15 files changed, 45 insertions, 25 deletions
diff --git a/README.md b/README.md
index 0694d51a1..22d094d04 100644
--- a/README.md
+++ b/README.md
@@ -28,7 +28,7 @@ Features: https://firejail.wordpress.com/features-3/
 Documentation: https://firejail.wordpress.com/documentation-2/
-FAQ: https://firejail.wordpress.com/support/
+FAQ: https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions
 Wiki: https://github.com/netblue30/firejail/wiki
diff --git a/etc/aria2c.profile b/etc/aria2c.profile
index 3b9dfc365..910e52a82 100644
--- a/etc/aria2c.profile
+++ b/etc/aria2c.profile
@@ -14,7 +14,6 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
-# include disable-xdg.inc
 caps.drop all
 ipc-namespace
diff --git a/etc/curl.profile b/etc/curl.profile
index d8282b972..d44ce0b96 100644
--- a/etc/curl.profile
+++ b/etc/curl.profile
@@ -9,8 +9,6 @@ include globals.local
 noblacklist ${HOME}/.curlrc
-blacklist /tmp/.X11-unix
 include disable-common.inc
 include disable-exec.inc
 include disable-passwdmgr.inc
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index b3c83045b..3e6706101 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -254,6 +254,7 @@ blacklist ${HOME}/.config/opera-beta
 blacklist ${HOME}/.config/orage
 blacklist ${HOME}/.config/org.kde.gwenviewrc
 blacklist ${HOME}/.config/pavucontrol.ini
+blacklist ${HOME}/.config/pavucontrol-qt
 blacklist ${HOME}/.config/pcmanfm
 blacklist ${HOME}/.config/pdfmod
 blacklist ${HOME}/.config/Pinta
@@ -655,6 +656,11 @@ blacklist ${HOME}/.xpdfrc
 blacklist ${HOME}/.zoom
 blacklist /tmp/akonadi-*
 blacklist /tmp/ssh-*
+blacklist /var/games/nethack
+blacklist /var/games/slashem
+blacklist /var/games/vulturesclaw
+blacklist /var/games/vultureseye
+blacklist /var/lib/games/Maelstrom-Scores
 # ${HOME}/.cache directory
 blacklist ${HOME}/.cache/0ad
@@ -704,6 +710,7 @@ blacklist ${HOME}/.cache/INRIA/Natron
 blacklist ${HOME}/.cache/inkscape
 blacklist ${HOME}/.cache/inox
 blacklist ${HOME}/.cache/iridium
+blacklist ${HOME}/.cache/kcmshell5
 blacklist ${HOME}/.cache/kdenlive
 blacklist ${HOME}/.cache/kinfocenter
 blacklist ${HOME}/.cache/kmail2
@@ -762,9 +769,3 @@ blacklist ${HOME}/.cache/xmms2
 blacklist ${HOME}/.cache/xreader
 blacklist ${HOME}/.cache/yandex-browser
 blacklist ${HOME}/.cache/yandex-browser-beta
-blacklist /var/games/nethack
-blacklist /var/games/slashem
-blacklist /var/games/vulturesclaw
-blacklist /var/games/vultureseye
-blacklist /var/lib/games/Maelstrom-Scores
diff --git a/etc/dnscrypt-proxy.profile b/etc/dnscrypt-proxy.profile
index 169b23f5f..c04451373 100644
--- a/etc/dnscrypt-proxy.profile
+++ b/etc/dnscrypt-proxy.profile
@@ -9,8 +9,6 @@ include globals.local
 noblacklist /sbin
 noblacklist /usr/sbin
-blacklist /tmp/.X11-unix
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/gconf-editor.profile b/etc/gconf-editor.profile
index 1b84bf536..a2c441a20 100644
--- a/etc/gconf-editor.profile
+++ b/etc/gconf-editor.profile
@@ -7,5 +7,10 @@ include gconf-editor.local
 # added by included profile
 #include globals.local
+blacklist /tmp/.X11-unix
+ignore net none
+ignore x11 none
 # Redirect
 include gconf.profile
diff --git a/etc/ocenaudio.profile b/etc/ocenaudio.profile
index ea89a259f..25e8089ab 100644
--- a/etc/ocenaudio.profile
+++ b/etc/ocenaudio.profile
@@ -21,7 +21,9 @@ include disable-xdg.inc
 apparmor
 caps.drop all
 ipc-namespace
-# net none breaks AppArmor on Ubuntu systems
+# net none - breaks update functionality and AppArmor on Ubuntu systems
+# uncomment (or put 'net none' in your ocenaudio.local) when needed
+#net none
 netfilter
 no3d
 # nodbus - breaks preferences, comment (or put 'ignore nodbus' in your oceanaudio.local) when needed
@@ -38,7 +40,6 @@ seccomp
 shell none
 tracelog
-# disable-mnt
 private-bin ocenaudio
 private-cache
 private-dev
diff --git a/etc/pavucontrol-qt.profile b/etc/pavucontrol-qt.profile
new file mode 100644
index 000000000..f96ba14d2
--- /dev/null
+++ b/etc/pavucontrol-qt.profile
@@ -0,0 +1,19 @@
+# Firejail profile for pavucontrol-qt
+# Description: PulseAudio Volume Control [Qt]
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pavucontrol-qt.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+noblacklist ${HOME}/.config/pavucontrol-qt
+mkdir ${HOME}/.config/pavucontrol-qt
+whitelist ${HOME}/.config/pavucontrol-qt
+private-bin pavucontrol-qt
+ignore private-lib
+# Redirect
+include pavucontrol.profile
diff --git a/etc/pavucontrol.profile b/etc/pavucontrol.profile
index 3fd4f3668..621fef49f 100644
--- a/etc/pavucontrol.profile
+++ b/etc/pavucontrol.profile
@@ -1,5 +1,5 @@
 # Firejail profile for pavucontrol
-# Description: PulseAudio Volume Control
+# Description: PulseAudio Volume Control [GTK]
 # This file is overwritten after every install/update
 # Persistent local customizations
 include pavucontrol.local
@@ -16,15 +16,14 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
-mkdir ${HOME}/.config/pavucontrol.ini
+mkfile ${HOME}/.config/pavucontrol.ini
 whitelist ${HOME}/.config/pavucontrol.ini
 include whitelist-common.inc
 include whitelist-var-common.inc
 apparmor
 caps.drop all
-#ipc-namespace
+netfilter
-net none
 no3d
 nodbus
 nodvd
@@ -34,7 +33,7 @@ noroot
 notv
 nou2f
 novideo
-protocol unix
+protocol unix,inet,inet6
 seccomp
 shell none
@@ -42,7 +41,7 @@ disable-mnt
 private-bin pavucontrol
 private-cache
 private-dev
-private-etc alternatives,asound.conf,fonts,machine-id,pulse
+private-etc alternatives,asound.conf,avahi,fonts,machine-id,pulse
 private-lib
 private-tmp
diff --git a/etc/seahorse-daemon.profile b/etc/seahorse-daemon.profile
index 1beb0edc6..7c0e59c74 100644
--- a/etc/seahorse-daemon.profile
+++ b/etc/seahorse-daemon.profile
@@ -7,8 +7,6 @@ include seahorse-daemon.local
 # added by included profile
 #include globals.local
-blacklist /tmp/.X11-unix
 memory-deny-write-execute
 # Redirect
diff --git a/etc/seahorse.profile b/etc/seahorse.profile
index a7c95c073..0c824e95b 100644
--- a/etc/seahorse.profile
+++ b/etc/seahorse.profile
@@ -6,6 +6,8 @@ include seahorse.local
 # Persistent global definitions
 include globals.local
+blacklist /tmp/.X11-unix
 noblacklist ${HOME}/.config/dconf
 noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.ssh
diff --git a/etc/sqlitebrowser.profile b/etc/sqlitebrowser.profile
index 4758871d3..9cba69a77 100644
--- a/etc/sqlitebrowser.profile
+++ b/etc/sqlitebrowser.profile
@@ -42,4 +42,4 @@ private-dev
 private-etc alternatives,ca-certificates,crypto-policies,fonts,group,machine-id,passwd,pki,ssl
 private-tmp
-memory-deny-write-execute
+#memory-deny-write-execute - breaks on Arch
diff --git a/etc/ssh-agent.profile b/etc/ssh-agent.profile
index 55df45a87..15e2de9b0 100644
--- a/etc/ssh-agent.profile
+++ b/etc/ssh-agent.profile
@@ -27,5 +27,6 @@ notv
 protocol unix,inet,inet6
 seccomp
 shell none
+tracelog
 writable-run-user
diff --git a/etc/wget.profile b/etc/wget.profile
index 2d5c0c4d6..83ff0bb64 100644
--- a/etc/wget.profile
+++ b/etc/wget.profile
@@ -10,8 +10,6 @@ include globals.local
 noblacklist ${HOME}/.wget-hsts
 noblacklist ${HOME}/.wgetrc
-blacklist /tmp/.X11-unix
 include disable-common.inc
 include disable-exec.inc
 include disable-passwdmgr.inc
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 10a3340bd..04bf123ad 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -437,6 +437,7 @@ pandoc
 parole
 patch
 pavucontrol
+pavucontrol-qt
 pdfchain
 pdfmod
 pdfsam