227 files changed, 1499 insertions, 828 deletions
diff --git a/Makefile.in b/Makefile.in
index 0cbbb374c..af57f7d2c 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -121,6 +121,7 @@ endif
        install -c -m 0644 COPYING $(DESTDIR)/$(DOCDIR)/.
        install -c -m 0644 README $(DESTDIR)/$(DOCDIR)/.
        install -c -m 0644 RELNOTES $(DESTDIR)/$(DOCDIR)/.
+        install -c -m 0644 etc/templates/* $(DESTDIR)/$(DOCDIR)/.
        # etc files
        ./mketc.sh $(sysconfdir) $(BUSYBOX_WORKAROUND)
        install -m 0755 -d $(DESTDIR)/$(sysconfdir)/firejail
diff --git a/README b/README
index 1bb84e8df..d6cf5389b 100644
--- a/README
+++ b/README
@@ -97,6 +97,9 @@ announ (https://github.com/announ)
 Antonio Russo (https://github.com/aerusso)
        - enumerate root directories in apparmor profile
        - fix join-or-start
+Austin Morton
+        - deterministic-exit-code option
+        - private-cwd options
 Austin S. Hemmelgarn (https://github.com/Ferroin)
        - unbound profile update
 avoidr (https://github.com/avoidr)
@@ -176,6 +179,8 @@ curiosity-seeker (https://github.com/curiosity-seeker)
        - write-protection for thumbnailer dir
        - added gramps, newsboat, freeoffice-planmaker profiles
        - added freeoffice-textmaker, freeoffice-presentations profiles
+        - added cantata profile
+        - updated keypassxc profile
 da2x (https://github.com/da2x)
        - matched RPM license tag
 Daan Bakker (https://github.com/dbakker)
@@ -304,6 +309,8 @@ greigdp (https://github.com/greigdp)
        - fixed spotify profile
        - added Slack profile
        - add Spotify profile
+grizzlyuser (https://github.com/grizzlyuser)
+        - added support for youtube-dl in smplayer profile
 GSI (https://github.com/GSI)
        - added Uzbl browser profile
 hamzadis (https://github.com/hamzadis)
@@ -353,6 +360,7 @@ Jean Lucas (https://github.com/flacks)
        - fix wire profile
        - add Beaker profile
        - fixes for gnome-music
+        - allow reading of system-wide Flatpak locale in gajim profile
 Jericho (https://github.com/attritionorg)
        - spelling
 Jesse Smith (https://github.com/slicer69)
@@ -368,6 +376,8 @@ John Mullee (https://github.com/jmullee)
 Jonas Heinrich (https://github.com/onny)
        - added signal-desktop profile
        - fixed franz profile
+Jose Riha (https://github.com/jose1711)
+        - added meteo-qt profile
 jrabe (https://github.com/jrabe)
        - disallow access to kdbx files
        - Epiphany profile
@@ -516,6 +526,7 @@ pwnage-pineapple (https://github.com/pwnage-pineapple)
 Quentin Minster (https://github.com/laomaiweng)
        - propagate --quiet to children Firejail'ed processes
        - nodbus enhancements/bugfixes
+        - added vim syntax and ftdetect files
 Rafael Cavalcanti (https://github.com/rccavalcanti)
        - chromium profile fixes for Arch Linux
 Rahiel Kasim (https://github.com/rahiel)
@@ -554,22 +565,10 @@ rusty-snake (https://github.com/rusty-snake)
        - added profiles: gajim-history-manager, freemind, nomacs, kid3
        - added profiles: kid3-qt, kid3-cli, anki, utox, mp3splt, mp3wrap
        - added profiles: oggsplt, flacsplt, cheese, inkview, mp3splt-gtk
-        - fixed profiles: kdenlive, bibletime, rhythmbox, gajim, seahorse
+        - added profiles: ktouch, yelp
-        - fixed profiles: libreoffice, gnome-maps, wget, seahorse-tool
+        - many profile fixing and hardening
-        - fixed profiles: gnome-logs, atom, brackets, gnome-builder, geany
-        - fixed profiles: vim, emacs, pycharm-community, gedit, klavaro
-        - fixed profiles: default, mpv, authenticator, gramps, webstorm
-        - fixed profiles: freeoffice-planmaker, freeoffice-presentations
-        - fixed profiles: freeoffice-textmaker, code, newsboat, aosp, clion
-        - fixed profiles: android-studio, git, gitg, github-desktop, idea.sh
-        - fixed profiles: ffmpeg, thunderbird, gnome-system-log, file-roller
-        - fixed profiles: eog, eom, xiphos
-        - hardened profiles: disable-common.inc, disable-programs.inc
-        - hardened profiles: gajim, evince, ffmpeg, feh-network.inc, qtox
-        - hardened profiles: gnome-clocks, meld, minetest, youtube-dl
-        - hardened profiles: bibletime, whois, etr, display, feh, mpv, xiphos
-        - gnome-mpv was renamed to celluloid
        - some typo fixes
+        - added profile templates
 Salvo 'LtWorf' Tomaselli (https://github.com/ltworf)
        - fixed ktorrent profile
 sarneaud (https://github.com/sarneaud)
@@ -753,6 +752,8 @@ veloute (https://github.com/veloute)
        - add anki profile
 Vincent43 (https://github.com/Vincent43)
        - apparmor enhancements
+Vincent Blillault (https://github.com/Feandil)
+        - fix mumble profile
 vismir2 (https://github.com/vismir2)
        - feh, ranger, 7z, keepass, keepassx and zathura profiles
        - claws-mail, mutt, git, emacs, vim profiles
diff --git a/README.md b/README.md
index f6e4ead8c..b1e867f84 100644
--- a/README.md
+++ b/README.md
@@ -33,6 +33,10 @@ FAQ: https://firejail.wordpress.com/support/
 Travis-CI status: https://travis-ci.org/netblue30/firejail
+## Security vulnerabilities
+We take security bugs very seriously. If you believe you have found one, please report it by emailing us at netblue30@yahoo.com
 ## Compile and install
 `````
 $ git clone https://github.com/netblue30/firejail.git
@@ -95,18 +99,16 @@ If you keep additional Firejail security profiles in a public repository, please
 Use this issue to request new profiles: [#1139](https://github.com/netblue30/firejail/issues/1139)
-We also keep a list of profile fixes for previous released versions in [etc-fixes](https://github.com/netblue30/firejail/tree/master/etc-fixes) directory .
+You can also use this tool to get a list of syscalls needed by a program: [https://github.com/avilum/syscalls](https://github.com/avilum/syscalls).
+We also keep a list of profile fixes for previous released versions in [etc-fixes](https://github.com/netblue30/firejail/tree/master/etc-fixes) directory.
 `````
 `````
-## Current development version: 0.9.60-rc2
+## Latest released version: 0.9.60
-## 0.9.60-rc1 is out!
+## Current development version: 0.9.61
 ## New profiles:
-anki, assogiate, autokey-gtk, autokey-qt, autokey-run, autokey-shell, bzflag, celluoid, cheese, code-oss, crawl, crawl-tiles, crow, d-feet, dconf,
-dconf-editor, devhelp, exfalso, font-manager, freeciv, freecol, freeoffice-planmaker, freeoffice-presentations, freeoffice-textmaker, freemind,
+klatexformula, klatexformula_cmdl, links, pandoc, qgis, xlinks
-gconf-editor, geekbench, gnome-keyring, gnome-nettool, gnome-system-log, gramps, gsettings, inkview kid3, kid3-cli, kid3-qt, lincity-ng, lugaru,
-Maelstrom, manaplus, megaglest, mp3splt-gtk, mpdris2, mypaint, nano, netactview, newsboat, nomacs, nyx, opencity, openclonk, openttd, ostrichriders, pavucontrol,
-pioneer, pragha, redshift, regextester, seahorse, seahorse-tool, scorched3d, secret-tool, simplescreenrecorder, slashem, subdownloader, sysprof,
-sysprof-cli, teeworlds, torcs, tremulous, transgui, utox, vulturesclaw, vultureseye, warsow, widelands, xfce4-mixer
diff --git a/RELNOTES b/RELNOTES
index 32a98b8e3..167a1a60f 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,4 +1,21 @@
-firejail (0.9.60~rc2) baseline; urgency=low
+firejail (0.9.61) baseline; urgency=low
+  * work in progress
+  * profile templates
+  * new profiles: qgis, klatexformula, klatexformula_cmdl, links, xlinks
+  * new profiles: pandoc
+ -- netblue30 <netblue30@yahoo.com>  Sat, 1 Jun 2019 08:00:00 -0500
+firejail (0.9.60) baseline; urgency=low
+  * security bug reported by Austin Morton:
+    Seccomp filters are copied into /run/firejail/mnt, and are writable
+    within the jail. A malicious process can modify files from inside the
+    jail. Processes that are later joined to the jail will not have seccomp
+    filters applied.
+  * memory-deny-write-execute now also blocks memfd_create
+  * add private-cwd option to control working directory within jail
+  * blocking system D-Bus socket with --nodbus
+  * bringing back Centos 6 support
+  * drop support for flatpak/snap packages
  * new profiles: crow, nyx, mypaint, celluoid, nano, transgui, mpdris2
  * new profiles: sysprof, simplescreenrecorder, geekbench, xfce4-mixer
  * new profiles: pavucontrol, d-feet, seahorse, secret-tool, gnome-keyring
@@ -15,10 +32,8 @@ firejail (0.9.60~rc2) baseline; urgency=low
  * new profiles: oggsplt, flacsplt, gramps, newsboat, freeoffice-planmaker
  * new profiles: autokey-gtk, autokey-qt, autokey-run, autokey-shell
  * new profiles: freeoffice-presentations, freeoffice-textmaker, mp3wrap
-  * new profiles: inkview, mp3splt-gtk
+  * new profiles: inkview, meteo-qt, mp3splt-gtk, ktouch, yelp, cantata
-  * memory-deny-write-execute now also blocks memfd_create
+ -- netblue30 <netblue30@yahoo.com>  Sun, 26 May 2019 08:00:00 -0500
-  * drop support for flatpak/snap packages
- -- netblue30 <netblue30@yahoo.com>  Sun, 21 Apr 2019 08:00:00 -0500
 firejail (0.9.58,2) baseline; urgency=low
  * cgroup flag in /etc/firejail/firejail.config file
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 000000000..96da4aff7
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,23 @@
+# Security Policy
+## Supported Versions
+| Version | Supported by us    | EOL  | Supported by distribution |
+| ------- | ------------------ | ---- | ---------------------------
+| 0.9.60  | :heavy_check_mark: |      | :white_check_mark: Debian experimental
+| 0.9.58  |:heavy_check_mark:  |      | :white_check_mark: Ubuntu 19.04 & 19.10; Debian 9 (**backports**), 10, & Sid
+| 0.9.56  | :x:                | 27 Jan 2019 |
+| 0.9.54  | :x:                |      | :white_check_mark: Ubuntu 18.10
+| 0.9.52  | :x:                |      | :white_check_mark: Ubuntu 18.04 LTS
+| 0.9.50  | :x:                | 12 Dec 2017 |
+| 0.9.48  | :x:                | 09 Sep 2017 |
+| 0.9.46  | :x:                | 12 Jun 2017 |
+| 0.9.44  | :x:                |      | :white_check_mark: Debian 9
+| 0.9.42  | :x:                | 22 Oct 2016     |
+| 0.9.40  | :x:                | 09 Sep 2016     |
+| 0.9.38  | :x:                |      | :white_check_mark: Ubuntu 16.04 LTS
+| <0.9.38 | :x:                | Before 05 Feb 2016 |
+## Security vulnerabilities
+We take security bugs very seriously. If you believe you have found one, please report it by emailing us at netblue30@yahoo.com
diff --git a/configure b/configure
index 0eece5428..d47e0cbb0 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for firejail 0.9.60~rc2.
+# Generated by GNU Autoconf 2.69 for firejail 0.9.61.
 #
 # Report bugs to <netblue30@yahoo.com>.
 #
@@ -580,8 +580,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='firejail'
 PACKAGE_TARNAME='firejail'
-PACKAGE_VERSION='0.9.60~rc2'
+PACKAGE_VERSION='0.9.61'
-PACKAGE_STRING='firejail 0.9.60~rc2'
+PACKAGE_STRING='firejail 0.9.61'
 PACKAGE_BUGREPORT='netblue30@yahoo.com'
 PACKAGE_URL='https://firejail.wordpress.com'
@@ -1275,7 +1275,7 @@ if test "$ac_init_help" = "long"; then
  # Omit some internal or obsolete options to make the list less imposing.
  # This message is too long to be a string in the A/UX 3.1 sh.
  cat <<_ACEOF
-\`configure' configures firejail 0.9.60~rc2 to adapt to many kinds of systems.
+\`configure' configures firejail 0.9.61 to adapt to many kinds of systems.
 Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1337,7 +1337,7 @@ fi
 if test -n "$ac_init_help"; then
  case $ac_init_help in
-     short | recursive ) echo "Configuration of firejail 0.9.60~rc2:";;
+     short | recursive ) echo "Configuration of firejail 0.9.61:";;
   esac
  cat <<\_ACEOF
@@ -1442,7 +1442,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
  cat <<\_ACEOF
-firejail configure 0.9.60~rc2
+firejail configure 0.9.61
 generated by GNU Autoconf 2.69
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -1744,7 +1744,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
-It was created by firejail $as_me 0.9.60~rc2, which was
+It was created by firejail $as_me 0.9.61, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
  $ $0 $@
@@ -4379,7 +4379,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by firejail $as_me 0.9.60~rc2, which was
+This file was extended by firejail $as_me 0.9.61, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
  CONFIG_FILES    = $CONFIG_FILES
@@ -4433,7 +4433,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-firejail config.status 0.9.60~rc2
+firejail config.status 0.9.61
 configured by $0, generated by GNU Autoconf 2.69,
  with options \\"\$ac_cs_config\\"
diff --git a/configure.ac b/configure.ac
index 4d0b847f5..40ead1604 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,5 +1,5 @@
 AC_PREREQ([2.68])
-AC_INIT(firejail, 0.9.60~rc2, netblue30@yahoo.com, , https://firejail.wordpress.com)
+AC_INIT(firejail, 0.9.61, netblue30@yahoo.com, , https://firejail.wordpress.com)
 AC_CONFIG_SRCDIR([src/firejail/main.c])
 #AC_CONFIG_HEADERS([config.h])
diff --git a/etc-fixes/seccomp-join-bug/README b/etc-fixes/seccomp-join-bug/README
new file mode 100644
index 000000000..9f85a0e00
--- /dev/null
+++ b/etc-fixes/seccomp-join-bug/README
@@ -0,0 +1,11 @@
+These are patches for various Firejail versions for the security bug reported by Austin Morton
+on May 21, 2019:
+    Seccomp filters are copied into /run/firejail/mnt, and are writable
+    within the jail. A malicious process can modify files from inside the
+    jail. Processes that are later joined to the jail will not have seccomp
+    filters applied.
+The original discussion thread: https://github.com/netblue30/firejail/issues/2718
+The fix on mainline: https://github.com/netblue30/firejail/commit/eecf35c2f8249489a1d3e512bb07f0d427183134
diff --git a/etc-fixes/seccomp-join-bug/eecf35c-backports.zip b/etc-fixes/seccomp-join-bug/eecf35c-backports.zip
new file mode 100644
index 000000000..59782461e
--- /dev/null
+++ b/etc-fixes/seccomp-join-bug/eecf35c-backports.zip
Binary files differ
diff --git a/etc/7z.profile b/etc/7z.profile
index 44ab377b3..ee2b493f8 100644
--- a/etc/7z.profile
+++ b/etc/7z.profile
@@ -4,23 +4,34 @@ quiet
 # Persistent local customizations
 include 7z.local
 # Persistent global definitions
-# added by included profile
+include globals.local
-#include globals.local
 blacklist /tmp/.X11-unix
-ignore noroot
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+caps.drop all
+ipc-namespace
+machine-id
 net none
 no3d
 nodbus
 nodvd
+#nogroups
+nonewprivs
+#noroot
 nosound
 notv
 nou2f
 novideo
+protocol unix
+seccomp
 shell none
 tracelog
 private-dev
-include default.profile
diff --git a/etc/JDownloader.profile b/etc/JDownloader.profile
index d1bd5c9b2..1435f3422 100644
--- a/etc/JDownloader.profile
+++ b/etc/JDownloader.profile
@@ -5,14 +5,10 @@ include JDownloader.local
 # Persistent global definitions
 include globals.local
 noblacklist ${HOME}/.jd
-# Allow access to java
+# Allow java (blacklisted by disable-devel.inc)
-noblacklist ${PATH}/java
+include allow-java.inc
-noblacklist /usr/lib/java
-noblacklist /etc/java
-noblacklist /usr/share/java
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/Mathematica.profile b/etc/Mathematica.profile
index 6aba2678b..c2734b1c1 100644
--- a/etc/Mathematica.profile
+++ b/etc/Mathematica.profile
@@ -16,6 +16,7 @@ include disable-programs.inc
 mkdir ${HOME}/.Mathematica
 mkdir ${HOME}/.Wolfram Research
+mkdir ${HOME}/Documents/Wolfram Mathematica
 whitelist ${HOME}/.Mathematica
 whitelist ${HOME}/.Wolfram Research
 whitelist ${HOME}/Documents/Wolfram Mathematica
diff --git a/etc/Viber.profile b/etc/Viber.profile
index 3f3ee8590..40358aa87 100644
--- a/etc/Viber.profile
+++ b/etc/Viber.profile
@@ -5,7 +5,6 @@ include Viber.local
 # Persistent global definitions
 include globals.local
 noblacklist ${HOME}/.ViberPC
 include disable-common.inc
@@ -15,6 +14,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+mkdir ${HOME}/.ViberPC
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.ViberPC
 include whitelist-common.inc
@@ -36,5 +36,4 @@ private-bin sh,bash,dig,awk,Viber
 private-etc hosts,fonts,mailcap,resolv.conf,X11,pulse,alternatives,localtime,nsswitch.conf,ssl,proxychains.conf,pki,ca-certificates,crypto-policies,machine-id,asound.conf
 private-tmp
 env QTWEBENGINE_DISABLE_SANDBOX=1
diff --git a/etc/Xephyr.profile b/etc/Xephyr.profile
index d9b7f8c26..230a88472 100644
--- a/etc/Xephyr.profile
+++ b/etc/Xephyr.profile
@@ -7,16 +7,13 @@ include globals.local
 #
 # This profile will sandbox Xephyr server itself when used with firejail --x11=xephyr.
-# To enable it, create a firejail-Xephyr  symlink in /usr/local/bin:
+# To enable it, create a firejail-Xephyr symlink in /usr/local/bin:
 #
 #    $ sudo ln -s /usr/bin/firejail /usr/local/bin/Xephyr
 #
 # or run "sudo firecfg"
 #
-blacklist /media
 whitelist /var/lib/xkb
 include whitelist-common.inc
@@ -34,10 +31,11 @@ protocol unix
 seccomp
 shell none
+disable-mnt
 # using a private home directory
 private
 # private-bin Xephyr,sh,xkbcomp
 # private-bin Xephyr,sh,xkbcomp,strace,bash,cat,ls
 private-dev
 # private-etc alternatives,ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname
-private-tmp
+#private-tmp
diff --git a/etc/Xvfb.profile b/etc/Xvfb.profile
index ed07485d6..3580f8336 100644
--- a/etc/Xvfb.profile
+++ b/etc/Xvfb.profile
@@ -9,7 +9,7 @@ include globals.local
 #
 # This profile will sandbox Xvfb server itself when used with firejail --x11=xvfb.
 # The target program is sandboxed with its own profile. By default the this functionality
-# is disabled. To enable it, create a firejail-Xvfb  symlink in /usr/local/bin:
+# is disabled. To enable it, create a firejail-Xvfb symlink in /usr/local/bin:
 #
 #    $ sudo ln -s /usr/bin/firejail /usr/local/bin/Xvfb
 #
@@ -17,8 +17,6 @@ include globals.local
 # some Linux distributions. Also, older versions of Xpra use Xvfb.
 #
-blacklist /media
 whitelist /var/lib/xkb
 include whitelist-common.inc
@@ -36,6 +34,7 @@ protocol unix
 seccomp
 shell none
+disable-mnt
 # using a private home directory
 private
 # private-bin Xvfb,sh,xkbcomp
diff --git a/etc/allow-java.inc b/etc/allow-java.inc
new file mode 100644
index 000000000..c6ab3b2eb
--- /dev/null
+++ b/etc/allow-java.inc
@@ -0,0 +1,4 @@
+noblacklist ${PATH}/java
+noblacklist /usr/lib/java
+noblacklist /etc/java
+noblacklist /usr/share/java
diff --git a/etc/allow-lua.inc b/etc/allow-lua.inc
new file mode 100644
index 000000000..51d76f9b1
--- /dev/null
+++ b/etc/allow-lua.inc
@@ -0,0 +1,4 @@
+noblacklist ${PATH}/lua*
+noblacklist /usr/include/lua*
+noblacklist /usr/lib/lua
+noblacklist /usr/share/lua
diff --git a/etc/allow-perl.inc b/etc/allow-perl.inc
new file mode 100644
index 000000000..d37328936
--- /dev/null
+++ b/etc/allow-perl.inc
@@ -0,0 +1,7 @@
+noblacklist ${PATH}/cpan*
+noblacklist ${PATH}/core_perl
+noblacklist ${PATH}/perl
+noblacklist ${PATH}/site_perl
+noblacklist ${PATH}/vendor_perl
+noblacklist /usr/lib/perl*
+noblacklist /usr/share/perl*
diff --git a/etc/allow-python2.inc b/etc/allow-python2.inc
new file mode 100644
index 000000000..8ea61648b
--- /dev/null
+++ b/etc/allow-python2.inc
@@ -0,0 +1,5 @@
+noblacklist ${PATH}/python2*
+noblacklist /usr/include/python2*
+noblacklist /usr/lib/python2*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/share/python2*
diff --git a/etc/allow-python3.inc b/etc/allow-python3.inc
new file mode 100644
index 000000000..91c7ffca4
--- /dev/null
+++ b/etc/allow-python3.inc
@@ -0,0 +1,5 @@
+noblacklist ${PATH}/python3*
+noblacklist /usr/include/python3*
+noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python3*
+noblacklist /usr/share/python3*
diff --git a/etc/amule.profile b/etc/amule.profile
index 7cb2130bb..feb4a5e7e 100644
--- a/etc/amule.profile
+++ b/etc/amule.profile
@@ -6,7 +6,6 @@ include amule.local
 # Persistent global definitions
 include globals.local
 noblacklist ${HOME}/.aMule
 include disable-common.inc
@@ -16,6 +15,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+mkdir ${HOME}/.aMule
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.aMule
 include whitelist-common.inc
diff --git a/etc/anki.profile b/etc/anki.profile
index 6ab95dd52..d50c720f7 100644
--- a/etc/anki.profile
+++ b/etc/anki.profile
@@ -10,12 +10,8 @@ noblacklist ${DOCUMENTS}
 noblacklist ${HOME}/.local/share/Anki2
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
@@ -25,6 +21,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
+mkdir ${HOME}/.local/share/Anki2
 whitelist ${DOCUMENTS}
 whitelist ${HOME}/.local/share/Anki2
 include whitelist-common.inc
diff --git a/etc/arduino.profile b/etc/arduino.profile
index 2ea8445fe..26bd3d0a7 100644
--- a/etc/arduino.profile
+++ b/etc/arduino.profile
@@ -11,11 +11,8 @@ noblacklist ${HOME}/.java
 noblacklist ${HOME}/Arduino
 noblacklist ${DOCUMENTS}
-# Allow access to java
+# Allow java (blacklisted by disable-devel.inc)
-noblacklist ${PATH}/java
+include allow-java.inc
-noblacklist /usr/lib/java
-noblacklist /etc/java
-noblacklist /usr/share/java
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/arm.profile b/etc/arm.profile
index ae93e9665..dd3fa190a 100644
--- a/etc/arm.profile
+++ b/etc/arm.profile
@@ -9,12 +9,8 @@ include globals.local
 noblacklist ${HOME}/.arm
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/assogiate.profile b/etc/assogiate.profile
index 6a9848e83..02a4798f4 100644
--- a/etc/assogiate.profile
+++ b/etc/assogiate.profile
@@ -7,7 +7,6 @@ include assogiate.local
 include globals.local
 noblacklist ${PICTURES}
-whitelist ${PICTURES}
 include disable-common.inc
 include disable-devel.inc
@@ -16,6 +15,8 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
+whitelist ${PICTURES}
 include whitelist-common.inc
 include whitelist-var-common.inc
diff --git a/etc/atool.profile b/etc/atool.profile
index b17498e9d..3df32baac 100644
--- a/etc/atool.profile
+++ b/etc/atool.profile
@@ -7,14 +7,10 @@ include atool.local
 # Persistent global definitions
 include globals.local
-blacklist /tmp/.X11-unix
 # Allow perl (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/cpan*
+include allow-perl.inc
-noblacklist ${PATH}/core_perl
-noblacklist ${PATH}/perl
+blacklist /tmp/.X11-unix
-noblacklist /usr/lib/perl*
-noblacklist /usr/share/perl*
 include disable-common.inc
 # include disable-devel.inc
diff --git a/etc/authenticator.profile b/etc/authenticator.profile
index e08dc12eb..39546112e 100644
--- a/etc/authenticator.profile
+++ b/etc/authenticator.profile
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.cache/Authenticator
 noblacklist ${HOME}/.config/Authenticator
 # Allow python (blacklisted by disable-interpreters.inc)
-#noblacklist ${PATH}/python2*
+#include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-#noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-#noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/autokey-common.profile b/etc/autokey-common.profile
index 44c0a3c15..47396fe43 100644
--- a/etc/autokey-common.profile
+++ b/etc/autokey-common.profile
@@ -10,14 +10,8 @@ noblacklist ${HOME}/.config/autokey
 noblacklist ${HOME}/.local/share/autokey
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
-noblacklist /usr/share/python2*
-noblacklist /usr/share/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/baobab.profile b/etc/baobab.profile
index fc4e7f268..893865edd 100644
--- a/etc/baobab.profile
+++ b/etc/baobab.profile
@@ -33,4 +33,4 @@ private-bin baobab
 private-dev
 private-tmp
-#memory-deny-write-execute  - breaks on Arch
+#memory-deny-write-execute - breaks on Arch
diff --git a/etc/basilisk.profile b/etc/basilisk.profile
index 5f9fc8ef7..5bc91dc74 100644
--- a/etc/basilisk.profile
+++ b/etc/basilisk.profile
@@ -10,7 +10,6 @@ noblacklist ${HOME}/.moonchild productions/basilisk
 mkdir ${HOME}/.cache/moonchild productions/basilisk
 mkdir ${HOME}/.moonchild productions
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/moonchild productions/basilisk
 whitelist ${HOME}/.moonchild productions
diff --git a/etc/bibletime.profile b/etc/bibletime.profile
index c41aafd47..4f1b05c88 100644
--- a/etc/bibletime.profile
+++ b/etc/bibletime.profile
@@ -6,12 +6,12 @@ include bibletime.local
 # Persistent global definitions
 include globals.local
-blacklist ${HOME}/.bashrc
 noblacklist ${HOME}/.bibletime
 noblacklist ${HOME}/.sword
 noblacklist ${HOME}/.local/share/bibletime
+blacklist ${HOME}/.bashrc
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/bitlbee.profile b/etc/bitlbee.profile
index 2c2f88ed5..287e5f52e 100644
--- a/etc/bitlbee.profile
+++ b/etc/bitlbee.profile
@@ -33,6 +33,6 @@ private
 private-cache
 private-dev
 private-tmp
-read-write /var/lib/bitlbee
 noexec /tmp
+read-write /var/lib/bitlbee
diff --git a/etc/bitwarden.profile b/etc/bitwarden.profile
index 2a6fe9d42..609543e14 100644
--- a/etc/bitwarden.profile
+++ b/etc/bitwarden.profile
@@ -6,9 +6,10 @@ include bitwarden.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.config/Bitwarden
 ignore noexec /tmp
+noblacklist ${HOME}/.config/Bitwarden
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -17,11 +18,11 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
-include whitelist-common.inc
+mkdir ${HOME}/.config/Bitwarden
-include whitelist-var-common.inc
 whitelist ${HOME}/.config/Bitwarden
 whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-var-common.inc
 apparmor
 caps.drop all
diff --git a/etc/bleachbit.profile b/etc/bleachbit.profile
index cbc8c25d6..47c0cfa48 100644
--- a/etc/bleachbit.profile
+++ b/etc/bleachbit.profile
@@ -7,12 +7,8 @@ include bleachbit.local
 include globals.local
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/blender.profile b/etc/blender.profile
index bfe906408..6a72fb602 100644
--- a/etc/blender.profile
+++ b/etc/blender.profile
@@ -9,12 +9,8 @@ include globals.local
 noblacklist ${HOME}/.config/blender
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/brackets.profile b/etc/brackets.profile
index fa0d7e592..3e157d841 100644
--- a/etc/brackets.profile
+++ b/etc/brackets.profile
@@ -8,7 +8,7 @@ include globals.local
 noblacklist ${HOME}/.config/Brackets
 #noblacklist /opt/brackets/
 #noblacklist /opt/google/
-# Uncomment the the next two lines if you are developing rust.
+# Uncomment the next two lines if you are developing rust.
 # or put it in your brackets.local
 #noblacklist ${HOME}/.cargo/config
 #noblacklist ${HOME}/.cargo/registry
diff --git a/etc/brave-browser.profile b/etc/brave-browser.profile
index 6d9d162fd..e223ecf87 100644
--- a/etc/brave-browser.profile
+++ b/etc/brave-browser.profile
@@ -1,6 +1,5 @@
 # Firejail profile alias for brave
 # This file is overwritten after every install/update
 # Redirect
 include brave.profile
diff --git a/etc/brave.profile b/etc/brave.profile
index cc003d49a..984fab5a8 100644
--- a/etc/brave.profile
+++ b/etc/brave.profile
@@ -6,6 +6,9 @@ include brave.local
 # Persistent global definitions
 include globals.local
+# noexec /tmp is included in chromium-common.profile and breaks Brave
+ignore noexec /tmp
 noblacklist ${HOME}/.config/brave
 noblacklist ${HOME}/.config/BraveSoftware
 # brave uses gpg for built-in password manager
@@ -17,8 +20,5 @@ whitelist ${HOME}/.config/brave
 whitelist ${HOME}/.config/BraveSoftware
 whitelist ${HOME}/.gnupg
-# noexec /tmp is included in chromium-common.profile and breaks Brave
-ignore noexec /tmp
 # Redirect
 include chromium-common.profile
diff --git a/etc/caja.profile b/etc/caja.profile
index f38110dc9..2a95649af 100644
--- a/etc/caja.profile
+++ b/etc/caja.profile
@@ -14,12 +14,8 @@ noblacklist ${HOME}/.local/share/Trash
 # noblacklist ${HOME}/.local/share/caja-python
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/cantata.profile b/etc/cantata.profile
index e4a4de9c1..19abbfea2 100644
--- a/etc/cantata.profile
+++ b/etc/cantata.profile
@@ -11,9 +11,8 @@ noblacklist ${HOME}/.config/cantata
 noblacklist ${HOME}/.local/share/cantata
 noblacklist ${MUSIC}
-noblacklist ${PATH}/perl
+# Allow perl (blacklisted by disable-interpreters.inc)
-noblacklist /usr/lib/perl*
+include allow-perl.inc
-noblacklist /usr/share/perl*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/catfish.profile b/etc/catfish.profile
index 341348ff9..f615b5323 100644
--- a/etc/catfish.profile
+++ b/etc/catfish.profile
@@ -12,12 +12,8 @@ include globals.local
 noblacklist ${HOME}/.config/catfish
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 # include disable-devel.inc
diff --git a/etc/celluloid.profile b/etc/celluloid.profile
index 5604a16b9..190a49588 100644
--- a/etc/celluloid.profile
+++ b/etc/celluloid.profile
@@ -12,12 +12,8 @@ noblacklist ${MUSIC}
 noblacklist ${VIDEOS}
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/checkbashisms.profile b/etc/checkbashisms.profile
index 5afbf2d56..1bb9b1860 100644
--- a/etc/checkbashisms.profile
+++ b/etc/checkbashisms.profile
@@ -10,11 +10,7 @@ include globals.local
 noblacklist ${DOCUMENTS}
 # Allow perl (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/cpan*
+include allow-perl.inc
-noblacklist ${PATH}/core_perl
-noblacklist ${PATH}/perl
-noblacklist /usr/lib/perl*
-noblacklist /usr/share/perl*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/cherrytree.profile b/etc/cherrytree.profile
index 44ef12aa2..70dea5bd9 100644
--- a/etc/cherrytree.profile
+++ b/etc/cherrytree.profile
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.config/cherrytree
 noblacklist ${DOCUMENTS}
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/chromium.profile b/etc/chromium.profile
index dab9ce449..1c977a8ba 100644
--- a/etc/chromium.profile
+++ b/etc/chromium.profile
@@ -12,6 +12,7 @@ noblacklist ${HOME}/.config/chromium-flags.conf
 mkdir ${HOME}/.cache/chromium
 mkdir ${HOME}/.config/chromium
+mkfile ${HOME}/.config/chromium-flags.conf
 whitelist ${HOME}/.cache/chromium
 whitelist ${HOME}/.config/chromium
 whitelist ${HOME}/.config/chromium-flags.conf
diff --git a/etc/clawsker.profile b/etc/clawsker.profile
index c519ecedb..95f15398a 100644
--- a/etc/clawsker.profile
+++ b/etc/clawsker.profile
@@ -9,11 +9,7 @@ include globals.local
 noblacklist ${HOME}/.claws-mail
 # Allow perl (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/cpan*
+include allow-perl.inc
-noblacklist ${PATH}/core_perl
-noblacklist ${PATH}/perl
-noblacklist /usr/lib/perl*
-noblacklist /usr/share/perl*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/conkeror.profile b/etc/conkeror.profile
index 21bef48a4..38edf0d21 100644
--- a/etc/conkeror.profile
+++ b/etc/conkeror.profile
@@ -10,9 +10,10 @@ noblacklist ${HOME}/.conkeror.mozdev.org
 include disable-common.inc
 include disable-programs.inc
+mkdir ${HOME}/.conkeror.mozdev.org
+mkfile ${HOME}/.conkerorrc
 whitelist ${HOME}/.conkeror.mozdev.org
 whitelist ${HOME}/.conkerorrc
-whitelist ${HOME}/.gtkrc-2.0
 whitelist ${HOME}/.lastpass
 whitelist ${HOME}/.pentadactyl
 whitelist ${HOME}/.pentadactylrc
diff --git a/etc/cower.profile b/etc/cower.profile
index bc1eeedc0..69575cea4 100644
--- a/etc/cower.profile
+++ b/etc/cower.profile
@@ -1,20 +1,13 @@
 # Firejail profile for cower
+# Description: a simple AUR agent with a pretentious name
 # This file is overwritten after every install/update
-# This profile could be significantly strengthened by adding the following to cower.local
-# whitelist ${HOME}/<Your Build Folder>
-# whitelist ${HOME}/.config/cower/
 quiet
 # Persistent local customizations
 include cower.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.config/cower/config
+noblacklist ${HOME}/.config/cower
-read-only ${HOME}/.config/cower/config
 noblacklist /var/lib/pacman
 include disable-common.inc
@@ -23,6 +16,11 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
+# This profile could be significantly strengthened by adding the following to cower.local
+# whitelist ${HOME}/<Your Build Folder>
+# whitelist ${HOME}/.config/cower
 caps.drop all
 ipc-namespace
@@ -42,7 +40,9 @@ shell none
 disable-mnt
 private-bin cower
+private-cache
 private-dev
 private-tmp
 memory-deny-write-execute
+read-only ${HOME}/.config/cower/config
diff --git a/etc/cpio.profile b/etc/cpio.profile
index b6f7e7f9f..0bb45f5cd 100644
--- a/etc/cpio.profile
+++ b/etc/cpio.profile
@@ -7,11 +7,11 @@ include cpio.local
 # Persistent global definitions
 include globals.local
-blacklist /tmp/.X11-unix
 noblacklist /sbin
 noblacklist /usr/sbin
+blacklist /tmp/.X11-unix
 include disable-common.inc
 # include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/curl.profile b/etc/curl.profile
index 2703c6fe8..b8b91d278 100644
--- a/etc/curl.profile
+++ b/etc/curl.profile
@@ -7,10 +7,10 @@ include curl.local
 # Persistent global definitions
 include globals.local
-blacklist /tmp/.X11-unix
 noblacklist ${HOME}/.curlrc
+blacklist /tmp/.X11-unix
 include disable-common.inc
 include disable-exec.inc
 include disable-passwdmgr.inc
diff --git a/etc/d-feet.profile b/etc/d-feet.profile
index 9475bdd2a..30749ab40 100644
--- a/etc/d-feet.profile
+++ b/etc/d-feet.profile
@@ -9,12 +9,8 @@ include globals.local
 noblacklist ${HOME}/.config/d-feet
 # Allow python (disabled by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/dconf-editor.profile b/etc/dconf-editor.profile
index 6b7f8f112..7cd39ca6a 100644
--- a/etc/dconf-editor.profile
+++ b/etc/dconf-editor.profile
@@ -6,8 +6,6 @@ include dconf-editor.local
 # Persistent global definitions
 include globals.local
-whitelist ${HOME}/.local/share/glib-2.0
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -16,6 +14,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
+whitelist ${HOME}/.local/share/glib-2.0
 include whitelist-common.inc
 apparmor
@@ -39,7 +38,7 @@ disable-mnt
 private-bin dconf-editor
 private-cache
 private-dev
-private-etc alternatives,fonts,machine-id
+private-etc alternatives,dconf,fonts,gtk-3.0,machine-id
 private-lib
 private-tmp
diff --git a/etc/dconf.profile b/etc/dconf.profile
index 6ffcddaf5..cf8b4ab43 100644
--- a/etc/dconf.profile
+++ b/etc/dconf.profile
@@ -6,8 +6,6 @@ include dconf.local
 # Persistent global definitions
 include globals.local
-whitelist ${HOME}/.local/share/glib-2.0
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -16,6 +14,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
+whitelist ${HOME}/.local/share/glib-2.0
 # dconf paths are whitelisted by the following
 include whitelist-common.inc
diff --git a/etc/deluge.profile b/etc/deluge.profile
index e86c84272..e86255d22 100644
--- a/etc/deluge.profile
+++ b/etc/deluge.profile
@@ -9,12 +9,8 @@ include globals.local
 noblacklist ${HOME}/.config/deluge
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 # include disable-devel.inc
diff --git a/etc/devilspie2.profile b/etc/devilspie2.profile
index 2f599366b..9d67ee76e 100644
--- a/etc/devilspie2.profile
+++ b/etc/devilspie2.profile
@@ -8,6 +8,9 @@ include globals.local
 noblacklist ${HOME}/.config/devilspie2
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/dex2jar.profile b/etc/dex2jar.profile
index 06a6be3aa..a6fed6c78 100644
--- a/etc/dex2jar.profile
+++ b/etc/dex2jar.profile
@@ -6,11 +6,8 @@ include dex2jar.local
 # Persistent global definitions
 include globals.local
-# Allow access to java
+# Allow java (blacklisted by disable-devel.inc)
-noblacklist ${PATH}/java
+include allow-java.inc
-noblacklist /usr/lib/java
-noblacklist /etc/java
-noblacklist /usr/share/java
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index 9d7a34bc5..9d9be1426 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -242,6 +242,7 @@ read-only ${HOME}/.ssh/authorized_keys
 # Initialization files that allow arbitrary command execution
 read-only ${HOME}/.caffrc
+read-only ${HOME}/.cargo/env
 read-only ${HOME}/.dotfiles
 read-only ${HOME}/.emacs
 read-only ${HOME}/.emacs.d
@@ -275,7 +276,6 @@ read-only ${HOME}/bin
 read-only ${HOME}/.bin
 read-only ${HOME}/.local/bin
 read-only ${HOME}/.cargo/bin
-read-only ${HOME}/.cargo/env
 blacklist ${HOME}/.cargo/registry
 blacklist ${HOME}/.cargo/config
@@ -414,3 +414,12 @@ blacklist /usr/share/flatpak
 blacklist /var/lib/flatpak
 # most of the time bwrap is SUID binary
 blacklist ${PATH}/bwrap
+# mail directories used by mutt
+blacklist ${HOME}/.Mail
+blacklist ${HOME}/.mail
+blacklist ${HOME}/.signature
+blacklist ${HOME}/Mail
+blacklist ${HOME}/mail
+blacklist ${HOME}/postponed
+blacklist ${HOME}/sent
diff --git a/etc/disable-interpreters.inc b/etc/disable-interpreters.inc
index 22f58bb85..4c4eed25d 100644
--- a/etc/disable-interpreters.inc
+++ b/etc/disable-interpreters.inc
@@ -19,6 +19,8 @@ blacklist ${HOME}/.nvm
 blacklist ${PATH}/cpan*
 blacklist ${PATH}/core_perl
 blacklist ${PATH}/perl
+blacklist ${PATH}/site_perl
+blacklist ${PATH}/vendor_perl
 blacklist /usr/lib/perl*
 blacklist /usr/share/perl*
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index aa1205549..b1e5a9e64 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -7,6 +7,7 @@ blacklist ${HOME}/Monero/wallets
 blacklist ${HOME}/Nextcloud/Notes
 blacklist ${HOME}/SoftMaker
 blacklist ${HOME}/Standard Notes Backups
+blacklist ${HOME}/mps
 blacklist ${HOME}/wallet.dat
 blacklist ${HOME}/.*coin
 blacklist ${HOME}/.8pecxstudios
@@ -94,6 +95,7 @@ blacklist ${HOME}/.config/Nathan Osman
 blacklist ${HOME}/.config/Nylas Mail
 blacklist ${HOME}/.config/PBE
 blacklist ${HOME}/.config/Qlipper
+blacklist ${HOME}/.config/QGIS
 blacklist ${HOME}/.config/QMediathekView
 blacklist ${HOME}/.config/QuiteRss
 blacklist ${HOME}/.config/QuiteRssrc
@@ -117,6 +119,7 @@ blacklist ${HOME}/.config/artha.conf
 blacklist ${HOME}/.config/asunder
 blacklist ${HOME}/.config/atril
 blacklist ${HOME}/.config/audacious
+blacklist ${HOME}/.config/autokey
 blacklist ${HOME}/.config/aweather
 blacklist ${HOME}/.config/baloofilerc
 blacklist ${HOME}/.config/baloorc
@@ -139,6 +142,7 @@ blacklist ${HOME}/.config/clipit
 blacklist ${HOME}/.config/cliqz
 blacklist ${HOME}/.config/cmus
 blacklist ${HOME}/.config/corebird
+blacklist ${HOME}/.config/cower
 blacklist ${HOME}/.config/darktable
 blacklist ${HOME}/.config/deadbeef
 blacklist ${HOME}/.config/deluge
@@ -196,6 +200,7 @@ blacklist ${HOME}/.config/katerc
 blacklist ${HOME}/.config/kateschemarc
 blacklist ${HOME}/.config/katesyntaxhighlightingrc
 blacklist ${HOME}/.config/katevirc
+blacklist ${HOME}/.config/kdeconnect
 blacklist ${HOME}/.config/kdenliverc
 blacklist ${HOME}/.config/kgetrc
 blacklist ${HOME}/.config/kid3rc
@@ -203,12 +208,12 @@ blacklist ${HOME}/.config/klavaro
 blacklist ${HOME}/.config/klipperrc
 blacklist ${HOME}/.config/kmail2rc
 blacklist ${HOME}/.config/kmailsearchindexingrc
-blacklist ${HOME}/.config/kritarc
-blacklist ${HOME}/.config/kwriterc
-blacklist ${HOME}/.config/kdeconnect
 blacklist ${HOME}/.config/knotesrc
 blacklist ${HOME}/.config/konversationrc
+blacklist ${HOME}/.config/kritarc
 blacklist ${HOME}/.config/ktorrentrc
+blacklist ${HOME}/.config/ktouch2rc
+blacklist ${HOME}/.config/kwriterc
 blacklist ${HOME}/.config/leafpad
 blacklist ${HOME}/.config/libreoffice
 blacklist ${HOME}/.config/liferea
@@ -265,6 +270,7 @@ blacklist ${HOME}/.config/redshift.conf
 blacklist ${HOME}/.config/remmina
 blacklist ${HOME}/.config/ristretto
 blacklist ${HOME}/.config/scribus
+blacklist ${HOME}/.config/scribusrc
 blacklist ${HOME}/.config/sinew.in
 blacklist ${HOME}/.config/skypeforlinux
 blacklist ${HOME}/.config/slimjet
@@ -273,17 +279,17 @@ blacklist ${HOME}/.config/smtube
 blacklist ${HOME}/.config/snox
 blacklist ${HOME}/.config/specialmailcollectionsrc
 blacklist ${HOME}/.config/spotify
-blacklist ${HOME}/.config/supertuxkart
 blacklist ${HOME}/.config/sqlitebrowser
 blacklist ${HOME}/.config/stellarium
+blacklist ${HOME}/.config/supertuxkart
 blacklist ${HOME}/.config/synfig
 blacklist ${HOME}/.config/telepathy-account-widgets
 blacklist ${HOME}/.config/torbrowser
 blacklist ${HOME}/.config/totem
 blacklist ${HOME}/.config/tox
 blacklist ${HOME}/.config/transgui
-blacklist ${HOME}/.config/truecraft
 blacklist ${HOME}/.config/transmission
+blacklist ${HOME}/.config/truecraft
 blacklist ${HOME}/.config/uGet
 blacklist ${HOME}/.config/uzbl
 blacklist ${HOME}/.config/viewnior
@@ -307,6 +313,7 @@ blacklist ${HOME}/.config/xreader
 blacklist ${HOME}/.config/xviewer
 blacklist ${HOME}/.config/yandex-browser
 blacklist ${HOME}/.config/yandex-browser-beta
+blacklist ${HOME}/.config/yelp
 blacklist ${HOME}/.config/zathura
 blacklist ${HOME}/.config/zoomus.conf
 blacklist ${HOME}/.conkeror.mozdev.org
@@ -325,7 +332,6 @@ blacklist ${HOME}/.electron-cache
 blacklist ${HOME}/.electrum*
 blacklist ${HOME}/.elinks
 blacklist ${HOME}/.emacs
-blacklist ${HOME}/.emacs
 blacklist ${HOME}/.emacs.d
 blacklist ${HOME}/.ethereum
 blacklist ${HOME}/.etr
@@ -367,10 +373,10 @@ blacklist ${HOME}/.kde/share/apps/kaffeine
 blacklist ${HOME}/.kde/share/apps/kcookiejar
 blacklist ${HOME}/.kde/share/apps/kget
 blacklist ${HOME}/.kde/share/apps/khtml
+blacklist ${HOME}/.kde/share/apps/klatexformula
 blacklist ${HOME}/.kde/share/apps/konqsidebartng
 blacklist ${HOME}/.kde/share/apps/konqueror
 blacklist ${HOME}/.kde/share/apps/kopete
-blacklist ${HOME}/.kde/share/apps/khtml
 blacklist ${HOME}/.kde/share/apps/ktorrent
 blacklist ${HOME}/.kde/share/apps/okular
 blacklist ${HOME}/.kde/share/config/baloofilerc
@@ -423,10 +429,12 @@ blacklist ${HOME}/.kde4/share/config/okularrc
 blacklist ${HOME}/.killingfloor
 blacklist ${HOME}/.kino-history
 blacklist ${HOME}/.kinorc
+blacklist ${HOME}/.klatexformula
 blacklist ${HOME}/.kodi
 blacklist ${HOME}/.lincity-ng
 blacklist ${HOME}/.linphone-history.db
 blacklist ${HOME}/.linphonerc
+blacklist ${HOME}/.links
 blacklist ${HOME}/.lmmsrc.xml
 blacklist ${HOME}/.local/lib/vivaldi
 blacklist ${HOME}/.local/share/0ad
@@ -438,6 +446,7 @@ blacklist ${HOME}/.local/share/JetBrains
 blacklist ${HOME}/.local/share/Mendeley Ltd.
 blacklist ${HOME}/.local/share/Mumble
 blacklist ${HOME}/.local/share/PBE
+blacklist ${HOME}/.local/share/QGIS
 blacklist ${HOME}/.local/share/QMediathekView
 blacklist ${HOME}/.local/share/QuiteRss
 blacklist ${HOME}/.local/share/Ricochet
@@ -450,6 +459,7 @@ blacklist ${HOME}/.local/share/akonadi*
 blacklist ${HOME}/.local/share/akregator
 blacklist ${HOME}/.local/share/apps/korganizer
 blacklist ${HOME}/.local/share/aspyr-media
+blacklist ${HOME}/.local/share/autokey
 blacklist ${HOME}/.local/share/baloo
 blacklist ${HOME}/.local/share/bibletime
 blacklist ${HOME}/.local/share/caja-python
@@ -492,8 +502,9 @@ blacklist ${HOME}/.local/share/klavaro
 blacklist ${HOME}/.local/share/kmail2
 blacklist ${HOME}/.local/share/knotes
 blacklist ${HOME}/.local/share/krita
-blacklist ${HOME}/.local/share/ktorrentrc
 blacklist ${HOME}/.local/share/ktorrent
+blacklist ${HOME}/.local/share/ktorrentrc
+blacklist ${HOME}/.local/share/ktouch
 blacklist ${HOME}/.local/share/kwrite
 blacklist ${HOME}/.local/share/liferea
 blacklist ${HOME}/.local/share/local-mail
@@ -517,13 +528,13 @@ blacklist ${HOME}/.local/share/ocenaudio
 blacklist ${HOME}/.local/share/okular
 blacklist ${HOME}/.local/share/orage
 blacklist ${HOME}/.local/share/org.kde.gwenview
-blacklist ${HOME}/.local/share/rhythmbox
 blacklist ${HOME}/.local/share/pix
 blacklist ${HOME}/.local/share/plasma_notes
 blacklist ${HOME}/.local/share/psi+
 blacklist ${HOME}/.local/share/qpdfview
 blacklist ${HOME}/.local/share/qutebrowser
 blacklist ${HOME}/.local/share/remmina
+blacklist ${HOME}/.local/share/rhythmbox
 blacklist ${HOME}/.local/share/scribus
 blacklist ${HOME}/.local/share/spotify
 blacklist ${HOME}/.local/share/steam
@@ -576,6 +587,7 @@ blacklist ${HOME}/.pingus
 blacklist ${HOME}/.pioneer
 blacklist ${HOME}/.purple
 blacklist ${HOME}/.qemu-launcher
+blacklist ${HOME}/.qgis2
 blacklist ${HOME}/.qmmp
 blacklist ${HOME}/.quodlibet
 blacklist ${HOME}/.redeclipse
@@ -624,8 +636,8 @@ blacklist ${HOME}/.wget-hsts
 blacklist ${HOME}/.wgetrc
 blacklist ${HOME}/.widelands
 blacklist ${HOME}/.wine
-blacklist ${HOME}/.wireshark
 blacklist ${HOME}/.wine64
+blacklist ${HOME}/.wireshark
 blacklist ${HOME}/.xiphos
 blacklist ${HOME}/.xmind
 blacklist ${HOME}/.xmms
diff --git a/etc/display.profile b/etc/display.profile
index 0bab32db1..0b9d685e8 100644
--- a/etc/display.profile
+++ b/etc/display.profile
@@ -8,12 +8,8 @@ include globals.local
 noblacklist ${PICTURES}
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/dnscrypt-proxy.profile b/etc/dnscrypt-proxy.profile
index 0dc0cc793..ffced747b 100644
--- a/etc/dnscrypt-proxy.profile
+++ b/etc/dnscrypt-proxy.profile
@@ -6,11 +6,11 @@ include dnscrypt-proxy.local
 # Persistent global definitions
 include globals.local
-blacklist /tmp/.X11-unix
 noblacklist /sbin
 noblacklist /usr/sbin
+blacklist /tmp/.X11-unix
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
diff --git a/etc/dnsmasq.profile b/etc/dnsmasq.profile
index bb41b71d1..daf4795c3 100644
--- a/etc/dnsmasq.profile
+++ b/etc/dnsmasq.profile
@@ -6,11 +6,11 @@ include dnsmasq.local
 # Persistent global definitions
 include globals.local
-blacklist /tmp/.X11-unix
 noblacklist /sbin
 noblacklist /usr/sbin
+blacklist /tmp/.X11-unix
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
diff --git a/etc/dooble.profile b/etc/dooble.profile
index 80bcce463..bc197b223 100644
--- a/etc/dooble.profile
+++ b/etc/dooble.profile
@@ -1,11 +1,12 @@
 # Firejail profile for dooble
 # This file is overwritten after every install/update
 # Persistent local customizations
+include dooble.local
+# Backward compatibility
 include dooble-qt4.local
 # Persistent global definitions
 include globals.local
 noblacklist ${HOME}/.dooble
 include disable-common.inc
diff --git a/etc/electrum.profile b/etc/electrum.profile
index ffa0fb5f6..ab554b21f 100644
--- a/etc/electrum.profile
+++ b/etc/electrum.profile
@@ -9,12 +9,8 @@ include globals.local
 noblacklist ${HOME}/.electrum
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/elinks.profile b/etc/elinks.profile
index 842a0db04..980fa7617 100644
--- a/etc/elinks.profile
+++ b/etc/elinks.profile
@@ -6,10 +6,10 @@ include elinks.local
 # Persistent global definitions
 include globals.local
-blacklist /tmp/.X11-unix
 noblacklist ${HOME}/.elinks
+blacklist /tmp/.X11-unix
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
diff --git a/etc/enpass.profile b/etc/enpass.profile
index b337c721d..4ac35bbd6 100644
--- a/etc/enpass.profile
+++ b/etc/enpass.profile
@@ -20,12 +20,16 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
+mkdir ${HOME}/.cache/Enpass
+mkfile ${HOME}/.config/sinew.in
+mkdir ${HOME}/.config/Sinew Software Systems
+mkdir ${HOME}/.local/share/Enpass
 whitelist ${HOME}/.cache/Enpass
 whitelist ${HOME}/.config/sinew.in
 whitelist ${HOME}/.config/Sinew Software Systems
 whitelist ${HOME}/.local/share/Enpass
 whitelist ${DOCUMENTS}
+include whitelist-common.inc
 include whitelist-var-common.inc
 # machine-id and nosound break audio notification functionality
diff --git a/etc/exfalso.profile b/etc/exfalso.profile
index 6146a8952..978629452 100644
--- a/etc/exfalso.profile
+++ b/etc/exfalso.profile
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.quodlibet
 noblacklist ${MUSIC}
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/exiftool.profile b/etc/exiftool.profile
index 2ee4aae6f..52e090b89 100644
--- a/etc/exiftool.profile
+++ b/etc/exiftool.profile
@@ -6,12 +6,10 @@ include exiftool.local
 # Persistent global definitions
 include globals.local
-blacklist /tmp/.X11-unix
+# Allow perl (blacklisted by disable-interpreters.inc)
+include allow-perl.inc
-# Allow access to perl
+blacklist /tmp/.X11-unix
-noblacklist ${PATH}/perl
-noblacklist /usr/lib/perl*
-noblacklist /usr/share/perl*
 include disable-common.inc
 include disable-devel.inc
@@ -41,7 +39,7 @@ shell none
 tracelog
 # To support exiftool in private-bin on Arch Linux (and derivatives), symlink /usr/bin/vendor_perl/exiftool to /usr/bin/exiftool and uncomment the below.
-# Users on non-Arch Linux distributions can safely uncomment the below to enable extra hardening.
+# Users on non-Arch Linux distributions can safely uncomment (or put in exiftool.local) the line below to enable extra hardening.
 #private-bin exiftool,perl
 private-cache
 private-dev
diff --git a/etc/falkon.profile b/etc/falkon.profile
index af6aaa1a7..cabf5aeba 100644
--- a/etc/falkon.profile
+++ b/etc/falkon.profile
@@ -16,6 +16,8 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+mkdir ${HOME}/.cache/falkon
+mkdir ${HOME}/.config/falkon
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/falkon
 whitelist ${HOME}/.config/falkon
diff --git a/etc/filezilla.profile b/etc/filezilla.profile
index d1bebafb5..af535880d 100644
--- a/etc/filezilla.profile
+++ b/etc/filezilla.profile
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.config/filezilla
 noblacklist ${HOME}/.filezilla
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/firefox-common-addons.inc b/etc/firefox-common-addons.inc
index 7a0c3e99f..7d9e512b2 100644
--- a/etc/firefox-common-addons.inc
+++ b/etc/firefox-common-addons.inc
@@ -56,8 +56,7 @@ whitelist ${HOME}/dwhelper
 noblacklist ${HOME}/.local/share/gnome-shell
 whitelist ${HOME}/.local/share/gnome-shell
 ignore nodbus
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python3*
 # Flash plugin
 # private-etc must first be enabled in firefox-common.profile and in profiles including it.
diff --git a/etc/firefox-common.profile b/etc/firefox-common.profile
index 080d9e81a..bccbb3412 100644
--- a/etc/firefox-common.profile
+++ b/etc/firefox-common.profile
@@ -9,7 +9,7 @@ include firefox-common.local
 # noexec ${HOME} breaks DRM binaries.
 ?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
-# Uncomment the following line to allow access to common programs/addons/plugins.
+# Uncomment the following line (or put it in your firefox-common.local) to allow access to common programs/addons/plugins.
 #include firefox-common-addons.inc
 noblacklist ${HOME}/.pki
diff --git a/etc/firejail.config b/etc/firejail.config
index 497d9633e..92df8ad1a 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -32,7 +32,7 @@
 # Disable /mnt, /media, /run/mount and /run/media access. By default access
 # to these directories is enabled. Unlike --disable-mnt profile option this
-# cannot be overridden by --noblacklist.
+# cannot be overridden by --noblacklist or --ignore.
 # disable-mnt no
 # Enable or disable file transfer support, default enabled.
diff --git a/etc/flowblade.profile b/etc/flowblade.profile
index 1e84d4ca6..40472ab93 100644
--- a/etc/flowblade.profile
+++ b/etc/flowblade.profile
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.config/flowblade
 noblacklist ${HOME}/.flowblade
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/font-manager.profile b/etc/font-manager.profile
index 98952e1cc..a1280124a 100644
--- a/etc/font-manager.profile
+++ b/etc/font-manager.profile
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.cache/font-manager
 noblacklist ${HOME}/.config/font-manager
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/fontforge.profile b/etc/fontforge.profile
index f98ad9983..6d305e2af 100644
--- a/etc/fontforge.profile
+++ b/etc/fontforge.profile
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.FontForge
 noblacklist ${DOCUMENTS}
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/franz.profile b/etc/franz.profile
index d6445ff8e..e917e5517 100644
--- a/etc/franz.profile
+++ b/etc/franz.profile
@@ -5,6 +5,8 @@ include franz.local
 # Persistent global definitions
 include globals.local
+ignore noexec /tmp
 noblacklist ${HOME}/.cache/Franz
 noblacklist ${HOME}/.config/Franz
 noblacklist ${HOME}/.pki
@@ -12,6 +14,7 @@ noblacklist ${HOME}/.local/share/pki
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
@@ -41,5 +44,3 @@ shell none
 disable-mnt
 private-dev
 private-tmp
-noexec ${HOME}
diff --git a/etc/freecol.profile b/etc/freecol.profile
index 7987cc076..2d2853c9c 100644
--- a/etc/freecol.profile
+++ b/etc/freecol.profile
@@ -12,11 +12,8 @@ noblacklist ${HOME}/.cache/freecol
 noblacklist ${HOME}/.config/freecol
 noblacklist ${HOME}/.local/share/freecol
-# Allow access to java
+# Allow java (blacklisted by disable-devel.inc)
-noblacklist ${PATH}/java
+include allow-java.inc
-noblacklist /usr/lib/java
-noblacklist /etc/java
-noblacklist /usr/share/java
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/freemind.profile b/etc/freemind.profile
index 507bd564d..7ab4ae129 100644
--- a/etc/freemind.profile
+++ b/etc/freemind.profile
@@ -7,12 +7,11 @@ include freemind.local
 include globals.local
 noblacklist ${DOCUMENTS}
-noblacklist ${PATH}/java
-noblacklist /etc/java
-noblacklist /usr/lib/java
-noblacklist /usr/share/java
 noblacklist ${HOME}/.freemind
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/frozen-bubble.profile b/etc/frozen-bubble.profile
index 6de61840c..9596bc610 100644
--- a/etc/frozen-bubble.profile
+++ b/etc/frozen-bubble.profile
@@ -9,11 +9,7 @@ include globals.local
 noblacklist ${HOME}/.frozen-bubble
 # Allow perl (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/cpan*
+include allow-perl.inc
-noblacklist ${PATH}/core_perl
-noblacklist ${PATH}/perl
-noblacklist /usr/lib/perl*
-noblacklist /usr/share/perl*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/gajim.profile b/etc/gajim.profile
index 238b4fca9..75d2f0774 100644
--- a/etc/gajim.profile
+++ b/etc/gajim.profile
@@ -11,12 +11,8 @@ noblacklist ${HOME}/.config/gajim
 noblacklist ${HOME}/.local/share/gajim
 # Allow python (blacklisted by disable-interpreters.inc)
-#noblacklist ${PATH}/python2*
+#include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-#noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-#noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/gconf.profile b/etc/gconf.profile
index 5cc6b87a0..a795afa17 100644
--- a/etc/gconf.profile
+++ b/etc/gconf.profile
@@ -9,12 +9,8 @@ include globals.local
 noblacklist ${HOME}/.config/gconf
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-#noblacklist ${PATH}/python3*
+#include allow-python3.inc
-noblacklist /usr/lib/python2*
-#noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-#noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/geary.profile b/etc/geary.profile
index a21eed9f1..a446c81d0 100644
--- a/etc/geary.profile
+++ b/etc/geary.profile
@@ -4,27 +4,25 @@
 # Persistent local customizations
 include geary.local
 # Persistent global definitions
-include globals.local
+# added by included profile
+#include globals.local
 # Users have Geary set to open a browser by clicking a link in an email
 # We are not allowed to blacklist browser-specific directories
+ignore nodbus
+ignore private-tmp
 noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.local/share/geary
 mkdir ${HOME}/.gnupg
 mkdir ${HOME}/.config/geary
 mkdir ${HOME}/.local/share/geary
 whitelist ${HOME}/.gnupg
 whitelist ${HOME}/.config/geary
 whitelist ${HOME}/.local/share/geary
-include whitelist-common.inc
-ignore nodbus
-ignore private-tmp
 read-only ${HOME}/.config/mimeapps.list
 # allow browsers
diff --git a/etc/gimp.profile b/etc/gimp.profile
index 91001cd30..762e743c8 100644
--- a/etc/gimp.profile
+++ b/etc/gimp.profile
@@ -7,7 +7,8 @@ include gimp.local
 include globals.local
 # gimp plugins are installed by the user in ${HOME}/.gimp-2.8/plug-ins/ directory
-# if you are not using external plugins, you can disable ignore noexec statement below
+# if you are not using external plugins, you can comment 'ignore noexec' statement below
+# or put 'ignore ignore noexec ${HOME}' in your gimp.local
 ignore noexec ${HOME}
 noblacklist ${HOME}/.config/GIMP
diff --git a/etc/git.profile b/etc/git.profile
index 0eb69faed..f7c812e65 100644
--- a/etc/git.profile
+++ b/etc/git.profile
@@ -7,8 +7,6 @@ include git.local
 # Persistent global definitions
 include globals.local
-blacklist /tmp/.X11-unix
 noblacklist ${HOME}/.config/git
 noblacklist ${HOME}/.config/nano
 noblacklist ${HOME}/.emacs
@@ -22,6 +20,8 @@ noblacklist ${HOME}/.ssh
 noblacklist ${HOME}/.vim
 noblacklist ${HOME}/.viminfo
+blacklist /tmp/.X11-unix
 include disable-common.inc
 include disable-exec.inc
 include disable-passwdmgr.inc
diff --git a/etc/gnome-chess.profile b/etc/gnome-chess.profile
index 2f4626891..04409a5e4 100644
--- a/etc/gnome-chess.profile
+++ b/etc/gnome-chess.profile
@@ -18,7 +18,10 @@ include disable-xdg.inc
 include whitelist-var-common.inc
+apparmor
 caps.drop all
+machine-id
+net none
 no3d
 nodvd
 nogroups
@@ -35,6 +38,7 @@ tracelog
 disable-mnt
 private-bin fairymax,gnome-chess,hoichess,gnuchess
+private-cache
 private-dev
-private-etc alternatives,fonts,gnome-chess
+private-etc alternatives,dconf,fonts,gnome-chess,gtk-3.0
 private-tmp
diff --git a/etc/gnome-music.profile b/etc/gnome-music.profile
index 6bebeb526..f843452c9 100644
--- a/etc/gnome-music.profile
+++ b/etc/gnome-music.profile
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.local/share/gnome-music
 noblacklist ${MUSIC}
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/gnome-schedule.profile b/etc/gnome-schedule.profile
index 931efbbab..08256f3a5 100644
--- a/etc/gnome-schedule.profile
+++ b/etc/gnome-schedule.profile
@@ -36,12 +36,8 @@ noblacklist ${PATH}/xfce4-terminal
 noblacklist ${PATH}/xfce4-terminal.wrapper
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/google-play-music-desktop-player.profile b/etc/google-play-music-desktop-player.profile
index 4932c9e42..daa385234 100644
--- a/etc/google-play-music-desktop-player.profile
+++ b/etc/google-play-music-desktop-player.profile
@@ -5,14 +5,19 @@ include google-play-music-desktop-player.local
 # Persistent global definitions
 include globals.local
+# noexec /tmp breaks mpris support
+ignore noexec /tmp
 noblacklist ${HOME}/.config/Google Play Music Desktop Player
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+mkdir ${HOME}/.config/Google Play Music Desktop Player
 # whitelist ${HOME}/.config/pulse
 # whitelist ${HOME}/.pulse
 whitelist ${HOME}/.config/Google Play Music Desktop Player
@@ -35,7 +40,3 @@ shell none
 disable-mnt
 private-dev
 private-tmp
-noexec ${HOME}
-# noexec /tmp breaks mpris support
-#noexec /tmp
diff --git a/etc/gpg-agent.profile b/etc/gpg-agent.profile
index 7181837d5..61b485df5 100644
--- a/etc/gpg-agent.profile
+++ b/etc/gpg-agent.profile
@@ -6,10 +6,10 @@ include gpg-agent.local
 # Persistent global definitions
 include globals.local
-blacklist /tmp/.X11-unix
 noblacklist ${HOME}/.gnupg
+blacklist /tmp/.X11-unix
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
diff --git a/etc/gpg.profile b/etc/gpg.profile
index 47e6e5265..99ad1b888 100644
--- a/etc/gpg.profile
+++ b/etc/gpg.profile
@@ -6,10 +6,10 @@ include gpg.local
 # Persistent global definitions
 include globals.local
-blacklist /tmp/.X11-unix
 noblacklist ${HOME}/.gnupg
+blacklist /tmp/.X11-unix
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
@@ -29,8 +29,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
-# Causes gpg to hang
+shell none
-#shell none
 tracelog
 # private-bin gpg,gpg-agent
diff --git a/etc/gpredict.profile b/etc/gpredict.profile
index be3742fe3..e6d37ee27 100644
--- a/etc/gpredict.profile
+++ b/etc/gpredict.profile
@@ -15,6 +15,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+mkdir ${HOME}/.config/Gpredict
 whitelist ${HOME}/.config/Gpredict
 include whitelist-common.inc
diff --git a/etc/gramps.profile b/etc/gramps.profile
index 764c14b60..54b154964 100644
--- a/etc/gramps.profile
+++ b/etc/gramps.profile
@@ -9,12 +9,8 @@ include globals.local
 noblacklist ${HOME}/.gramps
 # Allow python (blacklisted by disable-interpreters.inc)
-#noblacklist ${PATH}/python2*
+#include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-#noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-#noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/gzip.profile b/etc/gzip.profile
index 27e262f87..810684eae 100644
--- a/etc/gzip.profile
+++ b/etc/gzip.profile
@@ -9,12 +9,15 @@ include globals.local
 blacklist /tmp/.X11-unix
+include disable-common.inc
+include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
+include disable-passwdmgr.inc
-ignore noroot
+include disable-programs.inc
 apparmor
+caps.drop all
 hostname gzip
 ipc-namespace
 machine-id
@@ -23,10 +26,14 @@ no3d
 nodbus
 nodvd
 nogroups
+nonewprivs
+#noroot
 nosound
 notv
 nou2f
 novideo
+protocol unix
+seccomp
 shell none
 tracelog
@@ -34,5 +41,3 @@ private-cache
 private-dev
 memory-deny-write-execute
-include default.profile
diff --git a/etc/hexchat.profile b/etc/hexchat.profile
index ee70e6655..d032c93e6 100644
--- a/etc/hexchat.profile
+++ b/etc/hexchat.profile
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.config/hexchat
 noblacklist /usr/share/perl*
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/imagej.profile b/etc/imagej.profile
index 9d0ab43a0..be656bafa 100644
--- a/etc/imagej.profile
+++ b/etc/imagej.profile
@@ -8,11 +8,8 @@ include globals.local
 noblacklist ${HOME}/.imagej
-# Allow access to java
+# Allow java (blacklisted by disable-devel.inc)
-noblacklist ${PATH}/java
+include allow-java.inc
-noblacklist /usr/lib/java
-noblacklist /etc/java
-noblacklist /usr/share/java
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/inkscape.profile b/etc/inkscape.profile
index ecc5e5d35..bc0377e53 100644
--- a/etc/inkscape.profile
+++ b/etc/inkscape.profile
@@ -13,12 +13,8 @@ noblacklist ${DOCUMENTS}
 noblacklist ${PICTURES}
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/jd-gui.profile b/etc/jd-gui.profile
index dce44e5d4..8442c6ed7 100644
--- a/etc/jd-gui.profile
+++ b/etc/jd-gui.profile
@@ -8,11 +8,8 @@ include globals.local
 noblacklist ${HOME}/.config/jd-gui.cfg
 noblacklist ${HOME}/.java
-# Allow access to java
+# Allow java (blacklisted by disable-devel.inc)
-noblacklist ${PATH}/java
+include allow-java.inc
-noblacklist /usr/lib/java
-noblacklist /etc/java
-noblacklist /usr/share/java
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/jitsi.profile b/etc/jitsi.profile
index 5a575bb71..223c360b8 100644
--- a/etc/jitsi.profile
+++ b/etc/jitsi.profile
@@ -7,11 +7,8 @@ include globals.local
 noblacklist ${HOME}/.jitsi
-# Allow access to java
+# Allow java (blacklisted by disable-devel.inc)
-noblacklist ${PATH}/java
+include allow-java.inc
-noblacklist /usr/lib/java
-noblacklist /etc/java
-noblacklist /usr/share/java
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/klatexformula.profile b/etc/klatexformula.profile
new file mode 100644
index 000000000..d584f6a56
--- /dev/null
+++ b/etc/klatexformula.profile
@@ -0,0 +1,43 @@
+# Firejail profile for klatexformula
+# Description: generating images from LaTeX equations
+# This file is overwritten after every install/update
+# Persistent local customizations
+include klatexformula.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.kde/share/apps/klatexformula
+noblacklist ${HOME}/.klatexformula
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+apparmor
+caps.drop all
+machine-id
+net none
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+private-cache
+private-dev
+private-tmp
diff --git a/etc/klatexformula_cmdl.profile b/etc/klatexformula_cmdl.profile
new file mode 100644
index 000000000..9137963c4
--- /dev/null
+++ b/etc/klatexformula_cmdl.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for klatexformula_cmdl
+# This file is overwritten after every install/update
+# Redirect
+include klatexformula.profile
diff --git a/etc/kodi.profile b/etc/kodi.profile
index dad085967..86afe46b5 100644
--- a/etc/kodi.profile
+++ b/etc/kodi.profile
@@ -15,12 +15,8 @@ noblacklist ${PICTURES}
 noblacklist ${VIDEOS}
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/krita.profile b/etc/krita.profile
index 8f275f8df..49c36274a 100644
--- a/etc/krita.profile
+++ b/etc/krita.profile
@@ -15,12 +15,8 @@ noblacklist ${DOCUMENTS}
 noblacklist ${PICTURES}
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/ktouch.profile b/etc/ktouch.profile
new file mode 100644
index 000000000..446bc50ee
--- /dev/null
+++ b/etc/ktouch.profile
@@ -0,0 +1,50 @@
+# Firejail profile for KTouch
+# Description: a typing tutor by KDE
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ktouch.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/ktouch2rc
+noblacklist ${HOME}/.local/share/ktouch
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkfile ${HOME}/.config/ktouch2rc
+mkdir ${HOME}/.local/share/ktouch
+whitelist ${HOME}/.config/ktouch2rc
+whitelist ${HOME}/.local/share/ktouch
+include whitelist-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+machine-id
+net none
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin ktouch
+private-cache
+private-dev
+private-etc alternatives,fonts,kde5rc,machine-id
+private-tmp
diff --git a/etc/less.profile b/etc/less.profile
index 5ad7cb959..bc85e5ad5 100644
--- a/etc/less.profile
+++ b/etc/less.profile
@@ -5,24 +5,33 @@ quiet
 # Persistent local customizations
 include less.local
 # Persistent global definitions
-# added by included profile
+include globals.local
-#include globals.local
 blacklist /tmp/.X11-unix
+include disable-common.inc
+include disable-devel.inc
 include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
-ignore noroot
 apparmor
+caps.drop all
 ipc-namespace
 machine-id
 net none
 no3d
 nodbus
 nodvd
+nonewprivs
+#noroot
 nosound
 notv
 nou2f
 novideo
+protocol unix
+seccomp
 shell none
 tracelog
 writable-var-log
@@ -35,5 +44,3 @@ private-cache
 private-dev
 memory-deny-write-execute
-include default.profile
diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile
index 6e77cd741..05dfd4ca6 100644
--- a/etc/libreoffice.profile
+++ b/etc/libreoffice.profile
@@ -10,12 +10,10 @@ noblacklist ${HOME}/.java
 noblacklist /usr/local/sbin
 noblacklist ${HOME}/.config/libreoffice
-# libreoffice uses java; if you don't care about java functionality,
+# libreoffice uses java for some certain operations
-# comment the next four lines
+# comment if you don't care about java functionality
-noblacklist ${PATH}/java
+# Allow java (blacklisted by disable-devel.inc)
-noblacklist /usr/lib/java
+include allow-java.inc
-noblacklist /etc/java
-noblacklist /usr/share/java
 include disable-common.inc
 include disable-devel.inc
@@ -29,9 +27,7 @@ include whitelist-var-common.inc
 # comment the next line to use the ubuntu profile instead of firejail's apparmor profile
 apparmor
 caps.drop all
-#machine-id
 netfilter
-#nodbus
 nodvd
 nogroups
 # comment nonewprivs when using the ubuntu 18.04/debian 10 apparmor profile
@@ -50,5 +46,4 @@ tracelog
 private-dev
 private-tmp
 join-or-start libreoffice
diff --git a/etc/liferea.profile b/etc/liferea.profile
index e778d7b55..70d317199 100644
--- a/etc/liferea.profile
+++ b/etc/liferea.profile
@@ -11,12 +11,8 @@ noblacklist ${HOME}/.config/liferea
 noblacklist ${HOME}/.local/share/liferea
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/links.profile b/etc/links.profile
new file mode 100644
index 000000000..bd0b0cc92
--- /dev/null
+++ b/etc/links.profile
@@ -0,0 +1,64 @@
+# Firejail profile for links
+# Description: Text WWW browser
+# This file is overwritten after every install/update
+# Persistent local customizations
+include links.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.links
+blacklist /tmp/.X11-unix
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+# you may want to noblacklist files/directories blacklisted in
+# disable-programs.inc and used as associated programs
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.links
+whitelist ${HOME}/.links
+whitelist ${DOWNLOADS}
+include whitelist-var-common.inc
+caps.drop all
+ipc-namespace
+# comment machine-id (or put 'ignore machine-id' in your links.local) if you want
+# to allow access only to user-configured associated media player
+machine-id
+netfilter
+# comment no3d (or put 'ignore no3d' in your links.local) if you want
+# to allow access only to user-configured associated media player
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+# comment nosound (or put 'ignore nosound' in your links.local) if you want
+# to allow access only to user-configured associated media player
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+disable-mnt
+# if you want to use user-configured programs add 'private-bin PROGRAM1,PROGRAM2' to your links.local
+# or append 'PROGRAM1,PROGRAM2' to this private-bin line
+private-bin links,sh
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
+# Uncomment the following line (or put it in your links.local) allow external
+# media players
+# private-etc alsa,asound.conf,machine-id,openal,pulse
+private-tmp
+memory-deny-write-execute
diff --git a/etc/lollypop.profile b/etc/lollypop.profile
index 76b8ed75c..6667815b9 100644
--- a/etc/lollypop.profile
+++ b/etc/lollypop.profile
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.local/share/lollypop
 noblacklist ${MUSIC}
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/macrofusion.profile b/etc/macrofusion.profile
index 7d42f2bfe..f7a059f50 100644
--- a/etc/macrofusion.profile
+++ b/etc/macrofusion.profile
@@ -9,12 +9,8 @@ noblacklist ${HOME}/.config/mfusion
 noblacklist ${PICTURES}
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/masterpdfeditor.profile b/etc/masterpdfeditor.profile
index ce6486115..e4da0c66a 100644
--- a/etc/masterpdfeditor.profile
+++ b/etc/masterpdfeditor.profile
@@ -20,9 +20,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
-ipc-namespace
 machine-id
-no3d
 nodvd
 nogroups
 nonewprivs
@@ -36,7 +34,6 @@ seccomp
 shell none
 tracelog
-private-bin masterpdfedito*
 private-cache
 private-dev
 private-etc alternatives,fonts
diff --git a/etc/mate-calc.profile b/etc/mate-calc.profile
index ac5577b4c..2f6020ad3 100644
--- a/etc/mate-calc.profile
+++ b/etc/mate-calc.profile
@@ -15,12 +15,13 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+mkdir ${HOME}/.cache/mate-calc
+mkdir ${HOME}/.config/caja
+mkdir ${HOME}/.config/mate-menu
 whitelist ${HOME}/.cache/mate-calc
 whitelist ${HOME}/.config/caja
-whitelist ${HOME}/.config/gtk-3.0
-whitelist ${HOME}/.config/dconf
 whitelist ${HOME}/.config/mate-menu
-whitelist ${HOME}/.themes
+include whitelist-common.inc
 caps.drop all
 net none
@@ -40,7 +41,7 @@ shell none
 disable-mnt
 private-bin mate-calc,mate-calculator
-private-etc alternatives,fonts
+private-etc alternatives,dconf,fonts,gtk-3.0
 private-dev
 private-opt none
 private-tmp
diff --git a/etc/mate-color-select.profile b/etc/mate-color-select.profile
index bd3631445..f1a7ca18f 100644
--- a/etc/mate-color-select.profile
+++ b/etc/mate-color-select.profile
@@ -5,7 +5,6 @@ include mate-color-select.local
 # Persistent global definitions
 include globals.local
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -13,10 +12,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
-whitelist ${HOME}/.config/gtk-3.0
+include whitelist-common.inc
-whitelist ${HOME}/.fonts
-whitelist ${HOME}/.icons
-whitelist ${HOME}/.themes
 caps.drop all
 netfilter
diff --git a/etc/mate-dictionary.profile b/etc/mate-dictionary.profile
index 1217910a0..d1dc76260 100644
--- a/etc/mate-dictionary.profile
+++ b/etc/mate-dictionary.profile
@@ -14,11 +14,9 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+mkdir ${HOME}/.config/mate/mate-dictionary
 whitelist ${HOME}/.config/mate/mate-dictionary
-whitelist ${HOME}/.config/gtk-3.0
+include whitelist-common.inc
-whitelist ${HOME}/.fonts
-whitelist ${HOME}/.icons
-whitelist ${HOME}/.themes
 caps.drop all
 netfilter
diff --git a/etc/mediathekview.profile b/etc/mediathekview.profile
index 497014dab..4ebb5429a 100644
--- a/etc/mediathekview.profile
+++ b/etc/mediathekview.profile
@@ -18,11 +18,8 @@ noblacklist ${HOME}/.mediathek3
 noblacklist ${HOME}/.mplayer
 noblacklist ${VIDEOS}
-# Allow access to java
+# Allow java (blacklisted by disable-devel.inc)
-noblacklist ${PATH}/java
+include allow-java.inc
-noblacklist /usr/lib/java
-noblacklist /etc/java
-noblacklist /usr/share/java
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/meld.profile b/etc/meld.profile
index 14e0f238d..34b1f22de 100644
--- a/etc/meld.profile
+++ b/etc/meld.profile
@@ -6,22 +6,17 @@ include meld.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.local/share/meld
-# Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
-noblacklist ${PATH}/python3*
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 noblacklist ${HOME}/.config/git
 noblacklist ${HOME}/.gitconfig
 noblacklist ${HOME}/.git-credentials
+noblacklist ${HOME}/.local/share/meld
 noblacklist ${HOME}/.ssh
 noblacklist ${HOME}/.subversion
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
 # Uncomment the next line (or put it into your meld.local) if you don't need to compare files in disable-common.inc.
 #include disable-common.inc
 include disable-devel.inc
@@ -59,3 +54,4 @@ private-dev
 #private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,pki,resolv.conf,ssl,subversion
 private-tmp
+read-only ${HOME}/.ssh
diff --git a/etc/mendeleydesktop.profile b/etc/mendeleydesktop.profile
index d54371371..ed6cc3ae0 100644
--- a/etc/mendeleydesktop.profile
+++ b/etc/mendeleydesktop.profile
@@ -15,12 +15,8 @@ noblacklist ${HOME}/.pki
 noblacklist ${HOME}/.local/share/pki
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/meteo-qt.profile b/etc/meteo-qt.profile
index a769a97ec..4437d86ea 100644
--- a/etc/meteo-qt.profile
+++ b/etc/meteo-qt.profile
@@ -10,9 +10,7 @@ noblacklist ${HOME}/.config/autostart
 noblacklist ${HOME}/.config/meteo-qt
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
@@ -22,8 +20,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
-whitelist ${HOME}/.config/autostart
 mkdir ${HOME}/.config/meteo-qt
+whitelist ${HOME}/.config/autostart
 whitelist ${HOME}/.config/meteo-qt
 include whitelist-common.inc
 include whitelist-var-common.inc
diff --git a/etc/midori.profile b/etc/midori.profile
index e4d39cd70..ffae4919f 100644
--- a/etc/midori.profile
+++ b/etc/midori.profile
@@ -6,6 +6,9 @@ include midori.local
 # Persistent global definitions
 include globals.local
+# noexec ${HOME} breaks DRM binaries.
+?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
 noblacklist ${HOME}/.config/midori
 noblacklist ${HOME}/.local/share/midori
 # noblacklist ${HOME}/.local/share/webkit
@@ -13,9 +16,6 @@ noblacklist ${HOME}/.local/share/midori
 noblacklist ${HOME}/.pki
 noblacklist ${HOME}/.local/share/pki
-# noexec ${HOME} breaks DRM binaries.
-?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/mpDris2.profile b/etc/mpDris2.profile
index 81bf88b8b..db2bb6a93 100644
--- a/etc/mpDris2.profile
+++ b/etc/mpDris2.profile
@@ -9,12 +9,8 @@ include globals.local
 noblacklist ${HOME}/.config/mpDris2
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/mpsyt.profile b/etc/mpsyt.profile
index 0808c5a1a..775e137bc 100644
--- a/etc/mpsyt.profile
+++ b/etc/mpsyt.profile
@@ -6,14 +6,6 @@ include mpsyt.local
 # Persistent global definitions
 include globals.local
-# Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
-noblacklist ${PATH}/python3*
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 noblacklist ${HOME}/.config/mpv
 noblacklist ${HOME}/.mplayer
 noblacklist ${HOME}/.config/mps-youtube
@@ -22,6 +14,10 @@ noblacklist ${HOME}/mps
 noblacklist ${MUSIC}
 noblacklist ${VIDEOS}
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/mpv.profile b/etc/mpv.profile
index 34542b11b..aa2335516 100644
--- a/etc/mpv.profile
+++ b/etc/mpv.profile
@@ -13,12 +13,8 @@ noblacklist ${MUSIC}
 noblacklist ${VIDEOS}
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/ms-office.profile b/etc/ms-office.profile
index f8e75379e..25b097d72 100644
--- a/etc/ms-office.profile
+++ b/etc/ms-office.profile
@@ -9,12 +9,8 @@ noblacklist ${HOME}/.cache/ms-office-online
 noblacklist ${HOME}/.jak
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/ms-skype.profile b/etc/ms-skype.profile
index 02084d923..df1618361 100644
--- a/etc/ms-skype.profile
+++ b/etc/ms-skype.profile
@@ -3,10 +3,13 @@
 # Persistent local customizations
 include ms-skype.local
 # Persistent global definitions
-include globals.local
+# added by included profile
+#include globals.local
-noblacklist ${HOME}/.cache/ms-skype-online
 ignore novideo
+noblacklist ${HOME}/.cache/ms-skype-online
 private-bin ms-skype
 # Redirect
diff --git a/etc/multimc5.profile b/etc/multimc5.profile
index b6407c4f9..98edf273e 100644
--- a/etc/multimc5.profile
+++ b/etc/multimc5.profile
@@ -10,11 +10,8 @@ noblacklist ${HOME}/.local/share/multimc
 noblacklist ${HOME}/.local/share/multimc5
 noblacklist ${HOME}/.multimc5
-# Allow access to java
+# Allow java (blacklisted by disable-devel.inc)
-noblacklist ${PATH}/java
+include allow-java.inc
-noblacklist /usr/lib/java
-noblacklist /etc/java
-noblacklist /usr/share/java
 include disable-common.inc
 include disable-devel.inc
@@ -24,6 +21,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 mkdir ${HOME}/.local/share/multimc
+mkdir ${HOME}/.local/share/multimc5
+mkdir ${HOME}/.multimc5
 whitelist ${HOME}/.local/share/multimc
 whitelist ${HOME}/.local/share/multimc5
 whitelist ${HOME}/.multimc5
diff --git a/etc/mutt.profile b/etc/mutt.profile
index cc3a323e0..419e17e95 100644
--- a/etc/mutt.profile
+++ b/etc/mutt.profile
@@ -6,8 +6,6 @@ include mutt.local
 # Persistent global definitions
 include globals.local
-blacklist /tmp/.X11-unix
 noblacklist /var/mail
 noblacklist /var/spool/mail
 noblacklist ${HOME}/.Mail
@@ -34,6 +32,8 @@ noblacklist ${HOME}/mail
 noblacklist ${HOME}/postponed
 noblacklist ${HOME}/sent
+blacklist /tmp/.X11-unix
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
diff --git a/etc/mypaint.profile b/etc/mypaint.profile
index 615bb60d1..19643e749 100644
--- a/etc/mypaint.profile
+++ b/etc/mypaint.profile
@@ -9,10 +9,12 @@ include globals.local
 noblacklist ${HOME}/.cache/mypaint
 noblacklist ${HOME}/.config/mypaint
 noblacklist ${HOME}/.local/share/mypaint
-noblacklist ${PATH}/python2*
-noblacklist /usr/lib/python2*
 noblacklist ${PICTURES}
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/natron.profile b/etc/natron.profile
index 3f997a7a0..7ad217b72 100644
--- a/etc/natron.profile
+++ b/etc/natron.profile
@@ -5,18 +5,13 @@ include natron.local
 # Persistent global definitions
 include globals.local
-# Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
-noblacklist ${PATH}/python3*
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 noblacklist ${HOME}/.Natron
 noblacklist ${HOME}/.cache/INRIA/Natron
 noblacklist ${HOME}/.config/INRIA
-noblacklist /opt/natron
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
 include disable-common.inc
 include disable-devel.inc
@@ -33,9 +28,9 @@ nogroups
 nonewprivs
 noroot
 notv
-protocol unix,inet,inet6
+nou2f
+protocol unix
 seccomp
 shell none
 private-bin natron,Natron,NatronRenderer
diff --git a/etc/nautilus.profile b/etc/nautilus.profile
index 1d68ef8e3..b81313b6a 100644
--- a/etc/nautilus.profile
+++ b/etc/nautilus.profile
@@ -15,12 +15,8 @@ noblacklist ${HOME}/.local/share/nautilus
 noblacklist ${HOME}/.local/share/nautilus-python
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/nemo.profile b/etc/nemo.profile
index a23ba1700..26cfedb66 100644
--- a/etc/nemo.profile
+++ b/etc/nemo.profile
@@ -12,12 +12,8 @@ noblacklist ${HOME}/.local/share/nemo
 noblacklist ${HOME}/.local/share/nemo-python
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/nethack-vultures.profile b/etc/nethack-vultures.profile
index 2c23a4868..e1294153b 100644
--- a/etc/nethack-vultures.profile
+++ b/etc/nethack-vultures.profile
@@ -6,7 +6,6 @@ include nethack.local
 # Persistent global definitions
 include globals.local
 noblacklist ${HOME}/.vultures
 noblacklist /var/log
@@ -43,4 +42,3 @@ private-cache
 private-dev
 private-tmp
 writable-var
diff --git a/etc/nethack.profile b/etc/nethack.profile
index 5375d2f4f..3df632451 100644
--- a/etc/nethack.profile
+++ b/etc/nethack.profile
@@ -6,7 +6,6 @@ include nethack.local
 # Persistent global definitions
 include globals.local
 noblacklist /var/games/nethack
 include disable-common.inc
diff --git a/etc/nheko.profile b/etc/nheko.profile
index 2dfddf872..119b30239 100644
--- a/etc/nheko.profile
+++ b/etc/nheko.profile
@@ -18,11 +18,9 @@ include disable-programs.inc
 mkdir ${HOME}/.config/nheko
 mkdir ${HOME}/.cache/nheko/nheko
 whitelist ${HOME}/.config/nheko
 whitelist ${HOME}/.cache/nheko/nheko
 whitelist ${DOWNLOADS}
 include whitelist-common.inc
 caps.drop all
diff --git a/etc/nitroshare.profile b/etc/nitroshare.profile
index 7aba69490..19b6615ef 100644
--- a/etc/nitroshare.profile
+++ b/etc/nitroshare.profile
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.config/Nathan Osman
 noblacklist ${HOME}/.config/NitroShare
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/nylas.profile b/etc/nylas.profile
index 263e09198..c959eb991 100644
--- a/etc/nylas.profile
+++ b/etc/nylas.profile
@@ -14,6 +14,8 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+mkdir ${HOME}/.config/Nylas Mail
+mkdir ${HOME}/.nylas-mail
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.config/Nylas Mail
 whitelist ${HOME}/.nylas-mail
diff --git a/etc/nyx.profile b/etc/nyx.profile
index ed39283b2..1ea33ac4d 100644
--- a/etc/nyx.profile
+++ b/etc/nyx.profile
@@ -6,14 +6,11 @@ include nyx.local
 # Persistent global definitions
 include globals.local
-noblacklist ${PATH}/python2*
+# Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python3*
+include allow-python2.inc
-noblacklist /usr/lib/python2*
+include allow-python3.inc
-noblacklist /usr/lib/python3*
 noblacklist ${HOME}/.nyx
-mkdir ${HOME}/.nyx
-whitelist ${HOME}/.nyx
 include disable-common.inc
 include disable-devel.inc
@@ -23,6 +20,11 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
+mkdir ${HOME}/.nyx
+whitelist ${HOME}/.nyx
+include whitelist-common.inc
+include whitelist-var-common.inc
 caps.drop all
 netfilter
 no3d
diff --git a/etc/obs.profile b/etc/obs.profile
index 1f02efc7f..038242cae 100644
--- a/etc/obs.profile
+++ b/etc/obs.profile
@@ -11,12 +11,8 @@ noblacklist ${PICTURES}
 noblacklist ${VIDEOS}
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/ocenaudio.profile b/etc/ocenaudio.profile
index ceeb59384..b2249f63b 100644
--- a/etc/ocenaudio.profile
+++ b/etc/ocenaudio.profile
@@ -24,7 +24,7 @@ ipc-namespace
 # net none breaks AppArmor on Ubuntu systems
 netfilter
 no3d
-# nodbus - breaks preferences, comment when needed
+# nodbus - breaks preferences, comment (or put 'ignore nodbus' in your oceanaudio.local) when needed
 nodbus
 nodvd
 nogroups
@@ -39,12 +39,10 @@ shell none
 tracelog
 # disable-mnt
-# private
 private-bin ocenaudio
 private-cache
 private-dev
 private-etc alternatives,asound.conf,fonts,ld.so.cache,pulse
-# private-lib
 private-tmp
 # memory-deny-write-execute - breaks on Arch
diff --git a/etc/onionshare-gui.profile b/etc/onionshare-gui.profile
index 3ee78c59d..5bfcd0527 100644
--- a/etc/onionshare-gui.profile
+++ b/etc/onionshare-gui.profile
@@ -8,9 +8,7 @@ include globals.local
 noblacklist ${HOME}/.config/onionshare
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/openshot.profile b/etc/openshot.profile
index cfda1d0ce..0222243ed 100644
--- a/etc/openshot.profile
+++ b/etc/openshot.profile
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.openshot
 noblacklist ${HOME}/.openshot_qt
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/orage.profile b/etc/orage.profile
index 2c55ab909..4e12892d6 100644
--- a/etc/orage.profile
+++ b/etc/orage.profile
@@ -24,7 +24,7 @@ nodvd
 nogroups
 nonewprivs
 noroot
-nosound
+# nosound - calendar application, It must be able to play sound to wake you up.
 notv
 nou2f
 novideo
diff --git a/etc/pandoc.profile b/etc/pandoc.profile
new file mode 100644
index 000000000..687a31cc2
--- /dev/null
+++ b/etc/pandoc.profile
@@ -0,0 +1,49 @@
+# Firejail profile for pandoc
+# Description: general markup converter
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include pandoc.local
+# Persistent global definitions
+include globals.local
+noblacklist ${DOCUMENTS}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+# breaks pdf output
+#include whitelist-var-common.inc
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin context,latex,mktexfmt,pandoc,pdflatex,pdfroff,prince,weasyprint,wkhtmltopdf
+private-cache
+private-dev
+private-tmp
+memory-deny-write-execute
diff --git a/etc/pdfsam.profile b/etc/pdfsam.profile
index 98dcce0b7..bd3592f48 100644
--- a/etc/pdfsam.profile
+++ b/etc/pdfsam.profile
@@ -9,11 +9,8 @@ include globals.local
 noblacklist ${HOME}/.java
 noblacklist ${DOCUMENTS}
-# Allow access to java
+# Allow java (blacklisted by disable-devel.inc)
-noblacklist ${PATH}/java
+include allow-java.inc
-noblacklist /usr/lib/java
-noblacklist /etc/java
-noblacklist /usr/share/java
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/picard.profile b/etc/picard.profile
index b756ed629..15fc7a454 100644
--- a/etc/picard.profile
+++ b/etc/picard.profile
@@ -11,12 +11,8 @@ noblacklist ${HOME}/.config/MusicBrainz
 noblacklist ${MUSIC}
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/pidgin.profile b/etc/pidgin.profile
index bdd5404f5..299f807af 100644
--- a/etc/pidgin.profile
+++ b/etc/pidgin.profile
@@ -6,11 +6,11 @@ include pidgin.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.purple
 ignore noexec ${RUNUSER}
 ignore noexec /dev/shm
+noblacklist ${HOME}/.purple
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/pithos.profile b/etc/pithos.profile
index d6a0a7822..62050eb55 100644
--- a/etc/pithos.profile
+++ b/etc/pithos.profile
@@ -7,12 +7,8 @@ include pithos.local
 include globals.local
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/pitivi.profile b/etc/pitivi.profile
index 83f5ccbb9..89a6a020b 100644
--- a/etc/pitivi.profile
+++ b/etc/pitivi.profile
@@ -10,12 +10,8 @@ include globals.local
 noblacklist ${HOME}/.config/pitivi
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/playonlinux.profile b/etc/playonlinux.profile
index 2f287223b..03091af6d 100644
--- a/etc/playonlinux.profile
+++ b/etc/playonlinux.profile
@@ -16,19 +16,11 @@ noblacklist ${HOME}/.PlayOnLinux
 noblacklist ${PATH}/nc
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 # Allow perl (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/cpan*
+include allow-perl.inc
-noblacklist ${PATH}/core_perl
-noblacklist ${PATH}/perl
-noblacklist /usr/lib/perl*
-noblacklist /usr/share/perl*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/pybitmessage.profile b/etc/pybitmessage.profile
index 28ab8caa6..3bce425d9 100644
--- a/etc/pybitmessage.profile
+++ b/etc/pybitmessage.profile
@@ -10,12 +10,8 @@ noblacklist /usr/local/sbin
 noblacklist /usr/sbin
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/pycharm-community.profile b/etc/pycharm-community.profile
index 1a6f171c8..0531aee4a 100644
--- a/etc/pycharm-community.profile
+++ b/etc/pycharm-community.profile
@@ -10,11 +10,8 @@ noblacklist ${HOME}/.python-history
 noblacklist ${HOME}/.pythonrc.py
 noblacklist ${HOME}/.java
-# Allow access to java
+# Allow java (blacklisted by disable-devel.inc)
-noblacklist ${PATH}/java
+include allow-java.inc
-noblacklist /usr/lib/java
-noblacklist /etc/java
-noblacklist /usr/share/java
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile
index b0a6a0016..82e237d54 100644
--- a/etc/qbittorrent.profile
+++ b/etc/qbittorrent.profile
@@ -12,12 +12,8 @@ noblacklist ${HOME}/.config/qBittorrentrc
 noblacklist ${HOME}/.local/share/data/qBittorrent
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
@@ -61,4 +57,4 @@ private-dev
 # private-lib - problems on Arch
 private-tmp
-# memory-deny-write-execute - problems on  Arch, see #1690 on GitHub repo
+# memory-deny-write-execute - problems on Arch, see #1690 on GitHub repo
diff --git a/etc/qgis.profile b/etc/qgis.profile
new file mode 100644
index 000000000..70788b207
--- /dev/null
+++ b/etc/qgis.profile
@@ -0,0 +1,57 @@
+# Firejail profile for qgis
+# Description: GIS application
+# This file is overwritten after every install/update
+# Persistent local customizations
+include qgis.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/QGIS
+noblacklist ${HOME}/.local/share/QGIS
+noblacklist ${HOME}/.qgis2
+noblacklist ${DOCUMENTS}
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.local/share/QGIS
+mkdir ${HOME}/.qgis2
+mkdir ${HOME}/.config/QGIS
+whitelist ${HOME}/.local/share/QGIS
+whitelist ${HOME}/.qgis2
+whitelist ${HOME}/.config/QGIS
+whitelist ${DOCUMENTS}
+include whitelist-common.inc
+include whitelist-var-common.inc
+caps.drop all
+netfilter
+machine-id
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+# blacklisting of mbind system calls breaks old version
+seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,set_mempolicy,migrate_pages,move_pages,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,kcmp,add_key,request_key,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,vmsplice,umount,userfaultfd,mincore
+protocol unix,inet,inet6,netlink
+shell none
+tracelog
+disable-mnt
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,resolv.conf,ssl,QGIS,QGIS.conf,Trolltech.conf
+private-tmp
diff --git a/etc/quiterss.profile b/etc/quiterss.profile
index 41c84425b..e2a3c9c23 100644
--- a/etc/quiterss.profile
+++ b/etc/quiterss.profile
@@ -22,6 +22,8 @@ mkdir ${HOME}/.cache/QuiteRss
 mkdir ${HOME}/.config/QuiteRss
 mkdir ${HOME}/.local/share/data
 mkdir ${HOME}/.local/share/data/QuiteRss
+mkdir ${HOME}/.local/share/QuiteRss
+mkfile ${HOME}/quiterssfeeds.opml
 whitelist ${HOME}/.cache/QuiteRss
 whitelist ${HOME}/.config/QuiteRss/
 whitelist ${HOME}/.config/QuiteRssrc
diff --git a/etc/qupzilla.profile b/etc/qupzilla.profile
index 1b23b2baf..954b1a3b4 100644
--- a/etc/qupzilla.profile
+++ b/etc/qupzilla.profile
@@ -15,6 +15,8 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+mkdir ${HOME}/.cache/qupzilla
+mkdir ${HOME}/.config/qupzilla
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/qupzilla
 whitelist ${HOME}/.config/qupzilla
diff --git a/etc/qutebrowser.profile b/etc/qutebrowser.profile
index 9e3853a09..e556ecf1f 100644
--- a/etc/qutebrowser.profile
+++ b/etc/qutebrowser.profile
@@ -9,18 +9,13 @@ include globals.local
 noblacklist ${HOME}/.cache/qutebrowser
 noblacklist ${HOME}/.config/qutebrowser
 noblacklist ${HOME}/.local/share/qutebrowser
-# Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
-noblacklist ${PATH}/python3*
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 # with >=llvm-4 mesa drivers need llvm stuff
 noblacklist /usr/lib/llvm*
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
diff --git a/etc/ranger.profile b/etc/ranger.profile
index 1e50ca9fa..13e8911ea 100644
--- a/etc/ranger.profile
+++ b/etc/ranger.profile
@@ -11,18 +11,11 @@ noblacklist ${HOME}/.config/ranger
 noblacklist ${HOME}/.nanorc
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 # Allow perl
-# noblacklist ${PATH}/cpan*
+include allow-perl.inc
-noblacklist ${PATH}/perl
-noblacklist /usr/lib/perl*
-noblacklist /usr/share/perl*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/ricochet.profile b/etc/ricochet.profile
index 3cb30c459..fc770d62d 100644
--- a/etc/ricochet.profile
+++ b/etc/ricochet.profile
@@ -5,7 +5,6 @@ include ricochet.local
 # Persistent global definitions
 include globals.local
 noblacklist ${HOME}/.local/share/Ricochet
 include disable-common.inc
@@ -15,6 +14,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+mkdir ${HOME}/.local/share/Ricochet
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.local/share/Ricochet
 include whitelist-common.inc
diff --git a/etc/rocketchat.profile b/etc/rocketchat.profile
index c95bc3c3d..8170c62e7 100644
--- a/etc/rocketchat.profile
+++ b/etc/rocketchat.profile
@@ -7,6 +7,7 @@ include globals.local
 noblacklist ${HOME}/.config/Rocket.Chat
+mkdir ${HOME}/.config/Rocket.Chat
 whitelist ${HOME}/.config/Rocket.Chat
 include whitelist-common.inc
diff --git a/etc/scribus.profile b/etc/scribus.profile
index d8dc7b0e0..c50e0861c 100644
--- a/etc/scribus.profile
+++ b/etc/scribus.profile
@@ -27,12 +27,8 @@ noblacklist ${DOCUMENTS}
 noblacklist ${PICTURES}
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/sdat2img.profile b/etc/sdat2img.profile
index 485326fcc..176842c44 100644
--- a/etc/sdat2img.profile
+++ b/etc/sdat2img.profile
@@ -7,12 +7,8 @@ include sdat2img.local
 include globals.local
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/seahorse.profile b/etc/seahorse.profile
index cd9f6c767..7baae2603 100644
--- a/etc/seahorse.profile
+++ b/etc/seahorse.profile
@@ -32,6 +32,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 include whitelist-common.inc
 include whitelist-var-common.inc
@@ -50,7 +51,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
-# shell none - causes gpg to hang
+shell none
 tracelog
 disable-mnt
diff --git a/etc/seamonkey.profile b/etc/seamonkey.profile
index d92c62a52..ca74efe68 100644
--- a/etc/seamonkey.profile
+++ b/etc/seamonkey.profile
@@ -18,6 +18,8 @@ include disable-programs.inc
 mkdir ${HOME}/.cache/mozilla
 mkdir ${HOME}/.mozilla
+mkdir ${HOME}/.pki
+mkdir ${HOME}/.local/share/pki
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/gnome-mplayer/plugin
 whitelist ${HOME}/.cache/mozilla
diff --git a/etc/server.profile b/etc/server.profile
index 686268a18..6e077ff84 100644
--- a/etc/server.profile
+++ b/etc/server.profile
@@ -9,12 +9,12 @@ include globals.local
 # it allows /sbin and /usr/sbin directories - this is where servers are installed
 # depending on your usage, you can enable some of the commands below:
-blacklist /tmp/.X11-unix
 noblacklist /sbin
 noblacklist /usr/sbin
 # noblacklist /var/opt
+blacklist /tmp/.X11-unix
 include disable-common.inc
 # include disable-devel.inc
 # include disable-exec.inc
diff --git a/etc/signal-desktop.profile b/etc/signal-desktop.profile
index 008cd218e..04696a918 100644
--- a/etc/signal-desktop.profile
+++ b/etc/signal-desktop.profile
@@ -5,10 +5,13 @@ include signal-desktop.local
 # Persistent global definitions
 include globals.local
+ignore noexec /tmp
 noblacklist ${HOME}/.config/Signal
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
 include disable-passwdmgr.inc
@@ -34,5 +37,3 @@ shell none
 disable-mnt
 private-dev
 private-tmp
-noexec ${HOME}
diff --git a/etc/skypeforlinux.profile b/etc/skypeforlinux.profile
index ad200be37..eae7dada0 100644
--- a/etc/skypeforlinux.profile
+++ b/etc/skypeforlinux.profile
@@ -5,10 +5,14 @@ include skypeforlinux.local
 # Persistent global definitions
 include globals.local
+# breaks Skype
+ignore noexec /tmp
 noblacklist ${HOME}/.config/skypeforlinux
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -28,6 +32,3 @@ disable-mnt
 private-cache
 # private-dev - needs /dev/disk
 private-tmp
-noexec ${HOME}
-# noexec /tmp - breaks Skype
diff --git a/etc/slack.profile b/etc/slack.profile
index ed76be373..53baf5f40 100644
--- a/etc/slack.profile
+++ b/etc/slack.profile
@@ -13,7 +13,6 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
-mkdir ${HOME}/.config
 mkdir ${HOME}/.config/Slack
 whitelist ${HOME}/.config/Slack
 whitelist ${DOWNLOADS}
diff --git a/etc/slashem.profile b/etc/slashem.profile
index 011698e1f..8c84180d7 100644
--- a/etc/slashem.profile
+++ b/etc/slashem.profile
@@ -6,7 +6,6 @@ include slashem.local
 # Persistent global definitions
 include globals.local
 noblacklist /var/games/slashem
 include disable-common.inc
diff --git a/etc/smplayer.profile b/etc/smplayer.profile
index 5ae498ab2..0363a2475 100644
--- a/etc/smplayer.profile
+++ b/etc/smplayer.profile
@@ -12,12 +12,8 @@ noblacklist ${MUSIC}
 noblacklist ${VIDEOS}
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/soundconverter.profile b/etc/soundconverter.profile
index 4d6e80840..d875146de 100644
--- a/etc/soundconverter.profile
+++ b/etc/soundconverter.profile
@@ -9,12 +9,8 @@ include globals.local
 noblacklist ${MUSIC}
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/spectre-meltdown-checker.profile b/etc/spectre-meltdown-checker.profile
index 74582dd2f..edbe0e772 100644
--- a/etc/spectre-meltdown-checker.profile
+++ b/etc/spectre-meltdown-checker.profile
@@ -11,12 +11,8 @@ include globals.local
 noblacklist ${PATH}/mount
 noblacklist ${PATH}/umount
-# Allow access to perl
+# Allow perl (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/cpan*
+include allow-perl.inc
-noblacklist ${PATH}/core_perl
-noblacklist ${PATH}/perl
-noblacklist /usr/lib/perl*
-noblacklist /usr/share/perl*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/spotify.profile b/etc/spotify.profile
index 6f7f6ec85..2d5c4a48f 100644
--- a/etc/spotify.profile
+++ b/etc/spotify.profile
@@ -5,15 +5,12 @@ include spotify.local
 # Persistent global definitions
 include globals.local
-blacklist ${HOME}/.bashrc
-blacklist /lost+found
-blacklist /sbin
-blacklist /srv
 noblacklist ${HOME}/.cache/spotify
 noblacklist ${HOME}/.config/spotify
 noblacklist ${HOME}/.local/share/spotify
+blacklist ${HOME}/.bashrc
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -49,5 +46,6 @@ private-bin spotify,bash,sh,zenity
 private-dev
 private-etc alternatives,fonts,group,ld.so.cache,machine-id,pulse,resolv.conf,hosts,nsswitch.conf,host.conf,ca-certificates,ssl,pki,crypto-policies
 private-opt spotify
+private-srv none
 private-tmp
diff --git a/etc/ssh-agent.profile b/etc/ssh-agent.profile
index 8aafca8aa..9af747b62 100644
--- a/etc/ssh-agent.profile
+++ b/etc/ssh-agent.profile
@@ -6,12 +6,12 @@ include ssh-agent.local
 # Persistent global definitions
 include globals.local
-blacklist /tmp/.X11-unix
 noblacklist /etc/ssh
 noblacklist /tmp/ssh-*
 noblacklist ${HOME}/.ssh
+blacklist /tmp/.X11-unix
 include disable-common.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
diff --git a/etc/start-tor-browser.desktop.profile b/etc/start-tor-browser.desktop.profile
index a61038157..d5d7a17e4 100644
--- a/etc/start-tor-browser.desktop.profile
+++ b/etc/start-tor-browser.desktop.profile
@@ -3,7 +3,6 @@
 # Persistent local customizations
 include start-tor-browser.desktop.local
 noblacklist ${HOME}/.tor-browser-*
 noblacklist ${HOME}/.tor-browser_*
diff --git a/etc/steam.profile b/etc/steam.profile
index 8f08b18f0..5ab600bfb 100644
--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -25,19 +25,12 @@ noblacklist /usr/lib/llvm*
 # needed for STEAM_RUNTIME_PREFER_HOST_LIBRARIES=1 to work
 noblacklist /sbin
-# Allow access to java
+# Allow java (blacklisted by disable-devel.inc)
-noblacklist ${PATH}/java
+include allow-java.inc
-noblacklist /usr/lib/java
-noblacklist /etc/java
-noblacklist /usr/share/java
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/strings.profile b/etc/strings.profile
index 0caecdf7b..ace0d9351 100644
--- a/etc/strings.profile
+++ b/etc/strings.profile
@@ -4,30 +4,43 @@ quiet
 # Persistent local customizations
 include strings.local
 # Persistent global definitions
-# added by included profile
+include globals.local
-#include globals.local
 blacklist /tmp/.X11-unix
+include disable-common.inc
+include disable-devel.inc
 include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
-ignore noroot
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
 net none
 no3d
 nodbus
 nodvd
+nogroups
+nonewprivs
+#noroot
 nosound
 notv
 nou2f
 novideo
+protocol unix
+seccomp
 shell none
 tracelog
+#private
 private-bin strings
 private-cache
 private-dev
 private-etc alternatives
 private-lib libfakeroot
+private-tmp
 memory-deny-write-execute
-include default.profile
diff --git a/etc/subdownloader.profile b/etc/subdownloader.profile
index c07131893..b55300c88 100644
--- a/etc/subdownloader.profile
+++ b/etc/subdownloader.profile
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.config/SubDownloader
 noblacklist ${VIDEOS}
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/surf.profile b/etc/surf.profile
index 0504b5fe5..5f116fd0c 100644
--- a/etc/surf.profile
+++ b/etc/surf.profile
@@ -15,6 +15,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 mkdir ${HOME}/.surf
+whitelist ${HOME}/.surf
 whitelist ${DOWNLOADS}
 include whitelist-common.inc
diff --git a/etc/sysprof.profile b/etc/sysprof.profile
index 3cfea5c5e..e978e03f2 100644
--- a/etc/sysprof.profile
+++ b/etc/sysprof.profile
@@ -24,7 +24,7 @@ no3d
 nodvd
 nogroups
 nonewprivs
-# Ubuntu 16.04 version needs root privileges - uncomment if you don't use that
+# Ubuntu 16.04 version needs root privileges - uncomment or put in sysprof.local if you don't use that
 #noroot
 nosound
 notv
diff --git a/etc/tar.profile b/etc/tar.profile
index 14fc00d21..b6a874217 100644
--- a/etc/tar.profile
+++ b/etc/tar.profile
@@ -5,17 +5,19 @@ quiet
 # Persistent local customizations
 include tar.local
 # Persistent global definitions
-# added by included profile
+include globals.local
-#include globals.local
 blacklist /tmp/.X11-unix
+include disable-common.inc
+include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
+include disable-passwdmgr.inc
-ignore noroot
+include disable-programs.inc
 apparmor
+caps.drop all
 hostname tar
 ipc-namespace
 machine-id
@@ -24,10 +26,14 @@ no3d
 nodbus
 nodvd
 nogroups
+nonewprivs
+#noroot
 nosound
 notv
 nou2f
 novideo
+protocol unix
+seccomp
 shell none
 tracelog
@@ -39,8 +45,5 @@ private-etc alternatives,passwd,group,localtime
 private-lib libfakeroot
 memory-deny-write-execute
 # Debian based distributions need this for 'dpkg --unpack' (incl. synaptic)
 writable-var
-include default.profile
diff --git a/etc/templates/profile.template b/etc/templates/profile.template
new file mode 100644
index 000000000..16bf05cec
--- /dev/null
+++ b/etc/templates/profile.template
@@ -0,0 +1,139 @@
+# Firejail profile for PROGRAM_NAME
+# Description: DESCRIPTION
+# This file is overwritten after every install/update
+# --- CUT HERE ---
+# This is a generic template to help you with creation of profiles
+# for new programs. PRs welcome at https://github.com/netblue30/firejail/
+#
+# Rules to follow:
+#  - lines with one # are often used in profiles
+#  - lines with two ## are only needed in special situations
+#  - make the profile as restrictive as possible while still keeping the program useful
+#    (e. g. a program that is unable to save user's work is considered a bad practice)
+#  - dedicate some time (based on how complex the application is) to profile testing before raising
+#    a pull request
+#  - keep the sections structure, use a single empty line as a separator
+#  - entries within sections are alphabetically sorted
+#  - consider putting binary into src/firecfg/firecfg.config (keep list sorted) but beware
+#    to not do this for essential utilities as this may *break* your OS! (related discussion:
+#    https://github.com/netblue30/firejail/issues/2507)
+#  - remove this comment section and any generic comment past 'Persistent global definitions'
+#
+# Sections structure
+#   HEADER
+#   COMMENTS
+#   IGNORES
+#   NOBLACKLISTS
+#   ALLOW INCLUDES
+#   BLACKLISTS
+#   DISABLE INCLUDES
+#   MKDIRS
+#   WHITELISTS
+#   WHITELIST INCLUDES
+#   OPTIONS (no*)
+#   PRIVATE OPTIONS (disable-mnt, private-*)
+#   SPECIAL OPTIONS (mdwx, noexec, read-only, join-or-start)
+#   REDIRECT INCLUDES
+#
+# --- CUT HERE ---
+##quiet
+# Persistent local customizations
+#include PROFILE.local
+# Persistent global definitions
+#include globals.local
+##ignore noexec ${HOME}
+##blacklist PATH
+# It is common practice to add files/dirs containing program-specific configuration
+# (often ${HOME}/PROGRAMNAME or ${HOME}/.config/PROGRAMNAME) into disable-programs.inc
+# (keep list sorted) and then disable blacklisting below.
+# One way to retrieve the files a program uses is:
+#  - launch binary with --private naming a sandbox
+#      `firejail --name=test --ignore=private-bin [--profile=PROFILE] --private BINARY`
+#  - work with the program, do some configuration changes and save them, open new documents,
+#    install plugins if they exists, etc
+#  - join the sandbox with bash:
+#      `firejail --join=test bash`
+#  - look what has changed and use that information to populate blacklist and whitelist sections
+#      `ls -aR`
+#noblacklist PATH
+# Allow python (blacklisted by disable-interpreters.inc)
+#include allow-python2.inc
+#include allow-python3.inc
+# Allow perl (blacklisted by disable-interpreters.inc)
+#include allow-perl.inc
+# Allow java (blacklisted by disable-devel.inc)
+#include allow-java.inc
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
+#include disable-common.inc
+#include disable-devel.inc
+#include disable-exec.inc
+#include disable-interpreters.inc
+#include disable-passwdmgr.inc
+#include disable-programs.inc
+#include disable-xdg.inc
+# This section often mirrors noblacklist section above. The idea is
+# that if a user feels too restricted (he's unable to save files into
+# home directory for instance) he/she may disable whitelist (nowhitelist)
+# in PROFILE.local but still be protected by BLACKLISTS section
+# (further explanation at https://github.com/netblue30/firejail/issues/1569)
+#mkdir PATH
+#mkfile PATH
+#whitelist PATH
+#include whitelist-common.inc
+#include whitelist-var-common.inc
+#apparmor
+#caps.drop all
+# CLI only
+##ipc-namespace
+#machine-id
+# 'net none' or 'netfilter'
+#net none
+#netfilter
+#no3d
+#nodbus
+#nodvd
+#nogroups
+#nonewprivs
+#noroot
+#nosound
+#notv
+#nou2f
+#novideo
+#protocol unix,inet,inet6,netlink
+#seccomp
+##seccomp.drop SYSCALLS
+#shell none
+#tracelog
+#disable-mnt
+##private
+#private-bin PROGRAMS
+#private-cache
+#private-dev
+#private-etc FILES
+# private-etc templates (see also #1734)
+#  Internet: ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
+#  Sound: alsa,asound.conf,machine-id,openal,pulse
+#  GTK: dconf,fonts,gtk-2.0,gtk-3.0,pango,xdg
+#  KDE/QT: fonts,kde4rc,kde5rc,ld.so.cache,machine-id,Trolltech.conf,xdg
+#  GUIs: fonts
+#  Alternatives: alternatives
+##private-lib LIBS
+##private-opt NAME
+#private-tmp
+##env VAR=VALUE
+#memory-deny-write-execute
+##read-only ${HOME}
+##join-or-start NAME
diff --git a/etc/templates/redirect_alias-profile.template b/etc/templates/redirect_alias-profile.template
new file mode 100644
index 000000000..0a0788e96
--- /dev/null
+++ b/etc/templates/redirect_alias-profile.template
@@ -0,0 +1,43 @@
+# Firejail profile for PROGRAM_NAME
+# Description: DESCRIPTION
+# This file is overwritten after every install/update
+# Persistent local customizations
+include PROFILE.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+#NOTE: let include globals.local commented
+# For more informations see profile.template
+# Ignore something that is in the included profile
+#ignore net none
+#ignore private-bin
+#ignore seccomp
+#...
+# Additional noblacklisting (if needed)
+#noblacklist PATH
+# Additional allow includes (if needed)
+# Additional blacklisting (if needed)
+#blacklist PATH
+# Additional whitelisting (if needed)
+#mkdir PATH
+##mkfile PATH
+#whitelist PATH
+# Additional options (if needed)
+# Additional private-options (if needed)
+# Add programs to private-bin (if needed)
+#private-bin PROGRAMS
+# Add files to private-etc (if needed)
+#private-etc FILES
+# Additional special options (if needed)
+# Redirect
+include PROFILE.profile
diff --git a/etc/templates/syscalls.txt b/etc/templates/syscalls.txt
new file mode 100644
index 000000000..2464df9ee
--- /dev/null
+++ b/etc/templates/syscalls.txt
@@ -0,0 +1,43 @@
+Hints for writing seccomp.drop lines
+====================================
+@clock=adjtimex,clock_adjtime,clock_settime,settimeofday,stime
+@module=delete_module,finit_module,init_module
+@raw-io=ioperm,iopl,pciconfig_iobase,pciconfig_read,pciconfig_write,s390_mmio_read,s390_mmio_write
+@reboot=kexec_file_load,kexec_load,reboot
+@swap=swapoff,swapon
+@privileged=@clock,@module,@raw-io,@reboot,@swap,acct,bpf,chroot,mount,nfsservctl,pivot_root,setdomainname,sethostname,umount2,vhangup
+@cpu-emulation=modify_ldt,subpage_prot,switch_endian,vm86,vm86old
+@debug=lookup_dcookie,perf_event_open,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext
+@obsolete=_sysctl,afs_syscall,bdflush,break,create_module,ftime,get_kernel_syms,getpmsg,gtty,lock,mpx,prof,profil,putpmsg,query_module,security,sgetmask,ssetmask,stty,sysfs,tuxcall,ulimit,uselib,ustat,vserver
+@resources=mbind,migrate_pages,move_pages,set_mempolicy
+@default=@cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,ioprio_set,io_setup,io_submit,kcmp,keyctl,mincore,name_to_handle_at,ni_syscall,open_by_handle_at,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice
+@default-nodebuggers=@default,personality,process_vm_readv,ptrace
+@default-keep=execve,prctl
+---------+----------------+---------------+
+| @clock  | @cpu-emulation | @default-keep |
+| @module | @debug         |               |
+| @raw-io | @obsolete      |               |
+| @reboot | @resources     |               |
+| @swap   |                |               |
+---------+----------------+---------------+
+     :              :
+-------------+     :
+| @privileged |     :
+-------------+     :
+     :              :
+----------+        :
+| @default |........:
+----------+
+    :
+----------------------+
+| @default-nodebuggers |
+----------------------+
diff --git a/etc/terasology.profile b/etc/terasology.profile
index 43865b6fb..2a7212395 100644
--- a/etc/terasology.profile
+++ b/etc/terasology.profile
@@ -5,17 +5,17 @@ include terasology.local
 # Persistent global definitions
 include globals.local
+ignore noexec /tmp
 noblacklist ${HOME}/.java
 noblacklist ${HOME}/.local/share/terasology
-# Allow access to java
+# Allow java (blacklisted by disable-devel.inc)
-noblacklist ${PATH}/java
+include allow-java.inc
-noblacklist /usr/lib/java
-noblacklist /etc/java
-noblacklist /usr/share/java
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -46,5 +46,3 @@ disable-mnt
 private-dev
 private-etc alternatives,asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl,java-8-openjdk,java-7-openjdk,pki,crypto-policies
 private-tmp
-noexec ${HOME}
diff --git a/etc/torbrowser-launcher.profile b/etc/torbrowser-launcher.profile
index c7c810cda..ff4a85871 100644
--- a/etc/torbrowser-launcher.profile
+++ b/etc/torbrowser-launcher.profile
@@ -12,12 +12,8 @@ noblacklist ${HOME}/.config/torbrowser
 noblacklist ${HOME}/.local/share/torbrowser
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/transgui.profile b/etc/transgui.profile
index 8043bfa01..0d09cef87 100644
--- a/etc/transgui.profile
+++ b/etc/transgui.profile
@@ -2,7 +2,7 @@
 # Description: Cross-platform Transmission BitTorrent client
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/transgui.local
+include transgui.local
 # Persistent global definitions
 include globals.local
diff --git a/etc/transmission-daemon.profile b/etc/transmission-daemon.profile
index c67200826..9a6052ada 100644
--- a/etc/transmission-daemon.profile
+++ b/etc/transmission-daemon.profile
@@ -1,5 +1,5 @@
 # Firejail profile for transmission-daemon
-# Description:  Fast, easy and free BitTorrent client (daemon)
+# Description: Fast, easy and free BitTorrent client (daemon)
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations
diff --git a/etc/transmission-remote-cli.profile b/etc/transmission-remote-cli.profile
index 3e3ad1a07..7b7a47f14 100644
--- a/etc/transmission-remote-cli.profile
+++ b/etc/transmission-remote-cli.profile
@@ -8,12 +8,8 @@ include transmission-remote-cli.local
 #include globals.local
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 mkdir ${HOME}/.cache/transmission
 mkdir ${HOME}/.config/transmission
diff --git a/etc/tuxguitar.profile b/etc/tuxguitar.profile
index 1b657d083..3111a1e22 100644
--- a/etc/tuxguitar.profile
+++ b/etc/tuxguitar.profile
@@ -11,11 +11,8 @@ noblacklist ${HOME}/.tuxguitar*
 noblacklist ${DOCUMENTS}
 noblacklist ${MUSIC}
-# Allow access to java
+# Allow java (blacklisted by disable-devel.inc)
-noblacklist ${PATH}/java
+include allow-java.inc
-noblacklist /usr/lib/java
-noblacklist /etc/java
-noblacklist /usr/share/java
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/unbound.profile b/etc/unbound.profile
index 6e4b5ed1c..8e7a4a8a8 100644
--- a/etc/unbound.profile
+++ b/etc/unbound.profile
@@ -6,11 +6,11 @@ include unbound.local
 # Persistent global definitions
 include globals.local
-blacklist /tmp/.X11-unix
 noblacklist /sbin
 noblacklist /usr/sbin
+blacklist /tmp/.X11-unix
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
diff --git a/etc/unrar.profile b/etc/unrar.profile
index 7fe37f061..5b55f30d2 100644
--- a/etc/unrar.profile
+++ b/etc/unrar.profile
@@ -5,21 +5,34 @@ quiet
 # Persistent local customizations
 include unrar.local
 # Persistent global definitions
-# added by included profile
+include globals.local
-#include globals.local
 blacklist /tmp/.X11-unix
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+caps.drop all
 hostname unrar
-ignore noroot
+ipc-namespace
+machine-id
 net none
 no3d
 nodbus
 nodvd
+#nogroups
+nonewprivs
+#noroot
 nosound
 notv
 nou2f
 novideo
+protocol unix
+seccomp
 shell none
 tracelog
@@ -27,5 +40,3 @@ private-bin unrar
 private-dev
 private-etc alternatives,passwd,group,localtime
 private-tmp
-include default.profile
diff --git a/etc/unzip.profile b/etc/unzip.profile
index be6b6c321..79b41f9d8 100644
--- a/etc/unzip.profile
+++ b/etc/unzip.profile
@@ -5,29 +5,41 @@ quiet
 # Persistent local customizations
 include unzip.local
 # Persistent global definitions
-# added by included profile
+include globals.local
-#include globals.local
+# GNOME Shell integration (chrome-gnome-shell)
+noblacklist ${HOME}/.local/share/gnome-shell
 blacklist /tmp/.X11-unix
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+caps.drop all
 hostname unzip
-ignore noroot
+ipc-namespace
+machine-id
 net none
 no3d
 nodbus
 nodvd
+#nogroups
+nonewprivs
+noroot
 nosound
 notv
 nou2f
 novideo
+protocol unix
+seccomp
 shell none
 tracelog
 private-bin unzip
+private-cache
 private-dev
 private-etc alternatives,passwd,group,localtime
-# GNOME Shell integration (chrome-gnome-shell)
-noblacklist ${HOME}/.local/share/gnome-shell
-include default.profile
diff --git a/etc/uudeview.profile b/etc/uudeview.profile
index 859656fa5..53fad0ba5 100644
--- a/etc/uudeview.profile
+++ b/etc/uudeview.profile
@@ -5,18 +5,31 @@ quiet
 # Persistent local customizations
 include uudeview.local
 # Persistent global definitions
-# added by included profile
+include globals.local
-#include globals.local
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+caps.drop all
 hostname uudeview
-ignore noroot
+ipc-namespace
+machine-id
 net none
 nodbus
 nodvd
+#nogroups
+nonewprivs
+#noroot
 nosound
 notv
 nou2f
 novideo
+protocol unix
+seccomp
 shell none
 tracelog
@@ -24,5 +37,3 @@ private-bin uudeview
 private-cache
 private-dev
 private-etc alternatives,ld.so.preload
-include default.profile
diff --git a/etc/uzbl-browser.profile b/etc/uzbl-browser.profile
index dbee819cd..d4e54235b 100644
--- a/etc/uzbl-browser.profile
+++ b/etc/uzbl-browser.profile
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.local/share/uzbl
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/viewnior.profile b/etc/viewnior.profile
index f9fb1cefe..943719e75 100644
--- a/etc/viewnior.profile
+++ b/etc/viewnior.profile
@@ -6,12 +6,12 @@ include viewnior.local
 # Persistent global definitions
 include globals.local
-blacklist ${HOME}/.bashrc
 noblacklist ${HOME}/.Steam
 noblacklist ${HOME}/.config/viewnior
 noblacklist ${HOME}/.steam
+blacklist ${HOME}/.bashrc
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/w3m.profile b/etc/w3m.profile
index 143ac4f63..d577932e3 100644
--- a/etc/w3m.profile
+++ b/etc/w3m.profile
@@ -6,10 +6,10 @@ include w3m.local
 # Persistent global definitions
 include globals.local
-blacklist /tmp/.X11-unix
 noblacklist ${HOME}/.w3m
+blacklist /tmp/.X11-unix
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
diff --git a/etc/wget.profile b/etc/wget.profile
index a7ef32e2c..ff10b2316 100644
--- a/etc/wget.profile
+++ b/etc/wget.profile
@@ -7,11 +7,11 @@ include wget.local
 # Persistent global definitions
 include globals.local
-blacklist /tmp/.X11-unix
 noblacklist ${HOME}/.wget-hsts
 noblacklist ${HOME}/.wgetrc
+blacklist /tmp/.X11-unix
 include disable-common.inc
 include disable-exec.inc
 include disable-passwdmgr.inc
diff --git a/etc/wire-desktop.profile b/etc/wire-desktop.profile
index 3953de614..7c545d08f 100644
--- a/etc/wire-desktop.profile
+++ b/etc/wire-desktop.profile
@@ -16,7 +16,6 @@ include disable-programs.inc
 mkdir ${HOME}/.config/Wire
 whitelist ${HOME}/.config/Wire
 whitelist ${DOWNLOADS}
 include whitelist-common.inc
 caps.drop all
diff --git a/etc/wireshark.profile b/etc/wireshark.profile
index 9b9757cd5..b44eae128 100644
--- a/etc/wireshark.profile
+++ b/etc/wireshark.profile
@@ -10,11 +10,8 @@ noblacklist ${HOME}/.config/wireshark
 noblacklist ${HOME}/.wireshark
 noblacklist ${DOCUMENTS}
-# Wireshark can use Lua for scripting
+# Allow lua (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/lua*
+include allow-lua.inc
-noblacklist /usr/lib/lua
-noblacklist /usr/include/lua*
-noblacklist /usr/share/lua
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/xed.profile b/etc/xed.profile
index cce0432a4..9a7806b19 100644
--- a/etc/xed.profile
+++ b/etc/xed.profile
@@ -9,12 +9,8 @@ noblacklist ${HOME}/.config/xed
 noblacklist ${HOME}/.pythonrc.py
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/xiphos.profile b/etc/xiphos.profile
index 33056395e..043e513bd 100644
--- a/etc/xiphos.profile
+++ b/etc/xiphos.profile
@@ -6,11 +6,11 @@ include xiphos.local
 # Persistent global definitions
 include globals.local
-blacklist ${HOME}/.bashrc
 noblacklist ${HOME}/.sword
 noblacklist ${HOME}/.xiphos
+blacklist ${HOME}/.bashrc
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -18,6 +18,8 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+mkdir ${HOME}/.sword
+mkdir ${HOME}/.xiphos
 whitelist ${HOME}/.sword
 whitelist ${HOME}/.xiphos
 include whitelist-common.inc
diff --git a/etc/xlinks.profile b/etc/xlinks.profile
new file mode 100644
index 000000000..ad1511791
--- /dev/null
+++ b/etc/xlinks.profile
@@ -0,0 +1,18 @@
+# Firejail profile for xlinks
+# Description: Text WWW browser (X11)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xlinks.local
+noblacklist /tmp/.X11-unix
+noblacklist ${HOME}/.links
+include whitelist-common.inc
+# if you want to use user-configured programs add 'private-bin PROGRAM1,PROGRAM2'
+# to your xlinks.local or append 'PROGRAM1,PROGRAM2' to this private-bin line
+private-bin xlinks
+private-etc fonts
+# Redirect
+include links.profile
diff --git a/etc/xplayer.profile b/etc/xplayer.profile
index b4932c99e..5f4e3bf4c 100644
--- a/etc/xplayer.profile
+++ b/etc/xplayer.profile
@@ -11,12 +11,8 @@ noblacklist ${MUSIC}
 noblacklist ${VIDEOS}
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/xpra.profile b/etc/xpra.profile
index d967c1da2..dc8d7a665 100644
--- a/etc/xpra.profile
+++ b/etc/xpra.profile
@@ -8,21 +8,15 @@ include globals.local
 #
 # This profile will sandbox Xpra server itself when used with firejail --x11=xpra.
-# To enable it, create a firejail-xpra  symlink in /usr/local/bin:
+# To enable it, create a firejail-xpra symlink in /usr/local/bin:
 #
 #    $ sudo ln -s /usr/bin/firejail /usr/local/bin/xpra
 #
 # or run "sudo firecfg"
-blacklist /media
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
@@ -49,6 +43,7 @@ protocol unix
 seccomp
 shell none
+disable-mnt
 # private home directory doesn't work on some distros, so we go for a regular home
 # private
 # older Xpra versions also use Xvfb
diff --git a/etc/xzdec.profile b/etc/xzdec.profile
index a1f265c1e..3adaa557c 100644
--- a/etc/xzdec.profile
+++ b/etc/xzdec.profile
@@ -5,23 +5,34 @@ quiet
 # Persistent local customizations
 include xzdec.local
 # Persistent global definitions
-# added by included profile
+include globals.local
-#include globals.local
 blacklist /tmp/.X11-unix
-ignore noroot
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+caps.drop all
+ipc-namespace
+machine-id
 net none
 no3d
 nodbus
 nodvd
+#nogroups
+nonewprivs
+#noroot
 nosound
 notv
 nou2f
 novideo
+protocol unix
+seccomp
 shell none
 tracelog
 private-dev
-include default.profile
diff --git a/etc/yelp.profile b/etc/yelp.profile
new file mode 100644
index 000000000..66f094e1d
--- /dev/null
+++ b/etc/yelp.profile
@@ -0,0 +1,51 @@
+# Firejail profile for yelp
+# Description: Help browser for the GNOME desktop
+# This file is overwritten after every install/update
+# Persistent local customizations
+include yelp.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/yelp
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.config/yelp
+whitelist ${HOME}/.config/yelp
+include whitelist-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin yelp
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,crypto-policies,cups,dconf,drirc,fonts,gcrypt,gtk-3.0,machine-id,openal,os-release,pulse,sgml,xml
+private-tmp
+# read-only ${HOME} breaks some not necesarry featrues, comment it if
+# you need them or put 'ignore read-only ${HOME}' into your yelp.local.
+# broken features:
+#  1. yelp --editor-mode
+#  2. saving the window geometry
+read-only ${HOME}
diff --git a/etc/youtube-dl.profile b/etc/youtube-dl.profile
index 621ffb2b0..1c2bad51c 100644
--- a/etc/youtube-dl.profile
+++ b/etc/youtube-dl.profile
@@ -7,20 +7,16 @@ include youtube-dl.local
 # Persistent global definitions
 include globals.local
+# breaks when installed via pip
+ignore noexec ${HOME}
 noblacklist ${HOME}/.netrc
 noblacklist ${MUSIC}
 noblacklist ${VIDEOS}
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
-# breaks when installed via pip
-ignore noexec ${HOME}
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/zaproxy.profile b/etc/zaproxy.profile
index dc3164da1..0598ea18d 100644
--- a/etc/zaproxy.profile
+++ b/etc/zaproxy.profile
@@ -9,11 +9,8 @@ include globals.local
 noblacklist ${HOME}/.java
 noblacklist ${HOME}/.ZAP
-# Allow access to java
+# Allow java (blacklisted by disable-devel.inc)
-noblacklist ${PATH}/java
+include allow-java.inc
-noblacklist /usr/lib/java
-noblacklist /etc/java
-noblacklist /usr/share/java
 include disable-common.inc
 include disable-devel.inc
@@ -22,6 +19,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+mkdir ${HOME}/.java
 mkdir ${HOME}/.ZAP
 whitelist ${HOME}/.java
 whitelist ${HOME}/.ZAP
diff --git a/etc/zoom.profile b/etc/zoom.profile
index 456b197f3..6d312aff6 100644
--- a/etc/zoom.profile
+++ b/etc/zoom.profile
@@ -13,6 +13,8 @@ include disable-devel.inc
 include disable-interpreters.inc
 include disable-programs.inc
+mkdir ${HOME}/.cache/zoom
+mkfile ${HOME}/.config/zoomus.conf
 mkdir ${HOME}/.zoom
 whitelist ${HOME}/.cache/zoom
 whitelist ${HOME}/.config/zoomus.conf
diff --git a/etc/zpaq.profile b/etc/zpaq.profile
index 6d4501e4f..6bf3605eb 100644
--- a/etc/zpaq.profile
+++ b/etc/zpaq.profile
@@ -10,6 +10,5 @@ include zpaq.local
 # mdwx breaks 'list' functionality
 ignore memory-deny-write-execute
 # Redirect
 include cpio.profile
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 65605edb3..d21abbc9a 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -132,7 +132,6 @@ deluge
 devhelp
 dex2jar
 dia
-dig
 digikam
 dillo
 dino
@@ -187,8 +186,8 @@ firefox-developer-edition
 firefox-esr
 firefox-nightly
 firefox-wayland
-flameshot
 flacsplt
+flameshot
 flashpeak-slimjet
 flowblade
 font-manager
@@ -306,6 +305,8 @@ kid3
 kid3-cli
 kid3-qt
 kino
+klatexformula
+klatexformula_cmdl
 klavaro
 kmail
 knotes
@@ -315,6 +316,7 @@ kopete
 krita
 # krunner
 ktorrent
+ktouch
 # kwin_x11
 kwrite
 leafpad
@@ -322,6 +324,7 @@ less
 libreoffice
 liferea
 lincity-ng
+links
 linphone
 lmms
 lobase
@@ -422,6 +425,7 @@ opera-beta
 orage
 ostrichriders
 palemoon
+pandoc
 parole
 patch
 pavucontrol
@@ -450,6 +454,7 @@ pybitmessage
 # pycharm-professional
 qbittorrent
 qemu-launcher
+qgis
 qlipper
 qmmp
 qpdfview
@@ -622,6 +627,7 @@ xfce4-dict
 xfce4-mixer
 xfce4-notes
 xiphos
+xlinks
 xmms
 xmr-stak
 xonotic
@@ -637,6 +643,7 @@ xreader-previewer
 xreader-thumbnailer
 xviewer
 yandex-browser
+yelp
 youtube-dl
 zaproxy
 zart
diff --git a/src/firecfg/firecfg.h b/src/firecfg/firecfg.h
index e847719cf..71e5d625d 100644
--- a/src/firecfg/firecfg.h
+++ b/src/firecfg/firecfg.h
@@ -17,6 +17,8 @@
 * with this program; if not, write to the Free Software Foundation, Inc.,
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
+#ifndef FIRECFG_H
+#define FIRECFG_H
 #define _GNU_SOURCE
 #include <stdio.h>
 #include <sys/types.h>
@@ -48,3 +50,5 @@ void sound(void);
 // desktop_files.c
 void fix_desktop_files(char *homedir);
+#endif
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index e0f3a6a16..fd6cb9ff2 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -283,6 +283,7 @@ extern int arg_private_srv;	// private srv directory
 extern int arg_private_bin;     // private bin directory
 extern int arg_private_tmp;     // private tmp directory
 extern int arg_private_lib;     // private lib directory
+extern int arg_private_cwd;     // private working directory
 extern int arg_scan;            // arp-scan all interfaces
 extern int arg_whitelist;       // whitelist command
 extern int arg_nosound; // disable sound
@@ -315,6 +316,7 @@ extern int arg_notv;	// --notv
 extern int arg_nodvd;   // --nodvd
 extern int arg_nou2f;   // --nou2f
 extern int arg_nodbus; // -nodbus
+extern int arg_deterministic_exit_code; // always exit with first child's exit status
 extern int login_shell;
 extern int parent_to_child_fds[2];
@@ -521,6 +523,8 @@ void fs_private(void);
 void fs_private_homedir(void);
 // check new private home directory (--private= option) - exit if it fails
 void fs_check_private_dir(void);
+// check new private working directory (--private-cwd= option) - exit if it fails
+void fs_check_private_cwd(const char *dir);
 void fs_private_home_list(void);
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
index b44d09acc..3f6d78db4 100644
--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -370,6 +370,21 @@ void fs_check_private_dir(void) {
        }
 }
+// check new private working directory (--private-cwd= option) - exit if it fails
+void fs_check_private_cwd(const char *dir) {
+        EUID_ASSERT();
+        invalid_filename(dir, 0); // no globbing
+        // Expand the working directory
+        cfg.cwd = expand_macros(dir);
+        // realpath/is_dir not used because path may not exist outside of jail
+        if (strstr(cfg.cwd, "..")) {
+                fprintf(stderr, "Error: invalid private working directory\n");
+                exit(1);
+        }
+}
 //***********************************************************************************
 // --private-home
 //***********************************************************************************
diff --git a/src/firejail/main.c b/src/firejail/main.c
index f3dc72944..c50ed4dc4 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -92,6 +92,7 @@ int arg_private_srv = 0;			// private srv directory
 int arg_private_bin = 0;                        // private bin directory
 int arg_private_tmp = 0;                        // private tmp directory
 int arg_private_lib = 0;                        // private lib directory
+int arg_private_cwd = 0;                        // private working directory
 int arg_scan = 0;                               // arp-scan all interfaces
 int arg_whitelist = 0;                          // whitelist command
 int arg_nosound = 0;                            // disable sound
@@ -125,6 +126,7 @@ int arg_notv = 0;	// --notv
 int arg_nodvd = 0; // --nodvd
 int arg_nodbus = 0; // -nodbus
 int arg_nou2f = 0; // --nou2f
+int arg_deterministic_exit_code = 0;    // always exit with first child's exit status
 int login_shell = 0;
@@ -630,6 +632,10 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
        else if (strncmp(argv[i], "--get=", 6) == 0) {
                if (checkcfg(CFG_FILE_TRANSFER)) {
                        logargs(argc, argv);
+                        if (arg_private_cwd) {
+                                fprintf(stderr, "Error: --get and --private-cwd options are mutually exclusive\n");
+                                exit(1);
+                        }
                        // verify path
                        if ((i + 2) != argc) {
@@ -654,6 +660,10 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
        else if (strncmp(argv[i], "--put=", 6) == 0) {
                if (checkcfg(CFG_FILE_TRANSFER)) {
                        logargs(argc, argv);
+                        if (arg_private_cwd) {
+                                fprintf(stderr, "Error: --put and --private-cwd options are mutually exclusive\n");
+                                exit(1);
+                        }
                        // verify path
                        if ((i + 3) != argc) {
@@ -684,6 +694,10 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
        else if (strncmp(argv[i], "--ls=", 5) == 0) {
                if (checkcfg(CFG_FILE_TRANSFER)) {
                        logargs(argc, argv);
+                        if (arg_private_cwd) {
+                                fprintf(stderr, "Error: --ls and --private-cwd options are mutually exclusive\n");
+                                exit(1);
+                        }
                        // verify path
                        if ((i + 2) != argc) {
@@ -1773,6 +1787,19 @@ int main(int argc, char **argv) {
                        else
                                exit_err_feature("private-cache");
                }
+                else if (strcmp(argv[i], "--private-cwd") == 0) {
+                        cfg.cwd = NULL;
+                        arg_private_cwd = 1;
+                }
+                else if (strncmp(argv[i], "--private-cwd=", 14) == 0) {
+                        if (*(argv[i] + 14) == '\0') {
+                                fprintf(stderr, "Error: invalid private-cwd option\n");
+                                exit(1);
+                        }
+                        fs_check_private_cwd(argv[i] + 14);
+                        arg_private_cwd = 1;
+                }
                //*************************************
                // hostname, etc
@@ -2275,6 +2302,9 @@ int main(int argc, char **argv) {
                                return 1;
                        }
                }
+                else if (strcmp(argv[i], "--deterministic-exit-code") == 0) {
+                        arg_deterministic_exit_code = 1;
+                }
                else {
                        // double dash - positional params to follow
                        if (strcmp(argv[i], "--") == 0) {
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index c8619f7e2..99d83c16a 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -338,7 +338,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                arg_private = 1;
                return 0;
        }
-        if (strncmp(ptr, "private-home ", 13) == 0) {
+        else if (strncmp(ptr, "private-home ", 13) == 0) {
 #ifdef HAVE_PRIVATE_HOME
                if (checkcfg(CFG_PRIVATE_HOME)) {
                        if (cfg.home_private_keep) {
@@ -353,6 +353,16 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 #endif
                return 0;
        }
+        else if (strcmp(ptr, "private-cwd") == 0) {
+                cfg.cwd = NULL;
+                arg_private_cwd = 1;
+                return 0;
+        }
+        else if (strncmp(ptr, "private-cwd ", 12) == 0) {
+                fs_check_private_cwd(ptr + 12);
+                arg_private_cwd = 1;
+                return 0;
+        }
        else if (strcmp(ptr, "allusers") == 0) {
                arg_allusers = 1;
                return 0;
@@ -1301,6 +1311,11 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                return 0;
        }
+        if (strcmp(ptr, "deterministic-exit-code") == 0) {
+                arg_deterministic_exit_code = 1;
+                return 0;
+        }
        // rest of filesystem
        if (strncmp(ptr, "blacklist ", 10) == 0)
                ptr += 10;
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 9f0a5f25c..2c5c5fc12 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -271,6 +271,7 @@ static int monitor_application(pid_t app_pid) {
        }
        int status = 0;
+        int app_status = 0;
        while (monitored_pid) {
                usleep(20000);
                char *msg;
@@ -295,6 +296,8 @@ static int monitor_application(pid_t app_pid) {
                                sleep(1);
                                break;
                        }
+                        else if (rv == app_pid)
+                                app_status = status;
                        // handle --timeout
                        if (options) {
@@ -352,8 +355,8 @@ static int monitor_application(pid_t app_pid) {
                        printf("Sandbox monitor: monitoring %d\n", monitored_pid);
        }
-        // return the latest exit status.
+        // return the appropriate exit status.
-        return status;
+        return arg_deterministic_exit_code ? app_status : status;
 }
 static void print_time(void) {
@@ -1016,6 +1019,10 @@ int sandbox(void* sandbox_arg) {
        if (cfg.cwd) {
                if (chdir(cfg.cwd) == 0)
                        cwd = 1;
+                else if (arg_private_cwd) {
+                        fprintf(stderr, "Error: unable to enter private working directory: %s: %s\n", cfg.cwd, strerror(errno));
+                        exit(1);
+                }
        }
        if (!cwd) {
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 7620bba82..fbace7374 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -66,6 +66,7 @@ static char *usage_str =
 #ifdef HAVE_NETWORK
        "    --defaultgw=address - configure default gateway.\n"
 #endif
+        "    --deterministic-exit-code - always exit with first child's status code.\n"
        "    --dns=address - set DNS server.\n"
        "    --dns.print=name|pid - print DNS configuration.\n"
        "    --env=name=value - set environment variable.\n"
@@ -162,6 +163,8 @@ static char *usage_str =
        "    --private-etc=file,directory - build a new /etc in a temporary\n"
        "\tfilesystem, and copy the files and directories in the list.\n"
        "    --private-tmp - mount a tmpfs on top of /tmp directory.\n"
+        "    --private-cwd - do not inherit working directory inside jail.\n"
+        "    --private-cwd=directory - set working directory inside jail.\n"
        "    --private-opt=file,directory - build a new /opt in a temporary filesystem.\n"
        "    --private-srv=file,directory - build a new /srv in a temporary filesystem.\n"
        "    --profile=filename|profile_name - use a custom profile.\n"
diff --git a/src/firemon/firemon.c b/src/firemon/firemon.c
index e5f1b6f9a..b3c435d9e 100644
--- a/src/firemon/firemon.c
+++ b/src/firemon/firemon.c
@@ -83,7 +83,9 @@ int find_child(int id) {
                        return i;
        }
-        return -1;
+        // if a second child is not found, return the first child pid
+        // this happens for processes sandboxed with --join
+        return first_child;
 }
 // sleep and wait for a key to be pressed
diff --git a/src/include/rundefs.h b/src/include/rundefs.h
index 67d7cfa4f..67c693dce 100644
--- a/src/include/rundefs.h
+++ b/src/include/rundefs.h
@@ -51,13 +51,13 @@
 #define RUN_DNS_ETC     "/run/firejail/mnt/dns-etc"
 #define RUN_SECCOMP_DIR "/run/firejail/mnt/seccomp"
-#define RUN_SECCOMP_LIST        "/run/firejail/mnt/seccomp/seccomp.list"        // list of seccomp files installed
+#define RUN_SECCOMP_LIST        (RUN_SECCOMP_DIR "/seccomp.list")       // list of seccomp files installed
-#define RUN_SECCOMP_PROTOCOL    "/run/firejail/mnt/seccomp/seccomp.protocol"    // protocol filter
+#define RUN_SECCOMP_PROTOCOL    (RUN_SECCOMP_DIR "/seccomp.protocol")   // protocol filter
-#define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp/seccomp"                     // configured filter
+#define RUN_SECCOMP_CFG (RUN_SECCOMP_DIR "/seccomp")                    // configured filter
-#define RUN_SECCOMP_32          "/run/firejail/mnt/seccomp/seccomp.32"          // 32bit arch filter installed on 64bit architectures
+#define RUN_SECCOMP_32          (RUN_SECCOMP_DIR "/seccomp.32")         // 32bit arch filter installed on 64bit architectures
-#define RUN_SECCOMP_MDWX        "/run/firejail/mnt/seccomp/seccomp.mdwx"                // filter for memory-deny-write-execute
+#define RUN_SECCOMP_MDWX        (RUN_SECCOMP_DIR "/seccomp.mdwx")               // filter for memory-deny-write-execute
-#define RUN_SECCOMP_BLOCK_SECONDARY     "/run/firejail/mnt/seccomp/seccomp.block_secondary"     // secondary arch blocking filter
+#define RUN_SECCOMP_BLOCK_SECONDARY     (RUN_SECCOMP_DIR "/seccomp.block_secondary")    // secondary arch blocking filter
-#define RUN_SECCOMP_POSTEXEC    "/run/firejail/mnt/seccomp/seccomp.postexec"            // filter for post-exec library
+#define RUN_SECCOMP_POSTEXEC    (RUN_SECCOMP_DIR "/seccomp.postexec")           // filter for post-exec library
 #define PATH_SECCOMP_DEFAULT (LIBDIR "/firejail/seccomp")                       // default filter built during make
 #define PATH_SECCOMP_DEFAULT_DEBUG (LIBDIR "/firejail/seccomp.debug")   // default filter built during make
 #define PATH_SECCOMP_32 (LIBDIR "/firejail/seccomp.32")                 // 32bit arch filter built during make
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 703fac30f..8c9989970 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -288,6 +288,12 @@ All modifications are discarded when the sandbox is closed.
 \fBprivate-tmp
 Mount an empty temporary filesystem on top of /tmp directory whitelisting /tmp/.X11-unix.
 .TP
+\fBprivate-cwd
+Set working directory inside jail to the home directory, and failing that, the root directory.
+.TP
+\fBprivate-cwd directory
+Set working directory inside the jail.
+.TP
 \fBread-only file_or_directory
 Make directory or file read-only.
 .TP
@@ -661,6 +667,10 @@ instead of the default one.
 Join the sandbox identified by name or start a new one.
 Same as "firejail --join=sandboxname" command if sandbox with specified name exists, otherwise same as "name sandboxname".
+.TP
+\fBdeterministic-exit-code
+Always exit firejail with the first child's exit status. The default behavior is to use the exit status of the final child to exit, which can be nondeterministic.
 .SH FILES
 /etc/firejail/filename.profile, $HOME/.config/firejail/filename.profile
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index e6826448b..67b84de0e 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -410,6 +410,10 @@ Example:
 $ firejail \-\-disable-mnt firefox
 .TP
+\fB\-\-deterministic-exit-code
+Always exit firejail with the first child's exit status. The default behavior is to use the exit status of the final child to exit, which can be nondeterministic.
+.TP
 \fB\-\-dns=address
 Set a DNS server for the sandbox. Up to three DNS servers can be defined.
 Use this option if you don't trust the DNS setup on your network.
@@ -1568,6 +1572,48 @@ drwx------  2 nobody nogroup 4096 Apr 30 10:52 pulse-PKdhtXMmr18n
 drwxrwxrwt  2 nobody nogroup 4096 Apr 30 10:52 .X11-unix
 .br
+.TP
+\fB\-\-private-cwd
+Set working directory inside jail to the home directory, and failing that, the root directory.
+.br
+Does not impact working directory of profile include paths.
+.br
+.br
+Example:
+.br
+$ pwd
+.br
+/tmp
+.br
+$ firejail \-\-private-cwd
+.br
+$ pwd
+.br
+/home/user
+.br
+.TP
+\fB\-\-private-cwd=directory
+Set working directory inside the jail.
+.br
+Does not impact working directory of profile include paths.
+.br
+.br
+Example:
+.br
+$ pwd
+.br
+/tmp
+.br
+$ firejail \-\-private-cwd=/opt
+.br
+$ pwd
+.br
+/opt
+.br
 .TP
 \fB\-\-profile=filename_or_profilename
diff --git a/test/environment/deterministic-exit-code.exp b/test/environment/deterministic-exit-code.exp
new file mode 100755
index 000000000..165b9ebe0
--- /dev/null
+++ b/test/environment/deterministic-exit-code.exp
@@ -0,0 +1,55 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2019 Firejail Authors
+# License GPL v2
+set timeout 4
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "({ nohup bash -c \"sleep 0.2; exit 53\" &> /dev/null & } &)\r"
+send -- "exit 35\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Parent is shutting down"
+}
+after 300
+send -- "echo $?\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "53"
+}
+after 100
+send -- "firejail --deterministic-exit-code\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "({ nohup bash -c \"sleep 0.2; exit 53\" &> /dev/null & } &)\r"
+send -- "exit 35\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Parent is shutting down"
+}
+after 300
+send -- "echo $?\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "35"
+}
+after 100
+puts "\nall done\n"
diff --git a/test/environment/environment.sh b/test/environment/environment.sh
index 85d6c0873..5b4aa32f4 100755
--- a/test/environment/environment.sh
+++ b/test/environment/environment.sh
@@ -116,3 +116,6 @@ echo "TESTING: rlimit errors (test/environment/rlimit-bad.exp)"
 echo "TESTING: rlimit errors profile (test/environment/rlimit-bad-profile.exp)"
 ./rlimit-bad-profile.exp
+echo "TESTING: deterministic exit code (test/environment/deterministic-exit-code.exp"
+./deterministic-exit-code.exp
diff --git a/test/environment/rlimit.profile b/test/environment/rlimit.profile
index a57471604..a569edc6d 100644
--- a/test/environment/rlimit.profile
+++ b/test/environment/rlimit.profile
@@ -1,5 +1,5 @@
-  rlimit-fsize 1024
+rlimit-fsize 1024
 rlimit-nproc 1000
-        rlimit-nofile   500
+rlimit-nofile 500
-rlimit-sigpending       200
+rlimit-sigpending 200
 rlimit-as 123456789012
diff --git a/test/fs/fs.sh b/test/fs/fs.sh
index 0fc216b20..7e1d46f0a 100755
--- a/test/fs/fs.sh
+++ b/test/fs/fs.sh
@@ -69,6 +69,9 @@ echo "TESTING: empty private-etc (test/fs/private-etc-empty.exp)"
 echo "TESTING: private-bin (test/fs/private-bin.exp)"
 ./private-bin.exp
+echo "TESTING: private-cwd (test/fs/private-cwd.exp)"
+./private-cwd.exp
 echo "TESTING: macros (test/fs/macro.exp)"
 ./macro.exp
diff --git a/test/fs/private-cwd.exp b/test/fs/private-cwd.exp
new file mode 100755
index 000000000..0fa87a92f
--- /dev/null
+++ b/test/fs/private-cwd.exp
@@ -0,0 +1,52 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2019 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "cd /tmp\r"
+after 100
+# testing profile and private
+send -- "firejail --private-cwd\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "pwd\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "$env(HOME)"
+}
+after 100
+send -- "exit\r"
+sleep 1
+send -- "cd /\r"
+after 100
+# testing profile and private
+send -- "firejail --private-cwd=/tmp\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "pwd\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "/tmp"
+}
+after 100
+send -- "exit\r"
+sleep 1
+puts "all done\n"
diff --git a/test/private-lib/private-lib.sh b/test/private-lib/private-lib.sh
index 5e9d75379..79913fed6 100755
--- a/test/private-lib/private-lib.sh
+++ b/test/private-lib/private-lib.sh
@@ -5,7 +5,7 @@
 export MALLOC_CHECK_=3g
 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
-LIST="gnome-logs gnome-system-log gnome-nettool pavucontrol dig whois evince galculator gnome-calculator gedit leafpad mousepad pluma transmission-gtk xcalc atril gpicview eom eog"
+LIST="gnome-logs gnome-system-log gnome-nettool pavucontrol dig evince whois galculator gnome-calculator gedit leafpad mousepad pluma transmission-gtk xcalc atril gpicview eom eog"
 for app in $LIST; do