Merge branch 'master' into fix-profile-builder

36 files changed, 163 insertions, 105 deletions

diff --git a/etc/Viber.profile b/etc/Viber.profile
index ecc500769..925e130de 100644
--- a/etc/Viber.profile
+++ b/etc/Viber.profile
@@ -28,12 +28,10 @@ nonewprivs
 noroot
 notv
 protocol unix,inet,inet6
-seccomp
+seccomp !chroot
 shell none
 
 disable-mnt
 private-bin awk,bash,dig,sh,Viber
 private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hosts,localtime,machine-id,mailcap,nsswitch.conf,pki,proxychains.conf,pulse,resolv.conf,ssl,X11
 private-tmp
-
-env QTWEBENGINE_DISABLE_SANDBOX=1
diff --git a/etc/akonadi_control.profile b/etc/akonadi_control.profile
index 904c784c6..ffc613f1e 100644
--- a/etc/akonadi_control.profile
+++ b/etc/akonadi_control.profile
@@ -47,7 +47,7 @@ notv
 nou2f
 novideo
 # protocol unix,inet,inet6,netlink
-# seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice
+# seccomp !io_getevents,!io_setup,!io_submit,!ioprio_set
 tracelog
 
 private-dev
diff --git a/etc/akregator.profile b/etc/akregator.profile
index 466eff22d..34933f283 100644
--- a/etc/akregator.profile
+++ b/etc/akregator.profile
@@ -36,7 +36,7 @@ nou2f
 novideo
 protocol unix,inet,inet6,netlink
 # chroot syscalls are needed for setting up the built-in sandbox
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 shell none
 
 disable-mnt
diff --git a/etc/ar.profile b/etc/ar.profile
new file mode 100644
index 000000000..6b1fb830c
--- /dev/null
+++ b/etc/ar.profile
@@ -0,0 +1,43 @@
+# Firejail profile for ar
+# Description: Create, modify, and extract from archives
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include ar.local
+# Persistent global definitions
+include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+apparmor
+caps.drop all
+hostname ar
+ipc-namespace
+machine-id
+net none
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+#noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+private-bin ar
+private-cache
+private-dev
+
+memory-deny-write-execute
diff --git a/etc/baloo_file.profile b/etc/baloo_file.profile
index f46987cc7..6f7638fa3 100644
--- a/etc/baloo_file.profile
+++ b/etc/baloo_file.profile
@@ -39,7 +39,7 @@ nou2f
 novideo
 protocol unix
 # blacklisting of ioprio_set system calls breaks baloo_file
-seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice
+seccomp !ioprio_set
 shell none
 # x11 xorg
 
diff --git a/etc/basilisk.profile b/etc/basilisk.profile
index 5bc91dc74..8dc3847a0 100644
--- a/etc/basilisk.profile
+++ b/etc/basilisk.profile
@@ -14,8 +14,8 @@ whitelist ${HOME}/.cache/moonchild productions/basilisk
 whitelist ${HOME}/.moonchild productions
 
 # Basilisk can use the full firejail seccomp filter (unlike firefox >= 60)
-ignore seccomp.drop
 seccomp
+ignore seccomp
 
 #private-bin basilisk
 # private-etc must first be enabled in firefox-common.profile
diff --git a/etc/bibletime.profile b/etc/bibletime.profile
index 4f1b05c88..0de3bc480 100644
--- a/etc/bibletime.profile
+++ b/etc/bibletime.profile
@@ -42,7 +42,7 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6,netlink
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 shell none
 
 disable-mnt
diff --git a/etc/brackets.profile b/etc/brackets.profile
index b7d560bbc..13a3bef79 100644
--- a/etc/brackets.profile
+++ b/etc/brackets.profile
@@ -27,7 +27,7 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6,netlink
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,iopl,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pciconfig_iobase,pciconfig_read,pciconfig_write,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,s390_mmio_read,s390_mmio_write,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot,!ioperm
 shell none
 
 private-cache
diff --git a/etc/clementine.profile b/etc/clementine.profile
index 147b0de4b..4d92157d0 100644
--- a/etc/clementine.profile
+++ b/etc/clementine.profile
@@ -27,7 +27,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 # blacklisting of ioprio_set system calls breaks clementine
-seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice
+seccomp !ioprio_set
 
 private-dev
 private-tmp
diff --git a/etc/code.profile b/etc/code.profile
index 7ac4e1619..6f8a25211 100644
--- a/etc/code.profile
+++ b/etc/code.profile
@@ -18,7 +18,6 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 
 caps.drop all
-net none
 netfilter
 nodvd
 nogroups
diff --git a/etc/falkon.profile b/etc/falkon.profile
index ddcda6228..0024b6660 100644
--- a/etc/falkon.profile
+++ b/etc/falkon.profile
@@ -34,7 +34,7 @@ notv
 nou2f
 protocol unix,inet,inet6,netlink
 # blacklisting of chroot system calls breaks falkon
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 # tracelog
 
 private-dev
diff --git a/etc/firefox-common.profile b/etc/firefox-common.profile
index 6ad4a9bc2..02d6199a0 100644
--- a/etc/firefox-common.profile
+++ b/etc/firefox-common.profile
@@ -46,7 +46,7 @@ notv
 ?BROWSER_DISABLE_U2F: nou2f
 protocol unix,inet,inet6,netlink
 # The below seccomp configuration still permits chroot syscall. See https://github.com/netblue30/firejail/issues/2506 for possible workarounds.
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 shell none
 # Disable tracelog, it breaks or causes major issues with many firefox based browsers, see https://github.com/netblue30/firejail/issues/1930.
 #tracelog
diff --git a/etc/gnome-schedule.profile b/etc/gnome-schedule.profile
index cbeb82465..30ca56094 100644
--- a/etc/gnome-schedule.profile
+++ b/etc/gnome-schedule.profile
@@ -58,6 +58,5 @@ tracelog
 disable-mnt
 private-cache
 private-dev
-private-etc at.allow,at.deny,cron.allow,cron.deny,fonts,ld.so.preload,pam.d,shadow
 writable-var
 
diff --git a/etc/keepassxc.profile b/etc/keepassxc.profile
index 6ef02ad47..3e1e0a2ce 100644
--- a/etc/keepassxc.profile
+++ b/etc/keepassxc.profile
@@ -29,7 +29,9 @@ machine-id
 net none
 no3d
 nodvd
-nodbus
+# Breaks 'Lock database when session is locked or lid is closed' (#2899),
+# you can safely uncomment it or add to keepassxc.local if you don't need this feature.
+#nodbus
 nogroups
 nonewprivs
 noroot
@@ -46,8 +48,5 @@ private-dev
 private-etc alternatives,fonts,ld.so.cache,machine-id
 private-tmp
 
-# 2.2.4 crashes on database open
-# memory-deny-write-execute
-
 # Mutex is stored in /tmp by default, which is broken by private-tmp
 join-or-start keepassxc
diff --git a/etc/kiwix-desktop.profile b/etc/kiwix-desktop.profile
index db8f7880c..8b7b12882 100644
--- a/etc/kiwix-desktop.profile
+++ b/etc/kiwix-desktop.profile
@@ -39,7 +39,7 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6,netlink
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 shell none
 
 disable-mnt
diff --git a/etc/kmail.profile b/etc/kmail.profile
index 0b602c79a..198b05a11 100644
--- a/etc/kmail.profile
+++ b/etc/kmail.profile
@@ -51,7 +51,7 @@ nou2f
 novideo
 protocol unix,inet,inet6,netlink
 # we need to allow chroot, io_getevents, ioprio_set, io_setup, io_submit system calls
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot,!io_getevents,!io_setup,!io_submit,!ioprio_set
 # tracelog
 
 private-dev
diff --git a/etc/mpd.profile b/etc/mpd.profile
index 0b5ebf705..6c5963793 100644
--- a/etc/mpd.profile
+++ b/etc/mpd.profile
@@ -31,7 +31,7 @@ novideo
 protocol unix,inet,inet6
 # blacklisting of ioprio_set system calls breaks auto-updating of
 # MPD's database when files in music_directory are changed
-seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice
+seccomp !ioprio_set
 shell none
 
 #private-bin bash,mpd
diff --git a/etc/palemoon.profile b/etc/palemoon.profile
index 11464e6cf..acb2ce176 100644
--- a/etc/palemoon.profile
+++ b/etc/palemoon.profile
@@ -14,8 +14,8 @@ whitelist ${HOME}/.cache/moonchild productions/pale moon
 whitelist ${HOME}/.moonchild productions
 
 # Palemoon can use the full firejail seccomp filter (unlike firefox >= 60)
-ignore seccomp.drop
 seccomp
+ignore seccomp
 
 #private-bin palemoon
 # private-etc must first be enabled in firefox-common.profile
diff --git a/etc/qgis.profile b/etc/qgis.profile
index 80a10efce..88ed0cd81 100644
--- a/etc/qgis.profile
+++ b/etc/qgis.profile
@@ -45,7 +45,7 @@ notv
 nou2f
 novideo
 # blacklisting of mbind system calls breaks old version
-seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,migrate_pages,mincore,move_pages,name_to_handle_at,ni_syscall,open_by_handle_at,remap_file_pages,request_key,set_mempolicy,syslog,umount,userfaultfd,vmsplice
+seccomp !mbind
 protocol unix,inet,inet6,netlink
 shell none
 tracelog
diff --git a/etc/qpdfview.profile b/etc/qpdfview.profile
index abbd76aff..863f57ba4 100644
--- a/etc/qpdfview.profile
+++ b/etc/qpdfview.profile
@@ -22,7 +22,8 @@ include whitelist-var-common.inc
 
 caps.drop all
 machine-id
-nodbus
+# needs D-Bus when started from a file manager
+#nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/qupzilla.profile b/etc/qupzilla.profile
index 3f3270dd6..7aa71c848 100644
--- a/etc/qupzilla.profile
+++ b/etc/qupzilla.profile
@@ -21,7 +21,5 @@ mkdir ${HOME}/.config/qupzilla
 whitelist ${HOME}/.cache/qupzilla
 whitelist ${HOME}/.config/qupzilla
 
-# private-tmp - interferes with the opening of downloaded files
-
 # Redirect
 include falkon.profile
diff --git a/etc/qutebrowser.profile b/etc/qutebrowser.profile
index a7ba18292..95c189458 100644
--- a/etc/qutebrowser.profile
+++ b/etc/qutebrowser.profile
@@ -36,5 +36,5 @@ noroot
 notv
 protocol unix,inet,inet6,netlink
 # blacklisting of chroot system calls breaks qt webengine
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 # tracelog
diff --git a/etc/riot-desktop.profile b/etc/riot-desktop.profile
index e6af4c2cb..4372fabe1 100644
--- a/etc/riot-desktop.profile
+++ b/etc/riot-desktop.profile
@@ -7,8 +7,7 @@ include riot-desktop.local
 # added by included profile
 #include globals.local
 
-ignore seccomp
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mincore,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pivot_root,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 
 # Redirect
 include riot-web.profile
diff --git a/etc/seahorse.profile b/etc/seahorse.profile
index b9a0fd149..fe29a6731 100644
--- a/etc/seahorse.profile
+++ b/etc/seahorse.profile
@@ -20,10 +20,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-mkdir ${HOME}/.config/dconf
 mkdir ${HOME}/.gnupg
 mkdir ${HOME}/.ssh
-whitelist ${HOME}/.config/dconf
 whitelist ${HOME}/.gnupg
 whitelist ${HOME}/.ssh
 whitelist /tmp/ssh-*
diff --git a/etc/signal-desktop.profile b/etc/signal-desktop.profile
index 04696a918..f810a37ec 100644
--- a/etc/signal-desktop.profile
+++ b/etc/signal-desktop.profile
@@ -22,16 +22,12 @@ whitelist ${HOME}/.config/Signal
 include whitelist-common.inc
 include whitelist-var-common.inc
 
-caps.drop all
+caps.keep sys_admin,sys_chroot
 netfilter
 nodvd
 nogroups
-nonewprivs
-noroot
 notv
 nou2f
-protocol unix,inet,inet6,netlink
-seccomp
 shell none
 
 disable-mnt
diff --git a/etc/simple-scan.profile b/etc/simple-scan.profile
index 64441483d..a0c9e8303 100644
--- a/etc/simple-scan.profile
+++ b/etc/simple-scan.profile
@@ -27,7 +27,7 @@ notv
 # novideo
 protocol unix,inet,inet6,netlink
 # blacklisting of ioperm system calls breaks simple-scan
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@reboot,@resources,@swap,acct,add_key,bpf,chroot,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,iopl,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pciconfig_iobase,pciconfig_read,pciconfig_write,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,s390_mmio_read,s390_mmio_write,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !ioperm
 shell none
 tracelog
 
diff --git a/etc/skanlite.profile b/etc/skanlite.profile
index c10be717b..6f9bfd201 100644
--- a/etc/skanlite.profile
+++ b/etc/skanlite.profile
@@ -27,7 +27,7 @@ notv
 # novideo
 protocol unix,inet,inet6,netlink
 # blacklisting of ioperm system calls breaks skanlite
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@reboot,@resources,@swap,acct,add_key,bpf,chroot,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,iopl,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pciconfig_iobase,pciconfig_read,pciconfig_write,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,s390_mmio_read,s390_mmio_write,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !ioperm
 shell none
 
 # private-bin kbuildsycoca4,kdeinit4,skanlite
diff --git a/etc/skypeforlinux.profile b/etc/skypeforlinux.profile
index 8a45f2465..341c25a95 100644
--- a/etc/skypeforlinux.profile
+++ b/etc/skypeforlinux.profile
@@ -16,16 +16,13 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 
-caps.drop all
+caps.keep sys_admin,sys_chroot
 netfilter
 nodvd
 nogroups
-nonewprivs
-noroot
 notv
-protocol unix,inet,inet6,netlink
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pivot_root,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
 shell none
 
 disable-mnt
diff --git a/etc/standardnotes-desktop.profile b/etc/standardnotes-desktop.profile
index 5703f932a..aa6902854 100644
--- a/etc/standardnotes-desktop.profile
+++ b/etc/standardnotes-desktop.profile
@@ -34,7 +34,7 @@ nosound
 notv
 nou2f
 protocol unix,inet,inet6,netlink
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mincore,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pivot_root,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 
 disable-mnt
 private-dev
diff --git a/etc/start-tor-browser.profile b/etc/start-tor-browser.profile
index 1c2a2cd10..a8b5d109e 100644
--- a/etc/start-tor-browser.profile
+++ b/etc/start-tor-browser.profile
@@ -28,7 +28,7 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 shell none
 # tracelog may cause issues, see github issue #1930
 #tracelog
diff --git a/etc/tar.profile b/etc/tar.profile
index cace89965..3fba96eee 100644
--- a/etc/tar.profile
+++ b/etc/tar.profile
@@ -40,7 +40,7 @@ tracelog
 x11 none
 
 # support compressed archives
-private-bin bash,bzip2,compress,gtar,gzip,lbzip2,lzip,lzma,lzop,sh,tar,xz
+private-bin bash,bzip2,compress,firejail,gtar,gzip,lbzip2,lzip,lzma,lzop,sh,tar,xz
 private-cache
 private-dev
 private-etc alternatives,group,localtime,passwd
diff --git a/etc/teamspeak3.profile b/etc/teamspeak3.profile
index b34d15731..c1c666f58 100644
--- a/etc/teamspeak3.profile
+++ b/etc/teamspeak3.profile
@@ -33,7 +33,7 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6,netlink
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pivot_root,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 shell none
 
 disable-mnt
diff --git a/etc/templates/profile.template b/etc/templates/profile.template
index 0d67e222f..10b5ee2ae 100644
--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -138,6 +138,7 @@ include globals.local
 #  - packet almost never
 #protocol unix,inet,inet6,netlink,packet
 #seccomp
+##seccomp !chroot
 ##seccomp.drop SYSCALLS (see syscalls.txt)
 #shell none
 #tracelog
diff --git a/etc/templates/syscalls.txt b/etc/templates/syscalls.txt
index bc45d9f9d..ea3b5a6b0 100644
--- a/etc/templates/syscalls.txt
+++ b/etc/templates/syscalls.txt
@@ -1,73 +1,107 @@
-Hints for writing seccomp.drop lines
-====================================
+Hints to write own seccomp filters
+==================================
+
+
+The different seccomp commands
+------------------------------
+
+Always have a look at 'man 1 firejail'.
+
+ - seccomp
+    Blocks all syscalls in the default-group.
+     - The default-group is @default-nodebuggers, unless allow-debuggers is
+       specified, then @default is used.
+     - Listed syscalls and groups are also blocked.
+     - Exceptions are possible by putting a ! in before the name of a syscall.
+ - seccomp.block-secondary
+    Allows only native syscalls, all syscalls for other architectures are blocked.
+ - seccomp.drop
+    Blocks all listed syscalls.
+     - Exceptions are possible by putting a ! in before the name of a syscall.
+ - seccomp.keep
+    Allows only listed syscalls.
+     To write your own seccomp.keep line, see:
+     - https://firejail.wordpress.com/documentation-2/seccomp-guide/
+     - https://github.com/netblue30/firejail/blob/master/contrib/syscalls.sh
 
 Definition of groups
 --------------------
 
+@aio=io_cancel,io_destroy,io_getevents,io_pgetevents,io_setup,io_submit
+@basic-io=_llseek,close,dup,dup2,dup3,lseek,pread64,preadv,preadv2,pwrite64,pwritev,pwritev2,read,readv,write,writev
+@chown=chown,chown32,fchown,fchown32,fchownat,lchown,lchown32
 @clock=adjtimex,clock_adjtime,clock_settime,settimeofday,stime
-@module=delete_module,finit_module,init_module
-@raw-io=ioperm,iopl,pciconfig_iobase,pciconfig_read,pciconfig_write,s390_mmio_read,s390_mmio_write
-@reboot=kexec_file_load,kexec_load,reboot
-@swap=swapoff,swapon
-
-@privileged=@clock,@module,@raw-io,@reboot,@swap,acct,bpf,chroot,mount,nfsservctl,pivot_root,setdomainname,sethostname,umount2,vhangup
-
 @cpu-emulation=modify_ldt,subpage_prot,switch_endian,vm86,vm86old
 @debug=lookup_dcookie,perf_event_open,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext
-@obsolete=_sysctl,afs_syscall,bdflush,break,create_module,ftime,get_kernel_syms,getpmsg,gtty,lock,mpx,prof,profil,putpmsg,query_module,security,sgetmask,ssetmask,stty,sysfs,tuxcall,ulimit,uselib,ustat,vserver
-@resources=mbind,migrate_pages,move_pages,set_mempolicy
-
-@default=@cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice
-
-@default-nodebuggers=@default,personality,process_vm_readv,ptrace
-
+@default=@clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@swap,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,kcmp,add_key,request_key,mbind,migrate_pages,move_pages,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,set_mempolicyvmsplice,umount,userfaultfd,acct,bpf,chroot,mount,nfsservctl,pivot_root,setdomainname,sethostname,umount2,vhangup
+@default-nodebuggers=@default,ptrace,personality,process_vm_readv
 @default-keep=execve,prctl
+@file-system=access,chdir,chmod,close,creat,faccessat,fallocate,fchdir,fchmod,fchmodat,fcntl,fcntl64,fgetxattr,flistxattr,fremovexattr,fsetxattr,fstat,fstat64,fstatat64,fstatfs,fstatfs64,ftruncate,ftruncate64,futimesat,getcwd,getdents,getdents64,getxattr,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,lgetxattr,link,linkat,listxattr,llistxattr,lremovexattr,lsetxattr,lstat,lstat64,mkdir,mkdirat,mknod,mknodat,mmap,mmap2,munmap,newfstatat,oldfstat,oldlstat,oldstat,open,openat,readlink,readlinkat,removexattr,rename,renameat,renameat2,rmdir,setxattr,stat,stat64,statfs,statfs64,statx,symlink,symlinkat,truncate,truncate64,unlink,unlinkat,utime,utimensat,utimes
+@io-event=_newselect,epoll_create,epoll_create1,epoll_ctl,epoll_ctl_old,epoll_pwait,epoll_wait,epoll_wait_old,eventfd,eventfd2,poll,ppoll,pselect6,select
+@ipc=ipc,memfd_create,mq_getsetattr,mq_notify,mq_open,mq_timedreceive,mq_timedsend,mq_unlink,msgctl,msgget,msgrcv,msgsnd,pipe,pipe2,process_vm_readv,process_vm_writev,semctl,semget,semop,semtimedop,shmat,shmctl,shmdt,shmget
+@keyring=add_key,keyctl,request_key
+@memlock=mlock,mlock2,mlockall,munlock,munlockall
+@module=delete_module,finit_module,init_module
+@mount=chroot,mount,pivot_root,umount,umount2
+@network-io=accept,accept4,bind,connect,getpeername,getsockname,getsockopt,listen,recv,recvfrom,recvmmsg,recvmsg,send,sendmmsg,sendmsg,sendto,setsockopt,shutdown,socket,socketcall,socketpair
+@obsolete=_sysctl,afs_syscall,bdflush,break,create_module,ftime,get_kernel_syms,getpmsg,gtty,idle,lock,mpx,prof,profil,putpmsg,query_module,security,sgetmask,ssetmask,stty,sysfs,tuxcall,ulimit,uselib,ustat,vserver
+@privileged=@chown,@clock,@module,@raw-io,@reboot,@swap,_sysctl,acct,bpf,capset,chroot,fanotify_init,mount,nfsservctl,open_by_handle_at,pivot_root,quotactl,setdomainname,setfsuid,setfsuid32,setgroups,setgroups32,sethostname,setresuid,setresuid32,setreuid,setreuid32,setuid,setuid32,umount2,vhangup
+@process=arch_prctl,capget,clone,execveat,fork,getrusage,kill,pidfd_send_signal,prctl,rt_sigqueueinfo,rt_tgsigqueueinfo,setns,swapcontext,tgkill,times,tkill,unshare,vfork,wait4,waitid,waitpid
+@raw-io=ioperm,iopl,pciconfig_iobase,pciconfig_read,pciconfig_write,s390_mmio_read,s390_mmio_write
+@reboot=kexec_load,kexec_file_load,reboot
+@resources=ioprio_set,mbind,migrate_pages,move_pages,nice,sched_setaffinity,sched_setattr,sched_setparam,sched_setscheduler,set_mempolicy
+@setuid=setgid,setgid32,setgroups,setgroups32,setregid,setregid32,setresgid,setresgid32,setresuid,setresuid32,setreuid,setreuid32,setuid,setuid32
+@signal=rt_sigaction,rt_sigpending,rt_sigprocmask,rt_sigsuspend,rt_sigtimedwait,sigaction,sigaltstack,signal,signalfd,signalfd4,sigpending,sigprocmask,sigsuspend
+@swap=swapon,swapoff
+@sync=fdatasync,fsync,msync,sync,sync_file_range,sync_file_range2,syncfs
+@system-service=@aio,@basic-io,@chown,@default,@file-system,@io-event,@ipc,@keyring,@memlock,@network-io,@process,@resources,@setuid,@signal,@sync,@timer,brk,capget,capset,copy_file_range,fadvise64,fadvise64_64,flock,get_mempolicy,getcpu,getpriority,getrandom,ioctl,ioprio_get,kcmp,madvise,mprotect,mremap,name_to_handle_at,oldolduname,olduname,personality,readahead,readdir,remap_file_pages,sched_get_priority_max,sched_get_priority_min,sched_getaffinity,sched_getattr,sched_getparam,sched_getscheduler,sched_rr_get_interval,sched_yield,sendfile,sendfile64,setfsgid,setfsgid32,setfsuid,setfsuid32,setpgid,setsid,splice,sysinfo,tee,umask,uname,userfaultfd,vmsplice
+@timer=alarm,getitimer,setitimer,timer_create,timer_delete,timer_getoverrun,timer_gettime,timer_settime,timerfd_create,timerfd_gettime,timerfd_settime,times
 
 Inheritance of groups
 ---------------------
 
-+---------+----------------+---------------+
-| @clock  | @cpu-emulation | @default-keep |
-| @module | @debug         |               |
-| @raw-io | @obsolete      |               |
-| @reboot | @resources     |               |
-| @swap   |                |               |
-+---------+----------------+---------------+
-     :              :
-+-------------+     :
-| @privileged |     :
-+-------------+     :
-     :              :
-+----------+        :
-| @default |........:
-+----------+
-    :
-+----------------------+
-| @default-nodebuggers |
-+----------------------+
-
-common used seccomp.drop lines
-------------------------------
-
-@default without chroot: @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pivot_root,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
-
-@default-nodebuggers without chroot: @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
-
-Building a seccomp.drop line if seccomp breaks a programm
----------------------------------------------------------
++---------------+
+| @default-keep |
+| @mount        |
++---------------+
+
++----------------+  +---------+  +--------+  +--------------+
+| @cpu-emulation |  | @clock  |  | @chown |  | @aio         |
+| @debug         |  | @module |  +--------+  | @basic-io    |
+| @obsolete      |  | @raw-io |     :  :     | @file-system |
++----------------+  | @reboot |     :  :     | @io-event    |
+   :                | @swap   |     :  :     | @ipc         |
+   :                +---------+     :  :     | @keyring     |
+   :                  :  :          :  :     | @memlock     |
+   :    ..............:  :          :  :     | @network-io  |
+   :    :                :  ........:  :     | @process     |
+   :    :                :  :          :     | @resources   |
++----------+    +-------------+        :     | @setuid      |
+| @default |    | @privileged |        :     | @signal      |
++----------+    +-------------+        :     | @sync        |
+   :    :                              :     | @timer       |
+   :    :...........................   :     +--------------+
+   :                               :   :        :
++----------------------+        +-----------------+
+| @default-nodebuggers |        | @system-service |
++----------------------+        +-----------------+
+
+
+What to do if seccomp breaks a program
+--------------------------------------
 
 ```
 $ journalctl --grep=syscall --follow
 <...> audit[…]: SECCOMP <...> syscall=161 <...>
 $ firejail --debug-syscalls | grep 161
-161     - chroot
+161 - chroot
 ```
+Profile: `seccomp -> seccomp !chroot`
 
-TODO: write a short explanation
-TODO: suggest to use `allow-debuggers` instead of `seccomp.drop` if possible
-
-see also
---------
+Start `journalctl --grep=syscall --follow` in a terminal, then start the broken
+program. Now you see one or more long lines containing `syscall=NUMBER` somewhere.
+Stop journalctl (^C) and execute `firejail --debug-syscalls | grep NUMBER`. You
+will see something like `NUMBER  - NAME`, because you now know the name of the
+syscall, you can add an exception to seccomp by putting `!NAME` to seccomp.
 
- - contrib/syscalls.sh
- - https://firejail.wordpress.com/documentation-2/seccomp-guide/
+If the blocked syscall is ptrace, consider to add allow-debuggers to the profile.
diff --git a/etc/torbrowser-launcher.profile b/etc/torbrowser-launcher.profile
index 8485c0c4c..1183cd2f7 100644
--- a/etc/torbrowser-launcher.profile
+++ b/etc/torbrowser-launcher.profile
@@ -42,7 +42,7 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 shell none
 # tracelog may cause issues, see github issue #1930
 #tracelog
diff --git a/etc/whitelist-common.inc b/etc/whitelist-common.inc
index 9c1b7b92c..717c82379 100644
--- a/etc/whitelist-common.inc
+++ b/etc/whitelist-common.inc
@@ -20,10 +20,6 @@ whitelist ${HOME}/.local/share/icons
 whitelist ${HOME}/.local/share/mime
 whitelist ${HOME}/.mime.types
 
-# dconf
-mkdir ${HOME}/.config/dconf
-whitelist ${HOME}/.config/dconf
-
 # fonts
 whitelist ${HOME}/.cache/fontconfig
 whitelist ${HOME}/.config/fontconfig