35 files changed, 51 insertions, 55 deletions

diff --git a/README b/README
index 9414d21d9..d31e51443 100644
--- a/README
+++ b/README
@@ -540,6 +540,7 @@ rusty-snake (https://github.com/rusty-snake)
         - fix gajim profile, added gajim-history-manager profile
         - updates for ~/.cargo
         - added klavaro profile
+        - added mypaint, nano, celluoid profiles
 Salvo 'LtWorf' Tomaselli (https://github.com/ltworf)
         - fixed ktorrent profile
 sarneaud (https://github.com/sarneaud)
diff --git a/README.md b/README.md
index c8d1b63d2..01c346d88 100644
--- a/README.md
+++ b/README.md
@@ -102,4 +102,4 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe
 ## Current development version: 0.9.59
 
 ## New profiles:
-crow, nyx
+crow, nyx, klavaro, mypaint, celluoid, nano, transgui, sysprof, simplescreenrecorder, geekbench, xfce4-mixer, pavucontrol, d-feet, seahorse, secret-tool, gnome-keyring, regextester, hardinfo, gnome-system-log, gnome-nettool, netactview, redshift, devhelp, assogiate, subdownloader, font-manager, exfalso, gconf-editor, dconf-editor, mpdris2, sysprof-cli, seahorse-tool, secret-tool, dconf, gsettings
diff --git a/RELNOTES b/RELNOTES
index 4d0df7c89..4251ab9ff 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,5 +1,11 @@
-firejail (0.9.58) baseline; urgency=low
-  * new profiles: crow, nyx
+firejail (0.9.59) baseline; urgency=low
+  * new profiles: crow, nyx, mypaint, celluoid, nano, transgui, mpdris2
+  * new profiles: sysprof, simplescreenrecorder, geekbench, xfce4-mixer
+  * new profiles: pavucontrol, d-feet, seahorse, secret-tool, gnome-keyring
+  * new profiles: regextester, hardinfo, gnome-system-log, gnome-nettool
+  * new profiles: netactview, redshift, devhelp, assogiate, subdownloader
+  * new profiles: font-manager, exfalso, gconf-editor, dconf-editor
+  * new profiles: sysprof-cli, seahorse-tool, secret-tool, dconf, gsettings
 
 firejail (0.9.58,2) baseline; urgency=low
   * cgroup flag in /etc/firejail/firejail.config file
diff --git a/etc/aria2c.profile b/etc/aria2c.profile
index 56ed081e6..49a6d4591 100644
--- a/etc/aria2c.profile
+++ b/etc/aria2c.profile
@@ -33,7 +33,6 @@ seccomp
 shell none
 
 disable-mnt
-# private
 private-bin aria2c,gzip
 private-cache
 private-dev
diff --git a/etc/assogiate.profile b/etc/assogiate.profile
index f1a2b0129..1161c24fe 100644
--- a/etc/assogiate.profile
+++ b/etc/assogiate.profile
@@ -7,7 +7,6 @@ include assogiate.local
 include globals.local
 
 noblacklist ${PICTURES}
-whitelist ${PICTURES}
 
 include disable-common.inc
 include disable-devel.inc
@@ -16,6 +15,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+whitelist ${PICTURES}
 include whitelist-common.inc
 
 apparmor
diff --git a/etc/authenticator.profile b/etc/authenticator.profile
index fc86001be..7f5090251 100644
--- a/etc/authenticator.profile
+++ b/etc/authenticator.profile
@@ -6,7 +6,6 @@ include authenticator.local
 # Persistent global definitions
 include globals.local
 
-# blacklisted in 'disable-programs.local'
 noblacklist ${HOME}/.config/Authenticator
 
 # Allow python 3.x (blacklisted by disable-interpreters.inc)
@@ -41,7 +40,6 @@ disable-mnt
 private-cache
 private-dev
 private-etc alternatives,fonts,ld.so.cache
-# private-lib
 private-tmp
 
 # memory-deny-write-execute - breaks on Arch
diff --git a/etc/bitcoin-qt.profile b/etc/bitcoin-qt.profile
index def292118..54c04f837 100644
--- a/etc/bitcoin-qt.profile
+++ b/etc/bitcoin-qt.profile
@@ -18,7 +18,6 @@ mkdir ${HOME}/.bitcoin
 mkdir ${HOME}/.config/Bitcoin
 whitelist ${HOME}/.bitcoin
 whitelist ${HOME}/.config/Bitcoin
-
 include whitelist-common.inc
 include whitelist-var-common.inc
 
@@ -43,8 +42,6 @@ private-bin bitcoin-qt
 private-dev
 # Causes problem with loading of libGL.so
 #private-etc alternatives,fonts,ca-certificates,ssl,pki,crypto-policies
-# Works, but QT complains about OpenSSL a bit.
-#private-lib
 private-tmp
 
 memory-deny-write-execute
diff --git a/etc/clawsker.profile b/etc/clawsker.profile
index d50882c75..a3ae74582 100644
--- a/etc/clawsker.profile
+++ b/etc/clawsker.profile
@@ -7,7 +7,6 @@ include clawsker.local
 include globals.local
 
 noblacklist ${HOME}/.claws-mail
-whitelist ${HOME}/.claws-mail
 
 # Allow perl (blacklisted by disable-interpreters.inc)
 noblacklist ${PATH}/cpan*
@@ -21,6 +20,8 @@ include disable-devel.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+
+whitelist ${HOME}/.claws-mail
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/conkeror.profile b/etc/conkeror.profile
index ca38600d1..21bef48a4 100644
--- a/etc/conkeror.profile
+++ b/etc/conkeror.profile
@@ -19,8 +19,8 @@ whitelist ${HOME}/.pentadactylrc
 whitelist ${HOME}/.vimperator
 whitelist ${HOME}/.vimperatorrc
 whitelist ${HOME}/.zotero
-whitelist ${HOME}/Downloads
 whitelist ${HOME}/dwhelper
+whitelist ${DOWNLOADS}
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/d-feet.profile b/etc/d-feet.profile
index 8526f1b0b..aa4ab191b 100644
--- a/etc/d-feet.profile
+++ b/etc/d-feet.profile
@@ -30,7 +30,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-# nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/dconf.profile b/etc/dconf.profile
index a0bb5626d..0f1869fb8 100644
--- a/etc/dconf.profile
+++ b/etc/dconf.profile
@@ -6,9 +6,6 @@ include dconf.local
 # Persistent global definitions
 include globals.local
 
-mkdir ${HOME}/.config/dconf
-whitelist ${HOME}/.config/dconf
-
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
@@ -16,13 +13,16 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+mkdir ${HOME}/.config/dconf
+whitelist ${HOME}/.config/dconf
+include whitelist-common.inc
+
 apparmor
 caps.drop all
 ipc-namespace
 machine-id
 net none
 no3d
-# nodbus - D-Bus is needed to commit changes to dconf
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/deluge.profile b/etc/deluge.profile
index cb8bff07e..8df6e028f 100644
--- a/etc/deluge.profile
+++ b/etc/deluge.profile
@@ -21,7 +21,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 
 mkdir ${HOME}/.config/deluge
-whitelist  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
 whitelist ${HOME}/.config/deluge
 include whitelist-common.inc
 include whitelist-var-common.inc
diff --git a/etc/devhelp.profile b/etc/devhelp.profile
index 004ab0c79..7f00e55e7 100644
--- a/etc/devhelp.profile
+++ b/etc/devhelp.profile
@@ -6,8 +6,6 @@ include devhelp.local
 # Persistent global definitions
 include globals.local
 
-mkdir ${HOME}/.cache/mesa_shader_cache
-whitelist ${HOME}/.cache/mesa_shader_cache
 
 include disable-common.inc
 include disable-devel.inc
@@ -47,5 +45,4 @@ private-tmp
 noexec ${HOME}
 noexec /tmp
 
-# devhelp will never write anything
 read-only ${HOME}
diff --git a/etc/devilspie.profile b/etc/devilspie.profile
index 4ced198d1..ffab615d1 100644
--- a/etc/devilspie.profile
+++ b/etc/devilspie.profile
@@ -47,5 +47,4 @@ memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp
 
-# devilspie will never write anything
 read-only ${HOME}
diff --git a/etc/devilspie2.profile b/etc/devilspie2.profile
index fbf765fa2..b89bf122b 100644
--- a/etc/devilspie2.profile
+++ b/etc/devilspie2.profile
@@ -47,5 +47,4 @@ memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp
 
-# devilspie2 will never write anything
 read-only ${HOME}
diff --git a/etc/dino.profile b/etc/dino.profile
index 76f63fdc8..e76499f8f 100644
--- a/etc/dino.profile
+++ b/etc/dino.profile
@@ -15,7 +15,7 @@ include disable-programs.inc
 
 mkdir ${HOME}/.local/share/dino
 whitelist ${HOME}/.local/share/dino
-whitelist ${HOME}/Downloads
+whitelist ${DOWNLOADS}
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 9dbacb02e..b1717d086 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -604,6 +604,7 @@ blacklist ${HOME}/.cache/geeqie
 blacklist ${HOME}/.cache/google-chrome
 blacklist ${HOME}/.cache/google-chrome-beta
 blacklist ${HOME}/.cache/google-chrome-unstable
+blacklist ${HOME}/.cache/gnome-recipes
 blacklist ${HOME}/.cache/gnome-twitch
 blacklist ${HOME}/.cache/gradio
 blacklist ${HOME}/.cache/icedove
diff --git a/etc/enchant.profile b/etc/enchant.profile
index f2d9d2ee9..7d304feb7 100644
--- a/etc/enchant.profile
+++ b/etc/enchant.profile
@@ -35,7 +35,7 @@ seccomp
 shell none
 tracelog
 
-private-bin enchant, enchant-*
+private-bin enchant,enchant-*
 private-cache
 private-dev
 private-etc alternatives
diff --git a/etc/font-manager.profile b/etc/font-manager.profile
index fa5ee6105..3c57a4327 100644
--- a/etc/font-manager.profile
+++ b/etc/font-manager.profile
@@ -6,8 +6,8 @@ include font-manager.local
 # Persistent global definitions
 include globals.local
 
+noblacklist ${HOME}/.cache/font-manager
 noblacklist ${HOME}/.config/font-manager
-whitelist ${HOME}/.config/font-manager
 
 # Allow python (blacklisted by disable-interpreters.inc)
 noblacklist ${PATH}/python2*
@@ -23,7 +23,9 @@ include disable-programs.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.cache/font-manager
+mkdir ${HOME}/.config/font-manager
 whitelist ${HOME}/.cache/font-manager
+whitelist ${HOME}/.config/font-manager
 include whitelist-common.inc
 
 apparmor
diff --git a/etc/gajim.profile b/etc/gajim.profile
index efe85f3aa..6924fbe56 100644
--- a/etc/gajim.profile
+++ b/etc/gajim.profile
@@ -24,11 +24,10 @@ include disable-programs.inc
 mkdir ${HOME}/.cache/gajim
 mkdir ${HOME}/.config/gajim
 mkdir ${HOME}/.local/share/gajim
-mkdir ${HOME}/Downloads
 whitelist ${HOME}/.cache/gajim
 whitelist ${HOME}/.config/gajim
 whitelist ${HOME}/.local/share/gajim
-whitelist ${HOME}/Downloads
+whitelist ${DOWNLOADS}
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/geekbench.profile b/etc/geekbench.profile
index b0bae1e73..c6e45b7d0 100644
--- a/etc/geekbench.profile
+++ b/etc/geekbench.profile
@@ -13,6 +13,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+inclue whitelist-var-common.inc
+
 apparmor
 caps.drop all
 hostname geekbench
@@ -40,6 +42,7 @@ private-cache
 private-dev
 private-etc alternatives,groups,passwd,lsb-release
 private-lib libstdc++.so.*
+private-opt none
 private-tmp
 
 # memory-deny-write-execute - Breaks on Arch
diff --git a/etc/ghostwriter.profile b/etc/ghostwriter.profile
index 11686e0e9..615e6d01c 100644
--- a/etc/ghostwriter.profile
+++ b/etc/ghostwriter.profile
@@ -18,10 +18,6 @@ include disable-programs.inc
 include disable-xdg.inc
 
 #mkdir ${HOME}/.config/ghostwriter
-#mkdir ${DESKTOP}
-#mkdir ${DOCUMENTS}
-#mkdir ${DOWNLOADS}
-#mkdir ${PICTURES}
 #whitelist ${HOME}/.config/ghostwriter
 #whitelist ${DESKTOP}
 #whitelist ${DOCUMENTS}
diff --git a/etc/gnome-nettool.profile b/etc/gnome-nettool.profile
index 585fb9a20..dd58f12d5 100644
--- a/etc/gnome-nettool.profile
+++ b/etc/gnome-nettool.profile
@@ -35,15 +35,11 @@ novideo
 #shell none
 
 disable-mnt
-#private-bin gnome-nettool
+private
 private-cache
 private-dev
-#private-etc alternatives
 private-lib libbind9.so.*,libcrypto.so.*,libdns.so.*,libirs.so.*,liblua.so.*,libssh2.so.*,libssl.so.*
 private-tmp
 
 noexec ${HOME}
 noexec /tmp
-
-# never write anything
-read-only ${HOME}
diff --git a/etc/gnome-recipes.profile b/etc/gnome-recipes.profile
index fc0bcabdc..24d3cbd87 100644
--- a/etc/gnome-recipes.profile
+++ b/etc/gnome-recipes.profile
@@ -7,6 +7,7 @@ include gnome-recipes.local
 include globals.local
 
 
+noblacklist ${HOME}/.cache/gnome-recipes
 noblacklist ${HOME}/.local/share/gnome-recipes
 
 include disable-common.inc
@@ -16,7 +17,9 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 
 mkdir ${HOME}/.cache/gnome-recipes
+mkdir ${HOME}/.local/share/gnome-recipes
 whitelist ${HOME}/.cache/gnome-recipes
+whitelist ${HOME}/.local/share/gnome-recipes
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/gnome-system-log.profile b/etc/gnome-system-log.profile
index 67a2213be..214a3923f 100644
--- a/etc/gnome-system-log.profile
+++ b/etc/gnome-system-log.profile
@@ -6,6 +6,8 @@ include gnome-system-log.local
 # Persistent global definitions
 include globals.local
 
+noblacklist /var/log
+
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
@@ -13,10 +15,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-include whitelist-common.inc
-
-noblacklist /var/log
 whitelist /var/log
+include whitelist-common.inc
 include whitelist-var-common.inc
 
 apparmor
diff --git a/etc/ktorrent.profile b/etc/ktorrent.profile
index 4dc635df7..7b7571176 100644
--- a/etc/ktorrent.profile
+++ b/etc/ktorrent.profile
@@ -25,7 +25,7 @@ mkdir ${HOME}/.local/share/ktorrent
 mkfile ${HOME}/.config/ktorrentrc
 mkfile ${HOME}/.kde/share/config/ktorrentrc
 mkfile ${HOME}/.kde4/share/config/ktorrentrc
-whitelist  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
 whitelist ${HOME}/.config/ktorrentrc
 whitelist ${HOME}/.kde/share/apps/ktorrent
 whitelist ${HOME}/.kde/share/config/ktorrentrc
diff --git a/etc/linphone.profile b/etc/linphone.profile
index feb4037fb..cd35dc2bf 100644
--- a/etc/linphone.profile
+++ b/etc/linphone.profile
@@ -19,7 +19,7 @@ mkfile ${HOME}/.linphone-history.db
 mkfile ${HOME}/.linphonerc
 whitelist ${HOME}/.linphone-history.db
 whitelist ${HOME}/.linphonerc
-whitelist ${HOME}/Downloads
+whitelist ${DOWNLOADS}
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/mpsyt.profile b/etc/mpsyt.profile
index 9fb52c0a8..f057bdd9e 100644
--- a/etc/mpsyt.profile
+++ b/etc/mpsyt.profile
@@ -21,7 +21,6 @@ noblacklist ${HOME}/.netrc
 noblacklist ${HOME}/mps
 noblacklist ${MUSIC}
 noblacklist ${VIDEOS}
-noblacklist ${DOWNLOADS}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/netactview.profile b/etc/netactview.profile
index dfa292bfe..58235c31b 100644
--- a/etc/netactview.profile
+++ b/etc/netactview.profile
@@ -15,6 +15,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+mkfile ${HOME}/.netactview
+whitelist ${HOME}/.netactview
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/pavucontrol.profile b/etc/pavucontrol.profile
index 5d0cf2238..d53a6b01d 100644
--- a/etc/pavucontrol.profile
+++ b/etc/pavucontrol.profile
@@ -15,13 +15,14 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+mkfile ${HOME}/.config/pavucontrol.ini
+whitelist ${HOME}/.config/pavucontrol.ini
 include whitelist-common.inc
 include whitelist-var-common.inc
 
 apparmor
 caps.drop all
 ipc-namespace
-machine-id
 net none
 no3d
 nodbus
@@ -29,7 +30,6 @@ nodvd
 nogroups
 nonewprivs
 noroot
-# nosound
 notv
 nou2f
 novideo
@@ -41,7 +41,7 @@ disable-mnt
 private-bin pavucontrol
 private-cache
 private-dev
-private-etc alternatives,asound.conf,fonts,pulse
+private-etc alternatives,asound.conf,fonts,pulse,machine-id
 private-lib
 private-tmp
 
diff --git a/etc/regextester.profile b/etc/regextester.profile
index 8d18b9101..bbd4560e2 100644
--- a/etc/regextester.profile
+++ b/etc/regextester.profile
@@ -14,6 +14,7 @@ include disable-programs.inc
 include disable-xdg.inc
 
 include whitelist-common.inc
+include whitelist-var-common.inc
 
 apparmor
 caps.drop all
diff --git a/etc/simplescreenrecorder.profile b/etc/simplescreenrecorder.profile
index f8f1def64..6862d51ee 100644
--- a/etc/simplescreenrecorder.profile
+++ b/etc/simplescreenrecorder.profile
@@ -6,7 +6,7 @@ include simplescreenrecorder.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${DOWNLOADS}
+noblacklist ${VIDEOS}
 
 include disable-common.inc
 include disable-devel.inc
@@ -29,7 +29,6 @@ seccomp
 shell none
 tracelog
 
-disable-mnt
 private-cache
 private-dev
 # private-etc alternatives
diff --git a/etc/slack.profile b/etc/slack.profile
index 841998b0e..ed76be373 100644
--- a/etc/slack.profile
+++ b/etc/slack.profile
@@ -6,7 +6,6 @@ include slack.local
 include globals.local
 
 noblacklist ${HOME}/.config/Slack
-noblacklist ${HOME}/Downloads
 
 include disable-common.inc
 include disable-devel.inc
@@ -17,7 +16,7 @@ include disable-programs.inc
 mkdir ${HOME}/.config
 mkdir ${HOME}/.config/Slack
 whitelist ${HOME}/.config/Slack
-whitelist ${HOME}/Downloads
+whitelist ${DOWNLOADS}
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/transgui.profile b/etc/transgui.profile
index 9627b703f..21daa0685 100644
--- a/etc/transgui.profile
+++ b/etc/transgui.profile
@@ -7,8 +7,6 @@ include /etc/firejail/transgui.local
 include globals.local
 
 noblacklist ${HOME}/.config/transgui
-whitelist ${HOME}/.config/transgui
-
 noblacklist ${DOWNLOADS}
 
 include disable-common.inc
@@ -18,7 +16,10 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+mkdir ${HOME}/.config/transgui
+whitelist ${HOME}/.config/transgui
 include whitelist-common.inc
+include whitelist-var-common.inc
 
 apparmor
 caps.drop all
diff --git a/etc/xfce4-mixer.profile b/etc/xfce4-mixer.profile
index fc39bff60..093fba362 100644
--- a/etc/xfce4-mixer.profile
+++ b/etc/xfce4-mixer.profile
@@ -15,13 +15,13 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+whitelist ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml
 include whitelist-common.inc
 include whitelist-var-common.inc
 
 apparmor
 caps.drop all
 ipc-namespace
-machine-id
 netfilter
 no3d
 # nodbus
@@ -29,7 +29,6 @@ nodvd
 nogroups
 nonewprivs
 noroot
-# nosound
 notv
 nou2f
 novideo
@@ -41,7 +40,7 @@ disable-mnt
 private-bin xfce4-mixer,xfconf-query
 private-cache
 private-dev
-private-etc alternatives,asound.conf,fonts,pulse
+private-etc alternatives,asound.conf,fonts,pulse,machine-id
 private-tmp
 
 memory-deny-write-execute