Merge branch 'master' of https://github.com/netblue30/firejail

126 files changed, 2793 insertions, 37 deletions

diff --git a/.gitignore b/.gitignore
index 554d1985b..0882eeecf 100644
--- a/.gitignore
+++ b/.gitignore
@@ -25,6 +25,7 @@ src/fnet/fnet
 src/fseccomp/fseccomp
 src/fcopy/fcopy
 src/fldd/fldd
+src/fbuilder/fbuilder
 uids.h
 seccomp
 seccomp.debug
diff --git a/Makefile.in b/Makefile.in
index e20aa5b62..be5ab837f 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -1,6 +1,6 @@
 all: apps man filters
 MYLIBS = src/lib
-APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee src/faudit src/fnet src/fseccomp src/fcopy src/fldd src/libpostexecseccomp
+APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee src/faudit src/fnet src/fseccomp src/fbuilder src/fcopy src/fldd src/libpostexecseccomp
 MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5
 SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.64 seccomp.block_secondary seccomp.mdwx
 
@@ -99,6 +99,7 @@ endif
         install -c -m 0755 src/fnet/fnet $(DESTDIR)/$(libdir)/firejail/.
         install -c -m 0755 src/fcopy/fcopy $(DESTDIR)/$(libdir)/firejail/.
         install -c -m 0755 src/fldd/fldd $(DESTDIR)/$(libdir)/firejail/.
+        install -c -m 0755 src/fbuilder/fbuilder $(DESTDIR)/$(libdir)/firejail/.
 ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP)
         install -c -m 0755 src/fseccomp/fseccomp $(DESTDIR)/$(libdir)/firejail/.
         install -c -m 0644 seccomp $(DESTDIR)/$(libdir)/firejail/.
@@ -169,6 +170,7 @@ install-strip: all
         strip src/fseccomp/fseccomp
         strip src/fcopy/fcopy
         strip src/fldd/fldd
+        strip src/fbuilder/fbuilder
         $(MAKE) realinstall
 
 uninstall:
diff --git a/README b/README
index da5c39516..239cd26b0 100644
--- a/README
+++ b/README
@@ -112,6 +112,10 @@ creideiki (https://github.com/creideiki)
         - make the sandbox process reap all children
 chiraag-nataraj (https://github.com/chiraag-nataraj)
         - support for newer Xpra versions (2.1+)
+        - added Viber, amule, ardour5, brackets, calligra, cin, fetchmail profiles
+        - added freecad, google-earth, imagej, kdenlive, linphone, lmms profiles
+        - added macrofusion, mpd, natron, ricochet, shotcut, tor-browser-en profiles
+        - added tor, x-terminal-emulator, zart profiles
 Christian Stadelmann (https://github.com/genodeftest)
         - profile fixes
         - evolution profile fix
@@ -241,12 +245,15 @@ Impyy (https://github.com/Impyy)
         - added mumble profile
 irregulator (https://github.com/irregulator)
         - thunderbird profile fixes for debian stretch
+Irvine (https://github.com/Irvinehimself)
+        - added conky profile
 Ivan Kozik (https://github.com/ivan)
         - speed up sandbox exit
 Jaykishan Mutkawoa (https://github.com/jmutkawoa)
         - cpio profile
 James Elford (https://github.com/jelford)
         - pass password manager support
+        - removed shell none from ssh-agent configuration, fixing the infinit loop
 Jericho (https://github.com/attritionorg)
         - spelling
 Jesse Smith (https://github.com/slicer69)
@@ -306,6 +313,8 @@ Mattias Wadman (https://github.com/wader)
         - seccomp errno filter support
 Matthew Gyurgyik (https://github.com/pyther)
         - rpm spec and several fixes
+melvinvermeeren (https://github.com/melvinvermeeren)
+        - added teamspeak3 profile
 Michael Haas (https://github.com/mhaas)
         - bugfixes
 Mike Frysinger (vapier@gentoo.org)
@@ -319,6 +328,8 @@ n1trux (https://github.com/n1trux)
 netblue30 (netblue30@yahoo.com)
 Niklas Haas (https://github.com/haasn)
         - blacklisting for keybase.io's client
+nyancat18 (https://github.com/nyancat18)
+        - added ardour4, dooble, karbon, krita profiles
 Ondra Nekola (https://github.com/satai)
         - allow firefox theming with non-global themes
 Panzerfather (https://github.com/Panzerfather)
@@ -416,6 +427,7 @@ smithsohu (https://github.com/smitsohu)
         - enhance mutt, goobox, baloo and clementine profiles
 soredake (https://github.com/soredake)
         - fix steam startup with >=llvm-4
+        - fix handling of STEAM_RUNTIME_PREFER_HOST_LIBRARIES in steam profile
 SpotComms (https://github.com/SpotComms)
         - added Bless, Gnome 2048, Gnome Calculator, Gnome Contacts, JD-GUI, Lollypop, MultiMC5 profiles
         - added PDFSam, Pithos, and Xonotic profiles
@@ -507,6 +519,8 @@ Topi Miettinen (https://github.com/topimiettinen)
         - seccomp default list update
         - improve loading of seccomp filter and memory-deny-write-execute feature
         - private-lib feature
+user1024 (user1024@tut.by)
+        - electron profile whitelisting
 valoq (https://github.com/valoq)
         - lots of profile fixes
         - added support for /srv in --whitelist feature
diff --git a/README.md b/README.md
index 255384e2e..efc102ba1 100644
--- a/README.md
+++ b/README.md
@@ -98,6 +98,70 @@ Use this issue to request new profiles: [#1139](https://github.com/netblue30/fir
 `````
 # Current development version: 0.9.51
 
+## Whitelisting /var
+
+Add "include /etc/firejail/whitelist-var-common.inc" to an application profile and test it. If it's working,
+send a pull request. I did it so far for some more common applications like Firefox, Chromium etc.
+
+## Profile build  tool
+`````
+$ firejail --build appname
+`````
+The command builds a whitelisted profile. If /usr/bin/strace is installed on the system, it also
+builds a whitelisted seccomp profile. The program is run in a very relaxed sandbox,
+with only --caps.drop=all and --nonewprivs. Programs that raise user privileges are not supported
+in order to allow strace to run. Chromium and Chromium-based browsers will not work.
+
+Example:
+`````
+$ firejail --build /usr/bin/vlc ~/Videos/test.mp4
+
+[...]
+
+############################################
+# /usr/bin/vlc profile
+############################################
+# Persistent global definitions
+# include /etc/firejail/globals.local
+
+### basic blacklisting
+include /etc/firejail/disable-common.inc
+# include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+# include /etc/firejail/disable-programs.inc
+
+### home directory whitelisting
+whitelist ~/Videos
+whitelist ~/.local/share/vlc
+whitelist ~/.config/vlc
+include /etc/firejail/whitelist-common.inc
+
+### filesystem
+private-tmp
+private-dev
+private-etc vdpau_wrapper.cfg,udev,drirc,fonts,xdg,gtk-3.0,machine-id,selinux,
+whitelist /var/lib/menu-xdg
+# private-bin vlc,
+
+### security filters
+caps.drop all
+nonewprivs
+seccomp
+# seccomp.keep futex,poll,rt_sigtimedwait,ioctl,fdatasync,read,writev,sendmsg,sendto,write,recvmsg,mmap,mprotect,getpid,stat,clock_nanosleep,munmap,close,access,lseek,fcntl,open,fstat,lstat,brk,rt_sigaction,rt_sigprocmask,rt_sigreturn,madvise,shmget,shmat,shmctl,alarm,socket,connect,recvfrom,shutdown,getsockname,getpeername,setsockopt,getsockopt,clone,execve,uname,shmdt,flock,ftruncate,getdents,rename,mkdir,unlink,readlink,chmod,getrlimit,sysinfo,getuid,getgid,geteuid,getegid,getresuid,getresgid,statfs,fstatfs,prctl,arch_prctl,sched_getaffinity,set_tid_address,fadvise64,clock_getres,tgkill,set_robust_list,eventfd2,dup3,pipe2,getrandom,memfd_create
+# 76 syscalls total
+# Probably you will need to add more syscalls to seccomp.keep. Look for
+# seccomp errors in /var/log/syslog or /var/log/audit/audit.log while
+# running your sandbox.
+
+### network
+protocol unix,netlink,
+net none
+
+### environment
+shell none
+$
+`````
+
 ## New command line options
 `````
       --writable-run-user
@@ -107,3 +171,13 @@ Use this issue to request new profiles: [#1139](https://github.com/netblue30/fir
               Example:
               $ sudo firejail --writable-run-user
 `````
+
+## New profiles:
+
+terasology, surf, rocketchat, clamscan, clamdscan, clamdtop, freshclam, xmr-stak-cpu,
+amule, ardour4, ardour5, brackets, calligra, calligraauthor, calligraconverter,
+calligraflow, calligraplan, calligraplanwork, calligrasheets, calligrastage,
+calligrawords, cin, dooble, dooble-qt4, fetchmail, freecad, freecadcmd, google-earth,
+imagej, karbon, kdenlive, krita, linphone, lmms, macrofusion, mpd, natron, Natron,
+ricochet, shotcut, teamspeak3, tor, tor-browser-en, Viber, x-terminal-emulator, zart,
+conky
diff --git a/RELNOTES b/RELNOTES
index 85c554b32..d4302c134 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,6 +1,7 @@
 firejail (0.9.51) baseline; urgency=low
   * work in progress!
   * feature: --writable-run-user
+  * feature: profile build tool (--build)
  -- netblue30 <netblue30@yahoo.com>  Thu, 14 Sep 2017 20:00:00 -0500
 
 firejail (0.9.50~rc1) baseline; urgency=low
diff --git a/configure b/configure
index e1cc0147f..f64aa2dac 100755
--- a/configure
+++ b/configure
@@ -3823,7 +3823,7 @@ if test "$prefix" = /usr; then
         sysconfdir="/etc"
 fi
 
-ac_config_files="$ac_config_files Makefile src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile"
+ac_config_files="$ac_config_files Makefile src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile"
 
 cat >confcache <<\_ACEOF
 # This file is a shell script that caches the results of configure
@@ -4541,6 +4541,7 @@ do
     "src/libtrace/Makefile") CONFIG_FILES="$CONFIG_FILES src/libtrace/Makefile" ;;
     "src/libtracelog/Makefile") CONFIG_FILES="$CONFIG_FILES src/libtracelog/Makefile" ;;
     "src/firecfg/Makefile") CONFIG_FILES="$CONFIG_FILES src/firecfg/Makefile" ;;
+    "src/fbuilder/Makefile") CONFIG_FILES="$CONFIG_FILES src/fbuilder/Makefile" ;;
     "src/ftee/Makefile") CONFIG_FILES="$CONFIG_FILES src/ftee/Makefile" ;;
     "src/faudit/Makefile") CONFIG_FILES="$CONFIG_FILES src/faudit/Makefile" ;;
     "src/fseccomp/Makefile") CONFIG_FILES="$CONFIG_FILES src/fseccomp/Makefile" ;;
diff --git a/configure.ac b/configure.ac
index e06512665..900c8b959 100644
--- a/configure.ac
+++ b/configure.ac
@@ -176,7 +176,7 @@ if test "$prefix" = /usr; then
 fi
 
 AC_OUTPUT(Makefile src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile \
-src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile \
+src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile \
 src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile)
 
 echo
diff --git a/etc/2048-qt.profile b/etc/2048-qt.profile
index 06cc69503..964a9e5fa 100644
--- a/etc/2048-qt.profile
+++ b/etc/2048-qt.profile
@@ -13,6 +13,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 nodvd
diff --git a/etc/Natron.profile b/etc/Natron.profile
new file mode 100644
index 000000000..b21790fe4
--- /dev/null
+++ b/etc/Natron.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for natron
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/natron.profile
diff --git a/etc/Viber.profile b/etc/Viber.profile
new file mode 100644
index 000000000..03e5f1086
--- /dev/null
+++ b/etc/Viber.profile
@@ -0,0 +1,38 @@
+# Firejail profile for Viber
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/Viber.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+noblacklist ${HOME}/.ViberPC
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.ViberPC
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-bin sh,bash,dash,dig,awk,Viber
+private-etc hosts,fonts,mailcap,resolv.conf,X11,pulse,alternatives,localtime,nsswitch.conf,ssl,proxychains.conf
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/akregator.profile b/etc/akregator.profile
index 12bb06fb5..55434e45b 100644
--- a/etc/akregator.profile
+++ b/etc/akregator.profile
@@ -13,6 +13,12 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+mkfile ${HOME}/.config/akregatorrc
+mkdir ${HOME}/.local/share/akregator
+whitelist ${HOME}/.config/akregatorrc
+whitelist ${HOME}/.local/share/akregator
+include /etc/firejail/whitelist-common.inc
+
 caps.drop all
 netfilter
 no3d
@@ -27,6 +33,7 @@ seccomp
 shell none
 
 disable-mnt
+private-bin akregator,akregatorstorageexporter,dbus-launch,kdeinit5,kshell5,kdeinit5_shutdown,kdeinit5_wrapper,kdeinit4,kshell4,kdeinit4_shutdown,kdeinit4_wrapper
 private-dev
 private-tmp
 
diff --git a/etc/amarok.profile b/etc/amarok.profile
index 478d5285c..79343fcdf 100644
--- a/etc/amarok.profile
+++ b/etc/amarok.profile
@@ -11,6 +11,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 nogroups
diff --git a/etc/amule.profile b/etc/amule.profile
new file mode 100644
index 000000000..98ec52015
--- /dev/null
+++ b/etc/amule.profile
@@ -0,0 +1,40 @@
+# Firejail profile for amule
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/amule.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+noblacklist ${HOME}/.aMule
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.aMule
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-bin amule
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/ardour4.profile b/etc/ardour4.profile
new file mode 100644
index 000000000..7d1163174
--- /dev/null
+++ b/etc/ardour4.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for ardour5
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/ardour5.profile
diff --git a/etc/ardour5.profile b/etc/ardour5.profile
new file mode 100644
index 000000000..69b3dde46
--- /dev/null
+++ b/etc/ardour5.profile
@@ -0,0 +1,37 @@
+# Firejail profile for ardour5
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/ardour5.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+noblacklist ${HOME}/.config/ardour4
+noblacklist ${HOME}/.config/ardour5
+noblacklist ${HOME}/.lv2
+noblacklist ${HOME}/.vst
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix
+seccomp
+shell none
+
+#private-bin sh,ardour4,ardour5,ardour5-copy-mixer,ardour5-export,ardour5-fix_bbtppq,grep,sed,ldd,nm
+private-dev
+#private-etc pulse,X11,alternatives,ardour4,ardour5,fonts
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/audacious.profile b/etc/audacious.profile
index bd2367fe0..52e701821 100644
--- a/etc/audacious.profile
+++ b/etc/audacious.profile
@@ -15,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+nogroups
 nonewprivs
 noroot
 notv
diff --git a/etc/brackets.profile b/etc/brackets.profile
new file mode 100644
index 000000000..0a8c592a7
--- /dev/null
+++ b/etc/brackets.profile
@@ -0,0 +1,29 @@
+# Firejail profile for brackets
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/brackets.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.config/Brackets
+noblacklist /opt/brackets/
+noblacklist /opt/google/
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-dev
diff --git a/etc/calibre.profile b/etc/calibre.profile
index aa0de473c..844231032 100644
--- a/etc/calibre.profile
+++ b/etc/calibre.profile
@@ -13,6 +13,8 @@ include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 no3d
diff --git a/etc/calligra.profile b/etc/calligra.profile
new file mode 100644
index 000000000..e90c8efe8
--- /dev/null
+++ b/etc/calligra.profile
@@ -0,0 +1,29 @@
+# Firejail profile for calligra
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/calligra.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+ipc-namespace
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix
+seccomp
+shell none
+
+private-bin calligra,calligraauthor,calligraconverter,calligraflow,calligraplan,calligraplanwork,calligrasheets,calligrastage,calligrawords,dbus-launch
+private-dev
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/calligraauthor.profile b/etc/calligraauthor.profile
new file mode 100644
index 000000000..629ab46c1
--- /dev/null
+++ b/etc/calligraauthor.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/calligra.profile
diff --git a/etc/calligraconverter.profile b/etc/calligraconverter.profile
new file mode 100644
index 000000000..629ab46c1
--- /dev/null
+++ b/etc/calligraconverter.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/calligra.profile
diff --git a/etc/calligraflow.profile b/etc/calligraflow.profile
new file mode 100644
index 000000000..629ab46c1
--- /dev/null
+++ b/etc/calligraflow.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/calligra.profile
diff --git a/etc/calligraplan.profile b/etc/calligraplan.profile
new file mode 100644
index 000000000..629ab46c1
--- /dev/null
+++ b/etc/calligraplan.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/calligra.profile
diff --git a/etc/calligraplanwork.profile b/etc/calligraplanwork.profile
new file mode 100644
index 000000000..629ab46c1
--- /dev/null
+++ b/etc/calligraplanwork.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/calligra.profile
diff --git a/etc/calligrasheets.profile b/etc/calligrasheets.profile
new file mode 100644
index 000000000..629ab46c1
--- /dev/null
+++ b/etc/calligrasheets.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/calligra.profile
diff --git a/etc/calligrastage.profile b/etc/calligrastage.profile
new file mode 100644
index 000000000..629ab46c1
--- /dev/null
+++ b/etc/calligrastage.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/calligra.profile
diff --git a/etc/calligrawords.profile b/etc/calligrawords.profile
new file mode 100644
index 000000000..629ab46c1
--- /dev/null
+++ b/etc/calligrawords.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/calligra.profile
diff --git a/etc/catfish.profile b/etc/catfish.profile
index 498f3b6ee..5fc585d90 100644
--- a/etc/catfish.profile
+++ b/etc/catfish.profile
@@ -8,8 +8,13 @@ include /etc/firejail/globals.local
 # We can't blacklist much since catfish
 # is for finding files/content
 noblacklist ~/.config/catfish
+include /etc/firejail/disable-common.inc
+# include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 
-include /etc/firejail/disable-devel.inc
+whitelist /var/lib/mlocate
+include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
 net none
diff --git a/etc/chromium.profile b/etc/chromium.profile
index 9be99e68a..0c7058a11 100644
--- a/etc/chromium.profile
+++ b/etc/chromium.profile
@@ -23,6 +23,7 @@ whitelist ~/.config/chromium
 whitelist ~/.config/chromium-flags.conf
 whitelist ~/.pki
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 
 caps.keep sys_chroot,sys_admin
 netfilter
diff --git a/etc/cin.profile b/etc/cin.profile
new file mode 100644
index 000000000..eeeda476f
--- /dev/null
+++ b/etc/cin.profile
@@ -0,0 +1,31 @@
+# Firejail profile for cin
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/cin.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.bcast5
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+nonewprivs
+notv
+noroot
+protocol unix
+seccomp
+shell none
+
+#private-bin cin
+private-dev
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/clamav.profile b/etc/clamav.profile
new file mode 100644
index 000000000..a5aacc1d5
--- /dev/null
+++ b/etc/clamav.profile
@@ -0,0 +1,32 @@
+# Firejail profile for clamav
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include /etc/firejail/clamav.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+caps.drop all
+ipc-namespace
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+private-dev
+read-only ${HOME}
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/clamdscan.profile b/etc/clamdscan.profile
new file mode 100644
index 000000000..1fc728206
--- /dev/null
+++ b/etc/clamdscan.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for clamav
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/clamav.profile
diff --git a/etc/clamdtop.profile b/etc/clamdtop.profile
new file mode 100644
index 000000000..1fc728206
--- /dev/null
+++ b/etc/clamdtop.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for clamav
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/clamav.profile
diff --git a/etc/clamscan.profile b/etc/clamscan.profile
new file mode 100644
index 000000000..1fc728206
--- /dev/null
+++ b/etc/clamscan.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for clamav
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/clamav.profile
diff --git a/etc/conky.profile b/etc/conky.profile
new file mode 100644
index 000000000..4ee25f099
--- /dev/null
+++ b/etc/conky.profile
@@ -0,0 +1,35 @@
+# Firejail profile for conky
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/conky.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-dev
+private-tmp
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/darktable.profile b/etc/darktable.profile
index e04163486..c2dc0b42c 100644
--- a/etc/darktable.profile
+++ b/etc/darktable.profile
@@ -26,6 +26,7 @@ protocol unix,inet,inet6
 seccomp
 shell none
 
+#private-bin darktable
 private-dev
 private-tmp
 
diff --git a/etc/dia.profile b/etc/dia.profile
index a625ab36d..abe83ac8c 100644
--- a/etc/dia.profile
+++ b/etc/dia.profile
@@ -27,6 +27,7 @@ seccomp
 shell none
 
 disable-mnt
+#private-bin dia
 private-dev
 private-tmp
 
diff --git a/etc/digikam.profile b/etc/digikam.profile
index 43191ec06..ef518470e 100644
--- a/etc/digikam.profile
+++ b/etc/digikam.profile
@@ -14,6 +14,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 nodvd
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index 5dd3dfd30..ca6ba9710 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -2,13 +2,15 @@
 # Persistent customizations should go in a .local file.
 include /etc/firejail/disable-common.local
 
-# History files in $HOME
+# History files and clipboard managers in $HOME
 blacklist-nolog ${HOME}/.*_history
 blacklist-nolog ${HOME}/.adobe
 blacklist-nolog ${HOME}/.bash_history
 blacklist-nolog ${HOME}/.history
 blacklist-nolog ${HOME}/.local/share/fish/fish_history
 blacklist-nolog ${HOME}/.macromedia
+blacklist-nolog /tmp/clipmenu*   
+blacklist-nolog ${HOME}/.cache/greenclip*
 
 # X11 session autostart
 # blacklist ${HOME}/.xpra - this will kill --x11=xpra cmdline option for all programs
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 7e44d582e..88b7e7d32 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -17,8 +17,10 @@ blacklist ${HOME}/.Steam
 blacklist ${HOME}/.Steampath
 blacklist ${HOME}/.Steampid
 blacklist ${HOME}/.TelegramDesktop
+blacklist ${HOME}/.ViberPC
 blacklist ${HOME}/.VirtualBox
 blacklist ${HOME}/.Wolfram Research
+blacklist ${HOME}/.aMule
 blacklist ${HOME}/.android
 blacklist ${HOME}/.arduino15
 blacklist ${HOME}/.atom
@@ -35,6 +37,7 @@ blacklist ${HOME}/.config/Brackets
 blacklist ${HOME}/.config/Clementine
 blacklist ${HOME}/.config/Cryptocat
 blacklist ${HOME}/.config/Franz
+blacklist ${HOME}/.config/FreeCAD
 blacklist ${HOME}/.config/Gitter
 blacklist ${HOME}/.config/Google
 blacklist ${HOME}/.config/Gpredict
@@ -51,6 +54,7 @@ blacklist ${HOME}/.config/Qlipper
 blacklist ${HOME}/.config/QuiteRss
 blacklist ${HOME}/.config/QuiteRssrc
 blacklist ${HOME}/.config/Riot
+blacklist ${HOME}/.config/Rocket.Chat
 blacklist ${HOME}/.config/Slack
 blacklist ${HOME}/.config/Thunar
 blacklist ${HOME}/.config/VirtualBox
@@ -123,6 +127,7 @@ blacklist ${HOME}/.config/lximage-qt
 blacklist ${HOME}/.config/mate-calc
 blacklist ${HOME}/.config/mate/eom
 blacklist ${HOME}/.config/mate/mate-dictionary
+blacklist ${HOME}/.config/mfusion
 blacklist ${HOME}/.config/midori
 blacklist ${HOME}/.config/mpv
 blacklist ${HOME}/.config/mupen64plus
@@ -187,6 +192,7 @@ blacklist ${HOME}/.conkeror.mozdev.org
 blacklist ${HOME}/.curlrc
 blacklist ${HOME}/.dia
 blacklist ${HOME}/.dillo
+blacklist ${HOME}/.dooble
 blacklist ${HOME}/.dosbox
 blacklist ${HOME}/.dropbox-dist
 blacklist ${HOME}/.electrum*
@@ -211,6 +217,7 @@ blacklist ${HOME}/.guayadeque
 blacklist ${HOME}/.hedgewars
 blacklist ${HOME}/.hugin
 blacklist ${HOME}/.icedove
+blacklist ${HOME}/.imagej
 blacklist ${HOME}/.inkscape
 blacklist ${HOME}/.java
 blacklist ${HOME}/.jitsi
@@ -318,6 +325,7 @@ blacklist ${HOME}/.local/share/spotify
 blacklist ${HOME}/.local/share/steam
 blacklist ${HOME}/.local/share/supertux2
 blacklist ${HOME}/.local/share/telepathy
+blacklist ${HOME}/.local/share/terasology
 blacklist ${HOME}/.local/share/torbrowser
 blacklist ${HOME}/.local/share/totem
 blacklist ${HOME}/.local/share/vpltd
@@ -360,6 +368,7 @@ blacklist ${HOME}/.steampath
 blacklist ${HOME}/.steampid
 blacklist ${HOME}/.stellarium
 blacklist ${HOME}/.subversion
+blacklist ${HOME}/.surf
 blacklist ${HOME}/.sword
 blacklist ${HOME}/.sylpheed-2.0
 blacklist ${HOME}/.synfig
@@ -407,6 +416,7 @@ blacklist ${HOME}/.cache/google-chrome
 blacklist ${HOME}/.cache/google-chrome-beta
 blacklist ${HOME}/.cache/google-chrome-unstable
 blacklist ${HOME}/.cache/icedove
+blacklist ${HOME}/.cache/INRIA/Natron
 blacklist ${HOME}/.cache/inox
 blacklist ${HOME}/.cache/libgweather
 blacklist ${HOME}/.cache/midori
diff --git a/etc/dooble-qt4.profile b/etc/dooble-qt4.profile
new file mode 100644
index 000000000..4e1227a0f
--- /dev/null
+++ b/etc/dooble-qt4.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for dooble
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/dooble.profile
diff --git a/smtube.profile b/etc/dooble.profile
index 2694dd5b0..2a57b0ef3 100644
--- a/smtube.profile
+++ b/etc/dooble.profile
@@ -1,35 +1,37 @@
-# Firejail profile for smtube
+# Firejail profile for dooble
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/smtube.local
+include /etc/firejail/dooble-qt4.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-noblacklist ${HOME}/.config/smplayer
-noblacklist ${HOME}/.config/smtube
-noblacklist ${HOME}/.config/mpv
-noblacklist ${HOME}/.mplayer
-noblacklist ${HOME}/.config/vlc
-noblacklist ${HOME}/.local/share/vlc
+
+noblacklist ${HOME}/.dooble
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+mkdir ${HOME}/.dooble
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.dooble
+include /etc/firejail/whitelist-common.inc
+
 caps.drop all
 netfilter
 nodvd
-notv
-novideo
 nogroups
 nonewprivs
 noroot
+notv
+novideo
 protocol unix,inet,inet6,netlink
 seccomp
 shell none
+tracelog
 
-#no private-bin because users can add their own players to smtube and that would prevent that
+disable-mnt
 private-dev
 private-tmp
 
diff --git a/etc/dosbox.profile b/etc/dosbox.profile
index fa9b26e82..a64578e5c 100644
--- a/etc/dosbox.profile
+++ b/etc/dosbox.profile
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 nodvd
diff --git a/etc/dragon.profile b/etc/dragon.profile
index 211c2432f..c37f81ac9 100644
--- a/etc/dragon.profile
+++ b/etc/dragon.profile
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 nodvd
diff --git a/etc/electron.profile b/etc/electron.profile
index 9b21c1bfd..91e5cd3df 100644
--- a/etc/electron.profile
+++ b/etc/electron.profile
@@ -5,11 +5,12 @@ include /etc/firejail/electron.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+whitelist ${DOWNLOADS}
+
 caps.drop all
 netfilter
 nodvd
diff --git a/etc/evince.profile b/etc/evince.profile
index 5c6215bb2..f503b9a8e 100644
--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 no3d
diff --git a/etc/fetchmail.profile b/etc/fetchmail.profile
new file mode 100644
index 000000000..3fd7f3d75
--- /dev/null
+++ b/etc/fetchmail.profile
@@ -0,0 +1,29 @@
+# Firejail profile for fetchmail
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/fetchmail.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+#private-bin fetchmail,procmail,bash,chmod
+private-dev
diff --git a/etc/firefox.profile b/etc/firefox.profile
index 85201b021..1f4a8e3f6 100644
--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -59,6 +59,7 @@ whitelist ~/.wine-pipelight64
 whitelist ~/.zotero
 whitelist ~/dwhelper
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
 netfilter
diff --git a/etc/freecad.profile b/etc/freecad.profile
new file mode 100644
index 000000000..4fde66839
--- /dev/null
+++ b/etc/freecad.profile
@@ -0,0 +1,35 @@
+# Firejail profile for freecad
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/freecad.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+noblacklist ${HOME}/.config/FreeCAD
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+
+private-bin freecad,freecadcmd
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/freecadcmd.profile b/etc/freecadcmd.profile
new file mode 100644
index 000000000..f8bbff593
--- /dev/null
+++ b/etc/freecadcmd.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for freecad
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/freecad.profile
diff --git a/etc/freshclam.profile b/etc/freshclam.profile
new file mode 100644
index 000000000..08eac5595
--- /dev/null
+++ b/etc/freshclam.profile
@@ -0,0 +1,34 @@
+# Firejail profile for freshclam
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include /etc/firejail/clamav.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+caps.keep setgid,setuid
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+nosound
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private
+private-dev
+private-tmp
+writable-var
+writable-var-log
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/galculator.profile b/etc/galculator.profile
index 37f147f0f..dbc22a889 100644
--- a/etc/galculator.profile
+++ b/etc/galculator.profile
@@ -15,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 mkdir ~/.config/galculator
 whitelist ~/.config/galculator
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
 net none
diff --git a/etc/gimp.profile b/etc/gimp.profile
index aa77d6105..292c2aac9 100644
--- a/etc/gimp.profile
+++ b/etc/gimp.profile
@@ -11,6 +11,8 @@ include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 net none
 nodvd
diff --git a/etc/gnome-calculator.profile b/etc/gnome-calculator.profile
index 6547c73df..326222426 100644
--- a/etc/gnome-calculator.profile
+++ b/etc/gnome-calculator.profile
@@ -11,6 +11,7 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
 netfilter
diff --git a/etc/google-earth.profile b/etc/google-earth.profile
new file mode 100644
index 000000000..b60f5b3a5
--- /dev/null
+++ b/etc/google-earth.profile
@@ -0,0 +1,48 @@
+# Firejail profile for google-earth
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/google-earth.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.config/Google
+noblacklist ${HOME}/.googleearth/Cache/
+noblacklist ${HOME}/.googleearth/Temp/
+noblacklist ${HOME}/.googleearth/myplaces.backup.kml
+noblacklist ${HOME}/.googleearth/myplaces.kml
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+mkdir ${HOME}/.config/Google
+mkdir ${HOME}/.googleearth/Cache/
+mkdir ${HOME}/.googleearth/Temp/
+mkfile ${HOME}/.googleearth/myplaces.backup.kml
+mkfile ${HOME}/.googleearth/myplaces.kml
+whitelist ${HOME}/.config/Google
+whitelist ${HOME}/.googleearth/Cache/
+whitelist ${HOME}/.googleearth/Temp/
+whitelist ${HOME}/.googleearth/myplaces.backup.kml
+whitelist ${HOME}/.googleearth/myplaces.kml
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-bin google-earth,sh,bash,dash,grep,sed,ls,dirname
+private-dev
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/gpicview.profile b/etc/gpicview.profile
index 26bc589ee..1842c9cb1 100644
--- a/etc/gpicview.profile
+++ b/etc/gpicview.profile
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 net none
 nodvd
diff --git a/etc/handbrake.profile b/etc/handbrake.profile
index 2b33051e2..f5e7bc329 100644
--- a/etc/handbrake.profile
+++ b/etc/handbrake.profile
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 nogroups
diff --git a/etc/hugin.profile b/etc/hugin.profile
index d3cd181b1..ff88e0d5c 100644
--- a/etc/hugin.profile
+++ b/etc/hugin.profile
@@ -25,6 +25,7 @@ protocol unix
 seccomp
 shell none
 
+private-bin PTBatcherGUI,calibrate_lens_gui,hugin,hugin_stitch_project,align_image_stack,autooptimiser,celeste_standalone,checkpto,cpclean,cpfind,deghosting_mask,fulla,geocpset,hugin_executor,hugin_hdrmerge,hugin_lensdb,icpfind,linefind,nona,pano_modify,pano_trafo,pto_gen,pto_lensstack,pto_mask,pto_merge,pto_move,pto_template,pto_var,tca_correct,verdandi,vig_optimize,enblend
 private-dev
 private-tmp
 
diff --git a/etc/imagej.profile b/etc/imagej.profile
new file mode 100644
index 000000000..88a56c706
--- /dev/null
+++ b/etc/imagej.profile
@@ -0,0 +1,35 @@
+# Firejail profile for imagej
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/imagej.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+noblacklist ${HOME}/.imagej
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+
+private-bin imagej,bash,grep,sort,tail,tr,cut,whoami,hostname,uname,mkdir,ls,touch,free,awk,update-java-alternatives,basename,xprop,rm,ln
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/inkscape.profile b/etc/inkscape.profile
index 1d24f5d7d..c062ab8ef 100644
--- a/etc/inkscape.profile
+++ b/etc/inkscape.profile
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 nodvd
@@ -25,6 +27,7 @@ protocol unix
 seccomp
 shell none
 
+#private-bin inkscape
 private-dev
 private-tmp
 
diff --git a/etc/k3b.profile b/etc/k3b.profile
index ca190ecb9..58623d823 100644
--- a/etc/k3b.profile
+++ b/etc/k3b.profile
@@ -14,6 +14,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 no3d
 nonewprivs
diff --git a/etc/karbon.profile b/etc/karbon.profile
new file mode 100644
index 000000000..3525a3e06
--- /dev/null
+++ b/etc/karbon.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for krita
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/krita.profile
diff --git a/etc/kate.profile b/etc/kate.profile
index ec5d09ce2..69100d49d 100644
--- a/etc/kate.profile
+++ b/etc/kate.profile
@@ -17,6 +17,8 @@ include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 nodvd
diff --git a/etc/kcalc.profile b/etc/kcalc.profile
index f334c4c72..0de23f106 100644
--- a/etc/kcalc.profile
+++ b/etc/kcalc.profile
@@ -11,6 +11,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 no3d
diff --git a/etc/kdenlive.profile b/etc/kdenlive.profile
new file mode 100644
index 000000000..a1a5f957c
--- /dev/null
+++ b/etc/kdenlive.profile
@@ -0,0 +1,30 @@
+# Firejail profile for kdenlive
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/kdenlive.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-bin kdenlive,kdenlive_render,dbus-launch,melt,ffmpeg,ffplay,ffprobe,dvdauthor,genisoimage,vlc,xine,kdeinit5,kshell5,kdeinit5_shutdown,kdeinit5_wrapper,kdeinit4,kshell4,kdeinit4_shutdown,kdeinit4_wrapper
+private-dev
+#private-etc fonts,alternatives,X11,pulse,passwd
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/krita.profile b/etc/krita.profile
new file mode 100644
index 000000000..e91f5b242
--- /dev/null
+++ b/etc/krita.profile
@@ -0,0 +1,32 @@
+# Firejail profile for krita
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/krita.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/kwrite.profile b/etc/kwrite.profile
index 6ba076dc0..6b458ede3 100644
--- a/etc/kwrite.profile
+++ b/etc/kwrite.profile
@@ -17,6 +17,8 @@ include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 nodvd
diff --git a/etc/leafpad.profile b/etc/leafpad.profile
index e7557651b..c9addba21 100644
--- a/etc/leafpad.profile
+++ b/etc/leafpad.profile
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 no3d
diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile
index ec7356002..8d05a557c 100644
--- a/etc/libreoffice.profile
+++ b/etc/libreoffice.profile
@@ -14,6 +14,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 nodvd
diff --git a/etc/linphone.profile b/etc/linphone.profile
new file mode 100644
index 000000000..41f9245a2
--- /dev/null
+++ b/etc/linphone.profile
@@ -0,0 +1,41 @@
+# Firejail profile for linphone
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/linphone.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.linphone-history.db
+noblacklist ${HOME}/.linphonerc
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+mkfile ${HOME}/.linphone-history.db
+mkfile ${HOME}/.linphonerc
+whitelist ${HOME}/.linphone-history.db
+whitelist ${HOME}/.linphonerc
+whitelist ${HOME}/Downloads
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/lmms.profile b/etc/lmms.profile
new file mode 100644
index 000000000..29ed235c6
--- /dev/null
+++ b/etc/lmms.profile
@@ -0,0 +1,34 @@
+# Firejail profile for lmms
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/lmms.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+noblacklist ${HOME}/.lmmsrc.xml
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+ipc-namespace
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix
+seccomp
+shell none
+
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/luminance-hdr.profile b/etc/luminance-hdr.profile
index bd32e0c70..ec2a65290 100644
--- a/etc/luminance-hdr.profile
+++ b/etc/luminance-hdr.profile
@@ -26,6 +26,7 @@ seccomp
 shell none
 tracelog
 
+#private-bin luminance-hdr,luminance-hdr-cli,align_image_stack
 private-dev
 private-tmp
 
diff --git a/etc/macrofusion.profile b/etc/macrofusion.profile
new file mode 100644
index 000000000..be66cf6ee
--- /dev/null
+++ b/etc/macrofusion.profile
@@ -0,0 +1,35 @@
+# Firejail profile for macrofusion
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/macrofusion.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+noblacklist ${HOME}/.config/mfusion
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+
+#private-bin python3,macrofusion,env,enfuse,exiftool,align_image_stack
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/mousepad.profile b/etc/mousepad.profile
index 36365fc2f..60205ffda 100644
--- a/etc/mousepad.profile
+++ b/etc/mousepad.profile
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 nodvd
diff --git a/etc/mpd.profile b/etc/mpd.profile
new file mode 100644
index 000000000..7bfa47d77
--- /dev/null
+++ b/etc/mpd.profile
@@ -0,0 +1,33 @@
+# Firejail profile for mpd
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/mpd.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+noblacklist ${HOME}/.mpdconf
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+#private-bin mpd,bash
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/mpv.profile b/etc/mpv.profile
index 0592751ef..eb8a88a4b 100644
--- a/etc/mpv.profile
+++ b/etc/mpv.profile
@@ -13,6 +13,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 nogroups
diff --git a/etc/musescore.profile b/etc/musescore.profile
index 3b5a0b13c..b039d07b2 100644
--- a/etc/musescore.profile
+++ b/etc/musescore.profile
@@ -19,6 +19,7 @@ caps.drop all
 netfilter
 no3d
 nodvd
+nogroups
 nonewprivs
 noroot
 notv
diff --git a/etc/natron.profile b/etc/natron.profile
new file mode 100644
index 000000000..d77539d83
--- /dev/null
+++ b/etc/natron.profile
@@ -0,0 +1,33 @@
+# Firejail profile for natron
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/natron.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+noblacklist ${HOME}/.Natron
+noblacklist ${HOME}/.cache/INRIA/Natron
+noblacklist ${HOME}/.config/INRIA
+noblacklist /opt/natron
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-bin natron,Natron,NatronRenderer
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/okular.profile b/etc/okular.profile
index 5a704ad26..94736fbae 100644
--- a/etc/okular.profile
+++ b/etc/okular.profile
@@ -20,6 +20,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 nodvd
diff --git a/etc/pidgin.profile b/etc/pidgin.profile
index dd610920a..d195cf586 100644
--- a/etc/pidgin.profile
+++ b/etc/pidgin.profile
@@ -27,3 +27,6 @@ tracelog
 private-bin pidgin
 private-dev
 private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/ricochet.profile b/etc/ricochet.profile
new file mode 100644
index 000000000..6da0e21d5
--- /dev/null
+++ b/etc/ricochet.profile
@@ -0,0 +1,40 @@
+# Firejail profile for ricochet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/ricochet.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+noblacklist ${HOME}/.local/share/Ricochet
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.local/share/Ricochet
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-bin ricochet,tor
+private-dev
+#private-etc fonts,tor,X11,alternatives
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/riot-web.profile b/etc/riot-web.profile
index c714652df..06dbbe9d9 100644
--- a/etc/riot-web.profile
+++ b/etc/riot-web.profile
@@ -5,9 +5,9 @@ include /etc/firejail/riot-web.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-noblacklist ~/.config/Riot
+noblacklist ${HOME}/.config/Riot
 
-whitelist ~/.config/Riot
+whitelist ${HOME}/.config/Riot
 include /etc/firejail/whitelist-common.inc
 
 # Redirect
diff --git a/etc/rocketchat.profile b/etc/rocketchat.profile
new file mode 100644
index 000000000..da92cd938
--- /dev/null
+++ b/etc/rocketchat.profile
@@ -0,0 +1,14 @@
+# Firejail profile for rocketchat
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/rocketchat.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.config/Rocket.Chat
+
+whitelist ${HOME}/.config/Rocket.Chat
+include /etc/firejail/whitelist-common.inc
+
+# Redirect
+include /etc/firejail/electron.profile
diff --git a/etc/scribus.profile b/etc/scribus.profile
index e4c88be49..dd06fa59f 100644
--- a/etc/scribus.profile
+++ b/etc/scribus.profile
@@ -38,5 +38,6 @@ protocol unix
 seccomp
 tracelog
 
+#private-bin scribus,gs
 private-dev
 # private-tmp
diff --git a/etc/shotcut.profile b/etc/shotcut.profile
new file mode 100644
index 000000000..e30bc1f46
--- /dev/null
+++ b/etc/shotcut.profile
@@ -0,0 +1,31 @@
+# Firejail profile for shotcut
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/shotcut.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+noblacklist ${HOME}/.config/Meltytech
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix
+seccomp
+shell none
+
+#private-bin shotcut,melt,qmelt,nice
+private-dev
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/silentarmy.profile b/etc/silentarmy.profile
index abc68a499..977cfea99 100644
--- a/etc/silentarmy.profile
+++ b/etc/silentarmy.profile
@@ -11,6 +11,8 @@ include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 nodvd
@@ -28,6 +30,7 @@ disable-mnt
 private
 # private-bin silentarmy,sa-solver,python3
 private-dev
+private-opt none
 private-tmp
 
 noexec ${HOME}
diff --git a/etc/skype.profile b/etc/skype.profile
index f3e504a3f..b12f9879e 100644
--- a/etc/skype.profile
+++ b/etc/skype.profile
@@ -24,6 +24,7 @@ seccomp
 shell none
 
 disable-mnt
+#private-bin skype,bash
 private-dev
 private-tmp
 
diff --git a/etc/ssh-agent.profile b/etc/ssh-agent.profile
index 7e9d34c92..fa5728d9b 100644
--- a/etc/ssh-agent.profile
+++ b/etc/ssh-agent.profile
@@ -16,6 +16,7 @@ include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+shell none
 caps.drop all
 netfilter
 no3d
diff --git a/etc/steam.profile b/etc/steam.profile
index 227162e1f..b4b9ede70 100644
--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -21,6 +21,8 @@ noblacklist ${HOME}/.steampath
 noblacklist ${HOME}/.steampid
 # with >=llvm-4 mesa drivers need llvm stuff
 noblacklist /usr/lib/llvm*
+# needed for STEAM_RUNTIME_PREFER_HOST_LIBRARIES=1 to work
+noblacklist /sbin
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
@@ -44,5 +46,5 @@ shell none
 
 # private-dev should be commented for controllers
 private-dev
-private-etc asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl
+private-etc asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,ld.so.conf,ld.so.conf.d,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl
 private-tmp
diff --git a/etc/surf.profile b/etc/surf.profile
new file mode 100644
index 000000000..251331902
--- /dev/null
+++ b/etc/surf.profile
@@ -0,0 +1,35 @@
+# Firejail profile for surf
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/surf.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ~/.surf
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-programs.inc
+
+mkdir ~/.surf
+whitelist ${DOWNLOADS}
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+private-bin ls,surf,sh,dash,bash,curl,dmenu,printf,sed,sleep,st,stterm,xargs,xprop
+private-dev
+private-etc passwd,group,hosts,resolv.conf,fonts,ssl
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/synfigstudio.profile b/etc/synfigstudio.profile
index 08ece1e9b..b0014ace6 100644
--- a/etc/synfigstudio.profile
+++ b/etc/synfigstudio.profile
@@ -26,6 +26,7 @@ protocol unix
 seccomp
 shell none
 
+#private-bin synfigstudio
 private-dev
 private-tmp
 
diff --git a/etc/teamspeak3.profile b/etc/teamspeak3.profile
new file mode 100644
index 000000000..86f96ba50
--- /dev/null
+++ b/etc/teamspeak3.profile
@@ -0,0 +1,39 @@
+# Firejail profile for teamspeak3
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/teamspeak3.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.ts3client
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+mkdir ${HOME}/.ts3client
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.ts3client
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/terasology.profile b/etc/terasology.profile
new file mode 100644
index 000000000..ca580c0d0
--- /dev/null
+++ b/etc/terasology.profile
@@ -0,0 +1,42 @@
+# Firejail profile for terasology
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/default.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+noblacklist ${HOME}/.java
+noblacklist ${HOME}/.local/share/terasology
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+mkdir ${HOME}/.java
+mkdir ${HOME}/.local/share/terasology
+whitelist ${HOME}/.java
+whitelist ${HOME}/.local/share/terasology
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-dev
+private-etc asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl,java-8-openjdk,java-7-openjdk
+private-tmp
+
+noexec ${HOME}
diff --git a/etc/tor-browser-en.profile b/etc/tor-browser-en.profile
new file mode 100644
index 000000000..bf3a80139
--- /dev/null
+++ b/etc/tor-browser-en.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/torbrowser-launcher.profile
diff --git a/etc/tor.profile b/etc/tor.profile
new file mode 100644
index 000000000..fcb123eef
--- /dev/null
+++ b/etc/tor.profile
@@ -0,0 +1,47 @@
+# Firejail profile for tor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/tor.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+# How to use:
+# Create a script called anything (e.g. mytor)
+# with the following contents:
+
+# #!/bin/bash
+# TORCMD="tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 1"
+# sudo -b daemon -f -d -- firejail --profile=/home/<username>/.config/firejail/tor.profile $TORCMD
+
+# You'll also likely want to disable the system service (if it exists)
+# Run mytor (or whatever you called the script above) whenever you want to start tor
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.keep setuid,setgid,net_bind_service,dac_read_search
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+nosound
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+writable-var
+
+disable-mnt
+private
+private-bin tor,bash
+private-dev
+private-etc tor,passwd
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/torbrowser-launcher.profile b/etc/torbrowser-launcher.profile
index 763c2d051..3b6b65bec 100644
--- a/etc/torbrowser-launcher.profile
+++ b/etc/torbrowser-launcher.profile
@@ -5,17 +5,20 @@ include /etc/firejail/torbrowser-launcher.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-
+noblacklist ~/.tor-browser-en
 noblacklist ~/.config/torbrowser
-whitelist ~/.config/torbrowser
 noblacklist ~/.local/share/torbrowser
-whitelist ~/.local/share/torbrowser
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+whitelist ~/.tor-browser-en
+whitelist ~/.config/torbrowser
+whitelist ~/.local/share/torbrowser
+include /etc/firejail/whitelist-common.inc
+
 caps.drop all
 netfilter
 nodvd
@@ -29,7 +32,7 @@ seccomp
 shell none
 tracelog
 
-private-bin torbrowser-launcher,python2.7,python,bash,dash,sh,grep,tail,env,gpg,id,readlink,dirname,test,mkdir,ln,sed,cp,rm,getconf
+private-bin bash,cp,dash,dirname,env,expr,file,getconf,gpg,grep,id,ln,mkdir,python,python2.7,readlink,rm,sed,sh,tail,test,tor-browser-en,torbrowser-launcher
 private-dev
 private-etc fonts
 private-tmp
diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile
index 0bb721c64..6a8d6c679 100644
--- a/etc/transmission-gtk.profile
+++ b/etc/transmission-gtk.profile
@@ -19,6 +19,7 @@ whitelist  ${DOWNLOADS}
 whitelist ~/.cache/transmission
 whitelist ~/.config/transmission
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
 netfilter
diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile
index 08964bbab..4db8e19ce 100644
--- a/etc/transmission-qt.profile
+++ b/etc/transmission-qt.profile
@@ -19,6 +19,7 @@ whitelist  ${DOWNLOADS}
 whitelist ~/.cache/transmission
 whitelist ~/.config/transmission
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
 netfilter
diff --git a/etc/tuxguitar.profile b/etc/tuxguitar.profile
index 5b6a257f6..fbc198cc3 100644
--- a/etc/tuxguitar.profile
+++ b/etc/tuxguitar.profile
@@ -17,6 +17,7 @@ caps.drop all
 netfilter
 no3d
 nodvd
+nogroups
 nonewprivs
 noroot
 notv
diff --git a/etc/virtualbox.profile b/etc/virtualbox.profile
index 6e153d559..b01e6d144 100644
--- a/etc/virtualbox.profile
+++ b/etc/virtualbox.profile
@@ -20,7 +20,9 @@ mkdir ~/.config/VirtualBox
 mkdir ~/VirtualBox VMs
 whitelist ~/.config/VirtualBox
 whitelist ~/VirtualBox VMs
+whitelist ${DOWNLOADS}
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
 netfilter
diff --git a/etc/vlc.profile b/etc/vlc.profile
index bccde7a3d..c3a4d58d0 100644
--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 # nogroups
diff --git a/etc/whitelist-common.inc b/etc/whitelist-common.inc
index ba4b91451..310149ecd 100644
--- a/etc/whitelist-common.inc
+++ b/etc/whitelist-common.inc
@@ -16,6 +16,7 @@ whitelist ~/.drirc
 whitelist ~/.mime.types
 whitelist ~/.local/share/applications
 read-only ~/.local/share/applications
+whitelist ~/.config/ibus
 
 # fonts
 whitelist ~/.fonts
@@ -34,10 +35,14 @@ whitelist ~/.gtkrc-2.0
 whitelist ~/.gtk-2.0
 whitelist ~/.config/gtk-2.0
 whitelist ~/.config/gtk-3.0
+whitelist ~/.config/gtkrc
+whitelist ~/.config/gtkrc-2.0
 whitelist ~/.themes
 whitelist ~/.local/share/themes
 whitelist ~/.kde/share/config/gtkrc
 whitelist ~/.kde/share/config/gtkrc-2.0
+whitelist ~/.kde4/share/config/gtkrc
+whitelist ~/.kde4/share/config/gtkrc-2.0
 whitelist ~/.gnome2
 whitelist ~/.gnome2-private
 
@@ -50,3 +55,6 @@ whitelist ~/.config/kdeglobals
 whitelist ~/.kde/share/config/oxygenrc
 whitelist ~/.kde/share/config/kdeglobals
 whitelist ~/.kde/share/icons
+whitelist ~/.kde4/share/config/oxygenrc
+whitelist ~/.kde4/share/config/kdeglobals
+whitelist ~/.kde4/share/icons
diff --git a/etc/whitelist-var-common.inc b/etc/whitelist-var-common.inc
new file mode 100644
index 000000000..024995f20
--- /dev/null
+++ b/etc/whitelist-var-common.inc
@@ -0,0 +1,11 @@
+# Local customizations come here
+include /etc/firejail/whitelist-var-common.local
+
+# common /var whitelist for all profiles
+
+whitelist /var/lib/dbus
+whitelist /var/lib/menu-xdg
+whitelist /var/cache/fontconfig
+whitelist /var/tmp
+whitelist /var/run
+whitelist /var/lock
diff --git a/etc/x-terminal-emulator.profile b/etc/x-terminal-emulator.profile
new file mode 100644
index 000000000..1395b81c9
--- /dev/null
+++ b/etc/x-terminal-emulator.profile
@@ -0,0 +1,20 @@
+# Firejail profile for x-terminal-emulator
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/x-terminal-emulator.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+caps.drop all
+ipc-namespace
+net none
+netfilter
+nogroups
+noroot
+protocol unix
+seccomp
+
+private-dev
+
+noexec /tmp
diff --git a/etc/xmr-stak-cpu.profile b/etc/xmr-stak-cpu.profile
new file mode 100644
index 000000000..9cc6e0c1f
--- /dev/null
+++ b/etc/xmr-stak-cpu.profile
@@ -0,0 +1,42 @@
+# Firejail profile for xmr-stak-cpu
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/xmr-stak-cpu.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+include /etc/firejail/whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private
+private-bin xmr-stak-cpu
+private-dev
+private-etc xmr-stak-cpu.json
+private-lib
+private-opt none
+private-tmp
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/youtube-dl.profile b/etc/youtube-dl.profile
index e20fb3e99..d41591fd6 100644
--- a/etc/youtube-dl.profile
+++ b/etc/youtube-dl.profile
@@ -13,6 +13,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 ipc-namespace
 netfilter
diff --git a/etc/zart.profile b/etc/zart.profile
new file mode 100644
index 000000000..6e136d0c9
--- /dev/null
+++ b/etc/zart.profile
@@ -0,0 +1,30 @@
+# Firejail profile for zart
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/zart.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix
+seccomp
+shell none
+
+private-bin zart,ffmpeg,melt,ffprobe,ffplay
+private-dev
+
+noexec ${HOME}
+noexec /tmp
diff --git a/platform/debian/conffiles b/platform/debian/conffiles
index d0e236e61..af6547f7f 100644
--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -357,3 +357,4 @@
 /etc/firejail/zoom.profile
 /etc/firejail/yandex-browser.profile
 /etc/firejail/itch.profile
+/etc/firejail/whitelist-var-common.inc
diff --git a/src/fbuilder/Makefile.in b/src/fbuilder/Makefile.in
new file mode 100644
index 000000000..dd8e2ce6e
--- /dev/null
+++ b/src/fbuilder/Makefile.in
@@ -0,0 +1,45 @@
+all: fbuilder
+
+CC=@CC@
+prefix=@prefix@
+exec_prefix=@exec_prefix@
+libdir=@libdir@
+sysconfdir=@sysconfdir@
+
+VERSION=@PACKAGE_VERSION@
+NAME=@PACKAGE_NAME@
+HAVE_SECCOMP_H=@HAVE_SECCOMP_H@
+HAVE_SECCOMP=@HAVE_SECCOMP@
+HAVE_CHROOT=@HAVE_CHROOT@
+HAVE_BIND=@HAVE_BIND@
+HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
+HAVE_NETWORK=@HAVE_NETWORK@
+HAVE_USERNS=@HAVE_USERNS@
+HAVE_X11=@HAVE_X11@
+HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
+HAVE_WHITELIST=@HAVE_WHITELIST@
+HAVE_GLOBALCFG=@HAVE_GLOBALCFG@
+HAVE_APPARMOR=@HAVE_APPARMOR@
+HAVE_OVERLAYFS=@HAVE_OVERLAYFS@
+HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
+EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
+HAVE_GCOV=@HAVE_GCOV@
+EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
+
+H_FILE_LIST       = $(sort $(wildcard *.[h]))
+C_FILE_LIST       = $(sort $(wildcard *.c))
+OBJS = $(C_FILE_LIST:.c=.o)
+BINOBJS =  $(foreach file, $(OBJS), $file)
+CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(prefix)"'  -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
+LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
+
+%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h
+        $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
+
+fbuilder: $(OBJS)
+        $(CC)  $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
+
+clean:; rm -f *.o fbuilder *.gcov *.gcda *.gcno
+
+distclean: clean
+        rm -fr Makefile
diff --git a/src/fbuilder/build_bin.c b/src/fbuilder/build_bin.c
new file mode 100644
index 000000000..7d0e2cb7c
--- /dev/null
+++ b/src/fbuilder/build_bin.c
@@ -0,0 +1,121 @@
+/*
+ * Copyright (C) 2014-2017 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "fbuilder.h"
+
+static FileDB *bin_out = NULL;
+
+static void process_bin(const char *fname) {
+        assert(fname);
+        
+        // process trace file
+        FILE *fp = fopen(fname, "r");
+        if (!fp) {
+                fprintf(stderr, "Error: cannot open %s\n", fname);
+                exit(1);
+        }
+        
+        char buf[MAX_BUF];
+        while (fgets(buf, MAX_BUF, fp)) {
+                // remove \n
+                char *ptr = strchr(buf, '\n');
+                if (ptr)
+                        *ptr = '\0';
+        
+                // parse line: 4:galculator:access /etc/fonts/conf.d:0
+                // number followed by :
+                ptr = buf;
+                if (!isdigit(*ptr))
+                        continue;
+                while (isdigit(*ptr))
+                        ptr++;
+                if (*ptr != ':')
+                        continue;
+                ptr++;
+
+                // next :
+                ptr = strchr(ptr, ':');
+                if (!ptr)
+                        continue;
+                ptr++;
+                if (strncmp(ptr, "exec ", 5) == 0)
+                        ptr +=  5;
+                else
+                        continue;
+                if (strncmp(ptr, "/bin/", 5) == 0)
+                        ptr += 5;
+                else if (strncmp(ptr, "/sbin/", 6) == 0)
+                        ptr += 6;
+                else if (strncmp(ptr, "/usr/bin/", 9) == 0)
+                        ptr += 9;
+                else if (strncmp(ptr, "/usr/sbin/", 10) == 0)
+                        ptr += 10;
+                else if (strncmp(ptr, "/usr/local/bin/", 15) == 0)
+                        ptr += 15;
+                else if (strncmp(ptr, "/usr/local/sbin/", 16) == 0)
+                        ptr += 16;
+                else if (strncmp(ptr, "/usr/games/", 11) == 0)
+                        ptr += 12;
+                else if (strncmp(ptr, "/usr/local/games/", 17) == 0)
+                        ptr += 17;
+                else
+                        continue;
+
+                // end of filename
+                char *ptr2 = strchr(ptr, ':');
+                if (!ptr2)
+                        continue;
+                *ptr2 = '\0';
+                
+                bin_out = filedb_add(bin_out, ptr);
+        }
+        
+        fclose(fp);
+}
+
+
+// process fname, fname.1, fname.2, fname.3, fname.4, fname.5
+void build_bin(const char *fname) {
+        assert(fname);
+        
+        // run fname
+        process_bin(fname);
+        
+        // run all the rest
+        struct stat s;
+        int i;
+        for (i = 1; i <= 5; i++) {
+                char *newname;
+                if (asprintf(&newname, "%s.%d", fname, i) == -1)
+                        errExit("asprintf");
+                if (stat(newname, &s) == 0)
+                        process_bin(newname);
+                free(newname);
+        }
+
+        if (bin_out) {
+                printf("# private-bin ");
+                FileDB *ptr = bin_out;
+                while (ptr) {
+                        printf("%s,", ptr->fname);
+                        ptr = ptr->next;
+                }
+                printf("\n");
+        }
+}
diff --git a/src/fbuilder/build_fs.c b/src/fbuilder/build_fs.c
new file mode 100644
index 000000000..dcd86e069
--- /dev/null
+++ b/src/fbuilder/build_fs.c
@@ -0,0 +1,280 @@
+/*
+ * Copyright (C) 2014-2017 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+
+#include "fbuilder.h"
+
+// common file processing function, using the callback for each line in the file
+static void process_file(const char *fname, const char *dir, void (*callback)(char *)) {
+        assert(fname);
+        assert(dir);
+        assert(callback);
+        
+        int dir_len = strlen(dir);
+        
+        // process trace file
+        FILE *fp = fopen(fname, "r");
+        if (!fp) {
+                fprintf(stderr, "Error: cannot open %s\n", fname);
+                exit(1);
+        }
+        
+        char buf[MAX_BUF];
+        while (fgets(buf, MAX_BUF, fp)) {
+                // remove \n
+                char *ptr = strchr(buf, '\n');
+                if (ptr)
+                        *ptr = '\0';
+        
+                // parse line: 4:galculator:access /etc/fonts/conf.d:0
+                // number followed by :
+                ptr = buf;
+                if (!isdigit(*ptr))
+                        continue;
+                while (isdigit(*ptr))
+                        ptr++;
+                if (*ptr != ':')
+                        continue;
+                ptr++;
+
+                // next :
+                ptr = strchr(ptr, ':');
+                if (!ptr)
+                        continue;
+                ptr++;
+                if (strncmp(ptr, "access ", 7) == 0)
+                        ptr +=  7;
+                else if (strncmp(ptr, "fopen ", 6) == 0)
+                        ptr += 6;
+                else if (strncmp(ptr, "fopen64 ", 8) == 0)
+                        ptr += 8;
+                else if (strncmp(ptr, "open64 ", 7) == 0)
+                        ptr += 7;
+                else if (strncmp(ptr, "open ", 5) == 0)
+                        ptr += 5;
+                else
+                        continue;
+                if (strncmp(ptr, dir, dir_len) != 0)
+                        continue;
+
+                // end of filename
+                char *ptr2 = strchr(ptr, ':');
+                if (!ptr2)
+                        continue;
+                *ptr2 = '\0';
+                
+                callback(ptr);
+        }
+        
+        fclose(fp);
+}
+
+// process fname, fname.1, fname.2, fname.3, fname.4, fname.5
+static void process_files(const char *fname, const char *dir, void (*callback)(char *)) {
+        assert(fname);
+        assert(dir);
+        assert(callback);
+        
+        // run fname
+        process_file(fname, dir, callback);
+        
+        // run all the rest
+        struct stat s;
+        int i;
+        for (i = 1; i <= 5; i++) {
+                char *newname;
+                if (asprintf(&newname, "%s.%d", fname, i) == -1)
+                        errExit("asprintf");
+                if (stat(newname, &s) == 0)
+                        process_file(newname, dir, callback);
+                free(newname);
+        }
+}
+
+//*******************************************
+// etc directory
+//*******************************************
+static FileDB *etc_out = NULL;
+
+static void etc_callback(char *ptr) {
+        // skip firejail directory
+        if (strncmp(ptr, "/etc/firejail", 13) == 0)
+                return;
+
+        // add only top files and directories
+        ptr += 5;       // skip "/etc/"
+        char *end = strchr(ptr, '/');
+        if (end)
+                *end = '\0';
+        etc_out = filedb_add(etc_out, ptr);
+}
+
+void build_etc(const char *fname) {
+        assert(fname);
+        
+        process_files(fname, "/etc", etc_callback);
+        
+        printf("private-etc ");
+        if (etc_out == NULL)
+                printf("none\n");
+        else {
+                FileDB *ptr = etc_out;
+                while (ptr) {
+                        printf("%s,", ptr->fname);
+                        ptr = ptr->next;
+                }
+                printf("\n");
+        }       
+}
+
+//*******************************************
+// var directory
+//*******************************************
+static FileDB *var_out = NULL;
+static void var_callback(char *ptr) {
+        if (strcmp(ptr, "/var/lib") == 0)
+                ;
+        else if (strcmp(ptr, "/var/cache") == 0)
+                ;
+        else if (strncmp(ptr, "/var/lib/menu-xdg", 17) == 0)
+                var_out = filedb_add(var_out, "/var/lib/menu-xdg");
+        else if (strncmp(ptr, "/var/cache/fontconfig", 21) == 0)
+                var_out = filedb_add(var_out, "/var/cache/fontconfig");
+        else
+                var_out = filedb_add(var_out, ptr);
+}
+
+void build_var(const char *fname) {
+        assert(fname);
+
+        process_files(fname, "/var", var_callback);
+        
+        if (var_out == NULL)
+                printf("blacklist /var\n");
+        else
+                filedb_print(var_out, "whitelist ");
+}
+
+//*******************************************
+// tmp directory
+//*******************************************
+static FileDB *tmp_out = NULL;
+static void tmp_callback(char *ptr) {
+        filedb_add(tmp_out, ptr);
+}
+
+void build_tmp(const char *fname) {
+        assert(fname);
+        
+        process_files(fname, "/tmp", tmp_callback);
+        
+        if (tmp_out == NULL)
+                printf("private-tmp\n");
+        else {
+                printf("\n");
+                printf("# private-tmp\n");
+                printf("# File accessed in /tmp directory:\n");
+                printf("# ");
+                FileDB *ptr = tmp_out;
+                while (ptr) {
+                        printf("%s,", ptr->fname);
+                        ptr = ptr->next;
+                }
+                printf("\n");
+        }
+}
+
+//*******************************************
+// dev directory
+//*******************************************
+static char *dev_skip[] = {
+        "/dev/zero",
+        "/dev/null",
+        "/dev/full",
+        "/dev/random",
+        "/dev/urandom",
+        "/dev/tty",
+        "/dev/snd", 
+        "/dev/dri",
+        "/dev/pts",
+        "/dev/nvidia0",
+        "/dev/nvidia1",
+        "/dev/nvidia2",
+        "/dev/nvidia3",
+        "/dev/nvidia4",
+        "/dev/nvidia5",
+        "/dev/nvidia6",
+        "/dev/nvidia7",
+        "/dev/nvidia8",
+        "/dev/nvidia9",
+        "/dev/nvidiactl",
+        "/dev/nvidia-modeset",
+        "/dev/nvidia-uvm",
+        "/dev/video0",
+        "/dev/video1",
+        "/dev/video2",
+        "/dev/video3",
+        "/dev/video4",
+        "/dev/video5",
+        "/dev/video6",
+        "/dev/video7",
+        "/dev/video8",
+        "/dev/video9",
+        "/dev/dvb",
+        "/dev/sr0",
+        NULL
+};
+
+static FileDB *dev_out = NULL;
+static void dev_callback(char *ptr) {
+        // skip private-dev devices
+        int i = 0;
+        int found = 0;
+        while (dev_skip[i]) {
+                if (strcmp(ptr, dev_skip[i]) == 0) {
+                        found = 1;
+                        break;
+                }
+                i++;
+        }
+        if (!found)
+                filedb_add(dev_out, ptr);
+}
+
+void build_dev(const char *fname) {
+        assert(fname);
+        
+        process_files(fname, "/tmp", tmp_callback);
+        
+        if (dev_out == NULL)
+                printf("private-dev\n");
+        else {
+                printf("\n");
+                printf("# private-dev\n");
+                printf("# This is the list of devices accessed (on top of regular private-dev devices:\n");
+                printf("# ");
+                FileDB *ptr = dev_out;
+                while (ptr) {
+                        printf("%s,", ptr->fname);
+                        ptr = ptr->next;
+                }
+                printf("\n");
+        }
+}
+
diff --git a/src/fbuilder/build_home.c b/src/fbuilder/build_home.c
new file mode 100644
index 000000000..947f172d8
--- /dev/null
+++ b/src/fbuilder/build_home.c
@@ -0,0 +1,199 @@
+/*
+ * Copyright (C) 2014-2017 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+
+#include "fbuilder.h"
+
+static FileDB *db_skip = NULL;
+static FileDB *db_out = NULL;
+
+static void load_whitelist_common(void) {
+        FILE *fp = fopen("/etc/firejail/whitelist-common.inc", "r");
+        if (!fp) {
+                fprintf(stderr, "Error: cannot open whitelist-common.inc\n");
+                exit(1);
+        }
+        
+        char buf[MAX_BUF];
+        while (fgets(buf, MAX_BUF, fp)) {
+                if (strncmp(buf, "whitelist ~/", 12) != 0)
+                        continue;
+                char *fn = buf + 12;
+                char *ptr = strchr(buf, '\n');
+                if (!ptr)
+                        continue;
+                *ptr = '\0';
+                
+                // add the file to skip list
+                db_skip = filedb_add(db_skip, fn);
+        }
+        
+        fclose(fp);     
+}
+
+void process_home(const char *fname, char *home, int home_len) {
+        assert(fname);
+        assert(home);
+        assert(home_len);
+        
+        // process trace file
+        FILE *fp = fopen(fname, "r");
+        if (!fp) {
+                fprintf(stderr, "Error: cannot open %s\n", fname);
+                exit(1);
+        }
+        
+        char buf[MAX_BUF];
+        while (fgets(buf, MAX_BUF, fp)) {
+                // remove \n
+                char *ptr = strchr(buf, '\n');
+                if (ptr)
+                        *ptr = '\0';
+        
+                // parse line: 4:galculator:access /etc/fonts/conf.d:0
+                // number followed by :
+                ptr = buf;
+                if (!isdigit(*ptr))
+                        continue;
+                while (isdigit(*ptr))
+                        ptr++;
+                if (*ptr != ':')
+                        continue;
+                ptr++;
+
+                // next :
+                ptr = strchr(ptr, ':');
+                if (!ptr)
+                        continue;
+                ptr++;
+                if (strncmp(ptr, "access /home", 12) == 0)
+                        ptr +=  7;
+                else if (strncmp(ptr, "fopen /home", 11) == 0)
+                        ptr += 6;
+                else if (strncmp(ptr, "fopen64 /home", 13) == 0)
+                        ptr += 8;
+                else if (strncmp(ptr, "open64 /home", 12) == 0)
+                        ptr += 7;
+                else if (strncmp(ptr, "open /home", 10) == 0)
+                        ptr += 5;
+                else
+                        continue;
+
+                // end of filename
+                char *ptr2 = strchr(ptr, ':');
+                if (!ptr2)
+                        continue;
+                *ptr2 = '\0';
+
+                // check home directory
+                if (strncmp(ptr, home, home_len) != 0)
+                        continue;
+                if (strcmp(ptr, home) == 0)
+                        continue;
+                ptr += home_len + 1;
+                
+                // skip files handled automatically by firejail 
+                if (strcmp(ptr, ".Xauthority") == 0 ||
+                    strcmp(ptr, ".Xdefaults-debian") == 0 ||
+                    strncmp(ptr, ".config/pulse/", 13) == 0 ||
+                    strncmp(ptr, ".pulse/", 7) == 0 ||
+                    strncmp(ptr, ".bash_hist", 10) == 0 ||
+                    strcmp(ptr, ".bashrc") == 0)
+                        continue;
+                
+                
+                // try to find the relevant directory for this file
+                char *dir = extract_dir(ptr);
+                char *toadd = (dir)? dir: ptr;
+
+                // skip some dot directories
+                if (strcmp(toadd, ".config") == 0 ||
+                    strcmp(toadd, ".local") == 0 ||
+                    strcmp(toadd, ".local/share") == 0 ||
+                    strcmp(toadd, ".cache") == 0) {
+                        if (dir)
+                                free(dir);
+                        continue;
+                }
+
+                // clean .cache entries
+                if (strncmp(toadd, ".cache/", 7) == 0) {
+                        char *ptr2 = toadd + 7;
+                        ptr2 = strchr(ptr2, '/');
+                        if (ptr2)
+                                *ptr2 = '\0';
+                }
+
+                // skip files and directories in whitelist-common.inc
+                if (filedb_find(db_skip, toadd)) {
+                        if (dir)
+                                free(dir);
+                        continue;
+                }
+
+                // add the file to out list
+                db_out = filedb_add(db_out, toadd);
+                if (dir)
+                        free(dir);
+
+        }
+        fclose(fp);
+}
+
+
+// process fname, fname.1, fname.2, fname.3, fname.4, fname.5
+void build_home(const char *fname) {
+        assert(fname);
+                
+        // load whitelist common
+        load_whitelist_common();
+
+        // find user home directory
+        struct passwd *pw = getpwuid(getuid());
+        if (!pw)
+                errExit("getpwuid");
+        char *home = pw->pw_dir;
+        if (!home)
+                errExit("getpwuid");
+        int home_len = strlen(home);
+        
+        // run fname
+        process_home(fname, home, home_len);
+        
+        // run all the rest
+        struct stat s;
+        int i;
+        for (i = 1; i <= 5; i++) {
+                char *newname;
+                if (asprintf(&newname, "%s.%d", fname, i) == -1)
+                        errExit("asprintf");
+                if (stat(newname, &s) == 0)
+                        process_home(newname, home, home_len);
+                free(newname);
+        }
+        
+        // print the out list if any
+        if (db_out) {
+                filedb_print(db_out, "whitelist ~/");
+                printf("include /etc/firejail/whitelist-common.inc\n");
+        }
+        else
+                printf("private\n");
+
+}
\ No newline at end of file
diff --git a/src/fbuilder/build_profile.c b/src/fbuilder/build_profile.c
new file mode 100644
index 000000000..3f5fe48ca
--- /dev/null
+++ b/src/fbuilder/build_profile.c
@@ -0,0 +1,165 @@
+/*
+ * Copyright (C) 2014-2017 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+
+#include "fbuilder.h"
+#include <sys/wait.h>
+#include <fcntl.h>
+
+#define TRACE_OUTPUT "/tmp/firejail-trace"
+#define STRACE_OUTPUT "/tmp/firejail-strace"
+
+static char *cmdlist[] = {
+        "/usr/bin/firejail",
+        "--quiet",
+        "--output=" TRACE_OUTPUT,
+        "--noprofile",
+        "--caps.drop=all",
+        "--nonewprivs",
+        "--trace",
+        "--shell=none",
+        "/usr/bin/strace", // also used as a marker in build_profile()
+        "-c",
+        "-f",
+        "-o" STRACE_OUTPUT,
+};
+
+static void clear_tmp_files(void) {
+        unlink(STRACE_OUTPUT);
+        unlink(TRACE_OUTPUT);
+        
+        // run all the rest
+        int i;
+        for (i = 1; i <= 5; i++) {
+                char *newname;
+                if (asprintf(&newname, "%s.%d", TRACE_OUTPUT, i) == -1)
+                        errExit("asprintf");
+                unlink(newname);
+                free(newname);
+        }
+
+}
+
+void build_profile(int argc, char **argv, int index) {
+        // next index is the application name
+        if (index >= argc) {
+                fprintf(stderr, "Error: application name missing\n");
+                exit(1);
+        }
+        
+        // clean /tmp files
+        clear_tmp_files();
+        
+        // detect strace
+        int have_strace = 0;
+        if (access("/usr/bin/strace", X_OK) == 0)
+                have_strace = 1;
+        
+        // calculate command length
+        int len = (int) sizeof(cmdlist) / sizeof(char*) + argc - index + 1;
+        if (arg_debug)
+                printf("command len %d + %d + 1\n", (int) (sizeof(cmdlist) / sizeof(char*)), argc - index);
+        char *cmd[len]; 
+        
+        // build command
+        int i = 0;
+        for (i = 0; i < (int) sizeof(cmdlist) / sizeof(char*); i++) {
+                // skip strace if not installed
+                if (have_strace == 0 && strcmp(cmdlist[i], "/usr/bin/strace") == 0)
+                        break;
+                cmd[i] = cmdlist[i];
+        }
+
+        int i2 = index;
+        for (; i < (len - 1); i++, i2++)
+                cmd[i] = argv[i2];
+        cmd[i] = NULL;
+
+        if (arg_debug) {
+                for (i = 0; i < len; i++)
+                        printf("\t%s\n", cmd[i]);
+        }
+        
+        // fork and execute
+        pid_t child = fork();
+        if (child == -1)
+                errExit("fork");
+        if (child == 0) {
+                int rv = execvp(cmd[0], cmd);
+                errExit("execv");
+        }
+        
+        // wait for all processes to finish
+        int status;
+        if (waitpid(child, &status, 0) != child)
+                errExit("waitpid");
+
+        if (WIFEXITED(status) && WEXITSTATUS(status) == 0) {
+                printf("\n\n\n");
+                printf("############################################\n");
+                printf("# %s profile\n", argv[index]);
+                printf("############################################\n");
+                printf("# Persistent global definitions\n");
+                printf("# include /etc/firejail/globals.local\n");
+                printf("\n");
+                
+                printf("### basic blacklisting\n");
+                printf("include /etc/firejail/disable-common.inc\n");
+                printf("# include /etc/firejail/disable-devel.inc\n");
+                printf("include /etc/firejail/disable-passwdmgr.inc\n");
+                printf("# include /etc/firejail/disable-programs.inc\n");
+                printf("\n");
+                
+                printf("### home directory whitelisting\n");
+                build_home(TRACE_OUTPUT);
+                printf("\n");
+                
+                printf("### filesystem\n");
+                build_tmp(TRACE_OUTPUT);
+                build_dev(TRACE_OUTPUT);
+                build_etc(TRACE_OUTPUT);
+                build_var(TRACE_OUTPUT);
+                build_bin(TRACE_OUTPUT);
+                printf("\n");
+
+                printf("### security filters\n");
+                printf("caps.drop all\n");
+                printf("nonewprivs\n");
+                printf("seccomp\n");
+                if (have_strace)
+                        build_seccomp(STRACE_OUTPUT);
+                else {
+                        printf("# If you install strace on your system, Firejail will also create a\n");
+                        printf("# whitelisted seccomp filter.\n");
+                }
+                printf("\n");
+
+                printf("### network\n");
+                build_protocol(TRACE_OUTPUT);
+                printf("\n");
+                
+                printf("### environment\n");
+                printf("shell none\n");
+
+        }
+        else {
+                fprintf(stderr, "Error: cannot run the sandbox\n");
+                exit(1);
+        }
+}
diff --git a/src/fbuilder/build_seccomp.c b/src/fbuilder/build_seccomp.c
new file mode 100644
index 000000000..18a767518
--- /dev/null
+++ b/src/fbuilder/build_seccomp.c
@@ -0,0 +1,191 @@
+/*
+ * Copyright (C) 2014-2017 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+
+#include "fbuilder.h"
+
+void build_seccomp(const char *fname) {
+        assert(fname);
+        
+        FILE *fp = fopen(fname, "r");
+        if (!fp) {
+                fprintf(stderr, "Error: cannot open %s\n", fname);
+                exit(1);
+        }
+        
+        char buf[MAX_BUF];
+        int line = 1;
+        int position = 0;
+        int cnt = 0;
+        while (fgets(buf, MAX_BUF, fp)) {
+                // remove \n
+                char *ptr = strchr(buf, '\n');
+                if (ptr)
+                        *ptr = '\0';
+                
+                // first line:
+                //% time     seconds  usecs/call     calls    errors syscall
+                if (line == 1) {
+                        // extract syscall position
+                        ptr = strstr(buf, "syscall");
+                        if (*buf != '%' || ptr == NULL) {
+                                // skip this line, it could be garbage from strace
+                                continue;
+                        }
+                        position = (int) (ptr - buf);
+                }
+                else if (line == 2) {
+                        if (*buf != '-') {
+                                fprintf(stderr, "Error: invalid strace output\n%s\n", buf);
+                                exit(1);
+                        }
+                }
+                else {
+                        // get out on the next "----" line
+                        if (*buf == '-')
+                                break;
+                        
+                        if (line == 3)
+                                printf("# seccomp.keep %s", buf + position);
+                        else
+                                printf(",%s", buf + position);
+                        cnt++;
+                }
+                line++;
+        }
+        printf("\n");
+        printf("# %d syscalls total\n", cnt);
+        printf("# Probably you will need to add more syscalls to seccomp.keep. Look for\n");
+        printf("# seccomp errors in /var/log/syslog or /var/log/audit/audit.log while\n");
+        printf("# running your sandbox.\n");
+
+        fclose(fp);
+}
+
+//***************************************
+// protocol
+//***************************************
+int unix_s = 0;
+int inet = 0;
+int inet6 = 0;
+int netlink = 0;
+int packet = 0;
+static void process_protocol(const char *fname) {
+        assert(fname);
+        
+        // process trace file
+        FILE *fp = fopen(fname, "r");
+        if (!fp) {
+                fprintf(stderr, "Error: cannot open %s\n", fname);
+                exit(1);
+        }
+        
+        char buf[MAX_BUF];
+        while (fgets(buf, MAX_BUF, fp)) {
+                // remove \n
+                char *ptr = strchr(buf, '\n');
+                if (ptr)
+                        *ptr = '\0';
+        
+                // parse line: 4:galculator:access /etc/fonts/conf.d:0
+                // number followed by :
+                ptr = buf;
+                if (!isdigit(*ptr))
+                        continue;
+                while (isdigit(*ptr))
+                        ptr++;
+                if (*ptr != ':')
+                        continue;
+                ptr++;
+
+                // next :
+                ptr = strchr(ptr, ':');
+                if (!ptr)
+                        continue;
+                ptr++;
+                if (strncmp(ptr, "socket ", 7) == 0)
+                        ptr +=  7;
+                else
+                        continue;
+
+                if (strncmp(ptr, "AF_LOCAL ", 9) == 0)
+                        unix_s = 1;
+                else if (strncmp(ptr, "AF_INET ", 8) == 0)
+                        inet = 1;
+                else if (strncmp(ptr, "AF_INET6 ", 9) == 0)
+                        inet6 = 1;
+                else if (strncmp(ptr, "AF_NETLINK ", 9) == 0)
+                        netlink = 1;
+                else if (strncmp(ptr, "AF_PACKET ", 9) == 0)
+                        packet = 1;
+        }
+        
+        fclose(fp);
+}
+
+
+// process fname, fname.1, fname.2, fname.3, fname.4, fname.5
+void build_protocol(const char *fname) {
+        assert(fname);
+        
+        // run fname
+        process_protocol(fname);
+        
+        // run all the rest
+        struct stat s;
+        int i;
+        for (i = 1; i <= 5; i++) {
+                char *newname;
+                if (asprintf(&newname, "%s.%d", fname, i) == -1)
+                        errExit("asprintf");
+                if (stat(newname, &s) == 0)
+                        process_protocol(newname);
+                free(newname);
+        }
+        
+        int net = 0;
+        if (unix_s || inet || inet6 || netlink || packet) {
+                printf("protocol ");
+                if (unix_s)
+                        printf("unix,");
+                if (inet) {
+                        printf("inet,");
+                        net = 1;
+                }
+                if (inet6) {
+                        printf("inet6,");
+                        net = 1;
+                }
+                if (netlink)
+                        printf("netlink,");
+                if (packet) {
+                        printf("packet");
+                        net = 1;
+                }
+                printf("\n");
+        }
+
+        if (net == 0)
+                printf("net none\n");
+        else {
+                printf("# net eth0\n");
+                printf("netfilter\n");
+        }
+}
+
diff --git a/src/fbuilder/fbuilder.h b/src/fbuilder/fbuilder.h
new file mode 100644
index 000000000..c448f3e06
--- /dev/null
+++ b/src/fbuilder/fbuilder.h
@@ -0,0 +1,68 @@
+/*
+ * Copyright (C) 2014-2017 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+
+#ifndef FBUILDER_H
+#define FBUILDER_H
+#include "../include/common.h"
+#include <sys/types.h>
+#include <pwd.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+ 
+
+#define MAX_BUF 4096
+// main.c
+extern int arg_debug;
+
+// build_profile.c
+void build_profile(int argc, char **argv, int index);
+
+// build_seccomp.c
+void build_seccomp(const char *fname);
+void build_protocol(const char *fname);
+
+// build_fs.c
+void build_etc(const char *fname);
+void build_var(const char *fname);
+void build_tmp(const char *fname);
+void build_dev(const char *fname);
+
+// build_bin.c
+void build_bin(const char *fname);
+
+// build_home.c
+void build_home(const char *fname);
+
+// utils.c
+int is_dir(const char *fname);
+char *extract_dir(char *fname);
+
+// filedb.c
+typedef struct filedb_t {
+        struct filedb_t *next;
+        char *fname;    // file name
+        int len;                // length of file name
+} FileDB;
+
+FileDB *filedb_add(FileDB *head, const char *fname);
+FileDB *filedb_find(FileDB *head, const char *fname);
+void filedb_print(FileDB *head, const char *prefix);
+
+#endif
\ No newline at end of file
diff --git a/src/fbuilder/filedb.c b/src/fbuilder/filedb.c
new file mode 100644
index 000000000..a76fbc961
--- /dev/null
+++ b/src/fbuilder/filedb.c
@@ -0,0 +1,79 @@
+/*
+ * Copyright (C) 2014-2017 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+
+#include "fbuilder.h"
+
+FileDB *filedb_find(FileDB *head, const char *fname) {
+        FileDB *ptr = head;
+        int found = 0;
+        int len = strlen(fname);
+        
+        while (ptr) {
+                // exact name
+                if (strcmp(fname, ptr->fname) == 0) {
+                        found = 1;
+                        break;
+                }
+                
+                // parent directory in the list
+                if (len > ptr->len &&
+                    fname[ptr->len] == '/' &&
+                    strncmp(ptr->fname, fname, ptr->len) == 0) {
+                        found = 1;
+                        break;
+                }
+
+                ptr = ptr->next;
+        }
+        
+        if (found)
+                return ptr;
+        
+        return NULL;
+}
+
+FileDB *filedb_add(FileDB *head, const char *fname) {
+        assert(fname);
+
+        // don't add it if it is already there or if the parent directory is already in the list
+        if (filedb_find(head, fname))
+                return head;
+        
+        // add a new entry
+        FileDB *entry = malloc(sizeof(FileDB));
+        if (!entry)
+                errExit("malloc");
+        memset(entry, 0, sizeof(FileDB));
+        entry->fname = strdup(fname);
+        if (!entry->fname)
+                errExit("strdup");
+        entry->len = strlen(entry->fname);
+        entry->next = head;
+        return entry;
+};
+
+void filedb_print(FileDB *head, const char *prefix) {
+        FileDB *ptr = head;
+        while (ptr) {
+                printf("%s%s\n", prefix, ptr->fname);
+                ptr = ptr->next;
+        }
+}
+
diff --git a/src/fbuilder/main.c b/src/fbuilder/main.c
new file mode 100644
index 000000000..83217ef98
--- /dev/null
+++ b/src/fbuilder/main.c
@@ -0,0 +1,71 @@
+/*
+ * Copyright (C) 2014-2017 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "fbuilder.h"
+int arg_debug = 0;
+
+static void usage(void) {
+        printf("Firejail profile builder\n");
+        printf("Usage: firejail [--debug] --build program-and-arguments\n");
+}
+
+int main(int argc, char **argv) {
+#if 0
+{
+system("cat /proc/self/status");
+int i;
+for (i = 0; i < argc; i++)
+        printf("*%s* ", argv[i]);
+printf("\n");
+}
+#endif
+
+        int i;
+        int prog_index = 0;
+        
+        // parse arguments and extract program index
+        for (i = 1; i < argc; i++) {
+                if (strcmp(argv[i], "-h") == 0 || strcmp(argv[i], "--help") == 0 || strcmp(argv[i], "-?") ==0) {
+                        usage();
+                        return 0;
+                }
+                else if (strcmp(argv[i], "--debug") == 0)
+                        arg_debug = 1;
+                else if (strcmp(argv[i], "--build") == 0)
+                        ; // do nothing, this is passed down from firejail
+                else {
+                        if (*argv[i] == '-') {
+                                fprintf(stderr, "Error fbuilder: invalid program\n");
+                                usage();
+                                exit(1);
+                        }
+                        prog_index = i;
+                        break;
+                }
+        }
+        
+        if (prog_index == 0) {
+                fprintf(stderr, "Error fbuilder: program and arguments required\n");
+                usage();
+                exit(1);
+        }
+        
+        build_profile(argc, argv, prog_index);
+        return 0;
+}
diff --git a/src/fbuilder/utils.c b/src/fbuilder/utils.c
new file mode 100644
index 000000000..902290899
--- /dev/null
+++ b/src/fbuilder/utils.c
@@ -0,0 +1,72 @@
+/*
+ * Copyright (C) 2014-2017 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+
+#include "fbuilder.h"
+
+// todo: duplicated from src/firejail/util.c - remove dplication
+// return 1 if the file is a directory
+int is_dir(const char *fname) {
+        assert(fname);
+        if (*fname == '\0')
+                return 0;
+
+        // if fname doesn't end in '/', add one
+        int rv;
+        struct stat s;
+        if (fname[strlen(fname) - 1] == '/')
+                rv = stat(fname, &s);
+        else {
+                char *tmp;
+                if (asprintf(&tmp, "%s/", fname) == -1) {
+                        fprintf(stderr, "Error: cannot allocate memory, %s:%d\n", __FILE__, __LINE__);
+                        errExit("asprintf");
+                }
+                rv = stat(tmp, &s);
+                free(tmp);
+        }
+
+        if (rv == -1)
+                return 0;
+
+        if (S_ISDIR(s.st_mode))
+                return 1;
+
+        return 0;
+}
+
+// return NULL if fname is already a directory, or if no directory found
+char *extract_dir(char *fname) {
+        assert(fname);
+        if (is_dir(fname))
+                return NULL;
+        
+        char *name = strdup(fname);
+        if (!name)
+                errExit("strdup");
+                
+        char *ptr = strrchr(name, '/');
+        if (!ptr) {
+                free(name);
+                return NULL;
+        }
+        *ptr = '\0';
+        
+        return name;
+}
diff --git a/src/fcopy/main.c b/src/fcopy/main.c
index da5ade428..e7b4ffa8a 100644
--- a/src/fcopy/main.c
+++ b/src/fcopy/main.c
@@ -22,6 +22,7 @@
 #include <fcntl.h>
 #include <ftw.h>
 #include <errno.h>
+#include <pwd.h>
 
 int arg_quiet = 0;
 static int arg_follow_link = 0;
@@ -199,10 +200,22 @@ static char *check(const char *src) {
         if (!rsrc || stat(rsrc, &s) == -1)
                 goto errexit;
 
-        // check uid
+        // on systems with systemd-resolved installed /etc/resolve.conf is a symlink to
+        //    /run/systemd/resolve/resolv.conf; this file is owned by systemd-resolve user
         // checking gid will fail for files with a larger group such as /usr/bin/mutt_dotlock
-        if (s.st_uid != getuid()/* || s.st_gid != getgid()*/)
-                goto errexit;
+        uid_t user = getuid();
+        if (user == 0 && strcmp(rsrc, "/run/systemd/resolve/resolv.conf") == 0) {
+                // check user systemd-resolve
+                struct passwd *p = getpwnam("systemd-resolve");
+                if (!p)
+                        goto errexit;
+                if (s.st_uid != user && s.st_uid != p->pw_uid)
+                        goto errexit;
+        }
+        else {
+                if (s.st_uid != user)
+                        goto errexit;
+        }
 
         // dir, link, regular file
         if (S_ISDIR(s.st_mode) || S_ISREG(s.st_mode) || S_ISLNK(s.st_mode))
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 79b263823..95fc14d04 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -8,15 +8,20 @@
 Cyberfox
 FossaMail
 Mathematica
+Natron
 Telegram
+Viber
 VirtualBox
 Wire
 Xephyr
 abrowser
 akregator
 amarok
+amule
 android-studio
 apktool
+ardour4
+ardour5
 arduino
 ark
 arm
@@ -34,18 +39,33 @@ bitlbee
 bleachbit
 blender
 bless
+brackets
 brasero
 brave
 calibre
+calligra
+calligraauthor
+calligraconverter
+calligraflow
+calligraplan
+calligraplanwork
+calligrasheets
+calligrastage
+calligrawords
 catfish
 cherrytree
 chromium
 chromium-browser
+cin
+clamdscan
+clamdtop
+clamscan
 claws-mail
 clementine
 clipit
 cmus
 conkeror
+conky
 corebird
 cvlc
 cyberfox
@@ -61,6 +81,8 @@ display
 dnscrypt-proxy
 dnsmasq
 dolphin
+dooble
+dooble-qt4
 dosbox
 dragon
 dropbox
@@ -85,6 +107,9 @@ flashpeak-slimjet
 flowblade
 fontforge
 franz
+freecad
+freecadcmd
+freshclam
 frozen-bubble
 gajim
 galculator
@@ -118,6 +143,7 @@ google-chrome
 google-chrome-beta
 google-chrome-stable
 google-chrome-unstable
+google-earth
 google-play-music-desktop-player
 gpa
 gpicview
@@ -137,6 +163,7 @@ icecat
 icedove
 iceweasel
 idea.sh
+imagej
 img2txt
 inkscape
 inox
@@ -145,8 +172,10 @@ iridium-browser
 jd-gui
 jitsi
 k3b
+karbon
 kate
 kcalc
+kdenlive
 keepass
 keepass2
 keepassx
@@ -157,12 +186,15 @@ kmail
 knotes
 kodi
 konversation
+krita
 ktorrent
 kwrite
 leafpad
 less
 libreoffice
 liferea
+linphone
+lmms
 localc
 lodraw
 loffice
@@ -176,6 +208,7 @@ luminance-hdr
 lximage-qt
 lxmusic
 lynx
+macrofusion
 mate-calc
 mate-calculator
 mate-color-select
@@ -196,6 +229,7 @@ mupdf
 mupen64plus
 musescore
 mutt
+natron
 nautilus
 netsurf
 neverball
@@ -234,13 +268,16 @@ rambox
 ranger
 remmina
 rhythmbox
+ricochet
 riot-web
 ristretto
+rocketchat
 rtorrent
 scribus
 sdat2img
 seamonkey
 seamonkey-bin
+shotcut
 silentarmy
 simple-scan
 simutrans
@@ -261,9 +298,12 @@ stellarium
 strings
 supertux2
 synfigstudio
+teamspeak3
 telegram
 telegram-desktop
+terasology
 thunderbird
+tor-browser-en
 totem
 tracker
 transmission-cli
@@ -304,6 +344,7 @@ xfce4-dict
 xfce4-notes
 xiphos
 xmms
+xmr-stak-cpu
 xonotic
 xonotic-glx
 xonotic-sdl
@@ -314,5 +355,6 @@ xreader
 xviewer
 yandex-browser
 youtube-dl
+zart
 zathura
 zoom
diff --git a/src/firecfg/main.c b/src/firecfg/main.c
index 1ecfbf524..82b30c2c5 100644
--- a/src/firecfg/main.c
+++ b/src/firecfg/main.c
@@ -330,23 +330,39 @@ static void set_links(void) {
         free(firejail_exec);
 }
 
-int have_profile(const char *filename) {
+// look for a profile file in /etc/firejail diectory and in homedir/.config/firejail directory
+static int have_profile(const char *filename, const char *homedir) {
+        assert(filename);
+        assert(homedir);
+printf("test #%s# #%s#\n", filename, homedir);
+
         // remove .desktop extension
         char *f1 = strdup(filename);
         if (!f1)
                 errExit("strdup");
         f1[strlen(filename) - 8] = '\0';
+printf("#%s#\n", f1);
 
         // build profile name
-        char *profname;
-        if (asprintf(&profname, "%s/%s.profile", SYSCONFDIR, f1) == -1)
+        char *profname1;
+        char *profname2;
+        if (asprintf(&profname1, "%s/%s.profile", SYSCONFDIR, f1) == -1)
                 errExit("asprintf");
-
-        struct stat s;
-        int rv = stat(profname, &s);
+        if (asprintf(&profname2, "%s/./configure/firejail/%s.profile", homedir, f1) == -1)
+                errExit("asprintf");
+printf("#%s#\n", profname1);
+printf("#%s#\n", profname2);
+
+        int rv = 0;
+        if (access(profname1, R_OK) == 0)
+                rv = 1;
+        else if (access(profname2, R_OK) == 0)
+                rv == 1;
+                
         free(f1);
-        free(profname);
-        return (rv == 0)? 1: 0;
+        free(profname1);
+        free(profname2);
+        return rv;
 }
 
 static void fix_desktop_files(char *homedir) {
@@ -411,7 +427,7 @@ static void fix_desktop_files(char *homedir) {
                         errExit("stat");
 
                 // no profile in /etc/firejail, no desktop file fixing
-                if (!have_profile(filename))
+                if (!have_profile(filename, homedir))
                         continue;
 
                 /* coverity[toctou] */
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 399770142..1b49c5fb3 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -849,6 +849,24 @@ static int check_arg(int argc, char **argv, const char *argument) {
         return found;
 }
 
+static void run_builder(int argc, char **argv) {
+        EUID_ASSERT();
+
+        // drop privileges
+        if (setgid(getgid()) < 0)
+                errExit("setgid/getgid");
+        if (setuid(getuid()) < 0)
+                errExit("setuid/getuid");
+        assert(getenv("LD_PRELOAD") == NULL);
+        
+        argv[0] = LIBDIR "/firejail/fbuilder";
+        execvp(argv[0], argv);
+
+        perror("execvp");
+        exit(1);
+}
+
+
 //*******************************************
 // Main program
 //*******************************************
@@ -907,6 +925,10 @@ int main(int argc, char **argv) {
                 git_uninstall(); // this function will not return
 #endif
 
+        // profile builder
+        if (check_arg(argc, argv, "--build"))
+                run_builder(argc, argv); // this function will not return
+                
         // check argv[0] symlink wrapper if this is not a login shell
         if (*argv[0] != '-')
                 run_symlink(argc, argv); // this function will not return
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index fc7dbd69c..f09eb6416 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -44,6 +44,7 @@ void usage(void) {
         printf("    --bind=filename1,filename2 - mount-bind filename1 on top of filename2.\n");
 #endif
         printf("    --blacklist=filename - blacklist directory or file.\n");
+        printf("    --build - build a whitelisted profile for the application.\n");
         printf("    -c - execute command and exit.\n");
         printf("    --caps - enable default Linux capabilities filter.\n");
         printf("    --caps.drop=all - drop all capabilities.\n");
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 3e0729620..4d1c94c25 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -196,7 +196,7 @@ static int copy_file_by_fd(int src, int dst) {
                         done += rv;
                 }
         }
-        fflush(0);
+//      fflush(0);
         return 0;
 }
 
diff --git a/src/libtrace/libtrace.c b/src/libtrace/libtrace.c
index 5cdb254a3..04cf64997 100644
--- a/src/libtrace/libtrace.c
+++ b/src/libtrace/libtrace.c
@@ -673,3 +673,15 @@ int setresgid(gid_t rgid, gid_t egid, gid_t sgid) {
 
         return rv;
 }
+
+// every time a new process is started, this gets called
+// it can be used to build things like private-bin
+__attribute__((constructor))
+static void log_exec(int argc, char** argv) {
+        static char buf[PATH_MAX + 1];
+        int rv = readlink("/proc/self/exe", buf, PATH_MAX);
+        if (rv != -1) {
+                buf[rv] = '\0'; // readlink does not add a '\0' at the end
+                printf("%u:%s:exec %s:0\n", pid(), name(), buf);
+        }
+}
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 2dd3abbb7..f205bfa30 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -154,6 +154,18 @@ $ firejail "\-\-blacklist=/home/username/My Virtual Machines"
 .br
 $ firejail \-\-blacklist=/home/username/My\\ Virtual\\ Machines
 .TP
+\fB\-\-build
+The command builds a whitelisted profile. If /usr/bin/strace is installed on the system, it also
+builds a whitelisted seccomp profile. The program is run in a very relaxed sandbox,
+with only --caps.drop=all and --nonewprivs. Programs that raise user privileges are not supported
+in order to allow strace to run. Chromium and Chromium-based browsers will not work.
+.br
+
+.br
+Example:
+.br
+$ firejail --build vlc ~/Videos/test.mp4
+.TP
 \fB\-c
 Execute command and exit.
 .TP