diff --git a/etc/inc/allow-lua.inc b/etc/inc/allow-lua.inc
index 9c47e7a3b7b..4b6dd8a53a3 100644
--- a/etc/inc/allow-lua.inc
+++ b/etc/inc/allow-lua.inc
@@ -8,5 +8,4 @@ noblacklist /usr/lib/liblua*
 noblacklist /usr/lib/lua
 noblacklist /usr/lib64/liblua*
 noblacklist /usr/lib64/lua
-noblacklist /usr/share/lua
 noblacklist /usr/share/lua*
diff --git a/etc/profile-a-l/luarocks.profile b/etc/profile-a-l/luarocks.profile
new file mode 100644
index 00000000000..e6a9df60d09
--- /dev/null
+++ b/etc/profile-a-l/luarocks.profile
@@ -0,0 +1,72 @@
+# Firejail profile for luarocks
+# Description: LuaRocks is the package manager for the Lua programming language.
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include luarocks.local
+# Persistent global definitions
+include globals.local
+
+# Disallow blocking access to Lua header files.
+noblacklist /usr/include/lua*
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
+
+blacklist ${RUNUSER}
+
+include disable-common.inc
+# luarocks can invoke compilers
+#include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+# luarocks is hacky and needs shell access
+#include disable-shell.inc
+include disable-X11.inc
+include disable-xdg.inc
+
+whitelist ${HOME}/.netrc
+whitelist ${HOME}/.config/pkcs11
+whitelist ${HOME}/.wget-hsts
+whitelist ${HOME}/.cache/luarocks
+whitelist ${HOME}/luarocks/cmd/external
+whitelist ${HOME}/.nix-profile/bin
+whitelist ${HOME}/.luarocks
+whitelist ${HOME}/.config/luarocks
+
+whitelist /usr/share/lua
+include whitelist-run-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+# apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-cache
+private-dev
+#private-etc alternatives,ca-certificates,crypto-policies,luarocks,pki,ssl
+private-tmp
+
+dbus-user none
+dbus-system none
+
+read-write ${HOME}/.luarocks
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index a544e25f22a..8b7ae881e0c 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
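Review bot: The home whitelist block in luarocks.profile leaves `${HOME}/.netrc` (plaintext credentials) and `${HOME}/.nix-profile/bin` writable and readable by a tool that, per the profile's own comments, invokes compilers and needs a shell, while `protocol unix,inet,inet6` keeps the network open; code run during a rock build could therefore read stored logins or leave files in a directory that is probably on the user's PATH outside the sandbox. If both paths are really required, I would add `read-only ${HOME}/.netrc` and `read-only ${HOME}/.nix-profile/bin` after the whitelist lines, each with a comment naming the luarocks operation that needs it, and otherwise drop them. `whitelist ${HOME}/luarocks/cmd/external` has no leading dot and looks like a typo for a path under `${HOME}/.luarocks`, which is already whitelisted. `whitelist /usr/share/lua` is also narrower than the `/usr/share/lua*` glob that allow-lua.inc keeps in this same commit, and the commented-out `# apparmor` and `#private-etc` lines deserve a one-line reason like the ones given for disable-devel.inc and disable-shell.inc.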
@@ -481,6 +481,7 @@ lowriter
 # lrzip - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
 # lrztar - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
 # lrzuntar - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+luarocks
 luminance-hdr
 lximage-qt
 lxmusic