6 files changed, 38 insertions, 6 deletions

diff --git a/README.md b/README.md
index 0c466a5e5..f39ea1069 100644
--- a/README.md
+++ b/README.md
@@ -294,4 +294,4 @@ Basilisk browser, Tor Browser language packs, PlayOnLinux, sylpheed, discord-can
 pycharm-community, pycharm-professional, Pitivi, OnionShare, Fritzing, Kaffeine, pdfchain,
 tilp, vivaldi-snapshot, bitcoin-qt, VS Code, falkon, gnome-builder, lobase, asunder,
 gnome-recipes, akonadi_control, evince-previewer, evince-thumbnailer, blender-2.8,
-thunderbird-beta
\ No newline at end of file
+thunderbird-beta, ncdu
diff --git a/RELNOTES b/RELNOTES
index b299c5b9b..ace9ec06e 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -30,7 +30,7 @@ firejail (0.9.53) baseline; urgency=low
   * new profiles: pdfchain, tilp, vivaldi-snapshot, bitcoin-qt, kaffeine,
   * new profiles: falkon, gnome-builder, asunder, VS Code, gnome-recipes
   * new profiles: akonadi_controle, evince-previewer, evince-thumbnailer,
-  * new profiles: blender-2.8, thunderbird-beta
+  * new profiles: blender-2.8, thunderbird-beta, ncdu
  -- netblue30 <netblue30@yahoo.com>  Thu, 1 Mar 2018 08:00:00 -0500
 
 firejail (0.9.52) baseline; urgency=low
diff --git a/etc/gnome-recipes.profile b/etc/gnome-recipes.profile
index 2392440a6..2f7657c0c 100644
--- a/etc/gnome-recipes.profile
+++ b/etc/gnome-recipes.profile
@@ -35,7 +35,7 @@ shell none
 disable-mnt
 private-bin gnome-recipes,tar
 private-dev
-private-etc ca-certificates,fonts,ssl
+private-etc ca-certificates,fonts,ssl,crypto-policies,pki
 # private-lib works for me with Gnome Shell 3.26.2, Mutter WM (Arch Linux)
 # not widely tested though, leaving it to devs discretion to enable it later
 #private-lib gdk-pixbuf-2.0,gio,gvfs/libgvfscommon.so,libgconf-2.so.4,libgnutls.so.30,libjpeg.so.8,libp11-kit.so.0,libproxy.so.1,librsvg-2.so.2
diff --git a/etc/ncdu.profile b/etc/ncdu.profile
new file mode 100644
index 000000000..ab79a325e
--- /dev/null
+++ b/etc/ncdu.profile
@@ -0,0 +1,29 @@
+# Firejail profile for ncdu
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/ncdu.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+caps.drop all
+ipc-namespace
+nodbus
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+
+private-dev
+# private-tmp
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/steam.profile b/etc/steam.profile
index 4965d3a54..e6449aa97 100644
--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -32,7 +32,9 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
+#ipc-namespace
 netfilter
+#nodbus
 nodvd
 nogroups
 nonewprivs
@@ -44,10 +46,10 @@ protocol unix,inet,inet6,netlink
 seccomp
 shell none
 # tracelog disabled as it breaks integrated browser
-# tracelog
+#tracelog
 
 # private-dev should be commented for controllers
 private-dev
-# private-etc breaks some games
-#private-etc asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,ld.so.conf,ld.so.conf.d,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl,pki,services,crypto-policies
+# private-etc breaks a small selection of games on some systems, comment to support those
+private-etc asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,ld.so.conf,ld.so.conf.d,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl,pki,services,crypto-policies,alternatives
 private-tmp
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index f2409d67b..2f4884105 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -263,6 +263,7 @@ musescore
 mutt
 natron
 nautilus
+ncdu
 netsurf
 neverball
 nheko