34 files changed, 163 insertions, 95 deletions

diff --git a/etc/7z.profile b/etc/7z.profile
index 44ab377b3..ee2b493f8 100644
--- a/etc/7z.profile
+++ b/etc/7z.profile
@@ -4,23 +4,34 @@ quiet
 # Persistent local customizations
 include 7z.local
 # Persistent global definitions
-# added by included profile
-#include globals.local
+include globals.local
 
 blacklist /tmp/.X11-unix
 
-ignore noroot
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+caps.drop all
+ipc-namespace
+machine-id
 net none
 no3d
 nodbus
 nodvd
+#nogroups
+nonewprivs
+#noroot
 nosound
 notv
 nou2f
 novideo
+protocol unix
+seccomp
 shell none
 tracelog
 
 private-dev
-
-include default.profile
diff --git a/etc/atool.profile b/etc/atool.profile
index 4ea3c02dc..3df32baac 100644
--- a/etc/atool.profile
+++ b/etc/atool.profile
@@ -7,11 +7,11 @@ include atool.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
-
 # Allow perl (blacklisted by disable-interpreters.inc)
 include allow-perl.inc
 
+blacklist /tmp/.X11-unix
+
 include disable-common.inc
 # include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/bibletime.profile b/etc/bibletime.profile
index c41aafd47..4f1b05c88 100644
--- a/etc/bibletime.profile
+++ b/etc/bibletime.profile
@@ -6,12 +6,12 @@ include bibletime.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${HOME}/.bashrc
-
 noblacklist ${HOME}/.bibletime
 noblacklist ${HOME}/.sword
 noblacklist ${HOME}/.local/share/bibletime
 
+blacklist ${HOME}/.bashrc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/cpio.profile b/etc/cpio.profile
index b6f7e7f9f..0bb45f5cd 100644
--- a/etc/cpio.profile
+++ b/etc/cpio.profile
@@ -7,11 +7,11 @@ include cpio.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
-
 noblacklist /sbin
 noblacklist /usr/sbin
 
+blacklist /tmp/.X11-unix
+
 include disable-common.inc
 # include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/curl.profile b/etc/curl.profile
index 2703c6fe8..b8b91d278 100644
--- a/etc/curl.profile
+++ b/etc/curl.profile
@@ -7,10 +7,10 @@ include curl.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
-
 noblacklist ${HOME}/.curlrc
 
+blacklist /tmp/.X11-unix
+
 include disable-common.inc
 include disable-exec.inc
 include disable-passwdmgr.inc
diff --git a/etc/dnscrypt-proxy.profile b/etc/dnscrypt-proxy.profile
index 0dc0cc793..ffced747b 100644
--- a/etc/dnscrypt-proxy.profile
+++ b/etc/dnscrypt-proxy.profile
@@ -6,11 +6,11 @@ include dnscrypt-proxy.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
-
 noblacklist /sbin
 noblacklist /usr/sbin
 
+blacklist /tmp/.X11-unix
+
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
diff --git a/etc/dnsmasq.profile b/etc/dnsmasq.profile
index bb41b71d1..daf4795c3 100644
--- a/etc/dnsmasq.profile
+++ b/etc/dnsmasq.profile
@@ -6,11 +6,11 @@ include dnsmasq.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
-
 noblacklist /sbin
 noblacklist /usr/sbin
 
+blacklist /tmp/.X11-unix
+
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
diff --git a/etc/elinks.profile b/etc/elinks.profile
index 842a0db04..980fa7617 100644
--- a/etc/elinks.profile
+++ b/etc/elinks.profile
@@ -6,10 +6,10 @@ include elinks.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
-
 noblacklist ${HOME}/.elinks
 
+blacklist /tmp/.X11-unix
+
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
diff --git a/etc/exiftool.profile b/etc/exiftool.profile
index b33d73233..52e090b89 100644
--- a/etc/exiftool.profile
+++ b/etc/exiftool.profile
@@ -6,11 +6,11 @@ include exiftool.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
-
 # Allow perl (blacklisted by disable-interpreters.inc)
 include allow-perl.inc
 
+blacklist /tmp/.X11-unix
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/franz.profile b/etc/franz.profile
index d6445ff8e..e917e5517 100644
--- a/etc/franz.profile
+++ b/etc/franz.profile
@@ -5,6 +5,8 @@ include franz.local
 # Persistent global definitions
 include globals.local
 
+ignore noexec /tmp
+
 noblacklist ${HOME}/.cache/Franz
 noblacklist ${HOME}/.config/Franz
 noblacklist ${HOME}/.pki
@@ -12,6 +14,7 @@ noblacklist ${HOME}/.local/share/pki
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
 
@@ -41,5 +44,3 @@ shell none
 disable-mnt
 private-dev
 private-tmp
-
-noexec ${HOME}
diff --git a/etc/git.profile b/etc/git.profile
index 0eb69faed..f7c812e65 100644
--- a/etc/git.profile
+++ b/etc/git.profile
@@ -7,8 +7,6 @@ include git.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
-
 noblacklist ${HOME}/.config/git
 noblacklist ${HOME}/.config/nano
 noblacklist ${HOME}/.emacs
@@ -22,6 +20,8 @@ noblacklist ${HOME}/.ssh
 noblacklist ${HOME}/.vim
 noblacklist ${HOME}/.viminfo
 
+blacklist /tmp/.X11-unix
+
 include disable-common.inc
 include disable-exec.inc
 include disable-passwdmgr.inc
diff --git a/etc/google-play-music-desktop-player.profile b/etc/google-play-music-desktop-player.profile
index 4932c9e42..daa385234 100644
--- a/etc/google-play-music-desktop-player.profile
+++ b/etc/google-play-music-desktop-player.profile
@@ -5,14 +5,19 @@ include google-play-music-desktop-player.local
 # Persistent global definitions
 include globals.local
 
+# noexec /tmp breaks mpris support
+ignore noexec /tmp
+
 noblacklist ${HOME}/.config/Google Play Music Desktop Player
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+mkdir ${HOME}/.config/Google Play Music Desktop Player
 # whitelist ${HOME}/.config/pulse
 # whitelist ${HOME}/.pulse
 whitelist ${HOME}/.config/Google Play Music Desktop Player
@@ -35,7 +40,3 @@ shell none
 disable-mnt
 private-dev
 private-tmp
-
-noexec ${HOME}
-# noexec /tmp breaks mpris support
-#noexec /tmp
diff --git a/etc/gpg-agent.profile b/etc/gpg-agent.profile
index 7181837d5..61b485df5 100644
--- a/etc/gpg-agent.profile
+++ b/etc/gpg-agent.profile
@@ -6,10 +6,10 @@ include gpg-agent.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
-
 noblacklist ${HOME}/.gnupg
 
+blacklist /tmp/.X11-unix
+
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
diff --git a/etc/gpg.profile b/etc/gpg.profile
index 51662b59c..99ad1b888 100644
--- a/etc/gpg.profile
+++ b/etc/gpg.profile
@@ -6,10 +6,10 @@ include gpg.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
-
 noblacklist ${HOME}/.gnupg
 
+blacklist /tmp/.X11-unix
+
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
diff --git a/etc/links.profile b/etc/links.profile
index 99b445fe0..bd0b0cc92 100644
--- a/etc/links.profile
+++ b/etc/links.profile
@@ -6,10 +6,10 @@ include links.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
-
 noblacklist ${HOME}/.links
 
+blacklist /tmp/.X11-unix
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/mutt.profile b/etc/mutt.profile
index cc3a323e0..419e17e95 100644
--- a/etc/mutt.profile
+++ b/etc/mutt.profile
@@ -6,8 +6,6 @@ include mutt.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
-
 noblacklist /var/mail
 noblacklist /var/spool/mail
 noblacklist ${HOME}/.Mail
@@ -34,6 +32,8 @@ noblacklist ${HOME}/mail
 noblacklist ${HOME}/postponed
 noblacklist ${HOME}/sent
 
+blacklist /tmp/.X11-unix
+
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
diff --git a/etc/natron.profile b/etc/natron.profile
index 329f79f9b..7ad217b72 100644
--- a/etc/natron.profile
+++ b/etc/natron.profile
@@ -8,7 +8,6 @@ include globals.local
 noblacklist ${HOME}/.Natron
 noblacklist ${HOME}/.cache/INRIA/Natron
 noblacklist ${HOME}/.config/INRIA
-noblacklist /opt/natron
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
@@ -29,9 +28,9 @@ nogroups
 nonewprivs
 noroot
 notv
-protocol unix,inet,inet6
+nou2f
+protocol unix
 seccomp
 shell none
 
 private-bin natron,Natron,NatronRenderer
-
diff --git a/etc/nyx.profile b/etc/nyx.profile
index f50014a4d..1ea33ac4d 100644
--- a/etc/nyx.profile
+++ b/etc/nyx.profile
@@ -11,8 +11,6 @@ include allow-python2.inc
 include allow-python3.inc
 
 noblacklist ${HOME}/.nyx
-mkdir ${HOME}/.nyx
-whitelist ${HOME}/.nyx
 
 include disable-common.inc
 include disable-devel.inc
@@ -22,6 +20,11 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+mkdir ${HOME}/.nyx
+whitelist ${HOME}/.nyx
+include whitelist-common.inc
+include whitelist-var-common.inc
+
 caps.drop all
 netfilter
 no3d
diff --git a/etc/server.profile b/etc/server.profile
index 686268a18..6e077ff84 100644
--- a/etc/server.profile
+++ b/etc/server.profile
@@ -9,12 +9,12 @@ include globals.local
 # it allows /sbin and /usr/sbin directories - this is where servers are installed
 # depending on your usage, you can enable some of the commands below:
 
-blacklist /tmp/.X11-unix
-
 noblacklist /sbin
 noblacklist /usr/sbin
 # noblacklist /var/opt
 
+blacklist /tmp/.X11-unix
+
 include disable-common.inc
 # include disable-devel.inc
 # include disable-exec.inc
diff --git a/etc/signal-desktop.profile b/etc/signal-desktop.profile
index 008cd218e..04696a918 100644
--- a/etc/signal-desktop.profile
+++ b/etc/signal-desktop.profile
@@ -5,10 +5,13 @@ include signal-desktop.local
 # Persistent global definitions
 include globals.local
 
+ignore noexec /tmp
+
 noblacklist ${HOME}/.config/Signal
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
 include disable-passwdmgr.inc
@@ -34,5 +37,3 @@ shell none
 disable-mnt
 private-dev
 private-tmp
-
-noexec ${HOME}
diff --git a/etc/skypeforlinux.profile b/etc/skypeforlinux.profile
index ad200be37..eae7dada0 100644
--- a/etc/skypeforlinux.profile
+++ b/etc/skypeforlinux.profile
@@ -5,10 +5,14 @@ include skypeforlinux.local
 # Persistent global definitions
 include globals.local
 
+# breaks Skype
+ignore noexec /tmp
+
 noblacklist ${HOME}/.config/skypeforlinux
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -28,6 +32,3 @@ disable-mnt
 private-cache
 # private-dev - needs /dev/disk
 private-tmp
-
-noexec ${HOME}
-# noexec /tmp - breaks Skype
diff --git a/etc/spotify.profile b/etc/spotify.profile
index 00c2aabe2..2d5c4a48f 100644
--- a/etc/spotify.profile
+++ b/etc/spotify.profile
@@ -5,12 +5,12 @@ include spotify.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${HOME}/.bashrc
-
 noblacklist ${HOME}/.cache/spotify
 noblacklist ${HOME}/.config/spotify
 noblacklist ${HOME}/.local/share/spotify
 
+blacklist ${HOME}/.bashrc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/ssh-agent.profile b/etc/ssh-agent.profile
index 8aafca8aa..9af747b62 100644
--- a/etc/ssh-agent.profile
+++ b/etc/ssh-agent.profile
@@ -6,12 +6,12 @@ include ssh-agent.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
-
 noblacklist /etc/ssh
 noblacklist /tmp/ssh-*
 noblacklist ${HOME}/.ssh
 
+blacklist /tmp/.X11-unix
+
 include disable-common.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
diff --git a/etc/tar.profile b/etc/tar.profile
index 14fc00d21..b6a874217 100644
--- a/etc/tar.profile
+++ b/etc/tar.profile
@@ -5,17 +5,19 @@ quiet
 # Persistent local customizations
 include tar.local
 # Persistent global definitions
-# added by included profile
-#include globals.local
+include globals.local
 
 blacklist /tmp/.X11-unix
 
+include disable-common.inc
+include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-
-ignore noroot
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 apparmor
+caps.drop all
 hostname tar
 ipc-namespace
 machine-id
@@ -24,10 +26,14 @@ no3d
 nodbus
 nodvd
 nogroups
+nonewprivs
+#noroot
 nosound
 notv
 nou2f
 novideo
+protocol unix
+seccomp
 shell none
 tracelog
 
@@ -39,8 +45,5 @@ private-etc alternatives,passwd,group,localtime
 private-lib libfakeroot
 
 memory-deny-write-execute
-
 # Debian based distributions need this for 'dpkg --unpack' (incl. synaptic)
 writable-var
-
-include default.profile
diff --git a/etc/terasology.profile b/etc/terasology.profile
index b01b4fdb3..2a7212395 100644
--- a/etc/terasology.profile
+++ b/etc/terasology.profile
@@ -5,6 +5,8 @@ include terasology.local
 # Persistent global definitions
 include globals.local
 
+ignore noexec /tmp
+
 noblacklist ${HOME}/.java
 noblacklist ${HOME}/.local/share/terasology
 
@@ -13,6 +15,7 @@ include allow-java.inc
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -43,5 +46,3 @@ disable-mnt
 private-dev
 private-etc alternatives,asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl,java-8-openjdk,java-7-openjdk,pki,crypto-policies
 private-tmp
-
-noexec ${HOME}
diff --git a/etc/unbound.profile b/etc/unbound.profile
index 6e4b5ed1c..8e7a4a8a8 100644
--- a/etc/unbound.profile
+++ b/etc/unbound.profile
@@ -6,11 +6,11 @@ include unbound.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
-
 noblacklist /sbin
 noblacklist /usr/sbin
 
+blacklist /tmp/.X11-unix
+
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
diff --git a/etc/unrar.profile b/etc/unrar.profile
index 7fe37f061..5b55f30d2 100644
--- a/etc/unrar.profile
+++ b/etc/unrar.profile
@@ -5,21 +5,34 @@ quiet
 # Persistent local customizations
 include unrar.local
 # Persistent global definitions
-# added by included profile
-#include globals.local
+include globals.local
 
 blacklist /tmp/.X11-unix
 
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+caps.drop all
 hostname unrar
-ignore noroot
+ipc-namespace
+machine-id
 net none
 no3d
 nodbus
 nodvd
+#nogroups
+nonewprivs
+#noroot
 nosound
 notv
 nou2f
 novideo
+protocol unix
+seccomp
 shell none
 tracelog
 
@@ -27,5 +40,3 @@ private-bin unrar
 private-dev
 private-etc alternatives,passwd,group,localtime
 private-tmp
-
-include default.profile
diff --git a/etc/unzip.profile b/etc/unzip.profile
index be6b6c321..deda8fe64 100644
--- a/etc/unzip.profile
+++ b/etc/unzip.profile
@@ -5,29 +5,41 @@ quiet
 # Persistent local customizations
 include unzip.local
 # Persistent global definitions
-# added by included profile
-#include globals.local
+include globals.local
+
+# GNOME Shell integration (chrome-gnome-shell)
+noblacklist ${HOME}/.local/share/gnome-shell
 
 blacklist /tmp/.X11-unix
 
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+caps.drop all
+ipc-namespace
+machine-id
 hostname unzip
-ignore noroot
 net none
 no3d
 nodbus
 nodvd
+#nogroups
+nonewprivs
+noroot
 nosound
 notv
 nou2f
 novideo
+protocol unix
+seccomp
 shell none
 tracelog
 
 private-bin unzip
+private-cache
 private-dev
 private-etc alternatives,passwd,group,localtime
-
-# GNOME Shell integration (chrome-gnome-shell)
-noblacklist ${HOME}/.local/share/gnome-shell
-
-include default.profile
diff --git a/etc/uudeview.profile b/etc/uudeview.profile
index 859656fa5..9b7c4f5ba 100644
--- a/etc/uudeview.profile
+++ b/etc/uudeview.profile
@@ -5,18 +5,31 @@ quiet
 # Persistent local customizations
 include uudeview.local
 # Persistent global definitions
-# added by included profile
-#include globals.local
+include globals.local
 
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+caps.drop all
+ipc-namespace
+machine-id
 hostname uudeview
-ignore noroot
 net none
 nodbus
 nodvd
+#nogroups
+nonewprivs
+#noroot
 nosound
 notv
 nou2f
 novideo
+protocol unix
+seccomp
 shell none
 tracelog
 
@@ -24,5 +37,3 @@ private-bin uudeview
 private-cache
 private-dev
 private-etc alternatives,ld.so.preload
-
-include default.profile
diff --git a/etc/viewnior.profile b/etc/viewnior.profile
index f9fb1cefe..943719e75 100644
--- a/etc/viewnior.profile
+++ b/etc/viewnior.profile
@@ -6,12 +6,12 @@ include viewnior.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${HOME}/.bashrc
-
 noblacklist ${HOME}/.Steam
 noblacklist ${HOME}/.config/viewnior
 noblacklist ${HOME}/.steam
 
+blacklist ${HOME}/.bashrc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/w3m.profile b/etc/w3m.profile
index 143ac4f63..d577932e3 100644
--- a/etc/w3m.profile
+++ b/etc/w3m.profile
@@ -6,10 +6,10 @@ include w3m.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
-
 noblacklist ${HOME}/.w3m
 
+blacklist /tmp/.X11-unix
+
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
diff --git a/etc/wget.profile b/etc/wget.profile
index a7ef32e2c..ff10b2316 100644
--- a/etc/wget.profile
+++ b/etc/wget.profile
@@ -7,11 +7,11 @@ include wget.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
-
 noblacklist ${HOME}/.wget-hsts
 noblacklist ${HOME}/.wgetrc
 
+blacklist /tmp/.X11-unix
+
 include disable-common.inc
 include disable-exec.inc
 include disable-passwdmgr.inc
diff --git a/etc/xiphos.profile b/etc/xiphos.profile
index 33056395e..043e513bd 100644
--- a/etc/xiphos.profile
+++ b/etc/xiphos.profile
@@ -6,11 +6,11 @@ include xiphos.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${HOME}/.bashrc
-
 noblacklist ${HOME}/.sword
 noblacklist ${HOME}/.xiphos
 
+blacklist ${HOME}/.bashrc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -18,6 +18,8 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+mkdir ${HOME}/.sword
+mkdir ${HOME}/.xiphos
 whitelist ${HOME}/.sword
 whitelist ${HOME}/.xiphos
 include whitelist-common.inc
diff --git a/etc/xzdec.profile b/etc/xzdec.profile
index a1f265c1e..3adaa557c 100644
--- a/etc/xzdec.profile
+++ b/etc/xzdec.profile
@@ -5,23 +5,34 @@ quiet
 # Persistent local customizations
 include xzdec.local
 # Persistent global definitions
-# added by included profile
-#include globals.local
+include globals.local
 
 blacklist /tmp/.X11-unix
 
-ignore noroot
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+caps.drop all
+ipc-namespace
+machine-id
 net none
 no3d
 nodbus
 nodvd
+#nogroups
+nonewprivs
+#noroot
 nosound
 notv
 nou2f
 novideo
+protocol unix
+seccomp
 shell none
 tracelog
 
 private-dev
-
-include default.profile