reorganize github etc directory

author: netblue30 <netblue30@yahoo.com> 2020-04-21 08:24:28 -0400
committer: netblue30 <netblue30@yahoo.com> 2020-04-21 08:24:28 -0400
commit: 018d75775eab4a0f045949a9d069c57686ca2686 (patch)
tree: aac3a1a65cca0d4875795c55109a5c3e35efdefb /etc/profile-a-l
parent: small fixes (diff)
download: firejail-018d75775eab4a0f045949a9d069c57686ca2686.tar.gz
firejail-018d75775eab4a0f045949a9d069c57686ca2686.tar.zst
firejail-018d75775eab4a0f045949a9d069c57686ca2686.zip
483 files changed, 15478 insertions, 0 deletions
diff --git a/etc/profile-a-l/0ad.profile b/etc/profile-a-l/0ad.profile
new file mode 100644
index 000000000..6869ea631
--- /dev/null
+++ b/etc/profile-a-l/0ad.profile
@@ -0,0 +1,53 @@
+# Firejail profile for 0ad
+# Description: Real-time strategy game of ancient warfare
+# This file is overwritten after every install/update
+# Persistent local customizations
+include 0ad.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.cache/0ad
+noblacklist ${HOME}/.config/0ad
+noblacklist ${HOME}/.local/share/0ad
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+mkdir ${HOME}/.cache/0ad
+mkdir ${HOME}/.config/0ad
+mkdir ${HOME}/.local/share/0ad
+whitelist ${HOME}/.cache/0ad
+whitelist ${HOME}/.config/0ad
+whitelist ${HOME}/.local/share/0ad
+whitelist /usr/share/0ad
+whitelist /usr/share/games
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin 0ad,pyrogenesis,sh,which
+private-cache
+private-dev
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/2048-qt.profile b/etc/profile-a-l/2048-qt.profile
new file mode 100644
index 000000000..12268706a
--- /dev/null
+++ b/etc/profile-a-l/2048-qt.profile
@@ -0,0 +1,43 @@
+# Firejail profile for 2048-qt
+# Description: Mathematics based puzzle game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include 2048-qt.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/2048-qt
+noblacklist ${HOME}/.config/xiaoyong
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+mkdir ${HOME}/.config/2048-qt
+mkdir ${HOME}/.config/xiaoyong
+whitelist ${HOME}/.config/2048-qt
+whitelist ${HOME}/.config/xiaoyong
+include whitelist-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+disable-mnt
+private-dev
+private-tmp
diff --git a/etc/profile-a-l/7z.profile b/etc/profile-a-l/7z.profile
new file mode 100644
index 000000000..02a2e7ea0
--- /dev/null
+++ b/etc/profile-a-l/7z.profile
@@ -0,0 +1,47 @@
+# Firejail profile for 7z
+# Description: File archiver with high compression ratio
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include 7z.local
+# Persistent global definitions
+include globals.local
+blacklist ${RUNUSER}/wayland-*
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+apparmor
+caps.drop all
+hostname 7z
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+#nogroups
+nonewprivs
+#noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+#private-bin 7z,7z*,p7zip
+private-cache
+private-dev
+dbus-user none
+dbus-system none
+memory-deny-write-execute
diff --git a/etc/profile-a-l/7za.profile b/etc/profile-a-l/7za.profile
new file mode 100644
index 000000000..9cd04cad1
--- /dev/null
+++ b/etc/profile-a-l/7za.profile
@@ -0,0 +1,12 @@
+# Firejail profile for 7za
+# Description: File archiver with high compression ratio
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include 7za.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include 7z.profile
diff --git a/etc/profile-a-l/7zr.profile b/etc/profile-a-l/7zr.profile
new file mode 100644
index 000000000..bd3842900
--- /dev/null
+++ b/etc/profile-a-l/7zr.profile
@@ -0,0 +1,12 @@
+# Firejail profile for 7zr
+# Description: File archiver with high compression ratio
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include 7zr.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include 7z.profile
diff --git a/etc/profile-a-l/Builder.profile b/etc/profile-a-l/Builder.profile
new file mode 100644
index 000000000..54b437441
--- /dev/null
+++ b/etc/profile-a-l/Builder.profile
@@ -0,0 +1,6 @@
+# Firejail profile for gnome-builder
+# This file is overwritten after every install/update
+# Temporary fix for https://github.com/netblue30/firejail/issues/2624
+# Redirect
+include gnome-builder.profile
diff --git a/etc/profile-a-l/Cheese.profile b/etc/profile-a-l/Cheese.profile
new file mode 100644
index 000000000..5bb5064f0
--- /dev/null
+++ b/etc/profile-a-l/Cheese.profile
@@ -0,0 +1,6 @@
+# Firejail profile for cheese
+# This file is overwritten after every install/update
+# Temporary fix for https://github.com/netblue30/firejail/issues/2624
+# Redirect
+include cheese.profile
diff --git a/etc/profile-a-l/Cryptocat.profile b/etc/profile-a-l/Cryptocat.profile
new file mode 100644
index 000000000..e9cc07bd7
--- /dev/null
+++ b/etc/profile-a-l/Cryptocat.profile
@@ -0,0 +1,31 @@
+# Firejail profile for Cryptocat
+# This file is overwritten after every install/update
+# Persistent local customizations
+include Cryptocat.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/Cryptocat
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+private-cache
+private-dev
+private-tmp
diff --git a/etc/profile-a-l/Cyberfox.profile b/etc/profile-a-l/Cyberfox.profile
new file mode 100644
index 000000000..26a4348c9
--- /dev/null
+++ b/etc/profile-a-l/Cyberfox.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for cyberfox
+# This file is overwritten after every install/update
+# Redirect
+include cyberfox.profile
diff --git a/etc/profile-a-l/Discord.profile b/etc/profile-a-l/Discord.profile
new file mode 100644
index 000000000..3f274b21c
--- /dev/null
+++ b/etc/profile-a-l/Discord.profile
@@ -0,0 +1,17 @@
+# Firejail profile for Discord
+# This file is overwritten after every install/update
+# Persistent local customizations
+include Discord.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/discord
+mkdir ${HOME}/.config/discord
+whitelist ${HOME}/.config/discord
+private-bin Discord
+private-opt Discord
+# Redirect
+include discord-common.profile
diff --git a/etc/profile-a-l/DiscordCanary.profile b/etc/profile-a-l/DiscordCanary.profile
new file mode 100644
index 000000000..d24e73ed8
--- /dev/null
+++ b/etc/profile-a-l/DiscordCanary.profile
@@ -0,0 +1,17 @@
+# Firejail profile for DiscordCanary
+# This file is overwritten after every install/update
+# Persistent local customizations
+include DiscordCanary.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/discordcanary
+mkdir ${HOME}/.config/discordcanary
+whitelist ${HOME}/.config/discordcanary
+private-bin DiscordCanary
+private-opt DiscordCanary
+# Redirect
+include discord-common.profile
diff --git a/etc/profile-a-l/Documents.profile b/etc/profile-a-l/Documents.profile
new file mode 100644
index 000000000..171ab4357
--- /dev/null
+++ b/etc/profile-a-l/Documents.profile
@@ -0,0 +1,6 @@
+# Firejail profile for gnome-documents
+# This file is overwritten after every install/update
+# Temporary fix for https://github.com/netblue30/firejail/issues/2624
+# Redirect
+include gnome-documents.profile
diff --git a/etc/profile-a-l/FossaMail.profile b/etc/profile-a-l/FossaMail.profile
new file mode 100644
index 000000000..9e1f61421
--- /dev/null
+++ b/etc/profile-a-l/FossaMail.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for fossamail
+# This file is overwritten after every install/update
+# Redirect
+include fossamail.profile
diff --git a/etc/profile-a-l/Fritzing.profile b/etc/profile-a-l/Fritzing.profile
new file mode 100644
index 000000000..d318da885
--- /dev/null
+++ b/etc/profile-a-l/Fritzing.profile
@@ -0,0 +1,39 @@
+# Firejail profile for fritzing
+# Description: Easy-to-use electronic design software
+# This file is overwritten after every install/update
+# Persistent local customizations
+include Fritzing.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/Fritzing
+noblacklist ${DOCUMENTS}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-var-common.inc
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+private-dev
+private-tmp
diff --git a/etc/profile-a-l/Gitter.profile b/etc/profile-a-l/Gitter.profile
new file mode 100644
index 000000000..a8bcb6a54
--- /dev/null
+++ b/etc/profile-a-l/Gitter.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for Gitter
+# This file is overwritten after every install/update
+# Redirect
+include gitter.profile
diff --git a/etc/profile-a-l/JDownloader.profile b/etc/profile-a-l/JDownloader.profile
new file mode 100644
index 000000000..45ec71e63
--- /dev/null
+++ b/etc/profile-a-l/JDownloader.profile
@@ -0,0 +1,48 @@
+# Firejail profile for JDownloader
+# This file is overwritten after every install/update
+# Persistent local customizations
+include JDownloader.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.jd
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.jd
+whitelist ${HOME}/.jd
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-var-common.inc
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+private-cache
+private-dev
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/Logs.profile b/etc/profile-a-l/Logs.profile
new file mode 100644
index 000000000..431439f17
--- /dev/null
+++ b/etc/profile-a-l/Logs.profile
@@ -0,0 +1,6 @@
+# Firejail profile for gnome-logs
+# This file is overwritten after every install/update
+# Temporary fix for https://github.com/netblue30/firejail/issues/2624
+# Redirect
+include gnome-logs.profile
diff --git a/etc/profile-a-l/abiword.profile b/etc/profile-a-l/abiword.profile
new file mode 100644
index 000000000..948d3774a
--- /dev/null
+++ b/etc/profile-a-l/abiword.profile
@@ -0,0 +1,48 @@
+# Firejail profile for abiword
+# Description: flexible cross-platform word processor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include abiword.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/abiword
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+whitelist /usr/share/abiword-3.0
+include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+private-bin abiword
+private-cache
+private-dev
+private-etc fonts,gtk-3.0,passwd
+private-tmp
+# dbus-user none
+# dbus-system none
diff --git a/etc/profile-a-l/abrowser.profile b/etc/profile-a-l/abrowser.profile
new file mode 100644
index 000000000..2e6e8f1af
--- /dev/null
+++ b/etc/profile-a-l/abrowser.profile
@@ -0,0 +1,20 @@
+# Firejail profile for abrowser
+# This file is overwritten after every install/update
+# Persistent local customizations
+include abrowser.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.cache/mozilla
+noblacklist ${HOME}/.mozilla
+mkdir ${HOME}/.cache/mozilla/abrowser
+mkdir ${HOME}/.mozilla
+whitelist ${HOME}/.cache/mozilla/abrowser
+whitelist ${HOME}/.mozilla
+# private-etc must first be enabled in firefox-common.profile
+#private-etc abrowser
+# Redirect
+include firefox-common.profile
diff --git a/etc/profile-a-l/acat.profile b/etc/profile-a-l/acat.profile
new file mode 100644
index 000000000..522d8db4e
--- /dev/null
+++ b/etc/profile-a-l/acat.profile
@@ -0,0 +1,11 @@
+# Firejail profile for acat
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include acat.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include atool.profile
diff --git a/etc/profile-a-l/adiff.profile b/etc/profile-a-l/adiff.profile
new file mode 100644
index 000000000..a80886d56
--- /dev/null
+++ b/etc/profile-a-l/adiff.profile
@@ -0,0 +1,11 @@
+# Firejail profile for adiff
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include adiff.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include atool.profile
diff --git a/etc/profile-a-l/akonadi_control.profile b/etc/profile-a-l/akonadi_control.profile
new file mode 100644
index 000000000..ffc613f1e
--- /dev/null
+++ b/etc/profile-a-l/akonadi_control.profile
@@ -0,0 +1,55 @@
+# Firejail profile for akonadi_control
+# Persistent local customizations
+include akonadi_control.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.cache/akonadi*
+noblacklist ${HOME}/.config/akonadi*
+noblacklist ${HOME}/.config/baloorc
+noblacklist ${HOME}/.config/emaildefaults
+noblacklist ${HOME}/.config/emailidentities
+noblacklist ${HOME}/.config/kmail2rc
+noblacklist ${HOME}/.config/mailtransports
+noblacklist ${HOME}/.config/specialmailcollectionsrc
+noblacklist ${HOME}/.local/share/akonadi*
+noblacklist ${HOME}/.local/share/apps/korganizer
+noblacklist ${HOME}/.local/share/contacts
+noblacklist ${HOME}/.local/share/local-mail
+noblacklist ${HOME}/.local/share/notes
+noblacklist /sbin
+noblacklist /tmp/akonadi-*
+noblacklist /usr/sbin
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include whitelist-var-common.inc
+# disabled options below are not compatible with the apparmor profile for mysqld-akonadi.
+# this affects ubuntu and debian currently
+# apparmor
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+# nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+# protocol unix,inet,inet6,netlink
+# seccomp !io_getevents,!io_setup,!io_submit,!ioprio_set
+tracelog
+private-dev
+# private-tmp - breaks programs that depend on akonadi
diff --git a/etc/profile-a-l/akregator.profile b/etc/profile-a-l/akregator.profile
new file mode 100644
index 000000000..34933f283
--- /dev/null
+++ b/etc/profile-a-l/akregator.profile
@@ -0,0 +1,46 @@
+# Firejail profile for akregator
+# Description: RSS/Atom feed aggregator
+# This file is overwritten after every install/update
+# Persistent local customizations
+include akregator.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/akregatorrc
+noblacklist ${HOME}/.local/share/akregator
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+mkfile ${HOME}/.config/akregatorrc
+mkdir ${HOME}/.local/share/akregator
+whitelist ${HOME}/.config/akregatorrc
+whitelist ${HOME}/.local/share/akregator
+whitelist ${HOME}/.local/share/kssl
+include whitelist-common.inc
+include whitelist-var-common.inc
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+# chroot syscalls are needed for setting up the built-in sandbox
+seccomp !chroot
+shell none
+disable-mnt
+private-bin akregator,akregatorstorageexporter,dbus-launch,kdeinit4,kdeinit4_shutdown,kdeinit4_wrapper,kdeinit5,kdeinit5_shutdown,kdeinit5_wrapper,kshell4,kshell5
+private-dev
+private-tmp
diff --git a/etc/profile-a-l/als.profile b/etc/profile-a-l/als.profile
new file mode 100644
index 000000000..5eae228b6
--- /dev/null
+++ b/etc/profile-a-l/als.profile
@@ -0,0 +1,11 @@
+# Firejail profile for als
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include als.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include atool.profile
diff --git a/etc/profile-a-l/amarok.profile b/etc/profile-a-l/amarok.profile
new file mode 100644
index 000000000..0b974e9ac
--- /dev/null
+++ b/etc/profile-a-l/amarok.profile
@@ -0,0 +1,35 @@
+# Firejail profile for amarok
+# Description: Easy to use media player based on the KDE Platform
+# This file is overwritten after every install/update
+# Persistent local customizations
+include amarok.local
+# Persistent global definitions
+include globals.local
+noblacklist ${MUSIC}
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-var-common.inc
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+# seccomp
+shell none
+# private-bin amarok
+private-dev
+# private-etc alternatives,asound.conf,ca-certificates,crypto-policies,machine-id,pki,pulse,ssl
+private-tmp
diff --git a/etc/profile-a-l/amule.profile b/etc/profile-a-l/amule.profile
new file mode 100644
index 000000000..feb4a5e7e
--- /dev/null
+++ b/etc/profile-a-l/amule.profile
@@ -0,0 +1,42 @@
+# Firejail profile for amule
+# Description: Client for the eD2k and Kad networks, like eMule
+# This file is overwritten after every install/update
+# Persistent local customizations
+include amule.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.aMule
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+mkdir ${HOME}/.aMule
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.aMule
+include whitelist-common.inc
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+private-bin amule
+private-dev
+private-tmp
diff --git a/etc/profile-a-l/amuled.profile b/etc/profile-a-l/amuled.profile
new file mode 100644
index 000000000..58b796875
--- /dev/null
+++ b/etc/profile-a-l/amuled.profile
@@ -0,0 +1,13 @@
+# Firejail profile for amuled
+# Description: Daemon for amule
+# This file is overwritten after every install/update
+# Persistent local customizations
+include amule.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+private-bin amuled
+# Redirect
+include amule.profile
diff --git a/etc/profile-a-l/android-studio.profile b/etc/profile-a-l/android-studio.profile
new file mode 100644
index 000000000..2e4e564dd
--- /dev/null
+++ b/etc/profile-a-l/android-studio.profile
@@ -0,0 +1,41 @@
+# Firejail profile for android-studio
+# This file is overwritten after every install/update
+# Persistent local customizations
+include android-studio.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.AndroidStudio*
+noblacklist ${HOME}/.android
+noblacklist ${HOME}/.jack-server
+noblacklist ${HOME}/.jack-settings
+noblacklist ${HOME}/.local/share/JetBrains
+noblacklist ${HOME}/.ssh
+noblacklist ${HOME}/.tooling
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
+include disable-common.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include whitelist-var-common.inc
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+private-cache
+# private-tmp
+# noexec /tmp breaks 'Android Profiler'
+#noexec /tmp
diff --git a/etc/profile-a-l/anki.profile b/etc/profile-a-l/anki.profile
new file mode 100644
index 000000000..fa688f1a5
--- /dev/null
+++ b/etc/profile-a-l/anki.profile
@@ -0,0 +1,57 @@
+# Firejail profile for anki
+# Description: flexible, intelligent flashcard program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include anki.local
+# Persistent global definitions
+include globals.local
+noblacklist ${DOCUMENTS}
+noblacklist ${HOME}/.local/share/Anki2
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.local/share/Anki2
+whitelist ${DOCUMENTS}
+whitelist ${HOME}/.local/share/Anki2
+include whitelist-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+# QtWebengine needs chroot to set up its own sandbox
+seccomp !chroot
+shell none
+tracelog
+disable-mnt
+private-bin anki,python*
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,fonts,gtk-2.0,hostname,hosts,machine-id,pki,resolv.conf,ssl,Trolltech.conf
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/anydesk.profile b/etc/profile-a-l/anydesk.profile
new file mode 100644
index 000000000..35b18bab4
--- /dev/null
+++ b/etc/profile-a-l/anydesk.profile
@@ -0,0 +1,35 @@
+# Firejail profile for AnyDesk
+# This file is overwritten after every install/update
+# Persistent local customizations
+include anydesk.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.anydesk
+include disable-common.inc
+include disable-devel.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-interpreters.inc
+mkdir ${HOME}/.anydesk
+whitelist ${HOME}/.anydesk
+include whitelist-common.inc
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6
+seccomp
+shell none
+disable-mnt
+private-bin anydesk
+private-dev
+private-tmp
diff --git a/etc/profile-a-l/aosp.profile b/etc/profile-a-l/aosp.profile
new file mode 100644
index 000000000..a5b1ba9f1
--- /dev/null
+++ b/etc/profile-a-l/aosp.profile
@@ -0,0 +1,42 @@
+# Firejail profile for aosp
+# This file is overwritten after every install/update
+# Persistent local customizations
+include aosp.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.android
+noblacklist ${HOME}/.bash_history
+noblacklist ${HOME}/.jack-server
+noblacklist ${HOME}/.jack-settings
+noblacklist ${HOME}/.repo_.gitconfig.json
+noblacklist ${HOME}/.repoconfig
+noblacklist ${HOME}/.ssh
+noblacklist ${HOME}/.tooling
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
+include disable-common.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-var-common.inc
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix,inet,inet6
+#seccomp
+shell none
+private-tmp
diff --git a/etc/profile-a-l/apack.profile b/etc/profile-a-l/apack.profile
new file mode 100644
index 000000000..9fef911af
--- /dev/null
+++ b/etc/profile-a-l/apack.profile
@@ -0,0 +1,11 @@
+# Firejail profile for apack
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include apack.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include atool.profile
diff --git a/etc/profile-a-l/apktool.profile b/etc/profile-a-l/apktool.profile
new file mode 100644
index 000000000..39c5da9ab
--- /dev/null
+++ b/etc/profile-a-l/apktool.profile
@@ -0,0 +1,38 @@
+# Firejail profile for apktool
+# Description: Tool for reverse engineering Android apk files
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include apktool.local
+# Persistent global definitions
+include globals.local
+include disable-common.inc
+include disable-exec.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-var-common.inc
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+private-bin apktool,basename,bash,dirname,expr,java,sh
+private-cache
+private-dev
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/ar.profile b/etc/profile-a-l/ar.profile
new file mode 100644
index 000000000..6ed60ffe5
--- /dev/null
+++ b/etc/profile-a-l/ar.profile
@@ -0,0 +1,47 @@
+# Firejail profile for ar
+# Description: Create, modify, and extract from archives
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include ar.local
+# Persistent global definitions
+include globals.local
+blacklist ${RUNUSER}/wayland-*
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+apparmor
+caps.drop all
+hostname ar
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+#noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+private-bin ar
+private-cache
+private-dev
+dbus-user none
+dbus-system none
+memory-deny-write-execute
diff --git a/etc/profile-a-l/arch-audit.profile b/etc/profile-a-l/arch-audit.profile
new file mode 100644
index 000000000..324730bde
--- /dev/null
+++ b/etc/profile-a-l/arch-audit.profile
@@ -0,0 +1,51 @@
+# Firejail profile for arch-audit
+# Description: A utility like pkg-audit based on Arch CVE Monitoring Team data
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include arch-audit.local
+# Persistent global definitions
+include globals.local
+noblacklist /var/lib/pacman
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+whitelist /usr/share/arch-audit
+include whitelist-usr-share-common.inc
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol inet,inet6
+seccomp
+shell none
+disable-mnt
+private
+private-bin arch-audit
+private-cache
+private-dev
+private-tmp
+dbus-user none
+dbus-system none
+memory-deny-write-execute
diff --git a/etc/profile-a-l/archaudit-report.profile b/etc/profile-a-l/archaudit-report.profile
new file mode 100644
index 000000000..19c37f90e
--- /dev/null
+++ b/etc/profile-a-l/archaudit-report.profile
@@ -0,0 +1,40 @@
+# Firejail profile for archaudit-report
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include archaudit-report.local
+# Persistent global definitions
+include globals.local
+noblacklist /var/lib/pacman
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+disable-mnt
+private
+private-bin arch-audit,archaudit-report,bash,cat,comm,cut,date,fold,grep,pacman,pactree,rm,sed,sort,whoneeds
+#private-dev
+private-tmp
+memory-deny-write-execute
diff --git a/etc/profile-a-l/ardour4.profile b/etc/profile-a-l/ardour4.profile
new file mode 100644
index 000000000..4ad8dd456
--- /dev/null
+++ b/etc/profile-a-l/ardour4.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for ardour5
+# This file is overwritten after every install/update
+# Redirect
+include ardour5.profile
diff --git a/etc/profile-a-l/ardour5.profile b/etc/profile-a-l/ardour5.profile
new file mode 100644
index 000000000..a27cb4f6e
--- /dev/null
+++ b/etc/profile-a-l/ardour5.profile
@@ -0,0 +1,43 @@
+# Firejail profile for ardour5
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ardour5.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/ardour4
+noblacklist ${HOME}/.config/ardour5
+noblacklist ${HOME}/.lv2
+noblacklist ${HOME}/.vst
+noblacklist ${DOCUMENTS}
+noblacklist ${MUSIC}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix
+seccomp
+shell none
+#private-bin ardour4,ardour5,ardour5-copy-mixer,ardour5-export,ardour5-fix_bbtppq,grep,ldd,nm,sed,sh
+private-cache
+private-dev
+#private-etc alternatives,ardour4,ardour5,asound.conf,fonts,machine-id,pulse,X11
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/arduino.profile b/etc/profile-a-l/arduino.profile
new file mode 100644
index 000000000..fd1ca9a09
--- /dev/null
+++ b/etc/profile-a-l/arduino.profile
@@ -0,0 +1,40 @@
+# Firejail profile for arduino
+# Description: AVR development board IDE and built-in libraries
+# This file is overwritten after every install/update
+# Persistent local customizations
+include arduino.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.arduino15
+noblacklist ${HOME}/Arduino
+noblacklist ${DOCUMENTS}
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+caps.drop all
+netfilter
+no3d
+nodvd
+# nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+private-cache
+private-tmp
diff --git a/etc/profile-a-l/arepack.profile b/etc/profile-a-l/arepack.profile
new file mode 100644
index 000000000..012f2f049
--- /dev/null
+++ b/etc/profile-a-l/arepack.profile
@@ -0,0 +1,11 @@
+# Firejail profile for arepack
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include arepack.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include atool.profile
diff --git a/etc/profile-a-l/aria2c.profile b/etc/profile-a-l/aria2c.profile
new file mode 100644
index 000000000..d2dcaace1
--- /dev/null
+++ b/etc/profile-a-l/aria2c.profile
@@ -0,0 +1,55 @@
+# Firejail profile for aria2c
+# Description: Download utility that supports HTTP(S), FTP, BitTorrent and Metalink
+# This file is overwritten after every install/update
+# Persistent local customizations
+include aria2c.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.aria2
+noblacklist ${HOME}/.config/aria2
+noblacklist ${HOME}/.netrc
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+# disable-mnt
+# Add your custom event hook commands to 'private-bin' in your aria2c.local
+private-bin aria2c,gzip
+# Uncomment the next line (or put 'private-cache' in your aria2c.local) if you don't use Lutris/winetricks (see issue #2772)
+#private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,groups,login.defs,machine-id,nsswitch.conf,passwd,pki,resolv.conf,ssl
+private-lib libreadline.so.*
+private-tmp
+dbus-user none
+dbus-system none
+memory-deny-write-execute
diff --git a/etc/profile-a-l/ark.profile b/etc/profile-a-l/ark.profile
new file mode 100644
index 000000000..01004d772
--- /dev/null
+++ b/etc/profile-a-l/ark.profile
@@ -0,0 +1,45 @@
+# Firejail profile for ark
+# Description: Archive utility
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ark.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/arkrc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+whitelist /usr/share/ark
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+# net none
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+private-bin 7z,ark,bash,lrzip,lsar,lz4,lzop,p7zip,rar,sh,tclsh,unar,unrar,unzip,zip,zipinfo
+#private-etc alternatives,drirc,fonts,group,kde5rc,mtab,passwd,samba,smb.conf,xdg
+private-dev
+private-tmp
+# dbus-user none
+# dbus-system none
diff --git a/etc/profile-a-l/arm.profile b/etc/profile-a-l/arm.profile
new file mode 100644
index 000000000..51dad94d1
--- /dev/null
+++ b/etc/profile-a-l/arm.profile
@@ -0,0 +1,48 @@
+# Firejail profile for arm
+# Description: Terminal status monitor for Tor relays
+# This file is overwritten after every install/update
+# Persistent local customizations
+include arm.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.arm
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+mkdir ${HOME}/.arm
+whitelist ${HOME}/.arm
+include whitelist-common.inc
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin arm,bash,ldconfig,lsof,ps,python*,sh,tor
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,passwd,pki,ssl,tor
+private-tmp
diff --git a/etc/profile-a-l/artha.profile b/etc/profile-a-l/artha.profile
new file mode 100644
index 000000000..19a4771aa
--- /dev/null
+++ b/etc/profile-a-l/artha.profile
@@ -0,0 +1,65 @@
+# Firejail profile for artha
+# Description: A free cross-platform English thesaurus based on WordNet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include artha.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/artha.conf
+noblacklist ${HOME}/.config/artha.log
+noblacklist ${HOME}/.config/enchant
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+# whitelisting in ${HOME} makes settings immutable, see #3112
+#mkfile ${HOME}/.config/artha.conf
+#mkdir ${HOME}/.config/enchant
+#whitelist ${HOME}/.config/artha.conf
+#whitelist ${HOME}/.config/artha.log
+#whitelist ${HOME}/.config/enchant
+whitelist /usr/share/artha
+whitelist /usr/share/wordnet
+#include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+ipc-namespace
+# net none - breaks on Ubuntu
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin artha,enchant,notify-send
+private-cache
+private-dev
+private-etc alternatives,fonts,machine-id
+private-lib libnotify.so.*
+private-tmp
+# dbus-user none
+# dbus-system none
+memory-deny-write-execute
diff --git a/etc/profile-a-l/assogiate.profile b/etc/profile-a-l/assogiate.profile
new file mode 100644
index 000000000..da72a4a73
--- /dev/null
+++ b/etc/profile-a-l/assogiate.profile
@@ -0,0 +1,52 @@
+# Firejail profile for assogiate
+# Description: An editor of the MIME file types database for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include assogiate.local
+# Persistent global definitions
+include globals.local
+noblacklist ${PICTURES}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+whitelist ${PICTURES}
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin assogiate,gtk-update-icon-cache,update-mime-database
+private-cache
+private-dev
+private-lib gnome-vfs-2.0,libacl.so.*,libattr.so.*,libfam.so.*
+private-tmp
+dbus-user none
+dbus-system none
+memory-deny-write-execute
diff --git a/etc/profile-a-l/asunder.profile b/etc/profile-a-l/asunder.profile
new file mode 100644
index 000000000..33dd4103f
--- /dev/null
+++ b/etc/profile-a-l/asunder.profile
@@ -0,0 +1,48 @@
+# Firejail profile for asounder
+# Description: Graphical audio CD ripper and encoder
+# This file is overwritten after every install/update
+# Persistent local customizations
+include asunder.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/asunder
+noblacklist ${HOME}/.asunder_album_genre
+noblacklist ${HOME}/.asunder_album_title
+noblacklist ${HOME}/.asunder_album_artist
+noblacklist ${MUSIC}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+netfilter
+no3d
+# nogroups
+nonewprivs
+noroot
+nou2f
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+private-cache
+private-dev
+private-tmp
+dbus-user none
+dbus-system none
+# mdwe is disabled due to breaking hardware accelerated decoding
+# memory-deny-write-execute
diff --git a/etc/profile-a-l/atom-beta.profile b/etc/profile-a-l/atom-beta.profile
new file mode 100644
index 000000000..c0ee2c492
--- /dev/null
+++ b/etc/profile-a-l/atom-beta.profile
@@ -0,0 +1,10 @@
+# Firejail profile for atom-beta
+# This file is overwritten after every install/update
+# Persistent local customizations
+include atom-beta.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include atom.profile
diff --git a/etc/profile-a-l/atom.profile b/etc/profile-a-l/atom.profile
new file mode 100644
index 000000000..fceef9579
--- /dev/null
+++ b/etc/profile-a-l/atom.profile
@@ -0,0 +1,40 @@
+# Firejail profile for atom
+# Description: A hackable text editor for the 21st Century
+# This file is overwritten after every install/update
+# Persistent local customizations
+include atom.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.atom
+noblacklist ${HOME}/.config/Atom
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
+include disable-common.inc
+include disable-exec.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+caps.drop all
+# net none
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+private-cache
+private-dev
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/atool.profile b/etc/profile-a-l/atool.profile
new file mode 100644
index 000000000..e501e956c
--- /dev/null
+++ b/etc/profile-a-l/atool.profile
@@ -0,0 +1,53 @@
+# Firejail profile for atool
+# Description: Tool for managing file archives of various types
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include atool.local
+# Persistent global definitions
+include globals.local
+blacklist ${RUNUSER}/wayland-*
+# Allow perl (blacklisted by disable-interpreters.inc)
+include allow-perl.inc
+include disable-common.inc
+# include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+apparmor
+caps.drop all
+hostname atool
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+# private-bin atool,perl
+private-cache
+private-dev
+# without login.defs atool complains and uses UID/GID 1000 by default
+private-etc alternatives,group,login.defs,passwd
+private-tmp
+dbus-user none
+dbus-system none
+memory-deny-write-execute
diff --git a/etc/profile-a-l/atril-previewer.profile b/etc/profile-a-l/atril-previewer.profile
new file mode 100644
index 000000000..7f4697357
--- /dev/null
+++ b/etc/profile-a-l/atril-previewer.profile
@@ -0,0 +1,10 @@
+# Firejail profile for atril-previewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include atril-previewer.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include atril.profile
diff --git a/etc/profile-a-l/atril-thumbnailer.profile b/etc/profile-a-l/atril-thumbnailer.profile
new file mode 100644
index 000000000..8f6129ea6
--- /dev/null
+++ b/etc/profile-a-l/atril-thumbnailer.profile
@@ -0,0 +1,10 @@
+# Firejail profile for atril-thumbnailer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include atril-thumbnailer.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include atril.profile
diff --git a/etc/profile-a-l/atril.profile b/etc/profile-a-l/atril.profile
new file mode 100644
index 000000000..adca38cb5
--- /dev/null
+++ b/etc/profile-a-l/atril.profile
@@ -0,0 +1,52 @@
+# Firejail profile for atril
+# Description: MATE document viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include atril.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.cache/atril
+noblacklist ${HOME}/.config/atril
+noblacklist ${DOCUMENTS}
+#noblacklist ${HOME}/.local/share
+# it seems to use only ${HOME}/.local/share/webkitgtk
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-var-common.inc
+# apparmor
+caps.drop all
+machine-id
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+private-bin atril,atril-previewer,atril-thumbnailer
+private-dev
+private-etc alternatives,fonts,ld.so.cache
+# atril uses webkit gtk to display epub files
+# waiting for globbing support in private-lib; for now hardcoding it to webkit2gtk-4.0
+#private-lib webkit2gtk-4.0 - problems on Arch with the new version of WebKit
+private-tmp
+# webkit gtk killed by memory-deny-write-execute
+#memory-deny-write-execute
diff --git a/etc/profile-a-l/audacious.profile b/etc/profile-a-l/audacious.profile
new file mode 100644
index 000000000..2e1f6f32a
--- /dev/null
+++ b/etc/profile-a-l/audacious.profile
@@ -0,0 +1,44 @@
+# Firejail profile for audacious
+# Description: Small and fast audio player which supports lots of formats
+# This file is overwritten after every install/update
+# Persistent local customizations
+include audacious.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/Audaciousrc
+noblacklist ${HOME}/.config/audacious
+noblacklist ${MUSIC}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+# private-bin audacious
+private-cache
+private-dev
+private-tmp
+# dbus needed for MPRIS
+# dbus-user none
+# dbus-system none
diff --git a/etc/profile-a-l/audacity.profile b/etc/profile-a-l/audacity.profile
new file mode 100644
index 000000000..5a454d31d
--- /dev/null
+++ b/etc/profile-a-l/audacity.profile
@@ -0,0 +1,45 @@
+# Firejail profile for audacity
+# Description: Fast, cross-platform audio editor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include audacity.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.audacity-data
+noblacklist ${DOCUMENTS}
+noblacklist ${MUSIC}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+private-bin audacity
+private-dev
+private-tmp
+# problems on Fedora 27
+# dbus-user none
+# dbus-system none
diff --git a/etc/profile-a-l/audio-recorder.profile b/etc/profile-a-l/audio-recorder.profile
new file mode 100644
index 000000000..b2ed3b030
--- /dev/null
+++ b/etc/profile-a-l/audio-recorder.profile
@@ -0,0 +1,50 @@
+# Firejail profile for audio-recorder
+# Description: Audio Recorder Application
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include audio-recorder.local
+# Persistent global definitions
+include globals.local
+noblacklist ${MUSIC}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+whitelist ${MUSIC}
+whitelist ${DOWNLOADS}
+whitelist /usr/share/audio-recorder
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+ipc-namespace
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+disable-mnt
+# private-bin audio-recorder
+private-cache
+private-etc alternatives,fonts
+private-tmp
+# memory-deny-write-execute - breaks on Arch
diff --git a/etc/profile-a-l/aunpack.profile b/etc/profile-a-l/aunpack.profile
new file mode 100644
index 000000000..6ce4aa491
--- /dev/null
+++ b/etc/profile-a-l/aunpack.profile
@@ -0,0 +1,11 @@
+# Firejail profile for aunpack
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include aunpack.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include atool.profile
diff --git a/etc/profile-a-l/authenticator.profile b/etc/profile-a-l/authenticator.profile
new file mode 100644
index 000000000..131b20c70
--- /dev/null
+++ b/etc/profile-a-l/authenticator.profile
@@ -0,0 +1,49 @@
+# Firejail profile for authenticator
+# Description: 2FA code generator for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include authenticator.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.cache/Authenticator
+noblacklist ${HOME}/.config/Authenticator
+# Allow python (blacklisted by disable-interpreters.inc)
+#include allow-python2.inc
+include allow-python3.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+# apparmor
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+# novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+disable-mnt
+# private-bin authenticator,python*
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,pki,resolv.conf,ssl
+private-tmp
+# makes settings immutable
+# dbus-user none
+# dbus-system none
+#memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/profile-a-l/autokey-common.profile b/etc/profile-a-l/autokey-common.profile
new file mode 100644
index 000000000..b1a77c0a4
--- /dev/null
+++ b/etc/profile-a-l/autokey-common.profile
@@ -0,0 +1,42 @@
+# Firejail profile for autokey
+# Description: Desktop automation utility
+# This file is overwritten after every install/update
+# Persistent local customizations
+include autokey-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+noblacklist ${HOME}/.config/autokey
+noblacklist ${HOME}/.local/share/autokey
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+include disable-common.inc
+include disable-devel.inc
+# disable-exec.inc might break scripting functionality
+#include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include whitelist-var-common.inc
+caps.drop all
+netfilter
+no3d
+nogroups
+nonewprivs
+noroot
+nou2f
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+private-cache
+private-dev
+private-tmp
+#memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/profile-a-l/autokey-gtk.profile b/etc/profile-a-l/autokey-gtk.profile
new file mode 100644
index 000000000..e16449064
--- /dev/null
+++ b/etc/profile-a-l/autokey-gtk.profile
@@ -0,0 +1,10 @@
+# Firejail profile for autokey-gtk
+# Description: Desktop automation utility (GTK version)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include autokey-gtk.local
+# Persistent global definitions
+include globals.local
+# Redirect
+include autokey-common.profile
diff --git a/etc/profile-a-l/autokey-qt.profile b/etc/profile-a-l/autokey-qt.profile
new file mode 100644
index 000000000..b6f1210dd
--- /dev/null
+++ b/etc/profile-a-l/autokey-qt.profile
@@ -0,0 +1,10 @@
+# Firejail profile for autokey-qt
+# Description: Desktop automation utility (Qt version)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include autokey-qt.local
+# Persistent global definitions
+include globals.local
+# Redirect
+include autokey-common.profile
diff --git a/etc/profile-a-l/autokey-run.profile b/etc/profile-a-l/autokey-run.profile
new file mode 100644
index 000000000..05669351a
--- /dev/null
+++ b/etc/profile-a-l/autokey-run.profile
@@ -0,0 +1,10 @@
+# Firejail profile for autokey-run
+# Description: Desktop automation utility (CLI version)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include autokey-run.local
+# Persistent global definitions
+include globals.local
+# Redirect
+include autokey-common.profile
diff --git a/etc/profile-a-l/autokey-shell.profile b/etc/profile-a-l/autokey-shell.profile
new file mode 100644
index 000000000..dfbd8759f
--- /dev/null
+++ b/etc/profile-a-l/autokey-shell.profile
@@ -0,0 +1,10 @@
+# Firejail profile for autokey-shell
+# Description: Desktop automation utility (CLI shell)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include autokey-shell.local
+# Persistent global definitions
+include globals.local
+# Redirect
+include autokey-common.profile
diff --git a/etc/profile-a-l/aweather.profile b/etc/profile-a-l/aweather.profile
new file mode 100644
index 000000000..d7228570f
--- /dev/null
+++ b/etc/profile-a-l/aweather.profile
@@ -0,0 +1,39 @@
+# Firejail profile for aweather
+# Description: Advanced Weather Monitoring Program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include aweather.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/aweather
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+mkdir ${HOME}/.config/aweather
+whitelist ${HOME}/.config/aweather
+include whitelist-common.inc
+include whitelist-var-common.inc
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+private-bin aweather
+private-dev
+private-tmp
diff --git a/etc/profile-a-l/awesome.profile b/etc/profile-a-l/awesome.profile
new file mode 100644
index 000000000..5d1bf5071
--- /dev/null
+++ b/etc/profile-a-l/awesome.profile
@@ -0,0 +1,19 @@
+# Firejail profile for awesome
+# Description: Standards-compliant, fast, light-weight and extensible window manager
+# This file is overwritten after every install/update
+# Persistent local customizations
+include awesome.local
+# Persistent global definitions
+include globals.local
+# all applications started in awesome will run in this profile
+noblacklist ${HOME}/.config/awesome
+include disable-common.inc
+caps.drop all
+netfilter
+noroot
+protocol unix,inet,inet6
+seccomp
+read-only ${HOME}/.config/awesome/autorun.sh
diff --git a/etc/profile-a-l/baloo_file.profile b/etc/profile-a-l/baloo_file.profile
new file mode 100644
index 000000000..785e37a16
--- /dev/null
+++ b/etc/profile-a-l/baloo_file.profile
@@ -0,0 +1,54 @@
+# Firejail profile for baloo_file
+# This file is overwritten after every install/update
+# Persistent local customizations
+include baloo_file.local
+# Persistent global definitions
+include globals.local
+# Make home directory read-only and allow writing only to ${HOME}/.local/share/baloo
+# Note: Baloo will not be able to update the "first run" key in its configuration files.
+# mkdir ${HOME}/.local/share/baloo
+# read-only ${HOME}
+# read-write ${HOME}/.local/share/baloo
+# ignore read-write
+noblacklist ${HOME}/.config/baloofilerc
+noblacklist ${HOME}/.kde/share/config/baloofilerc
+noblacklist ${HOME}/.kde/share/config/baloorc
+noblacklist ${HOME}/.kde4/share/config/baloofilerc
+noblacklist ${HOME}/.kde4/share/config/baloorc
+noblacklist ${HOME}/.local/share/baloo
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+machine-id
+# net none
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+# blacklisting of ioprio_set system calls breaks baloo_file
+seccomp !ioprio_set
+shell none
+# x11 xorg
+private-bin baloo_file,baloo_file_extractor,baloo_filemetadata_temp_extractor,kbuildsycoca4
+private-cache
+private-dev
+private-tmp
diff --git a/etc/profile-a-l/baloo_filemetadata_temp_extractor.profile b/etc/profile-a-l/baloo_filemetadata_temp_extractor.profile
new file mode 100644
index 000000000..ff10e9965
--- /dev/null
+++ b/etc/profile-a-l/baloo_filemetadata_temp_extractor.profile
@@ -0,0 +1,14 @@
+# Firejail profile for baloo_filemetadata_temp_extractor
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include baloo_filemetadata_temp_extractor.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+ignore read-write
+read-only ${HOME}
+# Redirect
+include baloo_file.profile
diff --git a/etc/profile-a-l/baobab.profile b/etc/profile-a-l/baobab.profile
new file mode 100644
index 000000000..50f7531c0
--- /dev/null
+++ b/etc/profile-a-l/baobab.profile
@@ -0,0 +1,42 @@
+# Firejail profile for baobab
+# Description: GNOME disk usage analyzer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include baobab.local
+# Persistent global definitions
+include globals.local
+# include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+# include disable-programs.inc
+# include disable-xdg.inc
+include whitelist-runuser-common.inc
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+private-bin baobab
+private-dev
+private-tmp
+# dbus-user none
+# dbus-system none
+read-only ${HOME}
diff --git a/etc/profile-a-l/barrier.profile b/etc/profile-a-l/barrier.profile
new file mode 100644
index 000000000..f5da3782e
--- /dev/null
+++ b/etc/profile-a-l/barrier.profile
@@ -0,0 +1,45 @@
+# Firejail profile for barrier
+# Description: Keyboard and mouse sharing application
+# This file is overwritten after every install/update
+# Persistent local customizations
+include barrier.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/Debauchee/Barrier.conf
+noblacklist ${HOME}/.local/share/barrier
+noblacklist ${PATH}/openssl
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-var-common.inc
+caps.drop all
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+disable-mnt
+private-dev
+private-cache
+private-tmp
+memory-deny-write-execute
diff --git a/etc/profile-a-l/basilisk.profile b/etc/profile-a-l/basilisk.profile
new file mode 100644
index 000000000..8dc3847a0
--- /dev/null
+++ b/etc/profile-a-l/basilisk.profile
@@ -0,0 +1,26 @@
+# Firejail profile for basilisk
+# This file is overwritten after every install/update
+# Persistent local customizations
+include basilisk.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.cache/moonchild productions/basilisk
+noblacklist ${HOME}/.moonchild productions/basilisk
+mkdir ${HOME}/.cache/moonchild productions/basilisk
+mkdir ${HOME}/.moonchild productions
+whitelist ${HOME}/.cache/moonchild productions/basilisk
+whitelist ${HOME}/.moonchild productions
+# Basilisk can use the full firejail seccomp filter (unlike firefox >= 60)
+seccomp
+ignore seccomp
+#private-bin basilisk
+# private-etc must first be enabled in firefox-common.profile
+#private-etc basilisk
+#private-opt basilisk
+# Redirect
+include firefox-common.profile
diff --git a/etc/profile-a-l/beaker.profile b/etc/profile-a-l/beaker.profile
new file mode 100644
index 000000000..cc1886a49
--- /dev/null
+++ b/etc/profile-a-l/beaker.profile
@@ -0,0 +1,19 @@
+# Firejail profile for beaker
+# This file is overwritten after every install/update
+# Persistent local customizations
+include beaker.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+noblacklist ${HOME}/.config/Beaker Browser
+include disable-devel.inc
+include disable-interpreters.inc
+mkdir ${HOME}/.config/Beaker Browser
+whitelist ${HOME}/.config/Beaker Browser
+include whitelist-common.inc
+# Redirect
+include electron.profile
diff --git a/etc/profile-a-l/bibletime.profile b/etc/profile-a-l/bibletime.profile
new file mode 100644
index 000000000..99e2802eb
--- /dev/null
+++ b/etc/profile-a-l/bibletime.profile
@@ -0,0 +1,58 @@
+# Firejail profile for bibletime
+# Description: Bible study tool
+# This file is overwritten after every install/update
+# Persistent local customizations
+include bibletime.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.bibletime
+noblacklist ${HOME}/.sword
+noblacklist ${HOME}/.local/share/bibletime
+blacklist ${HOME}/.bashrc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+mkdir ${HOME}/.bibletime
+mkdir ${HOME}/.sword
+mkdir ${HOME}/.local/share/bibletime
+whitelist ${HOME}/.bibletime
+whitelist ${HOME}/.sword
+whitelist ${HOME}/.local/share/bibletime
+whitelist /usr/share/bibletime
+whitelist /usr/share/sword
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+machine-id
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp !chroot
+shell none
+disable-mnt
+# private-bin bibletime,qt5ct
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,login.defs,machine-id,passwd,pki,resolv.conf,ssl,sword,sword.conf
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/bibtex.profile b/etc/profile-a-l/bibtex.profile
new file mode 100644
index 000000000..e868dcbab
--- /dev/null
+++ b/etc/profile-a-l/bibtex.profile
@@ -0,0 +1,12 @@
+# Firejail profile for bibtex
+# This file is overwritten after every install/update
+# Persistent local customizations
+include bibtex.local
+# Persistent global definitions
+include globals.local
+private-bin bibtex
+# Redirect
+include latex-common.profile
diff --git a/etc/profile-a-l/bitcoin-qt.profile b/etc/profile-a-l/bitcoin-qt.profile
new file mode 100644
index 000000000..ac1e21ba7
--- /dev/null
+++ b/etc/profile-a-l/bitcoin-qt.profile
@@ -0,0 +1,49 @@
+# Firejail profile for bitcoin-qt
+# Description: Bitcoin is a peer-to-peer network based digital currency
+# This file is overwritten after every install/update
+# Persistent local customizations
+include bitcoin-qt.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.bitcoin
+noblacklist ${HOME}/.config/Bitcoin
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+mkdir ${HOME}/.bitcoin
+mkdir ${HOME}/.config/Bitcoin
+whitelist ${HOME}/.bitcoin
+whitelist ${HOME}/.config/Bitcoin
+include whitelist-common.inc
+include whitelist-var-common.inc
+caps.drop all
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+private-bin bitcoin-qt
+private-dev
+# Causes problem with loading of libGL.so
+#private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl
+private-tmp
+memory-deny-write-execute
diff --git a/etc/profile-a-l/bitlbee.profile b/etc/profile-a-l/bitlbee.profile
new file mode 100644
index 000000000..62eeb88f3
--- /dev/null
+++ b/etc/profile-a-l/bitlbee.profile
@@ -0,0 +1,40 @@
+# Firejail profile for bitlbee
+# Description: IRC to other chat networks gateway
+# This file is overwritten after every install/update
+# Persistent local customizations
+include bitlbee.local
+# Persistent global definitions
+include globals.local
+ignore noexec ${HOME}
+noblacklist /sbin
+noblacklist /usr/sbin
+# noblacklist /var/log
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+netfilter
+no3d
+nodvd
+nonewprivs
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+disable-mnt
+private
+private-cache
+private-dev
+private-tmp
+read-write /var/lib/bitlbee
diff --git a/etc/profile-a-l/bitwarden.profile b/etc/profile-a-l/bitwarden.profile
new file mode 100644
index 000000000..3095e7505
--- /dev/null
+++ b/etc/profile-a-l/bitwarden.profile
@@ -0,0 +1,57 @@
+# Firejail profile for bitwarden
+# Description: A secure and free password manager for all of your devices
+# This file is overwritten after every install/update.
+# Persistent local customisations
+include bitwarden.local
+# Persistent global definitions
+include globals.local
+ignore noexec /tmp
+noblacklist ${HOME}/.config/Bitwarden
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.config/Bitwarden
+whitelist ${HOME}/.config/Bitwarden
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp !chroot
+shell none
+#tracelog - breaks on Arch
+private-bin bitwarden
+private-cache
+?HAS_APPIMAGE: ignore private-dev
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,hosts,nsswitch.conf,pki,resolv.conf,ssl
+private-opt Bitwarden
+private-tmp
+# breaks appindicator (tray) functionality
+# dbus-user none
+# dbus-system none
+#memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/profile-a-l/blackbox.profile b/etc/profile-a-l/blackbox.profile
new file mode 100644
index 000000000..13e83493d
--- /dev/null
+++ b/etc/profile-a-l/blackbox.profile
@@ -0,0 +1,18 @@
+# Firejail profile for blackbox
+# Description: Standards-compliant, fast, light-weight and extensible window manager
+# This file is overwritten after every install/update
+# Persistent local customizations
+include blackbox.local
+# Persistent global definitions
+include globals.local
+# all applications started in awesome will run in this profile
+noblacklist ${HOME}/.blackbox
+include disable-common.inc
+caps.drop all
+netfilter
+noroot
+protocol unix,inet,inet6
+seccomp
diff --git a/etc/profile-a-l/bleachbit.profile b/etc/profile-a-l/bleachbit.profile
new file mode 100644
index 000000000..8f230a413
--- /dev/null
+++ b/etc/profile-a-l/bleachbit.profile
@@ -0,0 +1,42 @@
+# Firejail profile for bleachbit
+# Description: Delete unnecessary files from the system
+# This file is overwritten after every install/update
+# Persistent local customizations
+include bleachbit.local
+# Persistent global definitions
+include globals.local
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+# include disable-programs.inc
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+private-dev
+# private-tmp
+dbus-user none
+dbus-system none
+# memory-deny-write-execute breaks some systems, see issue #1850
+# memory-deny-write-execute
diff --git a/etc/profile-a-l/blender-2.8.profile b/etc/profile-a-l/blender-2.8.profile
new file mode 100644
index 000000000..b7242c443
--- /dev/null
+++ b/etc/profile-a-l/blender-2.8.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for blender
+# This file is overwritten after every install/update
+# Redirect
+include blender.profile
diff --git a/etc/profile-a-l/blender.profile b/etc/profile-a-l/blender.profile
new file mode 100644
index 000000000..6a72fb602
--- /dev/null
+++ b/etc/profile-a-l/blender.profile
@@ -0,0 +1,41 @@
+# Firejail profile for blender
+# Description: Very fast and versatile 3D modeller/renderer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include blender.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/blender
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+# Allow usage of AMD GPU by OpenCL
+noblacklist /sys/module
+whitelist /sys/module/amdgpu
+read-only /sys/module/amdgpu
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+private-dev
+private-tmp
diff --git a/etc/profile-a-l/bless.profile b/etc/profile-a-l/bless.profile
new file mode 100644
index 000000000..216e86109
--- /dev/null
+++ b/etc/profile-a-l/bless.profile
@@ -0,0 +1,42 @@
+# Firejail profile for bless
+# Description: A full featured hexadecimal editor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include bless.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/bless
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include whitelist-var-common.inc
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+# private-bin bash,bless,mono,sh
+private-cache
+private-dev
+private-etc alternatives,fonts,mono
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/blobwars.profile b/etc/profile-a-l/blobwars.profile
new file mode 100644
index 000000000..2a56bdf94
--- /dev/null
+++ b/etc/profile-a-l/blobwars.profile
@@ -0,0 +1,49 @@
+# Firejail profile for blobwars
+# Description: Mission and Objective based 2D Platform Game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include blobwars.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.parallelrealities/blobwars
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.parallelrealities/blobwars
+whitelist ${HOME}/.parallelrealities/blobwars
+whitelist /usr/share/blobwars
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin blobwars
+private-cache
+private-dev
+private-etc machine-id
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/bluefish.profile b/etc/profile-a-l/bluefish.profile
new file mode 100644
index 000000000..88ac9c0ed
--- /dev/null
+++ b/etc/profile-a-l/bluefish.profile
@@ -0,0 +1,40 @@
+# Firejail profile for bluefish
+# Description: Advanced Gtk+ text editor for web and software development
+# This file is overwritten after every install/update
+# Persistent local customizations
+include bluefish.local
+# Persistent global definitions
+include globals.local
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+private-bin bluefish
+private-dev
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/bnox.profile b/etc/profile-a-l/bnox.profile
new file mode 100644
index 000000000..031f3f4bd
--- /dev/null
+++ b/etc/profile-a-l/bnox.profile
@@ -0,0 +1,17 @@
+# Firejail profile for bnox
+# This file is overwritten after every install/update
+# Persistent local customizations
+include bnox.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.cache/bnox
+noblacklist ${HOME}/.config/bnox
+mkdir ${HOME}/.cache/bnox
+mkdir ${HOME}/.config/bnox
+whitelist ${HOME}/.cache/bnox
+whitelist ${HOME}/.config/bnox
+# Redirect
+include chromium-common.profile
diff --git a/etc/profile-a-l/brackets.profile b/etc/profile-a-l/brackets.profile
new file mode 100644
index 000000000..70f62813e
--- /dev/null
+++ b/etc/profile-a-l/brackets.profile
@@ -0,0 +1,34 @@
+# Firejail profile for brackets
+# This file is overwritten after every install/update
+# Persistent local customizations
+include brackets.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/Brackets
+#noblacklist /opt/brackets
+#noblacklist /opt/google
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
+include disable-common.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp !chroot,!ioperm
+shell none
+private-cache
+private-dev
diff --git a/etc/profile-a-l/brasero.profile b/etc/profile-a-l/brasero.profile
new file mode 100644
index 000000000..417a6b3e0
--- /dev/null
+++ b/etc/profile-a-l/brasero.profile
@@ -0,0 +1,37 @@
+# Firejail profile for brasero
+# Description: CD/DVD burning application for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include brasero.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/brasero
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+net none
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+# private-bin brasero
+private-cache
+# private-dev
+# private-tmp
diff --git a/etc/profile-a-l/brave-browser-beta.profile b/etc/profile-a-l/brave-browser-beta.profile
new file mode 100644
index 000000000..528a6402d
--- /dev/null
+++ b/etc/profile-a-l/brave-browser-beta.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for brave (beta channel)
+# This file is overwritten after every install/update
+# Redirect
+include brave.profile
diff --git a/etc/profile-a-l/brave-browser-dev.profile b/etc/profile-a-l/brave-browser-dev.profile
new file mode 100644
index 000000000..4601de119
--- /dev/null
+++ b/etc/profile-a-l/brave-browser-dev.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for brave (development channel)
+# This file is overwritten after every install/update
+# Redirect
+include brave.profile
diff --git a/etc/profile-a-l/brave-browser-nightly.profile b/etc/profile-a-l/brave-browser-nightly.profile
new file mode 100644
index 000000000..43d3cc724
--- /dev/null
+++ b/etc/profile-a-l/brave-browser-nightly.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for brave (nightly channel)
+# This file is overwritten after every install/update
+# Redirect
+include brave.profile
diff --git a/etc/profile-a-l/brave-browser-stable.profile b/etc/profile-a-l/brave-browser-stable.profile
new file mode 100644
index 000000000..06d33dea4
--- /dev/null
+++ b/etc/profile-a-l/brave-browser-stable.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for brave (release channel)
+# This file is overwritten after every install/update
+# Redirect
+include brave.profile
diff --git a/etc/profile-a-l/brave-browser.profile b/etc/profile-a-l/brave-browser.profile
new file mode 100644
index 000000000..e223ecf87
--- /dev/null
+++ b/etc/profile-a-l/brave-browser.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for brave
+# This file is overwritten after every install/update
+# Redirect
+include brave.profile
diff --git a/etc/profile-a-l/brave.profile b/etc/profile-a-l/brave.profile
new file mode 100644
index 000000000..35c59f5a3
--- /dev/null
+++ b/etc/profile-a-l/brave.profile
@@ -0,0 +1,32 @@
+# Firejail profile for brave
+# Description: Web browser that blocks ads and trackers by default.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include brave.local
+# Persistent global definitions
+include globals.local
+# noexec /tmp is included in chromium-common.profile and breaks Brave
+ignore noexec /tmp
+noblacklist ${HOME}/.cache/BraveSoftware
+noblacklist ${HOME}/.config/BraveSoftware
+noblacklist ${HOME}/.config/brave
+noblacklist ${HOME}/.config/brave-flags.conf
+# brave uses gpg for built-in password manager
+noblacklist ${HOME}/.gnupg
+mkdir ${HOME}/.cache/BraveSoftware
+mkdir ${HOME}/.config/BraveSoftware
+mkdir ${HOME}/.config/brave
+whitelist ${HOME}/.cache/BraveSoftware
+whitelist ${HOME}/.config/BraveSoftware
+whitelist ${HOME}/.config/brave
+whitelist ${HOME}/.config/brave-flags.conf
+whitelist ${HOME}/.gnupg
+# Brave sandbox needs read access to /proc/config.gz
+noblacklist /proc/config.gz
+# Redirect
+include chromium-common.profile
diff --git a/etc/profile-a-l/bsdcat.profile b/etc/profile-a-l/bsdcat.profile
new file mode 100644
index 000000000..5271ee5d6
--- /dev/null
+++ b/etc/profile-a-l/bsdcat.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for bsdtar
+# This file is overwritten after every install/update
+# Redirect
+include bsdtar.profile
diff --git a/etc/profile-a-l/bsdcpio.profile b/etc/profile-a-l/bsdcpio.profile
new file mode 100644
index 000000000..5271ee5d6
--- /dev/null
+++ b/etc/profile-a-l/bsdcpio.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for bsdtar
+# This file is overwritten after every install/update
+# Redirect
+include bsdtar.profile
diff --git a/etc/profile-a-l/bsdtar.profile b/etc/profile-a-l/bsdtar.profile
new file mode 100644
index 000000000..08e51f3c1
--- /dev/null
+++ b/etc/profile-a-l/bsdtar.profile
@@ -0,0 +1,48 @@
+# Firejail profile for bsdtar
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include bsdtar.local
+# Persistent global definitions
+include globals.local
+blacklist ${RUNUSER}/wayland-*
+include disable-common.inc
+# include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+apparmor
+caps.drop all
+hostname bsdtar
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+# noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+# support compressed archives
+private-bin bash,bsdcat,bsdcpio,bsdtar,bzip2,compress,gtar,gzip,lbzip2,libarchive,lz4,lzip,lzma,lzop,sh,xz
+private-cache
+private-dev
+private-etc alternatives,group,localtime,passwd
+dbus-user none
+dbus-system none
+memory-deny-write-execute
diff --git a/etc/profile-a-l/bunzip2.profile b/etc/profile-a-l/bunzip2.profile
new file mode 100644
index 000000000..37b47c2ce
--- /dev/null
+++ b/etc/profile-a-l/bunzip2.profile
@@ -0,0 +1,12 @@
+# Firejail profile for bunzip2
+# Description: A high-quality data compression program
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include bunzip2.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include gzip.profile
diff --git a/etc/profile-a-l/bzcat.profile b/etc/profile-a-l/bzcat.profile
new file mode 100644
index 000000000..edefb6bb8
--- /dev/null
+++ b/etc/profile-a-l/bzcat.profile
@@ -0,0 +1,15 @@
+# Firejail profile for bzcat
+# Description: A high-quality data compression program
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include bzcat.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+ignore read-write
+read-only ${HOME}
+# Redirect
+include gzip.profile
diff --git a/etc/profile-a-l/bzflag.profile b/etc/profile-a-l/bzflag.profile
new file mode 100644
index 000000000..1f56d5169
--- /dev/null
+++ b/etc/profile-a-l/bzflag.profile
@@ -0,0 +1,46 @@
+# Firejail profile for bzflag
+# Description: 3D multi-player tank battle game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include bzflag.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.bzf
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.bzf
+whitelist ${HOME}/.bzf
+include whitelist-common.inc
+include whitelist-var-common.inc
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin bzadmin,bzflag,bzflag-wrapper,bzfs
+private-cache
+private-dev
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/bzip2.profile b/etc/profile-a-l/bzip2.profile
new file mode 100644
index 000000000..0756e0537
--- /dev/null
+++ b/etc/profile-a-l/bzip2.profile
@@ -0,0 +1,12 @@
+# Firejail profile for bzip2
+# Description: A high-quality data compression program
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include bzip2.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include gzip.profile
diff --git a/etc/profile-a-l/caja.profile b/etc/profile-a-l/caja.profile
new file mode 100644
index 000000000..7bf901ae3
--- /dev/null
+++ b/etc/profile-a-l/caja.profile
@@ -0,0 +1,43 @@
+# Firejail profile for caja
+# Description: File manager for the MATE desktop
+# This file is overwritten after every install/update
+# Persistent local customizations
+include caja.local
+# Persistent global definitions
+include globals.local
+# Caja is started by systemd on most systems. Therefore it is not firejailed by default. Since there
+# is already a caja process running on MATE desktops firejail will have no effect.
+noblacklist ${HOME}/.local/share/Trash
+# noblacklist ${HOME}/.config/caja - disable-programs.inc is disabled, see below
+# noblacklist ${HOME}/.local/share/caja-python
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+# include disable-programs.inc
+allusers
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+# caja needs to be able to start arbitrary applications so we cannot blacklist their files
+# private-bin caja
+# private-dev
+# private-tmp
diff --git a/etc/profile-a-l/calibre.profile b/etc/profile-a-l/calibre.profile
new file mode 100644
index 000000000..d17cfa85f
--- /dev/null
+++ b/etc/profile-a-l/calibre.profile
@@ -0,0 +1,38 @@
+# Firejail profile for calibre
+# Description: Powerful and easy to use e-book manager
+# This file is overwritten after every install/update
+# Persistent local customizations
+include calibre.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.cache/calibre
+noblacklist ${HOME}/.config/calibre
+noblacklist ${DOCUMENTS}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp !chroot
+shell none
+private-dev
+private-tmp
diff --git a/etc/profile-a-l/calligra.profile b/etc/profile-a-l/calligra.profile
new file mode 100644
index 000000000..489036e39
--- /dev/null
+++ b/etc/profile-a-l/calligra.profile
@@ -0,0 +1,37 @@
+# Firejail profile for calligra
+# Description: Extensive productivity and creative suite
+# This file is overwritten after every install/update
+# Persistent local customizations
+include calligra.local
+# Persistent global definitions
+include globals.local
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+caps.drop all
+ipc-namespace
+# net none
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+private-bin calligra,calligraauthor,calligraconverter,calligraflow,calligraplan,calligraplanwork,calligrasheets,calligrastage,calligrawords,dbus-launch,kbuildsycoca4,kdeinit4
+private-dev
+# dbus-user none
+# dbus-system none
+# noexec ${HOME}
+noexec /tmp
diff --git a/etc/profile-a-l/calligraauthor.profile b/etc/profile-a-l/calligraauthor.profile
new file mode 100644
index 000000000..7804a3b97
--- /dev/null
+++ b/etc/profile-a-l/calligraauthor.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+# Redirect
+include calligra.profile
diff --git a/etc/profile-a-l/calligraconverter.profile b/etc/profile-a-l/calligraconverter.profile
new file mode 100644
index 000000000..7804a3b97
--- /dev/null
+++ b/etc/profile-a-l/calligraconverter.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+# Redirect
+include calligra.profile
diff --git a/etc/profile-a-l/calligraflow.profile b/etc/profile-a-l/calligraflow.profile
new file mode 100644
index 000000000..7804a3b97
--- /dev/null
+++ b/etc/profile-a-l/calligraflow.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+# Redirect
+include calligra.profile
diff --git a/etc/profile-a-l/calligraplan.profile b/etc/profile-a-l/calligraplan.profile
new file mode 100644
index 000000000..7804a3b97
--- /dev/null
+++ b/etc/profile-a-l/calligraplan.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+# Redirect
+include calligra.profile
diff --git a/etc/profile-a-l/calligraplanwork.profile b/etc/profile-a-l/calligraplanwork.profile
new file mode 100644
index 000000000..7804a3b97
--- /dev/null
+++ b/etc/profile-a-l/calligraplanwork.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+# Redirect
+include calligra.profile
diff --git a/etc/profile-a-l/calligrasheets.profile b/etc/profile-a-l/calligrasheets.profile
new file mode 100644
index 000000000..7804a3b97
--- /dev/null
+++ b/etc/profile-a-l/calligrasheets.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+# Redirect
+include calligra.profile
diff --git a/etc/profile-a-l/calligrastage.profile b/etc/profile-a-l/calligrastage.profile
new file mode 100644
index 000000000..7804a3b97
--- /dev/null
+++ b/etc/profile-a-l/calligrastage.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+# Redirect
+include calligra.profile
diff --git a/etc/profile-a-l/calligrawords.profile b/etc/profile-a-l/calligrawords.profile
new file mode 100644
index 000000000..7804a3b97
--- /dev/null
+++ b/etc/profile-a-l/calligrawords.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+# Redirect
+include calligra.profile
diff --git a/etc/profile-a-l/cameramonitor.profile b/etc/profile-a-l/cameramonitor.profile
new file mode 100644
index 000000000..f48cc43a1
--- /dev/null
+++ b/etc/profile-a-l/cameramonitor.profile
@@ -0,0 +1,55 @@
+# Firejail profile for cameramonitor
+# Description: A little monitor to check your webcam status
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include cameramonitor.local
+# Persistent global definitions
+include globals.local
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+whitelist /usr/share/cameramonitor
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin cameramonitor,python*
+private-cache
+private-etc alternatives,fonts
+private-tmp
+# dbus-user none
+# dbus-system none
+# memory-deny-write-execute - breaks on Arch
diff --git a/etc/profile-a-l/cantata.profile b/etc/profile-a-l/cantata.profile
new file mode 100644
index 000000000..c44d56b90
--- /dev/null
+++ b/etc/profile-a-l/cantata.profile
@@ -0,0 +1,39 @@
+# Firejail profile for Cantata
+# Description: Multimedia player - Qt5 client for the music Player daemon (MPD)
+# This file is overwritten during software install.
+# Persistent local customizations
+include cantata.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.cache/cantata
+noblacklist ${HOME}/.config/cantata
+noblacklist ${HOME}/.local/share/cantata
+noblacklist ${MUSIC}
+# Allow perl (blacklisted by disable-interpreters.inc)
+include allow-perl.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+# apparmor
+caps.drop all
+ipc-namespace
+netfilter
+nonewprivs
+noroot
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+# private-etc drirc,fonts,gcrypt,hosts,kde5rc,mpd.conf,passwd,samba,ssl,xdg
+private-bin cantata,mpd,perl
+private-dev
diff --git a/etc/profile-a-l/catfish.profile b/etc/profile-a-l/catfish.profile
new file mode 100644
index 000000000..009d3a049
--- /dev/null
+++ b/etc/profile-a-l/catfish.profile
@@ -0,0 +1,50 @@
+# Firejail profile for catfish
+# Description: File searching tool
+# This file is overwritten after every install/update
+# Persistent local customizations
+include catfish.local
+# Persistent global definitions
+include globals.local
+# We can't blacklist much since catfish
+# is for finding files/content
+noblacklist ${HOME}/.config/catfish
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+# include disable-common.inc
+# include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+# include disable-programs.inc
+whitelist /var/lib/mlocate
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+# These options work but are disabled in case
+# a users wants to search in these directories.
+# private-bin bash,catfish,env,locate,ls,mlocate,python*
+# private-dev
+# private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/celluloid.profile b/etc/profile-a-l/celluloid.profile
new file mode 100644
index 000000000..9be6b1631
--- /dev/null
+++ b/etc/profile-a-l/celluloid.profile
@@ -0,0 +1,54 @@
+# Firejail profile for celluloid
+# Description: Simple GTK+ frontend for mpv
+# This file is overwritten after every install/update
+# Persistent local customizations
+include celluloid.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/celluloid
+noblacklist ${HOME}/.config/gnome-mpv
+noblacklist ${HOME}/.config/youtube-dl
+noblacklist ${MUSIC}
+noblacklist ${VIDEOS}
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nou2f
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+private-bin celluloid,env,gnome-mpv,python*,youtube-dl
+private-cache
+private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hosts,ld.so.cache,libva.conf,localtime,machine-id,pkcs11,pki,resolv.conf,selinux,ssl,xdg
+private-dev
+private-tmp
+# uses dconf, MPRIS
+# dbus-user none
+# dbus-system none
+read-only ${HOME}
+read-write ${HOME}/.config/celluloid
diff --git a/etc/profile-a-l/checkbashisms.profile b/etc/profile-a-l/checkbashisms.profile
new file mode 100644
index 000000000..93f61091b
--- /dev/null
+++ b/etc/profile-a-l/checkbashisms.profile
@@ -0,0 +1,56 @@
+# Firejail profile for checkbashisms
+# Description: Lint tool for shell scripts
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include checkbashisms.local
+# Persistent global definitions
+include globals.local
+blacklist ${RUNUSER}/wayland-*
+noblacklist ${DOCUMENTS}
+# Allow perl (blacklisted by disable-interpreters.inc)
+include allow-perl.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+whitelist /usr/share/perl5
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+x11 none
+private-cache
+private-dev
+private-lib libfreebl3.so,perl*
+private-tmp
+dbus-user none
+dbus-system none
+memory-deny-write-execute
diff --git a/etc/profile-a-l/cheese.profile b/etc/profile-a-l/cheese.profile
new file mode 100644
index 000000000..337117c4a
--- /dev/null
+++ b/etc/profile-a-l/cheese.profile
@@ -0,0 +1,47 @@
+# Firejail profile for cheese
+# Description: taking pictures and movies from a webcam
+# This file is overwritten after every install/update
+# Persistent local customizations
+include cheese.local
+# Persistent global definitions
+include globals.local
+noblacklist ${VIDEOS}
+noblacklist ${PICTURES}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+whitelist ${VIDEOS}
+whitelist ${PICTURES}
+include whitelist-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin cheese
+private-cache
+private-etc alternatives,clutter-1.0,dconf,drirc,fonts,gtk-3.0
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/cherrytree.profile b/etc/profile-a-l/cherrytree.profile
new file mode 100644
index 000000000..70dea5bd9
--- /dev/null
+++ b/etc/profile-a-l/cherrytree.profile
@@ -0,0 +1,43 @@
+# Firejail profile for cherrytree
+# Description: Hierarchical note taking application
+# This file is overwritten after every install/update
+# Persistent local customizations
+include cherrytree.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/cherrytree
+noblacklist ${DOCUMENTS}
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+private-cache
+private-dev
+private-tmp
diff --git a/etc/profile-a-l/chromium-browser.profile b/etc/profile-a-l/chromium-browser.profile
new file mode 100644
index 000000000..f83052d9a
--- /dev/null
+++ b/etc/profile-a-l/chromium-browser.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for chromium
+# This file is overwritten after every install/update
+# Redirect
+include chromium.profile
diff --git a/etc/profile-a-l/chromium-common.profile b/etc/profile-a-l/chromium-common.profile
new file mode 100644
index 000000000..c54fb0e19
--- /dev/null
+++ b/etc/profile-a-l/chromium-common.profile
@@ -0,0 +1,44 @@
+# Firejail profile for chromium-common
+# This file is overwritten after every install/update
+# Persistent local customizations
+include chromium-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+# noexec ${HOME} breaks DRM binaries.
+?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
+noblacklist ${HOME}/.pki
+noblacklist ${HOME}/.local/share/pki
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+mkdir ${HOME}/.pki
+mkdir ${HOME}/.local/share/pki
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.pki
+whitelist ${HOME}/.local/share/pki
+include whitelist-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.keep sys_admin,sys_chroot
+netfilter
+# nodbus - prevents access to passwords saved in GNOME Keyring and KWallet, also breaks Gnome connector
+nodvd
+nogroups
+notv
+?BROWSER_DISABLE_U2F: nou2f
+shell none
+disable-mnt
+?BROWSER_DISABLE_U2F: private-dev
+# private-tmp - problems with multiple browser sessions
+# the file dialog needs to work without d-bus
+?HAS_NODBUS: env NO_CHROME_KDE_FILE_DIALOG=1
diff --git a/etc/profile-a-l/chromium.profile b/etc/profile-a-l/chromium.profile
new file mode 100644
index 000000000..dab9ce449
--- /dev/null
+++ b/etc/profile-a-l/chromium.profile
@@ -0,0 +1,22 @@
+# Firejail profile for chromium
+# Description: A web browser built for speed, simplicity, and security
+# This file is overwritten after every install/update
+# Persistent local customizations
+include chromium.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.cache/chromium
+noblacklist ${HOME}/.config/chromium
+noblacklist ${HOME}/.config/chromium-flags.conf
+mkdir ${HOME}/.cache/chromium
+mkdir ${HOME}/.config/chromium
+whitelist ${HOME}/.cache/chromium
+whitelist ${HOME}/.config/chromium
+whitelist ${HOME}/.config/chromium-flags.conf
+# private-bin chromium,chromium-browser,chromedriver
+# Redirect
+include chromium-common.profile
diff --git a/etc/profile-a-l/cin.profile b/etc/profile-a-l/cin.profile
new file mode 100644
index 000000000..8c3fb42d1
--- /dev/null
+++ b/etc/profile-a-l/cin.profile
@@ -0,0 +1,37 @@
+# Firejail profile for cin
+# This file is overwritten after every install/update
+# Persistent local customizations
+include cin.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.bcast5
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+caps.drop all
+ipc-namespace
+net none
+nodvd
+#nogroups
+nonewprivs
+notv
+nou2f
+noroot
+protocol unix
+# if an 1-1.2% gap per thread hurts you, comment seccomp
+seccomp
+shell none
+#private-bin cin,ffmpeg
+private-cache
+private-dev
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/cinelerra.profile b/etc/profile-a-l/cinelerra.profile
new file mode 100644
index 000000000..88a65037e
--- /dev/null
+++ b/etc/profile-a-l/cinelerra.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for cin
+# This file is overwritten after every install/update
+# Redirect
+include cin.profile
diff --git a/etc/profile-a-l/clamav.profile b/etc/profile-a-l/clamav.profile
new file mode 100644
index 000000000..2726ab5af
--- /dev/null
+++ b/etc/profile-a-l/clamav.profile
@@ -0,0 +1,39 @@
+# Firejail profile for clamav
+# Description: Anti-virus utility for Unix
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include clamav.local
+# Persistent global definitions
+include globals.local
+blacklist ${RUNUSER}/wayland-*
+include disable-exec.inc
+caps.drop all
+ipc-namespace
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+private-dev
+dbus-user none
+dbus-system none
+read-only ${HOME}
+memory-deny-write-execute
diff --git a/etc/profile-a-l/clamdscan.profile b/etc/profile-a-l/clamdscan.profile
new file mode 100644
index 000000000..4c6c56c5f
--- /dev/null
+++ b/etc/profile-a-l/clamdscan.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for clamav
+# This file is overwritten after every install/update
+# Redirect
+include clamav.profile
diff --git a/etc/profile-a-l/clamdtop.profile b/etc/profile-a-l/clamdtop.profile
new file mode 100644
index 000000000..4c6c56c5f
--- /dev/null
+++ b/etc/profile-a-l/clamdtop.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for clamav
+# This file is overwritten after every install/update
+# Redirect
+include clamav.profile
diff --git a/etc/profile-a-l/clamscan.profile b/etc/profile-a-l/clamscan.profile
new file mode 100644
index 000000000..4c6c56c5f
--- /dev/null
+++ b/etc/profile-a-l/clamscan.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for clamav
+# This file is overwritten after every install/update
+# Redirect
+include clamav.profile
diff --git a/etc/profile-a-l/clamtk.profile b/etc/profile-a-l/clamtk.profile
new file mode 100644
index 000000000..4425a2bd0
--- /dev/null
+++ b/etc/profile-a-l/clamtk.profile
@@ -0,0 +1,29 @@
+# Firejail profile for clamtk
+# This file is overwritten after every install/update
+# Persistent local customizations
+include clamtk.local
+# Persistent global definitions
+include globals.local
+include disable-exec.inc
+caps.drop all
+ipc-namespace
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+private-dev
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/claws-mail.profile b/etc/profile-a-l/claws-mail.profile
new file mode 100644
index 000000000..24954b2d8
--- /dev/null
+++ b/etc/profile-a-l/claws-mail.profile
@@ -0,0 +1,22 @@
+# Firejail profile for claws-mail
+# Description: Fast, lightweight and user-friendly GTK+2 based email client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include claws-mail.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.claws-mail
+mkdir ${HOME}/.claws-mail
+whitelist ${HOME}/.claws-mail
+# If you use python-based plugins you need to uncomment the below (or put them in your claws-mail.local)
+# Allow python (blacklisted by disable-interpreters.inc)
+#include allow-python2.inc
+#include allow-python3.inc
+whitelist /usr/share/doc/claws-mail
+# Redirect
+include email-common.profile
diff --git a/etc/profile-a-l/clawsker.profile b/etc/profile-a-l/clawsker.profile
new file mode 100644
index 000000000..12ce47401
--- /dev/null
+++ b/etc/profile-a-l/clawsker.profile
@@ -0,0 +1,55 @@
+# Firejail profile for clawsker
+# Description: An applet to edit Claws Mail's hidden preferences
+# This file is overwritten after every install/update
+# Persistent local customizations
+include clawsker.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.claws-mail
+# Allow perl (blacklisted by disable-interpreters.inc)
+include allow-perl.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+mkdir ${HOME}/.claws-mail
+whitelist ${HOME}/.claws-mail
+whitelist /usr/share/perl5
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+disable-mnt
+private-bin bash,clawsker,perl,sh,which
+private-cache
+private-dev
+private-etc alternatives,fonts
+private-lib girepository-1.*,libdbus-glib-1.so.*,libetpan.so.*,libgirepository-1.*,libgtk-x11-2.0.so.*,libstartup-notification-1.so.*,perl*
+private-tmp
+dbus-user none
+dbus-system none
+#memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/profile-a-l/clementine.profile b/etc/profile-a-l/clementine.profile
new file mode 100644
index 000000000..4d92157d0
--- /dev/null
+++ b/etc/profile-a-l/clementine.profile
@@ -0,0 +1,33 @@
+# Firejail profile for clementine
+# Description: Modern music player and library organizer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include clementine.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.cache/Clementine
+noblacklist ${HOME}/.config/Clementine
+noblacklist ${MUSIC}
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-var-common.inc
+caps.drop all
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+# blacklisting of ioprio_set system calls breaks clementine
+seccomp !ioprio_set
+private-dev
+private-tmp
diff --git a/etc/profile-a-l/clion.profile b/etc/profile-a-l/clion.profile
new file mode 100644
index 000000000..b27d93684
--- /dev/null
+++ b/etc/profile-a-l/clion.profile
@@ -0,0 +1,38 @@
+# Firejail profile for CLion
+# This file is overwritten after every install/update
+# Persistent local customizations
+include clion.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.CLion*
+noblacklist ${HOME}/.config/git
+noblacklist ${HOME}/.gitconfig
+noblacklist ${HOME}/.git-credentials
+noblacklist ${HOME}/.java
+noblacklist ${HOME}/.local/share/JetBrains
+noblacklist ${HOME}/.ssh
+noblacklist ${HOME}/.tooling
+include disable-common.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+private-cache
+private-dev
+# private-tmp
+noexec /tmp
diff --git a/etc/profile-a-l/clipgrab.profile b/etc/profile-a-l/clipgrab.profile
new file mode 100644
index 000000000..dace5e83e
--- /dev/null
+++ b/etc/profile-a-l/clipgrab.profile
@@ -0,0 +1,47 @@
+# Firejail profile for clipgrab
+# Description: A free video downloader and converter
+# This file is overwritten after every install/update
+# Persistent local customizations
+include clipgrab.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/Philipp Schmieder
+noblacklist ${HOME}/.pki
+noblacklist ${VIDEOS}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+machine-id
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp !chroot
+shell none
+disable-mnt
+private-cache
+private-dev
+private-tmp
+# Breaks tray icon, uncomment or add to clipgrab.local if you don't need it
+# dbus-user none
+# dbus-system none
diff --git a/etc/profile-a-l/clipit.profile b/etc/profile-a-l/clipit.profile
new file mode 100644
index 000000000..66b5fc859
--- /dev/null
+++ b/etc/profile-a-l/clipit.profile
@@ -0,0 +1,50 @@
+# Firejail profile for clipit
+# Description: Lightweight GTK+ clipboard manager
+# This file is overwritten after every install/update
+# Persistent local customizations
+include clipit.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/clipit
+noblacklist ${HOME}/.local/share/clipit
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.config/clipit
+mkdir ${HOME}/.local/share/clipit
+whitelist ${HOME}/.config/clipit
+whitelist ${HOME}/.local/share/clipit
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+disable-mnt
+private-cache
+private-dev
+private-tmp
diff --git a/etc/profile-a-l/cliqz.profile b/etc/profile-a-l/cliqz.profile
new file mode 100644
index 000000000..d0b8cc0ef
--- /dev/null
+++ b/etc/profile-a-l/cliqz.profile
@@ -0,0 +1,23 @@
+# Firejail profile for cliqz
+# This file is overwritten after every install/update
+# Persistent local customizations
+include cliqz.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.cache/cliqz
+noblacklist ${HOME}/.cliqz
+noblacklist ${HOME}/.config/cliqz
+mkdir ${HOME}/.cache/cliqz
+mkdir ${HOME}/.cliqz
+mkdir ${HOME}/.config/cliqz
+whitelist ${HOME}/.cache/cliqz
+whitelist ${HOME}/.cliqz
+whitelist ${HOME}/.config/cliqz
+# private-etc must first be enabled in firefox-common.profile
+#private-etc cliqz
+# Redirect
+include firefox-common.profile
diff --git a/etc/profile-a-l/clocks.profile b/etc/profile-a-l/clocks.profile
new file mode 100644
index 000000000..da50e7d49
--- /dev/null
+++ b/etc/profile-a-l/clocks.profile
@@ -0,0 +1,6 @@
+# Firejail profile for gnome-clocks
+# This file is overwritten after every install/update
+# Temporary fix for https://github.com/netblue30/firejail/issues/2624
+# Redirect
+include gnome-clocks.profile
diff --git a/etc/profile-a-l/cmus.profile b/etc/profile-a-l/cmus.profile
new file mode 100644
index 000000000..fa1e5d722
--- /dev/null
+++ b/etc/profile-a-l/cmus.profile
@@ -0,0 +1,30 @@
+# Firejail profile for cmus
+# Description: Lightweight ncurses audio player
+# This file is overwritten after every install/update
+# Persistent local customizations
+include cmus.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/cmus
+noblacklist ${MUSIC}
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+caps.drop all
+netfilter
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+private-bin cmus
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,machine-id,pki,pulse,resolv.conf,ssl
diff --git a/etc/profile-a-l/code-oss.profile b/etc/profile-a-l/code-oss.profile
new file mode 100644
index 000000000..6d45d5994
--- /dev/null
+++ b/etc/profile-a-l/code-oss.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for Visual Studio Code
+# This file is overwritten after every install/update
+# Persistent local customizations
+include code-oss.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include code.profile
diff --git a/etc/profile-a-l/code.profile b/etc/profile-a-l/code.profile
new file mode 100644
index 000000000..6f8a25211
--- /dev/null
+++ b/etc/profile-a-l/code.profile
@@ -0,0 +1,42 @@
+# Firejail profile for Visual Studio Code
+# This file is overwritten after every install/update
+# Persistent local customizations
+include code.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/Code
+noblacklist ${HOME}/.config/Code - OSS
+noblacklist ${HOME}/.vscode
+noblacklist ${HOME}/.vscode-oss
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
+include disable-common.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+private-cache
+private-dev
+private-tmp
+# Disabling noexec ${HOME} for now since it will
+# probably interfere with running some programmes
+# in VS Code
+# noexec ${HOME}
+noexec /tmp
diff --git a/etc/profile-a-l/com.github.dahenson.agenda.profile b/etc/profile-a-l/com.github.dahenson.agenda.profile
new file mode 100644
index 000000000..ea5370649
--- /dev/null
+++ b/etc/profile-a-l/com.github.dahenson.agenda.profile
@@ -0,0 +1,60 @@
+# Firejail profile for com.github.dahenson.agenda
+# Description: Simple, fast, no-nonsense to-do (task) list
+# This file is overwritten after every install/update
+# Persistent local customizations
+include com.github.dahenson.agenda.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.cache/agenda
+noblacklist ${HOME}/.config/agenda
+noblacklist ${HOME}/.local/share/agenda
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.cache/agenda
+mkdir ${HOME}/.config/agenda
+mkdir ${HOME}/.local/share/agenda
+whitelist ${HOME}/.cache/agenda
+whitelist ${HOME}/.config/agenda
+whitelist ${HOME}/.local/share/agenda
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin com.github.dahenson.agenda
+private-cache
+private-dev
+private-etc dconf,fonts,gtk-3.0
+private-tmp
+read-only ${HOME}
+read-write ${HOME}/.cache/agenda
+read-write ${HOME}/.config/agenda
+read-write ${HOME}/.local/share/agenda
diff --git a/etc/profile-a-l/com.github.johnfactotum.Foliate.profile b/etc/profile-a-l/com.github.johnfactotum.Foliate.profile
new file mode 100644
index 000000000..39a9a360d
--- /dev/null
+++ b/etc/profile-a-l/com.github.johnfactotum.Foliate.profile
@@ -0,0 +1,62 @@
+# Firejail profile for foliate
+# Description: Simple and modern GTK eBook reader
+# This file is overwritten after every install/update
+# Persistent local customizations
+include foliate.local
+# Persistent global definitions
+include globals.local
+noblacklist ${DOCUMENTS}
+noblacklist ${HOME}/.cache/com.github.johnfactotum.Foliate
+noblacklist ${HOME}/.local/share/com.github.johnfactotum.Foliate
+# Allow gjs (blacklisted by disable-interpreters.inc)
+include allow-gjs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.cache/com.github.johnfactotum.Foliate
+mkdir ${HOME}/.local/share/com.github.johnfactotum.Foliate
+whitelist ${HOME}/.cache/com.github.johnfactotum.Foliate
+whitelist ${HOME}/.local/share/com.github.johnfactotum.Foliate
+whitelist ${DOCUMENTS}
+whitelist ${DOWNLOADS}
+whitelist /usr/share/com.github.johnfactotum.Foliate
+whitelist /usr/share/hyphen
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin com.github.johnfactotum.Foliate,gjs
+private-cache
+private-dev
+private-etc dconf,fonts,gconf,gtk-3.0
+private-tmp
+read-only ${HOME}
+read-write ${HOME}/.cache/com.github.johnfactotum.Foliate
+read-write ${HOME}/.local/share/com.github.johnfactotum.Foliate
diff --git a/etc/profile-a-l/conkeror.profile b/etc/profile-a-l/conkeror.profile
new file mode 100644
index 000000000..38edf0d21
--- /dev/null
+++ b/etc/profile-a-l/conkeror.profile
@@ -0,0 +1,36 @@
+# Firejail profile for conkeror
+# This file is overwritten after every install/update
+# Persistent local customizations
+include conkeror.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.conkeror.mozdev.org
+include disable-common.inc
+include disable-programs.inc
+mkdir ${HOME}/.conkeror.mozdev.org
+mkfile ${HOME}/.conkerorrc
+whitelist ${HOME}/.conkeror.mozdev.org
+whitelist ${HOME}/.conkerorrc
+whitelist ${HOME}/.lastpass
+whitelist ${HOME}/.pentadactyl
+whitelist ${HOME}/.pentadactylrc
+whitelist ${HOME}/.vimperator
+whitelist ${HOME}/.vimperatorrc
+whitelist ${HOME}/.zotero
+whitelist ${HOME}/dwhelper
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+caps.drop all
+netfilter
+nodvd
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6
+seccomp
+disable-mnt
diff --git a/etc/profile-a-l/conky.profile b/etc/profile-a-l/conky.profile
new file mode 100644
index 000000000..e5cd7085a
--- /dev/null
+++ b/etc/profile-a-l/conky.profile
@@ -0,0 +1,46 @@
+# Firejail profile for conky
+# Description: Highly configurable system monitor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include conky.local
+# Persistent global definitions
+include globals.local
+noblacklist ${PICTURES}
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+disable-mnt
+private-cache
+private-dev
+private-tmp
+memory-deny-write-execute
diff --git a/etc/profile-a-l/conplay.profile b/etc/profile-a-l/conplay.profile
new file mode 100644
index 000000000..8d9f3324f
--- /dev/null
+++ b/etc/profile-a-l/conplay.profile
@@ -0,0 +1,18 @@
+# Firejail profile for conplay
+# Description: MPEG audio player/decoder
+# This file is overwritten after every install/update
+# Persistent local customizations
+include conplay.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+## system-wide profile
+#+ overrides
+# Allow perl (blacklisted by disable-interpreters.inc)
+include allow-perl.inc
+whitelist /usr/share/perl5
+# Redirect
+include mpg123.profile
diff --git a/etc/profile-a-l/corebird.profile b/etc/profile-a-l/corebird.profile
new file mode 100644
index 000000000..dbb043c17
--- /dev/null
+++ b/etc/profile-a-l/corebird.profile
@@ -0,0 +1,37 @@
+# Firejail profile for corebird
+# Description: Native Gtk+ Twitter client for the Linux desktop
+# This file is overwritten after every install/update
+# Persistent local customizations
+include corebird.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/corebird
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-var-common.inc
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+private-bin corebird
+private-dev
+private-tmp
diff --git a/etc/profile-a-l/cower.profile b/etc/profile-a-l/cower.profile
new file mode 100644
index 000000000..8efe48240
--- /dev/null
+++ b/etc/profile-a-l/cower.profile
@@ -0,0 +1,49 @@
+# Firejail profile for cower
+# Description: a simple AUR agent with a pretentious name
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include cower.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/cower
+noblacklist /var/lib/pacman
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+# This profile could be significantly strengthened by adding the following to cower.local
+# whitelist ${HOME}/<Your Build Folder>
+# whitelist ${HOME}/.config/cower
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+disable-mnt
+private-bin cower
+private-cache
+private-dev
+private-tmp
+memory-deny-write-execute
+read-only ${HOME}/.config/cower/config
diff --git a/etc/profile-a-l/cpio.profile b/etc/profile-a-l/cpio.profile
new file mode 100644
index 000000000..087a5b2bb
--- /dev/null
+++ b/etc/profile-a-l/cpio.profile
@@ -0,0 +1,46 @@
+# Firejail profile for cpio
+# Description: A program to manage archives of files
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include cpio.local
+# Persistent global definitions
+include globals.local
+blacklist ${RUNUSER}/wayland-*
+noblacklist /sbin
+noblacklist /usr/sbin
+include disable-common.inc
+# include disable-devel.inc
+include disable-exec.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+apparmor
+caps.drop all
+hostname cpio
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+nosound
+notv
+nou2f
+novideo
+seccomp
+shell none
+tracelog
+x11 none
+private-cache
+private-dev
+dbus-user none
+dbus-system none
+memory-deny-write-execute
diff --git a/etc/profile-a-l/crawl-tiles.profile b/etc/profile-a-l/crawl-tiles.profile
new file mode 100644
index 000000000..39151865e
--- /dev/null
+++ b/etc/profile-a-l/crawl-tiles.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for crawl
+# This file is overwritten after every install/update
+ignore no3d
+# Redirect
+include crawl.profile
diff --git a/etc/profile-a-l/crawl.profile b/etc/profile-a-l/crawl.profile
new file mode 100644
index 000000000..3da2413d9
--- /dev/null
+++ b/etc/profile-a-l/crawl.profile
@@ -0,0 +1,47 @@
+# Firejail profile for crawl-tiles
+# Description: Roguelike dungeon exploration game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include crawl-tiles.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.crawl
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.crawl
+whitelist ${HOME}/.crawl
+include whitelist-common.inc
+include whitelist-var-common.inc
+caps.drop all
+ipc-namespace
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+disable-mnt
+private-bin crawl,crawl-tiles
+private-cache
+private-dev
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/crow.profile b/etc/profile-a-l/crow.profile
new file mode 100644
index 000000000..755b6e9f8
--- /dev/null
+++ b/etc/profile-a-l/crow.profile
@@ -0,0 +1,45 @@
+# Firejail profile for crow
+# Description: A translator that allows to translate and say selected text using Google, Yandex and Bing translate API
+# This file is overwritten after every install/update
+# Persistent local customizations
+include crow.local
+# Persistent global definitions
+include globals.local
+mkdir ${HOME}/.config/crow
+mkdir ${HOME}/.cache/gstreamer-1.0
+whitelist ${HOME}/.config/crow
+whitelist ${HOME}/.cache/gstreamer-1.0
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-common.inc
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+disable-mnt
+private-bin crow
+private-dev
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl
+private-opt none
+private-tmp
+private-srv none
diff --git a/etc/profile-a-l/cryptocat.profile b/etc/profile-a-l/cryptocat.profile
new file mode 100644
index 000000000..69aa39de2
--- /dev/null
+++ b/etc/profile-a-l/cryptocat.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for Cryptocat
+# This file is overwritten after every install/update
+# Redirect
+include Cryptocat.profile
diff --git a/etc/profile-a-l/curl.profile b/etc/profile-a-l/curl.profile
new file mode 100644
index 000000000..996ff51d3
--- /dev/null
+++ b/etc/profile-a-l/curl.profile
@@ -0,0 +1,52 @@
+# Firejail profile for curl
+# Description: Command line tool for transferring data with URL syntax
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include curl.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.curlrc
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
+include disable-common.inc
+include disable-exec.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+# depending on workflow you can uncomment the below or put 'include disable-xdg.inc' in your curl.local
+#include disable-xdg.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol inet,inet6
+seccomp
+shell none
+tracelog
+# private-bin curl
+private-cache
+private-dev
+# private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/cvlc.profile b/etc/profile-a-l/cvlc.profile
new file mode 100644
index 000000000..56c0d965c
--- /dev/null
+++ b/etc/profile-a-l/cvlc.profile
@@ -0,0 +1,13 @@
+# Firejail profile for cvlc
+# This file is overwritten after every install/update
+# Persistent local customizations
+include cvlc.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# cvlc doesn't like private-bin
+ignore private-bin
+# Redirect
+include vlc.profile
diff --git a/etc/profile-a-l/cyberfox.profile b/etc/profile-a-l/cyberfox.profile
new file mode 100644
index 000000000..d1fff0004
--- /dev/null
+++ b/etc/profile-a-l/cyberfox.profile
@@ -0,0 +1,21 @@
+# Firejail profile for cyberfox
+# This file is overwritten after every install/update
+# Persistent local customizations
+include cyberfox.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.8pecxstudios
+noblacklist ${HOME}/.cache/8pecxstudios
+mkdir ${HOME}/.8pecxstudios
+mkdir ${HOME}/.cache/8pecxstudios
+whitelist ${HOME}/.8pecxstudios
+whitelist ${HOME}/.cache/8pecxstudios
+# private-bin cyberfox,dbus-launch,dbus-send,env,sh,which
+# private-etc must first be enabled in firefox-common.profile
+#private-etc cyberfox
+# Redirect
+include firefox-common.profile
diff --git a/etc/profile-a-l/d-feet.profile b/etc/profile-a-l/d-feet.profile
new file mode 100644
index 000000000..51df7b455
--- /dev/null
+++ b/etc/profile-a-l/d-feet.profile
@@ -0,0 +1,55 @@
+# Firejail profile for d-feet
+# Description: D-Bus debugger for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include d-feet.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/d-feet
+# Allow python (disabled by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.config/d-feet
+whitelist ${HOME}/.config/d-feet
+whitelist /usr/share/d-feet
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+ipc-namespace
+# net none - breaks on Ubuntu
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+disable-mnt
+private-bin d-feet,python*
+private-cache
+private-dev
+private-etc alternatives,dbus-1,fonts,machine-id
+private-tmp
+#memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/profile-a-l/darktable.profile b/etc/profile-a-l/darktable.profile
new file mode 100644
index 000000000..2a71ad11c
--- /dev/null
+++ b/etc/profile-a-l/darktable.profile
@@ -0,0 +1,38 @@
+# Firejail profile for darktable
+# Description: Virtual lighttable and darkroom for photographers
+# This file is overwritten after every install/update
+# Persistent local customizations
+include darktable.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.cache/darktable
+noblacklist ${HOME}/.config/darktable
+noblacklist ${PICTURES}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+#private-bin darktable
+private-dev
+private-tmp
diff --git a/etc/profile-a-l/dconf-editor.profile b/etc/profile-a-l/dconf-editor.profile
new file mode 100644
index 000000000..e7cc66e32
--- /dev/null
+++ b/etc/profile-a-l/dconf-editor.profile
@@ -0,0 +1,46 @@
+# Firejail profile for dconf-editor
+# Description: dconf configuration editor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include dconf-editor.local
+# Persistent global definitions
+include globals.local
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+whitelist ${HOME}/.local/share/glib-2.0
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+# net none - breaks application on older versions
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin dconf-editor
+private-cache
+private-dev
+private-etc alternatives,dconf,fonts,gtk-3.0,machine-id
+private-lib
+private-tmp
diff --git a/etc/profile-a-l/dconf.profile b/etc/profile-a-l/dconf.profile
new file mode 100644
index 000000000..ea19b2209
--- /dev/null
+++ b/etc/profile-a-l/dconf.profile
@@ -0,0 +1,53 @@
+# Firejail profile for dconf
+# Description: Configuration database system
+# This file is overwritten after every install/update
+# Persistent local customizations
+include dconf.local
+# Persistent global definitions
+include globals.local
+blacklist ${RUNUSER}/wayland-*
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+whitelist ${HOME}/.local/share/glib-2.0
+# dconf paths are whitelisted by the following
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+disable-mnt
+private-bin dconf,gsettings
+private-cache
+private-dev
+private-etc alternatives,dconf
+private-lib
+private-tmp
+memory-deny-write-execute
diff --git a/etc/profile-a-l/ddgtk.profile b/etc/profile-a-l/ddgtk.profile
new file mode 100644
index 000000000..5b95b74be
--- /dev/null
+++ b/etc/profile-a-l/ddgtk.profile
@@ -0,0 +1,55 @@
+# Firejail profile for ddgtk
+# Description: A frontend GUI to dd for making bootable USB disks
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ddgtk.local
+# Persistent global definitions
+include globals.local
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+whitelist ${DOWNLOADS}
+whitelist /usr/share/ddgtk
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin bash,dd,ddgtk,grep,lsblk,python*,sed,sh,tr
+private-cache
+private-etc alternatives,fonts
+private-tmp
+dbus-user none
+dbus-system none
+# memory-deny-write-execute - breaks on Arch
diff --git a/etc/profile-a-l/deadbeef.profile b/etc/profile-a-l/deadbeef.profile
new file mode 100644
index 000000000..8e67d9daa
--- /dev/null
+++ b/etc/profile-a-l/deadbeef.profile
@@ -0,0 +1,35 @@
+# Firejail profile for deadbeef
+# Description: A GTK+ audio player for GNU/Linux
+# This file is overwritten after every install/update
+# Persistent local customizations
+include deadbeef.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/deadbeef
+noblacklist ${MUSIC}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+caps.drop all
+netfilter
+no3d
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+private-dev
+private-tmp
diff --git a/etc/profile-a-l/default.profile b/etc/profile-a-l/default.profile
new file mode 100644
index 000000000..74314cf92
--- /dev/null
+++ b/etc/profile-a-l/default.profile
@@ -0,0 +1,59 @@
+# Firejail profile for default
+# This file is overwritten after every install/update
+# Persistent local customizations
+include default.local
+# Persistent global definitions
+include globals.local
+# generic gui profile
+# depending on your usage, you can enable some of the commands below:
+include disable-common.inc
+# include disable-devel.inc
+# include disable-exec.inc
+# include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+# include disable-xdg.inc
+# include whitelist-common.inc
+# include whitelist-usr-share-common.inc
+# include whitelist-runuser-common.inc
+# include whitelist-var-common.inc
+# apparmor
+caps.drop all
+# ipc-namespace
+# machine-id
+# net none
+netfilter
+# no3d
+# nodvd
+# nogroups
+nonewprivs
+noroot
+# nosound
+# notv
+# nou2f
+# novideo
+protocol unix,inet,inet6
+seccomp
+# shell none
+# tracelog
+# disable-mnt
+# private
+# private-bin program
+# private-cache
+# private-dev
+# see /usr/share/doc/firejail/profile.template for more common private-etc paths.
+# private-etc alternatives,fonts,machine-id
+# private-lib
+# private-opt none
+# private-tmp
+# dbus-user none
+# dbus-system none
+# memory-deny-write-execute
+# read-only ${HOME}
diff --git a/etc/profile-a-l/deluge.profile b/etc/profile-a-l/deluge.profile
new file mode 100644
index 000000000..17c5059f5
--- /dev/null
+++ b/etc/profile-a-l/deluge.profile
@@ -0,0 +1,46 @@
+# Firejail profile for deluge
+# Description: BitTorrent client written in Python/PyGTK
+# This file is overwritten after every install/update
+# Persistent local customizations
+include deluge.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/deluge
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+include disable-common.inc
+# include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+mkdir ${HOME}/.config/deluge
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.config/deluge
+include whitelist-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+machine-id
+netfilter
+nodvd
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+# deluge is using python on Debian
+private-bin deluge,deluge-console,deluge-gtk,deluge-web,deluged,python*,sh,uname
+private-dev
+private-tmp
diff --git a/etc/profile-a-l/desktopeditors.profile b/etc/profile-a-l/desktopeditors.profile
new file mode 100644
index 000000000..9a98c4933
--- /dev/null
+++ b/etc/profile-a-l/desktopeditors.profile
@@ -0,0 +1,45 @@
+# Firejail profile for desktopeditors
+# Description: ONLYOFFICE DesktopEditors
+# This file is overwritten after every install/update
+# Persistent local customizations
+include desktopeditors.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/onlyoffice
+noblacklist ${HOME}/.local/share/onlyoffice
+noblacklist ${HOME}/.pki
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+private-bin desktopeditors,sh
+private-cache
+private-dev
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/devhelp.profile b/etc/profile-a-l/devhelp.profile
new file mode 100644
index 000000000..f3c012acb
--- /dev/null
+++ b/etc/profile-a-l/devhelp.profile
@@ -0,0 +1,53 @@
+# Firejail profile for devhelp
+# Description: API documentation browser for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include devhelp.local
+# Persistent global definitions
+include globals.local
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+whitelist /usr/share/devhelp
+whitelist /usr/share/doc
+whitelist /usr/share/gtk-doc/html
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+apparmor
+caps.drop all
+# net none - makes settings immutable
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin devhelp
+private-cache
+private-dev
+private-etc alternatives,dconf,fonts,ld.so.cache,machine-id,ssl
+private-tmp
+# makes settings immutable
+# dbus-user none
+# dbus-system none
+#memory-deny-write-execute - breaks on Arch (see issue #1803)
+read-only ${HOME}
diff --git a/etc/profile-a-l/devilspie.profile b/etc/profile-a-l/devilspie.profile
new file mode 100644
index 000000000..1ab10a6f6
--- /dev/null
+++ b/etc/profile-a-l/devilspie.profile
@@ -0,0 +1,60 @@
+# Firejail profile for devilspie
+# Description: Window matching daemon
+# This file is overwritten after every install/update
+# Persistent local customizations
+include devilspie.local
+# Persistent global definitions
+include globals.local
+blacklist ${RUNUSER}/wayland-*
+noblacklist ${HOME}/.devilspie
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.devilspie
+whitelist ${HOME}/.devilspie
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+disable-mnt
+private-bin devilspie
+private-cache
+private-dev
+private-etc alternatives
+private-lib gconv
+private-tmp
+dbus-user none
+dbus-system none
+memory-deny-write-execute
+read-only ${HOME}
diff --git a/etc/profile-a-l/devilspie2.profile b/etc/profile-a-l/devilspie2.profile
new file mode 100644
index 000000000..9eab3f536
--- /dev/null
+++ b/etc/profile-a-l/devilspie2.profile
@@ -0,0 +1,24 @@
+# Firejail profile for devilspie2
+# Description: Window matching daemon (Lua)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include devilspie2.local
+# Persistent global definitions
+#include globals.local
+blacklist ${HOME}/.devilspie
+blacklist ${RUNUSER}/wayland-*
+noblacklist ${HOME}/.config/devilspie2
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
+mkdir ${HOME}/.config/devilspie2
+whitelist ${HOME}/.config/devilspie2
+private-bin devilspie2
+# Redirect
+include devilspie.profile
diff --git a/etc/profile-a-l/dex2jar.profile b/etc/profile-a-l/dex2jar.profile
new file mode 100644
index 000000000..7a59c5d73
--- /dev/null
+++ b/etc/profile-a-l/dex2jar.profile
@@ -0,0 +1,42 @@
+# Firejail profile for dex2jar
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include dex2jar.local
+# Persistent global definitions
+include globals.local
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-var-common.inc
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+private-bin bash,dex2jar,dirname,expr,grep,java,ls,sh,uname
+private-cache
+private-dev
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/dia.profile b/etc/profile-a-l/dia.profile
new file mode 100644
index 000000000..52bf1c7f8
--- /dev/null
+++ b/etc/profile-a-l/dia.profile
@@ -0,0 +1,47 @@
+# Firejail profile for dia
+# Description: Diagram editor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include dia.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.dia
+noblacklist ${DOCUMENTS}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include allow-python2.inc
+include allow-python3.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+disable-mnt
+#private-bin dia
+private-cache
+private-dev
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/dig.profile b/etc/profile-a-l/dig.profile
new file mode 100644
index 000000000..152dfd980
--- /dev/null
+++ b/etc/profile-a-l/dig.profile
@@ -0,0 +1,60 @@
+# Firejail profile for dig
+# Description: DNS lookup utility
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include dig.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.digrc
+noblacklist ${PATH}/dig
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
+include disable-common.inc
+# include disable-devel.inc
+include disable-exec.inc
+# include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+#mkfile ${HOME}/.digrc -- see #903
+whitelist ${HOME}/.digrc
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin bash,dig,sh
+private-dev
+# Uncomment the next line (or put 'private-lib' in your dig.local) on non Debian/Ubuntu OS (see issue #3038)
+#private-lib
+private-tmp
+dbus-user none
+dbus-system none
+memory-deny-write-execute
diff --git a/etc/profile-a-l/digikam.profile b/etc/profile-a-l/digikam.profile
new file mode 100644
index 000000000..ae4a63c62
--- /dev/null
+++ b/etc/profile-a-l/digikam.profile
@@ -0,0 +1,43 @@
+# Firejail profile for digikam
+# Description: Digital photo management application for KDE
+# This file is overwritten after every install/update
+# Persistent local customizations
+include digikam.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/digikam
+noblacklist ${HOME}/.config/digikamrc
+noblacklist ${HOME}/.kde/share/apps/digikam
+noblacklist ${HOME}/.kde4/share/apps/digikam
+noblacklist ${PICTURES}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6,netlink
+# QtWebengine needs chroot to set up its own sandbox
+seccomp !chroot
+shell none
+# private-dev - prevents libdc1394 loading; this lib is used to connect to a camera device
+# private-etc alternatives,ca-certificates,crypto-policies,pki,ssl
+private-tmp
+# dbus-user none
+# dbus-system none
diff --git a/etc/profile-a-l/dillo.profile b/etc/profile-a-l/dillo.profile
new file mode 100644
index 000000000..7103d0285
--- /dev/null
+++ b/etc/profile-a-l/dillo.profile
@@ -0,0 +1,37 @@
+# Firejail profile for dillo
+# Description: Small and fast web browser
+# This file is overwritten after every install/update
+# Persistent local customizations
+include dillo.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.dillo
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+mkdir ${HOME}/.dillo
+mkdir ${HOME}/.fltk
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.dillo
+whitelist ${HOME}/.fltk
+include whitelist-common.inc
+include whitelist-var-common.inc
+caps.drop all
+netfilter
+nodvd
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6
+seccomp
+tracelog
+private-dev
+private-tmp
diff --git a/etc/profile-a-l/dino.profile b/etc/profile-a-l/dino.profile
new file mode 100644
index 000000000..82ddf2819
--- /dev/null
+++ b/etc/profile-a-l/dino.profile
@@ -0,0 +1,43 @@
+# Firejail profile for dino
+# Description: Modern XMPP Chat Client using GTK+/Vala
+# This file is overwritten after every install/update
+# Persistent local customizations
+include dino.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.local/share/dino
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+mkdir ${HOME}/.local/share/dino
+whitelist ${HOME}/.local/share/dino
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+disable-mnt
+private-bin dino
+private-dev
+# private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl -- breaks server connection
+private-tmp
diff --git a/etc/profile-a-l/discord-canary.profile b/etc/profile-a-l/discord-canary.profile
new file mode 100644
index 000000000..3e9dacd1e
--- /dev/null
+++ b/etc/profile-a-l/discord-canary.profile
@@ -0,0 +1,17 @@
+# Firejail profile for discord-canary
+# This file is overwritten after every install/update
+# Persistent local customizations
+include discord-canary.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/discordcanary
+mkdir ${HOME}/.config/discordcanary
+whitelist ${HOME}/.config/discordcanary
+private-bin discord-canary
+private-opt discord-canary
+# Redirect
+include discord-common.profile
diff --git a/etc/profile-a-l/discord-common.profile b/etc/profile-a-l/discord-common.profile
new file mode 100644
index 000000000..cbeef798f
--- /dev/null
+++ b/etc/profile-a-l/discord-common.profile
@@ -0,0 +1,38 @@
+# Firejail profile for discord
+# This file is overwritten after every install/update
+# Persistent local customizations
+include discord-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+ignore noexec ${HOME}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.config/BetterDiscord
+whitelist ${HOME}/.local/share/betterdiscordctl
+include whitelist-common.inc
+include whitelist-var-common.inc
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp !chroot
+private-bin bash,cut,echo,egrep,grep,head,sed,sh,tclsh,tr,xdg-mime,xdg-open,zsh
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,login.defs,machine-id,password,pki,resolv.conf,ssl
+private-tmp
diff --git a/etc/profile-a-l/discord.profile b/etc/profile-a-l/discord.profile
new file mode 100644
index 000000000..8ef02a30f
--- /dev/null
+++ b/etc/profile-a-l/discord.profile
@@ -0,0 +1,17 @@
+# Firejail profile for discord
+# This file is overwritten after every install/update
+# Persistent local customizations
+include discord.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/discord
+mkdir ${HOME}/.config/discord
+whitelist ${HOME}/.config/discord
+private-bin discord
+private-opt discord
+# Redirect
+include discord-common.profile
diff --git a/etc/profile-a-l/display.profile b/etc/profile-a-l/display.profile
new file mode 100644
index 000000000..2ae4edced
--- /dev/null
+++ b/etc/profile-a-l/display.profile
@@ -0,0 +1,46 @@
+# Firejail profile for display
+# This file is overwritten after every install/update
+# Persistent local customizations
+include display.local
+# Persistent global definitions
+include globals.local
+noblacklist ${PICTURES}
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+protocol unix
+seccomp
+shell none
+# x11 xorg - problems on kubuntu 17.04
+private-bin display,python*
+private-dev
+# On Debian-based systems, display is a symlink in /etc/alternatives
+private-etc alternatives
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/dnox.profile b/etc/profile-a-l/dnox.profile
new file mode 100644
index 000000000..e02395771
--- /dev/null
+++ b/etc/profile-a-l/dnox.profile
@@ -0,0 +1,17 @@
+# Firejail profile for dnox
+# This file is overwritten after every install/update
+# Persistent local customizations
+include dnox.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.cache/dnox
+noblacklist ${HOME}/.config/dnox
+mkdir ${HOME}/.cache/dnox
+mkdir ${HOME}/.config/dnox
+whitelist ${HOME}/.cache/dnox
+whitelist ${HOME}/.config/dnox
+# Redirect
+include chromium-common.profile
diff --git a/etc/profile-a-l/dnscrypt-proxy.profile b/etc/profile-a-l/dnscrypt-proxy.profile
new file mode 100644
index 000000000..e48e9d1ac
--- /dev/null
+++ b/etc/profile-a-l/dnscrypt-proxy.profile
@@ -0,0 +1,54 @@
+# Firejail profile for dnscrypt-proxy
+# Description: Tool for securing communications between a client and a DNS resolver
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include dnscrypt-proxy.local
+# Persistent global definitions
+include globals.local
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+noblacklist /sbin
+noblacklist /usr/sbin
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+whitelist /usr/share/dnscrypt-proxy
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nonewprivs
+nosound
+notv
+nou2f
+novideo
+protocol inet,inet6
+seccomp.drop _sysctl,acct,add_key,adjtimex,clock_adjtime,delete_module,fanotify_init,finit_module,get_mempolicy,init_module,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioperm,iopl,kcmp,kexec_file_load,kexec_load,keyctl,lookup_dcookie,mbind,migrate_pages,modify_ldt,mount,move_pages,open_by_handle_at,perf_event_open,perf_event_open,pivot_root,process_vm_readv,process_vm_writev,ptrace,remap_file_pages,request_key,set_mempolicy,swapoff,swapon,sysfs,syslog,umount2,uselib,vmsplice
+shell none
+tracelog
+disable-mnt
+private
+private-cache
+private-dev
+dbus-user none
+dbus-system none
+# mdwe can break modules/plugins
+memory-deny-write-execute
diff --git a/etc/profile-a-l/dnsmasq.profile b/etc/profile-a-l/dnsmasq.profile
new file mode 100644
index 000000000..6db71bd49
--- /dev/null
+++ b/etc/profile-a-l/dnsmasq.profile
@@ -0,0 +1,37 @@
+# Firejail profile for dnsmasq
+# Description: Small caching DNS proxy and DHCP/TFTP server
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include dnsmasq.local
+# Persistent global definitions
+include globals.local
+noblacklist /sbin
+noblacklist /usr/sbin
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+caps.keep net_admin,net_bind_service,net_raw,setgid,setuid
+no3d
+nodvd
+nonewprivs
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+disable-mnt
+private
+private-cache
+private-dev
diff --git a/etc/profile-a-l/dolphin.profile b/etc/profile-a-l/dolphin.profile
new file mode 100644
index 000000000..d264470af
--- /dev/null
+++ b/etc/profile-a-l/dolphin.profile
@@ -0,0 +1,42 @@
+# Firejail profile for dolphin
+# Description: File manager
+# This file is overwritten after every install/update
+# Persistent local customizations
+include dolphin.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.local/share/Trash
+# noblacklist ${HOME}/.cache/dolphin - disable-programs.inc is disabled, see below
+# noblacklist ${HOME}/.config/dolphinrc
+# noblacklist ${HOME}/.local/share/dolphin
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+# dolphin needs to be able to start arbitrary applications so we cannot blacklist their files
+# include disable-programs.inc
+allusers
+caps.drop all
+# net none
+netfilter
+nodvd
+nogroups
+nonewprivs
+# Comment the next line (or put 'ignore noroot' in your dolphin.local) if you use MPV+Vulkan (see issue #3012)
+noroot
+notv
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+private-dev
+# private-tmp
+join-or-start dolphin
diff --git a/etc/profile-a-l/dooble-qt4.profile b/etc/profile-a-l/dooble-qt4.profile
new file mode 100644
index 000000000..70a21e11c
--- /dev/null
+++ b/etc/profile-a-l/dooble-qt4.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for dooble
+# This file is overwritten after every install/update
+# Redirect
+include dooble.profile
diff --git a/etc/profile-a-l/dooble.profile b/etc/profile-a-l/dooble.profile
new file mode 100644
index 000000000..bc197b223
--- /dev/null
+++ b/etc/profile-a-l/dooble.profile
@@ -0,0 +1,41 @@
+# Firejail profile for dooble
+# This file is overwritten after every install/update
+# Persistent local customizations
+include dooble.local
+# Backward compatibility
+include dooble-qt4.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.dooble
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+mkdir ${HOME}/.dooble
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.dooble
+include whitelist-common.inc
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+disable-mnt
+private-dev
+private-tmp
diff --git a/etc/profile-a-l/dosbox.profile b/etc/profile-a-l/dosbox.profile
new file mode 100644
index 000000000..17ccc9b9a
--- /dev/null
+++ b/etc/profile-a-l/dosbox.profile
@@ -0,0 +1,37 @@
+# Firejail profile for dosbox
+# Description: x86 emulator with Tandy/Herc/CGA/EGA/VGA/SVGA graphics, sound and DOS
+# This file is overwritten after every install/update
+# Persistent local customizations
+include dosbox.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.dosbox
+noblacklist ${DOCUMENTS}
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-var-common.inc
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+private-bin dosbox
+private-dev
+private-tmp
diff --git a/etc/profile-a-l/dragon.profile b/etc/profile-a-l/dragon.profile
new file mode 100644
index 000000000..df839cc47
--- /dev/null
+++ b/etc/profile-a-l/dragon.profile
@@ -0,0 +1,40 @@
+# Firejail profile for dragon
+# Description: A multimedia player where the focus is on simplicity, instead of features
+# This file is overwritten after every install/update
+# Persistent local customizations
+include dragon.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/dragonplayerrc
+noblacklist ${MUSIC}
+noblacklist ${VIDEOS}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+whitelist /usr/share/dragonplayer
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+private-bin dragon
+private-dev
+private-tmp
diff --git a/etc/profile-a-l/drawio.profile b/etc/profile-a-l/drawio.profile
new file mode 100644
index 000000000..4132caa4f
--- /dev/null
+++ b/etc/profile-a-l/drawio.profile
@@ -0,0 +1,53 @@
+# Firejail profile for drawio
+# Description: Diagram drawing application built on web technology - desktop version
+# This file is overwritten after every install/update
+# Persistent local customizations
+include drawio.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/draw.io
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.config/draw.io
+whitelist ${HOME}/.config/draw.io
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp !chroot
+shell none
+# tracelog - breaks on Arch
+private-bin drawio
+private-cache
+private-dev
+private-etc alternatives,fonts
+private-tmp
+dbus-user none
+dbus-system none
+# memory-deny-write-execute - breaks on Arch
diff --git a/etc/profile-a-l/dropbox.profile b/etc/profile-a-l/dropbox.profile
new file mode 100644
index 000000000..1b242d422
--- /dev/null
+++ b/etc/profile-a-l/dropbox.profile
@@ -0,0 +1,46 @@
+# Firejail profile for dropbox
+# This file is overwritten after every install/update
+# Persistent local customizations
+include dropbox.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/autostart
+noblacklist ${HOME}/.dropbox
+noblacklist ${HOME}/.dropbox-dist
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+mkdir ${HOME}/.dropbox
+mkdir ${HOME}/.dropbox-dist
+mkdir ${HOME}/Dropbox
+mkfile ${HOME}/.config/autostart/dropbox.desktop
+whitelist ${HOME}/.config/autostart/dropbox.desktop
+whitelist ${HOME}/.dropbox
+whitelist ${HOME}/.dropbox-dist
+whitelist ${HOME}/Dropbox
+include whitelist-common.inc
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+private-dev
+private-tmp
+noexec /tmp
diff --git a/etc/profile-a-l/easystroke.profile b/etc/profile-a-l/easystroke.profile
new file mode 100644
index 000000000..bb711b1bf
--- /dev/null
+++ b/etc/profile-a-l/easystroke.profile
@@ -0,0 +1,56 @@
+# Firejail profile for easystroke
+# Description: Control your desktop using mouse gestures
+# This file is overwritten after every install/update
+# Persistent local customizations
+include easystroke.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.easystroke
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.easystroke
+whitelist ${HOME}/.easystroke
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+disable-mnt
+# breaks custom shell command functionality
+#private-bin bash,easystroke,sh
+private-cache
+private-dev
+private-etc alternatives,fonts,group,passwd
+# breaks custom shell command functionality
+#private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*
+private-tmp
+# dbus-user none
+# dbus-system none
+memory-deny-write-execute
diff --git a/etc/profile-a-l/ebook-viewer.profile b/etc/profile-a-l/ebook-viewer.profile
new file mode 100644
index 000000000..706aec737
--- /dev/null
+++ b/etc/profile-a-l/ebook-viewer.profile
@@ -0,0 +1,11 @@
+# Firejail profile alias for calibre
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ebook-viewer.local
+net none
+dbus-user none
+dbus-system none
+# Redirect
+include calibre.profile
diff --git a/etc/profile-a-l/electron-mail.profile b/etc/profile-a-l/electron-mail.profile
new file mode 100644
index 000000000..d5def68c2
--- /dev/null
+++ b/etc/profile-a-l/electron-mail.profile
@@ -0,0 +1,55 @@
+# Firejail profile for electron-mail
+# Description: Unofficial desktop app for several E2E encrypted email providers
+# This file is overwritten after every install/update
+# Persistent local customizations
+include electron-mail.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/electron-mail
+whitelist ${DOWNLOADS}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.config/electron-mail
+whitelist ${HOME}/.config/electron-mail
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp !chroot
+shell none
+# tracelog - breaks on Arch
+private-bin electron-mail
+private-cache
+private-dev
+private-etc alternatives,fonts
+private-opt ElectronMail
+private-tmp
+# breaks tray functionality
+# dbus-user none
+# dbus-system none
+# memory-deny-write-execute - breaks on Arch
diff --git a/etc/profile-a-l/electron.profile b/etc/profile-a-l/electron.profile
new file mode 100644
index 000000000..9b99c7ffb
--- /dev/null
+++ b/etc/profile-a-l/electron.profile
@@ -0,0 +1,27 @@
+# Firejail profile for electron
+# Description: Build cross platform desktop apps with web technologies
+# This file is overwritten after every install/update
+# Persistent local customizations
+include electron.local
+# Persistent global definitions
+include globals.local
+include disable-common.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+whitelist ${DOWNLOADS}
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6,netlink
+seccomp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/electrum.profile b/etc/profile-a-l/electrum.profile
new file mode 100644
index 000000000..bcc84ddb8
--- /dev/null
+++ b/etc/profile-a-l/electrum.profile
@@ -0,0 +1,53 @@
+# Firejail profile for electrum
+# Description: Lightweight Bitcoin wallet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include electrum.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.electrum
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.electrum
+whitelist ${HOME}/.electrum
+include whitelist-common.inc
+include whitelist-var-common.inc
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+disable-mnt
+private-bin electrum,python*
+private-cache
+?HAS_APPIMAGE: ignore private-dev
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,machine-id,pki,resolv.conf,ssl
+private-tmp
+# dbus-user none
+# dbus-system none
diff --git a/etc/profile-a-l/elinks.profile b/etc/profile-a-l/elinks.profile
new file mode 100644
index 000000000..2a306d704
--- /dev/null
+++ b/etc/profile-a-l/elinks.profile
@@ -0,0 +1,43 @@
+# Firejail profile for elinks
+# Description: Advanced text-mode WWW browser
+# This file is overwritten after every install/update
+# Persistent local customizations
+include elinks.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.elinks
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-runuser-common.inc
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+# private-bin elinks
+private-cache
+private-dev
+# private-etc alternatives,ca-certificates,crypto-policies,pki,ssl
+private-tmp
diff --git a/etc/profile-a-l/emacs.profile b/etc/profile-a-l/emacs.profile
new file mode 100644
index 000000000..ab378105e
--- /dev/null
+++ b/etc/profile-a-l/emacs.profile
@@ -0,0 +1,31 @@
+# Firejail profile for emacs
+# Description: GNU Emacs editor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include emacs.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.emacs
+noblacklist ${HOME}/.emacs.d
+# if you need gpg uncomment the following line
+# or put it into your emacs.local
+#noblacklist ${HOME}/.gnupg
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
+include disable-common.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
diff --git a/etc/profile-a-l/email-common.profile b/etc/profile-a-l/email-common.profile
new file mode 100644
index 000000000..f9d96858b
--- /dev/null
+++ b/etc/profile-a-l/email-common.profile
@@ -0,0 +1,68 @@
+# Firejail profile for email-common
+# Description: Common profile for claws-mail and sylpheed email clients
+# This file is overwritten after every install/update
+# Persistent local customizations
+include email-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.signature
+# when storing mail outside the default ${HOME}/Mail path, 'noblacklist' the custom path in your email-common.local
+# and 'blacklist' it in your disable-common.local too so it is  kept hidden from other applications
+noblacklist ${HOME}/Mail
+noblacklist ${DOCUMENTS}
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+whitelist ${DOCUMENTS}
+whitelist ${DOWNLOADS}
+mkfile ${HOME}/.config/mimeapps.list
+mkdir ${HOME}/.gnupg
+mkfile ${HOME}/.signature
+whitelist ${HOME}/.config/mimeapps.list
+whitelist ${HOME}/.gnupg
+whitelist ${HOME}/.signature
+# when storing mail outside the default ${HOME}/Mail path, 'whitelist' the custom path in your email-common.local
+whitelist ${HOME}/Mail
+whitelist /usr/share/gnupg
+whitelist /usr/share/gnupg2
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+private-cache
+private-dev
+private-tmp
+# encrypting and signing email
+read-only ${HOME}/.config/mimeapps.list
+writable-run-user
+# If you want to read local mail stored in /var/mail, add the following to email-common.local:
+# whitelist /var/mail
+# whitelist /var/spool/mail
+# writable-var
diff --git a/etc/profile-a-l/empathy.profile b/etc/profile-a-l/empathy.profile
new file mode 100644
index 000000000..5ca640d30
--- /dev/null
+++ b/etc/profile-a-l/empathy.profile
@@ -0,0 +1,26 @@
+# Firejail profile for empathy
+# Description: GNOME multi-protocol chat and call client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include empathy.local
+# Persistent global definitions
+include globals.local
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6
+seccomp
+private-cache
+private-tmp
diff --git a/etc/profile-a-l/enchant-2.profile b/etc/profile-a-l/enchant-2.profile
new file mode 100644
index 000000000..32cc0e691
--- /dev/null
+++ b/etc/profile-a-l/enchant-2.profile
@@ -0,0 +1,10 @@
+# Firejail profile for enchant-2
+# This file is overwritten after every install/update
+# Persistent local customizations
+include enchant-2.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include enchant.profile
diff --git a/etc/profile-a-l/enchant-lsmod-2.profile b/etc/profile-a-l/enchant-lsmod-2.profile
new file mode 100644
index 000000000..a7199955e
--- /dev/null
+++ b/etc/profile-a-l/enchant-lsmod-2.profile
@@ -0,0 +1,10 @@
+# Firejail profile for enchant-lsmod-2
+# This file is overwritten after every install/update
+# Persistent local customizations
+include enchant-lsmod-2.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include enchant.profile
diff --git a/etc/profile-a-l/enchant-lsmod.profile b/etc/profile-a-l/enchant-lsmod.profile
new file mode 100644
index 000000000..ba4353d15
--- /dev/null
+++ b/etc/profile-a-l/enchant-lsmod.profile
@@ -0,0 +1,10 @@
+# Firejail profile for enchant-lsmod
+# This file is overwritten after every install/update
+# Persistent local customizations
+include enchant-lsmod.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include enchant.profile
diff --git a/etc/profile-a-l/enchant.profile b/etc/profile-a-l/enchant.profile
new file mode 100644
index 000000000..2b5de799f
--- /dev/null
+++ b/etc/profile-a-l/enchant.profile
@@ -0,0 +1,58 @@
+# Firejail profile for enchant
+# Description: Wrapper for various spell checker engines
+# This file is overwritten after every install/update
+# Persistent local customizations
+include enchant.local
+# Persistent global definitions
+include globals.local
+blacklist ${RUNUSER}/wayland-*
+noblacklist ${HOME}/.config/enchant
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.config/enchant
+whitelist ${HOME}/.config/enchant
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+private-bin enchant,enchant-*
+private-cache
+private-dev
+private-etc alternatives
+private-lib
+private-tmp
+dbus-user none
+dbus-system none
+memory-deny-write-execute
diff --git a/etc/profile-a-l/engrampa.profile b/etc/profile-a-l/engrampa.profile
new file mode 100644
index 000000000..6c0892c56
--- /dev/null
+++ b/etc/profile-a-l/engrampa.profile
@@ -0,0 +1,42 @@
+# Firejail profile for engrampa
+# Description: Archive manager for MATE
+# This file is overwritten after every install/update
+# Persistent local customizations
+include engrampa.local
+# Persistent global definitions
+include globals.local
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+# private-bin engrampa
+private-dev
+# private-tmp
+dbus-user none
+dbus-system none
+memory-deny-write-execute
diff --git a/etc/profile-a-l/enox.profile b/etc/profile-a-l/enox.profile
new file mode 100644
index 000000000..d8ac8b24a
--- /dev/null
+++ b/etc/profile-a-l/enox.profile
@@ -0,0 +1,19 @@
+# Firejail profile for enox
+# This file is overwritten after every install/update
+# Persistent local customizations
+include enox.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.cache/Enox
+noblacklist ${HOME}/.config/Enox
+#mkdir ${HOME}/.cache/dnox
+#mkdir ${HOME}/.config/dnox
+mkdir ${HOME}/.cache/Enox
+mkdir ${HOME}/.config/Enox
+whitelist ${HOME}/.cache/Enox
+whitelist ${HOME}/.config/Enox
+# Redirect
+include chromium-common.profile
diff --git a/etc/profile-a-l/enpass.profile b/etc/profile-a-l/enpass.profile
new file mode 100644
index 000000000..68113e294
--- /dev/null
+++ b/etc/profile-a-l/enpass.profile
@@ -0,0 +1,62 @@
+# Firejail profile for enpass
+# Description: A multiplatform password manager
+# This file is overwritten after every install/update.
+# Persistent local customisations
+include enpass.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.cache/Enpass
+noblacklist ${HOME}/.config/sinew.in
+noblacklist ${HOME}/.config/Sinew Software Systems
+noblacklist ${HOME}/.local/share/Enpass
+noblacklist ${DOCUMENTS}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.cache/Enpass
+mkfile ${HOME}/.config/sinew.in
+mkdir ${HOME}/.config/Sinew Software Systems
+mkdir ${HOME}/.local/share/Enpass
+whitelist ${HOME}/.cache/Enpass
+whitelist ${HOME}/.config/sinew.in
+whitelist ${HOME}/.config/Sinew Software Systems
+whitelist ${HOME}/.local/share/Enpass
+whitelist ${DOCUMENTS}
+include whitelist-common.inc
+include whitelist-var-common.inc
+# machine-id and nosound break audio notification functionality
+# comment both if you need that functionality or put 'ignore machine-id'
+# and 'ignore nosound' in your enpass.local
+caps.drop all
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+private-bin dirname,Enpass,importer_enpass,readlink,sh
+?HAS_APPIMAGE: ignore private-dev
+private-dev
+private-opt Enpass
+private-tmp
+#memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/profile-a-l/eo-common.profile b/etc/profile-a-l/eo-common.profile
new file mode 100644
index 000000000..80c704c6b
--- /dev/null
+++ b/etc/profile-a-l/eo-common.profile
@@ -0,0 +1,47 @@
+# Firejail profile for eo-common
+# Description: Common profile for Eye of GNOME/MATE graphics viewer program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include eo-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+noblacklist ${HOME}/.local/share/Trash
+noblacklist ${HOME}/.Steam
+noblacklist ${HOME}/.steam
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+tracelog
+private-cache
+private-dev
+private-etc alternatives,dconf,fonts,gtk-3.0
+private-lib eog,eom,gdk-pixbuf-2.*,gio,girepository-1.*,gvfs,libgconf-2.so.*
+private-tmp
diff --git a/etc/profile-a-l/eog.profile b/etc/profile-a-l/eog.profile
new file mode 100644
index 000000000..6690b33ca
--- /dev/null
+++ b/etc/profile-a-l/eog.profile
@@ -0,0 +1,19 @@
+# Firejail profile for eog
+# Description: Eye of GNOME graphics viewer program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include eog.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/eog
+whitelist /usr/share/eog
+# private-bin, private-etc and private-lib break 'Open With' / 'Open in file manager'
+# comment those if you need that functionality
+# or put 'ignore private-bin', 'ignore private-etc' and 'ignore private-lib' in your eog.local
+private-bin eog
+# Redirect
+include eo-common.profile
diff --git a/etc/profile-a-l/eom.profile b/etc/profile-a-l/eom.profile
new file mode 100644
index 000000000..5bfeb8c8f
--- /dev/null
+++ b/etc/profile-a-l/eom.profile
@@ -0,0 +1,19 @@
+# Firejail profile for eom
+# Description: Eye of MATE graphics viewer program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include eom.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/mate/eom
+whitelist /usr/share/eom
+# private-bin, private-etc and private-lib break 'Open With' / 'Open in file manager'
+# comment those if you need that functionality
+# or put 'ignore private-bin', 'ignore private-etc' and 'ignore private-lib' in your eom.local
+private-bin eom
+# Redirect
+include eo-common.profile
diff --git a/etc/profile-a-l/ephemeral.profile b/etc/profile-a-l/ephemeral.profile
new file mode 100644
index 000000000..029f613c6
--- /dev/null
+++ b/etc/profile-a-l/ephemeral.profile
@@ -0,0 +1,63 @@
+# Firejail profile for ephemeral
+# Description: The always-incognito web browser
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ephemeral.local
+# Persistent global definitions
+include globals.local
+# enforce private-cache
+#noblacklist ${HOME}/.cache/ephemeral
+noblacklist ${HOME}/.pki
+noblacklist ${HOME}/.local/share/pki
+# noexec ${HOME} breaks DRM binaries.
+?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+# enforce private-cache
+#mkdir ${HOME}/.cache/ephemeral
+mkdir ${HOME}/.pki
+mkdir ${HOME}/.local/share/pki
+# enforce private-cache
+#whitelist ${HOME}/.cache/ephemeral
+whitelist ${HOME}/.pki
+whitelist ${HOME}/.local/share/pki
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+# machine-id breaks pulse audio; it should work fine in setups where sound is not required.
+#machine-id
+netfilter
+nodvd
+nogroups
+nonewprivs
+# noroot breaks GTK_USE_PORTAL=1 usage, see https://github.com/netblue30/firejail/issues/2506.
+noroot
+notv
+?BROWSER_DISABLE_U2F: nou2f
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+disable-mnt
+private-cache
+?BROWSER_DISABLE_U2F: private-dev
+# private-etc below works fine on most distributions. There are some problems on CentOS.
+#private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,localtime,login.defs,machine-id,mailcap,mime.types,nsswitch.conf,os-release,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-tmp
+# breaks preferences
+# dbus-user none
+# dbus-system none
diff --git a/etc/profile-a-l/epiphany.profile b/etc/profile-a-l/epiphany.profile
new file mode 100644
index 000000000..225811226
--- /dev/null
+++ b/etc/profile-a-l/epiphany.profile
@@ -0,0 +1,36 @@
+# Firejail profile for epiphany
+# Description: The GNOME Web browser
+# This file is overwritten after every install/update
+# Persistent local customizations
+include epiphany.local
+# Persistent global definitions
+include globals.local
+# Note: Epiphany use bwrap since 3.34 and can not be firejailed any more.
+# See https://github.com/netblue30/firejail/issues/2995
+noblacklist ${HOME}/.cache/epiphany
+noblacklist ${HOME}/.config/epiphany
+noblacklist ${HOME}/.local/share/epiphany
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
+mkdir ${HOME}/.cache/epiphany
+mkdir ${HOME}/.config/epiphany
+mkdir ${HOME}/.local/share/epiphany
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.cache/epiphany
+whitelist ${HOME}/.config/epiphany
+whitelist ${HOME}/.local/share/epiphany
+include whitelist-common.inc
+caps.drop all
+netfilter
+nodvd
+nonewprivs
+notv
+protocol unix,inet,inet6
+seccomp
diff --git a/etc/profile-a-l/et.profile b/etc/profile-a-l/et.profile
new file mode 100644
index 000000000..4e70bb114
--- /dev/null
+++ b/etc/profile-a-l/et.profile
@@ -0,0 +1,11 @@
+# Firejail profile for et
+# Description: WPS Office - Spreadsheets
+# This file is overwritten after every install/update
+# Persistent local customizations
+include et.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include wps.profile
diff --git a/etc/profile-a-l/etr.profile b/etc/profile-a-l/etr.profile
new file mode 100644
index 000000000..7afcd01d7
--- /dev/null
+++ b/etc/profile-a-l/etr.profile
@@ -0,0 +1,46 @@
+# Firejail profile for etr
+# Description: High speed arctic racing game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include etr.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.etr
+include disable-common.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.etr
+whitelist ${HOME}/.etr
+include whitelist-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin etr
+private-cache
+private-dev
+# private-etc alternatives,drirc,machine-id,openal
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/evince-previewer.profile b/etc/profile-a-l/evince-previewer.profile
new file mode 100644
index 000000000..3857d6f7b
--- /dev/null
+++ b/etc/profile-a-l/evince-previewer.profile
@@ -0,0 +1,10 @@
+# Firejail profile for evince-previewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include evince-previewer.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include evince.profile
diff --git a/etc/profile-a-l/evince-thumbnailer.profile b/etc/profile-a-l/evince-thumbnailer.profile
new file mode 100644
index 000000000..080a04a52
--- /dev/null
+++ b/etc/profile-a-l/evince-thumbnailer.profile
@@ -0,0 +1,10 @@
+# Firejail profile for evince-thumbnailer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include evince-thumbnailer.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include evince.profile
diff --git a/etc/profile-a-l/evince.profile b/etc/profile-a-l/evince.profile
new file mode 100644
index 000000000..04964ce33
--- /dev/null
+++ b/etc/profile-a-l/evince.profile
@@ -0,0 +1,56 @@
+# Firejail profile for evince
+# Description: Document (PostScript, PDF) viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include evince.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/evince
+noblacklist ${DOCUMENTS}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+whitelist /usr/share/doc
+whitelist /usr/share/evince
+whitelist /usr/share/poppler
+whitelist /usr/share/tracker
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+caps.drop all
+machine-id
+# net none - breaks AppArmor on Ubuntu systems
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+private-bin evince,evince-previewer,evince-thumbnailer
+private-cache
+private-dev
+private-etc alternatives,fonts,group,ld.so.cache,machine-id,passwd
+# private-lib might break two-page-view on some systems
+private-lib evince,gcc/*/*/libgcc_s.so.*,gcc/*/*/libstdc++.so.*,gconv,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libdjvulibre.so.*,libgconf-2.so.*,libgraphite2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,libspectre.so.*
+private-tmp
+# might break two-page-view on some systems
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/evolution.profile b/etc/profile-a-l/evolution.profile
new file mode 100644
index 000000000..4740bf935
--- /dev/null
+++ b/etc/profile-a-l/evolution.profile
@@ -0,0 +1,46 @@
+# Firejail profile for evolution
+# Description: Groupware suite with mail client and organizer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include evolution.local
+# Persistent global definitions
+include globals.local
+noblacklist /var/mail
+noblacklist /var/spool/mail
+noblacklist ${HOME}/.bogofilter
+noblacklist ${HOME}/.cache/evolution
+noblacklist ${HOME}/.config/evolution
+noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.local/share/evolution
+noblacklist ${HOME}/.pki
+noblacklist ${HOME}/.local/share/pki
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include whitelist-runuser-common.inc
+caps.drop all
+netfilter
+# no3d breaks under wayland
+#no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+private-dev
+private-tmp
diff --git a/etc/profile-a-l/exfalso.profile b/etc/profile-a-l/exfalso.profile
new file mode 100644
index 000000000..0b961f534
--- /dev/null
+++ b/etc/profile-a-l/exfalso.profile
@@ -0,0 +1,60 @@
+# Firejail profile for exfalso
+# Description: GTK audio tag editor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include exfalso.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.quodlibet
+noblacklist ${MUSIC}
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+whitelist ${DOWNLOADS}
+whitelist ${MUSIC}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.quodlibet
+whitelist ${HOME}/.quodlibet
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+private-bin exfalso,python*
+private-cache
+private-dev
+private-etc alternatives,fonts,group,passwd
+private-lib libatk-1.0.so.*,libgdk-3.so.*,libgdk_pixbuf-2.0.so.*,libgirepository-1.0.so.*,libgstreamer-1.0.so.*,libgtk-3.so.*,libgtksourceview-3.0.so.*,libpango-1.0.so.*,libpython*,libreadline.so.*,libsoup-2.4.so.*,libssl.so.1.*,python2*,python3*
+private-tmp
+dbus-user none
+dbus-system none
+#memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/profile-a-l/exiftool.profile b/etc/profile-a-l/exiftool.profile
new file mode 100644
index 000000000..90d8a0fc2
--- /dev/null
+++ b/etc/profile-a-l/exiftool.profile
@@ -0,0 +1,57 @@
+# Firejail profile for exiftool
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include exiftool.local
+# Persistent global definitions
+include globals.local
+blacklist ${RUNUSER}/wayland-*
+# Allow perl (blacklisted by disable-interpreters.inc)
+include allow-perl.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+whitelist /usr/share/perl5
+whitelist /usr/share/perl-image-exiftool
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+# To support exiftool in private-bin on Arch Linux (and derivatives), symlink /usr/bin/vendor_perl/exiftool to /usr/bin/exiftool and uncomment the below.
+# Users on non-Arch Linux distributions can safely uncomment (or put in exiftool.local) the line below to enable extra hardening.
+#private-bin exiftool,perl
+private-cache
+private-dev
+private-etc alternatives
+private-tmp
+dbus-user none
+dbus-system none
+memory-deny-write-execute
diff --git a/etc/profile-a-l/falkon.profile b/etc/profile-a-l/falkon.profile
new file mode 100644
index 000000000..0024b6660
--- /dev/null
+++ b/etc/profile-a-l/falkon.profile
@@ -0,0 +1,43 @@
+# Firejail profile for falkon
+# Description: Lightweight web browser based on Qt WebEngine
+# This file is overwritten after every install/update
+# Persistent local customizations
+include falkon.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.cache/falkon
+noblacklist ${HOME}/.config/falkon
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+mkdir ${HOME}/.cache/falkon
+mkdir ${HOME}/.config/falkon
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.cache/falkon
+whitelist ${HOME}/.config/falkon
+include whitelist-common.inc
+include whitelist-var-common.inc
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6,netlink
+# blacklisting of chroot system calls breaks falkon
+seccomp !chroot
+# tracelog
+private-dev
+# private-etc alternatives,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,adobe,mime.types,mailcap,asound.conf,pulse,machine-id,ca-certificates,ssl,pki,crypto-policies
+# private-tmp - interferes with the opening of downloaded files
diff --git a/etc/profile-a-l/fbreader.profile b/etc/profile-a-l/fbreader.profile
new file mode 100644
index 000000000..af670cee2
--- /dev/null
+++ b/etc/profile-a-l/fbreader.profile
@@ -0,0 +1,38 @@
+# Firejail profile for fbreader
+# Description: E-book reader
+# This file is overwritten after every install/update
+# Persistent local customizations
+include fbreader.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.FBReader
+noblacklist ${DOCUMENTS}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+net none
+nodvd
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+private-bin fbreader,FBReader
+private-dev
+private-tmp
diff --git a/etc/profile-a-l/fdns.profile b/etc/profile-a-l/fdns.profile
new file mode 100644
index 000000000..179540806
--- /dev/null
+++ b/etc/profile-a-l/fdns.profile
@@ -0,0 +1,50 @@
+# Firejail profile for server
+# This file is overwritten after every install/update
+# Persistent local customizations
+include fdns.local
+# Persistent global definitions
+include globals.local
+noblacklist /sbin
+noblacklist /usr/sbin
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+#include whitelist-usr-share-common.inc
+#include whitelist-var-common.inc
+caps.keep kill,net_bind_service,setgid,setuid,sys_admin,sys_chroot
+ipc-namespace
+# netfilter /etc/firejail/webserver.net
+no3d
+nodvd
+nogroups
+nonewprivs
+# noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+#seccomp
+#shell none
+disable-mnt
+private
+private-bin bash,fdns,sh
+# private-cache
+private-dev
+private-etc ca-certificates,crypto-policies,fdns,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pki,ssl
+# private-lib
+private-tmp
+memory-deny-write-execute
diff --git a/etc/profile-a-l/feedreader.profile b/etc/profile-a-l/feedreader.profile
new file mode 100644
index 000000000..7d3c7a8f4
--- /dev/null
+++ b/etc/profile-a-l/feedreader.profile
@@ -0,0 +1,50 @@
+# Firejail profile for feedreader
+# Description: RSS client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include feedreader.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.cache/feedreader
+noblacklist ${HOME}/.local/share/feedreader
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.cache/feedreader
+mkdir ${HOME}/.local/share/feedreader
+whitelist ${HOME}/.cache/feedreader
+whitelist ${HOME}/.local/share/feedreader
+whitelist /usr/share/feedreader
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+caps.drop all
+netfilter
+# no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+# nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+disable-mnt
+private-cache
+private-dev
+private-tmp
diff --git a/etc/profile-a-l/feh.profile b/etc/profile-a-l/feh.profile
new file mode 100644
index 000000000..91123fa0e
--- /dev/null
+++ b/etc/profile-a-l/feh.profile
@@ -0,0 +1,43 @@
+# Firejail profile for feh
+# Description: imlib2 based image viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include feh.local
+# Persistent global definitions
+include globals.local
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+# This profile disables network access
+# In order to enable network access,
+# uncomment the following or put it in your feh.local:
+# include feh-network.inc
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+private-bin feh,jpegexiforient,jpegtran
+private-cache
+private-dev
+private-etc alternatives,feh
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/ferdi.profile b/etc/profile-a-l/ferdi.profile
new file mode 100644
index 000000000..9b4c5f114
--- /dev/null
+++ b/etc/profile-a-l/ferdi.profile
@@ -0,0 +1,46 @@
+# Firejail profile for ferdi
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ferdi.local
+# Persistent global definitions
+include globals.local
+ignore noexec /tmp
+noblacklist ${HOME}/.cache/Ferdi
+noblacklist ${HOME}/.config/Ferdi
+noblacklist ${HOME}/.pki
+noblacklist ${HOME}/.local/share/pki
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+mkdir ${HOME}/.cache/Ferdi
+mkdir ${HOME}/.config/Ferdi
+mkdir ${HOME}/.pki
+mkdir ${HOME}/.local/share/pki
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.cache/Ferdi
+whitelist ${HOME}/.config/Ferdi
+whitelist ${HOME}/.pki
+whitelist ${HOME}/.local/share/pki
+include whitelist-common.inc
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp !chroot
+shell none
+disable-mnt
+private-dev
+private-tmp
diff --git a/etc/profile-a-l/fetchmail.profile b/etc/profile-a-l/fetchmail.profile
new file mode 100644
index 000000000..d64fe830f
--- /dev/null
+++ b/etc/profile-a-l/fetchmail.profile
@@ -0,0 +1,34 @@
+# Firejail profile for fetchmail
+# Description: SSL enabled POP3, APOP, IMAP mail gatherer/forwarder
+# This file is overwritten after every install/update
+# Persistent local customizations
+include fetchmail.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.fetchmailrc
+noblacklist ${HOME}/.netrc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+#private-bin bash,chmod,fetchmail,procmail
+private-dev
diff --git a/etc/profile-a-l/ffmpeg.profile b/etc/profile-a-l/ffmpeg.profile
new file mode 100644
index 000000000..37c46e7d6
--- /dev/null
+++ b/etc/profile-a-l/ffmpeg.profile
@@ -0,0 +1,55 @@
+# Firejail profile for ffmpeg
+# Description: Tools for transcoding, streaming and playing of multimedia files
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include ffmpeg.local
+# Persistent global definitions
+include globals.local
+noblacklist ${MUSIC}
+noblacklist ${VIDEOS}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+whitelist /usr/share/devedeng
+whitelist /usr/share/ffmpeg
+whitelist /usr/share/qtchooser
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol inet,inet6
+# allow set_mempolicy, which is required to encode using libx265
+seccomp !set_mempolicy
+shell none
+tracelog
+private-bin ffmpeg
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,nsswitch.conf,pkcs11,pki,resolv.conf,ssl
+private-tmp
+dbus-user none
+dbus-system none
+# memory-deny-write-execute - it breaks old versions of ffmpeg
diff --git a/etc/profile-a-l/ffmpegthumbnailer.profile b/etc/profile-a-l/ffmpegthumbnailer.profile
new file mode 100644
index 000000000..6d72c3b99
--- /dev/null
+++ b/etc/profile-a-l/ffmpegthumbnailer.profile
@@ -0,0 +1,18 @@
+# Firejail profile for ffmpegthumbnailer
+# Description: FFmpeg-based video thumbnailer
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include ffmpegthumbnailer.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+private-bin ffmpegthumbnailer
+private-lib libffmpegthumbnailer.so.*
+# fix for ranger video thumbnails
+ignore private-cache
+# Redirect
+include ffmpeg.profile
diff --git a/etc/profile-a-l/ffplay.profile b/etc/profile-a-l/ffplay.profile
new file mode 100644
index 000000000..04134cbf4
--- /dev/null
+++ b/etc/profile-a-l/ffplay.profile
@@ -0,0 +1,20 @@
+# Firejail profile for ffplay
+# Description: FFmpeg-based media player
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include ffplay.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+protocol unix,inet,inet6
+ignore ipc-namespace
+ignore nogroups
+ignore nosound
+private-bin ffplay
+private-etc alsa,asound.conf,group
+# Redirect
+include ffmpeg.profile
diff --git a/etc/profile-a-l/ffprobe.profile b/etc/profile-a-l/ffprobe.profile
new file mode 100644
index 000000000..e7c9f678d
--- /dev/null
+++ b/etc/profile-a-l/ffprobe.profile
@@ -0,0 +1,14 @@
+# Firejail profile for ffprobe
+# Description: FFmpeg-based media prober
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include ffprobe.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+ignore private-bin
+# Redirect
+include ffmpeg.profile
diff --git a/etc/profile-a-l/file-roller.profile b/etc/profile-a-l/file-roller.profile
new file mode 100644
index 000000000..70dd030ee
--- /dev/null
+++ b/etc/profile-a-l/file-roller.profile
@@ -0,0 +1,44 @@
+# Firejail profile for file-roller
+# Description: Archive manager for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include file-roller.local
+# Persistent global definitions
+include globals.local
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+whitelist /usr/share/file-roller
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+#ipc-namespace - causing issues launching on archlinux
+machine-id
+# net none - breaks on older Ubuntu versions
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+private-bin 7z,7za,7zr,ar,arj,bash,brotli,bzip2,compress,cpio,dpkg-deb,file-roller,gtar,gzip,isoinfo,lha,lrzip,lsar,lz4,lzip,lzma,lzop,p7zip,rar,rzip,sh,tar,unace,unalz,unar,uncompress,unrar,unsquashfs,unstuff,unzip,xz,zip,zoo
+private-cache
+private-dev
+private-etc dconf,fonts,gtk-3.0,xdg
+# private-tmp
diff --git a/etc/profile-a-l/file.profile b/etc/profile-a-l/file.profile
new file mode 100644
index 000000000..74620d4cd
--- /dev/null
+++ b/etc/profile-a-l/file.profile
@@ -0,0 +1,48 @@
+# Firejail profile for file
+# Description: Recognize the type of data in a file using "magic" numbers
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include file.local
+# Persistent global definitions
+include globals.local
+blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
+include disable-common.inc
+include disable-exec.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+apparmor
+caps.drop all
+hostname file
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+#private-bin bzip2,file,gzip,lrzip,lz4,lzip,xz,zstd
+private-cache
+private-dev
+#private-etc alternatives,localtime,magic,magic.mgc
+#private-lib file,libarchive.so.*,libfakeroot,libmagic.so.*,libseccomp.so.*
+dbus-user none
+dbus-system none
+memory-deny-write-execute
+read-only ${HOME}
diff --git a/etc/profile-a-l/filezilla.profile b/etc/profile-a-l/filezilla.profile
new file mode 100644
index 000000000..6c7ab8f0d
--- /dev/null
+++ b/etc/profile-a-l/filezilla.profile
@@ -0,0 +1,40 @@
+# Firejail profile for filezilla
+# Description: Full-featured graphical FTP/FTPS/SFTP client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include filezilla.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/filezilla
+noblacklist ${HOME}/.filezilla
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+caps.drop all
+netfilter
+nodvd
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+# private-bin breaks --join if the user has zsh set as $SHELL - adding zsh on private-bin
+private-bin bash,filezilla,fzputtygen,fzsftp,lsb_release,python*,sh,uname,zsh
+private-dev
+private-tmp
diff --git a/etc/profile-a-l/firefox-beta.profile b/etc/profile-a-l/firefox-beta.profile
new file mode 100644
index 000000000..fa8bbb1f5
--- /dev/null
+++ b/etc/profile-a-l/firefox-beta.profile
@@ -0,0 +1,10 @@
+# Firejail profile for firefox-beta
+# This file is overwritten after every install/update
+# Persistent local customizations
+include firefox-beta.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include firefox.profile
diff --git a/etc/profile-a-l/firefox-common.profile b/etc/profile-a-l/firefox-common.profile
new file mode 100644
index 000000000..7c343c26d
--- /dev/null
+++ b/etc/profile-a-l/firefox-common.profile
@@ -0,0 +1,60 @@
+# Firejail profile for firefox-common
+# This file is overwritten after every install/update
+# Persistent local customizations
+include firefox-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+# noexec ${HOME} breaks DRM binaries.
+?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
+# Uncomment the following line (or put it in your firefox-common.local) to allow access to common programs/addons/plugins.
+#include firefox-common-addons.inc
+noblacklist ${HOME}/.pki
+noblacklist ${HOME}/.local/share/pki
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+mkdir ${HOME}/.pki
+mkdir ${HOME}/.local/share/pki
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.pki
+whitelist ${HOME}/.local/share/pki
+include whitelist-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+# machine-id breaks pulse audio; it should work fine in setups where sound is not required.
+#machine-id
+netfilter
+nodvd
+nogroups
+nonewprivs
+# noroot breaks GTK_USE_PORTAL=1 usage, see https://github.com/netblue30/firejail/issues/2506.
+noroot
+notv
+?BROWSER_DISABLE_U2F: nou2f
+protocol unix,inet,inet6,netlink
+# The below seccomp configuration still permits chroot syscall. See https://github.com/netblue30/firejail/issues/2506 for possible workarounds.
+seccomp !chroot
+shell none
+# Disable tracelog, it breaks or causes major issues with many firefox based browsers, see https://github.com/netblue30/firejail/issues/1930.
+#tracelog
+disable-mnt
+?BROWSER_DISABLE_U2F: private-dev
+# private-etc below works fine on most distributions. There are some problems on CentOS.
+#private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-tmp
+# breaks various desktop integration features
+# among other things global menus, native notifications, Gnome connector, KDE connect and power management on KDE Plasma
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/firefox-developer-edition.profile b/etc/profile-a-l/firefox-developer-edition.profile
new file mode 100644
index 000000000..8c7ca3887
--- /dev/null
+++ b/etc/profile-a-l/firefox-developer-edition.profile
@@ -0,0 +1,11 @@
+# Firejail profile for firefox-developer-edition
+# Description: Developer Edition of the popular Firefox web browser
+# This file is overwritten after every install/update
+# Persistent local customizations
+include firefox-developer-edition.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include firefox.profile
diff --git a/etc/profile-a-l/firefox-esr.profile b/etc/profile-a-l/firefox-esr.profile
new file mode 100644
index 000000000..5e69fdb51
--- /dev/null
+++ b/etc/profile-a-l/firefox-esr.profile
@@ -0,0 +1,12 @@
+# Firejail profile for firefox-esr
+# This file is overwritten after every install/update
+# Persistent local customizations
+include firefox-esr.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+whitelist /usr/share/firefox-esr
+# Redirect
+include firefox.profile
diff --git a/etc/profile-a-l/firefox-nightly.profile b/etc/profile-a-l/firefox-nightly.profile
new file mode 100644
index 000000000..96d2bf898
--- /dev/null
+++ b/etc/profile-a-l/firefox-nightly.profile
@@ -0,0 +1,10 @@
+# Firejail profile for firefox-nightly
+# This file is overwritten after every install/update
+# Persistent local customizations
+include firefox-nightly.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include firefox.profile
diff --git a/etc/profile-a-l/firefox-wayland.profile b/etc/profile-a-l/firefox-wayland.profile
new file mode 100644
index 000000000..17c9f059e
--- /dev/null
+++ b/etc/profile-a-l/firefox-wayland.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for firefox-wayland
+# This file is overwritten after every install/update
+# Persistent local customizations
+include firefox-wayland.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include firefox.profile
diff --git a/etc/profile-a-l/firefox-x11.profile b/etc/profile-a-l/firefox-x11.profile
new file mode 100644
index 000000000..ffd64aad7
--- /dev/null
+++ b/etc/profile-a-l/firefox-x11.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for firefox-x11
+# This file is overwritten after every install/update
+# Persistent local customizations
+include firefox-x11.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include firefox.profile
diff --git a/etc/profile-a-l/firefox.profile b/etc/profile-a-l/firefox.profile
new file mode 100644
index 000000000..4a2cb260f
--- /dev/null
+++ b/etc/profile-a-l/firefox.profile
@@ -0,0 +1,32 @@
+# Firejail profile for firefox
+# Description: Safe and easy web browser from Mozilla
+# This file is overwritten after every install/update
+# Persistent local customizations
+include firefox.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.cache/mozilla
+noblacklist ${HOME}/.mozilla
+mkdir ${HOME}/.cache/mozilla/firefox
+mkdir ${HOME}/.mozilla
+whitelist ${HOME}/.cache/mozilla/firefox
+whitelist ${HOME}/.mozilla
+whitelist /usr/share/doc
+whitelist /usr/share/firefox
+whitelist /usr/share/gtk-doc/html
+whitelist /usr/share/mozilla
+whitelist /usr/share/webext
+include whitelist-usr-share-common.inc
+# firefox requires a shell to launch on Arch.
+#private-bin bash,dbus-launch,dbus-send,env,firefox,sh,which
+# Fedora use shell scripts to launch firefox, at least this is required
+#private-bin basename,bash,cat,dirname,expr,false,firefox,firefox-wayland,ln,mkdir,pidof,rm,rmdir,sed,sh,tclsh,true,uname
+# private-etc must first be enabled in firefox-common.profile
+#private-etc firefox
+# Redirect
+include firefox-common.profile
diff --git a/etc/profile-a-l/five-or-more.profile b/etc/profile-a-l/five-or-more.profile
new file mode 100644
index 000000000..2c86d3ac7
--- /dev/null
+++ b/etc/profile-a-l/five-or-more.profile
@@ -0,0 +1,21 @@
+# Firejail profile for five-or-more
+# Description: GNOME port of the once-popular Colour Lines game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include five-or-more.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.local/share/five-or-more
+mkdir ${HOME}/.local/share/five-or-more
+whitelist ${HOME}/.local/share/five-or-more
+whitelist /usr/share/five-or-more
+private-bin five-or-more
+dbus-user.own org.gnome.five-or-more
+# Redirect
+include gnome_games-common.profile
diff --git a/etc/profile-a-l/flacsplt.profile b/etc/profile-a-l/flacsplt.profile
new file mode 100644
index 000000000..2efef0f22
--- /dev/null
+++ b/etc/profile-a-l/flacsplt.profile
@@ -0,0 +1,6 @@
+# Firejail profile for flacsplt
+# This file is overwritten after every install/update
+include flacsplt.local
+# Redirect
+include mp3splt.profile
diff --git a/etc/profile-a-l/flameshot.profile b/etc/profile-a-l/flameshot.profile
new file mode 100644
index 000000000..5a69684b5
--- /dev/null
+++ b/etc/profile-a-l/flameshot.profile
@@ -0,0 +1,46 @@
+# Firejail profile for flameshot
+# Description: Powerful yet simple-to-use screenshot software
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include flameshot.local
+# Persistent global definitions
+include globals.local
+noblacklist ${PICTURES}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-runuser-common.inc
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+disable-mnt
+private-bin flameshot
+private-cache
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.conf,pki,resolv.conf,ssl
+private-dev
+private-tmp
+# dbus-user none
+# dbus-system none
diff --git a/etc/profile-a-l/flashpeak-slimjet.profile b/etc/profile-a-l/flashpeak-slimjet.profile
new file mode 100644
index 000000000..b841bce75
--- /dev/null
+++ b/etc/profile-a-l/flashpeak-slimjet.profile
@@ -0,0 +1,17 @@
+# Firejail profile for flashpeak-slimjet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include flashpeak-slimjet.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.cache/slimjet
+noblacklist ${HOME}/.config/slimjet
+mkdir ${HOME}/.cache/slimjet
+mkdir ${HOME}/.config/slimjet
+whitelist ${HOME}/.cache/slimjet
+whitelist ${HOME}/.config/slimjet
+# Redirect
+include chromium-common.profile
diff --git a/etc/profile-a-l/flowblade.profile b/etc/profile-a-l/flowblade.profile
new file mode 100644
index 000000000..40472ab93
--- /dev/null
+++ b/etc/profile-a-l/flowblade.profile
@@ -0,0 +1,38 @@
+# Firejail profile for flowblade
+# Description: Non-linear video editor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include flowblade.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/flowblade
+noblacklist ${HOME}/.flowblade
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+private-cache
+private-dev
+private-tmp
diff --git a/etc/profile-a-l/fluxbox.profile b/etc/profile-a-l/fluxbox.profile
new file mode 100644
index 000000000..c296c0491
--- /dev/null
+++ b/etc/profile-a-l/fluxbox.profile
@@ -0,0 +1,18 @@
+# Firejail profile for fluxbox
+# Description: Standards-compliant, fast, light-weight and extensible window manager
+# This file is overwritten after every install/update
+# Persistent local customizations
+include fluxbox.local
+# Persistent global definitions
+include globals.local
+# all applications started in awesome will run in this profile
+noblacklist ${HOME}/.fluxbox
+include disable-common.inc
+caps.drop all
+netfilter
+noroot
+protocol unix,inet,inet6
+seccomp
diff --git a/etc/profile-a-l/font-manager.profile b/etc/profile-a-l/font-manager.profile
new file mode 100644
index 000000000..ae0e32d1e
--- /dev/null
+++ b/etc/profile-a-l/font-manager.profile
@@ -0,0 +1,56 @@
+# Firejail profile for font-manager
+# Description: A simple font management application for GTK desktop environments
+# This file is overwritten after every install/update
+# Persistent local customizations
+include font-manager.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.cache/font-manager
+noblacklist ${HOME}/.config/font-manager
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.cache/font-manager
+mkdir ${HOME}/.config/font-manager
+whitelist ${HOME}/.cache/font-manager
+whitelist ${HOME}/.config/font-manager
+whitelist /usr/share/font-manager
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+machine-id
+# net none - issues on older versions
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin font-manager,python*,yelp
+private-dev
+private-tmp
+#memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/profile-a-l/fontforge.profile b/etc/profile-a-l/fontforge.profile
new file mode 100644
index 000000000..6d305e2af
--- /dev/null
+++ b/etc/profile-a-l/fontforge.profile
@@ -0,0 +1,41 @@
+# Firejail profile for fontforge
+# Description: Font editor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include fontforge.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.FontForge
+noblacklist ${DOCUMENTS}
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+private-cache
+private-dev
+private-tmp
diff --git a/etc/profile-a-l/fossamail.profile b/etc/profile-a-l/fossamail.profile
new file mode 100644
index 000000000..2d700d336
--- /dev/null
+++ b/etc/profile-a-l/fossamail.profile
@@ -0,0 +1,23 @@
+# Firejail profile for fossamail
+# This file is overwritten after every install/update
+# Persistent local customizations
+include fossamail.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+noblacklist ${HOME}/.cache/fossamail
+noblacklist ${HOME}/.fossamail
+noblacklist ${HOME}/.gnupg
+mkdir ${HOME}/.cache/fossamail
+mkdir ${HOME}/.fossamail
+mkdir ${HOME}/.gnupg
+whitelist ${HOME}/.cache/fossamail
+whitelist ${HOME}/.fossamail
+whitelist ${HOME}/.gnupg
+include whitelist-common.inc
+# allow browsers
+# Redirect
+include firefox.profile
diff --git a/etc/profile-a-l/four-in-a-row.profile b/etc/profile-a-l/four-in-a-row.profile
new file mode 100644
index 000000000..eb0c43ca5
--- /dev/null
+++ b/etc/profile-a-l/four-in-a-row.profile
@@ -0,0 +1,19 @@
+# Firejail profile for four-in-a-row
+# Description: four-in-a-row game for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include four-in-a-row.local
+# Persistent global definitions
+include globals.local
+ignore machine-id
+ignore nosound
+whitelist /usr/share/four-in-a-row
+private-bin four-in-a-row
+dbus-user.own org.gnome.Four-in-a-row
+# Redirect
+include gnome_games-common.profile
diff --git a/etc/profile-a-l/franz.profile b/etc/profile-a-l/franz.profile
new file mode 100644
index 000000000..344804ca9
--- /dev/null
+++ b/etc/profile-a-l/franz.profile
@@ -0,0 +1,46 @@
+# Firejail profile for franz
+# This file is overwritten after every install/update
+# Persistent local customizations
+include franz.local
+# Persistent global definitions
+include globals.local
+ignore noexec /tmp
+noblacklist ${HOME}/.cache/Franz
+noblacklist ${HOME}/.config/Franz
+noblacklist ${HOME}/.pki
+noblacklist ${HOME}/.local/share/pki
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+mkdir ${HOME}/.cache/Franz
+mkdir ${HOME}/.config/Franz
+mkdir ${HOME}/.pki
+mkdir ${HOME}/.local/share/pki
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.cache/Franz
+whitelist ${HOME}/.config/Franz
+whitelist ${HOME}/.pki
+whitelist ${HOME}/.local/share/pki
+include whitelist-common.inc
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp !chroot
+shell none
+disable-mnt
+private-dev
+private-tmp
diff --git a/etc/profile-a-l/freecad.profile b/etc/profile-a-l/freecad.profile
new file mode 100644
index 000000000..0a1d4a750
--- /dev/null
+++ b/etc/profile-a-l/freecad.profile
@@ -0,0 +1,45 @@
+# Firejail profile for freecad
+# Description: Extensible Open Source CAx program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include freecad.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/FreeCAD
+noblacklist ${DOCUMENTS}
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+private-bin freecad,freecadcmd,python*
+private-cache
+private-dev
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/freecadcmd.profile b/etc/profile-a-l/freecadcmd.profile
new file mode 100644
index 000000000..44bf62cfe
--- /dev/null
+++ b/etc/profile-a-l/freecadcmd.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for freecad
+# This file is overwritten after every install/update
+# Redirect
+include freecad.profile
diff --git a/etc/profile-a-l/freeciv-gtk3.profile b/etc/profile-a-l/freeciv-gtk3.profile
new file mode 100644
index 000000000..fa36459e7
--- /dev/null
+++ b/etc/profile-a-l/freeciv-gtk3.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for freeciv
+# This file is overwritten after every install/update
+# Redirect
+include freeciv.profile
diff --git a/etc/profile-a-l/freeciv-mp-gtk3.profile b/etc/profile-a-l/freeciv-mp-gtk3.profile
new file mode 100644
index 000000000..fa36459e7
--- /dev/null
+++ b/etc/profile-a-l/freeciv-mp-gtk3.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for freeciv
+# This file is overwritten after every install/update
+# Redirect
+include freeciv.profile
diff --git a/etc/profile-a-l/freeciv.profile b/etc/profile-a-l/freeciv.profile
new file mode 100644
index 000000000..0fe933478
--- /dev/null
+++ b/etc/profile-a-l/freeciv.profile
@@ -0,0 +1,47 @@
+# Firejail profile for freeciv
+# Description: A multi-player strategy game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include freeciv.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.freeciv
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.freeciv
+whitelist ${HOME}/.freeciv
+include whitelist-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin freeciv-gtk3,freeciv-manual,freeciv-mp-gtk3,freeciv-server
+private-cache
+private-dev
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/freecol.profile b/etc/profile-a-l/freecol.profile
new file mode 100644
index 000000000..3cbd2ff53
--- /dev/null
+++ b/etc/profile-a-l/freecol.profile
@@ -0,0 +1,58 @@
+# Firejail profile for freecol
+# Description: Turn-based multi-player strategy game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include freecol.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.freecol
+noblacklist ${HOME}/.cache/freecol
+noblacklist ${HOME}/.config/freecol
+noblacklist ${HOME}/.local/share/freecol
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.java
+mkdir ${HOME}/.cache/freecol
+mkdir ${HOME}/.config/freecol
+mkdir ${HOME}/.local/share/freecol
+whitelist ${HOME}/.freecol
+whitelist ${HOME}/.java
+whitelist ${HOME}/.cache/freecol
+whitelist ${HOME}/.config/freecol
+whitelist ${HOME}/.local/share/freecol
+include whitelist-common.inc
+include whitelist-var-common.inc
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+disable-mnt
+private-cache
+private-dev
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/freemind.profile b/etc/profile-a-l/freemind.profile
new file mode 100644
index 000000000..0ffb5c54d
--- /dev/null
+++ b/etc/profile-a-l/freemind.profile
@@ -0,0 +1,53 @@
+# Firejail profile for freemind
+# Description: Free mind mapping software
+# This file is overwritten after every install/update
+# Persistent local customizations
+include freemind.local
+# Persistent global definitions
+include globals.local
+noblacklist ${DOCUMENTS}
+noblacklist ${HOME}/.freemind
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin bash,cp,dirname,dpkg,echo,freemind,grep,java,lsb_release,mkdir,readlink,rpm,sed,sh,uname,which
+private-cache
+private-dev
+#private-etc alternatives,fonts,java
+private-tmp
+private-opt none
+private-srv none
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/freeoffice-planmaker.profile b/etc/profile-a-l/freeoffice-planmaker.profile
new file mode 100644
index 000000000..9449e7c48
--- /dev/null
+++ b/etc/profile-a-l/freeoffice-planmaker.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for freeoffice-planmaker
+# Description: SoftMaker FreeOffice - spreadsheet program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include freeoffice-planmaker.local
+# Persistent global definitions
+include globals.local
+# Redirect
+include softmaker-common.inc
diff --git a/etc/profile-a-l/freeoffice-presentations.profile b/etc/profile-a-l/freeoffice-presentations.profile
new file mode 100644
index 000000000..636868e2e
--- /dev/null
+++ b/etc/profile-a-l/freeoffice-presentations.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for freeoffice-presentations
+# Description: SoftMaker FreeOffice - presentations software
+# This file is overwritten after every install/update
+# Persistent local customizations
+include freeoffice-presentations.local
+# Persistent global definitions
+include globals.local
+# Redirect
+include softmaker-common.inc
diff --git a/etc/profile-a-l/freeoffice-textmaker.profile b/etc/profile-a-l/freeoffice-textmaker.profile
new file mode 100644
index 000000000..5d98d1cc6
--- /dev/null
+++ b/etc/profile-a-l/freeoffice-textmaker.profile
@@ -0,0 +1,9 @@
+# Firejail profile alias for freeoffice-textmaker
+# Description: SoftMaker Office - word processor
+# This file is overwritten after every install/update
+include freeoffice-textmaker.local
+# Persistent global definitions
+include globals.local
+# Redirect
+include softmaker-common.inc
diff --git a/etc/profile-a-l/freshclam.profile b/etc/profile-a-l/freshclam.profile
new file mode 100644
index 000000000..2bab79e2e
--- /dev/null
+++ b/etc/profile-a-l/freshclam.profile
@@ -0,0 +1,35 @@
+# Firejail profile for freshclam
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include clamav.local
+# Persistent global definitions
+include globals.local
+include disable-exec.inc
+caps.keep setgid,setuid
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+disable-mnt
+private
+private-cache
+private-dev
+private-tmp
+writable-var
+writable-var-log
+memory-deny-write-execute
diff --git a/etc/profile-a-l/frogatto.profile b/etc/profile-a-l/frogatto.profile
new file mode 100644
index 000000000..06f13e8c6
--- /dev/null
+++ b/etc/profile-a-l/frogatto.profile
@@ -0,0 +1,49 @@
+# Firejail profile for frogatto
+# Description: 2D platformer game starring a quixotic frog
+# This file is overwritten after every install/update
+# Persistent local customizations
+include frogatto.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.frogatto
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.frogatto
+whitelist ${HOME}/.frogatto
+whitelist /usr/share/frogatto
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin frogatto,sh
+private-cache
+private-dev
+private-etc machine-id
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/frozen-bubble.profile b/etc/profile-a-l/frozen-bubble.profile
new file mode 100644
index 000000000..d1dc64bb9
--- /dev/null
+++ b/etc/profile-a-l/frozen-bubble.profile
@@ -0,0 +1,46 @@
+# Firejail profile for frozen-bubble
+# Description: Cool game where you pop out the bubbles
+# This file is overwritten after every install/update
+# Persistent local customizations
+include frozen-bubble.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.frozen-bubble
+# Allow perl (blacklisted by disable-interpreters.inc)
+include allow-perl.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+mkdir ${HOME}/.frozen-bubble
+whitelist ${HOME}/.frozen-bubble
+include whitelist-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+disable-mnt
+# private-bin frozen-bubble
+private-dev
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/gajim-history-manager.profile b/etc/profile-a-l/gajim-history-manager.profile
new file mode 100644
index 000000000..2ae6dd9d8
--- /dev/null
+++ b/etc/profile-a-l/gajim-history-manager.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for gajim-history-manager
+# This file is overwritten after every install/update
+# Redirect
+include gajim.profile
diff --git a/etc/profile-a-l/gajim.profile b/etc/profile-a-l/gajim.profile
new file mode 100644
index 000000000..85d9b9bd9
--- /dev/null
+++ b/etc/profile-a-l/gajim.profile
@@ -0,0 +1,55 @@
+# Firejail profile for gajim
+# Description: GTK+-based Jabber client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gajim.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.cache/gajim
+noblacklist ${HOME}/.config/gajim
+noblacklist ${HOME}/.local/share/gajim
+# Allow python (blacklisted by disable-interpreters.inc)
+#include allow-python2.inc
+include allow-python3.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+# Comment the following line if you need to whitelist other folders than ~/Downloads
+include disable-xdg.inc
+mkdir ${HOME}/.cache/gajim
+mkdir ${HOME}/.config/gajim
+mkdir ${HOME}/.local/share/gajim
+whitelist ${HOME}/.cache/gajim
+whitelist ${HOME}/.config/gajim
+whitelist ${HOME}/.local/share/gajim
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-var-common.inc
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin bash,gajim,gajim-history-manager,gpg,gpg2,paplay,python,python3,sh,zsh
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,hostname,hosts,ld.so.cache,ld.so.conf,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl
+private-tmp
+join-or-start gajim
diff --git a/etc/profile-a-l/galculator.profile b/etc/profile-a-l/galculator.profile
new file mode 100644
index 000000000..404d89742
--- /dev/null
+++ b/etc/profile-a-l/galculator.profile
@@ -0,0 +1,52 @@
+# Firejail profile for galculator
+# Description: Scientific calculator
+# This file is overwritten after every install/update
+# Persistent local customizations
+include galculator.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/galculator
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.config/galculator
+whitelist ${HOME}/.config/galculator
+include whitelist-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+#hostname galculator - breaks Arch Linux
+#ipc-namespace
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+private-bin galculator
+private-cache
+private-dev
+private-etc alternatives,fonts
+private-lib
+private-tmp
+dbus-user none
+dbus-system none
+#memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/profile-a-l/gcalccmd.profile b/etc/profile-a-l/gcalccmd.profile
new file mode 100644
index 000000000..691d6b0c4
--- /dev/null
+++ b/etc/profile-a-l/gcalccmd.profile
@@ -0,0 +1,13 @@
+# Firejail profile for gcalccmd
+# Description: GNOME console calculator
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gcalccmd.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+private-bin gcalccmd
+# Redirect
+include gnome-calculator.profile
diff --git a/etc/profile-a-l/gcloud.profile b/etc/profile-a-l/gcloud.profile
new file mode 100644
index 000000000..46a862a21
--- /dev/null
+++ b/etc/profile-a-l/gcloud.profile
@@ -0,0 +1,42 @@
+# Firejail profile for gcloud
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gcloud.local
+# Persistent global definitions
+include globals.local
+# noexec ${HOME} will break user-local installs of gcloud tooling
+ignore noexec ${HOME}
+noblacklist ${HOME}/.boto
+noblacklist ${HOME}/.config/gcloud
+noblacklist /var/run/docker.sock
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-programs.inc
+apparmor
+caps.drop all
+machine-id
+netfilter
+nodvd
+# required for sudo-free docker
+#nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+disable-mnt
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,hosts,ld.so.cache,localtime,nsswitch.conf,pki,resolv.conf,ssl
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/gconf-editor.profile b/etc/profile-a-l/gconf-editor.profile
new file mode 100644
index 000000000..cb39174e5
--- /dev/null
+++ b/etc/profile-a-l/gconf-editor.profile
@@ -0,0 +1,17 @@
+# Firejail profile for gconf-editor
+# Description: Graphical gconf registry editor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gconf-editor.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+blacklist /tmp/.X11-unix
+whitelist /usr/share/gconf-editor
+ignore x11 none
+# Redirect
+include gconf.profile
diff --git a/etc/profile-a-l/gconf-merge-schema.profile b/etc/profile-a-l/gconf-merge-schema.profile
new file mode 100644
index 000000000..619f801b0
--- /dev/null
+++ b/etc/profile-a-l/gconf-merge-schema.profile
@@ -0,0 +1,11 @@
+# Firejail profile for gconf-merge-schema
+# Description: An obsolete configuration database system (CLI utility)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gconf-merge-schema.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include gconf.profile
diff --git a/etc/profile-a-l/gconf-merge-tree.profile b/etc/profile-a-l/gconf-merge-tree.profile
new file mode 100644
index 000000000..2f6bfe5e5
--- /dev/null
+++ b/etc/profile-a-l/gconf-merge-tree.profile
@@ -0,0 +1,11 @@
+# Firejail profile for gconf-merge-tree
+# Description: An obsolete configuration database system (CLI utility)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gconf-merge-tree.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include gconf.profile
diff --git a/etc/profile-a-l/gconf.profile b/etc/profile-a-l/gconf.profile
new file mode 100644
index 000000000..96848575d
--- /dev/null
+++ b/etc/profile-a-l/gconf.profile
@@ -0,0 +1,61 @@
+# Firejail profile for gconf
+# Description: An obsolete configuration database system
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gconf.local
+# Persistent global definitions
+include globals.local
+blacklist ${RUNUSER}/wayland-*
+noblacklist ${HOME}/.config/gconf
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+#include allow-python3.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.config/gconf
+whitelist ${HOME}/.config/gconf
+whitelist /usr/share/GConf
+whitelist /usr/share/gconf
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+disable-mnt
+private-bin gconf-editor,gconf-merge-*,gconfpkg,gconftool-2,gsettings-*-convert,python2*
+private-cache
+private-dev
+private-etc alternatives,fonts,gconf
+private-lib GConf,libpython*,python2*
+private-tmp
+memory-deny-write-execute
diff --git a/etc/profile-a-l/gconfpkg.profile b/etc/profile-a-l/gconfpkg.profile
new file mode 100644
index 000000000..5bfc1250a
--- /dev/null
+++ b/etc/profile-a-l/gconfpkg.profile
@@ -0,0 +1,11 @@
+# Firejail profile for gconfpkg
+# Description: An obsolete configuration database system (CLI utility)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gconfpkg.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include gconf.profile
diff --git a/etc/profile-a-l/gconftool-2.profile b/etc/profile-a-l/gconftool-2.profile
new file mode 100644
index 000000000..947e4252f
--- /dev/null
+++ b/etc/profile-a-l/gconftool-2.profile
@@ -0,0 +1,11 @@
+# Firejail profile for gconftool-2
+# Description: An obsolete configuration database system (CLI utility)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gconftool-2.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include gconf.profile
diff --git a/etc/profile-a-l/geany.profile b/etc/profile-a-l/geany.profile
new file mode 100644
index 000000000..31599e32a
--- /dev/null
+++ b/etc/profile-a-l/geany.profile
@@ -0,0 +1,35 @@
+# Firejail profile for geany
+# Description: Fast and lightweight IDE
+# This file is overwritten after every install/update
+# Persistent local customizations
+include geany.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/geany
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
+include disable-common.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+private-cache
+private-dev
+private-tmp
diff --git a/etc/profile-a-l/geary.profile b/etc/profile-a-l/geary.profile
new file mode 100644
index 000000000..fa01d04b7
--- /dev/null
+++ b/etc/profile-a-l/geary.profile
@@ -0,0 +1,33 @@
+# Firejail profile for geary
+# Description: Lightweight email client designed for the GNOME desktop
+# This file is overwritten after every install/update
+# Persistent local customizations
+include geary.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Users have Geary set to open a browser by clicking a link in an email
+# We are not allowed to blacklist browser-specific directories
+ignore dbus-user none
+ignore dbus-system none
+ignore private-tmp
+noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.local/share/geary
+mkdir ${HOME}/.gnupg
+mkdir ${HOME}/.config/geary
+mkdir ${HOME}/.local/share/geary
+whitelist ${HOME}/.gnupg
+whitelist ${HOME}/.config/geary
+whitelist ${HOME}/.local/share/geary
+read-only ${HOME}/.config/mimeapps.list
+whitelist /usr/share/geary
+# allow Mozilla browsers
+# Redirect
+include firefox.profile
diff --git a/etc/profile-a-l/gedit.profile b/etc/profile-a-l/gedit.profile
new file mode 100644
index 000000000..17b7ad563
--- /dev/null
+++ b/etc/profile-a-l/gedit.profile
@@ -0,0 +1,51 @@
+# Firejail profile for gedit
+# Description: Official text editor of the GNOME desktop environment
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gedit.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/enchant
+noblacklist ${HOME}/.config/gedit
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
+include disable-common.inc
+# include disable-devel.inc
+include disable-exec.inc
+# include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+# apparmor - makes settings immutable
+caps.drop all
+machine-id
+# net none - makes settings immutable
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+# private-bin gedit
+private-dev
+# private-lib breaks python plugins, uncomment or add to your gedit.local if you don't use them.
+#private-lib aspell,gconv,gedit,libgspell-1.so.*,libgtksourceview-*,libpeas-gtk-1.0.so.*,libreadline.so.*,libtinfo.so.*
+private-tmp
+# makes settings immutable
+# dbus-user none
+# dbus-system none
diff --git a/etc/profile-a-l/geekbench.profile b/etc/profile-a-l/geekbench.profile
new file mode 100644
index 000000000..e06a9afad
--- /dev/null
+++ b/etc/profile-a-l/geekbench.profile
@@ -0,0 +1,55 @@
+# Firejail profile for geekbench
+# Description: A cross-platform benchmark that measures processor and memory performance
+# This file is overwritten after every install/update
+# Persistent local customizations
+include geekbench.local
+# Persistent global definitions
+include globals.local
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+hostname geekbench
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin bash,geekbenc*,sh
+private-cache
+private-dev
+private-etc alternatives,group,lsb-release,passwd
+private-lib gcc/*/*/libstdc++.so.*
+private-opt none
+private-tmp
+dbus-user none
+dbus-system none
+#memory-deny-write-execute - breaks on Arch (see issue #1803)
+read-only ${HOME}
diff --git a/etc/profile-a-l/geeqie.profile b/etc/profile-a-l/geeqie.profile
new file mode 100644
index 000000000..8810ca161
--- /dev/null
+++ b/etc/profile-a-l/geeqie.profile
@@ -0,0 +1,33 @@
+# Firejail profile for geeqie
+# Description: Image viewer using GTK+
+# This file is overwritten after every install/update
+# Persistent local customizations
+include geeqie.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.cache/geeqie
+noblacklist ${HOME}/.config/geeqie
+noblacklist ${HOME}/.local/share/geeqie
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+caps.drop all
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+# private-bin geeqie
+private-dev
diff --git a/etc/profile-a-l/gfeeds.profile b/etc/profile-a-l/gfeeds.profile
new file mode 100644
index 000000000..e7913f5e4
--- /dev/null
+++ b/etc/profile-a-l/gfeeds.profile
@@ -0,0 +1,62 @@
+# Firejail profile for gfeeds
+# Description: RSS/Atom feed reader for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gfeeds.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.cache/gfeeds
+noblacklist ${HOME}/.cache/org.gabmus.gfeeds
+noblacklist ${HOME}/.config/org.gabmus.gfeeds.json
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.cache/gfeeds
+mkdir ${HOME}/.cache/org.gabmus.gfeeds
+mkfile ${HOME}/.config/org.gabmus.gfeeds.json
+whitelist ${HOME}/.cache/gfeeds
+whitelist ${HOME}/.cache/org.gabmus.gfeeds
+whitelist ${HOME}/.config/org.gabmus.gfeeds.json
+whitelist /usr/share/gfeeds
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin gfeeds,python3*
+# private-cache -- feeds are stored in ~/.cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,dbus-1,dconf,fonts,gconf,group,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,passwd,pki,protocols,resolv.conf,rpc,services,ssl,X11,xdg
+private-tmp
+# dbus-user none
+# dbus-system none
diff --git a/etc/profile-a-l/ghb.profile b/etc/profile-a-l/ghb.profile
new file mode 100644
index 000000000..1e7ce2350
--- /dev/null
+++ b/etc/profile-a-l/ghb.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for handbrake
+# This file is overwritten after every install/update
+# Redirect
+include handbrake.profile
diff --git a/etc/profile-a-l/ghostwriter.profile b/etc/profile-a-l/ghostwriter.profile
new file mode 100644
index 000000000..c18a6b72e
--- /dev/null
+++ b/etc/profile-a-l/ghostwriter.profile
@@ -0,0 +1,50 @@
+# Firejail profile for ghostwriter
+# Description: Cross-platform, aesthetic, distraction-free Markdown editor.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ghostwriter.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/ghostwriter
+noblacklist ${HOME}/.local/share/ghostwriter
+noblacklist ${DOCUMENTS}
+noblacklist ${PICTURES}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+whitelist /usr/share/ghostwriter
+whitelist /usr/share/mozilla-dicts
+whitelist /usr/share/texlive
+whitelist /usr/share/pandoc*
+include whitelist-usr-share-common.inc
+apparmor
+caps.drop all
+machine-id
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp !chroot
+shell none
+#tracelog -- breaks
+private-bin context,gettext,ghostwriter,latex,mktexfmt,pandoc,pdflatex,pdfroff,prince,weasyprint,wkhtmltopdf
+private-cache
+private-dev
+# passwd,login.defs,firejail are a temporary workaround for #2877 and can be removed once it is fixed
+private-etc alternatives,ca-certificates,crypto-policies,dbus-1,dconf,firejail,fonts,gconf,groups,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,machine-id,mime.types,nsswitch.conf,pango,passwd,pki,protocols,resolv.conf,rpc,services,ssl,texlive,Trolltech.conf,X11,xdg
+private-tmp
diff --git a/etc/profile-a-l/gimp-2.10.profile b/etc/profile-a-l/gimp-2.10.profile
new file mode 100644
index 000000000..dbf49ac22
--- /dev/null
+++ b/etc/profile-a-l/gimp-2.10.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for gimp
+# This file is overwritten after every install/update
+# Redirect
+include gimp.profile
diff --git a/etc/profile-a-l/gimp-2.8.profile b/etc/profile-a-l/gimp-2.8.profile
new file mode 100644
index 000000000..dbf49ac22
--- /dev/null
+++ b/etc/profile-a-l/gimp-2.8.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for gimp
+# This file is overwritten after every install/update
+# Redirect
+include gimp.profile
diff --git a/etc/profile-a-l/gimp.profile b/etc/profile-a-l/gimp.profile
new file mode 100644
index 000000000..8093c0c39
--- /dev/null
+++ b/etc/profile-a-l/gimp.profile
@@ -0,0 +1,55 @@
+# Firejail profile for gimp
+# Description: GNU Image Manipulation Program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gimp.local
+# Persistent global definitions
+include globals.local
+# gimp plugins are installed by the user in ${HOME}/.gimp-2.8/plug-ins/ directory
+# if you are not using external plugins, you can comment 'ignore noexec' statement below
+# or put 'noexec ${HOME}' in your gimp.local
+ignore noexec ${HOME}
+noblacklist ${HOME}/.cache/babl
+noblacklist ${HOME}/.cache/gegl-0.4
+noblacklist ${HOME}/.cache/gimp
+noblacklist ${HOME}/.config/GIMP
+noblacklist ${HOME}/.gimp*
+noblacklist ${DOCUMENTS}
+noblacklist ${PICTURES}
+include disable-common.inc
+include disable-exec.inc
+include disable-devel.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+whitelist /usr/share/gegl-0.4
+whitelist /usr/share/gimp
+whitelist /usr/share/mypaint-data
+whitelist /usr/share/lensfun
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+protocol unix
+seccomp
+shell none
+tracelog
+private-dev
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/gist-paste.profile b/etc/profile-a-l/gist-paste.profile
new file mode 100644
index 000000000..56b3176ed
--- /dev/null
+++ b/etc/profile-a-l/gist-paste.profile
@@ -0,0 +1,12 @@
+# Firejail profile for gist-paste
+# Description: Potentially the best command line gister
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include gist-paste.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include gist.profile
diff --git a/etc/profile-a-l/gist.profile b/etc/profile-a-l/gist.profile
new file mode 100644
index 000000000..681fc2829
--- /dev/null
+++ b/etc/profile-a-l/gist.profile
@@ -0,0 +1,61 @@
+# Firejail profile for gist
+# Description: Potentially the best command line gister
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include gist.local
+# Persistent global definitions
+include globals.local
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+noblacklist ${HOME}/.gist
+# Allow ruby (blacklisted by disable-interpreters.inc)
+include allow-ruby.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.gist
+whitelist ${HOME}/.gist
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+disable-mnt
+private-cache
+private-dev
+private-etc alternatives
+private-tmp
+dbus-user none
+dbus-system none
+memory-deny-write-execute
diff --git a/etc/profile-a-l/git.profile b/etc/profile-a-l/git.profile
new file mode 100644
index 000000000..e5a2f3985
--- /dev/null
+++ b/etc/profile-a-l/git.profile
@@ -0,0 +1,59 @@
+# Firejail profile for git
+# Description: Fast, scalable, distributed revision control system
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include git.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/git
+noblacklist ${HOME}/.config/nano
+noblacklist ${HOME}/.emacs
+noblacklist ${HOME}/.emacs.d
+noblacklist ${HOME}/.gitconfig
+noblacklist ${HOME}/.git-credentials
+noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.nanorc
+noblacklist ${HOME}/.ssh
+noblacklist ${HOME}/.vim
+noblacklist ${HOME}/.viminfo
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+include disable-common.inc
+include disable-exec.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+whitelist /usr/share/git
+whitelist /usr/share/git-core
+whitelist /usr/share/gitgui
+whitelist /usr/share/gitweb
+whitelist /usr/share/nano
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+private-cache
+private-dev
+memory-deny-write-execute
diff --git a/etc/profile-a-l/gitg.profile b/etc/profile-a-l/gitg.profile
new file mode 100644
index 000000000..68f38c3ce
--- /dev/null
+++ b/etc/profile-a-l/gitg.profile
@@ -0,0 +1,54 @@
+# Firejail profile for gitg
+# Description: Git repository viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gitg.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/git
+noblacklist ${HOME}/.gitconfig
+noblacklist ${HOME}/.git-credentials
+noblacklist ${HOME}/.local/share/gitg
+noblacklist ${HOME}/.ssh
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+#whitelist ${HOME}/YOUR_GIT_PROJECTS_DIRECTORY
+#whitelist ${HOME}/.config/git
+#whitelist ${HOME}/.gitconfig
+#whitelist ${HOME}/.git-credentials
+#whitelist ${HOME}/.local/share/gitg
+#whitelist ${HOME}/.ssh
+#include whitelist-common.inc
+whitelist /usr/share/gitg
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+private-bin git,gitg,ssh
+private-cache
+private-dev
+private-tmp
diff --git a/etc/profile-a-l/github-desktop.profile b/etc/profile-a-l/github-desktop.profile
new file mode 100644
index 000000000..b25b138ad
--- /dev/null
+++ b/etc/profile-a-l/github-desktop.profile
@@ -0,0 +1,48 @@
+# Firejail profile for github-desktop
+# Description: Extend your GitHub workflow beyond your browser with GitHub Desktop
+# This file is overwritten after every install/update
+# Persistent local customizations
+include github-desktop.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/GitHub Desktop
+noblacklist ${HOME}/.config/git
+noblacklist ${HOME}/.gitconfig
+noblacklist ${HOME}/.git-credentials
+include disable-common.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+caps.drop all
+netfilter
+# no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+# Note: On debian-based distributions the binary might be located in
+# /opt/GitHub Desktop/github-desktop, and therefore not be in PATH.
+# If that's the case you can start GitHub Desktop with firejail via
+# `firejail "/opt/GitHub Desktop/github-desktop"`.
+disable-mnt
+# private-bin github-desktop
+private-cache
+?HAS_APPIMAGE: ignore private-dev
+private-dev
+# private-lib
+private-tmp
+# memory-deny-write-execute
diff --git a/etc/profile-a-l/gitter.profile b/etc/profile-a-l/gitter.profile
new file mode 100644
index 000000000..017b1765a
--- /dev/null
+++ b/etc/profile-a-l/gitter.profile
@@ -0,0 +1,44 @@
+# Firejail profile for gitter
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gitter.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/autostart
+noblacklist ${HOME}/.config/Gitter
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+mkdir ${HOME}/.config/Gitter
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.config/autostart
+whitelist ${HOME}/.config/Gitter
+include whitelist-var-common.inc
+caps.drop all
+machine-id
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+disable-mnt
+private-bin bash,env,gitter
+private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,pulse,resolv.conf,ssl
+private-opt Gitter
+private-dev
+private-tmp
diff --git a/etc/profile-a-l/gjs.profile b/etc/profile-a-l/gjs.profile
new file mode 100644
index 000000000..9c8848b8a
--- /dev/null
+++ b/etc/profile-a-l/gjs.profile
@@ -0,0 +1,45 @@
+# Firejail profile for gjs
+# Description: Mozilla-based javascript bindings for the GNOME platform
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gjs.local
+# Persistent global definitions
+include globals.local
+# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
+noblacklist ${HOME}/.cache/libgweather
+noblacklist ${HOME}/.cache/org.gnome.Books
+noblacklist ${HOME}/.config/libreoffice
+noblacklist ${HOME}/.local/share/gnome-photos
+# Allow gjs (blacklisted by disable-interpreters.inc)
+include allow-gjs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+# private-bin gjs,gnome-books,gnome-documents,gnome-maps,gnome-photos,gnome-weather
+private-dev
+# private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl
+private-tmp
diff --git a/etc/profile-a-l/globaltime.profile b/etc/profile-a-l/globaltime.profile
new file mode 100644
index 000000000..bb78a608e
--- /dev/null
+++ b/etc/profile-a-l/globaltime.profile
@@ -0,0 +1,37 @@
+# Firejail profile for globaltime
+# This file is overwritten after every install/update
+# Persistent local customizations
+include globaltime.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/globaltime
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+disable-mnt
+private-cache
+private-dev
+private-tmp
diff --git a/etc/profile-a-l/gmpc.profile b/etc/profile-a-l/gmpc.profile
new file mode 100644
index 000000000..b3aad8b2c
--- /dev/null
+++ b/etc/profile-a-l/gmpc.profile
@@ -0,0 +1,55 @@
+# Firejail profile for gmpc
+# Description: MPD client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gmpc.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/gmpc
+noblacklist ${MUSIC}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.config/gmpc
+whitelist ${HOME}/.config/gmpc
+whitelist ${MUSIC}
+whitelist /usr/share/gmpc
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+disable-mnt
+#private-bin gmpc
+private-cache
+private-etc alternatives,fonts
+private-tmp
+writable-run-user
+# dbus-user none
+# dbus-system none
+# memory-deny-write-execute - breaks on Arch
diff --git a/etc/profile-a-l/gnome-2048.profile b/etc/profile-a-l/gnome-2048.profile
new file mode 100644
index 000000000..777c81dbe
--- /dev/null
+++ b/etc/profile-a-l/gnome-2048.profile
@@ -0,0 +1,19 @@
+# Firejail profile for gnome-2048
+# Description: Sliding tile puzzle game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-2048.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.local/share/gnome-2048
+mkdir ${HOME}/.local/share/gnome-2048
+whitelist ${HOME}/.local/share/gnome-2048
+private-bin gnome-2048
+dbus-user.own org.gnome.TwentyFortyEight
+# Redirect
+include gnome_games-common.profile
diff --git a/etc/profile-a-l/gnome-books.profile b/etc/profile-a-l/gnome-books.profile
new file mode 100644
index 000000000..998109ca7
--- /dev/null
+++ b/etc/profile-a-l/gnome-books.profile
@@ -0,0 +1,46 @@
+# Firejail profile for gnome-books
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-books.local
+# Persistent global definitions
+include globals.local
+# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
+noblacklist ${HOME}/.cache/org.gnome.Books
+noblacklist ${DOCUMENTS}
+# Allow gjs (blacklisted by disable-interpreters.inc)
+include allow-gjs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+# private-bin gjs,gnome-books
+private-dev
+private-tmp
diff --git a/etc/profile-a-l/gnome-builder.profile b/etc/profile-a-l/gnome-builder.profile
new file mode 100644
index 000000000..7a684dd59
--- /dev/null
+++ b/etc/profile-a-l/gnome-builder.profile
@@ -0,0 +1,36 @@
+# Firejail profile for gnome-builder
+# Description: IDE for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-builder.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.cache/gnome-builder
+noblacklist ${HOME}/.config/gnome-builder
+noblacklist ${HOME}/.local/share/gnome-builder
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
+include disable-common.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include whitelist-runuser-common.inc
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+private-dev
diff --git a/etc/profile-a-l/gnome-calculator.profile b/etc/profile-a-l/gnome-calculator.profile
new file mode 100644
index 000000000..a18a123d3
--- /dev/null
+++ b/etc/profile-a-l/gnome-calculator.profile
@@ -0,0 +1,53 @@
+# Firejail profile for gnome-calculator
+# Description: GNOME desktop calculator
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include gnome-calculator.local
+# Persistent global definitions
+include globals.local
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-passwdmgr.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+# net none
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+disable-mnt
+private-bin gnome-calculator
+private-cache
+private-dev
+#private-lib gdk-pixbuf-2.*,gio,girepository-1.*,gvfs,libgconf-2.so.*,libgnutls.so.*,libproxy.so.*,librsvg-2.so.*,libxml2.so.*
+private-tmp
+# makes settings immutable
+# dbus-user none
+# dbus-system none
+# memory-deny-write-execute
diff --git a/etc/profile-a-l/gnome-character-map.profile b/etc/profile-a-l/gnome-character-map.profile
new file mode 100644
index 000000000..27804fdd0
--- /dev/null
+++ b/etc/profile-a-l/gnome-character-map.profile
@@ -0,0 +1,10 @@
+# Firejail profile for gnome-character-map
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-character-map.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include gucharmap.profile
diff --git a/etc/profile-a-l/gnome-characters.profile b/etc/profile-a-l/gnome-characters.profile
new file mode 100644
index 000000000..3d7a2e4a6
--- /dev/null
+++ b/etc/profile-a-l/gnome-characters.profile
@@ -0,0 +1,59 @@
+# Firejail profile for gnome-characters
+# Description: Character map application for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-characters.local
+# Persistent global definitions
+include globals.local
+# Allow gjs (blacklisted by disable-interpreters.inc)
+include allow-gjs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+whitelist /usr/share/org.gnome.Characters
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+disable-mnt
+# Uncomment the next line (or add it to your gnome-characters.local)
+# if you don't need recently used chars
+#private
+private-bin gjs,gnome-characters
+private-cache
+private-dev
+private-etc alternatives,dconf,fonts,gconf,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,pango,X11,xdg
+private-tmp
+# Uncomment the next lines (or add it to your gnome-characters.local)
+# if you don't need recently used chars
+# dbus-user none
+# dbus-system none
+read-only ${HOME}
diff --git a/etc/profile-a-l/gnome-chess.profile b/etc/profile-a-l/gnome-chess.profile
new file mode 100644
index 000000000..2e2e86ac9
--- /dev/null
+++ b/etc/profile-a-l/gnome-chess.profile
@@ -0,0 +1,49 @@
+# Firejail profile for gnome-chess
+# Description: Simple chess game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-chess.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/gnome-chess
+noblacklist ${HOME}/.local/share/gnome-chess
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+whitelist /usr/share/gnuchess
+whitelist /usr/share/gnome-chess
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin fairymax,gnome-chess,gnuchess,hoichess
+private-cache
+private-dev
+private-etc alternatives,dconf,fonts,gnome-chess,gtk-3.0
+private-tmp
diff --git a/etc/profile-a-l/gnome-clocks.profile b/etc/profile-a-l/gnome-clocks.profile
new file mode 100644
index 000000000..b865423c5
--- /dev/null
+++ b/etc/profile-a-l/gnome-clocks.profile
@@ -0,0 +1,46 @@
+# Firejail profile for gnome-clocks
+# Description: Simple GNOME app with stopwatch, timer, and world clock support
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-clocks.local
+# Persistent global definitions
+include globals.local
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+whitelist /usr/share/gnome-clocks
+whitelist /usr/share/libgweather
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin gnome-clocks,gsound-play
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,hosts,localtime,machine-id,pkcs11,pki,ssl
+private-tmp
diff --git a/etc/profile-a-l/gnome-contacts.profile b/etc/profile-a-l/gnome-contacts.profile
new file mode 100644
index 000000000..7c1e4bb58
--- /dev/null
+++ b/etc/profile-a-l/gnome-contacts.profile
@@ -0,0 +1,39 @@
+# Firejail profile for gnome-contacts
+# Description: Contacts manager for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-contacts.local
+# Persistent global definitions
+include globals.local
+noblacklist ${DOCUMENTS}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+caps.drop all
+netfilter
+no3d
+nodvd
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+disable-mnt
+private-dev
+private-tmp
diff --git a/etc/profile-a-l/gnome-documents.profile b/etc/profile-a-l/gnome-documents.profile
new file mode 100644
index 000000000..705fe624e
--- /dev/null
+++ b/etc/profile-a-l/gnome-documents.profile
@@ -0,0 +1,44 @@
+# Firejail profile for gnome-documents
+# Description: Document manager for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-documents.local
+# Persistent global definitions
+include globals.local
+# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
+noblacklist ${HOME}/.config/libreoffice
+noblacklist ${DOCUMENTS}
+# Allow gjs (blacklisted by disable-interpreters.inc)
+include allow-gjs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+private-cache
+private-dev
+private-tmp
diff --git a/etc/profile-a-l/gnome-font-viewer.profile b/etc/profile-a-l/gnome-font-viewer.profile
new file mode 100644
index 000000000..b2327133c
--- /dev/null
+++ b/etc/profile-a-l/gnome-font-viewer.profile
@@ -0,0 +1,37 @@
+# Firejail profile for gnome-font-viewer
+# Description: Font viewer for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-font-viewer.local
+# Persistent global definitions
+include globals.local
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+net none
+no3d
+nodvd
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+disable-mnt
+private-dev
+private-tmp
diff --git a/etc/profile-a-l/gnome-hexgl.profile b/etc/profile-a-l/gnome-hexgl.profile
new file mode 100644
index 000000000..873a47ea9
--- /dev/null
+++ b/etc/profile-a-l/gnome-hexgl.profile
@@ -0,0 +1,50 @@
+# Firejail profile for gnome-hexgl
+# Description: Gthree port of HexGL
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-hexgl.local
+# Persistent global definitions
+include globals.local
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.cache/mesa_shader_cache
+whitelist /usr/share/gnome-hexgl
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+disable-mnt
+private
+private-bin gnome-hexgl
+private-cache
+private-dev
+private-etc machine-id
+private-tmp
+dbus-user none
+dbus-system none
+read-only ${HOME}
+read-write ${HOME}/.cache/mesa_shader_cache
diff --git a/etc/profile-a-l/gnome-keyring-3.profile b/etc/profile-a-l/gnome-keyring-3.profile
new file mode 100644
index 000000000..e9961e4f0
--- /dev/null
+++ b/etc/profile-a-l/gnome-keyring-3.profile
@@ -0,0 +1,11 @@
+# Firejail profile for gnome-keyring-3
+# Description: Stores passwords and encryption keys
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-keyring-3.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include gnome-keyring.profile
diff --git a/etc/profile-a-l/gnome-keyring.profile b/etc/profile-a-l/gnome-keyring.profile
new file mode 100644
index 000000000..ecbb74158
--- /dev/null
+++ b/etc/profile-a-l/gnome-keyring.profile
@@ -0,0 +1,57 @@
+# Firejail profile for gnome-keyring
+# Description: Stores passwords and encryption keys
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include gnome-keyring.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.gnupg
+whitelist ${HOME}/.gnupg
+whitelist ${DOWNLOADS}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-passwdmgr.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+whitelist /usr/share/gnupg
+whitelist /usr/share/gnupg2
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+disable-mnt
+#private-bin gnome-keyrin*,secret-tool
+private-cache
+private-dev
+#private-lib alternatives,gnome-keyring,libsecret-1.so.*,pkcs11,security
+private-tmp
+# dbus-user none
+# dbus-system none
+memory-deny-write-execute
diff --git a/etc/profile-a-l/gnome-klotski.profile b/etc/profile-a-l/gnome-klotski.profile
new file mode 100644
index 000000000..c67a5c0da
--- /dev/null
+++ b/etc/profile-a-l/gnome-klotski.profile
@@ -0,0 +1,19 @@
+# Firejail profile for gnome-klotski
+# Description: Sliding block puzzles game for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-klotski.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.local/share/gnome-klotski
+mkdir ${HOME}/.local/share/gnome-klotski
+whitelist ${HOME}/.local/share/gnome-klotski
+private-bin gnome-klotski
+dbus-user.own org.gnome.Klotski
+# Redirect
+include gnome_games-common.profile
diff --git a/etc/profile-a-l/gnome-latex.profile b/etc/profile-a-l/gnome-latex.profile
new file mode 100644
index 000000000..ea4151137
--- /dev/null
+++ b/etc/profile-a-l/gnome-latex.profile
@@ -0,0 +1,51 @@
+# Firejail profile for gnome-latex
+# Description: LaTeX editor for the GNOME desktop
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-latex.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/gnome-latex
+noblacklist ${HOME}/.local/share/gnome-latex
+# Allow perl (blacklisted by disable-interpreters.inc)
+include allow-perl.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+whitelist /usr/share/gnome-latex
+whitelist /usr/share/perl5
+whitelist /usr/share/texlive
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+# May cause issues.
+#include whitelist-var-common.inc
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+private-cache
+private-dev
+# passwd,login.defs,firejail are a temporary workaround for #2877 and can be removed once it is fixed
+private-etc alternatives,dconf,fonts,gtk-3.0,latexmk.conf,login.defs,passwd,texlive
diff --git a/etc/profile-a-l/gnome-logs.profile b/etc/profile-a-l/gnome-logs.profile
new file mode 100644
index 000000000..4b6453015
--- /dev/null
+++ b/etc/profile-a-l/gnome-logs.profile
@@ -0,0 +1,57 @@
+# Firejail profile for gnome-logs
+# Description: Viewer for the systemd journal
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-logs.local
+# Persistent global definitions
+include globals.local
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+whitelist /var/log/journal
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+ipc-namespace
+net none
+no3d
+nodvd
+# When using 'volatile' storage (https://www.freedesktop.org/software/systemd/man/journald.conf.html),
+# comment both 'nogroups' and 'noroot'
+# or put 'ignore nogroups' and 'ignore noroot' in your gnome-logs.local.
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin gnome-logs
+private-cache
+private-dev
+private-etc alternatives,fonts,localtime,machine-id
+private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*
+private-tmp
+writable-var-log
+dbus-user none
+dbus-system none
+# comment this if you export logs to a file in your ${HOME}
+# or put 'ignore read-only ${HOME}' in your gnome-logs.local.
+read-only ${HOME}
diff --git a/etc/profile-a-l/gnome-mahjongg.profile b/etc/profile-a-l/gnome-mahjongg.profile
new file mode 100644
index 000000000..42409dce8
--- /dev/null
+++ b/etc/profile-a-l/gnome-mahjongg.profile
@@ -0,0 +1,16 @@
+# Firejail profile for gnome-mahjongg
+# Description: A matching game played with Mahjongg tiles
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-mahjongg.local
+# Persistent global definitions
+include globals.local
+whitelist /usr/share/gnome-mahjongg
+private-bin gnome-mahjongg
+dbus-user.own org.gnome.Mahjongg
+# Redirect
+include gnome_games-common.profile
diff --git a/etc/profile-a-l/gnome-maps.profile b/etc/profile-a-l/gnome-maps.profile
new file mode 100644
index 000000000..bf263efa9
--- /dev/null
+++ b/etc/profile-a-l/gnome-maps.profile
@@ -0,0 +1,64 @@
+# Firejail profile for gnome-maps
+# Description: Map application for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-maps.local
+# Persistent global definitions
+include globals.local
+# Some distributions use gapplications to start gnome-maps over D-Bus. As firecfg cannot handle that, you need to run the following command.
+# sed -e "s/Exec=gapplication launch org.gnome.Maps %U/Exec=gnome-maps %U/" -e "s/DBusActivatable=true/DBusActivatable=false/" "/usr/share/applications/org.gnome.Maps.desktop" > "~/.local/share/applications/org.gnome.Maps.desktop"
+# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
+noblacklist ${HOME}/.cache/champlain
+noblacklist ${HOME}/.cache/org.gnome.Maps
+noblacklist ${HOME}/.local/share/maps-places.json
+# Allow gjs (blacklisted by disable-interpreters.inc)
+include allow-gjs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.cache/champlain
+mkfile ${HOME}/.local/share/maps-places.json
+whitelist ${HOME}/.cache/champlain
+whitelist ${HOME}/.local/share/maps-places.json
+whitelist ${DOWNLOADS}
+whitelist ${PICTURES}
+whitelist /usr/share/gnome-maps
+whitelist /usr/share/libgweather
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+machine-id
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin gjs,gnome-maps
+# private-cache -- gnome-maps cache all maps/satelite-images
+private-dev
+private-etc alternatives,ca-certificates,clutter-1.0,crypto-policies,dconf,drirc,fonts,gconf,gcrypt,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,nsswitch.conf,pango,pkcs11,pki,protocols,resolv.conf,rpc,services,ssl,X11,xdg
+private-tmp
diff --git a/etc/profile-a-l/gnome-mines.profile b/etc/profile-a-l/gnome-mines.profile
new file mode 100644
index 000000000..4fe8986c2
--- /dev/null
+++ b/etc/profile-a-l/gnome-mines.profile
@@ -0,0 +1,20 @@
+# Firejail profile for gnome-mines
+# Description: The popular logic puzzle minesweeper
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-mines.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.local/share/gnome-mines
+mkdir ${HOME}/.local/share/gnome-mines
+whitelist ${HOME}/.local/share/gnome-mines
+whitelist /usr/share/gnome-mines
+private-bin gnome-mines
+dbus-user.own org.gnome.Mines
+# Redirect
+include gnome_games-common.profile
diff --git a/etc/profile-a-l/gnome-mplayer.profile b/etc/profile-a-l/gnome-mplayer.profile
new file mode 100644
index 000000000..12bee6448
--- /dev/null
+++ b/etc/profile-a-l/gnome-mplayer.profile
@@ -0,0 +1,34 @@
+# Firejail profile for gnome-mplayer
+# Description: GTK/Gnome interface around MPlayer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-mplayer.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/gnome-mplayer
+noblacklist ${MUSIC}
+noblacklist ${VIDEOS}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nou2f
+protocol unix,inet,inet6
+seccomp
+shell none
+# private-bin gnome-mplayer,mplayer
+private-cache
+private-dev
+private-tmp
diff --git a/etc/profile-a-l/gnome-mpv.profile b/etc/profile-a-l/gnome-mpv.profile
new file mode 100644
index 000000000..f5d652732
--- /dev/null
+++ b/etc/profile-a-l/gnome-mpv.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for celluloid (formerly GNOME MPV)
+# This file is overwritten after every install/update
+# Redirect
+include celluloid.profile
diff --git a/etc/profile-a-l/gnome-music.profile b/etc/profile-a-l/gnome-music.profile
new file mode 100644
index 000000000..36b46897c
--- /dev/null
+++ b/etc/profile-a-l/gnome-music.profile
@@ -0,0 +1,47 @@
+# Firejail profile for gnome-music
+# Description: GNOME music player
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-music.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.local/share/gnome-music
+noblacklist ${MUSIC}
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+netfilter
+no3d
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+# private-bin calls a file manager - whatever is installed!
+#private-bin env,gio-launch-desktop,gnome-music,python*,yelp
+private-dev
+private-etc alternatives,asound.conf,dconf,fonts,fonts,gtk-3.0,machine-id,pulse,selinux,xdg
+private-tmp
diff --git a/etc/profile-a-l/gnome-nettool.profile b/etc/profile-a-l/gnome-nettool.profile
new file mode 100644
index 000000000..33eb9c81a
--- /dev/null
+++ b/etc/profile-a-l/gnome-nettool.profile
@@ -0,0 +1,48 @@
+# Firejail profile for gnome-nettool
+# Description: Graphical interface for various networking tools
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-nettool.local
+# Persistent global definitions
+include globals.local
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+whitelist /usr/share/gnome-nettool
+#include whitelist-common.inc -- see #903
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+caps.keep net_raw
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+# ping needs to elevate privileges, noroot and nonewprivs will kill it
+#nonewprivs
+#noroot
+nosound
+notv
+nou2f
+novideo
+#seccomp
+#shell none
+disable-mnt
+private
+private-cache
+private-dev
+private-lib libbind9.so.*,libcrypto.so.*,libdns.so.*,libgtk-3.so.*,libgtop*,libirs.so.*,liblua.so.*,libssh2.so.*,libssl.so.*
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/gnome-nibbles.profile b/etc/profile-a-l/gnome-nibbles.profile
new file mode 100644
index 000000000..b22810d34
--- /dev/null
+++ b/etc/profile-a-l/gnome-nibbles.profile
@@ -0,0 +1,23 @@
+# Firejail profile for gnome-nibbles
+# Description: A worm game for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-nibbles.local
+# Persistent global definitions
+include globals.local
+ignore machine-id
+ignore nosound
+noblacklist ${HOME}/.local/share/gnome-nibbles
+mkdir ${HOME}/.local/share/gnome-nibbles
+whitelist ${HOME}/.local/share/gnome-nibbles
+whitelist /usr/share/gnome-nibbles
+private-bin gnome-nibbles
+dbus-user.own org.gnome.Nibbles
+# Redirect
+include gnome_games-common.profile
diff --git a/etc/profile-a-l/gnome-passwordsafe.profile b/etc/profile-a-l/gnome-passwordsafe.profile
new file mode 100644
index 000000000..555a59d93
--- /dev/null
+++ b/etc/profile-a-l/gnome-passwordsafe.profile
@@ -0,0 +1,53 @@
+# Firejail profile for gnome-passwordsafe
+# Description: Password manager for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-passwordsafe.local
+# Persistent global definitions
+include globals.local
+noblacklist ${DOCUMENTS}
+noblacklist ${HOME}/*.kdb
+noblacklist ${HOME}/*.kdbx
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+whitelist /usr/share/cracklib
+whitelist /usr/share/passwordsafe
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin gnome-passwordsafe,python3*
+private-cache
+private-dev
+private-etc dconf,fonts,gtk-3.0,passwd
+private-tmp
diff --git a/etc/profile-a-l/gnome-photos.profile b/etc/profile-a-l/gnome-photos.profile
new file mode 100644
index 000000000..2af406af9
--- /dev/null
+++ b/etc/profile-a-l/gnome-photos.profile
@@ -0,0 +1,42 @@
+# Firejail profile for gnome-photos
+# Description: Access, organize and share your photos with GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-photos.local
+# Persistent global definitions
+include globals.local
+# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
+noblacklist ${HOME}/.local/share/gnome-photos
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+# private-bin gjs,gnome-photos
+private-dev
+private-tmp
diff --git a/etc/profile-a-l/gnome-pie.profile b/etc/profile-a-l/gnome-pie.profile
new file mode 100644
index 000000000..c1d2dae35
--- /dev/null
+++ b/etc/profile-a-l/gnome-pie.profile
@@ -0,0 +1,41 @@
+# Firejail profile for gnome-pie
+# Description: Alternative AppMenu
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-pie.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/gnome-pie
+#include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+#include disable-interpreters.inc
+include disable-passwdmgr.inc
+#include disable-programs.inc
+caps.drop all
+ipc-namespace
+# net none - breaks dbus
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+disable-mnt
+private-cache
+private-dev
+private-etc alternatives,fonts,machine-id
+private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*
+private-tmp
+memory-deny-write-execute
diff --git a/etc/profile-a-l/gnome-pomodoro.profile b/etc/profile-a-l/gnome-pomodoro.profile
new file mode 100644
index 000000000..f8be23f07
--- /dev/null
+++ b/etc/profile-a-l/gnome-pomodoro.profile
@@ -0,0 +1,51 @@
+# Firejail profile for gnome-pomodoro
+# Description: time management utility for GNOME based on the pomodoro technique
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-pomodoro.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.local/share/gnome-pomodoro
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.local/share/gnome-pomodoro
+whitelist ${HOME}/.local/share/gnome-pomodoro
+whitelist /usr/share/gnome-pomodoro
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin gnome-pomodoro
+private-cache
+private-dev
+private-etc dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id
+private-tmp
+read-only ${HOME}
+read-write ${HOME}/.local/share/gnome-pomodoro
diff --git a/etc/profile-a-l/gnome-recipes.profile b/etc/profile-a-l/gnome-recipes.profile
new file mode 100644
index 000000000..20c355371
--- /dev/null
+++ b/etc/profile-a-l/gnome-recipes.profile
@@ -0,0 +1,52 @@
+# Firejail profile for gnome-recipes
+# Description: Recipe application for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-recipes.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.cache/gnome-recipes
+noblacklist ${HOME}/.local/share/gnome-recipes
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+mkdir ${HOME}/.cache/gnome-recipes
+mkdir ${HOME}/.local/share/gnome-recipes
+whitelist ${HOME}/.cache/gnome-recipes
+whitelist ${HOME}/.local/share/gnome-recipes
+whitelist /usr/share/gnome-recipes
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+disable-mnt
+private-bin gnome-recipes,tar
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl
+private-lib gdk-pixbuf-2.0,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,libgnutls.so.*,libjpeg.so.*,libp11-kit.so.*,libproxy.so.*,librsvg-2.so.*
+private-tmp
diff --git a/etc/profile-a-l/gnome-ring.profile b/etc/profile-a-l/gnome-ring.profile
new file mode 100644
index 000000000..78ceb9c4f
--- /dev/null
+++ b/etc/profile-a-l/gnome-ring.profile
@@ -0,0 +1,34 @@
+# Firejail profile for gnome-ring
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-ring.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.local/share/gnome-ring
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include whitelist-var-common.inc
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+disable-mnt
+# private-dev
+private-tmp
diff --git a/etc/profile-a-l/gnome-robots.profile b/etc/profile-a-l/gnome-robots.profile
new file mode 100644
index 000000000..8835f2b93
--- /dev/null
+++ b/etc/profile-a-l/gnome-robots.profile
@@ -0,0 +1,19 @@
+# Firejail profile for gnome-robots
+# Description: Based on classic BSD Robots
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-robots.local
+# Persistent global definitions
+include globals.local
+ignore machine-id
+ignore nosound
+whitelist /usr/share/gnome-robots
+private-bin gnome-robots
+dbus-user.own org.gnome.Robots
+# Redirect
+include gnome_games-common.profile
diff --git a/etc/profile-a-l/gnome-schedule.profile b/etc/profile-a-l/gnome-schedule.profile
new file mode 100644
index 000000000..55913a2d7
--- /dev/null
+++ b/etc/profile-a-l/gnome-schedule.profile
@@ -0,0 +1,65 @@
+# Firejail profile for gnome-schedule
+# Description: Graphical interface to crontab and at for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-schedule.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.gnome/gnome-schedule
+# Needs at and crontab to read/write user cron
+noblacklist ${PATH}/at
+noblacklist ${PATH}/crontab
+# Needs access to these files/dirs
+noblacklist /etc/cron.allow
+noblacklist /etc/cron.deny
+noblacklist /etc/shadow
+noblacklist /var/spool/cron
+# cron job testing needs a terminal, resulting in sandbox escape (see disable-common.inc)
+# add 'noblacklist ${PATH}/your-terminal' to gnome-schedule.local if you need that functionality
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkfile ${HOME}/.gnome/gnome-schedule
+whitelist ${HOME}/.gnome/gnome-schedule
+whitelist /usr/share/gnome-schedule
+whitelist /var/spool/atd
+whitelist /var/spool/cron
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.keep chown,dac_override,setgid,setuid
+ipc-namespace
+machine-id
+#net none - breaks on Ubuntu
+no3d
+nodvd
+nogroups
+nosound
+notv
+nou2f
+novideo
+shell none
+tracelog
+disable-mnt
+private-cache
+private-dev
+writable-var
diff --git a/etc/profile-a-l/gnome-screenshot.profile b/etc/profile-a-l/gnome-screenshot.profile
new file mode 100644
index 000000000..cc5efb161
--- /dev/null
+++ b/etc/profile-a-l/gnome-screenshot.profile
@@ -0,0 +1,44 @@
+# Firejail profile for gnome-screenshot
+# Description: GNOME screenshot tool
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-screenshot.local
+# Persistent global definitions
+include globals.local
+noblacklist ${PICTURES}
+noblacklist ${HOME}/.cache/gnome-screenshot
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin gnome-screenshot
+private-dev
+private-etc dconf,fonts,gtk-3.0,localtime,machine-id
+private-tmp
diff --git a/etc/profile-a-l/gnome-sound-recorder.profile b/etc/profile-a-l/gnome-sound-recorder.profile
new file mode 100644
index 000000000..a64ec25a9
--- /dev/null
+++ b/etc/profile-a-l/gnome-sound-recorder.profile
@@ -0,0 +1,43 @@
+# Firejail profile for gnome-sound-recorder
+# Description: simple sound recordings for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-sound-recorder.local
+# Persistent global definitions
+include globals.local
+noblacklist ${MUSIC}
+noblacklist ${HOME}/.local/share/Trash
+# Allow gjs (blacklisted by disable-interpreters.inc)
+include allow-gjs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-var-common.inc
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+disable-mnt
+private-cache
+private-dev
+private-etc alsa,asound.conf,dconf,fonts,gtk-2.0,gtk-3.0,machine-id,openal,pango,pulse,xdg
+private-tmp
diff --git a/etc/profile-a-l/gnome-sudoku.profile b/etc/profile-a-l/gnome-sudoku.profile
new file mode 100644
index 000000000..12fd48a86
--- /dev/null
+++ b/etc/profile-a-l/gnome-sudoku.profile
@@ -0,0 +1,19 @@
+# Firejail profile for gnome-sudoku
+# Description: puzzle game for the popular Japanese sudoku logic puzzle
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-sudoku.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.local/share/gnome-sudoku
+mkdir ${HOME}/.local/share/gnome-sudoku
+whitelist ${HOME}/.local/share/gnome-sudoku
+private-bin gnome-sudoku
+dbus-user.own org.gnome.Sudoku
+# Redirect
+include gnome_games-common.profile
diff --git a/etc/profile-a-l/gnome-system-log.profile b/etc/profile-a-l/gnome-system-log.profile
new file mode 100644
index 000000000..f597f5cd3
--- /dev/null
+++ b/etc/profile-a-l/gnome-system-log.profile
@@ -0,0 +1,58 @@
+# Firejail profile for gnome-system-log
+# Description: View your system logs
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-system-log.local
+# Persistent global definitions
+include globals.local
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+whitelist /var/log
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+ipc-namespace
+# net none - breaks dbus
+no3d
+nodvd
+# When using 'volatile' storage (https://www.freedesktop.org/software/systemd/man/journald.conf.html),
+# comment both 'nogroups' and 'noroot'
+# or put 'ignore nogroups' and 'ignore noroot' in your gnome-system-log.local.
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+disable-mnt
+private-bin gnome-system-log
+private-cache
+private-dev
+private-etc alternatives,fonts,localtime,machine-id
+private-lib
+private-tmp
+writable-var-log
+# dbus-user none
+# dbus-system none
+memory-deny-write-execute
+# comment this if you export logs to a file in your ${HOME}
+# or put 'ignore read-only ${HOME}' in your gnome-system-log.local
+read-only ${HOME}
diff --git a/etc/profile-a-l/gnome-taquin.profile b/etc/profile-a-l/gnome-taquin.profile
new file mode 100644
index 000000000..2341334f7
--- /dev/null
+++ b/etc/profile-a-l/gnome-taquin.profile
@@ -0,0 +1,19 @@
+# Firejail profile for gnome-taquin
+# Description: A sliding puzzle game for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-taquin.local
+# Persistent global definitions
+include globals.local
+ignore machine-id
+ignore nosound
+whitelist /usr/share/gnome-taquin
+private-bin gnome-taquin
+dbus-user.own org.gnome.Taquin
+# Redirect
+include gnome_games-common.profile
diff --git a/etc/profile-a-l/gnome-tetravex.profile b/etc/profile-a-l/gnome-tetravex.profile
new file mode 100644
index 000000000..6e820dd70
--- /dev/null
+++ b/etc/profile-a-l/gnome-tetravex.profile
@@ -0,0 +1,14 @@
+# Firejail profile for gnome-tetravex
+# Description: A simple puzzle game for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-tetravex.local
+# Persistent global definitions
+include globals.local
+private-bin gnome-tetravex
+dbus-user.own org.gnome.Tetravex
+# Redirect
+include gnome_games-common.profile
diff --git a/etc/profile-a-l/gnome-todo.profile b/etc/profile-a-l/gnome-todo.profile
new file mode 100644
index 000000000..6240cce65
--- /dev/null
+++ b/etc/profile-a-l/gnome-todo.profile
@@ -0,0 +1,51 @@
+# Firejail profile for gnome-todo
+# Description: Personal task manager for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-todo.local
+# Persistent global definitions
+include globals.local
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+whitelist /usr/share/gnome-todo
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+disable-mnt
+#private
+private-bin gnome-todo
+private-cache
+private-dev
+private-etc dconf,fonts,gtk-3.0,localtime,passwd,xdg
+private-tmp
+read-only ${HOME}
diff --git a/etc/profile-a-l/gnome-twitch.profile b/etc/profile-a-l/gnome-twitch.profile
new file mode 100644
index 000000000..5e8153035
--- /dev/null
+++ b/etc/profile-a-l/gnome-twitch.profile
@@ -0,0 +1,40 @@
+# Firejail profile for gnome-twitch
+# Description: GNOME Twitch app for watching Twitch.tv streams without a browser or flash
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-twitch.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.cache/gnome-twitch
+noblacklist ${HOME}/.local/share/gnome-twitch
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+mkdir ${HOME}/.cache/gnome-twitch
+mkdir ${HOME}/.local/share/gnome-twitch
+whitelist ${HOME}/.cache/gnome-twitch
+whitelist ${HOME}/.local/share/gnome-twitch
+include whitelist-common.inc
+caps.drop all
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+disable-mnt
+private-dev
+private-tmp
diff --git a/etc/profile-a-l/gnome-weather.profile b/etc/profile-a-l/gnome-weather.profile
new file mode 100644
index 000000000..a181f1b9e
--- /dev/null
+++ b/etc/profile-a-l/gnome-weather.profile
@@ -0,0 +1,48 @@
+# Firejail profile for gnome-weather
+# Description: Access current conditions and forecasts
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-weather.local
+# Persistent global definitions
+include globals.local
+# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
+noblacklist ${HOME}/.cache/libgweather
+# Allow gjs (blacklisted by disable-interpreters.inc)
+include allow-gjs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+disable-mnt
+# private-bin gjs,gnome-weather
+private-dev
+# private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl
+private-tmp
diff --git a/etc/profile-a-l/gnome_games-common.profile b/etc/profile-a-l/gnome_games-common.profile
new file mode 100644
index 000000000..5a17d0ff8
--- /dev/null
+++ b/etc/profile-a-l/gnome_games-common.profile
@@ -0,0 +1,47 @@
+# Firejail profile for gnome_games-common
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome_games-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+disable-mnt
+private-cache
+private-dev
+private-etc dconf,fonts,gconf,gtk-2.0,gtk-3.0,machine-id,pango,passwd,X11
+private-tmp
+dbus-user filter
+dbus-user.talk ca.desrt.dconf
+dbus-system none
diff --git a/etc/profile-a-l/godot.profile b/etc/profile-a-l/godot.profile
new file mode 100644
index 000000000..8324a4eb5
--- /dev/null
+++ b/etc/profile-a-l/godot.profile
@@ -0,0 +1,45 @@
+# Firejail profile for godot
+# Description: multi-platform 2D and 3D game engine with a feature-rich editor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include godot.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.cache/godot
+noblacklist ${HOME}/.config/godot
+noblacklist ${HOME}/.local/share/godot
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-var-common.inc
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+# private-bin godot
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,machine-id,nsswitch.conf,openal,pki,pulse,resolv.conf,ssl
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/goobox.profile b/etc/profile-a-l/goobox.profile
new file mode 100644
index 000000000..c932ad528
--- /dev/null
+++ b/etc/profile-a-l/goobox.profile
@@ -0,0 +1,35 @@
+# Firejail profile for goobox
+# Description: CD player and ripper with GNOME 3 integration
+# This file is overwritten after every install/update
+# Persistent local customizations
+include goobox.local
+# Persistent global definitions
+include globals.local
+noblacklist ${MUSIC}
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+caps.drop all
+netfilter
+no3d
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+# private-bin goobox
+private-dev
+# private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,machine-id,pki,pulse,ssl
+# private-tmp
diff --git a/etc/profile-a-l/google-chrome-beta.profile b/etc/profile-a-l/google-chrome-beta.profile
new file mode 100644
index 000000000..73101f509
--- /dev/null
+++ b/etc/profile-a-l/google-chrome-beta.profile
@@ -0,0 +1,17 @@
+# Firejail profile for google-chrome-beta
+# This file is overwritten after every install/update
+# Persistent local customizations
+include google-chrome-beta.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.cache/google-chrome-beta
+noblacklist ${HOME}/.config/google-chrome-beta
+mkdir ${HOME}/.cache/google-chrome-beta
+mkdir ${HOME}/.config/google-chrome-beta
+whitelist ${HOME}/.cache/google-chrome-beta
+whitelist ${HOME}/.config/google-chrome-beta
+# Redirect
+include chromium-common.profile
diff --git a/etc/profile-a-l/google-chrome-stable.profile b/etc/profile-a-l/google-chrome-stable.profile
new file mode 100644
index 000000000..a456e8d61
--- /dev/null
+++ b/etc/profile-a-l/google-chrome-stable.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for google-chrome
+# This file is overwritten after every install/update
+# Redirect
+include google-chrome.profile
diff --git a/etc/profile-a-l/google-chrome-unstable.profile b/etc/profile-a-l/google-chrome-unstable.profile
new file mode 100644
index 000000000..50e9923aa
--- /dev/null
+++ b/etc/profile-a-l/google-chrome-unstable.profile
@@ -0,0 +1,17 @@
+# Firejail profile for google-chrome-unstable
+# This file is overwritten after every install/update
+# Persistent local customizations
+include google-chrome-unstable.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.cache/google-chrome-unstable
+noblacklist ${HOME}/.config/google-chrome-unstable
+mkdir ${HOME}/.cache/google-chrome-unstable
+mkdir ${HOME}/.config/google-chrome-unstable
+whitelist ${HOME}/.cache/google-chrome-unstable
+whitelist ${HOME}/.config/google-chrome-unstable
+# Redirect
+include chromium-common.profile
diff --git a/etc/profile-a-l/google-chrome.profile b/etc/profile-a-l/google-chrome.profile
new file mode 100644
index 000000000..c69e98271
--- /dev/null
+++ b/etc/profile-a-l/google-chrome.profile
@@ -0,0 +1,17 @@
+# Firejail profile for google-chrome
+# This file is overwritten after every install/update
+# Persistent local customizations
+include google-chrome.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.cache/google-chrome
+noblacklist ${HOME}/.config/google-chrome
+mkdir ${HOME}/.cache/google-chrome
+mkdir ${HOME}/.config/google-chrome
+whitelist ${HOME}/.cache/google-chrome
+whitelist ${HOME}/.config/google-chrome
+# Redirect
+include chromium-common.profile
diff --git a/etc/profile-a-l/google-earth-pro.profile b/etc/profile-a-l/google-earth-pro.profile
new file mode 100644
index 000000000..c1f919769
--- /dev/null
+++ b/etc/profile-a-l/google-earth-pro.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for google-earth
+# This file is overwritten after every install/update
+private-bin google-earth-pro
+# Redirect
+include google-earth.profile
diff --git a/etc/profile-a-l/google-earth.profile b/etc/profile-a-l/google-earth.profile
new file mode 100644
index 000000000..a331ef8d2
--- /dev/null
+++ b/etc/profile-a-l/google-earth.profile
@@ -0,0 +1,51 @@
+# Firejail profile for google-earth
+# This file is overwritten after every install/update
+# Persistent local customizations
+include google-earth.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/Google
+noblacklist ${HOME}/.googleearth/Cache
+noblacklist ${HOME}/.googleearth/Temp
+noblacklist ${HOME}/.googleearth/myplaces.backup.kml
+noblacklist ${HOME}/.googleearth/myplaces.kml
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+mkdir ${HOME}/.config/Google
+mkdir ${HOME}/.googleearth/Cache
+mkdir ${HOME}/.googleearth/Temp
+mkfile ${HOME}/.googleearth/myplaces.backup.kml
+mkfile ${HOME}/.googleearth/myplaces.kml
+whitelist ${HOME}/.config/Google
+whitelist ${HOME}/.googleearth/Cache
+whitelist ${HOME}/.googleearth/Temp
+whitelist ${HOME}/.googleearth/myplaces.backup.kml
+whitelist ${HOME}/.googleearth/myplaces.kml
+include whitelist-common.inc
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+disable-mnt
+private-bin bash,dirname,google-earth,grep,ls,sed,sh
+private-dev
+private-opt google
diff --git a/etc/profile-a-l/google-play-music-desktop-player.profile b/etc/profile-a-l/google-play-music-desktop-player.profile
new file mode 100644
index 000000000..daa385234
--- /dev/null
+++ b/etc/profile-a-l/google-play-music-desktop-player.profile
@@ -0,0 +1,42 @@
+# Firejail profile for google-play-music-desktop-player
+# This file is overwritten after every install/update
+# Persistent local customizations
+include google-play-music-desktop-player.local
+# Persistent global definitions
+include globals.local
+# noexec /tmp breaks mpris support
+ignore noexec /tmp
+noblacklist ${HOME}/.config/Google Play Music Desktop Player
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+mkdir ${HOME}/.config/Google Play Music Desktop Player
+# whitelist ${HOME}/.config/pulse
+# whitelist ${HOME}/.pulse
+whitelist ${HOME}/.config/Google Play Music Desktop Player
+include whitelist-common.inc
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+disable-mnt
+private-dev
+private-tmp
diff --git a/etc/profile-a-l/gpa.profile b/etc/profile-a-l/gpa.profile
new file mode 100644
index 000000000..ce7c8496d
--- /dev/null
+++ b/etc/profile-a-l/gpa.profile
@@ -0,0 +1,33 @@
+# Firejail profile for gpa
+# Description: GNU Privacy Assistant (GPA)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gpa.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.gnupg
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+# private-bin gpa,gpg
+private-dev
diff --git a/etc/profile-a-l/gpg-agent.profile b/etc/profile-a-l/gpg-agent.profile
new file mode 100644
index 000000000..adc8957e6
--- /dev/null
+++ b/etc/profile-a-l/gpg-agent.profile
@@ -0,0 +1,52 @@
+# Firejail profile for gpg-agent
+# Description: GNU privacy guard - cryptographic agent
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include gpg-agent.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.gnupg
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.gnupg
+whitelist ${HOME}/.gnupg
+whitelist ${RUNUSER}/gnupg
+whitelist ${RUNUSER}/keyring
+whitelist /usr/share/gnupg
+whitelist /usr/share/gnupg2
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+caps.drop all
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+# private-bin gpg-agent,gpg
+private-cache
+private-dev
diff --git a/etc/profile-a-l/gpg.profile b/etc/profile-a-l/gpg.profile
new file mode 100644
index 000000000..787f35f9e
--- /dev/null
+++ b/etc/profile-a-l/gpg.profile
@@ -0,0 +1,54 @@
+# Firejail profile for gpg
+# Description: GNU Privacy Guard -- minimalist public key operations
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include gpg.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.gnupg
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+whitelist ${RUNUSER}/gnupg
+whitelist ${RUNUSER}/keyring
+whitelist /usr/share/gnupg
+whitelist /usr/share/gnupg2
+whitelist /usr/share/pacman/keyrings
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+# private-bin gpg,gpg-agent
+private-cache
+private-dev
+# On Arch 'archlinux-keyring' needs read-write access to /etc/pacman.d/gnupg
+# and /usr/share/pacman/keyrings. Although this works, it makes
+# installing/upgrading archlinux-keyring extremely slow.
+read-write /etc/pacman.d/gnupg
+read-write /usr/share/pacman/keyrings
diff --git a/etc/profile-a-l/gpg2.profile b/etc/profile-a-l/gpg2.profile
new file mode 100644
index 000000000..b831b0f62
--- /dev/null
+++ b/etc/profile-a-l/gpg2.profile
@@ -0,0 +1,13 @@
+# Firejail profile for gpg2
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include gpg2.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# private-bin gpg2
+# Redirect
+include gpg.profile
diff --git a/etc/profile-a-l/gpicview.profile b/etc/profile-a-l/gpicview.profile
new file mode 100644
index 000000000..578ccaef9
--- /dev/null
+++ b/etc/profile-a-l/gpicview.profile
@@ -0,0 +1,50 @@
+# Firejail profile for gpicview
+# Description: Lightweight image viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gpicview.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/gpicview
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+whitelist /usr/share/gpicview
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+private-bin gpicview
+private-cache
+private-dev
+private-etc alternatives,fonts,group,passwd
+private-lib
+private-tmp
+dbus-user none
+dbus-system none
+memory-deny-write-execute
diff --git a/etc/profile-a-l/gpredict.profile b/etc/profile-a-l/gpredict.profile
new file mode 100644
index 000000000..c1f1b53a0
--- /dev/null
+++ b/etc/profile-a-l/gpredict.profile
@@ -0,0 +1,40 @@
+# Firejail profile for gpredict
+# Description: Satellite tracking program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gpredict.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/Gpredict
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+mkdir ${HOME}/.config/Gpredict
+whitelist ${HOME}/.config/Gpredict
+include whitelist-common.inc
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+private-bin gpredict
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,resolv.conf,ssl
+private-tmp
diff --git a/etc/profile-a-l/gradio.profile b/etc/profile-a-l/gradio.profile
new file mode 100644
index 000000000..82e2504b9
--- /dev/null
+++ b/etc/profile-a-l/gradio.profile
@@ -0,0 +1,40 @@
+# Firejail profile for gradio
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gradio.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.cache/gradio
+noblacklist ${HOME}/.local/share/gradio
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+mkdir ${HOME}/.cache/gradio
+mkdir ${HOME}/.local/share/gradio
+whitelist ${HOME}/.cache/gradio
+whitelist ${HOME}/.local/share/gradio
+include whitelist-common.inc
+include whitelist-var-common.inc
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,machine-id,pki,pulse,resolv.conf,ssl,xdg
+private-tmp
diff --git a/etc/profile-a-l/gramps.profile b/etc/profile-a-l/gramps.profile
new file mode 100644
index 000000000..427fe2d7a
--- /dev/null
+++ b/etc/profile-a-l/gramps.profile
@@ -0,0 +1,51 @@
+# Firejail profile for gramps
+# Description: genealogy program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gramps.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.gramps
+# Allow python (blacklisted by disable-interpreters.inc)
+#include allow-python2.inc
+include allow-python3.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.gramps
+whitelist ${HOME}/.gramps
+include whitelist-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+disable-mnt
+private-cache
+private-dev
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile b/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile
new file mode 100644
index 000000000..7a1a9440e
--- /dev/null
+++ b/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile
@@ -0,0 +1,46 @@
+# Firejail profile for gravity-beams-and-evaporating-stars
+# Description: a game about hurling asteroids into the sun
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gravity-beams-and-evaporating-stars.local
+# Persistent global definitions
+include globals.local
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+whitelist /usr/share/gravity-beams-and-evaporating-stars
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+disable-mnt
+private
+private-bin gravity-beams-and-evaporating-stars
+private-cache
+private-dev
+private-etc fonts,machine-id
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/gsettings-data-convert.profile b/etc/profile-a-l/gsettings-data-convert.profile
new file mode 100644
index 000000000..6f1d43939
--- /dev/null
+++ b/etc/profile-a-l/gsettings-data-convert.profile
@@ -0,0 +1,11 @@
+# Firejail profile for gsettings-data-convert
+# Description: An obsolete configuration database system (CLI utility)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gsettings-data-convert.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include gconf.profile
diff --git a/etc/profile-a-l/gsettings-schema-convert.profile b/etc/profile-a-l/gsettings-schema-convert.profile
new file mode 100644
index 000000000..5c8b0e2e2
--- /dev/null
+++ b/etc/profile-a-l/gsettings-schema-convert.profile
@@ -0,0 +1,11 @@
+# Firejail profile for gsettings-schema-convert
+# Description: An obsolete configuration database system (CLI utility)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gsettings-schema-convert.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include gconf.profile
diff --git a/etc/profile-a-l/gsettings.profile b/etc/profile-a-l/gsettings.profile
new file mode 100644
index 000000000..2203fac15
--- /dev/null
+++ b/etc/profile-a-l/gsettings.profile
@@ -0,0 +1,11 @@
+# Firejail profile for gsettings
+# Description: GSettings configuration tool
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gsettings.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include dconf.profile
diff --git a/etc/profile-a-l/gtar.profile b/etc/profile-a-l/gtar.profile
new file mode 100644
index 000000000..2391c121b
--- /dev/null
+++ b/etc/profile-a-l/gtar.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for tar
+# This file is overwritten after every install/update
+# Redirect
+include tar.profile
diff --git a/etc/profile-a-l/gthumb.profile b/etc/profile-a-l/gthumb.profile
new file mode 100644
index 000000000..77de59802
--- /dev/null
+++ b/etc/profile-a-l/gthumb.profile
@@ -0,0 +1,36 @@
+# Firejail profile for gthumb
+# Description: Image viewer and browser
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gthumb.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/gthumb
+noblacklist ${HOME}/.Steam
+noblacklist ${HOME}/.steam
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+caps.drop all
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+private-bin gthumb
+private-cache
+private-dev
+private-tmp
diff --git a/etc/profile-a-l/gtk-update-icon-cache.profile b/etc/profile-a-l/gtk-update-icon-cache.profile
new file mode 100644
index 000000000..ac2e9891b
--- /dev/null
+++ b/etc/profile-a-l/gtk-update-icon-cache.profile
@@ -0,0 +1,55 @@
+# Firejail profile for gtk-update-icon-cache
+# Description: Icon theme caching utility
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include gtk-update-icon-cache.local
+# Persistent global definitions
+include globals.local
+blacklist ${RUNUSER}/wayland-*
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+disable-mnt
+private-bin gtk-update-icon-cache
+private-cache
+private-dev
+private-etc none
+private-lib
+private-tmp
+dbus-user none
+dbus-system none
+memory-deny-write-execute
diff --git a/etc/profile-a-l/guayadeque.profile b/etc/profile-a-l/guayadeque.profile
new file mode 100644
index 000000000..8ffd7ff58
--- /dev/null
+++ b/etc/profile-a-l/guayadeque.profile
@@ -0,0 +1,34 @@
+# Firejail profile for guayadeque
+# This file is overwritten after every install/update
+# Persistent local customizations
+include guayadeque.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.guayadeque
+noblacklist ${MUSIC}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+private-bin guayadeque
+private-dev
+private-tmp
diff --git a/etc/profile-a-l/gucharmap.profile b/etc/profile-a-l/gucharmap.profile
new file mode 100644
index 000000000..624914759
--- /dev/null
+++ b/etc/profile-a-l/gucharmap.profile
@@ -0,0 +1,52 @@
+# Firejail profile for gucharmap
+# Description: Unicode character picker and font browser
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gucharmap.local
+# Persistent global definitions
+include globals.local
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+machine-id
+#net none - breaks dbus
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin gnome-character-map,gucharmap
+private-cache
+private-dev
+private-etc alternatives,dbus-1,dconf,fonts,gconf,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,pango,X11,xdg
+private-lib
+private-tmp
+# breaks state saving
+# dbus-user none
+# dbus-system none
+read-only ${HOME}
diff --git a/etc/profile-a-l/gummi.profile b/etc/profile-a-l/gummi.profile
new file mode 100644
index 000000000..922b2cbde
--- /dev/null
+++ b/etc/profile-a-l/gummi.profile
@@ -0,0 +1,19 @@
+# Firejail profile for gummi
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gummi.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.cache/gummi
+noblacklist ${HOME}/.config/gummi
+include allow-lua.inc
+include allow-perl.inc
+include allow-python3.inc
+private-bin dvipdf,dvips,env,gummi,latex,latexmk,lua*,lualatex,luatex,pdflatex,pdftex,perl,ps2pdf,python3*,rubber,synctex,tex,xelatex,xetex
+# Redirect
+include latex-common.profile
diff --git a/etc/profile-a-l/gunzip.profile b/etc/profile-a-l/gunzip.profile
new file mode 100644
index 000000000..6e97c6b78
--- /dev/null
+++ b/etc/profile-a-l/gunzip.profile
@@ -0,0 +1,11 @@
+# Firejail profile for gunzip
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include gunzip.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include gzip.profile
diff --git a/etc/profile-a-l/gwenview.profile b/etc/profile-a-l/gwenview.profile
new file mode 100644
index 000000000..dee0ba9a2
--- /dev/null
+++ b/etc/profile-a-l/gwenview.profile
@@ -0,0 +1,52 @@
+# Firejail profile for gwenview
+# Description: Image viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gwenview.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/GIMP
+noblacklist ${HOME}/.config/gwenviewrc
+noblacklist ${HOME}/.config/org.kde.gwenviewrc
+noblacklist ${HOME}/.gimp*
+noblacklist ${HOME}/.kde/share/apps/gwenview
+noblacklist ${HOME}/.kde/share/config/gwenviewrc
+noblacklist ${HOME}/.kde4/share/apps/gwenview
+noblacklist ${HOME}/.kde4/share/config/gwenviewrc
+noblacklist ${HOME}/.local/share/gwenview
+noblacklist ${HOME}/.local/share/org.kde.gwenview
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+# net none
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+# tracelog
+private-bin gimp*,gwenview,kbuildsycoca4,kdeinit4
+private-dev
+private-etc alternatives,fonts,gimp,gtk-2.0,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,pulse,xdg
+# dbus-user none
+# dbus-system none
+# memory-deny-write-execute
diff --git a/etc/profile-a-l/gzexe.profile b/etc/profile-a-l/gzexe.profile
new file mode 100644
index 000000000..bb570d553
--- /dev/null
+++ b/etc/profile-a-l/gzexe.profile
@@ -0,0 +1,11 @@
+# Firejail profile for gzexe
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include gzexe.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include gzip.profile
diff --git a/etc/profile-a-l/gzip.profile b/etc/profile-a-l/gzip.profile
new file mode 100644
index 000000000..8ec39d8ca
--- /dev/null
+++ b/etc/profile-a-l/gzip.profile
@@ -0,0 +1,49 @@
+# Firejail profile for gzip
+# Description: GNU compression utilities
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include gzip.local
+# Persistent global definitions
+include globals.local
+blacklist ${RUNUSER}/wayland-*
+# Arch Linux (based distributions) need access to /var/lib/pacman. As we drop all capabilities this is automatically read-only.
+noblacklist /var/lib/pacman
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+apparmor
+caps.drop all
+hostname gzip
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+#noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+private-cache
+private-dev
+dbus-user none
+dbus-system none
+memory-deny-write-execute
diff --git a/etc/profile-a-l/handbrake-gtk.profile b/etc/profile-a-l/handbrake-gtk.profile
new file mode 100644
index 000000000..1e7ce2350
--- /dev/null
+++ b/etc/profile-a-l/handbrake-gtk.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for handbrake
+# This file is overwritten after every install/update
+# Redirect
+include handbrake.profile
diff --git a/etc/profile-a-l/handbrake.profile b/etc/profile-a-l/handbrake.profile
new file mode 100644
index 000000000..0539ffcb8
--- /dev/null
+++ b/etc/profile-a-l/handbrake.profile
@@ -0,0 +1,39 @@
+# Firejail profile for handbrake
+# Description: Versatile DVD ripper and video transcoder (GTK+ GUI)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include handbrake.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/ghb
+noblacklist ${MUSIC}
+noblacklist ${VIDEOS}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+net none
+nogroups
+nonewprivs
+noroot
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+private-dev
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/hashcat.profile b/etc/profile-a-l/hashcat.profile
new file mode 100644
index 000000000..8ec67ff19
--- /dev/null
+++ b/etc/profile-a-l/hashcat.profile
@@ -0,0 +1,46 @@
+# Firejail profile for hashcat
+# Description: World's fastest and most advanced password recovery utility
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include hashcat.local
+# Persistent global definitions
+include globals.local
+blacklist ${RUNUSER}/wayland-*
+noblacklist ${HOME}/.hashcat
+noblacklist /usr/include
+noblacklist ${DOCUMENTS}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+x11 none
+disable-mnt
+private-bin hashcat
+private-cache
+private-dev
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/hedgewars.profile b/etc/profile-a-l/hedgewars.profile
new file mode 100644
index 000000000..898a07a5f
--- /dev/null
+++ b/etc/profile-a-l/hedgewars.profile
@@ -0,0 +1,35 @@
+# Firejail profile for hedgewars
+# Description: Funny turn-based artillery game, featuring fighting hedgehogs
+# This file is overwritten after every install/update
+# Persistent local customizations
+include hedgewars.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.hedgewars
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+mkdir ${HOME}/.hedgewars
+whitelist ${HOME}/.hedgewars
+include whitelist-common.inc
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+seccomp
+tracelog
+disable-mnt
+private-dev
+private-tmp
diff --git a/etc/profile-a-l/hexchat.profile b/etc/profile-a-l/hexchat.profile
new file mode 100644
index 000000000..7723cbd6b
--- /dev/null
+++ b/etc/profile-a-l/hexchat.profile
@@ -0,0 +1,52 @@
+# Firejail profile for hexchat
+# Description: IRC client for X based on X-Chat 2
+# This file is overwritten after every install/update
+# Persistent local customizations
+include hexchat.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/hexchat
+noblacklist /usr/share/perl*
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.config/hexchat
+whitelist ${HOME}/.config/hexchat
+include whitelist-common.inc
+include whitelist-var-common.inc
+caps.drop all
+#machine-id -- breaks sound
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+disable-mnt
+# debug note: private-bin requires perl, python, etc on some systems
+private-bin hexchat,python*
+private-dev
+#private-lib - python problems
+private-tmp
+# memory-deny-write-execute - breaks python
diff --git a/etc/profile-a-l/highlight.profile b/etc/profile-a-l/highlight.profile
new file mode 100644
index 000000000..8d2987b62
--- /dev/null
+++ b/etc/profile-a-l/highlight.profile
@@ -0,0 +1,41 @@
+# Firejail profile for highlight
+# Description: Universal source code to formatted text converter
+# This file is overwritten after every install/update
+# Persistent local customizations
+include highlight.local
+# Persistent global definitions
+include globals.local
+blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+private-bin highlight
+private-cache
+private-dev
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/host.profile b/etc/profile-a-l/host.profile
new file mode 100644
index 000000000..e5a5a7efa
--- /dev/null
+++ b/etc/profile-a-l/host.profile
@@ -0,0 +1,52 @@
+# Firejail profile for host
+# Description: DNS lookup utility
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include host.local
+# Persistent global definitions
+include globals.local
+blacklist ${RUNUSER}
+noblacklist ${PATH}/host
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+disable-mnt
+private
+private-bin bash,host,sh
+private-dev
+private-tmp
+dbus-user none
+dbus-system none
+memory-deny-write-execute
diff --git a/etc/profile-a-l/hugin.profile b/etc/profile-a-l/hugin.profile
new file mode 100644
index 000000000..f8d9f999d
--- /dev/null
+++ b/etc/profile-a-l/hugin.profile
@@ -0,0 +1,41 @@
+# Firejail profile for hugin
+# Description: Panorama photo stitcher
+# This file is overwritten after every install/update
+# Persistent local customizations
+include hugin.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.hugin
+noblacklist ${DOCUMENTS}
+noblacklist ${PICTURES}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+private-bin align_image_stack,autooptimiser,calibrate_lens_gui,celeste_standalone,checkpto,cpclean,cpfind,deghosting_mask,enblend,fulla,geocpset,hugin,hugin_executor,hugin_hdrmerge,hugin_lensdb,hugin_stitch_project,icpfind,linefind,nona,pano_modify,pano_trafo,PTBatcherGUI,pto_gen,pto_lensstack,pto_mask,pto_merge,pto_move,pto_template,pto_var,tca_correct,verdandi,vig_optimize
+private-cache
+private-dev
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/hyperrogue.profile b/etc/profile-a-l/hyperrogue.profile
new file mode 100644
index 000000000..1e3663b8f
--- /dev/null
+++ b/etc/profile-a-l/hyperrogue.profile
@@ -0,0 +1,50 @@
+# Firejail profile for hyperrogue
+# Description: An SDL roguelike in a non-euclidean world
+# This file is overwritten after every install/update
+# Persistent local customizations
+include hyperrogue.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/hyperrogue.ini
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkfile ${HOME}/hyperrogue.ini
+whitelist ${HOME}/hyperrogue.ini
+whitelist /usr/share/hyperrogue
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin hyperrogue
+private-cache
+private-cwd ${HOME}
+private-dev
+private-etc fonts,machine-id
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/i2prouter.profile b/etc/profile-a-l/i2prouter.profile
new file mode 100644
index 000000000..9ffdb9e9b
--- /dev/null
+++ b/etc/profile-a-l/i2prouter.profile
@@ -0,0 +1,71 @@
+# Firejail profile for I2P
+# Description: A distributed anonymous network
+# This file is overwritten after every install/update
+# Persistent local customizations
+include i2prouter.local
+# Persistent global definitions
+include globals.local
+# Notice: default browser will most likely not be able to automatically open, due to sandbox.
+# Auto-opening default browser can be disabled in the I2P router console.
+# This profile will not currently work with any Arch User Repository I2P packages,
+# use the distro-independent official I2P java installer instead
+# Only needed if i2prouter binary is in home directory, official I2P java installer does this
+ignore noexec ${HOME}
+noblacklist ${HOME}/.config/i2p
+noblacklist ${HOME}/.i2p
+noblacklist ${HOME}/.local/share/i2p
+noblacklist ${HOME}/i2p
+# Only needed if wrapper is placed in /usr/sbin/, ubuntu official I2P ppa package does this
+noblacklist /usr/sbin
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.config/i2p
+mkdir ${HOME}/.i2p
+mkdir ${HOME}/.local/share/i2p
+mkdir ${HOME}/i2p
+whitelist ${HOME}/.config/i2p
+whitelist ${HOME}/.i2p
+whitelist ${HOME}/.local/share/i2p
+whitelist ${HOME}/i2p
+# Only needed if wrapper is placed in /usr/sbin/, ubuntu official I2P ppa package does this
+whitelist /usr/sbin/wrapper*
+include whitelist-common.inc
+# May break I2P if wrapper is placed in the home directory; official I2P java installer does this
+# If using ubuntu official I2P ppa, this should be fine to uncomment, as it puts wrapper in /usr/sbin/
+#apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+disable-mnt
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,dconf,group,hostname,hosts,i2p,java-10-openjdk,java-11-openjdk,java-12-openjdk,java-13-openjdk,java-8-openjdk,java-9-openjdk,java-openjdk,ld.so.cache,localtime,machine-id,nsswitch.conf,passwd,pki,resolv.conf,ssl
+private-tmp
diff --git a/etc/profile-a-l/i3.profile b/etc/profile-a-l/i3.profile
new file mode 100644
index 000000000..c1ca0e413
--- /dev/null
+++ b/etc/profile-a-l/i3.profile
@@ -0,0 +1,18 @@
+# Firejail profile for i3
+# Description: Standards-compliant, fast, light-weight and extensible window manager
+# This file is overwritten after every install/update
+# Persistent local customizations
+include i3.local
+# Persistent global definitions
+include globals.local
+# all applications started in awesome will run in this profile
+noblacklist ${HOME}/.config/i3
+include disable-common.inc
+caps.drop all
+netfilter
+noroot
+protocol unix,inet,inet6
+seccomp
diff --git a/etc/profile-a-l/iagno.profile b/etc/profile-a-l/iagno.profile
new file mode 100644
index 000000000..a99c603bd
--- /dev/null
+++ b/etc/profile-a-l/iagno.profile
@@ -0,0 +1,39 @@
+# Firejail profile for iagno
+# Description: Reversi clone for Gnome desktop
+# This file is overwritten after every install/update
+# Persistent local customizations
+include iagno.local
+# Persistent global definitions
+include globals.local
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+disable-mnt
+private
+private-bin iagno
+private-dev
+private-tmp
+# dbus-user none
+# dbus-system none
diff --git a/etc/profile-a-l/icecat.profile b/etc/profile-a-l/icecat.profile
new file mode 100644
index 000000000..660343a29
--- /dev/null
+++ b/etc/profile-a-l/icecat.profile
@@ -0,0 +1,20 @@
+# Firejail profile for icecat
+# This file is overwritten after every install/update
+# Persistent local customizations
+include icecat.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.cache/mozilla
+noblacklist ${HOME}/.mozilla
+mkdir ${HOME}/.cache/mozilla/icecat
+mkdir ${HOME}/.mozilla
+whitelist ${HOME}/.cache/mozilla/icecat
+whitelist ${HOME}/.mozilla
+# private-etc must first be enabled in firefox-common.profile
+#private-etc icecat
+# Redirect
+include firefox-common.profile
diff --git a/etc/profile-a-l/icedove.profile b/etc/profile-a-l/icedove.profile
new file mode 100644
index 000000000..19690cd5a
--- /dev/null
+++ b/etc/profile-a-l/icedove.profile
@@ -0,0 +1,28 @@
+# Firejail profile for icedove
+# This file is overwritten after every install/update
+# Persistent local customizations
+include icedove.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Users have icedove set to open a browser by clicking a link in an email
+# We are not allowed to blacklist browser-specific directories
+noblacklist ${HOME}/.cache/icedove
+noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.icedove
+mkdir ${HOME}/.cache/icedove
+mkdir ${HOME}/.gnupg
+mkdir ${HOME}/.icedove
+whitelist ${HOME}/.cache/icedove
+whitelist ${HOME}/.gnupg
+whitelist ${HOME}/.icedove
+include whitelist-common.inc
+ignore private-tmp
+# allow browsers
+# Redirect
+include firefox.profile
diff --git a/etc/profile-a-l/iceweasel.profile b/etc/profile-a-l/iceweasel.profile
new file mode 100644
index 000000000..badd2648a
--- /dev/null
+++ b/etc/profile-a-l/iceweasel.profile
@@ -0,0 +1,13 @@
+# Firejail profile for iceweasel
+# This file is overwritten after every install/update
+# Persistent local customizations
+include iceweasel.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# private-etc must first be enabled in firefox-common.profile
+#private-etc iceweasel
+# Redirect
+include firefox.profile
diff --git a/etc/profile-a-l/idea.profile b/etc/profile-a-l/idea.profile
new file mode 100644
index 000000000..4e43bb629
--- /dev/null
+++ b/etc/profile-a-l/idea.profile
@@ -0,0 +1,10 @@
+# Firejail profile for idea
+# This file is overwritten after every install/update
+# Persistent local customizations
+include idea.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include idea.sh.profile
diff --git a/etc/profile-a-l/idea.sh.profile b/etc/profile-a-l/idea.sh.profile
new file mode 100644
index 000000000..a7d0d531f
--- /dev/null
+++ b/etc/profile-a-l/idea.sh.profile
@@ -0,0 +1,40 @@
+# Firejail profile for idea.sh
+# This file is overwritten after every install/update
+# Persistent local customizations
+include idea.sh.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.IdeaIC*
+noblacklist ${HOME}/.android
+noblacklist ${HOME}/.jack-server
+noblacklist ${HOME}/.jack-settings
+noblacklist ${HOME}/.local/share/JetBrains
+noblacklist ${HOME}/.ssh
+noblacklist ${HOME}/.tooling
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
+include disable-common.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+private-cache
+private-dev
+# private-tmp
+noexec /tmp
diff --git a/etc/profile-a-l/ideaIC.profile b/etc/profile-a-l/ideaIC.profile
new file mode 100644
index 000000000..7e1778f58
--- /dev/null
+++ b/etc/profile-a-l/ideaIC.profile
@@ -0,0 +1,10 @@
+# Firejail profile for ideaIC
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ideaIC.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include idea.sh.profile
diff --git a/etc/profile-a-l/imagej.profile b/etc/profile-a-l/imagej.profile
new file mode 100644
index 000000000..91a60c188
--- /dev/null
+++ b/etc/profile-a-l/imagej.profile
@@ -0,0 +1,41 @@
+# Firejail profile for imagej
+# Description: Image processing program with a focus on microscopy images
+# This file is overwritten after every install/update
+# Persistent local customizations
+include imagej.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.imagej
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+private-bin awk,basename,bash,cut,free,grep,hostname,imagej,ln,ls,mkdir,rm,sort,tail,touch,tr,uname,update-java-alternatives,whoami,xprop
+private-dev
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/img2txt.profile b/etc/profile-a-l/img2txt.profile
new file mode 100644
index 000000000..ae03fc8bc
--- /dev/null
+++ b/etc/profile-a-l/img2txt.profile
@@ -0,0 +1,52 @@
+# Firejail profile for img2txt
+# This file is overwritten after every install/update
+# Persistent local customizations
+include img2txt.local
+# Persistent global definitions
+include globals.local
+blacklist ${RUNUSER}/wayland-*
+noblacklist ${DOCUMENTS}
+noblacklist ${PICTURES}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+whitelist /usr/share/imlib2
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+# private-bin img2txt
+private-cache
+private-dev
+private-tmp
+dbus-user none
+dbus-system none
+memory-deny-write-execute
diff --git a/etc/profile-a-l/impressive.profile b/etc/profile-a-l/impressive.profile
new file mode 100644
index 000000000..af82fb059
--- /dev/null
+++ b/etc/profile-a-l/impressive.profile
@@ -0,0 +1,57 @@
+# Firejail profile for impressive
+# Description: presentation tool with eye candy
+# This file is overwritten after every install/update
+# Persistent local customizations
+include impressive.local
+# Persistent global definitions
+#include globals.local
+noblacklist ${DOCUMENTS}
+noblacklist /sbin
+noblacklist /usr/sbin
+# Allow python (blacklisted by disable-interpreters.inc)
+#include allow-python2.inc
+include allow-python3.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.cache/mesa_shader_cache
+whitelist /usr/share/opengl-games-utils
+whitelist /usr/share/zenity
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+private-cache
+private-dev
+private-tmp
+dbus-user none
+dbus-system none
+read-only ${HOME}
+read-write ${HOME}/.cache/mesa_shader_cache
diff --git a/etc/profile-a-l/inkscape.profile b/etc/profile-a-l/inkscape.profile
new file mode 100644
index 000000000..f14868668
--- /dev/null
+++ b/etc/profile-a-l/inkscape.profile
@@ -0,0 +1,61 @@
+# Firejail profile for inkscape
+# Description: Vector-based drawing program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include inkscape.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.cache/inkscape
+noblacklist ${HOME}/.config/inkscape
+noblacklist ${HOME}/.inkscape
+noblacklist ${DOCUMENTS}
+noblacklist ${PICTURES}
+# Allow exporting .xcf files
+noblacklist ${HOME}/.config/GIMP
+noblacklist ${HOME}/.gimp*
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+whitelist /usr/share/inkscape
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+# private-bin inkscape,potrace,python* - problems on Debian stretch
+private-cache
+private-dev
+private-tmp
+dbus-user none
+dbus-system none
+# memory-deny-write-execute
diff --git a/etc/profile-a-l/inkview.profile b/etc/profile-a-l/inkview.profile
new file mode 100644
index 000000000..4f88b0258
--- /dev/null
+++ b/etc/profile-a-l/inkview.profile
@@ -0,0 +1,11 @@
+# Firejail profile for inkview
+# Description: an SVG slideshow program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include inkview.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include inkscape.profile
diff --git a/etc/profile-a-l/inox.profile b/etc/profile-a-l/inox.profile
new file mode 100644
index 000000000..1b3db73b4
--- /dev/null
+++ b/etc/profile-a-l/inox.profile
@@ -0,0 +1,17 @@
+# Firejail profile for inox
+# This file is overwritten after every install/update
+# Persistent local customizations
+include inox.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.cache/inox
+noblacklist ${HOME}/.config/inox
+mkdir ${HOME}/.cache/inox
+mkdir ${HOME}/.config/inox
+whitelist ${HOME}/.cache/inox
+whitelist ${HOME}/.config/inox
+# Redirect
+include chromium-common.profile
diff --git a/etc/profile-a-l/iridium-browser.profile b/etc/profile-a-l/iridium-browser.profile
new file mode 100644
index 000000000..c7ee64d56
--- /dev/null
+++ b/etc/profile-a-l/iridium-browser.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for iridium
+# This file is overwritten after every install/update
+# Redirect
+include iridium.profile
diff --git a/etc/profile-a-l/iridium.profile b/etc/profile-a-l/iridium.profile
new file mode 100644
index 000000000..ebb39b0a3
--- /dev/null
+++ b/etc/profile-a-l/iridium.profile
@@ -0,0 +1,17 @@
+# Firejail profile for iridium
+# This file is overwritten after every install/update
+# Persistent local customizations
+include iridium.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.cache/iridium
+noblacklist ${HOME}/.config/iridium
+mkdir ${HOME}/.cache/iridium
+mkdir ${HOME}/.config/iridium
+whitelist ${HOME}/.cache/iridium
+whitelist ${HOME}/.config/iridium
+# Redirect
+include chromium-common.profile
diff --git a/etc/profile-a-l/itch.profile b/etc/profile-a-l/itch.profile
new file mode 100644
index 000000000..b3c78c810
--- /dev/null
+++ b/etc/profile-a-l/itch.profile
@@ -0,0 +1,42 @@
+# Firejail profile for itch
+# This file is overwritten after every install/update
+# Persistent local customizations
+include itch.local
+# Persistent global definitions
+include globals.local
+# itch.io has native firejail/sandboxing support bundled in
+# See https://itch.io/docs/itch/using/sandbox/linux.html
+noblacklist ${HOME}/.itch
+noblacklist ${HOME}/.config/itch
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+mkdir ${HOME}/.itch
+mkdir ${HOME}/.config/itch
+whitelist ${HOME}/.itch
+whitelist ${HOME}/.config/itch
+include whitelist-common.inc
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+private-dev
+private-tmp
+noexec /tmp
diff --git a/etc/profile-a-l/jd-gui.profile b/etc/profile-a-l/jd-gui.profile
new file mode 100644
index 000000000..0944051e5
--- /dev/null
+++ b/etc/profile-a-l/jd-gui.profile
@@ -0,0 +1,44 @@
+# Firejail profile for jd-gui
+# This file is overwritten after every install/update
+# Persistent local customizations
+include jd-gui.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/jd-gui.cfg
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-var-common.inc
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+private-bin bash,jd-gui,sh
+private-cache
+private-dev
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/jdownloader.profile b/etc/profile-a-l/jdownloader.profile
new file mode 100644
index 000000000..b5f892a9d
--- /dev/null
+++ b/etc/profile-a-l/jdownloader.profile
@@ -0,0 +1,10 @@
+# Firejail profile for jdownloader
+# This file is overwritten after every install/update
+# Persistent local customizations
+include jdownloader.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include JDownloader.profile
diff --git a/etc/profile-a-l/jerry.profile b/etc/profile-a-l/jerry.profile
new file mode 100644
index 000000000..b79ae0ee0
--- /dev/null
+++ b/etc/profile-a-l/jerry.profile
@@ -0,0 +1,43 @@
+# Firejail profile for jerry
+# Description: Chess GUI
+# This file is overwritten after every install/update
+# Persistent local customizations
+include jerry.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/dkl
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+private-bin bash,jerry,sh,stockfish
+private-dev
+private-etc fonts,gtk-2.0,gtk-3.0
+private-tmp
+dbus-user none
+dbus-system none
+memory-deny-write-execute
diff --git a/etc/profile-a-l/jitsi-meet-desktop.profile b/etc/profile-a-l/jitsi-meet-desktop.profile
new file mode 100644
index 000000000..c4121d835
--- /dev/null
+++ b/etc/profile-a-l/jitsi-meet-desktop.profile
@@ -0,0 +1,39 @@
+# Firejail profile for jitsi-meet-desktop
+# Description: Jitsi Meet desktop application powered by Electron
+# This file is overwritten after every install/update
+# Persistent local customizations
+include jitsi-meet-desktop.local
+# Persistent global definitions
+include globals.local
+ignore noexec /tmp
+noblacklist ${HOME}/.config/Jitsi Meet
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-xdg.inc
+nowhitelist ${DOWNLOADS}
+mkdir ${HOME}/.config/Jitsi Meet
+whitelist ${HOME}/.config/Jitsi Meet
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+seccomp !chroot
+disable-mnt
+private-bin bash,jitsi-meet-desktop
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,drirc,fonts,glvnd,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,nvidia,pango,passwd,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg
+private-tmp
+# Redirect
+include electron.profile
diff --git a/etc/profile-a-l/jitsi.profile b/etc/profile-a-l/jitsi.profile
new file mode 100644
index 000000000..223c360b8
--- /dev/null
+++ b/etc/profile-a-l/jitsi.profile
@@ -0,0 +1,32 @@
+# Firejail profile for jitsi
+# This file is overwritten after every install/update
+# Persistent local customizations
+include jitsi.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.jitsi
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+caps.drop all
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+disable-mnt
+private-cache
+private-tmp
diff --git a/etc/profile-a-l/jumpnbump-menu.profile b/etc/profile-a-l/jumpnbump-menu.profile
new file mode 100644
index 000000000..b1852b015
--- /dev/null
+++ b/etc/profile-a-l/jumpnbump-menu.profile
@@ -0,0 +1,15 @@
+# Firejail profile for jumpnbump-menu
+# Description: Level selection and config menu for the Jump 'n Bump game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include jumpnbump-menu.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+include allow-python3.inc
+private-bin jumpnbump-menu,python3*
+# Redirect
+include jumpnbump.profile
diff --git a/etc/profile-a-l/jumpnbump.profile b/etc/profile-a-l/jumpnbump.profile
new file mode 100644
index 000000000..daeb54610
--- /dev/null
+++ b/etc/profile-a-l/jumpnbump.profile
@@ -0,0 +1,49 @@
+# Firejail profile for jumpnbump
+# Description: Cute multiplayer platform game with bunnies
+# This file is overwritten after every install/update
+# Persistent local customizations
+include jumpnbump.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.jumpnbump
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.jumpnbump
+whitelist ${HOME}/.jumpnbump
+whitelist /usr/share/jumpnbump
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin jumpnbump
+private-cache
+private-dev
+private-etc none
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/k3b.profile b/etc/profile-a-l/k3b.profile
new file mode 100644
index 000000000..0c1da7ae1
--- /dev/null
+++ b/etc/profile-a-l/k3b.profile
@@ -0,0 +1,37 @@
+# Firejail profile for k3b
+# Description: Sophisticated CD/DVD burning application
+# This file is overwritten after every install/update
+# Persistent local customizations
+include k3b.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/k3brc
+noblacklist ${HOME}/.kde/share/config/k3brc
+noblacklist ${HOME}/.kde4/share/config/k3brc
+noblacklist ${MUSIC}
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-var-common.inc
+caps.keep ipc_lock,sys_nice,sys_rawio,sys_resource
+# net none
+netfilter
+no3d
+# nonewprivs - breaks privileged helpers
+# noroot - breaks privileged helpers
+nosound
+notv
+novideo
+# protocol unix - breaks privileged helpers
+# seccomp - breaks privileged helpers
+shell none
+private-dev
+# private-tmp
diff --git a/etc/profile-a-l/kaffeine.profile b/etc/profile-a-l/kaffeine.profile
new file mode 100644
index 000000000..c7f811939
--- /dev/null
+++ b/etc/profile-a-l/kaffeine.profile
@@ -0,0 +1,42 @@
+# Firejail profile for kaffeine
+# Description: Versatile media player for KDE
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kaffeine.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/kaffeinerc
+noblacklist ${HOME}/.kde/share/apps/kaffeine
+noblacklist ${HOME}/.kde/share/config/kaffeinerc
+noblacklist ${HOME}/.kde4/share/apps/kaffeine
+noblacklist ${HOME}/.kde4/share/config/kaffeinerc
+noblacklist ${HOME}/.local/share/kaffeine
+noblacklist ${MUSIC}
+noblacklist ${VIDEOS}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-var-common.inc
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+# private-bin kaffeine
+private-dev
+private-tmp
diff --git a/etc/profile-a-l/kalgebra.profile b/etc/profile-a-l/kalgebra.profile
new file mode 100644
index 000000000..e1e93163b
--- /dev/null
+++ b/etc/profile-a-l/kalgebra.profile
@@ -0,0 +1,49 @@
+# Firejail profile for kalgebra
+# Description: 2D and 3D Graph Calculator
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kalgebra.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/kalgebrarc
+noblacklist ${HOME}/.local/share/kalgebra
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+whitelist /usr/share/kalgebramobile
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp !chroot
+shell none
+# tracelog
+disable-mnt
+private-bin kalgebra,kalgebramobile
+private-cache
+private-dev
+private-etc fonts,machine-id
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/kalgebramobile.profile b/etc/profile-a-l/kalgebramobile.profile
new file mode 100644
index 000000000..d2394fe20
--- /dev/null
+++ b/etc/profile-a-l/kalgebramobile.profile
@@ -0,0 +1,5 @@
+# Firejail profile for kalgebramobile
+# This file is overwritten after every install/update
+# Redirect
+include kalgebra.profile
diff --git a/etc/profile-a-l/karbon.profile b/etc/profile-a-l/karbon.profile
new file mode 100644
index 000000000..3b2e93b0a
--- /dev/null
+++ b/etc/profile-a-l/karbon.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for krita
+# This file is overwritten after every install/update
+# Redirect
+include krita.profile
diff --git a/etc/profile-a-l/kate.profile b/etc/profile-a-l/kate.profile
new file mode 100644
index 000000000..321c4558f
--- /dev/null
+++ b/etc/profile-a-l/kate.profile
@@ -0,0 +1,53 @@
+# Firejail profile for kate
+# Description: Powerful text editor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kate.local
+# Persistent global definitions
+include globals.local
+ignore noexec ${HOME}
+noblacklist ${HOME}/.config/katemetainfos
+noblacklist ${HOME}/.config/katepartrc
+noblacklist ${HOME}/.config/katerc
+noblacklist ${HOME}/.config/kateschemarc
+noblacklist ${HOME}/.config/katesyntaxhighlightingrc
+noblacklist ${HOME}/.config/katevirc
+noblacklist ${HOME}/.local/share/kate
+include disable-common.inc
+# include disable-devel.inc
+include disable-exec.inc
+# include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include whitelist-var-common.inc
+# apparmor
+caps.drop all
+# net none
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+# private-bin kate,kbuildsycoca4,kdeinit4
+private-dev
+# private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,xdg
+private-tmp
+# dbus-user none
+# dbus-system none
+join-or-start kate
diff --git a/etc/profile-a-l/kcalc.profile b/etc/profile-a-l/kcalc.profile
new file mode 100644
index 000000000..6f94777aa
--- /dev/null
+++ b/etc/profile-a-l/kcalc.profile
@@ -0,0 +1,49 @@
+# Firejail profile for kcalc
+# Description: Simple and scientific calculator
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kcalc.local
+# Persistent global definitions
+include globals.local
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+mkfile ${HOME}/.config/kcalcrc
+mkfile ${HOME}/.kde/share/config/kcalcrc
+mkfile ${HOME}/.kde4/share/config/kcalcrc
+whitelist ${HOME}/.config/kcalcrc
+whitelist ${HOME}/.kde/share/config/kcalcrc
+whitelist ${HOME}/.kde4/share/config/kcalcrc
+include whitelist-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+disable-mnt
+private-bin kcalc
+private-dev
+# private-lib - problems on Arch
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/kdeinit4.profile b/etc/profile-a-l/kdeinit4.profile
new file mode 100644
index 000000000..082045c62
--- /dev/null
+++ b/etc/profile-a-l/kdeinit4.profile
@@ -0,0 +1,36 @@
+# Firejail profile for kdeinit4
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kdeinit4.local
+# Persistent global definitions
+include globals.local
+# use outside KDE Plasma 4
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include whitelist-var-common.inc
+caps.drop all
+netfilter
+no3d
+nogroups
+nonewprivs
+# nosound - disabled for knotify
+noroot
+nou2f
+novideo
+notv
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+private-bin kbuildsycoca4,kded4,kdeinit4,knotify4
+private-dev
+private-tmp
diff --git a/etc/profile-a-l/kdenlive.profile b/etc/profile-a-l/kdenlive.profile
new file mode 100644
index 000000000..e3560cb35
--- /dev/null
+++ b/etc/profile-a-l/kdenlive.profile
@@ -0,0 +1,40 @@
+# Firejail profile for kdenlive
+# Description: Non-linear video editor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kdenlive.local
+# Persistent global definitions
+include globals.local
+ignore noexec ${HOME}
+noblacklist ${HOME}/.cache/kdenlive
+noblacklist ${HOME}/.config/kdenliverc
+noblacklist ${HOME}/.local/share/kdenlive
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+apparmor
+caps.drop all
+# net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,netlink
+seccomp
+shell none
+private-bin dbus-launch,dvdauthor,ffmpeg,ffplay,ffprobe,genisoimage,kdeinit4,kdeinit4_shutdown,kdeinit4_wrapper,kdeinit5,kdeinit5_shutdown,kdeinit5_wrapper,kdenlive,kdenlive_render,kshell4,kshell5,melt,mlt-melt,vlc,xine
+private-dev
+# private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,pulse,X11,xdg
+# dbus-user none
+# dbus-system none
diff --git a/etc/profile-a-l/keepass.profile b/etc/profile-a-l/keepass.profile
new file mode 100644
index 000000000..9852f8a79
--- /dev/null
+++ b/etc/profile-a-l/keepass.profile
@@ -0,0 +1,44 @@
+# Firejail profile for keepass
+# Description: An easy-to-use password manager
+# This file is overwritten after every install/update
+# Persistent local customizations
+include keepass.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/*.kdb
+noblacklist ${HOME}/*.kdbx
+noblacklist ${HOME}/.config/KeePass
+noblacklist ${HOME}/.config/keepass
+noblacklist ${HOME}/.keepass
+noblacklist ${HOME}/.local/share/KeePass
+noblacklist ${HOME}/.local/share/keepass
+noblacklist ${DOCUMENTS}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+private-cache
+private-dev
+private-tmp
diff --git a/etc/profile-a-l/keepass2.profile b/etc/profile-a-l/keepass2.profile
new file mode 100644
index 000000000..aef236ccc
--- /dev/null
+++ b/etc/profile-a-l/keepass2.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for keepass
+# This file is overwritten after every install/update
+# Redirect
+include keepass.profile
diff --git a/etc/profile-a-l/keepassx.profile b/etc/profile-a-l/keepassx.profile
new file mode 100644
index 000000000..b8239e140
--- /dev/null
+++ b/etc/profile-a-l/keepassx.profile
@@ -0,0 +1,50 @@
+# Firejail profile for keepassx
+# Description: Cross Platform Password Manager
+# This file is overwritten after every install/update
+# Persistent local customizations
+include keepassx.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/*.kdb
+noblacklist ${HOME}/*.kdbx
+noblacklist ${HOME}/.config/keepassx
+noblacklist ${HOME}/.keepassx
+noblacklist ${DOCUMENTS}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-var-common.inc
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+private-bin keepassx,keepassx2
+private-dev
+private-etc alternatives,fonts,machine-id
+private-tmp
+dbus-user none
+dbus-system none
+memory-deny-write-execute
diff --git a/etc/profile-a-l/keepassx2.profile b/etc/profile-a-l/keepassx2.profile
new file mode 100644
index 000000000..fdd27e9f9
--- /dev/null
+++ b/etc/profile-a-l/keepassx2.profile
@@ -0,0 +1,6 @@
+# Firejail profile for keepassx2
+# Description: Cross platform password manager
+# This file is overwritten after every install/update
+# Redirects
+include keepassx.profile
diff --git a/etc/profile-a-l/keepassxc-cli.profile b/etc/profile-a-l/keepassxc-cli.profile
new file mode 100644
index 000000000..925609384
--- /dev/null
+++ b/etc/profile-a-l/keepassxc-cli.profile
@@ -0,0 +1,11 @@
+# Firejail profile for keepassxc-cli
+# Description: command line interface for KeePassXC
+# This file is overwritten after every install/update
+# Persistent local customizations
+include keepassxc-cli.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include keepassxc.profile
diff --git a/etc/profile-a-l/keepassxc-proxy.profile b/etc/profile-a-l/keepassxc-proxy.profile
new file mode 100644
index 000000000..b2b6763ee
--- /dev/null
+++ b/etc/profile-a-l/keepassxc-proxy.profile
@@ -0,0 +1,10 @@
+# Firejail profile for keepassxc-cli
+# This file is overwritten after every install/update
+# Persistent local customizations
+include keepassxc-proxy.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include keepassxc.profile
diff --git a/etc/profile-a-l/keepassxc.profile b/etc/profile-a-l/keepassxc.profile
new file mode 100644
index 000000000..43dbad5f9
--- /dev/null
+++ b/etc/profile-a-l/keepassxc.profile
@@ -0,0 +1,62 @@
+# Firejail profile for keepassxc
+# Description: Cross Platform Password Manager
+# This file is overwritten after every install/update
+# Persistent local customizations
+include keepassxc.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/*.kdb
+noblacklist ${HOME}/*.kdbx
+noblacklist ${HOME}/.config/keepassxc
+noblacklist ${HOME}/.keepassxc
+# 2.2.4 needs this path when compiled with "Native messaging browser extension"
+noblacklist ${HOME}/.mozilla
+noblacklist ${DOCUMENTS}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+whitelist /usr/share/keepassxc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+# Breaks 'Lock database when session is locked or lid is closed' (#2899).
+# Also breaks (Plasma) tray icon,
+# you can safely uncomment it or add to keepassxc.local if you don't need these features.
+#
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+tracelog
+private-bin keepassxc,keepassxc-cli,keepassxc-proxy
+private-dev
+private-etc alternatives,fonts,ld.so.cache,machine-id
+private-tmp
+# Breaks 'Lock database when session is locked or lid is closed' (#2899).
+# Also breaks (Plasma) tray icon,
+# you can safely uncomment it or add to keepassxc.local if you don't need these features.
+# dbus-user none
+# dbus-system none
+# Mutex is stored in /tmp by default, which is broken by private-tmp
+join-or-start keepassxc
diff --git a/etc/profile-a-l/kfind.profile b/etc/profile-a-l/kfind.profile
new file mode 100644
index 000000000..ed815676a
--- /dev/null
+++ b/etc/profile-a-l/kfind.profile
@@ -0,0 +1,47 @@
+# Firejail profile for kfind
+# Description: File search utility
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kfind.local
+# Persistent global definitions
+include globals.local
+# searching in blacklisted or masked paths fails silently
+# adjust filesystem restrictions as necessary
+# noblacklist ${HOME}/.cache/kfind - disable-programs.inc is disabled, see below
+# noblacklist ${HOME}/.config/kfindrc
+# noblacklist ${HOME}/.kde/share/config/kfindrc
+# noblacklist ${HOME}/.kde4/share/config/kfindrc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+# include disable-programs.inc
+apparmor
+caps.drop all
+machine-id
+# net none
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+# private-bin kbuildsycoca4,kdeinit4,kfind
+private-dev
+private-tmp
+# dbus-user none
+# dbus-system none
diff --git a/etc/profile-a-l/kget.profile b/etc/profile-a-l/kget.profile
new file mode 100644
index 000000000..485edc1a4
--- /dev/null
+++ b/etc/profile-a-l/kget.profile
@@ -0,0 +1,41 @@
+# Firejail profile for kget
+# Description: Download manager
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kget.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/kgetrc
+noblacklist ${HOME}/.kde/share/apps/kget
+noblacklist ${HOME}/.kde/share/config/kgetrc
+noblacklist ${HOME}/.kde4/share/apps/kget
+noblacklist ${HOME}/.kde4/share/config/kgetrc
+noblacklist ${HOME}/.local/share/kget
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include whitelist-var-common.inc
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+private-dev
+private-tmp
+# memory-deny-write-execute
diff --git a/etc/profile-a-l/kid3-cli.profile b/etc/profile-a-l/kid3-cli.profile
new file mode 100644
index 000000000..bee62b5d9
--- /dev/null
+++ b/etc/profile-a-l/kid3-cli.profile
@@ -0,0 +1,6 @@
+# Firejail profile for kid3-cli
+# This file is overwritten after every install/update
+include kid3-cli.local
+# Redirect
+include kid3.profile
diff --git a/etc/profile-a-l/kid3-qt.profile b/etc/profile-a-l/kid3-qt.profile
new file mode 100644
index 000000000..9bcede077
--- /dev/null
+++ b/etc/profile-a-l/kid3-qt.profile
@@ -0,0 +1,8 @@
+# Firejail profile for kid3-qt
+# This file is overwritten after every install/update
+include kid3-qt.local
+noblacklist ${HOME}/.config/Kid3
+# Redirect
+include kid3.profile
diff --git a/etc/profile-a-l/kid3.profile b/etc/profile-a-l/kid3.profile
new file mode 100644
index 000000000..cce92a93f
--- /dev/null
+++ b/etc/profile-a-l/kid3.profile
@@ -0,0 +1,47 @@
+# Firejail profile for kid3
+# Description: Audio Tag Editor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kid3.local
+# Persistent global definitions
+include globals.local
+noblacklist ${MUSIC}
+noblacklist ${HOME}/.config/kid3rc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hostname,hosts,kde5rc,machine-id,pki,pulse,resolv.conf,ssl
+private-tmp
+private-opt none
+private-srv none
+dbus-user none
+dbus-system none
+memory-deny-write-execute
diff --git a/etc/profile-a-l/kino.profile b/etc/profile-a-l/kino.profile
new file mode 100644
index 000000000..b3ade0dd9
--- /dev/null
+++ b/etc/profile-a-l/kino.profile
@@ -0,0 +1,37 @@
+# Firejail profile for kino
+# Description: Non-linear editor for Digital Video data
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kino.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.kino-history
+noblacklist ${HOME}/.kinorc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+private-cache
+private-dev
+private-tmp
diff --git a/etc/profile-a-l/kiwix-desktop.profile b/etc/profile-a-l/kiwix-desktop.profile
new file mode 100644
index 000000000..d222d6d24
--- /dev/null
+++ b/etc/profile-a-l/kiwix-desktop.profile
@@ -0,0 +1,51 @@
+# Firejail profile for kiwix-desktop
+# Description: view/manage ZIM files
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kiwix-desktop.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.local/share/kiwix
+noblacklist ${HOME}/.local/share/kiwix-desktop
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.local/share/kiwix
+mkdir ${HOME}/.local/share/kiwix-desktop
+whitelist ${HOME}/.local/share/kiwix
+whitelist ${HOME}/.local/share/kiwix-desktop
+include whitelist-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+# no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+# nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp !chroot
+shell none
+disable-mnt
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,machine-id,pki,pulse,resolv.conf,ssl
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/klatexformula.profile b/etc/profile-a-l/klatexformula.profile
new file mode 100644
index 000000000..10b689ce5
--- /dev/null
+++ b/etc/profile-a-l/klatexformula.profile
@@ -0,0 +1,45 @@
+# Firejail profile for klatexformula
+# Description: generating images from LaTeX equations
+# This file is overwritten after every install/update
+# Persistent local customizations
+include klatexformula.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.kde/share/apps/klatexformula
+noblacklist ${HOME}/.klatexformula
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+private-cache
+private-dev
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/klatexformula_cmdl.profile b/etc/profile-a-l/klatexformula_cmdl.profile
new file mode 100644
index 000000000..9137963c4
--- /dev/null
+++ b/etc/profile-a-l/klatexformula_cmdl.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for klatexformula_cmdl
+# This file is overwritten after every install/update
+# Redirect
+include klatexformula.profile
diff --git a/etc/profile-a-l/klavaro.profile b/etc/profile-a-l/klavaro.profile
new file mode 100644
index 000000000..c03d75098
--- /dev/null
+++ b/etc/profile-a-l/klavaro.profile
@@ -0,0 +1,54 @@
+# Firejail profile for klavaro
+# Description: Yet another touch typing tutor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include klavaro.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/klavaro
+noblacklist ${HOME}/.local/share/klavaro
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.local/share/klavaro
+mkdir ${HOME}/.config/klavaro
+whitelist ${HOME}/.local/share/klavaro
+whitelist ${HOME}/.config/klavaro
+include whitelist-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin bash,klavaro,sh,tclsh,tclsh*
+private-cache
+private-dev
+private-etc alternatives,fonts
+private-tmp
+private-opt none
+private-srv none
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/kmail.profile b/etc/profile-a-l/kmail.profile
new file mode 100644
index 000000000..198b05a11
--- /dev/null
+++ b/etc/profile-a-l/kmail.profile
@@ -0,0 +1,60 @@
+# Firejail profile for kmail
+# Description: Full featured graphical email client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kmail.local
+# Persistent global definitions
+include globals.local
+# kmail has problems launching akonadi in debian and ubuntu.
+# one solution is to have akonadi already running when kmail is started
+noblacklist ${HOME}/.cache/akonadi*
+noblacklist ${HOME}/.cache/kmail2
+noblacklist ${HOME}/.config/akonadi*
+noblacklist ${HOME}/.config/baloorc
+noblacklist ${HOME}/.config/emaildefaults
+noblacklist ${HOME}/.config/emailidentities
+noblacklist ${HOME}/.config/kmail2rc
+noblacklist ${HOME}/.config/kmailsearchindexingrc
+noblacklist ${HOME}/.config/mailtransports
+noblacklist ${HOME}/.config/specialmailcollectionsrc
+noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.local/share/akonadi*
+noblacklist ${HOME}/.local/share/apps/korganizer
+noblacklist ${HOME}/.local/share/contacts
+noblacklist ${HOME}/.local/share/emailidentities
+noblacklist ${HOME}/.local/share/kmail2
+noblacklist ${HOME}/.local/share/local-mail
+noblacklist ${HOME}/.local/share/notes
+noblacklist /tmp/akonadi-*
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include whitelist-var-common.inc
+# apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+# we need to allow chroot, io_getevents, ioprio_set, io_setup, io_submit system calls
+seccomp !chroot,!io_getevents,!io_setup,!io_submit,!ioprio_set
+# tracelog
+private-dev
+# private-tmp - interrupts connection to akonadi, breaks opening of email attachments
+# writable-run-user is needed for signing and encrypting emails
+writable-run-user
diff --git a/etc/profile-a-l/kmplayer.profile b/etc/profile-a-l/kmplayer.profile
new file mode 100644
index 000000000..7eabde61d
--- /dev/null
+++ b/etc/profile-a-l/kmplayer.profile
@@ -0,0 +1,41 @@
+# Firejail profile for mplayer
+# Description: mplayer KDE GUI (movie player)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kmplayer.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/kmplayerrc
+noblacklist ${HOME}/.kde/share/config/kmplayerrc
+noblacklist ${HOME}/.local/share/kmplayer
+noblacklist ${MUSIC}
+noblacklist ${VIDEOS}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+# private-bin kmplayer,mplayer
+private-cache
+private-dev
+private-tmp
diff --git a/etc/profile-a-l/knotes.profile b/etc/profile-a-l/knotes.profile
new file mode 100644
index 000000000..ababfcdb1
--- /dev/null
+++ b/etc/profile-a-l/knotes.profile
@@ -0,0 +1,17 @@
+# Firejail profile for knotes
+# Description: Sticky notes application
+# This file is overwritten after every install/update
+# Persistent local customizations
+include knotes.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# knotes has problems launching akonadi in debian and ubuntu.
+# one solution is to have akonadi already running when knotes is started
+noblacklist ${HOME}/.config/knotesrc
+noblacklist ${HOME}/.local/share/knotes
+# Redirect
+include kmail.profile
diff --git a/etc/profile-a-l/kodi.profile b/etc/profile-a-l/kodi.profile
new file mode 100644
index 000000000..86afe46b5
--- /dev/null
+++ b/etc/profile-a-l/kodi.profile
@@ -0,0 +1,44 @@
+# Firejail profile for kodi
+# Description: Open Source Home Theatre
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kodi.local
+# Persistent global definitions
+include globals.local
+# noexec ${HOME} breaks plugins
+ignore noexec ${HOME}
+noblacklist ${HOME}/.kodi
+noblacklist ${MUSIC}
+noblacklist ${PICTURES}
+noblacklist ${VIDEOS}
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+private-dev
+private-tmp
diff --git a/etc/profile-a-l/konversation.profile b/etc/profile-a-l/konversation.profile
new file mode 100644
index 000000000..dd3e9617f
--- /dev/null
+++ b/etc/profile-a-l/konversation.profile
@@ -0,0 +1,42 @@
+# Firejail profile for konversation
+# Description: User friendly Internet Relay Chat (IRC) client for KDE
+# This file is overwritten after every install/update
+# Persistent local customizations
+include konversation.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/konversationrc
+noblacklist ${HOME}/.kde/share/config/konversationrc
+noblacklist ${HOME}/.kde4/share/config/konversationrc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-var-common.inc
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+private-bin kbuildsycoca4,konversation
+private-cache
+private-dev
+private-tmp
+# memory-deny-write-execute
diff --git a/etc/profile-a-l/kopete.profile b/etc/profile-a-l/kopete.profile
new file mode 100644
index 000000000..e0bdce059
--- /dev/null
+++ b/etc/profile-a-l/kopete.profile
@@ -0,0 +1,38 @@
+# Firejail profile for kopete
+# Description: Instant messaging and chat application
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kopete.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.kde/share/apps/kopete
+noblacklist ${HOME}/.kde/share/config/kopeterc
+noblacklist ${HOME}/.kde4/share/apps/kopete
+noblacklist ${HOME}/.kde4/share/config/kopeterc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+whitelist /var/lib/winpopup
+include whitelist-var-common.inc
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp
+private-dev
+private-tmp
+writable-var
diff --git a/etc/profile-a-l/krita.profile b/etc/profile-a-l/krita.profile
new file mode 100644
index 000000000..be9921478
--- /dev/null
+++ b/etc/profile-a-l/krita.profile
@@ -0,0 +1,51 @@
+# Firejail profile for krita
+# Description: Pixel-based image manipulation program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include krita.local
+# Persistent global definitions
+include globals.local
+# noexec ${HOME} may break krita, see issue #1953
+ignore noexec ${HOME}
+noblacklist ${HOME}/.config/kritarc
+noblacklist ${HOME}/.local/share/krita
+noblacklist ${DOCUMENTS}
+noblacklist ${PICTURES}
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+apparmor
+caps.drop all
+ipc-namespace
+# net none
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+private-cache
+private-dev
+private-tmp
+# dbus-user none
+# dbus-system none
diff --git a/etc/profile-a-l/krunner.profile b/etc/profile-a-l/krunner.profile
new file mode 100644
index 000000000..c64113c15
--- /dev/null
+++ b/etc/profile-a-l/krunner.profile
@@ -0,0 +1,38 @@
+# Firejail profile for krunner
+# Description: Framework for providing different actions given a string query
+# This file is overwritten after every install/update
+# Persistent local customizations
+include krunner.local
+# Persistent global definitions
+include globals.local
+# - programs started in krunner run with this generic profile.
+# - when a file is opened in krunner, the file viewer runs in its own sandbox
+#   with its own profile, if it is sandboxed automatically.
+# noblacklist ${HOME}/.cache/krunner
+# noblacklist ${HOME}/.cache/krunnerbookmarkrunnerfirefoxdbfile.sqlite*
+# noblacklist ${HOME}/.config/chromium
+noblacklist ${HOME}/.config/krunnerrc
+noblacklist ${HOME}/.kde/share/config/krunnerrc
+noblacklist ${HOME}/.kde4/share/config/krunnerrc
+# noblacklist ${HOME}/.local/share/baloo
+# noblacklist ${HOME}/.mozilla
+include disable-common.inc
+# include disable-devel.inc
+# include disable-interpreters.inc
+# include disable-passwdmgr.inc
+# include disable-programs.inc
+include whitelist-var-common.inc
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+# private-cache
diff --git a/etc/profile-a-l/ktorrent.profile b/etc/profile-a-l/ktorrent.profile
new file mode 100644
index 000000000..2eb46a7e8
--- /dev/null
+++ b/etc/profile-a-l/ktorrent.profile
@@ -0,0 +1,60 @@
+# Firejail profile for ktorrent
+# Description: BitTorrent client based on the KDE platform
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ktorrent.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/ktorrentrc
+noblacklist ${HOME}/.kde/share/apps/ktorrent
+noblacklist ${HOME}/.kde/share/config/ktorrentrc
+noblacklist ${HOME}/.kde4/share/apps/ktorrent
+noblacklist ${HOME}/.kde4/share/config/ktorrentrc
+noblacklist ${HOME}/.local/share/ktorrent
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+mkdir ${HOME}/.kde/share/apps/ktorrent
+mkdir ${HOME}/.kde4/share/apps/ktorrent
+mkdir ${HOME}/.local/share/ktorrent
+mkfile ${HOME}/.config/ktorrentrc
+mkfile ${HOME}/.kde/share/config/ktorrentrc
+mkfile ${HOME}/.kde4/share/config/ktorrentrc
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.config/ktorrentrc
+whitelist ${HOME}/.kde/share/apps/ktorrent
+whitelist ${HOME}/.kde/share/config/ktorrentrc
+whitelist ${HOME}/.kde4/share/apps/ktorrent
+whitelist ${HOME}/.kde4/share/config/ktorrentrc
+whitelist ${HOME}/.local/share/ktorrent
+include whitelist-common.inc
+include whitelist-var-common.inc
+caps.drop all
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+private-bin kbuildsycoca4,kdeinit4,ktorrent
+private-dev
+# private-lib - problems on Arch
+private-tmp
+# memory-deny-write-execute
diff --git a/etc/profile-a-l/ktouch.profile b/etc/profile-a-l/ktouch.profile
new file mode 100644
index 000000000..b23b23730
--- /dev/null
+++ b/etc/profile-a-l/ktouch.profile
@@ -0,0 +1,52 @@
+# Firejail profile for KTouch
+# Description: a typing tutor by KDE
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ktouch.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/ktouch2rc
+noblacklist ${HOME}/.local/share/ktouch
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkfile ${HOME}/.config/ktouch2rc
+mkdir ${HOME}/.local/share/ktouch
+whitelist ${HOME}/.config/ktouch2rc
+whitelist ${HOME}/.local/share/ktouch
+include whitelist-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin ktouch
+private-cache
+private-dev
+private-etc alternatives,fonts,kde5rc,machine-id
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/kwin_x11.profile b/etc/profile-a-l/kwin_x11.profile
new file mode 100644
index 000000000..d512dd100
--- /dev/null
+++ b/etc/profile-a-l/kwin_x11.profile
@@ -0,0 +1,45 @@
+# Firejail profile for kwin_x11
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kwin_x11.local
+# Persistent global definitions
+include globals.local
+# fix automatical kwin_x11 sandboxing:
+# echo KDEWM=kwin_x11 >> ~/.pam_environment
+noblacklist ${HOME}/.cache/kwin
+noblacklist ${HOME}/.config/kwinrc
+noblacklist ${HOME}/.config/kwinrulesrc
+noblacklist ${HOME}/.local/share/kwin
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-var-common.inc
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin kwin_x11
+private-dev
+private-etc alternatives,drirc,fonts,kde5rc,ld.so.cache,machine-id,xdg
+private-tmp
diff --git a/etc/profile-a-l/kwrite.profile b/etc/profile-a-l/kwrite.profile
new file mode 100644
index 000000000..a71e3bfb9
--- /dev/null
+++ b/etc/profile-a-l/kwrite.profile
@@ -0,0 +1,53 @@
+# Firejail profile for kwrite
+# Description: Simple text editor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kwrite.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/katepartrc
+noblacklist ${HOME}/.config/katerc
+noblacklist ${HOME}/.config/kateschemarc
+noblacklist ${HOME}/.config/katesyntaxhighlightingrc
+noblacklist ${HOME}/.config/katevirc
+noblacklist ${HOME}/.config/kwriterc
+noblacklist ${HOME}/.local/share/kwrite
+noblacklist ${DOCUMENTS}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+# net none
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+# nosound - KWrite is using ALSA!
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+private-bin kbuildsycoca4,kdeinit4,kwrite
+private-dev
+private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,pulse,xdg
+private-tmp
+# dbus-user none
+# dbus-system none
+join-or-start kwrite
diff --git a/etc/profile-a-l/latex-common.profile b/etc/profile-a-l/latex-common.profile
new file mode 100644
index 000000000..b090be726
--- /dev/null
+++ b/etc/profile-a-l/latex-common.profile
@@ -0,0 +1,41 @@
+# Firejail profile for latex-common
+# This file is overwritten after every install/update
+# Persistent local customizations
+include latex-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+whitelist /var/lib
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+private-cache
+private-dev
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/latex.profile b/etc/profile-a-l/latex.profile
new file mode 100644
index 000000000..2230dd570
--- /dev/null
+++ b/etc/profile-a-l/latex.profile
@@ -0,0 +1,12 @@
+# Firejail profile for latex
+# This file is overwritten after every install/update
+# Persistent local customizations
+include latex.local
+# Persistent global definitions
+include globals.local
+private-bin latex
+# Redirect
+include latex-common.profile
diff --git a/etc/profile-a-l/lbunzip2.profile b/etc/profile-a-l/lbunzip2.profile
new file mode 100644
index 000000000..338d8c8bb
--- /dev/null
+++ b/etc/profile-a-l/lbunzip2.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for gzip
+# Description: GNU compression utilities
+# This file is overwritten after every install/update
+# Redirect
+include gzip.profile
diff --git a/etc/profile-a-l/lbzcat.profile b/etc/profile-a-l/lbzcat.profile
new file mode 100644
index 000000000..338d8c8bb
--- /dev/null
+++ b/etc/profile-a-l/lbzcat.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for gzip
+# Description: GNU compression utilities
+# This file is overwritten after every install/update
+# Redirect
+include gzip.profile
diff --git a/etc/profile-a-l/lbzip2.profile b/etc/profile-a-l/lbzip2.profile
new file mode 100644
index 000000000..338d8c8bb
--- /dev/null
+++ b/etc/profile-a-l/lbzip2.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for gzip
+# Description: GNU compression utilities
+# This file is overwritten after every install/update
+# Redirect
+include gzip.profile
diff --git a/etc/profile-a-l/leafpad.profile b/etc/profile-a-l/leafpad.profile
new file mode 100644
index 000000000..c456541aa
--- /dev/null
+++ b/etc/profile-a-l/leafpad.profile
@@ -0,0 +1,40 @@
+# Firejail profile for leafpad
+# Description: GTK+ based simple text editor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include leafpad.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/leafpad
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+private-bin leafpad
+private-dev
+private-lib
+private-tmp
diff --git a/etc/profile-a-l/less.profile b/etc/profile-a-l/less.profile
new file mode 100644
index 000000000..de6fa67d1
--- /dev/null
+++ b/etc/profile-a-l/less.profile
@@ -0,0 +1,52 @@
+# Firejail profile for less
+# Description: Pager program similar to more
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include less.local
+# Persistent global definitions
+include globals.local
+blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
+noblacklist ${HOME}/.lesshst
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nonewprivs
+#noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+# The user can have a custom coloring script configured in ${HOME}/.lessfilter.
+# Enable private-bin and private-lib if you are not using any filter.
+# private-bin less
+# private-lib
+private-cache
+private-dev
+writable-var-log
+dbus-user none
+dbus-system none
+memory-deny-write-execute
+read-only ${HOME}
+read-write ${HOME}/.lesshst
diff --git a/etc/profile-a-l/libreoffice.profile b/etc/profile-a-l/libreoffice.profile
new file mode 100644
index 000000000..aa113883e
--- /dev/null
+++ b/etc/profile-a-l/libreoffice.profile
@@ -0,0 +1,49 @@
+# Firejail profile for libreoffice
+# Description: Office productivity suite
+# This file is overwritten after every install/update
+# Persistent local customizations
+include libreoffice.local
+# Persistent global definitions
+include globals.local
+noblacklist /usr/local/sbin
+noblacklist ${HOME}/.config/libreoffice
+# libreoffice uses java for some certain operations
+# comment if you don't care about java functionality
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include whitelist-var-common.inc
+# ubuntu 18.04 comes with its own apparmor profile, but it is not in enforce mode.
+# comment the next line to use the ubuntu profile instead of firejail's apparmor profile
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+# comment nonewprivs when using the ubuntu 18.04/debian 10 apparmor profile
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+# comment the protocol line when using the ubuntu 18.04/debian 10 apparmor profile
+protocol unix,inet,inet6
+# comment seccomp when using the ubuntu 18.04/debian 10 apparmor profile
+seccomp
+shell none
+# comment tracelog when using the ubuntu 18.04/debian 10 apparmor profile
+tracelog
+private-dev
+private-tmp
+join-or-start libreoffice
diff --git a/etc/profile-a-l/liferea.profile b/etc/profile-a-l/liferea.profile
new file mode 100644
index 000000000..7cfd4fc10
--- /dev/null
+++ b/etc/profile-a-l/liferea.profile
@@ -0,0 +1,53 @@
+# Firejail profile for liferea
+# Description: Feed/news/podcast client with plugin support
+# This file is overwritten after every install/update
+# Persistent local customizations
+include liferea.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.cache/liferea
+noblacklist ${HOME}/.config/liferea
+noblacklist ${HOME}/.local/share/liferea
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+mkdir ${HOME}/.cache/liferea
+mkdir ${HOME}/.config/liferea
+mkdir ${HOME}/.local/share/liferea
+whitelist ${HOME}/.cache/liferea
+whitelist ${HOME}/.config/liferea
+whitelist ${HOME}/.local/share/liferea
+whitelist /usr/share/liferea
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+caps.drop all
+netfilter
+# no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+# nosound
+notv
+nou2f
+# novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+disable-mnt
+private-dev
+private-tmp
diff --git a/etc/profile-a-l/lightsoff.profile b/etc/profile-a-l/lightsoff.profile
new file mode 100644
index 000000000..c065c44a9
--- /dev/null
+++ b/etc/profile-a-l/lightsoff.profile
@@ -0,0 +1,16 @@
+# Firejail profile for lightsoff
+# Description: GNOME Lightsoff game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include lightsoff.local
+# Persistent global definitions
+include globals.local
+whitelist /usr/share/lightsoff
+private-bin lightsoff
+dbus-user.own org.gnome.LightsOff
+# Redirect
+include gnome_games-common.profile
diff --git a/etc/profile-a-l/lincity-ng.profile b/etc/profile-a-l/lincity-ng.profile
new file mode 100644
index 000000000..624d4a8bd
--- /dev/null
+++ b/etc/profile-a-l/lincity-ng.profile
@@ -0,0 +1,47 @@
+# Firejail profile for lincity-ng
+# Description: City simulation game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include lincity-ng.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.lincity-ng
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.lincity-ng
+whitelist ${HOME}/.lincity-ng
+include whitelist-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin lincity-ng
+private-cache
+private-dev
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/links.profile b/etc/profile-a-l/links.profile
new file mode 100644
index 000000000..b2f94d3cf
--- /dev/null
+++ b/etc/profile-a-l/links.profile
@@ -0,0 +1,66 @@
+# Firejail profile for links
+# Description: Text WWW browser
+# This file is overwritten after every install/update
+# Persistent local customizations
+include links.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.links
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+# you may want to noblacklist files/directories blacklisted in
+# disable-programs.inc and used as associated programs
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.links
+whitelist ${HOME}/.links
+whitelist ${DOWNLOADS}
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+caps.drop all
+ipc-namespace
+# comment machine-id (or put 'ignore machine-id' in your links.local) if you want
+# to allow access only to user-configured associated media player
+machine-id
+netfilter
+# comment no3d (or put 'ignore no3d' in your links.local) if you want
+# to allow access only to user-configured associated media player
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+# comment nosound (or put 'ignore nosound' in your links.local) if you want
+# to allow access only to user-configured associated media player
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+disable-mnt
+# if you want to use user-configured programs add 'private-bin PROGRAM1,PROGRAM2' to your links.local
+# or append 'PROGRAM1,PROGRAM2' to this private-bin line
+private-bin links,sh
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
+# Uncomment the following line (or put it in your links.local) allow external
+# media players
+# private-etc alsa,asound.conf,machine-id,openal,pulse
+private-tmp
+memory-deny-write-execute
diff --git a/etc/profile-a-l/linphone.profile b/etc/profile-a-l/linphone.profile
new file mode 100644
index 000000000..dc156b298
--- /dev/null
+++ b/etc/profile-a-l/linphone.profile
@@ -0,0 +1,43 @@
+# Firejail profile for linphone
+# Description: SIP softphone - graphical client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include linphone.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.linphone-history.db
+noblacklist ${HOME}/.linphonerc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+mkfile ${HOME}/.linphone-history.db
+mkfile ${HOME}/.linphonerc
+whitelist ${HOME}/.linphone-history.db
+whitelist ${HOME}/.linphonerc
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+disable-mnt
+private-dev
+private-tmp
diff --git a/etc/profile-a-l/lmms.profile b/etc/profile-a-l/lmms.profile
new file mode 100644
index 000000000..afe1ad635
--- /dev/null
+++ b/etc/profile-a-l/lmms.profile
@@ -0,0 +1,40 @@
+# Firejail profile for lmms
+# Description: Linux Multimedia Studio
+# This file is overwritten after every install/update
+# Persistent local customizations
+include lmms.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.lmmsrc.xml
+noblacklist ${DOCUMENTS}
+noblacklist ${MUSIC}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+caps.drop all
+ipc-namespace
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+private-dev
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/lobase.profile b/etc/profile-a-l/lobase.profile
new file mode 100644
index 000000000..8348a57fe
--- /dev/null
+++ b/etc/profile-a-l/lobase.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for libreoffice
+# This file is overwritten after every install/update
+# Redirect
+include libreoffice.profile
diff --git a/etc/profile-a-l/localc.profile b/etc/profile-a-l/localc.profile
new file mode 100644
index 000000000..8348a57fe
--- /dev/null
+++ b/etc/profile-a-l/localc.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for libreoffice
+# This file is overwritten after every install/update
+# Redirect
+include libreoffice.profile
diff --git a/etc/profile-a-l/lodraw.profile b/etc/profile-a-l/lodraw.profile
new file mode 100644
index 000000000..8348a57fe
--- /dev/null
+++ b/etc/profile-a-l/lodraw.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for libreoffice
+# This file is overwritten after every install/update
+# Redirect
+include libreoffice.profile
diff --git a/etc/profile-a-l/loffice.profile b/etc/profile-a-l/loffice.profile
new file mode 100644
index 000000000..8348a57fe
--- /dev/null
+++ b/etc/profile-a-l/loffice.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for libreoffice
+# This file is overwritten after every install/update
+# Redirect
+include libreoffice.profile
diff --git a/etc/profile-a-l/lofromtemplate.profile b/etc/profile-a-l/lofromtemplate.profile
new file mode 100644
index 000000000..8348a57fe
--- /dev/null
+++ b/etc/profile-a-l/lofromtemplate.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for libreoffice
+# This file is overwritten after every install/update
+# Redirect
+include libreoffice.profile
diff --git a/etc/profile-a-l/loimpress.profile b/etc/profile-a-l/loimpress.profile
new file mode 100644
index 000000000..8348a57fe
--- /dev/null
+++ b/etc/profile-a-l/loimpress.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for libreoffice
+# This file is overwritten after every install/update
+# Redirect
+include libreoffice.profile
diff --git a/etc/profile-a-l/lollypop.profile b/etc/profile-a-l/lollypop.profile
new file mode 100644
index 000000000..1ce83822d
--- /dev/null
+++ b/etc/profile-a-l/lollypop.profile
@@ -0,0 +1,42 @@
+# Firejail profile for lollypop
+# Description: Music player for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include lollypop.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.local/share/lollypop
+noblacklist ${MUSIC}
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-var-common.inc
+caps.drop all
+netfilter
+no3d
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+private-dev
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,machine-id,pki,pulse,resolv.conf,ssl,xdg
+private-tmp
diff --git a/etc/profile-a-l/lomath.profile b/etc/profile-a-l/lomath.profile
new file mode 100644
index 000000000..8348a57fe
--- /dev/null
+++ b/etc/profile-a-l/lomath.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for libreoffice
+# This file is overwritten after every install/update
+# Redirect
+include libreoffice.profile
diff --git a/etc/profile-a-l/loweb.profile b/etc/profile-a-l/loweb.profile
new file mode 100644
index 000000000..8348a57fe
--- /dev/null
+++ b/etc/profile-a-l/loweb.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for libreoffice
+# This file is overwritten after every install/update
+# Redirect
+include libreoffice.profile
diff --git a/etc/profile-a-l/lowriter.profile b/etc/profile-a-l/lowriter.profile
new file mode 100644
index 000000000..8348a57fe
--- /dev/null
+++ b/etc/profile-a-l/lowriter.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for libreoffice
+# This file is overwritten after every install/update
+# Redirect
+include libreoffice.profile
diff --git a/etc/profile-a-l/lrunzip.profile b/etc/profile-a-l/lrunzip.profile
new file mode 100644
index 000000000..c010cbd96
--- /dev/null
+++ b/etc/profile-a-l/lrunzip.profile
@@ -0,0 +1,12 @@
+# Firejail profile for lrunzip
+# Description: Multi-threaded compression with rzip/lzma, lzo and zpaq
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include lrunzip.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include cpio.profile
diff --git a/etc/profile-a-l/lrz.profile b/etc/profile-a-l/lrz.profile
new file mode 100644
index 000000000..8077be945
--- /dev/null
+++ b/etc/profile-a-l/lrz.profile
@@ -0,0 +1,12 @@
+# Firejail profile for lrz
+# Description: Multi-threaded compression with rzip/lzma, lzo and zpaq
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include lrz.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include cpio.profile
diff --git a/etc/profile-a-l/lrzcat.profile b/etc/profile-a-l/lrzcat.profile
new file mode 100644
index 000000000..d05ee7aae
--- /dev/null
+++ b/etc/profile-a-l/lrzcat.profile
@@ -0,0 +1,12 @@
+# Firejail profile for lrzcat
+# Description: Multi-threaded compression with rzip/lzma, lzo and zpaq
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include lrzcat.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include cpio.profile
diff --git a/etc/profile-a-l/lrzip.profile b/etc/profile-a-l/lrzip.profile
new file mode 100644
index 000000000..3767767f6
--- /dev/null
+++ b/etc/profile-a-l/lrzip.profile
@@ -0,0 +1,12 @@
+# Firejail profile for lrzip
+# Description: Multi-threaded compression with rzip/lzma, lzo and zpaq
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include lrzip.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include cpio.profile
diff --git a/etc/profile-a-l/lrztar.profile b/etc/profile-a-l/lrztar.profile
new file mode 100644
index 000000000..673e9f62e
--- /dev/null
+++ b/etc/profile-a-l/lrztar.profile
@@ -0,0 +1,12 @@
+# Firejail profile for lrztar
+# Description: Multi-threaded compression with rzip/lzma, lzo and zpaq
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include lrztar.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include cpio.profile
diff --git a/etc/profile-a-l/lrzuntar.profile b/etc/profile-a-l/lrzuntar.profile
new file mode 100644
index 000000000..245d1c669
--- /dev/null
+++ b/etc/profile-a-l/lrzuntar.profile
@@ -0,0 +1,12 @@
+# Firejail profile for lrzuntar
+# Description: Multi-threaded compression with rzip/lzma, lzo and zpaq
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include lrzuntar.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include cpio.profile
diff --git a/etc/profile-a-l/lugaru.profile b/etc/profile-a-l/lugaru.profile
new file mode 100644
index 000000000..26157b942
--- /dev/null
+++ b/etc/profile-a-l/lugaru.profile
@@ -0,0 +1,51 @@
+# Firejail profile for lugaru
+# Description: Ninja rabbit fighting game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include lugaru.local
+# Persistent global definitions
+include globals.local
+# note: crashes after entering
+noblacklist ${HOME}/.config/lugaru
+noblacklist ${HOME}/.local/share/lugaru
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.config/lugaru
+mkdir ${HOME}/.local/share/lugaru
+whitelist ${HOME}/.config/lugaru
+whitelist ${HOME}/.local/share/lugaru
+include whitelist-common.inc
+include whitelist-var-common.inc
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin lugaru
+private-cache
+private-dev
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/luminance-hdr.profile b/etc/profile-a-l/luminance-hdr.profile
new file mode 100644
index 000000000..2b0feaa17
--- /dev/null
+++ b/etc/profile-a-l/luminance-hdr.profile
@@ -0,0 +1,39 @@
+# Firejail profile for luminance-hdr
+# Description: Graphical user interface providing a workflow for HDR imaging
+# This file is overwritten after every install/update
+# Persistent local customizations
+include luminance-hdr.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/Luminance
+noblacklist ${PICTURES}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+#private-bin luminance-hdr,luminance-hdr-cli,align_image_stack
+private-cache
+private-dev
+private-tmp
diff --git a/etc/profile-a-l/lximage-qt.profile b/etc/profile-a-l/lximage-qt.profile
new file mode 100644
index 000000000..a33ddab78
--- /dev/null
+++ b/etc/profile-a-l/lximage-qt.profile
@@ -0,0 +1,38 @@
+# Firejail profile for lximage-qt
+# Description: Image viewer for LXQt
+# This file is overwritten after every install/update
+# Persistent local customizations
+include lximage-qt.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/lximage-qt
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+private-cache
+private-dev
+private-tmp
diff --git a/etc/profile-a-l/lxmusic.profile b/etc/profile-a-l/lxmusic.profile
new file mode 100644
index 000000000..9094f4377
--- /dev/null
+++ b/etc/profile-a-l/lxmusic.profile
@@ -0,0 +1,40 @@
+# Firejail profile for lxmusic
+# Description: LXDE music player
+# This file is overwritten after every install/update
+# Persistent local customizations
+include lxmusic.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.cache/xmms2
+noblacklist ${HOME}/.config/xmms2
+noblacklist ${MUSIC}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+private-dev
+private-tmp
diff --git a/etc/profile-a-l/lynx.profile b/etc/profile-a-l/lynx.profile
new file mode 100644
index 000000000..dbd0a61e5
--- /dev/null
+++ b/etc/profile-a-l/lynx.profile
@@ -0,0 +1,41 @@
+# Firejail profile for lynx
+# Description: Classic non-graphical (text-mode) web browser
+# This file is overwritten after every install/update
+# Persistent local customizations
+include lynx.local
+# Persistent global definitions
+include globals.local
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-runuser-common.inc
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+# private-bin lynx
+private-cache
+private-dev
+# private-etc alternatives,ca-certificates,crypto-policies,pki,ssl
+private-tmp
diff --git a/etc/profile-a-l/lzcat.profile b/etc/profile-a-l/lzcat.profile
new file mode 100644
index 000000000..d9c72407f
--- /dev/null
+++ b/etc/profile-a-l/lzcat.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+quiet
+# Redirect
+include cpio.profile
diff --git a/etc/profile-a-l/lzcmp.profile b/etc/profile-a-l/lzcmp.profile
new file mode 100644
index 000000000..d9c72407f
--- /dev/null
+++ b/etc/profile-a-l/lzcmp.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+quiet
+# Redirect
+include cpio.profile
diff --git a/etc/profile-a-l/lzdiff.profile b/etc/profile-a-l/lzdiff.profile
new file mode 100644
index 000000000..f7410b928
--- /dev/null
+++ b/etc/profile-a-l/lzdiff.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+# Redirect
+include cpio.profile
diff --git a/etc/profile-a-l/lzegrep.profile b/etc/profile-a-l/lzegrep.profile
new file mode 100644
index 000000000..d9c72407f
--- /dev/null
+++ b/etc/profile-a-l/lzegrep.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+quiet
+# Redirect
+include cpio.profile
diff --git a/etc/profile-a-l/lzfgrep.profile b/etc/profile-a-l/lzfgrep.profile
new file mode 100644
index 000000000..d9c72407f
--- /dev/null
+++ b/etc/profile-a-l/lzfgrep.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+quiet
+# Redirect
+include cpio.profile
diff --git a/etc/profile-a-l/lzgrep.profile b/etc/profile-a-l/lzgrep.profile
new file mode 100644
index 000000000..d9c72407f
--- /dev/null
+++ b/etc/profile-a-l/lzgrep.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+quiet
+# Redirect
+include cpio.profile
diff --git a/etc/profile-a-l/lzip.profile b/etc/profile-a-l/lzip.profile
new file mode 100644
index 000000000..d9c72407f
--- /dev/null
+++ b/etc/profile-a-l/lzip.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+quiet
+# Redirect
+include cpio.profile
diff --git a/etc/profile-a-l/lzless.profile b/etc/profile-a-l/lzless.profile
new file mode 100644
index 000000000..d9c72407f
--- /dev/null
+++ b/etc/profile-a-l/lzless.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+quiet
+# Redirect
+include cpio.profile
diff --git a/etc/profile-a-l/lzma.profile b/etc/profile-a-l/lzma.profile
new file mode 100644
index 000000000..d9c72407f
--- /dev/null
+++ b/etc/profile-a-l/lzma.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+quiet
+# Redirect
+include cpio.profile
diff --git a/etc/profile-a-l/lzmadec.profile b/etc/profile-a-l/lzmadec.profile
new file mode 100644
index 000000000..0c5ec1b09
--- /dev/null
+++ b/etc/profile-a-l/lzmadec.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for xzdec
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+# Redirect
+include xzdec.profile
diff --git a/etc/profile-a-l/lzmainfo.profile b/etc/profile-a-l/lzmainfo.profile
new file mode 100644
index 000000000..d9c72407f
--- /dev/null
+++ b/etc/profile-a-l/lzmainfo.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+quiet
+# Redirect
+include cpio.profile
diff --git a/etc/profile-a-l/lzmore.profile b/etc/profile-a-l/lzmore.profile
new file mode 100644
index 000000000..d9c72407f
--- /dev/null
+++ b/etc/profile-a-l/lzmore.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+quiet
+# Redirect
+include cpio.profile
author	netblue30 <netblue30@yahoo.com>	2020-04-21 08:24:28 -0400
committer	netblue30 <netblue30@yahoo.com>	2020-04-21 08:24:28 -0400
commit	018d75775eab4a0f045949a9d069c57686ca2686 (patch)
tree	aac3a1a65cca0d4875795c55109a5c3e35efdefb /etc/profile-a-l
parent	small fixes (diff)
download	firejail-018d75775eab4a0f045949a9d069c57686ca2686.tar.gz firejail-018d75775eab4a0f045949a9d069c57686ca2686.tar.zst firejail-018d75775eab4a0f045949a9d069c57686ca2686.zip