nogroups -nonewprivs -noroot -notv -nou2f -protocol unix,inet,inet6,netlink -seccomp !chroot -shell none -tracelog - -disable-mnt -private-cache -private-dev -private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl -private-tmp + +# Disable for now, see https://github.com/netblue30/firejail/issues/3726 +#private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl + +# Redirect +include electron.profile diff -Nru firejail-0.9.64/etc/profile-m-z/zstdcat.profile firejail-0.9.64.4/etc/profile-m-z/zstdcat.profile --- firejail-0.9.64/etc/profile-m-z/zstdcat.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/zstdcat.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,5 +1,8 @@ # Firejail profile alias for zstd # This file is overwritten after every install/update +# Persistent local customizations +include zstdcat.local + # Redirect include zstd.profile diff -Nru firejail-0.9.64/etc/profile-m-z/zstdgrep.profile firejail-0.9.64.4/etc/profile-m-z/zstdgrep.profile --- firejail-0.9.64/etc/profile-m-z/zstdgrep.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/zstdgrep.profile 2021-02-04 15:29:49.000000000 +0000 
@@ -1,5 +1,8 @@ # Firejail profile alias for zstd # This file is overwritten after every install/update +# Persistent local customizations +include zstdgrep.local + # Redirect include zstd.profile diff -Nru firejail-0.9.64/etc/profile-m-z/zstdless.profile firejail-0.9.64.4/etc/profile-m-z/zstdless.profile --- firejail-0.9.64/etc/profile-m-z/zstdless.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/zstdless.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,5 +1,8 @@ # Firejail profile alias for zstd # This file is overwritten after every install/update +# Persistent local customizations +include zstdless.local + # Redirect include zstd.profile diff -Nru firejail-0.9.64/etc/profile-m-z/zstdmt.profile firejail-0.9.64.4/etc/profile-m-z/zstdmt.profile --- firejail-0.9.64/etc/profile-m-z/zstdmt.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/zstdmt.profile 2021-02-04 15:29:49.000000000 +0000 @@ -1,5 +1,8 @@ # Firejail profile alias for zstd # This file is overwritten after every install/update +# Persistent local customizations +include zstdmt.local + # Redirect include zstd.profile diff -Nru firejail-0.9.64/etc/profile-m-z/zstd.profile firejail-0.9.64.4/etc/profile-m-z/zstd.profile --- firejail-0.9.64/etc/profile-m-z/zstd.profile 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/profile-m-z/zstd.profile 2021-02-04 15:29:49.000000000 +0000 
@@ -7,37 +7,4 @@ # Persistent global definitions include globals.local -blacklist ${RUNUSER}/wayland-* - -include disable-common.inc -include disable-devel.inc -include disable-exec.inc -include disable-interpreters.inc -include disable-passwdmgr.inc -include disable-programs.inc - -apparmor -caps.drop all -hostname zstd -ipc-namespace -machine-id -net none -no3d -nodvd -nogroups -nonewprivs -#noroot -nosound -notv -nou2f -novideo -protocol unix -seccomp -shell none -tracelog -x11 none - -private-cache -private-dev - -memory-deny-write-execute +include archiver-common.inc diff -Nru firejail-0.9.64/etc/templates/profile.template firejail-0.9.64.4/etc/templates/profile.template --- firejail-0.9.64/etc/templates/profile.template 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/templates/profile.template 2021-02-04 15:29:49.000000000 +0000 @@ -157,6 +157,8 @@ #seccomp ##seccomp !chroot ##seccomp.drop SYSCALLS (see syscalls.txt) +#seccomp.block-secondary +##seccomp-error-action log (Only for debugging seccomp issues) #shell none #tracelog # Prefer 'x11 none' instead of 'blacklist /tmp/.X11-unix' if 'net none' is set diff -Nru firejail-0.9.64/etc/templates/syscalls.txt firejail-0.9.64.4/etc/templates/syscalls.txt --- firejail-0.9.64/etc/templates/syscalls.txt 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/etc/templates/syscalls.txt 2021-02-04 15:29:49.000000000 +0000 
@@ -35,7 +35,7 @@ @debug=lookup_dcookie,perf_event_open,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext @default=@clock,@cpu-emulation,@debug,@module,@mount,@obsolete,@raw-io,@reboot,@swap,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,kcmp,add_key,request_key,mbind,migrate_pages,move_pages,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,set_mempolicyvmsplice,userfaultfd,acct,bpf,nfsservctl,setdomainname,sethostname,vhangup @default-nodebuggers=@default,ptrace,personality,process_vm_readv -@default-keep=execve,prctl +@default-keep=execveat,execve,prctl @file-system=access,chdir,chmod,close,creat,faccessat,fallocate,fchdir,fchmod,fchmodat,fcntl,fcntl64,fgetxattr,flistxattr,fremovexattr,fsetxattr,fstat,fstat64,fstatat64,fstatfs,fstatfs64,ftruncate,ftruncate64,futimesat,getcwd,getdents,getdents64,getxattr,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,lgetxattr,link,linkat,listxattr,llistxattr,lremovexattr,lsetxattr,lstat,lstat64,mkdir,mkdirat,mknod,mknodat,mmap,mmap2,munmap,newfstatat,oldfstat,oldlstat,oldstat,open,openat,readlink,readlinkat,removexattr,rename,renameat,renameat2,rmdir,setxattr,stat,stat64,statfs,statfs64,statx,symlink,symlinkat,truncate,truncate64,unlink,unlinkat,utime,utimensat,utimes @io-event=_newselect,epoll_create,epoll_create1,epoll_ctl,epoll_ctl_old,epoll_pwait,epoll_wait,epoll_wait_old,eventfd,eventfd2,poll,ppoll,pselect6,select @ipc=ipc,memfd_create,mq_getsetattr,mq_notify,mq_open,mq_timedreceive,mq_timedsend,mq_unlink,msgctl,msgget,msgrcv,msgsnd,pipe,pipe2,process_vm_readv,process_vm_writev,semctl,semget,semop,semtimedop,shmat,shmctl,shmdt,shmget diff -Nru firejail-0.9.64/Makefile.in firejail-0.9.64.4/Makefile.in --- firejail-0.9.64/Makefile.in 2020-10-13 11:43:23.000000000 +0000 +++ firejail-0.9.64.4/Makefile.in 2021-02-04 15:29:49.000000000 +0000 
@@ -74,6 +74,7 @@ for dir in $$(dirname $(ALL_ITEMS)) $(MYDIRS); do \ $(MAKE) -C $$dir clean; \ done + $(MAKE) -C test clean rm -f $(MANPAGES) $(MANPAGES:%=%.gz) firejail*.rpm rm -f $(SECCOMP_FILTERS) rm -f test/utils/index.html* @@ -92,6 +93,7 @@ for dir in $$(dirname $(ALL_ITEMS)) $(MYDIRS); do \ $(MAKE) -C $$dir distclean; \ done + $(MAKE) -C test distclean rm -fr Makefile autom4te.cache config.log config.status config.h src/common.mk mkdeb.sh realinstall: @@ -109,9 +111,9 @@ install -m 0755 -d $(DESTDIR)$(libdir)/firejail install -m 0644 -t $(DESTDIR)$(libdir)/firejail $(MYLIBS) $(SECCOMP_FILTERS) src/firecfg/firecfg.config install -m 0755 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS) - # non-dumpable plugins - install -m 0755 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS_NON_DUMPABLE) - install -m 0755 -t $(DESTDIR)$(libdir)/firejail src/fshaper/fshaper.sh + # plugins w/o read permission (non-dumpable) + install -m 0711 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS_NON_DUMPABLE) + install -m 0711 -t $(DESTDIR)$(libdir)/firejail src/fshaper/fshaper.sh ifeq ($(HAVE_CONTRIB_INSTALL),yes) # contrib scripts install -m 0755 -t $(DESTDIR)$(libdir)/firejail contrib/*.py contrib/*.sh 
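Review bot: Installing `src/fshaper/fshaper.sh` with mode 0711 does not behave like the 0711 on the compiled `$(SBOX_APPS_NON_DUMPABLE)` on the line above: a `#!` script has to be opened for reading by its interpreter, so without a read bit for group/other it can only be executed by its owner (root), whereas an ELF binary at 0711 still runs for everyone. If fshaper.sh is only ever launched by the setuid firejail binary while running as root this is fine, but that dependency should be recorded next to the rule, e.g. `# plugins w/o read permission (non-dumpable); fshaper.sh is a script, so 0711 means root-only execution`. The `contrib/*.py contrib/*.sh` scripts a few lines further down stay at 0755, so the difference looks deliberate but is unexplained.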
@@ -181,7 +183,7 @@ @echo "If you want to install a different version of firejail, you might also need to run 'rm -fr $(DESTDIR)$(sysconfdir)/firejail', see #2038." DISTFILES = "src etc m4 platform contrib configure configure.ac Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh.in COPYING README RELNOTES" -DISTFILES_TEST = "test/apps test/apps-x11 test/apps-x11-xorg test/root test/fcopy test/environment test/profiles test/utils test/compile test/filters test/network test/arguments test/fs test/sysutils test/chroot" +DISTFILES_TEST = "test/Makefile.in test/apps test/apps-x11 test/apps-x11-xorg test/root test/private-lib test/fnetfilter test/fcopy test/environment test/profiles test/utils test/compile test/filters test/network test/arguments test/fs test/sysutils test/chroot" dist: mv config.status config.status.old 
@@ -227,45 +229,11 @@ # make test # +TESTS=profiles private-lib apps apps-x11 apps-x11-xorg sysutils utils environment filters arguments fs fcopy fnetfilter +TEST_TARGETS=$(patsubst %,test-%,$(TESTS)) -test-profiles: - cd test/profiles; ./profiles.sh | grep TESTING - -test-private-lib: - cd test/private-lib; ./private-lib.sh | grep TESTING - -test-apps: - cd test/apps; ./apps.sh | grep TESTING - -test-apps-x11: - cd test/apps-x11; ./apps-x11.sh | grep TESTING - -test-apps-x11-xorg: - cd test/apps-x11-xorg; ./apps-x11-xorg.sh | grep TESTING - -test-sysutils: - cd test/sysutils; ./sysutils.sh | grep TESTING - -test-utils: - cd test/utils; ./utils.sh | grep TESTING - -test-environment: - cd test/environment; ./environment.sh | grep TESTING - -test-filters: - cd test/filters; ./filters.sh | grep TESTING - -test-arguments: - cd test/arguments; ./arguments.sh | grep TESTING - -test-fs: - cd test/fs; ./fs.sh | grep TESTING - -test-fcopy: - cd test/fcopy; ./fcopy.sh | grep TESTING - -test-fnetfilter: - cd test/fnetfilter; ./fnetfilter.sh | grep TESTING +$(TEST_TARGETS): + $(MAKE) -C test $(subst test-,,$@) test: test-profiles test-private-lib test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters test-arguments echo "TEST COMPLETE" @@ -273,7 +241,7 @@ test-noprofiles: test-private-lib test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters test-arguments echo "TEST COMPLETE" -test-travis: test-profiles test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-filters test-arguments +test-github: test-profiles test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-arguments echo "TEST COMPLETE" ########################################## 
@@ -284,32 +252,32 @@ # a firejail-test account is required, public/private key setup test-ssh: - cd test/ssh; ./ssh.sh | grep TESTING + $(MAKE) -C test $(subst test-,,$@) # requires root access test-chroot: - cd test/chroot; ./chroot.sh | grep testing + $(MAKE) -C test $(subst test-,,$@) # Huge appimage files, not included in "make dist" archive test-appimage: - cd test/appimage; ./appimage.sh | grep TESTING + $(MAKE) -C test $(subst test-,,$@) # Root access, network devices are created before the test # restart your computer to get rid of these devices test-network: - cd test/network; ./network.sh | grep TESTING + $(MAKE) -C test $(subst test-,,$@) # requires the same setup as test-network test-stress: - cd test/stress; ./stress.sh | grep TESTING + $(MAKE) -C test $(subst test-,,$@) # Tests running a root user test-root: - cd test/root; su -c ./root.sh | grep TESTING + $(MAKE) -C test $(subst test-,,$@) # OverlayFS is not available on all platforms test-overlay: - cd test/overlay; ./overlay.sh | grep TESTING + $(MAKE) -C test $(subst test-,,$@) # For testing hidepid system, the command to set it up is "mount -o remount,rw,hidepid=2 /proc" diff -Nru firejail-0.9.64/mkdeb.sh.in firejail-0.9.64.4/mkdeb.sh.in --- firejail-0.9.64/mkdeb.sh.in 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/mkdeb.sh.in 2021-02-04 15:29:49.000000000 +0000 @@ -64,7 +64,7 @@ find $INSTALL_DIR -type d | xargs chmod 755 cd $CODE_DIR fakeroot dpkg-deb --build debian -lintian debian.deb +lintian --no-tag-display-limit debian.deb mv debian.deb ../firejail_${VERSION}${EXTRA_VERSION}_1_$(dpkg-architecture -qDEB_HOST_ARCH).deb cd .. rm -fr $CODE_DIR diff -Nru firejail-0.9.64/platform/rpm/mkrpm.sh firejail-0.9.64.4/platform/rpm/mkrpm.sh --- firejail-0.9.64/platform/rpm/mkrpm.sh 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/platform/rpm/mkrpm.sh 2021-02-04 15:29:49.000000000 +0000 
@@ -44,7 +44,7 @@ # FIXME: We could parse RELNOTES and create a %changelog section here # Copy the source to build into a tarball -tar --exclude='./.git*' --exclude='./test' --transform "s/^./${name}-${version}/" -czf ${tmpdir}/SOURCES/${name}-${version}.tar.gz . +tar --exclude='./.git*' --transform "s/^./${name}-${version}/" -czf ${tmpdir}/SOURCES/${name}-${version}.tar.gz . # Build the files (rpm, debug rpm and source rpm) rpmbuild --quiet --define "_topdir ${tmpdir}" -ba ${tmp_spec_file} diff -Nru firejail-0.9.64/README firejail-0.9.64.4/README --- firejail-0.9.64/README 2020-10-21 11:42:19.000000000 +0000 +++ firejail-0.9.64.4/README 2021-02-04 15:29:49.000000000 +0000 @@ -69,7 +69,8 @@ - add profanity profile - add barrirer profile Aidan Gauland (https://github.com/aidalgol) - - added electron and riot-web profiles + - added electron, riot-web and npm profiles + - whitelist Bohemia Interactive config dir for Steam Akhil Hans Maulloo (https://github.com/kouul) - xz profile Alexey Kuznetsov (kuznet@ms2.inr.ac.ru) @@ -159,6 +160,11 @@ - fixed riot-desktop Barış Ekin Yıldırım (https://github.com/circuitshaker) - removing net none from code.profile +bbhtt (https://github.com/bbhtt) + - improvements to balsa,fractal,gajim,trojita profiles + - improvements to nheko, spectral, feh, links, lynx profiles + - added alacartem com.github.bleakgrey.tootle, photoflare profiles + - add profiles for MS Edge dev build for Linux and Librewolf Benjamin Kampmann (https://github.com/ligthyear) - Forward exit code from child process bitfreak25 (https://github.com/bitfreak25) @@ -178,6 +184,8 @@ - blacklist Bitwarden config in disable-passwdmgr.inc briaeros (https://github.com/briaeros) - fix command test in jail_prober.py +botherer (https://github.com/botherder) + - add CoyIM profile Bruno Nova (https://github.com/brunonova) - whitelist fix - bash arguments fix 
@@ -252,12 +260,16 @@ Dara Adib (https://github.com/daradib) - ssh profile fix - evince profile fix + - linphone profile fix Dario Pellegrini (https://github.com/dpellegr) - allowing links in netns David Thole (https://github.com/TheDarkTrumpet) - added profile for teams-for-linux Davide Beatrici (https://github.com/davidebeatrici) - steam.profile: correctly blacklist unneeded directories in user's home + - minetest fixes +David Hyrule (https://github.com/Svaag) + - remove nou2f in ssh profile Deelvesh Bunjun (https://github.com/DeelveshBunjun) - added xpdf profile Denys Havrysh (https://github.com/vutny) @@ -297,6 +309,8 @@ - Liferea profile Felipe Barriga Richards (https://github.com/fbarriga) - --private-etc fix +fenuks (https://github.com/fenuks) + - fix sound in games using FMOD Florian Begusch (https://github.com/florianbegusch) - (la)tex profiles - fixed transmission-common.profile @@ -416,6 +430,8 @@ - updated Waterfox profile Helmut Grohne (https://github.com/helmutg) - compiler support in the build system - Debian bug #869707 +hhzek0014 (https://github.com/hhzek0014) + - updated bibletime.profile hlein (https://github.com/hlein) - strip out \r's from jail prober Holger Heinz (https://github.com/hheinz) @@ -513,6 +529,12 @@ - added support for .local profile files in /etc/firejail - fixed Cryptocat profile - make ~/.local read-only +Kelvin (https://github.com/kmk3) + - disable ldns utilities, dnssec-*, khost, unbound-host + - sort DNS / RUNUSER paths + - improve bug_report.md + - fix keypassxc + - blacklist oksh shell in disable-shell.inc Kishore96in (https://github.com/Kishore96in) - added falkon profile - kxmlgui fixes @@ -525,6 +547,7 @@ - fix meld kortewegdevries (https://github.com/kortewegdevries) - a whole bunch of new profiles and fixes + - whitelisting evolution, kmail Kristóf Marussy (https://github.com/kris7t) - dns support Kunal Mehta (https://github.com/legoktm) 
@@ -543,6 +566,7 @@ - Preserve CFLAGS given to configure in common.mk.in - fix emacs config to load as read-write - disable browser drm by default + - minetest fixes Lockdis (https://github.com/Lockdis) - Added crow, nyx, and google-earth-pro profiles Lukáš Krejčí (https://github.com/lskrejci) @@ -601,6 +625,8 @@ - add vmware profile - update virtualbox profile - update telegram profile + - add spectacle profile + - add kdiff3 profile Nick Fox (https://github.com/njfox) - add a profile alias for code-oss - add code-oss config directory @@ -611,6 +637,8 @@ - blacklisting for keybase.io's client Niklas Goerke (https://github.com/Niklas974) - update QOwnNotes profile +Nikos Chantziaras (https://github.com/realnc) + - fix audio support for Discord nyancat18 (https://github.com/nyancat18) - added ardour4, dooble, karbon, krita profiles Ondra Nekola (https://github.com/satai) @@ -698,8 +726,12 @@ - added telegram-desktop profile Rahul Golam (https://github.com/technoLord) - strings profile +RandomVoid (https://github.com/RandomVoid) + - fix building C# projects in Godot Raphaël Droz (https://github.com/drzraf) - zoom profile fixes +realaltffour (https://github.com/realaltffour) + - add lynx support to newsboat profile Reiner Herrmann (https://github.com/reinerh) - a number of build patches - man page fixes @@ -719,6 +751,8 @@ - support AMD GPU by OpenCL in Blender rogshdo (https://github.com/rogshdo) - BitlBee profile +rootalc (https://github.com/rootalc) + - add nolocal6.net filter Ruan (https://github.com/ruany) - fixed hexchat profile rusty-snake (https://github.com/rusty-snake) 
@@ -950,6 +984,8 @@ read-only kde5 services directory xee5ch (https://github.com/xee5ch) - skypeforlinux profile +Ypnose (https://github.com/Ypnose) + - disable-shell.inc: add mksh shell yumkam (https://github.com/yumkam) - add compile-time option to restrict --net= to root only - man page fixes diff -Nru firejail-0.9.64/RELNOTES firejail-0.9.64.4/RELNOTES --- firejail-0.9.64/RELNOTES 2020-10-21 11:52:19.000000000 +0000 +++ firejail-0.9.64.4/RELNOTES 2021-02-07 20:00:19.000000000 +0000 @@ -1,3 +1,21 @@ +firejail (0.9.64.4) baseline; urgency=low + * disabled overlayfs, pending multiple fixes + -- netblue30 Sun, 7 Feb 2021 09:00:00 -0500 + +firejail (0.9.64.2) baseline; urgency=low + * allow --tmpfs inside $HOME for unprivileged users + * --disable-usertmpfs compile time option + * allow AF_BLUETOOTH via --protocol=bluetooth + * Setup guide for new users: contrib/firejail-welcome.sh + * implement netns in profiles + * added nolocal6.net IPv6 network filter + * new profiles: spectacle, chromium-browser-privacy, gtk-straw-viewer + * new profiles: gtk-youtube-viewer, gtk2-youtube-viewer, gtk3-youtube-viewer + * new profiles: straw-viewer, lutris, dolphin-emu, authenticator-rs, servo + * new profiles: npm, marker, yarn, lsar, unar, agetpkg, mdr, shotwell, qnapi + * new profiles: guvcview, pkglog, kdiff3, CoyIM + -- netblue30 Tue, 26 Jan 2021 09:00:00 -0500 + firejail (0.9.64) baseline; urgency=low * replaced --nowrap option with --wrap in firemon * The blocking action of seccomp filters has been changed from diff -Nru firejail-0.9.64/src/common.mk.in firejail-0.9.64.4/src/common.mk.in --- firejail-0.9.64/src/common.mk.in 2020-10-13 11:43:23.000000000 +0000 +++ firejail-0.9.64.4/src/common.mk.in 2021-02-04 15:29:49.000000000 +0000 @@ -24,6 +24,7 @@ HAVE_GCOV=@HAVE_GCOV@ HAVE_SELINUX=@HAVE_SELINUX@ HAVE_DBUSPROXY=@HAVE_DBUSPROXY@ +HAVE_USERTMPFS=@HAVE_USERTMPFS@ H_FILE_LIST = $(sort $(wildcard *.[h])) C_FILE_LIST = $(sort $(wildcard *.c)) 
@@ -33,7 +34,7 @@ CFLAGS = @CFLAGS@ CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) CFLAGS += -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"' -MANFLAGS = $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) $(HAVE_SELINUX) +MANFLAGS = $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) $(HAVE_SELINUX) CFLAGS += $(MANFLAGS) CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread diff -Nru firejail-0.9.64/src/fbuilder/build_fs.c firejail-0.9.64.4/src/fbuilder/build_fs.c --- firejail-0.9.64/src/fbuilder/build_fs.c 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/src/fbuilder/build_fs.c 2021-02-04 15:29:49.000000000 +0000 @@ -217,6 +217,10 @@ //******************************************* static FileDB *tmp_out = NULL; static void tmp_callback(char *ptr) { + // skip strace file + if (strncmp(ptr, "/tmp/firejail-strace", 20) == 0) + return; + tmp_out = filedb_add(tmp_out, ptr); } diff -Nru firejail-0.9.64/src/fbuilder/build_home.c firejail-0.9.64.4/src/fbuilder/build_home.c --- firejail-0.9.64/src/fbuilder/build_home.c 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/src/fbuilder/build_home.c 2021-02-04 15:29:49.000000000 +0000 
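Review bot: The literal `20` in `strncmp(ptr, "/tmp/firejail-strace", 20)` in `tmp_callback` is the length of the adjacent string and will silently drift if that prefix is ever edited; `sizeof("/tmp/firejail-strace") - 1` or a named prefix constant keeps the two in step. Being a prefix match, the test also skips any `/tmp/firejail-strace*` entry, not only the strace output file, which the comment `// skip strace file` could state explicitly, e.g. `// skip the strace output file (and anything else under this prefix)`.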
@@ -24,7 +24,7 @@ static FileDB *db_out = NULL; static void load_whitelist_common(void) { - FILE *fp = fopen("/etc/firejail/whitelist-common.inc", "r"); + FILE *fp = fopen(SYSCONFDIR "/whitelist-common.inc", "r"); if (!fp) { fprintf(stderr, "Error: cannot open whitelist-common.inc\n"); exit(1); diff -Nru firejail-0.9.64/src/fbuilder/build_profile.c firejail-0.9.64.4/src/fbuilder/build_profile.c --- firejail-0.9.64/src/fbuilder/build_profile.c 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/src/fbuilder/build_profile.c 2021-02-04 15:29:49.000000000 +0000 @@ -80,10 +80,19 @@ stroutput, }; - // detect strace + // detect strace and check if Yama LSM allows us to use it int have_strace = 0; - if (access("/usr/bin/strace", X_OK) == 0) + int have_yama_permission = 1; + if (access("/usr/bin/strace", X_OK) == 0) { have_strace = 1; + FILE *ps = fopen("/proc/sys/kernel/yama/ptrace_scope", "r"); + if (ps) { + unsigned val; + if (fscanf(ps, "%u", &val) == 1) + have_yama_permission = (val < 2); + fclose(ps); + } + } // calculate command length unsigned len = (int) sizeof(cmdlist) / sizeof(char*) + argc - index + 1; @@ -93,10 +102,11 @@ cmd[0] = cmdlist[0]; // explicit assignment to clean scan-build error // build command + // skip strace if not installed, or no permission to use it + int skip_strace = !(have_strace && have_yama_permission); unsigned i = 0; for (i = 0; i < (int) sizeof(cmdlist) / sizeof(char*); i++) { - // skip strace if not installed - if (have_strace == 0 && strcmp(cmdlist[i], "/usr/bin/strace") == 0) + if (skip_strace && strcmp(cmdlist[i], "/usr/bin/strace") == 0) break; cmd[i] = cmdlist[i]; } 
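Review bot: The threshold `have_yama_permission = (val < 2)` encodes Yama semantics a reader will otherwise have to look up; a comment such as `// ptrace_scope 0/1 still allow tracing one's own children; 2 needs CAP_SYS_PTRACE, 3 disables ptrace entirely` would make the intent clear. When `/proc/sys/kernel/yama/ptrace_scope` cannot be opened the code keeps `have_yama_permission = 1`, i.e. it assumes no restriction, which is the right default for kernels without Yama but is also worth a one-line comment at the declaration. The enclosing function starts and ends outside the hunk.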
@@ -172,12 +182,14 @@ fprintf(fp, "caps.drop all\n"); fprintf(fp, "nonewprivs\n"); fprintf(fp, "seccomp\n"); - if (have_strace) - build_seccomp(strace_output, fp); - else { + if (!have_strace) { fprintf(fp, "# If you install strace on your system, Firejail will also create a\n"); fprintf(fp, "# whitelisted seccomp filter.\n"); } + else if (!have_yama_permission) + fprintf(fp, "# Yama security module prevents creation of a whitelisted seccomp filter\n"); + else + build_seccomp(strace_output, fp); fprintf(fp, "\n"); fprintf(fp, "### network\n"); diff -Nru firejail-0.9.64/src/fcopy/main.c firejail-0.9.64.4/src/fcopy/main.c --- firejail-0.9.64/src/fcopy/main.c 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/src/fcopy/main.c 2021-02-04 15:29:49.000000000 +0000 @@ -23,7 +23,6 @@ #include #include #include -#include #if HAVE_SELINUX #include @@ -112,7 +111,7 @@ } // open destination - int dst = open(destname, O_CREAT|O_WRONLY|O_TRUNC, 0755); + int dst = open(destname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR); if (dst < 0) { if (!arg_quiet) fprintf(stderr, "Warning fcopy: cannot open %s, file not copied\n", destname); @@ -133,7 +132,8 @@ done += rv; } } - fflush(0); + if (len < 0) + goto errexit; if (fchown(dst, uid, gid) == -1) goto errexit; @@ -180,7 +180,7 @@ // if the link is already there, don't create it struct stat s; - if (stat(linkpath, &s) == 0) + if (lstat(linkpath, &s) == 0) return; char *rp = realpath(target, NULL); 
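Review bot: `open(destname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR)` still follows a symlink that already exists at `destname`, so the narrower create mode does not by itself stop a pre-existing link from redirecting the write; if fcopy can ever run against a destination tree that an unprivileged user could have populated, `O_NOFOLLOW` (or an `lstat` check before the open, as the hunk now does for `linkpath`) is the missing guard, and if the destination is always a freshly created root-owned directory a comment saying so would settle it. Separately, with `lstat(linkpath, &s) == 0` a dangling symlink or a regular file at `linkpath` now also counts as present, which the comment `// if the link is already there, don't create it` could reflect, e.g. `// if anything (including a dangling symlink) already exists at linkpath, leave it alone`. The enclosing functions start and end outside the hunk.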
@@ -412,30 +412,21 @@ exit(1); } -#ifdef WARN_DUMPABLE - if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid()) - fprintf(stderr, "Error fcopy: I am dumpable\n"); -#endif - - // trim trailing chars - if (src[strlen(src) - 1] == '/') - src[strlen(src) - 1] = '\0'; - if (dest[strlen(dest) - 1] == '/') - dest[strlen(dest) - 1] = '\0'; + warn_dumpable(); // check the two files; remove ending / - int len = strlen(src); - if (src[len - 1] == '/') - src[len - 1] = '\0'; - if (strcspn(src, "\\*&!?\"'<>%^(){}[];,") != (size_t)len) { + size_t len = strlen(src); + while (len > 1 && src[len - 1] == '/') + src[--len] = '\0'; + if (strcspn(src, "\\*&!?\"'<>%^(){}[];,") != len) { fprintf(stderr, "Error fcopy: invalid source file name %s\n", src); exit(1); } len = strlen(dest); - if (dest[len - 1] == '/') - dest[len - 1] = '\0'; - if (strcspn(dest, "\\*&!?\"'<>%^(){}[];,~") != (size_t)len) { + while (len > 1 && dest[len - 1] == '/') + dest[--len] = '\0'; + if (strcspn(dest, "\\*&!?\"'<>%^(){}[];,~") != len) { fprintf(stderr, "Error fcopy: invalid dest file name %s\n", dest); exit(1); } diff -Nru firejail-0.9.64/src/fcopy/Makefile.in firejail-0.9.64.4/src/fcopy/Makefile.in --- firejail-0.9.64/src/fcopy/Makefile.in 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/src/fcopy/Makefile.in 2021-02-04 15:29:49.000000000 +0000 @@ -5,8 +5,8 @@ %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ -fcopy: $(OBJS) - $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) +fcopy: $(OBJS) ../lib/common.o + $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS) clean:; rm -fr *.o fcopy *.gcov *.gcda *.gcno *.plist diff -Nru firejail-0.9.64/src/firecfg/firecfg.config firejail-0.9.64.4/src/firecfg/firecfg.config --- firejail-0.9.64/src/firecfg/firecfg.config 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/src/firecfg/firecfg.config 2021-02-04 15:29:49.000000000 +0000 
@@ -34,6 +34,7 @@ abrowser akonadi_control akregator +alacarte amarok amule amuled @@ -63,6 +64,7 @@ audacity audio-recorder authenticator +authenticator-rs autokey-gtk autokey-qt autokey-run @@ -119,6 +121,7 @@ cherrytree chromium chromium-browser +chromium-browser-privacy chromium-freeworld cin cinelerra @@ -138,6 +141,7 @@ code code-oss cola +com.github.bleakgrey.tootle com.github.dahenson.agenda com.github.johnfactotum.Foliate com.gitlab.newsflash @@ -145,6 +149,7 @@ conky conplay corebird +coyim crawl crawl-tiles crow @@ -172,11 +177,13 @@ dnscrypt-proxy dnsmasq dolphin +dolphin-emu dooble dooble-qt4 dosbox dragon drawio +drill dropbox d-feet easystroke @@ -196,14 +203,14 @@ eog eom ephemeral -#epiphany +#epiphany - see #2995 equalx et etr evince evince-previewer evince-thumbnailer -evolution +#evolution - see #3647 exfalso exiftool falkon @@ -211,7 +218,7 @@ feedreader feh ferdi -ffmpeg +#ffmpeg ffmpegthumbnailer ffplay ffprobe @@ -307,6 +314,7 @@ gnome-robots gnome-schedule gnome-screenshot +gnome-sound-recorder gnome-sudoku gnome-system-log gnome-taquin @@ -332,6 +340,7 @@ gramps gravity-beams-and-evaporating-stars gthumb +gtk-straw-viewer gtk-youtube-viewer gtk2-youtube-viewer gtk3-youtube-viewer @@ -382,6 +391,7 @@ kcalc # kdeinit4 kdenlive +kdiff3 keepass keepass2 keepassx @@ -415,6 +425,7 @@ leafpad # less - breaks man libreoffice +librewolf liferea lightsoff lincity-ng @@ -446,6 +457,7 @@ magicor # man manaplus +marker masterpdfeditor masterpdfeditor4 masterpdfeditor5 @@ -454,6 +466,7 @@ mate-color-select mate-dictionary mathematica +matrix-mirage mattermost-desktop mcabber mediainfo @@ -465,6 +478,8 @@ mendeleydesktop menulibre meteo-qt +microsoft-edge +microsoft-edge-dev midori min mindless @@ -576,6 +591,7 @@ pdftotext peek penguin-command +photoflare picard pidgin #ping - disabled until we fix #1912 @@ -608,6 +624,7 @@ qgis qlipper qmmp +qnapi qpdfview qt-faststart qtox 
@@ -649,6 +666,7 @@ shellcheck shortwave shotcut +shotwell signal-cli signal-desktop silentarmy @@ -667,6 +685,7 @@ sol sound-juicer soundconverter +spectacle spectral spotify sqlitebrowser @@ -679,6 +698,7 @@ steam-runtime stellarium strawberry +straw-viewer strings studio.sh subdownloader @@ -756,6 +776,7 @@ trojita truecraft tshark +tutanota-desktop tuxguitar tvbrowser twitch diff -Nru firejail-0.9.64/src/firejail/checkcfg.c firejail-0.9.64.4/src/firejail/checkcfg.c --- firejail-0.9.64/src/firejail/checkcfg.c 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/src/firejail/checkcfg.c 2021-02-04 15:29:49.000000000 +0000 @@ -351,6 +351,14 @@ #endif ); + printf("\t- private-cache and tmpfs as user %s\n", +#ifdef HAVE_USERTMPFS + "enabled" +#else + "disabled" +#endif + ); + printf("\t- SELinux support is %s\n", #ifdef HAVE_SELINUX "enabled" diff -Nru firejail-0.9.64/src/firejail/firejail.h firejail-0.9.64.4/src/firejail/firejail.h --- firejail-0.9.64/src/firejail/firejail.h 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/src/firejail/firejail.h 2021-02-04 15:29:49.000000000 +0000 @@ -372,7 +372,7 @@ // sandbox.c #define SANDBOX_DONE '1' int sandbox(void* sandbox_arg); -void start_application(int no_sandbox, char *set_sandbox_status) __attribute__((noreturn)); +void start_application(int no_sandbox, int fd, char *set_sandbox_status) __attribute__((noreturn)); void set_apparmor(void); // network_main.c @@ -513,7 +513,6 @@ void update_map(char *mapping, char *map_file); void wait_for_other(int fd); void notify_other(int fd); -const char *gnu_basename(const char *path); uid_t pid_get_uid(pid_t pid); uid_t get_group_id(const char *group); int remove_overlay_directory(void); diff -Nru firejail-0.9.64/src/firejail/fs.c firejail-0.9.64.4/src/firejail/fs.c --- firejail-0.9.64/src/firejail/fs.c 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/src/firejail/fs.c 2021-02-04 15:29:49.000000000 +0000 
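Review bot: The new `fd` parameter of start_application() in the firejail.h hunk is undocumented, so a reader of the header cannot tell what descriptor it expects or what -1 means. From the join.c and sandbox.c hunks later in this diff it appears to be an O_PATH descriptor of cfg.shell used as an fexecve() fallback when execvp() fails, with -1 meaning no fallback; I would say so above the prototype: `// fd: O_PATH descriptor of cfg.shell for the fexecve() fallback when the shell is not reachable in the joined mount namespace, or -1`. The removal of the gnu_basename() declaration in the second hunk is fine only if no caller remains, which this diff does not show.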
@@ -162,7 +162,14 @@ } else if (op == MOUNT_TMPFS) { if (S_ISDIR(s.st_mode)) { - fs_tmpfs(fname, 0); + if (getuid()) { + if (strncmp(cfg.homedir, fname, strlen(cfg.homedir)) != 0 || + fname[strlen(cfg.homedir)] != '/') { + fprintf(stderr, "Error: tmpfs outside $HOME is only available for root\n"); + exit(1); + } + } + fs_tmpfs(fname, getuid()); last_disable = SUCCESSFUL; } else @@ -443,7 +450,7 @@ void fs_tmpfs(const char *dir, unsigned check_owner) { assert(dir); if (arg_debug) - printf("Mounting tmpfs on %s\n", dir); + printf("Mounting tmpfs on %s, check owner: %s\n", dir, (check_owner)? "yes": "no"); // get a file descriptor for dir, fails if there is any symlink int fd = safe_fd(dir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); if (fd == -1) @@ -788,6 +795,8 @@ disable_file(BLACKLIST_FILE, RUN_FIREJAIL_PROFILE_DIR); if (stat(RUN_FIREJAIL_X11_DIR, &s) == 0) disable_file(BLACKLIST_FILE, RUN_FIREJAIL_X11_DIR); + if (!arg_appimage && stat(RUN_FIREJAIL_APPIMAGE_DIR, &s) == 0) + disable_file(BLACKLIST_FILE, RUN_FIREJAIL_APPIMAGE_DIR); } 
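Review bot: The $HOME prefix check added to the MOUNT_TMPFS branch computes `strlen(cfg.homedir)` three times and silently assumes cfg.homedir has no trailing slash; with a trailing slash `fname[strlen(cfg.homedir)] != '/'` rejects every path. I would hoist the length and compare once: `size_t hlen = strlen(cfg.homedir); if (strncmp(cfg.homedir, fname, hlen) != 0 || fname[hlen] != '/') { … }` (reading `fname[hlen]` is safe because strncmp only matches when fname has at least hlen non-NUL bytes). The check also rejects a tmpfs on $HOME itself for unprivileged users, which may be intended but deserves a comment. Symlink and `..` tricks in fname are presumably caught by safe_fd() inside fs_tmpfs(), and enabling the ownership check via `getuid()` for unprivileged callers is the right default. The enclosing function starts and ends outside the hunk.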
@@ -1254,28 +1263,3 @@ } closedir(dir); } - -// this function is called from sandbox.c before blacklist/whitelist functions -void fs_private_cache(void) { - char *cache; - if (asprintf(&cache, "%s/.cache", cfg.homedir) == -1) - errExit("asprintf"); - // check if ~/.cache is a valid destination - struct stat s; - if (lstat(cache, &s) == -1) { - fwarning("skipping private-cache: cannot find %s\n", cache); - free(cache); - return; - } - if (!S_ISDIR(s.st_mode)) { - if (S_ISLNK(s.st_mode)) - fwarning("skipping private-cache: %s is a symbolic link\n", cache); - else - fwarning("skipping private-cache: %s is not a directory\n", cache); - free(cache); - return; - } - // do the mount - fs_tmpfs(cache, getuid()); // check ownership of ~/.cache - free(cache); -} diff -Nru firejail-0.9.64/src/firejail/fs_home.c firejail-0.9.64.4/src/firejail/fs_home.c --- firejail-0.9.64/src/firejail/fs_home.c 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/src/firejail/fs_home.c 2021-02-04 15:29:49.000000000 +0000 
@@ -360,43 +360,38 @@ selinux_relabel_path("/root", "/root"); fs_logger("tmpfs /root"); - if (arg_allusers) { - if (u != 0) - // mask user home directory - // the directory should be owned by the current user - fs_tmpfs(homedir, 1); - } - else { // mask /home + // mask /home + if (!arg_allusers) { if (arg_debug) printf("Mounting a new /home directory\n"); if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME, "mode=755,gid=0") < 0) errExit("mounting /home directory"); selinux_relabel_path("/home", "/home"); fs_logger("tmpfs /home"); + } - if (u != 0) { - if (strncmp(homedir, "/home/", 6) == 0) { - // create /home/user - if (arg_debug) - printf("Create a new user directory\n"); - if (mkdir(homedir, S_IRWXU) == -1) { - if (mkpath_as_root(homedir) == -1) - errExit("mkpath"); - if (mkdir(homedir, S_IRWXU) == -1 && errno != EEXIST) - errExit("mkdir"); - } - if (chown(homedir, u, g) < 0) - errExit("chown"); - - selinux_relabel_path(homedir, homedir); - fs_logger2("mkdir", homedir); - fs_logger2("tmpfs", homedir); + if (u != 0) { + if (!arg_allusers && strncmp(homedir, "/home/", 6) == 0) { + // create new empty /home/user directory + if (arg_debug) + printf("Create a new user directory\n"); + if (mkdir(homedir, S_IRWXU) == -1) { + if (mkpath_as_root(homedir) == -1) + errExit("mkpath"); + if (mkdir(homedir, S_IRWXU) == -1) + errExit("mkdir"); } - else - // mask user home directory - // the directory should be owned by the current user - fs_tmpfs(homedir, 1); + if (chown(homedir, u, g) < 0) + errExit("chown"); + + selinux_relabel_path(homedir, homedir); + fs_logger2("mkdir", homedir); + fs_logger2("tmpfs", homedir); } + else + // mask user home directory + // the directory should be owned by the current user + fs_tmpfs(homedir, 1); } skel(homedir, u, g); diff -Nru firejail-0.9.64/src/firejail/fs_lib2.c firejail-0.9.64.4/src/firejail/fs_lib2.c --- firejail-0.9.64/src/firejail/fs_lib2.c 2020-10-06 12:50:41.000000000 +0000 +++ 
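Review bot: The rebuilt mkdir sequence for /home/user now treats EEXIST from the second `mkdir(homedir, S_IRWXU)` as fatal, where the removed code tolerated it; whether mkpath_as_root() also creates the leaf directory is not visible here, and if it does the sandbox will abort on every run. Either restore `&& errno != EEXIST` or, if the directory cannot pre-exist in the freshly mounted /home tmpfs, say so with a comment such as `// /home is a fresh tmpfs: the leaf must not exist yet, so EEXIST is an error`. The enclosing function starts and ends outside the hunk.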
firejail-0.9.64.4/src/firejail/fs_lib2.c 2021-02-04 15:29:49.000000000 +0000 @@ -30,6 +30,7 @@ //*************************************************************** // standard libc libraries based on Debian's libc6 package // selinux seems to be linked in most command line utilities +// libpcre2 is a dependency of selinux // locale (/usr/lib/locale) - without it, the program will default to "C" locale typedef struct liblist_t { const char *name; @@ -38,6 +39,7 @@ static LibList libc_list[] = { { "libselinux.so.", 0 }, + { "libpcre2-8.so.", 0 }, { "libapparmor.so.", 0}, { "ld-linux-x86-64.so.", 0 }, { "libanl.so.", 0 }, @@ -104,17 +106,15 @@ void fslib_install_stdc(void) { // install standard C libraries + timetrace_start(); struct stat s; - char *stdclib = "/lib64"; // CentOS, Fedora, Arch - if (stat("/lib/x86_64-linux-gnu", &s) == 0) { // Debian & friends mkdir_attr(RUN_LIB_DIR "/x86_64-linux-gnu", 0755, 0, 0); selinux_relabel_path(RUN_LIB_DIR "/x86_64-linux-gnu", "/lib/x86_64-linux-gnu"); - stdclib = "/lib/x86_64-linux-gnu"; + stdc("/lib/x86_64-linux-gnu"); } - timetrace_start(); - stdc(stdclib); + stdc("/lib64"); // CentOS, Fedora, Arch, ld-linux.so in Debian & friends // install locale if (stat("/usr/lib/locale", &s) == 0) diff -Nru firejail-0.9.64/src/firejail/fs_lib.c firejail-0.9.64.4/src/firejail/fs_lib.c --- firejail-0.9.64/src/firejail/fs_lib.c 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/src/firejail/fs_lib.c 2021-02-04 15:29:49.000000000 +0000 
@@ -33,6 +33,52 @@ static int lib_cnt = 0; static int dir_cnt = 0; +char *find_in_path(const char *program) { + EUID_ASSERT(); + if (arg_debug) + printf("Searching $PATH for %s\n", program); + + char self[MAXBUF]; + ssize_t len = readlink("/proc/self/exe", self, MAXBUF - 1); + if (len < 0) + errExit("readlink"); + self[len] = '\0'; + + char *path = getenv("PATH"); + if (!path) + return NULL; + char *dup = strdup(path); + if (!dup) + errExit("strdup"); + char *tok = strtok(dup, ":"); + while (tok) { + char *fname; + if (asprintf(&fname, "%s/%s", tok, program) == -1) + errExit("asprintf"); + + if (arg_debug) + printf("trying #%s#\n", fname); + struct stat s; + if (stat(fname, &s) == 0) { + // but skip links created by firecfg + char *rp = realpath(fname, NULL); + if (!rp) + errExit("realpath"); + if (strcmp(self, rp) != 0) { + free(rp); + free(dup); + return fname; + } + free(rp); + } + free(fname); + tok = strtok(NULL, ":"); + } + + free(dup); + return NULL; +} + static void report_duplication(const char *full_path) { char *fname = strrchr(full_path, '/'); if (fname && *(++fname) != '\0') { @@ -165,7 +211,7 @@ mkdir_attr(dest, 0755, 0, 0); if (mount(full_path, dest, NULL, MS_BIND|MS_REC, NULL) < 0 || - mount(NULL, dest, NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0) + mount(NULL, dest, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0) errExit("mount bind"); fs_logger2("clone", full_path); fs_logger2("mount", full_path); 
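Review bot: find_in_path() returns any path that stat() succeeds on, so a directory or a non-executable file named like the program is returned and then fed to fslib_install_list() or exec'd, and neither caller in this diff checks the result; the removed run_symlink.c loop had the same gap, but the helper is now shared. I would require a regular executable file: `if (stat(fname, &s) == 0 && S_ISREG(s.st_mode) && access(fname, X_OK) == 0) {`. The stat()/realpath() pair remains a TOCTOU window, as the removed `/* coverity[toctou] */` annotation acknowledged, so that annotation should move here with the code. The function is exported but declared through a local `extern` in run_symlink.c rather than in firejail.h, which is inconsistent with the other declarations in this diff. The MS_RDONLY added to the bind remount in the second hunk is a sound hardening.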
@@ -336,11 +382,40 @@ // start timetrace timetrace_start(); + // bring in firejail executable libraries in case we are redirected here by a firejail symlink from /usr/local/bin/firejail + if (arg_debug || arg_debug_private_lib) + printf("Installing Firejail libraries\n"); + fslib_install_list(PATH_FIREJAIL); + + // bring in firejail directory + fslib_install_list(LIBDIR "/firejail"); + + // bring in dhclient libraries + if (any_dhcp()) { + if (arg_debug || arg_debug_private_lib) + printf("Installing dhclient libraries\n"); + fslib_install_list(RUN_MNT_DIR "/dhclient"); + } + fmessage("Firejail libraries installed in %0.2f ms\n", timetrace_end()); + + timetrace_start(); + // copy the libs in the new lib directory for the main exe if (cfg.original_program_index > 0) { if (arg_debug || arg_debug_private_lib) printf("Installing sandboxed program libraries\n"); - fslib_install_list(cfg.original_argv[cfg.original_program_index]); + + if (strchr(cfg.original_argv[cfg.original_program_index], '/')) + fslib_install_list(cfg.original_argv[cfg.original_program_index]); + else { // search executable in $PATH + EUID_USER(); + char *fname = find_in_path(cfg.original_argv[cfg.original_program_index]); + EUID_ROOT(); + if (fname) { + fslib_install_list(fname); + free(fname); + } + } } // for the shell 
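Review bot: When the program is not found in $PATH the new `else` branch falls through silently, even with `--debug-private-lib`, so a user cannot tell why no program libraries were installed. I would add `else if (arg_debug || arg_debug_private_lib) printf("Cannot find %s in $PATH\n", cfg.original_argv[cfg.original_program_index]);` after the `if (fname)` block. Running find_in_path() under EUID_USER() is the right choice, since it walks user-controlled directories. The enclosing function starts and ends outside the hunk.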
@@ -369,15 +444,11 @@ } fmessage("Program libraries installed in %0.2f ms\n", timetrace_end()); - // install the reset of the system libraries + // install the rest of the system libraries if (arg_debug || arg_debug_private_lib) printf("Installing system libraries\n"); fslib_install_system(); - // bring in firejail directory for --trace and seccomp post exec - // bring in firejail executable libraries in case we are redirected here by a firejail symlink from /usr/local/bin/firejail - fslib_install_list("/usr/bin/firejail,firejail"); // todo: use the installed path for the executable - fmessage("Installed %d %s and %d %s\n", lib_cnt, (lib_cnt == 1)? "library": "libraries", dir_cnt, (dir_cnt == 1)? "directory": "directories"); diff -Nru firejail-0.9.64/src/firejail/join.c firejail-0.9.64.4/src/firejail/join.c --- firejail-0.9.64/src/firejail/join.c 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/src/firejail/join.c 2021-02-04 15:29:49.000000000 +0000 @@ -20,10 +20,14 @@ #include "firejail.h" #include #include -#include #include #include +#include +#ifndef O_PATH +#define O_PATH 010000000 +#endif + #include #ifndef PR_SET_NO_NEW_PRIVS #define PR_SET_NO_NEW_PRIVS 38 @@ -292,13 +296,28 @@ fprintf(stderr, "Error: cannot open umask file\n"); exit(1); } - if (fscanf(fp, "%o", &orig_umask) != 1) { + if (fscanf(fp, "%3o", &orig_umask) != 1) { fprintf(stderr, "Error: cannot read umask\n"); exit(1); } fclose(fp); } +static int open_shell(void) { + EUID_ASSERT(); + assert(cfg.shell); + + if (arg_debug) + printf("Opening shell %s\n", cfg.shell); + // file descriptor will leak if not opened with O_CLOEXEC !! + int fd = open(cfg.shell, O_PATH|O_CLOEXEC); + if (fd == -1) { + fprintf(stderr, "Error: cannot open shell %s\n", cfg.shell); + exit(1); + } + return fd; +} + // return false if the sandbox identified by pid is not fully set up yet or if // it is no firejail sandbox at all, return true if the sandbox is complete bool is_ready_for_join(const pid_t pid) { 
@@ -316,7 +335,7 @@ struct stat s; if (fstat(fd, &s) == -1) errExit("fstat"); - if (!S_ISREG(s.st_mode) || s.st_uid != 0) { + if (!S_ISREG(s.st_mode) || s.st_uid != 0 || s.st_size != 1) { close(fd); return false; } @@ -391,6 +410,10 @@ extract_x11_display(parent); + int shfd = -1; + if (!arg_shell_none && !arg_audit) + shfd = open_shell(); + EUID_ROOT(); // in user mode set caps seccomp, cpu, cgroup, etc if (getuid() != 0) { @@ -400,6 +423,7 @@ extract_cgroup(pid); extract_nogroups(pid); extract_user_namespace(pid); + extract_umask(pid); #ifdef HAVE_APPARMOR extract_apparmor(pid); #endif @@ -409,9 +433,6 @@ if (cfg.cgroup) // not available for uid 0 set_cgroup(cfg.cgroup); - // set umask, also uid 0 - extract_umask(pid); - // join namespaces if (arg_join_network) { if (join_namespace(pid, "net")) @@ -522,10 +543,9 @@ extract_command(argc, argv, index); if (cfg.command_line == NULL) { assert(cfg.shell); - cfg.command_line = cfg.shell; cfg.window_title = cfg.shell; } - if (arg_debug) + else if (arg_debug) printf("Extracted command #%s#\n", cfg.command_line); // set cpu affinity @@ -554,11 +574,13 @@ dbus_set_system_bus_env(); #endif - start_application(0, NULL); + start_application(0, shfd, NULL); __builtin_unreachable(); } EUID_USER(); + if (shfd != -1) + close(shfd); int status = 0; //***************************** diff -Nru firejail-0.9.64/src/firejail/ls.c firejail-0.9.64.4/src/firejail/ls.c --- firejail-0.9.64/src/firejail/ls.c 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/src/firejail/ls.c 2021-02-04 15:29:49.000000000 +0000 @@ -26,6 +26,7 @@ #include #include #include +#include //#include //#include //#include 
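Review bot: extract_umask(pid) now runs only inside the `if (getuid() != 0)` block, while the removed call below it was commented "set umask, also uid 0", so a join performed by root no longer inherits the sandbox's umask; if that is intentional the new placement should say why, otherwise the call belongs back after the block. Opening the shell descriptor via open_shell() before EUID_ROOT() and closing it in the parent after the fork are both correct. The `s.st_size != 1` addition to is_ready_for_join() matches the one-byte status file and is a useful tightening. The enclosing function starts and ends outside the hunk.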
@@ -293,6 +294,41 @@ printf("file2 %s\n", fname2 ? fname2 : "(null)"); } + // get file from sandbox and store it in the current directory + // implemented using --cat + if (op == SANDBOX_FS_GET) { + char *dest_fname = strrchr(fname1, '/'); + if (!dest_fname || *(++dest_fname) == '\0') { + fprintf(stderr, "Error: invalid file name %s\n", fname1); + exit(1); + } + // create destination file if necessary + EUID_ASSERT(); + int fd = open(dest_fname, O_WRONLY|O_CREAT|O_CLOEXEC, S_IRUSR | S_IWRITE); + if (fd == -1) { + fprintf(stderr, "Error: cannot open %s for writing\n", dest_fname); + exit(1); + } + struct stat s; + if (fstat(fd, &s) == -1) + errExit("fstat"); + if (!S_ISREG(s.st_mode)) { + fprintf(stderr, "Error: %s is no regular file\n", dest_fname); + exit(1); + } + if (ftruncate(fd, 0) == -1) + errExit("ftruncate"); + // go quiet - messages on stdout will corrupt the file + arg_debug = 0; + arg_quiet = 1; + // redirection + if (dup2(fd, STDOUT_FILENO) == -1) + errExit("dup2"); + assert(fd != STDOUT_FILENO); + close(fd); + op = SANDBOX_FS_CAT; + } + // sandbox root directory char *rootdir; if (asprintf(&rootdir, "/proc/%d/root", pid) == -1) 
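Review bot: The new SANDBOX_FS_GET path opens the destination in the current directory with `O_WRONLY|O_CREAT|O_CLOEXEC`, which follows a pre-existing symlink; the later S_ISREG() check passes when the link target is a regular file, so a link planted in a shared working directory redirects the truncate and the copied contents to the link target (with the user's own privileges, as EUID_ASSERT() shows). Adding O_NOFOLLOW closes that: `int fd = open(dest_fname, O_WRONLY|O_CREAT|O_NOFOLLOW|O_CLOEXEC, S_IRUSR | S_IWUSR);`, where S_IWUSR also replaces the obsolete S_IWRITE alias. Truncating with ftruncate() after the fstat() check rather than O_TRUNC is fine. The enclosing function starts and ends outside the hunk.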
@@ -317,92 +353,6 @@ __gcov_flush(); #endif } - - // get file from sandbox and store it in the current directory - else if (op == SANDBOX_FS_GET) { - char *src_fname =fname1; - char *dest_fname = strrchr(fname1, '/'); - if (!dest_fname || *(++dest_fname) == '\0') { - fprintf(stderr, "Error: invalid file name %s\n", fname1); - exit(1); - } - - EUID_ROOT(); - if (arg_debug) - printf("copy %s to %s\n", src_fname, dest_fname); - - // create a user-owned temporary file in /run/firejail directory - char tmp_fname[] = "/run/firejail/tmpget-XXXXXX"; - int fd = mkstemp(tmp_fname); - if (fd == -1) { - fprintf(stderr, "Error: cannot create temporary file %s\n", tmp_fname); - exit(1); - } - SET_PERMS_FD(fd, getuid(), getgid(), 0600); - close(fd); - - // copy the source file into the temporary file - we need to chroot - pid_t child = fork(); - if (child < 0) - errExit("fork"); - if (child == 0) { - // chroot - if (chroot(rootdir) < 0) - errExit("chroot"); - if (chdir("/") < 0) - errExit("chdir"); - - // drop privileges - drop_privs(0); - - // copy the file - if (copy_file(src_fname, tmp_fname, getuid(), getgid(), 0600)) // already a regular user - _exit(1); -#ifdef HAVE_GCOV - __gcov_flush(); -#endif - _exit(0); - } - - // wait for the child to finish - int status = 0; - waitpid(child, &status, 0); - if (WIFEXITED(status) && WEXITSTATUS(status) == 0); - else { - unlink(tmp_fname); - exit(1); - } - - // copy the temporary file into the destination file - child = fork(); - if (child < 0) - errExit("fork"); - if (child == 0) { - // drop privileges - drop_privs(0); - - // copy the file - if (copy_file(tmp_fname, dest_fname, getuid(), getgid(), 0600)) // already a regular user - _exit(1); -#ifdef HAVE_GCOV - __gcov_flush(); -#endif - _exit(0); - } - - // wait for the child to finish - status = 0; - waitpid(child, &status, 0); - if (WIFEXITED(status) && WEXITSTATUS(status) == 0); - else { - unlink(tmp_fname); - exit(1); - } - - // remove the temporary file - unlink(tmp_fname); - 
EUID_USER(); - } // get file from host and store it in the sandbox else if (op == SANDBOX_FS_PUT && path2) { char *src_fname =fname1; diff -Nru firejail-0.9.64/src/firejail/main.c firejail-0.9.64.4/src/firejail/main.c --- firejail-0.9.64/src/firejail/main.c 2020-10-17 15:28:33.000000000 +0000 +++ firejail-0.9.64.4/src/firejail/main.c 2021-02-04 15:29:49.000000000 +0000 @@ -161,7 +161,6 @@ static pid_t child = 0; pid_t sandbox_pid; mode_t orig_umask = 022; -unsigned long long start_timestamp; static void clear_atexit(void) { EUID_ROOT(); @@ -868,7 +867,8 @@ shell = getenv("SHELL"); if (shell) { invalid_filename(shell, 0); // no globbing - if (!is_dir(shell) && strstr(shell, "..") == NULL && stat(shell, &s) == 0 && access(shell, X_OK) == 0) + if (!is_dir(shell) && strstr(shell, "..") == NULL && stat(shell, &s) == 0 && access(shell, X_OK) == 0 && + strcmp(shell, PATH_FIREJAIL) != 0) return shell; } @@ -1026,7 +1026,7 @@ init_cfg(argc, argv); // get starting timestamp, process --quiet - start_timestamp = getticks(); + timetrace_start(); char *env_quiet = getenv("FIREJAIL_QUIET"); if (check_arg(argc, argv, "--quiet", 1) || (env_quiet && strcmp(env_quiet, "yes") == 0)) arg_quiet = 1; @@ -1231,11 +1231,6 @@ } EUID_ASSERT(); -#ifdef WARN_DUMPABLE - if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid()) - fprintf(stderr, "Error: Firejail is dumpable\n"); -#endif - // check for force-nonewprivs in /etc/firejail/firejail.config file if (checkcfg(CFG_FORCE_NONEWPRIVS)) arg_nonewprivs = 1; @@ -1283,7 +1278,7 @@ else if (strncmp(argv[i], "--protocol=", 11) == 0) { if (checkcfg(CFG_SECCOMP)) { if (cfg.protocol) { - fwarning("two protocol lists are present, \"%s\" will be installed\n", cfg.protocol); + fwarning("more than one protocol list is present, \"%s\" will be installed\n", cfg.protocol); } else { // store list 
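Review bot: The `@@ -1231,11 +1231,6 @@` hunk deletes the WARN_DUMPABLE block from main() without a replacement, whereas the fcopy hunk at the top of this diff replaces the same block with `warn_dumpable();`; if that helper is the intended common implementation, the call site here should become `warn_dumpable();` rather than disappear, otherwise the dumpable warning for the privileged binary is lost. Whether warn_dumpable() is invoked elsewhere in main.c is not visible in this diff. main() starts and ends outside the hunk.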
@@ -2000,12 +1995,14 @@ else if (strcmp(argv[i], "--private-tmp") == 0) { arg_private_tmp = 1; } +#ifdef HAVE_USERTMPFS else if (strcmp(argv[i], "--private-cache") == 0) { if (checkcfg(CFG_PRIVATE_CACHE)) arg_private_cache = 1; else exit_err_feature("private-cache"); } +#endif else if (strcmp(argv[i], "--private-cwd") == 0) { cfg.cwd = NULL; arg_private_cwd = 1; @@ -2396,6 +2393,13 @@ fprintf(stderr, "Error: invalid MAC address\n"); exit(1); } + + // check multicast address + if (br->macsandbox[0] & 1) { + fprintf(stderr, "Error: invalid MAC address (multicast)\n"); + exit(1); + } + } else exit_err_feature("networking"); @@ -2778,7 +2782,7 @@ // build the sandbox command if (prog_index == -1 && cfg.shell) { - cfg.command_line = cfg.shell; + assert(cfg.command_line == NULL); // runs cfg.shell cfg.window_title = cfg.shell; cfg.command_name = cfg.shell; } @@ -3021,8 +3025,15 @@ ptr += strlen(ptr); if (!arg_nogroups) { + // add firejail group + gid_t g = get_group_id("firejail"); + if (g) { + sprintf(ptr, "%d %d 1\n", g, g); + ptr += strlen(ptr); + } + // add tty group - gid_t g = get_group_id("tty"); + g = get_group_id("tty"); if (g) { sprintf(ptr, "%d %d 1\n", g, g); ptr += strlen(ptr); diff -Nru firejail-0.9.64/src/firejail/no_sandbox.c firejail-0.9.64.4/src/firejail/no_sandbox.c --- firejail-0.9.64/src/firejail/no_sandbox.c 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/src/firejail/no_sandbox.c 2021-02-04 15:29:49.000000000 +0000 
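Review bot: Mapping the `firejail` group into the sandbox's user namespace in the `@@ -3021,8 +3025,15 @@` hunk, together with keeping it as a supplementary group in the util.c allowed[] change later in this diff, widens what the sandboxed process can reach by group permission, and neither site says what that group gates. A comment at the mapping naming the resources the group protects would let the next maintainer judge the exposure; this diff does not state it. The `sprintf(ptr, "%d %d 1\n", g, g)` block is now repeated verbatim for both groups and could become a small helper. The `br->macsandbox[0] & 1` multicast test is correct and is duplicated in profile.c, where one shared validator would avoid drift. The enclosing functions start and end outside the hunks.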
@@ -204,14 +204,15 @@ break; } } - // if shell is /usr/bin/firejail, replace it with /bin/bash - if (strcmp(cfg.shell, PATH_FIREJAIL) == 0) { - cfg.shell = "/bin/bash"; - prog_index = 0; - } + +// if shell is /usr/bin/firejail, replace it with /bin/bash +// if (strcmp(cfg.shell, PATH_FIREJAIL) == 0) { +// cfg.shell = "/bin/bash"; +// prog_index = 0; +// } if (prog_index == 0) { - cfg.command_line = cfg.shell; + assert(cfg.command_line == NULL); // runs cfg.shell cfg.window_title = cfg.shell; } else { build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index); @@ -230,5 +231,5 @@ arg_quiet = 1; - start_application(1, NULL); + start_application(1, -1, NULL); } diff -Nru firejail-0.9.64/src/firejail/profile.c firejail-0.9.64.4/src/firejail/profile.c --- firejail-0.9.64/src/firejail/profile.c 2020-10-19 12:30:01.000000000 +0000 +++ firejail-0.9.64.4/src/firejail/profile.c 2021-02-04 15:29:49.000000000 +0000 @@ -383,10 +383,12 @@ return 0; } else if (strcmp(ptr, "private-cache") == 0) { +#ifdef HAVE_USERTMPFS if (checkcfg(CFG_PRIVATE_CACHE)) arg_private_cache = 1; else warning_feature_disabled("private-cache"); +#endif return 0; } else if (strcmp(ptr, "private-dev") == 0) { @@ -617,6 +619,17 @@ #endif return 0; } + else if (strncmp(ptr, "netns ", 6) == 0) { +#ifdef HAVE_NETWORK + if (checkcfg(CFG_NETWORK)) { + arg_netns = ptr + 6; + check_netns(arg_netns); + } + else + warning_feature_disabled("networking"); +#endif + return 0; + } else if (strcmp(ptr, "net none") == 0) { arg_nonetwork = 1; cfg.bridge0.configured = 0; @@ -743,6 +756,12 @@ fprintf(stderr, "Error: invalid MAC address\n"); exit(1); } + + // check multicast address + if (br->macsandbox[0] & 1) { + fprintf(stderr, "Error: invalid MAC address (multicast)\n"); + exit(1); + } } else warning_feature_disabled("networking"); 
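Review bot: The no_sandbox.c hunk replaces the PATH_FIREJAIL-as-shell substitution with a commented-out copy of the same code, leaving dead code with no hint why it was disabled; version control keeps the history, so delete the block, or keep a one-line note such as `// PATH_FIREJAIL is rejected as $SHELL by guess_shell() in main.c` if that is the reason it is no longer needed here. The `assert(cfg.command_line == NULL)` relies on asserts being compiled in; if NDEBUG builds are supported an explicit check would be safer. The enclosing function starts outside the hunk.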
@@ -893,7 +912,7 @@ if (strncmp(ptr, "protocol ", 9) == 0) { if (checkcfg(CFG_SECCOMP)) { if (cfg.protocol) { - fwarning("two protocol lists are present, \"%s\" will be installed\n", cfg.protocol); + fwarning("more than one protocol list is present, \"%s\" will be installed\n", cfg.protocol); return 0; } @@ -1412,12 +1431,12 @@ // filesystem bind if (strncmp(ptr, "bind ", 5) == 0) { if (checkcfg(CFG_BIND)) { + // extract two directories if (getuid() != 0) { fprintf(stderr, "Error: --bind option is available only if running as root\n"); exit(1); } - // extract two directories char *dname1 = ptr + 5; char *dname2 = split_comma(dname1); // this inserts a '0 to separate the two dierctories if (dname2 == NULL) { @@ -1495,7 +1514,10 @@ if (checkcfg(CFG_JOIN) || getuid() == 0) { // try to join by name only pid_t pid; - if (!name2pid(ptr + 14, &pid)) { + EUID_ROOT(); + int r = name2pid(ptr + 14, &pid); + EUID_USER(); + if (!r) { if (!cfg.shell && !arg_shell_none) cfg.shell = guess_shell(); @@ -1563,10 +1585,12 @@ else if (strncmp(ptr, "noexec ", 7) == 0) ptr += 7; else if (strncmp(ptr, "tmpfs ", 6) == 0) { +#ifndef HAVE_USERTMPFS if (getuid() != 0) { fprintf(stderr, "Error: tmpfs available only when running the sandbox as root\n"); exit(1); } +#endif ptr += 6; } else { diff -Nru firejail-0.9.64/src/firejail/pulseaudio.c firejail-0.9.64.4/src/firejail/pulseaudio.c --- firejail-0.9.64/src/firejail/pulseaudio.c 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/src/firejail/pulseaudio.c 2021-02-04 15:29:49.000000000 +0000 @@ -31,6 +31,8 @@ #define O_PATH 010000000 #endif +#define PULSE_CLIENT_SYSCONF "/etc/pulse/client.conf" + // disable pulseaudio socket void pulseaudio_disable(void) { if (arg_debug) 
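Review bot: With HAVE_USERTMPFS the parse-time root-only check for `tmpfs ` lines is removed, and the unprivileged restriction now lives in fs.c (directories under $HOME only, ownership checked), but nothing at this site tells a reader where the enforcement went. A one-line comment inside the `#ifndef`, such as `// with HAVE_USERTMPFS unprivileged tmpfs is restricted to $HOME in fs.c at mount time`, would keep the two sites tied together. The `EUID_ROOT()`/`EUID_USER()` bracket around name2pid() in the join-or-start hunk is fine. The enclosing function starts and ends outside the hunk.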
@@ -73,8 +75,8 @@ closedir(dir); } -static void pulseaudio_set_environment(const char *path) { - assert(path); +static void pulseaudio_fallback(const char *path) { + fmessage("Cannot mount tmpfs on %s/.config/pulse\n", cfg.homedir); if (setenv("PULSE_CLIENTCONFIG", path, 1) < 0) errExit("setenv"); } @@ -84,9 +86,9 @@ struct stat s; // do we have pulseaudio in the system? - if (stat("/etc/pulse/client.conf", &s) == -1) { + if (stat(PULSE_CLIENT_SYSCONF, &s) == -1) { if (arg_debug) - printf("/etc/pulse/client.conf not found\n"); + printf("%s not found\n", PULSE_CLIENT_SYSCONF); return; } @@ -101,7 +103,7 @@ char *pulsecfg = NULL; if (asprintf(&pulsecfg, "%s/client.conf", RUN_PULSE_DIR) == -1) errExit("asprintf"); - if (copy_file("/etc/pulse/client.conf", pulsecfg, -1, -1, 0644)) // root needed + if (copy_file(PULSE_CLIENT_SYSCONF, pulsecfg, -1, -1, 0644)) // root needed errExit("copy_file"); FILE *fp = fopen(pulsecfg, "a"); if (!fp) @@ -126,11 +128,11 @@ if (create_empty_dir_as_user(homeusercfg, 0700)) fs_logger2("create", homeusercfg); - // if ~/.config/pulse now exists and there are no symbolic links, mount the new directory + // if ~/.config/pulse exists and there are no symbolic links, mount the new directory // else set environment variable int fd = safe_fd(homeusercfg, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); if (fd == -1) { - pulseaudio_set_environment(pulsecfg); + pulseaudio_fallback(pulsecfg); goto out; } // confirm the actual mount destination is owned by the user @@ -138,12 +140,12 @@ if (errno != EACCES) errExit("fstat"); close(fd); - pulseaudio_set_environment(pulsecfg); + pulseaudio_fallback(pulsecfg); goto out; } if (s.st_uid != getuid()) { close(fd); - pulseaudio_set_environment(pulsecfg); + pulseaudio_fallback(pulsecfg); goto out; } // preserve a read-only mount 
@@ -171,8 +173,9 @@ char *p; if (asprintf(&p, "%s/client.conf", homeusercfg) == -1) errExit("asprintf"); + if (setenv("PULSE_CLIENTCONFIG", p, 1) < 0) + errExit("setenv"); fs_logger2("create", p); - pulseaudio_set_environment(p); free(p); // RUN_PULSE_DIR not needed anymore, mask it diff -Nru firejail-0.9.64/src/firejail/run_symlink.c firejail-0.9.64.4/src/firejail/run_symlink.c --- firejail-0.9.64/src/firejail/run_symlink.c 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/src/firejail/run_symlink.c 2021-02-04 15:29:49.000000000 +0000 @@ -22,6 +22,8 @@ #include #include +extern char *find_in_path(const char *program); + void run_symlink(int argc, char **argv, int run_as_is) { EUID_ASSERT(); 
@@ -40,54 +42,17 @@ errExit("setresuid"); // find the real program by looking in PATH - char *p = getenv("PATH"); - if (!p) { + if (!getenv("PATH")) { fprintf(stderr, "Error: PATH environment variable not set\n"); exit(1); } - char *path = strdup(p); - if (!path) - errExit("strdup"); - - char *selfpath = realpath("/proc/self/exe", NULL); - if (!selfpath) - errExit("realpath"); - - // look in path for our program - char *tok = strtok(path, ":"); - int found = 0; - while (tok) { - char *name; - if (asprintf(&name, "%s/%s", tok, program) == -1) - errExit("asprintf"); - - struct stat s; - if (stat(name, &s) == 0) { - /* coverity[toctou] */ - char* rp = realpath(name, NULL); - if (!rp) - errExit("realpath"); - - if (strcmp(selfpath, rp) != 0) { - program = strdup(name); - found = 1; - free(rp); - break; - } - - free(rp); - } - - free(name); - tok = strtok(NULL, ":"); - } - if (!found) { + char *p = find_in_path(program); + if (!p) { fprintf(stderr, "Error: cannot find the program in the path\n"); exit(1); } - - free(selfpath); + program = p; // restore original umask umask(orig_umask); diff -Nru firejail-0.9.64/src/firejail/sandbox.c firejail-0.9.64.4/src/firejail/sandbox.c --- firejail-0.9.64/src/firejail/sandbox.c 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/src/firejail/sandbox.c 2021-02-04 15:29:49.000000000 +0000 @@ -141,7 +141,7 @@ } #endif -void seccomp_debug(void) { +static void seccomp_debug(void) { if (arg_debug == 0) return; @@ -400,19 +400,8 @@ } static void print_time(void) { - if (start_timestamp) { - unsigned long long end_timestamp = getticks(); - // measure 1 ms - usleep(1000); - unsigned long long onems = getticks() - end_timestamp; - if (onems) { - fmessage("Child process initialized in %.02f ms\n", - (float) (end_timestamp - start_timestamp) / (float) onems); - return; - } - } - - fmessage("Child process initialized\n"); + float delta = timetrace_end(); + fmessage("Child process initialized in %.02f ms\n", delta); } 
@@ -472,7 +461,7 @@ return 0; } -void start_application(int no_sandbox, char *set_sandbox_status) { +void start_application(int no_sandbox, int fd, char *set_sandbox_status) { // set environment if (no_sandbox == 0) { env_defaults(); @@ -482,7 +471,7 @@ umask(orig_umask); if (arg_debug) { - printf("starting application\n"); + printf("Starting application\n"); printf("LD_PRELOAD=%s\n", getenv("LD_PRELOAD")); } @@ -499,9 +488,6 @@ if (set_sandbox_status) *set_sandbox_status = SANDBOX_DONE; execl(arg_audit_prog, arg_audit_prog, NULL); - - perror("execl"); - exit(1); } //**************************************** // start the program without using a shell @@ -543,35 +529,37 @@ //**************************************** else { assert(cfg.shell); - assert(cfg.command_line); char *arg[5]; int index = 0; arg[index++] = cfg.shell; - if (login_shell) { - arg[index++] = "-l"; - if (arg_debug) - printf("Starting %s login shell\n", cfg.shell); - } else { - arg[index++] = "-c"; + if (cfg.command_line) { if (arg_debug) printf("Running %s command through %s\n", cfg.command_line, cfg.shell); + arg[index++] = "-c"; if (arg_doubledash) arg[index++] = "--"; arg[index++] = cfg.command_line; } - arg[index] = NULL; + else if (login_shell) { + if (arg_debug) + printf("Starting %s login shell\n", cfg.shell); + arg[index++] = "-l"; + } + else if (arg_debug) + printf("Starting %s shell\n", cfg.shell); + assert(index < 5); + arg[index] = NULL; if (arg_debug) { char *msg; - if (asprintf(&msg, "sandbox %d, execvp into %s", sandbox_pid, cfg.command_line) == -1) + if (asprintf(&msg, "sandbox %d, execvp into %s", + sandbox_pid, cfg.command_line ? cfg.command_line : cfg.shell) == -1) errExit("asprintf"); logmsg(msg); free(msg); - } - if (arg_debug) { int i; for (i = 0; i < 5; i++) { if (arg[i] == NULL) 
@@ -591,10 +579,14 @@ if (set_sandbox_status) *set_sandbox_status = SANDBOX_DONE; execvp(arg[0], arg); + + // join sandbox without shell in the mount namespace + if (fd > -1) + fexecve(fd, arg, environ); } - perror("execvp"); - exit(1); // it should never get here!!! + perror("Cannot start application"); + exit(1); } static void enforce_filters(void) { @@ -921,14 +913,13 @@ } } +#ifdef HAVE_USERTMPFS if (arg_private_cache) { - if (cfg.chrootdir) - fwarning("private-cache feature is disabled in chroot\n"); - else if (arg_overlay) - fwarning("private-cache feature is disabled in overlay\n"); - else - fs_private_cache(); + EUID_USER(); + profile_add("tmpfs ${HOME}/.cache"); + EUID_ROOT(); } +#endif if (arg_private_tmp) { // private-tmp is implemented as a whitelist @@ -1235,7 +1226,7 @@ set_nice(cfg.nice); set_rlimits(); - start_application(0, set_sandbox_status); + start_application(0, -1, set_sandbox_status); } munmap(set_sandbox_status, 1); diff -Nru firejail-0.9.64/src/firejail/util.c firejail-0.9.64.4/src/firejail/util.c --- firejail-0.9.64/src/firejail/util.c 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/src/firejail/util.c 2021-02-04 15:29:49.000000000 +0000 @@ -36,6 +36,11 @@ #define O_PATH 010000000 #endif +#include +#ifdef __NR_openat2 +#include +#endif + #define MAX_GROUPS 1024 #define MAXBUF 4098 #define EMPTY_STRING ("") @@ -70,10 +75,11 @@ goto clean_all; // clean supplementary group list - // allow only tty, audio, video, games + // allow only firejail, tty, audio, video, games gid_t new_groups[MAX_GROUPS]; int new_ngroups = 0; char *allowed[] = { + "firejail", "tty", "audio", "video", 
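Review bot: The fexecve() fallback after execvp() depends on behaviour that is not documented at the call site: the descriptor comes from join.c's open_shell() with O_PATH|O_CLOEXEC, and fexecve(3) notes that executing a `#!` script through a close-on-exec descriptor fails because the interpreter cannot reopen it, so the fallback works for ELF shells only. I would state the contract in a comment: `// fd: O_PATH fd of cfg.shell opened before joining; fexecve() works for ELF shells only (script shells fail with O_CLOEXEC, see fexecve(3))`. `environ` is used without a visible declaration and needs `extern char **environ` or _GNU_SOURCE with <unistd.h>, which may already be present elsewhere in the file. The private-cache hunk now routes through `profile_add("tmpfs ${HOME}/.cache")` and drops the chroot/overlay warnings; whether those restrictions still apply is not visible here. The enclosing function starts outside the hunk.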
@@ -559,27 +565,18 @@ if (!rv) errExit("malloc"); - if (len > 0) { - size_t i = 0, j = 0, cnt = 0; - for (; i < len; i++) { - if (path[i] == '/') - cnt++; - else - cnt = 0; - - if (cnt < 2) { - rv[j] = path[i]; - j++; - } - } - rv[j] = '\0'; - - // remove a trailing slash - if (j > 1 && rv[j - 1] == '/') - rv[j - 1] = '\0'; - } - else - *rv = '\0'; + size_t i = 0; + size_t j = 0; + while (path[i]) { + while (path[i] == '/' && path[i+1] == '/') + i++; + rv[j++] = path[i++]; + } + rv[j] = '\0'; + + // remove a trailing slash + if (j > 1 && rv[j - 1] == '/') + rv[j - 1] = '\0'; return rv; } @@ -814,20 +811,6 @@ fclose(stream); } - - - -// Equivalent to the GNU version of basename, which is incompatible with -// the POSIX basename. A few lines of code saves any portability pain. -// https://www.gnu.org/software/libc/manual/html_node/Finding-Tokens-in-a-String.html#index-basename -const char *gnu_basename(const char *path) { - const char *last_slash = strrchr(path, '/'); - if (!last_slash) - return path; - return last_slash+1; -} - - uid_t pid_get_uid(pid_t pid) { EUID_ASSERT(); uid_t rv = 0; @@ -1007,12 +990,8 @@ if (chmod(dir, mode) == -1) {;} // do nothing } - else if (arg_debug) { - char *str; - if (asprintf(&str, "Directory %s not created", dir) == -1) - errExit("asprintf"); - perror(str); - } + else if (arg_debug) + printf("Directory %s not created: %s\n", dir, strerror(errno)); #ifdef HAVE_GCOV __gcov_flush(); #endif 
@@ -1157,46 +1136,57 @@ free(fname); } -// open file without following any symbolic link -// returns a file descriptor on success, or -1 if a symlink is found +// open an existing file without following any symbolic link int safe_fd(const char *path, int flags) { + flags |= O_NOFOLLOW; assert(path); - if (*path != '/') - goto errexit; - if (strstr(path, "..")) - goto errexit; - - int parentfd = open("/", O_PATH|O_DIRECTORY|O_CLOEXEC); - if (parentfd == -1) - errExit("open"); + if (*path != '/' || strstr(path, "..")) { + fprintf(stderr, "Error: invalid path %s\n", path); + exit(1); + } int fd = -1; - char *last_tok = EMPTY_STRING; +#ifdef __NR_openat2 // kernel 5.6 or better + struct open_how oh; + memset(&oh, 0, sizeof(oh)); + oh.flags = flags; + oh.resolve = RESOLVE_NO_SYMLINKS; + fd = syscall(__NR_openat2, -1, path, &oh, sizeof(struct open_how)); + if (fd != -1 || errno != ENOSYS) + return fd; +#endif + + // openat2 syscall is not available, traverse path and + // check each component if it is a symbolic link or not char *dup = strdup(path); if (!dup) errExit("strdup"); char *tok = strtok(dup, "/"); if (!tok) { // root directory free(dup); - return parentfd; + return open("/", flags); } + char *last_tok = EMPTY_STRING; + int parentfd = open("/", O_PATH|O_CLOEXEC); + if (parentfd == -1) + errExit("open"); while(1) { - // open the element, assuming it is a directory; this fails with ENOTDIR if it is a symbolic link + // open path component, assuming it is a directory; this fails with ENOTDIR if it is a symbolic link // if token is a single dot, the previous directory is reopened fd = openat(parentfd, tok, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); if (fd == -1) { - // if the following token is NULL, the current token is the final path element + // if the following token is NULL, the current token is the final path component // try again to open it, this time using the passed flags, and return -1 or the descriptor last_tok = tok; tok = strtok(NULL, "/"); if (!tok) - 
fd = openat(parentfd, last_tok, flags|O_NOFOLLOW); + fd = openat(parentfd, last_tok, flags); close(parentfd); free(dup); - return fd; // -1 if open failed + return fd; } - // move on to next path segment + // move on to next path component last_tok = tok; tok = strtok(NULL, "/"); if (!tok) @@ -1204,18 +1194,13 @@ close(parentfd); parentfd = fd; } - - // we are here because the last path element exists and is of file type directory + // getting here when the last path component exists and is of file type directory // reopen it using the passed flags close(fd); - fd = openat(parentfd, last_tok, flags|O_NOFOLLOW); + fd = openat(parentfd, last_tok, flags); close(parentfd); free(dup); - return fd; // -1 if open failed - -errexit: - fprintf(stderr, "Error: cannot open \"%s\": invalid path\n", path); - exit(1); + return fd; } int has_handler(pid_t pid, int signal) { @@ -1321,7 +1306,7 @@ assert(dir); int fd = safe_fd(dir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); if (fd == -1) { - if (errno == ENOTDIR && is_dir(dir)) + if ((errno == ELOOP || errno == ENOTDIR) && is_dir(dir)) return 1; } else diff -Nru firejail-0.9.64/src/firejail/x11.c firejail-0.9.64.4/src/firejail/x11.c --- firejail-0.9.64/src/firejail/x11.c 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/src/firejail/x11.c 2021-02-04 15:29:49.000000000 +0000 
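Review bot: The openat2 fast path falls back to the component walk only for `errno == ENOSYS`; if the syscall exists but is denied by a seccomp filter with an errno action (which can be the case when this code runs inside an existing sandbox), `safe_fd` returns -1 with EPERM or EACCES and the caller treats the path as unopenable even though the walk would have succeeded. If that is deliberate, say so in the comment; otherwise widen the condition, `if (fd != -1 || (errno != ENOSYS && errno != EPERM))`. Note also that the two paths use different error vocabularies for a symlink — `RESOLVE_NO_SYMLINKS` yields ELOOP for any component, the walk yields ENOTDIR from `openat` — which is why the `is_dir` hunk below now accepts both; a one-line comment above the openat2 `return fd;` would keep that coupling visible. safe_fd's body continues into the following hunk.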
@@ -1368,7 +1368,7 @@ void x11_block(void) { #ifdef HAVE_X11 // check abstract socket presence and network namespace options - if ((!arg_nonetwork && !cfg.bridge0.configured && !cfg.interface0.configured) + if ((!arg_nonetwork && !arg_netns && !cfg.bridge0.configured && !cfg.interface0.configured) && x11_abstract_sockets_present()) { fprintf(stderr, "ERROR: --x11=none specified, but abstract X11 socket still accessible.\n" "Additional setup required. To block abstract X11 socket you can either:\n" diff -Nru firejail-0.9.64/src/fldd/main.c firejail-0.9.64.4/src/fldd/main.c --- firejail-0.9.64/src/fldd/main.c 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/src/fldd/main.c 2021-02-04 15:29:49.000000000 +0000 @@ -24,7 +24,6 @@ #include #include #include -#include #include #include #include @@ -303,10 +302,7 @@ return 0; } -#ifdef WARN_DUMPABLE - if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid()) - fprintf(stderr, "Error fldd: I am dumpable\n"); -#endif + warn_dumpable(); // check program access if (access(argv[1], R_OK)) { diff -Nru firejail-0.9.64/src/fldd/Makefile.in firejail-0.9.64.4/src/fldd/Makefile.in --- firejail-0.9.64/src/fldd/Makefile.in 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/src/fldd/Makefile.in 2021-02-04 15:29:49.000000000 +0000 @@ -5,8 +5,8 @@ %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h ../include/ldd_utils.h $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ -fldd: $(OBJS) ../lib/ldd_utils.o - $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/ldd_utils.o $(LIBS) $(EXTRA_LDFLAGS) +fldd: $(OBJS) ../lib/common.o ../lib/ldd_utils.o + $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/ldd_utils.o $(LIBS) $(EXTRA_LDFLAGS) clean:; rm -fr *.o fldd *.gcov *.gcda *.gcno *.plist diff -Nru firejail-0.9.64/src/fnet/main.c firejail-0.9.64.4/src/fnet/main.c --- firejail-0.9.64/src/fnet/main.c 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/src/fnet/main.c 2021-02-04 15:29:49.000000000 +0000 
@@ -21,7 +21,6 @@ #include #include #include -#include int arg_quiet = 0; @@ -69,10 +68,9 @@ usage(); return 0; } -#ifdef WARN_DUMPABLE - if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid()) - fprintf(stderr, "Error fnet: I am dumpable\n"); -#endif + + warn_dumpable(); + char *quiet = getenv("FIREJAIL_QUIET"); if (quiet && strcmp(quiet, "yes") == 0) arg_quiet = 1; diff -Nru firejail-0.9.64/src/fnet/Makefile.in firejail-0.9.64.4/src/fnet/Makefile.in --- firejail-0.9.64/src/fnet/Makefile.in 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/src/fnet/Makefile.in 2021-02-04 15:29:49.000000000 +0000 @@ -5,8 +5,8 @@ %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/libnetlink.h $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ -fnet: $(OBJS) ../lib/libnetlink.o - $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/libnetlink.o $(LIBS) $(EXTRA_LDFLAGS) +fnet: $(OBJS) ../lib/common.o ../lib/libnetlink.o + $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/libnetlink.o $(LIBS) $(EXTRA_LDFLAGS) clean:; rm -fr *.o fnet *.gcov *.gcda *.gcno *.plist diff -Nru firejail-0.9.64/src/fnetfilter/main.c firejail-0.9.64.4/src/fnetfilter/main.c --- firejail-0.9.64/src/fnetfilter/main.c 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/src/fnetfilter/main.c 2021-02-04 15:29:49.000000000 +0000 @@ -18,7 +18,6 @@ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #include "../include/common.h" -#include #define MAXBUF 4098 #define MAXARGS 16 
@@ -181,10 +180,9 @@ usage(); return 1; } -#ifdef WARN_DUMPABLE - if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid()) - fprintf(stderr, "Error fnetfilter: I am dumpable\n"); -#endif + + warn_dumpable(); + char *destfile = (argc == 3)? argv[2]: argv[1]; char *command = (argc == 3)? argv[1]: NULL; //printf("command %s\n", command); diff -Nru firejail-0.9.64/src/fnetfilter/Makefile.in firejail-0.9.64.4/src/fnetfilter/Makefile.in --- firejail-0.9.64/src/fnetfilter/Makefile.in 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/src/fnetfilter/Makefile.in 2021-02-04 15:29:49.000000000 +0000 @@ -5,8 +5,8 @@ %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ -fnetfilter: $(OBJS) - $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) +fnetfilter: $(OBJS) ../lib/common.o + $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS) clean:; rm -fr *.o fnetfilter *.gcov *.gcda *.gcno *.plist diff -Nru firejail-0.9.64/src/fseccomp/fseccomp.h firejail-0.9.64.4/src/fseccomp/fseccomp.h --- firejail-0.9.64/src/fseccomp/fseccomp.h 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/src/fseccomp/fseccomp.h 2021-02-04 15:29:49.000000000 +0000 @@ -23,7 +23,6 @@ #include #include #include -#include #include "../include/common.h" #include "../include/syscall.h" diff -Nru firejail-0.9.64/src/fseccomp/main.c firejail-0.9.64.4/src/fseccomp/main.c --- firejail-0.9.64/src/fseccomp/main.c 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/src/fseccomp/main.c 2021-02-04 15:29:49.000000000 +0000 
@@ -69,11 +69,7 @@ return 0; } -#ifdef WARN_DUMPABLE - // check FIREJAIL_PLUGIN in order to not print a warning during make - if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid() && getenv("FIREJAIL_PLUGIN")) - fprintf(stderr, "Error fseccomp: I am dumpable\n"); -#endif + warn_dumpable(); char *quiet = getenv("FIREJAIL_QUIET"); if (quiet && strcmp(quiet, "yes") == 0) diff -Nru firejail-0.9.64/src/fseccomp/Makefile.in firejail-0.9.64.4/src/fseccomp/Makefile.in --- firejail-0.9.64/src/fseccomp/Makefile.in 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/src/fseccomp/Makefile.in 2021-02-04 15:29:49.000000000 +0000 @@ -5,8 +5,8 @@ %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ -fseccomp: $(OBJS) ../lib/errno.o ../lib/syscall.o - $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/errno.o ../lib/syscall.o $(LIBS) $(EXTRA_LDFLAGS) +fseccomp: $(OBJS) ../lib/common.o ../lib/errno.o ../lib/syscall.o + $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/errno.o ../lib/syscall.o $(LIBS) $(EXTRA_LDFLAGS) clean:; rm -fr *.o fseccomp *.gcov *.gcda *.gcno *.plist diff -Nru firejail-0.9.64/src/fseccomp/protocol.c firejail-0.9.64.4/src/fseccomp/protocol.c --- firejail-0.9.64/src/fseccomp/protocol.c 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/src/fseccomp/protocol.c 2021-02-04 15:29:49.000000000 +0000 @@ -57,6 +57,7 @@ "inet6", "netlink", "packet", + "bluetooth", NULL }; @@ -66,7 +67,8 @@ WHITELIST(AF_INET), WHITELIST(AF_INET6), WHITELIST(AF_NETLINK), - WHITELIST(AF_PACKET) + WHITELIST(AF_PACKET), + WHITELIST(AF_BLUETOOTH) }; #endif // Note: protocol[] and protocol_filter_command are synchronized 
@@ -143,22 +145,6 @@ memcpy(ptr, &filter_start[0], sizeof(filter_start)); ptr += sizeof(filter_start); -#if 0 -printf("entries %u\n", (unsigned) (sizeof(filter_start) / sizeof(struct sock_filter))); -{ - unsigned j; - unsigned char *ptr2 = (unsigned char *) &filter[0]; - for (j = 0; j < sizeof(filter); j++, ptr2++) { - if ((j % (sizeof(struct sock_filter))) == 0) - printf("\n%u: ", 1 + (unsigned) (j / (sizeof(struct sock_filter)))); - printf("%02x, ", (*ptr2) & 0xff); - } - printf("\n"); -} -printf("whitelist_len %u, struct sock_filter len %u\n", whitelist_len, (unsigned) sizeof(struct sock_filter)); -#endif - - // parse list and add commands char *tmplist = strdup(prlist); if (!tmplist) @@ -176,22 +162,6 @@ memcpy(ptr, domain, whitelist_len * sizeof(struct sock_filter)); ptr += whitelist_len * sizeof(struct sock_filter); token = strtok(NULL, ","); - -#if 0 -printf("entries %u\n", (unsigned) ((uint64_t) ptr - (uint64_t) (filter)) / (unsigned) sizeof(struct sock_filter)); -{ - unsigned j; - unsigned char *ptr2 = (unsigned char *) &filter[0]; - for (j = 0; j < sizeof(filter); j++, ptr2++) { - if ((j % (sizeof(struct sock_filter))) == 0) - printf("\n%u: ", 1 + (unsigned) (j / (sizeof(struct sock_filter)))); - printf("%02x, ", (*ptr2) & 0xff); - } - printf("\n"); -} -#endif - - } free(tmplist); 
@@ -202,19 +172,6 @@ memcpy(ptr, &filter_end[0], sizeof(filter_end)); ptr += sizeof(filter_end); -#if 0 -printf("entries %u\n", (unsigned) ((uint64_t) ptr - (uint64_t) (filter)) / (unsigned) sizeof(struct sock_filter)); -{ - unsigned j; - unsigned char *ptr2 = (unsigned char *) &filter[0]; - for (j = 0; j < sizeof(filter); j++, ptr2++) { - if ((j % (sizeof(struct sock_filter))) == 0) - printf("\n%u: ", 1 + (unsigned) (j / (sizeof(struct sock_filter)))); - printf("%02x, ", (*ptr2) & 0xff); - } - printf("\n"); -} -#endif // save filter to file int dst = open(fname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); if (dst < 0) { diff -Nru firejail-0.9.64/src/fsec-optimize/fsec_optimize.h firejail-0.9.64.4/src/fsec-optimize/fsec_optimize.h --- firejail-0.9.64/src/fsec-optimize/fsec_optimize.h 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/src/fsec-optimize/fsec_optimize.h 2021-02-04 15:29:49.000000000 +0000 @@ -22,7 +22,6 @@ #include "../include/common.h" #include "../include/seccomp.h" #include -#include // optimize.c struct sock_filter *duplicate(struct sock_filter *filter, int entries); diff -Nru firejail-0.9.64/src/fsec-optimize/main.c firejail-0.9.64.4/src/fsec-optimize/main.c --- firejail-0.9.64/src/fsec-optimize/main.c 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/src/fsec-optimize/main.c 2021-02-04 15:29:49.000000000 +0000 @@ -44,11 +44,7 @@ return 0; } -#ifdef WARN_DUMPABLE - // check FIREJAIL_PLUGIN in order to not print a warning during make - if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid() && getenv("FIREJAIL_PLUGIN")) - fprintf(stderr, "Error fsec-optimize: I am dumpable\n"); -#endif + warn_dumpable(); char *fname = argv[1]; diff -Nru firejail-0.9.64/src/fsec-optimize/Makefile.in firejail-0.9.64.4/src/fsec-optimize/Makefile.in --- firejail-0.9.64/src/fsec-optimize/Makefile.in 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/src/fsec-optimize/Makefile.in 2021-02-04 15:29:49.000000000 +0000 
@@ -5,8 +5,8 @@ %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/seccomp.h ../include/syscall.h $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ -fsec-optimize: $(OBJS) ../lib/libnetlink.o - $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) +fsec-optimize: $(OBJS) ../lib/common.o ../lib/libnetlink.o + $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS) clean:; rm -fr *.o fsec-optimize *.gcov *.gcda *.gcno *.plist diff -Nru firejail-0.9.64/src/fsec-print/fsec_print.h firejail-0.9.64.4/src/fsec-print/fsec_print.h --- firejail-0.9.64/src/fsec-print/fsec_print.h 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/src/fsec-print/fsec_print.h 2021-02-04 15:29:49.000000000 +0000 @@ -23,7 +23,6 @@ #include "../include/seccomp.h" #include "../include/syscall.h" #include -#include // print.c void print(struct sock_filter *filter, int entries); diff -Nru firejail-0.9.64/src/fsec-print/main.c firejail-0.9.64.4/src/fsec-print/main.c --- firejail-0.9.64/src/fsec-print/main.c 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/src/fsec-print/main.c 2021-02-04 15:29:49.000000000 +0000 @@ -61,10 +61,7 @@ return 0; } -#ifdef WARN_DUMPABLE - if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid()) - fprintf(stderr, "Error fsec-print: I am dumpable\n"); -#endif + warn_dumpable(); char *fname = argv[1]; diff -Nru firejail-0.9.64/src/fsec-print/Makefile.in firejail-0.9.64.4/src/fsec-print/Makefile.in --- firejail-0.9.64/src/fsec-print/Makefile.in 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/src/fsec-print/Makefile.in 2021-02-04 15:29:49.000000000 +0000 
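Review bot: The `fsec-optimize` rule lists `../lib/libnetlink.o` as a prerequisite but the link line does not link it, so the dependency is either unneeded or the binary is under-linked; the fsec-print rule in the next file section has the same mismatch. Make the two lines agree, e.g. `fsec-optimize: $(OBJS) ../lib/common.o` paired with the existing `$(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS)`, unless libnetlink symbols are actually required. The inconsistency predates this commit, but the commit rewrites both lines, so it is the moment to fix it.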
@@ -5,8 +5,8 @@ %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/seccomp.h ../include/syscall.h $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ -fsec-print: $(OBJS) ../lib/libnetlink.o ../lib/errno.o ../lib/syscall.o - $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/errno.o ../lib/syscall.o $(LIBS) $(EXTRA_LDFLAGS) +fsec-print: $(OBJS) ../lib/common.o ../lib/libnetlink.o ../lib/errno.o ../lib/syscall.o + $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/errno.o ../lib/syscall.o $(LIBS) $(EXTRA_LDFLAGS) clean:; rm -fr *.o fsec-print *.gcov *.gcda *.gcno *.plist diff -Nru firejail-0.9.64/src/include/common.h firejail-0.9.64.4/src/include/common.h --- firejail-0.9.64/src/include/common.h 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/src/include/common.h 2021-02-04 15:29:49.000000000 +0000 @@ -38,11 +38,6 @@ #define errExit(msg) do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0) -// check if processes run with dumpable flag set -// currently we get "Error fseccomp: I am dumpable" every time we run a firejail build on Debian 8, -// regardless what Debian version we run the build on -//#define WARN_DUMPABLE - // macro to print ip addresses in a printf statement #define PRINT_IP(A) \ ((int) (((A) >> 24) & 0xFF)), ((int) (((A) >> 16) & 0xFF)), ((int) (((A) >> 8) & 0xFF)), ((int) ( (A) & 0xFF)) @@ -118,21 +113,6 @@ return 0; } -// rtdsc timestamp on x86-64/amd64 processors -static inline unsigned long long getticks(void) { -#if defined(__x86_64__) - unsigned a, d; - asm volatile("rdtsc" : "=a" (a), "=d" (d)); - return ((unsigned long long)a) | (((unsigned long long)d) << 32); -#elif defined(__i386__) - unsigned long long ret; - __asm__ __volatile__("rdtsc" : "=A" (ret)); - return ret; -#else - return 0; // not implemented -#endif -} - void timetrace_start(void); float timetrace_end(void); int join_namespace(pid_t pid, char *type); 
@@ -141,4 +121,6 @@ char *pid_proc_cmdline(const pid_t pid); int pid_proc_cmdline_x11_xpra_xephyr(const pid_t pid); int pid_hidepid(void); +void warn_dumpable(void); +const char *gnu_basename(const char *path); #endif diff -Nru firejail-0.9.64/src/lib/common.c firejail-0.9.64.4/src/lib/common.c --- firejail-0.9.64/src/lib/common.c 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/src/lib/common.c 2021-02-04 15:29:49.000000000 +0000 @@ -30,6 +30,7 @@ #include #include #include +#include #include "../include/common.h" #define BUFLEN 4096 @@ -266,7 +267,6 @@ } // return 1 if /proc is mounted hidepid, or if /proc/mouns access is denied -#define BUFLEN 4096 int pid_hidepid(void) { FILE *fp = fopen("/proc/mounts", "r"); if (!fp) @@ -277,7 +277,7 @@ if (strstr(buf, "proc /proc proc")) { fclose(fp); // check hidepid - if (strstr(buf, "hidepid=2") || strstr(buf, "hidepid=1")) + if (strstr(buf, "hidepid=")) return 1; return 0; } 
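Review bot: `strstr(buf, "hidepid=")` now also matches `hidepid=0`, so a /proc mounted with an explicit non-hiding `hidepid=0` (or, on kernels that accept the named values, `hidepid=off`) makes pid_hidepid() report hiding as active, and callers will take the restricted path needlessly. If the broadening is meant to recognise the named modes `invisible`/`ptraceable`, exclude the off values explicitly: `if (strstr(buf, "hidepid=") && !strstr(buf, "hidepid=0") && !strstr(buf, "hidepid=off"))`, and extend the comment above the function to list the forms it recognises. pid_hidepid() starts outside the hunk and its body continues after it.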
@@ -287,41 +287,78 @@ return 0; } +// print error if unprivileged users can trace the process +void warn_dumpable(void) { + if (getuid() != 0 && prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getenv("FIREJAIL_PLUGIN")) { + fprintf(stderr, "Error: dumpable process\n"); + + // best effort to provide detailed debug information + // cannot use process name, it is just a file descriptor number + char path[BUFLEN]; + ssize_t len = readlink("/proc/self/exe", path, BUFLEN - 1); + if (len < 0) + return; + path[len] = '\0'; + // path can refer to a sandbox mount namespace, use basename only + const char *base = gnu_basename(path); + + struct stat s; + if (stat("/proc/self/exe", &s) == 0 && s.st_uid != 0) + fprintf(stderr, "Change owner of %s executable to root\n", base); + else if (access("/proc/self/exe", R_OK) == 0) + fprintf(stderr, "Remove read permission on %s executable\n", base); + } +} + +// Equivalent to the GNU version of basename, which is incompatible with +// the POSIX basename. A few lines of code saves any portability pain. 
+// https://www.gnu.org/software/libc/manual/html_node/Finding-Tokens-in-a-String.html#index-basename +const char *gnu_basename(const char *path) { + const char *last_slash = strrchr(path, '/'); + if (!last_slash) + return path; + return last_slash+1; +} + //************************** // time trace based on getticks function //************************** -static int tt_not_implemented = 0; // not implemented for the current architecture -static unsigned long long tt_1ms = 0; -static unsigned long long tt = 0; // start time +typedef struct list_entry_t { + struct list_entry_t *next; + struct timespec ts; +} ListEntry; + +static ListEntry *ts_list = NULL; + +static inline float msdelta(struct timespec *start, struct timespec *end) { + unsigned sec = end->tv_sec - start->tv_sec; + long nsec = end->tv_nsec - start->tv_nsec; + return (float) sec * 1000 + (float) nsec / 1000000; +} void timetrace_start(void) { - if (tt_not_implemented) - return; - unsigned long long t1 = getticks(); - if (t1 == 0) { - tt_not_implemented = 1; - return; - } - - if (tt_1ms == 0) { - usleep(1000); // sleep 1 ms - unsigned long long t2 = getticks(); - tt_1ms = t2 - t1; - if (tt_1ms == 0) { - tt_not_implemented = 1; - return; - } - } - - tt = getticks(); + ListEntry *t = malloc(sizeof(ListEntry)); + if (!t) + errExit("malloc"); + memset(t, 0, sizeof(ListEntry)); + clock_gettime(CLOCK_MONOTONIC, &t->ts); + + // add it to the list + t->next = ts_list; + ts_list = t; } float timetrace_end(void) { - if (tt_not_implemented) + if (!ts_list) return 0; - unsigned long long delta = getticks() - tt; - assert(tt_1ms); - - return (float) delta / (float) tt_1ms; + // remove start time from the list + ListEntry *t = ts_list; + ts_list = t->next; + + struct timespec end; + clock_gettime(CLOCK_MONOTONIC, &end); + float rv = msdelta(&t->ts, &end); + free(t); + return rv; } diff -Nru firejail-0.9.64/src/lib/syscall.c firejail-0.9.64.4/src/lib/syscall.c --- firejail-0.9.64/src/lib/syscall.c 2020-10-06 
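Review bot: `warn_dumpable()` is now compiled in unconditionally (WARN_DUMPABLE is gone from common.h) but reports only when `FIREJAIL_PLUGIN` is set, so a helper invoked directly — as the new test/fnetfilter expect scripts do from a plain shell — never shows the diagnostic; the removed fldd/fnet/fnetfilter blocks had no such condition. If the gate is meant to keep make and test output quiet, say so on the condition, e.g. `// only report when launched by firejail (FIREJAIL_PLUGIN set) so build and test runs stay quiet`. In the same hunk, `msdelta` stores a `time_t` difference in `unsigned sec`, which is fine for CLOCK_MONOTONIC but wraps silently if a start/end pair is ever inverted; `long sec` would match `nsec` and cost nothing, and `clock_gettime`'s return value is not checked in either function. The hunk opens with the tail of a function whose beginning is outside it.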
12:50:41.000000000 +0000 +++ firejail-0.9.64.4/src/lib/syscall.c 2021-02-04 15:29:49.000000000 +0000 @@ -336,6 +336,7 @@ #endif }, { .name = "@default-keep", .list = + "execveat," // commonly used by fexecve "execve," "prctl" }, diff -Nru firejail-0.9.64/src/man/firecfg.txt firejail-0.9.64.4/src/man/firecfg.txt --- firejail-0.9.64/src/man/firecfg.txt 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/src/man/firecfg.txt 2021-02-04 15:29:49.000000000 +0000 @@ -61,7 +61,7 @@ .TP \fB\-\-bindir=directory -Create and search symbolic links in directory instead of the default location /user/local/bin. +Create and search symbolic links in directory instead of the default location /usr/local/bin. Directory should precede /usr/bin and /bin in the PATH environment variable. .TP diff -Nru firejail-0.9.64/src/man/firejail-profile.txt firejail-0.9.64.4/src/man/firejail-profile.txt --- firejail-0.9.64/src/man/firejail-profile.txt 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/src/man/firejail-profile.txt 2021-02-04 15:29:49.000000000 +0000 @@ -412,7 +412,7 @@ \fBprotocol protocol1,protocol2,protocol3 Enable protocol filter. The filter is based on seccomp and checks the first argument to socket system call. Recognized values: \fBunix\fR, -\fBinet\fR, \fBinet6\fR, \fBnetlink\fR and \fBpacket\fR. +\fBinet\fR, \fBinet6\fR, \fBnetlink\fR, \fBpacket\fR and \fBbluetooth\fR. .TP \fBseccomp Enable seccomp filter and blacklist the syscalls in the default list. See man 1 firejail for more details. 
@@ -862,6 +862,11 @@ a default gateway address also have to be added. .TP +\fBnetns namespace +Run the program in a named, persistent network namespace. These can +be created and configured using "ip netns". + +.TP \fBveth-name name Use this name for the interface connected to the bridge for --net=bridge_interface commands, instead of the default one. diff -Nru firejail-0.9.64/src/man/firejail.txt firejail-0.9.64.4/src/man/firejail.txt --- firejail-0.9.64/src/man/firejail.txt 2020-10-19 12:01:48.000000000 +0000 +++ firejail-0.9.64.4/src/man/firejail.txt 2021-02-04 15:29:49.000000000 +0000 @@ -76,10 +76,10 @@ The default profile is quite restrictive. In case the application doesn't work, use --noprofile option to disable it. For more information, please see \fBSECURITY PROFILES\fR section below. .PP -If a program argument is not specified, Firejail starts /bin/bash shell. +If a program argument is not specified, Firejail starts the user's preferred shell. Examples: .PP -$ firejail [OPTIONS] # starting a /bin/bash shell +$ firejail [OPTIONS] # starting the program specified in $SHELL, usually /bin/bash .PP $ firejail [OPTIONS] firefox # starting Mozilla Firefox .PP @@ -1317,7 +1317,7 @@ .br .br -.B nolocal.net +.B nolocal.net/nolocal6.net is a desktop client firewall that disable access to local network. Example: .br @@ -1558,7 +1558,7 @@ Child process initialized .br [...] -#if HAVE_USERNS +#ifdef HAVE_USERNS .TP \fB\-\-noroot Install a user namespace with a single user - the current user. @@ -2003,7 +2003,7 @@ .TP \fB\-\-protocol=protocol,protocol,protocol Enable protocol filter. The filter is based on seccomp and checks the first argument to socket system call. -Recognized values: unix, inet, inet6, netlink and packet. This option is not supported for i386 architecture. +Recognized values: unix, inet, inet6, netlink, packet and bluetooth. This option is not supported for i386 architecture. .br .br 
@@ -2273,7 +2273,7 @@ .TP \fB\-\-seccomp.keep=syscall,@group,!syscall2 Enable seccomp filter, blacklist all syscall not listed and "syscall2". -The system calls needed by Firejail (group @default-keep: prctl, execve) +The system calls needed by Firejail (group @default-keep: prctl, execve, execveat) are handled with the preload library. On a 64 bit architecture, an additional filter for 32 bit system calls can be installed with \-\-seccomp.32.keep. @@ -2476,7 +2476,7 @@ \fB\-\-shell=program Set default user shell. Use this shell to run the application using \-c shell option. For example "firejail \-\-shell=/bin/dash firefox" will start Mozilla Firefox as "/bin/dash \-c firefox". -By default Bash shell (/bin/bash) is used. +By default the user's preferred shell is used. .br .br @@ -3023,7 +3023,7 @@ .SH EXAMPLES .TP \f\firejail -Sandbox a regular /bin/bash session. +Sandbox a regular shell session. .TP \f\firejail firefox Start Mozilla Firefox. @@ -3043,7 +3043,7 @@ assigned automatically. .TP \f\firejail \-\-net=br0 \-\-ip=10.10.20.5 \-\-net=br1 \-\-net=br2 -Start a /bin/bash session in a new network namespace and connect it +Start a shell session in a new network namespace and connect it to br0, br1, and br2 host bridge devices. IP addresses are assigned automatically for the interfaces connected to br1 and b2 #endif diff -Nru firejail-0.9.64/src/man/preproc.awk firejail-0.9.64.4/src/man/preproc.awk --- firejail-0.9.64/src/man/preproc.awk 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/src/man/preproc.awk 2021-02-04 15:29:49.000000000 +0000 @@ -23,7 +23,7 @@ BEGIN { macros[0] = 0 for (arg in ARGV) { - if (ARGV[arg] ~ /^-D[A-Z_]+$/) { + if (ARGV[arg] ~ /^-D[A-Z0-9_]+$/) { macros[length(macros) + 1] = substr(ARGV[arg], 3) } ARGV[arg] = "" 
@@ -31,7 +31,7 @@ include = 1 } -/^#ifdef [A-Z_]+$/ { +/^#ifdef [A-Z0-9_]+$/ { macro = substr($0, 8) for (i in macros) { if (macros[i] == macro) { diff -Nru firejail-0.9.64/src/profstats/main.c firejail-0.9.64.4/src/profstats/main.c --- firejail-0.9.64/src/profstats/main.c 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/src/profstats/main.c 2021-02-04 15:29:49.000000000 +0000 @@ -30,6 +30,8 @@ static int cnt_caps = 0; static int cnt_dbus_system_none = 0; static int cnt_dbus_user_none = 0; +static int cnt_dbus_system_filter = 0; +static int cnt_dbus_user_filter = 0; static int cnt_dotlocal = 0; static int cnt_globalsdotlocal = 0; static int cnt_netnone = 0; @@ -107,6 +109,7 @@ return; } + int have_include_local = 0; char buf[MAXBUF]; while (fgets(buf, MAXBUF, fp)) { char *ptr = strchr(buf, '\n'); @@ -152,11 +155,16 @@ cnt_privateetc++; else if (strncmp(ptr, "dbus-system none", 16) == 0) cnt_dbus_system_none++; + else if (strncmp(ptr, "dbus-system", 11) == 0) + cnt_dbus_system_filter++; else if (strncmp(ptr, "dbus-user none", 14) == 0) cnt_dbus_user_none++; + else if (strncmp(ptr, "dbus-user", 9) == 0) + cnt_dbus_user_filter++; else if (strncmp(ptr, "include ", 8) == 0) { // not processing .local files if (strstr(ptr, ".local")) { + have_include_local = 1; //printf("dotlocal %d, level %d - #%s#, redirect #%s#\n", cnt_dotlocal, level, fname, buf + 8); if (strstr(ptr, "globals.local")) cnt_globalsdotlocal++; @@ -174,6 +182,8 @@ } fclose(fp); + if (!have_include_local) + printf("No include .local found in %s\n", fname); level--; } @@ -257,7 +267,9 @@ int whitelistrunuser = cnt_whitelistrunuser; int whitelistusrshare = cnt_whitelistusrshare; int dbussystemnone = cnt_dbus_system_none; + int dbussystemfilter = cnt_dbus_system_filter; int dbususernone = cnt_dbus_user_none; + int dbususerfilter = cnt_dbus_user_filter; int ssh = cnt_ssh; int mdwx = cnt_mdwx; 
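Review bot: `printf("No include .local found in %s\n", fname)` runs at the end of what appears to be the recursive profile reader (it decrements `level` right after), so every included `.inc` file without an `include ...local` line will print the message, not only the top-level profile. If only profiles should be checked, guard on the recursion depth, e.g. `if (!have_include_local && level == 1)`; the correct depth value depends on how `level` is incremented at the top of the function, which is outside the hunk. The new `strncmp(ptr, "dbus-system", 11)` and `"dbus-user", 9` prefix tests count every remaining dbus line as a filter, which is presumably intended since the `none` forms are matched first — a short comment would confirm it.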
@@ -278,6 +290,16 @@ cnt_globalsdotlocal = globalsdotlocal + 1; if (cnt_whitelistrunuser > (whitelistrunuser + 1)) cnt_whitelistrunuser = whitelistrunuser + 1; + if (cnt_seccomp > (seccomp + 1)) + cnt_seccomp = seccomp + 1; + if (cnt_dbus_user_none > (dbususernone + 1)) + cnt_dbus_user_none = dbususernone + 1; + if (cnt_dbus_user_filter > (dbususerfilter + 1)) + cnt_dbus_user_filter = dbususerfilter + 1; + if (cnt_dbus_system_none > (dbussystemnone + 1)) + cnt_dbus_system_none = dbussystemnone + 1; + if (cnt_dbus_system_filter > (dbussystemfilter + 1)) + cnt_dbus_system_filter = dbussystemfilter + 1; if (arg_dbus_system_none && dbussystemnone == cnt_dbus_system_none) printf("No dbus-system none found in %s\n", argv[i]); @@ -337,7 +359,9 @@ printf(" whitelist usr/share\t\t%d (include whitelist-usr-share-common.inc\n", cnt_whitelistusrshare); printf(" net none\t\t\t%d\n", cnt_netnone); printf(" dbus-user none \t\t%d\n", cnt_dbus_user_none); + printf(" dbus-user filter \t\t%d\n", cnt_dbus_user_filter); printf(" dbus-system none \t\t%d\n", cnt_dbus_system_none); + printf(" dbus-system filter \t\t%d\n", cnt_dbus_system_filter); printf("\n"); return 0; } diff -Nru firejail-0.9.64/test/compile/compile.sh firejail-0.9.64.4/test/compile/compile.sh --- firejail-0.9.64/test/compile/compile.sh 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/test/compile/compile.sh 2021-02-04 15:29:49.000000000 +0000 @@ -3,6 +3,16 @@ # Copyright (C) 2014-2020 Firejail Authors # License GPL v2 +# not currently covered +# --disable-suid install as a non-SUID executable +# --enable-fatal-warnings -W -Wall -Werror +# --enable-gcov Gcov instrumentation +# --enable-contrib-install +# install contrib scripts +# --enable-analyzer enable GCC 10 static analyzer + + + arr[1]="TEST 1: standard compilation" arr[2]="TEST 2: compile dbus proxy disabled" arr[3]="TEST 3: compile chroot disabled" 
@@ -18,7 +28,9 @@ arr[13]="TEST 13: compile busybox" arr[14]="TEST 14: compile overlayfs disabled" arr[15]="TEST 15: compile private-home disabled" -arr[15]="TEST 16: compile disable manpages" +arr[16]="TEST 16: compile disable manpages" +arr[17]="TEST 17: disable tmpfs as regular user" +arr[18]="TEST 18: disable private home" # remove previous reports and output file cleanup() { @@ -334,6 +346,40 @@ rm output-configure output-make #***************************************************************** +# TEST 17 +#***************************************************************** +# - disable tmpfs as regular user" +#***************************************************************** +print_title "${arr[17]}" +cd firejail +make distclean +./configure --prefix=/usr --disable-usertmpfs --enable-fatal-warnings 2>&1 | tee ../output-configure +make -j4 2>&1 | tee ../output-make +cd .. +grep Warning output-configure output-make > ./report-test17 +grep Error output-configure output-make >> ./report-test17 +cp output-configure oc17 +cp output-make om17 +rm output-configure output-make + +#***************************************************************** +# TEST 18 +#***************************************************************** +# - disable private home feature +#***************************************************************** +print_title "${arr[18]}" +cd firejail +make distclean +./configure --prefix=/usr --disable-private-home --enable-fatal-warnings 2>&1 | tee ../output-configure +make -j4 2>&1 | tee ../output-make +cd .. +grep Warning output-configure output-make > ./report-test18 +grep Error output-configure output-make >> ./report-test18 +cp output-configure oc18 +cp output-make om18 +rm output-configure output-make + +#***************************************************************** # PRINT REPORTS #***************************************************************** echo 
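Review bot: TEST 18 configures with `--disable-private-home`, which by its title TEST 15 (`compile private-home disabled`) already exercises, so either the two are redundant or TEST 15 does something else and one title is misleading; TEST 15's body is outside this hunk, so treat this as a question to settle before the list grows further. The banner comment `# - disable tmpfs as regular user"` carries a stray closing quote. As in the existing blocks, `./configure ... 2>&1 | tee ../output-configure` yields tee's exit status, so a failing configure is only caught through the `grep Error` report — worth knowing when reading `report-test17` and `report-test18`.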
@@ -363,3 +409,5 @@ echo ${arr[14]} echo ${arr[15]} echo ${arr[16]} +echo ${arr[17]} +echo ${arr[18]} diff -Nru firejail-0.9.64/test/environment/environment.sh firejail-0.9.64.4/test/environment/environment.sh --- firejail-0.9.64/test/environment/environment.sh 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/test/environment/environment.sh 2021-02-04 15:29:49.000000000 +0000 @@ -70,12 +70,12 @@ ./firejail-in-firejail.exp which aplay 2>/dev/null -if [ "$?" -eq 0 ]; +if [ "$?" -eq 0 ] && [ "$(aplay -l | grep -c "List of PLAYBACK")" -gt 0 ]; then echo "TESTING: sound (test/environment/sound.exp)" ./sound.exp else - echo "TESTING SKIP: aplay not found" + echo "TESTING SKIP: no aplay or sound card found" fi echo "TESTING: nice (test/environment/nice.exp)" diff -Nru firejail-0.9.64/test/fnetfilter/cmdline.exp firejail-0.9.64.4/test/fnetfilter/cmdline.exp --- firejail-0.9.64/test/fnetfilter/cmdline.exp 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.64.4/test/fnetfilter/cmdline.exp 2021-02-04 15:29:49.000000000 +0000 @@ -0,0 +1,37 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2020 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "fnetfilter\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Usage:" +} +after 100 + +send -- "fnetfilter -h\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "Usage:" +} +after 100 + +send -- "fnetfilter -h a b c d\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "Usage:" +} +after 100 + +send -- "fnetfilter a b c d\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "Usage:" +} +after 100 +puts "\nall done\n" diff -Nru firejail-0.9.64/test/fnetfilter/copy.exp firejail-0.9.64.4/test/fnetfilter/copy.exp --- firejail-0.9.64/test/fnetfilter/copy.exp 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.64.4/test/fnetfilter/copy.exp 2021-02-04 15:29:49.000000000 +0000 
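Review bot: In the new cmdline.exp the last three `expect` blocks all report `TESTING ERROR 2` on timeout, so a failure of the `fnetfilter -h a b c d` or `fnetfilter a b c d` invocation is indistinguishable from the `-h` case in the log; number them `TESTING ERROR 3` and `TESTING ERROR 4` so the transcript points at the failing step.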
@@ -0,0 +1,52 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2020 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "rm outfile\r" +after 100 + +send -- "fnetfilter test1.net outfile\r" +after 100 + +send -- "cat outfile\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "*filter" +} +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "test1" +} +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "INPUT -m state --state RELATED,ESTABLISHED" +} +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "disable STUN" +} +after 100 + +send -- "fnetfilter foo outfile\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "cannot open foo" +} +after 100 + +send -- "fnetfilter test1.net outlocked\r" +expect { + timeout {puts "TESTING ERROR 6\n";exit} + "cannot open outlocked" +} +after 100 + +send -- "rm outfile\r" +after 100 + +puts "\nall done\n" diff -Nru firejail-0.9.64/test/fnetfilter/default.exp firejail-0.9.64.4/test/fnetfilter/default.exp --- firejail-0.9.64/test/fnetfilter/default.exp 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.64.4/test/fnetfilter/default.exp 2021-02-04 15:29:49.000000000 +0000 
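Review bot: expect's default pattern style is glob, so `"*filter"` matches the first output chunk ending in `filter` — which can be the echoed `fnetfilter test1.net outfile` command line still in the buffer, not the `*filter` first line of `outfile`; use `-ex "*filter"` to match the literal text. The `cannot open outlocked` check depends on the mode-400 file being unwritable, which does not hold when the suite is run as root (CAP_DAC_OVERRIDE bypasses the mode bits), so that step should be skipped or expected to differ for uid 0. `rm outfile` on the first run prints a harmless "No such file" error; `rm -f outfile` is quieter.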
@@ -0,0 +1,40 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2020 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "rm outfile\r" +after 100 + +send -- "fnetfilter outfile\r" +after 100 + +send -- "cat outfile\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "*filter" +} +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "INPUT -m state --state RELATED,ESTABLISHED" +} +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "disable STUN" +} +after 100 + +send -- "fnetfilter test1.net,33\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "cannot open test1.net,33" +} +after 100 +send -- "rm outfile\r" +after 100 + +puts "\nall done\n" diff -Nru firejail-0.9.64/test/fnetfilter/fnetfilter.sh firejail-0.9.64.4/test/fnetfilter/fnetfilter.sh --- firejail-0.9.64/test/fnetfilter/fnetfilter.sh 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.64.4/test/fnetfilter/fnetfilter.sh 2021-02-04 15:29:49.000000000 +0000 
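Review bot: As in copy.exp, `"*filter"` is a glob pattern here and matches any text ending in `filter` (including the echoed `fnetfilter outfile` command) rather than the literal first line of the generated file; `-ex "*filter"` pins it. The test checks the RELATED,ESTABLISHED accept rule and the STUN comment, but not the policy lines that give the filter its default-deny behaviour; if the built-in default carries the same `:INPUT DROP [0:0]` policy as test1.net, an `expect { timeout {puts "TESTING ERROR ...\n";exit} ":INPUT DROP" }` would catch a regression in the generated policy.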
@@ -0,0 +1,31 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2020 Firejail Authors
+# License GPL v2
+
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+export LC_ALL=C
+
+if [ -f /etc/debian_version ]; then
+ libdir=$(dirname "$(dpkg -L firejail | grep fcopy)")
+ export PATH="$PATH:$libdir"
+fi
+
+export PATH="$PATH:/usr/lib/firejail:/usr/lib64/firejail"
+
+chmod 400 outlocked
+
+echo "TESTING: fnetfilter cmdline (test/fnetfilter/cmdline.exp)"
+./cmdline.exp
+
+echo "TESTING: fnetfilter default (test/fnetfilter/default.exp)"
+./default.exp
+
+echo "TESTING: fnetfilter copy (test/fnetfilter/copy.exp)"
+./copy.exp
+
+echo "TESTING: fnetfilter template (test/fnetfilter/template.exp)"
+./template.exp
+
+rm -f outfile
diff -Nru firejail-0.9.64/test/fnetfilter/template.exp firejail-0.9.64.4/test/fnetfilter/template.exp
--- firejail-0.9.64/test/fnetfilter/template.exp 1970-01-01 00:00:00.000000000 +0000
+++ firejail-0.9.64.4/test/fnetfilter/template.exp 2021-02-04 15:29:49.000000000 +0000
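Review bot: `chmod 400 outlocked` assumes `outlocked` already exists, and nothing in this diff creates it (an empty new file may not show up in the patch, so worth confirming); `touch outlocked && chmod 400 outlocked` makes the runner self-contained. That read-only mode is what copy.exp's `cannot open outlocked` check relies on, and it does not restrict root, so the runner should print a `TESTING SKIP` for that case when `[ "$(id -u)" -eq 0 ]`. On the Debian branch, `libdir` is still computed when `dpkg -L firejail` fails or prints nothing (`dirname ""` yields `.`), so a missing package silently appends `.` to PATH — check the dpkg result, or gate on `command -v fcopy`, before exporting.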
@@ -0,0 +1,82 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2020 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "rm outfile\r" +after 100 + +send -- "fnetfilter test2.net,icmp-type,destination-unreachable,time-exceeded,echo-request,3478,3479 outfile\r" +after 100 + +send -- "cat outfile\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "*filter" +} +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "INPUT -m state --state RELATED,ESTABLISHED" +} +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "icmp-type echo-reply" +} +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "icmp-type destination-unreachable" +} +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "icmp-type time-exceeded" +} +expect { + timeout {puts "TESTING ERROR 6\n";exit} + "icmp-type echo-request" +} +expect { + timeout {puts "TESTING ERROR 7\n";exit} + "dport 3478" +} +expect { + timeout {puts "TESTING ERROR 8\n";exit} + "dport 3479" +} +expect { + timeout {puts "TESTING ERROR 8\n";exit} + "dport 3478" +} +expect { + timeout {puts "TESTING ERROR 10\n";exit} + "dport 3479" +} +after 100 + +send -- "fnetfilter test2.net,icmp-type,destination-unreachable,time-exceeded,echo-request outfile\r" +expect { + timeout {puts "TESTING ERROR 11\n";exit} + "ARG5 on line 14 was not defined" +} +after 100 + +send -- "fnetfilter test2.net,icmp-type,destination-unreachable,time-exceeded,echo-request\r" +expect { + timeout {puts "TESTING ERROR 12\n";exit} + "cannot open test2.net," +} +after 100 + +send -- "fnetfilter test3.net,44 outfile\r" +expect { + timeout {puts "TESTING ERROR 13\n";exit} + "invalid template argument on line 1" +} +after 100 +send -- "rm outfile\r" +after 100 + +puts "\nall done\n" diff -Nru firejail-0.9.64/test/fnetfilter/test1.net firejail-0.9.64.4/test/fnetfilter/test1.net --- firejail-0.9.64/test/fnetfilter/test1.net 1970-01-01 00:00:00.000000000 +0000 +++ 
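Review bot: Two consecutive checks both print `TESTING ERROR 8` (the second is the second `dport 3478` expectation) and none prints `9`, so the log cannot tell the udp rules from the tcp rules when one is missing; renumber the second to `TESTING ERROR 9`. The `ARG5 on line 14 was not defined` expectation hard-codes the line number of the first `$ARG5` use in test2.net; a comment in the fixture noting that template.exp depends on that line would prevent a silent break when the fixture is edited. `"*filter"` is a glob pattern here as well and can match the echoed command line; `-ex "*filter"` makes it literal.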
firejail-0.9.64.4/test/fnetfilter/test1.net 2021-02-04 15:29:49.000000000 +0000 @@ -0,0 +1,18 @@ +*filter +# test1 +:INPUT DROP [0:0] +:FORWARD DROP [0:0] +:OUTPUT ACCEPT [0:0] +-A INPUT -i lo -j ACCEPT +-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT +# echo replay is handled by -m state RELATED/ESTABLISHED above +#-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT +-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT +-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT +-A INPUT -p icmp --icmp-type echo-request -j ACCEPT +# disable STUN +-A OUTPUT -p udp --dport 3478 -j DROP +-A OUTPUT -p udp --dport 3479 -j DROP +-A OUTPUT -p tcp --dport 3478 -j DROP +-A OUTPUT -p tcp --dport 3479 -j DROP +COMMIT diff -Nru firejail-0.9.64/test/fnetfilter/test2.net firejail-0.9.64.4/test/fnetfilter/test2.net --- firejail-0.9.64/test/fnetfilter/test2.net 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.64.4/test/fnetfilter/test2.net 2021-02-04 15:29:49.000000000 +0000 @@ -0,0 +1,18 @@ +*filter +# test2 +:INPUT DROP [0:0] +:FORWARD DROP [0:0] +:OUTPUT ACCEPT [0:0] +-A INPUT -i lo -j ACCEPT +-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT +# echo replay is handled by -m state RELATED/ESTABLISHED above +#-A INPUT -p icmp --$ARG1 echo-reply -j ACCEPT +-A INPUT -p icmp --$ARG1 $ARG2 -j ACCEPT +-A INPUT -p icmp --$ARG1 $ARG3 -j ACCEPT +-A INPUT -p icmp --$ARG1 $ARG4 -j ACCEPT +# disable STUN +-A OUTPUT -p udp --dport $ARG5 -j DROP +-A OUTPUT -p udp --dport $ARG6 -j DROP +-A OUTPUT -p tcp --dport $ARG5 -j DROP +-A OUTPUT -p tcp --dport $ARG6 -j DROP +COMMIT diff -Nru firejail-0.9.64/test/fnetfilter/test3.net firejail-0.9.64.4/test/fnetfilter/test3.net --- firejail-0.9.64/test/fnetfilter/test3.net 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.64.4/test/fnetfilter/test3.net 2021-02-04 15:29:49.000000000 +0000 
@@ -0,0 +1 @@ +asdfasdf $ARG asdfasdfdasf diff -Nru firejail-0.9.64/test/fs/fscheck-tmpfs.exp firejail-0.9.64.4/test/fs/fscheck-tmpfs.exp --- firejail-0.9.64/test/fs/fscheck-tmpfs.exp 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/test/fs/fscheck-tmpfs.exp 2021-02-04 15:29:49.000000000 +0000 @@ -7,12 +7,49 @@ spawn $env(SHELL) match_max 100000 -# .. -send -- "firejail --tmpfs=fscheck-dir\r" +send -- "mkdir -p ~/fjtest-dir/fjtest-dir\r" +after 100 +send -- "mkdir /tmp/fjtest-dir\r" +after 100 + +if { ! [file exists ~/fjtest-dir/fjtest-dir] } { + puts "TESTING ERROR 1\n" + exit +} +if { ! [file exists /tmp/fjtest-dir] } { + puts "TESTING ERROR 2\n" + exit +} + +send -- "firejail --noprofile --tmpfs=~/fjtest-dir\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "Child process initialized" +} +after 500 + +send -- "ls ~/fjtest-dir/fjtest-dir\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "No such file or directory" +} +after 500 + +send -- "exit\r" +after 500 + +send -- "firejail --noprofile --tmpfs=/tmp/fjtest-dir\r" expect { - timeout {puts "TESTING ERROR 0.1\n";exit} + timeout {puts "TESTING ERROR 5\n";exit} "Error" } +after 500 + +# cleanup +send -- "rm -fr ~/fjtest-dir\r" after 100 +send -- "rm -fr /tmp/fjtest-dir\r" +after 100 + puts "\nall done\n" diff -Nru firejail-0.9.64/test/fs/mkdir.exp firejail-0.9.64.4/test/fs/mkdir.exp --- firejail-0.9.64/test/fs/mkdir.exp 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/test/fs/mkdir.exp 2021-02-04 15:29:49.000000000 +0000 @@ -7,11 +7,12 @@ spawn $env(SHELL) match_max 100000 +send -- "rm -fr ~/.firejail_test\r" +after 100 + send -- "firejail --profile=mkdir.profile find ~/.firejail_test\r" expect { timeout {puts "TESTING ERROR 1.1\n";exit} - "Warning: cannot create" { puts "TESTING ERROR 1.2\n";exit} - "No such file or directory" { puts "TESTING ERROR 1.3\n";exit} ".firejail_test/a/b/c/d.txt" } send -- "rm -rf ~/.firejail_test\r" 
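Review bot: The two `file exists` checks run in the expect process 100 ms after the `mkdir` keystrokes were sent, with no synchronization on the shell's output, so on a slow or loaded host they race the shell and report `TESTING ERROR 1`/`2` spuriously; creating the directories from Tcl with `exec mkdir -p ~/fjtest-dir/fjtest-dir` and `exec mkdir -p /tmp/fjtest-dir` removes the race. `/tmp/fjtest-dir` is a fixed, world-visible name: if a stale directory owned by another user is present, `mkdir` fails but `file exists` still passes, and the later `firejail --noprofile --tmpfs=/tmp/fjtest-dir` step only looks for the generic `Error`, so it would pass for the wrong reason. Since this step is the test's security claim — an unprivileged user cannot mount tmpfs outside the home — matching firejail's specific refusal message instead of `Error` would make the check meaningful.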
@@ -20,30 +21,29 @@ send -- "firejail --profile=mkdir.profile find /tmp/.firejail_test\r" expect { timeout {puts "TESTING ERROR 2.1\n";exit} - "Warning: cannot create" { puts "TESTING ERROR 2.2\n";exit} - "No such file or directory" { puts "TESTING ERROR 2.3\n";exit} "/tmp/.firejail_test/a/b/c/d.txt" } send -- "rm -rf /tmp/.firejail_test\r" after 100 set UID [exec id -u] -send -- "firejail --profile=mkdir.profile find /run/user/$UID/.firejail_test\r" -expect { - timeout {puts "TESTING ERROR 3.1\n";exit} - "Warning: cannot create" { puts "TESTING ERROR 3.2\n";exit} - "No such file or directory" { puts "TESTING ERROR 3.3\n";exit} - "/run/user/$UID/.firejail_test/a/b/c/d.txt" +set fexist [file exist /run/user/$UID] +if { $fexist } { + send -- "firejail --profile=mkdir.profile find /run/user/$UID/.firejail_test\r" + expect { + timeout {puts "TESTING ERROR 3.1\n";exit} + "/run/user/$UID/.firejail_test/a/b/c/d.txt" + } + send -- "rm -rf /run/user/$UID/.firejail_test\r" + after 100 + + + send -- "firejail --profile=mkdir2.profile\r" + expect { + timeout {puts "TESTING ERROR 4\n";exit} + "only files or directories in user home, /tmp, or /run/user/" + } + after 100 } -send -- "rm -rf /run/user/$UID/.firejail_test\r" -after 100 - - -send -- "firejail --profile=mkdir2.profile\r" -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "only files or directories in user home, /tmp, or /run/user/" -} -after 100 puts "\nall done\n" diff -Nru firejail-0.9.64/test/fs/private-cache.exp firejail-0.9.64.4/test/fs/private-cache.exp --- firejail-0.9.64/test/fs/private-cache.exp 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/test/fs/private-cache.exp 2021-02-04 15:29:49.000000000 +0000 
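Review bot: The mkdir2.profile check (expecting `only files or directories in user home, /tmp, or /run/user/`) is now nested inside `if { $fexist }`, so it is skipped entirely on hosts without `/run/user/$UID` even though the rejected path is supposed to lie outside all three allowed roots and does not need that directory; move the `firejail --profile=mkdir2.profile` block after the closing brace so the negative test always runs. That is the one check proving `mkdir` cannot be used to create directories elsewhere, so losing it on such hosts matters. A `puts "TESTING SKIP: no /run/user/$UID\n"` in an `else` arm would also make the skipped positive test visible in the log.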
@@ -7,16 +7,17 @@ spawn $env(SHELL) match_max 100000 -if {[file exists ~/.cache]} { - puts "found .cache directory\n" -} else { - send -- "mkdir --mode=755 ~/.cache\r" -} +send -- "mkdir --mode=700 ~/.cache\r" after 100 send -- "touch ~/.cache/abcdefg\r" after 100 +if { ! [file exists ~/.cache/abcdefg] } { + puts "TESTING ERROR 0\n" + exit +} + send -- "firejail --noprofile --private-cache\r" expect { timeout {puts "TESTING ERROR 1\n";exit} @@ -34,23 +35,8 @@ send -- "exit\r" sleep 1 -send -- "rm -v ~/.cache/abcdefg\r" -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "removed" -} +# cleanup +send -- "rm ~/.cache/abcdefg\r" after 100 -# redo the test with --private - -send -- "firejail --noprofile --private --private-cache\r" -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "Warning" -} -sleep 1 - -send -- "exit\r" -sleep 1 - puts "\nall done\n" diff -Nru firejail-0.9.64/test/Makefile.in firejail-0.9.64.4/test/Makefile.in --- firejail-0.9.64/test/Makefile.in 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.64.4/test/Makefile.in 2021-02-04 15:29:49.000000000 +0000 @@ -0,0 +1,13 @@ +TESTS=$(patsubst %/,%,$(wildcard */)) + +.PHONY: $(TESTS) + +$(TESTS): + cd $@ && ./$@.sh 2>&1 | tee $@.log + cd $@ && grep -a TESTING $@.log && grep -a -L "TESTING ERROR" $@.log + +clean: + for test in $(TESTS); do rm -f "$$test/$$test.log"; done + +distclean: clean + rm -f Makefile diff -Nru firejail-0.9.64/test/private-lib/atril.exp firejail-0.9.64.4/test/private-lib/atril.exp --- firejail-0.9.64/test/private-lib/atril.exp 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.64.4/test/private-lib/atril.exp 2021-02-04 15:29:49.000000000 +0000 
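Review bot: The pass/fail verdict in the `$(TESTS)` recipe rests on the exit status of `grep -a -L "TESTING ERROR" $@.log`, and the meaning of `-L`'s exit status differs between GNU grep releases (it was inverted for a few versions around 3.2–3.4 and restored in 3.5), so the same log can be reported as success on one machine and as failure on another; `! grep -a -q "TESTING ERROR" $@.log` states the intent unambiguously. `grep -a TESTING $@.log` also fails the target when a test script prints nothing at all, which may be intended but deserves a one-line comment. The `| tee $@.log` on the first recipe line masks the script's own exit status, so the grep line is the only verdict — worth saying in a comment so nobody "fixes" it by adding `set -o pipefail`.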
@@ -0,0 +1,83 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2020 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail atril\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Reading profile /etc/firejail/atril.profile" +} +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Child process initialized" +} +sleep 3 + +spawn $env(SHELL) +send -- "firejail --list\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + ":firejail" +} +expect { + timeout {puts "TESTING ERROR 3.1\n";exit} + "atril" +} +after 100 + +# grsecurity exit +send -- "file /proc/sys/kernel/grsecurity\r" +expect { + timeout {puts "TESTING ERROR - grsecurity detection\n";exit} + "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} + "cannot open" {puts "grsecurity not present\n"} +} + +send -- "firejail --name=blablabla\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Child process initialized" +} +sleep 2 + +spawn $env(SHELL) +send -- "firemon --seccomp\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit} + ":firejail atril" +} +expect { + timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} + "Seccomp: 2" +} +expect { + timeout {puts "TESTING ERROR 5.1\n";exit} + "name=blablabla" +} +after 100 +send -- "firemon --caps\r" +expect { + timeout {puts "TESTING ERROR 6\n";exit} + ":firejail atril" +} +expect { + timeout {puts "TESTING ERROR 6.1\n";exit} + "CapBnd:" +} +expect { + timeout {puts "TESTING ERROR 6.2\n";exit} + "0000000000000000" +} +expect { + timeout {puts "TESTING ERROR 6.3\n";exit} + "name=blablabla" +} +after 100 + +puts "\nall done\n" diff -Nru firejail-0.9.64/test/private-lib/dig.exp firejail-0.9.64.4/test/private-lib/dig.exp --- firejail-0.9.64/test/private-lib/dig.exp 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.64.4/test/private-lib/dig.exp 2021-02-04 
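Review bot: The script spawns three shells and starts two sandboxes (`firejail atril` and `firejail --name=blablabla`) but never exits any of them, so they outlive the test and show up in the `firejail --list` / `firemon` output of every later script in the suite — exactly the output these checks match on. Ending with `send -- "firejail --shutdown=blablabla\r"` plus a shutdown of the atril sandbox (its PID is in the `--list` output) keeps the environment clean. When atril is not installed the run ends as `TESTING ERROR 1` instead of a skip; an explicit branch on the first expect matching firejail's "no suitable ... executable" error with a `TESTING SKIP` message would be more informative.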
15:29:49.000000000 +0000 @@ -0,0 +1,17 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2020 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail dig 1.1.1.1\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Query time" +} + +after 100 +puts "\nall done\n" diff -Nru firejail-0.9.64/test/private-lib/eog.exp firejail-0.9.64.4/test/private-lib/eog.exp --- firejail-0.9.64/test/private-lib/eog.exp 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.64.4/test/private-lib/eog.exp 2021-02-04 15:29:49.000000000 +0000 
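Review bot: `firejail dig 1.1.1.1` needs DNS egress; with no network the query presumably ends in dig's `;; connection timed out; no servers could be reached`, `Query time` never appears and the script reports `TESTING ERROR 0` rather than a skip, so an offline CI run looks like a sandbox regression. Add `";; connection timed out" {puts "TESTING SKIP: no network\n"; exit}` to the expect block, or gate the script behind a reachability check in the runner. Unlike the other private-lib scripts, nothing here confirms dig actually ran inside the sandbox — no `Reading profile` or `Child process initialized` expectation.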
@@ -0,0 +1,83 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2020 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail eog\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Reading profile /etc/firejail/eog.profile" +} +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Child process initialized" +} +sleep 3 + +spawn $env(SHELL) +send -- "firejail --list\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + ":firejail" +} +expect { + timeout {puts "TESTING ERROR 3.1\n";exit} + "eog" +} +after 100 + +# grsecurity exit +send -- "file /proc/sys/kernel/grsecurity\r" +expect { + timeout {puts "TESTING ERROR - grsecurity detection\n";exit} + "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} + "cannot open" {puts "grsecurity not present\n"} +} + +send -- "firejail --name=blablabla\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Child process initialized" +} +sleep 2 + +spawn $env(SHELL) +send -- "firemon --seccomp\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit} + ":firejail eog" +} +expect { + timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} + "Seccomp: 2" +} +expect { + timeout {puts "TESTING ERROR 5.1\n";exit} + "name=blablabla" +} +after 100 +send -- "firemon --caps\r" +expect { + timeout {puts "TESTING ERROR 6\n";exit} + ":firejail eog" +} +expect { + timeout {puts "TESTING ERROR 6.1\n";exit} + "CapBnd:" +} +expect { + timeout {puts "TESTING ERROR 6.2\n";exit} + "0000000000000000" +} +expect { + timeout {puts "TESTING ERROR 6.3\n";exit} + "name=blablabla" +} +after 100 + +puts "\nall done\n" diff -Nru firejail-0.9.64/test/private-lib/eom.exp firejail-0.9.64.4/test/private-lib/eom.exp --- firejail-0.9.64/test/private-lib/eom.exp 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.64.4/test/private-lib/eom.exp 2021-02-04 15:29:49.000000000 +0000 
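Review bot: This file is a copy of atril.exp with the program name substituted, as are the other private-lib scripts in this commit, which is how gnome-nettool.exp already drifted (its seccomp block is commented out); an expect helper taking the program as an argument (`source private-lib-common.exp` with `set prog eog`, or `./check.exp eog`) would keep the checks in one place. The `"eog"` match after `firejail --list` is a bare substring that any other listed command containing `eog` would satisfy; `":firejail eog"` is the form the later firemon checks already use. The sandboxes started here are never shut down, so they remain visible to later tests.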
@@ -0,0 +1,83 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2020 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail eom\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Reading profile /etc/firejail/eom.profile" +} +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Child process initialized" +} +sleep 3 + +spawn $env(SHELL) +send -- "firejail --list\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + ":firejail" +} +expect { + timeout {puts "TESTING ERROR 3.1\n";exit} + "eom" +} +after 100 + +# grsecurity exit +send -- "file /proc/sys/kernel/grsecurity\r" +expect { + timeout {puts "TESTING ERROR - grsecurity detection\n";exit} + "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} + "cannot open" {puts "grsecurity not present\n"} +} + +send -- "firejail --name=blablabla\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Child process initialized" +} +sleep 2 + +spawn $env(SHELL) +send -- "firemon --seccomp\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit} + ":firejail eom" +} +expect { + timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} + "Seccomp: 2" +} +expect { + timeout {puts "TESTING ERROR 5.1\n";exit} + "name=blablabla" +} +after 100 +send -- "firemon --caps\r" +expect { + timeout {puts "TESTING ERROR 6\n";exit} + ":firejail eom" +} +expect { + timeout {puts "TESTING ERROR 6.1\n";exit} + "CapBnd:" +} +expect { + timeout {puts "TESTING ERROR 6.2\n";exit} + "0000000000000000" +} +expect { + timeout {puts "TESTING ERROR 6.3\n";exit} + "name=blablabla" +} +after 100 + +puts "\nall done\n" diff -Nru firejail-0.9.64/test/private-lib/evince.exp firejail-0.9.64.4/test/private-lib/evince.exp --- firejail-0.9.64/test/private-lib/evince.exp 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.64.4/test/private-lib/evince.exp 2021-02-04 
15:29:49.000000000 +0000 
@@ -0,0 +1,83 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2020 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail evince\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Reading profile /etc/firejail/evince.profile" +} +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Child process initialized" +} +sleep 3 + +spawn $env(SHELL) +send -- "firejail --list\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + ":firejail" +} +expect { + timeout {puts "TESTING ERROR 3.1\n";exit} + "evince" +} +after 100 + +# grsecurity exit +send -- "file /proc/sys/kernel/grsecurity\r" +expect { + timeout {puts "TESTING ERROR - grsecurity detection\n";exit} + "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} + "cannot open" {puts "grsecurity not present\n"} +} + +send -- "firejail --name=blablabla\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Child process initialized" +} +sleep 2 + +spawn $env(SHELL) +send -- "firemon --seccomp\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit} + ":firejail evince" +} +expect { + timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} + "Seccomp: 2" +} +expect { + timeout {puts "TESTING ERROR 5.1\n";exit} + "name=blablabla" +} +after 100 +send -- "firemon --caps\r" +expect { + timeout {puts "TESTING ERROR 6\n";exit} + ":firejail evince" +} +expect { + timeout {puts "TESTING ERROR 6.1\n";exit} + "CapBnd:" +} +expect { + timeout {puts "TESTING ERROR 6.2\n";exit} + "0000000000000000" +} +expect { + timeout {puts "TESTING ERROR 6.3\n";exit} + "name=blablabla" +} +after 100 + +puts "\nall done\n" diff -Nru firejail-0.9.64/test/private-lib/galculator.exp firejail-0.9.64.4/test/private-lib/galculator.exp --- firejail-0.9.64/test/private-lib/galculator.exp 1970-01-01 00:00:00.000000000 +0000 +++ 
firejail-0.9.64.4/test/private-lib/galculator.exp 2021-02-04 15:29:49.000000000 +0000 
@@ -0,0 +1,83 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2020 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail galculator\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Reading profile /etc/firejail/galculator.profile" +} +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Child process initialized" +} +sleep 3 + +spawn $env(SHELL) +send -- "firejail --list\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + ":firejail" +} +expect { + timeout {puts "TESTING ERROR 3.1\n";exit} + "galculator" +} +after 100 + +# grsecurity exit +send -- "file /proc/sys/kernel/grsecurity\r" +expect { + timeout {puts "TESTING ERROR - grsecurity detection\n";exit} + "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} + "cannot open" {puts "grsecurity not present\n"} +} + +send -- "firejail --name=blablabla\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Child process initialized" +} +sleep 2 + +spawn $env(SHELL) +send -- "firemon --seccomp\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit} + ":firejail galculator" +} +expect { + timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} + "Seccomp: 2" +} +expect { + timeout {puts "TESTING ERROR 5.1\n";exit} + "name=blablabla" +} +after 100 +send -- "firemon --caps\r" +expect { + timeout {puts "TESTING ERROR 6\n";exit} + ":firejail galculator" +} +expect { + timeout {puts "TESTING ERROR 6.1\n";exit} + "CapBnd:" +} +expect { + timeout {puts "TESTING ERROR 6.2\n";exit} + "0000000000000000" +} +expect { + timeout {puts "TESTING ERROR 6.3\n";exit} + "name=blablabla" +} +after 100 + +puts "\nall done\n" diff -Nru firejail-0.9.64/test/private-lib/gedit.exp firejail-0.9.64.4/test/private-lib/gedit.exp --- firejail-0.9.64/test/private-lib/gedit.exp 1970-01-01 00:00:00.000000000 +0000 +++ 
firejail-0.9.64.4/test/private-lib/gedit.exp 2021-02-04 15:29:49.000000000 +0000 
@@ -0,0 +1,83 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2020 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail /usr/bin/gedit\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Reading profile /etc/firejail/gedit.profile" +} +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Child process initialized" +} +sleep 3 + +spawn $env(SHELL) +send -- "firejail --list\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + ":firejail" +} +expect { + timeout {puts "TESTING ERROR 3.1\n";exit} + "gedit" +} +after 100 + +# grsecurity exit +send -- "file /proc/sys/kernel/grsecurity\r" +expect { + timeout {puts "TESTING ERROR - grsecurity detection\n";exit} + "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} + "cannot open" {puts "grsecurity not present\n"} +} + +send -- "firejail --name=blablabla\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Child process initialized" +} +sleep 2 + +spawn $env(SHELL) +send -- "firemon --seccomp\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit} + ":firejail /usr/bin/gedit" +} +expect { + timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} + "Seccomp: 2" +} +expect { + timeout {puts "TESTING ERROR 5.1\n";exit} + "name=blablabla" +} +after 100 +send -- "firemon --caps\r" +expect { + timeout {puts "TESTING ERROR 6\n";exit} + ":firejail /usr/bin/gedit" +} +expect { + timeout {puts "TESTING ERROR 6.1\n";exit} + "CapBnd:" +} +expect { + timeout {puts "TESTING ERROR 6.2\n";exit} + "0000000000000000" +} +expect { + timeout {puts "TESTING ERROR 6.3\n";exit} + "name=blablabla" +} +after 100 + +puts "\nall done\n" diff -Nru firejail-0.9.64/test/private-lib/gnome-calculator.exp firejail-0.9.64.4/test/private-lib/gnome-calculator.exp --- firejail-0.9.64/test/private-lib/gnome-calculator.exp 1970-01-01 00:00:00.000000000 +0000 +++ 
firejail-0.9.64.4/test/private-lib/gnome-calculator.exp 2021-02-04 15:29:49.000000000 +0000 
@@ -0,0 +1,85 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2020 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +# gnome-calculator uses quiet at the top of the profile +# we need to use --ignore +send -- "firejail --ignore=quiet gnome-calculator\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Reading profile /etc/firejail/gnome-calculator.profile" +} +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Child process initialized" +} +sleep 3 + +spawn $env(SHELL) +send -- "firejail --list\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + ":firejail" +} +expect { + timeout {puts "TESTING ERROR 3.1\n";exit} + "gnome-calculator" +} +after 100 + +# grsecurity exit +send -- "file /proc/sys/kernel/grsecurity\r" +expect { + timeout {puts "TESTING ERROR - grsecurity detection\n";exit} + "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} + "cannot open" {puts "grsecurity not present\n"} +} + +send -- "firejail --name=blablabla\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Child process initialized" +} +sleep 2 + +spawn $env(SHELL) +send -- "firemon --seccomp\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit} + ":firejail --ignore=quiet gnome-calculator" +} +expect { + timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} + "Seccomp: 2" +} +expect { + timeout {puts "TESTING ERROR 5.1\n";exit} + "name=blablabla" +} +after 100 +send -- "firemon --caps\r" +expect { + timeout {puts "TESTING ERROR 6\n";exit} + ":firejail --ignore=quiet gnome-calculator" +} +expect { + timeout {puts "TESTING ERROR 6.1\n";exit} + "CapBnd:" +} +expect { + timeout {puts "TESTING ERROR 6.2\n";exit} + "0000000000000000" +} +expect { + timeout {puts "TESTING ERROR 6.3\n";exit} + "name=blablabla" +} +after 100 + +puts "\nall done\n" diff -Nru firejail-0.9.64/test/private-lib/gnome-logs.exp 
firejail-0.9.64.4/test/private-lib/gnome-logs.exp --- firejail-0.9.64/test/private-lib/gnome-logs.exp 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.64.4/test/private-lib/gnome-logs.exp 2021-02-04 15:29:49.000000000 +0000 
@@ -0,0 +1,83 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2020 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail gnome-logs\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Reading profile /etc/firejail/gnome-logs.profile" +} +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Child process initialized" +} +sleep 3 + +spawn $env(SHELL) +send -- "firejail --list\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + ":firejail" +} +expect { + timeout {puts "TESTING ERROR 3.1\n";exit} + "gnome-logs" +} +after 100 + +# grsecurity exit +send -- "file /proc/sys/kernel/grsecurity\r" +expect { + timeout {puts "TESTING ERROR - grsecurity detection\n";exit} + "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} + "cannot open" {puts "grsecurity not present\n"} +} + +send -- "firejail --name=blablabla\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Child process initialized" +} +sleep 2 + +spawn $env(SHELL) +send -- "firemon --seccomp\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit} + ":firejail gnome-logs" +} +expect { + timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} + "Seccomp: 2" +} +expect { + timeout {puts "TESTING ERROR 5.1\n";exit} + "name=blablabla" +} +after 100 +send -- "firemon --caps\r" +expect { + timeout {puts "TESTING ERROR 6\n";exit} + ":firejail gnome-logs" +} +expect { + timeout {puts "TESTING ERROR 6.1\n";exit} + "CapBnd:" +} +expect { + timeout {puts "TESTING ERROR 6.2\n";exit} + "0000000000000000" +} +expect { + timeout {puts "TESTING ERROR 6.3\n";exit} + "name=blablabla" +} +after 100 + +puts "\nall done\n" diff -Nru firejail-0.9.64/test/private-lib/gnome-nettool.exp firejail-0.9.64.4/test/private-lib/gnome-nettool.exp --- firejail-0.9.64/test/private-lib/gnome-nettool.exp 1970-01-01 00:00:00.000000000 +0000 +++ 
firejail-0.9.64.4/test/private-lib/gnome-nettool.exp 2021-02-04 15:29:49.000000000 +0000 
@@ -0,0 +1,84 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2020 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail gnome-nettool\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Reading profile /etc/firejail/gnome-nettool.profile" +} +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Child process initialized" +} +sleep 3 + +spawn $env(SHELL) +send -- "firejail --list\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + ":firejail" +} +expect { + timeout {puts "TESTING ERROR 3.1\n";exit} + "gnome-nettool" +} +after 100 + +# grsecurity exit +send -- "file /proc/sys/kernel/grsecurity\r" +expect { + timeout {puts "TESTING ERROR - grsecurity detection\n";exit} + "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} + "cannot open" {puts "grsecurity not present\n"} +} + +send -- "firejail --name=blablabla\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Child process initialized" +} +sleep 2 + +spawn $env(SHELL) +#seccomp is not configured +#send -- "firemon --seccomp\r" +#expect { +# timeout {puts "TESTING ERROR 5\n";exit} +# "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit} +# ":firejail gnome-nettool" +#} +#expect { +# timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} +# "Seccomp: 2" +#} +#expect { +# timeout {puts "TESTING ERROR 5.1\n";exit} +# "name=blablabla" +#} +#after 100 +send -- "firemon --caps\r" +expect { + timeout {puts "TESTING ERROR 6\n";exit} + ":firejail gnome-nettool" +} +expect { + timeout {puts "TESTING ERROR 6.1\n";exit} + "CapBnd:" +} +expect { + timeout {puts "TESTING ERROR 6.2\n";exit} + "0000000000002000" +} +expect { + timeout {puts "TESTING ERROR 6.3\n";exit} + "name=blablabla" +} +after 100 + +puts "\nall done\n" diff -Nru firejail-0.9.64/test/private-lib/gnome-system-log.exp firejail-0.9.64.4/test/private-lib/gnome-system-log.exp --- 
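Review bot: The `firemon --caps` check pins `CapBnd: 0000000000002000`, a single retained capability (bit 13, CAP_NET_RAW if the profile keeps it for ping/traceroute — to be confirmed against gnome-nettool.profile), but nothing in the file says why this program is the one exception to the all-zero bounding set the sibling scripts assert; a comment such as `# gnome-nettool keeps CAP_NET_RAW (0x2000) for ping/traceroute` would make the expectation auditable. The commented-out seccomp block silently removes coverage; if the profile intentionally has no seccomp filter, state it (`# profile has no seccomp; firemon --seccomp is not checked`) rather than leaving dead code, and if it is a temporary gap, a TODO with the reason.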
firejail-0.9.64/test/private-lib/gnome-system-log.exp 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.64.4/test/private-lib/gnome-system-log.exp 2021-02-04 15:29:49.000000000 +0000 
@@ -0,0 +1,83 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2020 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail gnome-system-log\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "Reading profile /etc/firejail/gnome-system-log.profile"
+}
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "Child process initialized"
+}
+sleep 3
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ ":firejail"
+}
+expect {
+ timeout {puts "TESTING ERROR 3.1\n";exit}
+ "gnome-system-log"
+}
+after 100
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+ timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+ "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+ "cannot open" {puts "grsecurity not present\n"}
+}
+
+send -- "firejail --name=blablabla\r"
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ "Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
+ ":firejail gnome-system-log"
+}
+expect {
+ timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+ "Seccomp: 2"
+}
+expect {
+ timeout {puts "TESTING ERROR 5.1\n";exit}
+ "name=blablabla"
+}
+after 100
+send -- "firemon --caps\r"
+expect {
+ timeout {puts "TESTING ERROR 6\n";exit}
+ ":firejail gnome-system-log"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.1\n";exit}
+ "CapBnd:"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.2\n";exit}
+ "0000000000000000"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.3\n";exit}
+ "name=blablabla"
+}
+after 100
+
+puts "\nall done\n"
diff -Nru firejail-0.9.64/test/private-lib/gpicview.exp firejail-0.9.64.4/test/private-lib/gpicview.exp
--- firejail-0.9.64/test/private-lib/gpicview.exp 1970-01-01 00:00:00.000000000 +0000
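Review bot: The two expects that follow `firemon --seccomp` both print `TESTING ERROR 5.1` on timeout (one tagged `(seccomp)`, the other not), so in a test log a missing `Seccomp: 2` line is hard to tell apart from a missing `name=blablabla` line; the second arm should read `timeout {puts "TESTING ERROR 5.2\n";exit}`. The same duplicated label is in gpicview.exp, leafpad.exp, mousepad.exp, pavucontrol.exp, pluma.exp, transmission-gtk.exp and xcalc.exp in this patch. As a matter of style, these eight scripts differ only in the application name and the expected CapBnd value, so one script taking the name from `$argv`, invoked by the loop in private-lib.sh, would keep future fixes like this one in a single place.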
+++ firejail-0.9.64.4/test/private-lib/gpicview.exp 2021-02-04 15:29:49.000000000 +0000 
@@ -0,0 +1,83 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2020 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail gpicview\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "Reading profile /etc/firejail/gpicview.profile"
+}
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "Child process initialized"
+}
+sleep 3
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ ":firejail"
+}
+expect {
+ timeout {puts "TESTING ERROR 3.1\n";exit}
+ "gpicview"
+}
+after 100
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+ timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+ "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+ "cannot open" {puts "grsecurity not present\n"}
+}
+
+send -- "firejail --name=blablabla\r"
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ "Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
+ ":firejail gpicview"
+}
+expect {
+ timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+ "Seccomp: 2"
+}
+expect {
+ timeout {puts "TESTING ERROR 5.1\n";exit}
+ "name=blablabla"
+}
+after 100
+send -- "firemon --caps\r"
+expect {
+ timeout {puts "TESTING ERROR 6\n";exit}
+ ":firejail gpicview"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.1\n";exit}
+ "CapBnd:"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.2\n";exit}
+ "0000000000000000"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.3\n";exit}
+ "name=blablabla"
+}
+after 100
+
+puts "\nall done\n"
diff -Nru firejail-0.9.64/test/private-lib/leafpad.exp firejail-0.9.64.4/test/private-lib/leafpad.exp
--- firejail-0.9.64/test/private-lib/leafpad.exp 1970-01-01 00:00:00.000000000 +0000
+++
firejail-0.9.64.4/test/private-lib/leafpad.exp 2021-02-04 15:29:49.000000000 +0000 
@@ -0,0 +1,83 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2020 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail leafpad\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "Reading profile /etc/firejail/leafpad.profile"
+}
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "Child process initialized"
+}
+sleep 3
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ ":firejail"
+}
+expect {
+ timeout {puts "TESTING ERROR 3.1\n";exit}
+ "leafpad"
+}
+after 100
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+ timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+ "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+ "cannot open" {puts "grsecurity not present\n"}
+}
+
+send -- "firejail --name=blablabla\r"
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ "Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
+ ":firejail leafpad"
+}
+expect {
+ timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+ "Seccomp: 2"
+}
+expect {
+ timeout {puts "TESTING ERROR 5.1\n";exit}
+ "name=blablabla"
+}
+after 100
+send -- "firemon --caps\r"
+expect {
+ timeout {puts "TESTING ERROR 6\n";exit}
+ ":firejail leafpad"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.1\n";exit}
+ "CapBnd:"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.2\n";exit}
+ "0000000000000000"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.3\n";exit}
+ "name=blablabla"
+}
+after 100
+
+puts "\nall done\n"
diff -Nru firejail-0.9.64/test/private-lib/mousepad.exp firejail-0.9.64.4/test/private-lib/mousepad.exp
--- firejail-0.9.64/test/private-lib/mousepad.exp 1970-01-01 00:00:00.000000000 +0000
+++
firejail-0.9.64.4/test/private-lib/mousepad.exp 2021-02-04 15:29:49.000000000 +0000 
@@ -0,0 +1,83 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2020 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail mousepad\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "Reading profile /etc/firejail/mousepad.profile"
+}
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "Child process initialized"
+}
+sleep 3
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ ":firejail"
+}
+expect {
+ timeout {puts "TESTING ERROR 3.1\n";exit}
+ "mousepad"
+}
+after 100
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+ timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+ "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+ "cannot open" {puts "grsecurity not present\n"}
+}
+
+send -- "firejail --name=blablabla\r"
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ "Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
+ ":firejail mousepad"
+}
+expect {
+ timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+ "Seccomp: 2"
+}
+expect {
+ timeout {puts "TESTING ERROR 5.1\n";exit}
+ "name=blablabla"
+}
+after 100
+send -- "firemon --caps\r"
+expect {
+ timeout {puts "TESTING ERROR 6\n";exit}
+ ":firejail mousepad"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.1\n";exit}
+ "CapBnd:"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.2\n";exit}
+ "0000000000000000"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.3\n";exit}
+ "name=blablabla"
+}
+after 100
+
+puts "\nall done\n"
diff -Nru firejail-0.9.64/test/private-lib/pavucontrol.exp firejail-0.9.64.4/test/private-lib/pavucontrol.exp
--- firejail-0.9.64/test/private-lib/pavucontrol.exp 1970-01-01 00:00:00.000000000 +0000
+++
firejail-0.9.64.4/test/private-lib/pavucontrol.exp 2021-02-04 15:29:49.000000000 +0000 
@@ -0,0 +1,83 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2020 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail pavucontrol\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "Reading profile /etc/firejail/pavucontrol.profile"
+}
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "Child process initialized"
+}
+sleep 3
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ ":firejail"
+}
+expect {
+ timeout {puts "TESTING ERROR 3.1\n";exit}
+ "pavucontrol"
+}
+after 100
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+ timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+ "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+ "cannot open" {puts "grsecurity not present\n"}
+}
+
+send -- "firejail --name=blablabla\r"
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ "Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
+ ":firejail pavucontrol"
+}
+expect {
+ timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+ "Seccomp: 2"
+}
+expect {
+ timeout {puts "TESTING ERROR 5.1\n";exit}
+ "name=blablabla"
+}
+after 100
+send -- "firemon --caps\r"
+expect {
+ timeout {puts "TESTING ERROR 6\n";exit}
+ ":firejail pavucontrol"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.1\n";exit}
+ "CapBnd:"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.2\n";exit}
+ "0000000000000000"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.3\n";exit}
+ "name=blablabla"
+}
+after 100
+
+puts "\nall done\n"
diff -Nru firejail-0.9.64/test/private-lib/pluma.exp firejail-0.9.64.4/test/private-lib/pluma.exp
--- firejail-0.9.64/test/private-lib/pluma.exp 1970-01-01 00:00:00.000000000 +0000
+++
firejail-0.9.64.4/test/private-lib/pluma.exp 2021-02-04 15:29:49.000000000 +0000 
@@ -0,0 +1,83 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2020 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail pluma\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "Reading profile /etc/firejail/pluma.profile"
+}
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "Child process initialized"
+}
+sleep 3
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ ":firejail"
+}
+expect {
+ timeout {puts "TESTING ERROR 3.1\n";exit}
+ "pluma"
+}
+after 100
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+ timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+ "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+ "cannot open" {puts "grsecurity not present\n"}
+}
+
+send -- "firejail --name=blablabla\r"
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ "Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
+ ":firejail pluma"
+}
+expect {
+ timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+ "Seccomp: 2"
+}
+expect {
+ timeout {puts "TESTING ERROR 5.1\n";exit}
+ "name=blablabla"
+}
+after 100
+send -- "firemon --caps\r"
+expect {
+ timeout {puts "TESTING ERROR 6\n";exit}
+ ":firejail pluma"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.1\n";exit}
+ "CapBnd:"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.2\n";exit}
+ "0000000000000000"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.3\n";exit}
+ "name=blablabla"
+}
+after 100
+
+puts "\nall done\n"
diff -Nru firejail-0.9.64/test/private-lib/private-lib.sh firejail-0.9.64.4/test/private-lib/private-lib.sh
--- firejail-0.9.64/test/private-lib/private-lib.sh 1970-01-01 00:00:00.000000000 +0000
+++
firejail-0.9.64.4/test/private-lib/private-lib.sh 2021-02-04 15:29:49.000000000 +0000
@@ -0,0 +1,22 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2020 Firejail Authors
+# License GPL v2
+
+export MALLOC_CHECK_=3g
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+export LC_ALL=C
+
+LIST="gnome-logs gnome-system-log gnome-nettool pavucontrol dig evince whois galculator gnome-calculator gedit leafpad mousepad pluma transmission-gtk xcalc atril gpicview eom eog"
+
+
+for app in $LIST; do
+ which $app 2>/dev/null
+ if [ "$?" -eq 0 ];
+ then
+ echo "TESTING: private-lib $app"
+ ./$app.exp
+ else
+ echo "TESTING SKIP: $app not found"
+ fi
+done
diff -Nru firejail-0.9.64/test/private-lib/transmission-gtk.exp firejail-0.9.64.4/test/private-lib/transmission-gtk.exp
--- firejail-0.9.64/test/private-lib/transmission-gtk.exp 1970-01-01 00:00:00.000000000 +0000
+++ firejail-0.9.64.4/test/private-lib/transmission-gtk.exp 2021-02-04 15:29:49.000000000 +0000
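Review bot: `which $app 2>/dev/null` prints the resolved path to stdout on every hit, so the test log gets a stray `/usr/bin/...` line before each `TESTING:` line, and testing `$?` on the following line is the fragile form of an `if` on the command itself. The three lines `which $app 2>/dev/null` / `if [ "$?" -eq 0 ];` / `then` collapse to `if command -v "$app" >/dev/null 2>&1; then`, which is also the portable spelling (`which` is not POSIX and its exit status varies between implementations). The `./$app.exp` invocation should be quoted for the same reason the other expansions are, `"./$app.exp"`, even though the names in `LIST` currently contain no whitespace.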
@@ -0,0 +1,83 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2020 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --ignore=quiet transmission-gtk\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "Reading profile /etc/firejail/transmission-gtk.profile"
+}
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "Child process initialized"
+}
+sleep 3
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ ":firejail"
+}
+expect {
+ timeout {puts "TESTING ERROR 3.1\n";exit}
+ "transmission-gtk"
+}
+after 100
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+ timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+ "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+ "cannot open" {puts "grsecurity not present\n"}
+}
+
+send -- "firejail --name=blablabla\r"
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ "Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
+ ":firejail --ignore=quiet transmission-gtk"
+}
+expect {
+ timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+ "Seccomp: 2"
+}
+expect {
+ timeout {puts "TESTING ERROR 5.1\n";exit}
+ "name=blablabla"
+}
+after 100
+send -- "firemon --caps\r"
+expect {
+ timeout {puts "TESTING ERROR 6\n";exit}
+ ":firejail --ignore=quiet transmission-gtk"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.1\n";exit}
+ "CapBnd:"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.2\n";exit}
+ "0000000000000000"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.3\n";exit}
+ "name=blablabla"
+}
+after 100
+
+puts "\nall done\n"
diff -Nru firejail-0.9.64/test/private-lib/whois.exp firejail-0.9.64.4/test/private-lib/whois.exp
--- firejail-0.9.64/test/private-lib/whois.exp
1970-01-01 00:00:00.000000000 +0000
+++ firejail-0.9.64.4/test/private-lib/whois.exp 2021-02-04 15:29:49.000000000 +0000
@@ -0,0 +1,17 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2020 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail whois debian.org\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "Domain Name"
+}
+
+after 100
+puts "\nall done\n"
diff -Nru firejail-0.9.64/test/private-lib/xcalc.exp firejail-0.9.64.4/test/private-lib/xcalc.exp
--- firejail-0.9.64/test/private-lib/xcalc.exp 1970-01-01 00:00:00.000000000 +0000
+++ firejail-0.9.64.4/test/private-lib/xcalc.exp 2021-02-04 15:29:49.000000000 +0000
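Review bot: This script only matches `Domain Name` in the whois reply, so unlike the other scripts in this directory it never confirms that the sandbox was actually set up with the whois profile (no `Reading profile /etc/firejail/whois.profile` or `Child process initialized` expect), and a run where firejail fell through to a plain `whois` would still pass. Adding `expect { timeout {puts "TESTING ERROR 0.1\n";exit} "Reading profile /etc/firejail/whois.profile" }` before the `Domain Name` expect closes that gap; if the profile is quiet, invoke it with `--ignore=quiet` as transmission-gtk.exp does. The check also needs outbound network access to a public whois server, so an offline CI run fails with `TESTING ERROR 0` rather than a skip; a comment at the top such as `# requires outbound network: queries the public whois service for debian.org` would at least make that failure mode obvious to whoever reads the log.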
@@ -0,0 +1,83 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2020 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail xcalc\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "Reading profile /etc/firejail/xcalc.profile"
+}
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "Child process initialized"
+}
+sleep 3
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ ":firejail"
+}
+expect {
+ timeout {puts "TESTING ERROR 3.1\n";exit}
+ "xcalc"
+}
+after 100
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+ timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+ "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+ "cannot open" {puts "grsecurity not present\n"}
+}
+
+send -- "firejail --name=blablabla\r"
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ "Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
+ ":firejail xcalc"
+}
+expect {
+ timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+ "Seccomp: 2"
+}
+expect {
+ timeout {puts "TESTING ERROR 5.1\n";exit}
+ "name=blablabla"
+}
+after 100
+send -- "firemon --caps\r"
+expect {
+ timeout {puts "TESTING ERROR 6\n";exit}
+ ":firejail xcalc"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.1\n";exit}
+ "CapBnd:"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.2\n";exit}
+ "0000000000000000"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.3\n";exit}
+ "name=blablabla"
+}
+after 100
+
+puts "\nall done\n"
diff -Nru firejail-0.9.64/test/profiles/profiles.sh firejail-0.9.64.4/test/profiles/profiles.sh
--- firejail-0.9.64/test/profiles/profiles.sh 2020-10-06 12:50:41.000000000 +0000
+++ firejail-0.9.64.4/test/profiles/profiles.sh 2021-02-04
15:29:49.000000000 +0000 @@ -34,11 +34,20 @@ echo "TESTING: profile no permissions (test/profiles/profile_noperm.exp)" ./profile_noperm.exp +# problems with testing full list of profiles +# disabled in 0.9.64.2, to be brought back in the release after +exit 0 +# GitHub CI doesn't have a /run/user/$UID directory. Using it to test a small number of profiles. +UID=`id -u` +if [ -d "/run/user/$UID" ]; then + PROFILES=`ls /etc/firejail/*.profile` + echo "TESTING: default profiles installed in /etc" +else + PROFILES=`ls /etc/firejail/transmission*.profile /etc/firejail/fi*.profile /etc/firejail/fl*.profile /etc/firejail/free*.profile` + echo "TESTING: small number of default profiles installed in /etc" +fi - -echo "TESTING: default profiles installed in /etc" -PROFILES=`ls /etc/firejail/*.profile` for PROFILE in $PROFILES do echo "TESTING: $PROFILE" diff -Nru firejail-0.9.64/test/sysutils/less.exp firejail-0.9.64.4/test/sysutils/less.exp --- firejail-0.9.64/test/sysutils/less.exp 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/test/sysutils/less.exp 2021-02-04 15:29:49.000000000 +0000 @@ -10,6 +10,7 @@ send -- "firejail less sysutils.sh\r" expect { timeout {puts "TESTING ERROR 1\n";exit} + "(press RETURN)" {puts "TESTING SKIP 1.1\n";exit} "MALLOC_CHECK" } expect { diff -Nru firejail-0.9.64/test/sysutils/xz.exp firejail-0.9.64.4/test/sysutils/xz.exp --- firejail-0.9.64/test/sysutils/xz.exp 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/test/sysutils/xz.exp 2021-02-04 15:29:49.000000000 +0000 @@ -3,7 +3,7 @@ # Copyright (C) 2014-2020 Firejail Authors # License GPL v2 -set timeout 10 +set timeout 60 spawn $env(SHELL) match_max 100000 
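Review bot: `UID=\`id -u\`` assigns to a variable that bash makes read-only, so if profiles.sh runs under bash (as private-lib.sh in this patch does) the line prints `UID: readonly variable` and the assignment is ignored; the script only gets away with it today because the `exit 0` two lines above makes everything that follows unreachable, which will bite when the block is re-enabled as the comment promises. Drop the assignment and write `if [ -d "/run/user/$(id -u)" ]; then`, or simply rely on bash's own `$UID`. The two backtick `PROFILES=\`ls ...\`` lines are an `ls` parse that the loop below (`for PROFILE in $PROFILES`, which continues outside the hunk) does not need — `PROFILES="/etc/firejail/*.profile"` lets the unquoted expansion glob directly and avoids an empty-match turning into an `ls` error. The `# disabled in 0.9.64.2, to be brought back in the release after` comment would be easier to act on as `# TODO(0.9.66): remove the exit 0 below once the full profile list passes in CI`.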
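Review bot: The new `"(press RETURN)"` arm in less.exp is labelled `TESTING SKIP 1.1` against a timeout labelled `ERROR 1`, while the identical arm added to man.exp in this patch reuses `SKIP 1.1` against a timeout labelled `ERROR 0`, and neither says what condition triggered the skip. Since a reader of the log only sees the label, `"(press RETURN)" {puts "TESTING SKIP 1.1 (pager prompt, non-interactive run)\n";exit}` documents the reason in both files; the man.exp arm would read `SKIP 0.1` under its own numbering.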
@@ -13,6 +13,9 @@ send -- "firejail /usr/bin/xz -c /usr/bin/firejail > firejail_t2\r" sleep 1 +send -- "md5sum firejail_t1 firejail_t2; ls -l firejail_t1 firejail_t2\r" +sleep 1 + send -- "diff -s firejail_t1 firejail_t2\r" expect { timeout {puts "TESTING ERROR 1\n";exit} diff -Nru firejail-0.9.64/test/utils/man.exp firejail-0.9.64.4/test/utils/man.exp --- firejail-0.9.64/test/utils/man.exp 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/test/utils/man.exp 2021-02-04 15:29:49.000000000 +0000 @@ -10,6 +10,7 @@ send -- "man firejail\r" expect { timeout {puts "TESTING ERROR 0\n";exit} + "(press RETURN)" {puts "TESTING SKIP 1.1\n";exit} "Linux namespaces sandbox program" } after 100 diff -Nru firejail-0.9.64/test/utils/shutdown.exp firejail-0.9.64.4/test/utils/shutdown.exp --- firejail-0.9.64/test/utils/shutdown.exp 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/test/utils/shutdown.exp 2021-02-04 15:29:49.000000000 +0000 @@ -3,7 +3,7 @@ # Copyright (C) 2014-2020 Firejail Authors # License GPL v2 -set timeout 10 +set timeout 15 cd /home spawn $env(SHELL) match_max 100000 diff -Nru firejail-0.9.64/test/utils/utils.sh firejail-0.9.64.4/test/utils/utils.sh --- firejail-0.9.64/test/utils/utils.sh 2020-10-06 12:50:41.000000000 +0000 +++ firejail-0.9.64.4/test/utils/utils.sh 2021-02-04 15:29:49.000000000 +0000 @@ -18,7 +18,7 @@ rm -f ~/firejail-test-file-7699 rm -f firejail-test-file-4388 -if [ $(readlink /proc/self) -lt 100 ]; then +if [ $(faudit | grep -c "is running in a PID namespace.") -gt 0 ]; then echo "TESTING SKIP: already running in pid namespace (test/utils/audit.exp)" else echo "TESTING: audit (test/utils/audit.exp)"
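Review bot: The added `md5sum firejail_t1 firejail_t2; ls -l firejail_t1 firejail_t2` line is not matched by any `expect`, so it only contributes output to the log when the later `diff -s` (outside this hunk) reports a mismatch; that intent should be stated, e.g. `# diagnostics only: not matched below, printed so a diff failure shows which file differs and by how much`. Raising the timeout to 60 in the previous hunk while keeping the `sleep 1` pacing is fine since the commands are typed into one shell sequentially, but a one-line comment on the timeout (`# compressing the whole firejail binary can take well over 10s on CI`) would stop the next person from lowering it again.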
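Review bot: `if [ $(faudit | grep -c "is running in a PID namespace.") -gt 0 ]` is the count-and-compare spelling of a presence test and leaves the substitution unquoted inside `[`; the direct form is `if faudit | grep -qF "is running in a PID namespace."; then`, which also stops the `.` from acting as a regex wildcard. With the current form a missing or failing `faudit` still yields `0` from `grep -c` and the audit test runs, whereas the `-q` form behaves the same but makes the dependency explicit; if `faudit` being absent should be a skip rather than a run, guard it with `command -v faudit >/dev/null` first. The `if`/`else` this sits in ends inside the hunk, but the rest of utils.sh is outside the diff.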