diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml
index c1c240922..a7b7c8a3e 100644
--- a/.github/workflows/build-extra.yml
+++ b/.github/workflows/build-extra.yml
@@ -5,9 +5,9 @@ on:
     branches: [ master ]
     paths-ignore:
       - '.github/ISSUE_TEMPLATE/*'
-      - 'etc/**'
-      - 'contrib/gtksourceview-5/**'
+      - 'contrib/syntax/**'
       - 'contrib/vim/**'
+      - 'etc/**'
       - 'src/man/*.txt'
       - .git-blame-ignore-revs
       - .github/dependabot.yml
@@ -27,9 +27,9 @@ on:
     branches: [ master ]
     paths-ignore:
       - '.github/ISSUE_TEMPLATE/*'
-      - 'etc/**'
-      - 'contrib/gtksourceview-5/**'
+      - 'contrib/syntax/**'
       - 'contrib/vim/**'
+      - 'etc/**'
       - 'src/man/*.txt'
       - .git-blame-ignore-revs
       - .github/dependabot.yml
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index b86d432f9..9cf216492 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -10,9 +10,9 @@ on:
     branches: [ master ]
     paths-ignore:
       - '.github/ISSUE_TEMPLATE/*'
-      - 'etc/**'
-      - 'contrib/gtksourceview-5/**'
+      - 'contrib/syntax/**'
       - 'contrib/vim/**'
+      - 'etc/**'
       - 'src/man/*.txt'
       - .git-blame-ignore-revs
       - .github/dependabot.yml
@@ -32,9 +32,9 @@ on:
     branches: [ master ]
     paths-ignore:
       - '.github/ISSUE_TEMPLATE/*'
-      - 'etc/**'
-      - 'contrib/gtksourceview-5/**'
+      - 'contrib/syntax/**'
       - 'contrib/vim/**'
+      - 'etc/**'
       - 'src/man/*.txt'
       - .git-blame-ignore-revs
       - .github/dependabot.yml
@@ -88,7 +88,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@a34ca99b4610d924e04c68db79e503e1f79f9f02
+      uses: github/codeql-action/init@3ebbd71c74ef574dbc558c82f70e52732c8b44fe
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -99,7 +99,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@a34ca99b4610d924e04c68db79e503e1f79f9f02
+      uses: github/codeql-action/autobuild@3ebbd71c74ef574dbc558c82f70e52732c8b44fe
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -113,4 +113,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@a34ca99b4610d924e04c68db79e503e1f79f9f02
+      uses: github/codeql-action/analyze@3ebbd71c74ef574dbc558c82f70e52732c8b44fe
diff --git a/.gitignore b/.gitignore
index 7333b1c8d..db3b16893 100644
--- a/.gitignore
+++ b/.gitignore
@@ -16,6 +16,9 @@ config.log
 config.mk
 config.sh
 config.status
+contrib/syntax/files/example
+contrib/syntax/files/firejail-profile.lang
+contrib/syntax/files/firejail.vim
 firejail-*.tar.xz
 firejail-login.5
 firejail-profile.5
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 9a5f19b54..97730e533 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -38,8 +38,7 @@ If you add a new command, here's the checklist:
 
  - [ ] Update manpages: firejail(1) and firejail-profile(5)
  - [ ] Update shell completions
- - [ ] Update vim syntax files
- - [ ] Update gtksourceview language specs
+ - [ ] Update syntax files (run `make syntax` or just `make`)
  - [ ] Update --help
 
 # Editing the wiki
diff --git a/Makefile b/Makefile
index 119bf6b4b..443c3183f 100644
--- a/Makefile
+++ b/Makefile
@@ -6,6 +6,10 @@ MAN_TARGET = man
 MAN_SRC = src/man
 endif
 
+ifneq ($(HAVE_CONTRIB_INSTALL),no)
+CONTRIB_TARGET = contrib
+endif
+
 COMPLETIONDIRS = src/zsh_completion src/bash_completion
 
 APPS = src/firecfg/firecfg src/firejail/firejail src/firemon/firemon src/profstats/profstats src/jailcheck/jailcheck
@@ -17,16 +21,32 @@ SBOX_APPS_NON_DUMPABLE += src/fnettrace-icmp/fnettrace-icmp
 MYDIRS = src/lib $(MAN_SRC) $(COMPLETIONDIRS)
 MYLIBS = src/libpostexecseccomp/libpostexecseccomp.so src/libtrace/libtrace.so src/libtracelog/libtracelog.so
 COMPLETIONS = src/zsh_completion/_firejail src/bash_completion/firejail.bash_completion
-MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5 jailcheck.1
 SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx seccomp.mdwx.32
+MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5 jailcheck.1
+
+SYSCALL_HEADERS := $(sort $(wildcard src/include/syscall*.h))
+
+# Lists of keywords used in profiles; used for generating syntax files.
+SYNTAX_LISTS = \
+	contrib/syntax/lists/profile_commands_arg0.list \
+	contrib/syntax/lists/profile_commands_arg1.list \
+	contrib/syntax/lists/profile_conditionals.list \
+	contrib/syntax/lists/profile_macros.list \
+	contrib/syntax/lists/syscall_groups.list \
+	contrib/syntax/lists/syscalls.list \
+	contrib/syntax/lists/system_errnos.list
+
+SYNTAX_FILES_IN := $(sort $(wildcard contrib/syntax/files/*.in))
+SYNTAX_FILES := $(SYNTAX_FILES_IN:.in=)
+
 ALL_ITEMS = $(APPS) $(SBOX_APPS) $(SBOX_APPS_NON_DUMPABLE) $(MYLIBS)
 
 .PHONY: all
-all: all_items mydirs $(MAN_TARGET) filters
+all: all_items mydirs filters $(MAN_TARGET) $(CONTRIB_TARGET)
 
 config.mk config.sh:
-	printf 'run ./configure to generate %s\n' "$@" >&2
-	false
+	@printf 'error: run ./configure to generate %s\n' "$@" >&2
+	@false
 
 .PHONY: all_items $(ALL_ITEMS)
 all_items: $(ALL_ITEMS)
@@ -38,11 +58,6 @@ mydirs: $(MYDIRS)
 $(MYDIRS):
 	$(MAKE) -C $@
 
-$(MANPAGES): src/man config.mk
-	./mkman.sh $(VERSION) src/man/$(basename $@).man $@
-
-man: $(MANPAGES)
-
 filters: $(SECCOMP_FILTERS) $(SBOX_APPS_NON_DUMPABLE)
 seccomp: src/fseccomp/fseccomp src/fsec-optimize/fsec-optimize
 	src/fseccomp/fseccomp default seccomp
@@ -65,14 +80,83 @@ seccomp.mdwx: src/fseccomp/fseccomp
 seccomp.mdwx.32: src/fseccomp/fseccomp
 	src/fseccomp/fseccomp memory-deny-write-execute.32 seccomp.mdwx.32
 
+$(MANPAGES): src/man config.mk
+	./mkman.sh $(VERSION) src/man/$(basename $@).man $@
+
+man: $(MANPAGES)
+
+# Makes all targets in contrib/
+.PHONY: contrib
+contrib: syntax
+
+.PHONY: syntax
+syntax: $(SYNTAX_FILES)
+
+# TODO: include/rlimit are false positives
+contrib/syntax/lists/profile_commands_arg0.list: src/firejail/profile.c
+	@sed -En 's/.*strn?cmp\(ptr, "([^ "]*[^ ])".*/\1/p' $< | \
+	grep -Ev '^(include|rlimit)$$' | sed 's/\./\\./' | LC_ALL=C sort -u >$@
+
+# TODO: private-lib is special-cased in the code and doesn't match the regex
+contrib/syntax/lists/profile_commands_arg1.list: src/firejail/profile.c
+	@{ sed -En 's/.*strn?cmp\(ptr, "([^"]+) ".*/\1/p' $<; echo private-lib; } | \
+	LC_ALL=C sort -u >$@
+
+contrib/syntax/lists/profile_conditionals.list: src/firejail/profile.c
+	@awk -- 'BEGIN {process=0;} /^Cond conditionals\[\] = \{$$/ {process=1;} \
+		/\t*\{"[^"]+".*/ \
+		{ if (process) {print gensub(/^\t*\{"([^"]+)".*$$/, "\\1", 1);} } \
+		/^\t\{ NULL, NULL \}$$/ {process=0;}' \
+		$< | LC_ALL=C sort -u >$@
+
+contrib/syntax/lists/profile_macros.list: src/firejail/macros.c
+	@sed -En 's/.*\$$\{([^}]+)\}.*/\1/p' $< | LC_ALL=C sort -u >$@
+
+contrib/syntax/lists/syscall_groups.list: src/lib/syscall.c
+	@sed -En 's/.*"@([^",]+).*/\1/p' $< | LC_ALL=C sort -u >$@
+
+contrib/syntax/lists/syscalls.list: $(SYSCALL_HEADERS)
+	@sed -n 's/{\s\+"\([^"]\+\)",.*},/\1/p' $(SYSCALL_HEADERS) | \
+	LC_ALL=C sort -u >$@
+
+contrib/syntax/lists/system_errnos.list: src/lib/errno.c
+	@sed -En 's/.*"(E[^"]+).*/\1/p' $< | LC_ALL=C sort -u >$@
+
+pipe_fromlf = { tr '\n' '|' | sed 's/|$$//'; }
+space_fromlf = { tr '\n' ' ' | sed 's/ $$//'; }
+edit_syntax_file = sed \
+	-e "s/@make_input@/$$(basename $@).  Generated from $$(basename $<) by make./" \
+	-e "s/@FJ_PROFILE_COMMANDS_ARG0@/$$($(pipe_fromlf) <contrib/syntax/lists/profile_commands_arg0.list)/" \
+	-e "s/@FJ_PROFILE_COMMANDS_ARG1@/$$($(pipe_fromlf) <contrib/syntax/lists/profile_commands_arg1.list)/" \
+	-e "s/@FJ_PROFILE_CONDITIONALS@/$$($(pipe_fromlf) <contrib/syntax/lists/profile_conditionals.list)/" \
+	-e "s/@FJ_PROFILE_MACROS@/$$($(pipe_fromlf) <contrib/syntax/lists/profile_macros.list)/" \
+	-e "s/@FJ_SYSCALLS@/$$($(space_fromlf) <contrib/syntax/lists/syscalls.list)/" \
+	-e "s/@FJ_SYSCALL_GROUPS@/$$($(pipe_fromlf) <contrib/syntax/lists/syscall_groups.list)/" \
+	-e "s/@FJ_SYSTEM_ERRNOS@/$$($(pipe_fromlf) <contrib/syntax/lists/system_errnos.list)/"
+
+contrib/syntax/files/example: contrib/syntax/files/example.in $(SYNTAX_LISTS)
+	@printf 'Generating %s from %s\n' $@ $<
+	@$(edit_syntax_file) $< >$@
+
+# gtksourceview language-specs
+contrib/syntax/files/%.lang: contrib/syntax/files/%.lang.in $(SYNTAX_LISTS)
+	@printf 'Generating %s from %s\n' $@ $<
+	@$(edit_syntax_file) $< >$@
+
+# vim syntax files
+contrib/syntax/files/%.vim: contrib/syntax/files/%.vim.in $(SYNTAX_LISTS)
+	@printf 'Generating %s from %s\n' $@ $<
+	@$(edit_syntax_file) $< >$@
+
 .PHONY: clean
 clean:
 	for dir in $$(dirname $(ALL_ITEMS)) $(MYDIRS); do \
 		$(MAKE) -C $$dir clean; \
 	done
 	$(MAKE) -C test clean
-	rm -f $(MANPAGES) $(MANPAGES:%=%.gz) firejail*.rpm
 	rm -f $(SECCOMP_FILTERS)
+	rm -f $(MANPAGES) $(MANPAGES:%=%.gz) firejail*.rpm
+	rm -f $(SYNTAX_FILES)
 	rm -f test/utils/index.html*
 	rm -f test/utils/wget-log
 	rm -f test/utils/firejail-test-file*
@@ -124,10 +208,10 @@ ifeq ($(HAVE_CONTRIB_INSTALL),yes)
 	install -m 0755 -d $(DESTDIR)$(datarootdir)/vim/vimfiles/ftdetect
 	install -m 0755 -d $(DESTDIR)$(datarootdir)/vim/vimfiles/syntax
 	install -m 0644 contrib/vim/ftdetect/firejail.vim $(DESTDIR)$(datarootdir)/vim/vimfiles/ftdetect
-	install -m 0644 contrib/vim/syntax/firejail.vim $(DESTDIR)$(datarootdir)/vim/vimfiles/syntax
-	# gtksourceview-5 language-specs
+	install -m 0644 contrib/syntax/files/firejail.vim $(DESTDIR)$(datarootdir)/vim/vimfiles/syntax
+	# gtksourceview language-specs
 	install -m 0755 -d $(DESTDIR)$(datarootdir)/gtksourceview-5/language-specs
-	install -m 0644 contrib/gtksourceview-5/language-specs/firejail-profile.lang $(DESTDIR)$(datarootdir)/gtksourceview-5/language-specs
+	install -m 0644 contrib/syntax/files/firejail-profile.lang $(DESTDIR)$(datarootdir)/gtksourceview-5/language-specs
 endif
 	# documents
 	install -m 0755 -d $(DESTDIR)$(docdir)
diff --git a/README b/README
index 74318fa16..762668a88 100644
--- a/README
+++ b/README
@@ -125,6 +125,8 @@ Alexander Stein (https://github.com/ajstein)
 alkim0 (https://github.com/alkim0)
 	- warn when encountering EIO during remount
 	- Add profile for chafa
+amano-kenji  (https://github.com/amano-kenji)
+	- fix private-etc in qutebrowser profile
 Amin Vakil (https://github.com/aminvakil)
 	- whois profile fix
 	- added profile for strawberry
@@ -679,6 +681,8 @@ Laurent Declercq (https://github.com/nuxwin)
 	- fixed test for shell interpreter in chroots
 LaurentGH (https://github.com/LaurentGH)
 	- allow private-bin parameters to be absolute paths
+layderv (https://github.com/layderv)
+	- prevent sandbox name from containing only digits
 lecso7 (https://github.com/lecso7)
 	- added goldendict profile
 	- allow evince to read .cbz file format
diff --git a/README.md b/README.md
index f261da2a3..7d1c88c65 100644
--- a/README.md
+++ b/README.md
@@ -184,7 +184,7 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe
 
 ### private-etc rework
 `````
-       --private-etc, --private-etc=file,directory
+       --private-etc, --private-etc=file,directory,@group
               The files installed by --private-etc are copies of the  original
               system  files  from  /etc  directory.   By  default, the command
               brings in a skeleton of files and directories used by most  con‐
@@ -192,24 +192,23 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe
 
               $ firejail --private-etc dig debian.org
 
-              For X11/GTK/QT/Gnome/KDE  programs add GUI group as a parameter.
-              Example:
+              For  X11/GTK/QT/Gnome/KDE   programs add @x11 group as a parame‐
+              ter. Example:
 
-              $ firejail --private-etc=GUI,python* gimp
+              $ firejail --private-etc=@x11,gcrypt,python* gimp
 
-              /etc/python* directories are not part of the generic GUI  group.
-              These directories are reuqired by Gimp plugin system. File glob‐
-              bing is supported.
+              gcrypt and /etc/python* directories are not part of the  generic
+              @x11 group.  File globbing is supported.
 
-              For games, add GAMES group:
+              For games, add @games group:
 
-              $ firejail --private-etc=GUI,GAMES warzone2100
+              $ firejail --private-etc=@games,@x11 warzone2100
 
-              Sound and networking files are  included  automatically,  unless
-              --nosound  or  --net=none  are  specified.   Files for encrypted
-              TLS/SSL protocol are in TLS-CA group.
+              Sound  and  networking  files are included automatically, unless
+              --nosound or --net=none  are  specified.   Files  for  encrypted
+              TLS/SSL protocol are in @tls-ca group.
 
-              $ firejail --private-etc=TLS-CA,wgetrc wget https://debian.org
+              $ firejail --private-etc=@tls-ca,wgetrc wget https://debian.org
 
               Note: The easiest way to extract the list of /etc files accessed
               by your program is using strace utility:
diff --git a/RELNOTES b/RELNOTES
index 478bf297d..6230fe81b 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,6 +1,7 @@
 firejail (0.9.73) baseline; urgency=low
   * work in progress
   * modif: Stop forwarding own double-dash to the shell (#5599 #5600)
+  * modif: prevent sandbox name from containing only digits (#5578)
   * docs: remove apparmor options in --help when building without apparmor
     support (#5589)
   * fix: qutebrowser not opening tabs (#5601)
diff --git a/contrib/syntax/files/example.in b/contrib/syntax/files/example.in
new file mode 100644
index 000000000..74bcdc079
--- /dev/null
+++ b/contrib/syntax/files/example.in
@@ -0,0 +1,16 @@
+# @make_input@
+# Example file to check the values of input variables.
+
+FJ_PROFILE_COMMANDS_ARG0 = @FJ_PROFILE_COMMANDS_ARG0@
+
+FJ_PROFILE_COMMANDS_ARG1 = @FJ_PROFILE_COMMANDS_ARG1@
+
+FJ_PROFILE_CONDITIONALS = @FJ_PROFILE_CONDITIONALS@
+
+FJ_PROFILE_MACROS = @FJ_PROFILE_MACROS@
+
+FJ_SYSCALLS = @FJ_SYSCALLS@
+
+FJ_SYSCALL_GROUPS = @FJ_SYSCALL_GROUPS@
+
+FJ_SYSTEM_ERRNOS = @FJ_SYSTEM_ERRNOS@
diff --git a/contrib/gtksourceview-5/language-specs/firejail-profile.lang b/contrib/syntax/files/firejail-profile.lang.in
similarity index 59%
rename from contrib/gtksourceview-5/language-specs/firejail-profile.lang
rename to contrib/syntax/files/firejail-profile.lang.in
index 61c37f98f..acd5c86ce 100644
--- a/contrib/gtksourceview-5/language-specs/firejail-profile.lang
+++ b/contrib/syntax/files/firejail-profile.lang.in
@@ -1,4 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
+<!-- @make_input@ -->
 <!-- vim: set ts=2 sts=2 sw=2 et: -->
 <!--
   https://gitlab.gnome.org/GNOME/gtksourceview/-/blob/master/docs/lang-tutorial.md
@@ -20,15 +21,15 @@
 
   <definitions>
     <define-regex id="commands-with-arguments" extended="true">
-      (apparmor|bind|blacklist-nolog|blacklist|caps.drop|caps.keep|cpu|dbus-system.broadcast|dbus-system.call|dbus-system.own|dbus-system.see|dbus-system.talk|dbus-system|dbus-user.broadcast|dbus-user.call|dbus-user.own|dbus-user.see|dbus-user.talk|dbus-user|defaultgw|dns|env|hostname|hosts-file|ignore|include|ip6|ip|iprange|join-or-start|keep-fd|mac|mkdir|mkfile|mtu|name|net|netfilter6|netfilter|netmask|netns|nice|noblacklist|noexec|nowhitelist|overlay-named|private-bin|private-cwd|private-etc|private-home|private-lib|private-opt|private-srv|private|protocol|read-only|read-write|restrict-namespaces|rlimit-as|rlimit-cpu|rlimit-fsize|rlimit-nofile|rlimit-nproc|rlimit-sigpending|rlimit|rmenv|seccomp-error-action|seccomp.32.drop|seccomp.32.keep|seccomp.32|seccomp.drop|seccomp.keep|seccomp|shell|timeout|tmpfs|veth-name|whitelist-ro|whitelist|x11|xephyr-screen)
+      (@FJ_PROFILE_COMMANDS_ARG1@)
     </define-regex>
 
     <define-regex id="commands-without-arguments" extended="true">
-      (allow-debuggers|allusers|apparmor|caps|deterministic-exit-code|deterministic-shutdown|disable-mnt|ipc-namespace|keep-config-pulse|keep-dev-shm|keep-fd|keep-var-tmp|machine-id|memory-deny-write-execute|netfilter|no3d|noautopulse|nodbus|nodvd|nogroups|noinput|nonewprivs|noprinters|noroot|nosound|notv|nou2f|novideo|overlay-tmpfs|overlay|private-cache|private-cwd|private-dev|private-lib|private-tmp|private|quiet|restrict-namespaces|seccomp.32|seccomp.block-secondary|seccomp|tab|tracelog|writable-etc|writable-run-user|writable-var-log|writable-var|x11)
+      (@FJ_PROFILE_COMMANDS_ARG0@)
     </define-regex>
 
     <define-regex id="conditions" extended="true">
-      (ALLOW_TRAY|BROWSER_ALLOW_DRM|BROWSER_DISABLE_U2F|HAS_APPIMAGE|HAS_NET|HAS_NODBUS|HAS_NOSOUND|HAS_X11)
+      (@FJ_PROFILE_CONDITIONALS@)
     </define-regex>
 
     <context id="conditional-line">
diff --git a/contrib/syntax/files/firejail.vim.in b/contrib/syntax/files/firejail.vim.in
new file mode 100644
index 000000000..ec6b29e4f
--- /dev/null
+++ b/contrib/syntax/files/firejail.vim.in
@@ -0,0 +1,99 @@
+" @make_input@
+" Vim syntax file
+" Language: Firejail security sandbox profile
+" URL: https://github.com/netblue30/firejail
+
+if exists("b:current_syntax")
+  finish
+endif
+
+
+syn iskeyword @,48-57,_,.,-
+
+
+syn keyword fjTodo TODO FIXME XXX NOTE contained
+syn match fjComment "#.*$" contains=fjTodo
+
+"TODO: highlight "dangerous" capabilities differently, as is done in apparmor.vim?
+syn keyword fjCapability audit_control audit_read audit_write block_suspend chown dac_override dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable mac_admin mac_override mknod net_admin net_bind_service net_broadcast net_raw setgid setfcap setpcap setuid sys_admin sys_boot sys_chroot sys_module sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config syslog wake_alarm nextgroup=fjCapabilityList contained
+syn match fjCapabilityList /,/ nextgroup=fjCapability contained
+
+syn keyword fjNamespaces cgroup ipc net mnt pid time user uts nextgroup=fjNamespacesList contained
+syn match fjNamespacesList /,/ nextgroup=fjNamespaces contained
+
+syn keyword fjProtocol unix inet inet6 netlink packet nextgroup=fjProtocolList contained
+syn match fjProtocolList /,/ nextgroup=fjProtocol contained
+
+" Syscalls (auto-generated)
+syn keyword fjSyscall @FJ_SYSCALLS@ nextgroup=fjSyscallErrno contained
+" Syscall groups (auto-generated)
+syn match fjSyscall /\v\@(@FJ_SYSCALL_GROUPS@)>/ nextgroup=fjSyscallErrno contained
+syn match fjSyscall /\$[0-9]\+/ nextgroup=fjSyscallErrno contained
+" Errnos (auto-generated)
+syn match fjSyscallErrno /\v(:(@FJ_SYSTEM_ERRNOS@)>)?/ nextgroup=fjSyscallList contained
+syn match fjSyscallList /,/ nextgroup=fjSyscall contained
+
+syn keyword fjX11Sandbox none xephyr xorg xpra xvfb contained
+syn keyword fjSeccompAction kill log ERRNO contained
+
+syn match fjEnvVar "[A-Za-z0-9_]\+=" contained
+syn match fjRmenvVar "[A-Za-z0-9_]\+" contained
+
+syn keyword fjAll all contained
+syn keyword fjNone none contained
+syn keyword fjLo lo contained
+syn keyword fjFilter filter contained
+
+" Variable names (auto-generated)
+syn match fjVar /\v\$\{(@FJ_PROFILE_MACROS@)}/
+
+" Profile commands with 1 argument (auto-generated)
+syn match fjCommand /\v(@FJ_PROFILE_COMMANDS_ARG1@) / skipwhite contained
+" Profile commands with 0 arguments (auto-generated)
+syn match fjCommand /\v(@FJ_PROFILE_COMMANDS_ARG0@)$/ contained
+syn match fjCommand /ignore / nextgroup=fjCommand,fjCommandNoCond skipwhite contained
+syn match fjCommand /caps\.drop / nextgroup=fjCapability,fjAll skipwhite contained
+syn match fjCommand /caps\.keep / nextgroup=fjCapability skipwhite contained
+syn match fjCommand /protocol / nextgroup=fjProtocol skipwhite contained
+syn match fjCommand /restrict-namespaces / nextgroup=fjNamespaces skipwhite contained
+syn match fjCommand /\vseccomp(\.32)?(\.drop|\.keep)? / nextgroup=fjSyscall skipwhite contained
+syn match fjCommand /x11 / nextgroup=fjX11Sandbox skipwhite contained
+syn match fjCommand /env / nextgroup=fjEnvVar skipwhite contained
+syn match fjCommand /rmenv / nextgroup=fjRmenvVar skipwhite contained
+syn match fjCommand /shell / nextgroup=fjNone skipwhite contained
+syn match fjCommand /net / nextgroup=fjNone,fjLo skipwhite contained
+syn match fjCommand /ip / nextgroup=fjNone skipwhite contained
+syn match fjCommand /seccomp-error-action / nextgroup=fjSeccompAction skipwhite contained
+syn match fjCommand /\vdbus-(user|system) / nextgroup=fjFilter,fjNone skipwhite contained
+syn match fjCommand /\vdbus-(user|system)\.(broadcast|call|own|see|talk) / skipwhite contained
+" Commands that can't be inside a ?CONDITIONAL: statement
+syn match fjCommandNoCond /include / skipwhite contained
+syn match fjCommandNoCond /quiet$/ contained
+
+" Conditionals (auto-generated)
+syn match fjConditional /\v\?(@FJ_PROFILE_CONDITIONALS@) ?:/ nextgroup=fjCommand skipwhite contained
+
+" A line is either a command, a conditional or a comment
+syn match fjStatement /^/ nextgroup=fjCommand,fjCommandNoCond,fjConditional,fjComment
+
+hi def link fjTodo Todo
+hi def link fjComment Comment
+hi def link fjCommand Statement
+hi def link fjCommandNoCond Statement
+hi def link fjConditional Macro
+hi def link fjVar Identifier
+hi def link fjCapability Type
+hi def link fjProtocol Type
+hi def link fjSyscall Type
+hi def link fjSyscallErrno Constant
+hi def link fjX11Sandbox Type
+hi def link fjEnvVar Type
+hi def link fjRmenvVar Type
+hi def link fjAll Type
+hi def link fjNone Type
+hi def link fjLo Type
+hi def link fjFilter Type
+hi def link fjSeccompAction Type
+
+
+let b:current_syntax = "firejail"
diff --git a/contrib/syntax/lists/profile_commands_arg0.list b/contrib/syntax/lists/profile_commands_arg0.list
new file mode 100644
index 000000000..a402671a6
--- /dev/null
+++ b/contrib/syntax/lists/profile_commands_arg0.list
@@ -0,0 +1,50 @@
+allow-debuggers
+allusers
+apparmor
+apparmor-replace
+apparmor-stack
+caps
+deterministic-exit-code
+deterministic-shutdown
+disable-mnt
+ipc-namespace
+keep-config-pulse
+keep-dev-shm
+keep-var-tmp
+machine-id
+memory-deny-write-execute
+netfilter
+netlock
+no3d
+noautopulse
+nodbus
+nodvd
+nogroups
+noinput
+nonewprivs
+noprinters
+noroot
+nosound
+notv
+nou2f
+novideo
+overlay
+overlay-tmpfs
+private
+private-cache
+private-cwd
+private-dev
+private-etc
+private-lib
+private-tmp
+quiet
+restrict-namespaces
+seccomp
+seccomp\.block-secondary
+tab
+tracelog
+writable-etc
+writable-run-user
+writable-var
+writable-var-log
+x11
diff --git a/contrib/syntax/lists/profile_commands_arg1.list b/contrib/syntax/lists/profile_commands_arg1.list
new file mode 100644
index 000000000..c703f2257
--- /dev/null
+++ b/contrib/syntax/lists/profile_commands_arg1.list
@@ -0,0 +1,76 @@
+apparmor
+bind
+blacklist
+blacklist-nolog
+caps.drop
+caps.keep
+cpu
+dbus-system.broadcast
+dbus-system.call
+dbus-system.own
+dbus-system.see
+dbus-system.talk
+dbus-user.broadcast
+dbus-user.call
+dbus-user.own
+dbus-user.see
+dbus-user.talk
+defaultgw
+dns
+env
+hostname
+hosts-file
+ignore
+include
+ip
+ip6
+iprange
+join-or-start
+keep-fd
+mac
+mkdir
+mkfile
+mtu
+name
+net
+netfilter
+netfilter6
+netmask
+netns
+nice
+noblacklist
+noexec
+nowhitelist
+overlay-named
+private
+private-bin
+private-cwd
+private-etc
+private-home
+private-lib
+private-opt
+private-srv
+protocol
+read-only
+read-write
+restrict-namespaces
+rlimit-as
+rlimit-cpu
+rlimit-fsize
+rlimit-nofile
+rlimit-nproc
+rlimit-sigpending
+rmenv
+seccomp
+seccomp-error-action
+seccomp.32
+seccomp.32.drop
+seccomp.32.keep
+seccomp.drop
+seccomp.keep
+timeout
+tmpfs
+veth-name
+whitelist
+whitelist-ro
+xephyr-screen
diff --git a/contrib/syntax/lists/profile_conditionals.list b/contrib/syntax/lists/profile_conditionals.list
new file mode 100644
index 000000000..2cae76c96
--- /dev/null
+++ b/contrib/syntax/lists/profile_conditionals.list
@@ -0,0 +1,9 @@
+ALLOW_TRAY
+BROWSER_ALLOW_DRM
+BROWSER_DISABLE_U2F
+HAS_APPIMAGE
+HAS_NET
+HAS_NODBUS
+HAS_NOSOUND
+HAS_PRIVATE
+HAS_X11
diff --git a/contrib/syntax/lists/profile_macros.list b/contrib/syntax/lists/profile_macros.list
new file mode 100644
index 000000000..4ba780f11
--- /dev/null
+++ b/contrib/syntax/lists/profile_macros.list
@@ -0,0 +1,10 @@
+CFG
+DESKTOP
+DOCUMENTS
+DOWNLOADS
+HOME
+MUSIC
+PATH
+PICTURES
+RUNUSER
+VIDEOS
diff --git a/contrib/syntax/lists/syscall_groups.list b/contrib/syntax/lists/syscall_groups.list
new file mode 100644
index 000000000..fb42ae5f7
--- /dev/null
+++ b/contrib/syntax/lists/syscall_groups.list
@@ -0,0 +1,29 @@
+aio
+basic-io
+chown
+clock
+cpu-emulation
+debug
+default
+default-keep
+default-nodebuggers
+file-system
+io-event
+ipc
+keyring
+memlock
+module
+mount
+network-io
+obsolete
+privileged
+process
+raw-io
+reboot
+resources
+setuid
+signal
+swap
+sync
+system-service
+timer
diff --git a/contrib/syntax/lists/syscalls.list b/contrib/syntax/lists/syscalls.list
new file mode 100644
index 000000000..abb740b24
--- /dev/null
+++ b/contrib/syntax/lists/syscalls.list
@@ -0,0 +1,454 @@
+_llseek
+_newselect
+_sysctl
+accept
+accept4
+access
+acct
+add_key
+adjtimex
+afs_syscall
+alarm
+arch_prctl
+arm_fadvise64_64
+arm_sync_file_range
+bdflush
+bind
+bpf
+break
+brk
+capget
+capset
+chdir
+chmod
+chown
+chown32
+chroot
+clock_adjtime
+clock_adjtime64
+clock_getres
+clock_getres_time64
+clock_gettime
+clock_gettime64
+clock_nanosleep
+clock_nanosleep_time64
+clock_settime
+clock_settime64
+clone
+clone3
+close
+close_range
+connect
+copy_file_range
+creat
+create_module
+delete_module
+dup
+dup2
+dup3
+epoll_create
+epoll_create1
+epoll_ctl
+epoll_ctl_old
+epoll_pwait
+epoll_pwait2
+epoll_wait
+epoll_wait_old
+eventfd
+eventfd2
+execve
+execveat
+exit
+exit_group
+faccessat
+faccessat2
+fadvise64
+fadvise64_64
+fallocate
+fanotify_init
+fanotify_mark
+fchdir
+fchmod
+fchmodat
+fchown
+fchown32
+fchownat
+fcntl
+fcntl64
+fdatasync
+fgetxattr
+finit_module
+flistxattr
+flock
+fork
+fremovexattr
+fsconfig
+fsetxattr
+fsmount
+fsopen
+fspick
+fstat
+fstat64
+fstatat64
+fstatfs
+fstatfs64
+fsync
+ftime
+ftruncate
+ftruncate64
+futex
+futex_time64
+futex_waitv
+futimesat
+get_kernel_syms
+get_mempolicy
+get_robust_list
+get_thread_area
+getcpu
+getcwd
+getdents
+getdents64
+getegid
+getegid32
+geteuid
+geteuid32
+getgid
+getgid32
+getgroups
+getgroups32
+getitimer
+getpeername
+getpgid
+getpgrp
+getpid
+getpmsg
+getppid
+getpriority
+getrandom
+getresgid
+getresgid32
+getresuid
+getresuid32
+getrlimit
+getrusage
+getsid
+getsockname
+getsockopt
+gettid
+gettimeofday
+getuid
+getuid32
+getxattr
+gtty
+idle
+init_module
+inotify_add_watch
+inotify_init
+inotify_init1
+inotify_rm_watch
+io_cancel
+io_destroy
+io_getevents
+io_pgetevents
+io_pgetevents_time64
+io_setup
+io_submit
+io_uring_enter
+io_uring_register
+io_uring_setup
+ioctl
+ioperm
+iopl
+ioprio_get
+ioprio_set
+ipc
+kcmp
+kexec_file_load
+kexec_load
+keyctl
+kill
+landlock_add_rule
+landlock_create_ruleset
+landlock_restrict_self
+lchown
+lchown32
+lgetxattr
+link
+linkat
+listen
+listxattr
+llistxattr
+lock
+lookup_dcookie
+lremovexattr
+lseek
+lsetxattr
+lstat
+lstat64
+madvise
+mbind
+membarrier
+memfd_create
+migrate_pages
+mincore
+mkdir
+mkdirat
+mknod
+mknodat
+mlock
+mlock2
+mlockall
+mmap
+mmap2
+modify_ldt
+mount
+mount_setattr
+move_mount
+move_pages
+mprotect
+mpx
+mq_getsetattr
+mq_notify
+mq_open
+mq_timedreceive
+mq_timedreceive_time64
+mq_timedsend
+mq_timedsend_time64
+mq_unlink
+mremap
+msgctl
+msgget
+msgrcv
+msgsnd
+msync
+munlock
+munlockall
+munmap
+name_to_handle_at
+nanosleep
+newfstatat
+nfsservctl
+nice
+oldfstat
+oldlstat
+oldolduname
+oldstat
+olduname
+open
+open_by_handle_at
+open_tree
+openat
+openat2
+pause
+pciconfig_iobase
+pciconfig_read
+pciconfig_write
+perf_event_open
+personality
+pidfd_getfd
+pidfd_open
+pidfd_send_signal
+pipe
+pipe2
+pivot_root
+pkey_alloc
+pkey_free
+pkey_mprotect
+poll
+ppoll
+ppoll_time64
+prctl
+pread64
+preadv
+preadv2
+prlimit64
+process_madvise
+process_mrelease
+process_vm_readv
+process_vm_writev
+prof
+profil
+pselect6
+pselect6_time64
+ptrace
+putpmsg
+pwrite64
+pwritev
+pwritev2
+query_module
+quotactl
+quotactl_fd
+read
+readahead
+readdir
+readlink
+readlinkat
+readv
+reboot
+recv
+recvfrom
+recvmmsg
+recvmmsg_time64
+recvmsg
+remap_file_pages
+removexattr
+rename
+renameat
+renameat2
+request_key
+restart_syscall
+rmdir
+rseq
+rt_sigaction
+rt_sigpending
+rt_sigprocmask
+rt_sigqueueinfo
+rt_sigreturn
+rt_sigsuspend
+rt_sigtimedwait
+rt_sigtimedwait_time64
+rt_tgsigqueueinfo
+sched_get_priority_max
+sched_get_priority_min
+sched_getaffinity
+sched_getattr
+sched_getparam
+sched_getscheduler
+sched_rr_get_interval
+sched_rr_get_interval_time64
+sched_setaffinity
+sched_setattr
+sched_setparam
+sched_setscheduler
+sched_yield
+seccomp
+security
+select
+semctl
+semget
+semop
+semtimedop
+semtimedop_time64
+send
+sendfile
+sendfile64
+sendmmsg
+sendmsg
+sendto
+set_mempolicy
+set_robust_list
+set_thread_area
+set_tid_address
+setdomainname
+setfsgid
+setfsgid32
+setfsuid
+setfsuid32
+setgid
+setgid32
+setgroups
+setgroups32
+sethostname
+setitimer
+setns
+setpgid
+setpriority
+setregid
+setregid32
+setresgid
+setresgid32
+setresuid
+setresuid32
+setreuid
+setreuid32
+setrlimit
+setsid
+setsockopt
+settimeofday
+setuid
+setuid32
+setxattr
+sgetmask
+shmat
+shmctl
+shmdt
+shmget
+shutdown
+sigaction
+sigaltstack
+signal
+signalfd
+signalfd4
+sigpending
+sigprocmask
+sigreturn
+sigsuspend
+socket
+socketcall
+socketpair
+splice
+ssetmask
+stat
+stat64
+statfs
+statfs64
+statx
+stime
+stty
+swapoff
+swapon
+symlink
+symlinkat
+sync
+sync_file_range
+syncfs
+sysfs
+sysinfo
+syslog
+tee
+tgkill
+time
+timer_create
+timer_delete
+timer_getoverrun
+timer_gettime
+timer_gettime64
+timer_settime
+timer_settime64
+timerfd_create
+timerfd_gettime
+timerfd_gettime64
+timerfd_settime
+timerfd_settime64
+times
+tkill
+truncate
+truncate64
+tuxcall
+ugetrlimit
+ulimit
+umask
+umount
+umount2
+uname
+unlink
+unlinkat
+unshare
+uselib
+userfaultfd
+ustat
+utime
+utimensat
+utimensat_time64
+utimes
+vfork
+vhangup
+vm86
+vm86old
+vmsplice
+vserver
+wait4
+waitid
+waitpid
+write
+writev
diff --git a/contrib/syntax/lists/system_errnos.list b/contrib/syntax/lists/system_errnos.list
new file mode 100644
index 000000000..f0f816943
--- /dev/null
+++ b/contrib/syntax/lists/system_errnos.list
@@ -0,0 +1,135 @@
+E2BIG
+EACCES
+EADDRINUSE
+EADDRNOTAVAIL
+EADV
+EAFNOSUPPORT
+EAGAIN
+EALREADY
+EBADE
+EBADF
+EBADFD
+EBADMSG
+EBADR
+EBADRQC
+EBADSLT
+EBFONT
+EBUSY
+ECANCELED
+ECHILD
+ECHRNG
+ECOMM
+ECONNABORTED
+ECONNREFUSED
+ECONNRESET
+EDEADLK
+EDEADLOCK
+EDESTADDRREQ
+EDOM
+EDOTDOT
+EDQUOT
+EEXIST
+EFAULT
+EFBIG
+EHOSTDOWN
+EHOSTUNREACH
+EHWPOISON
+EIDRM
+EILSEQ
+EINPROGRESS
+EINTR
+EINVAL
+EIO
+EISCONN
+EISDIR
+EISNAM
+EKEYEXPIRED
+EKEYREJECTED
+EKEYREVOKED
+EL2HLT
+EL2NSYNC
+EL3HLT
+EL3RST
+ELIBACC
+ELIBBAD
+ELIBEXEC
+ELIBMAX
+ELIBSCN
+ELNRNG
+ELOOP
+EMEDIUMTYPE
+EMFILE
+EMLINK
+EMSGSIZE
+EMULTIHOP
+ENAMETOOLONG
+ENAVAIL
+ENETDOWN
+ENETRESET
+ENETUNREACH
+ENFILE
+ENOANO
+ENOATTR
+ENOBUFS
+ENOCSI
+ENODATA
+ENODEV
+ENOENT
+ENOEXEC
+ENOKEY
+ENOLCK
+ENOLINK
+ENOMEDIUM
+ENOMEM
+ENOMSG
+ENONET
+ENOPKG
+ENOPROTOOPT
+ENOSPC
+ENOSR
+ENOSTR
+ENOSYS
+ENOTBLK
+ENOTCONN
+ENOTDIR
+ENOTEMPTY
+ENOTNAM
+ENOTRECOVERABLE
+ENOTSOCK
+ENOTSUP
+ENOTTY
+ENOTUNIQ
+ENXIO
+EOPNOTSUPP
+EOVERFLOW
+EOWNERDEAD
+EPERM
+EPFNOSUPPORT
+EPIPE
+EPROTO
+EPROTONOSUPPORT
+EPROTOTYPE
+ERANGE
+EREMCHG
+EREMOTE
+EREMOTEIO
+ERESTART
+ERFKILL
+EROFS
+ESHUTDOWN
+ESOCKTNOSUPPORT
+ESPIPE
+ESRCH
+ESRMNT
+ESTALE
+ESTRPIPE
+ETIME
+ETIMEDOUT
+ETOOMANYREFS
+ETXTBSY
+EUCLEAN
+EUNATCH
+EUSERS
+EWOULDBLOCK
+EXDEV
+EXFULL
diff --git a/contrib/vim/syntax/firejail.vim b/contrib/vim/syntax/firejail.vim
deleted file mode 100644
index c844350d8..000000000
--- a/contrib/vim/syntax/firejail.vim
+++ /dev/null
@@ -1,104 +0,0 @@
-" Vim syntax file
-" Language: Firejail security sandbox profile
-" URL: https://github.com/netblue30/firejail
-
-if exists("b:current_syntax")
-  finish
-endif
-
-
-syn iskeyword @,48-57,_,.,-
-
-
-syn keyword fjTodo TODO FIXME XXX NOTE contained
-syn match fjComment "#.*$" contains=fjTodo
-
-"TODO: highlight "dangerous" capabilities differently, as is done in apparmor.vim?
-syn keyword fjCapability audit_control audit_read audit_write block_suspend chown dac_override dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable mac_admin mac_override mknod net_admin net_bind_service net_broadcast net_raw setgid setfcap setpcap setuid sys_admin sys_boot sys_chroot sys_module sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config syslog wake_alarm nextgroup=fjCapabilityList contained
-syn match fjCapabilityList /,/ nextgroup=fjCapability contained
-
-syn keyword fjNamespaces cgroup ipc net mnt pid time user uts nextgroup=fjNamespacesList contained
-syn match fjNamespacesList /,/ nextgroup=fjNamespaces contained
-
-syn keyword fjProtocol unix inet inet6 netlink packet nextgroup=fjProtocolList contained
-syn match fjProtocolList /,/ nextgroup=fjProtocol contained
-
-" Syscalls grabbed from: src/include/syscall*.h
-" Generate list with: sed -n 's/{\s\+"\([^"]\+\)",.*},/\1/p' src/include/syscall*.h | sort -u | tr '\n' ' '
-syn keyword fjSyscall _llseek _newselect _sysctl accept accept4 access acct add_key adjtimex afs_syscall alarm arch_prctl arm_fadvise64_64 arm_sync_file_range bdflush bind bpf break brk capget capset chdir chmod chown chown32 chroot clock_adjtime clock_adjtime64 clock_getres clock_getres_time64 clock_gettime clock_gettime64 clock_nanosleep clock_nanosleep_time64 clock_settime clock_settime64 clone clone3 close connect copy_file_range creat create_module delete_module dup dup2 dup3 epoll_create epoll_create1 epoll_ctl epoll_ctl_old epoll_pwait epoll_wait epoll_wait_old eventfd eventfd2 execve execveat exit exit_group faccessat faccessat2 fadvise64 fadvise64_64 fallocate fanotify_init fanotify_mark fchdir fchmod fchmodat fchown fchown32 fchownat fcntl fcntl64 fdatasync fgetxattr finit_module flistxattr flock fork fremovexattr fsconfig fsetxattr fsmount fsopen fspick fstat fstat64 fstatat64 fstatfs fstatfs64 fsync ftime ftruncate ftruncate64 futex futex_time64 futimesat getcpu getcwd getdents getdents64 getegid getegid32 geteuid geteuid32 getgid getgid32 getgroups getgroups32 getitimer get_kernel_syms get_mempolicy getpeername getpgid getpgrp getpid getpmsg getppid getpriority getrandom getresgid getresgid32 getresuid getresuid32 getrlimit get_robust_list getrusage getsid getsockname getsockopt get_thread_area gettid gettimeofday getuid getuid32 getxattr gtty idle init_module inotify_add_watch inotify_init inotify_init1 inotify_rm_watch io_cancel ioctl io_destroy io_getevents ioperm io_pgetevents io_pgetevents_time64 iopl ioprio_get ioprio_set io_setup io_submit io_uring_enter io_uring_register io_uring_setup ipc kcmp kexec_file_load kexec_load keyctl kill lchown lchown32 lgetxattr link linkat listen listxattr llistxattr lock lookup_dcookie lremovexattr lseek lsetxattr lstat lstat64 madvise mbind membarrier memfd_create migrate_pages mincore mkdir mkdirat mknod mknodat mlock mlock2 mlockall mmap mmap2 modify_ldt mount move_mount move_pages mprotect mpx mq_getsetattr mq_notify mq_open mq_timedreceive mq_timedreceive_time64 mq_timedsend mq_timedsend_time64 mq_unlink mremap msgctl msgget msgrcv msgsnd msync munlock munlockall munmap name_to_handle_at nanosleep newfstatat nfsservctl nice oldfstat oldlstat oldolduname oldstat olduname open openat open_by_handle_at open_tree pause pciconfig_iobase pciconfig_read pciconfig_write perf_event_open personality pidfd_open pidfd_send_signal pipe pipe2 pivot_root pkey_alloc pkey_free pkey_mprotect poll ppoll ppoll_time64 prctl pread64 preadv preadv2 prlimit64 process_vm_readv process_vm_writev prof profil pselect6 pselect6_time64 ptrace putpmsg pwrite64 pwritev pwritev2 query_module quotactl read readahead readdir readlink readlinkat readv reboot recv recvfrom recvmmsg recvmmsg_time64 recvmsg remap_file_pages removexattr rename renameat renameat2 request_key restart_syscall rmdir rseq rt_sigaction rt_sigpending rt_sigprocmask rt_sigqueueinfo rt_sigreturn rt_sigsuspend rt_sigtimedwait rt_sigtimedwait_time64 rt_tgsigqueueinfo sched_getaffinity sched_getattr sched_getparam sched_get_priority_max sched_get_priority_min sched_getscheduler sched_rr_get_interval sched_rr_get_interval_time64 sched_setaffinity sched_setattr sched_setparam sched_setscheduler sched_yield seccomp security select semctl semget semop semtimedop semtimedop_time64 send sendfile sendfile64 sendmmsg sendmsg sendto setdomainname setfsgid setfsgid32 setfsuid setfsuid32 setgid setgid32 setgroups setgroups32 sethostname setitimer set_mempolicy setns setpgid setpriority setregid setregid32 setresgid setresgid32 setresuid setresuid32 setreuid setreuid32 setrlimit set_robust_list setsid setsockopt set_thread_area set_tid_address settimeofday setuid setuid32 setxattr sgetmask shmat shmctl shmdt shmget shutdown sigaction sigaltstack signal signalfd signalfd4 sigpending sigprocmask sigreturn sigsuspend socket socketcall socketpair splice ssetmask stat stat64 statfs statfs64 statx stime stty swapoff swapon symlink symlinkat sync sync_file_range sync_file_range2 syncfs syscall sysfs sysinfo syslog tee tgkill time timer_create timer_delete timerfd_create timerfd_gettime timerfd_gettime64 timerfd_settime timerfd_settime64 timer_getoverrun timer_gettime timer_gettime64 timer_settime timer_settime64 times tkill truncate truncate64 tuxcall ugetrlimit ulimit umask umount umount2 uname unlink unlinkat unshare uselib userfaultfd ustat utime utimensat utimensat_time64 utimes vfork vhangup vm86 vm86old vmsplice vserver wait4 waitid waitpid write writev nextgroup=fjSyscallErrno contained
-" Syscall groups grabbed from: src/fseccomp/syscall.c
-" Generate list with: sed -En 's/.*"@([^",]+).*/\1/p' src/lib/syscall.c | sort -u | tr '\n' '|'
-syn match fjSyscall /\v\@(aio|basic-io|chown|clock|cpu-emulation|debug|default|default-keep|default-nodebuggers|file-system|io-event|ipc|keyring|memlock|module|mount|network-io|obsolete|privileged|process|raw-io|reboot|resources|setuid|signal|swap|sync|system-service|timer)>/ nextgroup=fjSyscallErrno contained
-syn match fjSyscall /\$[0-9]\+/ nextgroup=fjSyscallErrno contained
-" Errnos grabbed from: src/fseccomp/errno.c
-" Generate list with: sed -En 's/.*"(E[^"]+).*/\1/p' src/lib/errno.c | sort -u | tr '\n' '|'
-syn match fjSyscallErrno /\v(:(E2BIG|EACCES|EADDRINUSE|EADDRNOTAVAIL|EADV|EAFNOSUPPORT|EAGAIN|EALREADY|EBADE|EBADF|EBADFD|EBADMSG|EBADR|EBADRQC|EBADSLT|EBFONT|EBUSY|ECANCELED|ECHILD|ECHRNG|ECOMM|ECONNABORTED|ECONNREFUSED|ECONNRESET|EDEADLK|EDEADLOCK|EDESTADDRREQ|EDOM|EDOTDOT|EDQUOT|EEXIST|EFAULT|EFBIG|EHOSTDOWN|EHOSTUNREACH|EHWPOISON|EIDRM|EILSEQ|EINPROGRESS|EINTR|EINVAL|EIO|EISCONN|EISDIR|EISNAM|EKEYEXPIRED|EKEYREJECTED|EKEYREVOKED|EL2HLT|EL2NSYNC|EL3HLT|EL3RST|ELIBACC|ELIBBAD|ELIBEXEC|ELIBMAX|ELIBSCN|ELNRNG|ELOOP|EMEDIUMTYPE|EMFILE|EMLINK|EMSGSIZE|EMULTIHOP|ENAMETOOLONG|ENAVAIL|ENETDOWN|ENETRESET|ENETUNREACH|ENFILE|ENOANO|ENOATTR|ENOBUFS|ENOCSI|ENODATA|ENODEV|ENOENT|ENOEXEC|ENOKEY|ENOLCK|ENOLINK|ENOMEDIUM|ENOMEM|ENOMSG|ENONET|ENOPKG|ENOPROTOOPT|ENOSPC|ENOSR|ENOSTR|ENOSYS|ENOTBLK|ENOTCONN|ENOTDIR|ENOTEMPTY|ENOTNAM|ENOTRECOVERABLE|ENOTSOCK|ENOTSUP|ENOTTY|ENOTUNIQ|ENXIO|EOPNOTSUPP|EOVERFLOW|EOWNERDEAD|EPERM|EPFNOSUPPORT|EPIPE|EPROTO|EPROTONOSUPPORT|EPROTOTYPE|ERANGE|EREMCHG|EREMOTE|EREMOTEIO|ERESTART|ERFKILL|EROFS|ESHUTDOWN|ESOCKTNOSUPPORT|ESPIPE|ESRCH|ESRMNT|ESTALE|ESTRPIPE|ETIME|ETIMEDOUT|ETOOMANYREFS|ETXTBSY|EUCLEAN|EUNATCH|EUSERS|EWOULDBLOCK|EXDEV|EXFULL)>)?/ nextgroup=fjSyscallList contained
-syn match fjSyscallList /,/ nextgroup=fjSyscall contained
-
-syn keyword fjX11Sandbox none xephyr xorg xpra xvfb contained
-syn keyword fjSeccompAction kill log ERRNO contained
-
-syn match fjEnvVar "[A-Za-z0-9_]\+=" contained
-syn match fjRmenvVar "[A-Za-z0-9_]\+" contained
-
-syn keyword fjAll all contained
-syn keyword fjNone none contained
-syn keyword fjLo lo contained
-syn keyword fjFilter filter contained
-
-" Variable names grabbed from: src/firejail/macros.c
-" Generate list with: sed -En 's/.*\$\{([^}]+)\}.*/\1/p' src/firejail/macros.c | sort -u | tr '\n' '|'
-syn match fjVar /\v\$\{(CFG|DESKTOP|DOCUMENTS|DOWNLOADS|HOME|MUSIC|PATH|PICTURES|RUNUSER|VIDEOS)}/
-
-" Commands grabbed from: src/firejail/profile.c
-" Generate list with: { sed -En 's/.*strn?cmp\(ptr, "([^"]+) ".*/\1/p' src/firejail/profile.c; echo private-lib; } | grep -Ev '^(include|ignore|caps\.drop|caps\.keep|protocol|restrict-namespaces|seccomp|seccomp\.drop|seccomp\.keep|env|rmenv|net|ip)$' | sort -u | tr '\n' '|' # private-lib is special-cased in the code and doesn't match the regex; grep-ed patterns are handled later with 'syn match nextgroup=' directives (except for include which is special-cased as a fjCommandNoCond keyword)
-syn match fjCommand /\v(apparmor|bind|blacklist|blacklist-nolog|cpu|defaultgw|dns|hostname|hosts-file|ip6|iprange|join-or-start|mac|mkdir|mkfile|mtu|name|netfilter|netfilter6|netmask|nice|noblacklist|noexec|nowhitelist|overlay-named|private|private-bin|private-cwd|private-etc|private-home|private-lib|private-opt|private-srv|read-only|read-write|rlimit-as|rlimit-cpu|rlimit-fsize|rlimit-nofile|rlimit-nproc|rlimit-sigpending|timeout|tmpfs|veth-name|whitelist|xephyr-screen) / skipwhite contained
-" Generate list with: sed -En 's/.*strn?cmp\(ptr, "([^ "]*[^ ])".*/\1/p' src/firejail/profile.c | grep -Ev '^(include|rlimit|quiet)$' | sed 's/\./\\./' | sort -u | tr '\n' '|' # include/rlimit are false positives, quiet is special-cased below
-syn match fjCommand /\v(allow-debuggers|allusers|apparmor|caps|deterministic-exit-code|deterministic-shutdown|disable-mnt|ipc-namespace|keep-config-pulse|keep-dev-shm|keep-fd|keep-var-tmp|machine-id|memory-deny-write-execute|netfilter|no3d|noautopulse|nodbus|nodvd|nogroups|noinput|nonewprivs|noprinters|noroot|nosound|notv|nou2f|novideo|overlay|overlay-tmpfs|private|private-cache|private-cwd|private-dev|private-lib|private-tmp|seccomp|seccomp\.32|seccomp\.block-secondary|tracelog|writable-etc|writable-run-user|writable-var|writable-var-log|x11)$/ contained
-syn match fjCommand /ignore / nextgroup=fjCommand,fjCommandNoCond skipwhite contained
-syn match fjCommand /caps\.drop / nextgroup=fjCapability,fjAll skipwhite contained
-syn match fjCommand /caps\.keep / nextgroup=fjCapability skipwhite contained
-syn match fjCommand /protocol / nextgroup=fjProtocol skipwhite contained
-syn match fjCommand /restrict-namespaces / nextgroup=fjNamespaces skipwhite contained
-syn match fjCommand /\vseccomp(\.32)?(\.drop|\.keep)? / nextgroup=fjSyscall skipwhite contained
-syn match fjCommand /x11 / nextgroup=fjX11Sandbox skipwhite contained
-syn match fjCommand /env / nextgroup=fjEnvVar skipwhite contained
-syn match fjCommand /rmenv / nextgroup=fjRmenvVar skipwhite contained
-syn match fjCommand /shell / nextgroup=fjNone skipwhite contained
-syn match fjCommand /net / nextgroup=fjNone,fjLo skipwhite contained
-syn match fjCommand /ip / nextgroup=fjNone skipwhite contained
-syn match fjCommand /seccomp-error-action / nextgroup=fjSeccompAction skipwhite contained
-syn match fjCommand /\vdbus-(user|system) / nextgroup=fjFilter,fjNone skipwhite contained
-syn match fjCommand /\vdbus-(user|system)\.(broadcast|call|own|see|talk) / skipwhite contained
-" Commands that can't be inside a ?CONDITIONAL: statement
-syn match fjCommandNoCond /include / skipwhite contained
-syn match fjCommandNoCond /quiet$/ contained
-
-" Conditionals grabbed from: src/firejail/profile.c
-" Generate list with: awk -- 'BEGIN {process=0;} /^Cond conditionals\[\] = \{$/ {process=1;} /\t*\{"[^"]+".*/ { if (process) {print gensub(/^\t*\{"([^"]+)".*$/, "\\1", 1);} } /^\t\{ NULL, NULL \}$/ {process=0;}' src/firejail/profile.c | sort -u | tr '\n' '|'
-syn match fjConditional /\v\?(ALLOW_TRAY|BROWSER_ALLOW_DRM|BROWSER_DISABLE_U2F|HAS_APPIMAGE|HAS_NET|HAS_NODBUS|HAS_NOSOUND|HAS_X11) ?:/ nextgroup=fjCommand skipwhite contained
-
-" A line is either a command, a conditional or a comment
-syn match fjStatement /^/ nextgroup=fjCommand,fjCommandNoCond,fjConditional,fjComment
-
-hi def link fjTodo Todo
-hi def link fjComment Comment
-hi def link fjCommand Statement
-hi def link fjCommandNoCond Statement
-hi def link fjConditional Macro
-hi def link fjVar Identifier
-hi def link fjCapability Type
-hi def link fjProtocol Type
-hi def link fjSyscall Type
-hi def link fjSyscallErrno Constant
-hi def link fjX11Sandbox Type
-hi def link fjEnvVar Type
-hi def link fjRmenvVar Type
-hi def link fjAll Type
-hi def link fjNone Type
-hi def link fjLo Type
-hi def link fjFilter Type
-hi def link fjSeccompAction Type
-
-
-let b:current_syntax = "firejail"
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index 44e45d416..66a309d85 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -18,6 +18,7 @@ blacklist-nolog ${HOME}/.histfile
 blacklist-nolog ${HOME}/.history
 blacklist-nolog ${HOME}/.kde/share/apps/klipper
 blacklist-nolog ${HOME}/.kde4/share/apps/klipper
+blacklist-nolog ${HOME}/.lesshst
 blacklist-nolog ${HOME}/.local/share/fish/fish_history
 blacklist-nolog ${HOME}/.local/share/ibus-typing-booster
 blacklist-nolog ${HOME}/.local/share/klipper
@@ -25,10 +26,9 @@ blacklist-nolog ${HOME}/.local/share/nvim
 blacklist-nolog ${HOME}/.local/state/nvim
 blacklist-nolog ${HOME}/.macromedia
 blacklist-nolog ${HOME}/.mupdf.history
+blacklist-nolog ${HOME}/.mutthistory
 blacklist-nolog ${HOME}/.python-history
-blacklist-nolog ${HOME}/.python_history
 blacklist-nolog ${HOME}/.pythonhist
-blacklist-nolog ${HOME}/.lesshst
 blacklist-nolog ${HOME}/.viminfo
 blacklist-nolog /tmp/clipmenu*
 
diff --git a/etc/profile-a-l/atool.profile b/etc/profile-a-l/atool.profile
index 6399bc1a3..b2bc17c67 100644
--- a/etc/profile-a-l/atool.profile
+++ b/etc/profile-a-l/atool.profile
@@ -13,7 +13,7 @@ include allow-perl.inc
 noroot
 
 # without login.defs atool complains and uses UID/GID 1000 by default
-private-etc alternatives,group,ld.so.cache,ld.so.preload,login.defs,passwd
+private-etc alternatives,group,ld.so.cache,ld.so.preload,login.defs,passwd,resolv.conf
 private-tmp
 
 # Redirect
diff --git a/etc/profile-a-l/curl.profile b/etc/profile-a-l/curl.profile
index 88b29cfbd..bfe8764d5 100644
--- a/etc/profile-a-l/curl.profile
+++ b/etc/profile-a-l/curl.profile
@@ -54,7 +54,7 @@ tracelog
 private-cache
 private-dev
 # private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl
-private-etc TLS-CA
+private-etc @tls-ca
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/firefox-common.profile b/etc/profile-a-l/firefox-common.profile
index 3365c0829..57c9b5dfb 100644
--- a/etc/profile-a-l/firefox-common.profile
+++ b/etc/profile-a-l/firefox-common.profile
@@ -60,7 +60,7 @@ disable-mnt
 # private-etc below works fine on most distributions. There are some problems on CentOS.
 # Add it to your firefox-common.local if you want to enable it.
 #private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
-private-etc GUI,mailcap,mime.types,NETWORK,os-release,TLS-CA
+private-etc @tls-ca,@x11,mailcap,mime.types,os-release
 private-tmp
 
 blacklist ${PATH}/curl
diff --git a/etc/profile-a-l/gimp.profile b/etc/profile-a-l/gimp.profile
index d9515c867..f29929a72 100644
--- a/etc/profile-a-l/gimp.profile
+++ b/etc/profile-a-l/gimp.profile
@@ -59,7 +59,7 @@ seccomp !mbind
 tracelog
 
 private-dev
-private-etc gcrypt,GUI,python*
+private-etc @x11,gcrypt,python*
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/inkscape.profile b/etc/profile-a-l/inkscape.profile
index 702bebf36..ea01e8c47 100644
--- a/etc/profile-a-l/inkscape.profile
+++ b/etc/profile-a-l/inkscape.profile
@@ -65,7 +65,7 @@ tracelog
 # private-bin inkscape,potrace,python* - problems on Debian stretch
 private-cache
 private-dev
-private-etc ImageMagick*,inkscape: GUI,python*
+private-etc @x11,ImageMagick*,python*
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-m-z/mutt.profile b/etc/profile-m-z/mutt.profile
index 52d30669f..bce56743a 100644
--- a/etc/profile-m-z/mutt.profile
+++ b/etc/profile-m-z/mutt.profile
@@ -23,6 +23,7 @@ noblacklist ${HOME}/.mail
 noblacklist ${HOME}/.mailcap
 noblacklist ${HOME}/.msmtprc
 noblacklist ${HOME}/.mutt
+noblacklist ${HOME}/.mutthistory
 noblacklist ${HOME}/.muttrc
 noblacklist ${HOME}/.nanorc
 noblacklist ${HOME}/.signature
@@ -51,29 +52,18 @@ include disable-programs.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.Mail
-mkdir ${HOME}/.bogofilter
 mkdir ${HOME}/.cache/mutt
 mkdir ${HOME}/.config/mutt
-mkdir ${HOME}/.config/nano
-mkdir ${HOME}/.elinks
-mkdir ${HOME}/.emacs.d
 mkdir ${HOME}/.gnupg
 mkdir ${HOME}/.mail
 mkdir ${HOME}/.mutt
-mkdir ${HOME}/.vim
-mkdir ${HOME}/.w3m
 mkdir ${HOME}/Mail
 mkdir ${HOME}/mail
 mkdir ${HOME}/postponed
 mkdir ${HOME}/sent
-mkfile ${HOME}/.emacs
 mkfile ${HOME}/.mailcap
-mkfile ${HOME}/.msmtprc
 mkfile ${HOME}/.muttrc
-mkfile ${HOME}/.nanorc
 mkfile ${HOME}/.signature
-mkfile ${HOME}/.viminfo
-mkfile ${HOME}/.vimrc
 whitelist ${DOCUMENTS}
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.Mail
@@ -89,6 +79,7 @@ whitelist ${HOME}/.mail
 whitelist ${HOME}/.mailcap
 whitelist ${HOME}/.msmtprc
 whitelist ${HOME}/.mutt
+whitelist ${HOME}/.mutthistory
 whitelist ${HOME}/.muttrc
 whitelist ${HOME}/.nanorc
 whitelist ${HOME}/.signature
diff --git a/etc/profile-m-z/warzone2100.profile b/etc/profile-m-z/warzone2100.profile
index 6000bd98f..b0eea4380 100644
--- a/etc/profile-m-z/warzone2100.profile
+++ b/etc/profile-m-z/warzone2100.profile
@@ -46,7 +46,7 @@ tracelog
 disable-mnt
 private-bin bash,dash,sh,warzone2100,which
 private-dev
-private-etc GAMES,GUI
+private-etc @games,@x11
 private-tmp
 
 restrict-namespaces
diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c
index ad5e8585d..83f140d80 100644
--- a/src/firejail/fs_etc.c
+++ b/src/firejail/fs_etc.c
@@ -77,15 +77,15 @@ char *fs_etc_build(char *str) {
 		char* ptr = strtok(str, ",");
 		while (ptr) {
 			// look for standard groups
-			if (strcmp(ptr, "TLS-CA") == 0)
+			if (strcmp(ptr, "@tls-ca") == 0)
 				etc_copy_group(&etc_group_tls_ca[0]);
-			if (strcmp(ptr, "GUI") == 0)
-				etc_copy_group(&etc_group_gui[0]);
-			if (strcmp(ptr, "SOUND") == 0)
+			if (strcmp(ptr, "@x11") == 0)
+				etc_copy_group(&etc_group_x11[0]);
+			if (strcmp(ptr, "@sound") == 0)
 				etc_copy_group(&etc_group_sound[0]);
-			if (strcmp(ptr, "NETWORK") == 0)
+			if (strcmp(ptr, "@network") == 0)
 				etc_copy_group(&etc_group_network[0]);
-			if (strcmp(ptr, "GAMES") == 0)
+			if (strcmp(ptr, "@games") == 0)
 				etc_copy_group(&etc_group_games[0]);
 			else
 				etc_add(ptr);
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 57fe4fb22..02fcb77d7 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -2172,11 +2172,24 @@ int main(int argc, char **argv, char **envp) {
 		// hostname, etc
 		//*************************************
 		else if (strncmp(argv[i], "--name=", 7) == 0) {
+			int only_numbers = 1;
 			cfg.name = argv[i] + 7;
 			if (strlen(cfg.name) == 0) {
 				fprintf(stderr, "Error: please provide a name for sandbox\n");
 				return 1;
 			}
+			const char *c = cfg.name;
+			while (*c) {
+				if (!isdigit(*c)) {
+					only_numbers = 0;
+					break;
+				}
+				++c;
+			}
+			if (only_numbers) {
+				fprintf(stderr, "Error: invalid sandbox name: it only contains digits\n");
+				return 1;
+			}
 		}
 		else if (strncmp(argv[i], "--hostname=", 11) == 0) {
 			cfg.hostname = argv[i] + 11;
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index a64198e68..d01999ec5 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -326,11 +326,24 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 	}
 	// sandbox name
 	else if (strncmp(ptr, "name ", 5) == 0) {
+		int only_numbers = 1;
 		cfg.name = ptr + 5;
 		if (strlen(cfg.name) == 0) {
 			fprintf(stderr, "Error: invalid sandbox name\n");
 			exit(1);
 		}
+		const char *c = cfg.name;
+		while (*c) {
+			if (!isdigit(*c)) {
+				only_numbers = 0;
+				break;
+			}
+			++c;
+		}
+		if (only_numbers) {
+			fprintf(stderr, "Error: invalid sandbox name: it only contains digits\n");
+			exit(1);
+		}
 		return 0;
 	}
 	else if (strcmp(ptr, "ipc-namespace") == 0) {
diff --git a/src/include/etc_groups.h b/src/include/etc_groups.h
index 421837fbb..fcb824778 100644
--- a/src/include/etc_groups.h
+++ b/src/include/etc_groups.h
@@ -23,7 +23,7 @@
 
 #define ETC_MAX 256
 
-// DEFAULT
+// @default
 static char *etc_list[ETC_MAX + 1] = { // plus 1 for ending NULL pointer
 	"alternatives",
 	"fonts",
@@ -42,7 +42,7 @@ static char *etc_list[ETC_MAX + 1] = { // plus 1 for ending NULL pointer
 	NULL
 };
 
-// SOUND
+// @sound
 static char *etc_group_sound[] = {
 	"alsa",
 	"asound.conf",
@@ -51,7 +51,7 @@ static char *etc_group_sound[] = {
 	NULL
 };
 
-// NETWORK
+// @network
 static char*etc_group_network[] = {
 	"hostname",
 	"hosts",
@@ -60,7 +60,7 @@ static char*etc_group_network[] = {
 	NULL
 };
 
-// TLS-CA
+// @tls-ca
 static char *etc_group_tls_ca[] = {
 	"ca-certificates",
 	"crypto-policies",
@@ -70,8 +70,8 @@ static char *etc_group_tls_ca[] = {
 	NULL
 };
 
-// GUI
-static char *etc_group_gui[] = {
+// @x11
+static char *etc_group_x11[] = {
 	"xdg",
 	"drirc",
 	"dconf",
@@ -80,10 +80,12 @@ static char *etc_group_gui[] = {
 	"kde4rc",
 	"kde5rc",
 	"pango", // text rendering/internationalization
+	"nvidia",
+	"X11",
 	NULL
 };
 
-// GAMES
+// @games
 static char *etc_group_games[] = {
 	"timidity", // MIDI
 	"timidity.cfg",
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index e60c139a5..1b051ab57 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1330,6 +1330,7 @@ $ firejail \-\-net=eth0 \-\-mtu=1492
 \fB\-\-name=name
 Set sandbox name. Several options, such as \-\-join and \-\-shutdown, can use
 this name to identify a sandbox.
+The name cannot contain only digits, as that is treated as a PID in the other options, such as in \-\-join.
 
 In case the name supplied by the user is already in use by another sandbox, Firejail will assign a
 new name as "name-PID", where PID is the process ID of the sandbox. This functionality
@@ -2127,27 +2128,27 @@ cdrom  cdrw  dri  dvd  dvdrw  full  log  null  ptmx  pts  random  shm  snd  sr0
 .br
 $
 .TP
-\fB\-\-private-etc, \-\-private-etc=file,directory
+\fB\-\-private-etc, \-\-private-etc=file,directory,@group
 The files installed by \-\-private-etc are copies of the original system files from /etc directory.
 By default, the command brings in a skeleton of files and directories used by most console tools:
 
 $ firejail --private-etc dig debian.org
 
-For X11/GTK/QT/Gnome/KDE  programs add GUI group as a parameter. Example:
+For X11/GTK/QT/Gnome/KDE  programs add @x11 group as a parameter. Example:
 
-$ firejail --private-etc=GUI,python* gimp
+$ firejail --private-etc=@x11,gcrypt,python* gimp
 
-/etc/python* directories are not part of the generic GUI group.
-These directories are reuqired by Gimp plugin system. File globbing is supported.
+gcrypt and /etc/python* directories are not part of the generic @x11 group.
+File globbing is supported.
 
-For games, add GAMES group:
+For games, add @games group:
 
-$ firejail --private-etc=GUI,GAMES warzone2100
+$ firejail --private-etc=@games,@x11 warzone2100
 
 Sound and networking files are included automatically, unless \-\-nosound or \-\-net=none are specified.
-Files for encrypted TLS/SSL protocol are in TLS-CA group.
+Files for encrypted TLS/SSL protocol are in @tls-ca group.
 
-$ firejail --private-etc=TLS-CA,wgetrc wget https://debian.org
+$ firejail --private-etc=@tls-ca,wgetrc wget https://debian.org
 
 
 Note: The easiest way to extract the list of /etc files accessed by your program is using strace utility: