365 files changed, 1806 insertions, 1332 deletions
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index b53b69f75..737003874 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -26,3 +26,10 @@ firejail-profiles was not installed when installing firejail.
 We take security bugs very seriously. If you believe you have found one, please report it by
 emailing us at netblue30@yahoo.com
+# Opening an pull request:
+Pull requests with enhancements, bugfixes or new profiles are very welcome.
+If you want to write a new profile, the easiest way to do this is to use the
+[profile template](https://github.com/netblue30/firejail/blob/master/etc/templates/profile.template).
+If you have already written a profile, please make sure it follows the rules described in the template.
diff --git a/Makefile.in b/Makefile.in
index 0cbbb374c..af57f7d2c 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -121,6 +121,7 @@ endif
        install -c -m 0644 COPYING $(DESTDIR)/$(DOCDIR)/.
        install -c -m 0644 README $(DESTDIR)/$(DOCDIR)/.
        install -c -m 0644 RELNOTES $(DESTDIR)/$(DOCDIR)/.
+        install -c -m 0644 etc/templates/* $(DESTDIR)/$(DOCDIR)/.
        # etc files
        ./mketc.sh $(sysconfdir) $(BUSYBOX_WORKAROUND)
        install -m 0755 -d $(DESTDIR)/$(sysconfdir)/firejail
diff --git a/README b/README
index d6cf5389b..4d488dbae 100644
--- a/README
+++ b/README
@@ -97,7 +97,7 @@ announ (https://github.com/announ)
 Antonio Russo (https://github.com/aerusso)
        - enumerate root directories in apparmor profile
        - fix join-or-start
-Austin Morton
+Austin Morton (https://github.com/apmorton)
        - deterministic-exit-code option
        - private-cwd options
 Austin S. Hemmelgarn (https://github.com/Ferroin)
@@ -193,6 +193,8 @@ Danil Semelenov (https://github.com/sgtpep)
 Dara Adib (https://github.com/daradib)
        - ssh profile fix
        - evince profile fix
+David Thole (https://github.com/TheDarkTrumpet)
+        - added profile for teams-for-linux
 Deelvesh Bunjun (https://github.com/DeelveshBunjun)
        - added xpdf profile
 dewbasaur (https://github.com/dewbasaur)
@@ -378,6 +380,9 @@ Jonas Heinrich (https://github.com/onny)
        - fixed franz profile
 Jose Riha (https://github.com/jose1711)
        - added meteo-qt profile
+        - created qgis, links, xlinks profiles
+        - extended profile.template with comments
+        - some typo and comment fixes in profile.template
 jrabe (https://github.com/jrabe)
        - disallow access to kdbx files
        - Epiphany profile
@@ -565,7 +570,9 @@ rusty-snake (https://github.com/rusty-snake)
        - added profiles: gajim-history-manager, freemind, nomacs, kid3
        - added profiles: kid3-qt, kid3-cli, anki, utox, mp3splt, mp3wrap
        - added profiles: oggsplt, flacsplt, cheese, inkview, mp3splt-gtk
-        - added profiles: ktouch, yelp
+        - added profiles: ktouch, yelp, klatexformula, klatexformula_cmdl
+        - added profiles: pandoc, gnome-sound-recorder, godot, newsbeuter
+        - added profiles: keepassxc-cli, keepassxc-proxy, rhythmbox-client
        - many profile fixing and hardening
        - some typo fixes
        - added profile templates
@@ -703,6 +710,7 @@ Topi Miettinen (https://github.com/topimiettinen)
        - seccomp default list update
        - improve loading of seccomp filter and memory-deny-write-execute feature
        - private-lib feature
+        - make --nodbus block also system D-Bus socket
 user1024 (user1024@tut.by)
        - electron profile whitelisting
        - fixed Rocket.Chat profile
diff --git a/README.md b/README.md
index 0f692006b..46370e6a5 100644
--- a/README.md
+++ b/README.md
@@ -30,6 +30,8 @@ Documentation: https://firejail.wordpress.com/documentation-2/
 FAQ: https://firejail.wordpress.com/support/
+Wiki: https://github.com/netblue30/firejail/wiki
 Travis-CI status: https://travis-ci.org/netblue30/firejail
@@ -99,7 +101,7 @@ If you keep additional Firejail security profiles in a public repository, please
 Use this issue to request new profiles: [#1139](https://github.com/netblue30/firejail/issues/1139)
-You can also use this tool to get a list of syscalls needed by a program: [https://github.com/avilum/syscalls](https://github.com/avilum/syscalls).
+You can also use this tool to get a list of syscalls needed by a program: [contrib/syscalls.sh](contrib/syscalls.sh).
 We also keep a list of profile fixes for previous released versions in [etc-fixes](https://github.com/netblue30/firejail/tree/master/etc-fixes) directory.
 `````
@@ -110,3 +112,5 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe
 ## Current development version: 0.9.61
 ## New profiles:
+klatexformula, klatexformula_cmdl, links, pandoc, qgis, teams-for-linux, xlinks, OpenArena, gnome-sound-recorder, godot, tcpdump, tshark, keepassxc-cli, keepassxc-proxy, newsbeuter, rhythmbox-client
diff --git a/RELNOTES b/RELNOTES
index f060e64a0..0a3a0a011 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,7 +1,11 @@
-firejail (0.9.60) baseline; urgency=low
+firejail (0.9.61) baseline; urgency=low
  * work in progress
  * profile templates
- -- netblue30 <netblue30@yahoo.com>  Sun, 26 May 2019 08:00:00 -0500
+  * new profiles: qgis, klatexformula, klatexformula_cmdl, links, xlinks
+  * new profiles: pandoc, teams-for-linux, OpenArena, gnome-sound-recorder
+  * new profiles: godot, tcpdump, tshark, newsbeuter, keepassxc-cli
+  * new profiles: keepassxc-proxy, rhythmbox-client
+ -- netblue30 <netblue30@yahoo.com>  Sat, 1 Jun 2019 08:00:00 -0500
 firejail (0.9.60) baseline; urgency=low
  * security bug reported by Austin Morton:
diff --git a/contrib/syscalls.sh b/contrib/syscalls.sh
new file mode 100755
index 000000000..9ab6acf5b
--- /dev/null
+++ b/contrib/syscalls.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+STRACE_OUTPUT_FILE="$(pwd)/strace_output.txt"
+SYSCALLS_OUTPUT_FILE="$(pwd)/syscalls.txt"
+if [ $# -eq 0 ]
+then
+echo
+echo "   *** No program specified!!! ***"
+echo    
+echo -e "Make this file executable and execute it as:\\n"
+echo -e "\\e[96m   syscalls.sh /full/path/to/program\\n"
+echo -e "\\e[39mif you saved this script in a directory in your PATH (e.g., in ${HOME}/bin), otherwise as:\\n"
+echo -e "\\e[96m   ./syscalls.sh /full/path/to/program\\n"
+echo -e "\\e[39mUse the full path to the respective program to avoid executing it sandboxed with Firejail\\n(if a Firejail profile for it already exits and 'sudo firecfg' was executed earlier)\\nin order to determine the necessary system calls."
+echo
+exit 0
+else
+strace -cfo "$STRACE_OUTPUT_FILE" "$@" && awk '{print $NF}' "$STRACE_OUTPUT_FILE" | sed '/syscall\|-\|total/d' | sort -u | awk -vORS=, '{ print $1 }' | sed 's/,$/\n/' > "$SYSCALLS_OUTPUT_FILE"
+echo
+echo -e "\e[39mThese are the sorted syscalls:\n\e[93m"
+cat "$SYSCALLS_OUTPUT_FILE"
+echo
+echo -e "\e[39mThe sorted syscalls were saved to:\n\n\e[96m$SYSCALLS_OUTPUT_FILE"
+echo
+exit 0
+fi
diff --git a/etc/7z.profile b/etc/7z.profile
index 44ab377b3..15e99e936 100644
--- a/etc/7z.profile
+++ b/etc/7z.profile
@@ -4,23 +4,33 @@ quiet
 # Persistent local customizations
 include 7z.local
 # Persistent global definitions
-# added by included profile
+include globals.local
-#include globals.local
-blacklist /tmp/.X11-unix
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
-ignore noroot
+caps.drop all
+ipc-namespace
+machine-id
 net none
 no3d
 nodbus
 nodvd
+#nogroups
+nonewprivs
+#noroot
 nosound
 notv
 nou2f
 novideo
+protocol unix
+seccomp
 shell none
 tracelog
+x11 none
 private-dev
-include default.profile
diff --git a/etc/JDownloader.profile b/etc/JDownloader.profile
index d1bd5c9b2..1435f3422 100644
--- a/etc/JDownloader.profile
+++ b/etc/JDownloader.profile
@@ -5,14 +5,10 @@ include JDownloader.local
 # Persistent global definitions
 include globals.local
 noblacklist ${HOME}/.jd
-# Allow access to java
+# Allow java (blacklisted by disable-devel.inc)
-noblacklist ${PATH}/java
+include allow-java.inc
-noblacklist /usr/lib/java
-noblacklist /etc/java
-noblacklist /usr/share/java
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/Mathematica.profile b/etc/Mathematica.profile
index 6aba2678b..c2734b1c1 100644
--- a/etc/Mathematica.profile
+++ b/etc/Mathematica.profile
@@ -16,6 +16,7 @@ include disable-programs.inc
 mkdir ${HOME}/.Mathematica
 mkdir ${HOME}/.Wolfram Research
+mkdir ${HOME}/Documents/Wolfram Mathematica
 whitelist ${HOME}/.Mathematica
 whitelist ${HOME}/.Wolfram Research
 whitelist ${HOME}/Documents/Wolfram Mathematica
diff --git a/etc/QMediathekView.profile b/etc/QMediathekView.profile
index 7cc50da15..ece681c35 100644
--- a/etc/QMediathekView.profile
+++ b/etc/QMediathekView.profile
@@ -45,11 +45,9 @@ shell none
 tracelog
 disable-mnt
-private-bin QMediathekView,mplayer,mpv,smplayer,totem,vlc,xplayer
+private-bin mplayer,mpv,QMediathekView,smplayer,totem,vlc,xplayer
 private-cache
 private-dev
-# private-etc alternatives
-# private-lib
 private-tmp
-# memory-deny-write-execute - breaks on Arch
+#memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/QOwnNotes.profile b/etc/QOwnNotes.profile
index 27ba00857..c774f3a60 100644
--- a/etc/QOwnNotes.profile
+++ b/etc/QOwnNotes.profile
@@ -47,8 +47,8 @@ shell none
 tracelog
 disable-mnt
-private-bin QOwnNotes,gio
+private-bin gio,QOwnNotes
 private-dev
-private-etc alternatives,fonts,ld.so.cache,pulse,resolv.conf,hosts,nsswitch.conf,host.conf,ca-certificates,ssl,pki,crypto-policies
+private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hosts,ld.so.cache,nsswitch.conf,pki,pulse,resolv.conf,ssl
 private-tmp
diff --git a/etc/Viber.profile b/etc/Viber.profile
index 3f3ee8590..ecc500769 100644
--- a/etc/Viber.profile
+++ b/etc/Viber.profile
@@ -5,7 +5,6 @@ include Viber.local
 # Persistent global definitions
 include globals.local
 noblacklist ${HOME}/.ViberPC
 include disable-common.inc
@@ -15,6 +14,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+mkdir ${HOME}/.ViberPC
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.ViberPC
 include whitelist-common.inc
@@ -32,9 +32,8 @@ seccomp
 shell none
 disable-mnt
-private-bin sh,bash,dig,awk,Viber
+private-bin awk,bash,dig,sh,Viber
-private-etc hosts,fonts,mailcap,resolv.conf,X11,pulse,alternatives,localtime,nsswitch.conf,ssl,proxychains.conf,pki,ca-certificates,crypto-policies,machine-id,asound.conf
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hosts,localtime,machine-id,mailcap,nsswitch.conf,pki,proxychains.conf,pulse,resolv.conf,ssl,X11
 private-tmp
 env QTWEBENGINE_DISABLE_SANDBOX=1
diff --git a/etc/XMind.profile b/etc/XMind.profile
index a5b0a864e..7e7c0c3cd 100644
--- a/etc/XMind.profile
+++ b/etc/XMind.profile
@@ -32,7 +32,7 @@ seccomp
 shell none
 disable-mnt
-private-bin XMind,sh,cp
+private-bin cp,sh,XMind
 private-tmp
 private-dev
diff --git a/etc/Xephyr.profile b/etc/Xephyr.profile
index bce6dc6e6..5ef75022b 100644
--- a/etc/Xephyr.profile
+++ b/etc/Xephyr.profile
@@ -7,16 +7,13 @@ include globals.local
 #
 # This profile will sandbox Xephyr server itself when used with firejail --x11=xephyr.
-# To enable it, create a firejail-Xephyr  symlink in /usr/local/bin:
+# To enable it, create a firejail-Xephyr symlink in /usr/local/bin:
 #
 #    $ sudo ln -s /usr/bin/firejail /usr/local/bin/Xephyr
 #
 # or run "sudo firecfg"
 #
-blacklist /media
 whitelist /var/lib/xkb
 include whitelist-common.inc
@@ -34,10 +31,11 @@ protocol unix
 seccomp
 shell none
+disable-mnt
 # using a private home directory
 private
-# private-bin Xephyr,sh,xkbcomp
+# private-bin sh,Xephyr,xkbcomp
-# private-bin Xephyr,sh,xkbcomp,strace,bash,cat,ls
+# private-bin bash,cat,ls,sh,strace,Xephyr,xkbcomp
 private-dev
-# private-etc alternatives,ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname
+# private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,nsswitch.conf,resolv.conf
 #private-tmp
diff --git a/etc/Xvfb.profile b/etc/Xvfb.profile
index ed07485d6..3ecda698e 100644
--- a/etc/Xvfb.profile
+++ b/etc/Xvfb.profile
@@ -9,7 +9,7 @@ include globals.local
 #
 # This profile will sandbox Xvfb server itself when used with firejail --x11=xvfb.
 # The target program is sandboxed with its own profile. By default the this functionality
-# is disabled. To enable it, create a firejail-Xvfb  symlink in /usr/local/bin:
+# is disabled. To enable it, create a firejail-Xvfb symlink in /usr/local/bin:
 #
 #    $ sudo ln -s /usr/bin/firejail /usr/local/bin/Xvfb
 #
@@ -17,8 +17,6 @@ include globals.local
 # some Linux distributions. Also, older versions of Xpra use Xvfb.
 #
-blacklist /media
 whitelist /var/lib/xkb
 include whitelist-common.inc
@@ -36,10 +34,11 @@ protocol unix
 seccomp
 shell none
+disable-mnt
 # using a private home directory
 private
-# private-bin Xvfb,sh,xkbcomp
+# private-bin sh,xkbcomp,Xvfb
-# private-bin Xvfb,sh,xkbcomp,strace,bash,cat,ls
+# private-bin bash,cat,ls,sh,strace,xkbcomp,Xvfb
 private-dev
-private-etc alternatives,ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname
+private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,nsswitch.conf,resolv.conf
 private-tmp
diff --git a/etc/akregator.profile b/etc/akregator.profile
index 2f35c55c0..466eff22d 100644
--- a/etc/akregator.profile
+++ b/etc/akregator.profile
@@ -40,7 +40,7 @@ seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@res
 shell none
 disable-mnt
-private-bin akregator,akregatorstorageexporter,dbus-launch,kdeinit5,kshell5,kdeinit5_shutdown,kdeinit5_wrapper,kdeinit4,kshell4,kdeinit4_shutdown,kdeinit4_wrapper
+private-bin akregator,akregatorstorageexporter,dbus-launch,kdeinit4,kdeinit4_shutdown,kdeinit4_wrapper,kdeinit5,kdeinit5_shutdown,kdeinit5_wrapper,kshell4,kshell5
 private-dev
 private-tmp
diff --git a/etc/allow-java.inc b/etc/allow-java.inc
new file mode 100644
index 000000000..5204d2dea
--- /dev/null
+++ b/etc/allow-java.inc
@@ -0,0 +1,6 @@
+noblacklist ${HOME}/.java
+noblacklist ${PATH}/java
+noblacklist /usr/lib/java
+noblacklist /etc/java
+noblacklist /usr/share/java
diff --git a/etc/allow-lua.inc b/etc/allow-lua.inc
new file mode 100644
index 000000000..51d76f9b1
--- /dev/null
+++ b/etc/allow-lua.inc
@@ -0,0 +1,4 @@
+noblacklist ${PATH}/lua*
+noblacklist /usr/include/lua*
+noblacklist /usr/lib/lua
+noblacklist /usr/share/lua
diff --git a/etc/allow-perl.inc b/etc/allow-perl.inc
new file mode 100644
index 000000000..d37328936
--- /dev/null
+++ b/etc/allow-perl.inc
@@ -0,0 +1,7 @@
+noblacklist ${PATH}/cpan*
+noblacklist ${PATH}/core_perl
+noblacklist ${PATH}/perl
+noblacklist ${PATH}/site_perl
+noblacklist ${PATH}/vendor_perl
+noblacklist /usr/lib/perl*
+noblacklist /usr/share/perl*
diff --git a/etc/allow-python2.inc b/etc/allow-python2.inc
new file mode 100644
index 000000000..8ea61648b
--- /dev/null
+++ b/etc/allow-python2.inc
@@ -0,0 +1,5 @@
+noblacklist ${PATH}/python2*
+noblacklist /usr/include/python2*
+noblacklist /usr/lib/python2*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/share/python2*
diff --git a/etc/allow-python3.inc b/etc/allow-python3.inc
new file mode 100644
index 000000000..91c7ffca4
--- /dev/null
+++ b/etc/allow-python3.inc
@@ -0,0 +1,5 @@
+noblacklist ${PATH}/python3*
+noblacklist /usr/include/python3*
+noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python3*
+noblacklist /usr/share/python3*
diff --git a/etc/amarok.profile b/etc/amarok.profile
index 6cec3befc..0b974e9ac 100644
--- a/etc/amarok.profile
+++ b/etc/amarok.profile
@@ -31,5 +31,5 @@ shell none
 # private-bin amarok
 private-dev
-# private-etc alternatives,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,asound.conf,ca-certificates,crypto-policies,machine-id,pki,pulse,ssl
 private-tmp
diff --git a/etc/amule.profile b/etc/amule.profile
index 7cb2130bb..feb4a5e7e 100644
--- a/etc/amule.profile
+++ b/etc/amule.profile
@@ -6,7 +6,6 @@ include amule.local
 # Persistent global definitions
 include globals.local
 noblacklist ${HOME}/.aMule
 include disable-common.inc
@@ -16,6 +15,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+mkdir ${HOME}/.aMule
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.aMule
 include whitelist-common.inc
diff --git a/etc/anki.profile b/etc/anki.profile
index 6ab95dd52..c349376ff 100644
--- a/etc/anki.profile
+++ b/etc/anki.profile
@@ -10,12 +10,8 @@ noblacklist ${DOCUMENTS}
 noblacklist ${HOME}/.local/share/Anki2
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
@@ -25,6 +21,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
+mkdir ${HOME}/.local/share/Anki2
 whitelist ${DOCUMENTS}
 whitelist ${HOME}/.local/share/Anki2
 include whitelist-common.inc
@@ -53,5 +50,5 @@ disable-mnt
 private-bin anki,python*
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,fonts,gtk-2.0,hostname,hosts,machine-id,pki,resolv.conf,Trolltech.conf,ssl
+private-etc alternatives,ca-certificates,fonts,gtk-2.0,hostname,hosts,machine-id,pki,resolv.conf,ssl,Trolltech.conf
 private-tmp
diff --git a/etc/aosp.profile b/etc/aosp.profile
index bdfefa923..701bf4733 100644
--- a/etc/aosp.profile
+++ b/etc/aosp.profile
@@ -5,7 +5,6 @@ include aosp.local
 # Persistent global definitions
 include globals.local
 noblacklist ${HOME}/.android
 noblacklist ${HOME}/.bash_history
 noblacklist ${HOME}/.config/git
diff --git a/etc/apktool.profile b/etc/apktool.profile
index acddf010b..aeeb845ea 100644
--- a/etc/apktool.profile
+++ b/etc/apktool.profile
@@ -31,6 +31,6 @@ protocol unix
 seccomp
 shell none
-private-bin apktool,bash,java,dirname,basename,expr,sh
+private-bin apktool,basename,bash,dirname,expr,java,sh
 private-cache
 private-dev
diff --git a/etc/arch-audit.profile b/etc/arch-audit.profile
index e353326df..2f08fa169 100644
--- a/etc/arch-audit.profile
+++ b/etc/arch-audit.profile
@@ -7,7 +7,6 @@ include arch-audit.local
 # Persistent global definitions
 include globals.local
 noblacklist /var/lib/pacman
 include disable-common.inc
diff --git a/etc/archaudit-report.profile b/etc/archaudit-report.profile
index 2f1715da1..19c37f90e 100644
--- a/etc/archaudit-report.profile
+++ b/etc/archaudit-report.profile
@@ -6,7 +6,6 @@ include archaudit-report.local
 # Persistent global definitions
 include globals.local
 noblacklist /var/lib/pacman
 include disable-common.inc
@@ -17,8 +16,6 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
-include whitelist-common.inc
 caps.drop all
 ipc-namespace
 netfilter
@@ -36,7 +33,7 @@ shell none
 disable-mnt
 private
-private-bin archaudit-report,arch-audit,bash,cat,comm,cut,date,fold,grep,pacman,pactree,rm,sed,sort,whoneeds
+private-bin arch-audit,archaudit-report,bash,cat,comm,cut,date,fold,grep,pacman,pactree,rm,sed,sort,whoneeds
 #private-dev
 private-tmp
diff --git a/etc/ardour5.profile b/etc/ardour5.profile
index 211a32e22..5ebeafa76 100644
--- a/etc/ardour5.profile
+++ b/etc/ardour5.profile
@@ -34,9 +34,9 @@ protocol unix
 seccomp
 shell none
-#private-bin sh,ardour4,ardour5,ardour5-copy-mixer,ardour5-export,ardour5-fix_bbtppq,grep,sed,ldd,nm
+#private-bin ardour4,ardour5,ardour5-copy-mixer,ardour5-export,ardour5-fix_bbtppq,grep,ldd,nm,sed,sh
 private-cache
 private-dev
-#private-etc alternatives,pulse,X11,alternatives,ardour4,ardour5,fonts,machine-id,asound.conf
+#private-etc alternatives,ardour4,ardour5,asound.conf,fonts,machine-id,pulse,X11
 private-tmp
diff --git a/etc/arduino.profile b/etc/arduino.profile
index 2ea8445fe..fd1ca9a09 100644
--- a/etc/arduino.profile
+++ b/etc/arduino.profile
@@ -7,15 +7,11 @@ include arduino.local
 include globals.local
 noblacklist ${HOME}/.arduino15
-noblacklist ${HOME}/.java
 noblacklist ${HOME}/Arduino
 noblacklist ${DOCUMENTS}
-# Allow access to java
+# Allow java (blacklisted by disable-devel.inc)
-noblacklist ${PATH}/java
+include allow-java.inc
-noblacklist /usr/lib/java
-noblacklist /etc/java
-noblacklist /usr/share/java
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/aria2c.profile b/etc/aria2c.profile
index 68c83e573..3b9dfc365 100644
--- a/etc/aria2c.profile
+++ b/etc/aria2c.profile
@@ -35,9 +35,10 @@ shell none
 # disable-mnt
 private-bin aria2c,gzip
-private-cache
+# Uncomment the next line (or put 'private-cache' in your aria2c.local) if you don't use Lutris/winetricks (see issue #2772)
+#private-cache
 private-dev
-private-etc alternatives,ca-certificates,ssl,resolv.conf
+private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
 private-lib libreadline.so.*
 private-tmp
diff --git a/etc/ark.profile b/etc/ark.profile
index 9214e96ff..7f74a4d49 100644
--- a/etc/ark.profile
+++ b/etc/ark.profile
@@ -34,8 +34,8 @@ protocol unix
 seccomp
 shell none
-private-bin ark,unrar,rar,unzip,zip,zipinfo,7z,p7zip,unar,lsar,lrzip,lzop,lz4,bash,sh,tclsh
+private-bin 7z,ark,bash,lrzip,lsar,lz4,lzop,p7zip,rar,sh,tclsh,unar,unrar,unzip,zip,zipinfo
-#private-etc alternatives,smb.conf,samba,mtab,fonts,drirc,kde5rc,passwd,group,xdg
+#private-etc alternatives,drirc,fonts,group,kde5rc,mtab,passwd,samba,smb.conf,xdg
 private-dev
 private-tmp
diff --git a/etc/arm.profile b/etc/arm.profile
index ae93e9665..51dad94d1 100644
--- a/etc/arm.profile
+++ b/etc/arm.profile
@@ -9,12 +9,8 @@ include globals.local
 noblacklist ${HOME}/.arm
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
@@ -45,8 +41,8 @@ shell none
 tracelog
 disable-mnt
-private-bin arm,tor,sh,bash,python*,ps,lsof,ldconfig
+private-bin arm,bash,ldconfig,lsof,ps,python*,sh,tor
 private-dev
-private-etc alternatives,tor,passwd,ca-certificates,ssl,pki,crypto-policies
+private-etc alternatives,ca-certificates,crypto-policies,passwd,pki,ssl,tor
 private-tmp
diff --git a/etc/artha.profile b/etc/artha.profile
index 8ef5124de..f886921cb 100644
--- a/etc/artha.profile
+++ b/etc/artha.profile
@@ -16,6 +16,13 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+mkdir ${HOME}/.config/artha.conf
+mkdir ${HOME}/.config/enchant
+whitelist ${HOME}/.config/artha.conf
+whitelist ${HOME}/.config/enchant
+include whitelist-common.inc
+include whitelist-var-common.inc
 apparmor
 caps.drop all
 ipc-namespace
@@ -38,7 +45,7 @@ disable-mnt
 private-bin artha,enchant,notify-send
 private-cache
 private-dev
-private-etc alternatives,machine-id,fonts
+private-etc alternatives,fonts,machine-id
 private-lib libnotify.so.*
 private-tmp
diff --git a/etc/assogiate.profile b/etc/assogiate.profile
index 6a9848e83..074d82955 100644
--- a/etc/assogiate.profile
+++ b/etc/assogiate.profile
@@ -7,7 +7,6 @@ include assogiate.local
 include globals.local
 noblacklist ${PICTURES}
-whitelist ${PICTURES}
 include disable-common.inc
 include disable-devel.inc
@@ -16,6 +15,8 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
+whitelist ${PICTURES}
 include whitelist-common.inc
 include whitelist-var-common.inc
@@ -42,7 +43,7 @@ disable-mnt
 private-bin assogiate,gtk-update-icon-cache,update-mime-database
 private-cache
 private-dev
-private-lib gnome-vfs-2.0,libattr.so.*,libacl.so.*,libfam.so.*
+private-lib gnome-vfs-2.0,libacl.so.*,libattr.so.*,libfam.so.*
 private-tmp
 memory-deny-write-execute
diff --git a/etc/asunder.profile b/etc/asunder.profile
index fa2479051..fc10739aa 100644
--- a/etc/asunder.profile
+++ b/etc/asunder.profile
@@ -34,7 +34,6 @@ protocol unix,inet,inet6
 seccomp
 shell none
-#private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc
 private-dev
 private-tmp
diff --git a/etc/atom.profile b/etc/atom.profile
index a3c62284c..8928baf5d 100644
--- a/etc/atom.profile
+++ b/etc/atom.profile
@@ -8,11 +8,17 @@ include globals.local
 noblacklist ${HOME}/.atom
 noblacklist ${HOME}/.config/Atom
-noblacklist ${HOME}/.config/git
+# allow rust
 noblacklist ${HOME}/.cargo/config
 noblacklist ${HOME}/.cargo/registry
+# allow git config files
+noblacklist ${HOME}/.config/git
 noblacklist ${HOME}/.gitconfig
 noblacklist ${HOME}/.git-credentials
+# allow python dev files
+noblacklist ${HOME}/.python-history
+noblacklist ${HOME}/.python_history
+noblacklist ${HOME}/.pythonhist
 noblacklist ${HOME}/.pythonrc.py
 include disable-common.inc
diff --git a/etc/atool.profile b/etc/atool.profile
index b17498e9d..c9d950259 100644
--- a/etc/atool.profile
+++ b/etc/atool.profile
@@ -7,14 +7,8 @@ include atool.local
 # Persistent global definitions
 include globals.local
-blacklist /tmp/.X11-unix
 # Allow perl (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/cpan*
+include allow-perl.inc
-noblacklist ${PATH}/core_perl
-noblacklist ${PATH}/perl
-noblacklist /usr/lib/perl*
-noblacklist /usr/share/perl*
 include disable-common.inc
 # include disable-devel.inc
@@ -44,12 +38,13 @@ protocol unix
 seccomp
 shell none
 tracelog
+x11 none
 # private-bin atool,perl
 private-cache
 private-dev
 # without login.defs atool complains and uses UID/GID 1000 by default
-private-etc alternatives,passwd,group,login.defs
+private-etc alternatives,group,login.defs,passwd
 private-tmp
 memory-deny-write-execute
diff --git a/etc/atril.profile b/etc/atril.profile
index 2f39af823..adca38cb5 100644
--- a/etc/atril.profile
+++ b/etc/atril.profile
@@ -40,7 +40,7 @@ seccomp
 shell none
 tracelog
-private-bin atril, atril-previewer, atril-thumbnailer
+private-bin atril,atril-previewer,atril-thumbnailer
 private-dev
 private-etc alternatives,fonts,ld.so.cache
 # atril uses webkit gtk to display epub files
diff --git a/etc/authenticator.profile b/etc/authenticator.profile
index e08dc12eb..4887299ec 100644
--- a/etc/authenticator.profile
+++ b/etc/authenticator.profile
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.cache/Authenticator
 noblacklist ${HOME}/.config/Authenticator
 # Allow python (blacklisted by disable-interpreters.inc)
-#noblacklist ${PATH}/python2*
+#include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-#noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-#noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
@@ -47,4 +43,4 @@ private-dev
 private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,pki,resolv.conf,ssl
 private-tmp
-# memory-deny-write-execute - breaks on Arch
+#memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/autokey-common.profile b/etc/autokey-common.profile
index 44c0a3c15..bd50a2dfb 100644
--- a/etc/autokey-common.profile
+++ b/etc/autokey-common.profile
@@ -10,14 +10,8 @@ noblacklist ${HOME}/.config/autokey
 noblacklist ${HOME}/.local/share/autokey
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
-noblacklist /usr/share/python2*
-noblacklist /usr/share/python3*
 include disable-common.inc
 include disable-devel.inc
@@ -44,4 +38,4 @@ private-cache
 private-dev
 private-tmp
-# memory-deny-write-execute - Breaks on Arch
+#memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/baobab.profile b/etc/baobab.profile
index fc4e7f268..d2980f75c 100644
--- a/etc/baobab.profile
+++ b/etc/baobab.profile
@@ -33,4 +33,4 @@ private-bin baobab
 private-dev
 private-tmp
-#memory-deny-write-execute  - breaks on Arch
+#memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/basilisk.profile b/etc/basilisk.profile
index 5f9fc8ef7..5bc91dc74 100644
--- a/etc/basilisk.profile
+++ b/etc/basilisk.profile
@@ -10,7 +10,6 @@ noblacklist ${HOME}/.moonchild productions/basilisk
 mkdir ${HOME}/.cache/moonchild productions/basilisk
 mkdir ${HOME}/.moonchild productions
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/moonchild productions/basilisk
 whitelist ${HOME}/.moonchild productions
diff --git a/etc/bibletime.profile b/etc/bibletime.profile
index c41aafd47..4f1b05c88 100644
--- a/etc/bibletime.profile
+++ b/etc/bibletime.profile
@@ -6,12 +6,12 @@ include bibletime.local
 # Persistent global definitions
 include globals.local
-blacklist ${HOME}/.bashrc
 noblacklist ${HOME}/.bibletime
 noblacklist ${HOME}/.sword
 noblacklist ${HOME}/.local/share/bibletime
+blacklist ${HOME}/.bashrc
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/bitcoin-qt.profile b/etc/bitcoin-qt.profile
index 8aae5d668..ac1e21ba7 100644
--- a/etc/bitcoin-qt.profile
+++ b/etc/bitcoin-qt.profile
@@ -43,7 +43,7 @@ tracelog
 private-bin bitcoin-qt
 private-dev
 # Causes problem with loading of libGL.so
-#private-etc alternatives,fonts,ca-certificates,ssl,pki,crypto-policies
+#private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl
 private-tmp
 memory-deny-write-execute
diff --git a/etc/bitlbee.profile b/etc/bitlbee.profile
index 287e5f52e..62eeb88f3 100644
--- a/etc/bitlbee.profile
+++ b/etc/bitlbee.profile
@@ -6,12 +6,15 @@ include bitlbee.local
 # Persistent global definitions
 include globals.local
+ignore noexec ${HOME}
 noblacklist /sbin
 noblacklist /usr/sbin
 # noblacklist /var/log
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -34,5 +37,4 @@ private-cache
 private-dev
 private-tmp
-noexec /tmp
 read-write /var/lib/bitlbee
diff --git a/etc/bitwarden.profile b/etc/bitwarden.profile
index 2a6fe9d42..a5538bacc 100644
--- a/etc/bitwarden.profile
+++ b/etc/bitwarden.profile
@@ -6,9 +6,10 @@ include bitwarden.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.config/Bitwarden
 ignore noexec /tmp
+noblacklist ${HOME}/.config/Bitwarden
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -17,11 +18,11 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
-include whitelist-common.inc
+mkdir ${HOME}/.config/Bitwarden
-include whitelist-var-common.inc
 whitelist ${HOME}/.config/Bitwarden
 whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-var-common.inc
 apparmor
 caps.drop all
@@ -46,8 +47,8 @@ private-bin bitwarden
 private-cache
 ?HAS_APPIMAGE: ignore private-dev
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,hosts,nsswitch.conf,fonts,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,hosts,nsswitch.conf,pki,resolv.conf,ssl
 private-opt Bitwarden
 private-tmp
-#memory-deny-write-execute - breaks on Arch
+#memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/bleachbit.profile b/etc/bleachbit.profile
index cbc8c25d6..47c0cfa48 100644
--- a/etc/bleachbit.profile
+++ b/etc/bleachbit.profile
@@ -7,12 +7,8 @@ include bleachbit.local
 include globals.local
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/blender.profile b/etc/blender.profile
index bfe906408..6a72fb602 100644
--- a/etc/blender.profile
+++ b/etc/blender.profile
@@ -9,12 +9,8 @@ include globals.local
 noblacklist ${HOME}/.config/blender
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/bless.profile b/etc/bless.profile
index d4ac80db1..35235962e 100644
--- a/etc/bless.profile
+++ b/etc/bless.profile
@@ -33,7 +33,7 @@ protocol unix
 seccomp
 shell none
-# private-bin bless,sh,bash,mono
+# private-bin bash,bless,mono,sh
 private-cache
 private-dev
 private-etc alternatives,fonts,mono
diff --git a/etc/brackets.profile b/etc/brackets.profile
index fa0d7e592..3e157d841 100644
--- a/etc/brackets.profile
+++ b/etc/brackets.profile
@@ -8,7 +8,7 @@ include globals.local
 noblacklist ${HOME}/.config/Brackets
 #noblacklist /opt/brackets/
 #noblacklist /opt/google/
-# Uncomment the the next two lines if you are developing rust.
+# Uncomment the next two lines if you are developing rust.
 # or put it in your brackets.local
 #noblacklist ${HOME}/.cargo/config
 #noblacklist ${HOME}/.cargo/registry
diff --git a/etc/brasero.profile b/etc/brasero.profile
index aa838380a..058253308 100644
--- a/etc/brasero.profile
+++ b/etc/brasero.profile
@@ -31,7 +31,6 @@ tracelog
 # private-bin brasero
 private-cache
 # private-dev
-# private-etc alternatives,fonts
 # private-tmp
 memory-deny-write-execute
diff --git a/etc/brave-browser.profile b/etc/brave-browser.profile
index 6d9d162fd..e223ecf87 100644
--- a/etc/brave-browser.profile
+++ b/etc/brave-browser.profile
@@ -1,6 +1,5 @@
 # Firejail profile alias for brave
 # This file is overwritten after every install/update
 # Redirect
 include brave.profile
diff --git a/etc/brave.profile b/etc/brave.profile
index cc003d49a..984fab5a8 100644
--- a/etc/brave.profile
+++ b/etc/brave.profile
@@ -6,6 +6,9 @@ include brave.local
 # Persistent global definitions
 include globals.local
+# noexec /tmp is included in chromium-common.profile and breaks Brave
+ignore noexec /tmp
 noblacklist ${HOME}/.config/brave
 noblacklist ${HOME}/.config/BraveSoftware
 # brave uses gpg for built-in password manager
@@ -17,8 +20,5 @@ whitelist ${HOME}/.config/brave
 whitelist ${HOME}/.config/BraveSoftware
 whitelist ${HOME}/.gnupg
-# noexec /tmp is included in chromium-common.profile and breaks Brave
-ignore noexec /tmp
 # Redirect
 include chromium-common.profile
diff --git a/etc/bsdtar.profile b/etc/bsdtar.profile
index f964438bc..1f7a02c2b 100644
--- a/etc/bsdtar.profile
+++ b/etc/bsdtar.profile
@@ -37,9 +37,9 @@ shell none
 tracelog
 # support compressed archives
-private-bin sh,bash,bsdcat,bsdcpio,bsdtar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop,lz4,libarchive
+private-bin bash,bsdcat,bsdcpio,bsdtar,bzip2,compress,gtar,gzip,lbzip2,libarchive,lz4,lzip,lzma,lzop,sh,xz
 private-cache
 private-dev
-private-etc alternatives,passwd,group,localtime
+private-etc alternatives,group,localtime,passwd
 memory-deny-write-execute
diff --git a/etc/bzflag.profile b/etc/bzflag.profile
index 94cd40899..86ab73e0b 100644
--- a/etc/bzflag.profile
+++ b/etc/bzflag.profile
@@ -38,7 +38,7 @@ shell none
 tracelog
 disable-mnt
-private-bin bzflag,bzflag-wrapper,bzfs,bzadmin
+private-bin bzadmin,bzflag,bzflag-wrapper,bzfs
 private-cache
 private-dev
 private-tmp
diff --git a/etc/caja.profile b/etc/caja.profile
index f38110dc9..c5cef7b27 100644
--- a/etc/caja.profile
+++ b/etc/caja.profile
@@ -14,12 +14,8 @@ noblacklist ${HOME}/.local/share/Trash
 # noblacklist ${HOME}/.local/share/caja-python
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
@@ -43,5 +39,4 @@ tracelog
 # caja needs to be able to start arbitrary applications so we cannot blacklist their files
 # private-bin caja
 # private-dev
-# private-etc alternatives,fonts
 # private-tmp
diff --git a/etc/cantata.profile b/etc/cantata.profile
index e4a4de9c1..c44d56b90 100644
--- a/etc/cantata.profile
+++ b/etc/cantata.profile
@@ -11,9 +11,8 @@ noblacklist ${HOME}/.config/cantata
 noblacklist ${HOME}/.local/share/cantata
 noblacklist ${MUSIC}
-noblacklist ${PATH}/perl
+# Allow perl (blacklisted by disable-interpreters.inc)
-noblacklist /usr/lib/perl*
+include allow-perl.inc
-noblacklist /usr/share/perl*
 include disable-common.inc
 include disable-devel.inc
@@ -35,6 +34,6 @@ protocol unix,inet,inet6,netlink
 seccomp
 shell none
-# private-etc samba,gcrypt,drirc,fonts,mpd.conf,kde5rc,passwd,xdg,hosts,ssl
+# private-etc drirc,fonts,gcrypt,hosts,kde5rc,mpd.conf,passwd,samba,ssl,xdg
 private-bin cantata,mpd,perl
 private-dev
diff --git a/etc/catfish.profile b/etc/catfish.profile
index 341348ff9..c6c2d7e8a 100644
--- a/etc/catfish.profile
+++ b/etc/catfish.profile
@@ -12,18 +12,14 @@ include globals.local
 noblacklist ${HOME}/.config/catfish
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
-include disable-common.inc
+# include disable-common.inc
 # include disable-devel.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
-include disable-programs.inc
+# include disable-programs.inc
 whitelist /var/lib/mlocate
 include whitelist-var-common.inc
diff --git a/etc/celluloid.profile b/etc/celluloid.profile
index 5604a16b9..89543d6cc 100644
--- a/etc/celluloid.profile
+++ b/etc/celluloid.profile
@@ -12,12 +12,8 @@ noblacklist ${MUSIC}
 noblacklist ${VIDEOS}
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
@@ -42,9 +38,9 @@ seccomp
 shell none
 tracelog
-private-bin celluloid,gnome-mpv,youtube-dl,python*,env
+private-bin celluloid,env,gnome-mpv,python*,youtube-dl
 private-cache
-private-etc alternatives,ca-certificates,ssl,pki,pkcs11,hosts,machine-id,localtime,libva.conf,drirc,fonts,gtk-3.0,dconf,crypto-policies,xdg,selinux,resolv.conf
+private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hosts,libva.conf,localtime,machine-id,pkcs11,pki,resolv.conf,selinux,ssl,xdg
 private-dev
 private-tmp
diff --git a/etc/checkbashisms.profile b/etc/checkbashisms.profile
index 5afbf2d56..fe3202cea 100644
--- a/etc/checkbashisms.profile
+++ b/etc/checkbashisms.profile
@@ -10,11 +10,7 @@ include globals.local
 noblacklist ${DOCUMENTS}
 # Allow perl (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/cpan*
+include allow-perl.inc
-noblacklist ${PATH}/core_perl
-noblacklist ${PATH}/perl
-noblacklist /usr/lib/perl*
-noblacklist /usr/share/perl*
 include disable-common.inc
 include disable-devel.inc
@@ -44,6 +40,7 @@ novideo
 protocol unix
 seccomp
 shell none
+x11 none
 private-cache
 private-dev
diff --git a/etc/cheese.profile b/etc/cheese.profile
index b6cb0c9ce..633928260 100644
--- a/etc/cheese.profile
+++ b/etc/cheese.profile
@@ -7,6 +7,7 @@ include cheese.local
 include globals.local
 noblacklist ${VIDEOS}
+noblacklist ${PICTURES}
 include disable-common.inc
 include disable-devel.inc
@@ -17,6 +18,7 @@ include disable-programs.inc
 include disable-xdg.inc
 whitelist ${VIDEOS}
+whitelist ${PICTURES}
 include whitelist-common.inc
 include whitelist-var-common.inc
@@ -39,5 +41,5 @@ tracelog
 disable-mnt
 private-bin cheese
 private-cache
-private-etc alternatives,fonts,drirc,clutter-1.0,gtk-3.0,dconf
+private-etc alternatives,clutter-1.0,dconf,drirc,fonts,gtk-3.0
 private-tmp
diff --git a/etc/cherrytree.profile b/etc/cherrytree.profile
index 44ef12aa2..70dea5bd9 100644
--- a/etc/cherrytree.profile
+++ b/etc/cherrytree.profile
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.config/cherrytree
 noblacklist ${DOCUMENTS}
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/chromium-common.profile b/etc/chromium-common.profile
index 63983d93b..ba6f9d88c 100644
--- a/etc/chromium-common.profile
+++ b/etc/chromium-common.profile
@@ -27,10 +27,9 @@ include whitelist-common.inc
 include whitelist-var-common.inc
 apparmor
-caps.keep sys_chroot,sys_admin
+caps.keep sys_admin,sys_chroot
 netfilter
-# Breaks Gnome connector - disable if you use that
+# nodbus - prevents access to passwords saved in GNOME Keyring and KWallet, also breaks Gnome connector
-nodbus
 nodvd
 nogroups
 notv
@@ -42,4 +41,4 @@ private-dev
 # private-tmp - problems with multiple browser sessions
 # the file dialog needs to work without d-bus
-env NO_CHROME_KDE_FILE_DIALOG=1
+?HAS_NODBUS: env NO_CHROME_KDE_FILE_DIALOG=1
diff --git a/etc/clawsker.profile b/etc/clawsker.profile
index c519ecedb..f8c05a55b 100644
--- a/etc/clawsker.profile
+++ b/etc/clawsker.profile
@@ -9,11 +9,7 @@ include globals.local
 noblacklist ${HOME}/.claws-mail
 # Allow perl (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/cpan*
+include allow-perl.inc
-noblacklist ${PATH}/core_perl
-noblacklist ${PATH}/perl
-noblacklist /usr/lib/perl*
-noblacklist /usr/share/perl*
 include disable-common.inc
 include disable-devel.inc
@@ -51,4 +47,4 @@ private-etc alternatives,fonts
 private-lib girepository-1.*,libdbus-glib-1.so.*,libetpan.so.*,libgirepository-1.*,libgtk-x11-2.0.so.*,libstartup-notification-1.so.*,perl*
 private-tmp
-# memory-deny-write-execute - breaks on Arch
+#memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/clipit.profile b/etc/clipit.profile
index 6e4d3fbaf..44cda0665 100644
--- a/etc/clipit.profile
+++ b/etc/clipit.profile
@@ -17,6 +17,13 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
+mkdir ${HOME}/.config/clipit
+mkdir ${HOME}/.local/share/clipit
+whitelist ${HOME}/.config/clipit
+whitelist ${HOME}/.local/share/clipit
+include whitelist-common.inc
+include whitelist-var-common.inc
 apparmor
 caps.drop all
 ipc-namespace
diff --git a/etc/cmus.profile b/etc/cmus.profile
index e602c4e2a..7e12a06de 100644
--- a/etc/cmus.profile
+++ b/etc/cmus.profile
@@ -27,4 +27,4 @@ seccomp
 shell none
 private-bin cmus
-private-etc alternatives,group,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,machine-id,pki,pulse,ssl
diff --git a/etc/code.profile b/etc/code.profile
index 16678459e..6faf429e1 100644
--- a/etc/code.profile
+++ b/etc/code.profile
@@ -12,6 +12,9 @@ noblacklist ${HOME}/.config/Code - OSS
 noblacklist ${HOME}/.config/git
 noblacklist ${HOME}/.gitconfig
 noblacklist ${HOME}/.git-credentials
+noblacklist ${HOME}/.python-history
+noblacklist ${HOME}/.python_history
+noblacklist ${HOME}/.pythonhist
 noblacklist ${HOME}/.pythonrc.py
 noblacklist ${HOME}/.vscode
 noblacklist ${HOME}/.vscode-oss
diff --git a/etc/conkeror.profile b/etc/conkeror.profile
index 21bef48a4..38edf0d21 100644
--- a/etc/conkeror.profile
+++ b/etc/conkeror.profile
@@ -10,9 +10,10 @@ noblacklist ${HOME}/.conkeror.mozdev.org
 include disable-common.inc
 include disable-programs.inc
+mkdir ${HOME}/.conkeror.mozdev.org
+mkfile ${HOME}/.conkerorrc
 whitelist ${HOME}/.conkeror.mozdev.org
 whitelist ${HOME}/.conkerorrc
-whitelist ${HOME}/.gtkrc-2.0
 whitelist ${HOME}/.lastpass
 whitelist ${HOME}/.pentadactyl
 whitelist ${HOME}/.pentadactylrc
diff --git a/etc/cower.profile b/etc/cower.profile
index bc1eeedc0..69575cea4 100644
--- a/etc/cower.profile
+++ b/etc/cower.profile
@@ -1,20 +1,13 @@
 # Firejail profile for cower
+# Description: a simple AUR agent with a pretentious name
 # This file is overwritten after every install/update
-# This profile could be significantly strengthened by adding the following to cower.local
-# whitelist ${HOME}/<Your Build Folder>
-# whitelist ${HOME}/.config/cower/
 quiet
 # Persistent local customizations
 include cower.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.config/cower/config
+noblacklist ${HOME}/.config/cower
-read-only ${HOME}/.config/cower/config
 noblacklist /var/lib/pacman
 include disable-common.inc
@@ -23,6 +16,11 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
+# This profile could be significantly strengthened by adding the following to cower.local
+# whitelist ${HOME}/<Your Build Folder>
+# whitelist ${HOME}/.config/cower
 caps.drop all
 ipc-namespace
@@ -42,7 +40,9 @@ shell none
 disable-mnt
 private-bin cower
+private-cache
 private-dev
 private-tmp
 memory-deny-write-execute
+read-only ${HOME}/.config/cower/config
diff --git a/etc/cpio.profile b/etc/cpio.profile
index b6f7e7f9f..17a765700 100644
--- a/etc/cpio.profile
+++ b/etc/cpio.profile
@@ -7,8 +7,6 @@ include cpio.local
 # Persistent global definitions
 include globals.local
-blacklist /tmp/.X11-unix
 noblacklist /sbin
 noblacklist /usr/sbin
@@ -36,6 +34,7 @@ novideo
 seccomp
 shell none
 tracelog
+x11 none
 private-cache
 private-dev
diff --git a/etc/crow.profile b/etc/crow.profile
index 8aa70a09c..755b6e9f8 100644
--- a/etc/crow.profile
+++ b/etc/crow.profile
@@ -38,7 +38,7 @@ shell none
 disable-mnt
 private-bin crow
 private-dev
-private-etc alternatives,ca-certificates,ssl,machine-id,dconf,nsswitch.conf,resolv.conf,fonts,asound.conf,pulse,pki,crypto-policies
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl
 private-opt none
 private-tmp
 private-srv none
diff --git a/etc/curl.profile b/etc/curl.profile
index 2703c6fe8..76beee46a 100644
--- a/etc/curl.profile
+++ b/etc/curl.profile
@@ -7,10 +7,10 @@ include curl.local
 # Persistent global definitions
 include globals.local
-blacklist /tmp/.X11-unix
 noblacklist ${HOME}/.curlrc
+blacklist /tmp/.X11-unix
 include disable-common.inc
 include disable-exec.inc
 include disable-passwdmgr.inc
@@ -34,5 +34,5 @@ shell none
 # private-bin curl
 private-cache
 private-dev
-# private-etc alternatives,resolv.conf,ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl
 private-tmp
diff --git a/etc/cyberfox.profile b/etc/cyberfox.profile
index fcb448b30..d1fff0004 100644
--- a/etc/cyberfox.profile
+++ b/etc/cyberfox.profile
@@ -13,7 +13,7 @@ mkdir ${HOME}/.cache/8pecxstudios
 whitelist ${HOME}/.8pecxstudios
 whitelist ${HOME}/.cache/8pecxstudios
-# private-bin cyberfox,which,sh,dbus-launch,dbus-send,env
+# private-bin cyberfox,dbus-launch,dbus-send,env,sh,which
 # private-etc must first be enabled in firefox-common.profile
 #private-etc cyberfox
diff --git a/etc/d-feet.profile b/etc/d-feet.profile
index 9475bdd2a..e06769601 100644
--- a/etc/d-feet.profile
+++ b/etc/d-feet.profile
@@ -9,12 +9,8 @@ include globals.local
 noblacklist ${HOME}/.config/d-feet
 # Allow python (disabled by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
@@ -53,4 +49,4 @@ private-dev
 private-etc alternatives,dbus-1,fonts,machine-id
 private-tmp
-# memory-deny-write-execute - Breaks on Arch
+#memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/dconf-editor.profile b/etc/dconf-editor.profile
index 6b7f8f112..7cd39ca6a 100644
--- a/etc/dconf-editor.profile
+++ b/etc/dconf-editor.profile
@@ -6,8 +6,6 @@ include dconf-editor.local
 # Persistent global definitions
 include globals.local
-whitelist ${HOME}/.local/share/glib-2.0
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -16,6 +14,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
+whitelist ${HOME}/.local/share/glib-2.0
 include whitelist-common.inc
 apparmor
@@ -39,7 +38,7 @@ disable-mnt
 private-bin dconf-editor
 private-cache
 private-dev
-private-etc alternatives,fonts,machine-id
+private-etc alternatives,dconf,fonts,gtk-3.0,machine-id
 private-lib
 private-tmp
diff --git a/etc/dconf.profile b/etc/dconf.profile
index 6ffcddaf5..81763bd94 100644
--- a/etc/dconf.profile
+++ b/etc/dconf.profile
@@ -6,8 +6,6 @@ include dconf.local
 # Persistent global definitions
 include globals.local
-whitelist ${HOME}/.local/share/glib-2.0
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -16,6 +14,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
+whitelist ${HOME}/.local/share/glib-2.0
 # dconf paths are whitelisted by the following
 include whitelist-common.inc
@@ -37,6 +36,7 @@ protocol unix
 seccomp
 shell none
 tracelog
+x11 none
 disable-mnt
 private-bin dconf,gsettings
diff --git a/etc/deluge.profile b/etc/deluge.profile
index e86c84272..8f4f9fbe9 100644
--- a/etc/deluge.profile
+++ b/etc/deluge.profile
@@ -9,12 +9,8 @@ include globals.local
 noblacklist ${HOME}/.config/deluge
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 # include disable-devel.inc
@@ -43,6 +39,6 @@ seccomp
 shell none
 # deluge is using python on Debian
-private-bin deluge,deluge-console,deluged,deluge-gtk,deluge-web,sh,python*,uname
+private-bin deluge,deluge-console,deluge-gtk,deluge-web,deluged,python*,sh,uname
 private-dev
 private-tmp
diff --git a/etc/devhelp.profile b/etc/devhelp.profile
index 4e618b7ea..60bebb0c9 100644
--- a/etc/devhelp.profile
+++ b/etc/devhelp.profile
@@ -41,6 +41,6 @@ private-dev
 private-etc alternatives,dconf,fonts,ld.so.cache,machine-id,ssl
 private-tmp
-# memory-deny-write-execute - Breaks on Arch
+#memory-deny-write-execute - breaks on Arch (see issue 1803)
 read-only ${HOME}
diff --git a/etc/devilspie.profile b/etc/devilspie.profile
index 2d100c4b0..ca617983d 100644
--- a/etc/devilspie.profile
+++ b/etc/devilspie.profile
@@ -16,6 +16,11 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
+mkdir ${HOME}/.devilspie
+whitelist ${HOME}/.devilspie
+include whitelist-common.inc
+include whitelist-var-common.inc
 apparmor
 caps.drop all
 ipc-namespace
diff --git a/etc/devilspie2.profile b/etc/devilspie2.profile
index 2f599366b..74b0dc939 100644
--- a/etc/devilspie2.profile
+++ b/etc/devilspie2.profile
@@ -8,6 +8,9 @@ include globals.local
 noblacklist ${HOME}/.config/devilspie2
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -16,6 +19,11 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
+mkdir ${HOME}/.config/devilspie2
+whitelist ${HOME}/.config/devilspie2
+include whitelist-common.inc
+include whitelist-var-common.inc
 apparmor
 caps.drop all
 ipc-namespace
diff --git a/etc/dex2jar.profile b/etc/dex2jar.profile
index 06a6be3aa..e5f37b06a 100644
--- a/etc/dex2jar.profile
+++ b/etc/dex2jar.profile
@@ -6,11 +6,8 @@ include dex2jar.local
 # Persistent global definitions
 include globals.local
-# Allow access to java
+# Allow java (blacklisted by disable-devel.inc)
-noblacklist ${PATH}/java
+include allow-java.inc
-noblacklist /usr/lib/java
-noblacklist /etc/java
-noblacklist /usr/share/java
 include disable-common.inc
 include disable-devel.inc
@@ -38,7 +35,7 @@ protocol unix
 seccomp
 shell none
-private-bin dex2jar,java,sh,bash,expr,dirname,ls,uname,grep
+private-bin bash,dex2jar,dirname,expr,grep,java,ls,sh,uname
 private-cache
 private-dev
diff --git a/etc/dig.profile b/etc/dig.profile
index 1843f6e46..6f2c1f755 100644
--- a/etc/dig.profile
+++ b/etc/dig.profile
@@ -17,7 +17,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
-mkfile ${HOME}/.digrc
+#mkfile ${HOME}/.digrc -- see #903
 whitelist ${HOME}/.digrc
 include whitelist-common.inc
 include whitelist-var-common.inc
@@ -42,10 +42,9 @@ shell none
 disable-mnt
 private
-private-bin sh,bash,dig
+private-bin bash,dig,sh
 private-cache
 private-dev
-# private-etc alternatives,resolv.conf
 private-lib
 private-tmp
diff --git a/etc/digikam.profile b/etc/digikam.profile
index e9c89a1b9..1b80981f7 100644
--- a/etc/digikam.profile
+++ b/etc/digikam.profile
@@ -33,11 +33,8 @@ noroot
 notv
 protocol unix,inet,inet6,netlink
 seccomp
-# seccomp.keep fallocate,getrusage,openat,access,arch_prctl,bind,brk,chdir,chmod,clock_getres,clone,close,connect,dup2,dup3,eventfd2,execve,fadvise64,fcntl,fdatasync,flock,fstat,fstatfs,ftruncate,futex,getcwd,getdents,getegid,geteuid,getgid,getpeername,getpgrp,getpid,getppid,getrandom,getresgid,getresuid,getrlimit,getsockname,getsockopt,gettid,getuid,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,ioctl,lseek,lstat,madvise,mbind,memfd_create,mkdir,mmap,mprotect,msync,munmap,nanosleep,open,pipe,pipe2,poll,ppoll,prctl,pread64,pwrite64,read,readlink,readlinkat,recvfrom,recvmsg,rename,rt_sigaction,rt_sigprocmask,rt_sigreturn,sched_getaffinity,sched_getparam,sched_get_priority_max,sched_get_priority_min,sched_getscheduler,sched_setscheduler,sched_yield,sendmsg,sendto,setgid,setresgid,setresuid,set_robust_list,setsid,setsockopt,set_tid_address,setuid,shmat,shmctl,shmdt,shmget,shutdown,socket,stat,statfs,sysinfo,timerfd_create,umask,uname,unlink,wait4,waitid,write,writev,fchmod,fchown,unshare,exit,exit_group
 shell none
-# private-bin program
 # private-dev - prevents libdc1394 loading; this lib is used to connect to a camera device
-# private-etc alternatives,ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,ca-certificates,crypto-policies,pki,ssl
 private-tmp
diff --git a/etc/dino.profile b/etc/dino.profile
index 2db395e02..f7b220936 100644
--- a/etc/dino.profile
+++ b/etc/dino.profile
@@ -37,6 +37,6 @@ shell none
 disable-mnt
 private-bin dino
 private-dev
-# private-etc alternatives,fonts,ca-certificates,ssl,pki,crypto-policies # breaks server connection
+# private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl -- breaks server connection
 private-tmp
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index 9d7a34bc5..ae82d72b5 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -19,7 +19,10 @@ blacklist-nolog ${HOME}/.local/share/fish/fish_history
 blacklist-nolog ${HOME}/.local/share/klipper
 blacklist-nolog ${HOME}/.macromedia
 blacklist-nolog ${HOME}/.python-history
+blacklist-nolog ${HOME}/.python_history
 blacklist-nolog ${HOME}/.pythonhist
+blacklist-nolog ${HOME}/.lesshst
+blacklist-nolog ${HOME}/.viminfo
 blacklist-nolog /tmp/clipmenu*
 # X11 session autostart
@@ -242,6 +245,7 @@ read-only ${HOME}/.ssh/authorized_keys
 # Initialization files that allow arbitrary command execution
 read-only ${HOME}/.caffrc
+read-only ${HOME}/.cargo/env
 read-only ${HOME}/.dotfiles
 read-only ${HOME}/.emacs
 read-only ${HOME}/.emacs.d
@@ -275,7 +279,6 @@ read-only ${HOME}/bin
 read-only ${HOME}/.bin
 read-only ${HOME}/.local/bin
 read-only ${HOME}/.cargo/bin
-read-only ${HOME}/.cargo/env
 blacklist ${HOME}/.cargo/registry
 blacklist ${HOME}/.cargo/config
@@ -294,10 +297,12 @@ blacklist ${HOME}/.Private
 blacklist ${HOME}/.caff
 blacklist ${HOME}/.cert
 blacklist ${HOME}/.config/keybase
+blacklist ${HOME}/.davfs2/secrets
 blacklist ${HOME}/.ecryptfs
 blacklist ${HOME}/.fetchmailrc
 blacklist ${HOME}/.gnome2/keyrings
 blacklist ${HOME}/.gnupg
+blacklist ${HOME}/.config/hub
 blacklist ${HOME}/.kde/share/apps/kwallet
 blacklist ${HOME}/.kde4/share/apps/kwallet
 blacklist ${HOME}/.local/share/keyrings
@@ -313,6 +318,7 @@ blacklist ${HOME}/.local/share/pki
 blacklist ${HOME}/.smbcredentials
 blacklist ${HOME}/.ssh
 blacklist ${HOME}/.vaults
+blacklist /etc/davfs2/secrets
 blacklist /etc/group+
 blacklist /etc/group-
 blacklist /etc/gshadow
@@ -414,3 +420,12 @@ blacklist /usr/share/flatpak
 blacklist /var/lib/flatpak
 # most of the time bwrap is SUID binary
 blacklist ${PATH}/bwrap
+# mail directories used by mutt
+blacklist ${HOME}/.Mail
+blacklist ${HOME}/.mail
+blacklist ${HOME}/.signature
+blacklist ${HOME}/Mail
+blacklist ${HOME}/mail
+blacklist ${HOME}/postponed
+blacklist ${HOME}/sent
diff --git a/etc/disable-interpreters.inc b/etc/disable-interpreters.inc
index 22f58bb85..4c4eed25d 100644
--- a/etc/disable-interpreters.inc
+++ b/etc/disable-interpreters.inc
@@ -19,6 +19,8 @@ blacklist ${HOME}/.nvm
 blacklist ${PATH}/cpan*
 blacklist ${PATH}/core_perl
 blacklist ${PATH}/perl
+blacklist ${PATH}/site_perl
+blacklist ${PATH}/vendor_perl
 blacklist /usr/lib/perl*
 blacklist /usr/share/perl*
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 5481f976f..fb7e02d0b 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -7,6 +7,7 @@ blacklist ${HOME}/Monero/wallets
 blacklist ${HOME}/Nextcloud/Notes
 blacklist ${HOME}/SoftMaker
 blacklist ${HOME}/Standard Notes Backups
+blacklist ${HOME}/mps
 blacklist ${HOME}/wallet.dat
 blacklist ${HOME}/.*coin
 blacklist ${HOME}/.8pecxstudios
@@ -118,6 +119,7 @@ blacklist ${HOME}/.config/artha.conf
 blacklist ${HOME}/.config/asunder
 blacklist ${HOME}/.config/atril
 blacklist ${HOME}/.config/audacious
+blacklist ${HOME}/.config/autokey
 blacklist ${HOME}/.config/aweather
 blacklist ${HOME}/.config/baloofilerc
 blacklist ${HOME}/.config/baloorc
@@ -140,6 +142,7 @@ blacklist ${HOME}/.config/clipit
 blacklist ${HOME}/.config/cliqz
 blacklist ${HOME}/.config/cmus
 blacklist ${HOME}/.config/corebird
+blacklist ${HOME}/.config/cower
 blacklist ${HOME}/.config/darktable
 blacklist ${HOME}/.config/deadbeef
 blacklist ${HOME}/.config/deluge
@@ -176,6 +179,7 @@ blacklist ${HOME}/.config/git
 blacklist ${HOME}/.config/globaltime
 blacklist ${HOME}/.config/gnome-mplayer
 blacklist ${HOME}/.config/gnome-mpv
+blacklist ${HOME}/.config/godot
 blacklist ${HOME}/.config/gnome-pie
 blacklist ${HOME}/.config/google-chrome
 blacklist ${HOME}/.config/google-chrome-beta
@@ -197,6 +201,7 @@ blacklist ${HOME}/.config/katerc
 blacklist ${HOME}/.config/kateschemarc
 blacklist ${HOME}/.config/katesyntaxhighlightingrc
 blacklist ${HOME}/.config/katevirc
+blacklist ${HOME}/.config/kdeconnect
 blacklist ${HOME}/.config/kdenliverc
 blacklist ${HOME}/.config/kgetrc
 blacklist ${HOME}/.config/kid3rc
@@ -204,13 +209,12 @@ blacklist ${HOME}/.config/klavaro
 blacklist ${HOME}/.config/klipperrc
 blacklist ${HOME}/.config/kmail2rc
 blacklist ${HOME}/.config/kmailsearchindexingrc
-blacklist ${HOME}/.config/kritarc
-blacklist ${HOME}/.config/kwriterc
-blacklist ${HOME}/.config/kdeconnect
 blacklist ${HOME}/.config/knotesrc
 blacklist ${HOME}/.config/konversationrc
+blacklist ${HOME}/.config/kritarc
 blacklist ${HOME}/.config/ktorrentrc
 blacklist ${HOME}/.config/ktouch2rc
+blacklist ${HOME}/.config/kwriterc
 blacklist ${HOME}/.config/leafpad
 blacklist ${HOME}/.config/libreoffice
 blacklist ${HOME}/.config/liferea
@@ -235,6 +239,7 @@ blacklist ${HOME}/.config/nano
 blacklist ${HOME}/.config/nautilus
 blacklist ${HOME}/.config/nemo
 blacklist ${HOME}/.config/netsurf
+blacklist ${HOME}/.config/newsbeuter
 blacklist ${HOME}/.config/nheko
 blacklist ${HOME}/.config/NitroShare
 blacklist ${HOME}/.config/nomacs
@@ -267,6 +272,7 @@ blacklist ${HOME}/.config/redshift.conf
 blacklist ${HOME}/.config/remmina
 blacklist ${HOME}/.config/ristretto
 blacklist ${HOME}/.config/scribus
+blacklist ${HOME}/.config/scribusrc
 blacklist ${HOME}/.config/sinew.in
 blacklist ${HOME}/.config/skypeforlinux
 blacklist ${HOME}/.config/slimjet
@@ -275,17 +281,17 @@ blacklist ${HOME}/.config/smtube
 blacklist ${HOME}/.config/snox
 blacklist ${HOME}/.config/specialmailcollectionsrc
 blacklist ${HOME}/.config/spotify
-blacklist ${HOME}/.config/supertuxkart
 blacklist ${HOME}/.config/sqlitebrowser
 blacklist ${HOME}/.config/stellarium
+blacklist ${HOME}/.config/supertuxkart
 blacklist ${HOME}/.config/synfig
 blacklist ${HOME}/.config/telepathy-account-widgets
 blacklist ${HOME}/.config/torbrowser
 blacklist ${HOME}/.config/totem
 blacklist ${HOME}/.config/tox
 blacklist ${HOME}/.config/transgui
-blacklist ${HOME}/.config/truecraft
 blacklist ${HOME}/.config/transmission
+blacklist ${HOME}/.config/truecraft
 blacklist ${HOME}/.config/uGet
 blacklist ${HOME}/.config/uzbl
 blacklist ${HOME}/.config/viewnior
@@ -328,7 +334,6 @@ blacklist ${HOME}/.electron-cache
 blacklist ${HOME}/.electrum*
 blacklist ${HOME}/.elinks
 blacklist ${HOME}/.emacs
-blacklist ${HOME}/.emacs
 blacklist ${HOME}/.emacs.d
 blacklist ${HOME}/.ethereum
 blacklist ${HOME}/.etr
@@ -370,10 +375,10 @@ blacklist ${HOME}/.kde/share/apps/kaffeine
 blacklist ${HOME}/.kde/share/apps/kcookiejar
 blacklist ${HOME}/.kde/share/apps/kget
 blacklist ${HOME}/.kde/share/apps/khtml
+blacklist ${HOME}/.kde/share/apps/klatexformula
 blacklist ${HOME}/.kde/share/apps/konqsidebartng
 blacklist ${HOME}/.kde/share/apps/konqueror
 blacklist ${HOME}/.kde/share/apps/kopete
-blacklist ${HOME}/.kde/share/apps/khtml
 blacklist ${HOME}/.kde/share/apps/ktorrent
 blacklist ${HOME}/.kde/share/apps/okular
 blacklist ${HOME}/.kde/share/config/baloofilerc
@@ -426,10 +431,12 @@ blacklist ${HOME}/.kde4/share/config/okularrc
 blacklist ${HOME}/.killingfloor
 blacklist ${HOME}/.kino-history
 blacklist ${HOME}/.kinorc
+blacklist ${HOME}/.klatexformula
 blacklist ${HOME}/.kodi
 blacklist ${HOME}/.lincity-ng
 blacklist ${HOME}/.linphone-history.db
 blacklist ${HOME}/.linphonerc
+blacklist ${HOME}/.links
 blacklist ${HOME}/.lmmsrc.xml
 blacklist ${HOME}/.local/lib/vivaldi
 blacklist ${HOME}/.local/share/0ad
@@ -454,6 +461,7 @@ blacklist ${HOME}/.local/share/akonadi*
 blacklist ${HOME}/.local/share/akregator
 blacklist ${HOME}/.local/share/apps/korganizer
 blacklist ${HOME}/.local/share/aspyr-media
+blacklist ${HOME}/.local/share/autokey
 blacklist ${HOME}/.local/share/baloo
 blacklist ${HOME}/.local/share/bibletime
 blacklist ${HOME}/.local/share/caja-python
@@ -486,6 +494,7 @@ blacklist ${HOME}/.local/share/gnome-photos
 blacklist ${HOME}/.local/share/gnome-recipes
 blacklist ${HOME}/.local/share/gnome-ring
 blacklist ${HOME}/.local/share/gnome-twitch
+blacklist ${HOME}/.local/share/godot
 blacklist ${HOME}/.local/share/gradio
 blacklist ${HOME}/.local/share/gwenview
 blacklist ${HOME}/.local/share/kaffeine
@@ -496,8 +505,8 @@ blacklist ${HOME}/.local/share/klavaro
 blacklist ${HOME}/.local/share/kmail2
 blacklist ${HOME}/.local/share/knotes
 blacklist ${HOME}/.local/share/krita
-blacklist ${HOME}/.local/share/ktorrentrc
 blacklist ${HOME}/.local/share/ktorrent
+blacklist ${HOME}/.local/share/ktorrentrc
 blacklist ${HOME}/.local/share/ktouch
 blacklist ${HOME}/.local/share/kwrite
 blacklist ${HOME}/.local/share/liferea
@@ -522,13 +531,13 @@ blacklist ${HOME}/.local/share/ocenaudio
 blacklist ${HOME}/.local/share/okular
 blacklist ${HOME}/.local/share/orage
 blacklist ${HOME}/.local/share/org.kde.gwenview
-blacklist ${HOME}/.local/share/rhythmbox
 blacklist ${HOME}/.local/share/pix
 blacklist ${HOME}/.local/share/plasma_notes
 blacklist ${HOME}/.local/share/psi+
 blacklist ${HOME}/.local/share/qpdfview
 blacklist ${HOME}/.local/share/qutebrowser
 blacklist ${HOME}/.local/share/remmina
+blacklist ${HOME}/.local/share/rhythmbox
 blacklist ${HOME}/.local/share/scribus
 blacklist ${HOME}/.local/share/spotify
 blacklist ${HOME}/.local/share/steam
@@ -566,9 +575,11 @@ blacklist ${HOME}/.multimc5
 blacklist ${HOME}/.nanorc
 blacklist ${HOME}/.netactview
 blacklist ${HOME}/.neverball
+blacklist ${HOME}/.newsbeuter
 blacklist ${HOME}/.newsboat
 blacklist ${HOME}/.nv
 blacklist ${HOME}/.nylas-mail
+blacklist ${HOME}/.openarena
 blacklist ${HOME}/.opencity
 blacklist ${HOME}/.openinvaders
 blacklist ${HOME}/.openshot
@@ -603,6 +614,7 @@ blacklist ${HOME}/.surf
 blacklist ${HOME}/.sword
 blacklist ${HOME}/.sylpheed-2.0
 blacklist ${HOME}/.synfig
+blacklist ${HOME}/.config/teams-for-linux
 blacklist ${HOME}/.tconn
 blacklist ${HOME}/.teeworlds
 blacklist ${HOME}/.thunderbird
@@ -629,8 +641,8 @@ blacklist ${HOME}/.wget-hsts
 blacklist ${HOME}/.wgetrc
 blacklist ${HOME}/.widelands
 blacklist ${HOME}/.wine
-blacklist ${HOME}/.wireshark
 blacklist ${HOME}/.wine64
+blacklist ${HOME}/.wireshark
 blacklist ${HOME}/.xiphos
 blacklist ${HOME}/.xmind
 blacklist ${HOME}/.xmms
@@ -676,6 +688,7 @@ blacklist ${HOME}/.cache/fossamail
 blacklist ${HOME}/.cache/freecol
 blacklist ${HOME}/.cache/gajim
 blacklist ${HOME}/.cache/geeqie
+blacklist ${HOME}/.cache/godot
 blacklist ${HOME}/.cache/google-chrome
 blacklist ${HOME}/.cache/google-chrome-beta
 blacklist ${HOME}/.cache/google-chrome-unstable
diff --git a/etc/discord-common.profile b/etc/discord-common.profile
index a791c7a06..82dd0475c 100644
--- a/etc/discord-common.profile
+++ b/etc/discord-common.profile
@@ -27,9 +27,9 @@ novideo
 protocol unix,inet,inet6,netlink
 seccomp
-private-bin sh,xdg-mime,tr,sed,echo,head,cut,xdg-open,grep,egrep,bash,zsh
+private-bin bash,cut,echo,egrep,grep,head,sed,sh,tr,xdg-mime,xdg-open,zsh
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,group,machine-id,ld.so.cache,localtime,login.defs,password,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,login.defs,machine-id,password,pki,resolv.conf,ssl
 private-tmp
 noexec /tmp
diff --git a/etc/display.profile b/etc/display.profile
index 0bab32db1..0b9d685e8 100644
--- a/etc/display.profile
+++ b/etc/display.profile
@@ -8,12 +8,8 @@ include globals.local
 noblacklist ${PICTURES}
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/dnscrypt-proxy.profile b/etc/dnscrypt-proxy.profile
index 0dc0cc793..ae248f2e8 100644
--- a/etc/dnscrypt-proxy.profile
+++ b/etc/dnscrypt-proxy.profile
@@ -6,11 +6,11 @@ include dnscrypt-proxy.local
 # Persistent global definitions
 include globals.local
-blacklist /tmp/.X11-unix
 noblacklist /sbin
 noblacklist /usr/sbin
+blacklist /tmp/.X11-unix
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
@@ -26,7 +26,7 @@ nosound
 notv
 nou2f
 novideo
-seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open
+seccomp.drop _sysctl,acct,add_key,adjtimex,clock_adjtime,delete_module,fanotify_init,finit_module,get_mempolicy,init_module,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioperm,iopl,kcmp,kexec_file_load,kexec_load,keyctl,lookup_dcookie,mbind,migrate_pages,modify_ldt,mount,move_pages,open_by_handle_at,perf_event_open,perf_event_open,pivot_root,process_vm_readv,process_vm_writev,ptrace,remap_file_pages,request_key,set_mempolicy,swapoff,swapon,sysfs,syslog,umount2,uselib,vmsplice
 disable-mnt
 private
diff --git a/etc/dnsmasq.profile b/etc/dnsmasq.profile
index bb41b71d1..daf4795c3 100644
--- a/etc/dnsmasq.profile
+++ b/etc/dnsmasq.profile
@@ -6,11 +6,11 @@ include dnsmasq.local
 # Persistent global definitions
 include globals.local
-blacklist /tmp/.X11-unix
 noblacklist /sbin
 noblacklist /usr/sbin
+blacklist /tmp/.X11-unix
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
diff --git a/etc/dooble.profile b/etc/dooble.profile
index 80bcce463..bc197b223 100644
--- a/etc/dooble.profile
+++ b/etc/dooble.profile
@@ -1,11 +1,12 @@
 # Firejail profile for dooble
 # This file is overwritten after every install/update
 # Persistent local customizations
+include dooble.local
+# Backward compatibility
 include dooble-qt4.local
 # Persistent global definitions
 include globals.local
 noblacklist ${HOME}/.dooble
 include disable-common.inc
diff --git a/etc/electrum.profile b/etc/electrum.profile
index ffa0fb5f6..42438977f 100644
--- a/etc/electrum.profile
+++ b/etc/electrum.profile
@@ -9,12 +9,8 @@ include globals.local
 noblacklist ${HOME}/.electrum
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
@@ -50,6 +46,6 @@ disable-mnt
 private-bin electrum,python*
 private-cache
 private-dev
-private-etc alternatives,fonts,dconf,ca-certificates,ssl,pki,crypto-policies,machine-id,resolv.conf
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,machine-id,pki,resolv.conf,ssl
 private-tmp
diff --git a/etc/elinks.profile b/etc/elinks.profile
index 842a0db04..94f4179c7 100644
--- a/etc/elinks.profile
+++ b/etc/elinks.profile
@@ -6,10 +6,10 @@ include elinks.local
 # Persistent global definitions
 include globals.local
-blacklist /tmp/.X11-unix
 noblacklist ${HOME}/.elinks
+blacklist /tmp/.X11-unix
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
@@ -36,5 +36,5 @@ tracelog
 # private-bin elinks
 private-cache
 private-dev
-# private-etc alternatives,ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,ca-certificates,crypto-policies,pki,ssl
 private-tmp
diff --git a/etc/emacs.profile b/etc/emacs.profile
index 24e800b5e..f8b451f02 100644
--- a/etc/emacs.profile
+++ b/etc/emacs.profile
@@ -12,6 +12,9 @@ noblacklist ${HOME}/.emacs.d
 # or put it into your emacs.local
 #noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.python-history
+noblacklist ${HOME}/.python_history
+noblacklist ${HOME}/.pythonhist
+noblacklist ${HOME}/.pythonrc.py
 include disable-common.inc
 include disable-passwdmgr.inc
diff --git a/etc/enchant.profile b/etc/enchant.profile
index 288d8799c..d30fb8232 100644
--- a/etc/enchant.profile
+++ b/etc/enchant.profile
@@ -35,6 +35,7 @@ protocol unix
 seccomp
 shell none
 tracelog
+x11 none
 private-bin enchant,enchant-*
 private-cache
diff --git a/etc/engrampa.profile b/etc/engrampa.profile
index 562e8f542..aaf3e3382 100644
--- a/etc/engrampa.profile
+++ b/etc/engrampa.profile
@@ -35,7 +35,6 @@ tracelog
 # private-bin engrampa
 private-dev
-# private-etc alternatives,fonts
 # private-tmp
 memory-deny-write-execute
diff --git a/etc/enpass.profile b/etc/enpass.profile
index b337c721d..68113e294 100644
--- a/etc/enpass.profile
+++ b/etc/enpass.profile
@@ -20,12 +20,16 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
+mkdir ${HOME}/.cache/Enpass
+mkfile ${HOME}/.config/sinew.in
+mkdir ${HOME}/.config/Sinew Software Systems
+mkdir ${HOME}/.local/share/Enpass
 whitelist ${HOME}/.cache/Enpass
 whitelist ${HOME}/.config/sinew.in
 whitelist ${HOME}/.config/Sinew Software Systems
 whitelist ${HOME}/.local/share/Enpass
 whitelist ${DOCUMENTS}
+include whitelist-common.inc
 include whitelist-var-common.inc
 # machine-id and nosound break audio notification functionality
@@ -49,10 +53,10 @@ seccomp
 shell none
 tracelog
-private-bin dirname,Enpass,importer_enpass,sh,readlink
+private-bin dirname,Enpass,importer_enpass,readlink,sh
 ?HAS_APPIMAGE: ignore private-dev
 private-dev
 private-opt Enpass
 private-tmp
-#memory-deny-write-execute - breaks on Arch
+#memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/eo-common.profile b/etc/eo-common.profile
index ad18e10c4..2a65de5e1 100644
--- a/etc/eo-common.profile
+++ b/etc/eo-common.profile
@@ -44,4 +44,4 @@ private-etc alternatives,dconf,fonts,gtk-3.0
 private-lib eog,eom,gdk-pixbuf-2.*,gio,girepository-1.*,gvfs,libgconf-2.so.*
 private-tmp
-#memory-deny-write-execute - breaks on Arch
+#memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/evince.profile b/etc/evince.profile
index 1a429d673..c1fbc7a4f 100644
--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -43,7 +43,7 @@ private-bin evince,evince-previewer,evince-thumbnailer
 private-cache
 private-dev
 private-etc alternatives,fonts,group,machine-id,passwd
-private-lib evince,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libdjvulibre.so.*,libgconf-2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,libspectre.so.*,gconv
+private-lib evince,gconv,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libdjvulibre.so.*,libgconf-2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,libspectre.so.*
 private-tmp
 # memory-deny-write-execute - might break application (https://github.com/netblue30/firejail/issues/1803)
diff --git a/etc/exfalso.profile b/etc/exfalso.profile
index 6146a8952..b5eda059f 100644
--- a/etc/exfalso.profile
+++ b/etc/exfalso.profile
@@ -10,12 +10,11 @@ noblacklist ${HOME}/.quodlibet
 noblacklist ${MUSIC}
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
+whitelist ${DOWNLOADS}
-noblacklist /usr/local/lib/python2*
+whitelist ${MUSIC}
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
@@ -25,6 +24,11 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
+mkdir ${HOME}/.quodlibet
+whitelist ${HOME}/.quodlibet
+include whitelist-common.inc
+include whitelist-var-common.inc
 caps.drop all
 machine-id
 netfilter
@@ -49,4 +53,4 @@ private-etc alternatives,fonts,group,passwd
 private-lib libatk-1.0.so.*,libgdk-3.so.*,libgdk_pixbuf-2.0.so.*,libgirepository-1.0.so.*,libgstreamer-1.0.so.*,libgtk-3.so.*,libgtksourceview-3.0.so.*,libpango-1.0.so.*,libpython*,libreadline.so.*,libsoup-2.4.so.*,libssl.so.1.*,python2*,python3*
 private-tmp
-# memory-deny-write-execute - Breaks on Arch
+#memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/exiftool.profile b/etc/exiftool.profile
index f694ea212..e76a4ca4c 100644
--- a/etc/exiftool.profile
+++ b/etc/exiftool.profile
@@ -6,12 +6,8 @@ include exiftool.local
 # Persistent global definitions
 include globals.local
-blacklist /tmp/.X11-unix
+# Allow perl (blacklisted by disable-interpreters.inc)
+include allow-perl.inc
-# Allow access to perl
-noblacklist ${PATH}/perl
-noblacklist /usr/lib/perl*
-noblacklist /usr/share/perl*
 include disable-common.inc
 include disable-devel.inc
@@ -39,6 +35,7 @@ protocol unix
 seccomp
 shell none
 tracelog
+x11 none
 # To support exiftool in private-bin on Arch Linux (and derivatives), symlink /usr/bin/vendor_perl/exiftool to /usr/bin/exiftool and uncomment the below.
 # Users on non-Arch Linux distributions can safely uncomment (or put in exiftool.local) the line below to enable extra hardening.
diff --git a/etc/falkon.profile b/etc/falkon.profile
index af6aaa1a7..cabf5aeba 100644
--- a/etc/falkon.profile
+++ b/etc/falkon.profile
@@ -16,6 +16,8 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+mkdir ${HOME}/.cache/falkon
+mkdir ${HOME}/.config/falkon
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/falkon
 whitelist ${HOME}/.config/falkon
diff --git a/etc/feh-network.inc b/etc/feh-network.inc
index f3876475e..e94e7205c 100644
--- a/etc/feh-network.inc
+++ b/etc/feh-network.inc
@@ -1,4 +1,4 @@
 ignore net none
 netfilter
 protocol unix,inet,inet6
-private-etc resolv.conf,ca-certificates,ssl,pki,hosts,crypto-policies
+private-etc ca-certificates,crypto-policies,hosts,pki,resolv.conf,ssl
diff --git a/etc/fetchmail.profile b/etc/fetchmail.profile
index 46d0bd08e..d64fe830f 100644
--- a/etc/fetchmail.profile
+++ b/etc/fetchmail.profile
@@ -30,5 +30,5 @@ protocol unix,inet,inet6
 seccomp
 shell none
-#private-bin fetchmail,procmail,bash,chmod
+#private-bin bash,chmod,fetchmail,procmail
 private-dev
diff --git a/etc/ffmpeg.profile b/etc/ffmpeg.profile
index ee722bc54..0771bf6a5 100644
--- a/etc/ffmpeg.profile
+++ b/etc/ffmpeg.profile
@@ -36,14 +36,13 @@ nou2f
 novideo
 protocol inet,inet6
 seccomp
-# seccomp.keep futex,write,read,munmap,fstat,mprotect,mmap,open,close,stat,lseek,brk,rt_sigaction,rt_sigprocmask,ioctl,access,select,madvise,getpid,clone,execve,fcntl,getdents,readlink,getrlimit,getrusage,statfs,getpriority,setpriority,arch_prctl,sched_getaffinity,set_tid_address,set_robust_list,getrandom
 shell none
 tracelog
 private-bin ffmpeg
 private-cache
 private-dev
-private-etc alternatives,pki,pkcs11,hosts,ssl,ca-certificates,resolv.conf
+private-etc alternatives,ca-certificates,hosts,pkcs11,pki,resolv.conf,ssl
 private-tmp
 # memory-deny-write-execute - it breaks old versions of ffmpeg
diff --git a/etc/file-roller.profile b/etc/file-roller.profile
index 95accdd36..59d2f3ec8 100644
--- a/etc/file-roller.profile
+++ b/etc/file-roller.profile
@@ -39,7 +39,6 @@ tracelog
 # private-bin file-roller
 private-dev
-# private-etc alternatives,fonts
 # private-tmp
 # memory-deny-write-execute
diff --git a/etc/file.profile b/etc/file.profile
index c304b4efe..69fa7d8cd 100644
--- a/etc/file.profile
+++ b/etc/file.profile
@@ -7,8 +7,6 @@ include file.local
 # Persistent global definitions
 include globals.local
-blacklist /tmp/.X11-unix
 include disable-common.inc
 include disable-exec.inc
 include disable-passwdmgr.inc
@@ -38,7 +36,7 @@ x11 none
 #private-bin file
 private-cache
 private-dev
-private-etc alternatives,magic.mgc,magic,localtime
+private-etc alternatives,localtime,magic,magic.mgc
 private-lib libarchive.so.*,libfakeroot,libmagic.so.*
 memory-deny-write-execute
diff --git a/etc/filezilla.profile b/etc/filezilla.profile
index d1bebafb5..d8d4c1746 100644
--- a/etc/filezilla.profile
+++ b/etc/filezilla.profile
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.config/filezilla
 noblacklist ${HOME}/.filezilla
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
@@ -37,6 +33,6 @@ seccomp
 shell none
 # private-bin breaks --join if the user has zsh set as $SHELL - adding zsh on private-bin
-private-bin filezilla,uname,sh,bash,zsh,python*,lsb_release,fzputtygen,fzsftp
+private-bin bash,filezilla,fzputtygen,fzsftp,lsb_release,python*,sh,uname,zsh
 private-dev
 private-tmp
diff --git a/etc/firefox-common-addons.inc b/etc/firefox-common-addons.inc
index 7a0c3e99f..0b95c555b 100644
--- a/etc/firefox-common-addons.inc
+++ b/etc/firefox-common-addons.inc
@@ -43,8 +43,10 @@ whitelist ${HOME}/.lastpass
 whitelist ${HOME}/.local/share/kget
 whitelist ${HOME}/.local/share/okular
 whitelist ${HOME}/.local/share/qpdfview
+whitelist ${HOME}/.local/share/tridactyl
 whitelist ${HOME}/.pentadactyl
 whitelist ${HOME}/.pentadactylrc
+whitelist ${HOME}/.tridactylrc
 whitelist ${HOME}/.vimperator
 whitelist ${HOME}/.vimperatorrc
 whitelist ${HOME}/.wine-pipelight
@@ -56,8 +58,7 @@ whitelist ${HOME}/dwhelper
 noblacklist ${HOME}/.local/share/gnome-shell
 whitelist ${HOME}/.local/share/gnome-shell
 ignore nodbus
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python3*
 # Flash plugin
 # private-etc must first be enabled in firefox-common.profile and in profiles including it.
diff --git a/etc/firefox-common.profile b/etc/firefox-common.profile
index bccbb3412..961b338e7 100644
--- a/etc/firefox-common.profile
+++ b/etc/firefox-common.profile
@@ -34,11 +34,8 @@ caps.drop all
 # machine-id breaks pulse audio; it should work fine in setups where sound is not required.
 #machine-id
 netfilter
-# Breaks Gnome connector and KDE Connect.
+# nodbus breaks various desktop integration features
-# Also seems to break Ubuntu titlebar menu.
+# among other things global menus, Gnome connector, KDE connect and power management on KDE Plasma
-# Also breaks enigmail apparently?
-# During a stream on Plasma it prevents the mechanism to temporarily bypass the power management, i.e. to keep the screen on.
-# Therefore disable if you use that.
 nodbus
 nodvd
 nogroups
@@ -57,5 +54,5 @@ shell none
 disable-mnt
 private-dev
 # private-etc below works fine on most distributions. There are some problems on CentOS.
-#private-etc alternatives,ca-certificates,ssl,machine-id,dconf,selinux,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,mime.types,mailcap,asound.conf,pulse,pki,crypto-policies,ld.so.cache
+#private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 private-tmp
diff --git a/etc/firefox.profile b/etc/firefox.profile
index 830bbc6a7..84c647cb9 100644
--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -15,7 +15,7 @@ whitelist ${HOME}/.cache/mozilla/firefox
 whitelist ${HOME}/.mozilla
 # firefox requires a shell to launch on Arch.
-#private-bin firefox,which,sh,dbus-launch,dbus-send,env,bash
+#private-bin bash,dbus-launch,dbus-send,env,firefox,sh,which
 # private-etc must first be enabled in firefox-common.profile
 #private-etc firefox
diff --git a/etc/flameshot.profile b/etc/flameshot.profile
index cd3e07455..3aad9723b 100644
--- a/etc/flameshot.profile
+++ b/etc/flameshot.profile
@@ -37,7 +37,7 @@ shell none
 disable-mnt
 private-bin flameshot
 private-cache
-private-etc alternatives,fonts,ld.so.conf,resolv.conf,ca-certificates,ssl,pki,crypto-policies
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.conf,pki,resolv.conf,ssl
 private-dev
 private-tmp
diff --git a/etc/flowblade.profile b/etc/flowblade.profile
index 1e84d4ca6..40472ab93 100644
--- a/etc/flowblade.profile
+++ b/etc/flowblade.profile
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.config/flowblade
 noblacklist ${HOME}/.flowblade
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/font-manager.profile b/etc/font-manager.profile
index 98952e1cc..1699e5cfc 100644
--- a/etc/font-manager.profile
+++ b/etc/font-manager.profile
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.cache/font-manager
 noblacklist ${HOME}/.config/font-manager
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
@@ -54,4 +50,4 @@ private-bin font-manager,python*,yelp
 private-dev
 private-tmp
-#memory-deny-write-execute - Breaks on Arch
+#memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/fontforge.profile b/etc/fontforge.profile
index f98ad9983..6d305e2af 100644
--- a/etc/fontforge.profile
+++ b/etc/fontforge.profile
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.FontForge
 noblacklist ${DOCUMENTS}
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/franz.profile b/etc/franz.profile
index d6445ff8e..e917e5517 100644
--- a/etc/franz.profile
+++ b/etc/franz.profile
@@ -5,6 +5,8 @@ include franz.local
 # Persistent global definitions
 include globals.local
+ignore noexec /tmp
 noblacklist ${HOME}/.cache/Franz
 noblacklist ${HOME}/.config/Franz
 noblacklist ${HOME}/.pki
@@ -12,6 +14,7 @@ noblacklist ${HOME}/.local/share/pki
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
@@ -41,5 +44,3 @@ shell none
 disable-mnt
 private-dev
 private-tmp
-noexec ${HOME}
diff --git a/etc/freeciv.profile b/etc/freeciv.profile
index 4813379a7..fa115d325 100644
--- a/etc/freeciv.profile
+++ b/etc/freeciv.profile
@@ -38,7 +38,7 @@ shell none
 tracelog
 disable-mnt
-private-bin freeciv-gtk3,freeciv-mp-gtk3,freeciv-server,freeciv-manual
+private-bin freeciv-gtk3,freeciv-manual,freeciv-mp-gtk3,freeciv-server
 private-cache
 private-dev
 private-tmp
diff --git a/etc/freecol.profile b/etc/freecol.profile
index 7987cc076..baeb4c528 100644
--- a/etc/freecol.profile
+++ b/etc/freecol.profile
@@ -7,16 +7,12 @@ include freecol.local
 include globals.local
 noblacklist ${HOME}/.freecol
-noblacklist ${HOME}/.java
 noblacklist ${HOME}/.cache/freecol
 noblacklist ${HOME}/.config/freecol
 noblacklist ${HOME}/.local/share/freecol
-# Allow access to java
+# Allow java (blacklisted by disable-devel.inc)
-noblacklist ${PATH}/java
+include allow-java.inc
-noblacklist /usr/lib/java
-noblacklist /etc/java
-noblacklist /usr/share/java
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/freemind.profile b/etc/freemind.profile
index 507bd564d..ba945c0fb 100644
--- a/etc/freemind.profile
+++ b/etc/freemind.profile
@@ -7,12 +7,11 @@ include freemind.local
 include globals.local
 noblacklist ${DOCUMENTS}
-noblacklist ${PATH}/java
-noblacklist /etc/java
-noblacklist /usr/lib/java
-noblacklist /usr/share/java
 noblacklist ${HOME}/.freemind
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -43,7 +42,7 @@ shell none
 tracelog
 disable-mnt
-private-bin freemind,java,bash,sed,sh,grep,mkdir,echo,cp,uname,which,lsb_release,rpm,dpkg,dirname,readlink
+private-bin bash,cp,dirname,dpkg,echo,freemind,grep,java,lsb_release,mkdir,readlink,rpm,sed,sh,uname,which
 private-cache
 private-dev
 #private-etc alternatives,fonts,java
diff --git a/etc/frozen-bubble.profile b/etc/frozen-bubble.profile
index 6de61840c..3931aa64a 100644
--- a/etc/frozen-bubble.profile
+++ b/etc/frozen-bubble.profile
@@ -9,11 +9,7 @@ include globals.local
 noblacklist ${HOME}/.frozen-bubble
 # Allow perl (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/cpan*
+include allow-perl.inc
-noblacklist ${PATH}/core_perl
-noblacklist ${PATH}/perl
-noblacklist /usr/lib/perl*
-noblacklist /usr/share/perl*
 include disable-common.inc
 include disable-devel.inc
@@ -42,5 +38,4 @@ shell none
 disable-mnt
 # private-bin frozen-bubble
 private-dev
-# private-etc alternatives
 private-tmp
diff --git a/etc/gajim.profile b/etc/gajim.profile
index 238b4fca9..74ab9f8b7 100644
--- a/etc/gajim.profile
+++ b/etc/gajim.profile
@@ -11,12 +11,8 @@ noblacklist ${HOME}/.config/gajim
 noblacklist ${HOME}/.local/share/gajim
 # Allow python (blacklisted by disable-interpreters.inc)
-#noblacklist ${PATH}/python2*
+#include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-#noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-#noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
@@ -50,7 +46,7 @@ shell none
 tracelog
 disable-mnt
-private-bin python,python3,sh,gpg,gpg2,gajim,bash,zsh,paplay,gajim-history-manager
+private-bin bash,gajim,gajim-history-manager,gpg,gpg2,paplay,python,python3,sh,zsh
 private-dev
 private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,hostname,hosts,ld.so.cache,ld.so.conf,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl
 private-tmp
diff --git a/etc/gcloud.profile b/etc/gcloud.profile
index a08aebf2c..7ca99f420 100644
--- a/etc/gcloud.profile
+++ b/etc/gcloud.profile
@@ -36,5 +36,5 @@ tracelog
 disable-mnt
 private-dev
-private-etc alternatives,ca-certificates,ssl,hosts,localtime,nsswitch.conf,resolv.conf,pki,crypto-policies,ld.so.cache
+private-etc alternatives,ca-certificates,crypto-policies,hosts,ld.so.cache,localtime,nsswitch.conf,pki,resolv.conf,ssl
 private-tmp
diff --git a/etc/gconf.profile b/etc/gconf.profile
index 5cc6b87a0..4baf8c957 100644
--- a/etc/gconf.profile
+++ b/etc/gconf.profile
@@ -9,12 +9,8 @@ include globals.local
 noblacklist ${HOME}/.config/gconf
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-#noblacklist ${PATH}/python3*
+#include allow-python3.inc
-noblacklist /usr/lib/python2*
-#noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-#noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
@@ -46,6 +42,7 @@ protocol unix
 seccomp
 shell none
 tracelog
+x11 none
 disable-mnt
 private-bin gconf-editor,gconf-merge-*,gconfpkg,gconftool-2,gsettings-*-convert,python2*
diff --git a/etc/geany.profile b/etc/geany.profile
index b9c0da12e..2cffb8777 100644
--- a/etc/geany.profile
+++ b/etc/geany.profile
@@ -11,6 +11,8 @@ noblacklist ${HOME}/.config/git
 noblacklist ${HOME}/.gitconfig
 noblacklist ${HOME}/.git-credentials
 noblacklist ${HOME}/.python-history
+noblacklist ${HOME}/.python_history
+noblacklist ${HOME}/.pythonhist
 noblacklist ${HOME}/.pythonrc.py
 include disable-common.inc
diff --git a/etc/geary.profile b/etc/geary.profile
index a21eed9f1..a446c81d0 100644
--- a/etc/geary.profile
+++ b/etc/geary.profile
@@ -4,27 +4,25 @@
 # Persistent local customizations
 include geary.local
 # Persistent global definitions
-include globals.local
+# added by included profile
+#include globals.local
 # Users have Geary set to open a browser by clicking a link in an email
 # We are not allowed to blacklist browser-specific directories
+ignore nodbus
+ignore private-tmp
 noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.local/share/geary
 mkdir ${HOME}/.gnupg
 mkdir ${HOME}/.config/geary
 mkdir ${HOME}/.local/share/geary
 whitelist ${HOME}/.gnupg
 whitelist ${HOME}/.config/geary
 whitelist ${HOME}/.local/share/geary
-include whitelist-common.inc
-ignore nodbus
-ignore private-tmp
 read-only ${HOME}/.config/mimeapps.list
 # allow browsers
diff --git a/etc/gedit.profile b/etc/gedit.profile
index ca2cf6e92..ed6efc3b6 100644
--- a/etc/gedit.profile
+++ b/etc/gedit.profile
@@ -12,6 +12,8 @@ noblacklist ${HOME}/.config/git
 noblacklist ${HOME}/.gitconfig
 noblacklist ${HOME}/.git-credentials
 noblacklist ${HOME}/.python-history
+noblacklist ${HOME}/.python_history
+noblacklist ${HOME}/.pythonhist
 noblacklist ${HOME}/.pythonrc.py
 include disable-common.inc
@@ -44,7 +46,6 @@ tracelog
 # private-bin gedit
 private-dev
-# private-etc alternatives,fonts
+private-lib aspell,gconv,gedit,libgspell-1.so.*,libreadline.so.*,libtinfo.so.*
-private-lib /usr/bin/gedit,libtinfo.so.*,libreadline.so.*,gedit,libgspell-1.so.*,gconv,aspell
 private-tmp
diff --git a/etc/geekbench.profile b/etc/geekbench.profile
index 764c68131..8d7dbd48e 100644
--- a/etc/geekbench.profile
+++ b/etc/geekbench.profile
@@ -41,11 +41,11 @@ disable-mnt
 private-bin bash,geekbenc*,sh
 private-cache
 private-dev
-private-etc alternatives,group,passwd,lsb-release
+private-etc alternatives,group,lsb-release,passwd
 private-lib libstdc++.so.*
 private-opt none
 private-tmp
-# memory-deny-write-execute - Breaks on Arch
+#memory-deny-write-execute - breaks on Arch (see issue #1803)
 read-only ${HOME}
diff --git a/etc/geeqie.profile b/etc/geeqie.profile
index adfc3ef1c..8810ca161 100644
--- a/etc/geeqie.profile
+++ b/etc/geeqie.profile
@@ -31,4 +31,3 @@ shell none
 # private-bin geeqie
 private-dev
-# private-etc alternatives,X11
diff --git a/etc/ghostwriter.profile b/etc/ghostwriter.profile
index 76011df19..48c02f195 100644
--- a/etc/ghostwriter.profile
+++ b/etc/ghostwriter.profile
@@ -49,7 +49,7 @@ tracelog
 #private-bin ghostwriter,pandoc
 private-cache
 private-dev
-private-etc alternatives,cups,crypto-policies,localtime,drirc,fonts,gtk-3.0,dconf,machine-id
+private-etc alternatives,crypto-policies,cups,dconf,drirc,fonts,gtk-3.0,localtime,machine-id
 # Breaks Translation
 #private-lib
 private-tmp
diff --git a/etc/gimp.profile b/etc/gimp.profile
index 91001cd30..762e743c8 100644
--- a/etc/gimp.profile
+++ b/etc/gimp.profile
@@ -7,7 +7,8 @@ include gimp.local
 include globals.local
 # gimp plugins are installed by the user in ${HOME}/.gimp-2.8/plug-ins/ directory
-# if you are not using external plugins, you can disable ignore noexec statement below
+# if you are not using external plugins, you can comment 'ignore noexec' statement below
+# or put 'ignore ignore noexec ${HOME}' in your gimp.local
 ignore noexec ${HOME}
 noblacklist ${HOME}/.config/GIMP
diff --git a/etc/git.profile b/etc/git.profile
index 0eb69faed..f7c812e65 100644
--- a/etc/git.profile
+++ b/etc/git.profile
@@ -7,8 +7,6 @@ include git.local
 # Persistent global definitions
 include globals.local
-blacklist /tmp/.X11-unix
 noblacklist ${HOME}/.config/git
 noblacklist ${HOME}/.config/nano
 noblacklist ${HOME}/.emacs
@@ -22,6 +20,8 @@ noblacklist ${HOME}/.ssh
 noblacklist ${HOME}/.vim
 noblacklist ${HOME}/.viminfo
+blacklist /tmp/.X11-unix
 include disable-common.inc
 include disable-exec.inc
 include disable-passwdmgr.inc
diff --git a/etc/gitg.profile b/etc/gitg.profile
index 656d5cfd8..f6f51ef6f 100644
--- a/etc/gitg.profile
+++ b/etc/gitg.profile
@@ -35,7 +35,7 @@ protocol unix,inet,inet6
 seccomp
 shell none
-private-bin gitg,git,ssh
+private-bin git,gitg,ssh
 private-cache
 private-dev
 private-tmp
diff --git a/etc/github-desktop.profile b/etc/github-desktop.profile
index 4a969f9ad..b25b138ad 100644
--- a/etc/github-desktop.profile
+++ b/etc/github-desktop.profile
@@ -42,7 +42,6 @@ disable-mnt
 private-cache
 ?HAS_APPIMAGE: ignore private-dev
 private-dev
-# private-etc alternatives
 # private-lib
 private-tmp
diff --git a/etc/gitter.profile b/etc/gitter.profile
index 7d0831bc4..017b1765a 100644
--- a/etc/gitter.profile
+++ b/etc/gitter.profile
@@ -37,7 +37,7 @@ shell none
 disable-mnt
 private-bin bash,env,gitter
-private-etc alternatives,fonts,pulse,resolv.conf,ca-certificates,ssl,pki,crypto-policies
+private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,pulse,resolv.conf,ssl
 private-opt Gitter
 private-dev
 private-tmp
diff --git a/etc/gjs.profile b/etc/gjs.profile
index f119e5b34..17b0aa5cf 100644
--- a/etc/gjs.profile
+++ b/etc/gjs.profile
@@ -32,7 +32,7 @@ seccomp
 shell none
 tracelog
-# private-bin gjs,gnome-books,gnome-documents,gnome-photos,gnome-maps,gnome-weather
+# private-bin gjs,gnome-books,gnome-documents,gnome-maps,gnome-photos,gnome-weather
 private-dev
-# private-etc alternatives,fonts,ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl
 private-tmp
diff --git a/etc/gnome-books.profile b/etc/gnome-books.profile
index 184751132..25cd94f0c 100644
--- a/etc/gnome-books.profile
+++ b/etc/gnome-books.profile
@@ -36,8 +36,7 @@ seccomp
 shell none
 tracelog
-# private-bin gjs gnome-books
+# private-bin gjs,gnome-books
 private-dev
-# private-etc alternatives,fonts
 private-tmp
diff --git a/etc/gnome-builder.profile b/etc/gnome-builder.profile
index c2459e6ee..dfa1a5da8 100644
--- a/etc/gnome-builder.profile
+++ b/etc/gnome-builder.profile
@@ -12,6 +12,8 @@ noblacklist ${HOME}/.config/git
 noblacklist ${HOME}/.gitconfig
 noblacklist ${HOME}/.git-credentials
 noblacklist ${HOME}/.python-history
+noblacklist ${HOME}/.python_history
+noblacklist ${HOME}/.pythonhist
 noblacklist ${HOME}/.pythonrc.py
 include disable-common.inc
diff --git a/etc/gnome-chess.profile b/etc/gnome-chess.profile
index 04409a5e4..e657293ac 100644
--- a/etc/gnome-chess.profile
+++ b/etc/gnome-chess.profile
@@ -37,7 +37,7 @@ shell none
 tracelog
 disable-mnt
-private-bin fairymax,gnome-chess,hoichess,gnuchess
+private-bin fairymax,gnome-chess,gnuchess,hoichess
 private-cache
 private-dev
 private-etc alternatives,dconf,fonts,gnome-chess,gtk-3.0
diff --git a/etc/gnome-clocks.profile b/etc/gnome-clocks.profile
index cb73a9477..2beee83e0 100644
--- a/etc/gnome-clocks.profile
+++ b/etc/gnome-clocks.profile
@@ -37,6 +37,6 @@ disable-mnt
 private-bin gnome-clocks,gsound-play
 private-cache
 private-dev
-private-etc alternatives,fonts,ca-certificates,ssl,pki,crypto-policies,machine-id,hosts,pkcs11,localtime,gtk-3.0,dconf
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,hosts,localtime,machine-id,pkcs11,pki,ssl
 private-tmp
diff --git a/etc/gnome-maps.profile b/etc/gnome-maps.profile
index 97de9c2be..be8e809ce 100644
--- a/etc/gnome-maps.profile
+++ b/etc/gnome-maps.profile
@@ -10,6 +10,7 @@ include globals.local
 noblacklist ${HOME}/.cache/champlain
 noblacklist ${HOME}/.local/share/flatpak
+noblacklist ${HOME}/.local/share/maps-places.json
 include disable-common.inc
 include disable-devel.inc
@@ -19,6 +20,13 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
+mkdir ${HOME}/.cache/champlain
+mkfile ${HOME}/.local/share/maps-places.json
+whitelist ${HOME}/.cache/champlain
+whitelist ${HOME}/.local/share/maps-places.json
+whitelist ${DOWNLOADS}
+whitelist ${PICTURES}
+include whitelist-common.inc
 include whitelist-var-common.inc
 apparmor
@@ -39,8 +47,9 @@ shell none
 tracelog
 disable-mnt
-# private-bin gjs gnome-maps
+private-bin gjs,gnome-maps
+# private-cache -- gnome-maps cache all maps/satelite-images
 private-dev
-# private-etc alternatives,fonts,ca-certificates,ssl,pki,crypto-policies
+private-etc alternatives,ca-certificates,clutter-1.0,crypto-policies,dconf,drirc,fonts,gconf,gcrypt,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,nsswitch.conf,pango,pkcs11,pki,protocols,resolv.conf,rpc,services,ssl,X11,xdg
 private-tmp
diff --git a/etc/gnome-music.profile b/etc/gnome-music.profile
index 6bebeb526..ad3fa1753 100644
--- a/etc/gnome-music.profile
+++ b/etc/gnome-music.profile
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.local/share/gnome-music
 noblacklist ${MUSIC}
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
@@ -41,8 +37,8 @@ seccomp
 shell none
 tracelog
-private-bin gnome-music,python*,env,gio-launch-desktop,yelp
+private-bin env,gio-launch-desktop,gnome-music,python*,yelp
 private-dev
-private-etc alternatives,fonts,machine-id,pulse,asound.conf
+private-etc alternatives,asound.conf,fonts,machine-id,pulse
 private-tmp
diff --git a/etc/gnome-nettool.profile b/etc/gnome-nettool.profile
index 3f28b7efe..001274372 100644
--- a/etc/gnome-nettool.profile
+++ b/etc/gnome-nettool.profile
@@ -14,7 +14,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
-include whitelist-common.inc
+#include whitelist-common.inc -- see #903
 include whitelist-var-common.inc
 caps.keep net_raw
@@ -39,6 +39,6 @@ disable-mnt
 private
 private-cache
 private-dev
-private-lib libgtk-3.so.*,libgtop*,libbind9.so.*,libcrypto.so.*,libdns.so.*,libirs.so.*,liblua.so.*,libssh2.so.*,libssl.so.*
+private-lib libbind9.so.*,libcrypto.so.*,libdns.so.*,libgtk-3.so.*,libgtop*,libirs.so.*,liblua.so.*,libssh2.so.*,libssl.so.*
 private-tmp
diff --git a/etc/gnome-photos.profile b/etc/gnome-photos.profile
index 4e5a3b109..3bbad67bb 100644
--- a/etc/gnome-photos.profile
+++ b/etc/gnome-photos.profile
@@ -33,8 +33,7 @@ seccomp
 shell none
 tracelog
-# private-bin gjs gnome-photos
+# private-bin gjs,gnome-photos
 private-dev
-# private-etc alternatives,fonts
 private-tmp
diff --git a/etc/gnome-recipes.profile b/etc/gnome-recipes.profile
index 1a897a5d8..567fa262c 100644
--- a/etc/gnome-recipes.profile
+++ b/etc/gnome-recipes.profile
@@ -43,7 +43,7 @@ shell none
 disable-mnt
 private-bin gnome-recipes,tar
 private-dev
-private-etc alternatives,ca-certificates,fonts,ssl,crypto-policies,pki
+private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl
 private-lib gdk-pixbuf-2.0,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,libgnutls.so.*,libjpeg.so.*,libp11-kit.so.*,libproxy.so.*,librsvg-2.so.*
 private-tmp
diff --git a/etc/gnome-schedule.profile b/etc/gnome-schedule.profile
index 931efbbab..0fca08505 100644
--- a/etc/gnome-schedule.profile
+++ b/etc/gnome-schedule.profile
@@ -36,12 +36,8 @@ noblacklist ${PATH}/xfce4-terminal
 noblacklist ${PATH}/xfce4-terminal.wrapper
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
@@ -73,6 +69,5 @@ tracelog
 disable-mnt
 private-cache
 private-dev
-# private-etc alternatives
 writable-var
diff --git a/etc/gnome-sound-recorder.profile b/etc/gnome-sound-recorder.profile
new file mode 100644
index 000000000..135106c1e
--- /dev/null
+++ b/etc/gnome-sound-recorder.profile
@@ -0,0 +1,41 @@
+# Firejail profile for gnome-sound-recorder
+# Description: simple sound recordings for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-sound-recorder.local
+# Persistent global definitions
+include globals.local
+noblacklist ${MUSIC}
+noblacklist ${HOME}/.local/share/flatpak
+noblacklist ${HOME}/.local/share/Trash
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-var-common.inc
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+disable-mnt
+private-cache
+private-dev
+private-etc alsa,asound.conf,dconf,fonts,gtk-2.0,gtk-3.0,machine-id,openal,pango,pulse,xdg
+private-tmp
diff --git a/etc/gnome-weather.profile b/etc/gnome-weather.profile
index ef7255130..a43db7e2f 100644
--- a/etc/gnome-weather.profile
+++ b/etc/gnome-weather.profile
@@ -37,8 +37,8 @@ shell none
 tracelog
 disable-mnt
-# private-bin gjs gnome-weather
+# private-bin gjs,gnome-weather
 private-dev
-# private-etc alternatives,fonts,ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl
 private-tmp
diff --git a/etc/godot.profile b/etc/godot.profile
new file mode 100644
index 000000000..2baf09b1d
--- /dev/null
+++ b/etc/godot.profile
@@ -0,0 +1,43 @@
+# Firejail profile for godot
+# Description: multi-platform 2D and 3D game engine with a feature-rich editor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include godot.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.cache/godot
+noblacklist ${HOME}/.config/godot
+noblacklist ${HOME}/.local/share/godot
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-var-common.inc
+caps.drop all
+netfilter
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+# private-bin godot
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,machine-id,nsswitch.conf,openal,pki,pulse,resolv.conf,ssl
+private-tmp
diff --git a/etc/goobox.profile b/etc/goobox.profile
index be332665e..c932ad528 100644
--- a/etc/goobox.profile
+++ b/etc/goobox.profile
@@ -31,5 +31,5 @@ tracelog
 # private-bin goobox
 private-dev
-# private-etc alternatives,fonts,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,machine-id,pki,pulse,ssl
 # private-tmp
diff --git a/etc/google-earth.profile b/etc/google-earth.profile
index a29e0d563..447a895d7 100644
--- a/etc/google-earth.profile
+++ b/etc/google-earth.profile
@@ -45,7 +45,7 @@ seccomp
 shell none
 disable-mnt
-private-bin google-earth,sh,bash,grep,sed,ls,dirname
+private-bin bash,dirname,google-earth,grep,ls,sed,sh
 private-dev
 private-opt google
diff --git a/etc/google-play-music-desktop-player.profile b/etc/google-play-music-desktop-player.profile
index 4932c9e42..daa385234 100644
--- a/etc/google-play-music-desktop-player.profile
+++ b/etc/google-play-music-desktop-player.profile
@@ -5,14 +5,19 @@ include google-play-music-desktop-player.local
 # Persistent global definitions
 include globals.local
+# noexec /tmp breaks mpris support
+ignore noexec /tmp
 noblacklist ${HOME}/.config/Google Play Music Desktop Player
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+mkdir ${HOME}/.config/Google Play Music Desktop Player
 # whitelist ${HOME}/.config/pulse
 # whitelist ${HOME}/.pulse
 whitelist ${HOME}/.config/Google Play Music Desktop Player
@@ -35,7 +40,3 @@ shell none
 disable-mnt
 private-dev
 private-tmp
-noexec ${HOME}
-# noexec /tmp breaks mpris support
-#noexec /tmp
diff --git a/etc/gpg-agent.profile b/etc/gpg-agent.profile
index 7181837d5..61b485df5 100644
--- a/etc/gpg-agent.profile
+++ b/etc/gpg-agent.profile
@@ -6,10 +6,10 @@ include gpg-agent.local
 # Persistent global definitions
 include globals.local
-blacklist /tmp/.X11-unix
 noblacklist ${HOME}/.gnupg
+blacklist /tmp/.X11-unix
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
diff --git a/etc/gpg.profile b/etc/gpg.profile
index 51662b59c..99ad1b888 100644
--- a/etc/gpg.profile
+++ b/etc/gpg.profile
@@ -6,10 +6,10 @@ include gpg.local
 # Persistent global definitions
 include globals.local
-blacklist /tmp/.X11-unix
 noblacklist ${HOME}/.gnupg
+blacklist /tmp/.X11-unix
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
diff --git a/etc/gpredict.profile b/etc/gpredict.profile
index be3742fe3..c1f1b53a0 100644
--- a/etc/gpredict.profile
+++ b/etc/gpredict.profile
@@ -15,6 +15,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+mkdir ${HOME}/.config/Gpredict
 whitelist ${HOME}/.config/Gpredict
 include whitelist-common.inc
@@ -34,6 +35,6 @@ tracelog
 private-bin gpredict
 private-dev
-private-etc alternatives,fonts,resolv.conf,ca-certificates,ssl,pki,crypto-policies
+private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,resolv.conf,ssl
 private-tmp
diff --git a/etc/gradio.profile b/etc/gradio.profile
index 75c793f61..82e2504b9 100644
--- a/etc/gradio.profile
+++ b/etc/gradio.profile
@@ -35,6 +35,6 @@ protocol unix,inet,inet6
 seccomp
 shell none
-private-etc alternatives,asound.conf,ca-certificates,fonts,host.conf,hostname,hosts,pulse,resolv.conf,ssl,pki,crypto-policies,gtk-3.0,xdg,machine-id
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,machine-id,pki,pulse,resolv.conf,ssl,xdg
 private-tmp
diff --git a/etc/gramps.profile b/etc/gramps.profile
index 764c14b60..54b154964 100644
--- a/etc/gramps.profile
+++ b/etc/gramps.profile
@@ -9,12 +9,8 @@ include globals.local
 noblacklist ${HOME}/.gramps
 # Allow python (blacklisted by disable-interpreters.inc)
-#noblacklist ${PATH}/python2*
+#include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-#noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-#noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/gwenview.profile b/etc/gwenview.profile
index d4af3ed1a..489be3931 100644
--- a/etc/gwenview.profile
+++ b/etc/gwenview.profile
@@ -43,7 +43,7 @@ seccomp
 shell none
 # tracelog
-private-bin gwenview,gimp*,kbuildsycoca4,kdeinit4
+private-bin gimp*,gwenview,kbuildsycoca4,kdeinit4
 private-dev
 private-etc alternatives,fonts,gimp,gtk-2.0,kde4rc,kde5rc,ld.so.cache,machine-id,pulse,xdg
diff --git a/etc/gzip.profile b/etc/gzip.profile
index 27e262f87..38f6ee65e 100644
--- a/etc/gzip.profile
+++ b/etc/gzip.profile
@@ -7,14 +7,15 @@ include gzip.local
 # Persistent global definitions
 include globals.local
-blacklist /tmp/.X11-unix
+include disable-common.inc
+include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
+include disable-passwdmgr.inc
-ignore noroot
+include disable-programs.inc
 apparmor
+caps.drop all
 hostname gzip
 ipc-namespace
 machine-id
@@ -23,16 +24,19 @@ no3d
 nodbus
 nodvd
 nogroups
+nonewprivs
+#noroot
 nosound
 notv
 nou2f
 novideo
+protocol unix
+seccomp
 shell none
 tracelog
+x11 none
 private-cache
 private-dev
 memory-deny-write-execute
-include default.profile
diff --git a/etc/hashcat.profile b/etc/hashcat.profile
index 4ed099fae..da59984d7 100644
--- a/etc/hashcat.profile
+++ b/etc/hashcat.profile
@@ -33,6 +33,7 @@ novideo
 protocol unix
 seccomp
 shell none
+x11 none
 disable-mnt
 private-bin hashcat
diff --git a/etc/hexchat.profile b/etc/hexchat.profile
index ee70e6655..d032c93e6 100644
--- a/etc/hexchat.profile
+++ b/etc/hexchat.profile
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.config/hexchat
 noblacklist /usr/share/perl*
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/highlight.profile b/etc/highlight.profile
index 243643aea..249d5cd17 100644
--- a/etc/highlight.profile
+++ b/etc/highlight.profile
@@ -6,8 +6,6 @@ include highlight.local
 # Persistent global definitions
 include globals.local
-blacklist /tmp/.X11-unix
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
@@ -30,9 +28,9 @@ protocol unix
 seccomp
 shell none
 tracelog
+x11 none
 private-bin highlight
 private-cache
 private-dev
-# private-etc alternatives
 private-tmp
diff --git a/etc/hugin.profile b/etc/hugin.profile
index 3d8921120..07a697c05 100644
--- a/etc/hugin.profile
+++ b/etc/hugin.profile
@@ -33,7 +33,7 @@ protocol unix
 seccomp
 shell none
-private-bin PTBatcherGUI,calibrate_lens_gui,hugin,hugin_stitch_project,align_image_stack,autooptimiser,celeste_standalone,checkpto,cpclean,cpfind,deghosting_mask,fulla,geocpset,hugin_executor,hugin_hdrmerge,hugin_lensdb,icpfind,linefind,nona,pano_modify,pano_trafo,pto_gen,pto_lensstack,pto_mask,pto_merge,pto_move,pto_template,pto_var,tca_correct,verdandi,vig_optimize,enblend
+private-bin align_image_stack,autooptimiser,calibrate_lens_gui,celeste_standalone,checkpto,cpclean,cpfind,deghosting_mask,enblend,fulla,geocpset,hugin,hugin_executor,hugin_hdrmerge,hugin_lensdb,hugin_stitch_project,icpfind,linefind,nona,pano_modify,pano_trafo,PTBatcherGUI,pto_gen,pto_lensstack,pto_mask,pto_merge,pto_move,pto_template,pto_var,tca_correct,verdandi,vig_optimize
 private-cache
 private-dev
 private-tmp
diff --git a/etc/imagej.profile b/etc/imagej.profile
index 9d0ab43a0..00ee115ed 100644
--- a/etc/imagej.profile
+++ b/etc/imagej.profile
@@ -8,11 +8,8 @@ include globals.local
 noblacklist ${HOME}/.imagej
-# Allow access to java
+# Allow java (blacklisted by disable-devel.inc)
-noblacklist ${PATH}/java
+include allow-java.inc
-noblacklist /usr/lib/java
-noblacklist /etc/java
-noblacklist /usr/share/java
 include disable-common.inc
 include disable-devel.inc
@@ -37,7 +34,7 @@ protocol unix
 seccomp
 shell none
-private-bin imagej,bash,grep,sort,tail,tr,cut,whoami,hostname,uname,mkdir,ls,touch,free,awk,update-java-alternatives,basename,xprop,rm,ln
+private-bin awk,basename,bash,cut,free,grep,hostname,imagej,ln,ls,mkdir,rm,sort,tail,touch,tr,uname,update-java-alternatives,whoami,xprop
 private-dev
 private-tmp
diff --git a/etc/img2txt.profile b/etc/img2txt.profile
index ade50048e..19b4e1ed7 100644
--- a/etc/img2txt.profile
+++ b/etc/img2txt.profile
@@ -34,11 +34,11 @@ protocol unix
 seccomp
 shell none
 tracelog
+x11 none
 # private-bin img2txt
 private-cache
 private-dev
-# private-etc alternatives
 private-tmp
 memory-deny-write-execute
diff --git a/etc/inkscape.profile b/etc/inkscape.profile
index ecc5e5d35..a1b3bce23 100644
--- a/etc/inkscape.profile
+++ b/etc/inkscape.profile
@@ -13,12 +13,8 @@ noblacklist ${DOCUMENTS}
 noblacklist ${PICTURES}
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
@@ -47,8 +43,10 @@ novideo
 protocol unix
 seccomp
 shell none
+tracelog
 # private-bin inkscape,potrace,python* - problems on Debian stretch
+private-cache
 private-dev
 private-tmp
diff --git a/etc/jd-gui.profile b/etc/jd-gui.profile
index dce44e5d4..5b7275718 100644
--- a/etc/jd-gui.profile
+++ b/etc/jd-gui.profile
@@ -6,13 +6,9 @@ include jd-gui.local
 include globals.local
 noblacklist ${HOME}/.config/jd-gui.cfg
-noblacklist ${HOME}/.java
-# Allow access to java
+# Allow java (blacklisted by disable-devel.inc)
-noblacklist ${PATH}/java
+include allow-java.inc
-noblacklist /usr/lib/java
-noblacklist /etc/java
-noblacklist /usr/share/java
 include disable-common.inc
 include disable-devel.inc
@@ -40,7 +36,7 @@ protocol unix
 seccomp
 shell none
-private-bin jd-gui,sh,bash
+private-bin bash,jd-gui,sh
 private-cache
 private-dev
 private-tmp
diff --git a/etc/jitsi.profile b/etc/jitsi.profile
index 5a575bb71..223c360b8 100644
--- a/etc/jitsi.profile
+++ b/etc/jitsi.profile
@@ -7,11 +7,8 @@ include globals.local
 noblacklist ${HOME}/.jitsi
-# Allow access to java
+# Allow java (blacklisted by disable-devel.inc)
-noblacklist ${PATH}/java
+include allow-java.inc
-noblacklist /usr/lib/java
-noblacklist /etc/java
-noblacklist /usr/share/java
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/kdeinit4.profile b/etc/kdeinit4.profile
index f786c78d5..082045c62 100644
--- a/etc/kdeinit4.profile
+++ b/etc/kdeinit4.profile
@@ -30,7 +30,7 @@ protocol unix,inet,inet6,netlink
 seccomp
 shell none
-private-bin kdeinit4,kbuildsycoca4,kded4,knotify4
+private-bin kbuildsycoca4,kded4,kdeinit4,knotify4
 private-dev
 private-tmp
diff --git a/etc/kdenlive.profile b/etc/kdenlive.profile
index 82c8c6793..361109127 100644
--- a/etc/kdenlive.profile
+++ b/etc/kdenlive.profile
@@ -33,6 +33,6 @@ protocol unix,netlink
 seccomp
 shell none
-private-bin kdenlive,kdenlive_render,dbus-launch,melt,ffmpeg,ffplay,ffprobe,dvdauthor,genisoimage,vlc,xine,kdeinit5,kshell5,kdeinit5_shutdown,kdeinit5_wrapper,kdeinit4,kshell4,kdeinit4_shutdown,kdeinit4_wrapper,mlt-melt
+private-bin dbus-launch,dvdauthor,ffmpeg,ffplay,ffprobe,genisoimage,kdeinit4,kdeinit4_shutdown,kdeinit4_wrapper,kdeinit5,kdeinit5_shutdown,kdeinit5_wrapper,kdenlive,kdenlive_render,kshell4,kshell5,melt,mlt-melt,vlc,xine
 private-dev
-# private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,pulse,xdg,X11
+# private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,pulse,X11,xdg
diff --git a/etc/keepassxc-cli.profile b/etc/keepassxc-cli.profile
new file mode 100644
index 000000000..6f657e7de
--- /dev/null
+++ b/etc/keepassxc-cli.profile
@@ -0,0 +1,12 @@
+# Firejail profile for keepassxc-cli
+# Description: command line interface for KeePassXC
+# This file is overwritten after every install/update
+# Persistent local customizations
+include keepassxc-cli.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include keepassxc.profile
diff --git a/etc/keepassxc-proxy.profile b/etc/keepassxc-proxy.profile
new file mode 100644
index 000000000..79666aee2
--- /dev/null
+++ b/etc/keepassxc-proxy.profile
@@ -0,0 +1,11 @@
+# Firejail profile for keepassxc-cli
+# This file is overwritten after every install/update
+# Persistent local customizations
+include keepassxc-proxy.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include keepassxc.profile
diff --git a/etc/keepassxc.profile b/etc/keepassxc.profile
index c1adfd516..6ef02ad47 100644
--- a/etc/keepassxc.profile
+++ b/etc/keepassxc.profile
@@ -37,11 +37,11 @@ nosound
 notv
 nou2f
 novideo
-protocol netlink,unix
+protocol unix,netlink
 seccomp
 shell none
-private-bin keepassxc,keepassxc-proxy
+private-bin keepassxc,keepassxc-cli,keepassxc-proxy
 private-dev
 private-etc alternatives,fonts,ld.so.cache,machine-id
 private-tmp
diff --git a/etc/kid3.profile b/etc/kid3.profile
index 3171e94fe..01064feb5 100644
--- a/etc/kid3.profile
+++ b/etc/kid3.profile
@@ -37,7 +37,7 @@ tracelog
 private-cache
 private-dev
-private-etc alternatives,drirc,fonts,kde5rc,gtk-3.0,dconf,machine-id,ca-certificates,ssl,pki,hostname,hosts,resolv.conf,pulse,,crypto-policies
+private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hostname,hosts,kde5rc,machine-id,pki,pulse,resolv.conf,ssl
 private-tmp
 private-opt none
 private-srv none
diff --git a/etc/klatexformula.profile b/etc/klatexformula.profile
new file mode 100644
index 000000000..d584f6a56
--- /dev/null
+++ b/etc/klatexformula.profile
@@ -0,0 +1,43 @@
+# Firejail profile for klatexformula
+# Description: generating images from LaTeX equations
+# This file is overwritten after every install/update
+# Persistent local customizations
+include klatexformula.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.kde/share/apps/klatexformula
+noblacklist ${HOME}/.klatexformula
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+apparmor
+caps.drop all
+machine-id
+net none
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+private-cache
+private-dev
+private-tmp
diff --git a/etc/klatexformula_cmdl.profile b/etc/klatexformula_cmdl.profile
new file mode 100644
index 000000000..9137963c4
--- /dev/null
+++ b/etc/klatexformula_cmdl.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for klatexformula_cmdl
+# This file is overwritten after every install/update
+# Redirect
+include klatexformula.profile
diff --git a/etc/kmail.profile b/etc/kmail.profile
index 009b2c063..0b602c79a 100644
--- a/etc/kmail.profile
+++ b/etc/kmail.profile
@@ -53,9 +53,8 @@ protocol unix,inet,inet6,netlink
 # we need to allow chroot, io_getevents, ioprio_set, io_setup, io_submit system calls
 seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
 # tracelog
-# writable-run-user is needed for signing and encrypting emails
-writable-run-user
 private-dev
 # private-tmp - interrupts connection to akonadi, breaks opening of email attachments
+# writable-run-user is needed for signing and encrypting emails
+writable-run-user
diff --git a/etc/kodi.profile b/etc/kodi.profile
index dad085967..86afe46b5 100644
--- a/etc/kodi.profile
+++ b/etc/kodi.profile
@@ -15,12 +15,8 @@ noblacklist ${PICTURES}
 noblacklist ${VIDEOS}
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/konversation.profile b/etc/konversation.profile
index 19174459c..dd3e9617f 100644
--- a/etc/konversation.profile
+++ b/etc/konversation.profile
@@ -34,7 +34,7 @@ seccomp
 shell none
 tracelog
-private-bin konversation,kbuildsycoca4
+private-bin kbuildsycoca4,konversation
 private-cache
 private-dev
 private-tmp
diff --git a/etc/kopete.profile b/etc/kopete.profile
index 5e931ddac..e0bdce059 100644
--- a/etc/kopete.profile
+++ b/etc/kopete.profile
@@ -31,8 +31,8 @@ notv
 nou2f
 protocol unix,inet,inet6,netlink
 seccomp
-writable-var
 private-dev
 private-tmp
+writable-var
diff --git a/etc/krita.profile b/etc/krita.profile
index 8f275f8df..49c36274a 100644
--- a/etc/krita.profile
+++ b/etc/krita.profile
@@ -15,12 +15,8 @@ noblacklist ${DOCUMENTS}
 noblacklist ${PICTURES}
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/ktorrent.profile b/etc/ktorrent.profile
index f30a1b7e6..2eb46a7e8 100644
--- a/etc/ktorrent.profile
+++ b/etc/ktorrent.profile
@@ -52,7 +52,7 @@ protocol unix,inet,inet6,netlink
 seccomp
 shell none
-private-bin ktorrent,kbuildsycoca4,kdeinit4
+private-bin kbuildsycoca4,kdeinit4,ktorrent
 private-dev
 # private-lib - problems on Arch
 private-tmp
diff --git a/etc/kwrite.profile b/etc/kwrite.profile
index 9b0640eab..31ac19039 100644
--- a/etc/kwrite.profile
+++ b/etc/kwrite.profile
@@ -43,7 +43,7 @@ seccomp
 shell none
 tracelog
-private-bin kwrite,kbuildsycoca4,kdeinit4
+private-bin kbuildsycoca4,kdeinit4,kwrite
 private-dev
 private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,pulse,xdg
 private-tmp
diff --git a/etc/less.profile b/etc/less.profile
index 5ad7cb959..e6366ad28 100644
--- a/etc/less.profile
+++ b/etc/less.profile
@@ -5,27 +5,36 @@ quiet
 # Persistent local customizations
 include less.local
 # Persistent global definitions
-# added by included profile
+include globals.local
-#include globals.local
-blacklist /tmp/.X11-unix
+noblacklist ${HOME}/.lesshst
+include disable-common.inc
+include disable-devel.inc
 include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
-ignore noroot
 apparmor
+caps.drop all
 ipc-namespace
 machine-id
 net none
 no3d
 nodbus
 nodvd
+nonewprivs
+#noroot
 nosound
 notv
 nou2f
 novideo
+protocol unix
+seccomp
 shell none
 tracelog
-writable-var-log
+x11 none
 # The user can have a custom coloring script configured in ${HOME}/.lessfilter.
 # Enable private-bin and private-lib if you are not using any filter.
@@ -33,7 +42,6 @@ writable-var-log
 # private-lib
 private-cache
 private-dev
+writable-var-log
 memory-deny-write-execute
-include default.profile
diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile
index 5bb943323..b8a6201b2 100644
--- a/etc/libreoffice.profile
+++ b/etc/libreoffice.profile
@@ -6,16 +6,13 @@ include libreoffice.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.java
 noblacklist /usr/local/sbin
 noblacklist ${HOME}/.config/libreoffice
-# libreoffice uses java; if you don't care about java functionality,
+# libreoffice uses java for some certain operations
-# comment the next four lines
+# comment if you don't care about java functionality
-noblacklist ${PATH}/java
+# Allow java (blacklisted by disable-devel.inc)
-noblacklist /usr/lib/java
+include allow-java.inc
-noblacklist /etc/java
-noblacklist /usr/share/java
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/liferea.profile b/etc/liferea.profile
index e778d7b55..70d317199 100644
--- a/etc/liferea.profile
+++ b/etc/liferea.profile
@@ -11,12 +11,8 @@ noblacklist ${HOME}/.config/liferea
 noblacklist ${HOME}/.local/share/liferea
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/links.profile b/etc/links.profile
new file mode 100644
index 000000000..bd0b0cc92
--- /dev/null
+++ b/etc/links.profile
@@ -0,0 +1,64 @@
+# Firejail profile for links
+# Description: Text WWW browser
+# This file is overwritten after every install/update
+# Persistent local customizations
+include links.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.links
+blacklist /tmp/.X11-unix
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+# you may want to noblacklist files/directories blacklisted in
+# disable-programs.inc and used as associated programs
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.links
+whitelist ${HOME}/.links
+whitelist ${DOWNLOADS}
+include whitelist-var-common.inc
+caps.drop all
+ipc-namespace
+# comment machine-id (or put 'ignore machine-id' in your links.local) if you want
+# to allow access only to user-configured associated media player
+machine-id
+netfilter
+# comment no3d (or put 'ignore no3d' in your links.local) if you want
+# to allow access only to user-configured associated media player
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+# comment nosound (or put 'ignore nosound' in your links.local) if you want
+# to allow access only to user-configured associated media player
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+disable-mnt
+# if you want to use user-configured programs add 'private-bin PROGRAM1,PROGRAM2' to your links.local
+# or append 'PROGRAM1,PROGRAM2' to this private-bin line
+private-bin links,sh
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
+# Uncomment the following line (or put it in your links.local) allow external
+# media players
+# private-etc alsa,asound.conf,machine-id,openal,pulse
+private-tmp
+memory-deny-write-execute
diff --git a/etc/lollypop.profile b/etc/lollypop.profile
index 76b8ed75c..1ce83822d 100644
--- a/etc/lollypop.profile
+++ b/etc/lollypop.profile
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.local/share/lollypop
 noblacklist ${MUSIC}
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
@@ -41,6 +37,6 @@ seccomp
 shell none
 private-dev
-private-etc alternatives,asound.conf,ca-certificates,fonts,host.conf,hostname,hosts,pulse,resolv.conf,ssl,pki,crypto-policies,gtk-3.0,xdg,machine-id
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,machine-id,pki,pulse,resolv.conf,ssl,xdg
 private-tmp
diff --git a/etc/lynx.profile b/etc/lynx.profile
index 2f043c9b9..063285316 100644
--- a/etc/lynx.profile
+++ b/etc/lynx.profile
@@ -34,5 +34,5 @@ tracelog
 # private-bin lynx
 private-cache
 private-dev
-# private-etc alternatives,ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,ca-certificates,crypto-policies,pki,ssl
 private-tmp
diff --git a/etc/macrofusion.profile b/etc/macrofusion.profile
index 7d42f2bfe..94d90780b 100644
--- a/etc/macrofusion.profile
+++ b/etc/macrofusion.profile
@@ -9,12 +9,8 @@ noblacklist ${HOME}/.config/mfusion
 noblacklist ${PICTURES}
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
@@ -40,7 +36,7 @@ protocol unix
 seccomp
 shell none
-private-bin python*,macrofusion,env,enfuse,exiftool,align_image_stack
+private-bin align_image_stack,enfuse,env,exiftool,macrofusion,python*
 private-cache
 private-dev
 private-tmp
diff --git a/etc/mate-calc.profile b/etc/mate-calc.profile
index ac5577b4c..2f6020ad3 100644
--- a/etc/mate-calc.profile
+++ b/etc/mate-calc.profile
@@ -15,12 +15,13 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+mkdir ${HOME}/.cache/mate-calc
+mkdir ${HOME}/.config/caja
+mkdir ${HOME}/.config/mate-menu
 whitelist ${HOME}/.cache/mate-calc
 whitelist ${HOME}/.config/caja
-whitelist ${HOME}/.config/gtk-3.0
-whitelist ${HOME}/.config/dconf
 whitelist ${HOME}/.config/mate-menu
-whitelist ${HOME}/.themes
+include whitelist-common.inc
 caps.drop all
 net none
@@ -40,7 +41,7 @@ shell none
 disable-mnt
 private-bin mate-calc,mate-calculator
-private-etc alternatives,fonts
+private-etc alternatives,dconf,fonts,gtk-3.0
 private-dev
 private-opt none
 private-tmp
diff --git a/etc/mate-color-select.profile b/etc/mate-color-select.profile
index bd3631445..f1a7ca18f 100644
--- a/etc/mate-color-select.profile
+++ b/etc/mate-color-select.profile
@@ -5,7 +5,6 @@ include mate-color-select.local
 # Persistent global definitions
 include globals.local
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -13,10 +12,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
-whitelist ${HOME}/.config/gtk-3.0
+include whitelist-common.inc
-whitelist ${HOME}/.fonts
-whitelist ${HOME}/.icons
-whitelist ${HOME}/.themes
 caps.drop all
 netfilter
diff --git a/etc/mate-dictionary.profile b/etc/mate-dictionary.profile
index 1217910a0..49a776766 100644
--- a/etc/mate-dictionary.profile
+++ b/etc/mate-dictionary.profile
@@ -14,11 +14,9 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+mkdir ${HOME}/.config/mate/mate-dictionary
 whitelist ${HOME}/.config/mate/mate-dictionary
-whitelist ${HOME}/.config/gtk-3.0
+include whitelist-common.inc
-whitelist ${HOME}/.fonts
-whitelist ${HOME}/.icons
-whitelist ${HOME}/.themes
 caps.drop all
 netfilter
@@ -37,7 +35,7 @@ shell none
 disable-mnt
 private-bin mate-dictionary
-private-etc alternatives,fonts,resolv.conf,ca-certificates,ssl,pki,crypto-policies
+private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,resolv.conf,ssl
 private-opt mate-dictionary
 private-dev
 private-tmp
diff --git a/etc/mcabber.profile b/etc/mcabber.profile
index c65a25edc..134a6ae63 100644
--- a/etc/mcabber.profile
+++ b/etc/mcabber.profile
@@ -30,4 +30,4 @@ shell none
 private-bin mcabber
 private-dev
-private-etc alternatives,ca-certificates,ssl,pki,crypto-policies
+private-etc alternatives,ca-certificates,crypto-policies,pki,ssl
diff --git a/etc/mediainfo.profile b/etc/mediainfo.profile
index d2681f32d..02d4a937c 100644
--- a/etc/mediainfo.profile
+++ b/etc/mediainfo.profile
@@ -6,8 +6,6 @@ include mediainfo.local
 # Persistent global definitions
 include globals.local
-blacklist /tmp/.X11-unix
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -34,6 +32,7 @@ protocol unix
 seccomp
 shell none
 tracelog
+x11 none
 private-bin mediainfo
 private-cache
diff --git a/etc/mediathekview.profile b/etc/mediathekview.profile
index 497014dab..95cd673c6 100644
--- a/etc/mediathekview.profile
+++ b/etc/mediathekview.profile
@@ -11,18 +11,14 @@ noblacklist ${HOME}/.config/smplayer
 noblacklist ${HOME}/.config/totem
 noblacklist ${HOME}/.config/vlc
 noblacklist ${HOME}/.config/xplayer
-noblacklist ${HOME}/.java
 noblacklist ${HOME}/.local/share/totem
 noblacklist ${HOME}/.local/share/xplayer
 noblacklist ${HOME}/.mediathek3
 noblacklist ${HOME}/.mplayer
 noblacklist ${VIDEOS}
-# Allow access to java
+# Allow java (blacklisted by disable-devel.inc)
-noblacklist ${PATH}/java
+include allow-java.inc
-noblacklist /usr/lib/java
-noblacklist /etc/java
-noblacklist /usr/share/java
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/meld.profile b/etc/meld.profile
index 14e0f238d..4a9f64421 100644
--- a/etc/meld.profile
+++ b/etc/meld.profile
@@ -6,22 +6,24 @@ include meld.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.local/share/meld
+# If you want to use meld as git-mergetool (and maybe some other VCS integrations) you need
+# to bypass firejail, you can do this by removing the symlink or calling it by its absolute path
-# Allow python (blacklisted by disable-interpreters.inc)
+# Removing the symlink:
-noblacklist ${PATH}/python2*
+#  sudo rm /usr/local/bin/meld
-noblacklist ${PATH}/python3*
+# Calling by its absolute path (example for git-mergetool):
-noblacklist /usr/lib/python2*
+#  git config --global mergetool.meld.cmd /usr/bin/meld
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 noblacklist ${HOME}/.config/git
 noblacklist ${HOME}/.gitconfig
 noblacklist ${HOME}/.git-credentials
+noblacklist ${HOME}/.local/share/meld
 noblacklist ${HOME}/.ssh
 noblacklist ${HOME}/.subversion
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
 # Uncomment the next line (or put it into your meld.local) if you don't need to compare files in disable-common.inc.
 #include disable-common.inc
 include disable-devel.inc
@@ -31,7 +33,8 @@ include disable-passwdmgr.inc
 # Uncomment the next line (or put it into your meld.local) if you don't need to compare files in disable-programs.inc.
 #include disable-programs.inc
-include whitelist-var-common.inc
+# Uncomment the next line (or put it into your meld.local) if you don't need to compare files in /var.
+#include whitelist-var-common.inc
 apparmor
 caps.drop all
@@ -59,3 +62,4 @@ private-dev
 #private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,pki,resolv.conf,ssl,subversion
 private-tmp
+read-only ${HOME}/.ssh
diff --git a/etc/mendeleydesktop.profile b/etc/mendeleydesktop.profile
index d54371371..1f02ff5c0 100644
--- a/etc/mendeleydesktop.profile
+++ b/etc/mendeleydesktop.profile
@@ -15,12 +15,8 @@ noblacklist ${HOME}/.pki
 noblacklist ${HOME}/.local/share/pki
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
@@ -47,7 +43,7 @@ shell none
 tracelog
 disable-mnt
-private-bin mendeleydesktop,python*,env,gconftool-2,which,sh,ln,cat,update-desktop-database
+private-bin cat,env,gconftool-2,ln,mendeleydesktop,python*,sh,update-desktop-database,which
 private-dev
 private-tmp
diff --git a/etc/meteo-qt.profile b/etc/meteo-qt.profile
index a769a97ec..4437d86ea 100644
--- a/etc/meteo-qt.profile
+++ b/etc/meteo-qt.profile
@@ -10,9 +10,7 @@ noblacklist ${HOME}/.config/autostart
 noblacklist ${HOME}/.config/meteo-qt
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
@@ -22,8 +20,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
-whitelist ${HOME}/.config/autostart
 mkdir ${HOME}/.config/meteo-qt
+whitelist ${HOME}/.config/autostart
 whitelist ${HOME}/.config/meteo-qt
 include whitelist-common.inc
 include whitelist-var-common.inc
diff --git a/etc/midori.profile b/etc/midori.profile
index e4d39cd70..ffae4919f 100644
--- a/etc/midori.profile
+++ b/etc/midori.profile
@@ -6,6 +6,9 @@ include midori.local
 # Persistent global definitions
 include globals.local
+# noexec ${HOME} breaks DRM binaries.
+?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
 noblacklist ${HOME}/.config/midori
 noblacklist ${HOME}/.local/share/midori
 # noblacklist ${HOME}/.local/share/webkit
@@ -13,9 +16,6 @@ noblacklist ${HOME}/.local/share/midori
 noblacklist ${HOME}/.pki
 noblacklist ${HOME}/.local/share/pki
-# noexec ${HOME} breaks DRM binaries.
-?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/minetest.profile b/etc/minetest.profile
index b3e692446..0439a1ccc 100644
--- a/etc/minetest.profile
+++ b/etc/minetest.profile
@@ -6,6 +6,7 @@ include minetest.local
 # Persistent global definitions
 include globals.local
+noblacklist ${HOME}/.cache/minetest
 noblacklist ${HOME}/.minetest
 include disable-common.inc
@@ -16,7 +17,9 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
+mkdir ${HOME}/.cache/minetest
 mkdir ${HOME}/.minetest
+whitelist ${HOME}/.cache/minetest
 whitelist ${HOME}/.minetest
 include whitelist-common.inc
 include whitelist-var-common.inc
@@ -42,5 +45,5 @@ private-bin minetest
 private-cache
 private-dev
 # private-etc needs to be updated, see #1702
-#private-etc alternatives,asound.conf,ca-certificates,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pulse,resolv.conf,ssl,pki,crypto-policies,machine-id
+#private-etc alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl
 private-tmp
diff --git a/etc/mp3splt-gtk.profile b/etc/mp3splt-gtk.profile
index d14006112..e0936476b 100644
--- a/etc/mp3splt-gtk.profile
+++ b/etc/mp3splt-gtk.profile
@@ -37,5 +37,5 @@ tracelog
 private-bin mp3splt-gtk
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,fonts,gtk-3.0,dconf,machine-id,openal,pulse
+private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-3.0,machine-id,openal,pulse
 private-tmp
diff --git a/etc/mp3splt.profile b/etc/mp3splt.profile
index 6cf6f0409..95173a890 100644
--- a/etc/mp3splt.profile
+++ b/etc/mp3splt.profile
@@ -37,6 +37,7 @@ protocol unix
 seccomp
 shell none
 tracelog
+x11 none
 disable-mnt
 private-bin flacsplt,mp3splt,mp3wrap,oggsplt
diff --git a/etc/mpDris2.profile b/etc/mpDris2.profile
index 81bf88b8b..eb49b52ab 100644
--- a/etc/mpDris2.profile
+++ b/etc/mpDris2.profile
@@ -9,12 +9,10 @@ include globals.local
 noblacklist ${HOME}/.config/mpDris2
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
+noblacklist ${MUSIC}
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
@@ -24,6 +22,12 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
+whitelist ${MUSIC}
+mkdir ${HOME}/.config/mpDris2
+whitelist ${HOME}/.config/mpDris2
+include whitelist-var-common.inc
 caps.drop all
 machine-id
 netfilter
@@ -47,6 +51,6 @@ private-etc alternatives,hosts,nsswitch.conf
 private-lib libdbus-1.so.*,libdbus-glib-1.so.*,libgirepository-1.0.so.*,libnotify.so.*,libpython*,python2*,python3*
 private-tmp
-# memory-deny-write-execute - Breaks on Arch
+#memory-deny-write-execute - breaks on Arch (see issue #1803)
 read-only ${HOME}
diff --git a/etc/mpd.profile b/etc/mpd.profile
index 0a98de7c4..0b5ebf705 100644
--- a/etc/mpd.profile
+++ b/etc/mpd.profile
@@ -34,7 +34,7 @@ protocol unix,inet,inet6
 seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice
 shell none
-#private-bin mpd,bash
+#private-bin bash,mpd
 private-cache
 private-dev
 private-tmp
diff --git a/etc/mpsyt.profile b/etc/mpsyt.profile
index 0808c5a1a..f0309da9a 100644
--- a/etc/mpsyt.profile
+++ b/etc/mpsyt.profile
@@ -6,19 +6,16 @@ include mpsyt.local
 # Persistent global definitions
 include globals.local
-# Allow python (blacklisted by disable-interpreters.inc)
+noblacklist ${HOME}/.config/mps-youtube
-noblacklist ${PATH}/python2*
-noblacklist ${PATH}/python3*
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 noblacklist ${HOME}/.config/mpv
 noblacklist ${HOME}/.mplayer
-noblacklist ${HOME}/.config/mps-youtube
 noblacklist ${HOME}/.netrc
 noblacklist ${HOME}/mps
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
 noblacklist ${MUSIC}
 noblacklist ${VIDEOS}
@@ -31,14 +28,17 @@ include disable-programs.inc
 include disable-xdg.inc
 mkdir ${HOME}/.config/mps-youtube
+mkdir ${HOME}/.config/mpv
+mkdir ${HOME}/.mplayer
+mkdir ${HOME}/mps
+whitelist ${HOME}/.config/mps-youtube
 whitelist ${HOME}/.config/mpv
 whitelist ${HOME}/.mplayer
-whitelist ${HOME}/.config/mps-youtube
 whitelist ${HOME}/.netrc
 whitelist ${HOME}/mps
+whitelist ${DOWNLOADS}
 whitelist ${MUSIC}
 whitelist ${VIDEOS}
-whitelist ${DOWNLOADS}
 include whitelist-common.inc
 include whitelist-var-common.inc
@@ -54,7 +54,7 @@ seccomp
 shell none
 tracelog
-private-bin mpsyt,mplayer,mpv,youtube-dl,python*,env,ffmpeg
+private-bin env,ffmpeg,mplayer,mpsyt,mpv,python*,youtube-dl
 private-dev
 private-tmp
diff --git a/etc/mpv.profile b/etc/mpv.profile
index 34542b11b..07a6ba42b 100644
--- a/etc/mpv.profile
+++ b/etc/mpv.profile
@@ -9,16 +9,13 @@ include globals.local
 noblacklist ${HOME}/.config/mpv
 noblacklist ${HOME}/.netrc
-noblacklist ${MUSIC}
-noblacklist ${VIDEOS}
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
+noblacklist ${MUSIC}
-noblacklist /usr/local/lib/python2*
+noblacklist ${VIDEOS}
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
@@ -44,6 +41,6 @@ seccomp
 shell none
 tracelog
-private-bin mpv,youtube-dl,python*,env
+private-bin env,mpv,python*,youtube-dl
 private-cache
 private-dev
diff --git a/etc/ms-office.profile b/etc/ms-office.profile
index f8e75379e..3bc674134 100644
--- a/etc/ms-office.profile
+++ b/etc/ms-office.profile
@@ -9,12 +9,8 @@ noblacklist ${HOME}/.cache/ms-office-online
 noblacklist ${HOME}/.jak
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
@@ -39,8 +35,8 @@ shell none
 tracelog
 disable-mnt
-private-bin bash,fonts,env,jak,ms-office,python*,sh
+private-bin bash,env,fonts,jak,ms-office,python*,sh
-private-etc alternatives,resolv.conf,ca-certificates,ssl,pki,crypto-policies
+private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl
 private-dev
 private-tmp
diff --git a/etc/ms-skype.profile b/etc/ms-skype.profile
index 02084d923..df1618361 100644
--- a/etc/ms-skype.profile
+++ b/etc/ms-skype.profile
@@ -3,10 +3,13 @@
 # Persistent local customizations
 include ms-skype.local
 # Persistent global definitions
-include globals.local
+# added by included profile
+#include globals.local
-noblacklist ${HOME}/.cache/ms-skype-online
 ignore novideo
+noblacklist ${HOME}/.cache/ms-skype-online
 private-bin ms-skype
 # Redirect
diff --git a/etc/multimc5.profile b/etc/multimc5.profile
index b6407c4f9..475307418 100644
--- a/etc/multimc5.profile
+++ b/etc/multimc5.profile
@@ -5,16 +5,12 @@ include multimc5.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.java
 noblacklist ${HOME}/.local/share/multimc
 noblacklist ${HOME}/.local/share/multimc5
 noblacklist ${HOME}/.multimc5
-# Allow access to java
+# Allow java (blacklisted by disable-devel.inc)
-noblacklist ${PATH}/java
+include allow-java.inc
-noblacklist /usr/lib/java
-noblacklist /etc/java
-noblacklist /usr/share/java
 include disable-common.inc
 include disable-devel.inc
@@ -24,6 +20,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 mkdir ${HOME}/.local/share/multimc
+mkdir ${HOME}/.local/share/multimc5
+mkdir ${HOME}/.multimc5
 whitelist ${HOME}/.local/share/multimc
 whitelist ${HOME}/.local/share/multimc5
 whitelist ${HOME}/.multimc5
@@ -44,7 +42,7 @@ shell none
 disable-mnt
 # private-bin works, but causes weirdness
-# private-bin multimc5,bash,mkdir,which,zenity,kdialog,ldd,chmod,valgrind,apt-file,pkgfile,dnf,yum,zypper,pfl,java,grep,sort,awk,readlink,dirname
+# private-bin apt-file,awk,bash,chmod,dirname,dnf,grep,java,kdialog,ldd,mkdir,multimc5,pfl,pkgfile,readlink,sort,valgrind,which,yum,zenity,zypper
 private-dev
 private-tmp
diff --git a/etc/mupdf.profile b/etc/mupdf.profile
index 1d5953ff7..673c9fd0b 100644
--- a/etc/mupdf.profile
+++ b/etc/mupdf.profile
@@ -36,7 +36,7 @@ seccomp
 shell none
 tracelog
-# private-bin mupdf,sh,tempfile,rm
+# private-bin mupdf,rm,sh,tempfile
 private-dev
 private-etc alternatives,fonts
 private-tmp
diff --git a/etc/musixmatch.profile b/etc/musixmatch.profile
index 727269a61..a6b85a8e4 100644
--- a/etc/musixmatch.profile
+++ b/etc/musixmatch.profile
@@ -32,5 +32,5 @@ seccomp
 disable-mnt
 private-dev
-private-etc alternatives,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,machine-id,pki,pulse,ssl
diff --git a/etc/mutt.profile b/etc/mutt.profile
index cc3a323e0..c424dbb85 100644
--- a/etc/mutt.profile
+++ b/etc/mutt.profile
@@ -6,8 +6,6 @@ include mutt.local
 # Persistent global definitions
 include globals.local
-blacklist /tmp/.X11-unix
 noblacklist /var/mail
 noblacklist /var/spool/mail
 noblacklist ${HOME}/.Mail
@@ -34,6 +32,8 @@ noblacklist ${HOME}/mail
 noblacklist ${HOME}/postponed
 noblacklist ${HOME}/sent
+blacklist /tmp/.X11-unix
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
@@ -54,6 +54,6 @@ novideo
 protocol unix,inet,inet6
 seccomp
 shell none
-writable-run-user
 private-dev
+writable-run-user
diff --git a/etc/mypaint.profile b/etc/mypaint.profile
index 615bb60d1..d75651d78 100644
--- a/etc/mypaint.profile
+++ b/etc/mypaint.profile
@@ -9,10 +9,12 @@ include globals.local
 noblacklist ${HOME}/.cache/mypaint
 noblacklist ${HOME}/.config/mypaint
 noblacklist ${HOME}/.local/share/mypaint
-noblacklist ${PATH}/python2*
-noblacklist /usr/lib/python2*
 noblacklist ${PICTURES}
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -42,6 +44,6 @@ tracelog
 private-cache
 private-dev
-private-etc alternatives,fonts,gtk-3.0,dconf
+private-etc alternatives,dconf,fonts,gtk-3.0
 private-tmp
diff --git a/etc/nano.profile b/etc/nano.profile
index 50e251d49..30a6e03e7 100644
--- a/etc/nano.profile
+++ b/etc/nano.profile
@@ -35,6 +35,7 @@ protocol unix
 seccomp
 shell none
 tracelog
+x11 none
 # disable-mnt
 private-bin nano,rnano
diff --git a/etc/natron.profile b/etc/natron.profile
index 3f997a7a0..7ad217b72 100644
--- a/etc/natron.profile
+++ b/etc/natron.profile
@@ -5,18 +5,13 @@ include natron.local
 # Persistent global definitions
 include globals.local
-# Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
-noblacklist ${PATH}/python3*
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 noblacklist ${HOME}/.Natron
 noblacklist ${HOME}/.cache/INRIA/Natron
 noblacklist ${HOME}/.config/INRIA
-noblacklist /opt/natron
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
 include disable-common.inc
 include disable-devel.inc
@@ -33,9 +28,9 @@ nogroups
 nonewprivs
 noroot
 notv
-protocol unix,inet,inet6
+nou2f
+protocol unix
 seccomp
 shell none
 private-bin natron,Natron,NatronRenderer
diff --git a/etc/nautilus.profile b/etc/nautilus.profile
index 1d68ef8e3..d6d08679b 100644
--- a/etc/nautilus.profile
+++ b/etc/nautilus.profile
@@ -15,12 +15,8 @@ noblacklist ${HOME}/.local/share/nautilus
 noblacklist ${HOME}/.local/share/nautilus-python
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
@@ -44,5 +40,4 @@ tracelog
 # nautilus needs to be able to start arbitrary applications so we cannot blacklist their files
 # private-bin nautilus
 # private-dev
-# private-etc alternatives,fonts
 # private-tmp
diff --git a/etc/ncdu.profile b/etc/ncdu.profile
index c18e1c4bf..0d7915839 100644
--- a/etc/ncdu.profile
+++ b/etc/ncdu.profile
@@ -24,6 +24,7 @@ novideo
 protocol unix
 seccomp
 shell none
+x11 none
 private-dev
 # private-tmp
diff --git a/etc/nemo.profile b/etc/nemo.profile
index a23ba1700..26cfedb66 100644
--- a/etc/nemo.profile
+++ b/etc/nemo.profile
@@ -12,12 +12,8 @@ noblacklist ${HOME}/.local/share/nemo
 noblacklist ${HOME}/.local/share/nemo-python
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/nethack-vultures.profile b/etc/nethack-vultures.profile
index 2c23a4868..e1294153b 100644
--- a/etc/nethack-vultures.profile
+++ b/etc/nethack-vultures.profile
@@ -6,7 +6,6 @@ include nethack.local
 # Persistent global definitions
 include globals.local
 noblacklist ${HOME}/.vultures
 noblacklist /var/log
@@ -43,4 +42,3 @@ private-cache
 private-dev
 private-tmp
 writable-var
diff --git a/etc/nethack.profile b/etc/nethack.profile
index 5375d2f4f..3df632451 100644
--- a/etc/nethack.profile
+++ b/etc/nethack.profile
@@ -6,7 +6,6 @@ include nethack.local
 # Persistent global definitions
 include globals.local
 noblacklist /var/games/nethack
 include disable-common.inc
diff --git a/etc/newsbeuter.profile b/etc/newsbeuter.profile
new file mode 100644
index 000000000..059c2156d
--- /dev/null
+++ b/etc/newsbeuter.profile
@@ -0,0 +1,21 @@
+# Firejail profile for Newsboat
+# Description: Text based Atom/RSS feed reader
+# This file is overwritten after every install/update
+# Persistent local customizations
+include newsbeuter.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+noblacklist ${HOME}/.config/newsbeuter
+noblacklist ${HOME}/.newsbeuter
+mkdir ${HOME}/.config/newsbeuter
+mkdir ${HOME}/.newsbeuter
+whitelist ${HOME}/.config/newsbeuter
+whitelist ${HOME}/.newsbeuter
+private-bin newsbeuter
+# Redirect
+include newsboat.profile
diff --git a/etc/nheko.profile b/etc/nheko.profile
index 2dfddf872..119b30239 100644
--- a/etc/nheko.profile
+++ b/etc/nheko.profile
@@ -18,11 +18,9 @@ include disable-programs.inc
 mkdir ${HOME}/.config/nheko
 mkdir ${HOME}/.cache/nheko/nheko
 whitelist ${HOME}/.config/nheko
 whitelist ${HOME}/.cache/nheko/nheko
 whitelist ${DOWNLOADS}
 include whitelist-common.inc
 caps.drop all
diff --git a/etc/nitroshare.profile b/etc/nitroshare.profile
index 7aba69490..19b6615ef 100644
--- a/etc/nitroshare.profile
+++ b/etc/nitroshare.profile
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.config/Nathan Osman
 noblacklist ${HOME}/.config/NitroShare
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/nomacs.profile b/etc/nomacs.profile
index fd154b1c4..7a7ff504a 100644
--- a/etc/nomacs.profile
+++ b/etc/nomacs.profile
@@ -41,7 +41,7 @@ tracelog
 #private-bin nomacs
 private-cache
 private-dev
-private-etc alternatives,hosts,ca-certificates,ssl,pki,crypto-policies,resolv.conf,drirc,fonts,gtk-3.0,dconf,machine-id,login.defs
+private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hosts,login.defs,machine-id,pki,resolv.conf,ssl
 private-tmp
 memory-deny-write-execute
diff --git a/etc/nylas.profile b/etc/nylas.profile
index 263e09198..c959eb991 100644
--- a/etc/nylas.profile
+++ b/etc/nylas.profile
@@ -14,6 +14,8 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+mkdir ${HOME}/.config/Nylas Mail
+mkdir ${HOME}/.nylas-mail
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.config/Nylas Mail
 whitelist ${HOME}/.nylas-mail
diff --git a/etc/nyx.profile b/etc/nyx.profile
index ed39283b2..c4475c75c 100644
--- a/etc/nyx.profile
+++ b/etc/nyx.profile
@@ -6,14 +6,11 @@ include nyx.local
 # Persistent global definitions
 include globals.local
-noblacklist ${PATH}/python2*
+# Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python3*
+include allow-python2.inc
-noblacklist /usr/lib/python2*
+include allow-python3.inc
-noblacklist /usr/lib/python3*
 noblacklist ${HOME}/.nyx
-mkdir ${HOME}/.nyx
-whitelist ${HOME}/.nyx
 include disable-common.inc
 include disable-devel.inc
@@ -23,6 +20,11 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
+mkdir ${HOME}/.nyx
+whitelist ${HOME}/.nyx
+include whitelist-common.inc
+include whitelist-var-common.inc
 caps.drop all
 netfilter
 no3d
@@ -43,7 +45,7 @@ disable-mnt
 private-bin nyx,python*
 private-cache
 private-dev
-private-etc alternatives,passwd,tor,fonts
+private-etc alternatives,fonts,passwd,tor
 private-opt none
 private-srv none
 private-tmp
diff --git a/etc/obs.profile b/etc/obs.profile
index 1f02efc7f..038242cae 100644
--- a/etc/obs.profile
+++ b/etc/obs.profile
@@ -11,12 +11,8 @@ noblacklist ${PICTURES}
 noblacklist ${VIDEOS}
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/ocenaudio.profile b/etc/ocenaudio.profile
index b2249f63b..ea89a259f 100644
--- a/etc/ocenaudio.profile
+++ b/etc/ocenaudio.profile
@@ -45,4 +45,4 @@ private-dev
 private-etc alternatives,asound.conf,fonts,ld.so.cache,pulse
 private-tmp
-# memory-deny-write-execute - breaks on Arch
+#memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/odt2txt.profile b/etc/odt2txt.profile
index 3e1739bf9..719753c87 100644
--- a/etc/odt2txt.profile
+++ b/etc/odt2txt.profile
@@ -8,8 +8,6 @@ include globals.local
 noblacklist ${DOCUMENTS}
-blacklist /tmp/.X11-unix
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
@@ -33,6 +31,7 @@ protocol unix
 seccomp
 shell none
 tracelog
+x11 none
 private-bin odt2txt
 private-cache
diff --git a/etc/okular.profile b/etc/okular.profile
index 48e45ca3f..99357934d 100644
--- a/etc/okular.profile
+++ b/etc/okular.profile
@@ -47,7 +47,7 @@ seccomp
 shell none
 tracelog
-private-bin okular,kbuildsycoca4,kdeinit4,lpr
+private-bin kbuildsycoca4,kdeinit4,lpr,okular
 private-dev
 private-etc alternatives,cups,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,xdg
 # private-tmp - on KDE we need access to the real /tmp for data exchange with email clients
diff --git a/etc/onionshare-gui.profile b/etc/onionshare-gui.profile
index 3ee78c59d..5bfcd0527 100644
--- a/etc/onionshare-gui.profile
+++ b/etc/onionshare-gui.profile
@@ -8,9 +8,7 @@ include globals.local
 noblacklist ${HOME}/.config/onionshare
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/open-invaders.profile b/etc/open-invaders.profile
index bff42fb19..d80b3d351 100644
--- a/etc/open-invaders.profile
+++ b/etc/open-invaders.profile
@@ -33,5 +33,4 @@ shell none
 # private-bin open-invaders
 private-dev
-# private-etc alternatives
 private-tmp
diff --git a/etc/openarena.profile b/etc/openarena.profile
new file mode 100644
index 000000000..c83e78e2c
--- /dev/null
+++ b/etc/openarena.profile
@@ -0,0 +1,43 @@
+# Firejail profile for OpenArena
+# Description: deathmatch FPS game based on GPL idTech3 technology
+# This file is overwritten after every install/update
+# Persistent local customizations
+include openarena.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.openarena
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+# ipc-namespace
+# netfilter
+# nodbus
+# nodvd
+# nogroups
+nonewprivs
+noroot
+notv
+# nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+# tracelog
+# disable-mnt
+# private-bin openarena
+private-cache
+private-dev
+# private-etc drirc,machine-id,openal,passwd,selinux,udev,xdg
+private-tmp
diff --git a/etc/openclonk.profile b/etc/openclonk.profile
index 02663c2f4..da60006b3 100644
--- a/etc/openclonk.profile
+++ b/etc/openclonk.profile
@@ -38,7 +38,7 @@ shell none
 tracelog
 disable-mnt
-private-bin openclonk,c4group
+private-bin c4group,openclonk
 private-cache
 private-dev
 private-tmp
diff --git a/etc/openshot.profile b/etc/openshot.profile
index cfda1d0ce..0222243ed 100644
--- a/etc/openshot.profile
+++ b/etc/openshot.profile
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.openshot
 noblacklist ${HOME}/.openshot_qt
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/pandoc.profile b/etc/pandoc.profile
new file mode 100644
index 000000000..788324855
--- /dev/null
+++ b/etc/pandoc.profile
@@ -0,0 +1,50 @@
+# Firejail profile for pandoc
+# Description: general markup converter
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include pandoc.local
+# Persistent global definitions
+include globals.local
+noblacklist ${DOCUMENTS}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+# breaks pdf output
+#include whitelist-var-common.inc
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+disable-mnt
+private-bin context,latex,mktexfmt,pandoc,pdflatex,pdfroff,prince,weasyprint,wkhtmltopdf
+private-cache
+private-dev
+private-tmp
+memory-deny-write-execute
diff --git a/etc/parole.profile b/etc/parole.profile
index 69ed5a2ca..e7a0694ed 100644
--- a/etc/parole.profile
+++ b/etc/parole.profile
@@ -25,6 +25,6 @@ protocol unix,inet,inet6
 seccomp
 shell none
-private-bin parole,dbus-launch
+private-bin dbus-launch,parole
 private-cache
-private-etc alternatives,passwd,group,fonts,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,machine-id,passwd,pki,pulse,ssl
diff --git a/etc/patch.profile b/etc/patch.profile
index 9515bffdf..60cc1adbe 100644
--- a/etc/patch.profile
+++ b/etc/patch.profile
@@ -34,6 +34,7 @@ novideo
 protocol unix
 seccomp
 shell none
+x11 none
 private-bin patch,red
 private-dev
diff --git a/etc/pavucontrol.profile b/etc/pavucontrol.profile
index 18b9b7fc6..3fd4f3668 100644
--- a/etc/pavucontrol.profile
+++ b/etc/pavucontrol.profile
@@ -16,6 +16,9 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
+mkdir ${HOME}/.config/pavucontrol.ini
+whitelist ${HOME}/.config/pavucontrol.ini
+include whitelist-common.inc
 include whitelist-var-common.inc
 apparmor
diff --git a/etc/pdfsam.profile b/etc/pdfsam.profile
index 98dcce0b7..48f424190 100644
--- a/etc/pdfsam.profile
+++ b/etc/pdfsam.profile
@@ -6,14 +6,10 @@ include pdfsam.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.java
 noblacklist ${DOCUMENTS}
-# Allow access to java
+# Allow java (blacklisted by disable-devel.inc)
-noblacklist ${PATH}/java
+include allow-java.inc
-noblacklist /usr/lib/java
-noblacklist /etc/java
-noblacklist /usr/share/java
 include disable-common.inc
 include disable-devel.inc
@@ -40,7 +36,7 @@ protocol unix
 seccomp
 shell none
-private-bin pdfsam,sh,bash,java,archlinux-java,grep,awk,dirname,uname,which,sort,find,readlink,expr,ls,java-config
+private-bin archlinux-java,awk,bash,dirname,expr,find,grep,java,java-config,ls,pdfsam,readlink,sh,sort,uname,which
 private-cache
 private-dev
 private-tmp
diff --git a/etc/pdftotext.profile b/etc/pdftotext.profile
index 85e28372e..c5016201d 100644
--- a/etc/pdftotext.profile
+++ b/etc/pdftotext.profile
@@ -7,8 +7,6 @@ include globals.local
 noblacklist ${DOCUMENTS}
-blacklist /tmp/.X11-unix
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
@@ -16,6 +14,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
+whitelist ${DOCUMENTS}
+whitelist ${DOWNLOADS}
 include whitelist-var-common.inc
 caps.drop all
@@ -35,6 +35,7 @@ protocol unix
 seccomp
 shell none
 tracelog
+x11 none
 private-bin pdftotext
 private-dev
diff --git a/etc/peek.profile b/etc/peek.profile
index fd836560e..8cbff0c64 100644
--- a/etc/peek.profile
+++ b/etc/peek.profile
@@ -34,7 +34,7 @@ seccomp
 shell none
 # private-bin breaks gif mode, mp4 and webm mode work fine however
-# private-bin peek,convert,ffmpeg
+# private-bin convert,ffmpeg,peek
 private-dev
 private-tmp
diff --git a/etc/picard.profile b/etc/picard.profile
index b756ed629..15fc7a454 100644
--- a/etc/picard.profile
+++ b/etc/picard.profile
@@ -11,12 +11,8 @@ noblacklist ${HOME}/.config/MusicBrainz
 noblacklist ${MUSIC}
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/pidgin.profile b/etc/pidgin.profile
index bdd5404f5..299f807af 100644
--- a/etc/pidgin.profile
+++ b/etc/pidgin.profile
@@ -6,11 +6,11 @@ include pidgin.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.purple
 ignore noexec ${RUNUSER}
 ignore noexec /dev/shm
+noblacklist ${HOME}/.purple
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/ping.profile b/etc/ping.profile
index 66574bab5..00ac45c5a 100644
--- a/etc/ping.profile
+++ b/etc/ping.profile
@@ -30,10 +30,8 @@ nosound
 notv
 nou2f
 novideo
 # protocol command is built using seccomp; nonewprivs will kill it
 #protocol unix,inet,inet6,netlink,packet
 # killed by no-new-privs
 #seccomp
@@ -42,7 +40,7 @@ private
 #private-bin has mammoth problems with execvp: "No such file or directory"
 private-dev
 # /etc/hosts is required in private-etc; however, just adding it to the list doesn't solve the problem!
-#private-etc resolv.conf,hosts,ca-certificates,ssl,pki,crypto-policies
+#private-etc ca-certificates,crypto-policies,hosts,pki,resolv.conf,ssl
 private-tmp
 # memory-deny-write-execute is built using seccomp; nonewprivs will kill it
diff --git a/etc/pingus.profile b/etc/pingus.profile
index 6b664248f..782ee200d 100644
--- a/etc/pingus.profile
+++ b/etc/pingus.profile
@@ -33,5 +33,4 @@ shell none
 # private-bin pingus
 private-dev
-# private-etc alternatives
 private-tmp
diff --git a/etc/pioneer.profile b/etc/pioneer.profile
index a240aa5fc..c5b936617 100644
--- a/etc/pioneer.profile
+++ b/etc/pioneer.profile
@@ -38,7 +38,7 @@ shell none
 tracelog
 disable-mnt
-private-bin pioneer,modelcompiler,savegamedump
+private-bin modelcompiler,pioneer,savegamedump
 private-cache
 private-dev
 private-tmp
diff --git a/etc/pithos.profile b/etc/pithos.profile
index d6a0a7822..ad56ce525 100644
--- a/etc/pithos.profile
+++ b/etc/pithos.profile
@@ -7,12 +7,8 @@ include pithos.local
 include globals.local
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
@@ -40,7 +36,7 @@ seccomp
 shell none
 disable-mnt
-private-bin pithos,env,python*
+private-bin env,pithos,python*
 private-dev
 private-tmp
diff --git a/etc/pitivi.profile b/etc/pitivi.profile
index 83f5ccbb9..89a6a020b 100644
--- a/etc/pitivi.profile
+++ b/etc/pitivi.profile
@@ -10,12 +10,8 @@ include globals.local
 noblacklist ${HOME}/.config/pitivi
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/playonlinux.profile b/etc/playonlinux.profile
index 2f287223b..03091af6d 100644
--- a/etc/playonlinux.profile
+++ b/etc/playonlinux.profile
@@ -16,19 +16,11 @@ noblacklist ${HOME}/.PlayOnLinux
 noblacklist ${PATH}/nc
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 # Allow perl (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/cpan*
+include allow-perl.inc
-noblacklist ${PATH}/core_perl
-noblacklist ${PATH}/perl
-noblacklist /usr/lib/perl*
-noblacklist /usr/share/perl*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/pluma.profile b/etc/pluma.profile
index 47626753a..81b2b1481 100644
--- a/etc/pluma.profile
+++ b/etc/pluma.profile
@@ -7,6 +7,9 @@ include pluma.local
 include globals.local
 noblacklist ${HOME}/.config/pluma
+noblacklist ${HOME}/.python-history
+noblacklist ${HOME}/.python_history
+noblacklist ${HOME}/.pythonhist
 noblacklist ${HOME}/.pythonrc.py
 include disable-common.inc
@@ -39,7 +42,6 @@ tracelog
 private-bin pluma
 private-dev
-# private-etc alternatives,fonts
 private-lib pluma
 private-tmp
diff --git a/etc/ppsspp.profile b/etc/ppsspp.profile
index 480a03e49..116698312 100644
--- a/etc/ppsspp.profile
+++ b/etc/ppsspp.profile
@@ -38,7 +38,7 @@ shell none
 # private-dev is disabled to allow controller support
 #private-dev
-private-etc alternatives,asound.conf,ca-certificates,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pulse,resolv.conf,ssl,pki,crypto-policies,machine-id
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl
 private-opt ppsspp
 private-tmp
diff --git a/etc/pragha.profile b/etc/pragha.profile
index 4e6840636..019c1a547 100644
--- a/etc/pragha.profile
+++ b/etc/pragha.profile
@@ -33,6 +33,6 @@ seccomp
 shell none
 private-dev
-private-etc alternatives,asound.conf,ca-certificates,fonts,host.conf,hostname,hosts,pulse,resolv.conf,ssl,pki,crypto-policies,gtk-3.0,xdg,machine-id
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,machine-id,pki,pulse,resolv.conf,ssl,xdg
 private-tmp
diff --git a/etc/pybitmessage.profile b/etc/pybitmessage.profile
index 28ab8caa6..034c144c7 100644
--- a/etc/pybitmessage.profile
+++ b/etc/pybitmessage.profile
@@ -10,12 +10,8 @@ noblacklist /usr/local/sbin
 noblacklist /usr/sbin
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
@@ -43,8 +39,8 @@ seccomp
 shell none
 disable-mnt
-private-bin pybitmessage,python*,sh,ldconfig,env,bash,stat
+private-bin bash,env,ldconfig,pybitmessage,python*,sh,stat
 private-dev
-private-etc alternatives,PyBitmessage,PyBitmessage.conf,Trolltech.conf,fonts,gtk-2.0,hosts,ld.so.cache,ld.so.preload,localtime,pki,resolv.conf,selinux,sni-qt.conf,system-fips,xdg,ca-certificates,ssl,pki,crypto-policies
+private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,hosts,ld.so.cache,ld.so.preload,localtime,pki,pki,PyBitmessage,PyBitmessage.conf,resolv.conf,selinux,sni-qt.conf,ssl,system-fips,Trolltech.conf,xdg
 private-tmp
diff --git a/etc/pycharm-community.profile b/etc/pycharm-community.profile
index 1a6f171c8..17218adee 100644
--- a/etc/pycharm-community.profile
+++ b/etc/pycharm-community.profile
@@ -7,14 +7,12 @@ include globals.local
 noblacklist ${HOME}/.PyCharmCE*
 noblacklist ${HOME}/.python-history
+noblacklist ${HOME}/.python_history
+noblacklist ${HOME}/.pythonhist
 noblacklist ${HOME}/.pythonrc.py
-noblacklist ${HOME}/.java
-# Allow access to java
+# Allow java (blacklisted by disable-devel.inc)
-noblacklist ${PATH}/java
+include allow-java.inc
-noblacklist /usr/lib/java
-noblacklist /etc/java
-noblacklist /usr/share/java
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile
index b0a6a0016..fe9caec77 100644
--- a/etc/qbittorrent.profile
+++ b/etc/qbittorrent.profile
@@ -12,12 +12,8 @@ noblacklist ${HOME}/.config/qBittorrentrc
 noblacklist ${HOME}/.local/share/data/qBittorrent
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
@@ -55,10 +51,9 @@ protocol unix,inet,inet6,netlink
 seccomp
 shell none
-private-bin qbittorrent,python*
+private-bin python*,qbittorrent
 private-dev
-# private-etc alternatives,X11,fonts,xdg,resolv.conf,ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,resolv.conf,ssl,X11,xdg
-# private-lib - problems on Arch
 private-tmp
-# memory-deny-write-execute - problems on  Arch, see #1690 on GitHub repo
+# memory-deny-write-execute - problems on Arch, see #1690 on GitHub repo
diff --git a/etc/qgis.profile b/etc/qgis.profile
index 45fe59cf7..80a10efce 100644
--- a/etc/qgis.profile
+++ b/etc/qgis.profile
@@ -6,16 +6,13 @@ include qgis.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.config/QtProject.conf
 noblacklist ${HOME}/.config/QGIS
 noblacklist ${HOME}/.local/share/QGIS
 noblacklist ${HOME}/.qgis2
 noblacklist ${DOCUMENTS}
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
@@ -48,7 +45,7 @@ notv
 nou2f
 novideo
 # blacklisting of mbind system calls breaks old version
-seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,set_mempolicy,migrate_pages,move_pages,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,kcmp,add_key,request_key,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,vmsplice,umount,userfaultfd,mincore
+seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,migrate_pages,mincore,move_pages,name_to_handle_at,ni_syscall,open_by_handle_at,remap_file_pages,request_key,set_mempolicy,syslog,umount,userfaultfd,vmsplice
 protocol unix,inet,inet6,netlink
 shell none
 tracelog
@@ -56,5 +53,5 @@ tracelog
 disable-mnt
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,resolv.conf,ssl,QGIS,QGIS.conf,Trolltech.conf
+private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,QGIS,QGIS.conf,resolv.conf,ssl,Trolltech.conf
 private-tmp
diff --git a/etc/qmmp.profile b/etc/qmmp.profile
index f786e73b7..b69bbdef1 100644
--- a/etc/qmmp.profile
+++ b/etc/qmmp.profile
@@ -31,7 +31,7 @@ seccomp
 shell none
 tracelog
-private-bin qmmp,tar,unzip,bzip2,gzip
+private-bin bzip2,gzip,qmmp,tar,unzip
 private-dev
 private-tmp
diff --git a/etc/qtox.profile b/etc/qtox.profile
index 0ca5a5ef0..c3e8fb95c 100644
--- a/etc/qtox.profile
+++ b/etc/qtox.profile
@@ -42,7 +42,7 @@ disable-mnt
 private-bin qtox
 private-cache
 private-dev
-private-etc alternatives,fonts,resolv.conf,ld.so.cache,localtime,ca-certificates,ssl,pki,crypto-policies,machine-id,pulse
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl
 private-tmp
-memory-deny-write-execute
+#memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/quiterss.profile b/etc/quiterss.profile
index 41c84425b..ca1abcdc9 100644
--- a/etc/quiterss.profile
+++ b/etc/quiterss.profile
@@ -22,6 +22,8 @@ mkdir ${HOME}/.cache/QuiteRss
 mkdir ${HOME}/.config/QuiteRss
 mkdir ${HOME}/.local/share/data
 mkdir ${HOME}/.local/share/data/QuiteRss
+mkdir ${HOME}/.local/share/QuiteRss
+mkfile ${HOME}/quiterssfeeds.opml
 whitelist ${HOME}/.cache/QuiteRss
 whitelist ${HOME}/.config/QuiteRss/
 whitelist ${HOME}/.config/QuiteRssrc
@@ -48,5 +50,5 @@ tracelog
 disable-mnt
 private-bin quiterss
 private-dev
-# private-etc alternatives,X11,ssl,pki,ca-certificates,crypto-policies
+# private-etc alternatives,ca-certificates,crypto-policies,pki,ssl,X11
diff --git a/etc/qupzilla.profile b/etc/qupzilla.profile
index 1b23b2baf..954b1a3b4 100644
--- a/etc/qupzilla.profile
+++ b/etc/qupzilla.profile
@@ -15,6 +15,8 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+mkdir ${HOME}/.cache/qupzilla
+mkdir ${HOME}/.config/qupzilla
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/qupzilla
 whitelist ${HOME}/.config/qupzilla
diff --git a/etc/qutebrowser.profile b/etc/qutebrowser.profile
index 9e3853a09..e556ecf1f 100644
--- a/etc/qutebrowser.profile
+++ b/etc/qutebrowser.profile
@@ -9,18 +9,13 @@ include globals.local
 noblacklist ${HOME}/.cache/qutebrowser
 noblacklist ${HOME}/.config/qutebrowser
 noblacklist ${HOME}/.local/share/qutebrowser
-# Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
-noblacklist ${PATH}/python3*
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 # with >=llvm-4 mesa drivers need llvm stuff
 noblacklist /usr/lib/llvm*
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
diff --git a/etc/ranger.profile b/etc/ranger.profile
index 1e50ca9fa..4bbc3ea56 100644
--- a/etc/ranger.profile
+++ b/etc/ranger.profile
@@ -11,18 +11,11 @@ noblacklist ${HOME}/.config/ranger
 noblacklist ${HOME}/.nanorc
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 # Allow perl
-# noblacklist ${PATH}/cpan*
+include allow-perl.inc
-noblacklist ${PATH}/perl
-noblacklist /usr/lib/perl*
-noblacklist /usr/share/perl*
 include disable-common.inc
 include disable-devel.inc
@@ -43,5 +36,6 @@ nou2f
 novideo
 protocol unix
 seccomp
+#x11 none
 private-dev
diff --git a/etc/redshift.profile b/etc/redshift.profile
index e60877172..0f6d34ed0 100644
--- a/etc/redshift.profile
+++ b/etc/redshift.profile
@@ -18,6 +18,9 @@ include disable-interpreters.inc
 include disable-programs.inc
 include disable-xdg.inc
+mkdir ${HOME}/.config/redshift
+whitelist ${HOME}/.config/redshift
+whitelist ${HOME}/.config/redshift.conf
 include whitelist-var-common.inc
 apparmor
diff --git a/etc/remmina.profile b/etc/remmina.profile
index a77f2d8aa..e85ceca13 100644
--- a/etc/remmina.profile
+++ b/etc/remmina.profile
@@ -31,7 +31,6 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
-# seccomp.keep access,arch_prctl,brk,chmod,clock_getres,clock_gettime,clone,close,connect,dup3,eventfd2,execve,fadvise64,fallocate,fcntl,flock,fstat,fstatfs,fsync,ftruncate,futex,getdents,getegid,geteuid,getgid,getpeername,getpid,getrandom,getresgid,getresuid,getsockname,getsockopt,gettid,getuid,inotify_add_watch,inotify_init1,inotify_rm_watch,ioctl,lseek,lstat,madvise,memfd_create,mmap,mprotect,mremap,munmap,nanosleep,open,openat,pipe,pipe2,poll,prctl,prlimit64,pwrite64,read,readlink,recvfrom,recvmsg,rename,rt_sigaction,rt_sigprocmask,sendmmsg,sendmsg,sendto,set_robust_list,setsockopt,set_tid_address,shmat,shmctl,shmdt,shmget,shutdown,socket,stat,statfs,sysinfo,tgkill,uname,utimensat,write,writev
 shell none
 private-cache
diff --git a/etc/rhythmbox-client.profile b/etc/rhythmbox-client.profile
new file mode 100644
index 000000000..29e65d716
--- /dev/null
+++ b/etc/rhythmbox-client.profile
@@ -0,0 +1,11 @@
+# Firejail profile for rhythmbox-client
+# Description: controls a running instance of rhythmbox
+# This file is overwritten after every install/update
+# Persistent local customizations
+include rhythmbox-client.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include rhythmbox.profile
diff --git a/etc/rhythmbox.profile b/etc/rhythmbox.profile
index df874f378..9bcbdb561 100644
--- a/etc/rhythmbox.profile
+++ b/etc/rhythmbox.profile
@@ -9,11 +9,14 @@ include globals.local
 noblacklist ${MUSIC}
 noblacklist ${HOME}/.local/share/rhythmbox
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
 include disable-common.inc
 include disable-devel.inc
-# rhythmbox is using Python
 include disable-exec.inc
-#include disable-interpreters.inc
+include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
@@ -23,7 +26,6 @@ include whitelist-var-common.inc
 # apparmor - makes settings immutable
 caps.drop all
 netfilter
-# no3d
 # nodbus - makes settings immutable
 nogroups
 nonewprivs
@@ -36,7 +38,6 @@ seccomp
 shell none
 tracelog
-private-bin rhythmbox
+private-bin rhythmbox,rhythmbox-client
 private-dev
 private-tmp
diff --git a/etc/ricochet.profile b/etc/ricochet.profile
index 3cb30c459..1b8fbbc97 100644
--- a/etc/ricochet.profile
+++ b/etc/ricochet.profile
@@ -5,7 +5,6 @@ include ricochet.local
 # Persistent global definitions
 include globals.local
 noblacklist ${HOME}/.local/share/Ricochet
 include disable-common.inc
@@ -15,6 +14,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+mkdir ${HOME}/.local/share/Ricochet
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.local/share/Ricochet
 include whitelist-common.inc
@@ -37,5 +37,5 @@ shell none
 disable-mnt
 private-bin ricochet,tor
 private-dev
-#private-etc alternatives,fonts,tor,X11,alternatives,ca-certificates,ssl,pki,crypto-policies
+#private-etc alternatives,alternatives,ca-certificates,crypto-policies,fonts,pki,ssl,tor,X11
diff --git a/etc/rocketchat.profile b/etc/rocketchat.profile
index c95bc3c3d..8170c62e7 100644
--- a/etc/rocketchat.profile
+++ b/etc/rocketchat.profile
@@ -7,6 +7,7 @@ include globals.local
 noblacklist ${HOME}/.config/Rocket.Chat
+mkdir ${HOME}/.config/Rocket.Chat
 whitelist ${HOME}/.config/Rocket.Chat
 include whitelist-common.inc
diff --git a/etc/scribus.profile b/etc/scribus.profile
index d8dc7b0e0..e20cd1b5a 100644
--- a/etc/scribus.profile
+++ b/etc/scribus.profile
@@ -27,12 +27,8 @@ noblacklist ${DOCUMENTS}
 noblacklist ${PICTURES}
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
@@ -60,7 +56,7 @@ seccomp
 shell none
 tracelog
-# private-bin scribus,gs,gimp*
+# private-bin gimp*,gs,scribus
 private-dev
 private-tmp
diff --git a/etc/sdat2img.profile b/etc/sdat2img.profile
index 485326fcc..a367acad5 100644
--- a/etc/sdat2img.profile
+++ b/etc/sdat2img.profile
@@ -7,12 +7,8 @@ include sdat2img.local
 include globals.local
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
@@ -40,7 +36,7 @@ protocol unix
 seccomp
 shell none
-private-bin sdat2img,env,python*
+private-bin env,python*,sdat2img
 private-cache
 private-dev
diff --git a/etc/seahorse.profile b/etc/seahorse.profile
index fc54a0716..a7c95c073 100644
--- a/etc/seahorse.profile
+++ b/etc/seahorse.profile
@@ -6,24 +6,10 @@ include seahorse.local
 # Persistent global definitions
 include globals.local
-# dconf
 noblacklist ${HOME}/.config/dconf
-whitelist ${HOME}/.config/dconf
-# gpg
-mkdir ${HOME}/.gnupg
 noblacklist ${HOME}/.gnupg
-whitelist ${HOME}/.gnupg
-# ssh
-whitelist /etc/ld.so.preload
-noblacklist /etc/ssh
-whitelist /etc/ssh
-noblacklist /tmp/ssh-*
-whitelist /tmp/ssh-*
-mkdir ${HOME}/.ssh
 noblacklist ${HOME}/.ssh
-whitelist ${HOME}/.ssh
+noblacklist /tmp/ssh-*
 include disable-common.inc
 include disable-devel.inc
@@ -32,6 +18,14 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
+mkdir ${HOME}/.config/dconf
+mkdir ${HOME}/.gnupg
+mkdir ${HOME}/.ssh
+whitelist ${HOME}/.config/dconf
+whitelist ${HOME}/.gnupg
+whitelist ${HOME}/.ssh
+whitelist /tmp/ssh-*
 include whitelist-common.inc
 include whitelist-var-common.inc
@@ -56,5 +50,5 @@ tracelog
 disable-mnt
 private-cache
 private-dev
+private-etc ca-certificates,crypto-policies,dconf,fonts,gconf,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,nsswitch.conf,pango,pki,protocols,resolv.conf,rpc,services,ssh,ssl,X11
 writable-run-user
diff --git a/etc/seamonkey.profile b/etc/seamonkey.profile
index d92c62a52..807effbeb 100644
--- a/etc/seamonkey.profile
+++ b/etc/seamonkey.profile
@@ -18,6 +18,8 @@ include disable-programs.inc
 mkdir ${HOME}/.cache/mozilla
 mkdir ${HOME}/.mozilla
+mkdir ${HOME}/.pki
+mkdir ${HOME}/.local/share/pki
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/gnome-mplayer/plugin
 whitelist ${HOME}/.cache/mozilla
@@ -50,4 +52,4 @@ seccomp
 tracelog
 disable-mnt
-# private-etc alternatives,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse,machine-id,ca-certificates,ssl,pki,crypto-policies
+# private-etc adobe,alternatives,asound.conf,ca-certificates,crypto-policies,firefox,fonts,group,gtk-2.0,hostname,hosts,iceweasel,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,ssl
diff --git a/etc/server.profile b/etc/server.profile
index 686268a18..6e077ff84 100644
--- a/etc/server.profile
+++ b/etc/server.profile
@@ -9,12 +9,12 @@ include globals.local
 # it allows /sbin and /usr/sbin directories - this is where servers are installed
 # depending on your usage, you can enable some of the commands below:
-blacklist /tmp/.X11-unix
 noblacklist /sbin
 noblacklist /usr/sbin
 # noblacklist /var/opt
+blacklist /tmp/.X11-unix
 include disable-common.inc
 # include disable-devel.inc
 # include disable-exec.inc
diff --git a/etc/shellcheck.profile b/etc/shellcheck.profile
index b8974e416..da5b4258b 100644
--- a/etc/shellcheck.profile
+++ b/etc/shellcheck.profile
@@ -35,6 +35,7 @@ novideo
 protocol unix
 seccomp
 shell none
+x11 none
 private-dev
 private-tmp
diff --git a/etc/shotcut.profile b/etc/shotcut.profile
index 264566dcd..e6c48561f 100644
--- a/etc/shotcut.profile
+++ b/etc/shotcut.profile
@@ -5,10 +5,13 @@ include shotcut.local
 # Persistent global definitions
 include globals.local
+ignore noexec ${HOME}
 noblacklist ${HOME}/.config/Meltytech
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -26,9 +29,6 @@ protocol unix
 seccomp
 shell none
-#private-bin shotcut,melt,qmelt,nice
+#private-bin melt,nice,qmelt,shotcut
 private-cache
 private-dev
-#noexec ${HOME}
-noexec /tmp
diff --git a/etc/signal-desktop.profile b/etc/signal-desktop.profile
index 008cd218e..04696a918 100644
--- a/etc/signal-desktop.profile
+++ b/etc/signal-desktop.profile
@@ -5,10 +5,13 @@ include signal-desktop.local
 # Persistent global definitions
 include globals.local
+ignore noexec /tmp
 noblacklist ${HOME}/.config/Signal
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
 include disable-passwdmgr.inc
@@ -34,5 +37,3 @@ shell none
 disable-mnt
 private-dev
 private-tmp
-noexec ${HOME}
diff --git a/etc/silentarmy.profile b/etc/silentarmy.profile
index 7aeb2909b..cfc33d074 100644
--- a/etc/silentarmy.profile
+++ b/etc/silentarmy.profile
@@ -32,7 +32,7 @@ shell none
 disable-mnt
 private
-private-bin silentarmy,sa-solver,python*
+private-bin python*,sa-solver,silentarmy
 private-dev
 private-opt none
 private-tmp
diff --git a/etc/simple-scan.profile b/etc/simple-scan.profile
index 4ad841880..64441483d 100644
--- a/etc/simple-scan.profile
+++ b/etc/simple-scan.profile
@@ -33,5 +33,5 @@ tracelog
 # private-bin simple-scan
 # private-dev
-# private-etc alternatives,fonts,ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl
 # private-tmp
diff --git a/etc/simplescreenrecorder.profile b/etc/simplescreenrecorder.profile
index ead475e07..a3caedf88 100644
--- a/etc/simplescreenrecorder.profile
+++ b/etc/simplescreenrecorder.profile
@@ -31,7 +31,6 @@ tracelog
 private-cache
 private-dev
-# private-etc alternatives
 private-tmp
 memory-deny-write-execute
diff --git a/etc/simutrans.profile b/etc/simutrans.profile
index c07b1c145..7febcde46 100644
--- a/etc/simutrans.profile
+++ b/etc/simutrans.profile
@@ -33,5 +33,4 @@ shell none
 # private-bin simutrans
 private-dev
-# private-etc alternatives
 private-tmp
diff --git a/etc/skanlite.profile b/etc/skanlite.profile
index 76b050d18..c10be717b 100644
--- a/etc/skanlite.profile
+++ b/etc/skanlite.profile
@@ -16,7 +16,6 @@ include disable-programs.inc
 include disable-xdg.inc
 caps.drop all
-# net none
 netfilter
 # nodbus
 nodvd
@@ -31,6 +30,6 @@ protocol unix,inet,inet6,netlink
 seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@reboot,@resources,@swap,acct,add_key,bpf,chroot,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,iopl,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pciconfig_iobase,pciconfig_read,pciconfig_write,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,s390_mmio_read,s390_mmio_write,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
 shell none
-# private-bin skanlite,kbuildsycoca4,kdeinit4
+# private-bin kbuildsycoca4,kdeinit4,skanlite
 # private-dev
 # private-tmp
diff --git a/etc/skype.profile b/etc/skype.profile
index 55057c546..5fab8bdc7 100644
--- a/etc/skype.profile
+++ b/etc/skype.profile
@@ -28,7 +28,7 @@ seccomp
 shell none
 disable-mnt
-#private-bin skype,bash
+#private-bin bash,skype
 private-cache
 private-dev
 private-tmp
diff --git a/etc/skypeforlinux.profile b/etc/skypeforlinux.profile
index ad200be37..eae7dada0 100644
--- a/etc/skypeforlinux.profile
+++ b/etc/skypeforlinux.profile
@@ -5,10 +5,14 @@ include skypeforlinux.local
 # Persistent global definitions
 include globals.local
+# breaks Skype
+ignore noexec /tmp
 noblacklist ${HOME}/.config/skypeforlinux
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -28,6 +32,3 @@ disable-mnt
 private-cache
 # private-dev - needs /dev/disk
 private-tmp
-noexec ${HOME}
-# noexec /tmp - breaks Skype
diff --git a/etc/slack.profile b/etc/slack.profile
index ed76be373..5c10ef0ba 100644
--- a/etc/slack.profile
+++ b/etc/slack.profile
@@ -13,7 +13,6 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
-mkdir ${HOME}/.config
 mkdir ${HOME}/.config/Slack
 whitelist ${HOME}/.config/Slack
 whitelist ${DOWNLOADS}
@@ -34,7 +33,7 @@ seccomp
 shell none
 disable-mnt
-private-bin slack,locale
+private-bin locale,slack
 private-dev
-private-etc alternatives,asound.conf,ca-certificates,fonts,group,passwd,pulse,resolv.conf,ssl,ld.so.conf,ld.so.cache,localtime,pki,crypto-policies,machine-id
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.conf,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl
 private-tmp
diff --git a/etc/slashem.profile b/etc/slashem.profile
index 011698e1f..8c84180d7 100644
--- a/etc/slashem.profile
+++ b/etc/slashem.profile
@@ -6,7 +6,6 @@ include slashem.local
 # Persistent global definitions
 include globals.local
 noblacklist /var/games/slashem
 include disable-common.inc
diff --git a/etc/smplayer.profile b/etc/smplayer.profile
index 5ae498ab2..f83caee8a 100644
--- a/etc/smplayer.profile
+++ b/etc/smplayer.profile
@@ -8,16 +8,13 @@ include globals.local
 noblacklist ${HOME}/.config/smplayer
 noblacklist ${HOME}/.mplayer
-noblacklist ${MUSIC}
-noblacklist ${VIDEOS}
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
+noblacklist ${MUSIC}
-noblacklist /usr/local/lib/python2*
+noblacklist ${VIDEOS}
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
@@ -41,7 +38,7 @@ protocol unix,inet,inet6,netlink
 seccomp
 shell none
-private-bin smplayer,smtube,mplayer,mpv,youtube-dl,python*,env
+private-bin env,mplayer,mpv,python*,smplayer,smtube,youtube-dl
 private-dev
 private-tmp
diff --git a/etc/soundconverter.profile b/etc/soundconverter.profile
index 4d6e80840..efd600eb2 100644
--- a/etc/soundconverter.profile
+++ b/etc/soundconverter.profile
@@ -6,15 +6,11 @@ include soundconverter.local
 # Persistent global definitions
 include globals.local
-noblacklist ${MUSIC}
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
+noblacklist ${MUSIC}
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
@@ -24,6 +20,9 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
+whitelist ${DOWNLOADS}
+whitelist ${MUSIC}
+include whitelist-common.inc
 include whitelist-var-common.inc
 apparmor
diff --git a/etc/spectre-meltdown-checker.profile b/etc/spectre-meltdown-checker.profile
index 74582dd2f..ca2c2b435 100644
--- a/etc/spectre-meltdown-checker.profile
+++ b/etc/spectre-meltdown-checker.profile
@@ -11,12 +11,8 @@ include globals.local
 noblacklist ${PATH}/mount
 noblacklist ${PATH}/umount
-# Allow access to perl
+# Allow perl (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/cpan*
+include allow-perl.inc
-noblacklist ${PATH}/core_perl
-noblacklist ${PATH}/perl
-noblacklist /usr/lib/perl*
-noblacklist /usr/share/perl*
 include disable-common.inc
 include disable-devel.inc
@@ -42,6 +38,7 @@ novideo
 protocol unix
 seccomp.drop @clock,@cpu-emulation,@module,@obsolete,@reboot,@resources,@swap
 shell none
+x11 none
 disable-mnt
 private
diff --git a/etc/spotify.profile b/etc/spotify.profile
index 00c2aabe2..59692f1d6 100644
--- a/etc/spotify.profile
+++ b/etc/spotify.profile
@@ -5,12 +5,12 @@ include spotify.local
 # Persistent global definitions
 include globals.local
-blacklist ${HOME}/.bashrc
 noblacklist ${HOME}/.cache/spotify
 noblacklist ${HOME}/.config/spotify
 noblacklist ${HOME}/.local/share/spotify
+blacklist ${HOME}/.bashrc
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -42,9 +42,10 @@ shell none
 tracelog
 disable-mnt
-private-bin spotify,bash,sh,zenity
+private-bin bash,cat,dirname,find,grep,head,rm,sh,spotify,tclsh,touch,zenity
 private-dev
-private-etc alternatives,fonts,group,ld.so.cache,machine-id,pulse,resolv.conf,hosts,nsswitch.conf,host.conf,ca-certificates,ssl,pki,crypto-policies
+# Comment the next line or put 'ignore private-etc' in your spotify.local if want to see the albums covers or if you want to use the radio
+private-etc alternatives,ca-certificates,crypto-policies,fonts,group,host.conf,hosts,ld.so.cache,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl
 private-opt spotify
 private-srv none
 private-tmp
diff --git a/etc/ssh-agent.profile b/etc/ssh-agent.profile
index 8aafca8aa..9af747b62 100644
--- a/etc/ssh-agent.profile
+++ b/etc/ssh-agent.profile
@@ -6,12 +6,12 @@ include ssh-agent.local
 # Persistent global definitions
 include globals.local
-blacklist /tmp/.X11-unix
 noblacklist /etc/ssh
 noblacklist /tmp/ssh-*
 noblacklist ${HOME}/.ssh
+blacklist /tmp/.X11-unix
 include disable-common.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
diff --git a/etc/ssh.profile b/etc/ssh.profile
index 4c8af65b8..ce0e54a0d 100644
--- a/etc/ssh.profile
+++ b/etc/ssh.profile
@@ -10,6 +10,8 @@ include globals.local
 noblacklist /etc/ssh
 noblacklist /tmp/ssh-*
 noblacklist ${HOME}/.ssh
+# If you want to use tor, uncomment the next line or put it in your ssh.local
+#noblacklist ${PATH}/nc
 include disable-common.inc
 include disable-exec.inc
@@ -35,6 +37,6 @@ tracelog
 private-cache
 private-dev
 # private-tmp # Breaks when exiting
+writable-run-user
 memory-deny-write-execute
-writable-run-user
diff --git a/etc/standardnotes-desktop.profile b/etc/standardnotes-desktop.profile
index 5458120ef..297392b9a 100644
--- a/etc/standardnotes-desktop.profile
+++ b/etc/standardnotes-desktop.profile
@@ -39,5 +39,5 @@ seccomp
 disable-mnt
 private-dev
 private-tmp
-private-etc alternatives,ca-certificates,fonts,host.conf,hostname,hosts,resolv.conf,ssl,pki,crypto-policies,xdg
+private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,pki,resolv.conf,ssl,xdg
diff --git a/etc/start-tor-browser.desktop.profile b/etc/start-tor-browser.desktop.profile
index a61038157..d5d7a17e4 100644
--- a/etc/start-tor-browser.desktop.profile
+++ b/etc/start-tor-browser.desktop.profile
@@ -3,7 +3,6 @@
 # Persistent local customizations
 include start-tor-browser.desktop.local
 noblacklist ${HOME}/.tor-browser-*
 noblacklist ${HOME}/.tor-browser_*
diff --git a/etc/start-tor-browser.profile b/etc/start-tor-browser.profile
index 8acf77349..0145f3de6 100644
--- a/etc/start-tor-browser.profile
+++ b/etc/start-tor-browser.profile
@@ -34,7 +34,7 @@ shell none
 #tracelog
 disable-mnt
-private-bin bash,sh,grep,tail,env,gpg,id,readlink,dirname,test,mkdir,ln,sed,cp,rm,getconf
+private-bin bash,cp,dirname,env,getconf,gpg,grep,id,ln,mkdir,readlink,rm,sed,sh,tail,test
 private-dev
-private-etc alternatives,fonts,hostname,hosts,resolv.conf,pki,ssl,ca-certificates,crypto-policies,alsa,asound.conf,pulse,machine-id,ld.so.cache
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,machine-id,pki,pulse,resolv.conf,ssl
 private-tmp
diff --git a/etc/steam.profile b/etc/steam.profile
index 8f08b18f0..b6b340980 100644
--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -6,7 +6,6 @@ include steam.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.java
 noblacklist ${HOME}/.killingfloor
 noblacklist ${HOME}/.local/share/3909/PapersPlease
 noblacklist ${HOME}/.local/share/aspyr-media
@@ -25,19 +24,12 @@ noblacklist /usr/lib/llvm*
 # needed for STEAM_RUNTIME_PREFER_HOST_LIBRARIES=1 to work
 noblacklist /sbin
-# Allow access to java
+# Allow java (blacklisted by disable-devel.inc)
-noblacklist ${PATH}/java
+include allow-java.inc
-noblacklist /usr/lib/java
-noblacklist /etc/java
-noblacklist /usr/share/java
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
@@ -67,7 +59,7 @@ shell none
 #tracelog
 # private-bin is disabled while in testing, but has been tested working with multiple games
-#private-bin awk,basename,bash,bsdtar,bzip2,cat,chmod,cksum,cmp,comm,compress,cp,curl,cut,date,dbus-launch,dbus-send,desktop-file-edit,desktop-file-install,desktop-file-validate,dirname,echo,env,expr,file,find,getopt,grep,gtar,gzip,head,hostname,id,lbzip2,ldconfig,ldd,ln,ls,lsb_release,lspci,lsof,lz4,lzip,lzma,lzop,md5sum,mkdir,mktemp,mv,netstat,ps,pulseaudio,python*,readlink,realpath,rm,sed,sh,sha1sum,sha256sum,sha512sum,sleep,sort,steam,steamdeps,steam-native,steam-runtime,sum,tail,tar,tclsh,test,touch,tr,umask,uname,update-desktop-database,wc,wget,which,whoami,xterm,xz,zenity
+#private-bin awk,basename,bash,bsdtar,bzip2,cat,chmod,cksum,cmp,comm,compress,cp,curl,cut,date,dbus-launch,dbus-send,desktop-file-edit,desktop-file-install,desktop-file-validate,dirname,echo,env,expr,file,find,getopt,grep,gtar,gzip,head,hostname,id,lbzip2,ldconfig,ldd,ln,ls,lsb_release,lsof,lspci,lz4,lzip,lzma,lzop,md5sum,mkdir,mktemp,mv,netstat,ps,pulseaudio,python*,readlink,realpath,rm,sed,sh,sha1sum,sha256sum,sha512sum,sleep,sort,steam,steamdeps,steam-native,steam-runtime,sum,tail,tar,tclsh,test,touch,tr,umask,uname,update-desktop-database,wc,wget,which,whoami,xterm,xz,zenity
 # extra programs are available which might be needed for select games
 #private-bin java,java-config,mono
 # picture viewers are needed for viewing screenshots
@@ -76,5 +68,5 @@ shell none
 # private-dev should be commented for controllers
 private-dev
 # private-etc breaks a small selection of games on some systems, comment to support those
-private-etc alternatives,asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,ld.so.conf,ld.so.conf.d,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl,pki,services,crypto-policies,alternatives,bumblebee,nvidia,os-release
+private-etc alternatives,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,lsb-release,machine-id,mime.types,nvidia,os-release,passwd,pki,pulse,resolv.conf,services,ssl
 private-tmp
diff --git a/etc/strings.profile b/etc/strings.profile
index 0caecdf7b..621e8e177 100644
--- a/etc/strings.profile
+++ b/etc/strings.profile
@@ -4,30 +4,42 @@ quiet
 # Persistent local customizations
 include strings.local
 # Persistent global definitions
-# added by included profile
+include globals.local
-#include globals.local
-blacklist /tmp/.X11-unix
+include disable-common.inc
+include disable-devel.inc
 include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
-ignore noroot
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
 net none
 no3d
 nodbus
 nodvd
+nogroups
+nonewprivs
+#noroot
 nosound
 notv
 nou2f
 novideo
+protocol unix
+seccomp
 shell none
 tracelog
+x11 none
+#private
 private-bin strings
 private-cache
 private-dev
 private-etc alternatives
 private-lib libfakeroot
+private-tmp
 memory-deny-write-execute
-include default.profile
diff --git a/etc/subdownloader.profile b/etc/subdownloader.profile
index c07131893..d0176a657 100644
--- a/etc/subdownloader.profile
+++ b/etc/subdownloader.profile
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.config/SubDownloader
 noblacklist ${VIDEOS}
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
@@ -44,4 +40,4 @@ private-dev
 private-etc alternatives,fonts
 private-tmp
-# memory-deny-write-execute - Breaks on Arch
+#memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/supertux2.profile b/etc/supertux2.profile
index 793e4126c..287a078b3 100644
--- a/etc/supertux2.profile
+++ b/etc/supertux2.profile
@@ -34,5 +34,4 @@ shell none
 disable-mnt
 # private-bin supertux2
 private-dev
-# private-etc alternatives
 private-tmp
diff --git a/etc/supertuxkart.profile b/etc/supertuxkart.profile
index 60d80ecd4..2cd5ec3ad 100644
--- a/etc/supertuxkart.profile
+++ b/etc/supertuxkart.profile
@@ -47,7 +47,7 @@ disable-mnt
 private-bin supertuxkart
 private-cache
 private-dev
-private-etc alternatives,resolv.conf,ca-certificates,ssl,hosts,machine-id,xdg,openal,crypto-policies,pki,drirc,system-fips,selinux
+private-etc alternatives,ca-certificates,crypto-policies,drirc,hosts,machine-id,openal,pki,resolv.conf,selinux,ssl,system-fips,xdg
 private-tmp
 private-opt none
 private-srv none
diff --git a/etc/surf.profile b/etc/surf.profile
index 0504b5fe5..d4c6d9afc 100644
--- a/etc/surf.profile
+++ b/etc/surf.profile
@@ -15,6 +15,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 mkdir ${HOME}/.surf
+whitelist ${HOME}/.surf
 whitelist ${DOWNLOADS}
 include whitelist-common.inc
@@ -31,8 +32,8 @@ shell none
 tracelog
 disable-mnt
-private-bin ls,surf,sh,bash,curl,dmenu,printf,sed,sleep,st,stterm,xargs,xprop
+private-bin bash,curl,dmenu,ls,printf,sed,sh,sleep,st,stterm,surf,xargs,xprop
 private-dev
-private-etc alternatives,passwd,group,hosts,resolv.conf,fonts,ssl,pki,ca-certificates,crypto-policies
+private-etc alternatives,ca-certificates,crypto-policies,fonts,group,hosts,passwd,pki,resolv.conf,ssl
 private-tmp
diff --git a/etc/synfigstudio.profile b/etc/synfigstudio.profile
index 33086a99d..30b0ad762 100644
--- a/etc/synfigstudio.profile
+++ b/etc/synfigstudio.profile
@@ -31,7 +31,7 @@ protocol unix
 seccomp
 shell none
-#private-bin synfigstudio,synfig,ffmpeg
+#private-bin ffmpeg,synfig,synfigstudio
 private-cache
 private-dev
 private-tmp
diff --git a/etc/tar.profile b/etc/tar.profile
index 14fc00d21..1232bb372 100644
--- a/etc/tar.profile
+++ b/etc/tar.profile
@@ -5,17 +5,17 @@ quiet
 # Persistent local customizations
 include tar.local
 # Persistent global definitions
-# added by included profile
+include globals.local
-#include globals.local
-blacklist /tmp/.X11-unix
+include disable-common.inc
+include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
+include disable-passwdmgr.inc
-ignore noroot
+include disable-programs.inc
 apparmor
+caps.drop all
 hostname tar
 ipc-namespace
 machine-id
@@ -24,23 +24,25 @@ no3d
 nodbus
 nodvd
 nogroups
+nonewprivs
+#noroot
 nosound
 notv
 nou2f
 novideo
+protocol unix
+seccomp
 shell none
 tracelog
+x11 none
 # support compressed archives
-private-bin sh,bash,tar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop
+private-bin bash,bzip2,compress,gtar,gzip,lbzip2,lzip,lzma,lzop,sh,tar,xz
 private-cache
 private-dev
-private-etc alternatives,passwd,group,localtime
+private-etc alternatives,group,localtime,passwd
 private-lib libfakeroot
-memory-deny-write-execute
 # Debian based distributions need this for 'dpkg --unpack' (incl. synaptic)
 writable-var
-include default.profile
+memory-deny-write-execute
diff --git a/etc/tcpdump.profile b/etc/tcpdump.profile
new file mode 100644
index 000000000..3c46dfdcb
--- /dev/null
+++ b/etc/tcpdump.profile
@@ -0,0 +1,44 @@
+# Firejail profile for tcpdump
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include tcpdump.local
+# Persistent global definitions
+include globals.local
+noblacklist /sbin
+noblacklist /usr/sbin
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-common.inc
+caps.keep net_raw
+ipc-namespace
+#net tun0
+netfilter
+no3d
+nodvd
+#nogroups
+nonewprivs
+#noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink,packet
+seccomp
+disable-mnt
+#private
+#private-bin tcpdump
+private-dev
+private-tmp
+memory-deny-write-execute
diff --git a/etc/teams-for-linux.profile b/etc/teams-for-linux.profile
new file mode 100644
index 000000000..d9e874be2
--- /dev/null
+++ b/etc/teams-for-linux.profile
@@ -0,0 +1,42 @@
+# Firejail profile for teams-for-linux
+# Description: Teams for Linux is an Electron application for Microsoft's team collaboration and chat program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include teams-for-linux.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/teams-for-linux
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+mkdir ${HOME}/.config/teams-for-linux
+whitelist ${HOME}/.config/teams-for-linux
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-var-common.inc
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+disable-mnt
+private-bin bash,cut,echo,egrep,grep,head,sed,sh,teams-for-linux,tr,xdg-mime,xdg-open,zsh
+private-cache
+private-dev
+private-etc ca-certificates,crypto-policies,fonts,ld.so.cache,localtime,machine-id,pki,resolv.conf,ssl
+private-tmp
diff --git a/etc/templates/Notes b/etc/templates/Notes
deleted file mode 100644
index a4170207b..000000000
--- a/etc/templates/Notes
+++ /dev/null
@@ -1,7 +0,0 @@
-Notes
-=====
- * Lines with one # are often used
- * Lines with two ## are only in special situation needed
- * Add programs specific paths like .config/program to disable-programs.inc
- * Add the name of the profile/program to src/firecfg/firecfg.config
diff --git a/etc/templates/profile.template b/etc/templates/profile.template
index d7da0ed20..892fd71ef 100644
--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -1,25 +1,91 @@
 # Firejail profile for PROGRAM_NAME
 # Description: DESCRIPTION
 # This file is overwritten after every install/update
+# --- CUT HERE ---
+# This is a generic template to help you with creation of profiles
+# for new programs. PRs welcome at https://github.com/netblue30/firejail/
+#
+# Rules to follow:
+#  - lines with one # are often used in profiles
+#  - lines with two ## are only needed in special situations
+#  - make the profile as restrictive as possible while still keeping the program useful
+#    (e. g. a program that is unable to save user's work is considered a bad practice)
+#  - dedicate some time (based on how complex the application is) to profile testing before raising
+#    a pull request
+#  - keep the sections structure, use a single empty line as a separator
+#  - entries within sections are alphabetically sorted
+#  - consider putting binary into src/firecfg/firecfg.config (keep list sorted) but beware
+#    to not do this for essential utilities as this may *break* your OS! (related discussion:
+#    https://github.com/netblue30/firejail/issues/2507)
+#  - remove this comment section and any generic comment past 'Persistent global definitions'
+#
+# Sections structure
+#   HEADER
+#   COMMENTS
+#   IGNORES
+#   NOBLACKLISTS
+#   ALLOW INCLUDES
+#   BLACKLISTS
+#   DISABLE INCLUDES
+#   MKDIRS
+#   WHITELISTS
+#   WHITELIST INCLUDES
+#   OPTIONS (caps*, net*, no*, protocol, seccomp*, shell none, tracelog)
+#   PRIVATE OPTIONS (disable-mnt, private-*, writable-*)
+#   SPECIAL OPTIONS (mdwx, noexec, read-only, join-or-start)
+#   REDIRECT INCLUDES
+#
+# The following macros may be used in path names to substitute common locations:
+#  ${DESKTOP}
+#  ${DOCUMENTS}
+#  ${DOWNLOADS}
+#  ${HOME} (user's home)
+#  ${PATH} (contents of PATH envvar)
+#  ${MUSIC}
+#  ${VIDEOS}
+#
+# Check contents of ~/.config/user-dirs.dirs to see how they translate to actual paths.
+#
+# --- CUT HERE ---
 ##quiet
 # Persistent local customizations
-#include PROFILE.local
+include PROFILE.local
 # Persistent global definitions
-#include globals.local
+include globals.local
 ##ignore noexec ${HOME}
+##ignore noexec /tmp
 ##blacklist PATH
+# Disable X11 (CLI only), see also 'x11 none' below
+#blacklist /tmp/.X11-unix
+# It is common practice to add files/dirs containing program-specific configuration
+# (often ${HOME}/PROGRAMNAME or ${HOME}/.config/PROGRAMNAME) into disable-programs.inc
+# (keep list sorted) and then disable blacklisting below.
+# One way to retrieve the files a program uses is:
+#  - launch binary with --private naming a sandbox
+#      `firejail --name=test --ignore=private-bin [--profile=PROFILE] --private BINARY`
+#  - work with the program, do some configuration changes and save them, open new documents,
+#    install plugins if they exists, etc
+#  - join the sandbox with bash:
+#      `firejail --join=test bash`
+#  - look what has changed and use that information to populate blacklist and whitelist sections
+#      `ls -aR`
 #noblacklist PATH
 # Allow python (blacklisted by disable-interpreters.inc)
-#noblacklist ${PATH}/python2*
+#include allow-python2.inc
-#noblacklist ${PATH}/python3*
+#include allow-python3.inc
-#noblacklist /usr/lib/python2*
-#noblacklist /usr/lib/python3*
+# Allow perl (blacklisted by disable-interpreters.inc)
-#noblacklist /usr/local/lib/python2*
+#include allow-perl.inc
-#noblacklist /usr/local/lib/python3*
+# Allow java (blacklisted by disable-devel.inc)
+#include allow-java.inc
+# Allow lua (blacklisted by disable-interpreters.inc)
+#include allow-lua.inc
 #include disable-common.inc
 #include disable-devel.inc
@@ -29,16 +95,24 @@
 #include disable-programs.inc
 #include disable-xdg.inc
+# This section often mirrors noblacklist section above. The idea is
+# that if a user feels too restricted (he's unable to save files into
+# home directory for instance) he/she may disable whitelist (nowhitelist)
+# in PROFILE.local but still be protected by BLACKLISTS section
+# (further explanation at https://github.com/netblue30/firejail/issues/1569)
 #mkdir PATH
-#mkfile PATH
+##mkfile PATH
 #whitelist PATH
 #include whitelist-common.inc
 #include whitelist-var-common.inc
 #apparmor
 #caps.drop all
+##caps.keep CAPS
+##hostname NAME
 # CLI only
 ##ipc-namespace
+# breaks sound and sometime dbus related functions
 #machine-id
 # 'net none' or 'netfilter'
 #net none
@@ -53,30 +127,48 @@
 #notv
 #nou2f
 #novideo
-#protocol unix,inet,inet6,netlink
+# Remove every not needed protocol
+#  - unix is usually needed
+#  - inet,inet6 only if internet access is requiered (see 'net none'/'netfilter' above)
+#  - netlink is rarely needed
+#  - packet almost never
+#protocol unix,inet,inet6,netlink,packet
 #seccomp
-##seccomp.drop SYSCALLS
+##seccomp.drop SYSCALLS (see also syscalls.txt)
 #shell none
 #tracelog
+# Prefer 'x11 none' instead of 'blacklist /tmp/.X11-unix' if 'net none' is set
+##x11 none
 #disable-mnt
 ##private
+# It's common practice to refer to the python executable(s) in private-bin with `python*`, which covers both v2 and v3
 #private-bin PROGRAMS
 #private-cache
 #private-dev
 #private-etc FILES
-# private-etc templates (see also #1734)
+# private-etc templates (see also #1734, #2093)
-#  Internet: ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
+#  Common: alternatives,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,xdg
-#  Sound: alsa,asound.conf,machine-id,openal,pulse
+#    Extra: magic,magic.mgc,passwd,group
-#  GTK: dconf,fonts,gtk-2.0,gtk-3.0,pango,xdg
+#  Networking: ca-certificates,ssl,pki,crypto-policies,nsswitch.conf,resolv.conf,hosts,host.conf,hostname,protocols,services,rpc
-#  KDE/QT: fonts,kde4rc,kde5rc,ld.so.cache,machine-id,Trolltech.conf,xdg
+#    Extra: proxychains.conf,gai.conf
-#  GUIs: fonts
+#  Sound: alsa,asound.conf,pulse,machine-id
-#  Alternatives: alternatives
+#  GUI: fonts,pango,X11
+#  GTK: dconf,gconf,gtk-2.0,gtk-3.0
+#  Qt: Trolltech.conf
+#  KDE: kde4rc,kde5rc
+#  3D: drirc,glvnd,bumblebee,nvidia
+#  D-Bus: dbus-1,machine-id
 ##private-lib LIBS
 ##private-opt NAME
 #private-tmp
+##writable-etc
+##writable-run-user
+##writable-var
+##writable-var-log
 ##env VAR=VALUE
 #memory-deny-write-execute
+##noexec PATH
 ##read-only ${HOME}
 ##join-or-start NAME
diff --git a/etc/templates/redirect_alias-profile.template b/etc/templates/redirect_alias-profile.template
index 56dd43ca4..0a0788e96 100644
--- a/etc/templates/redirect_alias-profile.template
+++ b/etc/templates/redirect_alias-profile.template
@@ -1,4 +1,4 @@
-# Firejail profile for PRGOGRAM_NAME
+# Firejail profile for PROGRAM_NAME
 # Description: DESCRIPTION
 # This file is overwritten after every install/update
 # Persistent local customizations
@@ -8,29 +8,36 @@ include PROFILE.local
 #include globals.local
 #NOTE: let include globals.local commented
-# Additional blacklisting (if needed)
+# For more informations see profile.template
-#blacklist PATH
+# Ignore something that is in the included profile
+#ignore net none
+#ignore private-bin
+#ignore seccomp
+#...
 # Additional noblacklisting (if needed)
 #noblacklist PATH
+# Additional allow includes (if needed)
+# Additional blacklisting (if needed)
+#blacklist PATH
 # Additional whitelisting (if needed)
 #mkdir PATH
-#mkfile PATH
+##mkfile PATH
 #whitelist PATH
-# Additional options if needed (see firejail-profile.example)
+# Additional options (if needed)
+# Additional private-options (if needed)
 # Add programs to private-bin (if needed)
 #private-bin PROGRAMS
 # Add files to private-etc (if needed)
 #private-etc FILES
-# Ignore something that is in the included profile
+# Additional special options (if needed)
-#ignore net none
-#ignore private-bin
-#ignore seccomp
-#...
 # Redirect
 include PROFILE.profile
diff --git a/etc/templates/syscalls.txt b/etc/templates/syscalls.txt
index ec8247517..2464df9ee 100644
--- a/etc/templates/syscalls.txt
+++ b/etc/templates/syscalls.txt
@@ -4,19 +4,19 @@ Hints for writing seccomp.drop lines
 @clock=adjtimex,clock_adjtime,clock_settime,settimeofday,stime
 @module=delete_module,finit_module,init_module
 @raw-io=ioperm,iopl,pciconfig_iobase,pciconfig_read,pciconfig_write,s390_mmio_read,s390_mmio_write
-@reboot=kexec_load,kexec_file_load,reboot,
+@reboot=kexec_file_load,kexec_load,reboot
-@swap=swapon,swapoff
+@swap=swapoff,swapon
 @privileged=@clock,@module,@raw-io,@reboot,@swap,acct,bpf,chroot,mount,nfsservctl,pivot_root,setdomainname,sethostname,umount2,vhangup
 @cpu-emulation=modify_ldt,subpage_prot,switch_endian,vm86,vm86old
 @debug=lookup_dcookie,perf_event_open,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext
 @obsolete=_sysctl,afs_syscall,bdflush,break,create_module,ftime,get_kernel_syms,getpmsg,gtty,lock,mpx,prof,profil,putpmsg,query_module,security,sgetmask,ssetmask,stty,sysfs,tuxcall,ulimit,uselib,ustat,vserver
-@resources=set_mempolicy,migrate_pages,move_pages,mbind
+@resources=mbind,migrate_pages,move_pages,set_mempolicy
-@default=@cpu-emulation,@debug,@obsolete,@privileged,@resources,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,kcmp,add_key,request_key,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,vmsplice,umount,userfaultfd,mincore
+@default=@cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,ioprio_set,io_setup,io_submit,kcmp,keyctl,mincore,name_to_handle_at,ni_syscall,open_by_handle_at,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice
-@default-nodebuggers=@default,ptrace,personality,process_vm_readv
+@default-nodebuggers=@default,personality,process_vm_readv,ptrace
 @default-keep=execve,prctl
diff --git a/etc/terasology.profile b/etc/terasology.profile
index 43865b6fb..9a8426435 100644
--- a/etc/terasology.profile
+++ b/etc/terasology.profile
@@ -5,17 +5,16 @@ include terasology.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.java
+ignore noexec /tmp
 noblacklist ${HOME}/.local/share/terasology
-# Allow access to java
+# Allow java (blacklisted by disable-devel.inc)
-noblacklist ${PATH}/java
+include allow-java.inc
-noblacklist /usr/lib/java
-noblacklist /etc/java
-noblacklist /usr/share/java
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -44,7 +43,5 @@ shell none
 disable-mnt
 private-dev
-private-etc alternatives,asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl,java-8-openjdk,java-7-openjdk,pki,crypto-policies
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,java-7-openjdk,java-8-openjdk,ld.so.cache,ld.so.preload,localtime,lsb-release,machine-id,mime.types,passwd,pki,pulse,resolv.conf,ssl
 private-tmp
-noexec ${HOME}
diff --git a/etc/thunderbird.profile b/etc/thunderbird.profile
index e4f6e6df3..5ad57a8f5 100644
--- a/etc/thunderbird.profile
+++ b/etc/thunderbird.profile
@@ -32,17 +32,15 @@ ignore private-tmp
 # machine-id breaks audio in browsers; enable it when sound is not required
 # machine-id
 read-only ${HOME}/.config/mimeapps.list
-# writable-run-user is needed for signing and encrypting emails
+# writable-run-user and dbus are needed by enigmail
 writable-run-user
+ignore nodbus
 # If you want to read local mail stored in /var/mail, add the following to thunderbird.local:
 # noblacklist /var/mail
 # noblacklist /var/spool/mail
 # writable-var
-# Uncomment (or put in thunderbird.local) if you use enigmail
-#ignore nodbus
 # allow browsers
 # Redirect
 include firefox-common.profile
diff --git a/etc/tor.profile b/etc/tor.profile
index e80fbadb0..13d071635 100644
--- a/etc/tor.profile
+++ b/etc/tor.profile
@@ -25,7 +25,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
-caps.keep setuid,setgid,net_bind_service,dac_read_search
+caps.keep dac_read_search,net_bind_service,setgid,setuid
 ipc-namespace
 machine-id
 netfilter
@@ -40,13 +40,12 @@ novideo
 protocol unix,inet,inet6
 seccomp
 shell none
-writable-var
 disable-mnt
 private
-private-bin tor,bash
+private-bin bash,tor
 private-cache
 private-dev
-private-etc alternatives,tor,passwd,ca-certificates,ssl,pki,crypto-policies
+private-etc alternatives,ca-certificates,crypto-policies,passwd,pki,ssl,tor
 private-tmp
+writable-var
diff --git a/etc/torbrowser-launcher.profile b/etc/torbrowser-launcher.profile
index c7c810cda..33e87e6a7 100644
--- a/etc/torbrowser-launcher.profile
+++ b/etc/torbrowser-launcher.profile
@@ -12,12 +12,8 @@ noblacklist ${HOME}/.config/torbrowser
 noblacklist ${HOME}/.local/share/torbrowser
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
@@ -54,5 +50,5 @@ shell none
 disable-mnt
 private-bin bash,cp,dirname,env,expr,file,getconf,gpg,grep,id,ln,mkdir,python*,readlink,rm,sed,sh,tail,tar,tclsh,test,tor-browser-en,torbrowser-launcher,xz
 private-dev
-private-etc alternatives,fonts,hostname,hosts,resolv.conf,pki,ssl,ca-certificates,crypto-policies,alsa,asound.conf,pulse,machine-id,ld.so.cache
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,machine-id,pki,pulse,resolv.conf,ssl
 private-tmp
diff --git a/etc/totem.profile b/etc/totem.profile
index f541d3cc2..5b74709e3 100644
--- a/etc/totem.profile
+++ b/etc/totem.profile
@@ -6,6 +6,9 @@ include totem.local
 # Persistent global definitions
 include globals.local
+# Allow lua (required for youtube video)
+include allow-lua.inc
 noblacklist ${HOME}/.config/totem
 noblacklist ${HOME}/.local/share/totem
 noblacklist ${MUSIC}
@@ -37,6 +40,6 @@ private-bin totem
 # totem needs access to ~/.cache/tracker or it exits
 #private-cache
 private-dev
-# private-etc alternatives,fonts,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,machine-id,pki,pulse,ssl
 private-tmp
diff --git a/etc/tracker.profile b/etc/tracker.profile
index c1779ae3e..6e107d99e 100644
--- a/etc/tracker.profile
+++ b/etc/tracker.profile
@@ -33,5 +33,4 @@ tracelog
 # private-bin tracker
 # private-dev
-# private-etc alternatives,fonts
 # private-tmp
diff --git a/etc/transmission-daemon.profile b/etc/transmission-daemon.profile
index c67200826..9a6052ada 100644
--- a/etc/transmission-daemon.profile
+++ b/etc/transmission-daemon.profile
@@ -1,5 +1,5 @@
 # Firejail profile for transmission-daemon
-# Description:  Fast, easy and free BitTorrent client (daemon)
+# Description: Fast, easy and free BitTorrent client (daemon)
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations
diff --git a/etc/transmission-remote-cli.profile b/etc/transmission-remote-cli.profile
index 3e3ad1a07..7b7a47f14 100644
--- a/etc/transmission-remote-cli.profile
+++ b/etc/transmission-remote-cli.profile
@@ -8,12 +8,8 @@ include transmission-remote-cli.local
 #include globals.local
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 mkdir ${HOME}/.cache/transmission
 mkdir ${HOME}/.config/transmission
diff --git a/etc/tremulous.profile b/etc/tremulous.profile
index a56ac2c07..e148298ae 100644
--- a/etc/tremulous.profile
+++ b/etc/tremulous.profile
@@ -38,7 +38,7 @@ shell none
 tracelog
 disable-mnt
-private-bin tremulous,tremulous-wrapper,tremded
+private-bin tremded,tremulous,tremulous-wrapper
 private-cache
 private-dev
 private-tmp
diff --git a/etc/tshark.profile b/etc/tshark.profile
new file mode 100644
index 000000000..ea85f4e8a
--- /dev/null
+++ b/etc/tshark.profile
@@ -0,0 +1,41 @@
+# Firejail profile for tshark
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include tshark.local
+# Persistent global definitions
+include globals.local
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-common.inc
+#caps.keep net_raw
+caps.keep dac_override,net_admin,net_raw
+ipc-namespace
+#net tun0
+netfilter
+no3d
+nodvd
+# nogroups - breaks network traffic capture for unprivileged users
+# nonewprivs - breaks network traffic capture for unprivileged users
+# noroot
+nosound
+notv
+nou2f
+novideo
+#protocol unix,inet,inet6,netlink,packet
+#seccomp
+disable-mnt
+#private
+private-cache
+#private-bin tshark
+private-dev
+private-tmp
diff --git a/etc/tuxguitar.profile b/etc/tuxguitar.profile
index 1b657d083..ae868a022 100644
--- a/etc/tuxguitar.profile
+++ b/etc/tuxguitar.profile
@@ -6,16 +6,12 @@ include tuxguitar.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.java
 noblacklist ${HOME}/.tuxguitar*
 noblacklist ${DOCUMENTS}
 noblacklist ${MUSIC}
-# Allow access to java
+# Allow java (blacklisted by disable-devel.inc)
-noblacklist ${PATH}/java
+include allow-java.inc
-noblacklist /usr/lib/java
-noblacklist /etc/java
-noblacklist /usr/share/java
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/udiskie.profile b/etc/udiskie.profile
new file mode 100644
index 000000000..8cc443bff
--- /dev/null
+++ b/etc/udiskie.profile
@@ -0,0 +1,45 @@
+# Firejail profile for udiskie
+# Description: Removable disk automounter using udisks
+# This file is overwritten after every install/update
+# Persistent local customizations
+include udiskie.local
+# Persistent global definitions
+include globals.local
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-var-common.inc
+caps.drop all
+machine-id
+net none
+no3d
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+private-bin awk,cut,dbus-send,egrep,file,grep,head,python*,readlink,sed,sh,udiskie,uname,which,xdg-mime,xdg-open,xprop
+# add your configured file browser in udiskie.local, e. g.
+# private-bin nautilus
+# private-bin thunar
+private-cache
+private-dev
+private-etc alternatives,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,xdg
+private-tmp
diff --git a/etc/unbound.profile b/etc/unbound.profile
index 6e4b5ed1c..e152ee7ea 100644
--- a/etc/unbound.profile
+++ b/etc/unbound.profile
@@ -6,11 +6,11 @@ include unbound.local
 # Persistent global definitions
 include globals.local
-blacklist /tmp/.X11-unix
 noblacklist /sbin
 noblacklist /usr/sbin
+blacklist /tmp/.X11-unix
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
@@ -29,12 +29,12 @@ nosound
 notv
 nou2f
 novideo
-seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open
+seccomp.drop _sysctl,acct,add_key,adjtimex,clock_adjtime,delete_module,fanotify_init,finit_module,get_mempolicy,init_module,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioperm,iopl,kcmp,kexec_file_load,kexec_load,keyctl,lookup_dcookie,mbind,migrate_pages,modify_ldt,mount,move_pages,open_by_handle_at,perf_event_open,perf_event_open,pivot_root,process_vm_readv,process_vm_writev,ptrace,remap_file_pages,request_key,set_mempolicy,swapoff,swapon,sysfs,syslog,umount2,uselib,vmsplice
-writable-var
 disable-mnt
 private
 private-dev
+writable-var
 # mdwe can break modules/plugins
 memory-deny-write-execute
diff --git a/etc/unknown-horizons.profile b/etc/unknown-horizons.profile
index 36d1319d1..b62d3111d 100644
--- a/etc/unknown-horizons.profile
+++ b/etc/unknown-horizons.profile
@@ -23,11 +23,11 @@ nonewprivs
 noroot
 notv
 nou2f
-protocol unix,netlink,inet,inet6
+protocol unix,inet,inet6,netlink
 seccomp
 shell none
 # private-bin unknown-horizons
 private-dev
-# private-etc alternatives,ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,ca-certificates,crypto-policies,pki,ssl
 private-tmp
diff --git a/etc/unrar.profile b/etc/unrar.profile
index 7fe37f061..428173e7d 100644
--- a/etc/unrar.profile
+++ b/etc/unrar.profile
@@ -5,27 +5,37 @@ quiet
 # Persistent local customizations
 include unrar.local
 # Persistent global definitions
-# added by included profile
+include globals.local
-#include globals.local
-blacklist /tmp/.X11-unix
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+caps.drop all
 hostname unrar
-ignore noroot
+ipc-namespace
+machine-id
 net none
 no3d
 nodbus
 nodvd
+#nogroups
+nonewprivs
+#noroot
 nosound
 notv
 nou2f
 novideo
+protocol unix
+seccomp
 shell none
 tracelog
+x11 none
 private-bin unrar
 private-dev
-private-etc alternatives,passwd,group,localtime
+private-etc alternatives,group,localtime,passwd
 private-tmp
-include default.profile
diff --git a/etc/unzip.profile b/etc/unzip.profile
index be6b6c321..94aee724d 100644
--- a/etc/unzip.profile
+++ b/etc/unzip.profile
@@ -5,29 +5,40 @@ quiet
 # Persistent local customizations
 include unzip.local
 # Persistent global definitions
-# added by included profile
+include globals.local
-#include globals.local
-blacklist /tmp/.X11-unix
+# GNOME Shell integration (chrome-gnome-shell)
+noblacklist ${HOME}/.local/share/gnome-shell
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+caps.drop all
 hostname unzip
-ignore noroot
+ipc-namespace
+machine-id
 net none
 no3d
 nodbus
 nodvd
+#nogroups
+nonewprivs
+noroot
 nosound
 notv
 nou2f
 novideo
+protocol unix
+seccomp
 shell none
 tracelog
+x11 none
 private-bin unzip
+private-cache
 private-dev
-private-etc alternatives,passwd,group,localtime
+private-etc alternatives,group,localtime,passwd
-# GNOME Shell integration (chrome-gnome-shell)
-noblacklist ${HOME}/.local/share/gnome-shell
-include default.profile
diff --git a/etc/utox.profile b/etc/utox.profile
index 9216a6a05..454e3260b 100644
--- a/etc/utox.profile
+++ b/etc/utox.profile
@@ -41,7 +41,7 @@ disable-mnt
 private-bin utox
 private-cache
 private-dev
-private-etc alternatives,fonts,resolv.conf,ld.so.cache,localtime,ca-certificates,ssl,pki,crypto-policies,machine-id,pulse,openal
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,localtime,machine-id,openal,pki,pulse,resolv.conf,ssl
 private-tmp
 memory-deny-write-execute
diff --git a/etc/uudeview.profile b/etc/uudeview.profile
index 859656fa5..af6cd620f 100644
--- a/etc/uudeview.profile
+++ b/etc/uudeview.profile
@@ -5,24 +5,36 @@ quiet
 # Persistent local customizations
 include uudeview.local
 # Persistent global definitions
-# added by included profile
+include globals.local
-#include globals.local
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+caps.drop all
 hostname uudeview
-ignore noroot
+ipc-namespace
+machine-id
 net none
 nodbus
 nodvd
+#nogroups
+nonewprivs
+#noroot
 nosound
 notv
 nou2f
 novideo
+protocol unix
+seccomp
 shell none
 tracelog
+x11 none
 private-bin uudeview
 private-cache
 private-dev
 private-etc alternatives,ld.so.preload
-include default.profile
diff --git a/etc/uzbl-browser.profile b/etc/uzbl-browser.profile
index dbee819cd..d4e54235b 100644
--- a/etc/uzbl-browser.profile
+++ b/etc/uzbl-browser.profile
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.local/share/uzbl
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/viewnior.profile b/etc/viewnior.profile
index f9fb1cefe..e238db8ce 100644
--- a/etc/viewnior.profile
+++ b/etc/viewnior.profile
@@ -6,12 +6,12 @@ include viewnior.local
 # Persistent global definitions
 include globals.local
-blacklist ${HOME}/.bashrc
 noblacklist ${HOME}/.Steam
 noblacklist ${HOME}/.config/viewnior
 noblacklist ${HOME}/.steam
+blacklist ${HOME}/.bashrc
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -43,5 +43,4 @@ private-dev
 private-etc alternatives,fonts,machine-id
 private-tmp
-# memory-deny-write-executes breaks on Arch - see issue #1808
+#memory-deny-write-execute - breaks on Arch (see issues #1803 and #1808)
-#memory-deny-write-execute
diff --git a/etc/vim.profile b/etc/vim.profile
index 55fa22a54..49abb0d44 100644
--- a/etc/vim.profile
+++ b/etc/vim.profile
@@ -7,6 +7,9 @@ include vim.local
 include globals.local
 noblacklist ${HOME}/.python-history
+noblacklist ${HOME}/.python_history
+noblacklist ${HOME}/.pythonhist
+noblacklist ${HOME}/.pythonrc.py
 noblacklist ${HOME}/.vim
 noblacklist ${HOME}/.viminfo
 noblacklist ${HOME}/.vimrc
diff --git a/etc/vlc.profile b/etc/vlc.profile
index 64ac7a4f0..572758f28 100644
--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@@ -34,7 +34,7 @@ protocol unix,inet,inet6,netlink
 seccomp
 shell none
-private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc
+private-bin cvlc,nvlc,qvlc,rvlc,svlc,vlc
 private-dev
 private-tmp
diff --git a/etc/w3m.profile b/etc/w3m.profile
index 143ac4f63..9b6cc8238 100644
--- a/etc/w3m.profile
+++ b/etc/w3m.profile
@@ -6,10 +6,10 @@ include w3m.local
 # Persistent global definitions
 include globals.local
-blacklist /tmp/.X11-unix
 noblacklist ${HOME}/.w3m
+blacklist /tmp/.X11-unix
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
@@ -36,5 +36,5 @@ tracelog
 # private-bin w3m
 private-cache
 private-dev
-private-etc alternatives,resolv.conf,ssl,pki,ca-certificates,crypto-policies
+private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl
 private-tmp
diff --git a/etc/waterfox.profile b/etc/waterfox.profile
index 3dc21958d..b8ee67ae0 100644
--- a/etc/waterfox.profile
+++ b/etc/waterfox.profile
@@ -20,7 +20,7 @@ whitelist ${HOME}/.mozilla
 whitelist ${HOME}/.waterfox
 # waterfox requires a shell to launch on Arch. We can possibly remove sh though.
-#private-bin waterfox,which,sh,dbus-launch,dbus-send,env,bash
+#private-bin bash,dbus-launch,dbus-send,env,sh,waterfox,which
 # private-etc must first be enabled in firefox-common.profile
 #private-etc waterfox
diff --git a/etc/webstorm.profile b/etc/webstorm.profile
index b97ea8d2f..e820bae00 100644
--- a/etc/webstorm.profile
+++ b/etc/webstorm.profile
@@ -11,7 +11,6 @@ noblacklist ${HOME}/.config/git
 noblacklist ${HOME}/.gitconfig
 noblacklist ${HOME}/.git-credentials
 noblacklist ${HOME}/.gradle
-noblacklist ${HOME}/.java
 noblacklist ${HOME}/.local/share/JetBrains
 noblacklist ${HOME}/.ssh
 noblacklist ${HOME}/.tooling
diff --git a/etc/wget.profile b/etc/wget.profile
index a7ef32e2c..2d5c0c4d6 100644
--- a/etc/wget.profile
+++ b/etc/wget.profile
@@ -7,11 +7,11 @@ include wget.local
 # Persistent global definitions
 include globals.local
-blacklist /tmp/.X11-unix
 noblacklist ${HOME}/.wget-hsts
 noblacklist ${HOME}/.wgetrc
+blacklist /tmp/.X11-unix
 include disable-common.inc
 include disable-exec.inc
 include disable-passwdmgr.inc
@@ -36,6 +36,6 @@ shell none
 # private-bin wget
 private-dev
-# private-etc alternatives,resolv.conf,ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,ca-certificates,crypto-policie,pki,resolv.conf,ssl
 # private-tmp
diff --git a/etc/whois.profile b/etc/whois.profile
index cc2494f95..f101ee637 100644
--- a/etc/whois.profile
+++ b/etc/whois.profile
@@ -36,7 +36,7 @@ shell none
 disable-mnt
 private
-private-bin sh,bash,whois
+private-bin bash,sh,whois
 private-cache
 private-dev
 # private-etc alternatives,hosts,services,whois.conf
diff --git a/etc/wire-desktop.profile b/etc/wire-desktop.profile
index 3953de614..f41453bf3 100644
--- a/etc/wire-desktop.profile
+++ b/etc/wire-desktop.profile
@@ -16,7 +16,6 @@ include disable-programs.inc
 mkdir ${HOME}/.config/Wire
 whitelist ${HOME}/.config/Wire
 whitelist ${DOWNLOADS}
 include whitelist-common.inc
 caps.drop all
@@ -35,7 +34,7 @@ shell none
 # it is not in PATH. To use Wire with firejail, run "firejail /opt/wire-desktop/wire-desktop"
 disable-mnt
-private-bin wire-desktop,bash,sh,env,electron
+private-bin bash,electron,env,sh,wire-desktop
 private-dev
-private-etc alternatives,fonts,machine-id,resolv.conf,ca-certificates,ssl,pki,crypto-policies
+private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,resolv.conf,ssl
 private-tmp
diff --git a/etc/wireshark.profile b/etc/wireshark.profile
index 9b9757cd5..58ff93750 100644
--- a/etc/wireshark.profile
+++ b/etc/wireshark.profile
@@ -10,11 +10,8 @@ noblacklist ${HOME}/.config/wireshark
 noblacklist ${HOME}/.wireshark
 noblacklist ${DOCUMENTS}
-# Wireshark can use Lua for scripting
+# Allow lua (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/lua*
+include allow-lua.inc
-noblacklist /usr/lib/lua
-noblacklist /usr/include/lua*
-noblacklist /usr/share/lua
 include disable-common.inc
 include disable-devel.inc
@@ -46,6 +43,6 @@ tracelog
 # private-bin wireshark
 private-dev
-# private-etc alternatives,fonts,group,hosts,machine-id,passwd,ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,ca-certificates,crypto-policies,fonts,group,hosts,machine-id,passwd,pki,ssl
 private-tmp
diff --git a/etc/xed.profile b/etc/xed.profile
index cce0432a4..a02f1ef51 100644
--- a/etc/xed.profile
+++ b/etc/xed.profile
@@ -6,15 +6,14 @@ include xed.local
 include globals.local
 noblacklist ${HOME}/.config/xed
+noblacklist ${HOME}/.python-history
+noblacklist ${HOME}/.python_history
+noblacklist ${HOME}/.pythonhist
 noblacklist ${HOME}/.pythonrc.py
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
@@ -46,7 +45,6 @@ tracelog
 private-bin xed
 private-dev
-# private-etc alternatives,fonts
 private-tmp
 # xed uses python plugins, memory-deny-write-execute breaks python
diff --git a/etc/xfburn.profile b/etc/xfburn.profile
index 1cb7f568a..cd9561e74 100644
--- a/etc/xfburn.profile
+++ b/etc/xfburn.profile
@@ -29,5 +29,4 @@ tracelog
 # private-bin xfburn
 # private-dev
-# private-etc alternatives,fonts
 # private-tmp
diff --git a/etc/xfce4-mixer.profile b/etc/xfce4-mixer.profile
index 952625ef8..e6bbb4259 100644
--- a/etc/xfce4-mixer.profile
+++ b/etc/xfce4-mixer.profile
@@ -42,7 +42,7 @@ disable-mnt
 private-bin xfce4-mixer,xfconf-query
 private-cache
 private-dev
-private-etc alternatives,asound.conf,fonts,pulse,machine-id
+private-etc alternatives,asound.conf,fonts,machine-id,pulse
 private-tmp
 memory-deny-write-execute
diff --git a/etc/xiphos.profile b/etc/xiphos.profile
index 33056395e..7114f0469 100644
--- a/etc/xiphos.profile
+++ b/etc/xiphos.profile
@@ -6,11 +6,11 @@ include xiphos.local
 # Persistent global definitions
 include globals.local
-blacklist ${HOME}/.bashrc
 noblacklist ${HOME}/.sword
 noblacklist ${HOME}/.xiphos
+blacklist ${HOME}/.bashrc
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -18,6 +18,8 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+mkdir ${HOME}/.sword
+mkdir ${HOME}/.xiphos
 whitelist ${HOME}/.sword
 whitelist ${HOME}/.xiphos
 include whitelist-common.inc
@@ -44,5 +46,5 @@ disable-mnt
 private-bin xiphos
 private-cache
 private-dev
-private-etc alternatives,fonts,resolv.conf,sword,ca-certificates,ssli,sword.conf,pki,crypto-policies
+private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,resolv.conf,ssli,sword,sword.conf
 private-tmp
diff --git a/etc/xlinks.profile b/etc/xlinks.profile
new file mode 100644
index 000000000..ad1511791
--- /dev/null
+++ b/etc/xlinks.profile
@@ -0,0 +1,18 @@
+# Firejail profile for xlinks
+# Description: Text WWW browser (X11)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xlinks.local
+noblacklist /tmp/.X11-unix
+noblacklist ${HOME}/.links
+include whitelist-common.inc
+# if you want to use user-configured programs add 'private-bin PROGRAM1,PROGRAM2'
+# to your xlinks.local or append 'PROGRAM1,PROGRAM2' to this private-bin line
+private-bin xlinks
+private-etc fonts
+# Redirect
+include links.profile
diff --git a/etc/xonotic.profile b/etc/xonotic.profile
index 09c0639f8..f4f828eda 100644
--- a/etc/xonotic.profile
+++ b/etc/xonotic.profile
@@ -37,6 +37,6 @@ shell none
 disable-mnt
 private-bin bash,blind-id,darkplaces-glx,darkplaces-sdl,dirname,grep,ldd,netstat,ps,readlink,sh,uname,xonotic,xonotic-glx,xonotic-linux32-dedicated,xonotic-linux32-glx,xonotic-linux32-sdl,xonotic-linux64-dedicated,xonotic-linux64-glx,xonotic-linux64-sdl,xonotic-sdl
 private-dev
-private-etc alternatives,asound.conf,ca-certificates,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pulse,resolv.conf,ssl,pki,crypto-policies,machine-id
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl
 private-tmp
diff --git a/etc/xplayer.profile b/etc/xplayer.profile
index b4932c99e..325ce7627 100644
--- a/etc/xplayer.profile
+++ b/etc/xplayer.profile
@@ -11,12 +11,8 @@ noblacklist ${MUSIC}
 noblacklist ${VIDEOS}
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
@@ -43,6 +39,6 @@ tracelog
 private-bin xplayer,xplayer-audio-preview,xplayer-video-thumbnailer
 private-dev
-# private-etc alternatives,fonts,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,machine-id,pki,pulse,ssl
 private-tmp
diff --git a/etc/xpra.profile b/etc/xpra.profile
index d967c1da2..6f66b9300 100644
--- a/etc/xpra.profile
+++ b/etc/xpra.profile
@@ -8,21 +8,15 @@ include globals.local
 #
 # This profile will sandbox Xpra server itself when used with firejail --x11=xpra.
-# To enable it, create a firejail-xpra  symlink in /usr/local/bin:
+# To enable it, create a firejail-xpra symlink in /usr/local/bin:
 #
 #    $ sudo ln -s /usr/bin/firejail /usr/local/bin/xpra
 #
 # or run "sudo firecfg"
-blacklist /media
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
@@ -49,10 +43,11 @@ protocol unix
 seccomp
 shell none
+disable-mnt
 # private home directory doesn't work on some distros, so we go for a regular home
 # private
 # older Xpra versions also use Xvfb
-# private-bin xpra,python*,Xvfb,Xorg,sh,xkbcomp,xauth,dbus-launch,pactl,ldconfig,which,strace,bash,cat,ls
+# private-bin bash,cat,dbus-launch,ldconfig,ls,pactl,python*,sh,strace,which,xauth,xkbcomp,Xorg,xpra,Xvfb
 private-dev
-# private-etc alternatives,ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname,machine-id,xpra,X11
+# private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,machine-id,nsswitch.conf,resolv.conf,X11,xpra
 private-tmp
diff --git a/etc/xviewer.profile b/etc/xviewer.profile
index b483e9404..b09bf8ab1 100644
--- a/etc/xviewer.profile
+++ b/etc/xviewer.profile
@@ -39,7 +39,6 @@ tracelog
 private-bin xviewer
 private-dev
-#private-etc alternatives,fonts
 private-lib
 private-tmp
diff --git a/etc/xzdec.profile b/etc/xzdec.profile
index a1f265c1e..93c288d6e 100644
--- a/etc/xzdec.profile
+++ b/etc/xzdec.profile
@@ -5,23 +5,33 @@ quiet
 # Persistent local customizations
 include xzdec.local
 # Persistent global definitions
-# added by included profile
+include globals.local
-#include globals.local
-blacklist /tmp/.X11-unix
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
-ignore noroot
+caps.drop all
+ipc-namespace
+machine-id
 net none
 no3d
 nodbus
 nodvd
+#nogroups
+nonewprivs
+#noroot
 nosound
 notv
 nou2f
 novideo
+protocol unix
+seccomp
 shell none
 tracelog
+x11 none
 private-dev
-include default.profile
diff --git a/etc/youtube-dl.profile b/etc/youtube-dl.profile
index 621ffb2b0..28b5f2376 100644
--- a/etc/youtube-dl.profile
+++ b/etc/youtube-dl.profile
@@ -7,20 +7,16 @@ include youtube-dl.local
 # Persistent global definitions
 include globals.local
+# breaks when installed via pip
+ignore noexec ${HOME}
 noblacklist ${HOME}/.netrc
 noblacklist ${MUSIC}
 noblacklist ${VIDEOS}
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
-# breaks when installed via pip
-ignore noexec ${HOME}
 include disable-common.inc
 include disable-devel.inc
@@ -53,10 +49,10 @@ shell none
 tracelog
 disable-mnt
-private-bin youtube-dl,python*,ffmpeg
+private-bin env,ffmpeg,python*,youtube-dl
 private-cache
 private-dev
-private-etc alternatives,ssl,pki,ca-certificates,hostname,hosts,resolv.conf,youtube-dl.conf,crypto-policies,mime.types
+private-etc alternatives,ca-certificates,crypto-policies,hostname,hosts,mime.types,pki,resolv.conf,ssl,youtube-dl.conf
 private-tmp
-# memory-deny-write-execute - breaks on Arch
+#memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/zaproxy.profile b/etc/zaproxy.profile
index dc3164da1..6228ff3bd 100644
--- a/etc/zaproxy.profile
+++ b/etc/zaproxy.profile
@@ -6,14 +6,10 @@ include zaproxy.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.java
 noblacklist ${HOME}/.ZAP
-# Allow access to java
+# Allow java (blacklisted by disable-devel.inc)
-noblacklist ${PATH}/java
+include allow-java.inc
-noblacklist /usr/lib/java
-noblacklist /etc/java
-noblacklist /usr/share/java
 include disable-common.inc
 include disable-devel.inc
@@ -22,6 +18,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+mkdir ${HOME}/.java
 mkdir ${HOME}/.ZAP
 whitelist ${HOME}/.java
 whitelist ${HOME}/.ZAP
diff --git a/etc/zart.profile b/etc/zart.profile
index f380e93f0..347bed8b6 100644
--- a/etc/zart.profile
+++ b/etc/zart.profile
@@ -31,6 +31,6 @@ protocol unix
 seccomp
 shell none
-private-bin zart,ffmpeg,melt,ffprobe,ffplay
+private-bin ffmpeg,ffplay,ffprobe,melt,zart
 private-dev
diff --git a/etc/zoom.profile b/etc/zoom.profile
index 456b197f3..6d312aff6 100644
--- a/etc/zoom.profile
+++ b/etc/zoom.profile
@@ -13,6 +13,8 @@ include disable-devel.inc
 include disable-interpreters.inc
 include disable-programs.inc
+mkdir ${HOME}/.cache/zoom
+mkfile ${HOME}/.config/zoomus.conf
 mkdir ${HOME}/.zoom
 whitelist ${HOME}/.cache/zoom
 whitelist ${HOME}/.config/zoomus.conf
diff --git a/etc/zpaq.profile b/etc/zpaq.profile
index 6d4501e4f..6bf3605eb 100644
--- a/etc/zpaq.profile
+++ b/etc/zpaq.profile
@@ -10,6 +10,5 @@ include zpaq.local
 # mdwx breaks 'list' functionality
 ignore memory-deny-write-execute
 # Redirect
 include cpio.profile
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 48789359d..b4efa3add 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -25,8 +25,8 @@ QOwnNotes
 Telegram
 Viber
 VirtualBox
-Xephyr
 XMind
+Xephyr
 abrowser
 akonadi_control
 akregator
@@ -186,8 +186,8 @@ firefox-developer-edition
 firefox-esr
 firefox-nightly
 firefox-wayland
-flameshot
 flacsplt
+flameshot
 flashpeak-slimjet
 flowblade
 font-manager
@@ -248,6 +248,7 @@ gnome-schedule
 gnome-system-log
 gnome-twitch
 gnome-weather
+godot
 goobox
 google-chrome
 google-chrome-beta
@@ -300,11 +301,15 @@ keepass2
 keepassx
 keepassx2
 keepassxc
+keepassxc-cli
+keepassxc-proxy
 kget
 kid3
 kid3-cli
 kid3-qt
 kino
+klatexformula
+klatexformula_cmdl
 klavaro
 kmail
 knotes
@@ -322,6 +327,7 @@ less
 libreoffice
 liferea
 lincity-ng
+links
 linphone
 lmms
 lobase
@@ -396,6 +402,7 @@ netactview
 nethack
 netsurf
 neverball
+newsbeuter
 newsboat
 nheko
 nitroshare
@@ -413,6 +420,7 @@ oggsplt
 okular
 onionshare-gui
 open-invaders
+openarena
 opencity
 openshot
 openshot-qt
@@ -422,6 +430,7 @@ opera-beta
 orage
 ostrichriders
 palemoon
+pandoc
 parole
 patch
 pavucontrol
@@ -466,6 +475,7 @@ redshift
 regextester
 remmina
 rhythmbox
+rhythmbox-client
 ricochet
 riot-desktop
 riot-web
@@ -521,6 +531,7 @@ sylpheed
 synfigstudio
 sysprof
 sysprof-cli
+teams-for-linux
 teamspeak3
 teeworlds
 telegram
@@ -578,7 +589,9 @@ transmission-remote-gtk
 transmission-show
 tremulous
 truecraft
+tshark
 tuxguitar
+udiskie
 uefitool
 uget-gtk
 unbound
@@ -622,6 +635,7 @@ xfce4-dict
 xfce4-mixer
 xfce4-notes
 xiphos
+xlinks
 xmms
 xmr-stak
 xonotic
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index fd6cb9ff2..630adc3d7 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -364,16 +364,23 @@ void preproc_mount_mnt_dir(void);
 void preproc_clean_run(void);
 // fs.c
+typedef enum {
+        BLACKLIST_FILE,
+        BLACKLIST_NOLOG,
+        MOUNT_READONLY,
+        MOUNT_TMPFS,
+        MOUNT_NOEXEC,
+        MOUNT_RDWR,
+        OPERATION_MAX
+} OPERATION;
 // blacklist files or directories by mounting empty files on top of them
 void fs_blacklist(void);
 // mount a writable tmpfs
 void fs_tmpfs(const char *dir, unsigned check_owner);
-// remount a directory read-only
+// remount noexec/nodev/nosuid or read-only or read-write
-void fs_rdonly(const char *dir);
+void fs_remount(const char *dir, OPERATION op, unsigned check_mnt);
-void fs_rdonly_rec(const char *dir);
+void fs_remount_rec(const char *dir, OPERATION op, unsigned check_mnt);
-// remount a directory noexec, nodev and nosuid
-void fs_noexec(const char *dir);
-void fs_noexec_rec(const char *dir);
 // mount /proc and /sys directories
 void fs_proc_sys_dev_boot(void);
 // build a basic read-only filesystem
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 411f2e778..14d7d7156 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -39,24 +39,17 @@
 //#define TEST_NO_BLACKLIST_MATCHING
-static int mount_warning = 0;
-static void fs_rdwr(const char *dir);
-static void fs_rdwr_rec(const char *dir);
 //***********************************************
 // process profile file
 //***********************************************
-typedef enum {
+static char *opstr[] = {
-        BLACKLIST_FILE,
+        [BLACKLIST_FILE] = "blacklist",
-        BLACKLIST_NOLOG,
+        [BLACKLIST_NOLOG] = "blacklist-nolog",
-        MOUNT_READONLY,
+        [MOUNT_READONLY] = "read-only",
-        MOUNT_TMPFS,
+        [MOUNT_TMPFS] = "tmpfs",
-        MOUNT_NOEXEC,
+        [MOUNT_NOEXEC] = "noexec",
-        MOUNT_RDWR,
+        [MOUNT_RDWR] = "read-write",
-        OPERATION_MAX
+};
-} OPERATION;
 typedef enum {
        UNSUCCESSFUL,
@@ -153,17 +146,9 @@ static void disable_file(OPERATION op, const char *filename) {
                                fs_logger2("blacklist-nolog", fname);
                }
        }
-        else if (op == MOUNT_READONLY) {
+        else if (op == MOUNT_READONLY || op == MOUNT_RDWR || op == MOUNT_NOEXEC) {
-                fs_rdonly_rec(fname);
+                fs_remount_rec(fname, op, 1);
-// todo: last_disable = SUCCESSFUL;
+                // todo: last_disable = SUCCESSFUL;
-        }
-        else if (op == MOUNT_RDWR) {
-                fs_rdwr_rec(fname);
-// todo: last_disable = SUCCESSFUL;
-        }
-        else if (op == MOUNT_NOEXEC) {
-                fs_noexec_rec(fname);
-// todo: last_disable = SUCCESSFUL;
        }
        else if (op == MOUNT_TMPFS) {
                if (S_ISDIR(s.st_mode)) {
@@ -493,145 +478,60 @@ void fs_tmpfs(const char *dir, unsigned check_owner) {
        close(fd);
 }
-// remount directory read-only
+void fs_remount(const char *dir, OPERATION op, unsigned check_mnt) {
-void fs_rdonly(const char *dir) {
        assert(dir);
        // check directory exists
        struct stat s;
        int rv = stat(dir, &s);
        if (rv == 0) {
                unsigned long flags = 0;
-                get_mount_flags(dir, &flags);
+                if (get_mount_flags(dir, &flags) != 0) {
-                if ((flags & MS_RDONLY) == MS_RDONLY)
+                        fwarning("cannot remount %s\n", dir);
                        return;
-                flags |= MS_RDONLY;
-                if (arg_debug)
-                        printf("Mounting read-only %s\n", dir);
-                // mount --bind /bin /bin
-                // mount --bind -o remount,ro /bin
-                if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0 ||
-                    mount(NULL, dir, NULL, flags|MS_BIND|MS_REMOUNT, NULL) < 0)
-                        errExit("mount read-only");
-                fs_logger2("read-only", dir);
-        }
-}
-// remount directory read-only recursively
-void fs_rdonly_rec(const char *dir) {
-        assert(dir);
-        // get mount point of the directory
-        int mountid = get_mount_id(dir);
-        if (mountid == -1)
-                return;
-        if (mountid == -2) {
-                // falling back to a simple remount on old kernels
-                if (!mount_warning) {
-                        fwarning("read-only, read-write and noexec options are not applied recursively\n");
-                        mount_warning = 1;
                }
-                fs_rdonly(dir);
+                if (op == MOUNT_RDWR) {
-                return;
+                        // allow only user owned directories, except the user is root
-        }
+                        if (getuid() != 0 && s.st_uid != getuid()) {
-        // build array with all mount points that need to get remounted
+                                fwarning("you are not allowed to change %s to read-write\n", dir);
-        char **arr = build_mount_array(mountid, dir);
+                                return;
-        assert(arr);
+                        }
-        // remount
+                        if ((flags & MS_RDONLY) == 0)
-        char **tmp = arr;
+                                return;
-        while (*tmp) {
+                        flags &= ~MS_RDONLY;
-                fs_rdonly(*tmp);
-                free(*tmp++);
-        }
-        free(arr);
-}
-// remount directory read-write
-static void fs_rdwr(const char *dir) {
-        assert(dir);
-        // check directory exists
-        struct stat s;
-        int rv = stat(dir, &s);
-        if (rv == 0) {
-                // allow only user owned directories, except the user is root
-                uid_t u = getuid();
-                if (u != 0 && s.st_uid != u) {
-                        fwarning("you are not allowed to change %s to read-write\n", dir);
-                        return;
                }
-                unsigned long flags = 0;
+                else if (op == MOUNT_NOEXEC) {
-                get_mount_flags(dir, &flags);
+                        if ((flags & (MS_NOEXEC|MS_NODEV|MS_NOSUID)) == (MS_NOEXEC|MS_NODEV|MS_NOSUID))
-                if ((flags & MS_RDONLY) == 0)
+                                return;
-                        return;
+                        flags |= MS_NOEXEC|MS_NODEV|MS_NOSUID;
-                flags &= ~MS_RDONLY;
-                if (arg_debug)
-                        printf("Mounting read-write %s\n", dir);
-                // mount --bind /bin /bin
-                // mount --bind -o remount,rw /bin
-                if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0 ||
-                    mount(NULL, dir, NULL, flags|MS_BIND|MS_REMOUNT, NULL) < 0)
-                        errExit("mount read-write");
-                fs_logger2("read-write", dir);
-                // run a sanity check on /proc/self/mountinfo
-                MountData *mptr = get_last_mount();
-                size_t len = strlen(dir);
-                if (strncmp(mptr->dir, dir, len) != 0 ||
-                   (*(mptr->dir + len) != '\0' && *(mptr->dir + len) != '/'))
-                        errLogExit("invalid read-write mount");
-        }
-}
-// remount directory read-write recursively
-static void fs_rdwr_rec(const char *dir) {
-        assert(dir);
-        // get mount point of the directory
-        int mountid = get_mount_id(dir);
-        if (mountid == -1)
-                return;
-        if (mountid == -2) {
-                // falling back to a simple remount on old kernels
-                if (!mount_warning) {
-                        fwarning("read-only, read-write and noexec options are not applied recursively\n");
-                        mount_warning = 1;
                }
-                fs_rdwr(dir);
+                else if (op == MOUNT_READONLY) {
-                return;
+                        if ((flags & MS_RDONLY) == MS_RDONLY)
-        }
+                                return;
-        // build array with all mount points that need to get remounted
+                        flags |= MS_RDONLY;
-        char **arr = build_mount_array(mountid, dir);
+                }
-        assert(arr);
+                else
-        // remount
+                        assert(0);
-        char **tmp = arr;
-        while (*tmp) {
-                fs_rdwr(*tmp);
-                free(*tmp++);
-        }
-        free(arr);
-}
-// remount directory noexec, nodev, nosuid
-void fs_noexec(const char *dir) {
-        assert(dir);
-        // check directory exists
-        struct stat s;
-        int rv = stat(dir, &s);
-        if (rv == 0) {
-                unsigned long flags = 0;
-                get_mount_flags(dir, &flags);
-                if ((flags & (MS_NOEXEC|MS_NODEV|MS_NOSUID)) == (MS_NOEXEC|MS_NODEV|MS_NOSUID))
-                        return;
-                flags |= MS_NOEXEC|MS_NODEV|MS_NOSUID;
                if (arg_debug)
-                        printf("Mounting noexec %s\n", dir);
+                        printf("Mounting %s %s\n", opstr[op], dir);
                // mount --bind /bin /bin
-                // mount --bind -o remount,noexec /bin
+                // mount --bind -o remount,rw /bin
                if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0 ||
                    mount(NULL, dir, NULL, flags|MS_BIND|MS_REMOUNT, NULL) < 0)
-                        errExit("mount noexec");
+                        errExit("remounting");
-                fs_logger2("noexec", dir);
+                if (check_mnt) {
+                        // run a sanity check on /proc/self/mountinfo
+                        MountData *mptr = get_last_mount();
+                        size_t len = strlen(dir);
+                        if (strncmp(mptr->dir, dir, len) != 0 ||
+                           (*(mptr->dir + len) != '\0' && *(mptr->dir + len) != '/'))
+                                errLogExit("invalid %s mount", opstr[op]);
+                }
+                fs_logger2(opstr[op], dir);
        }
 }
-// remount directory noexec, nodev, nosuid recursively
+void fs_remount_rec(const char *dir, OPERATION op, unsigned check_mnt) {
-void fs_noexec_rec(const char *dir) {
        assert(dir);
        // get mount point of the directory
        int mountid = get_mount_id(dir);
@@ -639,11 +539,12 @@ void fs_noexec_rec(const char *dir) {
                return;
        if (mountid == -2) {
                // falling back to a simple remount on old kernels
+                static int mount_warning = 0;
                if (!mount_warning) {
                        fwarning("read-only, read-write and noexec options are not applied recursively\n");
                        mount_warning = 1;
                }
-                fs_noexec(dir);
+                fs_remount(dir, op, check_mnt);
                return;
        }
        // build array with all mount points that need to get remounted
@@ -652,7 +553,7 @@ void fs_noexec_rec(const char *dir) {
        // remount
        char **tmp = arr;
        while (*tmp) {
-                fs_noexec(*tmp);
+                fs_remount(*tmp, op, check_mnt);
                free(*tmp++);
        }
        free(arr);
@@ -818,28 +719,29 @@ static void disable_config(void) {
 // build a basic read-only filesystem
+// top level directories could be links, run no after-mount checks
 void fs_basic_fs(void) {
        uid_t uid = getuid();
        if (arg_debug)
                printf("Basic read-only filesystem:\n");
        if (!arg_writable_etc) {
-                fs_rdonly("/etc");
+                fs_remount("/etc", MOUNT_READONLY, 0);
                if (uid)
-                        fs_noexec("/etc");
+                        fs_remount("/etc", MOUNT_NOEXEC, 0);
        }
        if (!arg_writable_var) {
-                fs_rdonly("/var");
+                fs_remount("/var", MOUNT_READONLY, 0);
                if (uid)
-                        fs_noexec("/var");
+                        fs_remount("/var", MOUNT_NOEXEC, 0);
        }
-        fs_rdonly("/bin");
+        fs_remount("/bin", MOUNT_READONLY, 0);
-        fs_rdonly("/sbin");
+        fs_remount("/sbin", MOUNT_READONLY, 0);
-        fs_rdonly("/lib");
+        fs_remount("/lib", MOUNT_READONLY, 0);
-        fs_rdonly("/lib64");
+        fs_remount("/lib64", MOUNT_READONLY, 0);
-        fs_rdonly("/lib32");
+        fs_remount("/lib32", MOUNT_READONLY, 0);
-        fs_rdonly("/libx32");
+        fs_remount("/libx32", MOUNT_READONLY, 0);
-        fs_rdonly("/usr");
+        fs_remount("/usr", MOUNT_READONLY, 0);
        // update /var directory in order to support multiple sandboxes running on the same root directory
        fs_var_lock();
@@ -848,7 +750,7 @@ void fs_basic_fs(void) {
        if (!arg_writable_var_log)
                fs_var_log();
        else
-                fs_rdwr("/var/log");
+                fs_remount("/var/log", MOUNT_RDWR, 0);
        fs_var_lib();
        fs_var_cache();
diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c
index e3f237b8e..b82473476 100644
--- a/src/firejail/pulseaudio.c
+++ b/src/firejail/pulseaudio.c
@@ -88,7 +88,7 @@ void pulseaudio_init(void) {
        if (mkdir(RUN_PULSE_DIR, 0700) == -1)
                errExit("mkdir");
        // mount it nosuid, noexec, nodev
-        fs_noexec(RUN_PULSE_DIR);
+        fs_remount(RUN_PULSE_DIR, MOUNT_NOEXEC, 0);
        // create the new client.conf file
        char *pulsecfg = NULL;
@@ -155,8 +155,10 @@ void pulseaudio_init(void) {
                if (fstatvfs(fd, &vfs) == -1)
                        errExit("fstatvfs");
                if ((vfs.f_flag & MS_RDONLY) == MS_RDONLY)
-                        fs_rdonly(RUN_PULSE_DIR);
+                        fs_remount(RUN_PULSE_DIR, MOUNT_READONLY, 0);
                // mount via the link in /proc/self/fd
+                if (arg_debug)
+                        printf("Mounting %s on %s\n", RUN_PULSE_DIR, homeusercfg);
                char *proc;
                if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
                        errExit("asprintf");
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 841d57c89..f91e5ab7c 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -1116,7 +1116,7 @@ int sandbox(void* sandbox_arg) {
                (void) rv;
        }
        // make seccomp filters read-only
-        fs_rdonly(RUN_SECCOMP_DIR);
+        fs_remount(RUN_SECCOMP_DIR, MOUNT_READONLY, 0);
 #endif
        // set capabilities
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index 9d821d980..69a9a7bee 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -1169,7 +1169,7 @@ void x11_xorg(void) {
        umount("/tmp");
        // remount RUN_XAUTHORITY_SEC_FILE noexec, nodev, nosuid
-        fs_noexec(RUN_XAUTHORITY_SEC_FILE);
+        fs_remount(RUN_XAUTHORITY_SEC_FILE, MOUNT_NOEXEC, 0);
        // Ensure there is already a file in the usual location, so that bind-mount below will work.
        char *dest;
@@ -1202,9 +1202,11 @@ void x11_xorg(void) {
        if (fstatvfs(fd, &vfs) == -1)
                errExit("fstatvfs");
        if ((vfs.f_flag & MS_RDONLY) == MS_RDONLY)
-                fs_rdonly(RUN_XAUTHORITY_SEC_FILE);
+                fs_remount(RUN_XAUTHORITY_SEC_FILE, MOUNT_READONLY, 0);
        // mount via the link in /proc/self/fd
+        if (arg_debug)
+                printf("Mounting %s on %s\n", RUN_XAUTHORITY_SEC_FILE, dest);
        char *proc;
        if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
                errExit("asprintf");
diff --git a/src/firemon/firemon.c b/src/firemon/firemon.c
index e5f1b6f9a..b3c435d9e 100644
--- a/src/firemon/firemon.c
+++ b/src/firemon/firemon.c
@@ -83,7 +83,9 @@ int find_child(int id) {
                        return i;
        }
-        return -1;
+        // if a second child is not found, return the first child pid
+        // this happens for processes sandboxed with --join
+        return first_child;
 }
 // sleep and wait for a key to be pressed
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 8c9989970..f97261456 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -74,6 +74,9 @@ Child process initialized
 [...]
 .RE
+.SH Templates
+Templates for writing own profiles can be found in /usr/share/doc/firejail.
 .SH Scripting
 Scripting commands:
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 67b84de0e..201339c8b 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -2318,9 +2318,9 @@ $ sudo firejail --writable-var-log
 .TP
 \fB\-\-x11
 Sandbox the application using Xpra, Xephyr, Xvfb or Xorg security extension.
-The sandbox will prevents screenshot and keylogger applications started inside the sandbox from accessing
+The sandbox will prevent screenshot and keylogger applications started inside the sandbox from accessing
 clients running outside the sandbox.
-Firejail will try first Xpra, and if Xpra is not installed on the system, it will try to find Xephyr.
+Firejail will try Xpra first, and if Xpra is not installed on the system, it will try to find Xephyr.
 If all fails, Firejail will not attempt to use Xvfb or X11 security extension.
 .br
diff --git a/test/environment/rlimit.profile b/test/environment/rlimit.profile
index a57471604..a569edc6d 100644
--- a/test/environment/rlimit.profile
+++ b/test/environment/rlimit.profile
@@ -1,5 +1,5 @@
-  rlimit-fsize 1024
+rlimit-fsize 1024
 rlimit-nproc 1000
-        rlimit-nofile   500
+rlimit-nofile 500
-rlimit-sigpending       200
+rlimit-sigpending 200
 rlimit-as 123456789012