41 files changed, 43 insertions, 43 deletions
diff --git a/etc/amarok.profile b/etc/amarok.profile
index dab23c218..d7ce6b7ea 100644
--- a/etc/amarok.profile
+++ b/etc/amarok.profile
@@ -29,5 +29,5 @@ shell none
 # private-bin amarok
 private-dev
-# private-etc none,machine-id,pulse,asound.conf
+# private-etc none,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies
 private-tmp
diff --git a/etc/arm.profile b/etc/arm.profile
index a89ee86cc..bebf05366 100644
--- a/etc/arm.profile
+++ b/etc/arm.profile
@@ -42,7 +42,7 @@ tracelog
 disable-mnt
 private-bin arm,tor,sh,bash,python*,ps,lsof,ldconfig
 private-dev
-private-etc tor,passwd
+private-etc tor,passwd,ca-certificates,ssl,pki,crypto-policies
 private-tmp
 noexec ${HOME}
diff --git a/etc/bibletime.profile b/etc/bibletime.profile
index b84e8186b..fef7474a9 100644
--- a/etc/bibletime.profile
+++ b/etc/bibletime.profile
@@ -38,5 +38,5 @@ tracelog
 # private-bin bibletime,qt5ct
 private-dev
-private-etc fonts,resolv.conf,sword,sword.conf,passwd,machine-id
+private-etc fonts,resolv.conf,sword,sword.conf,passwd,machine-id,ca-certificates,ssl,pki,crypto-policies
 private-tmp
diff --git a/etc/bitcoin-qt.profile b/etc/bitcoin-qt.profile
index 84c2c77de..efc11cc9c 100644
--- a/etc/bitcoin-qt.profile
+++ b/etc/bitcoin-qt.profile
@@ -40,7 +40,7 @@ tracelog
 private-bin bitcoin-qt
 private-dev
 # Causes problem with loading of libGL.so
-#private-etc fonts
+#private-etc fonts,ca-certificates,ssl,pki,crypto-policies
 # Works, but QT complains about OpenSSL a bit.
 #private-lib
 private-tmp
diff --git a/etc/cmus.profile b/etc/cmus.profile
index 36478ef85..a9f76ec80 100644
--- a/etc/cmus.profile
+++ b/etc/cmus.profile
@@ -26,4 +26,4 @@ seccomp
 shell none
 private-bin cmus
-private-etc group,machine-id,pulse,asound.conf
+private-etc group,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies
diff --git a/etc/curl.profile b/etc/curl.profile
index 1d2515f51..d1a682e60 100644
--- a/etc/curl.profile
+++ b/etc/curl.profile
@@ -31,7 +31,7 @@ shell none
 # private-bin curl
 private-cache
 private-dev
-# private-etc resolv.conf
+# private-etc resolv.conf,ca-certificates,ssl,pki,crypto-policies
 private-tmp
 noexec ${HOME}
diff --git a/etc/digikam.profile b/etc/digikam.profile
index 2e1947419..5a0e70ef1 100644
--- a/etc/digikam.profile
+++ b/etc/digikam.profile
@@ -36,7 +36,7 @@ shell none
 # private-bin program
 # private-dev - prevents libdc1394 loading; this lib is used to connect to a camera device
-# private-etc none
+# private-etc none,ca-certificates,ssl,pki,crypto-policies
 private-tmp
 noexec ${HOME}
diff --git a/etc/dino.profile b/etc/dino.profile
index 5c9d44140..a39ec8931 100644
--- a/etc/dino.profile
+++ b/etc/dino.profile
@@ -35,7 +35,7 @@ shell none
 disable-mnt
 private-bin dino
 private-dev
-# private-etc fonts # breaks server connection
+# private-etc fonts,ca-certificates,ssl,pki,crypto-policies # breaks server connection
 private-tmp
 noexec ${HOME}
diff --git a/etc/discord-common.profile b/etc/discord-common.profile
index 9f0e02525..b835ce401 100644
--- a/etc/discord-common.profile
+++ b/etc/discord-common.profile
@@ -24,9 +24,9 @@ novideo
 protocol unix,inet,inet6,netlink
 seccomp
-private-bin sh,xdg-mime,tr,sed,echo,head,cut,xdg-open,grep,egrep
+private-bin sh,xdg-mime,tr,sed,echo,head,cut,xdg-open,grep,egrep,bash,zsh
 private-dev
-private-etc fonts,machine-id,localtime,ld.so.cache
+private-etc fonts,machine-id,localtime,ld.so.cache,ca-certificates,ssl,pki,crypto-policies
 private-tmp
 noexec ${HOME}
diff --git a/etc/elinks.profile b/etc/elinks.profile
index 61fbab3cc..6eeef738e 100644
--- a/etc/elinks.profile
+++ b/etc/elinks.profile
@@ -34,5 +34,5 @@ tracelog
 # private-bin elinks
 private-cache
 private-dev
-# private-etc none
+# private-etc none,ca-certificates,ssl,pki,crypto-policies
 private-tmp
diff --git a/etc/flameshot.profile b/etc/flameshot.profile
index 7c2bc8c11..8dbd74cc1 100644
--- a/etc/flameshot.profile
+++ b/etc/flameshot.profile
@@ -33,7 +33,7 @@ shell none
 disable-mnt
 private-bin flameshot
 private-cache
-private-etc fonts,ca-certificates,ld.so.conf,resolv.conf,ssl
+private-etc fonts,ld.so.conf,resolv.conf,ca-certificates,ssl,pki,crypto-policies
 private-dev
 private-tmp
diff --git a/etc/gitter.profile b/etc/gitter.profile
index 2edbf8a4e..b5bedb66d 100644
--- a/etc/gitter.profile
+++ b/etc/gitter.profile
@@ -34,7 +34,7 @@ shell none
 disable-mnt
 private-bin bash,env,gitter
-private-etc fonts,pulse,resolv.conf
+private-etc fonts,pulse,resolv.conf,ca-certificates,ssl,pki,crypto-policies
 private-opt Gitter
 private-dev
 private-tmp
diff --git a/etc/gjs.profile b/etc/gjs.profile
index 9d439782c..6110cb71e 100644
--- a/etc/gjs.profile
+++ b/etc/gjs.profile
@@ -32,5 +32,5 @@ tracelog
 # private-bin gjs,gnome-books,gnome-documents,gnome-photos,gnome-maps,gnome-weather
 private-dev
-# private-etc fonts
+# private-etc fonts,ca-certificates,ssl,pki,crypto-policies
 private-tmp
diff --git a/etc/gnome-clocks.profile b/etc/gnome-clocks.profile
index 4251f70ed..b0a6cf80e 100644
--- a/etc/gnome-clocks.profile
+++ b/etc/gnome-clocks.profile
@@ -32,7 +32,7 @@ tracelog
 disable-mnt
 # private-bin gnome-clocks
 private-dev
-# private-etc fonts
+# private-etc fonts,ca-certificates,ssl,pki,crypto-policies
 private-tmp
 noexec ${HOME}
diff --git a/etc/gnome-maps.profile b/etc/gnome-maps.profile
index da73d9450..b747743fc 100644
--- a/etc/gnome-maps.profile
+++ b/etc/gnome-maps.profile
@@ -35,7 +35,7 @@ tracelog
 disable-mnt
 # private-bin gjs gnome-maps
 private-dev
-# private-etc fonts
+# private-etc fonts,ca-certificates,ssl,pki,crypto-policies
 private-tmp
 noexec ${HOME}
diff --git a/etc/gnome-weather.profile b/etc/gnome-weather.profile
index 28c9e6d86..f2c6acac5 100644
--- a/etc/gnome-weather.profile
+++ b/etc/gnome-weather.profile
@@ -36,7 +36,7 @@ tracelog
 disable-mnt
 # private-bin gjs gnome-weather
 private-dev
-# private-etc fonts
+# private-etc fonts,ca-certificates,ssl,pki,crypto-policies
 private-tmp
 noexec ${HOME}
diff --git a/etc/goobox.profile b/etc/goobox.profile
index 680e14a49..ca92b1540 100644
--- a/etc/goobox.profile
+++ b/etc/goobox.profile
@@ -29,5 +29,5 @@ tracelog
 # private-bin goobox
 private-dev
-# private-etc fonts,machine-id,pulse,asound.conf
+# private-etc fonts,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies
 # private-tmp
diff --git a/etc/gpredict.profile b/etc/gpredict.profile
index 51f384751..58f79ac14 100644
--- a/etc/gpredict.profile
+++ b/etc/gpredict.profile
@@ -31,7 +31,7 @@ tracelog
 private-bin gpredict
 private-dev
-private-etc fonts,resolv.conf
+private-etc fonts,resolv.conf,ca-certificates,ssl,pki,crypto-policies
 private-tmp
 noexec ${HOME}
diff --git a/etc/lynx.profile b/etc/lynx.profile
index 0f4de2fee..a63e1b7b4 100644
--- a/etc/lynx.profile
+++ b/etc/lynx.profile
@@ -32,5 +32,5 @@ tracelog
 # private-bin lynx
 private-cache
 private-dev
-# private-etc none
+# private-etc none,ca-certificates,ssl,pki,crypto-policies
 private-tmp
diff --git a/etc/mate-dictionary.profile b/etc/mate-dictionary.profile
index 6c9ed4499..b0bd99519 100644
--- a/etc/mate-dictionary.profile
+++ b/etc/mate-dictionary.profile
@@ -35,7 +35,7 @@ shell none
 disable-mnt
 private-bin mate-dictionary
-private-etc fonts,resolv.conf
+private-etc fonts,resolv.conf,ca-certificates,ssl,pki,crypto-policies
 private-opt mate-dictionary
 private-dev
 private-tmp
diff --git a/etc/mcabber.profile b/etc/mcabber.profile
index 860de3f0a..46f6b90ce 100644
--- a/etc/mcabber.profile
+++ b/etc/mcabber.profile
@@ -28,4 +28,4 @@ shell none
 private-bin mcabber
 private-dev
-private-etc null
+private-etc none,ca-certificates,ssl,pki,crypto-policies
diff --git a/etc/ms-office.profile b/etc/ms-office.profile
index 49bc4ad37..cedc5eff4 100644
--- a/etc/ms-office.profile
+++ b/etc/ms-office.profile
@@ -36,7 +36,7 @@ tracelog
 disable-mnt
 private-bin bash,fonts,env,jak,ms-office,python*,sh
-private-etc ca-certificates,resolv.conf,ssl
+private-etc resolv.conf,ca-certificates,ssl,pki,crypto-policies
 private-dev
 private-tmp
diff --git a/etc/musixmatch.profile b/etc/musixmatch.profile
index b572f13d2..87aac6727 100644
--- a/etc/musixmatch.profile
+++ b/etc/musixmatch.profile
@@ -30,7 +30,7 @@ seccomp
 disable-mnt
 private-dev
-private-etc none,machine-id,pulse,asound.conf
+private-etc none,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies
 noexec ${HOME}
 noexec /tmp
diff --git a/etc/parole.profile b/etc/parole.profile
index 17d31af15..df8f8e194 100644
--- a/etc/parole.profile
+++ b/etc/parole.profile
@@ -26,4 +26,4 @@ shell none
 private-bin parole,dbus-launch
 private-cache
-private-etc passwd,group,fonts,machine-id,pulse,asound.conf
+private-etc passwd,group,fonts,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies
diff --git a/etc/ping.profile b/etc/ping.profile
index db5390a41..2b20bf8c9 100644
--- a/etc/ping.profile
+++ b/etc/ping.profile
@@ -40,7 +40,7 @@ private
 #private-bin has mammoth problems with execvp: "No such file or directory"
 private-dev
 # /etc/hosts is required in private-etc; however, just adding it to the list doesn't solve the problem!
-#private-etc resolv.conf,hosts
+#private-etc resolv.conf,hosts,ca-certificates,ssl,pki,crypto-policies
 private-tmp
 # memory-deny-write-execute is built using seccomp; nonewprivs will kill it
diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile
index 2017beee4..eb15ff445 100644
--- a/etc/qbittorrent.profile
+++ b/etc/qbittorrent.profile
@@ -51,7 +51,7 @@ shell none
 private-bin qbittorrent,python*
 private-dev
-# private-etc X11,fonts,xdg,resolv.conf
+# private-etc X11,fonts,xdg,resolv.conf,ca-certificates,ssl,pki,crypto-policies
 # private-lib - problems on Arch
 private-tmp
diff --git a/etc/qtox.profile b/etc/qtox.profile
index 26697eeaa..92a8bbf28 100644
--- a/etc/qtox.profile
+++ b/etc/qtox.profile
@@ -34,7 +34,7 @@ tracelog
 disable-mnt
 private-bin qtox
-private-etc fonts,resolv.conf,ld.so.cache,localtime
+private-etc fonts,resolv.conf,ld.so.cache,localtime,ca-certificates,ssl,pki,crypto-policies
 private-dev
 private-tmp
diff --git a/etc/qupzilla.profile b/etc/qupzilla.profile
index da1ca2281..e73e8a5e1 100644
--- a/etc/qupzilla.profile
+++ b/etc/qupzilla.profile
@@ -33,7 +33,7 @@ seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@res
 # tracelog
 private-dev
-# private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,adobe,mime.types,mailcap,asound.conf,pulse,machine-id
+# private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,adobe,mime.types,mailcap,asound.conf,pulse,machine-id,ca-certificates,ssl,pki,crypto-policies
 # private-tmp - interferes with the opening of downloaded files
 noexec ${HOME}
diff --git a/etc/ricochet.profile b/etc/ricochet.profile
index e23e7c756..2e2143a54 100644
--- a/etc/ricochet.profile
+++ b/etc/ricochet.profile
@@ -35,7 +35,7 @@ shell none
 disable-mnt
 private-bin ricochet,tor
 private-dev
-#private-etc fonts,tor,X11,alternatives
+#private-etc fonts,tor,X11,alternatives,ca-certificates,ssl,pki,crypto-policies
 noexec ${HOME}
 noexec /tmp
diff --git a/etc/seamonkey.profile b/etc/seamonkey.profile
index dc2fd8e30..365fd3a53 100644
--- a/etc/seamonkey.profile
+++ b/etc/seamonkey.profile
@@ -47,4 +47,4 @@ seccomp
 tracelog
 disable-mnt
-# private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse,machine-id
+# private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse,machine-id,ca-certificates,ssl,pki,crypto-policies
diff --git a/etc/simple-scan.profile b/etc/simple-scan.profile
index 3e8a4e41b..a15576478 100644
--- a/etc/simple-scan.profile
+++ b/etc/simple-scan.profile
@@ -32,5 +32,5 @@ tracelog
 # private-bin simple-scan
 # private-dev
-# private-etc fonts
+# private-etc fonts,ca-certificates,ssl,pki,crypto-policies
 # private-tmp
diff --git a/etc/spotify.profile b/etc/spotify.profile
index 0688723c7..7f40d4399 100644
--- a/etc/spotify.profile
+++ b/etc/spotify.profile
@@ -46,7 +46,7 @@ tracelog
 disable-mnt
 private-bin spotify,bash,sh,zenity
 private-dev
-private-etc fonts,group,ld.so.cache,machine-id,pulse,resolv.conf
+private-etc fonts,group,ld.so.cache,machine-id,pulse,resolv.conf,ca-certificates,ssl,pki,crypto-policies
 private-opt spotify
 private-tmp
diff --git a/etc/tor.profile b/etc/tor.profile
index cbe932104..6bfc1c9a6 100644
--- a/etc/tor.profile
+++ b/etc/tor.profile
@@ -44,7 +44,7 @@ private
 private-bin tor,bash
 private-cache
 private-dev
-private-etc tor,passwd
+private-etc tor,passwd,ca-certificates,ssl,pki,crypto-policies
 private-tmp
 noexec ${HOME}
diff --git a/etc/totem.profile b/etc/totem.profile
index 66fac60a4..0acbc5127 100644
--- a/etc/totem.profile
+++ b/etc/totem.profile
@@ -34,7 +34,7 @@ private-bin totem
 # totem needs access to ~/.cache/tracker or it exits
 #private-cache
 private-dev
-# private-etc fonts,machine-id,pulse,asound.conf
+# private-etc fonts,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies
 private-tmp
 noexec ${HOME}
diff --git a/etc/transmission-cli.profile b/etc/transmission-cli.profile
index 8b50859fc..f839ebfdb 100644
--- a/etc/transmission-cli.profile
+++ b/etc/transmission-cli.profile
@@ -30,7 +30,7 @@ tracelog
 # private-bin transmission-cli
 private-dev
-private-etc none
+private-etc none,ca-certificates,ssl,pki,crypto-policies
 private-tmp
 memory-deny-write-execute
diff --git a/etc/unknown-horizons.profile b/etc/unknown-horizons.profile
index 34c148ee9..6bd8568d4 100644
--- a/etc/unknown-horizons.profile
+++ b/etc/unknown-horizons.profile
@@ -27,5 +27,5 @@ shell none
 # private-bin unknown-horizons
 private-dev
-# private-etc none
+# private-etc none,ca-certificates,ssl,pki,crypto-policies
 private-tmp
diff --git a/etc/wget.profile b/etc/wget.profile
index a16d770f2..c509faecc 100644
--- a/etc/wget.profile
+++ b/etc/wget.profile
@@ -32,7 +32,7 @@ shell none
 # private-bin wget
 private-dev
-# private-etc resolv.conf
+# private-etc resolv.conf,ca-certificates,ssl,pki,crypto-policies
 # private-tmp
 noexec ${HOME}
diff --git a/etc/wire-desktop.profile b/etc/wire-desktop.profile
index e65cfc43c..64d2cefd5 100644
--- a/etc/wire-desktop.profile
+++ b/etc/wire-desktop.profile
@@ -33,8 +33,8 @@ shell none
 # Note: The current version of Wire is located in /opt/wire-desktop/wire-desktop, and therefore
 # it is not in PATH. To use Wire with firejail, run "firejail /opt/wire-desktop/wire-desktop"
+disable-mnt
 private-bin wire-desktop
 private-dev
-private-etc fonts,machine-id,resolv.conf
+private-etc fonts,machine-id,resolv.conf,ca-certificates,ssl,pki,crypto-policies
-disable-mnt
 private-tmp
diff --git a/etc/wireshark.profile b/etc/wireshark.profile
index 2b597ba35..d45198f6a 100644
--- a/etc/wireshark.profile
+++ b/etc/wireshark.profile
@@ -42,7 +42,7 @@ tracelog
 # private-bin wireshark
 private-dev
-# private-etc fonts,group,hosts,machine-id,passwd
+# private-etc fonts,group,hosts,machine-id,passwd,ca-certificates,ssl,pki,crypto-policies
 private-tmp
 noexec ${HOME}
diff --git a/etc/xiphos.profile b/etc/xiphos.profile
index 9358fe192..14aced0d9 100644
--- a/etc/xiphos.profile
+++ b/etc/xiphos.profile
@@ -36,5 +36,5 @@ tracelog
 private-bin xiphos
 private-dev
-private-etc fonts,resolv.conf,sword
+private-etc fonts,resolv.conf,sword,ca-certificates,ssl,pki,crypto-policies
 private-tmp
diff --git a/etc/xplayer.profile b/etc/xplayer.profile
index 5873e2436..f51362b6b 100644
--- a/etc/xplayer.profile
+++ b/etc/xplayer.profile
@@ -39,7 +39,7 @@ tracelog
 private-bin xplayer,xplayer-audio-preview,xplayer-video-thumbnailer
 private-dev
-# private-etc fonts,machine-id,pulse,asound.conf
+# private-etc fonts,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies
 private-tmp
 noexec ${HOME}