reorganize github etc directory

487 files changed, 14560 insertions, 0 deletions

diff --git a/etc/profile-m-z/Maelstrom.profile b/etc/profile-m-z/Maelstrom.profile
new file mode 100644
index 000000000..5cf570f80
--- /dev/null
+++ b/etc/profile-m-z/Maelstrom.profile
@@ -0,0 +1,45 @@
+# Firejail profile for Maelstrom
+# Description: A space combat game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include Maelstrom.local
+# Persistent global definitions
+include globals.local
+
+noblacklist /var/lib/games/Maelstrom-Scores
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist /var/lib/games
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+#nonewprivs
+#noroot
+notv
+nou2f
+novideo
+#protocol unix
+#seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin Maelstrom
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/Maps.profile b/etc/profile-m-z/Maps.profile
new file mode 100644
index 000000000..c52d2f2da
--- /dev/null
+++ b/etc/profile-m-z/Maps.profile
@@ -0,0 +1,6 @@
+# Firejail profile for gnome-maps
+# This file is overwritten after every install/update
+
+# Temporary fix for https://github.com/netblue30/firejail/issues/2624
+# Redirect
+include gnome-maps.profile
diff --git a/etc/profile-m-z/Mathematica.profile b/etc/profile-m-z/Mathematica.profile
new file mode 100644
index 000000000..c2734b1c1
--- /dev/null
+++ b/etc/profile-m-z/Mathematica.profile
@@ -0,0 +1,30 @@
+# Firejail profile for Mathematica
+# This file is overwritten after every install/update
+# Persistent local customizations
+include Mathematica.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.Mathematica
+noblacklist ${HOME}/.Wolfram Research
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.Mathematica
+mkdir ${HOME}/.Wolfram Research
+mkdir ${HOME}/Documents/Wolfram Mathematica
+whitelist ${HOME}/.Mathematica
+whitelist ${HOME}/.Wolfram Research
+whitelist ${HOME}/Documents/Wolfram Mathematica
+include whitelist-common.inc
+
+caps.drop all
+nodvd
+nonewprivs
+noroot
+notv
+seccomp
diff --git a/etc/profile-m-z/Natron.profile b/etc/profile-m-z/Natron.profile
new file mode 100644
index 000000000..42c22bf67
--- /dev/null
+++ b/etc/profile-m-z/Natron.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for natron
+# This file is overwritten after every install/update
+
+# Redirect
+include natron.profile
diff --git a/etc/profile-m-z/PPSSPPQt.profile b/etc/profile-m-z/PPSSPPQt.profile
new file mode 100644
index 000000000..c5592f99c
--- /dev/null
+++ b/etc/profile-m-z/PPSSPPQt.profile
@@ -0,0 +1,9 @@
+# Firejail profile for PPSSPPQt
+# This file is overwritten after every install/update
+# Persistent local customizations
+include PPSSPPQt.local
+# added by included profile
+#include globals.local
+
+# Redirect
+include ppsspp.profile
diff --git a/etc/profile-m-z/QMediathekView.profile b/etc/profile-m-z/QMediathekView.profile
new file mode 100644
index 000000000..d1548a864
--- /dev/null
+++ b/etc/profile-m-z/QMediathekView.profile
@@ -0,0 +1,58 @@
+# Firejail profile for QMediathekView
+# Description: Search, download or stream files from mediathek.de
+# This file is overwritten after every install/update
+# Persistent local customizations
+include QMediathekView.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/QMediathekView
+noblacklist ${HOME}/.local/share/QMediathekView
+
+noblacklist ${HOME}/.config/mpv
+noblacklist ${HOME}/.config/smplayer
+noblacklist ${HOME}/.config/totem
+noblacklist ${HOME}/.config/vlc
+noblacklist ${HOME}/.config/xplayer
+noblacklist ${HOME}/.local/share/totem
+noblacklist ${HOME}/.local/share/xplayer
+noblacklist ${HOME}/.mplayer
+noblacklist ${VIDEOS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist /usr/share/qtchooser
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+# no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin mplayer,mpv,QMediathekView,smplayer,totem,vlc,xplayer
+private-cache
+private-dev
+private-tmp
+
+# dbus-user none
+# dbus-system none
+
+#memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/profile-m-z/QOwnNotes.profile b/etc/profile-m-z/QOwnNotes.profile
new file mode 100644
index 000000000..8157cdff4
--- /dev/null
+++ b/etc/profile-m-z/QOwnNotes.profile
@@ -0,0 +1,54 @@
+# Firejail profile for QOwnNotes
+# Description: Plain-text file notepad with markdown support and ownCloud integration
+# This file is overwritten after every install/update
+# Persistent local customizations
+include QOwnNotes.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${DOCUMENTS}
+noblacklist ${HOME}/Nextcloud/Notes
+noblacklist ${HOME}/.config/PBE
+noblacklist ${HOME}/.local/share/PBE
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/Nextcloud/Notes
+mkdir ${HOME}/.config/PBE
+mkdir ${HOME}/.local/share/PBE
+whitelist ${DOCUMENTS}
+whitelist ${HOME}/Nextcloud/Notes
+whitelist ${HOME}/.config/PBE
+whitelist ${HOME}/.local/share/PBE
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin gio,QOwnNotes
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hosts,ld.so.cache,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl
+private-tmp
+
diff --git a/etc/profile-m-z/Screenshot.profile b/etc/profile-m-z/Screenshot.profile
new file mode 100644
index 000000000..d4b083736
--- /dev/null
+++ b/etc/profile-m-z/Screenshot.profile
@@ -0,0 +1,6 @@
+# Firejail profile for gnome-screenshot
+# This file is overwritten after every install/update
+
+# Temporary fix for https://github.com/netblue30/firejail/issues/2624
+# Redirect
+include gnome-screenshot.profile
diff --git a/etc/profile-m-z/Telegram.profile b/etc/profile-m-z/Telegram.profile
new file mode 100644
index 000000000..310e0237e
--- /dev/null
+++ b/etc/profile-m-z/Telegram.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for telegram
+# This file is overwritten after every install/update
+
+# Redirect
+include telegram.profile
diff --git a/etc/profile-m-z/Thunar.profile b/etc/profile-m-z/Thunar.profile
new file mode 100644
index 000000000..761440ccc
--- /dev/null
+++ b/etc/profile-m-z/Thunar.profile
@@ -0,0 +1,33 @@
+# Firejail profile for Thunar
+# Description: File Manager for Xfce
+# This file is overwritten after every install/update
+# Persistent local customizations
+include Thunar.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/Trash
+noblacklist ${HOME}/.config/Thunar
+noblacklist ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+# include disable-programs.inc
+
+allusers
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
diff --git a/etc/profile-m-z/Viber.profile b/etc/profile-m-z/Viber.profile
new file mode 100644
index 000000000..3195e39fa
--- /dev/null
+++ b/etc/profile-m-z/Viber.profile
@@ -0,0 +1,38 @@
+# Firejail profile for Viber
+# This file is overwritten after every install/update
+# Persistent local customizations
+include Viber.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.ViberPC
+noblacklist ${PATH}/dig
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.ViberPC
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.ViberPC
+include whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6
+seccomp !chroot
+shell none
+
+disable-mnt
+private-bin awk,bash,dig,sh,Viber
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hosts,localtime,machine-id,mailcap,nsswitch.conf,pki,proxychains.conf,pulse,resolv.conf,ssl,X11
+private-tmp
diff --git a/etc/profile-m-z/VirtualBox.profile b/etc/profile-m-z/VirtualBox.profile
new file mode 100644
index 000000000..4c99ae9a3
--- /dev/null
+++ b/etc/profile-m-z/VirtualBox.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for virtualbox
+# Description: x86 virtualization solution
+# This file is overwritten after every install/update
+
+# Redirect
+include virtualbox.profile
diff --git a/etc/profile-m-z/XMind.profile b/etc/profile-m-z/XMind.profile
new file mode 100644
index 000000000..7e7c0c3cd
--- /dev/null
+++ b/etc/profile-m-z/XMind.profile
@@ -0,0 +1,38 @@
+# Firejail profile for XMind
+# This file is overwritten after every install/update
+# Persistent local customizations
+include XMind.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.xmind
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.xmind
+whitelist ${HOME}/.xmind
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-bin cp,sh,XMind
+private-tmp
+private-dev
+
diff --git a/etc/profile-m-z/Xephyr.profile b/etc/profile-m-z/Xephyr.profile
new file mode 100644
index 000000000..ab5fdf942
--- /dev/null
+++ b/etc/profile-m-z/Xephyr.profile
@@ -0,0 +1,42 @@
+# Firejail profile for Xephyr
+# This file is overwritten after every install/update
+# Persistent local customizations
+quiet
+include Xephyr.local
+# Persistent global definitions
+include globals.local
+
+#
+# This profile will sandbox Xephyr server itself when used with firejail --x11=xephyr.
+# To enable it, create a firejail-Xephyr symlink in /usr/local/bin:
+#
+#    $ sudo ln -s /usr/bin/firejail /usr/local/bin/Xephyr
+#
+# or run "sudo firecfg"
+#
+
+whitelist /var/lib/xkb
+include whitelist-common.inc
+
+caps.drop all
+# Xephyr needs to be allowed access to the abstract Unix socket namespace.
+nodvd
+nogroups
+nonewprivs
+# In noroot mode, Xephyr cannot create a socket in the real /tmp/.X11-unix.
+# noroot
+nosound
+notv
+nou2f
+protocol unix
+seccomp
+shell none
+
+disable-mnt
+# using a private home directory
+private
+# private-bin sh,Xephyr,xkbcomp
+# private-bin bash,cat,ls,sh,strace,Xephyr,xkbcomp
+private-dev
+# private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,nsswitch.conf,resolv.conf
+#private-tmp
diff --git a/etc/profile-m-z/Xvfb.profile b/etc/profile-m-z/Xvfb.profile
new file mode 100644
index 000000000..937d02d60
--- /dev/null
+++ b/etc/profile-m-z/Xvfb.profile
@@ -0,0 +1,46 @@
+# Firejail profile for Xvfb
+# Description: Virtual Framebuffer 'fake' X server
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include Xvfb.local
+# Persistent global definitions
+include globals.local
+
+#
+# This profile will sandbox Xvfb server itself when used with firejail --x11=xvfb.
+# The target program is sandboxed with its own profile. By default the this functionality
+# is disabled. To enable it, create a firejail-Xvfb symlink in /usr/local/bin:
+#
+#    $ sudo ln -s /usr/bin/firejail /usr/local/bin/Xvfb
+#
+# We have this functionality disabled by default because it creates problems on
+# some Linux distributions. Also, older versions of Xpra use Xvfb.
+#
+
+whitelist /var/lib/xkb
+include whitelist-common.inc
+
+caps.drop all
+# Xvfb needs to be allowed access to the abstract Unix socket namespace.
+nodvd
+nogroups
+nonewprivs
+# In noroot mode, Xvfb cannot create a socket in the real /tmp/.X11-unix.
+#noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+disable-mnt
+# using a private home directory
+private
+# private-bin sh,xkbcomp,Xvfb
+# private-bin bash,cat,ls,sh,strace,xkbcomp,Xvfb
+private-dev
+private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,nsswitch.conf,resolv.conf
+private-tmp
diff --git a/etc/profile-m-z/macrofusion.profile b/etc/profile-m-z/macrofusion.profile
new file mode 100644
index 000000000..3eef22f98
--- /dev/null
+++ b/etc/profile-m-z/macrofusion.profile
@@ -0,0 +1,44 @@
+# Firejail profile for macrofusion
+# This file is overwritten after every install/update
+# Persistent local customizations
+include macrofusion.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/mfusion
+noblacklist ${PICTURES}
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+private-bin align_image_stack,enfuse,env,exiftool,macrofusion,python*
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/magicor.profile b/etc/profile-m-z/magicor.profile
new file mode 100644
index 000000000..380a59957
--- /dev/null
+++ b/etc/profile-m-z/magicor.profile
@@ -0,0 +1,51 @@
+# Firejail profile for magicor
+# Description: Push ice blocks around to extinguish all fires
+# This file is overwritten after every install/update
+# Persistent local customizations
+include magicor.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.magicor
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.magicor
+whitelist ${HOME}/.magicor
+whitelist /usr/share/magicor
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin magicor,python2*
+private-cache
+private-dev
+private-etc machine-id
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/makepkg.profile b/etc/profile-m-z/makepkg.profile
new file mode 100644
index 000000000..513fcae55
--- /dev/null
+++ b/etc/profile-m-z/makepkg.profile
@@ -0,0 +1,61 @@
+# Firejail profile for makepkg
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include makepkg.local
+# Persistent global definitions
+include globals.local
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
+# Note: see this Arch forum discussion https://bbs.archlinux.org/viewtopic.php?pid=1743138
+# for potential issues and their solutions when Firejailing makepkg
+
+# This profile could be significantly strengthened by adding the following to makepkg.local
+# whitelist ${HOME}/<Your Build Folder>
+# whitelist ${HOME}/.gnupg
+
+# Enable severely restricted access to ${HOME}/.gnupg
+noblacklist ${HOME}/.gnupg
+read-only ${HOME}/.gnupg/gpg.conf
+read-only ${HOME}/.gnupg/trustdb.gpg
+read-only ${HOME}/.gnupg/pubring.kbx
+blacklist ${HOME}/.gnupg/random_seed
+blacklist ${HOME}/.gnupg/pubring.kbx~
+blacklist ${HOME}/.gnupg/private-keys-v1.d
+blacklist ${HOME}/.gnupg/crls.d
+blacklist ${HOME}/.gnupg/openpgp-revocs.d
+
+# Arch Linux (based distributions) need access to /var/lib/pacman. As we drop all capabilities this is automatically read-only.
+noblacklist /var/lib/pacman
+
+include disable-common.inc
+include disable-exec.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+caps.drop all
+machine-id
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+# noroot is only disabled to allow the creation of kernel headers from an official PKGBUILD.
+#noroot
+nosound
+nou2f
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-cache
+private-tmp
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/manaplus.profile b/etc/profile-m-z/manaplus.profile
new file mode 100644
index 000000000..b29a489a6
--- /dev/null
+++ b/etc/profile-m-z/manaplus.profile
@@ -0,0 +1,50 @@
+# Firejail profile for manaplus
+# Description: 2D MMORPG client for Evol Online and The Mana World
+# This file is overwritten after every install/update
+# Persistent local customizations
+include manaplus.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/mana
+noblacklist ${HOME}/.local/share/mana
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/mana
+mkdir ${HOME}/.config/mana/mana
+mkdir ${HOME}/.local/share/mana
+whitelist ${HOME}/.config/mana
+whitelist ${HOME}/.local/share/mana
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin manaplus
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/masterpdfeditor.profile b/etc/profile-m-z/masterpdfeditor.profile
new file mode 100644
index 000000000..e4da0c66a
--- /dev/null
+++ b/etc/profile-m-z/masterpdfeditor.profile
@@ -0,0 +1,41 @@
+# Firejail profile for masterpdfeditor
+# Description: A complete solution for creating and editing PDF files
+# This file is overwritten after every install/update
+# Persistent local customizations
+include masterpdfeditor.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/Code Industry
+noblacklist ${HOME}/.masterpdfeditor
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-cache
+private-dev
+private-etc alternatives,fonts
+private-tmp
+
diff --git a/etc/profile-m-z/masterpdfeditor4.profile b/etc/profile-m-z/masterpdfeditor4.profile
new file mode 100644
index 000000000..84e78171f
--- /dev/null
+++ b/etc/profile-m-z/masterpdfeditor4.profile
@@ -0,0 +1,11 @@
+# Firejail profile for masterpdfeditor4
+# Description: A complete solution for creating and editing PDF files
+# This file is overwritten after every install/update
+# Persistent local customizations
+include masterpdfeditor4.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include masterpdfeditor.profile
diff --git a/etc/profile-m-z/masterpdfeditor5.profile b/etc/profile-m-z/masterpdfeditor5.profile
new file mode 100644
index 000000000..057d343dd
--- /dev/null
+++ b/etc/profile-m-z/masterpdfeditor5.profile
@@ -0,0 +1,11 @@
+# Firejail profile for masterpdfeditor5
+# Description: A complete solution for creating and editing PDF files
+# This file is overwritten after every install/update
+# Persistent local customizations
+include masterpdfeditor5.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include masterpdfeditor.profile
diff --git a/etc/profile-m-z/mate-calc.profile b/etc/profile-m-z/mate-calc.profile
new file mode 100644
index 000000000..ce418d68f
--- /dev/null
+++ b/etc/profile-m-z/mate-calc.profile
@@ -0,0 +1,53 @@
+# Firejail profile for mate-calc
+# Description: MATE desktop calculator
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mate-calc.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/mate-calc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.cache/mate-calc
+mkdir ${HOME}/.config/caja
+mkdir ${HOME}/.config/mate-menu
+whitelist ${HOME}/.cache/mate-calc
+whitelist ${HOME}/.config/caja
+whitelist ${HOME}/.config/mate-menu
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+disable-mnt
+private-bin mate-calc,mate-calculator
+private-etc alternatives,dconf,fonts,gtk-3.0
+private-dev
+private-opt none
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/mate-calculator.profile b/etc/profile-m-z/mate-calculator.profile
new file mode 100644
index 000000000..bb438f5f0
--- /dev/null
+++ b/etc/profile-m-z/mate-calculator.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for mate-calc
+# This file is overwritten after every install/update
+
+# Redirect
+include mate-calc.profile
diff --git a/etc/profile-m-z/mate-color-select.profile b/etc/profile-m-z/mate-color-select.profile
new file mode 100644
index 000000000..f1a7ca18f
--- /dev/null
+++ b/etc/profile-m-z/mate-color-select.profile
@@ -0,0 +1,39 @@
+# Firejail profile for mate-color-select
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mate-color-select.local
+# Persistent global definitions
+include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-common.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+disable-mnt
+private-bin mate-color-select
+private-etc alternatives,fonts
+private-dev
+private-lib
+private-tmp
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/mate-dictionary.profile b/etc/profile-m-z/mate-dictionary.profile
new file mode 100644
index 000000000..59f439c91
--- /dev/null
+++ b/etc/profile-m-z/mate-dictionary.profile
@@ -0,0 +1,44 @@
+# Firejail profile for mate-dictionary
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mate-dictionary.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/mate/mate-dictionary
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.config/mate/mate-dictionary
+whitelist ${HOME}/.config/mate/mate-dictionary
+include whitelist-common.inc
+
+apparmor
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-bin mate-dictionary
+private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,resolv.conf,ssl
+private-opt mate-dictionary
+private-dev
+private-tmp
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/mathematica.profile b/etc/profile-m-z/mathematica.profile
new file mode 100644
index 000000000..964060350
--- /dev/null
+++ b/etc/profile-m-z/mathematica.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for Mathematica
+# This file is overwritten after every install/update
+
+# Redirect
+include Mathematica.profile
diff --git a/etc/profile-m-z/mcabber.profile b/etc/profile-m-z/mcabber.profile
new file mode 100644
index 000000000..134a6ae63
--- /dev/null
+++ b/etc/profile-m-z/mcabber.profile
@@ -0,0 +1,33 @@
+# Firejail profile for mcabber
+# Description: Small Jabber (XMPP) console client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mcabber.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.mcabber
+noblacklist ${HOME}/.mcabberrc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+caps.drop all
+netfilter
+nodvd
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol inet,inet6
+seccomp
+shell none
+
+private-bin mcabber
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,pki,ssl
diff --git a/etc/profile-m-z/mediainfo.profile b/etc/profile-m-z/mediainfo.profile
new file mode 100644
index 000000000..c62d3f6d5
--- /dev/null
+++ b/etc/profile-m-z/mediainfo.profile
@@ -0,0 +1,50 @@
+# Firejail profile for mediainfo
+# Description: Command-line utility for reading information from audio/video files
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mediainfo.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+private-bin mediainfo
+private-cache
+private-dev
+private-etc alternatives
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/mediathekview.profile b/etc/profile-m-z/mediathekview.profile
new file mode 100644
index 000000000..95cd673c6
--- /dev/null
+++ b/etc/profile-m-z/mediathekview.profile
@@ -0,0 +1,49 @@
+# Firejail profile for mediathekview
+# Description: View streams from German public television stations
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mediathekview.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/mpv
+noblacklist ${HOME}/.config/smplayer
+noblacklist ${HOME}/.config/totem
+noblacklist ${HOME}/.config/vlc
+noblacklist ${HOME}/.config/xplayer
+noblacklist ${HOME}/.local/share/totem
+noblacklist ${HOME}/.local/share/xplayer
+noblacklist ${HOME}/.mediathek3
+noblacklist ${HOME}/.mplayer
+noblacklist ${VIDEOS}
+
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+tracelog
+
+private-cache
+private-dev
+private-tmp
+
diff --git a/etc/profile-m-z/megaglest.profile b/etc/profile-m-z/megaglest.profile
new file mode 100644
index 000000000..86e7f129e
--- /dev/null
+++ b/etc/profile-m-z/megaglest.profile
@@ -0,0 +1,46 @@
+# Firejail profile for megaglest
+# Description: 3D multi-player real time strategy game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include megaglest.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.megaglest
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.megaglest
+whitelist ${HOME}/.megaglest
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin megaglest,megaglest_editor,megaglest_g3dviewer
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/megaglest_editor.profile b/etc/profile-m-z/megaglest_editor.profile
new file mode 100644
index 000000000..02aad8084
--- /dev/null
+++ b/etc/profile-m-z/megaglest_editor.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for megaglest
+# This file is overwritten after every install/update
+
+# Redirect
+include megaglest.profile
diff --git a/etc/profile-m-z/meld.profile b/etc/profile-m-z/meld.profile
new file mode 100644
index 000000000..be13e9643
--- /dev/null
+++ b/etc/profile-m-z/meld.profile
@@ -0,0 +1,74 @@
+# Firejail profile for meld
+# Description: Graphical tool to diff and merge files
+# This file is overwritten after every install/update
+# Persistent local customizations
+include meld.local
+# Persistent global definitions
+include globals.local
+
+# If you want to use meld as git-mergetool (and maybe some other VCS integrations) you need
+# to bypass firejail, you can do this by removing the symlink or calling it by its absolute path
+# Removing the symlink:
+#  sudo rm /usr/local/bin/meld
+# Calling by its absolute path (example for git-mergetool):
+#  git config --global mergetool.meld.cmd /usr/bin/meld
+
+noblacklist ${HOME}/.config/meld
+noblacklist ${HOME}/.config/git
+noblacklist ${HOME}/.gitconfig
+noblacklist ${HOME}/.git-credentials
+noblacklist ${HOME}/.local/share/meld
+noblacklist ${HOME}/.ssh
+noblacklist ${HOME}/.subversion
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
+# Python 2 is EOL (see #3164). Uncomment the next line (or put it into your meld.local) if you understand the risks but want python 2 support for older meld versions.
+#include allow-python2.inc
+
+# Uncomment the next line (or put it into your meld.local) if you don't need to compare files in disable-common.inc.
+#include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+# Uncomment the next line (or put it into your meld.local) if you don't need to compare files in disable-programs.inc.
+#include disable-programs.inc
+
+include whitelist-runuser-common.inc
+
+# Uncomment the next lines (or put it into your meld.local) if you don't need to compare files in /usr/share.
+#whitelist /usr/share/meld
+#include whitelist-usr-share-common.inc
+
+# Uncomment the next line (or put it into your meld.local) if you don't need to compare files in /var.
+#include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-bin bzr,cvs,git,hg,meld,python*,svn
+private-cache
+private-dev
+# Uncomment the next line (or put it into your meld.local) if you don't need to compare in /etc.
+#private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,pki,resolv.conf,ssl,subversion
+private-tmp
+
+read-only ${HOME}/.ssh
diff --git a/etc/profile-m-z/mencoder.profile b/etc/profile-m-z/mencoder.profile
new file mode 100644
index 000000000..caf238785
--- /dev/null
+++ b/etc/profile-m-z/mencoder.profile
@@ -0,0 +1,35 @@
+# Firejail profile for mencoder
+# Description: Free command line video decoding, encoding and filtering tool
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mencoder.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# added by included profile
+#include disable-common.inc
+#include disable-devel.inc
+#include disable-interpreters.inc
+#include disable-passwdmgr.inc
+#include disable-programs.inc
+
+ipc-namespace
+machine-id
+net none
+no3d
+nosound
+notv
+protocol unix
+tracelog
+x11 none
+
+private-bin mencoder
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+
+# Redirect
+include mplayer.profile
diff --git a/etc/profile-m-z/mendeleydesktop.profile b/etc/profile-m-z/mendeleydesktop.profile
new file mode 100644
index 000000000..6022b110a
--- /dev/null
+++ b/etc/profile-m-z/mendeleydesktop.profile
@@ -0,0 +1,50 @@
+# Firejail profile for Mendeley
+# Description: Academic software for managing and sharing research papers.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mendeleydesktop.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${DOCUMENTS}
+noblacklist ${HOME}/.cache/Mendeley Ltd.
+noblacklist ${HOME}/.config/Mendeley Ltd.
+noblacklist ${HOME}/.local/share/Mendeley Ltd.
+noblacklist ${HOME}/.local/share/data/Mendeley Ltd.
+noblacklist ${HOME}/.pki
+noblacklist ${HOME}/.local/share/pki
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin cat,env,gconftool-2,ln,mendeleydesktop,python*,sh,update-desktop-database,which
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/meteo-qt.profile b/etc/profile-m-z/meteo-qt.profile
new file mode 100644
index 000000000..f9466eb61
--- /dev/null
+++ b/etc/profile-m-z/meteo-qt.profile
@@ -0,0 +1,53 @@
+# Firejail profile for meteo-qt
+# Description: System tray application for weather status information
+# This file is overwritten after every install/update
+# Persistent local customizations
+include meteo-qt.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/autostart
+noblacklist ${HOME}/.config/meteo-qt
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/meteo-qt
+whitelist ${HOME}/.config/autostart
+whitelist ${HOME}/.config/meteo-qt
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin meteo-qt,python*
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/midori.profile b/etc/profile-m-z/midori.profile
new file mode 100644
index 000000000..e15259608
--- /dev/null
+++ b/etc/profile-m-z/midori.profile
@@ -0,0 +1,65 @@
+# Firejail profile for midori
+# Description: Lightweight web browser
+# This file is overwritten after every install/update
+# Persistent local customizations
+include midori.local
+# Persistent global definitions
+include globals.local
+
+# noexec ${HOME} breaks DRM binaries.
+?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
+
+noblacklist ${HOME}/.cache/midori
+noblacklist ${HOME}/.config/midori
+noblacklist ${HOME}/.local/share/midori
+# noblacklist ${HOME}/.local/share/webkit
+# noblacklist ${HOME}/.local/share/webkitgtk
+noblacklist ${HOME}/.pki
+noblacklist ${HOME}/.local/share/pki
+
+noblacklist ${HOME}/.cache/gnome-mplayer
+noblacklist ${HOME}/.config/gnome-mplayer
+noblacklist ${HOME}/.lastpass
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+#include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/midori
+mkdir ${HOME}/.config/midori
+mkdir ${HOME}/.local/share/midori
+mkdir ${HOME}/.local/share/webkit
+mkdir ${HOME}/.local/share/webkitgtk
+mkdir ${HOME}/.pki
+mkdir ${HOME}/.local/share/pki
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.cache/gnome-mplayer/plugin
+whitelist ${HOME}/.cache/midori
+whitelist ${HOME}/.config/gnome-mplayer
+whitelist ${HOME}/.config/midori
+whitelist ${HOME}/.lastpass
+whitelist ${HOME}/.local/share/midori
+whitelist ${HOME}/.local/share/webkit
+whitelist ${HOME}/.local/share/webkitgtk
+whitelist ${HOME}/.pki
+whitelist ${HOME}/.local/share/pki
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nonewprivs
+# noroot - problems on Ubuntu 14.04
+notv
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
+
+disable-mnt
+private-tmp
diff --git a/etc/profile-m-z/min.profile b/etc/profile-m-z/min.profile
new file mode 100644
index 000000000..7f3aeab44
--- /dev/null
+++ b/etc/profile-m-z/min.profile
@@ -0,0 +1,15 @@
+# Firejail profile for min
+# Description: A faster, smarter web browser.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include min.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/Min
+
+mkdir ${HOME}/.config/Min
+whitelist ${HOME}/.config/Min
+
+# Redirect
+include chromium-common.profile
diff --git a/etc/profile-m-z/mindless.profile b/etc/profile-m-z/mindless.profile
new file mode 100644
index 000000000..e6ea54522
--- /dev/null
+++ b/etc/profile-m-z/mindless.profile
@@ -0,0 +1,50 @@
+# Firejail profile for mindless
+# Description: figure out the secret code
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mindless.local
+# Persistent global definitions
+include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist /usr/share/mindless
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private
+private-bin mindless
+private-cache
+private-dev
+private-etc fonts
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/minetest.profile b/etc/profile-m-z/minetest.profile
new file mode 100644
index 000000000..619173024
--- /dev/null
+++ b/etc/profile-m-z/minetest.profile
@@ -0,0 +1,51 @@
+# Firejail profile for minetest
+# Description: Multiplayer infinite-world block sandbox
+# This file is overwritten after every install/update
+# Persistent local customizations
+include minetest.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/minetest
+noblacklist ${HOME}/.minetest
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/minetest
+mkdir ${HOME}/.minetest
+whitelist ${HOME}/.cache/minetest
+whitelist ${HOME}/.minetest
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin minetest
+private-cache
+private-dev
+# private-etc needs to be updated, see #1702
+#private-etc alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/mirrormagic.profile b/etc/profile-m-z/mirrormagic.profile
new file mode 100644
index 000000000..ef0748436
--- /dev/null
+++ b/etc/profile-m-z/mirrormagic.profile
@@ -0,0 +1,50 @@
+# Firejail profile for mirrormagic
+# Description: Puzzle game where you steer a beam of light using mirrors
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mirrormagic.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.mirrormagic
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.mirrormagic
+whitelist ${HOME}/.mirrormagic
+whitelist /usr/share/mirrormagic
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private
+private-bin mirrormagic
+private-cache
+private-dev
+private-etc machine-id
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/mousepad.profile b/etc/profile-m-z/mousepad.profile
new file mode 100644
index 000000000..868313c40
--- /dev/null
+++ b/etc/profile-m-z/mousepad.profile
@@ -0,0 +1,39 @@
+# Firejail profile for mousepad
+# Description: Simple Xfce oriented text editor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mousepad.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/Mousepad
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin mousepad
+private-dev
+private-lib
+private-tmp
diff --git a/etc/profile-m-z/mp3splt-gtk.profile b/etc/profile-m-z/mp3splt-gtk.profile
new file mode 100644
index 000000000..bf6077395
--- /dev/null
+++ b/etc/profile-m-z/mp3splt-gtk.profile
@@ -0,0 +1,43 @@
+# Firejail profile for mp3splt-gtk
+# Description: Gtk utility for mp3/ogg splitting without decoding
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mp3splt-gtk.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.mp3splt-gtk
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin mp3splt-gtk
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-3.0,machine-id,openal,pulse
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/mp3splt.profile b/etc/profile-m-z/mp3splt.profile
new file mode 100644
index 000000000..c65754a03
--- /dev/null
+++ b/etc/profile-m-z/mp3splt.profile
@@ -0,0 +1,53 @@
+# Firejail profile for mp3splt
+# Description: utility for mp3 splitting without decoding
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mp3splt.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+disable-mnt
+private-bin flacsplt,mp3splt,mp3wrap,oggsplt
+private-cache
+private-dev
+private-etc alternatives
+private-tmp
+
+memory-deny-write-execute
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/mp3wrap.profile b/etc/profile-m-z/mp3wrap.profile
new file mode 100644
index 000000000..9e48f7807
--- /dev/null
+++ b/etc/profile-m-z/mp3wrap.profile
@@ -0,0 +1,9 @@
+# Firejail profile for mp3wrap
+# This file is overwritten after every install/update
+include mp3wrap.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include mp3splt.profile
diff --git a/etc/profile-m-z/mpDris2.profile b/etc/profile-m-z/mpDris2.profile
new file mode 100644
index 000000000..fd0351db0
--- /dev/null
+++ b/etc/profile-m-z/mpDris2.profile
@@ -0,0 +1,57 @@
+# Firejail profile for mpDris2
+# Description: MPRIS2 support for MPD
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mpDris2.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/mpDris2
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist ${MUSIC}
+
+mkdir ${HOME}/.config/mpDris2
+whitelist ${HOME}/.config/mpDris2
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-bin mpDris2,notify-send,python*
+private-cache
+private-dev
+private-etc alternatives,hosts,nsswitch.conf
+private-lib libdbus-1.so.*,libdbus-glib-1.so.*,libgirepository-1.0.so.*,libnotify.so.*,libpython*,python2*,python3*
+private-tmp
+
+#memory-deny-write-execute - breaks on Arch (see issue #1803)
+
+read-only ${HOME}
diff --git a/etc/profile-m-z/mpd.profile b/etc/profile-m-z/mpd.profile
new file mode 100644
index 000000000..3fda87a48
--- /dev/null
+++ b/etc/profile-m-z/mpd.profile
@@ -0,0 +1,44 @@
+# Firejail profile for mpd
+# Description: Music Player Daemon
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mpd.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/mpd
+noblacklist ${HOME}/.mpd
+noblacklist ${HOME}/.mpdconf
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+# blacklisting of ioprio_set system calls breaks auto-updating of
+# MPD's database when files in music_directory are changed
+seccomp !ioprio_set
+shell none
+
+#private-bin bash,mpd
+private-cache
+private-dev
+private-tmp
+
diff --git a/etc/profile-m-z/mpg123-alsa.profile b/etc/profile-m-z/mpg123-alsa.profile
new file mode 100644
index 000000000..378435af1
--- /dev/null
+++ b/etc/profile-m-z/mpg123-alsa.profile
@@ -0,0 +1,9 @@
+# Firejail profile for mpg123-alsa
+# Persistent local customizations
+include mpg123-alsa.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include mpg123.profile
diff --git a/etc/profile-m-z/mpg123-id3dump.profile b/etc/profile-m-z/mpg123-id3dump.profile
new file mode 100644
index 000000000..370a57b3c
--- /dev/null
+++ b/etc/profile-m-z/mpg123-id3dump.profile
@@ -0,0 +1,12 @@
+# Firejail profile for mpg123-id3dump
+# Persistent local customizations
+include mpg123-id3dump.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+machine-id
+nosound
+
+# Redirect
+include mpg123.profile
diff --git a/etc/profile-m-z/mpg123-jack.profile b/etc/profile-m-z/mpg123-jack.profile
new file mode 100644
index 000000000..e36a2e5b3
--- /dev/null
+++ b/etc/profile-m-z/mpg123-jack.profile
@@ -0,0 +1,9 @@
+# Firejail profile for mpg123-jack
+# Persistent local customizations
+include mpg123-jack.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include mpg123.profile
diff --git a/etc/profile-m-z/mpg123-nas.profile b/etc/profile-m-z/mpg123-nas.profile
new file mode 100644
index 000000000..cdbf0b1d2
--- /dev/null
+++ b/etc/profile-m-z/mpg123-nas.profile
@@ -0,0 +1,9 @@
+# Firejail profile for mpg123-nas
+# Persistent local customizations
+include mpg123-nas.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include mpg123.profile
diff --git a/etc/profile-m-z/mpg123-openal.profile b/etc/profile-m-z/mpg123-openal.profile
new file mode 100644
index 000000000..e5585feaa
--- /dev/null
+++ b/etc/profile-m-z/mpg123-openal.profile
@@ -0,0 +1,9 @@
+# Firejail profile for mpg123-openal
+# Persistent local customizations
+include mpg123-openal.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include mpg123.profile
diff --git a/etc/profile-m-z/mpg123-oss.profile b/etc/profile-m-z/mpg123-oss.profile
new file mode 100644
index 000000000..dcb92ecd6
--- /dev/null
+++ b/etc/profile-m-z/mpg123-oss.profile
@@ -0,0 +1,9 @@
+# Firejail profile for mpg123-oss
+# Persistent local customizations
+include mpg123-oss.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include mpg123.profile
diff --git a/etc/profile-m-z/mpg123-portaudio.profile b/etc/profile-m-z/mpg123-portaudio.profile
new file mode 100644
index 000000000..319843504
--- /dev/null
+++ b/etc/profile-m-z/mpg123-portaudio.profile
@@ -0,0 +1,9 @@
+# Firejail profile for mpg123-portaudio
+# Persistent local customizations
+include mpg123-portaudio.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include mpg123.profile
diff --git a/etc/profile-m-z/mpg123-pulse.profile b/etc/profile-m-z/mpg123-pulse.profile
new file mode 100644
index 000000000..31063a96b
--- /dev/null
+++ b/etc/profile-m-z/mpg123-pulse.profile
@@ -0,0 +1,9 @@
+# Firejail profile for mpg123-pulse
+# Persistent local customizations
+include mpg123-pulse.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include mpg123.profile
diff --git a/etc/profile-m-z/mpg123-strip.profile b/etc/profile-m-z/mpg123-strip.profile
new file mode 100644
index 000000000..62de57c22
--- /dev/null
+++ b/etc/profile-m-z/mpg123-strip.profile
@@ -0,0 +1,9 @@
+# Firejail profile for mpg123-strip
+# Persistent local customizations
+include mpg123-strip.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include mpg123.profile
diff --git a/etc/profile-m-z/mpg123.bin.profile b/etc/profile-m-z/mpg123.bin.profile
new file mode 100644
index 000000000..0a01d0829
--- /dev/null
+++ b/etc/profile-m-z/mpg123.bin.profile
@@ -0,0 +1,9 @@
+# Firejail profile for mpg123.bin
+# Persistent local customizations
+include mpg123.bin.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include mpg123.profile
diff --git a/etc/profile-m-z/mpg123.profile b/etc/profile-m-z/mpg123.profile
new file mode 100644
index 000000000..6e18aa401
--- /dev/null
+++ b/etc/profile-m-z/mpg123.profile
@@ -0,0 +1,41 @@
+# Firejail profile for mpg123
+# Description: MPEG audio player/decoder
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mpg123.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${MUSIC}
+noblacklist ${VIDEOS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+#private-bin mpg123*
+private-dev
+private-tmp
+
+memory-deny-write-execute
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/mplayer.profile b/etc/profile-m-z/mplayer.profile
new file mode 100644
index 000000000..cd25d6c0b
--- /dev/null
+++ b/etc/profile-m-z/mplayer.profile
@@ -0,0 +1,39 @@
+# Firejail profile for mplayer
+# Description: Movie player for Unix-like systems
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mplayer.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.mplayer
+noblacklist ${MUSIC}
+noblacklist ${VIDEOS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+# net none - mplayer can be used for streaming.
+netfilter
+# nogroups
+nonewprivs
+noroot
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+private-bin mplayer
+private-dev
+private-tmp
+
diff --git a/etc/profile-m-z/mpsyt.profile b/etc/profile-m-z/mpsyt.profile
new file mode 100644
index 000000000..f30fd48eb
--- /dev/null
+++ b/etc/profile-m-z/mpsyt.profile
@@ -0,0 +1,70 @@
+# Firejail profile for mpsyt
+# Description: Terminal based YouTube player and downloader
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mpsyt.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/mps-youtube
+noblacklist ${HOME}/.config/mpv
+noblacklist ${HOME}/.config/youtube-dl
+noblacklist ${HOME}/.mplayer
+noblacklist ${HOME}/.netrc
+noblacklist ${HOME}/mps
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+noblacklist ${MUSIC}
+noblacklist ${VIDEOS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/mps-youtube
+mkdir ${HOME}/.config/mpv
+mkdir ${HOME}/.config/youtube-dl
+mkdir ${HOME}/.mplayer
+mkdir ${HOME}/mps
+whitelist ${HOME}/.config/mps-youtube
+whitelist ${HOME}/.config/mpv
+whitelist ${HOME}/.config/youtube-dl
+whitelist ${HOME}/.mplayer
+whitelist ${HOME}/.netrc
+whitelist ${HOME}/mps
+whitelist ${DOWNLOADS}
+whitelist ${MUSIC}
+whitelist ${VIDEOS}
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+# Seems to cause issues with Nvidia drivers sometimes
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-bin env,ffmpeg,mplayer,mpsyt,mpv,python*,youtube-dl
+#private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/mpv.profile b/etc/profile-m-z/mpv.profile
new file mode 100644
index 000000000..8c463e7db
--- /dev/null
+++ b/etc/profile-m-z/mpv.profile
@@ -0,0 +1,56 @@
+# Firejail profile for mpv
+# Description: Video player based on MPlayer/mplayer2
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include mpv.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/mpv
+noblacklist ${HOME}/.config/youtube-dl
+noblacklist ${HOME}/.netrc
+
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+noblacklist ${MUSIC}
+noblacklist ${PICTURES}
+noblacklist ${VIDEOS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist /usr/share/vulkan
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+
+# Seems to cause issues with Nvidia drivers sometimes
+nogroups
+nonewprivs
+noroot
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+private-bin env,mpv,python*,youtube-dl
+# Causes slow OSD, see #2838
+#private-cache
+private-dev
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/mrrescue.profile b/etc/profile-m-z/mrrescue.profile
new file mode 100644
index 000000000..f02a4f357
--- /dev/null
+++ b/etc/profile-m-z/mrrescue.profile
@@ -0,0 +1,49 @@
+# Firejail profile for mrrescue
+# Description: Arcade-style fire fighting game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mrrescue.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/love
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.local/share/love
+whitelist ${HOME}/.local/share/love
+whitelist /usr/share/mrrescue
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin love,mrrescue,sh
+private-cache
+private-dev
+private-etc machine-id
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/ms-excel.profile b/etc/profile-m-z/ms-excel.profile
new file mode 100644
index 000000000..db24e8f9b
--- /dev/null
+++ b/etc/profile-m-z/ms-excel.profile
@@ -0,0 +1,13 @@
+# Firejail profile for Microsoft Office Online - Excel
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ms-excel.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.cache/ms-excel-online
+private-bin ms-excel
+
+# Redirect
+include ms-office.profile
diff --git a/etc/profile-m-z/ms-office.profile b/etc/profile-m-z/ms-office.profile
new file mode 100644
index 000000000..a6892d698
--- /dev/null
+++ b/etc/profile-m-z/ms-office.profile
@@ -0,0 +1,43 @@
+# Firejail profile for Microsoft Office Online
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ms-office.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/ms-office-online
+noblacklist ${HOME}/.jak
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin bash,env,fonts,jak,ms-office,python*,sh
+private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/ms-onenote.profile b/etc/profile-m-z/ms-onenote.profile
new file mode 100644
index 000000000..9ea0637bd
--- /dev/null
+++ b/etc/profile-m-z/ms-onenote.profile
@@ -0,0 +1,13 @@
+# Firejail profile for Microsoft Office Online - Onenote
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ms-onenote.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.cache/ms-onenote-online
+private-bin ms-onenote
+
+# Redirect
+include ms-office.profile
diff --git a/etc/profile-m-z/ms-outlook.profile b/etc/profile-m-z/ms-outlook.profile
new file mode 100644
index 000000000..fc3e7c009
--- /dev/null
+++ b/etc/profile-m-z/ms-outlook.profile
@@ -0,0 +1,13 @@
+# Firejail profile for Microsoft Office Online - Outlook
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ms-outlook.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.cache/ms-outlook-online
+private-bin ms-outlook
+
+# Redirect
+include ms-office.profile
diff --git a/etc/profile-m-z/ms-powerpoint.profile b/etc/profile-m-z/ms-powerpoint.profile
new file mode 100644
index 000000000..dadcd5b1e
--- /dev/null
+++ b/etc/profile-m-z/ms-powerpoint.profile
@@ -0,0 +1,13 @@
+# Firejail profile for Microsoft Office Online - Powerpoint
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ms-powerpoint.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.cache/ms-powerpoint-online
+private-bin ms-powerpoint
+
+# Redirect
+include ms-office.profile
diff --git a/etc/profile-m-z/ms-skype.profile b/etc/profile-m-z/ms-skype.profile
new file mode 100644
index 000000000..df1618361
--- /dev/null
+++ b/etc/profile-m-z/ms-skype.profile
@@ -0,0 +1,16 @@
+# Firejail profile for Microsoft Office Online - Skype
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ms-skype.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+ignore novideo
+
+noblacklist ${HOME}/.cache/ms-skype-online
+
+private-bin ms-skype
+
+# Redirect
+include ms-office.profile
diff --git a/etc/profile-m-z/ms-word.profile b/etc/profile-m-z/ms-word.profile
new file mode 100644
index 000000000..5a617a893
--- /dev/null
+++ b/etc/profile-m-z/ms-word.profile
@@ -0,0 +1,13 @@
+# Firejail profile for Microsoft Office Online - Word
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ms-word.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.cache/ms-word-online
+private-bin ms-word
+
+# Redirect
+include ms-office.profile
diff --git a/etc/profile-m-z/multimc.profile b/etc/profile-m-z/multimc.profile
new file mode 100644
index 000000000..338f494c9
--- /dev/null
+++ b/etc/profile-m-z/multimc.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for multimc5
+# This file is overwritten after every install/update
+
+# Redirect
+include multimc5.profile
diff --git a/etc/profile-m-z/multimc5.profile b/etc/profile-m-z/multimc5.profile
new file mode 100644
index 000000000..475307418
--- /dev/null
+++ b/etc/profile-m-z/multimc5.profile
@@ -0,0 +1,48 @@
+# Firejail profile for multimc5
+# This file is overwritten after every install/update
+# Persistent local customizations
+include multimc5.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/multimc
+noblacklist ${HOME}/.local/share/multimc5
+noblacklist ${HOME}/.multimc5
+
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.local/share/multimc
+mkdir ${HOME}/.local/share/multimc5
+mkdir ${HOME}/.multimc5
+whitelist ${HOME}/.local/share/multimc
+whitelist ${HOME}/.local/share/multimc5
+whitelist ${HOME}/.multimc5
+include whitelist-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+# seccomp
+shell none
+
+disable-mnt
+# private-bin works, but causes weirdness
+# private-bin apt-file,awk,bash,chmod,dirname,dnf,grep,java,kdialog,ldd,mkdir,multimc5,pfl,pkgfile,readlink,sort,valgrind,which,yum,zenity,zypper
+private-dev
+private-tmp
+
diff --git a/etc/profile-m-z/mumble.profile b/etc/profile-m-z/mumble.profile
new file mode 100644
index 000000000..a16934806
--- /dev/null
+++ b/etc/profile-m-z/mumble.profile
@@ -0,0 +1,46 @@
+# Firejail profile for mumble
+# Description: Low latency encrypted VoIP client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mumble.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/Mumble
+noblacklist ${HOME}/.local/share/data/Mumble
+noblacklist ${HOME}/.local/share/Mumble
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.config/Mumble
+mkdir ${HOME}/.local/share/data/Mumble
+mkdir ${HOME}/.local/share/Mumble
+whitelist ${HOME}/.config/Mumble
+whitelist ${HOME}/.local/share/data/Mumble
+whitelist ${HOME}/.local/share/Mumble
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin mumble
+private-tmp
+
+#memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/profile-m-z/mupdf-gl.profile b/etc/profile-m-z/mupdf-gl.profile
new file mode 100644
index 000000000..be94a9083
--- /dev/null
+++ b/etc/profile-m-z/mupdf-gl.profile
@@ -0,0 +1,13 @@
+# Firejail profile for mupdf-gl
+# Description: Lightweight PDF viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mupdf-gl.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.mupdf.history
+
+# Redirect
+include mupdf.profile
diff --git a/etc/profile-m-z/mupdf-x11-curl.profile b/etc/profile-m-z/mupdf-x11-curl.profile
new file mode 100644
index 000000000..a04d386a2
--- /dev/null
+++ b/etc/profile-m-z/mupdf-x11-curl.profile
@@ -0,0 +1,18 @@
+# Firejail profile for mupdf-x11-curl
+# Description: Lightweight PDF viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mupdf-x11-curl.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+ignore net none
+
+netfilter
+protocol unix,inet,inet6
+
+private-etc ca-certificates,crypto-policies,hosts,nsswitch.conf,pki,resolv.conf,ssl
+
+# Redirect
+include mupdf.profile
diff --git a/etc/profile-m-z/mupdf-x11.profile b/etc/profile-m-z/mupdf-x11.profile
new file mode 100644
index 000000000..256201d0c
--- /dev/null
+++ b/etc/profile-m-z/mupdf-x11.profile
@@ -0,0 +1,14 @@
+# Firejail profile for mupdf-x11
+# Description: Lightweight PDF viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mupdf-x11.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+memory-deny-write-execute
+read-only ${HOME}
+
+# Redirect
+include mupdf.profile
diff --git a/etc/profile-m-z/mupdf.profile b/etc/profile-m-z/mupdf.profile
new file mode 100644
index 000000000..a3e56170a
--- /dev/null
+++ b/etc/profile-m-z/mupdf.profile
@@ -0,0 +1,43 @@
+# Firejail profile for mupdf
+# Description: Lightweight PDF viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mupdf.local
+# Persistent global definitions
+#include globals.local
+
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-dev
+private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/mupen64plus.profile b/etc/profile-m-z/mupen64plus.profile
new file mode 100644
index 000000000..00983a8f3
--- /dev/null
+++ b/etc/profile-m-z/mupen64plus.profile
@@ -0,0 +1,35 @@
+# Firejail profile for mupen64plus
+# Description: Nintendo64 Emulator
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mupen64plus.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/mupen64plus
+noblacklist ${HOME}/.local/share/mupen64plus
+
+include disable-common.inc
+include disable-devel.inc
+include disable-passwdmgr.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+# you'll need to manually whitelist ROM files
+mkdir ${HOME}/.config/mupen64plus
+mkdir ${HOME}/.local/share/mupen64plus
+whitelist ${HOME}/.config/mupen64plus
+whitelist ${HOME}/.local/share/mupen64plus
+include whitelist-common.inc
+
+caps.drop all
+net none
+nodvd
+nonewprivs
+noroot
+notv
+novideo
+seccomp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/muraster.profile b/etc/profile-m-z/muraster.profile
new file mode 100644
index 000000000..90e3f2050
--- /dev/null
+++ b/etc/profile-m-z/muraster.profile
@@ -0,0 +1,11 @@
+# Firejail profile for muraster
+# Description: Lightweight PDF viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include muraster.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include mupdf.profile
diff --git a/etc/profile-m-z/musescore.profile b/etc/profile-m-z/musescore.profile
new file mode 100644
index 000000000..679e82ae8
--- /dev/null
+++ b/etc/profile-m-z/musescore.profile
@@ -0,0 +1,43 @@
+# Firejail profile for musescore
+# Description: Free music composition and notation software
+# This file is overwritten after every install/update
+# Persistent local customizations
+include musescore.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/MusE
+noblacklist ${HOME}/.config/MuseScore
+noblacklist ${HOME}/.local/share/data/MusE
+noblacklist ${HOME}/.local/share/data/MuseScore
+noblacklist ${DOCUMENTS}
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,inet,inet6
+# QtWebengine needs chroot to set up its own sandbox
+seccomp !chroot
+shell none
+tracelog
+
+# private-bin musescore,mscore
+private-tmp
diff --git a/etc/profile-m-z/musixmatch.profile b/etc/profile-m-z/musixmatch.profile
new file mode 100644
index 000000000..a6b85a8e4
--- /dev/null
+++ b/etc/profile-m-z/musixmatch.profile
@@ -0,0 +1,36 @@
+# Firejail profile for Musixmatch
+# This file is overwritten after every install/update
+# Persistent local customizations
+include musixmatch.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nogroups
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+
+disable-mnt
+private-dev
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,machine-id,pki,pulse,ssl
+
diff --git a/etc/profile-m-z/mutool.profile b/etc/profile-m-z/mutool.profile
new file mode 100644
index 000000000..e61f4665d
--- /dev/null
+++ b/etc/profile-m-z/mutool.profile
@@ -0,0 +1,11 @@
+# Firejail profile for mutool
+# Description: Lightweight PDF viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mutool.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include mupdf.profile
diff --git a/etc/profile-m-z/mutt.profile b/etc/profile-m-z/mutt.profile
new file mode 100644
index 000000000..8ff547b52
--- /dev/null
+++ b/etc/profile-m-z/mutt.profile
@@ -0,0 +1,61 @@
+# Firejail profile for mutt
+# Description: Text-based mailreader supporting MIME, GPG, PGP and threading
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mutt.local
+# Persistent global definitions
+include globals.local
+
+noblacklist /var/mail
+noblacklist /var/spool/mail
+noblacklist ${HOME}/.Mail
+noblacklist ${HOME}/.bogofilter
+noblacklist ${HOME}/.cache/mutt
+noblacklist ${HOME}/.config/nano
+noblacklist ${HOME}/.elinks
+noblacklist ${HOME}/.emacs
+noblacklist ${HOME}/.emacs.d
+noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.mail
+noblacklist ${HOME}/.msmtprc
+noblacklist ${HOME}/.mutt
+noblacklist ${HOME}/.muttrc
+noblacklist ${HOME}/.nanorc
+noblacklist ${HOME}/.signature
+noblacklist ${HOME}/.vim
+noblacklist ${HOME}/.viminfo
+noblacklist ${HOME}/.vimrc
+noblacklist ${HOME}/.w3m
+noblacklist ${HOME}/Mail
+noblacklist ${HOME}/mail
+noblacklist ${HOME}/postponed
+noblacklist ${HOME}/sent
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-runuser-common.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-dev
+writable-run-user
diff --git a/etc/profile-m-z/mypaint-ora-thumbnailer.profile b/etc/profile-m-z/mypaint-ora-thumbnailer.profile
new file mode 100644
index 000000000..59b3024ed
--- /dev/null
+++ b/etc/profile-m-z/mypaint-ora-thumbnailer.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for mypaint-ora-thumbnailer
+# This file is overwritten after every install/update
+
+# Redirect
+include mypaint.profile
diff --git a/etc/profile-m-z/mypaint.profile b/etc/profile-m-z/mypaint.profile
new file mode 100644
index 000000000..c592e8477
--- /dev/null
+++ b/etc/profile-m-z/mypaint.profile
@@ -0,0 +1,50 @@
+# Firejail profile for mypaint
+# Description: A fast and easy graphics application for digital painters
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mypaint.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/mypaint
+noblacklist ${HOME}/.config/mypaint
+noblacklist ${HOME}/.local/share/mypaint
+noblacklist ${PICTURES}
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-cache
+private-dev
+private-etc alternatives,dconf,fonts,gtk-3.0
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/nano.profile b/etc/profile-m-z/nano.profile
new file mode 100644
index 000000000..2a4625896
--- /dev/null
+++ b/etc/profile-m-z/nano.profile
@@ -0,0 +1,55 @@
+# Firejail profile for nano
+# Description: nano is an easy text editor for the terminal
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include nano.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+
+noblacklist ${HOME}/.config/nano
+noblacklist ${HOME}/.nanorc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+whitelist /usr/share/nano
+include whitelist-usr-share-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+# disable-mnt
+private-bin nano,rnano
+private-cache
+private-dev
+# Comment the next line if you want to edit files in /etc directly
+private-etc alternatives,nanorc
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/natron.profile b/etc/profile-m-z/natron.profile
new file mode 100644
index 000000000..5bf152f84
--- /dev/null
+++ b/etc/profile-m-z/natron.profile
@@ -0,0 +1,38 @@
+# Firejail profile for natron
+# This file is overwritten after every install/update
+# Persistent local customizations
+include natron.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.Natron
+noblacklist ${HOME}/.cache/INRIA/Natron
+noblacklist ${HOME}/.config/INRIA
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix
+seccomp
+shell none
+
+private-bin natron,Natron,NatronRenderer
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/nautilus.profile b/etc/profile-m-z/nautilus.profile
new file mode 100644
index 000000000..e003488de
--- /dev/null
+++ b/etc/profile-m-z/nautilus.profile
@@ -0,0 +1,44 @@
+# Firejail profile for nautilus
+# Description: File manager and graphical shell for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include nautilus.local
+# Persistent global definitions
+include globals.local
+
+# Nautilus is started by systemd on most systems. Therefore it is not firejailed by default. Since there
+# is already a nautilus process running on gnome desktops firejail will have no effect.
+
+noblacklist ${HOME}/.config/nautilus
+noblacklist ${HOME}/.local/share/Trash
+noblacklist ${HOME}/.local/share/nautilus
+noblacklist ${HOME}/.local/share/nautilus-python
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+# include disable-programs.inc
+
+allusers
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+# nautilus needs to be able to start arbitrary applications so we cannot blacklist their files
+# private-bin nautilus
+# private-dev
+# private-tmp
diff --git a/etc/profile-m-z/ncdu.profile b/etc/profile-m-z/ncdu.profile
new file mode 100644
index 000000000..651804bf1
--- /dev/null
+++ b/etc/profile-m-z/ncdu.profile
@@ -0,0 +1,36 @@
+# Firejail profile for ncdu
+# Description: Ncurses disk usage viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ncdu.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+
+include disable-exec.inc
+
+caps.drop all
+ipc-namespace
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+x11 none
+
+private-dev
+# private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/nemo.profile b/etc/profile-m-z/nemo.profile
new file mode 100644
index 000000000..6a62a3a0c
--- /dev/null
+++ b/etc/profile-m-z/nemo.profile
@@ -0,0 +1,38 @@
+# Firejail profile for nemo
+# Description: File manager and graphical shell for Cinnamon
+# This file is overwritten after every install/update
+# Persistent local customizations
+include nemo.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/nemo
+noblacklist ${HOME}/.local/share/Trash
+noblacklist ${HOME}/.local/share/nemo
+noblacklist ${HOME}/.local/share/nemo-python
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+
+allusers
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
diff --git a/etc/profile-m-z/netactview.profile b/etc/profile-m-z/netactview.profile
new file mode 100644
index 000000000..cbf0d235d
--- /dev/null
+++ b/etc/profile-m-z/netactview.profile
@@ -0,0 +1,54 @@
+# Firejail profile for netactview
+# Description: A graphical network connections viewer similar in functionality to netstat
+# This file is overwritten after every install/update
+# Persistent local customizations
+include netactview.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.netactview
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkfile ${HOME}/.netactview
+whitelist ${HOME}/.netactview
+whitelist /usr/share/netactview
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+seccomp
+shell none
+
+disable-mnt
+private-bin netactview,netactview_polkit
+private-cache
+private-dev
+private-etc alternatives,fonts
+private-lib
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/nethack-vultures.profile b/etc/profile-m-z/nethack-vultures.profile
new file mode 100644
index 000000000..4daa8054b
--- /dev/null
+++ b/etc/profile-m-z/nethack-vultures.profile
@@ -0,0 +1,45 @@
+# Firejail profile for nethack-vultures
+# Description: A rogue-like single player dungeon exploration game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include nethack.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.vultures
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.vultures
+whitelist ${HOME}/.vultures
+whitelist /var/log/vultures
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+#nonewprivs
+#noroot
+notv
+novideo
+#protocol unix,netlink
+#seccomp
+shell none
+
+disable-mnt
+#private
+private-cache
+private-dev
+private-tmp
+writable-var
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/nethack.profile b/etc/profile-m-z/nethack.profile
new file mode 100644
index 000000000..c8c927db2
--- /dev/null
+++ b/etc/profile-m-z/nethack.profile
@@ -0,0 +1,47 @@
+# Firejail profile for nethack
+# Description: A rogue-like single player dungeon exploration game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include nethack.local
+# Persistent global definitions
+include globals.local
+
+noblacklist /var/games/nethack
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+whitelist /var/games/nethack
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+no3d
+nodvd
+nogroups
+#nonewprivs
+#noroot
+nosound
+notv
+novideo
+#protocol unix,netlink
+#seccomp
+shell none
+
+disable-mnt
+#private
+private-cache
+private-dev
+private-tmp
+writable-var
+
+dbus-user none
+dbus-system none
+
+#memory-deny-write-execute
diff --git a/etc/profile-m-z/netsurf.profile b/etc/profile-m-z/netsurf.profile
new file mode 100644
index 000000000..0ddb7bbbe
--- /dev/null
+++ b/etc/profile-m-z/netsurf.profile
@@ -0,0 +1,34 @@
+# Firejail profile for netsurf
+# Description: Lightweight and fast web browser
+# This file is overwritten after every install/update
+# Persistent local customizations
+include netsurf.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/netsurf
+noblacklist ${HOME}/.config/netsurf
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.cache/netsurf
+mkdir ${HOME}/.config/netsurf
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.cache/netsurf
+whitelist ${HOME}/.config/netsurf
+include whitelist-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
+
+disable-mnt
diff --git a/etc/profile-m-z/neverball.profile b/etc/profile-m-z/neverball.profile
new file mode 100644
index 000000000..84c634549
--- /dev/null
+++ b/etc/profile-m-z/neverball.profile
@@ -0,0 +1,39 @@
+# Firejail profile for neverball
+# Description: 3D floor-tilting game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include neverball.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.neverball
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.neverball
+whitelist ${HOME}/.neverball
+include whitelist-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+
+disable-mnt
+private-bin neverball
+private-dev
+private-tmp
+
diff --git a/etc/profile-m-z/neverputt.profile b/etc/profile-m-z/neverputt.profile
new file mode 100644
index 000000000..d370d1218
--- /dev/null
+++ b/etc/profile-m-z/neverputt.profile
@@ -0,0 +1,11 @@
+# Firejail profile for neverputt
+# This file is overwritten after every install/update
+# Persistent local customizations
+include neverputt.local
+# added by included profile
+#include globals.local
+
+private-bin neverputt
+
+# Redirect
+include neverball.profile
diff --git a/etc/profile-m-z/newsbeuter.profile b/etc/profile-m-z/newsbeuter.profile
new file mode 100644
index 000000000..85581a2f0
--- /dev/null
+++ b/etc/profile-m-z/newsbeuter.profile
@@ -0,0 +1,21 @@
+# Firejail profile for Newsbeuter
+# Description: Text based Atom/RSS feed reader
+# This file is overwritten after every install/update
+# Persistent local customizations
+include newsbeuter.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.config/newsbeuter
+noblacklist ${HOME}/.newsbeuter
+
+mkdir ${HOME}/.config/newsbeuter
+mkdir ${HOME}/.newsbeuter
+whitelist ${HOME}/.config/newsbeuter
+whitelist ${HOME}/.newsbeuter
+
+private-bin newsbeuter
+
+# Redirect
+include newsboat.profile
diff --git a/etc/profile-m-z/newsboat.profile b/etc/profile-m-z/newsboat.profile
new file mode 100644
index 000000000..a7bac6286
--- /dev/null
+++ b/etc/profile-m-z/newsboat.profile
@@ -0,0 +1,50 @@
+# Firejail profile for Newsboat
+# Description: RSS program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include newsboat.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.newsboat
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.newsboat
+whitelist ${HOME}/.newsboat
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-bin newsboat
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl,terminfo
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/nheko.profile b/etc/profile-m-z/nheko.profile
new file mode 100644
index 000000000..119b30239
--- /dev/null
+++ b/etc/profile-m-z/nheko.profile
@@ -0,0 +1,41 @@
+# Firejail profile for nheko
+# Description: Desktop IM client for the Matrix protocol
+# This file is overwritten after every install/update
+# Persistent local customizations
+include nheko.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/nheko
+noblacklist ${HOME}/.cache/nheko/nheko
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.config/nheko
+mkdir ${HOME}/.cache/nheko/nheko
+whitelist ${HOME}/.config/nheko
+whitelist ${HOME}/.cache/nheko/nheko
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin nheko
+private-tmp
+
diff --git a/etc/profile-m-z/nicotine.profile b/etc/profile-m-z/nicotine.profile
new file mode 100644
index 000000000..7764edffb
--- /dev/null
+++ b/etc/profile-m-z/nicotine.profile
@@ -0,0 +1,55 @@
+# Firejail profile for Nicotine Plus
+# Description: Soulseek music-sharing client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include nicotine.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.nicotine
+
+include allow-python2.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.nicotine
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.nicotine
+whitelist /usr/share/GeoIP
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+#ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin nicotine,python2*
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/nitroshare-cli.profile b/etc/profile-m-z/nitroshare-cli.profile
new file mode 100644
index 000000000..d9cb2edc5
--- /dev/null
+++ b/etc/profile-m-z/nitroshare-cli.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for nitroshare
+# Description: Network File Transfer Application
+# This file is overwritten after every install/update
+
+# Redirect
+include nitroshare.profile
diff --git a/etc/profile-m-z/nitroshare-nmh.profile b/etc/profile-m-z/nitroshare-nmh.profile
new file mode 100644
index 000000000..d9cb2edc5
--- /dev/null
+++ b/etc/profile-m-z/nitroshare-nmh.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for nitroshare
+# Description: Network File Transfer Application
+# This file is overwritten after every install/update
+
+# Redirect
+include nitroshare.profile
diff --git a/etc/profile-m-z/nitroshare-send.profile b/etc/profile-m-z/nitroshare-send.profile
new file mode 100644
index 000000000..d9cb2edc5
--- /dev/null
+++ b/etc/profile-m-z/nitroshare-send.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for nitroshare
+# Description: Network File Transfer Application
+# This file is overwritten after every install/update
+
+# Redirect
+include nitroshare.profile
diff --git a/etc/profile-m-z/nitroshare-ui.profile b/etc/profile-m-z/nitroshare-ui.profile
new file mode 100644
index 000000000..d9cb2edc5
--- /dev/null
+++ b/etc/profile-m-z/nitroshare-ui.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for nitroshare
+# Description: Network File Transfer Application
+# This file is overwritten after every install/update
+
+# Redirect
+include nitroshare.profile
diff --git a/etc/profile-m-z/nitroshare.profile b/etc/profile-m-z/nitroshare.profile
new file mode 100644
index 000000000..1743a771e
--- /dev/null
+++ b/etc/profile-m-z/nitroshare.profile
@@ -0,0 +1,52 @@
+# Firejail profile for nitroshare
+# Description: Network File Transfer Application
+# This file is overwritten after every install/update
+# Persistent local customizations
+include nitroshare.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/Nathan Osman
+noblacklist ${HOME}/.config/NitroShare
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+disable-mnt
+private-bin awk,grep,nitroshare,nitroshare-cli,nitroshare-nmh,nitroshare-send,nitroshare-ui
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,dconf,fonts,hostname,hosts,ld.so.cache,machine-id,nsswitch.conf,ssl
+# private-lib libnitroshare.so.*,libqhttpengine.so.*,libqmdnsengine.so.*,nitroshare
+private-tmp
+
+# dbus-user none
+# dbus-system none
+
+# memory-deny-write-execute
diff --git a/etc/profile-m-z/nomacs.profile b/etc/profile-m-z/nomacs.profile
new file mode 100644
index 000000000..7a7ff504a
--- /dev/null
+++ b/etc/profile-m-z/nomacs.profile
@@ -0,0 +1,47 @@
+# Firejail profile for nomacs
+# Description: a fast and small image viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include nomacs.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/nomacs
+noblacklist ${HOME}/.local/share/nomacs
+noblacklist ${HOME}/.local/share/data/nomacs
+noblacklist ${PICTURES}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+#private-bin nomacs
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hosts,login.defs,machine-id,pki,resolv.conf,ssl
+private-tmp
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/nslookup.profile b/etc/profile-m-z/nslookup.profile
new file mode 100644
index 000000000..a8e0ddd89
--- /dev/null
+++ b/etc/profile-m-z/nslookup.profile
@@ -0,0 +1,56 @@
+# Firejail profile for nslookup
+# Description: DNS lookup utility
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include nslookup.local
+# Persistent global definitions
+include globals.local
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
+
+noblacklist ${PATH}/nslookup
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist ${HOME}/.nslookuprc
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin bash,nslookup,sh
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/nylas.profile b/etc/profile-m-z/nylas.profile
new file mode 100644
index 000000000..c959eb991
--- /dev/null
+++ b/etc/profile-m-z/nylas.profile
@@ -0,0 +1,38 @@
+# Firejail profile for nylas
+# This file is overwritten after every install/update
+# Persistent local customizations
+include nylas.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/Nylas Mail
+noblacklist ${HOME}/.nylas-mail
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.config/Nylas Mail
+mkdir ${HOME}/.nylas-mail
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.config/Nylas Mail
+whitelist ${HOME}/.nylas-mail
+include whitelist-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+private-dev
diff --git a/etc/profile-m-z/nyx.profile b/etc/profile-m-z/nyx.profile
new file mode 100644
index 000000000..df214ff20
--- /dev/null
+++ b/etc/profile-m-z/nyx.profile
@@ -0,0 +1,53 @@
+# Firejail profile for nyx
+# Description: Command-line status monitor for tor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include nyx.local
+# Persistent global definitions
+include globals.local
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+noblacklist ${HOME}/.nyx
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.nyx
+whitelist ${HOME}/.nyx
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-bin nyx,python*
+private-cache
+private-dev
+private-etc alternatives,fonts,passwd,tor
+private-opt none
+private-srv none
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/obs.profile b/etc/profile-m-z/obs.profile
new file mode 100644
index 000000000..4277bdab3
--- /dev/null
+++ b/etc/profile-m-z/obs.profile
@@ -0,0 +1,43 @@
+# Firejail profile for obs
+# This file is overwritten after every install/update
+# Persistent local customizations
+include obs.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/obs-studio
+noblacklist ${MUSIC}
+noblacklist ${PICTURES}
+noblacklist ${VIDEOS}
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-bin bash,obs,obs-ffmpeg-mux,python*,sh
+private-cache
+private-dev
+private-tmp
+
diff --git a/etc/profile-m-z/ocenaudio.profile b/etc/profile-m-z/ocenaudio.profile
new file mode 100644
index 000000000..61fe14c08
--- /dev/null
+++ b/etc/profile-m-z/ocenaudio.profile
@@ -0,0 +1,54 @@
+# Firejail profile for ocenaudio
+# Description: Cross-platform, easy to use, fast and functional audio editor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ocenaudio.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/ocenaudio
+noblacklist ${DOCUMENTS}
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+# net none - breaks update functionality and AppArmor on Ubuntu systems
+# uncomment (or put 'net none' in your ocenaudio.local) when needed
+#net none
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin ocenaudio
+private-cache
+private-dev
+private-etc alternatives,asound.conf,fonts,ld.so.cache,pulse
+private-tmp
+
+# breaks preferences
+# dbus-user none
+# dbus-system none
+
+#memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/profile-m-z/odt2txt.profile b/etc/profile-m-z/odt2txt.profile
new file mode 100644
index 000000000..3e4bd94b6
--- /dev/null
+++ b/etc/profile-m-z/odt2txt.profile
@@ -0,0 +1,46 @@
+# Firejail profile for odt2txt
+# Description: Simple converter from OpenDocument Text to plain text
+# This file is overwritten after every install/update
+# Persistent local customizations
+include odt2txt.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+private-bin odt2txt
+private-cache
+private-dev
+private-etc alternatives
+private-tmp
+
+dbus-user none
+dbus-system none
+
+read-only ${HOME}
diff --git a/etc/profile-m-z/oggsplt.profile b/etc/profile-m-z/oggsplt.profile
new file mode 100644
index 000000000..5aedadde9
--- /dev/null
+++ b/etc/profile-m-z/oggsplt.profile
@@ -0,0 +1,9 @@
+# Firejail profile for oggsplt
+# This file is overwritten after every install/update
+include oggsplt.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include mp3splt.profile
diff --git a/etc/profile-m-z/okular.profile b/etc/profile-m-z/okular.profile
new file mode 100644
index 000000000..de82f8266
--- /dev/null
+++ b/etc/profile-m-z/okular.profile
@@ -0,0 +1,63 @@
+# Firejail profile for okular
+# Description: Universal document viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include okular.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/okular
+noblacklist ${HOME}/.config/okularpartrc
+noblacklist ${HOME}/.config/okularrc
+noblacklist ${HOME}/.kde/share/apps/okular
+noblacklist ${HOME}/.kde/share/config/okularpartrc
+noblacklist ${HOME}/.kde/share/config/okularrc
+noblacklist ${HOME}/.kde4/share/apps/okular
+noblacklist ${HOME}/.kde4/share/config/okularpartrc
+noblacklist ${HOME}/.kde4/share/config/okularrc
+noblacklist ${HOME}/.local/share/okular
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist /usr/share/config.kcfg
+whitelist /usr/share/okular
+whitelist /usr/share/poppler
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+# net none
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin kbuildsycoca4,kdeinit4,lpr,okular
+private-dev
+private-etc alternatives,cups,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,xdg
+# private-tmp - on KDE we need access to the real /tmp for data exchange with email clients
+
+# dbus-user none
+# dbus-system none
+
+# memory-deny-write-execute
+
+join-or-start okular
diff --git a/etc/profile-m-z/onionshare-gui.profile b/etc/profile-m-z/onionshare-gui.profile
new file mode 100644
index 000000000..5bfcd0527
--- /dev/null
+++ b/etc/profile-m-z/onionshare-gui.profile
@@ -0,0 +1,41 @@
+# Firejail profile for onionshare-gui
+# This file is overwritten after every install/update
+# Persistent local customizations
+include onionshare-gui.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/onionshare
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-dev
+private-tmp
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/ooffice.profile b/etc/profile-m-z/ooffice.profile
new file mode 100644
index 000000000..8348a57fe
--- /dev/null
+++ b/etc/profile-m-z/ooffice.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for libreoffice
+# This file is overwritten after every install/update
+
+# Redirect
+include libreoffice.profile
diff --git a/etc/profile-m-z/ooviewdoc.profile b/etc/profile-m-z/ooviewdoc.profile
new file mode 100644
index 000000000..8348a57fe
--- /dev/null
+++ b/etc/profile-m-z/ooviewdoc.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for libreoffice
+# This file is overwritten after every install/update
+
+# Redirect
+include libreoffice.profile
diff --git a/etc/profile-m-z/open-invaders.profile b/etc/profile-m-z/open-invaders.profile
new file mode 100644
index 000000000..de1ef7800
--- /dev/null
+++ b/etc/profile-m-z/open-invaders.profile
@@ -0,0 +1,42 @@
+# Firejail profile for open-invaders
+# Description: Space Invaders clone
+# This file is overwritten after every install/update
+# Persistent local customizations
+include open-invaders.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.openinvaders
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.openinvaders
+whitelist ${HOME}/.openinvaders
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+
+private-bin open-invaders
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/openarena.profile b/etc/profile-m-z/openarena.profile
new file mode 100644
index 000000000..3b15a6e42
--- /dev/null
+++ b/etc/profile-m-z/openarena.profile
@@ -0,0 +1,45 @@
+# Firejail profile for OpenArena
+# Description: deathmatch FPS game based on GPL idTech3 technology
+# This file is overwritten after every install/update
+# Persistent local customizations
+include openarena.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.openarena
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+# ipc-namespace
+# netfilter
+# nodvd
+# nogroups
+nonewprivs
+noroot
+notv
+# nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+# tracelog
+
+# disable-mnt
+# private-bin openarena
+private-cache
+private-dev
+# private-etc drirc,machine-id,openal,passwd,selinux,udev,xdg
+private-tmp
+
+# dbus-user none
+# dbus-system none
diff --git a/etc/profile-m-z/openbox.profile b/etc/profile-m-z/openbox.profile
new file mode 100644
index 000000000..1fb93c79c
--- /dev/null
+++ b/etc/profile-m-z/openbox.profile
@@ -0,0 +1,20 @@
+# Firejail profile for openbox
+# Description: Standards-compliant, fast, light-weight and extensible window manager
+# This file is overwritten after every install/update
+# Persistent local customizations
+include openbox.local
+# Persistent global definitions
+include globals.local
+
+# all applications started in OpenBox will run in this profile
+noblacklist ${HOME}/.config/openbox
+include disable-common.inc
+
+caps.drop all
+netfilter
+noroot
+protocol unix,inet,inet6
+seccomp
+
+read-only ${HOME}/.config/openbox/autostart
+read-only ${HOME}/.config/openbox/environment
diff --git a/etc/profile-m-z/opencity.profile b/etc/profile-m-z/opencity.profile
new file mode 100644
index 000000000..59a2d1055
--- /dev/null
+++ b/etc/profile-m-z/opencity.profile
@@ -0,0 +1,47 @@
+# Firejail profile for opencity
+# Description: Full 3D city simulator game project
+# This file is overwritten after every install/update
+# Persistent local customizations
+include opencity.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.opencity
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.opencity
+whitelist ${HOME}/.opencity
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin opencity
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/openclonk.profile b/etc/profile-m-z/openclonk.profile
new file mode 100644
index 000000000..37f046df2
--- /dev/null
+++ b/etc/profile-m-z/openclonk.profile
@@ -0,0 +1,48 @@
+# Firejail profile for openclonk
+# Description: Multiplayer action, tactics and skill game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include openclonk.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.clonk
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.clonk
+whitelist ${HOME}/.clonk
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+# net none - networked game
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin c4group,openclonk
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/openoffice.org.profile b/etc/profile-m-z/openoffice.org.profile
new file mode 100644
index 000000000..8348a57fe
--- /dev/null
+++ b/etc/profile-m-z/openoffice.org.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for libreoffice
+# This file is overwritten after every install/update
+
+# Redirect
+include libreoffice.profile
diff --git a/etc/profile-m-z/openshot-qt.profile b/etc/profile-m-z/openshot-qt.profile
new file mode 100644
index 000000000..2f886d2ac
--- /dev/null
+++ b/etc/profile-m-z/openshot-qt.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for openshot
+# This file is overwritten after every install/update
+
+# Redirect
+include openshot.profile
diff --git a/etc/profile-m-z/openshot.profile b/etc/profile-m-z/openshot.profile
new file mode 100644
index 000000000..e1839c724
--- /dev/null
+++ b/etc/profile-m-z/openshot.profile
@@ -0,0 +1,42 @@
+# Firejail profile for openshot
+# Description: Create and edit videos and movies
+# This file is overwritten after every install/update
+# Persistent local customizations
+include openshot.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.openshot
+noblacklist ${HOME}/.openshot_qt
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/openttd.profile b/etc/profile-m-z/openttd.profile
new file mode 100644
index 000000000..57e3787aa
--- /dev/null
+++ b/etc/profile-m-z/openttd.profile
@@ -0,0 +1,47 @@
+# Firejail profile for openttd
+# Description: Transport system simulation game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include openttd.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.openttd
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.openttd
+whitelist ${HOME}/.openttd
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin openttd
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/opera-beta.profile b/etc/profile-m-z/opera-beta.profile
new file mode 100644
index 000000000..8658d30c6
--- /dev/null
+++ b/etc/profile-m-z/opera-beta.profile
@@ -0,0 +1,17 @@
+# Firejail profile for opera-beta
+# This file is overwritten after every install/update
+# Persistent local customizations
+include opera-beta.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/opera
+noblacklist ${HOME}/.config/opera-beta
+
+mkdir ${HOME}/.cache/opera
+mkdir ${HOME}/.config/opera-beta
+whitelist ${HOME}/.cache/opera
+whitelist ${HOME}/.config/opera-beta
+
+# Redirect
+include chromium-common.profile
diff --git a/etc/profile-m-z/opera.profile b/etc/profile-m-z/opera.profile
new file mode 100644
index 000000000..b342b3961
--- /dev/null
+++ b/etc/profile-m-z/opera.profile
@@ -0,0 +1,21 @@
+# Firejail profile for opera
+# Description: A fast and secure web browser
+# This file is overwritten after every install/update
+# Persistent local customizations
+include opera.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/opera
+noblacklist ${HOME}/.config/opera
+noblacklist ${HOME}/.opera
+
+mkdir ${HOME}/.cache/opera
+mkdir ${HOME}/.config/opera
+mkdir ${HOME}/.opera
+whitelist ${HOME}/.cache/opera
+whitelist ${HOME}/.config/opera
+whitelist ${HOME}/.opera
+
+# Redirect
+include chromium-common.profile
diff --git a/etc/profile-m-z/orage.profile b/etc/profile-m-z/orage.profile
new file mode 100644
index 000000000..4e12892d6
--- /dev/null
+++ b/etc/profile-m-z/orage.profile
@@ -0,0 +1,39 @@
+# Firejail profile for orage
+# Description: Calendar for Xfce Desktop Environment
+# This file is overwritten after every install/update
+# Persistent local customizations
+include orage.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/orage
+noblacklist ${HOME}/.local/share/orage
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+# nosound - calendar application, It must be able to play sound to wake you up.
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+disable-mnt
+private-cache
+private-dev
+private-tmp
+
diff --git a/etc/profile-m-z/ostrichriders.profile b/etc/profile-m-z/ostrichriders.profile
new file mode 100644
index 000000000..378d267f6
--- /dev/null
+++ b/etc/profile-m-z/ostrichriders.profile
@@ -0,0 +1,47 @@
+# Firejail profile for ostrichriders
+# Description: Knights flying on ostriches compete against other riders
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ostrichriders.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.ostrichriders
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.ostrichriders
+whitelist ${HOME}/.ostrichriders
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin ostrichriders
+private-cache
+# private-dev should be commented for controllers
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/out123.profile b/etc/profile-m-z/out123.profile
new file mode 100644
index 000000000..4754c05ba
--- /dev/null
+++ b/etc/profile-m-z/out123.profile
@@ -0,0 +1,9 @@
+# Firejail profile for out123
+# Persistent local customizations
+include out123.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include mpg123.profile
diff --git a/etc/profile-m-z/p7zip.profile b/etc/profile-m-z/p7zip.profile
new file mode 100644
index 000000000..652fac7bd
--- /dev/null
+++ b/etc/profile-m-z/p7zip.profile
@@ -0,0 +1,12 @@
+# Firejail profile for p7zip
+# Description: File archiver with high compression ratio
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include p7zip.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include 7z.profile
diff --git a/etc/profile-m-z/palemoon.profile b/etc/profile-m-z/palemoon.profile
new file mode 100644
index 000000000..acb2ce176
--- /dev/null
+++ b/etc/profile-m-z/palemoon.profile
@@ -0,0 +1,26 @@
+# Firejail profile for palemoon
+# This file is overwritten after every install/update
+# Persistent local customizations
+include palemoon.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/moonchild productions/pale moon
+noblacklist ${HOME}/.moonchild productions/pale moon
+
+mkdir ${HOME}/.cache/moonchild productions/pale moon
+mkdir ${HOME}/.moonchild productions
+whitelist ${HOME}/.cache/moonchild productions/pale moon
+whitelist ${HOME}/.moonchild productions
+
+# Palemoon can use the full firejail seccomp filter (unlike firefox >= 60)
+seccomp
+ignore seccomp
+
+#private-bin palemoon
+# private-etc must first be enabled in firefox-common.profile
+#private-etc palemoon
+#private-opt palemoon
+
+# Redirect
+include firefox-common.profile
diff --git a/etc/profile-m-z/pandoc.profile b/etc/profile-m-z/pandoc.profile
new file mode 100644
index 000000000..354f6eab8
--- /dev/null
+++ b/etc/profile-m-z/pandoc.profile
@@ -0,0 +1,56 @@
+# Firejail profile for pandoc
+# Description: general markup converter
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include pandoc.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
+
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+# breaks pdf output
+#include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+disable-mnt
+private-bin context,latex,mktexfmt,pandoc,pdflatex,pdfroff,prince,weasyprint,wkhtmltopdf
+private-cache
+private-dev
+private-etc alternatives,texlive
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/parole.profile b/etc/profile-m-z/parole.profile
new file mode 100644
index 000000000..e7a0694ed
--- /dev/null
+++ b/etc/profile-m-z/parole.profile
@@ -0,0 +1,30 @@
+# Firejail profile for parole
+# Description: Media player based on GStreamer framework
+# This file is overwritten after every install/update
+# Persistent local customizations
+include parole.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${MUSIC}
+noblacklist ${VIDEOS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-bin dbus-launch,parole
+private-cache
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,machine-id,passwd,pki,pulse,ssl
diff --git a/etc/profile-m-z/patch.profile b/etc/profile-m-z/patch.profile
new file mode 100644
index 000000000..2bb85e3c6
--- /dev/null
+++ b/etc/profile-m-z/patch.profile
@@ -0,0 +1,50 @@
+# Firejail profile for patch
+# Description: Apply a diff file to an original
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include patch.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
+
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+private-bin patch,red
+private-dev
+private-lib libfakeroot
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/pavucontrol-qt.profile b/etc/profile-m-z/pavucontrol-qt.profile
new file mode 100644
index 000000000..f96ba14d2
--- /dev/null
+++ b/etc/profile-m-z/pavucontrol-qt.profile
@@ -0,0 +1,19 @@
+# Firejail profile for pavucontrol-qt
+# Description: PulseAudio Volume Control [Qt]
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pavucontrol-qt.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.config/pavucontrol-qt
+
+mkdir ${HOME}/.config/pavucontrol-qt
+whitelist ${HOME}/.config/pavucontrol-qt
+
+private-bin pavucontrol-qt
+ignore private-lib
+
+# Redirect
+include pavucontrol.profile
diff --git a/etc/profile-m-z/pavucontrol.profile b/etc/profile-m-z/pavucontrol.profile
new file mode 100644
index 000000000..f7d3576da
--- /dev/null
+++ b/etc/profile-m-z/pavucontrol.profile
@@ -0,0 +1,56 @@
+# Firejail profile for pavucontrol
+# Description: PulseAudio Volume Control [GTK]
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pavucontrol.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/pavucontrol.ini
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+# whitelisting in ${HOME} is broken, see #3112
+#mkfile ${HOME}/.config/pavucontrol.ini
+#whitelist ${HOME}/.config/pavucontrol.ini
+whitelist /usr/share/pavucontrol
+whitelist /usr/share/pavucontrol-qt
+#include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin pavucontrol
+private-cache
+private-dev
+private-etc alternatives,asound.conf,avahi,fonts,machine-id,pulse
+private-lib
+private-tmp
+
+dbus-user none
+dbus-system none
+
+# mdwe is broken under Wayland, but works under Xorg.
+#memory-deny-write-execute
diff --git a/etc/profile-m-z/pcmanfm.profile b/etc/profile-m-z/pcmanfm.profile
new file mode 100644
index 000000000..4e53f9d6e
--- /dev/null
+++ b/etc/profile-m-z/pcmanfm.profile
@@ -0,0 +1,35 @@
+# Firejail profile for pcmanfm
+# Description: Extremely fast and lightweight file manager
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pcmanfm.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/Trash
+# noblacklist ${HOME}/.config/libfm - disable-programs.inc is disabled, see below
+# noblacklist ${HOME}/.config/pcmanfm
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+# include disable-programs.inc
+
+allusers
+caps.drop all
+# net none - see issue #1467, computer:/// location broken
+no3d
+nodvd
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+# dbus-user none
+# dbus-system none
diff --git a/etc/profile-m-z/pdfchain.profile b/etc/profile-m-z/pdfchain.profile
new file mode 100644
index 000000000..4b6da4d6f
--- /dev/null
+++ b/etc/profile-m-z/pdfchain.profile
@@ -0,0 +1,43 @@
+# Firejail profile for pdfchain
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pdfchain.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+no3d
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+private-bin pdfchain,pdftk,sh
+private-dev
+private-etc alternatives,dconf,fonts,gtk-3.0,xdg
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/pdflatex.profile b/etc/profile-m-z/pdflatex.profile
new file mode 100644
index 000000000..caf980d4d
--- /dev/null
+++ b/etc/profile-m-z/pdflatex.profile
@@ -0,0 +1,12 @@
+# Firejail profile for pdflatex
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pdflatex.local
+# Persistent global definitions
+include globals.local
+
+private-bin pdflatex
+
+# Redirect
+include latex-common.profile
+
diff --git a/etc/profile-m-z/pdfmod.profile b/etc/profile-m-z/pdfmod.profile
new file mode 100644
index 000000000..fb3c42526
--- /dev/null
+++ b/etc/profile-m-z/pdfmod.profile
@@ -0,0 +1,44 @@
+# Firejail profile for pdfmod
+# Description: Simple tool for modifying PDF documents
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pdfmod.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/pdfmod
+noblacklist ${HOME}/.config/pdfmod
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/pdfsam.profile b/etc/profile-m-z/pdfsam.profile
new file mode 100644
index 000000000..2f4227159
--- /dev/null
+++ b/etc/profile-m-z/pdfsam.profile
@@ -0,0 +1,44 @@
+# Firejail profile for pdfsam
+# Description: PDF Split and Merge
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pdfsam.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${DOCUMENTS}
+
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+private-bin archlinux-java,awk,bash,dirname,expr,find,grep,java,java-config,ls,pdfsam,readlink,sh,sort,uname,which
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/pdftotext.profile b/etc/profile-m-z/pdftotext.profile
new file mode 100644
index 000000000..d9e4aedfb
--- /dev/null
+++ b/etc/profile-m-z/pdftotext.profile
@@ -0,0 +1,53 @@
+# Firejail profile for pdftotext
+# Description: Portable Document Format (PDF) to text converter
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pdftotext.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
+
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist ${DOCUMENTS}
+whitelist ${DOWNLOADS}
+whitelist /usr/share/poppler
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+private-bin pdftotext
+private-cache
+private-dev
+private-etc alternatives
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/peek.profile b/etc/profile-m-z/peek.profile
new file mode 100644
index 000000000..66fdd6496
--- /dev/null
+++ b/etc/profile-m-z/peek.profile
@@ -0,0 +1,43 @@
+# Firejail profile for peek
+# This file is overwritten after every install/update
+# Persistent local customizations
+include peek.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/peek
+noblacklist ${PICTURES}
+noblacklist ${VIDEOS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+# private-bin breaks gif mode, mp4 and webm mode work fine however
+# private-bin convert,ffmpeg,peek
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/penguin-command.profile b/etc/profile-m-z/penguin-command.profile
new file mode 100644
index 000000000..d4d3e914d
--- /dev/null
+++ b/etc/profile-m-z/penguin-command.profile
@@ -0,0 +1,41 @@
+# Firejail profile for open-invaders
+# Description: Space Invaders clone
+# This file is overwritten after every install/update
+# Persistent local customizations
+include penguin-command.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.penguin-command
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+whitelist ${HOME}/.penguin-command
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+
+private-bin penguin-command
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/picard.profile b/etc/profile-m-z/picard.profile
new file mode 100644
index 000000000..15fc7a454
--- /dev/null
+++ b/etc/profile-m-z/picard.profile
@@ -0,0 +1,43 @@
+# Firejail profile for picard
+# Description: Next-Generation MusicBrainz audio files tagger
+# This file is overwritten after every install/update
+# Persistent local customizations
+include picard.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/MusicBrainz
+noblacklist ${HOME}/.config/MusicBrainz
+noblacklist ${MUSIC}
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-dev
+private-tmp
+
diff --git a/etc/profile-m-z/pidgin.profile b/etc/profile-m-z/pidgin.profile
new file mode 100644
index 000000000..2e4215744
--- /dev/null
+++ b/etc/profile-m-z/pidgin.profile
@@ -0,0 +1,45 @@
+# Firejail profile for pidgin
+# Description: Graphical multi-protocol instant messaging client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pidgin.local
+# Persistent global definitions
+include globals.local
+
+ignore noexec ${RUNUSER}
+ignore noexec /dev/shm
+
+noblacklist ${HOME}/.purple
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.purple
+whitelist ${HOME}/.purple
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6
+seccomp
+# shell none
+tracelog
+
+# private-bin pidgin
+private-cache
+private-dev
+private-tmp
diff --git a/etc/profile-m-z/ping.profile b/etc/profile-m-z/ping.profile
new file mode 100644
index 000000000..3ef8ad64a
--- /dev/null
+++ b/etc/profile-m-z/ping.profile
@@ -0,0 +1,56 @@
+# Firejail profile for ping
+# Description: send ICMP ECHO_REQUEST to network hosts
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include ping.local
+# Persistent global definitions
+include globals.local
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.keep net_raw
+ipc-namespace
+#net tun0
+#netfilter /etc/firejail/ping.net
+netfilter
+no3d
+nodvd
+nogroups
+# ping needs to rise privileges, noroot and nonewprivs will kill it
+#nonewprivs
+#noroot
+nosound
+notv
+nou2f
+novideo
+# protocol command is built using seccomp; nonewprivs will kill it
+#protocol unix,inet,inet6,netlink,packet
+# killed by no-new-privs
+#seccomp
+
+disable-mnt
+private
+#private-bin has mammoth problems with execvp: "No such file or directory"
+private-dev
+# /etc/hosts is required in private-etc; however, just adding it to the list doesn't solve the problem!
+#private-etc ca-certificates,crypto-policies,hosts,pki,resolv.conf,ssl
+private-tmp
+
+# memory-deny-write-execute is built using seccomp; nonewprivs will kill it
+#memory-deny-write-execute
diff --git a/etc/profile-m-z/pingus.profile b/etc/profile-m-z/pingus.profile
new file mode 100644
index 000000000..cfe45b9c9
--- /dev/null
+++ b/etc/profile-m-z/pingus.profile
@@ -0,0 +1,42 @@
+# Firejail profile for pingus
+# Description: Free Lemmings(TM) clone
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pingus.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.pingus
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.pingus
+whitelist ${HOME}/.pingus
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+
+# private-bin pingus
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/pinta.profile b/etc/profile-m-z/pinta.profile
new file mode 100644
index 000000000..7d94972c4
--- /dev/null
+++ b/etc/profile-m-z/pinta.profile
@@ -0,0 +1,41 @@
+# Firejail profile for pinta
+# Description: Simple drawing/painting program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pinta.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/Pinta
+noblacklist ${DOCUMENTS}
+noblacklist ${PICTURES}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+private-dev
+private-cache
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/pioneer.profile b/etc/profile-m-z/pioneer.profile
new file mode 100644
index 000000000..8b1c5afb8
--- /dev/null
+++ b/etc/profile-m-z/pioneer.profile
@@ -0,0 +1,46 @@
+# Firejail profile for pioneer
+# Description: A game of lonely space adventure
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pioneer.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.pioneer
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.pioneer
+whitelist ${HOME}/.pioneer
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin modelcompiler,pioneer,savegamedump
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/pithos.profile b/etc/profile-m-z/pithos.profile
new file mode 100644
index 000000000..ad56ce525
--- /dev/null
+++ b/etc/profile-m-z/pithos.profile
@@ -0,0 +1,42 @@
+# Firejail profile for pithos
+# Description: Pandora Radio client for the GNOME desktop
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pithos.local
+# Persistent global definitions
+include globals.local
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-bin env,pithos,python*
+private-dev
+private-tmp
+
diff --git a/etc/profile-m-z/pitivi.profile b/etc/profile-m-z/pitivi.profile
new file mode 100644
index 000000000..c722e29b4
--- /dev/null
+++ b/etc/profile-m-z/pitivi.profile
@@ -0,0 +1,42 @@
+# Firejail profile for pitivi
+# Description: Non-linear audio/video editor using GStreamer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pitivi.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/pitivi
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+private-dev
+private-tmp
+
diff --git a/etc/profile-m-z/pix.profile b/etc/profile-m-z/pix.profile
new file mode 100644
index 000000000..9864ed718
--- /dev/null
+++ b/etc/profile-m-z/pix.profile
@@ -0,0 +1,36 @@
+# Firejail profile for pix
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pix.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/pix
+noblacklist ${HOME}/.local/share/pix
+noblacklist ${HOME}/.Steam
+noblacklist ${HOME}/.steam
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+caps.drop all
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin pix
+private-cache
+private-dev
+private-tmp
diff --git a/etc/profile-m-z/planmaker18.profile b/etc/profile-m-z/planmaker18.profile
new file mode 100644
index 000000000..2ba8e86c0
--- /dev/null
+++ b/etc/profile-m-z/planmaker18.profile
@@ -0,0 +1,10 @@
+# Firejail profile for planmaker18
+# Description: SoftMaker Office - spreadsheet program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include planmaker18.local
+# Persistent global definitions
+include globals.local
+
+# Redirect
+include softmaker-common.inc
diff --git a/etc/profile-m-z/planmaker18free.profile b/etc/profile-m-z/planmaker18free.profile
new file mode 100644
index 000000000..d0bce44f5
--- /dev/null
+++ b/etc/profile-m-z/planmaker18free.profile
@@ -0,0 +1,10 @@
+# Firejail profile for planmaker18free
+# Description: SoftMaker FreeOffice - spreadsheet program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include planmaker18free.local
+# Persistent global definitions
+include globals.local
+
+# Redirect
+include softmaker-common.inc
diff --git a/etc/profile-m-z/playonlinux.profile b/etc/profile-m-z/playonlinux.profile
new file mode 100644
index 000000000..03091af6d
--- /dev/null
+++ b/etc/profile-m-z/playonlinux.profile
@@ -0,0 +1,37 @@
+# Firejail profile for playonlinux
+# Description: Front-end for Wine
+# This file is overwritten after every install/update
+# Persistent local customizations
+include playonlinux.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.Steam
+noblacklist ${HOME}/.local/share/Steam
+noblacklist ${HOME}/.local/share/steam
+noblacklist ${HOME}/.steam
+noblacklist ${HOME}/.PlayOnLinux
+
+# nc is needed to run playonlinux
+noblacklist ${PATH}/nc
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+# Allow perl (blacklisted by disable-interpreters.inc)
+include allow-perl.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+seccomp
diff --git a/etc/profile-m-z/pluma.profile b/etc/profile-m-z/pluma.profile
new file mode 100644
index 000000000..ea8550bda
--- /dev/null
+++ b/etc/profile-m-z/pluma.profile
@@ -0,0 +1,53 @@
+# Firejail profile for pluma
+# Description: Official text editor of the MATE desktop environment
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pluma.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/enchant
+noblacklist ${HOME}/.config/pluma
+
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-var-common.inc
+
+# apparmor - makes settings immutable
+caps.drop all
+machine-id
+# net none - makes settings immutable
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin pluma
+private-dev
+private-lib aspell,gconv,libgspell-1.so.*,libreadline.so.*,libtinfo.so.*,pluma
+private-tmp
+
+# makes settings immutable
+# dbus-user none
+# dbus-system none
+
+memory-deny-write-execute
+
+join-or-start pluma
diff --git a/etc/profile-m-z/pngquant.profile b/etc/profile-m-z/pngquant.profile
new file mode 100644
index 000000000..e9338d4b9
--- /dev/null
+++ b/etc/profile-m-z/pngquant.profile
@@ -0,0 +1,53 @@
+# Firejail profile for pngquant
+# Description: PNG converter and lossy image compressor
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include pngquant.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+# protocol can be empty, but this is not yet supported see #639
+protocol inet
+seccomp
+shell none
+tracelog
+x11 none
+
+private-bin pngquant
+private-cache
+private-dev
+private-etc alternatives
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/polari.profile b/etc/profile-m-z/polari.profile
new file mode 100644
index 000000000..87a53775f
--- /dev/null
+++ b/etc/profile-m-z/polari.profile
@@ -0,0 +1,51 @@
+# Firejail profile for polari
+# Description: Internet Relay Chat (IRC) client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include polari.local
+# Persistent global definitions
+include globals.local
+
+# Allow gjs (blacklisted by disable-interpreters.inc)
+include allow-gjs.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.cache/telepathy
+mkdir ${HOME}/.config/telepathy-account-widgets
+mkdir ${HOME}/.local/share/Empathy
+mkdir ${HOME}/.local/share/TpLogger
+mkdir ${HOME}/.local/share/telepathy
+mkdir ${HOME}/.purple
+whitelist ${HOME}/.cache/telepathy
+whitelist ${HOME}/.config/telepathy-account-widgets
+whitelist ${HOME}/.local/share/Empathy
+whitelist ${HOME}/.local/share/TpLogger
+whitelist ${HOME}/.local/share/telepathy
+whitelist ${HOME}/.purple
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-dev
+private-tmp
+
diff --git a/etc/profile-m-z/ppsspp.profile b/etc/profile-m-z/ppsspp.profile
new file mode 100644
index 000000000..c62e53151
--- /dev/null
+++ b/etc/profile-m-z/ppsspp.profile
@@ -0,0 +1,42 @@
+# Firejail profile for ppsspp
+# Description: A PSP emulator written in C++
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ppsspp.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/ppsspp
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,netlink
+seccomp
+shell none
+
+# private-dev is disabled to allow controller support
+#private-dev
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl
+private-opt ppsspp
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/pragha.profile b/etc/profile-m-z/pragha.profile
new file mode 100644
index 000000000..019c1a547
--- /dev/null
+++ b/etc/profile-m-z/pragha.profile
@@ -0,0 +1,38 @@
+# Firejail profile for pragha
+# Description: A lightweight GTK music player
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pragha.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/pragha
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+no3d
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-dev
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,machine-id,pki,pulse,resolv.conf,ssl,xdg
+private-tmp
+
diff --git a/etc/profile-m-z/presentations18.profile b/etc/profile-m-z/presentations18.profile
new file mode 100644
index 000000000..d4f531060
--- /dev/null
+++ b/etc/profile-m-z/presentations18.profile
@@ -0,0 +1,11 @@
+# Firejail profile for presentations18
+# Description: SoftMaker Office - presentations software
+# This file is overwritten after every install/update
+# Persistent local customizations
+include presentations18.local
+# Persistent global definitions
+include globals.local
+
+# Redirect
+include softmaker-common.inc
+
diff --git a/etc/profile-m-z/presentations18free.profile b/etc/profile-m-z/presentations18free.profile
new file mode 100644
index 000000000..e2319f13f
--- /dev/null
+++ b/etc/profile-m-z/presentations18free.profile
@@ -0,0 +1,10 @@
+# Firejail profile for presentations18free
+# Description: SoftMaker FreeOffice - presentations software
+# This file is overwritten after every install/update
+# Persistent local customizations
+include presentations18free.local
+# Persistent global definitions
+include globals.local
+
+# Redirect
+include softmaker-common.inc
diff --git a/etc/profile-m-z/profanity.profile b/etc/profile-m-z/profanity.profile
new file mode 100644
index 000000000..b7aa2bf52
--- /dev/null
+++ b/etc/profile-m-z/profanity.profile
@@ -0,0 +1,52 @@
+# Firejail profile for profanity
+# Description: profanity is an XMPP chat client for the terminal
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include profanity.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/profanity
+noblacklist ${HOME}/.local/share/profanity
+
+# Allow Python
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-bin profanity
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,localtime,mime.types,nsswitch.conf,pki,resolv.conf,ssl
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/psi-plus.profile b/etc/profile-m-z/psi-plus.profile
new file mode 100644
index 000000000..16fffe517
--- /dev/null
+++ b/etc/profile-m-z/psi-plus.profile
@@ -0,0 +1,45 @@
+# Firejail profile for psi-plus
+# Description: Qt-based XMPP/Jabber client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include psi-plus.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/psi+
+noblacklist ${HOME}/.local/share/psi+
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.cache/psi+
+mkdir ${HOME}/.config/psi+
+mkdir ${HOME}/.local/share/psi+
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.cache/psi+
+whitelist ${HOME}/.config/psi+
+whitelist ${HOME}/.local/share/psi+
+include whitelist-common.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+# QtWebengine needs chroot to set up its own sandbox
+seccomp !chroot
+shell none
+
+disable-mnt
+private-dev
+private-tmp
diff --git a/etc/profile-m-z/pybitmessage.profile b/etc/profile-m-z/pybitmessage.profile
new file mode 100644
index 000000000..034c144c7
--- /dev/null
+++ b/etc/profile-m-z/pybitmessage.profile
@@ -0,0 +1,46 @@
+# Firejail profile for pybitmessage
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pybitmessage.local
+# Persistent global definitions
+include globals.local
+
+noblacklist /sbin
+noblacklist /usr/local/sbin
+noblacklist /usr/sbin
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-interpreters.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+disable-mnt
+private-bin bash,env,ldconfig,pybitmessage,python*,sh,stat
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,hosts,ld.so.cache,ld.so.preload,localtime,pki,pki,PyBitmessage,PyBitmessage.conf,resolv.conf,selinux,sni-qt.conf,ssl,system-fips,Trolltech.conf,xdg
+private-tmp
+
diff --git a/etc/profile-m-z/pycharm-community.profile b/etc/profile-m-z/pycharm-community.profile
new file mode 100644
index 000000000..9ee426a95
--- /dev/null
+++ b/etc/profile-m-z/pycharm-community.profile
@@ -0,0 +1,38 @@
+# Firejail profile for pycharm-community
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pycharm-community.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.PyCharmCE*
+
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
+
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+caps.drop all
+machine-id
+nodvd
+nogroups
+nosound
+notv
+nou2f
+novideo
+shell none
+tracelog
+
+# private-etc alternatives,fonts,passwd - minimal required to run but will probably break
+# program!
+private-cache
+private-dev
+private-tmp
+
+noexec /tmp
diff --git a/etc/profile-m-z/pycharm-professional.profile b/etc/profile-m-z/pycharm-professional.profile
new file mode 100644
index 000000000..a14d0268b
--- /dev/null
+++ b/etc/profile-m-z/pycharm-professional.profile
@@ -0,0 +1,7 @@
+# Firejail profilen alias for pycharm-professional
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.PyCharm*
+
+# Redirect
+include pycharm-community.profile
diff --git a/etc/profile-m-z/pzstd.profile b/etc/profile-m-z/pzstd.profile
new file mode 100644
index 000000000..ce9af3286
--- /dev/null
+++ b/etc/profile-m-z/pzstd.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for zstd
+# This file is overwritten after every install/update
+
+# Redirect
+include zstd.profile
diff --git a/etc/profile-m-z/qbittorrent.profile b/etc/profile-m-z/qbittorrent.profile
new file mode 100644
index 000000000..820dc7214
--- /dev/null
+++ b/etc/profile-m-z/qbittorrent.profile
@@ -0,0 +1,61 @@
+# Firejail profile for qbittorrent
+# Description: BitTorrent client based on libtorrent-rasterbar with a Qt5 GUI
+# This file is overwritten after every install/update
+# Persistent local customizations
+include qbittorrent.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/qBittorrent
+noblacklist ${HOME}/.config/qBittorrent
+noblacklist ${HOME}/.config/qBittorrentrc
+noblacklist ${HOME}/.local/share/data/qBittorrent
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.cache/qBittorrent
+mkdir ${HOME}/.config/qBittorrent
+mkfile ${HOME}/.config/qBittorrentrc
+mkdir ${HOME}/.local/share/data/qBittorrent
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.cache/qBittorrent
+whitelist ${HOME}/.config/qBittorrent
+whitelist ${HOME}/.config/qBittorrentrc
+whitelist ${HOME}/.local/share/data/qBittorrent
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+private-bin python*,qbittorrent
+private-dev
+# private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,resolv.conf,ssl,X11,xdg
+private-tmp
+
+dbus-user none
+dbus-system none
+
+# memory-deny-write-execute - problems on Arch, see #1690 on GitHub repo
diff --git a/etc/profile-m-z/qemu-launcher.profile b/etc/profile-m-z/qemu-launcher.profile
new file mode 100644
index 000000000..ac60384fd
--- /dev/null
+++ b/etc/profile-m-z/qemu-launcher.profile
@@ -0,0 +1,29 @@
+# Firejail profile for qemu-launcher
+# This file is overwritten after every install/update
+# Persistent local customizations
+include qemu-launcher.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.qemu-launcher
+
+include disable-common.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-cache
+private-tmp
+
+noexec /tmp
diff --git a/etc/profile-m-z/qemu-system-x86_64.profile b/etc/profile-m-z/qemu-system-x86_64.profile
new file mode 100644
index 000000000..d7d7905dd
--- /dev/null
+++ b/etc/profile-m-z/qemu-system-x86_64.profile
@@ -0,0 +1,28 @@
+# Firejail profile for qemu-system-x86_64
+# Description: QEMU system emulator for x86_64
+# This file is overwritten after every install/update
+# Persistent local customizations
+include qemu-system-x86_64.local
+# Persistent global definitions
+include globals.local
+
+include disable-common.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-cache
+private-tmp
+
+noexec /tmp
diff --git a/etc/profile-m-z/qgis.profile b/etc/profile-m-z/qgis.profile
new file mode 100644
index 000000000..eee538383
--- /dev/null
+++ b/etc/profile-m-z/qgis.profile
@@ -0,0 +1,59 @@
+# Firejail profile for qgis
+# Description: GIS application
+# This file is overwritten after every install/update
+# Persistent local customizations
+include qgis.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/QGIS
+noblacklist ${HOME}/.local/share/QGIS
+noblacklist ${HOME}/.qgis2
+noblacklist ${DOCUMENTS}
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.local/share/QGIS
+mkdir ${HOME}/.qgis2
+mkdir ${HOME}/.config/QGIS
+whitelist ${HOME}/.local/share/QGIS
+whitelist ${HOME}/.qgis2
+whitelist ${HOME}/.config/QGIS
+whitelist ${DOCUMENTS}
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+machine-id
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+# blacklisting of mbind system calls breaks old version
+seccomp !mbind
+protocol unix,inet,inet6,netlink
+shell none
+tracelog
+
+disable-mnt
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,QGIS,QGIS.conf,resolv.conf,ssl,Trolltech.conf
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/qlipper.profile b/etc/profile-m-z/qlipper.profile
new file mode 100644
index 000000000..fb9dca48f
--- /dev/null
+++ b/etc/profile-m-z/qlipper.profile
@@ -0,0 +1,38 @@
+# Firejail profile for qlipper
+# Description: Lightweight and cross-platform clipboard history applet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include qlipper.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/Qlipper
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+disable-mnt
+private-cache
+private-dev
+private-tmp
+
diff --git a/etc/profile-m-z/qmmp.profile b/etc/profile-m-z/qmmp.profile
new file mode 100644
index 000000000..4dc6b6784
--- /dev/null
+++ b/etc/profile-m-z/qmmp.profile
@@ -0,0 +1,38 @@
+# Firejail profile for qmmp
+# Description: Feature-rich audio player with support of many formats
+# This file is overwritten after every install/update
+# Persistent local customizations
+include qmmp.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.qmmp
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+caps.drop all
+netfilter
+# no3d
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-bin bzip2,gzip,qmmp,tar,unzip
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/qpdfview.profile b/etc/profile-m-z/qpdfview.profile
new file mode 100644
index 000000000..c082762ad
--- /dev/null
+++ b/etc/profile-m-z/qpdfview.profile
@@ -0,0 +1,45 @@
+# Firejail profile for qpdfview
+# Description: Tabbed document viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include qpdfview.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/qpdfview
+noblacklist ${HOME}/.local/share/qpdfview
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin qpdfview
+private-dev
+private-tmp
+
+# needs D-Bus when started from a file manager
+# dbus-user none
+# dbus-system none
diff --git a/etc/profile-m-z/qt-faststart.profile b/etc/profile-m-z/qt-faststart.profile
new file mode 100644
index 000000000..2cdff33a6
--- /dev/null
+++ b/etc/profile-m-z/qt-faststart.profile
@@ -0,0 +1,14 @@
+# Firejail profile for qt-faststart
+# Description: FFmpeg-based media utility
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include qt-faststart.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+private-bin qt-faststart
+
+# Redirect
+include ffmpeg.profile
diff --git a/etc/profile-m-z/qtox.profile b/etc/profile-m-z/qtox.profile
new file mode 100644
index 000000000..c8b77123d
--- /dev/null
+++ b/etc/profile-m-z/qtox.profile
@@ -0,0 +1,51 @@
+# Firejail profile for qtox
+# Description: Powerful Tox client written in C++/Qt that follows the Tox design guidelines
+# This file is overwritten after every install/update
+# Persistent local customizations
+include qtox.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/Tox
+noblacklist ${HOME}/.config/tox
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/tox
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.config/tox
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin qtox
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl
+private-tmp
+
+dbus-user none
+dbus-system none
+
+#memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/profile-m-z/quassel.profile b/etc/profile-m-z/quassel.profile
new file mode 100644
index 000000000..c65089e20
--- /dev/null
+++ b/etc/profile-m-z/quassel.profile
@@ -0,0 +1,26 @@
+# Firejail profile for quassel
+# Description: Distributed IRC client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include quassel.local
+# Persistent global definitions
+include globals.local
+
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+caps.drop all
+netfilter
+nodvd
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6
+# QtWebengine needs chroot to set up its own sandbox
+seccomp !chroot
+
+private-cache
+private-tmp
diff --git a/etc/profile-m-z/quiterss.profile b/etc/profile-m-z/quiterss.profile
new file mode 100644
index 000000000..8dbdffdc8
--- /dev/null
+++ b/etc/profile-m-z/quiterss.profile
@@ -0,0 +1,54 @@
+# Firejail profile for quiterss
+# Description: RSS/Atom news feeds reader
+# This file is overwritten after every install/update
+# Persistent local customizations
+include quiterss.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/QuiteRss
+noblacklist ${HOME}/.config/QuiteRss
+noblacklist ${HOME}/.config/QuiteRssrc
+noblacklist ${HOME}/.local/share/QuiteRss
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.cache/QuiteRss
+mkdir ${HOME}/.config/QuiteRss
+mkdir ${HOME}/.local/share/data
+mkdir ${HOME}/.local/share/data/QuiteRss
+mkdir ${HOME}/.local/share/QuiteRss
+mkfile ${HOME}/quiterssfeeds.opml
+whitelist ${HOME}/.cache/QuiteRss
+whitelist ${HOME}/.config/QuiteRss
+whitelist ${HOME}/.config/QuiteRssrc
+whitelist ${HOME}/.local/share/data/QuiteRss
+whitelist ${HOME}/.local/share/QuiteRss
+whitelist ${HOME}/quiterssfeeds.opml
+include whitelist-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin quiterss
+private-dev
+# private-etc alternatives,ca-certificates,crypto-policies,pki,ssl,X11
+
diff --git a/etc/profile-m-z/qupzilla.profile b/etc/profile-m-z/qupzilla.profile
new file mode 100644
index 000000000..7aa71c848
--- /dev/null
+++ b/etc/profile-m-z/qupzilla.profile
@@ -0,0 +1,25 @@
+# Firejail profile for qupzilla
+# This file is overwritten after every install/update
+# Persistent local customizations
+include qupzilla.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.cache/qupzilla
+noblacklist ${HOME}/.config/qupzilla
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.cache/qupzilla
+mkdir ${HOME}/.config/qupzilla
+whitelist ${HOME}/.cache/qupzilla
+whitelist ${HOME}/.config/qupzilla
+
+# Redirect
+include falkon.profile
diff --git a/etc/profile-m-z/qutebrowser.profile b/etc/profile-m-z/qutebrowser.profile
new file mode 100644
index 000000000..fc910b589
--- /dev/null
+++ b/etc/profile-m-z/qutebrowser.profile
@@ -0,0 +1,40 @@
+# Firejail profile for qutebrowser
+# Description: Keyboard-driven, vim-like browser based on PyQt5
+# This file is overwritten after every install/update
+# Persistent local customizations
+include qutebrowser.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/qutebrowser
+noblacklist ${HOME}/.config/qutebrowser
+noblacklist ${HOME}/.local/share/qutebrowser
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.cache/qutebrowser
+mkdir ${HOME}/.config/qutebrowser
+mkdir ${HOME}/.local/share/qutebrowser
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.cache/qutebrowser
+whitelist ${HOME}/.config/qutebrowser
+whitelist ${HOME}/.local/share/qutebrowser
+include whitelist-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6,netlink
+# blacklisting of chroot system calls breaks qt webengine
+seccomp !chroot,!name_to_handle_at
+# tracelog
diff --git a/etc/profile-m-z/rambox.profile b/etc/profile-m-z/rambox.profile
new file mode 100644
index 000000000..ffa2022ee
--- /dev/null
+++ b/etc/profile-m-z/rambox.profile
@@ -0,0 +1,38 @@
+# Firejail profile for rambox
+# Description: Free and Open Source messaging and emailing app that combines common web applications into one (Electron-based)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include rambox.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/Rambox
+noblacklist ${HOME}/.pki
+noblacklist ${HOME}/.local/share/pki
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.config/Rambox
+mkdir ${HOME}/.pki
+mkdir ${HOME}/.local/share/pki
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.config/Rambox
+whitelist ${HOME}/.pki
+whitelist ${HOME}/.local/share/pki
+include whitelist-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6,netlink
+# electron-based application, needing chroot
+#seccomp
+seccomp !chroot
+# tracelog
diff --git a/etc/profile-m-z/ranger.profile b/etc/profile-m-z/ranger.profile
new file mode 100644
index 000000000..af033af1a
--- /dev/null
+++ b/etc/profile-m-z/ranger.profile
@@ -0,0 +1,44 @@
+# Firejail profile for ranger
+# Description: File manager with an ncurses frontend written in Python
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ranger.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/nano
+noblacklist ${HOME}/.config/ranger
+noblacklist ${HOME}/.nanorc
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+# Allow perl
+include allow-perl.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+allusers
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+#x11 none
+
+private-dev
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/redeclipse.profile b/etc/profile-m-z/redeclipse.profile
new file mode 100644
index 000000000..bb1ad56d3
--- /dev/null
+++ b/etc/profile-m-z/redeclipse.profile
@@ -0,0 +1,39 @@
+# Firejail profile for redeclipse
+# Description: Free, casual arena shooter
+# This file is overwritten after every install/update
+# Persistent local customizations
+include redeclipse.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.redeclipse
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.redeclipse
+whitelist ${HOME}/.redeclipse
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-dev
+private-tmp
+
diff --git a/etc/profile-m-z/redshift.profile b/etc/profile-m-z/redshift.profile
new file mode 100644
index 000000000..298ab1902
--- /dev/null
+++ b/etc/profile-m-z/redshift.profile
@@ -0,0 +1,53 @@
+# Firejail profile for redshift
+# Description: Adjusts the color temperature of your screen according to your surroundings
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include redshift.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/redshift
+noblacklist ${HOME}/.config/redshift.conf
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-passwdmgr.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/redshift
+whitelist ${HOME}/.config/redshift
+whitelist ${HOME}/.config/redshift.conf
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/regextester.profile b/etc/profile-m-z/regextester.profile
new file mode 100644
index 000000000..207156ba5
--- /dev/null
+++ b/etc/profile-m-z/regextester.profile
@@ -0,0 +1,57 @@
+# Firejail profile for regextester
+# Description: A simple regex tester built for Pantheon Shell
+# This file is overwritten after every install/update
+# Persistent local customizations
+include regextester.local
+# Persistent global definitions
+include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-passwdmgr.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist /usr/share/com.github.artemanufrij.regextester
+include whitelist-usr-share-common.inc
+
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin regextester
+private-cache
+private-dev
+private-etc alternatives,fonts
+private-lib libgranite.so.*
+private-tmp
+
+# makes settings immutable
+# dbus-user none
+# dbus-system none
+
+memory-deny-write-execute
+
+# never write anything
+read-only ${HOME}
diff --git a/etc/profile-m-z/remmina.profile b/etc/profile-m-z/remmina.profile
new file mode 100644
index 000000000..6311c91df
--- /dev/null
+++ b/etc/profile-m-z/remmina.profile
@@ -0,0 +1,40 @@
+# Firejail profile for remmina
+# Description: GTK+ Remote Desktop Client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include remmina.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.remmina
+noblacklist ${HOME}/.config/remmina
+noblacklist ${HOME}/.local/share/remmina
+noblacklist ${HOME}/.ssh
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-cache
+private-dev
+private-tmp
+
diff --git a/etc/profile-m-z/rhythmbox-client.profile b/etc/profile-m-z/rhythmbox-client.profile
new file mode 100644
index 000000000..29e65d716
--- /dev/null
+++ b/etc/profile-m-z/rhythmbox-client.profile
@@ -0,0 +1,11 @@
+# Firejail profile for rhythmbox-client
+# Description: controls a running instance of rhythmbox
+# This file is overwritten after every install/update
+# Persistent local customizations
+include rhythmbox-client.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include rhythmbox.profile
diff --git a/etc/profile-m-z/rhythmbox.profile b/etc/profile-m-z/rhythmbox.profile
new file mode 100644
index 000000000..e8f964383
--- /dev/null
+++ b/etc/profile-m-z/rhythmbox.profile
@@ -0,0 +1,52 @@
+# Firejail profile for rhythmbox
+# Description: Music player and organizer for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include rhythmbox.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${MUSIC}
+noblacklist ${HOME}/.cache/rhythmbox
+noblacklist ${HOME}/.local/share/rhythmbox
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist /usr/share/rhythmbox
+whitelist /usr/share/lua
+whitelist /usr/share/libquvi-scripts
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+private-bin rhythmbox,rhythmbox-client
+private-dev
+private-tmp
+
+# makes settings immutable
+# dbus-user none
+# dbus-system none
diff --git a/etc/profile-m-z/ricochet.profile b/etc/profile-m-z/ricochet.profile
new file mode 100644
index 000000000..1b8fbbc97
--- /dev/null
+++ b/etc/profile-m-z/ricochet.profile
@@ -0,0 +1,41 @@
+# Firejail profile for ricochet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ricochet.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/Ricochet
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.local/share/Ricochet
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.local/share/Ricochet
+include whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-bin ricochet,tor
+private-dev
+#private-etc alternatives,alternatives,ca-certificates,crypto-policies,fonts,pki,ssl,tor,X11
+
diff --git a/etc/profile-m-z/riot-desktop.profile b/etc/profile-m-z/riot-desktop.profile
new file mode 100644
index 000000000..4372fabe1
--- /dev/null
+++ b/etc/profile-m-z/riot-desktop.profile
@@ -0,0 +1,13 @@
+# Firejail profile for riot-desktop
+# Description: A glossy Matrix collaboration client for the desktop
+# This file is overwritten after every install/update
+# Persistent local customizations
+include riot-desktop.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+seccomp !chroot
+
+# Redirect
+include riot-web.profile
diff --git a/etc/profile-m-z/riot-web.profile b/etc/profile-m-z/riot-web.profile
new file mode 100644
index 000000000..b930adf2b
--- /dev/null
+++ b/etc/profile-m-z/riot-web.profile
@@ -0,0 +1,17 @@
+# Firejail profile for riot-web
+# Description: A glossy Matrix collaboration client for the web
+# This file is overwritten after every install/update
+# Persistent local customizations
+include riot-web.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.config/Riot
+
+mkdir ${HOME}/.config/Riot
+whitelist ${HOME}/.config/Riot
+include whitelist-common.inc
+
+# Redirect
+include electron.profile
diff --git a/etc/profile-m-z/ripperx.profile b/etc/profile-m-z/ripperx.profile
new file mode 100644
index 000000000..cf6daada5
--- /dev/null
+++ b/etc/profile-m-z/ripperx.profile
@@ -0,0 +1,43 @@
+# Firejail profile for mpv
+# Description: Graphical audio CD ripper and encoder
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ripperx.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.ripperXrc
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+no3d
+nogroups
+nonewprivs
+noroot
+nou2f
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/ristretto.profile b/etc/profile-m-z/ristretto.profile
new file mode 100644
index 000000000..a1cbdf16c
--- /dev/null
+++ b/etc/profile-m-z/ristretto.profile
@@ -0,0 +1,42 @@
+# Firejail profile for ristretto
+# Description: Lightweight picture-viewer for the Xfce desktop environment
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ristretto.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/ristretto
+noblacklist ${HOME}/.Steam
+noblacklist ${HOME}/.steam
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+private-cache
+private-dev
+private-tmp
+
diff --git a/etc/profile-m-z/rnano.profile b/etc/profile-m-z/rnano.profile
new file mode 100644
index 000000000..d9048982a
--- /dev/null
+++ b/etc/profile-m-z/rnano.profile
@@ -0,0 +1,12 @@
+# Firejail profile for rnano
+# Description: A restricted nano
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include rnano.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include nano.profile
diff --git a/etc/profile-m-z/rocketchat.profile b/etc/profile-m-z/rocketchat.profile
new file mode 100644
index 000000000..a574e4e8b
--- /dev/null
+++ b/etc/profile-m-z/rocketchat.profile
@@ -0,0 +1,16 @@
+# Firejail profile for rocketchat
+# This file is overwritten after every install/update
+# Persistent local customizations
+include rocketchat.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.config/Rocket.Chat
+
+mkdir ${HOME}/.config/Rocket.Chat
+whitelist ${HOME}/.config/Rocket.Chat
+include whitelist-common.inc
+
+# Redirect
+include electron.profile
diff --git a/etc/profile-m-z/rsync-download_only.profile b/etc/profile-m-z/rsync-download_only.profile
new file mode 100644
index 000000000..a39ff759a
--- /dev/null
+++ b/etc/profile-m-z/rsync-download_only.profile
@@ -0,0 +1,59 @@
+# Firejail profile for rsync
+# Description: a fast, versatile, remote (and local) file-copying tool
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include rsync.local
+# Persistent global definitions
+include globals.local
+
+# Warning: This profile is writte to use rsync as an client for downloading,
+# it is not writen to use rsync as an daemon (rsync --daemon) or to create backups.
+
+# Usage: firejail --profile=rsync-download_only rsync
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+# Uncomment or add to rsync.local to enable extra hardening
+#whitelist ${DOWNLOADS}
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin rsync
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/rtorrent.profile b/etc/profile-m-z/rtorrent.profile
new file mode 100644
index 000000000..0b4d6e1b1
--- /dev/null
+++ b/etc/profile-m-z/rtorrent.profile
@@ -0,0 +1,33 @@
+# Firejail profile for rtorrent
+# Description: Ncurses BitTorrent client based on LibTorrent from rakshasa
+# This file is overwritten after every install/update
+# Persistent local customizations
+include rtorrent.local
+# Persistent global definitions
+include globals.local
+
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+caps.drop all
+machine-id
+netfilter
+nodvd
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-bin rtorrent
+private-cache
+private-dev
+private-tmp
diff --git a/etc/profile-m-z/rtv.profile b/etc/profile-m-z/rtv.profile
new file mode 100644
index 000000000..14740e05f
--- /dev/null
+++ b/etc/profile-m-z/rtv.profile
@@ -0,0 +1,58 @@
+# Firejail profile for rtv
+# Description: Browse Reddit from your terminal
+# This file is overwritten after every install/update
+# Persistent local customizations
+include rtv.local
+# Persistent global definitions
+include globals.local
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
+noblacklist ${HOME}/.config/rtv
+noblacklist ${HOME}/.local/share/rtv
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/rtv
+mkdir ${HOME}/.local/share/rtv
+whitelist ${HOME}/.config/rtv
+whitelist ${HOME}/.local/share/rtv
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin python*,rtv,sh,xdg-settings
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl,terminfo,xdg
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/runenpass.sh.profile b/etc/profile-m-z/runenpass.sh.profile
new file mode 100644
index 000000000..64432c171
--- /dev/null
+++ b/etc/profile-m-z/runenpass.sh.profile
@@ -0,0 +1,5 @@
+# Firejail alias profile for enpass
+# This file is overwritten after every install/update
+
+# Redirect
+include enpass.profile
diff --git a/etc/profile-m-z/rview.profile b/etc/profile-m-z/rview.profile
new file mode 100644
index 000000000..fb72a00de
--- /dev/null
+++ b/etc/profile-m-z/rview.profile
@@ -0,0 +1,10 @@
+# Firejail profile for rview
+# This file is overwritten after every install/update
+# Persistent local customizations
+include rview.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include vim.profile
diff --git a/etc/profile-m-z/rvim.profile b/etc/profile-m-z/rvim.profile
new file mode 100644
index 000000000..7c6465d3c
--- /dev/null
+++ b/etc/profile-m-z/rvim.profile
@@ -0,0 +1,10 @@
+# Firejail profile for rvim
+# This file is overwritten after every install/update
+# Persistent local customizations
+include rvim.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include vim.profile
diff --git a/etc/profile-m-z/sayonara.profile b/etc/profile-m-z/sayonara.profile
new file mode 100644
index 000000000..8f0544f33
--- /dev/null
+++ b/etc/profile-m-z/sayonara.profile
@@ -0,0 +1,35 @@
+# Firejail profile for sayonara player
+# This file is overwritten after every install/update
+# Persistent local customizations
+include sayonara.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.Sayonara
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+caps.drop all
+netfilter
+no3d
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-bin sayonara
+private-dev
+private-tmp
+
diff --git a/etc/profile-m-z/scallion.profile b/etc/profile-m-z/scallion.profile
new file mode 100644
index 000000000..0f67d4d09
--- /dev/null
+++ b/etc/profile-m-z/scallion.profile
@@ -0,0 +1,44 @@
+# Firejail profile for scallion
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include scallion.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${PATH}/llvm*
+noblacklist ${PATH}/openssl
+noblacklist ${PATH}/openssl-1.0
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+disable-mnt
+private
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/scorched3d-wrapper.profile b/etc/profile-m-z/scorched3d-wrapper.profile
new file mode 100644
index 000000000..9cbb19bff
--- /dev/null
+++ b/etc/profile-m-z/scorched3d-wrapper.profile
@@ -0,0 +1,7 @@
+# Firejail profile for scorched3d
+# This file is overwritten after every install/update
+# Persistent local customizations
+include scorched3d-wrapper.local
+
+# Redirect
+include scorched3d.profile
diff --git a/etc/profile-m-z/scorched3d.profile b/etc/profile-m-z/scorched3d.profile
new file mode 100644
index 000000000..b5e51198b
--- /dev/null
+++ b/etc/profile-m-z/scorched3d.profile
@@ -0,0 +1,46 @@
+# Firejail profile for scorched3d
+# Description: Game based loosely on the classic DOS game Scorched Earth
+# This file is overwritten after every install/update
+# Persistent local customizations
+include scorched3d.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.scorched3d
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.scorched3d
+whitelist ${HOME}/.scorched3d
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin scorched3d,scorched3d-wrapper,scorched3dc,scorched3ds
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/scorchwentbonkers.profile b/etc/profile-m-z/scorchwentbonkers.profile
new file mode 100644
index 000000000..7cb57edce
--- /dev/null
+++ b/etc/profile-m-z/scorchwentbonkers.profile
@@ -0,0 +1,49 @@
+# Firejail profile for scorchwentbonkers
+# Description: Realtime remake of Scorched Earth
+# This file is overwritten after every install/update
+# Persistent local customizations
+include scorchwentbonkers.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.swb.ini
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.swb.ini
+whitelist ${HOME}/.swb.ini
+whitelist /usr/share/scorchwentbonkers
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin scorchwentbonkers
+private-cache
+private-dev
+private-etc alsa,asound.conf,machine-id,pulse
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/scp.profile b/etc/profile-m-z/scp.profile
new file mode 100644
index 000000000..287b8029a
--- /dev/null
+++ b/etc/profile-m-z/scp.profile
@@ -0,0 +1,12 @@
+# Firejail profile for scp
+# Description: Secure shell copy
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include scp.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include ssh.profile
diff --git a/etc/profile-m-z/scribus.profile b/etc/profile-m-z/scribus.profile
new file mode 100644
index 000000000..22cd10737
--- /dev/null
+++ b/etc/profile-m-z/scribus.profile
@@ -0,0 +1,64 @@
+# Firejail profile for scribus
+# Description: Open Source Desktop Page Layout
+# This file is overwritten after every install/update
+# Persistent local customizations
+include scribus.local
+# Persistent global definitions
+include globals.local
+
+# Support for PDF readers comes with Scribus 1.5 and higher
+noblacklist ${HOME}/.cache/okular
+noblacklist ${HOME}/.config/GIMP
+noblacklist ${HOME}/.config/okularpartrc
+noblacklist ${HOME}/.config/okularrc
+noblacklist ${HOME}/.config/scribus
+noblacklist ${HOME}/.config/scribusrc
+noblacklist ${HOME}/.gimp*
+noblacklist ${HOME}/.kde/share/apps/okular
+noblacklist ${HOME}/.kde/share/config/okularpartrc
+noblacklist ${HOME}/.kde/share/config/okularrc
+noblacklist ${HOME}/.kde4/share/apps/okular
+noblacklist ${HOME}/.kde4/share/config/okularpartrc
+noblacklist ${HOME}/.kde4/share/config/okularrc
+noblacklist ${HOME}/.local/share/okular
+noblacklist ${HOME}/.local/share/scribus
+noblacklist ${HOME}/.scribus
+noblacklist ${DOCUMENTS}
+noblacklist ${PICTURES}
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+# private-bin gimp*,gs,scribus
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/sdat2img.profile b/etc/profile-m-z/sdat2img.profile
new file mode 100644
index 000000000..b45eff4cd
--- /dev/null
+++ b/etc/profile-m-z/sdat2img.profile
@@ -0,0 +1,43 @@
+# Firejail profile for sdat2img
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include sdat2img.local
+# Persistent global definitions
+include globals.local
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+private-bin env,python*,sdat2img
+private-cache
+private-dev
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/seahorse-adventures.profile b/etc/profile-m-z/seahorse-adventures.profile
new file mode 100644
index 000000000..895724844
--- /dev/null
+++ b/etc/profile-m-z/seahorse-adventures.profile
@@ -0,0 +1,50 @@
+# Firejail profile for seahorse-adventures
+# Description: Help barbie the seahorse float on bubbles to the moon
+# This file is overwritten after every install/update
+# Persistent local customizations
+include seahorse-adventures.local
+# Persistent global definitions
+include globals.local
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist /usr/share/seahorse-adventures
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private
+private-bin python*,seahorse-adventures
+private-cache
+private-dev
+private-etc machine-id
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/seahorse-daemon.profile b/etc/profile-m-z/seahorse-daemon.profile
new file mode 100644
index 000000000..6410da4d8
--- /dev/null
+++ b/etc/profile-m-z/seahorse-daemon.profile
@@ -0,0 +1,14 @@
+# Firejail profile for seahorse-daemon
+# Description: PGP encryption and signing
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include seahorse-daemon.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+memory-deny-write-execute
+
+# Redirect
+include seahorse.profile
diff --git a/etc/profile-m-z/seahorse-tool.profile b/etc/profile-m-z/seahorse-tool.profile
new file mode 100644
index 000000000..96ff74edf
--- /dev/null
+++ b/etc/profile-m-z/seahorse-tool.profile
@@ -0,0 +1,15 @@
+# Firejail profile for seahorse-tool
+# Description: PGP encryption and signing
+# This file is overwritten after every install/update
+# Persistent local customizations
+include seahorse-tool.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# private-etc workaround for: #2877
+private-etc firejail,login.defs,passwd
+private-tmp
+
+# Redirect
+include seahorse.profile
diff --git a/etc/profile-m-z/seahorse.profile b/etc/profile-m-z/seahorse.profile
new file mode 100644
index 000000000..3a69086b5
--- /dev/null
+++ b/etc/profile-m-z/seahorse.profile
@@ -0,0 +1,63 @@
+# Firejail profile for seahorse
+# Description: GNOME application for managing PGP keys
+# This file is overwritten after every install/update
+# Persistent local customizations
+include seahorse.local
+# Persistent global definitions
+include globals.local
+
+blacklist /tmp/.X11-unix
+
+noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.ssh
+noblacklist /tmp/ssh-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+# whitelisting in ${HOME} breaks file encryption feature of nautilus.
+# once #2882 is fixed this can be uncommented and nowhitelisted in seahorse-tool.profile
+#mkdir ${HOME}/.gnupg
+#mkdir ${HOME}/.ssh
+#whitelist ${HOME}/.gnupg
+#whitelist ${HOME}/.ssh
+whitelist /tmp/ssh-*
+whitelist /usr/share/gnupg
+whitelist /usr/share/gnupg2
+whitelist /usr/share/seahorse
+whitelist /usr/share/seahorse-nautilus
+whitelist ${RUNUSER}/gnupg
+whitelist ${RUNUSER}/keyring
+#include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-cache
+private-dev
+private-etc ca-certificates,crypto-policies,dconf,fonts,gconf,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,nsswitch.conf,pango,pki,protocols,resolv.conf,rpc,services,ssh,ssl,X11
+writable-run-user
diff --git a/etc/profile-m-z/seamonkey-bin.profile b/etc/profile-m-z/seamonkey-bin.profile
new file mode 100644
index 000000000..532294950
--- /dev/null
+++ b/etc/profile-m-z/seamonkey-bin.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for seamonkey
+# This file is overwritten after every install/update
+
+# Redirect
+include seamonkey.profile
diff --git a/etc/profile-m-z/seamonkey.profile b/etc/profile-m-z/seamonkey.profile
new file mode 100644
index 000000000..807effbeb
--- /dev/null
+++ b/etc/profile-m-z/seamonkey.profile
@@ -0,0 +1,55 @@
+# Firejail profile for seamonkey
+# Description: SeaMonkey internet suite
+# This file is overwritten after every install/update
+# Persistent local customizations
+include seamonkey.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/mozilla
+noblacklist ${HOME}/.mozilla
+noblacklist ${HOME}/.pki
+noblacklist ${HOME}/.local/share/pki
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.cache/mozilla
+mkdir ${HOME}/.mozilla
+mkdir ${HOME}/.pki
+mkdir ${HOME}/.local/share/pki
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.cache/gnome-mplayer/plugin
+whitelist ${HOME}/.cache/mozilla
+whitelist ${HOME}/.config/gnome-mplayer
+whitelist ${HOME}/.config/pipelight-silverlight5.1
+whitelist ${HOME}/.config/pipelight-widevine
+whitelist ${HOME}/.keysnail.js
+whitelist ${HOME}/.lastpass
+whitelist ${HOME}/.mozilla
+whitelist ${HOME}/.pentadactyl
+whitelist ${HOME}/.pentadactylrc
+whitelist ${HOME}/.pki
+whitelist ${HOME}/.local/share/pki
+whitelist ${HOME}/.vimperator
+whitelist ${HOME}/.vimperatorrc
+whitelist ${HOME}/.wine-pipelight
+whitelist ${HOME}/.wine-pipelight64
+whitelist ${HOME}/.zotero
+whitelist ${HOME}/dwhelper
+include whitelist-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
+
+disable-mnt
+# private-etc adobe,alternatives,asound.conf,ca-certificates,crypto-policies,firefox,fonts,group,gtk-2.0,hostname,hosts,iceweasel,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,ssl
diff --git a/etc/profile-m-z/secret-tool.profile b/etc/profile-m-z/secret-tool.profile
new file mode 100644
index 000000000..70d9a5b1d
--- /dev/null
+++ b/etc/profile-m-z/secret-tool.profile
@@ -0,0 +1,11 @@
+# Firejail profile for secret-tool
+# Description: Library for storing and retrieving passwords and other secrets
+# This file is overwritten after every install/update
+# Persistent local customizations
+include secret-tool.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gnome-keyring.profile
diff --git a/etc/profile-m-z/server.profile b/etc/profile-m-z/server.profile
new file mode 100644
index 000000000..5bc4735ae
--- /dev/null
+++ b/etc/profile-m-z/server.profile
@@ -0,0 +1,77 @@
+# Generic Firejail profile for servers started as root
+#
+# This profile is used as a default when starting the sandbox as root.
+# Example:
+#
+#       $ sudo firejail
+#       [sudo] password for netblue:
+#       Reading profile /etc/firejail/server.profile
+#       Reading profile /etc/firejail/disable-common.inc
+#       Reading profile /etc/firejail/disable-passwdmgr.inc
+#       Reading profile /etc/firejail/disable-programs.inc
+#
+#       ** Note: you can use --noprofile to disable server.profile **
+#
+#       Parent pid 5347, child pid 5348
+#       The new log directory is /proc/5348/root/var/log
+#       Child process initialized in 64.43 ms
+#       root@debian:~#
+#
+# Customize the profile as usual. Examples: unbound.profile, fdns.profile.
+# All the rules for regular user profiles apply with the exception of
+# /usr/local/bin symlink redirection and firecfg tool. The redirection is disabled
+# by default for root user.
+
+# This file is overwritten after every install/update
+# Persistent local customizations
+include server.local
+# Persistent global definitions
+include globals.local
+
+# generic server profile
+# it allows /sbin and /usr/sbin directories - this is where servers are installed
+# depending on your usage, you can enable some of the commands below:
+
+noblacklist /sbin
+noblacklist /usr/sbin
+# noblacklist /var/opt
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+# include disable-devel.inc
+# include disable-exec.inc
+# include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+# include disable-xdg.inc
+
+caps
+# ipc-namespace
+# netfilter /etc/firejail/webserver.net
+no3d
+nodvd
+# nogroups
+# nonewprivs
+# noroot
+nosound
+notv
+nou2f
+novideo
+seccomp
+# shell none
+
+# disable-mnt
+private
+# private-bin program
+# private-cache
+private-dev
+# private-etc alternatives
+# private-lib
+private-tmp
+
+# dbus-user none
+# dbus-system none
+
+# memory-deny-write-execute
diff --git a/etc/profile-m-z/sftp.profile b/etc/profile-m-z/sftp.profile
new file mode 100644
index 000000000..66dc2a57b
--- /dev/null
+++ b/etc/profile-m-z/sftp.profile
@@ -0,0 +1,12 @@
+# Firejail profile for sftp
+# Description: Secure file transport protocol
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include sftp.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include ssh.profile
diff --git a/etc/profile-m-z/shellcheck.profile b/etc/profile-m-z/shellcheck.profile
new file mode 100644
index 000000000..6cd70c2ea
--- /dev/null
+++ b/etc/profile-m-z/shellcheck.profile
@@ -0,0 +1,54 @@
+# Firejail profile for shellcheck
+# Description: Lint tool for shell scripts
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include shellcheck.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
+
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist /usr/share/shellcheck
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/shortwave.profile b/etc/profile-m-z/shortwave.profile
new file mode 100644
index 000000000..ee2314833
--- /dev/null
+++ b/etc/profile-m-z/shortwave.profile
@@ -0,0 +1,50 @@
+# Firejail profile for shortwave
+# Description: Listen to internet radio
+# This file is overwritten after every install/update
+# Persistent local customizations
+include shortwave.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/Shortwave
+noblacklist ${HOME}/.local/share/Shortwave
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/Shortwave
+mkdir ${HOME}/.local/share/Shortwave
+whitelist ${HOME}/.cache/Shortwave
+whitelist ${HOME}/.local/share/Shortwave
+whitelist /usr/share/shortwave
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin shortwave
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gconf,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,ssl,X11,xdg
+private-tmp
diff --git a/etc/profile-m-z/shotcut.profile b/etc/profile-m-z/shotcut.profile
new file mode 100644
index 000000000..bec0bfbb0
--- /dev/null
+++ b/etc/profile-m-z/shotcut.profile
@@ -0,0 +1,38 @@
+# Firejail profile for shotcut
+# Description: A free, open source, cross-platform video editor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include shotcut.local
+# Persistent global definitions
+include globals.local
+
+ignore noexec ${HOME}
+
+noblacklist ${HOME}/.config/Meltytech
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix
+seccomp
+shell none
+tracelog
+
+#private-bin melt,nice,qmelt,shotcut
+private-cache
+private-dev
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/signal-cli.profile b/etc/profile-m-z/signal-cli.profile
new file mode 100644
index 000000000..6a2f5c434
--- /dev/null
+++ b/etc/profile-m-z/signal-cli.profile
@@ -0,0 +1,51 @@
+# Firejail profile for signal-cli
+# Description: signal-cli provides a commandline and dbus interface for signalapp/libsignal-service-java
+# This file is overwritten after every install/update
+# Persistent local customizations
+include signal-cli.local
+# Persistent global definitions
+include globals.local
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
+noblacklist ${HOME}/.local/share/signal-cli
+
+include allow-java.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.local/share/signal-cli
+whitelist ${HOME}/.local/share/signal-cli
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin java,sh,signal-cli
+private-cache
+private-dev
+# Does not work with all Java configurations. You will notice immediately, so you might want to give it a try
+#private-etc alternatives,ca-certificates,crypto-policies,dbus-1,host.conf,hostname,hosts,java-10-openjdk,java-7-openjdk,java-8-openjdk,java-9-openjdk,java.conf,machine-id,nsswitch.conf,passwd,pki,protocols,resolv.conf,rpc,services,ssl
+private-tmp
diff --git a/etc/profile-m-z/signal-desktop.profile b/etc/profile-m-z/signal-desktop.profile
new file mode 100644
index 000000000..5d9225705
--- /dev/null
+++ b/etc/profile-m-z/signal-desktop.profile
@@ -0,0 +1,44 @@
+# Firejail profile for signal-desktop
+# This file is overwritten after every install/update
+# Persistent local customizations
+include signal-desktop.local
+# Persistent global definitions
+include globals.local
+
+ignore noexec /tmp
+
+noblacklist ${HOME}/.config/Signal
+
+# These lines are needed to allow Firefox to open links
+noblacklist ${HOME}/.mozilla
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+read-only ${HOME}/.mozilla/firefox/profiles.ini
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-passwdmgr.inc
+
+mkdir ${HOME}/.config/Signal
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.config/Signal
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.keep sys_admin,sys_chroot
+netfilter
+nodvd
+nogroups
+notv
+nou2f
+shell none
+
+disable-mnt
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/silentarmy.profile b/etc/profile-m-z/silentarmy.profile
new file mode 100644
index 000000000..cfc33d074
--- /dev/null
+++ b/etc/profile-m-z/silentarmy.profile
@@ -0,0 +1,39 @@
+# Firejail profile for silentarmy
+# This file is overwritten after every install/update
+# Persistent local customizations
+include silentarmy.local
+# Persistent global definitions
+include globals.local
+
+
+include disable-common.inc
+# include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private
+private-bin python*,sa-solver,silentarmy
+private-dev
+private-opt none
+private-tmp
+
diff --git a/etc/profile-m-z/simple-scan.profile b/etc/profile-m-z/simple-scan.profile
new file mode 100644
index 000000000..40fe8c566
--- /dev/null
+++ b/etc/profile-m-z/simple-scan.profile
@@ -0,0 +1,41 @@
+# Firejail profile for simple-scan
+# Description: Simple Scanning Utility
+# This file is overwritten after every install/update
+# Persistent local customizations
+include simple-scan.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/simple-scan
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist /usr/share/simple-scan
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+# novideo
+protocol unix,inet,inet6,netlink
+# blacklisting of ioperm system calls breaks simple-scan
+seccomp !ioperm
+shell none
+tracelog
+
+# private-bin simple-scan
+# private-dev
+# private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl
+# private-tmp
diff --git a/etc/profile-m-z/simplescreenrecorder.profile b/etc/profile-m-z/simplescreenrecorder.profile
new file mode 100644
index 000000000..edcc2a0f4
--- /dev/null
+++ b/etc/profile-m-z/simplescreenrecorder.profile
@@ -0,0 +1,39 @@
+# Firejail profile for simplescreenrecorder
+# Description: A feature-rich screen recorder that supports X11 and OpenGL
+# This file is overwritten after every install/update
+# Persistent local customizations
+include simplescreenrecorder.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${VIDEOS}
+noblacklist ${HOME}/.ssr
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist /usr/share/simplescreenrecorder
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-cache
+private-dev
+private-tmp
diff --git a/etc/profile-m-z/simutrans.profile b/etc/profile-m-z/simutrans.profile
new file mode 100644
index 000000000..1b81f2ea1
--- /dev/null
+++ b/etc/profile-m-z/simutrans.profile
@@ -0,0 +1,42 @@
+# Firejail profile for simutrans
+# Description: Transportation simulator
+# This file is overwritten after every install/update
+# Persistent local customizations
+include simutrans.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.simutrans
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.simutrans
+whitelist ${HOME}/.simutrans
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+# private-bin simutrans
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/skanlite.profile b/etc/profile-m-z/skanlite.profile
new file mode 100644
index 000000000..093a61398
--- /dev/null
+++ b/etc/profile-m-z/skanlite.profile
@@ -0,0 +1,37 @@
+# Firejail profile for skanlite
+# Description: Image scanner based on the KSane backend
+# This file is overwritten after every install/update
+# Persistent local customizations
+include skanlite.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+# novideo
+protocol unix,inet,inet6,netlink
+# blacklisting of ioperm system calls breaks skanlite
+seccomp !ioperm
+shell none
+
+# private-bin kbuildsycoca4,kdeinit4,skanlite
+# private-dev
+# private-tmp
+
+# dbus-user none
+# dbus-system none
diff --git a/etc/profile-m-z/skypeforlinux.profile b/etc/profile-m-z/skypeforlinux.profile
new file mode 100644
index 000000000..341c25a95
--- /dev/null
+++ b/etc/profile-m-z/skypeforlinux.profile
@@ -0,0 +1,31 @@
+# Firejail profile for skypeforlinux
+# This file is overwritten after every install/update
+# Persistent local customizations
+include skypeforlinux.local
+# Persistent global definitions
+include globals.local
+
+# breaks Skype
+ignore noexec /tmp
+
+noblacklist ${HOME}/.config/skypeforlinux
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+caps.keep sys_admin,sys_chroot
+netfilter
+nodvd
+nogroups
+notv
+shell none
+
+disable-mnt
+private-cache
+# private-dev - needs /dev/disk
+private-tmp
diff --git a/etc/profile-m-z/slack.profile b/etc/profile-m-z/slack.profile
new file mode 100644
index 000000000..b2828fcb1
--- /dev/null
+++ b/etc/profile-m-z/slack.profile
@@ -0,0 +1,34 @@
+# Firejail profile for slack
+# This file is overwritten after every install/update
+# Persistent local customizations
+include slack.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/Slack
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.config/Slack
+whitelist ${HOME}/.config/Slack
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.keep sys_admin,sys_chroot
+netfilter
+nodvd
+nogroups
+notv
+nou2f
+shell none
+
+disable-mnt
+private-bin locale,slack
+private-cache
+private-dev
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,debian_version,fedora-release,fonts,group,ld.so.cache,ld.so.conf,localtime,machine-id,os-release,passwd,pki,pulse,redhat-release,resolv.conf,ssl,system-release,system-release-cpe
diff --git a/etc/profile-m-z/slashem.profile b/etc/profile-m-z/slashem.profile
new file mode 100644
index 000000000..ca0516e65
--- /dev/null
+++ b/etc/profile-m-z/slashem.profile
@@ -0,0 +1,47 @@
+# Firejail profile for slashem
+# Description: A rogue-like single player dungeon exploration game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include slashem.local
+# Persistent global definitions
+include globals.local
+
+noblacklist /var/games/slashem
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+whitelist /var/games/slashem
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+no3d
+nodvd
+nogroups
+#nonewprivs
+#noroot
+nosound
+notv
+novideo
+#protocol unix,netlink
+#seccomp
+shell none
+
+disable-mnt
+#private
+private-cache
+private-dev
+private-tmp
+writable-var
+
+dbus-user none
+dbus-system none
+
+#memory-deny-write-execute
diff --git a/etc/profile-m-z/smplayer.profile b/etc/profile-m-z/smplayer.profile
new file mode 100644
index 000000000..ac01c675b
--- /dev/null
+++ b/etc/profile-m-z/smplayer.profile
@@ -0,0 +1,49 @@
+# Firejail profile for smplayer
+# Description: Complete front-end for MPlayer and mpv
+# This file is overwritten after every install/update
+# Persistent local customizations
+include smplayer.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/smplayer
+noblacklist ${HOME}/.config/youtube-dl
+noblacklist ${HOME}/.mplayer
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+noblacklist ${MUSIC}
+noblacklist ${VIDEOS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist /usr/share/smplayer
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+# nogroups
+nonewprivs
+noroot
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+private-bin env,mplayer,mpv,python*,smplayer,smtube,youtube-dl
+private-dev
+private-tmp
+
+# problems with KDE
+# dbus-user none
+# dbus-system none
diff --git a/etc/profile-m-z/smtube.profile b/etc/profile-m-z/smtube.profile
new file mode 100644
index 000000000..79bc02979
--- /dev/null
+++ b/etc/profile-m-z/smtube.profile
@@ -0,0 +1,48 @@
+# Firejail profile for smtube
+# Description: YouTube videos browser
+# This file is overwritten after every install/update
+# Persistent local customizations
+include smtube.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/smplayer
+noblacklist ${HOME}/.config/smtube
+noblacklist ${HOME}/.config/mpv
+noblacklist ${HOME}/.mplayer
+noblacklist ${HOME}/.config/vlc
+noblacklist ${HOME}/.local/share/vlc
+noblacklist ${MUSIC}
+noblacklist ${VIDEOS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist /usr/share/smplayer
+whitelist /usr/share/smtube
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+notv
+nou2f
+novideo
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+#no private-bin because users can add their own players to smtube and that would prevent that
+private-dev
+private-tmp
+
diff --git a/etc/profile-m-z/snox.profile b/etc/profile-m-z/snox.profile
new file mode 100644
index 000000000..3b3fd1ae1
--- /dev/null
+++ b/etc/profile-m-z/snox.profile
@@ -0,0 +1,19 @@
+# Firejail profile for snox
+# This file is overwritten after every install/update
+# Persistent local customizations
+include snox.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/snox
+noblacklist ${HOME}/.config/snox
+
+#mkdir ${HOME}/.cache/dnox
+#mkdir ${HOME}/.config/dnox
+mkdir ${HOME}/.cache/snox
+mkdir ${HOME}/.config/snox
+whitelist ${HOME}/.cache/snox
+whitelist ${HOME}/.config/snox
+
+# Redirect
+include chromium-common.profile
diff --git a/etc/profile-m-z/soffice.profile b/etc/profile-m-z/soffice.profile
new file mode 100644
index 000000000..8348a57fe
--- /dev/null
+++ b/etc/profile-m-z/soffice.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for libreoffice
+# This file is overwritten after every install/update
+
+# Redirect
+include libreoffice.profile
diff --git a/etc/profile-m-z/sol.profile b/etc/profile-m-z/sol.profile
new file mode 100644
index 000000000..8519de6df
--- /dev/null
+++ b/etc/profile-m-z/sol.profile
@@ -0,0 +1,46 @@
+# Firejail profile for default
+# This file is overwritten after every install/update
+# Persistent local customizations
+include sol.local
+# Persistent global definitions
+include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+# all necessary files in $HOME are in whitelist-common.inc
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+net none
+# no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+# nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+disable-mnt
+private-bin sol
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
+
+# memory-deny-write-execute
diff --git a/etc/profile-m-z/sound-juicer.profile b/etc/profile-m-z/sound-juicer.profile
new file mode 100644
index 000000000..b9f3768be
--- /dev/null
+++ b/etc/profile-m-z/sound-juicer.profile
@@ -0,0 +1,43 @@
+# Firejail profile for mpv
+# Description: Graphical audio CD ripper and encoder
+# This file is overwritten after every install/update
+# Persistent local customizations
+include sound-juicer.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/sound-juicer
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+no3d
+nogroups
+nonewprivs
+noroot
+nosound
+nou2f
+notv
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+private-cache
+private-dev
+private-tmp
+
+# dbus-user none
+# dbus-system none
diff --git a/etc/profile-m-z/soundconverter.profile b/etc/profile-m-z/soundconverter.profile
new file mode 100644
index 000000000..bdd6eb7f5
--- /dev/null
+++ b/etc/profile-m-z/soundconverter.profile
@@ -0,0 +1,50 @@
+# Firejail profile for soundconverter
+# Description: GNOME application to convert audio files into other formats
+# This file is overwritten after every install/update
+# Persistent local customizations
+include soundconverter.local
+# Persistent global definitions
+include globals.local
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist ${DOWNLOADS}
+whitelist ${MUSIC}
+whitelist /usr/share/soundconverter
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+private-cache
+private-dev
+private-tmp
+
diff --git a/etc/profile-m-z/spectre-meltdown-checker.profile b/etc/profile-m-z/spectre-meltdown-checker.profile
new file mode 100644
index 000000000..a0b99abcf
--- /dev/null
+++ b/etc/profile-m-z/spectre-meltdown-checker.profile
@@ -0,0 +1,54 @@
+# Firejail profile for spectre-meltdown-checker
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include spectre-meltdown-checker.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+
+noblacklist ${PATH}/mount
+noblacklist ${PATH}/umount
+
+# Allow perl (blacklisted by disable-interpreters.inc)
+include allow-perl.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist /usr/share/perl5
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+allow-debuggers
+caps.keep sys_rawio
+ipc-namespace
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+nosound
+notv
+novideo
+protocol unix
+seccomp.drop @clock,@cpu-emulation,@module,@obsolete,@reboot,@resources,@swap
+shell none
+x11 none
+
+disable-mnt
+private
+private-bin awk,bzip2,cat,coreos-install,cpucontrol,cut,dd,dirname,dmesg,dnf,echo,grep,gunzip,gz,gzip,head,id,kldload,kldstat,liblz4-tool,lzop,mktemp,modinfo,modprobe,mount,nm,objdump,od,perl,printf,readelf,rm,sed,seq,sh,sort,spectre-meltdown-checker,spectre-meltdown-checker.sh,stat,strings,sysctl,tail,test,toolbox,tr,uname,which,xz-utils
+private-cache
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/spotify.profile b/etc/profile-m-z/spotify.profile
new file mode 100644
index 000000000..1a34cb86d
--- /dev/null
+++ b/etc/profile-m-z/spotify.profile
@@ -0,0 +1,54 @@
+# Firejail profile for spotify
+# This file is overwritten after every install/update
+# Persistent local customizations
+include spotify.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/spotify
+noblacklist ${HOME}/.config/spotify
+noblacklist ${HOME}/.local/share/spotify
+
+blacklist ${HOME}/.bashrc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.cache/spotify
+mkdir ${HOME}/.config/spotify
+mkdir ${HOME}/.local/share/spotify
+whitelist ${HOME}/.cache/spotify
+whitelist ${HOME}/.config/spotify
+whitelist ${HOME}/.local/share/spotify
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin bash,cat,dirname,find,grep,head,rm,sh,spotify,tclsh,touch,zenity
+private-dev
+# Comment the next line or put 'ignore private-etc' in your spotify.local if want to see the albums covers or if you want to use the radio
+private-etc alternatives,ca-certificates,crypto-policies,fonts,group,host.conf,hosts,ld.so.cache,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl
+private-opt spotify
+private-srv none
+private-tmp
+
+# dbus needed for MPRIS
+# dbus-user none
+# dbus-system none
diff --git a/etc/profile-m-z/sqlitebrowser.profile b/etc/profile-m-z/sqlitebrowser.profile
new file mode 100644
index 000000000..017120811
--- /dev/null
+++ b/etc/profile-m-z/sqlitebrowser.profile
@@ -0,0 +1,49 @@
+# Firejail profile for sqlitebrowser
+# Description: GUI editor for SQLite databases
+# This file is overwritten after every install/update
+# Persistent local customizations
+include sqlitebrowser.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/sqlitebrowser
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+private-bin sqlitebrowser
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,group,machine-id,passwd,pki,ssl
+private-tmp
+
+# breaks proxy creation
+# dbus-user none
+# dbus-system none
+
+#memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/profile-m-z/ssh-agent.profile b/etc/profile-m-z/ssh-agent.profile
new file mode 100644
index 000000000..01b63d3ce
--- /dev/null
+++ b/etc/profile-m-z/ssh-agent.profile
@@ -0,0 +1,38 @@
+# Firejail profile for ssh-agent
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include ssh-agent.local
+# Persistent global definitions
+include globals.local
+
+noblacklist /etc/ssh
+noblacklist /tmp/ssh-*
+noblacklist ${HOME}/.ssh
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-usr-share-common.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+writable-run-user
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/ssh.profile b/etc/profile-m-z/ssh.profile
new file mode 100644
index 000000000..5d3458c29
--- /dev/null
+++ b/etc/profile-m-z/ssh.profile
@@ -0,0 +1,52 @@
+# Firejail profile for ssh
+# Description: Secure shell client and server
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include ssh.local
+# Persistent global definitions
+include globals.local
+
+noblacklist /etc/ssh
+noblacklist /tmp/ssh-*
+noblacklist ${HOME}/.ssh
+# nc can be used as ProxyCommand, e.g. when using tor
+noblacklist ${PATH}/nc
+noblacklist ${PATH}/ncat
+
+include disable-common.inc
+include disable-exec.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+whitelist ${RUNUSER}/keyring/ssh
+whitelist ${RUNUSER}/gnupg/S.gpg-agent.ssh
+include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+# noroot - see issue #1543
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-cache
+private-dev
+# private-tmp # Breaks when exiting
+writable-run-user
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/standardnotes-desktop.profile b/etc/profile-m-z/standardnotes-desktop.profile
new file mode 100644
index 000000000..1292b806b
--- /dev/null
+++ b/etc/profile-m-z/standardnotes-desktop.profile
@@ -0,0 +1,44 @@
+# Firejail profile for standardnotes-desktop
+# This file is overwritten after every install/update
+# Persistent local customizations
+include standardnotes-desktop.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/Standard Notes Backups
+noblacklist ${HOME}/.config/Standard Notes
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/Standard Notes Backups
+mkdir ${HOME}/.config/Standard Notes
+whitelist ${HOME}/Standard Notes Backups
+whitelist ${HOME}/.config/Standard Notes
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp !chroot
+
+disable-mnt
+private-dev
+private-tmp
+private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,pki,resolv.conf,ssl,xdg
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/start-tor-browser.desktop.profile b/etc/profile-m-z/start-tor-browser.desktop.profile
new file mode 100644
index 000000000..2f73c9fee
--- /dev/null
+++ b/etc/profile-m-z/start-tor-browser.desktop.profile
@@ -0,0 +1,76 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+# Persistent local customizations
+include start-tor-browser.desktop.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.tor-browser*
+
+whitelist ${HOME}/.tor-browser-ar
+whitelist ${HOME}/.tor-browser-ca
+whitelist ${HOME}/.tor-browser-cs
+whitelist ${HOME}/.tor-browser-da
+whitelist ${HOME}/.tor-browser-de
+whitelist ${HOME}/.tor-browser-el
+whitelist ${HOME}/.tor-browser-en
+whitelist ${HOME}/.tor-browser-en-us
+whitelist ${HOME}/.tor-browser-es
+whitelist ${HOME}/.tor-browser-es-es
+whitelist ${HOME}/.tor-browser-fa
+whitelist ${HOME}/.tor-browser-fr
+whitelist ${HOME}/.tor-browser-ga-ie
+whitelist ${HOME}/.tor-browser-he
+whitelist ${HOME}/.tor-browser-hu
+whitelist ${HOME}/.tor-browser-id
+whitelist ${HOME}/.tor-browser-is
+whitelist ${HOME}/.tor-browser-it
+whitelist ${HOME}/.tor-browser-ja
+whitelist ${HOME}/.tor-browser-ka
+whitelist ${HOME}/.tor-browser-ko
+whitelist ${HOME}/.tor-browser-nb
+whitelist ${HOME}/.tor-browser-nl
+whitelist ${HOME}/.tor-browser-pl
+whitelist ${HOME}/.tor-browser-pt-br
+whitelist ${HOME}/.tor-browser-ru
+whitelist ${HOME}/.tor-browser-sv-se
+whitelist ${HOME}/.tor-browser-tr
+whitelist ${HOME}/.tor-browser-vi
+whitelist ${HOME}/.tor-browser-zh-cn
+whitelist ${HOME}/.tor-browser-zh-tw
+
+whitelist ${HOME}/.tor-browser_ar
+whitelist ${HOME}/.tor-browser_ca
+whitelist ${HOME}/.tor-browser_cs
+whitelist ${HOME}/.tor-browser_da
+whitelist ${HOME}/.tor-browser_de
+whitelist ${HOME}/.tor-browser_el
+whitelist ${HOME}/.tor-browser_en
+whitelist ${HOME}/.tor-browser_en_US
+whitelist ${HOME}/.tor-browser_es
+whitelist ${HOME}/.tor-browser_es-ES
+whitelist ${HOME}/.tor-browser_fa
+whitelist ${HOME}/.tor-browser_fr
+whitelist ${HOME}/.tor-browser_ga-IE
+whitelist ${HOME}/.tor-browser_he
+whitelist ${HOME}/.tor-browser_hu
+whitelist ${HOME}/.tor-browser_id
+whitelist ${HOME}/.tor-browser_is
+whitelist ${HOME}/.tor-browser_it
+whitelist ${HOME}/.tor-browser_ja
+whitelist ${HOME}/.tor-browser_ka
+whitelist ${HOME}/.tor-browser_ko
+whitelist ${HOME}/.tor-browser_nb
+whitelist ${HOME}/.tor-browser_nl
+whitelist ${HOME}/.tor-browser_pl
+whitelist ${HOME}/.tor-browser_pt-BR
+whitelist ${HOME}/.tor-browser_ru
+whitelist ${HOME}/.tor-browser_sv-SE
+whitelist ${HOME}/.tor-browser_tr
+whitelist ${HOME}/.tor-browser_vi
+whitelist ${HOME}/.tor-browser_zh-CN
+whitelist ${HOME}/.tor-browser_zh-TW
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/start-tor-browser.profile b/etc/profile-m-z/start-tor-browser.profile
new file mode 100644
index 000000000..b62b19101
--- /dev/null
+++ b/etc/profile-m-z/start-tor-browser.profile
@@ -0,0 +1,42 @@
+# Firejail profile for start-tor-browser
+# This file is overwritten after every install/update
+# Persistent local customizations
+include start-tor-browser.local
+# Persistent global definitions
+include globals.local
+
+ignore noexec ${HOME}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp !chroot
+shell none
+# tracelog may cause issues, see github issue #1930
+#tracelog
+
+disable-mnt
+private-bin bash,cat,cp,cut,dirname,env,getconf,gpg,grep,gxmessage,id,kdialog,ln,mkdir,pwd,readlink,realpath,rm,sed,sh,tail,test,update-desktop-database,xmessage,zenity
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/steam-native.profile b/etc/profile-m-z/steam-native.profile
new file mode 100644
index 000000000..47608ad28
--- /dev/null
+++ b/etc/profile-m-z/steam-native.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for steam
+# This file is overwritten after every install/update
+
+# Redirect
+include steam.profile
diff --git a/etc/profile-m-z/steam.profile b/etc/profile-m-z/steam.profile
new file mode 100644
index 000000000..2463764a7
--- /dev/null
+++ b/etc/profile-m-z/steam.profile
@@ -0,0 +1,112 @@
+# Firejail profile for steam
+# Description: Valve's Steam digital software delivery system
+# This file is overwritten after every install/update
+# Persistent local customizations
+include steam.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.killingfloor
+noblacklist ${HOME}/.local/share/3909/PapersPlease
+noblacklist ${HOME}/.local/share/aspyr-media
+noblacklist ${HOME}/.local/share/cdprojektred
+noblacklist ${HOME}/.local/share/feral-interactive
+noblacklist ${HOME}/.local/share/Steam
+noblacklist ${HOME}/.local/share/SuperHexagon
+noblacklist ${HOME}/.local/share/Terraria
+noblacklist ${HOME}/.local/share/vpltd
+noblacklist ${HOME}/.local/share/vulkan
+noblacklist ${HOME}/.steam
+noblacklist ${HOME}/.steampath
+noblacklist ${HOME}/.steampid
+# needed for STEAM_RUNTIME_PREFER_HOST_LIBRARIES=1 to work
+noblacklist /sbin
+noblacklist /usr/sbin
+
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.config/unity3d
+mkdir ${HOME}/.killingfloor
+mkdir ${HOME}/.local/share/3909/PapersPlease
+mkdir ${HOME}/.local/share/aspyr-media
+mkdir ${HOME}/.local/share/cdprojektred
+mkdir ${HOME}/.local/share/feral-interactive
+mkdir ${HOME}/.local/share/Paradox Interactive
+mkdir ${HOME}/.local/share/Steam
+mkdir ${HOME}/.local/share/SuperHexagon
+mkdir ${HOME}/.local/share/Terraria
+mkdir ${HOME}/.local/share/vpltd
+mkdir ${HOME}/.local/share/vulkan
+mkdir ${HOME}/.mbwarband
+mkdir ${HOME}/.paradoxinteractive
+mkdir ${HOME}/.steam
+mkfile ${HOME}/.steampath
+mkfile ${HOME}/.steampid
+whitelist ${HOME}/.config/unity3d
+whitelist ${HOME}/.killingfloor
+whitelist ${HOME}/.local/share/3909/PapersPlease
+whitelist ${HOME}/.local/share/aspyr-media
+whitelist ${HOME}/.local/share/cdprojektred
+whitelist ${HOME}/.local/share/feral-interactive
+whitelist ${HOME}/.local/share/Paradox Interactive
+whitelist ${HOME}/.local/share/Steam
+whitelist ${HOME}/.local/share/SuperHexagon
+whitelist ${HOME}/.local/share/Terraria
+whitelist ${HOME}/.local/share/vpltd
+whitelist ${HOME}/.local/share/vulkan
+whitelist ${HOME}/.mbwarband
+whitelist ${HOME}/.paradoxinteractive
+whitelist ${HOME}/.steam
+whitelist ${HOME}/.steampath
+whitelist ${HOME}/.steampid
+whitelist ${HOME}/.steampid
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+#ipc-namespace
+netfilter
+nodvd
+# nVidia user may need to comment / ignore nogroups and noroot
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+# novideo should be commented for VR
+novideo
+protocol unix,inet,inet6,netlink
+# seccomp cause sometimes issues (see #2951, #3267),
+# comment it or add 'ignore seccomp' to steam.local if so.
+seccomp !kcmp,!ptrace
+shell none
+# tracelog disabled as it breaks integrated browser
+#tracelog
+
+# private-bin is disabled while in testing, but has been tested working with multiple games
+#private-bin awk,basename,bash,bsdtar,bzip2,cat,chmod,cksum,cmp,comm,compress,cp,curl,cut,date,dbus-launch,dbus-send,desktop-file-edit,desktop-file-install,desktop-file-validate,dirname,echo,env,expr,file,find,getopt,grep,gtar,gzip,head,hostname,id,lbzip2,ldconfig,ldd,ln,ls,lsb_release,lsof,lspci,lz4,lzip,lzma,lzop,md5sum,mkdir,mktemp,mv,netstat,ps,pulseaudio,python*,readlink,realpath,rm,sed,sh,sha1sum,sha256sum,sha512sum,sleep,sort,steam,steamdeps,steam-native,steam-runtime,sum,tail,tar,tclsh,test,touch,tr,umask,uname,update-desktop-database,wc,wget,which,whoami,xterm,xz,zenity
+# extra programs are available which might be needed for select games
+#private-bin java,java-config,mono
+# picture viewers are needed for viewing screenshots
+#private-bin eog,eom,gthumb,pix,viewnior,xviewer
+
+# private-dev should be commented for controllers
+private-dev
+# private-etc breaks a small selection of games on some systems, comment to support those
+private-etc alternatives,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,lsb-release,machine-id,mime.types,nvidia,os-release,passwd,pki,pulse,resolv.conf,services,ssl
+private-tmp
+
+# breaks appindicator support
+# dbus-user none
+# dbus-system none
diff --git a/etc/profile-m-z/stellarium.profile b/etc/profile-m-z/stellarium.profile
new file mode 100644
index 000000000..d6df2e0ad
--- /dev/null
+++ b/etc/profile-m-z/stellarium.profile
@@ -0,0 +1,45 @@
+# Firejail profile for stellarium
+# Description: Real-time photo-realistic sky generator
+# This file is overwritten after every install/update
+# Persistent local customizations
+include stellarium.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/stellarium
+noblacklist ${HOME}/.stellarium
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.config/stellarium
+mkdir ${HOME}/.stellarium
+whitelist ${HOME}/.config/stellarium
+whitelist ${HOME}/.stellarium
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+machine-id
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin stellarium
+private-dev
+private-tmp
+
diff --git a/etc/profile-m-z/strings.profile b/etc/profile-m-z/strings.profile
new file mode 100644
index 000000000..31ed5dd3f
--- /dev/null
+++ b/etc/profile-m-z/strings.profile
@@ -0,0 +1,56 @@
+# Firejail profile for strings
+# Description: print the strings of printable characters in files
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include strings.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
+
+#include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+#include disable-programs.inc
+#include disable-xdg.inc
+
+#include whitelist-usr-share-common.inc
+#include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+#noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+#private
+#private-bin strings
+private-cache
+private-dev
+#private-etc alternatives
+#private-lib libfakeroot
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+read-only ${HOME}
diff --git a/etc/profile-m-z/studio.sh.profile b/etc/profile-m-z/studio.sh.profile
new file mode 100644
index 000000000..79e879f36
--- /dev/null
+++ b/etc/profile-m-z/studio.sh.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for Android Studio
+# This file is overwritten after every install/update
+
+# Redirect
+include android-studio.profile
diff --git a/etc/profile-m-z/subdownloader.profile b/etc/profile-m-z/subdownloader.profile
new file mode 100644
index 000000000..428af3737
--- /dev/null
+++ b/etc/profile-m-z/subdownloader.profile
@@ -0,0 +1,53 @@
+# Firejail profile for subdownloader
+# Description: Automatic download/upload of subtitles using fast hashing
+# This file is overwritten after every install/update
+# Persistent local customizations
+include subdownloader.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/SubDownloader
+noblacklist ${VIDEOS}
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-cache
+private-dev
+private-etc alternatives,fonts
+private-tmp
+
+dbus-user none
+dbus-system none
+
+#memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/profile-m-z/supertux2.profile b/etc/profile-m-z/supertux2.profile
new file mode 100644
index 000000000..e1cdb114c
--- /dev/null
+++ b/etc/profile-m-z/supertux2.profile
@@ -0,0 +1,43 @@
+# Firejail profile for supertux2
+# Description: Jump'n run like game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include supertux2.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/supertux2
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.local/share/supertux2
+whitelist ${HOME}/.local/share/supertux2
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+
+disable-mnt
+# private-bin supertux2
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/supertuxkart.profile b/etc/profile-m-z/supertuxkart.profile
new file mode 100644
index 000000000..73877b1b5
--- /dev/null
+++ b/etc/profile-m-z/supertuxkart.profile
@@ -0,0 +1,57 @@
+# Firejail profile for supertuxkart
+# Description: Free kart racing game.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include supertuxkart.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/supertuxkart
+noblacklist ${HOME}/.cache/supertuxkart
+noblacklist ${HOME}/.local/share/supertuxkart
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include disable-interpreters.inc
+
+mkdir ${HOME}/.config/supertuxkart
+mkdir ${HOME}/.cache/supertuxkart
+mkdir ${HOME}/.local/share/supertuxkart
+whitelist ${HOME}/.config/supertuxkart
+whitelist ${HOME}/.cache/supertuxkart
+whitelist ${HOME}/.local/share/supertuxkart
+whitelist /usr/share/supertuxkart
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin supertuxkart
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,drirc,hosts,machine-id,openal,pki,resolv.conf,ssl
+private-tmp
+private-opt none
+private-srv none
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/surf.profile b/etc/profile-m-z/surf.profile
new file mode 100644
index 000000000..d4c6d9afc
--- /dev/null
+++ b/etc/profile-m-z/surf.profile
@@ -0,0 +1,39 @@
+# Firejail profile for surf
+# Description: Simple web browser by suckless community
+# This file is overwritten after every install/update
+# Persistent local customizations
+include surf.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.surf
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.surf
+whitelist ${HOME}/.surf
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin bash,curl,dmenu,ls,printf,sed,sh,sleep,st,stterm,surf,xargs,xprop
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,group,hosts,passwd,pki,resolv.conf,ssl
+private-tmp
+
diff --git a/etc/profile-m-z/swell-foop.profile b/etc/profile-m-z/swell-foop.profile
new file mode 100644
index 000000000..9efae815d
--- /dev/null
+++ b/etc/profile-m-z/swell-foop.profile
@@ -0,0 +1,21 @@
+# Firejail profile for swell-foop
+# Description: GNOME colored tiles puzzle game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include swell-foop.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/swell-foop
+
+mkdir ${HOME}/.local/share/swell-foop
+whitelist ${HOME}/.local/share/swell-foop
+
+whitelist /usr/share/swell-foop
+
+private-bin swell-foop
+
+dbus-user.own org.gnome.SwellFoop
+
+# Redirect
+include gnome_games-common.profile
diff --git a/etc/profile-m-z/sylpheed.profile b/etc/profile-m-z/sylpheed.profile
new file mode 100644
index 000000000..4344fe73a
--- /dev/null
+++ b/etc/profile-m-z/sylpheed.profile
@@ -0,0 +1,17 @@
+# Firejail profile for sylpheed
+# Description: Light weight e-mail client with GTK+
+# This file is overwritten after every install/update
+# Persistent local customizations
+include sylpheed.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.sylpheed-2.0
+
+mkdir ${HOME}/.sylpheed-2.0
+whitelist ${HOME}/.sylpheed-2.0
+
+whitelist /usr/share/sylpheed
+
+# Redirect
+include email-common.profile
diff --git a/etc/profile-m-z/synfigstudio.profile b/etc/profile-m-z/synfigstudio.profile
new file mode 100644
index 000000000..a83080cc3
--- /dev/null
+++ b/etc/profile-m-z/synfigstudio.profile
@@ -0,0 +1,39 @@
+# Firejail profile for synfigstudio
+# Description: Vector-based 2D animation package
+# This file is overwritten after every install/update
+# Persistent local customizations
+include synfigstudio.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/synfig
+noblacklist ${HOME}/.synfig
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+#private-bin ffmpeg,synfig,synfigstudio
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/sysprof-cli.profile b/etc/profile-m-z/sysprof-cli.profile
new file mode 100644
index 000000000..8f4de130b
--- /dev/null
+++ b/etc/profile-m-z/sysprof-cli.profile
@@ -0,0 +1,20 @@
+# Firejail profile for sysprof-cli
+# Description: Kernel based performance profiler (CLI)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include sysprof-cli.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# There is no GUI help menu to break in the CLI version
+private-bin sysprof-cli
+private-lib
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+
+# Redirect
+include sysprof.profile
diff --git a/etc/profile-m-z/sysprof.profile b/etc/profile-m-z/sysprof.profile
new file mode 100644
index 000000000..ad3346285
--- /dev/null
+++ b/etc/profile-m-z/sysprof.profile
@@ -0,0 +1,52 @@
+# Firejail profile for sysprof
+# Description: Kernel based performance profiler (GUI)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include sysprof.local
+# Persistent global definitions
+include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+# Ubuntu 16.04 version needs root privileges - uncomment or put in sysprof.local if you don't use that
+#noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,netlink
+shell none
+tracelog
+
+disable-mnt
+#private-bin sysprof - breaks GUI help menu
+private-cache
+private-dev
+private-etc alternatives,fonts,ld.so.cache,machine-id,ssl
+# private-lib breaks GUI help menu
+#private-lib gdk-pixbuf-2.*,gio,gtk3,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*,libsysprof-2.so,libsysprof-ui-2.so
+private-tmp
+
+# makes settings immutable
+# dbus-user none
+# dbus-system none
+
+# memory-deny-write-execute - Breaks GUI on Arch
diff --git a/etc/profile-m-z/tar.profile b/etc/profile-m-z/tar.profile
new file mode 100644
index 000000000..3a7405305
--- /dev/null
+++ b/etc/profile-m-z/tar.profile
@@ -0,0 +1,55 @@
+# Firejail profile for tar
+# Description: GNU version of the tar archiving utility
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include tar.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+
+# Arch Linux (based distributions) need access to /var/lib/pacman. As we drop all capabilities this is automatically read-only.
+noblacklist /var/lib/pacman
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+apparmor
+caps.drop all
+hostname tar
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+#noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+# support compressed archives
+private-bin awk,bash,bzip2,compress,firejail,grep,gtar,gzip,lbzip2,lzip,lzma,lzop,sh,tar,xz
+private-cache
+private-dev
+private-etc alternatives,group,localtime,login.defs,passwd
+private-lib libfakeroot
+# Debian based distributions need this for 'dpkg --unpack' (incl. synaptic)
+writable-var
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/tb-starter-wrapper.profile b/etc/profile-m-z/tb-starter-wrapper.profile
new file mode 100644
index 000000000..ffe9605b6
--- /dev/null
+++ b/etc/profile-m-z/tb-starter-wrapper.profile
@@ -0,0 +1,19 @@
+# Firejail profile for tb-starter-wrapper
+# Description: wrapper-script used by whonix to start the tor browser
+quiet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tb-starter-wrapper.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.tb
+
+mkdir ${HOME}/.tb
+whitelist ${HOME}/.tb
+
+private-bin tb-starter-wrapper
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tcpdump.profile b/etc/profile-m-z/tcpdump.profile
new file mode 100644
index 000000000..881fbf49e
--- /dev/null
+++ b/etc/profile-m-z/tcpdump.profile
@@ -0,0 +1,45 @@
+# Firejail profile for tcpdump
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include tcpdump.local
+# Persistent global definitions
+include globals.local
+
+noblacklist /sbin
+noblacklist /usr/sbin
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-common.inc
+
+apparmor
+caps.keep net_raw
+ipc-namespace
+#net tun0
+netfilter
+no3d
+nodvd
+#nogroups
+nonewprivs
+#noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink,packet
+seccomp
+
+disable-mnt
+#private
+#private-bin tcpdump
+private-dev
+private-tmp
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/teams-for-linux.profile b/etc/profile-m-z/teams-for-linux.profile
new file mode 100644
index 000000000..a13c92bc3
--- /dev/null
+++ b/etc/profile-m-z/teams-for-linux.profile
@@ -0,0 +1,36 @@
+# Firejail profile for teams-for-linux
+# Description: Unofficial Microsoft Teams client for Linux using Electron.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include teams-for-linux.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+ignore dbus-user none
+ignore dbus-system none
+
+noblacklist ${HOME}/.config/teams-for-linux
+
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+
+mkdir ${HOME}/.config/teams-for-linux
+whitelist ${HOME}/.config/teams-for-linux
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+nou2f
+novideo
+shell none
+
+disable-mnt
+private-bin bash,cut,echo,egrep,grep,head,sed,sh,teams-for-linux,tr,xdg-mime,xdg-open,zsh
+private-cache
+private-dev
+private-etc ca-certificates,crypto-policies,fonts,ld.so.cache,localtime,machine-id,pki,resolv.conf,ssl
+private-tmp
+
+# Redirect
+include electron.profile
diff --git a/etc/profile-m-z/teams.profile b/etc/profile-m-z/teams.profile
new file mode 100644
index 000000000..326b97e4b
--- /dev/null
+++ b/etc/profile-m-z/teams.profile
@@ -0,0 +1,38 @@
+# Firejail profile for teams
+# Description: Official Microsoft Teams client for Linux using Electron.
+# This file is overwritten after every install/update
+# Known issues:
+#  * if Teams crashes on startup try using "ignore apparmor" in your local config
+# Persistent local customizations
+include teams.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+ignore dbus-user none
+ignore dbus-system none
+
+noblacklist ${HOME}/.config/teams
+noblacklist ${HOME}/.config/Microsoft
+
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+
+mkdir ${HOME}/.config/teams
+mkdir ${HOME}/.config/Microsoft
+whitelist ${HOME}/.config/teams
+whitelist ${HOME}/.config/Microsoft
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+nou2f
+shell none
+tracelog
+
+disable-mnt
+private-cache
+private-dev
+
+# Redirect
+include electron.profile
diff --git a/etc/profile-m-z/teamspeak3.profile b/etc/profile-m-z/teamspeak3.profile
new file mode 100644
index 000000000..c1c666f58
--- /dev/null
+++ b/etc/profile-m-z/teamspeak3.profile
@@ -0,0 +1,42 @@
+# Firejail profile for teamspeak3
+# Description: TeamSpeak is software for quality voice communication via the Internet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include teamspeak3.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.ts3client
+noblacklist ${PATH}/openssl
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.ts3client
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.ts3client
+include whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp !chroot
+shell none
+
+disable-mnt
+private-dev
+private-tmp
+
diff --git a/etc/profile-m-z/teeworlds.profile b/etc/profile-m-z/teeworlds.profile
new file mode 100644
index 000000000..7765703de
--- /dev/null
+++ b/etc/profile-m-z/teeworlds.profile
@@ -0,0 +1,46 @@
+# Firejail profile for teeworlds
+# Description: Online multi-player platform 2D shooter
+# This file is overwritten after every install/update
+# Persistent local customizations
+include teeworlds.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.teeworlds
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.teeworlds
+whitelist ${HOME}/.teeworlds
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin teeworlds
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/telegram-desktop.profile b/etc/profile-m-z/telegram-desktop.profile
new file mode 100644
index 000000000..0cfa7114b
--- /dev/null
+++ b/etc/profile-m-z/telegram-desktop.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for telegram
+# Description: Official Telegram Desktop client
+# This file is overwritten after every install/update
+
+# Redirect
+include telegram.profile
diff --git a/etc/profile-m-z/telegram.profile b/etc/profile-m-z/telegram.profile
new file mode 100644
index 000000000..e3af5600a
--- /dev/null
+++ b/etc/profile-m-z/telegram.profile
@@ -0,0 +1,29 @@
+# Firejail profile for telegram
+# This file is overwritten after every install/update
+# Persistent local customizations
+include telegram.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.TelegramDesktop
+noblacklist ${HOME}/.local/share/TelegramDesktop
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+caps.drop all
+netfilter
+nodvd
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6
+seccomp
+
+disable-mnt
+private-cache
+private-tmp
+
diff --git a/etc/profile-m-z/terasology.profile b/etc/profile-m-z/terasology.profile
new file mode 100644
index 000000000..36ce6d469
--- /dev/null
+++ b/etc/profile-m-z/terasology.profile
@@ -0,0 +1,48 @@
+# Firejail profile for terasology
+# This file is overwritten after every install/update
+# Persistent local customizations
+include terasology.local
+# Persistent global definitions
+include globals.local
+
+ignore noexec /tmp
+
+noblacklist ${HOME}/.local/share/terasology
+
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.java
+mkdir ${HOME}/.local/share/terasology
+whitelist ${HOME}/.java
+whitelist ${HOME}/.local/share/terasology
+include whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-dev
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,java-7-openjdk,java-8-openjdk,ld.so.cache,ld.so.preload,localtime,lsb-release,machine-id,mime.types,passwd,pki,pulse,resolv.conf,ssl
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/tex.profile b/etc/profile-m-z/tex.profile
new file mode 100644
index 000000000..f56c3038e
--- /dev/null
+++ b/etc/profile-m-z/tex.profile
@@ -0,0 +1,12 @@
+# Firejail profile for tex
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tex.local
+# Persistent global definitions
+include globals.local
+
+private-bin tex
+
+# Redirect
+include latex-common.profile
+
diff --git a/etc/profile-m-z/textmaker18.profile b/etc/profile-m-z/textmaker18.profile
new file mode 100644
index 000000000..d28947394
--- /dev/null
+++ b/etc/profile-m-z/textmaker18.profile
@@ -0,0 +1,11 @@
+# Firejail profile for textmaker18
+# Description: SoftMaker Office - word processor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include textmaker18.local
+# Persistent global definitions
+include globals.local
+
+# Redirect
+include softmaker-common.inc
+
diff --git a/etc/profile-m-z/textmaker18free.profile b/etc/profile-m-z/textmaker18free.profile
new file mode 100644
index 000000000..7b4fd5b08
--- /dev/null
+++ b/etc/profile-m-z/textmaker18free.profile
@@ -0,0 +1,11 @@
+# Firejail profile for textmaker18free
+# Description: SoftMaker Office - word processor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include textmaker18free.local
+# Persistent global definitions
+include globals.local
+
+# Redirect
+include softmaker-common.inc
+
diff --git a/etc/profile-m-z/thunar.profile b/etc/profile-m-z/thunar.profile
new file mode 100644
index 000000000..19993016a
--- /dev/null
+++ b/etc/profile-m-z/thunar.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for Thunar
+# Description: Modern file manager for Xfce
+# This file is overwritten after every install/update
+
+# Redirect
+include Thunar.profile
diff --git a/etc/profile-m-z/thunderbird-beta.profile b/etc/profile-m-z/thunderbird-beta.profile
new file mode 100644
index 000000000..6450e40d6
--- /dev/null
+++ b/etc/profile-m-z/thunderbird-beta.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for thunderbird-beta
+# This file is overwritten after every install/update
+
+private-opt thunderbird-beta
+
+# Redirect
+include thunderbird.profile
diff --git a/etc/profile-m-z/thunderbird-wayland.profile b/etc/profile-m-z/thunderbird-wayland.profile
new file mode 100644
index 000000000..9fbb80d29
--- /dev/null
+++ b/etc/profile-m-z/thunderbird-wayland.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for thunderbird-wayland
+# This file is overwritten after every install/update
+# Persistent local customizations
+include thunderbird-wayland.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include thunderbird.profile
diff --git a/etc/profile-m-z/thunderbird.profile b/etc/profile-m-z/thunderbird.profile
new file mode 100644
index 000000000..44ed6e5e0
--- /dev/null
+++ b/etc/profile-m-z/thunderbird.profile
@@ -0,0 +1,63 @@
+# Firejail profile for thunderbird
+# Description: Email, RSS and newsgroup client with integrated spam filter
+# This file is overwritten after every install/update
+# Persistent local customizations
+include thunderbird.local
+# Persistent global definitions
+include globals.local
+
+# writable-run-user and dbus are needed by enigmail
+ignore dbus-user none
+ignore dbus-system none
+writable-run-user
+
+# If you want to read local mail stored in /var/mail, add the following to thunderbird.local:
+#noblacklist /var/mail
+#noblacklist /var/spool/mail
+#whitelist /var/mail
+#whitelist /var/spool/mail
+#writable-var
+
+# These lines are needed to allow Firefox to load your profile when clicking a link in an email
+noblacklist ${HOME}/.mozilla
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+read-only ${HOME}/.mozilla/firefox/profiles.ini
+
+noblacklist ${HOME}/.cache/thunderbird
+noblacklist ${HOME}/.gnupg
+# noblacklist ${HOME}/.icedove
+noblacklist ${HOME}/.thunderbird
+
+include disable-passwdmgr.inc
+include disable-xdg.inc
+
+# If you have setup Thunderbird to archive emails to a local folder,
+# make sure you add the path to that folder to the mkdir and whitelist
+# rules below. Otherwise they will be deleted when you close Thunderbird.
+# See https://github.com/netblue30/firejail/issues/2357
+mkdir ${HOME}/.cache/thunderbird
+mkdir ${HOME}/.gnupg
+# mkdir ${HOME}/.icedove
+mkdir ${HOME}/.thunderbird
+whitelist ${HOME}/.cache/thunderbird
+whitelist ${HOME}/.gnupg
+# whitelist ${HOME}/.icedove
+whitelist ${HOME}/.thunderbird
+
+whitelist /usr/share/gnupg
+whitelist /usr/share/mozilla
+whitelist /usr/share/thunderbird
+whitelist /usr/share/webext
+include whitelist-usr-share-common.inc
+
+# machine-id breaks audio in browsers; enable or put it in your thunderbird.local when sound is not required
+#machine-id
+novideo
+
+# We need the real /tmp for data exchange when xdg-open handles email attachments on KDE
+ignore private-tmp
+
+read-only ${HOME}/.config/mimeapps.list
+
+# Redirect
+include firefox-common.profile
diff --git a/etc/profile-m-z/tilp.profile b/etc/profile-m-z/tilp.profile
new file mode 100644
index 000000000..4d38d5184
--- /dev/null
+++ b/etc/profile-m-z/tilp.profile
@@ -0,0 +1,35 @@
+# Firejail profile for tilp
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tilp.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.tilp
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin tilp
+private-cache
+private-etc alternatives,fonts
+private-tmp
+
diff --git a/etc/profile-m-z/tor-browser-ar.profile b/etc/profile-m-z/tor-browser-ar.profile
new file mode 100644
index 000000000..612b2d01b
--- /dev/null
+++ b/etc/profile-m-z/tor-browser-ar.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-ar
+
+mkdir ${HOME}/.tor-browser-ar
+whitelist ${HOME}/.tor-browser-ar
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-ca.profile b/etc/profile-m-z/tor-browser-ca.profile
new file mode 100644
index 000000000..db70a7109
--- /dev/null
+++ b/etc/profile-m-z/tor-browser-ca.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-ca
+
+mkdir ${HOME}/.tor-browser-ca
+whitelist ${HOME}/.tor-browser-ca
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-cs.profile b/etc/profile-m-z/tor-browser-cs.profile
new file mode 100644
index 000000000..77b271b68
--- /dev/null
+++ b/etc/profile-m-z/tor-browser-cs.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-cs
+
+mkdir ${HOME}/.tor-browser-cs
+whitelist ${HOME}/.tor-browser-cs
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-da.profile b/etc/profile-m-z/tor-browser-da.profile
new file mode 100644
index 000000000..3b9fff9a4
--- /dev/null
+++ b/etc/profile-m-z/tor-browser-da.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-da
+
+mkdir ${HOME}/.tor-browser-da
+whitelist ${HOME}/.tor-browser-da
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-de.profile b/etc/profile-m-z/tor-browser-de.profile
new file mode 100644
index 000000000..3b4f7f94f
--- /dev/null
+++ b/etc/profile-m-z/tor-browser-de.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-de
+
+mkdir ${HOME}/.tor-browser-de
+whitelist ${HOME}/.tor-browser-de
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-el.profile b/etc/profile-m-z/tor-browser-el.profile
new file mode 100644
index 000000000..b978b6042
--- /dev/null
+++ b/etc/profile-m-z/tor-browser-el.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-el
+
+mkdir ${HOME}/.tor-browser-el
+whitelist ${HOME}/.tor-browser-el
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-en-us.profile b/etc/profile-m-z/tor-browser-en-us.profile
new file mode 100644
index 000000000..db56dda1b
--- /dev/null
+++ b/etc/profile-m-z/tor-browser-en-us.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-en-us
+
+mkdir ${HOME}/.tor-browser-en-us
+whitelist ${HOME}/.tor-browser-en-us
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-en.profile b/etc/profile-m-z/tor-browser-en.profile
new file mode 100644
index 000000000..ad4110c0e
--- /dev/null
+++ b/etc/profile-m-z/tor-browser-en.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-en
+
+mkdir ${HOME}/.tor-browser-en
+whitelist ${HOME}/.tor-browser-en
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-es-es.profile b/etc/profile-m-z/tor-browser-es-es.profile
new file mode 100644
index 000000000..1aa586658
--- /dev/null
+++ b/etc/profile-m-z/tor-browser-es-es.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-es-es
+
+mkdir ${HOME}/.tor-browser-es-es
+whitelist ${HOME}/.tor-browser-es-es
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-es.profile b/etc/profile-m-z/tor-browser-es.profile
new file mode 100644
index 000000000..a386e3387
--- /dev/null
+++ b/etc/profile-m-z/tor-browser-es.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-es
+
+mkdir ${HOME}/.tor-browser-es
+whitelist ${HOME}/.tor-browser-es
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-fa.profile b/etc/profile-m-z/tor-browser-fa.profile
new file mode 100644
index 000000000..7f847a7c2
--- /dev/null
+++ b/etc/profile-m-z/tor-browser-fa.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-fa
+
+mkdir ${HOME}/.tor-browser-fa
+whitelist ${HOME}/.tor-browser-fa
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-fr.profile b/etc/profile-m-z/tor-browser-fr.profile
new file mode 100644
index 000000000..bce470ec8
--- /dev/null
+++ b/etc/profile-m-z/tor-browser-fr.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-fr
+
+mkdir ${HOME}/.tor-browser-fr
+whitelist ${HOME}/.tor-browser-fr
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-ga-ie.profile b/etc/profile-m-z/tor-browser-ga-ie.profile
new file mode 100644
index 000000000..994897a87
--- /dev/null
+++ b/etc/profile-m-z/tor-browser-ga-ie.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-ga-ie
+
+mkdir ${HOME}/.tor-browser-ga-ie
+whitelist ${HOME}/.tor-browser-ga-ie
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-he.profile b/etc/profile-m-z/tor-browser-he.profile
new file mode 100644
index 000000000..6367b4c0a
--- /dev/null
+++ b/etc/profile-m-z/tor-browser-he.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-he
+
+mkdir ${HOME}/.tor-browser-he
+whitelist ${HOME}/.tor-browser-he
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-hu.profile b/etc/profile-m-z/tor-browser-hu.profile
new file mode 100644
index 000000000..68e79833e
--- /dev/null
+++ b/etc/profile-m-z/tor-browser-hu.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-hu
+
+mkdir ${HOME}/.tor-browser-hu
+whitelist ${HOME}/.tor-browser-hu
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-id.profile b/etc/profile-m-z/tor-browser-id.profile
new file mode 100644
index 000000000..85b455ba2
--- /dev/null
+++ b/etc/profile-m-z/tor-browser-id.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-id
+
+mkdir ${HOME}/.tor-browser-id
+whitelist ${HOME}/.tor-browser-id
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-is.profile b/etc/profile-m-z/tor-browser-is.profile
new file mode 100644
index 000000000..48e88db71
--- /dev/null
+++ b/etc/profile-m-z/tor-browser-is.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-is
+
+mkdir ${HOME}/.tor-browser-is
+whitelist ${HOME}/.tor-browser-is
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-it.profile b/etc/profile-m-z/tor-browser-it.profile
new file mode 100644
index 000000000..3c239ca29
--- /dev/null
+++ b/etc/profile-m-z/tor-browser-it.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-it
+
+mkdir ${HOME}/.tor-browser-it
+whitelist ${HOME}/.tor-browser-it
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-ja.profile b/etc/profile-m-z/tor-browser-ja.profile
new file mode 100644
index 000000000..c52e0f64e
--- /dev/null
+++ b/etc/profile-m-z/tor-browser-ja.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-ja
+
+mkdir ${HOME}/.tor-browser-ja
+whitelist ${HOME}/.tor-browser-ja
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-ka.profile b/etc/profile-m-z/tor-browser-ka.profile
new file mode 100644
index 000000000..173b85e5c
--- /dev/null
+++ b/etc/profile-m-z/tor-browser-ka.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-ka
+
+mkdir ${HOME}/.tor-browser-ka
+whitelist ${HOME}/.tor-browser-ka
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-ko.profile b/etc/profile-m-z/tor-browser-ko.profile
new file mode 100644
index 000000000..8faa5afa1
--- /dev/null
+++ b/etc/profile-m-z/tor-browser-ko.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-ko
+
+mkdir ${HOME}/.tor-browser-ko
+whitelist ${HOME}/.tor-browser-ko
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-nb.profile b/etc/profile-m-z/tor-browser-nb.profile
new file mode 100644
index 000000000..d1352dd80
--- /dev/null
+++ b/etc/profile-m-z/tor-browser-nb.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-nb
+
+mkdir ${HOME}/.tor-browser-nb
+whitelist ${HOME}/.tor-browser-nb
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-nl.profile b/etc/profile-m-z/tor-browser-nl.profile
new file mode 100644
index 000000000..d4443cca2
--- /dev/null
+++ b/etc/profile-m-z/tor-browser-nl.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-nl
+
+mkdir ${HOME}/.tor-browser-nl
+whitelist ${HOME}/.tor-browser-nl
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-pl.profile b/etc/profile-m-z/tor-browser-pl.profile
new file mode 100644
index 000000000..08ddd4ae7
--- /dev/null
+++ b/etc/profile-m-z/tor-browser-pl.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-pl
+
+mkdir ${HOME}/.tor-browser-pl
+whitelist ${HOME}/.tor-browser-pl
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-pt-br.profile b/etc/profile-m-z/tor-browser-pt-br.profile
new file mode 100644
index 000000000..9942a3fe8
--- /dev/null
+++ b/etc/profile-m-z/tor-browser-pt-br.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-pt-br
+
+mkdir ${HOME}/.tor-browser-pt-br
+whitelist ${HOME}/.tor-browser-pt-br
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-ru.profile b/etc/profile-m-z/tor-browser-ru.profile
new file mode 100644
index 000000000..6294f8ca0
--- /dev/null
+++ b/etc/profile-m-z/tor-browser-ru.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-ru
+
+mkdir ${HOME}/.tor-browser-ru
+whitelist ${HOME}/.tor-browser-ru
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-sv-se.profile b/etc/profile-m-z/tor-browser-sv-se.profile
new file mode 100644
index 000000000..c8544262f
--- /dev/null
+++ b/etc/profile-m-z/tor-browser-sv-se.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-sv-se
+
+mkdir ${HOME}/.tor-browser-sv-se
+whitelist ${HOME}/.tor-browser-sv-se
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-tr.profile b/etc/profile-m-z/tor-browser-tr.profile
new file mode 100644
index 000000000..2343fa8de
--- /dev/null
+++ b/etc/profile-m-z/tor-browser-tr.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-tr
+
+mkdir ${HOME}/.tor-browser-tr
+whitelist ${HOME}/.tor-browser-tr
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-vi.profile b/etc/profile-m-z/tor-browser-vi.profile
new file mode 100644
index 000000000..734c38698
--- /dev/null
+++ b/etc/profile-m-z/tor-browser-vi.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-vi
+
+mkdir ${HOME}/.tor-browser-vi
+whitelist ${HOME}/.tor-browser-vi
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-zh-cn.profile b/etc/profile-m-z/tor-browser-zh-cn.profile
new file mode 100644
index 000000000..21e813e45
--- /dev/null
+++ b/etc/profile-m-z/tor-browser-zh-cn.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-zh-cn
+
+mkdir ${HOME}/.tor-browser-zh-cn
+whitelist ${HOME}/.tor-browser-zh-cn
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-zh-tw.profile b/etc/profile-m-z/tor-browser-zh-tw.profile
new file mode 100644
index 000000000..6fe09c6c1
--- /dev/null
+++ b/etc/profile-m-z/tor-browser-zh-tw.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-zh-tw
+
+mkdir ${HOME}/.tor-browser-zh-tw
+whitelist ${HOME}/.tor-browser-zh-tw
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser.profile b/etc/profile-m-z/tor-browser.profile
new file mode 100644
index 000000000..0cd84abf5
--- /dev/null
+++ b/etc/profile-m-z/tor-browser.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser
+
+mkdir ${HOME}/.tor-browser
+whitelist ${HOME}/.tor-browser
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_ar.profile b/etc/profile-m-z/tor-browser_ar.profile
new file mode 100644
index 000000000..1e1f5ce35
--- /dev/null
+++ b/etc/profile-m-z/tor-browser_ar.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_ar
+
+mkdir ${HOME}/.tor-browser_ar
+whitelist ${HOME}/.tor-browser_ar
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_ca.profile b/etc/profile-m-z/tor-browser_ca.profile
new file mode 100644
index 000000000..e114b6051
--- /dev/null
+++ b/etc/profile-m-z/tor-browser_ca.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_ca
+
+mkdir ${HOME}/.tor-browser_ca
+whitelist ${HOME}/.tor-browser_ca
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_cs.profile b/etc/profile-m-z/tor-browser_cs.profile
new file mode 100644
index 000000000..498068bc6
--- /dev/null
+++ b/etc/profile-m-z/tor-browser_cs.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_cs
+
+mkdir ${HOME}/.tor-browser_cs
+whitelist ${HOME}/.tor-browser_cs
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_da.profile b/etc/profile-m-z/tor-browser_da.profile
new file mode 100644
index 000000000..5c25c03c8
--- /dev/null
+++ b/etc/profile-m-z/tor-browser_da.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_da
+
+mkdir ${HOME}/.tor-browser_da
+whitelist ${HOME}/.tor-browser_da
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_de.profile b/etc/profile-m-z/tor-browser_de.profile
new file mode 100644
index 000000000..d530e7dbe
--- /dev/null
+++ b/etc/profile-m-z/tor-browser_de.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_de
+
+mkdir ${HOME}/.tor-browser_de
+whitelist ${HOME}/.tor-browser_de
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_el.profile b/etc/profile-m-z/tor-browser_el.profile
new file mode 100644
index 000000000..67d5ab440
--- /dev/null
+++ b/etc/profile-m-z/tor-browser_el.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_el
+
+mkdir ${HOME}/.tor-browser_el
+whitelist ${HOME}/.tor-browser_el
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_en-US.profile b/etc/profile-m-z/tor-browser_en-US.profile
new file mode 100644
index 000000000..b298ab2b8
--- /dev/null
+++ b/etc/profile-m-z/tor-browser_en-US.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_en-US
+
+mkdir ${HOME}/.tor-browser_en-US
+whitelist ${HOME}/.tor-browser_en-US
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_en.profile b/etc/profile-m-z/tor-browser_en.profile
new file mode 100644
index 000000000..6bb0616b1
--- /dev/null
+++ b/etc/profile-m-z/tor-browser_en.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_en
+
+mkdir ${HOME}/.tor-browser_en
+whitelist ${HOME}/.tor-browser_en
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_es-ES.profile b/etc/profile-m-z/tor-browser_es-ES.profile
new file mode 100644
index 000000000..78f57ffe5
--- /dev/null
+++ b/etc/profile-m-z/tor-browser_es-ES.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_es-ES
+
+mkdir ${HOME}/.tor-browser_es-ES
+whitelist ${HOME}/.tor-browser_es-ES
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_es.profile b/etc/profile-m-z/tor-browser_es.profile
new file mode 100644
index 000000000..ea34a07c9
--- /dev/null
+++ b/etc/profile-m-z/tor-browser_es.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_es
+
+mkdir ${HOME}/.tor-browser_es
+whitelist ${HOME}/.tor-browser_es
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_fa.profile b/etc/profile-m-z/tor-browser_fa.profile
new file mode 100644
index 000000000..fbc416ce5
--- /dev/null
+++ b/etc/profile-m-z/tor-browser_fa.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_fa
+
+mkdir ${HOME}/.tor-browser_fa
+whitelist ${HOME}/.tor-browser_fa
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_fr.profile b/etc/profile-m-z/tor-browser_fr.profile
new file mode 100644
index 000000000..caea6db5b
--- /dev/null
+++ b/etc/profile-m-z/tor-browser_fr.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_fr
+
+mkdir ${HOME}/.tor-browser_fr
+whitelist ${HOME}/.tor-browser_fr
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_ga-IE.profile b/etc/profile-m-z/tor-browser_ga-IE.profile
new file mode 100644
index 000000000..6342daebf
--- /dev/null
+++ b/etc/profile-m-z/tor-browser_ga-IE.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_ga-IE
+
+mkdir ${HOME}/.tor-browser_ga-IE
+whitelist ${HOME}/.tor-browser_ga-IE
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_he.profile b/etc/profile-m-z/tor-browser_he.profile
new file mode 100644
index 000000000..cc4150620
--- /dev/null
+++ b/etc/profile-m-z/tor-browser_he.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_he
+
+mkdir ${HOME}/.tor-browser_he
+whitelist ${HOME}/.tor-browser_he
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_hu.profile b/etc/profile-m-z/tor-browser_hu.profile
new file mode 100644
index 000000000..952a0b68a
--- /dev/null
+++ b/etc/profile-m-z/tor-browser_hu.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_hu
+
+mkdir ${HOME}/.tor-browser_hu
+whitelist ${HOME}/.tor-browser_hu
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_id.profile b/etc/profile-m-z/tor-browser_id.profile
new file mode 100644
index 000000000..a006b27c0
--- /dev/null
+++ b/etc/profile-m-z/tor-browser_id.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_id
+
+mkdir ${HOME}/.tor-browser_id
+whitelist ${HOME}/.tor-browser_id
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_is.profile b/etc/profile-m-z/tor-browser_is.profile
new file mode 100644
index 000000000..038e0fabb
--- /dev/null
+++ b/etc/profile-m-z/tor-browser_is.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_is
+
+mkdir ${HOME}/.tor-browser_is
+whitelist ${HOME}/.tor-browser_is
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_it.profile b/etc/profile-m-z/tor-browser_it.profile
new file mode 100644
index 000000000..3d2566994
--- /dev/null
+++ b/etc/profile-m-z/tor-browser_it.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_it
+
+mkdir ${HOME}/.tor-browser_it
+whitelist ${HOME}/.tor-browser_it
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_ja.profile b/etc/profile-m-z/tor-browser_ja.profile
new file mode 100644
index 000000000..08c942bcd
--- /dev/null
+++ b/etc/profile-m-z/tor-browser_ja.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_ja
+
+mkdir ${HOME}/.tor-browser_ja
+whitelist ${HOME}/.tor-browser_ja
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_ka.profile b/etc/profile-m-z/tor-browser_ka.profile
new file mode 100644
index 000000000..97664be4d
--- /dev/null
+++ b/etc/profile-m-z/tor-browser_ka.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_ka
+
+mkdir ${HOME}/.tor-browser_ka
+whitelist ${HOME}/.tor-browser_ka
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_ko.profile b/etc/profile-m-z/tor-browser_ko.profile
new file mode 100644
index 000000000..98cf1e3e1
--- /dev/null
+++ b/etc/profile-m-z/tor-browser_ko.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_ko
+
+mkdir ${HOME}/.tor-browser_ko
+whitelist ${HOME}/.tor-browser_ko
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_nb.profile b/etc/profile-m-z/tor-browser_nb.profile
new file mode 100644
index 000000000..6df840573
--- /dev/null
+++ b/etc/profile-m-z/tor-browser_nb.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_nb
+
+mkdir ${HOME}/.tor-browser_nb
+whitelist ${HOME}/.tor-browser_nb
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_nl.profile b/etc/profile-m-z/tor-browser_nl.profile
new file mode 100644
index 000000000..3f545f888
--- /dev/null
+++ b/etc/profile-m-z/tor-browser_nl.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_nl
+
+mkdir ${HOME}/.tor-browser_nl
+whitelist ${HOME}/.tor-browser_nl
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_pl.profile b/etc/profile-m-z/tor-browser_pl.profile
new file mode 100644
index 000000000..4e04dc027
--- /dev/null
+++ b/etc/profile-m-z/tor-browser_pl.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_pl
+
+mkdir ${HOME}/.tor-browser_pl
+whitelist ${HOME}/.tor-browser_pl
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_pt-BR.profile b/etc/profile-m-z/tor-browser_pt-BR.profile
new file mode 100644
index 000000000..7f864886c
--- /dev/null
+++ b/etc/profile-m-z/tor-browser_pt-BR.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_pt-BR
+
+mkdir ${HOME}/.tor-browser_pt-BR
+whitelist ${HOME}/.tor-browser_pt-BR
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_ru.profile b/etc/profile-m-z/tor-browser_ru.profile
new file mode 100644
index 000000000..2fae6fbe7
--- /dev/null
+++ b/etc/profile-m-z/tor-browser_ru.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_ru
+
+mkdir ${HOME}/.tor-browser_ru
+whitelist ${HOME}/.tor-browser_ru
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_sv-SE.profile b/etc/profile-m-z/tor-browser_sv-SE.profile
new file mode 100644
index 000000000..2157f8d2b
--- /dev/null
+++ b/etc/profile-m-z/tor-browser_sv-SE.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_sv-SE
+
+mkdir ${HOME}/.tor-browser_sv-SE
+whitelist ${HOME}/.tor-browser_sv-SE
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_tr.profile b/etc/profile-m-z/tor-browser_tr.profile
new file mode 100644
index 000000000..20ac246ca
--- /dev/null
+++ b/etc/profile-m-z/tor-browser_tr.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_tr
+
+mkdir ${HOME}/.tor-browser_tr
+whitelist ${HOME}/.tor-browser_tr
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_vi.profile b/etc/profile-m-z/tor-browser_vi.profile
new file mode 100644
index 000000000..4faa06ff6
--- /dev/null
+++ b/etc/profile-m-z/tor-browser_vi.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_vi
+
+mkdir ${HOME}/.tor-browser_vi
+whitelist ${HOME}/.tor-browser_vi
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_zh-CN.profile b/etc/profile-m-z/tor-browser_zh-CN.profile
new file mode 100644
index 000000000..e4d8215e6
--- /dev/null
+++ b/etc/profile-m-z/tor-browser_zh-CN.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_zh-CN
+
+mkdir ${HOME}/.tor-browser_zh-CN
+whitelist ${HOME}/.tor-browser_zh-CN
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_zh-TW.profile b/etc/profile-m-z/tor-browser_zh-TW.profile
new file mode 100644
index 000000000..8a28015a6
--- /dev/null
+++ b/etc/profile-m-z/tor-browser_zh-TW.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_zh-TW
+
+mkdir ${HOME}/.tor-browser_zh-TW
+whitelist ${HOME}/.tor-browser_zh-TW
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor.profile b/etc/profile-m-z/tor.profile
new file mode 100644
index 000000000..13d071635
--- /dev/null
+++ b/etc/profile-m-z/tor.profile
@@ -0,0 +1,51 @@
+# Firejail profile for tor
+# Description: Anonymizing overlay network for TCP
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tor.local
+# Persistent global definitions
+include globals.local
+
+# How to use:
+# Create a script called anything (e.g. mytor)
+# with the following contents:
+
+# #!/bin/bash
+# TORCMD="tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 1"
+# sudo -b daemon -f -d -- firejail --profile=/home/<username>/.config/firejail/tor.profile $TORCMD
+
+# You'll also likely want to disable the system service (if it exists)
+# Run mytor (or whatever you called the script above) whenever you want to start tor
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+caps.keep dac_read_search,net_bind_service,setgid,setuid
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private
+private-bin bash,tor
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,passwd,pki,ssl,tor
+private-tmp
+writable-var
diff --git a/etc/profile-m-z/torbrowser-launcher.profile b/etc/profile-m-z/torbrowser-launcher.profile
new file mode 100644
index 000000000..6bcc51f4d
--- /dev/null
+++ b/etc/profile-m-z/torbrowser-launcher.profile
@@ -0,0 +1,56 @@
+# Firejail profile for torbrowser-launcher
+# Description: Helps download and run the Tor Browser Bundle
+# This file is overwritten after every install/update
+# Persistent local customizations
+include torbrowser-launcher.local
+# Persistent global definitions
+include globals.local
+
+ignore noexec ${HOME}
+
+noblacklist ${HOME}/.config/torbrowser
+noblacklist ${HOME}/.local/share/torbrowser
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/torbrowser
+mkdir ${HOME}/.local/share/torbrowser
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.config/torbrowser
+whitelist ${HOME}/.local/share/torbrowser
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp !chroot
+shell none
+# tracelog may cause issues, see github issue #1930
+#tracelog
+
+disable-mnt
+private-bin bash,cat,cp,cut,dirname,env,expr,file,gpg,grep,gxmessage,id,kdialog,ln,mkdir,mv,python*,rm,sed,sh,tail,tar,tclsh,test,tor-browser,tor-browser-en,torbrowser-launcher,update-desktop-database,xmessage,xz,zenity
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/torcs.profile b/etc/profile-m-z/torcs.profile
new file mode 100644
index 000000000..8dcd7447b
--- /dev/null
+++ b/etc/profile-m-z/torcs.profile
@@ -0,0 +1,45 @@
+# Firejail profile for torcs
+# Description: The Open Racing Car Simulator
+# This file is overwritten after every install/update
+# Persistent local customizations
+include torcs.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.torcs
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.torcs
+whitelist ${HOME}/.torcs
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/totem.profile b/etc/profile-m-z/totem.profile
new file mode 100644
index 000000000..d49ef0cb8
--- /dev/null
+++ b/etc/profile-m-z/totem.profile
@@ -0,0 +1,47 @@
+# Firejail profile for totem
+# Description: Simple media player for the GNOME desktop based on GStreamer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include totem.local
+# Persistent global definitions
+include globals.local
+
+# Allow lua (required for youtube video)
+include allow-lua.inc
+
+noblacklist ${HOME}/.config/totem
+noblacklist ${HOME}/.local/share/totem
+noblacklist ${MUSIC}
+noblacklist ${VIDEOS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+# apparmor - makes settings immutable
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nou2f
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-bin totem
+# totem needs access to ~/.cache/tracker or it exits
+#private-cache
+private-dev
+# private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,machine-id,pki,pulse,ssl
+private-tmp
+
+# makes settings immutable
+# dbus-user none
+# dbus-system none
diff --git a/etc/profile-m-z/tracker.profile b/etc/profile-m-z/tracker.profile
new file mode 100644
index 000000000..9030b1e01
--- /dev/null
+++ b/etc/profile-m-z/tracker.profile
@@ -0,0 +1,39 @@
+# Firejail profile for tracker
+# Description: Metadata database, indexer and search tool
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tracker.local
+# Persistent global definitions
+include globals.local
+
+# Tracker is started by systemd on most systems. Therefore it is not firejailed by default
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-runuser-common.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+# private-bin tracker
+# private-dev
+# private-tmp
diff --git a/etc/profile-m-z/transgui.profile b/etc/profile-m-z/transgui.profile
new file mode 100644
index 000000000..cafc6e6d1
--- /dev/null
+++ b/etc/profile-m-z/transgui.profile
@@ -0,0 +1,54 @@
+# Firejail profile for transgui
+# Description: Cross-platform Transmission BitTorrent client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include transgui.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/transgui
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/transgui
+whitelist ${HOME}/.config/transgui
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-bin geoiplookup,geoiplookup6,transgui
+private-cache
+private-dev
+private-etc alternatives,fonts
+private-lib libgdk_pixbuf-2.0.so.*,libGeoIP.so*,libgthread-2.0.so.*,libgtk-x11-2.0.so.*,libX11.so.*
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/transmission-cli.profile b/etc/profile-m-z/transmission-cli.profile
new file mode 100644
index 000000000..486be5fe6
--- /dev/null
+++ b/etc/profile-m-z/transmission-cli.profile
@@ -0,0 +1,14 @@
+# Firejail profile for transmission-cli
+# Description: Fast, easy and free BitTorrent client (CLI tools and web client)
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include transmission-cli.local
+# Persistent global definitions
+include globals.local
+
+private-bin transmission-cli
+private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
+
+# Redirect
+include transmission-common.profile
diff --git a/etc/profile-m-z/transmission-common.profile b/etc/profile-m-z/transmission-common.profile
new file mode 100644
index 000000000..9d2e8e990
--- /dev/null
+++ b/etc/profile-m-z/transmission-common.profile
@@ -0,0 +1,53 @@
+# Firejail profile for transmission-common
+# Description: Fast, easy and free BitTorrent client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include transmission-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+noblacklist ${HOME}/.cache/transmission
+noblacklist ${HOME}/.config/transmission
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.cache/transmission
+mkdir ${HOME}/.config/transmission
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.cache/transmission
+whitelist ${HOME}/.config/transmission
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+nodvd
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-cache
+private-dev
+private-lib
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/transmission-create.profile b/etc/profile-m-z/transmission-create.profile
new file mode 100644
index 000000000..8220b7887
--- /dev/null
+++ b/etc/profile-m-z/transmission-create.profile
@@ -0,0 +1,13 @@
+# Firejail profile for transmission-create
+# Description: CLI utility to create BitTorrent .torrent files
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include transmission-create.local
+# Persistent global definitions
+include globals.local
+
+private-bin transmission-create
+
+# Redirect
+include transmission-common.profile
diff --git a/etc/profile-m-z/transmission-daemon.profile b/etc/profile-m-z/transmission-daemon.profile
new file mode 100644
index 000000000..363c685e0
--- /dev/null
+++ b/etc/profile-m-z/transmission-daemon.profile
@@ -0,0 +1,26 @@
+# Firejail profile for transmission-daemon
+# Description: Fast, easy and free BitTorrent client (daemon)
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include transmission-daemon.local
+# Persistent global definitions
+include globals.local
+
+ignore caps.drop all
+
+mkdir ${HOME}/.config/transmission-daemon
+whitelist ${HOME}/.config/transmission-daemon
+whitelist /var/lib/transmission
+
+caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot
+
+private-bin transmission-daemon
+private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
+
+read-write /var/lib/transmission
+writable-var-log
+writable-run-user
+
+# Redirect
+include transmission-common.profile
diff --git a/etc/profile-m-z/transmission-edit.profile b/etc/profile-m-z/transmission-edit.profile
new file mode 100644
index 000000000..df381b5cd
--- /dev/null
+++ b/etc/profile-m-z/transmission-edit.profile
@@ -0,0 +1,13 @@
+# Firejail profile for transmission-edit
+# Description: CLI utility to modify BitTorrent .torrent files' announce URLs
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include transmission-edit.local
+# Persistent global definitions
+include globals.local
+
+private-bin transmission-edit
+
+# Redirect
+include transmission-common.profile
diff --git a/etc/profile-m-z/transmission-gtk.profile b/etc/profile-m-z/transmission-gtk.profile
new file mode 100644
index 000000000..baa970307
--- /dev/null
+++ b/etc/profile-m-z/transmission-gtk.profile
@@ -0,0 +1,17 @@
+# Firejail profile for transmission-gtk
+# Description: Fast, easy and free BitTorrent client (GTK GUI)
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include transmission-gtk.local
+# Persistent global definitions
+include globals.local
+
+include whitelist-runuser-common.inc
+
+private-bin transmission-gtk
+
+ignore memory-deny-write-execute
+
+# Redirect
+include transmission-common.profile
diff --git a/etc/profile-m-z/transmission-qt.profile b/etc/profile-m-z/transmission-qt.profile
new file mode 100644
index 000000000..94f3c3a20
--- /dev/null
+++ b/etc/profile-m-z/transmission-qt.profile
@@ -0,0 +1,18 @@
+# Firejail profile for transmission-qt
+# Description: Fast, easy and free BitTorrent client (Qt GUI)
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include transmission-qt.local
+# Persistent global definitions
+include globals.local
+
+private-bin transmission-qt
+
+# private-lib - breaks on Arch
+ignore private-lib
+
+ignore memory-deny-write-execute
+
+# Redirect
+include transmission-common.profile
diff --git a/etc/profile-m-z/transmission-remote-cli.profile b/etc/profile-m-z/transmission-remote-cli.profile
new file mode 100644
index 000000000..7b9285e66
--- /dev/null
+++ b/etc/profile-m-z/transmission-remote-cli.profile
@@ -0,0 +1,17 @@
+# Firejail profile for transmission-remote-cli
+# Description: A remote control utility for transmission-daemon (CLI)
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include transmission-remote-cli.local
+# Persistent global definitions
+include globals.local
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+private-bin python*,transmission-remote-cli
+
+# Redirect
+include transmission-common.profile
diff --git a/etc/profile-m-z/transmission-remote-gtk.profile b/etc/profile-m-z/transmission-remote-gtk.profile
new file mode 100644
index 000000000..a6400e2c0
--- /dev/null
+++ b/etc/profile-m-z/transmission-remote-gtk.profile
@@ -0,0 +1,22 @@
+# Firejail profile for transmission-remote-gtk
+# Description: A remote control utility for transmission-daemon (GTK GUI)
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include transmission-remote-gtk.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/transmission-remote-gtk
+
+mkdir ${HOME}/.config/transmission-remote-gtk
+whitelist ${HOME}/.config/transmission-remote-gtk
+
+private-etc fonts,hostname,hosts,resolv.conf
+# Problems with private-lib (see issue #2889)
+ignore private-lib
+
+ignore memory-deny-write-execute
+
+# Redirect
+include transmission-common.profile
diff --git a/etc/profile-m-z/transmission-remote.profile b/etc/profile-m-z/transmission-remote.profile
new file mode 100644
index 000000000..fee4999e6
--- /dev/null
+++ b/etc/profile-m-z/transmission-remote.profile
@@ -0,0 +1,14 @@
+# Firejail profile for transmission-remote
+# Description: A remote control utility for transmission-daemon (CLI)
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include transmission-remote.local
+# Persistent global definitions
+include globals.local
+
+private-bin transmission-remote
+private-etc alternatives,hosts,nsswitch.conf
+
+# Redirect
+include transmission-common.profile
diff --git a/etc/profile-m-z/transmission-show.profile b/etc/profile-m-z/transmission-show.profile
new file mode 100644
index 000000000..5a3c83f58
--- /dev/null
+++ b/etc/profile-m-z/transmission-show.profile
@@ -0,0 +1,14 @@
+# Firejail profile for transmission-show
+# Description: CLI utility to show BitTorrent .torrent file metadata
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include transmission-show.local
+# Persistent global definitions
+include globals.local
+
+private-bin transmission-show
+private-etc alternatives,hosts,nsswitch.conf
+
+# Redirect
+include transmission-common.profile
diff --git a/etc/profile-m-z/tremulous.profile b/etc/profile-m-z/tremulous.profile
new file mode 100644
index 000000000..64bb8cba8
--- /dev/null
+++ b/etc/profile-m-z/tremulous.profile
@@ -0,0 +1,46 @@
+# Firejail profile for tremulous
+# Description: First Person Shooter game based on the Quake 3 engine
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tremulous.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.tremulous
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.tremulous
+whitelist ${HOME}/.tremulous
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin tremded,tremulous,tremulous-wrapper
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/truecraft.profile b/etc/profile-m-z/truecraft.profile
new file mode 100644
index 000000000..e76d52219
--- /dev/null
+++ b/etc/profile-m-z/truecraft.profile
@@ -0,0 +1,39 @@
+# Firejail profile for truecraft
+# This file is overwritten after every install/update
+# Persistent local customizations
+include truecraft.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/mono
+noblacklist ${HOME}/.config/truecraft
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.config/mono
+mkdir ${HOME}/.config/truecraft
+whitelist ${HOME}/.config/mono
+whitelist ${HOME}/.config/truecraft
+include whitelist-common.inc
+
+caps.drop all
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-dev
+private-tmp
+
diff --git a/etc/profile-m-z/ts3client_runscript.sh.profile b/etc/profile-m-z/ts3client_runscript.sh.profile
new file mode 100644
index 000000000..8d4675454
--- /dev/null
+++ b/etc/profile-m-z/ts3client_runscript.sh.profile
@@ -0,0 +1,19 @@
+# Firejail profile alias for teamspeak3
+# Description: TeamSpeak is software for quality voice communication via the Internet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ts3client_runscript.sh.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+ignore noexec ${HOME}
+
+noblacklist ${HOME}/TeamSpeak3-Client-linux_x86
+noblacklist ${HOME}/TeamSpeak3-Client-linux_amd64
+
+whitelist ${HOME}/TeamSpeak3-Client-linux_x86
+whitelist ${HOME}/TeamSpeak3-Client-linux_amd64
+
+# Redirect
+include teamspeak3.profile
diff --git a/etc/profile-m-z/tshark.profile b/etc/profile-m-z/tshark.profile
new file mode 100644
index 000000000..684a9491d
--- /dev/null
+++ b/etc/profile-m-z/tshark.profile
@@ -0,0 +1,46 @@
+# Firejail profile for tshark
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include tshark.local
+# Persistent global definitions
+include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist /usr/share/wireshark
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+#caps.keep net_raw
+caps.keep dac_override,net_admin,net_raw
+ipc-namespace
+#net tun0
+netfilter
+no3d
+nodvd
+# nogroups - breaks network traffic capture for unprivileged users
+# nonewprivs - breaks network traffic capture for unprivileged users
+# noroot
+nosound
+notv
+nou2f
+novideo
+#protocol unix,inet,inet6,netlink,packet
+#seccomp
+
+disable-mnt
+#private
+private-cache
+#private-bin tshark
+private-dev
+private-tmp
diff --git a/etc/profile-m-z/tuxguitar.profile b/etc/profile-m-z/tuxguitar.profile
new file mode 100644
index 000000000..d2b13d9ee
--- /dev/null
+++ b/etc/profile-m-z/tuxguitar.profile
@@ -0,0 +1,45 @@
+# Firejail profile for tuxguitar
+# Description: Multitrack guitar tablature editor and player (gp3 to gp5)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tuxguitar.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.tuxguitar*
+noblacklist ${DOCUMENTS}
+noblacklist ${MUSIC}
+
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+tracelog
+
+private-dev
+private-tmp
+
+# noexec ${HOME} - tuxguitar may fail to launch
+noexec /tmp
diff --git a/etc/profile-m-z/tvbrowser.profile b/etc/profile-m-z/tvbrowser.profile
new file mode 100644
index 000000000..d3dcbfe53
--- /dev/null
+++ b/etc/profile-m-z/tvbrowser.profile
@@ -0,0 +1,53 @@
+# Firejail profile for tvbrowser
+# Description: java tv programm form tvbrowser.org
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tvbrowser.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/tvbrowser
+noblacklist ${HOME}/.tvbrowser
+
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/tvbrowser
+mkdir ${HOME}/.tvbrowser
+whitelist ${HOME}/.config/tvbrowser
+whitelist ${HOME}/.tvbrowser
+whitelist /usr/share/tvbrowser
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/udiskie.profile b/etc/profile-m-z/udiskie.profile
new file mode 100644
index 000000000..265f6429d
--- /dev/null
+++ b/etc/profile-m-z/udiskie.profile
@@ -0,0 +1,45 @@
+# Firejail profile for udiskie
+# Description: Removable disk automounter using udisks
+# This file is overwritten after every install/update
+# Persistent local customizations
+include udiskie.local
+# Persistent global definitions
+include globals.local
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+machine-id
+net none
+no3d
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp !request_key
+shell none
+tracelog
+
+private-bin awk,cut,dbus-send,egrep,file,grep,head,python*,readlink,sed,sh,udiskie,uname,which,xdg-mime,xdg-open,xprop
+# add your configured file browser in udiskie.local, e. g.
+# private-bin nautilus
+# private-bin thunar
+private-cache
+private-dev
+private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,xdg
+private-tmp
diff --git a/etc/profile-m-z/uefitool.profile b/etc/profile-m-z/uefitool.profile
new file mode 100644
index 000000000..8807b0b2c
--- /dev/null
+++ b/etc/profile-m-z/uefitool.profile
@@ -0,0 +1,39 @@
+# Firejail profile for uefitool
+# This file is overwritten after every install/update
+# Persistent local customizations
+include uefitool.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+caps.drop all
+ipc-namespace
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/uget-gtk.profile b/etc/profile-m-z/uget-gtk.profile
new file mode 100644
index 000000000..8a2e83a1a
--- /dev/null
+++ b/etc/profile-m-z/uget-gtk.profile
@@ -0,0 +1,37 @@
+# Firejail profile for uget-gtk
+# This file is overwritten after every install/update
+# Persistent local customizations
+include uget-gtk.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/uGet
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.config/uGet
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.config/uGet
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-bin uget-gtk
+private-dev
+private-tmp
diff --git a/etc/profile-m-z/unbound.profile b/etc/profile-m-z/unbound.profile
new file mode 100644
index 000000000..714a3f2f4
--- /dev/null
+++ b/etc/profile-m-z/unbound.profile
@@ -0,0 +1,52 @@
+# Firejail profile for unbound
+# Description: Validating, recursive, caching DNS resolver
+# This file is overwritten after every install/update
+# Persistent local customizations
+include unbound.local
+# Persistent global definitions
+include globals.local
+
+noblacklist /sbin
+noblacklist /usr/sbin
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+
+whitelist /var/lib/unbound
+whitelist /var/run
+
+caps.keep net_admin,net_bind_service,setgid,setuid,sys_chroot,sys_resource
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nonewprivs
+nosound
+notv
+nou2f
+novideo
+protocol inet,inet6
+seccomp.drop _sysctl,acct,add_key,adjtimex,clock_adjtime,delete_module,fanotify_init,finit_module,get_mempolicy,init_module,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioperm,iopl,kcmp,kexec_file_load,kexec_load,keyctl,lookup_dcookie,mbind,migrate_pages,modify_ldt,mount,move_pages,open_by_handle_at,perf_event_open,perf_event_open,pivot_root,process_vm_readv,process_vm_writev,ptrace,remap_file_pages,request_key,set_mempolicy,swapoff,swapon,sysfs,syslog,umount2,uselib,vmsplice
+
+disable-mnt
+private
+private-dev
+private-tmp
+writable-var
+
+dbus-user none
+dbus-system none
+
+# mdwe can break modules/plugins
+memory-deny-write-execute
diff --git a/etc/profile-m-z/uncompress.profile b/etc/profile-m-z/uncompress.profile
new file mode 100644
index 000000000..f659d8e87
--- /dev/null
+++ b/etc/profile-m-z/uncompress.profile
@@ -0,0 +1,11 @@
+# Firejail profile for uncompress
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include uncompress.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gzip.profile
diff --git a/etc/profile-m-z/unf.profile b/etc/profile-m-z/unf.profile
new file mode 100644
index 000000000..fbbe949e9
--- /dev/null
+++ b/etc/profile-m-z/unf.profile
@@ -0,0 +1,58 @@
+# Firejail profile for unf
+# Description: UNixize Filename -- replace annoying anti-unix characters in filenames
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include unf.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+hostname unf
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+disable-mnt
+private-bin unf
+private-cache
+?HAS_APPIMAGE: ignore private-dev
+private-dev
+private-etc alternatives
+private-lib gcc/*/*/libgcc_s.so.*
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/unknown-horizons.profile b/etc/profile-m-z/unknown-horizons.profile
new file mode 100644
index 000000000..7dc13e284
--- /dev/null
+++ b/etc/profile-m-z/unknown-horizons.profile
@@ -0,0 +1,44 @@
+# Firejail profile for unknown-horizons
+# Description: 2D realtime strategy simulation
+# This file is overwritten after every install/update
+# Persistent local customizations
+include unknown-horizons.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.unknown-horizons
+
+include disable-common.inc
+include disable-exec.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.unknown-horizons
+whitelist ${HOME}/.unknown-horizons
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+whitelist /usr/share/unknown-horizons
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+disable-mnt
+# private-bin unknown-horizons
+private-dev
+# private-etc alternatives,ca-certificates,crypto-policies,pki,ssl
+private-tmp
+
+# doesn't work - maybe all Tcl/Tk programs have this problem
+# memory-deny-write-execute
diff --git a/etc/profile-m-z/unlzma.profile b/etc/profile-m-z/unlzma.profile
new file mode 100644
index 000000000..d9c72407f
--- /dev/null
+++ b/etc/profile-m-z/unlzma.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+quiet
+
+# Redirect
+include cpio.profile
diff --git a/etc/profile-m-z/unrar.profile b/etc/profile-m-z/unrar.profile
new file mode 100644
index 000000000..88a753d59
--- /dev/null
+++ b/etc/profile-m-z/unrar.profile
@@ -0,0 +1,45 @@
+# Firejail profile for unrar
+# Description: Unarchiver for .rar files
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include unrar.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+caps.drop all
+hostname unrar
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+#nogroups
+nonewprivs
+#noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+private-bin unrar
+private-dev
+private-etc alternatives,group,localtime,passwd
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/unxz.profile b/etc/profile-m-z/unxz.profile
new file mode 100644
index 000000000..d9c72407f
--- /dev/null
+++ b/etc/profile-m-z/unxz.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+quiet
+
+# Redirect
+include cpio.profile
diff --git a/etc/profile-m-z/unzip.profile b/etc/profile-m-z/unzip.profile
new file mode 100644
index 000000000..b4b63882b
--- /dev/null
+++ b/etc/profile-m-z/unzip.profile
@@ -0,0 +1,47 @@
+# Firejail profile for unzip
+# Description: De-archiver for .zip files
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include unzip.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+
+# GNOME Shell integration (chrome-gnome-shell)
+noblacklist ${HOME}/.local/share/gnome-shell
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+caps.drop all
+hostname unzip
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+#nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+private-bin unzip
+private-dev
+private-etc alternatives,group,localtime,passwd
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/unzstd.profile b/etc/profile-m-z/unzstd.profile
new file mode 100644
index 000000000..ce9af3286
--- /dev/null
+++ b/etc/profile-m-z/unzstd.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for zstd
+# This file is overwritten after every install/update
+
+# Redirect
+include zstd.profile
diff --git a/etc/profile-m-z/utox.profile b/etc/profile-m-z/utox.profile
new file mode 100644
index 000000000..9877ea889
--- /dev/null
+++ b/etc/profile-m-z/utox.profile
@@ -0,0 +1,48 @@
+# Firejail profile for utox
+# Description: Lightweight Tox client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include utox.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/Tox
+noblacklist ${HOME}/.config/tox
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/tox
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.config/tox
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin utox
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,localtime,machine-id,openal,pki,pulse,resolv.conf,ssl
+private-tmp
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/uudeview.profile b/etc/profile-m-z/uudeview.profile
new file mode 100644
index 000000000..6b5f14cab
--- /dev/null
+++ b/etc/profile-m-z/uudeview.profile
@@ -0,0 +1,46 @@
+# Firejail profile for uudeview
+# Description: Smart multi-file multi-part decoder
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include uudeview.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-usr-share-common.inc
+
+caps.drop all
+hostname uudeview
+ipc-namespace
+machine-id
+net none
+nodvd
+#nogroups
+nonewprivs
+#noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+private-bin uudeview
+private-cache
+private-dev
+private-etc alternatives,ld.so.preload
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/uzbl-browser.profile b/etc/profile-m-z/uzbl-browser.profile
new file mode 100644
index 000000000..41487a8f2
--- /dev/null
+++ b/etc/profile-m-z/uzbl-browser.profile
@@ -0,0 +1,40 @@
+# Firejail profile for uzbl-browser
+# This file is overwritten after every install/update
+# Persistent local customizations
+include uzbl-browser.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/uzbl
+noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.local/share/uzbl
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.config/uzbl
+mkdir ${HOME}/.gnupg
+mkdir ${HOME}/.local/share/uzbl
+mkdir ${HOME}/.password-store
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.config/uzbl
+whitelist ${HOME}/.gnupg
+whitelist ${HOME}/.local/share/uzbl
+whitelist ${HOME}/.password-store
+include whitelist-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6
+seccomp
+tracelog
diff --git a/etc/profile-m-z/viewnior.profile b/etc/profile-m-z/viewnior.profile
new file mode 100644
index 000000000..f009f6340
--- /dev/null
+++ b/etc/profile-m-z/viewnior.profile
@@ -0,0 +1,51 @@
+# Firejail profile for viewnior
+# Description: Simple, fast and elegant image viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include viewnior.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.Steam
+noblacklist ${HOME}/.config/viewnior
+noblacklist ${HOME}/.steam
+
+blacklist ${HOME}/.bashrc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin viewnior
+private-cache
+private-dev
+private-etc alternatives,fonts,machine-id
+private-tmp
+
+dbus-user none
+dbus-system none
+
+#memory-deny-write-execute - breaks on Arch (see issues #1803 and #1808)
diff --git a/etc/profile-m-z/viking.profile b/etc/profile-m-z/viking.profile
new file mode 100644
index 000000000..5b6228a94
--- /dev/null
+++ b/etc/profile-m-z/viking.profile
@@ -0,0 +1,37 @@
+# Firejail profile for viking
+# Description: GPS data editor, analyzer and viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include viking.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.viking
+noblacklist ${HOME}/.viking-maps
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-dev
+private-tmp
+
diff --git a/etc/profile-m-z/vim.profile b/etc/profile-m-z/vim.profile
new file mode 100644
index 000000000..e9a474239
--- /dev/null
+++ b/etc/profile-m-z/vim.profile
@@ -0,0 +1,34 @@
+# Firejail profile for vim
+# Description: Vi IMproved - enhanced vi editor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include vim.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.vim
+noblacklist ${HOME}/.viminfo
+noblacklist ${HOME}/.vimrc
+
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
+
+include disable-common.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-runuser-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+
+private-dev
diff --git a/etc/profile-m-z/vimcat.profile b/etc/profile-m-z/vimcat.profile
new file mode 100644
index 000000000..73b76b5ab
--- /dev/null
+++ b/etc/profile-m-z/vimcat.profile
@@ -0,0 +1,10 @@
+# Firejail profile for vimcat
+# This file is overwritten after every install/update
+# Persistent local customizations
+include vimcat.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include vim.profile
diff --git a/etc/profile-m-z/vimdiff.profile b/etc/profile-m-z/vimdiff.profile
new file mode 100644
index 000000000..f09faf1d6
--- /dev/null
+++ b/etc/profile-m-z/vimdiff.profile
@@ -0,0 +1,10 @@
+# Firejail profile for vimdiff
+# This file is overwritten after every install/update
+# Persistent local customizations
+include vimdiff.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include vim.profile
diff --git a/etc/profile-m-z/vimpager.profile b/etc/profile-m-z/vimpager.profile
new file mode 100644
index 000000000..af7703752
--- /dev/null
+++ b/etc/profile-m-z/vimpager.profile
@@ -0,0 +1,11 @@
+# Firejail profile for vimpager
+# Description: A vim-based script to use as a PAGER
+# This file is overwritten after every install/update
+# Persistent local customizations
+include vimpager.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include vim.profile
diff --git a/etc/profile-m-z/vimtutor.profile b/etc/profile-m-z/vimtutor.profile
new file mode 100644
index 000000000..b9584cc49
--- /dev/null
+++ b/etc/profile-m-z/vimtutor.profile
@@ -0,0 +1,10 @@
+# Firejail profile for vimtutor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include vimtutor.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include vim.profile
diff --git a/etc/profile-m-z/virtualbox.profile b/etc/profile-m-z/virtualbox.profile
new file mode 100644
index 000000000..c0dbc9116
--- /dev/null
+++ b/etc/profile-m-z/virtualbox.profile
@@ -0,0 +1,32 @@
+# Firejail profile for virtualbox
+# Description: x86 virtualization solution
+# This file is overwritten after every install/update
+# Persistent local customizations
+include virtualbox.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.VirtualBox
+noblacklist ${HOME}/.config/VirtualBox
+noblacklist ${HOME}/VirtualBox VMs
+# noblacklist /usr/bin/virtualbox
+noblacklist /usr/lib/virtualbox
+noblacklist /usr/lib64/virtualbox
+
+include disable-common.inc
+include disable-exec.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.config/VirtualBox
+mkdir ${HOME}/VirtualBox VMs
+whitelist ${HOME}/.config/VirtualBox
+whitelist ${HOME}/VirtualBox VMs
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.keep net_raw,sys_admin,sys_nice
+netfilter
+nodvd
+notv
diff --git a/etc/profile-m-z/vivaldi-beta.profile b/etc/profile-m-z/vivaldi-beta.profile
new file mode 100644
index 000000000..5de5682a3
--- /dev/null
+++ b/etc/profile-m-z/vivaldi-beta.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for vivaldi
+# This file is overwritten after every install/update
+
+# Redirect
+include vivaldi.profile
diff --git a/etc/profile-m-z/vivaldi-snapshot.profile b/etc/profile-m-z/vivaldi-snapshot.profile
new file mode 100644
index 000000000..ea4a4009f
--- /dev/null
+++ b/etc/profile-m-z/vivaldi-snapshot.profile
@@ -0,0 +1,17 @@
+# Firejail profile for vivaldi-snapshot
+# This file is overwritten after every install/update
+# Persistent local customizations
+include vivaldi-snapshot.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/vivaldi-snapshot
+noblacklist ${HOME}/.config/vivaldi-snapshot
+
+mkdir ${HOME}/.cache/vivaldi-snapshot
+mkdir ${HOME}/.config/vivaldi-snapshot
+whitelist ${HOME}/.cache/vivaldi-snapshot
+whitelist ${HOME}/.config/vivaldi-snapshot
+
+# Redirect
+include chromium-common.profile
diff --git a/etc/profile-m-z/vivaldi-stable.profile b/etc/profile-m-z/vivaldi-stable.profile
new file mode 100644
index 000000000..5de5682a3
--- /dev/null
+++ b/etc/profile-m-z/vivaldi-stable.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for vivaldi
+# This file is overwritten after every install/update
+
+# Redirect
+include vivaldi.profile
diff --git a/etc/profile-m-z/vivaldi.profile b/etc/profile-m-z/vivaldi.profile
new file mode 100644
index 000000000..096ce8a72
--- /dev/null
+++ b/etc/profile-m-z/vivaldi.profile
@@ -0,0 +1,31 @@
+# Firejail profile for vivaldi
+# This file is overwritten after every install/update
+# Persistent local customizations
+include vivaldi.local
+# Persistent global definitions
+include globals.local
+
+# Allow HTML5 Proprietary Media & DRM/EME (Widevine)
+ignore apparmor
+ignore noexec /var
+noblacklist /var/opt
+whitelist /var/opt/vivaldi
+writable-var
+
+noblacklist ${HOME}/.cache/vivaldi
+noblacklist ${HOME}/.config/vivaldi
+noblacklist ${HOME}/.local/lib/vivaldi
+
+mkdir ${HOME}/.cache/vivaldi
+mkdir ${HOME}/.config/vivaldi
+mkdir ${HOME}/.local/lib/vivaldi
+whitelist ${HOME}/.cache/vivaldi
+whitelist ${HOME}/.config/vivaldi
+whitelist ${HOME}/.local/lib/vivaldi
+
+# breaks vivaldi sync
+ignore dbus-user none
+ignore dbus-system none
+
+# Redirect
+include chromium-common.profile
diff --git a/etc/profile-m-z/vlc.profile b/etc/profile-m-z/vlc.profile
new file mode 100644
index 000000000..0069ebeae
--- /dev/null
+++ b/etc/profile-m-z/vlc.profile
@@ -0,0 +1,45 @@
+# Firejail profile for vlc
+# Description: Multimedia player and streamer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include vlc.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/vlc
+noblacklist ${HOME}/.config/vlc
+noblacklist ${HOME}/.local/share/vlc
+noblacklist ${MUSIC}
+noblacklist ${VIDEOS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+#apparmor - on Ubuntu 18.04 it refuses to start without dbus access
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+private-bin cvlc,nvlc,qvlc,rvlc,svlc,vlc
+private-dev
+private-tmp
+
+# dbus needed for MPRIS
+# dbus-user none
+# dbus-system none
+
+# mdwe is disabled due to breaking hardware accelerated decoding
+#memory-deny-write-execute
diff --git a/etc/profile-m-z/vscodium.profile b/etc/profile-m-z/vscodium.profile
new file mode 100644
index 000000000..b4728fb72
--- /dev/null
+++ b/etc/profile-m-z/vscodium.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for Visual Studio Code
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.VSCodium
+
+# Redirect
+include code.profile
diff --git a/etc/profile-m-z/vulturesclaw.profile b/etc/profile-m-z/vulturesclaw.profile
new file mode 100644
index 000000000..2e9078a7b
--- /dev/null
+++ b/etc/profile-m-z/vulturesclaw.profile
@@ -0,0 +1,8 @@
+# Firejail profile alias for nethack-vultures
+# This file is overwritten after every install/update
+
+noblacklist /var/games/vulturesclaw
+whitelist /var/games/vulturesclaw
+
+# Redirect
+include nethack-vultures.profile
diff --git a/etc/profile-m-z/vultureseye.profile b/etc/profile-m-z/vultureseye.profile
new file mode 100644
index 000000000..44c263cfc
--- /dev/null
+++ b/etc/profile-m-z/vultureseye.profile
@@ -0,0 +1,8 @@
+# Firejail profile alias for nethack-vultures
+# This file is overwritten after every install/update
+
+noblacklist /var/games/vultureseye
+whitelist /var/games/vultureseye
+
+# Redirect
+include nethack-vultures.profile
diff --git a/etc/profile-m-z/vym.profile b/etc/profile-m-z/vym.profile
new file mode 100644
index 000000000..fbb53943c
--- /dev/null
+++ b/etc/profile-m-z/vym.profile
@@ -0,0 +1,36 @@
+# Firejail profile for vym
+# Description: Mindmapping tool
+# This file is overwritten after every install/update
+# Persistent local customizations
+include vym.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/InSilmaril
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+disable-mnt
+private-dev
+private-tmp
+
diff --git a/etc/profile-m-z/w3m.profile b/etc/profile-m-z/w3m.profile
new file mode 100644
index 000000000..5215ee6f5
--- /dev/null
+++ b/etc/profile-m-z/w3m.profile
@@ -0,0 +1,45 @@
+# Firejail profile for w3m
+# Description: WWW browsable pager with excellent tables/frames support
+# This file is overwritten after every install/update
+# Persistent local customizations
+include w3m.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.w3m
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
+include allow-perl.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-runuser-common.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+# private-bin w3m
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl
+private-tmp
diff --git a/etc/profile-m-z/warmux.profile b/etc/profile-m-z/warmux.profile
new file mode 100644
index 000000000..a3de3d444
--- /dev/null
+++ b/etc/profile-m-z/warmux.profile
@@ -0,0 +1,55 @@
+# Firejail profile for warmux
+# Description: a convivial mass murder game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include warmux.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/wormux
+noblacklist ${HOME}/.local/share/wormux
+noblacklist ${HOME}/.wormux
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/wormux
+mkdir ${HOME}/.local/share/wormux
+mkdir ${HOME}/.wormux
+whitelist ${HOME}/.config/wormux
+whitelist ${HOME}/.local/share/wormux
+whitelist ${HOME}/.wormux
+whitelist /usr/share/warmux
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin warmux
+private-cache
+private-dev
+private-etc ca-certificates,crypto-policies,host.conf,hostname,hosts,machine-id,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/warsow.profile b/etc/profile-m-z/warsow.profile
new file mode 100644
index 000000000..32d27e1b9
--- /dev/null
+++ b/etc/profile-m-z/warsow.profile
@@ -0,0 +1,51 @@
+# Firejail profile for warsow
+# Description: Fast paced 3D first person shooter
+# This file is overwritten after every install/update
+# Persistent local customizations
+include warsow.local
+# Persistent global definitions
+include globals.local
+
+ignore noexec ${HOME}
+
+noblacklist ${HOME}/.cache/warsow-2.1
+noblacklist ${HOME}/.local/share/warsow-2.1
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/warsow-2.1
+mkdir ${HOME}/.local/share/warsow-2.1
+whitelist ${HOME}/.cache/warsow-2.1
+whitelist ${HOME}/.local/share/warsow-2.1
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin warsow
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/warzone2100.profile b/etc/profile-m-z/warzone2100.profile
new file mode 100644
index 000000000..25f401d85
--- /dev/null
+++ b/etc/profile-m-z/warzone2100.profile
@@ -0,0 +1,46 @@
+# Firejail profile for warzone2100
+# Description: 3D real time strategy game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include warzone2100.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.warzone2100-3.*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+# mkdir ${HOME}/.warzone2100-3.1
+# mkdir ${HOME}/.warzone2100-3.2
+whitelist ${HOME}/.warzone2100-3.1
+whitelist ${HOME}/.warzone2100-3.2
+whitelist /usr/share/games
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin warzone2100
+private-dev
+private-tmp
diff --git a/etc/profile-m-z/waterfox-classic.profile b/etc/profile-m-z/waterfox-classic.profile
new file mode 100644
index 000000000..6c7e18a46
--- /dev/null
+++ b/etc/profile-m-z/waterfox-classic.profile
@@ -0,0 +1,7 @@
+# Firejail profile for waterfox-classic
+# This file is overwritten after every install/update
+# Persistent local customizations
+include waterfox-classic.local
+
+# Redirect
+include waterfox.profile
diff --git a/etc/profile-m-z/waterfox-current.profile b/etc/profile-m-z/waterfox-current.profile
new file mode 100644
index 000000000..5e12a6fe3
--- /dev/null
+++ b/etc/profile-m-z/waterfox-current.profile
@@ -0,0 +1,7 @@
+# Firejail profile for waterfox-current
+# This file is overwritten after every install/update
+# Persistent local customizations
+include waterfox-current.local
+
+# Redirect
+include waterfox.profile
diff --git a/etc/profile-m-z/waterfox.profile b/etc/profile-m-z/waterfox.profile
new file mode 100644
index 000000000..c6c940fa3
--- /dev/null
+++ b/etc/profile-m-z/waterfox.profile
@@ -0,0 +1,27 @@
+# Firejail profile for waterfox
+# This file is overwritten after every install/update
+# Persistent local customizations
+include waterfox.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/waterfox
+noblacklist ${HOME}/.waterfox
+
+mkdir ${HOME}/.cache/waterfox
+mkdir ${HOME}/.waterfox
+whitelist ${HOME}/.cache/waterfox
+whitelist ${HOME}/.waterfox
+
+# Uncomment (or add to watefox.local) the following lines if you want to
+# use the migration wizard.
+#noblacklist ${HOME}/.mozilla
+#whitelist ${HOME}/.mozilla
+
+# waterfox requires a shell to launch on Arch. We can possibly remove sh though.
+#private-bin bash,dbus-launch,dbus-send,env,sh,waterfox,waterfox-classic,waterfox-current,which
+# private-etc must first be enabled in firefox-common.profile
+#private-etc waterfox
+
+# Redirect
+include firefox-common.profile
diff --git a/etc/profile-m-z/webstorm.profile b/etc/profile-m-z/webstorm.profile
new file mode 100644
index 000000000..fc4e8e571
--- /dev/null
+++ b/etc/profile-m-z/webstorm.profile
@@ -0,0 +1,41 @@
+# Firejail profile for WebStorm
+# This file is overwritten after every install/update
+# Persistent local customizations
+include webstorm.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.WebStorm*
+noblacklist ${HOME}/.android
+noblacklist ${HOME}/.local/share/JetBrains
+noblacklist ${HOME}/.ssh
+noblacklist ${HOME}/.tooling
+
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
+
+noblacklist ${PATH}/node
+noblacklist ${HOME}/.nvm
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-cache
+private-dev
+private-tmp
diff --git a/etc/profile-m-z/webui-aria2.profile b/etc/profile-m-z/webui-aria2.profile
new file mode 100644
index 000000000..8928f8116
--- /dev/null
+++ b/etc/profile-m-z/webui-aria2.profile
@@ -0,0 +1,38 @@
+# Firejail profile for webui-aria2
+# Run this with firejail --profile=webui-aria2 node node-server.js
+# This file is overwritten after every install/update
+# Persistent local customizations
+include webui-aria2.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${PATH}/node
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/weechat-curses.profile b/etc/profile-m-z/weechat-curses.profile
new file mode 100644
index 000000000..4719b9788
--- /dev/null
+++ b/etc/profile-m-z/weechat-curses.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for weechat
+# This file is overwritten after every install/update
+
+# Redirect
+include weechat.profile
diff --git a/etc/profile-m-z/weechat.profile b/etc/profile-m-z/weechat.profile
new file mode 100644
index 000000000..800724054
--- /dev/null
+++ b/etc/profile-m-z/weechat.profile
@@ -0,0 +1,29 @@
+# Firejail profile for weechat
+# Description: Fast, light and extensible chat client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include weechat.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.weechat
+
+include disable-common.inc
+include disable-programs.inc
+
+whitelist /usr/share/perl5
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6
+seccomp
+
+# no private-bin support for various reasons:
+# Plugins loaded: alias, aspell, charset, exec, fifo, guile, irc,
+# logger, lua, perl, python, relay, ruby, script, tcl, trigger, xferloading plugins
diff --git a/etc/profile-m-z/wesnoth.profile b/etc/profile-m-z/wesnoth.profile
new file mode 100644
index 000000000..934edfce9
--- /dev/null
+++ b/etc/profile-m-z/wesnoth.profile
@@ -0,0 +1,38 @@
+# Firejail profile for wesnoth
+# Description: Fantasy turn-based strategy game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include wesnoth.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/wesnoth
+noblacklist ${HOME}/.config/wesnoth
+noblacklist ${HOME}/.local/share/wesnoth
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.cache/wesnoth
+mkdir ${HOME}/.config/wesnoth
+mkdir ${HOME}/.local/share/wesnoth
+whitelist ${HOME}/.cache/wesnoth
+whitelist ${HOME}/.config/wesnoth
+whitelist ${HOME}/.local/share/wesnoth
+include whitelist-common.inc
+
+caps.drop all
+nodvd
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+
+private-dev
+private-tmp
diff --git a/etc/profile-m-z/wget.profile b/etc/profile-m-z/wget.profile
new file mode 100644
index 000000000..65723e68c
--- /dev/null
+++ b/etc/profile-m-z/wget.profile
@@ -0,0 +1,59 @@
+# Firejail profile for wget
+# Description: Retrieves files from the web
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include wget.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.netrc
+noblacklist ${HOME}/.wget-hsts
+noblacklist ${HOME}/.wgetrc
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+# depending on workflow you can uncomment the below or put 'include disable-xdg.inc' in your wget.local
+#include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-bin wget
+private-cache
+private-dev
+# depending on workflow you can uncomment the below or put this private-etc in your wget.local
+#private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl,wgetrc
+#private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/whalebird.profile b/etc/profile-m-z/whalebird.profile
new file mode 100644
index 000000000..187c49ed8
--- /dev/null
+++ b/etc/profile-m-z/whalebird.profile
@@ -0,0 +1,39 @@
+# Firejail profile for whalebird
+# Description: Electron-based Mastodon/Pleroma client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include whalebird.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+ignore dbus-user none
+ignore dbus-system none
+
+noblacklist ${HOME}/.config/Whalebird
+
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/Whalebird
+whitelist ${HOME}/.config/Whalebird
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+no3d
+nou2f
+novideo
+protocol unix,inet,inet6
+shell none
+
+disable-mnt
+private-bin whalebird
+private-cache
+private-dev
+private-etc fonts,machine-id
+private-tmp
+
+# Redirect
+include electron.profile
diff --git a/etc/profile-m-z/whois.profile b/etc/profile-m-z/whois.profile
new file mode 100644
index 000000000..2af1379e0
--- /dev/null
+++ b/etc/profile-m-z/whois.profile
@@ -0,0 +1,57 @@
+# Firejail profile for whois
+# Description: Intelligent WHOIS client
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include whois.local
+# Persistent global definitions
+include globals.local
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+hostname whois
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private
+private-bin bash,sh,whois
+private-cache
+private-dev
+private-etc alternatives,hosts,jwhois.conf,resolv.conf,services,whois.conf
+private-lib gconv
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/widelands.profile b/etc/profile-m-z/widelands.profile
new file mode 100644
index 000000000..079e4eb96
--- /dev/null
+++ b/etc/profile-m-z/widelands.profile
@@ -0,0 +1,47 @@
+# Firejail profile for widelands
+# Description: Open source realtime-strategy game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include widelands.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.widelands
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.widelands
+whitelist ${HOME}/.widelands
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin widelands
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/wine.profile b/etc/profile-m-z/wine.profile
new file mode 100644
index 000000000..901340052
--- /dev/null
+++ b/etc/profile-m-z/wine.profile
@@ -0,0 +1,39 @@
+# Firejail profile for wine
+# Description: A compatibility layer for running Windows programs
+# This file is overwritten after every install/update
+# Persistent local customizations
+include wine.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.Steam
+noblacklist ${HOME}/.local/share/Steam
+noblacklist ${HOME}/.local/share/steam
+noblacklist ${HOME}/.steam
+noblacklist ${HOME}/.wine
+noblacklist /tmp/.wine-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-var-common.inc
+
+# some applications don't need allow-debuggers, comment the next line
+# if it is not necessary (or put 'ignore allow-debuggers' in your wine.local)
+allow-debuggers
+caps.drop all
+# net none
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+# nosound
+notv
+# novideo
+seccomp
+
+private-dev
diff --git a/etc/profile-m-z/wire-desktop.profile b/etc/profile-m-z/wire-desktop.profile
new file mode 100644
index 000000000..c1250b1f0
--- /dev/null
+++ b/etc/profile-m-z/wire-desktop.profile
@@ -0,0 +1,36 @@
+# Firejail profile for wire-desktop
+# Description: End-to-end encrypted messenger with file sharing, voice calls and video conferences
+# This file is overwritten after every install/update
+# Persistent local customizations
+include wire-desktop.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Debian/Ubuntu use /opt/Wire. As that is not in PATH by default, run `firejail /opt/Wire/wire-desktop` to start it.
+
+ignore caps.drop all
+ignore dbus-user none
+ignore dbus-system none
+
+noblacklist ${HOME}/.config/Wire
+
+include disable-devel.inc
+include disable-interpreters.inc
+
+mkdir ${HOME}/.config/Wire
+whitelist ${HOME}/.config/Wire
+include whitelist-common.inc
+
+caps.keep sys_admin,sys_chroot
+nou2f
+shell none
+
+disable-mnt
+private-bin bash,electron,electron4,electron6,env,sh,wire-desktop
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,resolv.conf,ssl
+private-tmp
+
+# Redirect
+include electron.profile
diff --git a/etc/profile-m-z/wireshark-gtk.profile b/etc/profile-m-z/wireshark-gtk.profile
new file mode 100644
index 000000000..3e2e1807e
--- /dev/null
+++ b/etc/profile-m-z/wireshark-gtk.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for wireshark
+# Description: Network protocol analyzer
+# This file is overwritten after every install/update
+
+# Redirect
+include wireshark.profile
diff --git a/etc/profile-m-z/wireshark-qt.profile b/etc/profile-m-z/wireshark-qt.profile
new file mode 100644
index 000000000..3e2e1807e
--- /dev/null
+++ b/etc/profile-m-z/wireshark-qt.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for wireshark
+# Description: Network protocol analyzer
+# This file is overwritten after every install/update
+
+# Redirect
+include wireshark.profile
diff --git a/etc/profile-m-z/wireshark.profile b/etc/profile-m-z/wireshark.profile
new file mode 100644
index 000000000..d73e2e279
--- /dev/null
+++ b/etc/profile-m-z/wireshark.profile
@@ -0,0 +1,50 @@
+# Firejail profile for wireshark
+# Description: Network traffic analyzer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include wireshark.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/wireshark
+noblacklist ${HOME}/.wireshark
+noblacklist ${DOCUMENTS}
+
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist /usr/share/wireshark
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+# caps.drop all
+caps.keep dac_override,net_admin,net_raw
+netfilter
+no3d
+# nogroups - breaks network traffic capture for unprivileged users
+# nonewprivs - breaks network traffic capture for unprivileged users
+# noroot
+nodvd
+nosound
+notv
+nou2f
+novideo
+# protocol unix,inet,inet6,netlink
+# seccomp - breaks network traffic capture for unprivileged users
+shell none
+tracelog
+
+# private-bin wireshark
+private-dev
+# private-etc alternatives,ca-certificates,crypto-policies,fonts,group,hosts,machine-id,passwd,pki,ssl
+private-tmp
+
diff --git a/etc/profile-m-z/wordwarvi.profile b/etc/profile-m-z/wordwarvi.profile
new file mode 100644
index 000000000..6372654bd
--- /dev/null
+++ b/etc/profile-m-z/wordwarvi.profile
@@ -0,0 +1,51 @@
+# Firejail profile for wordwarvi
+# Description: Old school '80's style side scrolling space shoot'em up game.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include wordwarvi.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.wordwarvi
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.wordwarvi
+whitelist ${HOME}/.wordwarvi
+whitelist /usr/share/wordwarvi
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private
+private-bin wordwarvi
+private-cache
+private-dev
+private-etc alsa,asound.conf,machine-id,pulse
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/wpp.profile b/etc/profile-m-z/wpp.profile
new file mode 100644
index 000000000..a219397a9
--- /dev/null
+++ b/etc/profile-m-z/wpp.profile
@@ -0,0 +1,14 @@
+# Firejail profile for wpp
+# Description: WPS Office - Presentation
+# This file is overwritten after every install/update
+# Persistent local customizations
+include wpp.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+ignore machine-id
+ignore nosound
+
+# Redirect
+include wps.profile
diff --git a/etc/profile-m-z/wps.profile b/etc/profile-m-z/wps.profile
new file mode 100644
index 000000000..6e4a313e3
--- /dev/null
+++ b/etc/profile-m-z/wps.profile
@@ -0,0 +1,49 @@
+# Firejail profile for wps
+# Description: WPS Office - Writer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include wps.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.kingsoft
+noblacklist ${HOME}/.config/Kingsoft
+noblacklist ${HOME}/.local/share/Kingsoft
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+# Uncomment the next line (or add to wps.local) if you don't use network features.
+#net none
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+# seccomp cause some minor issues, if you can live with them enable it.
+#seccomp
+shell none
+tracelog
+
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/wpspdf.profile b/etc/profile-m-z/wpspdf.profile
new file mode 100644
index 000000000..82080acbc
--- /dev/null
+++ b/etc/profile-m-z/wpspdf.profile
@@ -0,0 +1,11 @@
+# Firejail profile for wpspdf
+# Description: Kingsoft Pdf Reader
+# This file is overwritten after every install/update
+# Persistent local customizations
+include et.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include wps.profile
diff --git a/etc/profile-m-z/x-terminal-emulator.profile b/etc/profile-m-z/x-terminal-emulator.profile
new file mode 100644
index 000000000..fe0781336
--- /dev/null
+++ b/etc/profile-m-z/x-terminal-emulator.profile
@@ -0,0 +1,22 @@
+# Firejail profile for x-terminal-emulator
+# This file is overwritten after every install/update
+# Persistent local customizations
+include x-terminal-emulator.local
+# Persistent global definitions
+include globals.local
+
+caps.drop all
+ipc-namespace
+net none
+nogroups
+noroot
+nou2f
+protocol unix
+seccomp
+
+private-dev
+
+dbus-user none
+dbus-system none
+
+noexec /tmp
diff --git a/etc/profile-m-z/x2goclient.profile b/etc/profile-m-z/x2goclient.profile
new file mode 100644
index 000000000..bc9603835
--- /dev/null
+++ b/etc/profile-m-z/x2goclient.profile
@@ -0,0 +1,49 @@
+# Firejail profile for x2goclient
+# Description: Graphical client for X2Go remote desktop system
+# This file is overwritten after every install/update
+# Persistent local customizations
+include x2goclient.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.ssh
+noblacklist ${HOME}/.x2go
+noblacklist ${HOME}/.x2goclient
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+#no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+#private-bin nxproxy,x2goclient
+private-cache
+private-dev
+#private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,machine-id,pki,pulse,resolv.conf,ssl,X11,xdg
+#private-lib
+private-opt none
+private-srv none
+private-tmp
+
+dbus-user none
+dbus-system none
+
+#memory-deny-write-execute
diff --git a/etc/profile-m-z/xbill.profile b/etc/profile-m-z/xbill.profile
new file mode 100644
index 000000000..56d3cf40d
--- /dev/null
+++ b/etc/profile-m-z/xbill.profile
@@ -0,0 +1,53 @@
+# Firejail profile for xbill
+# Description: save your computers from Wingdows [TM] virus
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xbill.local
+# Persistent global definitions
+include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist /usr/share/xbill
+whitelist /var/games/xbill/scores
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private
+private-bin xbill
+private-cache
+private-dev
+private-etc none
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+read-only ${HOME}
diff --git a/etc/profile-m-z/xcalc.profile b/etc/profile-m-z/xcalc.profile
new file mode 100644
index 000000000..294ad7c80
--- /dev/null
+++ b/etc/profile-m-z/xcalc.profile
@@ -0,0 +1,42 @@
+# Firejail profile for xcalc
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xcalc.local
+# Persistent global definitions
+include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+disable-mnt
+private
+private-bin xcalc
+private-dev
+private-lib
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/xchat.profile b/etc/profile-m-z/xchat.profile
new file mode 100644
index 000000000..a94444aab
--- /dev/null
+++ b/etc/profile-m-z/xchat.profile
@@ -0,0 +1,23 @@
+# Firejail profile for xchat
+# Description: IRC client for X similar to AmIRC
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xchat.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/xchat
+
+include disable-common.inc
+include disable-devel.inc
+include disable-programs.inc
+
+caps.drop all
+nodvd
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6
+seccomp
+
+# private-bin requires perl, python*, etc.
diff --git a/etc/profile-m-z/xed.profile b/etc/profile-m-z/xed.profile
new file mode 100644
index 000000000..64a50083f
--- /dev/null
+++ b/etc/profile-m-z/xed.profile
@@ -0,0 +1,53 @@
+# Firejail profile for xed
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xed.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/xed
+noblacklist ${HOME}/.python-history
+noblacklist ${HOME}/.python_history
+noblacklist ${HOME}/.pythonhist
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-var-common.inc
+
+# apparmor - makes settings immutable
+caps.drop all
+machine-id
+# net none - makes settings immutable
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin xed
+private-dev
+private-tmp
+
+# makes settings immutable
+# dbus-user none
+# dbus-system none
+
+# xed uses python plugins, memory-deny-write-execute breaks python
+# memory-deny-write-execute
diff --git a/etc/profile-m-z/xfburn.profile b/etc/profile-m-z/xfburn.profile
new file mode 100644
index 000000000..cd9561e74
--- /dev/null
+++ b/etc/profile-m-z/xfburn.profile
@@ -0,0 +1,32 @@
+# Firejail profile for xfburn
+# Description: CD-burner application for Xfce Desktop Environment
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xfburn.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/xfburn
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+# private-bin xfburn
+# private-dev
+# private-tmp
diff --git a/etc/profile-m-z/xfce4-dict.profile b/etc/profile-m-z/xfce4-dict.profile
new file mode 100644
index 000000000..a3e0c4633
--- /dev/null
+++ b/etc/profile-m-z/xfce4-dict.profile
@@ -0,0 +1,40 @@
+# Firejail profile for xfce4-dict
+# Description: Dictionary plugin for Xfce4 panel
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xfce4-dict.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/xfce4-dict
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-cache
+private-dev
+private-tmp
+
diff --git a/etc/profile-m-z/xfce4-mixer.profile b/etc/profile-m-z/xfce4-mixer.profile
new file mode 100644
index 000000000..5707dc443
--- /dev/null
+++ b/etc/profile-m-z/xfce4-mixer.profile
@@ -0,0 +1,53 @@
+# Firejail profile for xfce4-mixer
+# Description: Volume control for Xfce
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xfce4-mixer.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkfile ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml
+whitelist ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml
+whitelist /usr/share/xfce4
+whitelist /usr/share/xfce4-mixer
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+disable-mnt
+private-bin xfce4-mixer,xfconf-query
+private-cache
+private-dev
+private-etc alternatives,asound.conf,fonts,machine-id,pulse
+private-tmp
+
+# dbus-user none
+# dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/xfce4-notes.profile b/etc/profile-m-z/xfce4-notes.profile
new file mode 100644
index 000000000..c3d0930ff
--- /dev/null
+++ b/etc/profile-m-z/xfce4-notes.profile
@@ -0,0 +1,42 @@
+# Firejail profile for xfce4-notes
+# Description: Notes application for the Xfce4 desktop
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xfce4-notes.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/xfce4/xfce4-notes.gtkrc
+noblacklist ${HOME}/.config/xfce4/xfce4-notes.rc
+noblacklist ${HOME}/.local/share/notes
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+disable-mnt
+private-cache
+private-dev
+private-tmp
+
diff --git a/etc/profile-m-z/xiphos.profile b/etc/profile-m-z/xiphos.profile
new file mode 100644
index 000000000..7114f0469
--- /dev/null
+++ b/etc/profile-m-z/xiphos.profile
@@ -0,0 +1,50 @@
+# Firejail profile for xiphos
+# Description: Environment for Bible reading, study, and research
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xiphos.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.sword
+noblacklist ${HOME}/.xiphos
+
+blacklist ${HOME}/.bashrc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.sword
+mkdir ${HOME}/.xiphos
+whitelist ${HOME}/.sword
+whitelist ${HOME}/.xiphos
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin xiphos
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,resolv.conf,ssli,sword,sword.conf
+private-tmp
diff --git a/etc/profile-m-z/xlinks.profile b/etc/profile-m-z/xlinks.profile
new file mode 100644
index 000000000..7987af280
--- /dev/null
+++ b/etc/profile-m-z/xlinks.profile
@@ -0,0 +1,21 @@
+# Firejail profile for xlinks
+# Description: Text WWW browser (X11)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xlinks.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist /tmp/.X11-unix
+noblacklist ${HOME}/.links
+
+include whitelist-common.inc
+
+# if you want to use user-configured programs add 'private-bin PROGRAM1,PROGRAM2'
+# to your xlinks.local or append 'PROGRAM1,PROGRAM2' to this private-bin line
+private-bin xlinks
+private-etc fonts
+
+# Redirect
+include links.profile
diff --git a/etc/profile-m-z/xmms.profile b/etc/profile-m-z/xmms.profile
new file mode 100644
index 000000000..7a11e1244
--- /dev/null
+++ b/etc/profile-m-z/xmms.profile
@@ -0,0 +1,31 @@
+# Firejail profile for xmms
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xmms.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.xmms
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+caps.drop all
+netfilter
+no3d
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-bin xmms
+private-dev
diff --git a/etc/profile-m-z/xmr-stak.profile b/etc/profile-m-z/xmr-stak.profile
new file mode 100644
index 000000000..c6ba9bd9d
--- /dev/null
+++ b/etc/profile-m-z/xmr-stak.profile
@@ -0,0 +1,45 @@
+# Firejail profile for xmr-stak
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xmr-stak.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.xmr-stak
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.xmr-stak
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private ${HOME}/.xmr-stak
+private-bin xmr-stak
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
+#private-lib libxmrstak_opencl_backend,libxmrstak_cuda_backend
+private-opt cuda
+private-tmp
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/xonotic-glx.profile b/etc/profile-m-z/xonotic-glx.profile
new file mode 100644
index 000000000..abb91e1ec
--- /dev/null
+++ b/etc/profile-m-z/xonotic-glx.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for xonotic
+# This file is overwritten after every install/update
+
+# Redirect
+include xonotic.profile
diff --git a/etc/profile-m-z/xonotic-sdl.profile b/etc/profile-m-z/xonotic-sdl.profile
new file mode 100644
index 000000000..abb91e1ec
--- /dev/null
+++ b/etc/profile-m-z/xonotic-sdl.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for xonotic
+# This file is overwritten after every install/update
+
+# Redirect
+include xonotic.profile
diff --git a/etc/profile-m-z/xonotic.profile b/etc/profile-m-z/xonotic.profile
new file mode 100644
index 000000000..949988c3b
--- /dev/null
+++ b/etc/profile-m-z/xonotic.profile
@@ -0,0 +1,43 @@
+# Firejail profile for xonotic
+# Description: A free, fast-paced crossplatform first-person shooter
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xonotic.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.xonotic
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.xonotic
+whitelist ${HOME}/.xonotic
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-bin bash,blind-id,darkplaces-glx,darkplaces-sdl,dirname,grep,ldd,netstat,ps,readlink,sh,uname,xonotic,xonotic-glx,xonotic-linux32-dedicated,xonotic-linux32-glx,xonotic-linux32-sdl,xonotic-linux64-dedicated,xonotic-linux64-glx,xonotic-linux64-sdl,xonotic-sdl
+private-dev
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/xournal.profile b/etc/profile-m-z/xournal.profile
new file mode 100644
index 000000000..ba41d5bb3
--- /dev/null
+++ b/etc/profile-m-z/xournal.profile
@@ -0,0 +1,49 @@
+# Firejail profile for xournal
+# Description: Note taking and PDF editing
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xournal.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist /usr/share/xournal
+whitelist /usr/share/poppler
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin xournal
+private-cache
+private-dev
+private-etc alternatives,fonts,group,machine-id,passwd
+# TODO should use private-lib
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/xpdf.profile b/etc/profile-m-z/xpdf.profile
new file mode 100644
index 000000000..cdffe4eb7
--- /dev/null
+++ b/etc/profile-m-z/xpdf.profile
@@ -0,0 +1,45 @@
+# Firejail profile for xpdf
+# Description: Portable Document Format (PDF) reader
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xpdf.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.xpdfrc
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/xplayer-audio-preview.profile b/etc/profile-m-z/xplayer-audio-preview.profile
new file mode 100644
index 000000000..0559b8183
--- /dev/null
+++ b/etc/profile-m-z/xplayer-audio-preview.profile
@@ -0,0 +1,10 @@
+# Firejail profile for xplayer-audio-preview
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xplayer-audio-preview.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include xplayer.profile
diff --git a/etc/profile-m-z/xplayer-video-thumbnailer.profile b/etc/profile-m-z/xplayer-video-thumbnailer.profile
new file mode 100644
index 000000000..6b2878476
--- /dev/null
+++ b/etc/profile-m-z/xplayer-video-thumbnailer.profile
@@ -0,0 +1,10 @@
+# Firejail profile for xplayer-video-thumbnailer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xplayer-video-thumbnailer.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include xplayer.profile
diff --git a/etc/profile-m-z/xplayer.profile b/etc/profile-m-z/xplayer.profile
new file mode 100644
index 000000000..28df73ea5
--- /dev/null
+++ b/etc/profile-m-z/xplayer.profile
@@ -0,0 +1,46 @@
+# Firejail profile for xplayer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xplayer.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/xplayer
+noblacklist ${HOME}/.local/share/xplayer
+noblacklist ${MUSIC}
+noblacklist ${VIDEOS}
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+# apparmor - makes settings immutable
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nou2f
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-bin xplayer,xplayer-audio-preview,xplayer-video-thumbnailer
+private-dev
+# private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,machine-id,pki,pulse,ssl
+private-tmp
+
+# makes settings immutable
+# dbus-user none
+# dbus-system none
diff --git a/etc/profile-m-z/xpra.profile b/etc/profile-m-z/xpra.profile
new file mode 100644
index 000000000..1033a7471
--- /dev/null
+++ b/etc/profile-m-z/xpra.profile
@@ -0,0 +1,54 @@
+# Firejail profile for xpra
+# Description: Tool to detach/reattach running X programs
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include xpra.local
+# Persistent global definitions
+include globals.local
+
+#
+# This profile will sandbox Xpra server itself when used with firejail --x11=xpra.
+# To enable it, create a firejail-xpra symlink in /usr/local/bin:
+#
+#    $ sudo ln -s /usr/bin/firejail /usr/local/bin/xpra
+#
+# or run "sudo firecfg"
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+whitelist /var/lib/xkb
+# whitelisting home directory, or including whitelist-common.inc
+# will crash xpra on some platforms
+
+caps.drop all
+# xpra needs to be allowed access to the abstract Unix socket namespace.
+nodvd
+nogroups
+nonewprivs
+# In noroot mode, xpra cannot create a socket in the real /tmp/.X11-unix.
+#noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+disable-mnt
+# private home directory doesn't work on some distros, so we go for a regular home
+# private
+# older Xpra versions also use Xvfb
+# private-bin bash,cat,dbus-launch,ldconfig,ls,pactl,python*,sh,strace,which,xauth,xkbcomp,Xorg,xpra,Xvfb
+private-dev
+# private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,machine-id,nsswitch.conf,resolv.conf,X11,xpra
+private-tmp
diff --git a/etc/profile-m-z/xreader-previewer.profile b/etc/profile-m-z/xreader-previewer.profile
new file mode 100644
index 000000000..6e1dcb5d2
--- /dev/null
+++ b/etc/profile-m-z/xreader-previewer.profile
@@ -0,0 +1,10 @@
+# Firejail profile for xreader-previewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xreader-previewer.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include xreader.profile
diff --git a/etc/profile-m-z/xreader-thumbnailer.profile b/etc/profile-m-z/xreader-thumbnailer.profile
new file mode 100644
index 000000000..a6925fcde
--- /dev/null
+++ b/etc/profile-m-z/xreader-thumbnailer.profile
@@ -0,0 +1,10 @@
+# Firejail profile for xreader-thumbnailer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xreader-thumbnailer.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include xreader.profile
diff --git a/etc/profile-m-z/xreader.profile b/etc/profile-m-z/xreader.profile
new file mode 100644
index 000000000..643c5a317
--- /dev/null
+++ b/etc/profile-m-z/xreader.profile
@@ -0,0 +1,45 @@
+# Firejail profile for xreader
+# Description: Document viewer for files like PDF and Postscript. X-Apps Project.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xreader.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/xreader
+noblacklist ${HOME}/.config/xreader
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+# Breaks xreader on Mint 18.3
+# include whitelist-var-common.inc
+
+# apparmor
+caps.drop all
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin xreader,xreader-previewer,xreader-thumbnailer
+private-dev
+private-etc alternatives,fonts,ld.so.cache
+private-tmp
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/xviewer.profile b/etc/profile-m-z/xviewer.profile
new file mode 100644
index 000000000..59c8a44f2
--- /dev/null
+++ b/etc/profile-m-z/xviewer.profile
@@ -0,0 +1,48 @@
+# Firejail profile for xviewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xviewer.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.Steam
+noblacklist ${HOME}/.config/xviewer
+noblacklist ${HOME}/.local/share/Trash
+noblacklist ${HOME}/.steam
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-var-common.inc
+
+# apparmor - makes settings immutable
+caps.drop all
+# net none - makes settings immutable
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin xviewer
+private-dev
+private-lib
+private-tmp
+
+# makes settings immutable
+# dbus-user none
+# dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/xxd.profile b/etc/profile-m-z/xxd.profile
new file mode 100644
index 000000000..864e8ce9c
--- /dev/null
+++ b/etc/profile-m-z/xxd.profile
@@ -0,0 +1,12 @@
+# Firejail profile for xxd
+# Description: Tool to make (or reverse) a hex dump
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include xxd.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include cpio.profile
diff --git a/etc/profile-m-z/xz.profile b/etc/profile-m-z/xz.profile
new file mode 100644
index 000000000..d9c72407f
--- /dev/null
+++ b/etc/profile-m-z/xz.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+quiet
+
+# Redirect
+include cpio.profile
diff --git a/etc/profile-m-z/xzcat.profile b/etc/profile-m-z/xzcat.profile
new file mode 100644
index 000000000..d9c72407f
--- /dev/null
+++ b/etc/profile-m-z/xzcat.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+quiet
+
+# Redirect
+include cpio.profile
diff --git a/etc/profile-m-z/xzcmp.profile b/etc/profile-m-z/xzcmp.profile
new file mode 100644
index 000000000..d9c72407f
--- /dev/null
+++ b/etc/profile-m-z/xzcmp.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+quiet
+
+# Redirect
+include cpio.profile
diff --git a/etc/profile-m-z/xzdec.profile b/etc/profile-m-z/xzdec.profile
new file mode 100644
index 000000000..542363b57
--- /dev/null
+++ b/etc/profile-m-z/xzdec.profile
@@ -0,0 +1,41 @@
+# Firejail profile for xzdec
+# Description: XZ-format compression utilities - tiny decompressors
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include xzdec.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+#nogroups
+nonewprivs
+#noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+private-dev
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/xzdiff.profile b/etc/profile-m-z/xzdiff.profile
new file mode 100644
index 000000000..d9c72407f
--- /dev/null
+++ b/etc/profile-m-z/xzdiff.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+quiet
+
+# Redirect
+include cpio.profile
diff --git a/etc/profile-m-z/xzegrep.profile b/etc/profile-m-z/xzegrep.profile
new file mode 100644
index 000000000..d9c72407f
--- /dev/null
+++ b/etc/profile-m-z/xzegrep.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+quiet
+
+# Redirect
+include cpio.profile
diff --git a/etc/profile-m-z/xzfgrep.profile b/etc/profile-m-z/xzfgrep.profile
new file mode 100644
index 000000000..d9c72407f
--- /dev/null
+++ b/etc/profile-m-z/xzfgrep.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+quiet
+
+# Redirect
+include cpio.profile
diff --git a/etc/profile-m-z/xzgrep.profile b/etc/profile-m-z/xzgrep.profile
new file mode 100644
index 000000000..f7410b928
--- /dev/null
+++ b/etc/profile-m-z/xzgrep.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+
+# Redirect
+include cpio.profile
diff --git a/etc/profile-m-z/xzless.profile b/etc/profile-m-z/xzless.profile
new file mode 100644
index 000000000..f7410b928
--- /dev/null
+++ b/etc/profile-m-z/xzless.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+
+# Redirect
+include cpio.profile
diff --git a/etc/profile-m-z/xzmore.profile b/etc/profile-m-z/xzmore.profile
new file mode 100644
index 000000000..d9c72407f
--- /dev/null
+++ b/etc/profile-m-z/xzmore.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+quiet
+
+# Redirect
+include cpio.profile
diff --git a/etc/profile-m-z/yandex-browser.profile b/etc/profile-m-z/yandex-browser.profile
new file mode 100644
index 000000000..680bef677
--- /dev/null
+++ b/etc/profile-m-z/yandex-browser.profile
@@ -0,0 +1,23 @@
+# Firejail profile for yandex-browser
+# This file is overwritten after every install/update
+# Persistent local customizations
+include yandex-browser.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/yandex-browser
+noblacklist ${HOME}/.cache/yandex-browser-beta
+noblacklist ${HOME}/.config/yandex-browser
+noblacklist ${HOME}/.config/yandex-browser-beta
+
+mkdir ${HOME}/.cache/yandex-browser
+mkdir ${HOME}/.cache/yandex-browser-beta
+mkdir ${HOME}/.config/yandex-browser
+mkdir ${HOME}/.config/yandex-browser-beta
+whitelist ${HOME}/.cache/yandex-browser
+whitelist ${HOME}/.cache/yandex-browser-beta
+whitelist ${HOME}/.config/yandex-browser
+whitelist ${HOME}/.config/yandex-browser-beta
+
+# Redirect
+include chromium-common.profile
diff --git a/etc/profile-m-z/yelp.profile b/etc/profile-m-z/yelp.profile
new file mode 100644
index 000000000..7053f98e8
--- /dev/null
+++ b/etc/profile-m-z/yelp.profile
@@ -0,0 +1,57 @@
+# Firejail profile for yelp
+# Description: Help browser for the GNOME desktop
+# This file is overwritten after every install/update
+# Persistent local customizations
+include yelp.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/yelp
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/yelp
+whitelist ${HOME}/.config/yelp
+whitelist /usr/share/doc
+whitelist /usr/share/help
+whitelist /usr/share/yelp
+whitelist /usr/share/yelp-xsl
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin yelp
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,crypto-policies,cups,dconf,drirc,fonts,gcrypt,gtk-3.0,machine-id,openal,os-release,pulse,sgml,xml
+private-tmp
+
+# read-only ${HOME} breaks some not necesarry featrues, comment it if
+# you need them or put 'ignore read-only ${HOME}' into your yelp.local.
+# broken features:
+#  1. yelp --editor-mode
+#  2. saving the window geometry
+read-only ${HOME}
diff --git a/etc/profile-m-z/youtube-dl.profile b/etc/profile-m-z/youtube-dl.profile
new file mode 100644
index 000000000..061d873b3
--- /dev/null
+++ b/etc/profile-m-z/youtube-dl.profile
@@ -0,0 +1,66 @@
+# Firejail profile for youtube-dl
+# Description: Downloader of videos from YouTube and other sites
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include youtube-dl.local
+# Persistent global definitions
+include globals.local
+
+# breaks when installed under ${HOME} via `pip install --user` (see #2833)
+ignore noexec ${HOME}
+
+noblacklist ${HOME}/.cache/youtube-dl
+noblacklist ${HOME}/.config/youtube-dl
+noblacklist ${HOME}/.netrc
+noblacklist ${MUSIC}
+noblacklist ${VIDEOS}
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-bin env,ffmpeg,python*,youtube-dl
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,hostname,hosts,ld.so.cache,mime.types,pki,resolv.conf,ssl,youtube-dl.conf
+private-tmp
+
+dbus-user none
+dbus-system none
+
+#memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/profile-m-z/zaproxy.profile b/etc/profile-m-z/zaproxy.profile
new file mode 100644
index 000000000..6228ff3bd
--- /dev/null
+++ b/etc/profile-m-z/zaproxy.profile
@@ -0,0 +1,47 @@
+# Firejail profile for zaproxy
+# Description: Integrated penetration testing tool for finding vulnerabilities in web applications
+# This file is overwritten after every install/update
+# Persistent local customizations
+include zaproxy.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.ZAP
+
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.java
+mkdir ${HOME}/.ZAP
+whitelist ${HOME}/.java
+whitelist ${HOME}/.ZAP
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-dev
+private-tmp
+
diff --git a/etc/profile-m-z/zart.profile b/etc/profile-m-z/zart.profile
new file mode 100644
index 000000000..3fe3c8ce8
--- /dev/null
+++ b/etc/profile-m-z/zart.profile
@@ -0,0 +1,37 @@
+# Firejail profile for zart
+# Description: A GUI for G'MIC real-time manipulations on the output of a webcam
+# This file is overwritten after every install/update
+# Persistent local customizations
+include zart.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${DOCUMENTS}
+noblacklist ${PICTURES}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix
+seccomp
+shell none
+
+private-bin ffmpeg,ffplay,ffprobe,melt,zart
+private-dev
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/zathura.profile b/etc/profile-m-z/zathura.profile
new file mode 100644
index 000000000..ba0ea1032
--- /dev/null
+++ b/etc/profile-m-z/zathura.profile
@@ -0,0 +1,59 @@
+# Firejail profile for zathura
+# Description: Document viewer with a minimalistic interface
+# This file is overwritten after every install/update
+# Persistent local customizations
+include zathura.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/zathura
+noblacklist ${HOME}/.local/share/zathura
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/zathura
+mkdir ${HOME}/.local/share/zathura
+whitelist /usr/share/doc
+whitelist /usr/share/zathura
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin zathura
+private-cache
+private-dev
+private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id
+# private-lib has problems on Debian 10
+#private-lib gcc/*/*/libgcc_s.so.*,gcc/*/*/libstdc++.so.*,libarchive.so.*,libdjvulibre.so.*,libgirara-gtk*,libpoppler-glib.so.*,libspectre.so.*,zathura
+private-tmp
+
+dbus-user none
+dbus-system none
+
+read-only ${HOME}
+read-write ${HOME}/.config/zathura
+read-write ${HOME}/.local/share/zathura
diff --git a/etc/profile-m-z/zcat.profile b/etc/profile-m-z/zcat.profile
new file mode 100644
index 000000000..12932ea92
--- /dev/null
+++ b/etc/profile-m-z/zcat.profile
@@ -0,0 +1,11 @@
+# Firejail profile for zcat
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include zcat.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gzip.profile
diff --git a/etc/profile-m-z/zcmp.profile b/etc/profile-m-z/zcmp.profile
new file mode 100644
index 000000000..795cdae2a
--- /dev/null
+++ b/etc/profile-m-z/zcmp.profile
@@ -0,0 +1,11 @@
+# Firejail profile for zcmp
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include zcmp.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gzip.profile
diff --git a/etc/profile-m-z/zdiff.profile b/etc/profile-m-z/zdiff.profile
new file mode 100644
index 000000000..1e75e38fe
--- /dev/null
+++ b/etc/profile-m-z/zdiff.profile
@@ -0,0 +1,11 @@
+# Firejail profile for zdiff
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include zdiff.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gzip.profile
diff --git a/etc/profile-m-z/zeal.profile b/etc/profile-m-z/zeal.profile
new file mode 100644
index 000000000..943d39097
--- /dev/null
+++ b/etc/profile-m-z/zeal.profile
@@ -0,0 +1,58 @@
+# Firejail profile for zeal
+# Description: Offline documentation browser
+# This file is overwritten after every install/update
+# Persistent local customizations
+include zeal.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/Zeal
+noblacklist ${HOME}/.cache/Zeal
+noblacklist ${HOME}/.local/share/Zeal
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/Zeal
+mkdir ${HOME}/.cache/Zeal
+mkdir ${HOME}/.local/share/Zeal
+whitelist ${HOME}/.config/Zeal
+whitelist ${HOME}/.cache/Zeal
+whitelist ${HOME}/.local/share/Zeal
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin zeal
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,nsswitch.conf,pango,pki,protocols,resolv.conf,rpc,services,ssl,Trolltech.conf,X11,xdg
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/zegrep.profile b/etc/profile-m-z/zegrep.profile
new file mode 100644
index 000000000..54dc6b2a0
--- /dev/null
+++ b/etc/profile-m-z/zegrep.profile
@@ -0,0 +1,11 @@
+# Firejail profile for zegrep
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include zegrep.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gzip.profile
diff --git a/etc/profile-m-z/zfgrep.profile b/etc/profile-m-z/zfgrep.profile
new file mode 100644
index 000000000..73b22f2e8
--- /dev/null
+++ b/etc/profile-m-z/zfgrep.profile
@@ -0,0 +1,11 @@
+# Firejail profile for zfgrep
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include zfgrep.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gzip.profile
diff --git a/etc/profile-m-z/zforce.profile b/etc/profile-m-z/zforce.profile
new file mode 100644
index 000000000..d62e57065
--- /dev/null
+++ b/etc/profile-m-z/zforce.profile
@@ -0,0 +1,11 @@
+# Firejail profile for zforce
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include zforce.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gzip.profile
diff --git a/etc/profile-m-z/zgrep.profile b/etc/profile-m-z/zgrep.profile
new file mode 100644
index 000000000..b39a58420
--- /dev/null
+++ b/etc/profile-m-z/zgrep.profile
@@ -0,0 +1,11 @@
+# Firejail profile for zgrep
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include zgrep.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gzip.profile
diff --git a/etc/profile-m-z/zless.profile b/etc/profile-m-z/zless.profile
new file mode 100644
index 000000000..0a26cda1f
--- /dev/null
+++ b/etc/profile-m-z/zless.profile
@@ -0,0 +1,11 @@
+# Firejail profile for zless
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include zless.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gzip.profile
diff --git a/etc/profile-m-z/zmore.profile b/etc/profile-m-z/zmore.profile
new file mode 100644
index 000000000..3a8f63562
--- /dev/null
+++ b/etc/profile-m-z/zmore.profile
@@ -0,0 +1,11 @@
+# Firejail profile for zmore
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include zmore.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gzip.profile
diff --git a/etc/profile-m-z/znew.profile b/etc/profile-m-z/znew.profile
new file mode 100644
index 000000000..a8593e58e
--- /dev/null
+++ b/etc/profile-m-z/znew.profile
@@ -0,0 +1,11 @@
+# Firejail profile for znew
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include znew.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gzip.profile
diff --git a/etc/profile-m-z/zoom.profile b/etc/profile-m-z/zoom.profile
new file mode 100644
index 000000000..6eac10703
--- /dev/null
+++ b/etc/profile-m-z/zoom.profile
@@ -0,0 +1,33 @@
+# Firejail profile for zoom
+# This file is overwritten after every install/update
+# Persistent local customizations
+include zoom.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/zoomus.conf
+noblacklist ${HOME}/.zoom
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.cache/zoom
+mkfile ${HOME}/.config/zoomus.conf
+mkdir ${HOME}/.zoom
+whitelist ${HOME}/.cache/zoom
+whitelist ${HOME}/.config/zoomus.conf
+whitelist ${HOME}/.zoom
+include whitelist-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6,netlink
+seccomp !chroot
+
+private-tmp
diff --git a/etc/profile-m-z/zpaq.profile b/etc/profile-m-z/zpaq.profile
new file mode 100644
index 000000000..80329ecfd
--- /dev/null
+++ b/etc/profile-m-z/zpaq.profile
@@ -0,0 +1,15 @@
+# Firejail profile for zpaq
+# Description: Programmable file compressor, library and utilities. Based on the PAQ compression algorithm.
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include zpaq.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# mdwx breaks 'list' functionality
+ignore memory-deny-write-execute
+
+# Redirect
+include cpio.profile
diff --git a/etc/profile-m-z/zstd.profile b/etc/profile-m-z/zstd.profile
new file mode 100644
index 000000000..be27c10e1
--- /dev/null
+++ b/etc/profile-m-z/zstd.profile
@@ -0,0 +1,43 @@
+# Firejail profile for zstd
+# Description: Zstandard - Fast real-time compression algorithm
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include zstd.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+apparmor
+caps.drop all
+hostname zstd
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+#noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+private-cache
+private-dev
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/zstdcat.profile b/etc/profile-m-z/zstdcat.profile
new file mode 100644
index 000000000..ce9af3286
--- /dev/null
+++ b/etc/profile-m-z/zstdcat.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for zstd
+# This file is overwritten after every install/update
+
+# Redirect
+include zstd.profile
diff --git a/etc/profile-m-z/zstdgrep.profile b/etc/profile-m-z/zstdgrep.profile
new file mode 100644
index 000000000..ce9af3286
--- /dev/null
+++ b/etc/profile-m-z/zstdgrep.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for zstd
+# This file is overwritten after every install/update
+
+# Redirect
+include zstd.profile
diff --git a/etc/profile-m-z/zstdless.profile b/etc/profile-m-z/zstdless.profile
new file mode 100644
index 000000000..ce9af3286
--- /dev/null
+++ b/etc/profile-m-z/zstdless.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for zstd
+# This file is overwritten after every install/update
+
+# Redirect
+include zstd.profile
diff --git a/etc/profile-m-z/zstdmt.profile b/etc/profile-m-z/zstdmt.profile
new file mode 100644
index 000000000..ce9af3286
--- /dev/null
+++ b/etc/profile-m-z/zstdmt.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for zstd
+# This file is overwritten after every install/update
+
+# Redirect
+include zstd.profile
diff --git a/etc/profile-m-z/zulip.profile b/etc/profile-m-z/zulip.profile
new file mode 100644
index 000000000..999c2f77a
--- /dev/null
+++ b/etc/profile-m-z/zulip.profile
@@ -0,0 +1,47 @@
+# Firejail profile for zulip
+# Description: Real-time team chat based on the email threading model
+# This file is overwritten after every install/update
+# Persistent local customizations
+include zulip.local
+# Persistent global definitions
+include globals.local
+
+ignore noexec /tmp
+
+noblacklist ${HOME}/.config/Zulip
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/Zulip
+whitelist ${HOME}/.config/Zulip
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-bin locale,zulip
+private-cache
+private-dev
+private-etc asound.conf,fonts,machine-id
+private-tmp