31 files changed, 748 insertions, 0 deletions

diff --git a/etc/Viber.profile b/etc/Viber.profile
new file mode 100644
index 000000000..5de92f36f
--- /dev/null
+++ b/etc/Viber.profile
@@ -0,0 +1,38 @@
+# Firejail profile for Viber
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/Viber.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.ViberPC
+whitelist /dev/dri
+whitelist /dev/full
+whitelist /dev/null
+whitelist /dev/ptmx
+whitelist /dev/pts
+whitelist /dev/random
+whitelist /dev/shm
+whitelist /dev/snd
+whitelist /dev/tty
+whitelist /dev/urandom
+whitelist /dev/video0
+whitelist /dev/zero
+whitelist /opt/viber
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+nogroups
+noroot
+seccomp
+shell none
+
+private-bin sh,dig,awk
+private-etc hosts,fonts,mailcap,resolv.conf,X11,pulse,alternatives,localtime,nsswitch.conf,ssl,proxychains.conf
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/amule.profile b/etc/amule.profile
new file mode 100644
index 000000000..5cd6e613e
--- /dev/null
+++ b/etc/amule.profile
@@ -0,0 +1,33 @@
+# Firejail profile for amule
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/amule.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+blacklist /boot
+blacklist /media
+blacklist /mnt
+blacklist /opt
+blacklist /usr/local/bin
+blacklist /usr/local/sbin
+
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.aMule
+whitelist ${HOME}/.gtkrc-2.0
+whitelist ${HOME}/.gtkrc.mine
+whitelist ${HOME}/.themes
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+nogroups
+nonewprivs
+noroot
+seccomp
+shell none
+
+private-bin amule
+private-dev
+private-etc fonts,hosts
+private-tmp
diff --git a/etc/ardour5.profile b/etc/ardour5.profile
new file mode 100644
index 000000000..f17c74e2b
--- /dev/null
+++ b/etc/ardour5.profile
@@ -0,0 +1,36 @@
+# Firejail profile for ardour5
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/ardour5.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+blacklist /boot
+blacklist /media
+blacklist /mnt
+blacklist /opt
+blacklist /usr/local/bin
+
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.config/ardour4
+whitelist ${HOME}/.config/ardour5
+whitelist ${HOME}/.lv2
+whitelist ${HOME}/.vst
+whitelist ${HOME}/Documents
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+nogroups
+noroot
+seccomp
+shell none
+
+private-bin sh,ardour5,ardour5-copy-mixer,ardour5-export,ardour5-fix_bbtppq,grep,sed,ldd,nm
+private-dev
+private-etc pulse,X11,alternatives,ardour4,ardour5,fonts
+private-tmp
+
+noexec /home
+noexec /tmp
diff --git a/etc/brackets.profile b/etc/brackets.profile
new file mode 100644
index 000000000..3c7622435
--- /dev/null
+++ b/etc/brackets.profile
@@ -0,0 +1,31 @@
+# Firejail profile for brackets
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/brackets.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+blacklist /boot
+blacklist /media
+blacklist /mnt
+
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.config/Brackets
+whitelist ${HOME}/.gtkrc-2.0
+whitelist ${HOME}/.themes
+whitelist ${HOME}/Documents
+whitelist /opt/brackets/
+whitelist /opt/google/
+whitelist /tmp/.X11-unix
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+# Comment out or use --ignore=net if you want to install extensions or themes
+net none
+# Disable these if you use live preview (until I figure out a workaround)
+# Doing so should be relatively safe since there is no network access
+noroot
+seccomp
+
+private-bin bash,brackets,readlink,dirname,google-chrome,cat
+private-dev
diff --git a/etc/calligra.profile b/etc/calligra.profile
new file mode 100644
index 000000000..260097560
--- /dev/null
+++ b/etc/calligra.profile
@@ -0,0 +1,37 @@
+# Firejail profile for calligra
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/calligra.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+blacklist /boot
+blacklist /media
+blacklist /mnt
+blacklist /opt
+
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.config/Trolltech.conf
+whitelist ${HOME}/.gtkrc-2.0
+whitelist ${HOME}/.kde
+whitelist ${HOME}/.themes
+whitelist ${HOME}/Documents
+whitelist /tmp/.X11-unix
+# DBus is forced to use an ordinary unix socket
+whitelist /tmp/dbus_session_socket
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+nogroups
+noroot
+seccomp
+shell none
+
+private-bin calligra,calligraauthor,calligraconverter,calligraflow,calligraplan,calligraplanwork,calligrasheets,calligrastage,calligrawords,dbus-launch
+private-dev
+private-etc fonts,passwd,alternatives,X11
+
+noexec /home
+noexec /tmp
diff --git a/etc/calligraauthor.profile b/etc/calligraauthor.profile
new file mode 100644
index 000000000..2b005c5c9
--- /dev/null
+++ b/etc/calligraauthor.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+
+
+include ${HOME}/.config/firejail/calligra.profile
diff --git a/etc/calligraconverter.profile b/etc/calligraconverter.profile
new file mode 100644
index 000000000..2b005c5c9
--- /dev/null
+++ b/etc/calligraconverter.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+
+
+include ${HOME}/.config/firejail/calligra.profile
diff --git a/etc/calligraflow.profile b/etc/calligraflow.profile
new file mode 100644
index 000000000..2b005c5c9
--- /dev/null
+++ b/etc/calligraflow.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+
+
+include ${HOME}/.config/firejail/calligra.profile
diff --git a/etc/calligraplan.profile b/etc/calligraplan.profile
new file mode 100644
index 000000000..2b005c5c9
--- /dev/null
+++ b/etc/calligraplan.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+
+
+include ${HOME}/.config/firejail/calligra.profile
diff --git a/etc/calligraplanwork.profile b/etc/calligraplanwork.profile
new file mode 100644
index 000000000..2b005c5c9
--- /dev/null
+++ b/etc/calligraplanwork.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+
+
+include ${HOME}/.config/firejail/calligra.profile
diff --git a/etc/calligrasheets.profile b/etc/calligrasheets.profile
new file mode 100644
index 000000000..2b005c5c9
--- /dev/null
+++ b/etc/calligrasheets.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+
+
+include ${HOME}/.config/firejail/calligra.profile
diff --git a/etc/calligrastage.profile b/etc/calligrastage.profile
new file mode 100644
index 000000000..2b005c5c9
--- /dev/null
+++ b/etc/calligrastage.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+
+
+include ${HOME}/.config/firejail/calligra.profile
diff --git a/etc/calligrawords.profile b/etc/calligrawords.profile
new file mode 100644
index 000000000..2b005c5c9
--- /dev/null
+++ b/etc/calligrawords.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+
+
+include ${HOME}/.config/firejail/calligra.profile
diff --git a/etc/cin.profile b/etc/cin.profile
new file mode 100644
index 000000000..3a8a4d8de
--- /dev/null
+++ b/etc/cin.profile
@@ -0,0 +1,32 @@
+# Firejail profile for cin
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/cin.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+blacklist /boot
+blacklist /media
+blacklist /mnt
+blacklist /opt
+
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.bcast5
+whitelist ${HOME}/Videos
+whitelist /tmp/.X11-unix
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+nogroups
+noroot
+seccomp
+shell none
+
+private-bin cin
+private-dev
+private-etc fonts,pulse
+
+noexec /home
+noexec /tmp
diff --git a/etc/fetchmail.profile b/etc/fetchmail.profile
new file mode 100644
index 000000000..dc7f4abc3
--- /dev/null
+++ b/etc/fetchmail.profile
@@ -0,0 +1,31 @@
+# Firejail profile for fetchmail
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/fetchmail.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+blacklist /boot
+blacklist /media
+blacklist /mnt
+blacklist /opt
+
+# Location of your fetchmailrc - I decrypt it into /tmp/fetchmailrc
+# whitelist ${HOME}/.fetchmailrc.gpg
+whitelist ${HOME}/.procmailrc.brown
+whitelist ${HOME}/.procmailrc.gmail
+whitelist ${HOME}/Mail
+whitelist ${HOME}/scripts/fetchmail-real.sh
+whitelist /tmp/fetchmailrc
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+nogroups
+noroot
+nosound
+seccomp
+x11 none
+
+# private-bin fetchmail,procmail,bash,chmod
+private-dev
+# private-etc passwd,hosts,resolv.conf
diff --git a/etc/freecad.profile b/etc/freecad.profile
new file mode 100644
index 000000000..0467edb6d
--- /dev/null
+++ b/etc/freecad.profile
@@ -0,0 +1,36 @@
+# Firejail profile for freecad
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/freecad.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+blacklist /boot
+blacklist /media
+blacklist /mnt
+blacklist /opt
+blacklist /usr/local/bin
+blacklist /usr/local/sbin
+
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.config/FreeCAD
+whitelist ${HOME}/Documents
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+nogroups
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+
+private-bin freecad,freecadcmd
+private-dev
+private-etc fonts,passwd,alternatives,X11
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/freecadcmd.profile b/etc/freecadcmd.profile
new file mode 100644
index 000000000..41cfd3fab
--- /dev/null
+++ b/etc/freecadcmd.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for freecad
+# This file is overwritten after every install/update
+
+
+include ${HOME}/.config/firejail/freecad.profile
diff --git a/etc/google-earth.profile b/etc/google-earth.profile
new file mode 100644
index 000000000..a339402e2
--- /dev/null
+++ b/etc/google-earth.profile
@@ -0,0 +1,32 @@
+# Firejail profile for google-earth
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/google-earth.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+blacklist /boot
+blacklist /media
+blacklist /mnt
+
+whitelist ${HOME}/.config/Google
+whitelist ${HOME}/.googleearth/Cache/
+whitelist ${HOME}/.googleearth/Temp/
+whitelist ${HOME}/.googleearth/myplaces.backup.kml
+whitelist ${HOME}/.googleearth/myplaces.kml
+whitelist /tmp/.X11-unix
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+nogroups
+noroot
+seccomp
+shell none
+
+private-bin google-earth,sh,grep,sed,ls,dirname
+private-dev
+private-etc fonts,resolv.conf,X11,alternatives,pulse
+
+noexec /home
+noexec /tmp
diff --git a/etc/imagej.profile b/etc/imagej.profile
new file mode 100644
index 000000000..4404cc9a2
--- /dev/null
+++ b/etc/imagej.profile
@@ -0,0 +1,34 @@
+# Firejail profile for imagej
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/imagej.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+blacklist /boot
+blacklist /media
+blacklist /mnt
+blacklist /opt
+blacklist /usr/local/bin
+blacklist /usr/local/sbin
+
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.gtkrc-2.0
+whitelist ${HOME}/.gtkrc.mine
+whitelist ${HOME}/.imagej
+whitelist ${HOME}/.themes
+whitelist ${HOME}/Pictures
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+nogroups
+nonewprivs
+noroot
+seccomp
+
+private-bin imagej,bash,grep,sort,tail,tr,cut,whoami,hostname,uname,mkdir,ls,touch,free,awk,update-java-alternatives,basename,xprop,rm,ln
+private-dev
+# private-etc passwd,alternatives,hosts,fonts,X11
+private-tmp
diff --git a/etc/kdenlive.profile b/etc/kdenlive.profile
new file mode 100644
index 000000000..b982bd045
--- /dev/null
+++ b/etc/kdenlive.profile
@@ -0,0 +1,32 @@
+# Firejail profile for kdenlive
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/kdenlive.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+blacklist /boot
+blacklist /media
+blacklist /mnt
+blacklist /opt
+
+# Apparently these break kdenlive for some people - they work for me though?
+# whitelist ${DOWNLOADS}
+# whitelist ${HOME}/.config/
+# whitelist ${HOME}/Videos
+# whitelist ${HOME}/kdenlive
+whitelist /tmp/.X11-unix
+# DBus is forced to use an ordinary unix socket
+whitelist /tmp/dbus_session_socket
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+net none
+nogroups
+noroot
+seccomp
+shell none
+
+private-bin kdenlive,kdenlive_render,dbus-launch,melt,ffmpeg,ffplay,ffprobe,dvdauthor,genisoimage,vlc,xine,kdeinit5,kshell5,kdeinit5_shutdown,kdeinit5_wrapper,kdeinit4,kshell4,kdeinit4_shutdown,kdeinit4_wrapper
+private-dev
+private-etc fonts,alternatives,X11,pulse,passwd
diff --git a/etc/linphone.profile b/etc/linphone.profile
new file mode 100644
index 000000000..850fcb320
--- /dev/null
+++ b/etc/linphone.profile
@@ -0,0 +1,22 @@
+# Firejail profile for linphone
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/linphone.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+blacklist /boot
+blacklist /media
+blacklist /mnt
+blacklist /opt
+
+whitelist ${HOME}/.gtkrc-2.0
+whitelist ${HOME}/.gtkrc.mine
+whitelist ${HOME}/.linphone-history.db
+whitelist ${HOME}/.linphonerc
+whitelist ${HOME}/Downloads
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+noroot
+seccomp
diff --git a/etc/lmms.profile b/etc/lmms.profile
new file mode 100644
index 000000000..8ac039cc0
--- /dev/null
+++ b/etc/lmms.profile
@@ -0,0 +1,32 @@
+# Firejail profile for lmms
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/lmms.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+blacklist /boot
+blacklist /media
+blacklist /mnt
+blacklist /opt
+
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.lmmsrc.xml
+whitelist ${HOME}/Music
+whitelist ${HOME}/lmms
+whitelist /tmp/.X11-unix
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+nogroups
+noroot
+seccomp
+shell none
+
+private-dev
+private-etc fonts,pulse
+
+noexec /home
+noexec /tmp
diff --git a/etc/macrofusion.profile b/etc/macrofusion.profile
new file mode 100644
index 000000000..287a5ea85
--- /dev/null
+++ b/etc/macrofusion.profile
@@ -0,0 +1,28 @@
+# Firejail profile for macrofusion
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/macrofusion.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.config/gtk-3.0
+whitelist ${HOME}/.config/mfusion
+whitelist ${HOME}/.themes
+whitelist ${HOME}/Pictures
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+nogroups
+nonewprivs
+noroot
+seccomp
+shell none
+
+private-bin python3,macrofusion,env,enfuse,exiftool,align_image_stack
+private-dev
+private-etc fonts
+private-tmp
diff --git a/etc/mpd.profile b/etc/mpd.profile
new file mode 100644
index 000000000..44baab7e9
--- /dev/null
+++ b/etc/mpd.profile
@@ -0,0 +1,26 @@
+# Firejail profile for mpd
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/mpd.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+blacklist /boot
+blacklist /media
+blacklist /mnt
+blacklist /opt
+
+whitelist ${HOME}/.config/pulse/
+whitelist ${HOME}/.mpdconf
+whitelist ${HOME}/.pulse/
+whitelist ${HOME}/Music
+whitelist ${HOME}/mpd
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+noroot
+seccomp
+
+private-bin mpd,bash
+private-dev
+read-only ${HOME}/Music/
diff --git a/etc/natron.profile b/etc/natron.profile
new file mode 100644
index 000000000..6101d1331
--- /dev/null
+++ b/etc/natron.profile
@@ -0,0 +1,34 @@
+# Firejail profile for natron
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/natron.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+# Contributed by triceratops1 (https://github.com/triceratops1)
+
+blacklist /boot
+blacklist /media
+blacklist /mnt
+blacklist /usr/local/bin
+blacklist /usr/local/sbin
+
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.Natron
+whitelist ${HOME}/.cache/INRIA/Natron/
+whitelist ${HOME}/.config/INRIA/
+whitelist ${HOME}/.gtkrc-2.0
+whitelist ${HOME}/.themes
+whitelist ${HOME}/Videos
+whitelist /opt/natron/
+whitelist /tmp/.X11-unix/
+include /etc/firejail/whitelist-common.inc
+
+ipc-namespace
+shell none
+
+private-bin natron
+private-etc fonts,X11,pulse
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/ricochet.profile b/etc/ricochet.profile
new file mode 100644
index 000000000..47b16b30e
--- /dev/null
+++ b/etc/ricochet.profile
@@ -0,0 +1,30 @@
+# Firejail profile for ricochet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/ricochet.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+blacklist /boot
+blacklist /media
+blacklist /mnt
+blacklist /opt
+
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.local/share/Ricochet
+whitelist /tmp/.X11-unix
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+nogroups
+noroot
+seccomp
+shell none
+
+private-bin ricochet,tor
+private-dev
+private-etc fonts,tor,X11,alternatives
+
+noexec /home
+noexec /tmp
diff --git a/etc/shotcut.profile b/etc/shotcut.profile
new file mode 100644
index 000000000..2bf3cc2e0
--- /dev/null
+++ b/etc/shotcut.profile
@@ -0,0 +1,28 @@
+# Firejail profile for shotcut
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/shotcut.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+blacklist /usr/local/bin
+
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.config/Meltytech
+whitelist ${HOME}/Videos
+whitelist /tmp/.X11-unix
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+net none
+nogroups
+noroot
+seccomp
+shell none
+
+private-bin shotcut,melt,qmelt,nice
+private-dev
+private-etc X11,alternatives,pulse,fonts
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/tor-browser-en.profile b/etc/tor-browser-en.profile
new file mode 100644
index 000000000..1f0b61c75
--- /dev/null
+++ b/etc/tor-browser-en.profile
@@ -0,0 +1,41 @@
+# Firejail profile for tor-browser-en
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/tor-browser-en.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+blacklist /boot
+blacklist /media
+blacklist /mnt
+blacklist /opt
+blacklist /usr/local/bin
+blacklist /var
+
+whitelist ${HOME}/.tor-browser-en
+whitelist /dev/dri
+whitelist /dev/full
+whitelist /dev/null
+whitelist /dev/ptmx
+whitelist /dev/pts
+whitelist /dev/random
+whitelist /dev/shm
+whitelist /dev/snd
+whitelist /dev/tty
+whitelist /dev/urandom
+whitelist /dev/video0
+whitelist /dev/zero
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+noroot
+seccomp
+shell none
+
+private-bin bash,grep,sed,tail,tor-browser-en,env,id,readlink,dirname,test,mkdir,ln,sed,cp,rm,getconf,file,expr
+# FIXME: Spoof D-Bus machine id (tor-browser segfaults when it is missing!)
+# https://github.com/netblue30/firejail/issues/955
+private-etc X11,pulse,machine-id
+private-tmp
+
+noexec /tmp
diff --git a/etc/tor.profile b/etc/tor.profile
new file mode 100644
index 000000000..2e2172cad
--- /dev/null
+++ b/etc/tor.profile
@@ -0,0 +1,38 @@
+# Firejail profile for tor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/tor.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+# How to use:
+# Create a script called anything (e.g. mytor)
+# with the following contents:
+# #!/bin/bash
+# TORCMD="tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 1"
+# sudo -b daemon -f -d -- firejail --profile=/home/<username>/.config/firejail/tor.profile $TORCMD
+
+# You'll also likely want to disable the system service (if it exists)
+# Run mytor (or whatever you called the script above) whenever you want to start tor
+
+blacklist /boot
+blacklist /media
+blacklist /mnt
+blacklist /opt
+
+caps.keep setuid,setgid,net_bind_service,dac_read_search
+ipc-namespace
+no3d
+nogroups
+nonewprivs
+nosound
+seccomp
+shell none
+writable-var
+x11 none
+
+private
+private-bin tor,bash
+private-dev
+private-etc tor,passwd
+private-tmp
diff --git a/etc/x-terminal-emulator.profile b/etc/x-terminal-emulator.profile
new file mode 100644
index 000000000..eb4c58480
--- /dev/null
+++ b/etc/x-terminal-emulator.profile
@@ -0,0 +1,25 @@
+# Firejail profile for x-terminal-emulator
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/x-terminal-emulator.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+whitelist /tmp/.X11-unix/X470
+whitelist /tmp/fcitx-socket-:0
+whitelist /tmp/user/1000/
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+env DISPLAY=:470
+ipc-namespace
+net none
+netfilter
+nogroups
+noroot
+seccomp
+
+private-dev
+
+noexec /tmp
diff --git a/etc/zart.profile b/etc/zart.profile
new file mode 100644
index 000000000..654679174
--- /dev/null
+++ b/etc/zart.profile
@@ -0,0 +1,27 @@
+# Firejail profile for zart
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/zart.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+# Contributed by triceratops1 (https://github.com/triceratops1)
+
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/Videos
+whitelist /tmp/.X11-unix
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+noroot
+seccomp
+shell none
+
+private-bin zart,ffmpeg,melt,ffprobe,ffplay
+private-dev
+private-etc fonts,X11
+
+noexec ${HOME}
+noexec /tmp